From 657e3e330192e21d3ce8746b53d7cb9ffb2c5eca Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Sep 2021 19:35:06 +0200 Subject: [PATCH 0001/1450] PGPainless-0.2.12-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 4db30e24..93235f65 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { - shortVersion = '0.2.11' - isSnapshot = false + shortVersion = '0.2.12' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From c851457ef8c727a3abb05b5078f97ed1fe4c2db9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Sep 2021 20:31:02 +0200 Subject: [PATCH 0002/1450] Add S2KUsageFix class and tests to switch secret keys encrypted with USAGE_CHECKSUM over to USAGE_SHA1 --- .../exception/WrongPassphraseException.java | 4 + .../key/protection/fixes/S2KUsageFix.java | 103 +++++++++++++ .../key/protection/fixes/package-info.java | 19 +++ .../fixes/EnsureSecureS2KUsageTest.java | 135 ++++++++++++++++++ 4 files changed, 261 insertions(+) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java index f5207c06..bd0c051c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java @@ -19,6 +19,10 @@ import org.bouncycastle.openpgp.PGPException; public class WrongPassphraseException extends PGPException { + public WrongPassphraseException(String message) { + super(message); + } + public WrongPassphraseException(long keyId, PGPException cause) { this("Wrong passphrase provided for key " + Long.toHexString(keyId), cause); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java new file mode 100644 index 00000000..c4a43fe4 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java @@ -0,0 +1,103 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.key.protection.fixes; + +import org.bouncycastle.bcpg.SecretKeyPacket; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; +import org.bouncycastle.openpgp.operator.PGPDigestCalculator; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; + +/** + * Repair class to fix keys which use S2K usage of value {@link SecretKeyPacket#USAGE_CHECKSUM}. + * The method {@link #replaceUsageChecksumWithUsageSha1(PGPSecretKeyRing, SecretKeyRingProtector)} ensures + * that such keys are encrypted using S2K usage {@link SecretKeyPacket#USAGE_SHA1} instead. + * + * @see Related PGPainless Bug Report + * @see Related PGPainless Feature Request + * @see Related upstream BC bug report + */ +public final class S2KUsageFix { + + private S2KUsageFix() { + + } + + /** + * Repair method for keys which use S2K usage 
USAGE_CHECKSUM
which is deemed insecure. + * This method fixes the private keys by changing them to 
USAGE_SHA1
instead. + * + * @param keys keys + * @param protector protector to unlock and re-lock affected private keys + * @return fixed key ring + * @throws PGPException in case of a PGP error. + */ + public static PGPSecretKeyRing replaceUsageChecksumWithUsageSha1(PGPSecretKeyRing keys, SecretKeyRingProtector protector) throws PGPException { + return replaceUsageChecksumWithUsageSha1(keys, protector, false); + } + + /** + * Repair method for keys which use S2K usage 
USAGE_CHECKSUM
which is deemed insecure. + * This method fixes the private keys by changing them to 
USAGE_SHA1
instead. + * + * @param keys keys + * @param protector protector to unlock and re-lock affected private keys + * @param skipKeysWithMissingPassphrase if set to true, missing subkey passphrases will cause the subkey to stay unaffected. + * @return fixed key ring + * @throws PGPException in case of a PGP error. + */ + public static PGPSecretKeyRing replaceUsageChecksumWithUsageSha1(PGPSecretKeyRing keys, + SecretKeyRingProtector protector, + boolean skipKeysWithMissingPassphrase) throws PGPException { + PGPDigestCalculator digestCalculator = ImplementationFactory.getInstance().getPGPDigestCalculator(HashAlgorithm.SHA1); + for (PGPSecretKey key : keys) { + // CHECKSUM is not recommended + if (key.getS2KUsage() != SecretKeyPacket.USAGE_CHECKSUM) { + continue; + } + + long keyId = key.getKeyID(); + PBESecretKeyEncryptor encryptor = protector.getEncryptor(keyId); + if (encryptor == null) { + if (skipKeysWithMissingPassphrase) { + continue; + } + throw new WrongPassphraseException("Missing passphrase for key with ID " + Long.toHexString(keyId)); + } + + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(key, protector); + // This constructor makes use of USAGE_SHA1 by default + PGPSecretKey fixedKey = new PGPSecretKey( + privateKey, + key.getPublicKey(), + digestCalculator, + key.isMasterKey(), + protector.getEncryptor(keyId) + ); + + // replace the original key with the fixed one + keys = PGPSecretKeyRing.insertSecretKey(keys, fixedKey); + } + return keys; + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java new file mode 100644 index 00000000..69759cbd --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java @@ -0,0 +1,19 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * Secret Key Protection Fixes. + */ +package org.pgpainless.key.protection.fixes; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java new file mode 100644 index 00000000..9679c61e --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java @@ -0,0 +1,135 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.key.protection.fixes; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import org.bouncycastle.bcpg.SecretKeyPacket; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.Passphrase; + +public class EnsureSecureS2KUsageTest { + + private static final String KEY_WITH_USAGE_CHECKSUM = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 23BF 0F50 8FE4 2304 6AC6 6EE3 7616 09ED DAF2 A7EE\n" + + "Comment: Alice\n" + + "\n" + + "lHQEYTpM0xYJKwYBBAHaRw8BAQdA77HCCgjnEWBk9O9guvePTA7235v6yoTGUmUo\n" + + "91V2OVr/CQMC5+tUnE2l4Ypg4dv9+qzBXjlQKAU5fktbQpIvYV9+pPXY6O+Wa7qJ\n" + + "mIJsX2GsMR4uSLeAeQtFuPP0ZydL8rQFQWxpY2WIeAQTFgoAIAUCYTpM1AIbAQUW\n" + + "AgMBAAQLCQgHBRUKCQgLAh4BAhkBAAoJEHYWCe3a8qfu9uYBAJGoTlRUEPCmzDBY\n" + + "iqAXI8q1ZJDpYAF/AgdyfHgPZBLZAQDFagfWe/YyZV36EQ8P978gycUn4psQZyXE\n" + + "QoNByDZDAJx5BGE6TNQSCisGAQQBl1UBBQEBB0BM9uoewIA3wDjChe7qdpp9B/uD\n" + + "fQwxFj8AFcgR0qmDNgMBCAf/CQMC4B9NmOhlt+BgyZTk4BqqudczkJsRhoKPPC3e\n" + + "TEqvyeBavp1fPgvAUfsZdL7Z8RoVQNd0LFptsj2zN2VcmIh1BBgWCgAdBQJhOkzU\n" + + "AhsMBRYCAwEABAsJCAcFFQoJCAsCHgEACgkQdhYJ7dryp+4FxgEA29VePCidazQt\n" + + "F6DfQCyNPW/d0Y+rm64KaMfBHJGCorQA/Rdg/gGVH7RoMiIJ8+kDxWOC92tn8JBJ\n" + + "nIekiMcU45QJnHQEYTpM1BYJKwYBBAHaRw8BAQdAv2fItqEBrRsnrtWOU0Rc/S62\n" + + "tafcr2huX3W5Nu6R1On/CQMCR9EMBma4cl9gE854C43bgYY2o53XSnBS/OMzo1rt\n" + + "h+ixzZ6RZNafiAcXRUldVa55kc5KUvpc3y8lMlkDjYjVBBgWCgB9BQJhOkzUAhsC\n" + + "BRYCAwEABAsJCAcFFQoJCAsCHgFfIAQZFgoABgUCYTpM1AAKCRB7qwD3I/Rg7Iic\n" + + "AP4gOcJFEkRcNJMXVyXWWMaHGzvH7SJSn7/NDxjlbo+IhAD9HiPJoOm/88mHWxSr\n" + + "udMemY82nrspaOyxcwqgkJbT8wIACgkQdhYJ7dryp+6yUQD+IufwT/XdopWA+GPD\n" + + "IgT1CHRecJCkeYYmr7sZdPCLs3YA/jeVaFw4Z0drFnys4rh6aSoG6uf+YSba56V3\n" + + "VBL8P8MC\n" + + "=m6iF\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + // message encrypted to above key + private static final String MESSAGE = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DnMY7X1OYFewSAQdAxAxbWTZordzH+fN5s32ZU4PjYM/Og8z6DG7mrjOy+2Mw\n" + + "BCiqa3G9GNZrRQyXihd1sFaxlgqiHrhhmFyCCMLgj2RxjZ7DJ4E0tA7RbF0lkqx4\n" + + "0kAB1XXqAOJ50mEEQLYRN94xojDoJrlz2ZdmV1zqC2ZFd6YITEPIqSdwBuEG61rd\n" + + "BLkPg8RuGdPMKZHZzOxIALtv\n" + + "=//m8\n" + + "-----END PGP MESSAGE-----"; + // same message, but unencrypted + private static final String MESSAGE_PLAIN = "Hello, World!\n"; + + @Test + public void verifyBouncycastleChangesUnprotectedKeysTo_USAGE_CHECKSUM() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + // Bouncycastle unfortunately uses USAGE_CHECKSUM as default S2K usage when setting a passphrase + // on a previously unprotected key. + // This test verifies this hypothesis by creating a fresh, protected key (which uses the recommended USAGE_SHA1), + // unprotecting the key and then again setting a passphrase on it. + PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before"); + for (PGPSecretKey key : before) { + assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); + } + + PGPSecretKeyRing unprotected = PGPainless.modifyKeyRing(before) + .changePassphraseFromOldPassphrase(Passphrase.fromPassword("before")) + .withSecureDefaultSettings() + .toNoPassphrase() + .done(); + for (PGPSecretKey key : unprotected) { + assertEquals(SecretKeyPacket.USAGE_NONE, key.getS2KUsage()); + } + + PGPSecretKeyRing after = PGPainless.modifyKeyRing(unprotected) + .changePassphraseFromOldPassphrase(null) + .withSecureDefaultSettings() + .toNewPassphrase(Passphrase.fromPassword("after")) + .done(); + for (PGPSecretKey key : after) { + assertEquals(SecretKeyPacket.USAGE_CHECKSUM, key.getS2KUsage(), "Looks like BC fixed the default S2K usage. Yay!"); + } + } + + @Test + public void testFixS2KUsageFrom_USAGE_CHECKSUM_to_USAGE_SHA1() throws IOException, PGPException { + PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(KEY_WITH_USAGE_CHECKSUM); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("after"), keys); + + PGPSecretKeyRing fixed = S2KUsageFix.replaceUsageChecksumWithUsageSha1(keys, protector); + for (PGPSecretKey key : fixed) { + assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); + } + + testCanStillDecrypt(keys, protector); + } + + private void testCanStillDecrypt(PGPSecretKeyRing keys, SecretKeyRingProtector protector) throws PGPException, IOException { + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKey(keys, protector)); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + assertArrayEquals(MESSAGE_PLAIN.getBytes(StandardCharsets.UTF_8), out.toByteArray()); + } +} From 7e71af973b32cf95774335ee356c2a5f30103eaa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Sep 2021 19:57:05 +0200 Subject: [PATCH 0003/1450] Add JUnit tests for modification of keys with different sig classes --- ...nOnKeyWithDifferentSignatureTypesTest.java | 181 ++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java new file mode 100644 index 00000000..5a654330 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -0,0 +1,181 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.key.modification; + +import java.io.IOException; +import java.util.Date; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.JUtils; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.MethodSource; +import org.pgpainless.PGPainless; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.DateUtil; + +public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { + + private static final String keyWithGenericCertification = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 8204 4993 BF17 BC95 F1BF 4E80 9E47 B575 6733 80C1\n" + + "Comment: Test Key\n" + + "\n" + + "lQcYBGE7mxUBEACzbhVnKC34xXZ3WctNZgWZp3/r0X+O61Vul6TnTfi3mOaAeAgd\n" + + "5V9X9n/wwQ/T547RGQf9VHsgUlXgfn4IHROWf4cgqDu1jHOfio/IFynq0tVDAOjj\n" + + "94Pv4f5Ek1TforiCnsN3bjB98YrTC8tRbV/XsAi3j3niL6r4xOMWmHH6xFJ6YV/e\n" + + "zzUSqCNTLxw1rqlJaKNIzMTEdHQJFQlo7XIf4NSpX6p2l+Xewga+WCn2GKW1zg2F\n" + + "7bA1/Iv/UGhnGcXPU3bEz6s2fUlPAKS6kCzLCe6ZpFSOm0U70kuLbpZubdsgY4zO\n" + + "K96H5yC+eVupo1RPgzK6txSMf6IIMJYJqwgdFYjSoGegokQz6Kwxxt8hHUPZSitJ\n" + + "DXoVWDtUVA7Bmp0e9Dh0SzSZwFpdivcuQtKFAVh1gYDcknXhAIpll81faRExx7zz\n" + + "mvNlW/yRbTvOnBeoM8IlE7guS4M5bYUXYtsZP4BaYILv8v/Vn8EkJrGYLGiZYO+b\n" + + "OakWZiLhoFEC+yZ64NDHDbneoas13trJbhal2bCCtFk5Aj8WV2nUuTKLhIpsMxlM\n" + + "2VYnDL8ucfsVvrxLm67gGgl7A0AXvqL8r5yHVdfB3Sz70fgVpsdraknJxHD4KiWC\n" + + "0zqg5QgySuPgc2JIuTkconK1Piz61gNsUIh2i2snMBwnz23RvBaJyJ71XQARAQAB\n" + + "AA/7BG6A83335LURKqbPxqbxFyJz87cbl2695XAJZU0ftNPUnZ0EAPkGqdLaG3Ap\n" + + "RpU+3xs8f0f0N+V7XtgWSiJYYYHfgdxQh+Ni17CXFzIQmaQrcEQ4Jv6YsPa7+Pr1\n" + + "QFtx2IgN+90qMBzPI6H0RkaVShZ8S0xX46ZEasXcy1S95putYyhp3cRFuKLpJxzQ\n" + + "GDiq0GKtOxcTpREwlyjV2qmYBVbgPxlbHyK7+AyCw3YZ/eIN9beTze2uSdG7A3X7\n" + + "niWcz8oX8jR5iMGqFdwbisq/eyRQ/ap5YYGkQXNS5QFjkHFWKtlKmQJXCgmYssZR\n" + + "5UFgy7X0gs1oIdrlKElK62I2CQyKFlflejj1KhMrzit704FFWtTHfPVQKbloojbW\n" + + "Kf1BVhlAYtRT7hW1d0njOPsgdOczykcYPFerJm4SqiVC3nJ+/nTIgCX3UaEaaS4J\n" + + "6SzJldGlGFAcUCTXnQHdVmlHuPyes4CBo4tL1NjBC/F18DIr20c4Pw614Z9R2YrN\n" + + "Y+KSwE0Wm8xObVFCUnf4S0leKvr5JErYqyIkZS767ulbUR5GE2Q9qovAQ4hlOqjY\n" + + "Jib8Yy8eOows/re8NvC5xgokPy59FuNM5+tsXJgbRGKc7iAzGtZDWz3t+yOcJ3RO\n" + + "VGL+9YI09SF0W8PENbZakyhFBZFeKr1hSi5wdp97Gv9B/gEIAL9evLSYV3yzwW/z\n" + + "Xs8Du8HYTfuCgxADg95hecRruETvJh+E/d+zf5SfmYcZJdkcEaP7pDS/rOvpm2GB\n" + + "gqcu460uWWj5PDa9tTWC5+BBzs004xsdumQf3GnEnfzHJEudD4qQ0icaeutWH1kq\n" + + "+ZKXv3a9gbXY+7fYD+LhdOC4Lwf6L/OFpwMkH4Rg8OLfMISD7OMENoV0rbggn42d\n" + + "CXRRXV7jHYB9Ku+12GIxyWo/k2bZZU5v+dI4Jjehvtrpyu4Mw+bYbjJECaC6jMpp\n" + + "gAM8MoQbgWJSbD6hcX94JMcCIVoBRGXDlu7cyXvs1yJRR7Fvs9DGaaqVlBgG7n0z\n" + + "jSTHBI0IAPAHC+hA0nY2+qR/QSgKyp0TmAs8HBxIwAqPDa0ZaqOZMp9g/5XgCQqx\n" + + "ilaN3n/Wf6Y3DE9PMVpKx79WCBC443p/lY8CMsira1bCQ2q/gDmSpcxEXuWwvaqI\n" + + "wL348081PpTuq1rBpgP3Sm1MdhinSpBV4Z642Jua/UFV9DyaTP8ylgXtW3fjF08c\n" + + "+Y0MX7a7yacnkEwNWewk5Zhv6+iWI8YLa26KnGqobwlTIdsBQYf8SG+a/6B07tQC\n" + + "7qvwo24drsHT4VAOZNry4fxxB/6seOryS4vM8htdIM5Ef1BbhYgw26drFVistplY\n" + + "XetSKutnjCgg7XYglXI9LXtYQx6gSBEIAI9TQb2HAbkbU0ocG4kMbe2vgpJjWIll\n" + + "vInuwDuarSZqJ7b101z6qR3CVy1/xPyOeZ/Er3QEzFjxAJmPKrTbbB2ADyba2q9Y\n" + + "LEm/hurZfWzlHgOws42IMl9O13hYLqz4KElXabcRc3tlAtjQMTcS+ikMJn7GYnWR\n" + + "xHtzhYRNLcqvoN/LJ7fq5kvbkGP4TSV7uF5fFuSK2leA9tTV7KvEkpCDLGAbUoXB\n" + + "2+NYbz58sWcp++0AU0MCiEzPNm7Z230FpN+FjpbsHDThu+SloF6vXdSP7tA0yKdy\n" + + "heXjiAId+//zrlyHScc9sgZ0Leec4+yaOU0aL0sPf/iZHipyeX85DUx+ybQIVGVz\n" + + "dCBLZXmJAjYEEAEKACAFAmE7mxUCGwcFFgIDAQAECwkIBwUVCgkICwIeAQIZAQAK\n" + + "CRCeR7V1ZzOAwRlBD/42VkD/yUBIPNfZGSdNykdSapqaUz9Ym8Z4B7HYsWxvG59k\n" + + "dErsP1MOiWPX+z0yG/b2lKtFiAvMsPkf4qhvP3AFicfz4Vkn85+kC167cUg+hUsE\n" + + "lVi2sAm6gERkflTSVm4B9s5eElMSuZRAd51FBBRnp4QZnxcP5LFLqg7JJqViJKag\n" + + "vnoQDozlyCYV/o1S3tifm96xCC97HgACMMa5DpXj+w2efoJyPkPVJEDAC6HrajOY\n" + + "iX3eZoBsP3uDesWVInDOR8dRZFvz/7DZKdapjtJY2z1hv/r2HIbbHYnfrtoy1YFw\n" + + "uNJS3teIOZBBcz698M5oeFDwKdChsEZjYAHUgeWqDYmllecR3eJY/uL6lUv6p/Aj\n" + + "aPTNq4K77ozSbEtPhD6LHP0KsnHnRWzFRCAk9ym55Pb89iOiSjwmvRjxDObluood\n" + + "qwV2qNqenxYYOqVVzQl547y31i71f7hToEsfmkP+Wb0WJbuaJAHnL5nDKaZ0ekEA\n" + + "S1pVc6SnlL1D/f22C/deUnlDTwfY9Hy6IG72CKoQcsGWBNAbPbpPKp9o9tF2HSQR\n" + + "6iCmt4GJ5eJaJoTN8cJKZfq37Aj+3fF2sRgbtUppUUgovp3ffF97UoWwDzC/Lat/\n" + + "lwBTgW8Q9pk2JKbNWLPlO1CtJG54ppUcYgrGSK2UPQ+7KyO5HhMJ3vODLooLBg==\n" + + "=gbUk\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + private static final String keyWithCasualCertification = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 2077 4DD5 1456 73A1 ACB8 416E 4999 42A2 27CD 977C\n" + + "Comment: Test Key\n" + + "\n" + + "lQcYBGE7mxgBEADb3ivOtMZ8P58H+/eU9H7BbSdKztwn6LzhS/BMmv4IJZG1tzZP\n" + + "fsVwlVHMhEbst0A8kEfo5UmYy2ENldyqoKABH7fZrhcTdYm82046jAIsTKel/Bjv\n" + + "hA+La10Lz/SSIXGkHR+JfLvdnZo8mfMIp/0Tr/FCn3s/2QriOhYfDjWhLh8WMHwe\n" + + "g8/O9ipTTf0T7cRKqs2ThkA0i81FkP7C9Id/+fYby1hXqimmZvyQAF5b2a2NE74b\n" + + "OZ1PDPJ/97CLBTUeo2rKUh+hSusGR7wXos9ZaP11/AykAGcIejCcPLMlVKF8JveI\n" + + "E17BUkp04szKxe1IhtHica7xnqBlP253bccd91rVtVlObZ8qeRhmVruKVFhGCik4\n" + + "18wUET9xP/Xmf7a+YJfIeNLk+HfKbYnWB1orOul0dAqpRPK85dHa8skrtCRgD0pk\n" + + "HmfbMk8+8cAOAtlmUQql2u72M7GMDX0CUXKbmvfBi6fWjtvtT63zhJHu3+379M1y\n" + + "3pnnPinyLhqnY7WYlk8S/oZTh0XOCHpgMrESjqh0ILXIguF61UR16fP9k9R/VvO9\n" + + "k204+j58j702UbK+H8Xm5P+aleyxnNzt95y4SUqnY9IcX666SjwnoC9ipaq/vn3s\n" + + "40yIMrflUf6nd0N+OgtrjClnCbXF6QX50Ddpq73BwGbVUa7uFDp1K1k8JQARAQAB\n" + + "AA//UEIqdZsRtTs4Hx8AAlS5jHv+0tTuEndns0oYHq6ZOnoUVWPapGwfQHiRUnma\n" + + "tkAyZ6k3RrGkCu16sQ3abkKSBbcBUqm07LqEG/dl+AMxq+ATdoiuxYfMcNUxMuWn\n" + + "XkxtAj5LS9HHdh9YtPRxfeBshmo8RFiZEfZ1fZ08g/uY4gxG9r+eHzl4exDq5Fvc\n" + + "nRC3DZaJ0mc4OrYpqVJDXQEMEVA6YWz6A44vA/omCZ7I0viD3LKvO5rtbHTKdKIC\n" + + "xMyS1mtKyS3vM954KmO3Kl2ZGQc1NoNaTeeDtNl9sxqJPoBFLl+/DeIcPa9/VGmR\n" + + "3hcgBdCI/wMGnFaOMEdWWKwu+XkQhFAT5Myh1AdDzEJAVVIf4Ic/Cjqcg6fOOVND\n" + + "Er8uLEAHMK8+BAd+nY68jngmQ+4mjmErmKZYyDD0mUt2vRaG3QnHA73jj0tYkGJq\n" + + "KLjtdPK0845EOgBUfc4pZu1b7XJja/gqKgnuIXuuyaJq8rY68A8zYc1y66Z8pFVY\n" + + "CQ/KR/tqk5wig3VeiepKNP0zal+KVd47Ff3WgQqXVGiHG3YN3zGZQOmWdiC6hyjC\n" + + "R/LKVmdB0RMVK/T9Vg62fzugQJI6hIq+AaUUpqKxIbQ5utZxTwgFHNeRriRQKC5+\n" + + "5kaI/W8i5ZRCj3UBiOh+7CenrhZNBNWVlJ/AUGjDlRmbjQUIAOZmOwj0rdzIIpKw\n" + + "fWIVJlLBhG9keNHRts5ynORGBMpoziQsPdL3e9J+27XEMmfiKOi1bi2W4tZXWpnW\n" + + "SkEPSzR377wkxU9VLmPpR4TugqsbnV+cfCMMR1T6ghm9YNRqOfAtybFFatxwqdWN\n" + + "kv81pn09X6BWz7vDlC25lCBI947BhE4nTFPxOlENzAEQf8NknKBcgRbemDXBgHPx\n" + + "gAvwzF5l3TTo6zqbW7KB54PCTNl19sarruh8sJodMp5mr4G3a80vggipM0DCgxUq\n" + + "yRAU4ksCiHkQ/OznQ0ktEAR8kcP2krapY2kBcOb+ywwfJKryXiQB1d+tG6laYc9S\n" + + "7nVkn1cIAPRMXqflfW3EHXjky7WVJ+pKa0c9vb9t1f80BJJX7hjmRfLpA43IdNQP\n" + + "Xza0wDKe/fCgVZgMMP5DZQSGDguKCZ6sxnCIBWv6fSJhmnc5i7zdJqDqxfYU/w6r\n" + + "7ga4HiWbbQ9xpiUIf34nTA+uRNXTZOmXJl8QOokezSBLcK9AGyosKmSzHQxCgzTZ\n" + + "XYDAOxQccyjmAd0s0454egKNUtxF/OwCUK7BcH+rzdCz0b1jJJIOTVxq2OCBFW2P\n" + + "G49N/4QUfPHIsnpj4TN8o63923NQLUqHdH+w4SUfCqf2oTmHTHEqWyfHYk1heL71\n" + + "y7QJUKEB0vnDRYN+cz3Nb3YTWSeSXuMIAIVwWOowjCIMDAn0Jcx5Rk/QuF62GF9u\n" + + "NaW3UnRkx8Ziu+w6LBe9BKV5t5fflW6cYMc0LVHIgoRmqeYnTL5hWgxTKP5C2xUO\n" + + "GmjgRSjZG0tXvNfBKFqd7vBthTaQ0aPDc7k5fQz3T0jqD2hqS166/1fNAYRjoW9R\n" + + "kXDQpu7DDrxK0lEQp5auPj4D59PHCA2SCDn8lXJzXc1qU6WjiZIbrYJgjLVrlMxQ\n" + + "FVonR8qhaubbQCvngku6rT3g6q2DR1qAdGQNtRnQtTF+8loybPL06+jcKry9cdQa\n" + + "Z7qmaPsOhkX4yCKT4H0dJJ/kq271t+1VfFtbNmClVETWTyO+S73VSg1ow7QIVGVz\n" + + "dCBLZXmJAjYEEgEKACAFAmE7mxgCGwcFFgIDAQAECwkIBwUVCgkICwIeAQIZAQAK\n" + + "CRBJmUKiJ82XfBGOD/9XjZGRFmdszR7dpO+cMwNAuCHY69HoOt5xovZpeRJmacTR\n" + + "fTbM4XwT+HM9HoHmqu5Ac5eorkpu1xwSdJwPd3NhxDWRb6EEjpivNLyfGM+TXFp/\n" + + "ldLgVYecX5iieAsh9JfPBZ0nM2ZgQDKCEmLq7Pep/qDhBe5QOals5Yf6IyVN2lSe\n" + + "NAsk5EVCFS7OX21egOGruY+sq8TEVfaJRipe1v9l/oyMLqr8zp4lU/10wIP6uo7X\n" + + "6B7CpYo1q/b4gdkQCZVFaKWP30+RE1R74ka0KB6j3D9Hg8IF7EnGWXc32jyExgX0\n" + + "f5ve4NH9ojJNXWEfAuvdXA04iNyRTCMmrFb9hfxU1S3s+WcW2OoWBKdZp9rpZEAX\n" + + "yERaBJpVWdrZg6lgHGtRBvMnavnf57W1U1EC+jfbp5de6EGjyGDqdi6lZfhRSkv8\n" + + "lHKW6/iEXqkkn92KQvZWSQMg7u39Ew567qlUA6aHl55DgyQMOoRZTYDPJXpzo4O3\n" + + "Oj0jFWWTAy/N23VWDLkfrzsTK9hvEwjOznHu7zNUxBgEhzs+AV3NJrKHMjCwWR1u\n" + + "R0iI6tyZvNdn3dcyPo6i8V8AOa5aj1OEGhbza2Aaud1LrMyDzUXoZkamns/4Nhjf\n" + + "Bbwi+J0UaPsB2rJlPMsdoG1WVtX7dfjNbRfwhO3cfMBngmrp7K7mW327E52ihg==\n" + + "=GIQn\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void setExpirationDate_keyHasSigClass10(ImplementationFactory implementationFactory) + throws PGPException, IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithGenericCertification); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + executeTestForKeys(keys, protector); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void setExpirationDate_keyHasSigClass12(ImplementationFactory implementationFactory) + throws PGPException, IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithCasualCertification); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + executeTestForKeys(keys, protector); + } + + private void executeTestForKeys(PGPSecretKeyRing keys, SecretKeyRingProtector protector) + throws PGPException { + Date expirationDate = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * 14); + // round date for test stability + expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(expirationDate)); + + PGPSecretKeyRing modded = PGPainless.modifyKeyRing(keys) + .setExpirationDate(expirationDate, protector) + .done(); + + JUtils.assertDateEquals(expirationDate, PGPainless.inspectKeyRing(modded).getPrimaryKeyExpirationDate()); + } +} From 194e4d7631fec6c53b887c532666aaa8b6365477 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Sep 2021 20:14:12 +0200 Subject: [PATCH 0004/1450] Automatically 'repair' keys with S2K usage CHECKSUM to use SHA1 when changing passphrases --- .../secretkeyring/SecretKeyRingEditor.java | 28 ++++++++++++++----- ...S2KUsageTest.java => S2KUsageFixTest.java} | 10 ++----- 2 files changed, 24 insertions(+), 14 deletions(-) rename pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/{EnsureSecureS2KUsageTest.java => S2KUsageFixTest.java} (90%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 97834e35..d480a55a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -30,6 +30,7 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.bcpg.S2K; +import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyRingGenerator; @@ -59,6 +60,7 @@ import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.protection.UnprotectedKeysProtector; +import org.pgpainless.key.protection.fixes.S2KUsageFix; import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; @@ -591,32 +593,44 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PGPSecretKeyRing secretKeys, SecretKeyRingProtector oldProtector, SecretKeyRingProtector newProtector) throws PGPException { + List secretKeyList = new ArrayList<>(); if (keyId == null) { // change passphrase of whole key ring - List newlyEncryptedSecretKeys = new ArrayList<>(); Iterator secretKeyIterator = secretKeys.getSecretKeys(); while (secretKeyIterator.hasNext()) { PGPSecretKey secretKey = secretKeyIterator.next(); secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector); - newlyEncryptedSecretKeys.add(secretKey); + secretKeyList.add(secretKey); } - return new PGPSecretKeyRing(newlyEncryptedSecretKeys); } else { // change passphrase of selected subkey only - List secretKeyList = new ArrayList<>(); Iterator secretKeyIterator = secretKeys.getSecretKeys(); while (secretKeyIterator.hasNext()) { PGPSecretKey secretKey = secretKeyIterator.next(); - if (secretKey.getPublicKey().getKeyID() == keyId) { // Re-encrypt only the selected subkey secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector); } - secretKeyList.add(secretKey); } - return new PGPSecretKeyRing(secretKeyList); } + + PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList); + newRing = s2kUsageFixIfNecessary(newRing, newProtector); + return newRing; + } + + private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector) throws PGPException { + boolean hasS2KUsageChecksum = false; + for (PGPSecretKey secKey : secretKeys) { + if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) { + hasS2KUsageChecksum = true; + } + } + if (hasS2KUsageChecksum) { + secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(secretKeys, protector, true); + } + return secretKeys; } private static PGPSecretKey reencryptPrivateKey(PGPSecretKey secretKey, SecretKeyRingProtector oldProtector, SecretKeyRingProtector newProtector) throws PGPException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java similarity index 90% rename from pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java rename to pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index 9679c61e..1baf3593 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/EnsureSecureS2KUsageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -37,7 +37,7 @@ import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.Passphrase; -public class EnsureSecureS2KUsageTest { +public class S2KUsageFixTest { private static final String KEY_WITH_USAGE_CHECKSUM = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: PGPainless\n" + @@ -78,11 +78,7 @@ public class EnsureSecureS2KUsageTest { private static final String MESSAGE_PLAIN = "Hello, World!\n"; @Test - public void verifyBouncycastleChangesUnprotectedKeysTo_USAGE_CHECKSUM() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - // Bouncycastle unfortunately uses USAGE_CHECKSUM as default S2K usage when setting a passphrase - // on a previously unprotected key. - // This test verifies this hypothesis by creating a fresh, protected key (which uses the recommended USAGE_SHA1), - // unprotecting the key and then again setting a passphrase on it. + public void verifyOutFixInChangePassphraseWorks() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before"); for (PGPSecretKey key : before) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); @@ -103,7 +99,7 @@ public class EnsureSecureS2KUsageTest { .toNewPassphrase(Passphrase.fromPassword("after")) .done(); for (PGPSecretKey key : after) { - assertEquals(SecretKeyPacket.USAGE_CHECKSUM, key.getS2KUsage(), "Looks like BC fixed the default S2K usage. Yay!"); + assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); } } From 9a8bb7d3ef996c43834eab8f58e45491af99a3df Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Sep 2021 21:04:36 +0200 Subject: [PATCH 0005/1450] Add missing break statement to loop --- .../key/modification/secretkeyring/SecretKeyRingEditor.java | 1 + 1 file changed, 1 insertion(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index d480a55a..39863c1b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -625,6 +625,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { for (PGPSecretKey secKey : secretKeys) { if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) { hasS2KUsageChecksum = true; + break; } } if (hasS2KUsageChecksum) { From 601ce4031d697c0f64ed2d52ef660db8655d2c54 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Sep 2021 21:09:29 +0200 Subject: [PATCH 0006/1450] PGPainless 0.2.12 --- CHANGELOG.md | 4 ++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1515ef80..690d135d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # PGPainless Changelog +## 0.2.12 +- Fix: Add workaround for BC defaulting to S2K `USAGE_CHECKSUM` by changing S2K usage to `USAGE_SHA1` +- Repair keys with `USAGE_CHECKSUM` when changing passphrase + ## 0.2.11 - Fix: When changing expiration date of keys, also consider generic and casual certifications diff --git a/README.md b/README.md index 1b423f77..26c29db0 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.11' + implementation 'org.pgpainless:pgpainless-core:0.2.12' } ``` diff --git a/version.gradle b/version.gradle index 93235f65..d264418d 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { shortVersion = '0.2.12' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 3af9cb4b985bb119d753593d15be1a6d363a6783 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Sep 2021 21:14:48 +0200 Subject: [PATCH 0007/1450] PGPainless-0.2.13-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index d264418d..10517b18 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { - shortVersion = '0.2.12' - isSnapshot = false + shortVersion = '0.2.13' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From f28232893ca8af3117731d1ddb01a0378e0bd783 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 18:09:53 +0200 Subject: [PATCH 0008/1450] Refactoring: Move cleartext signed message processing to decryption_verification --- .../src/main/java/org/pgpainless/PGPainless.java | 4 ++-- .../pgpainless/decryption_verification/OpenPgpMetadata.java | 1 - .../decryption_verification/SignatureInputStream.java | 1 - .../SignatureVerification.java | 2 +- .../cleartext_signatures/ClearsignedMessageUtil.java | 2 +- .../cleartext_signatures/CleartextSignatureProcessor.java | 3 ++- .../cleartext_signatures/InMemoryMultiPassStrategy.java | 2 +- .../cleartext_signatures/MultiPassStrategy.java | 2 +- .../cleartext_signatures/VerifyCleartextSignatures.java | 2 +- .../cleartext_signatures/VerifyCleartextSignaturesImpl.java | 2 +- .../cleartext_signatures/WriteToFileMultiPassStrategy.java | 2 +- .../cleartext_signatures/package-info.java | 2 +- .../CleartextSignatureVerificationTest.java | 6 +++--- .../pgpainless/sop/DetachInbandSignatureAndMessageImpl.java | 2 +- 14 files changed, 16 insertions(+), 17 deletions(-) rename pgpainless-core/src/main/java/org/pgpainless/{signature/cleartext_signatures => decryption_verification}/SignatureVerification.java (97%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/ClearsignedMessageUtil.java (98%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/CleartextSignatureProcessor.java (97%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/InMemoryMultiPassStrategy.java (95%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/MultiPassStrategy.java (97%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/VerifyCleartextSignatures.java (96%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/VerifyCleartextSignaturesImpl.java (96%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/WriteToFileMultiPassStrategy.java (96%) rename pgpainless-core/src/main/java/org/pgpainless/{signature => decryption_verification}/cleartext_signatures/package-info.java (90%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java index ace68e81..a7410306 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java +++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java @@ -33,8 +33,8 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac import org.pgpainless.key.parsing.KeyRingReader; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.cleartext_signatures.VerifyCleartextSignatures; -import org.pgpainless.signature.cleartext_signatures.VerifyCleartextSignaturesImpl; +import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignatures; +import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl; import org.pgpainless.util.ArmorUtils; public final class PGPainless { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java index f2b6b47e..8ff8dc9b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java @@ -36,7 +36,6 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier; -import org.pgpainless.signature.cleartext_signatures.SignatureVerification; public class OpenPgpMetadata { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index ca46d5d0..f6a0b2c1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -31,7 +31,6 @@ import org.pgpainless.policy.Policy; import org.pgpainless.signature.CertificateValidator; import org.pgpainless.signature.DetachedSignature; import org.pgpainless.signature.OnePassSignatureCheck; -import org.pgpainless.signature.cleartext_signatures.SignatureVerification; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/SignatureVerification.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java similarity index 97% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/SignatureVerification.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java index 9b98b998..04ee261b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/SignatureVerification.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification; import javax.annotation.Nullable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/ClearsignedMessageUtil.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java similarity index 98% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/ClearsignedMessageUtil.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java index 3c4c4bc5..969e4a24 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/ClearsignedMessageUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.BufferedOutputStream; import java.io.ByteArrayOutputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java similarity index 97% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/CleartextSignatureProcessor.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index 5242cbd6..a8366b01 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import static org.pgpainless.signature.SignatureValidator.signatureWasCreatedInBounds; @@ -35,6 +35,7 @@ import org.pgpainless.algorithm.StreamEncoding; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.OpenPgpMetadata; +import org.pgpainless.decryption_verification.SignatureVerification; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.signature.CertificateValidator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/InMemoryMultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java similarity index 95% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/InMemoryMultiPassStrategy.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java index e9de8454..04ede0e8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/InMemoryMultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/MultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java similarity index 97% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/MultiPassStrategy.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java index f36eb186..71a6b9ee 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/MultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.ByteArrayOutputStream; import java.io.File; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignatures.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java similarity index 96% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignatures.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java index 3e2b0648..0aa1c2a0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignatures.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.File; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignaturesImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java similarity index 96% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignaturesImpl.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java index 66d83ca9..3ab6f2f4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/VerifyCleartextSignaturesImpl.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.IOException; import java.io.InputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/WriteToFileMultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java similarity index 96% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/WriteToFileMultiPassStrategy.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java index 16de077e..b86c851f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/WriteToFileMultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.File; import java.io.FileInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java similarity index 90% rename from pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/package-info.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java index 27b09a40..f8b363f4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/cleartext_signatures/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java @@ -16,4 +16,4 @@ /** * Classes related to cleartext signature verification. */ -package org.pgpainless.signature.cleartext_signatures; +package org.pgpainless.decryption_verification.cleartext_signatures; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index dec9f179..1302e12c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -39,9 +39,9 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.signature.CertificateValidator; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.SignatureVerifier; -import org.pgpainless.signature.cleartext_signatures.CleartextSignatureProcessor; -import org.pgpainless.signature.cleartext_signatures.InMemoryMultiPassStrategy; -import org.pgpainless.signature.cleartext_signatures.MultiPassStrategy; +import org.pgpainless.decryption_verification.cleartext_signatures.CleartextSignatureProcessor; +import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; +import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy; import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.TestUtils; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java index b904285d..ca0dcc1f 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java @@ -23,7 +23,7 @@ import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.pgpainless.exception.WrongConsumingMethodException; -import org.pgpainless.signature.cleartext_signatures.ClearsignedMessageUtil; +import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil; import org.pgpainless.util.ArmoredOutputStreamFactory; import sop.ReadyWithResult; import sop.Signatures; From 0a45f4de9e1ed865d2963048d552228f4f79a9e5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 18:18:50 +0200 Subject: [PATCH 0009/1450] Add documentation to SignatureVerification class --- .../SignatureVerification.java | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java index 04ee261b..4d151394 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java @@ -21,38 +21,83 @@ import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.SubkeyIdentifier; +/** + * Tuple of a signature and an identifier of its corresponding verification key. + * Semantic meaning of the signature verification (success, failure) is merely given by context. + * E.g. {@link OpenPgpMetadata#getVerifiedInbandSignatures()} contains verified verifications, + * while the class {@link Failure} contains failed verifications. + */ public class SignatureVerification { private final PGPSignature signature; private final SubkeyIdentifier signingKey; + /** + * Construct a verification tuple. + * + * @param signature PGPSignature object + * @param signingKey identifier of the signing key + */ public SignatureVerification(PGPSignature signature, @Nullable SubkeyIdentifier signingKey) { this.signature = signature; this.signingKey = signingKey; } + /** + * Return the {@link PGPSignature}. + * + * @return signature + */ public PGPSignature getSignature() { return signature; } + /** + * Return a {@link SubkeyIdentifier} of the (sub-) key that is used for signature verification. + * Note, that this method might return null, e.g. in case of a {@link Failure} due to missing verification key. + * + * @return verification key identifier + */ @Nullable public SubkeyIdentifier getSigningKey() { return signingKey; } + /** + * Tuple object of a {@link SignatureVerification} and the corresponding {@link SignatureValidationException} + * that caused the verification to fail. + */ public static class Failure { + private final SignatureVerification signatureVerification; private final SignatureValidationException validationException; + /** + * Construct a signature verification failure object. + * + * @param verification verification + * @param validationException exception that caused the verification to fail + */ public Failure(SignatureVerification verification, SignatureValidationException validationException) { this.signatureVerification = verification; this.validationException = validationException; } + /** + * Return the verification (tuple of {@link PGPSignature} and corresponding {@link SubkeyIdentifier} + * of the signing/verification key. + * + * @return verification + */ public SignatureVerification getSignatureVerification() { return signatureVerification; } + /** + * Return the {@link SignatureValidationException} that caused the verification to fail. + * + * @return exception + */ public SignatureValidationException getValidationException() { return validationException; } From 5683ee205e0e766cf1eac18a8542bcd0375bec15 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 19:45:49 +0200 Subject: [PATCH 0010/1450] Add acknowledgements section to readme --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 26c29db0..64f2e002 100644 --- a/README.md +++ b/README.md @@ -192,3 +192,8 @@ PGPainless is developed in - and accepts contributions from - the following plac * [Codeberg](https://codeberg.org/PGPainless/pgpainless) Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part of the project. + +## Acknowledgements +Development on PGPainless is generously sponsored by [FlowCrypt.com](https://flowcrypt.com). Thank you very very very much! + +Continuous Integration is kindly provided by [Travis-CI.com](https://travis-ci.com/). From 21f424551b10e328919ed07cb0b1e877f012b4a2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 19:20:19 +0200 Subject: [PATCH 0011/1450] Simplify KeySpecBuilder --- .../DecryptionStreamFactory.java | 2 +- .../key/generation/KeyRingBuilder.java | 32 ++- .../pgpainless/key/generation/KeySpec.java | 5 +- .../key/generation/KeySpecBuilder.java | 197 +++++++----------- .../generation/KeySpecBuilderInterface.java | 47 +---- .../java/org/pgpainless/policy/Policy.java | 24 ++- .../EncryptDecryptTest.java | 11 +- .../EncryptionOptionsTest.java | 17 +- .../org/pgpainless/example/GenerateKeys.java | 62 +++--- .../org/pgpainless/example/ModifyKeys.java | 5 +- .../BrainpoolKeyGenerationTest.java | 31 ++- ...rtificationKeyMustBeAbleToCertifyTest.java | 5 +- .../GenerateEllipticCurveKeyTest.java | 11 +- .../GenerateKeyWithAdditionalUserIdTest.java | 7 +- .../GenerateWithEmptyPassphrase.java | 7 +- .../key/generation/IllegalKeyFlagsTest.java | 31 +-- .../pgpainless/key/info/KeyRingInfoTest.java | 11 +- .../key/info/UserIdRevocationTest.java | 25 +-- .../key/modification/AddSubKeyTest.java | 4 +- .../org/pgpainless/policy/PolicyTest.java | 8 +- .../java/org/pgpainless/util/BCUtilTest.java | 11 +- .../util/GuessPreferredHashAlgorithmTest.java | 15 +- ...ncryptCommsStorageFlagsDifferentiated.java | 8 +- 23 files changed, 240 insertions(+), 336 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 1a6c27a3..b5d2000d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -384,7 +384,7 @@ public final class DecryptionStreamFactory { } private void throwIfAlgorithmIsRejected(SymmetricKeyAlgorithm algorithm) throws UnacceptableAlgorithmException { - if (!PGPainless.getPolicy().getSymmetricKeyDecryptionAlgoritmPolicy().isAcceptable(algorithm)) { + if (!PGPainless.getPolicy().getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) { throw new UnacceptableAlgorithmException("Data is " + (algorithm == SymmetricKeyAlgorithm.NULL ? "unencrypted" : "encrypted with symmetric algorithm " + algorithm) + " which is not acceptable as per PGPainless' policy.\n" + "To mark this algorithm as acceptable, use PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy()."); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 33ee155d..230a0a9a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -127,10 +127,9 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { WithAdditionalUserIdOrPassphrase builder = this - .withPrimaryKey( - KeySpec.getBuilder(KeyType.RSA(length)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) + .withPrimaryKey(KeySpec + .getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) + .build()) .withPrimaryUserId(userId); if (password == null) { @@ -197,13 +196,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { WithAdditionalUserIdOrPassphrase builder = this .withSubKey( - KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) + KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) + .build()) .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .build()) .withPrimaryUserId(userId); if (password == null) { @@ -225,17 +222,14 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { WithAdditionalUserIdOrPassphrase builder = this .withSubKey( - KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) + KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) + .build()) .withSubKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA) + .build()) .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms()) + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) + .build()) .withPrimaryUserId(userId); if (password == null) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 4ecce7be..5572f449 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -20,6 +20,7 @@ import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; public class KeySpec { @@ -54,7 +55,7 @@ public class KeySpec { return inheritedSubPackets; } - public static KeySpecBuilder getBuilder(KeyType type) { - return new KeySpecBuilder(type); + public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) { + return new KeySpecBuilder(type, flags); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index 17f4c55f..38e82e4e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -15,10 +15,14 @@ */ package org.pgpainless.key.generation; +import java.util.Arrays; +import java.util.Iterator; +import java.util.LinkedHashSet; +import java.util.Set; import javax.annotation.Nonnull; -import org.bouncycastle.bcpg.sig.Features; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.pgpainless.PGPainless; import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.Feature; @@ -30,20 +34,83 @@ import org.pgpainless.key.generation.type.KeyType; public class KeySpecBuilder implements KeySpecBuilderInterface { private final KeyType type; + private final KeyFlag[] keyFlags; private final PGPSignatureSubpacketGenerator hashedSubPackets = new PGPSignatureSubpacketGenerator(); + private final AlgorithmSuite algorithmSuite = PGPainless.getPolicy().getKeyGenerationAlgorithmSuite(); + private Set preferredCompressionAlgorithms = algorithmSuite.getCompressionAlgorithms(); + private Set preferredHashAlgorithms = algorithmSuite.getHashAlgorithms(); + private Set preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms(); - KeySpecBuilder(@Nonnull KeyType type) { + KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) { + if (flags == null || flags.length == 0) { + throw new IllegalArgumentException("KeyFlags cannot be empty."); + } + assureKeyCanCarryFlags(type, flags); this.type = type; + this.keyFlags = flags; } @Override - public WithDetailedConfiguration withKeyFlags(@Nonnull KeyFlag... flags) { - assureKeyCanCarryFlags(flags); - this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(flags)); - return new WithDetailedConfigurationImpl(); + public KeySpecBuilder overridePreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... compressionAlgorithms) { + this.preferredCompressionAlgorithms = new LinkedHashSet<>(Arrays.asList(compressionAlgorithms)); + return this; } - private void assureKeyCanCarryFlags(KeyFlag... flags) { + @Override + public KeySpecBuilder overridePreferredHashAlgorithms(@Nonnull HashAlgorithm... preferredHashAlgorithms) { + this.preferredHashAlgorithms = new LinkedHashSet<>(Arrays.asList(preferredHashAlgorithms)); + return this; + } + + @Override + public KeySpecBuilder overridePreferredSymmetricKeyAlgorithms(@Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms) { + this.preferredSymmetricAlgorithms = new LinkedHashSet<>(Arrays.asList(preferredSymmetricKeyAlgorithms)); + return this; + } + + + @Override + public KeySpec build() { + this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(keyFlags)); + this.hashedSubPackets.setPreferredCompressionAlgorithms(false, getPreferredCompressionAlgorithmIDs()); + this.hashedSubPackets.setPreferredHashAlgorithms(false, getPreferredHashAlgorithmIDs()); + this.hashedSubPackets.setPreferredSymmetricAlgorithms(false, getPreferredSymmetricKeyAlgorithmIDs()); + this.hashedSubPackets.setFeature(false, Feature.MODIFICATION_DETECTION.getFeatureId()); + + return new KeySpec( + KeySpecBuilder.this.type, + hashedSubPackets, + false); + } + + private int[] getPreferredCompressionAlgorithmIDs() { + int[] ids = new int[preferredCompressionAlgorithms.size()]; + Iterator iterator = preferredCompressionAlgorithms.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return ids; + } + + private int[] getPreferredHashAlgorithmIDs() { + int[] ids = new int[preferredHashAlgorithms.size()]; + Iterator iterator = preferredHashAlgorithms.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return ids; + } + + private int[] getPreferredSymmetricKeyAlgorithmIDs() { + int[] ids = new int[preferredSymmetricAlgorithms.size()]; + Iterator iterator = preferredSymmetricAlgorithms.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return ids; + } + + private static void assureKeyCanCarryFlags(KeyType type, KeyFlag... flags) { final int mask = KeyFlag.toBitmask(flags); if (!type.canCertify() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) { @@ -66,120 +133,4 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION."); } } - - @Override - public KeySpec withInheritedSubPackets() { - return new KeySpec(type, null, true); - } - - class WithDetailedConfigurationImpl implements WithDetailedConfiguration { - - @Deprecated - @Override - public WithPreferredSymmetricAlgorithms withDetailedConfiguration() { - return new WithPreferredSymmetricAlgorithmsImpl(); - } - - @Override - public KeySpec withDefaultAlgorithms() { - AlgorithmSuite defaultSuite = AlgorithmSuite.getDefaultAlgorithmSuite(); - hashedSubPackets.setPreferredCompressionAlgorithms(false, defaultSuite.getCompressionAlgorithmIds()); - hashedSubPackets.setPreferredSymmetricAlgorithms(false, defaultSuite.getSymmetricKeyAlgorithmIds()); - hashedSubPackets.setPreferredHashAlgorithms(false, defaultSuite.getHashAlgorithmIds()); - hashedSubPackets.setFeature(false, Features.FEATURE_MODIFICATION_DETECTION); - - return new KeySpec( - KeySpecBuilder.this.type, - KeySpecBuilder.this.hashedSubPackets, - false); - } - } - - class WithPreferredSymmetricAlgorithmsImpl implements WithPreferredSymmetricAlgorithms { - - @Override - public WithPreferredHashAlgorithms withPreferredSymmetricAlgorithms(@Nonnull SymmetricKeyAlgorithm... algorithms) { - int[] ids = new int[algorithms.length]; - for (int i = 0; i < ids.length; i++) { - ids[i] = algorithms[i].getAlgorithmId(); - } - KeySpecBuilder.this.hashedSubPackets.setPreferredSymmetricAlgorithms(false, ids); - return new WithPreferredHashAlgorithmsImpl(); - } - - @Override - public WithPreferredHashAlgorithms withDefaultSymmetricAlgorithms() { - KeySpecBuilder.this.hashedSubPackets.setPreferredSymmetricAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getSymmetricKeyAlgorithmIds()); - return new WithPreferredHashAlgorithmsImpl(); - } - - @Override - public WithFeatures withDefaultAlgorithms() { - hashedSubPackets.setPreferredSymmetricAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getSymmetricKeyAlgorithmIds()); - hashedSubPackets.setPreferredCompressionAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getCompressionAlgorithmIds()); - hashedSubPackets.setPreferredHashAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getHashAlgorithmIds()); - return new WithFeaturesImpl(); - } - } - - class WithPreferredHashAlgorithmsImpl implements WithPreferredHashAlgorithms { - - @Override - public WithPreferredCompressionAlgorithms withPreferredHashAlgorithms(@Nonnull HashAlgorithm... algorithms) { - int[] ids = new int[algorithms.length]; - for (int i = 0; i < ids.length; i++) { - ids[i] = algorithms[i].getAlgorithmId(); - } - KeySpecBuilder.this.hashedSubPackets.setPreferredHashAlgorithms(false, ids); - return new WithPreferredCompressionAlgorithmsImpl(); - } - - @Override - public WithPreferredCompressionAlgorithms withDefaultHashAlgorithms() { - KeySpecBuilder.this.hashedSubPackets.setPreferredHashAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getHashAlgorithmIds()); - return new WithPreferredCompressionAlgorithmsImpl(); - } - } - - class WithPreferredCompressionAlgorithmsImpl implements WithPreferredCompressionAlgorithms { - - @Override - public WithFeatures withPreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... algorithms) { - int[] ids = new int[algorithms.length]; - for (int i = 0; i < ids.length; i++) { - ids[i] = algorithms[i].getAlgorithmId(); - } - KeySpecBuilder.this.hashedSubPackets.setPreferredCompressionAlgorithms(false, ids); - return new WithFeaturesImpl(); - } - - @Override - public WithFeatures withDefaultCompressionAlgorithms() { - KeySpecBuilder.this.hashedSubPackets.setPreferredCompressionAlgorithms(false, - AlgorithmSuite.getDefaultAlgorithmSuite().getCompressionAlgorithmIds()); - return new WithFeaturesImpl(); - } - } - - class WithFeaturesImpl implements WithFeatures { - - @Override - public WithFeatures withFeature(@Nonnull Feature feature) { - KeySpecBuilder.this.hashedSubPackets.setFeature(false, feature.getFeatureId()); - return this; - } - - @Override - public KeySpec done() { - return new KeySpec( - KeySpecBuilder.this.type, - hashedSubPackets, - false); - } - } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java index f16959fd..2f366531 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java @@ -18,55 +18,16 @@ package org.pgpainless.key.generation; import javax.annotation.Nonnull; import org.pgpainless.algorithm.CompressionAlgorithm; -import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; public interface KeySpecBuilderInterface { - WithDetailedConfiguration withKeyFlags(@Nonnull KeyFlag... flags); + KeySpecBuilder overridePreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... compressionAlgorithms); - KeySpec withInheritedSubPackets(); + KeySpecBuilder overridePreferredHashAlgorithms(@Nonnull HashAlgorithm... preferredHashAlgorithms); - interface WithDetailedConfiguration { - - WithPreferredSymmetricAlgorithms withDetailedConfiguration(); - - KeySpec withDefaultAlgorithms(); - } - - interface WithPreferredSymmetricAlgorithms { - - WithPreferredHashAlgorithms withPreferredSymmetricAlgorithms(@Nonnull SymmetricKeyAlgorithm... algorithms); - - WithPreferredHashAlgorithms withDefaultSymmetricAlgorithms(); - - WithFeatures withDefaultAlgorithms(); - - } - - interface WithPreferredHashAlgorithms { - - WithPreferredCompressionAlgorithms withPreferredHashAlgorithms(@Nonnull HashAlgorithm... algorithms); - - WithPreferredCompressionAlgorithms withDefaultHashAlgorithms(); - - } - - interface WithPreferredCompressionAlgorithms { - - WithFeatures withPreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... algorithms); - - WithFeatures withDefaultCompressionAlgorithms(); - - } - - interface WithFeatures { - - WithFeatures withFeature(@Nonnull Feature feature); - - KeySpec done(); - } + KeySpecBuilder overridePreferredSymmetricKeyAlgorithms(@Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms); + KeySpec build(); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java index f2e3280a..44dd55b4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java @@ -21,6 +21,9 @@ import java.util.EnumMap; import java.util.List; import java.util.Map; +import javax.annotation.Nonnull; + +import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; @@ -48,6 +51,8 @@ public final class Policy { PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy(); private final NotationRegistry notationRegistry = new NotationRegistry(); + private AlgorithmSuite keyGenerationAlgorithmSuite = AlgorithmSuite.getDefaultAlgorithmSuite(); + Policy() { } @@ -122,7 +127,7 @@ public final class Policy { * * @return symmetric algorithm policy for decryption */ - public SymmetricKeyAlgorithmPolicy getSymmetricKeyDecryptionAlgoritmPolicy() { + public SymmetricKeyAlgorithmPolicy getSymmetricKeyDecryptionAlgorithmPolicy() { return symmetricKeyDecryptionAlgorithmPolicy; } @@ -459,4 +464,21 @@ public final class Policy { public NotationRegistry getNotationRegistry() { return notationRegistry; } + + /** + * Return the current {@link AlgorithmSuite} which defines preferred algorithms used during key generation. + * @return current algorithm suite + */ + public @Nonnull AlgorithmSuite getKeyGenerationAlgorithmSuite() { + return keyGenerationAlgorithmSuite; + } + + /** + * Set a custom {@link AlgorithmSuite} which defines preferred algorithms used during key generation. + * + * @param algorithmSuite custom algorithm suite + */ + public void setKeyGenerationAlgorithmSuite(@Nonnull AlgorithmSuite algorithmSuite) { + this.keyGenerationAlgorithmSuite = algorithmSuite; + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 1fd80e02..c7bd68dc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -88,8 +88,13 @@ public class EncryptDecryptTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(ElGamal.withLength(ElGamalLength._3072)).withKeyFlags(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS).withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096)).withKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER).withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder( + ElGamal.withLength(ElGamalLength._3072), + KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) + .build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._4096), + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER).build()) .withPrimaryUserId("juliet@capulet.lit").withoutPassphrase().build(); encryptDecryptForSecretKeyRings(sender, recipient); @@ -262,7 +267,7 @@ public class EncryptDecryptTest { EncryptionStream signer = PGPainless.encryptAndOrSign().onOutputStream(signOut) .withOptions(ProducerOptions.sign( SigningOptions.get() - .addInlineSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) + .addInlineSignature(keyRingProtector, signingKeys, DocumentSignatureType.BINARY_DOCUMENT) ).setAsciiArmor(true)); Streams.pipeAll(inputStream, signer); signer.close(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index 78617349..f0aef576 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -59,13 +59,12 @@ public class EncryptionOptionsTest { @BeforeAll public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS).withDefaultAlgorithms()) - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_STORAGE).withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) + .build()) + .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE) + .build()) + .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) + .build()) .withPrimaryUserId("test@pgpainless.org") .withoutPassphrase() .build(); @@ -140,8 +139,8 @@ public class EncryptionOptionsTest { public void testAddRecipient_KeyWithoutEncryptionKeyFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { EncryptionOptions options = new EncryptionOptions(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA).withDefaultAlgorithms()) + .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .build()) .withPrimaryUserId("test@pgpainless.org") .withoutPassphrase().build(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index e9e65a0f..75e847f5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -27,16 +27,13 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.EncryptionPurpose; -import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.generation.KeySpec; -import org.pgpainless.key.generation.KeySpecBuilderInterface; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; @@ -162,24 +159,20 @@ public class GenerateKeys { * the specifications for the subkeys first (in {@link org.pgpainless.key.generation.KeyRingBuilderInterface#withSubKey(KeySpec)}) * and add the primary key specification last (in {@link org.pgpainless.key.generation.KeyRingBuilderInterface#withPrimaryKey(KeySpec)}. * - * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType)} method and providing a {@link KeyType}. + * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag...)} method and providing a {@link KeyType}. * There are a bunch of factory methods for different {@link KeyType} implementations present in {@link KeyType} itself - * (such as {@link KeyType#ECDH(EllipticCurve)}. - * - * After that, the {@link org.pgpainless.key.generation.KeySpecBuilder} needs to be further configured. - * First of all, the keys {@link KeyFlag KeyFlags} need to be specified. {@link KeyFlag KeyFlags} determine + * (such as {@link KeyType#ECDH(EllipticCurve)}. {@link KeyFlag KeyFlags} determine * the use of the key, like encryption, signing data or certifying subkeys. - * KeyFlags can be set with {@link org.pgpainless.key.generation.KeySpecBuilder#withKeyFlags(KeyFlag...)}. * - * Next is algorithm setup. You can either trust PGPainless' defaults (see {@link AlgorithmSuite#getDefaultAlgorithmSuite()}), - * or specify your own algorithm preferences. - * To go with the defaults, call {@link KeySpecBuilderInterface.WithDetailedConfiguration#withDefaultAlgorithms()}, - * otherwise start detailed config with {@link KeySpecBuilderInterface.WithDetailedConfiguration#withDetailedConfiguration()}. + * If you so desire, you can now specify your own algorithm preferences. + * For that, see {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredCompressionAlgorithms(CompressionAlgorithm...)}, + * {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredHashAlgorithms(HashAlgorithm...)} or + * {@link org.pgpainless.key.generation.KeySpecBuilder#overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm...)}. * * Note, that if you set preferred algorithms, the preference lists are sorted from high priority to low priority. * * When setting the primary key spec ({@link org.pgpainless.key.generation.KeyRingBuilder#withPrimaryKey(KeySpec)}), - * make sure that the primary key spec has the {@link KeyFlag} {@link KeyFlag#CERTIFY_OTHER} set, as this is an requirement + * make sure that the primary key spec has the {@link KeyFlag} {@link KeyFlag#CERTIFY_OTHER} set, as this is a requirement * for primary keys. * * Furthermore you have to set at least the primary user-id via @@ -187,7 +180,7 @@ public class GenerateKeys { * but you can also add additional user-ids via * {@link org.pgpainless.key.generation.KeyRingBuilderInterface.WithAdditionalUserIdOrPassphrase#withAdditionalUserId(String)}. * - * Lastly you can decide whether or not to set a passphrase to protect the secret key. + * Lastly you can decide whether to set a passphrase to protect the secret key. * * @throws PGPException * @throws InvalidAlgorithmParameterException @@ -211,38 +204,33 @@ public class GenerateKeys { // Add the first subkey (in this case encryption) .withSubKey( KeySpec.getBuilder( - // We choose an ECDH key over the brainpoolp256r1 curve - KeyType.ECDH(EllipticCurve._BRAINPOOLP256R1) - ) - // Our key can encrypt both communication data, as well as data at rest - .withKeyFlags(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) + // We choose an ECDH key over the brainpoolp256r1 curve + KeyType.ECDH(EllipticCurve._BRAINPOOLP256R1), + // Our key can encrypt both communication data, as well as data at rest + KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS + ) // Optionally: Configure the subkey with custom algorithm preferences // Is is recommended though to go with PGPainless' defaults which can be found in the // AlgorithmSuite class. - .withDetailedConfiguration() - .withPreferredSymmetricAlgorithms(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128) - .withPreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256) - .withPreferredCompressionAlgorithms(CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZLIB) - // Modification Detection is highly recommended - .withFeature(Feature.MODIFICATION_DETECTION) - .done() + .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128) + .overridePreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256) + .overridePreferredCompressionAlgorithms(CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZLIB) + .build() ) // Add the second subkey (signing) .withSubKey( KeySpec.getBuilder( - KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1) - ) - // This key is used for creating signatures only - .withKeyFlags(KeyFlag.SIGN_DATA) - // Instead of manually specifying algorithm preferences, we can simply use PGPainless' sane defaults - .withDefaultAlgorithms() + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), + // This key is used for creating signatures only + KeyFlag.SIGN_DATA + ).build() ) // Lastly we add the primary key (certification only in our case) .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags - .withKeyFlags(KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms() + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), + // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags + KeyFlag.CERTIFY_OTHER) + .build() ) // Set primary user-id .withPrimaryUserId(userId) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 64c6814a..f8be9714 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -187,9 +187,8 @@ public class ModifyKeys { Passphrase subkeyPassphrase = Passphrase.fromPassword("subk3yP4ssphr4s3"); secretKey = PGPainless.modifyKeyRing(secretKey) .addSubKey( - KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._BRAINPOOLP512R1)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms(), + KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._BRAINPOOLP512R1), KeyFlag.ENCRYPT_COMMS) + .build(), subkeyPassphrase, protector) .done(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index 8949726a..aeafaf59 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -54,12 +54,10 @@ public class BrainpoolKeyGenerationTest { for (EllipticCurve curve : EllipticCurve.values()) { PGPSecretKeyRing secretKeys = generateKey( - KeySpec.getBuilder(KeyType.ECDSA(curve)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDefaultAlgorithms(), - KeySpec.getBuilder(KeyType.ECDH(curve)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .withDefaultAlgorithms(), + KeySpec.getBuilder( + KeyType.ECDSA(curve), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA).build(), + KeySpec.getBuilder( + KeyType.ECDH(curve), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).build(), "Elliptic Curve "); assertEquals(PublicKeyAlgorithm.ECDSA, PublicKeyAlgorithm.fromId(secretKeys.getPublicKey().getAlgorithm())); @@ -85,18 +83,15 @@ public class BrainpoolKeyGenerationTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .withDefaultAlgorithms()) - .withSubKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build()) + .withSubKey(KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) + .build()) + .withSubKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA) + .build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.CERTIFY_OTHER).build()) .withPrimaryUserId(UserId.nameAndEmail("Alice", "alice@pgpainless.org")) .withPassphrase(Passphrase.fromPassword("passphrase")) .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index 9a631e15..65b7a71f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -47,9 +47,8 @@ public class CertificationKeyMustBeAbleToCertifyTest { assertThrows(IllegalArgumentException.class, () -> PGPainless .generateKeyRing() .withPrimaryKey(KeySpec - .getBuilder(type) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) + .getBuilder(type, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .build()) .withPrimaryUserId("should@throw.ex") .withoutPassphrase().build()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index 01dc2fcb..9e60eca6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -41,12 +41,11 @@ public class GenerateEllipticCurveKeyTest { public void generateEllipticCurveKeys(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .build()) .withPrimaryUserId(UserId.onlyEmail("alice@wonderland.lit").toString()) .withoutPassphrase() .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index 46a3a652..33db6fc5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -47,9 +47,10 @@ public class GenerateKeyWithAdditionalUserIdTest { ImplementationFactory.setFactoryImplementation(implementationFactory); Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) + .build()) .withPrimaryUserId(UserId.onlyEmail("primary@user.id")) .withAdditionalUserId(UserId.onlyEmail("additional@user.id")) .withAdditionalUserId(UserId.onlyEmail("additional2@user.id")) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java index 0cc02f86..60e7c131 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java @@ -46,9 +46,10 @@ public class GenerateWithEmptyPassphrase { ImplementationFactory.setFactoryImplementation(implementationFactory); assertNotNull(PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) + .build()) .withPrimaryUserId("primary@user.id") .withPassphrase(Passphrase.emptyPassphrase()) .build()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java index 5803f6ef..0a861518 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java @@ -19,7 +19,6 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; -import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; @@ -32,29 +31,19 @@ public class IllegalKeyFlagsTest { @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") public void testKeyCannotCarryFlagsTest(ImplementationFactory implementationFactory) { ImplementationFactory.setFactoryImplementation(implementationFactory); - assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.SIGN_DATA) // <- should throw - .withDefaultAlgorithms())); + assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.SIGN_DATA)); - assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER) // <- should throw - .withDefaultAlgorithms())); + assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.CERTIFY_OTHER)); - assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.AUTHENTICATION) // <- should throw - .withDefaultAlgorithms())); + assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.AUTHENTICATION)); - assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) // <- should throw - .withDefaultAlgorithms())); + assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.ENCRYPT_COMMS)); - assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.ENCRYPT_STORAGE) // <- should throw as well - .withDefaultAlgorithms())); + assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.ENCRYPT_STORAGE)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index fefc1cf6..f1413a97 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -221,9 +221,14 @@ public class KeyRingInfoTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._BRAINPOOLP384R1)).withKeyFlags(KeyFlag.ENCRYPT_STORAGE).withDefaultAlgorithms()) - .withSubKey(KeySpec.getBuilder(KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1)).withKeyFlags(KeyFlag.SIGN_DATA).withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)).withKeyFlags(KeyFlag.CERTIFY_OTHER).withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder( + KeyType.ECDH(EllipticCurve._BRAINPOOLP384R1), + KeyFlag.ENCRYPT_STORAGE).build()) + .withSubKey(KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA) + .build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER).build()) .withPrimaryUserId(UserId.newBuilder().withName("Alice").withEmail("alice@pgpainless.org").build()) .withoutPassphrase() .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index caaf6ac0..fce78fcd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -51,12 +51,13 @@ public class UserIdRevocationTest { @Test public void testRevocationWithoutRevocationAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) + .build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) + .build()) .withPrimaryUserId("primary@key.id") .withAdditionalUserId("secondary@key.id") .withoutPassphrase() @@ -91,12 +92,12 @@ public class UserIdRevocationTest { @Test public void testRevocationWithRevocationReason() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) + .build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) + .build()) .withPrimaryUserId("primary@key.id") .withAdditionalUserId("secondary@key.id") .withoutPassphrase() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index fb4b6b4b..c6a4dd8d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -61,9 +61,7 @@ public class AddSubKeyTest { secretKeys = PGPainless.modifyKeyRing(secretKeys) .addSubKey( - KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256)) - .withKeyFlags(KeyFlag.SIGN_DATA) - .withDefaultAlgorithms(), + KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA).build(), Passphrase.fromPassword("subKeyPassphrase"), PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("password123"))) .done(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java index 732f1b47..c4819861 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java @@ -89,14 +89,14 @@ public class PolicyTest { @Test public void testAcceptableSymmetricKeyDecryptionAlgorithm() { - assertTrue(policy.getSymmetricKeyDecryptionAlgoritmPolicy().isAcceptable(SymmetricKeyAlgorithm.BLOWFISH)); - assertTrue(policy.getSymmetricKeyDecryptionAlgoritmPolicy().isAcceptable(SymmetricKeyAlgorithm.BLOWFISH.getAlgorithmId())); + assertTrue(policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(SymmetricKeyAlgorithm.BLOWFISH)); + assertTrue(policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(SymmetricKeyAlgorithm.BLOWFISH.getAlgorithmId())); } @Test public void testUnAcceptableSymmetricKeyDecryptionAlgorithm() { - assertFalse(policy.getSymmetricKeyDecryptionAlgoritmPolicy().isAcceptable(SymmetricKeyAlgorithm.CAMELLIA_128)); - assertFalse(policy.getSymmetricKeyDecryptionAlgoritmPolicy().isAcceptable(SymmetricKeyAlgorithm.CAMELLIA_128.getAlgorithmId())); + assertFalse(policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(SymmetricKeyAlgorithm.CAMELLIA_128)); + assertFalse(policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(SymmetricKeyAlgorithm.CAMELLIA_128.getAlgorithmId())); } @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index eb707e34..7cee1a7c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -47,12 +47,11 @@ public class BCUtilTest { throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sec = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS) - .withDefaultAlgorithms()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDefaultAlgorithms()) + .withSubKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.ENCRYPT_COMMS).build()) + .withPrimaryKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .build()) .withPrimaryUserId("donald@duck.tails").withoutPassphrase().build(); PGPPublicKeyRing pub = KeyRingUtils.publicKeyRingFrom(sec); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index ebc15725..05f676cf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -41,15 +41,12 @@ public class GuessPreferredHashAlgorithmTest { @Test public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .withDetailedConfiguration() - // Do not specify preferred algorithms - .withPreferredSymmetricAlgorithms(new SymmetricKeyAlgorithm[] {}) - .withPreferredHashAlgorithms(new HashAlgorithm[] {}) - .withPreferredCompressionAlgorithms(new CompressionAlgorithm[] {}) - - .done()) + .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .overridePreferredHashAlgorithms(new HashAlgorithm[] {}) + .overridePreferredSymmetricKeyAlgorithms(new SymmetricKeyAlgorithm[] {}) + .overridePreferredCompressionAlgorithms(new CompressionAlgorithm[] {}) + .build()) .withPrimaryUserId("test@test.test") .withoutPassphrase() .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index 772995cb..4bf93212 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -38,12 +38,12 @@ public class TestEncryptCommsStorageFlagsDifferentiated { @Test public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072)) - .withKeyFlags(KeyFlag.CERTIFY_OTHER, + .withPrimaryKey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_STORAGE // no ENCRYPT_COMMS - ) - .withDefaultAlgorithms()) + ).build()) .withPrimaryUserId("cannot@encrypt.comms") .withoutPassphrase() .build(); From 11ad6361f85e0980ddf547519bd2c0c3b7b993c7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 19:36:03 +0200 Subject: [PATCH 0012/1450] Reformat arguments --- .../java/org/pgpainless/key/generation/KeySpecBuilder.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index 38e82e4e..bbc7f14a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -77,10 +77,7 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { this.hashedSubPackets.setPreferredSymmetricAlgorithms(false, getPreferredSymmetricKeyAlgorithmIDs()); this.hashedSubPackets.setFeature(false, Feature.MODIFICATION_DETECTION.getFeatureId()); - return new KeySpec( - KeySpecBuilder.this.type, - hashedSubPackets, - false); + return new KeySpec(type, hashedSubPackets, false); } private int[] getPreferredCompressionAlgorithmIDs() { From fedf7c0cf889ecf950b5c2d6ca40a5f07aa282bf Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 19:39:42 +0200 Subject: [PATCH 0013/1450] Make AlgorithmSuite members final and remove setters --- .../pgpainless/algorithm/AlgorithmSuite.java | 46 +----------- .../algorithm/AlgorithmSuiteTest.java | 73 ------------------- 2 files changed, 3 insertions(+), 116 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/AlgorithmSuiteTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java index 17445df5..487ffad4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java @@ -15,7 +15,6 @@ */ package org.pgpainless.algorithm; -import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.LinkedHashSet; @@ -45,9 +44,9 @@ public class AlgorithmSuite { CompressionAlgorithm.UNCOMPRESSED) ); - private Set symmetricKeyAlgorithms; - private Set hashAlgorithms; - private Set compressionAlgorithms; + private final Set symmetricKeyAlgorithms; + private final Set hashAlgorithms; + private final Set compressionAlgorithms; public AlgorithmSuite(List symmetricKeyAlgorithms, List hashAlgorithms, @@ -57,57 +56,18 @@ public class AlgorithmSuite { this.compressionAlgorithms = Collections.unmodifiableSet(new LinkedHashSet<>(compressionAlgorithms)); } - public void setSymmetricKeyAlgorithms(List symmetricKeyAlgorithms) { - this.symmetricKeyAlgorithms = Collections.unmodifiableSet(new LinkedHashSet<>(symmetricKeyAlgorithms)); - } - public Set getSymmetricKeyAlgorithms() { return new LinkedHashSet<>(symmetricKeyAlgorithms); } - public int[] getSymmetricKeyAlgorithmIds() { - int[] array = new int[symmetricKeyAlgorithms.size()]; - List list = new ArrayList<>(getSymmetricKeyAlgorithms()); - for (int i = 0; i < array.length; i++) { - array[i] = list.get(i).getAlgorithmId(); - } - return array; - } - - public void setHashAlgorithms(List hashAlgorithms) { - this.hashAlgorithms = Collections.unmodifiableSet(new LinkedHashSet<>(hashAlgorithms)); - } - public Set getHashAlgorithms() { return new LinkedHashSet<>(hashAlgorithms); } - public int[] getHashAlgorithmIds() { - int[] array = new int[hashAlgorithms.size()]; - List list = new ArrayList<>(getHashAlgorithms()); - for (int i = 0; i < array.length; i++) { - array[i] = list.get(i).getAlgorithmId(); - } - return array; - } - - public void setCompressionAlgorithms(List compressionAlgorithms) { - this.compressionAlgorithms = Collections.unmodifiableSet(new LinkedHashSet<>(compressionAlgorithms)); - } - public Set getCompressionAlgorithms() { return new LinkedHashSet<>(compressionAlgorithms); } - public int[] getCompressionAlgorithmIds() { - int[] array = new int[compressionAlgorithms.size()]; - List list = new ArrayList<>(getCompressionAlgorithms()); - for (int i = 0; i < array.length; i++) { - array[i] = list.get(i).getAlgorithmId(); - } - return array; - } - public static AlgorithmSuite getDefaultAlgorithmSuite() { return defaultAlgorithmSuite; } diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/AlgorithmSuiteTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/AlgorithmSuiteTest.java deleted file mode 100644 index 89ac5a2a..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/AlgorithmSuiteTest.java +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.pgpainless.algorithm; - -import static org.junit.jupiter.api.Assertions.assertEquals; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; - -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; - -public class AlgorithmSuiteTest { - - private AlgorithmSuite suite; - - @BeforeEach - public void resetEmptyAlgorithmSuite() { - suite = new AlgorithmSuite( - Collections.emptyList(), - Collections.emptyList(), - Collections.emptyList() - ); - } - - @Test - public void setSymmetricAlgorithmsTest() { - List algorithmList = Arrays.asList( - SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_256 - ); - - suite.setSymmetricKeyAlgorithms(algorithmList); - - assertEquals(algorithmList, new ArrayList<>(suite.getSymmetricKeyAlgorithms())); - } - - @Test - public void setHashAlgorithmsTest() { - List algorithmList = Arrays.asList( - HashAlgorithm.SHA256, HashAlgorithm.SHA384, HashAlgorithm.SHA512 - ); - - suite.setHashAlgorithms(algorithmList); - - assertEquals(algorithmList, new ArrayList<>(suite.getHashAlgorithms())); - } - - @Test - public void setCompressionAlgorithmsTest() { - List algorithmList = Arrays.asList( - CompressionAlgorithm.ZLIB, CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2 - ); - - suite.setCompressionAlgorithms(algorithmList); - - assertEquals(algorithmList, new ArrayList<>(suite.getCompressionAlgorithms())); - } -} From cff69006f7e350c572614cfafe4dc3a69f435c48 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Sep 2021 19:50:24 +0200 Subject: [PATCH 0014/1450] Update readme --- README.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 64f2e002..406d4eca 100644 --- a/README.md +++ b/README.md @@ -76,22 +76,19 @@ There are some predefined key archetypes, but it is possible to fully customize // Customized key PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() .withSubKey( - KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256)) - .withKeyFlags(KeyFlag.SIGN_DATA) - .withDetailedConfiguration() - .withDefaultSymmetricAlgorithms() - .withDefaultHashAlgorithms() - .withPreferredCompressionAlgorithms(CompressionAlgorithm.ZLIB) - .withFeature(Feature.MODIFICATION_DETECTION) - .done() + KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA) + .overrideCompressionAlgorithms(CompressionAlgorithm.ZLIB) + .build() ).withSubKey( - KeySpec.getBuilder(ECDH.fromCurve(EllipticCurve._P256)) - .withKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .withDefaultAlgorithms() + KeySpec.getBuilder( + ECDH.fromCurve(EllipticCurve._P256), + KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) + .build() ).withMasterKey( - KeySpec.getBuilder(RSA.withLength(RsaLength._8192)) - .withKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .withDefaultAlgorithms() + KeySpec.getBuilder( + RSA.withLength(RsaLength._8192), + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) + .build() ).withPrimaryUserId("Juliet ") .withAdditionalUserId("xmpp:juliet@capulet.lit") .withPassphrase("romeo_oh_Romeo<3") From 81379a51765c7634d78d21a0d688a86e535f118f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Sep 2021 21:49:02 +0200 Subject: [PATCH 0015/1450] Add MessageInspector utility class which can be used to determine encryption keys for a message --- .../MessageInspector.java | 103 ++++++++++++++++++ .../MessageInspectorTest.java | 74 +++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java new file mode 100644 index 00000000..7fc54810 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -0,0 +1,103 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.decryption_verification; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import org.bouncycastle.openpgp.PGPCompressedData; +import org.bouncycastle.openpgp.PGPEncryptedData; +import org.bouncycastle.openpgp.PGPEncryptedDataList; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPLiteralData; +import org.bouncycastle.openpgp.PGPObjectFactory; +import org.bouncycastle.openpgp.PGPPBEEncryptedData; +import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.ArmorUtils; + +/** + * Inspect an OpenPGP message to determine IDs of its encryption keys or whether it is passphrase protected. + */ +public final class MessageInspector { + + public static class EncryptionInfo { + private final List keyIds = new ArrayList<>(); + private boolean isPassphraseEncrypted = false; + + public List getKeyIds() { + return Collections.unmodifiableList(keyIds); + } + + public boolean isPassphraseEncrypted() { + return isPassphraseEncrypted; + } + } + + private MessageInspector() { + + } + + /** + * Parses parts of the provided OpenPGP message in order to determine which keys were used to encrypt it. + * Note: This method does not rewind the passed in Stream, so you might need to take care of that yourselves. + * + * @param dataIn openpgp message + * @return encryption information + * @throws IOException + * @throws PGPException + */ + public static EncryptionInfo determineEncryptionInfoForMessage(InputStream dataIn) throws IOException, PGPException { + InputStream decoded = ArmorUtils.getDecoderStream(dataIn); + EncryptionInfo info = new EncryptionInfo(); + + collectDecryptionKeyIDs(decoded, info); + + return info; + } + + private static void collectDecryptionKeyIDs(InputStream dataIn, EncryptionInfo info) throws PGPException { + PGPObjectFactory objectFactory = new PGPObjectFactory(dataIn, + ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + + for (Object next : objectFactory) { + if (next instanceof PGPEncryptedDataList) { + PGPEncryptedDataList encryptedDataList = (PGPEncryptedDataList) next; + for (PGPEncryptedData encryptedData : encryptedDataList) { + if (encryptedData instanceof PGPPublicKeyEncryptedData) { + PGPPublicKeyEncryptedData pubKeyEncryptedData = (PGPPublicKeyEncryptedData) encryptedData; + info.keyIds.add(pubKeyEncryptedData.getKeyID()); + } else if (encryptedData instanceof PGPPBEEncryptedData) { + info.isPassphraseEncrypted = true; + } + } + } + + if (next instanceof PGPCompressedData) { + PGPCompressedData compressed = (PGPCompressedData) next; + InputStream decompressed = compressed.getDataStream(); + collectDecryptionKeyIDs(decompressed, info); + } + + if (next instanceof PGPLiteralData) { + return; + } + } + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java new file mode 100644 index 00000000..ff31ae7c --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java @@ -0,0 +1,74 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.junit.jupiter.api.Test; +import org.pgpainless.key.util.KeyIdUtil; + +public class MessageInspectorTest { + + @Test + public void testBasicMessageInspection() throws PGPException, IOException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wV4DR2b2udXyHrYSAQdAO6LtuB8LenDp1EPVSSYn1QCmTSPjeXj9Qdel7t6Ozi8w\n" + + "kewS+0AdZcvcd2PQEuCboilRAN4TTi9SziuSDNZe//suYHL7SRnOvX6mWSZoiKBm\n" + + "0j8BlbKlRhBzcNDj6DSKfM/KBhRaw0U9fGs01gq+RNXIHOOnzVjLK18xTNEkx72F\n" + + "Z1/i3TYsmy8B0mMKkNYtpMk=\n" + + "=IICf\n" + + "-----END PGP MESSAGE-----\n"; + + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage( + new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + + assertFalse(info.isPassphraseEncrypted()); + assertEquals(1, info.getKeyIds().size()); + assertEquals(KeyIdUtil.fromLongKeyId("4766F6B9D5F21EB6"), info.getKeyIds().get(0)); + } + + @Test + public void testMultipleRecipientKeysAndPassphrase() throws PGPException, IOException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "jC4ECQMCtjbxGuer3wJgmQNX6L5nrJzkOEsnsFxyDYmqpqaFaMRHwARfX2huZdNd\n" + + "hF4DTG6PmfbkcYQSAQdAxolEEp+NDhQXzf4/hN/4ihjSs16EoMVPxnQVZslvXm0w\n" + + "pCmY/zAd1i3cJjNw2IXtCUpAIwjGc3pJzPxnkm0aBSS1ejxTqKy34MlostqEveB+\n" + + "hF4DGDkHmmQLL6wSAQdAxdIJmu7Vbz12eG3lCUDuuwXW1s0ZsSftbUT3Ly+YMFIw\n" + + "TadDYpy4pAAC82G8Z291zMiyctJE5dPAEWE5/sIguJSTeeM3ltocCMfx3ZCbKiov\n" + + "jC4ECQMCssbl4ymUB6FgAVELIUXGolY6PgsnRmq3oBQbM7ysu+WsXm//CRXqfkgU\n" + + "0kABN21rVlCCSrgAQq2vY4GWQ8OfiUzJOWH//63VDYMJ5ehou9eFtOXq2YW9IUy4\n" + + "nxVuXey3iyihCFAfD8ZK1Rnh\n" + + "=z6e0\n" + + "-----END PGP MESSAGE-----"; + + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + + assertTrue(info.isPassphraseEncrypted()); + assertEquals(2, info.getKeyIds().size()); + assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("4C6E8F99F6E47184"))); + assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("1839079A640B2FAC"))); + } +} From ce645fc4297396aecc12ff2ce1e4f40ca4170f89 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 15 Sep 2021 16:33:03 +0200 Subject: [PATCH 0016/1450] Postpone decryption of PKESK if secret key passphrase is missing and try next PKESK first before passphrase retrieval using callback Fixes #186 --- .../ConsumerOptions.java | 2 +- .../DecryptionStreamFactory.java | 218 +++++++++++------ .../CachingSecretKeyRingProtector.java | 10 + .../PasswordBasedSecretKeyRingProtector.java | 15 ++ .../protection/SecretKeyRingProtector.java | 2 + .../protection/UnprotectedKeysProtector.java | 5 + .../MapBasedPassphraseProvider.java | 5 + .../SecretKeyPassphraseProvider.java | 2 + .../SolitaryPassphraseProvider.java | 5 + .../main/java/org/pgpainless/util/Tuple.java | 35 +++ ...tionUsingKeyWithMissingPassphraseTest.java | 221 ++++++++++++++++++ .../CachingSecretKeyRingProtectorTest.java | 5 + .../PassphraseProtectedKeyTest.java | 5 + .../SecretKeyRingProtectorTest.java | 5 + 14 files changed, 466 insertions(+), 69 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index 5e07e380..9ddecba0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -257,7 +257,7 @@ public class ConsumerOptions { return missingCertificateCallback; } - public @Nullable SecretKeyRingProtector getSecretKeyProtector(PGPSecretKeyRing decryptionKeyRing) { + public @Nonnull SecretKeyRingProtector getSecretKeyProtector(PGPSecretKeyRing decryptionKeyRing) { return decryptionKeys.get(decryptionKeyRing); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 1a6c27a3..84f94819 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -61,6 +61,7 @@ import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.signature.DetachedSignature; import org.pgpainless.signature.OnePassSignatureCheck; @@ -68,6 +69,7 @@ import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; import org.pgpainless.util.IntegrityProtectedInputStream; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.Tuple; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -276,93 +278,173 @@ public final class DecryptionStreamFactory { PGPPrivateKey decryptionKey = null; PGPPublicKeyEncryptedData encryptedSessionKey = null; + + List passphraseProtected = new ArrayList<>(); + List publicKeyProtected = new ArrayList<>(); + List> postponedDueToMissingPassphrase = new ArrayList<>(); + + // Sort PKESK and SKESK packets while (encryptedDataIterator.hasNext()) { PGPEncryptedData encryptedData = encryptedDataIterator.next(); - - // TODO: Can we just skip non-integrity-protected packages? + // TODO: Maybe just skip non-integrity-protected packages? if (!encryptedData.isIntegrityProtected()) { throw new MessageNotIntegrityProtectedException(); } - // Data is passphrase encrypted + // SKESK if (encryptedData instanceof PGPPBEEncryptedData) { - PGPPBEEncryptedData pbeEncryptedData = (PGPPBEEncryptedData) encryptedData; - for (Passphrase passphrase : options.getDecryptionPassphrases()) { - PBEDataDecryptorFactory passphraseDecryptor = ImplementationFactory.getInstance() - .getPBEDataDecryptorFactory(passphrase); - try { - InputStream decryptedDataStream = pbeEncryptedData.getDataStream(passphraseDecryptor); - - SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.fromId( - pbeEncryptedData.getSymmetricAlgorithm(passphraseDecryptor)); - throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); - resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); - - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData); - - return integrityProtectedEncryptedInputStream; - } catch (PGPException e) { - LOGGER.debug("Probable passphrase mismatch, skip PBE encrypted data block", e); - } - } + passphraseProtected.add((PGPPBEEncryptedData) encryptedData); } - - // data is public key encrypted + // PKESK else if (encryptedData instanceof PGPPublicKeyEncryptedData) { - PGPPublicKeyEncryptedData publicKeyEncryptedData = (PGPPublicKeyEncryptedData) encryptedData; - long keyId = publicKeyEncryptedData.getKeyID(); - if (!options.getDecryptionKeys().isEmpty()) { - // Known key id - if (keyId != 0) { - LOGGER.debug("PGPEncryptedData is encrypted for key {}", Long.toHexString(keyId)); - resultBuilder.addRecipientKeyId(keyId); - PGPSecretKeyRing decryptionKeyRing = findDecryptionKeyRing(keyId); - if (decryptionKeyRing != null) { - PGPSecretKey secretKey = decryptionKeyRing.getSecretKey(keyId); - LOGGER.debug("Found respective secret key {}", Long.toHexString(keyId)); - // Watch out! This assignment is possibly done multiple times. - encryptedSessionKey = publicKeyEncryptedData; - decryptionKey = UnlockSecretKey.unlockSecretKey(secretKey, options.getSecretKeyProtector(decryptionKeyRing)); - resultBuilder.setDecryptionKey(new SubkeyIdentifier(decryptionKeyRing, decryptionKey.getKeyID())); - } - } + publicKeyProtected.add((PGPPublicKeyEncryptedData) encryptedData); + } + } - // Hidden recipient - else { - LOGGER.debug("Hidden recipient detected. Try to decrypt with all available secret keys."); - outerloop: for (PGPSecretKeyRing ring : options.getDecryptionKeys()) { - KeyRingInfo info = new KeyRingInfo(ring); - List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); - for (PGPPublicKey pubkey : encryptionSubkeys) { - PGPSecretKey key = ring.getSecretKey(pubkey.getKeyID()); - if (key == null) { - continue; - } + // Try decryption with passphrases first + for (PGPPBEEncryptedData pbeEncryptedData : passphraseProtected) { + for (Passphrase passphrase : options.getDecryptionPassphrases()) { + PBEDataDecryptorFactory passphraseDecryptor = ImplementationFactory.getInstance() + .getPBEDataDecryptorFactory(passphrase); + try { + InputStream decryptedDataStream = pbeEncryptedData.getDataStream(passphraseDecryptor); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(key, options.getSecretKeyProtector(ring).getDecryptor(key.getKeyID())); - PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey); - try { - publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory); // will only succeed if we have the right secret key - LOGGER.debug("Found correct key {} for hidden recipient decryption.", Long.toHexString(key.getKeyID())); - decryptionKey = privateKey; - resultBuilder.setDecryptionKey(new SubkeyIdentifier(ring, decryptionKey.getKeyID())); - encryptedSessionKey = publicKeyEncryptedData; - break outerloop; - } catch (PGPException | ClassCastException e) { - LOGGER.debug("Skipping wrong key {} for hidden recipient decryption.", Long.toHexString(key.getKeyID()), e); - } - } - } - } + SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.fromId( + pbeEncryptedData.getSymmetricAlgorithm(passphraseDecryptor)); + throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); + resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); + + integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData); + + return integrityProtectedEncryptedInputStream; + } catch (PGPException e) { + LOGGER.debug("Probable passphrase mismatch, skip PBE encrypted data block", e); } } } + + // Then try decryption with public key encryption + for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) { + PGPPrivateKey privateKey = null; + if (options.getDecryptionKeys().isEmpty()) { + break; + } + + long keyId = publicKeyEncryptedData.getKeyID(); + // Wildcard KeyID + if (keyId == 0L) { + LOGGER.debug("Hidden recipient detected. Try to decrypt with all available secret keys."); + for (PGPSecretKeyRing secretKeys : options.getDecryptionKeys()) { + if (privateKey != null) { + break; + } + KeyRingInfo info = new KeyRingInfo(secretKeys); + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + for (PGPPublicKey pubkey : encryptionSubkeys) { + PGPSecretKey secretKey = secretKeys.getSecretKey(pubkey.getKeyID()); + // Skip missing secret key + if (secretKey == null) { + continue; + } + + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); + } + } + } + // Non-wildcard key-id + else { + LOGGER.debug("PGPEncryptedData is encrypted for key {}", Long.toHexString(keyId)); + resultBuilder.addRecipientKeyId(keyId); + + PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId); + if (secretKeys == null) { + LOGGER.debug("Missing certificate of {}. Skip.", Long.toHexString(keyId)); + continue; + } + + PGPSecretKey secretKey = secretKeys.getSecretKey(keyId); + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); + } + if (privateKey == null) { + continue; + } + decryptionKey = privateKey; + encryptedSessionKey = publicKeyEncryptedData; + } + + // Try postponed keys with missing passphrases (will cause missing passphrase callbacks to fire) + if (encryptedSessionKey == null) { + for (Tuple missingPassphrases : postponedDueToMissingPassphrase) { + SubkeyIdentifier keyId = missingPassphrases.getA(); + PGPPublicKeyEncryptedData publicKeyEncryptedData = missingPassphrases.getB(); + PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId.getKeyId()); + PGPSecretKey secretKey = secretKeys.getSecretKey(keyId.getSubkeyId()); + + PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, false); + if (privateKey == null) { + continue; + } + + decryptionKey = privateKey; + encryptedSessionKey = publicKeyEncryptedData; + break; + } + } + return decryptWith(encryptedSessionKey, decryptionKey); } + /** + * Try decryption of the provided public-key-encrypted-data using the given secret key. + * If the secret key is encrypted and the secret key protector does not have a passphrase available and the boolean + * postponeIfMissingPassphrase is true, data decryption is postponed by pushing a tuple of the encrypted data decryption key + * identifier to the postponed list. + * + * This method only returns a non-null private key, if the private key is able to decrypt the message successfully. + * + * @param secretKeys secret key ring + * @param secretKey secret key + * @param publicKeyEncryptedData encrypted data which is tried to decrypt using the secret key + * @param postponed list of postponed decryptions due to missing secret key passphrases + * @param postponeIfMissingPassphrase flag to specify whether missing secret key passphrases should result in postponed decryption + * @return private key if decryption is successful, null if decryption is unsuccessful or postponed + * + * @throws PGPException in case of an OpenPGP error + */ + private PGPPrivateKey tryPublicKeyDecryption( + PGPSecretKeyRing secretKeys, + PGPSecretKey secretKey, + PGPPublicKeyEncryptedData publicKeyEncryptedData, + List> postponed, + boolean postponeIfMissingPassphrase) throws PGPException { + SecretKeyRingProtector protector = options.getSecretKeyProtector(secretKeys); + + if (postponeIfMissingPassphrase && !protector.hasPassphraseFor(secretKey.getKeyID())) { + // Postpone decryption with key with missing passphrase + SubkeyIdentifier identifier = new SubkeyIdentifier(secretKeys, secretKey.getKeyID()); + postponed.add(new Tuple<>(identifier, publicKeyEncryptedData)); + return null; + } + + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey( + secretKey, protector.getDecryptor(secretKey.getKeyID())); + + // test if we have the right private key + PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance() + .getPublicKeyDataDecryptorFactory(privateKey); + try { + publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory); // will only succeed if we have the right secret key + LOGGER.debug("Found correct decryption key {}.", Long.toHexString(secretKey.getKeyID())); + resultBuilder.setDecryptionKey(new SubkeyIdentifier(secretKeys, privateKey.getKeyID())); + return privateKey; + } catch (PGPException | ClassCastException e) { + return null; + } + } + private InputStream decryptWith(PGPPublicKeyEncryptedData encryptedSessionKey, PGPPrivateKey decryptionKey) throws PGPException { - if (decryptionKey == null) { + if (decryptionKey == null || encryptedSessionKey == null) { throw new MissingDecryptionMethodException("Decryption failed - No suitable decryption key or passphrase found"); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index f1678230..e00a9f34 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -149,6 +149,16 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se return passphrase; } + @Override + public boolean hasPassphrase(Long keyId) { + return cache.containsKey(keyId); + } + + @Override + public boolean hasPassphraseFor(Long keyId) { + return cache.containsKey(keyId); + } + @Override @Nullable public PBESecretKeyDecryptor getDecryptor(@Nonnull Long keyId) throws PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java index e5678fb5..ace1739e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java @@ -65,6 +65,11 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect } return null; } + + @Override + public boolean hasPassphrase(Long keyId) { + return keyRing.getPublicKey(keyId) != null; + } }; return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); } @@ -80,10 +85,20 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect } return null; } + + @Override + public boolean hasPassphrase(Long keyId) { + return keyId == key.getKeyID(); + } }; return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); } + @Override + public boolean hasPassphraseFor(Long keyId) { + return passphraseProvider.hasPassphrase(keyId); + } + @Override @Nullable public PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java index d3881ea0..d57ab6fb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java @@ -38,6 +38,8 @@ import org.pgpainless.util.Passphrase; */ public interface SecretKeyRingProtector { + boolean hasPassphraseFor(Long keyId); + /** * Return a decryptor for the key of id {@code keyId}. * This method returns null if the key is unprotected. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java index fdac82da..0092b473 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java @@ -25,6 +25,11 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; */ public class UnprotectedKeysProtector implements SecretKeyRingProtector { + @Override + public boolean hasPassphraseFor(Long keyId) { + return true; + } + @Override @Nullable public PBESecretKeyDecryptor getDecryptor(Long keyId) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java index 24ea569d..9bf7a1fa 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java @@ -45,4 +45,9 @@ public class MapBasedPassphraseProvider implements SecretKeyPassphraseProvider { public Passphrase getPassphraseFor(Long keyId) { return map.get(keyId); } + + @Override + public boolean hasPassphrase(Long keyId) { + return map.containsKey(keyId); + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java index 342a4154..f2bf4fc8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java @@ -46,4 +46,6 @@ public interface SecretKeyPassphraseProvider { * @return passphrase or null, if no passphrase record has been found. */ @Nullable Passphrase getPassphraseFor(Long keyId); + + boolean hasPassphrase(Long keyId); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java index e251111f..c0983d15 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java @@ -36,4 +36,9 @@ public class SolitaryPassphraseProvider implements SecretKeyPassphraseProvider { // always return the same passphrase. return passphrase; } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java b/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java new file mode 100644 index 00000000..2f9407ea --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java @@ -0,0 +1,35 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.util; + +public class Tuple { + + private final A a; + private final B b; + + public Tuple(A a, B b) { + this.a = a; + this.b = b; + } + + public A getA() { + return a; + } + + public B getB() { + return b; + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java new file mode 100644 index 00000000..fbaff4ad --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -0,0 +1,221 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.fail; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.protection.CachingSecretKeyRingProtector; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; +import org.pgpainless.util.Passphrase; + +public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { + + private static PGPSecretKeyRing k1; + private static PGPSecretKeyRing k2; + private static final Passphrase p1 = Passphrase.fromPassword("P1"); + private static final Passphrase p2 = Passphrase.fromPassword("P2"); + + private static final String PLAINTEXT = "Hello, World!\n"; + + // message is encrypted for both k1 and k2. + // The first PKESK is for k1, the second for k2 + private static final String ENCRYPTED_FOR_K1_K2 = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4Dp8eMx2kPzEYSAQdAk0P2LL3pqZdq46eAGFkkESamDoPTn0EOLuPP+iA8lx8w\n" + + "RAMb6mUxPDVGqoXt05h2ps4BOTpy+Utsli0+BUzXTvtGM6RDTkaCuZvHQwPsggnN\n" + + "hF4DENqQkAsc7GgSAQdAJHwMR6+P5+HxwF8RqBEfrMCr0ZXWaLbekXf+FGTf/HYw\n" + + "+Et5NgaJazx0BdCf+D11Q4Vvem4Z9UEFL7x89B4mnv1dkJWRNwH6CkCNYVyIVrHi\n" + + "0kABB8V6DKCC1PNYlwCbSARz6X+xS9NsTFjGyROXajVEQ3x3ecLyKnyKxpcCJ2cb\n" + + "lfnLZ5ezQoyoukRkcdul1CWf\n" + + "=pvaA\n" + + "-----END PGP MESSAGE-----"; + + private static final String ENCRYPTED_FOR_K2_PASS_K1 = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DENqQkAsc7GgSAQdAqtuQIjsRLypFfT8UykXqOv0dnrZWcrZBEiek4DNufmsw\n" + + "zRgbpnyKme7LaM+Lu0yJk9wUsvdpypB5GrKY9cD1Hg5nx4bGyujC6olowa/8o6Xe\n" + + "jC4ECQMCrjrXCpFawJtgj0y9PpciV6TpHJtI+lGbMed1+c5u3+U/HpRjLl3wBv9C\n" + + "hF4Dp8eMx2kPzEYSAQdA+Qrv5R4hOnOuVHDJpCCW72ONcdnzEhw45MxT/7mp3nQw\n" + + "8xs3dyVjMwmvqhbce9LIRdEM5YBWj3nBQM5ZQURAaQHPTTFuqCd8AgbeUz5FOFrA\n" + + "0kABJpvij5utFmhTVDqm3TrWOAmZ/eba0GMg0g/vFh7HoEGr1gRHLpc+vaIMs+fF\n" + + "uXVb1J9NX60PiBqxnM2iIBtD\n" + + "=p8Ye\n" + + "-----END PGP MESSAGE-----"; + private static final Passphrase PASSPHRASE = Passphrase.fromPassword("Wow!"); + + @BeforeAll + public static void prepareKeys() throws IOException { + k1 = PGPainless.readKeyRing().secretKeyRing("-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 9D0D 40DD 5B0A B5C7 9E73 E847 71BD 67EB 18A5 1034\n" + + "Comment: K1\n" + + "\n" + + "lIYEYUH25xYJKwYBBAHaRw8BAQdAfnFMBZxpsZiJ0yheGIzWEQixVWexv3oxBpUS\n" + + "kboJPIP+CQMCBjB6dP815OFgNjItEDhZVpGgZfHd9eqdNGj7RRiz7QN6Egk4kpGF\n" + + "Mqd0wZ8Ey4vmiYaeSP7QT+Wf9EccHOR4D8XD+y//Pu5aJx1X7gmVvLQCSzGIeAQT\n" + + "FgoAIAUCYUH25wIbAQUWAgMBAAQLCQgHBRUKCQgLAh4BAhkBAAoJEHG9Z+sYpRA0\n" + + "OqkA/il0Tw+95YKXK5oPgqoHTzR5zaRyjmZ3r8Pjp5S+gCZYAP0RMmleSMVxkf+o\n" + + "4FBKwE+Vv41GPYKBUQ2op/mCOyc3CpyLBGFB9ucSCisGAQQBl1UBBQEBB0C2DoDx\n" + + "UjTXA/vFikJr64fB8qcCMyBx5ODBwBG9woSvLAMBCAf+CQMCBjB6dP815OFg8JuS\n" + + "6Z6j+M+7X8QNhZtHohmGbbWntREzAAVlN+UEmLljpcKdZKqlPgGoacw2ta/928FR\n" + + "6GD7tjyAPzSRTqPo6+pwBjU4/4h1BBgWCgAdBQJhQfbnAhsMBRYCAwEABAsJCAcF\n" + + "FQoJCAsCHgEACgkQcb1n6xilEDReNgD+L+B9YfbIPGd4NnOvt+9qrrzmRPXbhTu7\n" + + "9Vw0VmW7YfcBANH+0tH7HYbL5NOzGI888E28V0VhHqhhvtlctI574qAInIYEYUH2\n" + + "5xYJKwYBBAHaRw8BAQdARWEfFJZIKcsMrb/A3/AwFgwTLqMmoK6XTuTUfuqxZCb+\n" + + "CQMCBjB6dP815OFgHXyV5OYmG3BDr8xnw8boGZEdZRQARrbmYLCBEblH8X7X/jJy\n" + + "/SdBnsKed/dVItHAENVBjkbFXx7V8z7jqmZAEDSFR7R6o4jVBBgWCgB9BQJhQfbn\n" + + "AhsCBRYCAwEABAsJCAcFFQoJCAsCHgFfIAQZFgoABgUCYUH25wAKCRD9CYoy8Jjb\n" + + "qYXCAP487XkaTSeqHiygM9x5jKJQzBTNoa8LP5kmhk/qiRMKWAEAnEOvrTRMS9OL\n" + + "qLPQDJ5Zl4fwjXDC4MDEstxkwEkUXQEACgkQcb1n6xilEDTK+QD6AwFVz+NguD9k\n" + + "MElK0o9VDLUWheP9tXE/sHcCVXKrm4kA/2TK8puF9FKpBb3pJhsvLfFuklVlXEBv\n" + + "/lv8PRbqIHsN\n" + + "=PETI\n" + + "-----END PGP PRIVATE KEY BLOCK-----"); + k2 = PGPainless.readKeyRing().secretKeyRing("-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 1458 6C84 3082 7226 5F4A 1EAC 15C9 772F 51A3 F48A\n" + + "Comment: K2\n" + + "\n" + + "lIYEYUH25xYJKwYBBAHaRw8BAQdAQHpL7nSEOpOdEVcmNxTsjJmqPYI7ObVGZqCi\n" + + "snlK8XP+CQMCySs/5txmbAtgB6fPvXfs7I0bYIEcGNZqSPMqVU04EjLyvmeP2EZL\n" + + "L5ezq3U4Z835xEILFN5ngBxajMEu1A0pksiabHTR28RspoBDph+4/bQCSzKIeAQT\n" + + "FgoAIAUCYUH25wIbAQUWAgMBAAQLCQgHBRUKCQgLAh4BAhkBAAoJEBXJdy9Ro/SK\n" + + "vyQBALXaK7xt/JbIE4jqhWbliIHm8bskX3WG+jME5XjfDjBGAQC8hcKiWbOAF1tK\n" + + "8KH2mzeHsh0yhybUvlq6wq7GZ3aZCZyLBGFB9ucSCisGAQQBl1UBBQEBB0CDCUwj\n" + + "XBrIL5xf7TDKNOCyXgepXp+Ca3q2q0qmWm1nYwMBCAf+CQMCySs/5txmbAtg0/tL\n" + + "Rw8WbfHVGS3u+aEuookij7swVMTspPY/s1W3Mt1TP85lM1Bkn5fDr4UP9prEQNc7\n" + + "/fWsqvc1b9ZRBBqmwPOsKDfd3oh1BBgWCgAdBQJhQfbnAhsMBRYCAwEABAsJCAcF\n" + + "FQoJCAsCHgEACgkQFcl3L1Gj9IoDBAD/YNTgbTvgM6UsqJ1DFiaihR1kV3nv2fuc\n" + + "EAJfu7guvbsA/0gnPBxywJd4cK7spoAZjyjdgN8RPcZcUo6vXbMnT4YHnIYEYUH2\n" + + "5xYJKwYBBAHaRw8BAQdApegYPw86Q19XMX1M5YykP51E27ZvwBIMc1bORa7xAFv+\n" + + "CQMCySs/5txmbAtgFrYkIkpujELJEpD1hJlFSZzIxiA193PXfdo9CbFHBkjwIBh7\n" + + "idT7l1gA+eHhiC0QyEPt3un3P4gj4UMeBPtCwqTUxo887IjVBBgWCgB9BQJhQfbn\n" + + "AhsCBRYCAwEABAsJCAcFFQoJCAsCHgFfIAQZFgoABgUCYUH25wAKCRBQkr/WCypZ\n" + + "Xp2zAP43zOQPtlbM1cabvP8kaWEsYG/x9ka4GtT/vkFh2cg3NAD/aSi13QhFHIVq\n" + + "FI+3tH0vnxFAWmU9u7JnvM2+3ULHDA0ACgkQFcl3L1Gj9IqeqQEAx/2y5PMGl7t4\n" + + "oHOJ4zhtqzTo33qjbu05eneS+zp4ElYA/RP/IGjIVz9wzraOKzBptB1BOaiqu3JG\n" + + "xnMR9GND5bgA\n" + + "=Sknt\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n"); + } + + @Test + public void missingPassphraseFirst() throws PGPException, IOException { + SecretKeyRingProtector protector1 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + fail("Although the first PKESK is for k1, we should have skipped it and tried k2 first, which has passphrase available."); + return null; + } + + @Override + public boolean hasPassphrase(Long keyId) { + return false; + } + }); + SecretKeyRingProtector protector2 = SecretKeyRingProtector.unlockAllKeysWith(p2, k2); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) + .withOptions(new ConsumerOptions() + .addDecryptionKey(k1, protector1) + .addDecryptionKey(k2, protector2)); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + assertEquals(PLAINTEXT, out.toString()); + } + + @Test + public void missingPassphraseSecond() throws PGPException, IOException { + SecretKeyRingProtector protector1 = SecretKeyRingProtector.unlockAllKeysWith(p1, k1); + SecretKeyRingProtector protector2 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + fail("This callback should not get called, since the first PKESK is for k1, which has a passphrase available."); + return null; + } + + @Override + public boolean hasPassphrase(Long keyId) { + return false; + } + }); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) + .withOptions(new ConsumerOptions() + .addDecryptionKey(k1, protector1) + .addDecryptionKey(k2, protector2)); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + assertEquals(PLAINTEXT, out.toString()); + } + + @Test + public void messagePassphraseFirst() throws PGPException, IOException { + SecretKeyPassphraseProvider provider = new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + fail("Since we provide a decryption passphrase, we should not try to decrypt any key."); + return null; + } + + @Override + public boolean hasPassphrase(Long keyId) { + return false; + } + }; + SecretKeyRingProtector protector = new CachingSecretKeyRingProtector(provider); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K2_PASS_K1.getBytes(StandardCharsets.UTF_8))) + .withOptions(new ConsumerOptions() + .addDecryptionPassphrase(PASSPHRASE) + .addDecryptionKey(k1, protector) + .addDecryptionKey(k2, protector)); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + assertEquals(PLAINTEXT, out.toString()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 598a4c0e..6ba16525 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -46,6 +46,11 @@ public class CachingSecretKeyRingProtectorTest { long doubled = keyId * 2; return Passphrase.fromPassword(Long.toString(doubled)); } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } }; private CachingSecretKeyRingProtector protector; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index 8dd23bf9..f86b0815 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -49,6 +49,11 @@ public class PassphraseProtectedKeyTest { return null; } } + + @Override + public boolean hasPassphrase(Long keyId) { + return keyId.equals(TestKeys.CRYPTIE_KEY_ID); + } }); @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index dbbb398d..f7010a3f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -121,6 +121,11 @@ public class SecretKeyRingProtectorTest { public Passphrase getPassphraseFor(Long keyId) { return Passphrase.fromPassword("missingP455w0rd"); } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } }); assertEquals(Passphrase.emptyPassphrase(), protector.getPassphraseFor(1L)); From faf51fe3c01e771d2e4e67e171fa9fb701399b54 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 15 Sep 2021 17:21:33 +0200 Subject: [PATCH 0017/1450] PGPainless 0.2.13 --- CHANGELOG.md | 4 ++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 690d135d..40045664 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # PGPainless Changelog +## 0.2.13 +- Add `MessageInspector` class to determine IDs of recipient keys. +- PGPainless now tries decryption using keys with available passphrases first and only then request key passphrases using callbacks. + ## 0.2.12 - Fix: Add workaround for BC defaulting to S2K `USAGE_CHECKSUM` by changing S2K usage to `USAGE_SHA1` - Repair keys with `USAGE_CHECKSUM` when changing passphrase diff --git a/README.md b/README.md index 64f2e002..8b8d8b7b 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.12' + implementation 'org.pgpainless:pgpainless-core:0.2.13' } ``` diff --git a/version.gradle b/version.gradle index 10517b18..fbbdd1ca 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { shortVersion = '0.2.13' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 132b21b1e1f582afa927940e4e2b93029449f0da Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 15 Sep 2021 17:27:07 +0200 Subject: [PATCH 0018/1450] PGPainless-0.2.14-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index fbbdd1ca..d87dfb09 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { - shortVersion = '0.2.13' - isSnapshot = false + shortVersion = '0.2.14' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 895adb24c6d7eb3c8d28d5108edd8f9e6f923b56 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 17 Sep 2021 18:05:54 +0200 Subject: [PATCH 0019/1450] Export dependency on bcprov --- pgpainless-core/build.gradle | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle index 30387255..69041d73 100644 --- a/pgpainless-core/build.gradle +++ b/pgpainless-core/build.gradle @@ -6,18 +6,13 @@ dependencies { testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" - - implementation "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion" - - //* - api "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion" - /*/ - api files("libs/bcpg-jdk18on-1.70-SNAPSHOT.jar") - // */ - - implementation "org.slf4j:slf4j-api:$slf4jVersion" testImplementation 'ch.qos.logback:logback-classic:1.2.5' + api "org.slf4j:slf4j-api:$slf4jVersion" + + api "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion" + api "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion" + // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305 implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2' } From 5e2286de0d98953bd589c5966143d805cbb5e427 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 17 Sep 2021 18:16:58 +0200 Subject: [PATCH 0020/1450] Rework dependencies --- build.gradle | 1 + pgpainless-cli/build.gradle | 19 +++++-------------- pgpainless-sop/build.gradle | 7 +++---- sop-java-picocli/build.gradle | 9 +++------ 4 files changed, 12 insertions(+), 24 deletions(-) diff --git a/build.gradle b/build.gradle index 93d1fade..303ce683 100644 --- a/build.gradle +++ b/build.gradle @@ -62,6 +62,7 @@ allprojects { project.ext { slf4jVersion = '1.7.32' junitVersion = '5.7.2' + picocliVersion = '4.6.1' rootConfigDir = new File(rootDir, 'config') gitCommit = getGitCommit() isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI')) diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle index a1580eb4..a1fb70ef 100644 --- a/pgpainless-cli/build.gradle +++ b/pgpainless-cli/build.gradle @@ -22,33 +22,24 @@ task generateVersionProperties { processResources.dependsOn generateVersionProperties dependencies { - implementation(project(":pgpainless-sop")) - implementation(project(":sop-java")) - - implementation(project(":sop-java-picocli")) - implementation 'info.picocli:picocli:4.5.2' testImplementation(project(":pgpainless-core")) testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" - // https://todd.ginsberg.com/post/testing-system-exit/ testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' - // We want logback logging in tests testImplementation 'ch.qos.logback:logback-classic:1.2.5' + implementation(project(":pgpainless-sop")) + implementation(project(":sop-java")) + implementation(project(":sop-java-picocli")) + + implementation "info.picocli:picocli:$picocliVersion" // We don't want logging in the application itself implementation "org.slf4j:slf4j-nop:$slf4jVersion" - /* - implementation "org.bouncycastle:bcprov-debug-jdk15on:$bouncyCastleVersion" - /*/ - implementation "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion" - //*/ - implementation "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion" - // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305 implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2' } diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle index 9cc6cef6..7a01a71c 100644 --- a/pgpainless-sop/build.gradle +++ b/pgpainless-sop/build.gradle @@ -9,14 +9,13 @@ repositories { } dependencies { - - implementation(project(":pgpainless-core")) - implementation(project(":sop-java")) - testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.0' testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.0' testImplementation 'ch.qos.logback:logback-classic:1.2.5' + + implementation(project(":pgpainless-core")) + implementation(project(":sop-java")) } test { diff --git a/sop-java-picocli/build.gradle b/sop-java-picocli/build.gradle index f48a891d..2fb275c7 100644 --- a/sop-java-picocli/build.gradle +++ b/sop-java-picocli/build.gradle @@ -3,18 +3,15 @@ plugins { } dependencies { - implementation(project(":sop-java")) - implementation 'info.picocli:picocli:4.6.1' - implementation 'com.google.inject:guice:5.0.1' - testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" - // https://todd.ginsberg.com/post/testing-system-exit/ testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' - testImplementation "org.mockito:mockito-core:3.11.2" + implementation(project(":sop-java")) + implementation "info.picocli:picocli:$picocliVersion" + // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305 implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2' } From 1a4052afb035bf6f93896333637064bd7b2fdd0e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Sep 2021 11:13:45 +0200 Subject: [PATCH 0021/1450] Add audit documentation --- audit/audit_cert.asc | 21 ++++++++++++++++++ audit/booby-traps/trap01.asc | 43 ++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 audit/audit_cert.asc create mode 100644 audit/booby-traps/trap01.asc diff --git a/audit/audit_cert.asc b/audit/audit_cert.asc new file mode 100644 index 00000000..6d02434f --- /dev/null +++ b/audit/audit_cert.asc @@ -0,0 +1,21 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: PGPainless +Comment: A16D 7A3E A645 F32B FFD2 9B30 DCDE B25E D526 4E4C +Comment: Audit + +mDMEYUhIQhYJKwYBBAHaRw8BAQdAz7UK1857JYHm+09xETHXsMYAyJWYir4SCVZc +FLfA/Eu0HEF1ZGl0IDxhdWRpdEBwZ3BhaW5sZXNzLm9yZz6IeAQTFgoAIAUCYUhI +QgIbAQUWAgMBAAQLCQgHBRUKCQgLAh4BAhkBAAoJENzesl7VJk5MqAABAJujTgJt +YmvyuGgeY6qiAOz5JTw8H2SShFtDbSNvKNt2AQDQDSauqTHxNh5DzkHxZv/+r/30 +Jhwj7cpW+Ktd83rvDLg4BGFISEISCisGAQQBl1UBBQEBB0AtCBfO8W27Ame+Zmar +nNeJxXfJXeVjfLMh37HjvzMaXgMBCAeIdQQYFgoAHQUCYUhIQgIbDAUWAgMBAAQL +CQgHBRUKCQgLAh4BAAoJENzesl7VJk5MbckBAMcDt/pRSltae0X6TC4nj43HBLXN +GEnv8vOOKzrwLbdiAQCJlDpWCC8GLfujEsaDmPCp59hQiGv4g2pY2zzEgicvArgz +BGFISEIWCSsGAQQB2kcPAQEHQHnZ1djBXKZXhnsz905kXomsyWNbNklfSNp0tJR5 +a/oNiNUEGBYKAH0FAmFISEICGwIFFgIDAQAECwkIBwUVCgkICwIeAV8gBBkWCgAG +BQJhSEhCAAoJEBPUPQ7ll5OWutIBAO1P/SIsaisKjmdaEPDn8x6hLikzPzjOJlZm +QYHBOCNXAP9wMQMInGDYAj1Sz67Z7Rjl6f4sOB/P6Tv9V4rbZwyNDAAKCRDc3rJe +1SZOTMgWAP9EBlU8v/Nj8rDo6ZT4RFAdVwV/YqOj1UgEe/paTFhPSgD/ezgwk4xF +UTvWjgYsHwtm94hgQfpu5P7ZdWhNMEBwHgg= +=/5mN +-----END PGP PUBLIC KEY BLOCK----- diff --git a/audit/booby-traps/trap01.asc b/audit/booby-traps/trap01.asc new file mode 100644 index 00000000..a57b55de --- /dev/null +++ b/audit/booby-traps/trap01.asc @@ -0,0 +1,43 @@ +-----BEGIN PGP MESSAGE----- +Version: PGPainless + +hF4DEr34KT0hCm4SAQdA1t9dOL8VcV8jGyd/P//stxC/ykhbnNrIX9Nl6d/0Lgkw +BuLTZ42dBR9IV0yy3MmeP+WLRX5riCcianAdkKbJZ980DdGQY6SRchbh7I8EbdVB +0ukBPauvl6C36FDfJO05ABM1jUAkxQih8qMQRsonCi/8l1EtdaHjU2VVv3NFkx9X +3+zY7sChquM9EZKjJH3ZeJ5kyxLLfPHFU9+EUz1aZBdQ5tHqFru9ifZNZ4mkVR+A +sp8RuQIkbpFLtf1G+DA3fnGf3QdtwYkCjwAoRWxo5Lkjjgi1vIMo4+a1NyJaSjec +LI8Ypz3S8zqvCmr9ZjMjMFLZ24VwLzo+NoYli19i08o9WY3r/8wD5JVBuR7fRB+f +sns9V9NSMMgesW2AXV0HJJ8zbZvudMfjtfEmaEdf3d7i1ykqD+uiudQ7JxPg7wUU +ejABmE0gYJAyqG78Wiw90wHHUlu26O+VPalDcPjL4opeweDzco/Ukm6TLotf+vIi +AmRlt5ZvTjEcBV2NEsZxEBPIOsd8mXdCWVulIvXD1l8HwtgoZIOL/qFs9nZBTM9/ +JcL0hyAn1EIxahZ6+lkGGwUe7EiJ/ynrXIAHzv/Oq5VVmSv0eqk/SCsi75EdsFB0 +FjRt/oiYtBV+QA9VU4RmttV5bT/K7vcLLNHLBkjbSUHUajZoZxFh4Bsh21kOE9V2 +oGZTkb3ogjogGCHUywBKpPikeMWnOskdBlHAAT+ScBciv+xJLbH+l1KERcLwFtx9 +ybLnKcRfJazrJgb9kQ8tBcttKixd6bKjWPRl0esIwjaCtela4k/O0dCGc0UxcraH +JmsnYU19DP+DERhgsJZhAZxKExbN4LmScbe2FvcxQPELrisDuNiiaed5/w7QaeBr +QfumdN+R+3wAtutbU/EiT1GEpRQEzPvSAb53bO2r/3s/pIAnAOaaKalDBo85OY8X +Sor7OE/X6ys5xAkQt5lnKG3lOeKzlhzhokEBvwdSlITwOt9PgIvQul5UNn6xvtMV +MQbdkzTdAePibggl2GV6CPo4MH9Y67Mv/1D30u0N2kxmtEZe1YS4hE9jvBybqoYN +ksmU7yuKq7hQmdB50Qi1uEEYUT72Nw5QGDo4JHQRnSeB4jVie9c4+LT4nDlM2yOL +osu4VOQTUrEF8ydlP06+yOD85X2isRY4OU/mwxaDmNyC+7uOywbkju5FpXPrI5J1 +P3siIR0TAr8zS+1lZbsZseGGaSPDmz+U5RJrPphnk5VIVXuTHzgH1kmC5vwZ0Eoe +xZnWhByBaGU34kyGGJcQrehB7twicuEdGnppDg5nULV8OB+7Su54Om3uqiznQNJl +hiOA5TT8jzz3k7V9wWjM/oFe5KU7yb33pvm615nHzxe/8balk552h6bIXgnkmj9D +hR5byVdmNw5/n+OpkvyziPrcUsW3h/Mk+tmsQsKcvpO/RrFPXWp39BZlgOdb7hB/ +u7YR3gs/KXObohQSsGjZWZJqSOlaSc5rzFieMYclPJWH/+XJQ7BD8s7FJtI+dvu0 +Q989W9qIHVFZyihT//sXD/jnKNSnbiYPQWBJSPQGfyCw0GJSB5AWCT0bFuuq1pzl +IRh93OHGhAPZ/NstkcMjJZk+xWDRtCrwR2tu16p8d38UloIlMxFQxiu8qwR7RHFI +Ow+ydVkdIcrVR8PgGO3MdNfN9ONhriiLIVTs7k8QDY4YTPc0qzwAX+taidE7rqcr +aSANnMF2t/+I9pYFysesn9b7l+82bpc9KbUss8BkV9qrCeowNNJ+pQOdOMdhvmNs +xd7RXT7SulqDPMfcv4KhledrxmvcRHHUhyoIUGZ+mv0VLi+isi67Yz6mPFtfnj6H +Tvn2oZaI7QX71oYiUHqDiA5en46Yzt9Di4t/yGm8Wr8QCj/ubZcgfT6M0WvuGPpC +47E2JHiB2hMaB3/ACBruwR5WaZsDPWewHXtb2QQmGQT1fkSdDYT/pDTTfB5S6DBg +pmNOhoH7sl262wvZQ3UOztLcbpWu25j6nBZJXWnt3VaNm20pf5uwXl/PSX0xIEfQ +aZLKFk+cFmmUUf7PnRcXfMFfLrUr1W6KeFQOVtZTEjq5SRzzI7BZHaHylpQMWUNK +V7rjRRiQ23sI7bE5+/+SUKDMrLe452Jn5BTEVnJ6igwL/PBVFLRCt8OLJoZNJdfJ +9R5Ugrhe+xuotUsQWd4df+by0hxpMXl/qV8M6zRVXkLyvl1gJIpwusCTVZkbo0T0 +l1zGqkDnhAJrRTQ9ejBmEa2b9zCAmakME3xEc7wF7iU5Dut3MifuJKe2RbnmSk60 +C2rsAikjAGfIJpDu/QQ55DR7JAKdCCzvZ54S9nveAkXOgQzlWNHdk+6B24VMtyX6 +MjH2xlLl7MmGGQ0e42N/KUbPgVQdcCN1ctlCt/QuntP52Ah87nMKEIlQ0JY0 +=LTKS +-----END PGP MESSAGE----- From 387b2b4b4370897b6f36679d774bbda1ff293542 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Sep 2021 11:26:00 +0200 Subject: [PATCH 0022/1450] Ensure that KeySpecBuilder gets at least one key flag --- .../java/org/pgpainless/key/generation/KeySpec.java | 4 ++-- .../org/pgpainless/key/generation/KeySpecBuilder.java | 11 ++++++++--- .../java/org/pgpainless/util/CollectionUtils.java | 8 ++++++++ 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 5572f449..c53d91e8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -55,7 +55,7 @@ public class KeySpec { return inheritedSubPackets; } - public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) { - return new KeySpecBuilder(type, flags); + public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) { + return new KeySpecBuilder(type, flag, flags); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index bbc7f14a..d6095201 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -30,6 +30,7 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.util.CollectionUtils; public class KeySpecBuilder implements KeySpecBuilderInterface { @@ -41,10 +42,14 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { private Set preferredHashAlgorithms = algorithmSuite.getHashAlgorithms(); private Set preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms(); - KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) { - if (flags == null || flags.length == 0) { - throw new IllegalArgumentException("KeyFlags cannot be empty."); + KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) { + if (flag == null) { + throw new IllegalArgumentException("Key MUST carry at least one key flag"); } + if (flags == null) { + throw new IllegalArgumentException("List of additional flags MUST NOT be null."); + } + flags = CollectionUtils.concat(flag, flags); assureKeyCanCarryFlags(type, flags); this.type = type; this.keyFlags = flags; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java index 6ad81991..cb845df4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java @@ -15,6 +15,7 @@ */ package org.pgpainless.util; +import java.lang.reflect.Array; import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -33,4 +34,11 @@ public final class CollectionUtils { } return items; } + + public static T[] concat(T t, T[] ts) { + T[] concat = (T[]) Array.newInstance(t.getClass(), ts.length + 1); + concat[0] = t; + System.arraycopy(ts, 0, concat, 1, ts.length); + return concat; + } } From be47a960301868f186d48e18328270bf8ad3e7db Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Sep 2021 12:30:03 +0200 Subject: [PATCH 0023/1450] Further simplify the KeyRingBuilder API --- .../key/generation/KeyRingBuilder.java | 413 ++++++++---------- .../generation/KeyRingBuilderInterface.java | 56 +-- .../EncryptDecryptTest.java | 13 +- .../EncryptionOptionsTest.java | 16 +- .../org/pgpainless/example/GenerateKeys.java | 77 ++-- .../BrainpoolKeyGenerationTest.java | 27 +- ...rtificationKeyMustBeAbleToCertifyTest.java | 8 +- .../GenerateEllipticCurveKeyTest.java | 10 +- .../GenerateKeyWithAdditionalUserIdTest.java | 14 +- ...a => GenerateWithEmptyPassphraseTest.java} | 11 +- .../pgpainless/key/info/KeyRingInfoTest.java | 16 +- .../key/info/UserIdRevocationTest.java | 30 +- .../java/org/pgpainless/util/BCUtilTest.java | 10 +- .../util/GuessPreferredHashAlgorithmTest.java | 8 +- ...ncryptCommsStorageFlagsDifferentiated.java | 7 +- 15 files changed, 316 insertions(+), 400 deletions(-) rename pgpainless-core/src/test/java/org/pgpainless/key/generation/{GenerateWithEmptyPassphrase.java => GenerateWithEmptyPassphraseTest.java} (88%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 230a0a9a..3c81332c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -61,14 +61,18 @@ import org.pgpainless.provider.ProviderFactory; import org.pgpainless.util.Passphrase; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; -public class KeyRingBuilder implements KeyRingBuilderInterface { +public class KeyRingBuilder implements KeyRingBuilderInterface { private final Charset UTF8 = Charset.forName("UTF-8"); - private final List keySpecs = new ArrayList<>(); - private String userId; - private final Set additionalUserIds = new LinkedHashSet<>(); - private Passphrase passphrase; + private PGPSignatureGenerator signatureGenerator; + private PGPDigestCalculator digestCalculator; + private PBESecretKeyEncryptor secretKeyEncryptor; + + private KeySpec primaryKeySpec; + private final List subkeySpecs = new ArrayList<>(); + private final Set userIds = new LinkedHashSet<>(); + private Passphrase passphrase = null; private Date expirationDate = null; /** @@ -126,17 +130,14 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { */ public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - WithAdditionalUserIdOrPassphrase builder = this - .withPrimaryKey(KeySpec - .getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryUserId(userId); + KeyRingBuilder builder = new KeyRingBuilder() + .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) + .addUserId(userId); - if (password == null) { - return builder.withoutPassphrase().build(); - } else { - return builder.withPassphrase(new Passphrase(password.toCharArray())).build(); + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); } + return builder.build(); } /** @@ -194,20 +195,15 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { */ public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - WithAdditionalUserIdOrPassphrase builder = this - .withSubKey( - KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .build()) - .withPrimaryUserId(userId); + KeyRingBuilder builder = new KeyRingBuilder() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .addUserId(userId); - if (password == null) { - return builder.withoutPassphrase().build(); - } else { - return builder.withPassphrase(new Passphrase(password.toCharArray())).build(); + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); } + return builder.build(); } /** @@ -220,37 +216,59 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { */ public PGPSecretKeyRing modernKeyRing(String userId, String password) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - WithAdditionalUserIdOrPassphrase builder = this - .withSubKey( - KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) - .build()) - .withSubKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA) - .build()) - .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) - .build()) - .withPrimaryUserId(userId); - - if (password == null) { - return builder.withoutPassphrase().build(); - } else { - return builder.withPassphrase(new Passphrase(password.toCharArray())).build(); + KeyRingBuilder builder = new KeyRingBuilder() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA)) + .addUserId(userId); + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); } + return builder.build(); } @Override - public KeyRingBuilderInterface withSubKey(@Nonnull KeySpec type) { - KeyRingBuilder.this.keySpecs.add(type); + public KeyRingBuilder setPrimaryKey(@Nonnull KeySpec keySpec) { + verifyMasterKeyCanCertify(keySpec); + this.primaryKeySpec = keySpec; return this; } @Override - public WithPrimaryUserId withPrimaryKey(@Nonnull KeySpec spec) { - verifyMasterKeyCanCertify(spec); + public KeyRingBuilder addSubkey(@Nonnull KeySpec keySpec) { + this.subkeySpecs.add(keySpec); + return this; + } - KeyRingBuilder.this.keySpecs.add(0, spec); - return new WithPrimaryUserIdImpl(); + @Override + public KeyRingBuilder addUserId(@Nonnull String userId) { + this.userIds.add(userId.trim()); + return this; + } + + @Override + public KeyRingBuilder addUserId(@Nonnull byte[] userId) { + return addUserId(new String(userId, UTF8)); + } + + @Override + public KeyRingBuilder setExpirationDate(@Nonnull Date expirationDate) { + Date now = new Date(); + if (now.after(expirationDate)) { + throw new IllegalArgumentException("Expiration date must be in the future."); + } + this.expirationDate = expirationDate; + return this; + } + + @Override + public KeyRingBuilder setPassphrase(@Nonnull Passphrase passphrase) { + this.passphrase = passphrase; + return this; + } + + private static boolean isNullOrEmpty(String password) { + return password == null || password.trim().isEmpty(); } private void verifyMasterKeyCanCertify(KeySpec spec) { @@ -270,196 +288,139 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { return keySpec.getKeyType().canCertify(); } - class WithPrimaryUserIdImpl implements WithPrimaryUserId { + @Override + public PGPSecretKeyRing build() throws NoSuchAlgorithmException, PGPException, + InvalidAlgorithmParameterException { + if (userIds.isEmpty()) { + throw new IllegalStateException("At least one user-id is required."); + } + digestCalculator = buildDigestCalculator(); + secretKeyEncryptor = buildSecretKeyEncryptor(); + PBESecretKeyDecryptor secretKeyDecryptor = buildSecretKeyDecryptor(); - @Override - public WithAdditionalUserIdOrPassphrase withPrimaryUserId(@Nonnull String userId) { - KeyRingBuilder.this.userId = userId.trim(); - return new WithAdditionalUserIdOrPassphraseImpl(); + if (passphrase != null) { + passphrase.clear(); } - @Override - public WithAdditionalUserIdOrPassphrase withPrimaryUserId(@Nonnull byte[] userId) { - return withPrimaryUserId(new String(userId, UTF8)); + // Generate Primary Key + PGPKeyPair certKey = generateKeyPair(primaryKeySpec); + PGPContentSignerBuilder signer = buildContentSigner(certKey); + signatureGenerator = new PGPSignatureGenerator(signer); + PGPSignatureSubpacketGenerator hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); + hashedSubPacketGenerator.setPrimaryUserID(false, true); + if (expirationDate != null) { + SignatureSubpacketGeneratorUtil.setExpirationDateInSubpacketGenerator( + expirationDate, new Date(), hashedSubPacketGenerator); + } + PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.generate(); + + // Generator which the user can get the key pair from + PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets); + + addSubKeys(certKey, ringGenerator); + + // Generate secret key ring with only primary user id + PGPSecretKeyRing secretKeyRing = ringGenerator.generateSecretKeyRing(); + + Iterator secretKeys = secretKeyRing.getSecretKeys(); + + // Attempt to add additional user-ids to the primary public key + PGPPublicKey primaryPubKey = secretKeys.next().getPublicKey(); + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeyRing.getSecretKey(), secretKeyDecryptor); + Iterator additionalUserIds = userIds.iterator(); + additionalUserIds.next(); // Skip primary user id + while (additionalUserIds.hasNext()) { + String additionalUserId = additionalUserIds.next(); + signatureGenerator.init(SignatureType.POSITIVE_CERTIFICATION.getCode(), privateKey); + PGPSignature additionalUserIdSignature = + signatureGenerator.generateCertification(additionalUserId, primaryPubKey); + primaryPubKey = PGPPublicKey.addCertification(primaryPubKey, + additionalUserId, additionalUserIdSignature); + } + + // "reassemble" secret key ring with modified primary key + PGPSecretKey primarySecKey = new PGPSecretKey( + privateKey, + primaryPubKey, digestCalculator, true, secretKeyEncryptor); + List secretKeyList = new ArrayList<>(); + secretKeyList.add(primarySecKey); + while (secretKeys.hasNext()) { + secretKeyList.add(secretKeys.next()); + } + secretKeyRing = new PGPSecretKeyRing(secretKeyList); + + return secretKeyRing; + } + + private PGPKeyRingGenerator buildRingGenerator(PGPKeyPair certKey, + PGPContentSignerBuilder signer, + PGPSignatureSubpacketVector hashedSubPackets) + throws PGPException { + String primaryUserId = userIds.iterator().next(); + return new PGPKeyRingGenerator( + SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey, + primaryUserId, digestCalculator, + hashedSubPackets, null, signer, secretKeyEncryptor); + } + + private void addSubKeys(PGPKeyPair primaryKey, PGPKeyRingGenerator ringGenerator) + throws NoSuchAlgorithmException, PGPException, InvalidAlgorithmParameterException { + for (KeySpec subKeySpec : subkeySpecs) { + PGPKeyPair subKey = generateKeyPair(subKeySpec); + if (subKeySpec.isInheritedSubPackets()) { + ringGenerator.addSubKey(subKey); + } else { + PGPSignatureSubpacketVector hashedSubpackets = subKeySpec.getSubpackets(); + try { + hashedSubpackets = addPrimaryKeyBindingSignatureIfNecessary(primaryKey, subKey, hashedSubpackets); + } catch (IOException e) { + throw new PGPException("Exception while adding primary key binding signature to signing subkey", e); + } + ringGenerator.addSubKey(subKey, hashedSubpackets, null); + } } } - class WithAdditionalUserIdOrPassphraseImpl implements WithAdditionalUserIdOrPassphrase { - - @Override - public WithAdditionalUserIdOrPassphrase setExpirationDate(@Nonnull Date expirationDate) { - Date now = new Date(); - if (now.after(expirationDate)) { - throw new IllegalArgumentException("Expiration date must be in the future."); - } - KeyRingBuilder.this.expirationDate = expirationDate; - return this; + private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary(PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) throws PGPException, IOException { + int keyFlagMask = hashedSubpackets.getKeyFlags(); + if (!KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.SIGN_DATA) && !KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.CERTIFY_OTHER)) { + return hashedSubpackets; } - @Override - public WithAdditionalUserIdOrPassphrase withAdditionalUserId(@Nonnull String userId) { - String trimmed = userId.trim(); - if (KeyRingBuilder.this.userId.equals(trimmed)) { - throw new IllegalArgumentException("Additional user-id MUST NOT be equal to primary user-id."); - } - KeyRingBuilder.this.additionalUserIds.add(trimmed); - return this; - } + PGPSignatureGenerator bindingSignatureGenerator = new PGPSignatureGenerator(buildContentSigner(subKey)); + bindingSignatureGenerator.init(SignatureType.PRIMARYKEY_BINDING.getCode(), subKey.getPrivateKey()); + PGPSignature primaryKeyBindingSig = bindingSignatureGenerator.generateCertification(primaryKey.getPublicKey(), subKey.getPublicKey()); + PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(hashedSubpackets); + subpacketGenerator.addEmbeddedSignature(false, primaryKeyBindingSig); + return subpacketGenerator.generate(); + } - @Override - public WithAdditionalUserIdOrPassphrase withAdditionalUserId(@Nonnull byte[] userId) { - return withAdditionalUserId(new String(userId, UTF8)); - } + private PGPContentSignerBuilder buildContentSigner(PGPKeyPair certKey) { + HashAlgorithm hashAlgorithm = PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); + return ImplementationFactory.getInstance().getPGPContentSignerBuilder( + certKey.getPublicKey().getAlgorithm(), + hashAlgorithm.getAlgorithmId()); + } - @Override - public Build withPassphrase(@Nonnull Passphrase passphrase) { - KeyRingBuilder.this.passphrase = passphrase; - return new BuildImpl(); - } + private PBESecretKeyEncryptor buildSecretKeyEncryptor() { + SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy() + .getDefaultSymmetricKeyAlgorithm(); + PBESecretKeyEncryptor encryptor = passphrase == null || passphrase.isEmpty() ? + null : // unencrypted key pair, otherwise AES-256 encrypted + ImplementationFactory.getInstance().getPBESecretKeyEncryptor( + keyEncryptionAlgorithm, digestCalculator, passphrase); + return encryptor; + } - @Override - public Build withoutPassphrase() { - KeyRingBuilder.this.passphrase = null; - return new BuildImpl(); - } + private PBESecretKeyDecryptor buildSecretKeyDecryptor() throws PGPException { + PBESecretKeyDecryptor decryptor = passphrase == null || passphrase.isEmpty() ? + null : + ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); + return decryptor; + } - class BuildImpl implements Build { - - private PGPSignatureGenerator signatureGenerator; - private PGPDigestCalculator digestCalculator; - private PBESecretKeyEncryptor secretKeyEncryptor; - - @Override - public PGPSecretKeyRing build() throws NoSuchAlgorithmException, PGPException, - InvalidAlgorithmParameterException { - digestCalculator = buildDigestCalculator(); - secretKeyEncryptor = buildSecretKeyEncryptor(); - PBESecretKeyDecryptor secretKeyDecryptor = buildSecretKeyDecryptor(); - - if (passphrase != null) { - passphrase.clear(); - } - - // First key is the Master Key - KeySpec certKeySpec = keySpecs.remove(0); - - // Generate Master Key - PGPKeyPair certKey = generateKeyPair(certKeySpec); - PGPContentSignerBuilder signer = buildContentSigner(certKey); - signatureGenerator = new PGPSignatureGenerator(signer); - PGPSignatureSubpacketGenerator hashedSubPacketGenerator = certKeySpec.getSubpacketGenerator(); - hashedSubPacketGenerator.setPrimaryUserID(false, true); - if (expirationDate != null) { - SignatureSubpacketGeneratorUtil.setExpirationDateInSubpacketGenerator( - expirationDate, new Date(), hashedSubPacketGenerator); - } - PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.generate(); - - // Generator which the user can get the key pair from - PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets); - - addSubKeys(certKey, ringGenerator); - - // Generate secret key ring with only primary user id - PGPSecretKeyRing secretKeyRing = ringGenerator.generateSecretKeyRing(); - - Iterator secretKeys = secretKeyRing.getSecretKeys(); - - // Attempt to add additional user-ids to the primary public key - PGPPublicKey primaryPubKey = secretKeys.next().getPublicKey(); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeyRing.getSecretKey(), secretKeyDecryptor); - for (String additionalUserId : additionalUserIds) { - signatureGenerator.init(SignatureType.POSITIVE_CERTIFICATION.getCode(), privateKey); - PGPSignature additionalUserIdSignature = - signatureGenerator.generateCertification(additionalUserId, primaryPubKey); - primaryPubKey = PGPPublicKey.addCertification(primaryPubKey, - additionalUserId, additionalUserIdSignature); - } - - // "reassemble" secret key ring with modified primary key - PGPSecretKey primarySecKey = new PGPSecretKey( - privateKey, - primaryPubKey, digestCalculator, true, secretKeyEncryptor); - List secretKeyList = new ArrayList<>(); - secretKeyList.add(primarySecKey); - while (secretKeys.hasNext()) { - secretKeyList.add(secretKeys.next()); - } - secretKeyRing = new PGPSecretKeyRing(secretKeyList); - - return secretKeyRing; - } - - private PGPKeyRingGenerator buildRingGenerator(PGPKeyPair certKey, - PGPContentSignerBuilder signer, - PGPSignatureSubpacketVector hashedSubPackets) - throws PGPException { - return new PGPKeyRingGenerator( - SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey, - userId, digestCalculator, - hashedSubPackets, null, signer, secretKeyEncryptor); - } - - private void addSubKeys(PGPKeyPair primaryKey, PGPKeyRingGenerator ringGenerator) - throws NoSuchAlgorithmException, PGPException, InvalidAlgorithmParameterException { - for (KeySpec subKeySpec : keySpecs) { - PGPKeyPair subKey = generateKeyPair(subKeySpec); - if (subKeySpec.isInheritedSubPackets()) { - ringGenerator.addSubKey(subKey); - } else { - PGPSignatureSubpacketVector hashedSubpackets = subKeySpec.getSubpackets(); - try { - hashedSubpackets = addPrimaryKeyBindingSignatureIfNecessary(primaryKey, subKey, hashedSubpackets); - } catch (IOException e) { - throw new PGPException("Exception while adding primary key binding signature to signing subkey", e); - } - ringGenerator.addSubKey(subKey, hashedSubpackets, null); - } - } - } - - private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary(PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) throws PGPException, IOException { - int keyFlagMask = hashedSubpackets.getKeyFlags(); - if (!KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.SIGN_DATA) && !KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.CERTIFY_OTHER)) { - return hashedSubpackets; - } - - PGPSignatureGenerator bindingSignatureGenerator = new PGPSignatureGenerator(buildContentSigner(subKey)); - bindingSignatureGenerator.init(SignatureType.PRIMARYKEY_BINDING.getCode(), subKey.getPrivateKey()); - PGPSignature primaryKeyBindingSig = bindingSignatureGenerator.generateCertification(primaryKey.getPublicKey(), subKey.getPublicKey()); - PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(hashedSubpackets); - subpacketGenerator.addEmbeddedSignature(false, primaryKeyBindingSig); - return subpacketGenerator.generate(); - } - - private PGPContentSignerBuilder buildContentSigner(PGPKeyPair certKey) { - HashAlgorithm hashAlgorithm = PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); - return ImplementationFactory.getInstance().getPGPContentSignerBuilder( - certKey.getPublicKey().getAlgorithm(), - hashAlgorithm.getAlgorithmId()); - } - - private PBESecretKeyEncryptor buildSecretKeyEncryptor() { - SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy() - .getDefaultSymmetricKeyAlgorithm(); - PBESecretKeyEncryptor encryptor = passphrase == null || passphrase.isEmpty() ? - null : // unencrypted key pair, otherwise AES-256 encrypted - ImplementationFactory.getInstance().getPBESecretKeyEncryptor( - keyEncryptionAlgorithm, digestCalculator, passphrase); - return encryptor; - } - - private PBESecretKeyDecryptor buildSecretKeyDecryptor() throws PGPException { - PBESecretKeyDecryptor decryptor = passphrase == null || passphrase.isEmpty() ? - null : - ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); - return decryptor; - } - - private PGPDigestCalculator buildDigestCalculator() throws PGPException { - return ImplementationFactory.getInstance().getPGPDigestCalculator(HashAlgorithm.SHA1); - } - } + private PGPDigestCalculator buildDigestCalculator() throws PGPException { + return ImplementationFactory.getInstance().getPGPDigestCalculator(HashAlgorithm.SHA1); } public static PGPKeyPair generateKeyPair(KeySpec spec) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java index 8ddaff34..1113158b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java @@ -25,50 +25,32 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; -public interface KeyRingBuilderInterface { +public interface KeyRingBuilderInterface> { - KeyRingBuilderInterface withSubKey(@Nonnull KeySpec keySpec); - - WithPrimaryUserId withPrimaryKey(@Nonnull KeySpec keySpec); - - interface WithPrimaryUserId { - - default WithAdditionalUserIdOrPassphrase withPrimaryUserId(@Nonnull UserId userId) { - return withPrimaryUserId(userId.toString()); - } - - WithAdditionalUserIdOrPassphrase withPrimaryUserId(@Nonnull String userId); - - WithAdditionalUserIdOrPassphrase withPrimaryUserId(@Nonnull byte[] userId); + B setPrimaryKey(@Nonnull KeySpec keySpec); + default B setPrimaryKey(@Nonnull KeySpecBuilder builder) { + return setPrimaryKey(builder.build()); } - interface WithAdditionalUserIdOrPassphrase { + B addSubkey(@Nonnull KeySpec keySpec); - default WithAdditionalUserIdOrPassphrase withAdditionalUserId(@Nonnull UserId userId) { - return withAdditionalUserId(userId.toString()); - } - - /** - * Set an expiration date for the key. - * - * @param expirationDate date on which the key will expire. - * @return builder - */ - WithAdditionalUserIdOrPassphrase setExpirationDate(@Nonnull Date expirationDate); - - WithAdditionalUserIdOrPassphrase withAdditionalUserId(@Nonnull String userId); - - WithAdditionalUserIdOrPassphrase withAdditionalUserId(@Nonnull byte[] userId); - - Build withPassphrase(@Nonnull Passphrase passphrase); - - Build withoutPassphrase(); + default B addSubkey(@Nonnull KeySpecBuilder builder) { + return addSubkey(builder.build()); } - interface Build { + default B addUserId(UserId userId) { + return addUserId(userId.toString()); + } - PGPSecretKeyRing build() throws NoSuchAlgorithmException, PGPException, + B addUserId(@Nonnull String userId); + + B addUserId(@Nonnull byte[] userId); + + B setExpirationDate(@Nonnull Date expirationDate); + + B setPassphrase(@Nonnull Passphrase passphrase); + + PGPSecretKeyRing build() throws NoSuchAlgorithmException, PGPException, InvalidAlgorithmParameterException; - } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index c7bd68dc..175ea7ac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -88,14 +88,13 @@ public class EncryptDecryptTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder( - ElGamal.withLength(ElGamalLength._3072), - KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._4096), - KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER).build()) - .withPrimaryUserId("juliet@capulet.lit").withoutPassphrase().build(); + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder( + ElGamal.withLength(ElGamalLength._3072), + KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .addUserId("juliet@capulet.lit").build(); encryptDecryptForSecretKeyRings(sender, recipient); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index f0aef576..f8971467 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -59,14 +59,13 @@ public class EncryptionOptionsTest { @BeforeAll public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) .build()) - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) .build()) - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE) .build()) - .withPrimaryUserId("test@pgpainless.org") - .withoutPassphrase() + .addUserId("test@pgpainless.org") .build(); publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); @@ -139,10 +138,9 @@ public class EncryptionOptionsTest { public void testAddRecipient_KeyWithoutEncryptionKeyFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { EncryptionOptions options = new EncryptionOptions(); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .build()) - .withPrimaryUserId("test@pgpainless.org") - .withoutPassphrase().build(); + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addUserId("test@pgpainless.org") + .build(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); assertThrows(IllegalArgumentException.class, () -> options.addRecipient(publicKeys)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 75e847f5..e88c906f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -21,6 +21,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -34,6 +35,7 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.KeySpecBuilder; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; @@ -156,10 +158,11 @@ public class GenerateKeys { * algorithm preferences. * * If the target key amalgamation (key ring) should consist of more than just a single (sub-)key, start by providing - * the specifications for the subkeys first (in {@link org.pgpainless.key.generation.KeyRingBuilderInterface#withSubKey(KeySpec)}) - * and add the primary key specification last (in {@link org.pgpainless.key.generation.KeyRingBuilderInterface#withPrimaryKey(KeySpec)}. + * the primary key specification using {@link org.pgpainless.key.generation.KeyRingBuilder#setPrimaryKey(KeySpec)}. + * Any additional subkeys can be then added using {@link org.pgpainless.key.generation.KeyRingBuilder#addSubkey(KeySpec)}. * - * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag...)} method and providing a {@link KeyType}. + * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag, KeyFlag...)} + * method and providing a {@link KeyType}. * There are a bunch of factory methods for different {@link KeyType} implementations present in {@link KeyType} itself * (such as {@link KeyType#ECDH(EllipticCurve)}. {@link KeyFlag KeyFlags} determine * the use of the key, like encryption, signing data or certifying subkeys. @@ -171,16 +174,18 @@ public class GenerateKeys { * * Note, that if you set preferred algorithms, the preference lists are sorted from high priority to low priority. * - * When setting the primary key spec ({@link org.pgpainless.key.generation.KeyRingBuilder#withPrimaryKey(KeySpec)}), + * When setting the primary key spec ({@link org.pgpainless.key.generation.KeyRingBuilder#setPrimaryKey(KeySpecBuilder)}), * make sure that the primary key spec has the {@link KeyFlag} {@link KeyFlag#CERTIFY_OTHER} set, as this is a requirement * for primary keys. * * Furthermore you have to set at least the primary user-id via - * {@link org.pgpainless.key.generation.KeyRingBuilderInterface.WithPrimaryUserId#withPrimaryUserId(String)}, - * but you can also add additional user-ids via - * {@link org.pgpainless.key.generation.KeyRingBuilderInterface.WithAdditionalUserIdOrPassphrase#withAdditionalUserId(String)}. + * {@link org.pgpainless.key.generation.KeyRingBuilder#addUserId(String)}, + * but you can also add additional user-ids. * - * Lastly you can decide whether to set a passphrase to protect the secret key. + * If you want the key to expire at a certain point in time, call + * {@link org.pgpainless.key.generation.KeyRingBuilder#setExpirationDate(Date)}. + * Lastly you can decide whether to set a passphrase to protect the secret key using + * {@link org.pgpainless.key.generation.KeyRingBuilder#setPassphrase(Passphrase)}. * * @throws PGPException * @throws InvalidAlgorithmParameterException @@ -201,43 +206,35 @@ public class GenerateKeys { Passphrase passphrase = Passphrase.fromPassword("1nters3x"); PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), + // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags + KeyFlag.CERTIFY_OTHER)) // Add the first subkey (in this case encryption) - .withSubKey( - KeySpec.getBuilder( - // We choose an ECDH key over the brainpoolp256r1 curve - KeyType.ECDH(EllipticCurve._BRAINPOOLP256R1), - // Our key can encrypt both communication data, as well as data at rest - KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS - ) - // Optionally: Configure the subkey with custom algorithm preferences - // Is is recommended though to go with PGPainless' defaults which can be found in the - // AlgorithmSuite class. - .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128) - .overridePreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256) - .overridePreferredCompressionAlgorithms(CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZLIB) - .build() - ) + .addSubkey(KeySpec.getBuilder( + // We choose an ECDH key over the brainpoolp256r1 curve + KeyType.ECDH(EllipticCurve._BRAINPOOLP256R1), + // Our key can encrypt both communication data, as well as data at rest + KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS + ) + // Optionally: Configure the subkey with custom algorithm preferences + // Is is recommended though to go with PGPainless' defaults which can be found in the + // AlgorithmSuite class. + .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128) + .overridePreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256) + .overridePreferredCompressionAlgorithms(CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZLIB) + .build()) // Add the second subkey (signing) - .withSubKey( - KeySpec.getBuilder( - KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), - // This key is used for creating signatures only - KeyFlag.SIGN_DATA - ).build() - ) - // Lastly we add the primary key (certification only in our case) - .withPrimaryKey( - KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), - // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags - KeyFlag.CERTIFY_OTHER) - .build() - ) + .addSubkey(KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), + // This key is used for creating signatures only + KeyFlag.SIGN_DATA + )) // Set primary user-id - .withPrimaryUserId(userId) + .addUserId(userId) // Add an additional user id. This step can be repeated - .withAdditionalUserId(additionalUserId) + .addUserId(additionalUserId) // Set passphrase. Alternatively use .withoutPassphrase() to leave key unprotected. - .withPassphrase(passphrase) + .setPassphrase(passphrase) .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index aeafaf59..b94d5622 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -83,17 +83,15 @@ public class BrainpoolKeyGenerationTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build()) - .withSubKey(KeySpec.getBuilder( - KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .build()) - .withSubKey(KeySpec.getBuilder( - KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA) - .build()) - .withPrimaryKey(KeySpec.getBuilder( - KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.CERTIFY_OTHER).build()) - .withPrimaryUserId(UserId.nameAndEmail("Alice", "alice@pgpainless.org")) - .withPassphrase(Passphrase.fromPassword("passphrase")) + .setPrimaryKey(KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)) + .addSubkey(KeySpec.getBuilder( + KeyType.RSA(RsaLength._3072), KeyFlag.SIGN_DATA)) + .addUserId(UserId.nameAndEmail("Alice", "alice@pgpainless.org")) + .setPassphrase(Passphrase.fromPassword("passphrase")) .build(); for (PGPSecretKey key : secretKeys) { @@ -131,10 +129,9 @@ public class BrainpoolKeyGenerationTest { public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(subKey) - .withPrimaryKey(primaryKey) - .withPrimaryUserId(userId) - .withoutPassphrase() + .setPrimaryKey(primaryKey) + .addSubkey(subKey) + .addUserId(userId) .build(); return secretKeys; } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index 65b7a71f..ff48d159 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -46,11 +46,9 @@ public class CertificationKeyMustBeAbleToCertifyTest { for (KeyType type : typesIncapableOfCreatingVerifications) { assertThrows(IllegalArgumentException.class, () -> PGPainless .generateKeyRing() - .withPrimaryKey(KeySpec - .getBuilder(type, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .build()) - .withPrimaryUserId("should@throw.ex") - .withoutPassphrase().build()); + .setPrimaryKey(KeySpec.getBuilder(type, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addUserId("should@throw.ex") + .build()); } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index 9e60eca6..bf28aac0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -41,13 +41,11 @@ public class GenerateEllipticCurveKeyTest { public void generateEllipticCurveKeys(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build()) - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .build()) - .withPrimaryUserId(UserId.onlyEmail("alice@wonderland.lit").toString()) - .withoutPassphrase() + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS)) + .addUserId(UserId.onlyEmail("alice@wonderland.lit").toString()) .build(); assertEquals(PublicKeyAlgorithm.EDDSA.getAlgorithmId(), keyRing.getPublicKey().getAlgorithm()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index 33db6fc5..f3378df0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -47,16 +47,14 @@ public class GenerateKeyWithAdditionalUserIdTest { ImplementationFactory.setFactoryImplementation(implementationFactory); Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryUserId(UserId.onlyEmail("primary@user.id")) - .withAdditionalUserId(UserId.onlyEmail("additional@user.id")) - .withAdditionalUserId(UserId.onlyEmail("additional2@user.id")) - .withAdditionalUserId("\ttrimThis@user.id ") + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) + .addUserId(UserId.onlyEmail("primary@user.id")) + .addUserId(UserId.onlyEmail("additional@user.id")) + .addUserId(UserId.onlyEmail("additional2@user.id")) + .addUserId("\ttrimThis@user.id ") .setExpirationDate(expiration) - .withoutPassphrase() .build(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java similarity index 88% rename from pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java rename to pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index 60e7c131..39d1e6ef 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphrase.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -38,7 +38,7 @@ import org.pgpainless.util.Passphrase; * The issue is that the implementation of {@link Passphrase#emptyPassphrase()} would set the underlying * char array to null, which caused an NPE later on. */ -public class GenerateWithEmptyPassphrase { +public class GenerateWithEmptyPassphraseTest { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") @@ -46,12 +46,11 @@ public class GenerateWithEmptyPassphrase { ImplementationFactory.setFactoryImplementation(implementationFactory); assertNotNull(PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryUserId("primary@user.id") - .withPassphrase(Passphrase.emptyPassphrase()) + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) + .addUserId("primary@user.id") + .setPassphrase(Passphrase.emptyPassphrase()) .build()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index f1413a97..fe2191e5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -221,16 +221,14 @@ public class KeyRingInfoTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder( KeyType.ECDH(EllipticCurve._BRAINPOOLP384R1), - KeyFlag.ENCRYPT_STORAGE).build()) - .withSubKey(KeySpec.getBuilder( - KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA) - .build()) - .withPrimaryKey(KeySpec.getBuilder( - KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER).build()) - .withPrimaryUserId(UserId.newBuilder().withName("Alice").withEmail("alice@pgpainless.org").build()) - .withoutPassphrase() + KeyFlag.ENCRYPT_STORAGE)) + .addSubkey(KeySpec.getBuilder( + KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.SIGN_DATA)) + .addUserId(UserId.newBuilder().withName("Alice").withEmail("alice@pgpainless.org").build()) .build(); Iterator keys = secretKeys.iterator(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index fce78fcd..a6d9a006 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -51,16 +51,13 @@ public class UserIdRevocationTest { @Test public void testRevocationWithoutRevocationAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder( - KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), - KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .build()) - .withPrimaryUserId("primary@key.id") - .withAdditionalUserId("secondary@key.id") - .withoutPassphrase() + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder( + KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS)) + .addUserId("primary@key.id") + .addUserId("secondary@key.id") .build(); // make a copy with revoked subkey @@ -92,15 +89,12 @@ public class UserIdRevocationTest { @Test public void testRevocationWithRevocationReason() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) - .build()) - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), - KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .build()) - .withPrimaryUserId("primary@key.id") - .withAdditionalUserId("secondary@key.id") - .withoutPassphrase() + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS)) + .addUserId("primary@key.id") + .addUserId("secondary@key.id") .build(); secretKeys = PGPainless.modifyKeyRing(secretKeys) @@ -147,6 +141,6 @@ public class UserIdRevocationTest { assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys) .revokeUserId("cryptie@encrypted.key", protector, RevocationAttributes.createKeyRevocation().withReason(RevocationAttributes.Reason.KEY_RETIRED) - .withDescription("This is not a valid certification revocation reason."))); + .withDescription("This is not a valid certification revocation reason."))); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index 7cee1a7c..fc71b3f3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -47,12 +47,12 @@ public class BCUtilTest { throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sec = PGPainless.generateKeyRing() - .withSubKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.ENCRYPT_COMMS).build()) - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), - KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) - .build()) - .withPrimaryUserId("donald@duck.tails").withoutPassphrase().build(); + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._3072), KeyFlag.ENCRYPT_COMMS)) + .addUserId("donald@duck.tails") + .build(); PGPPublicKeyRing pub = KeyRingUtils.publicKeyRingFrom(sec); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index 05f676cf..ab3ba986 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -41,14 +41,12 @@ public class GuessPreferredHashAlgorithmTest { @Test public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(new HashAlgorithm[] {}) .overridePreferredSymmetricKeyAlgorithms(new SymmetricKeyAlgorithm[] {}) - .overridePreferredCompressionAlgorithms(new CompressionAlgorithm[] {}) - .build()) - .withPrimaryUserId("test@test.test") - .withoutPassphrase() + .overridePreferredCompressionAlgorithms(new CompressionAlgorithm[] {})) + .addUserId("test@test.test") .build(); PGPPublicKey publicKey = secretKeys.getPublicKey(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index 4bf93212..e08bd54a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -38,14 +38,13 @@ public class TestEncryptCommsStorageFlagsDifferentiated { @Test public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .withPrimaryKey(KeySpec.getBuilder( + .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_STORAGE // no ENCRYPT_COMMS - ).build()) - .withPrimaryUserId("cannot@encrypt.comms") - .withoutPassphrase() + )) + .addUserId("cannot@encrypt.comms") .build(); PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys); From 708282ba0a1b1409dc58f01154a2c4770ce77ce5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Sep 2021 12:32:15 +0200 Subject: [PATCH 0024/1450] Update README --- README.md | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 406d4eca..ad36f104 100644 --- a/README.md +++ b/README.md @@ -75,23 +75,19 @@ There are some predefined key archetypes, but it is possible to fully customize // Customized key PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() - .withSubKey( + .setPrimaryKey(KeySpec.getBuilder( + RSA.withLength(RsaLength._8192), + KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) + .addSubkey( KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA) .overrideCompressionAlgorithms(CompressionAlgorithm.ZLIB) - .build() - ).withSubKey( + ).addSubkey( KeySpec.getBuilder( ECDH.fromCurve(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .build() - ).withMasterKey( - KeySpec.getBuilder( - RSA.withLength(RsaLength._8192), - KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER) - .build() - ).withPrimaryUserId("Juliet ") - .withAdditionalUserId("xmpp:juliet@capulet.lit") - .withPassphrase("romeo_oh_Romeo<3") + ).addUserId("Juliet ") + .addUserId("xmpp:juliet@capulet.lit") + .setPassphrase("romeo_oh_Romeo<3") .build(); ``` From 8d5e36e2678ed6ec426d165078eb6c2f7b098385 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Sep 2021 15:24:47 +0200 Subject: [PATCH 0025/1450] Update README --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40045664..536ebe2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # PGPainless Changelog +## 0.2.14-SNAPSHOT +- Export dependency on Bouncycastle's `bcprov-jdk15on` +- Rework Key Generation API + - Replace builder-chain structure with single `KeyRingBuilder` class + ## 0.2.13 - Add `MessageInspector` class to determine IDs of recipient keys. - PGPainless now tries decryption using keys with available passphrases first and only then request key passphrases using callbacks. From f15f3a4e2a2dc13ab26c9aeffab775e498bb0c86 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 23 Sep 2021 18:06:54 +0200 Subject: [PATCH 0026/1450] Fix example use of ascii armoring --- .../src/test/java/org/pgpainless/example/GenerateKeys.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index e88c906f..2b7cd8c1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -43,7 +43,6 @@ import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; -import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.Passphrase; /** @@ -84,7 +83,7 @@ public class GenerateKeys { // Extract public key PGPPublicKeyRing publicKey = KeyRingUtils.publicKeyRingFrom(secretKey); // Encode the public key to an ASCII armored string ready for sharing - String asciiArmoredPublicKey = ArmorUtils.toAsciiArmoredString(publicKey); + String asciiArmoredPublicKey = PGPainless.asciiArmor(publicKey); KeyRingInfo keyInfo = new KeyRingInfo(secretKey); From ece5897baeec720086c1c42fd7a4a64d88c5c746 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Sep 2021 11:47:54 +0200 Subject: [PATCH 0027/1450] CleartextSignedMessage processing: Reuse normal processing API --- .../CloseForResultInputStream.java | 50 ++++++++++++++++ .../DecryptionStream.java | 44 +++++--------- .../CleartextSignatureProcessor.java | 59 ++++--------------- .../CleartextSignatureVerificationTest.java | 19 ++++-- 4 files changed, 92 insertions(+), 80 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java new file mode 100644 index 00000000..bb42e036 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java @@ -0,0 +1,50 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.decryption_verification; + +import java.io.IOException; +import java.io.InputStream; +import javax.annotation.Nonnull; + +public abstract class CloseForResultInputStream extends InputStream { + + protected final OpenPgpMetadata.Builder resultBuilder; + private boolean isClosed = false; + + public CloseForResultInputStream(@Nonnull OpenPgpMetadata.Builder resultBuilder) { + this.resultBuilder = resultBuilder; + } + + @Override + public void close() throws IOException { + this.isClosed = true; + } + + /** + * Return the result of the decryption. + * The result contains metadata about the decryption, such as signatures, used keys and algorithms, as well as information + * about the decrypted file/stream. + * + * Can only be obtained once the stream got successfully closed ({@link #close()}). + * @return metadata + */ + public OpenPgpMetadata getResult() { + if (!isClosed) { + throw new IllegalStateException("Stream MUST be closed before the result can be accessed."); + } + return resultBuilder.build(); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java index 2f04502e..cdee6e77 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java @@ -26,11 +26,9 @@ import org.pgpainless.util.IntegrityProtectedInputStream; * Decryption Stream that handles updating and verification of detached signatures, * as well as verification of integrity-protected input streams once the stream gets closed. */ -public class DecryptionStream extends InputStream { +public class DecryptionStream extends CloseForResultInputStream { private final InputStream inputStream; - private final OpenPgpMetadata.Builder resultBuilder; - private boolean isClosed = false; private final IntegrityProtectedInputStream integrityProtectedInputStream; private final InputStream armorStream; @@ -46,12 +44,24 @@ public class DecryptionStream extends InputStream { @Nonnull OpenPgpMetadata.Builder resultBuilder, IntegrityProtectedInputStream integrityProtectedInputStream, InputStream armorStream) { + super(resultBuilder); this.inputStream = wrapped; - this.resultBuilder = resultBuilder; this.integrityProtectedInputStream = integrityProtectedInputStream; this.armorStream = armorStream; } + @Override + public void close() throws IOException { + if (armorStream != null) { + Streams.drain(armorStream); + } + inputStream.close(); + if (integrityProtectedInputStream != null) { + integrityProtectedInputStream.close(); + } + super.close(); + } + @Override public int read() throws IOException { int r = inputStream.read(); @@ -64,30 +74,4 @@ public class DecryptionStream extends InputStream { return read; } - @Override - public void close() throws IOException { - if (armorStream != null) { - Streams.drain(armorStream); - } - inputStream.close(); - if (integrityProtectedInputStream != null) { - integrityProtectedInputStream.close(); - } - this.isClosed = true; - } - - /** - * Return the result of the decryption. - * The result contains metadata about the decryption, such as signatures, used keys and algorithms, as well as information - * about the decrypted file/stream. - * - * Can only be obtained once the stream got successfully closed ({@link #close()}). - * @return metadata - */ - public OpenPgpMetadata getResult() { - if (!isClosed) { - throw new IllegalStateException("DecryptionStream MUST be closed before the result can be accessed."); - } - return resultBuilder.build(); - } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index a8366b01..394de734 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -15,18 +15,12 @@ */ package org.pgpainless.decryption_verification.cleartext_signatures; -import static org.pgpainless.signature.SignatureValidator.signatureWasCreatedInBounds; - -import java.io.File; import java.io.IOException; import java.io.InputStream; -import java.util.logging.Level; import java.util.logging.Logger; import org.bouncycastle.bcpg.ArmoredInputStream; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.pgpainless.PGPainless; @@ -34,12 +28,9 @@ import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.StreamEncoding; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; -import org.pgpainless.decryption_verification.SignatureVerification; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.key.SubkeyIdentifier; -import org.pgpainless.signature.CertificateValidator; -import org.pgpainless.signature.SignatureVerifier; import org.pgpainless.util.ArmoredInputStreamFactory; /** @@ -67,19 +58,21 @@ public class CleartextSignatureProcessor { } /** - * Unpack the message from the ascii armor and process the signature. - * This method only returns the signature, if it is correct. + * Perform the first pass of cleartext signed message processing: + * Unpack the message from the ascii armor and detach signatures. + * The plaintext message is being written to cache/disk according to the used {@link MultiPassStrategy}. * - * After the message has been processed, the content can be retrieved from the {@link MultiPassStrategy}. - * If an {@link InMemoryMultiPassStrategy} was used, the message can be accessed via {@link InMemoryMultiPassStrategy#getBytes()}. - * If {@link MultiPassStrategy#writeMessageToFile(File)} was used, the message content was written to the given file. + * The result of this method is a {@link DecryptionStream} which will perform the second pass. + * It again outputs the plaintext message and performs signature verification. + * + * The result of {@link DecryptionStream#getResult()} contains information about the messages signatures. * * @return validated signature * @throws IOException if the signature cannot be read. * @throws PGPException if the signature cannot be initialized. * @throws SignatureValidationException if the signature is invalid. */ - public OpenPgpMetadata process() throws IOException, PGPException { + public DecryptionStream getVerificationStream() throws IOException, PGPException { OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED) .setSymmetricKeyAlgorithm(SymmetricKeyAlgorithm.NULL) @@ -88,38 +81,12 @@ public class CleartextSignatureProcessor { PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(in, multiPassStrategy.getMessageOutputStream()); for (PGPSignature signature : signatures) { - PGPPublicKeyRing certificate = null; - PGPPublicKey signingKey = null; - for (PGPPublicKeyRing cert : options.getCertificates()) { - signingKey = cert.getPublicKey(signature.getKeyID()); - if (signingKey != null) { - certificate = cert; - break; - } - } - - try { - if (signingKey == null) { - throw new SignatureValidationException("Missing verification key with key-id " + Long.toHexString(signature.getKeyID())); - } - - SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(certificate, signingKey.getKeyID()); - - signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(signature); - SignatureVerifier.initializeSignatureAndUpdateWithSignedData(signature, multiPassStrategy.getMessageInputStream(), signingKey); - CertificateValidator.validateCertificateAndVerifyInitializedSignature(signature, certificate, PGPainless.getPolicy()); - resultBuilder.addVerifiedInbandSignature(new SignatureVerification(signature, signingKeyIdentifier)); - } catch (SignatureValidationException e) { - LOGGER.log(Level.INFO, "Cannot verify signature made by key " + Long.toHexString(signature.getKeyID()) + ": " + e.getMessage()); - SubkeyIdentifier signingKeyIdentifier = null; - if (signingKey != null) { - signingKeyIdentifier = new SubkeyIdentifier(certificate, signingKey.getKeyID()); - } - resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, signingKeyIdentifier), e); - } + options.addVerificationOfDetachedSignature(signature); } - return resultBuilder.build(); + return PGPainless.decryptAndOrVerify() + .onInputStream(multiPassStrategy.getMessageInputStream()) + .withOptions(options); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 1302e12c..ca86da0a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -89,13 +89,18 @@ public class CleartextSignatureVerificationTest { .withStrategy(multiPassStrategy) .withOptions(options); - OpenPgpMetadata result = processor.process(); + DecryptionStream decryptionStream = processor.getVerificationStream(); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + OpenPgpMetadata result = decryptionStream.getResult(); assertTrue(result.isVerified()); PGPSignature signature = result.getVerifiedSignatures().values().iterator().next(); assertEquals(signature.getKeyID(), signingKeys.getPublicKey().getKeyID()); - assertArrayEquals(MESSAGE_BODY, multiPassStrategy.getBytes()); + assertArrayEquals(MESSAGE_BODY, out.toByteArray()); } @Test @@ -112,7 +117,13 @@ public class CleartextSignatureVerificationTest { .withStrategy(multiPassStrategy) .withOptions(options); - OpenPgpMetadata result = processor.process(); + DecryptionStream decryptionStream = processor.getVerificationStream(); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + + OpenPgpMetadata result = decryptionStream.getResult(); assertTrue(result.isVerified()); PGPSignature signature = result.getVerifiedSignatures().values().iterator().next(); @@ -205,6 +216,6 @@ public class CleartextSignatureVerificationTest { .onInputStream(new ByteArrayInputStream(inlineSignedMessage.getBytes(StandardCharsets.UTF_8))) .withStrategy(new InMemoryMultiPassStrategy()) .withOptions(options) - .process()); + .getVerificationStream()); } } From 526dc0caac8f2fda46082e24bfb7e99a5e779fd6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Sep 2021 17:10:00 +0200 Subject: [PATCH 0028/1450] Add support for creating cleartext signed messages and add tests --- .../encryption_signing/EncryptionStream.java | 27 ++- .../encryption_signing/ProducerOptions.java | 26 +++ .../encryption_signing/SigningOptions.java | 20 ++- .../AsciiArmorDashEscapeTest.java | 56 ++++++ .../pgpainless/example/DecryptOrVerify.java | 169 ++++++++++++++++++ .../java/org/pgpainless/example/Sign.java | 165 +++++++++++++++++ 6 files changed, 453 insertions(+), 10 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/example/Sign.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java index 45d518a5..c304b0d5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java @@ -153,6 +153,11 @@ public final class EncryptionStream extends OutputStream { } private void prepareLiteralDataProcessing() throws IOException { + if (options.isCleartextSigned()) { + SigningOptions.SigningMethod firstMethod = options.getSigningOptions().getSigningMethods().values().iterator().next(); + armorOutputStream.beginClearText(firstMethod.getHashAlgorithm().getAlgorithmId()); + return; + } literalDataGenerator = new PGPLiteralDataGenerator(); literalDataStream = literalDataGenerator.open(outermostStream, options.getEncoding().getCode(), @@ -214,9 +219,22 @@ public final class EncryptionStream extends OutputStream { } // Literal Data - literalDataStream.flush(); - literalDataStream.close(); - literalDataGenerator.close(); + if (literalDataStream != null) { + literalDataStream.flush(); + literalDataStream.close(); + } + if (literalDataGenerator != null) { + literalDataGenerator.close(); + } + + if (options.isCleartextSigned()) { + // Add linebreak between body and signatures + // TODO: We should only add this line if required. + // I.e. if the message already ends with \n, don't add another linebreak. + armorOutputStream.write('\r'); + armorOutputStream.write('\n'); + armorOutputStream.endClearText(); + } try { writeSignatures(); @@ -260,7 +278,8 @@ public final class EncryptionStream extends OutputStream { PGPSignature signature = signatureGenerator.generate(); if (signingMethod.isDetached()) { resultBuilder.addDetachedSignature(signingKey, signature); - } else { + } + if (!signingMethod.isDetached() || options.isCleartextSigned()) { signature.encode(outermostStream); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java index 851ee56c..dfc156c8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java @@ -31,6 +31,7 @@ public final class ProducerOptions { private String fileName = ""; private Date modificationDate = PGPLiteralData.NOW; private StreamEncoding streamEncoding = StreamEncoding.BINARY; + private boolean cleartextSigned = false; private CompressionAlgorithm compressionAlgorithmOverride = PGPainless.getPolicy().getCompressionAlgorithmPolicy() .defaultCompressionAlgorithm(); @@ -101,6 +102,9 @@ public final class ProducerOptions { * @return builder */ public ProducerOptions setAsciiArmor(boolean asciiArmor) { + if (cleartextSigned && !asciiArmor) { + throw new IllegalArgumentException("Cleartext signing is enabled. Cannot disable ASCII armoring."); + } this.asciiArmor = asciiArmor; return this; } @@ -114,6 +118,28 @@ public final class ProducerOptions { return asciiArmor; } + public ProducerOptions setCleartextSigned() { + if (signingOptions == null) { + throw new IllegalArgumentException("Signing Options cannot be null if cleartext signing is enabled."); + } + if (encryptionOptions != null) { + throw new IllegalArgumentException("Cannot encode encrypted message as Cleartext Signed."); + } + for (SigningOptions.SigningMethod method : signingOptions.getSigningMethods().values()) { + if (!method.isDetached()) { + throw new IllegalArgumentException("For cleartext signed message, all signatures must be added as detached signatures."); + } + } + cleartextSigned = true; + asciiArmor = true; + compressionAlgorithmOverride = CompressionAlgorithm.UNCOMPRESSED; + return this; + } + + public boolean isCleartextSigned() { + return cleartextSigned; + } + /** * Set the name of the encrypted file. * Note: This option cannot be used simultaneously with {@link #setForYourEyesOnly()}. diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index 3f4b52f3..b44a3f02 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -52,10 +52,12 @@ public final class SigningOptions { public static final class SigningMethod { private final PGPSignatureGenerator signatureGenerator; private final boolean detached; + private final HashAlgorithm hashAlgorithm; - private SigningMethod(PGPSignatureGenerator signatureGenerator, boolean detached) { + private SigningMethod(PGPSignatureGenerator signatureGenerator, boolean detached, HashAlgorithm hashAlgorithm) { this.signatureGenerator = signatureGenerator; this.detached = detached; + this.hashAlgorithm = hashAlgorithm; } /** @@ -65,8 +67,8 @@ public final class SigningOptions { * @param signatureGenerator signature generator * @return inline signing method */ - public static SigningMethod inlineSignature(PGPSignatureGenerator signatureGenerator) { - return new SigningMethod(signatureGenerator, false); + public static SigningMethod inlineSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) { + return new SigningMethod(signatureGenerator, false, hashAlgorithm); } /** @@ -77,8 +79,8 @@ public final class SigningOptions { * @param signatureGenerator signature generator * @return detached signing method */ - public static SigningMethod detachedSignature(PGPSignatureGenerator signatureGenerator) { - return new SigningMethod(signatureGenerator, true); + public static SigningMethod detachedSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) { + return new SigningMethod(signatureGenerator, true, hashAlgorithm); } public boolean isDetached() { @@ -88,6 +90,10 @@ public final class SigningOptions { public PGPSignatureGenerator getSignatureGenerator() { return signatureGenerator; } + + public HashAlgorithm getHashAlgorithm() { + return hashAlgorithm; + } } private final Map signingMethods = new HashMap<>(); @@ -266,7 +272,9 @@ public final class SigningOptions { PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID()); PGPSignatureGenerator generator = createSignatureGenerator(signingSubkey, hashAlgorithm, signatureType); generator.setUnhashedSubpackets(unhashedSubpackets(signingSecretKey).generate()); - SigningMethod signingMethod = detached ? SigningMethod.detachedSignature(generator) : SigningMethod.inlineSignature(generator); + SigningMethod signingMethod = detached ? + SigningMethod.detachedSignature(generator, hashAlgorithm) : + SigningMethod.inlineSignature(generator, hashAlgorithm); signingMethods.put(signingKeyIdentifier, signingMethod); } diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java new file mode 100644 index 00000000..465591d2 --- /dev/null +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java @@ -0,0 +1,56 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.bouncycastle; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.bcpg.ArmoredInputStream; +import org.bouncycastle.bcpg.ArmoredOutputStream; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.algorithm.HashAlgorithm; + +public class AsciiArmorDashEscapeTest { + + @Test + public void testDashEscapingInCleartextArmor() throws IOException { + String withDash = "- This is a leading dash.\n"; + String dashEscaped = "-----BEGIN PGP SIGNED MESSAGE-----\n" + + "Hash: SHA512\n" + + "\n" + + "- - This is a leading dash.\n"; + ByteArrayOutputStream out = new ByteArrayOutputStream(); + ArmoredOutputStream armor = new ArmoredOutputStream(out); + + armor.beginClearText(HashAlgorithm.SHA512.getAlgorithmId()); + armor.write(withDash.getBytes(StandardCharsets.UTF_8)); + armor.endClearText(); + armor.close(); + + assertArrayEquals(dashEscaped.getBytes(StandardCharsets.UTF_8), out.toByteArray()); + + ArmoredInputStream armorIn = new ArmoredInputStream(new ByteArrayInputStream(out.toByteArray())); + ByteArrayOutputStream plain = new ByteArrayOutputStream(); + Streams.pipeAll(armorIn, plain); + assertEquals(withDash, plain.toString()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java new file mode 100644 index 00000000..157c7a82 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -0,0 +1,169 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.example; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.BufferedInputStream; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.OpenPgpMetadata; +import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.exception.WrongConsumingMethodException; +import org.pgpainless.key.protection.SecretKeyRingProtector; + +public class DecryptOrVerify { + + private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: AA21 9149 3B35 E679 8876 DE43 B0D7 8185 F639 B6C9\n" + + "Comment: Signora \n" + + "\n" + + "lFgEYVGUbRYJKwYBBAHaRw8BAQdAki59UUbUouvfd+4hoSAQ79He7cdmTyYTu3Su\n" + + "9Ww0isQAAQCvyi79y6YNzxdQpN8HLPmBd+zq6o/RNK4cBeN+RJrxiBHbtCBTaWdu\n" + + "b3JhIDxzaWdub3JhQHBncGFpbmxlc3Mub3JnPoh4BBMWCgAgBQJhUZRtAhsBBRYC\n" + + "AwEABRUKCQgLBAsJCAcCHgECGQEACgkQsNeBhfY5tskOqgEA3fDHE1n081xiseTl\n" + + "aXV1A/6aXvsnxVo+Lj35Mn7CarwBAO4PVjHvvUydTla3D5JHhZ0p4P5hSG7kPPrB\n" + + "d3nmbH0InF0EYVGUbRIKKwYBBAGXVQEFAQEHQFzDN2Tuaxim9YFRRXeRZyDC42KF\n" + + "9DSohUXEJ/TrM7MlAwEIBwAA/3h1IaQBIGlNZ6TSsuuryW8KtwdxI4Sd1JDzsVML\n" + + "2SGQEFKIdQQYFgoAHQUCYVGUbQIbDAUWAgMBAAUVCgkICwQLCQgHAh4BAAoJELDX\n" + + "gYX2ObbJBzwBAM4RYBuRsRTmEFTrc7FyAqqSrCVpyLkrnYqPTZriySX0AP9K+N1d\n" + + "LIDRkHW7EbK2ITRu6nemFu00+H1bInTCUVxtAZxYBGFRlG0WCSsGAQQB2kcPAQEH\n" + + "QOzydmmSnNw/NoWi0b0pODLNbT2VUFNFurxBoWj8T2oLAAD+Nbk5mZVQ91pDV6Bp\n" + + "SAjCP9/e7odHtipsdlG9lszzC98RcIjVBBgWCgB9BQJhUZRtAhsCBRYCAwEABRUK\n" + + "CQgLBAsJCAcCHgFfIAQZFgoABgUCYVGUbQAKCRBaxbg/GlrWhx43AP40HxpvHNL5\n" + + "m953hWBxZvzIpt98E8+bfR4rCyHY6A5rzQEA8BUI6oqsEPKlGiETYntk7fFhOIyJ\n" + + "bRH+a/LsdaxjpQwACgkQsNeBhfY5tskKHQEA+aanF6ZnSatjDdiKEehYmbqr4BTc\n" + + "UDnu37YkbgLlqPIBAJrPT5XS9oVa5xMsK+c3shnmPVQuK9r/AGwlligJprYH\n" + + "=JHMt\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n"; + + private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "owGbwMvMyCUWdXSHvVTUtXbG0yJJDCDgkZqTk6+jEJ5flJOiyNVRysIoxsXAxsqU\n" + + "GDiVjUGRUwCmQUyRRWnOn9Z/PIseF3Yz6cCEL05nZDj1OClo75WVTjNmJPemW6qV\n" + + "6ki//1K1++2s0qTP+0N11O4z/BVLDDdxnmQryS+5VXjBX7/0Hxnm/eqeX6Zum35r\n" + + "M8e7ufwA\n" + + "=RDiy\n" + + "-----END PGP MESSAGE-----"; + private static final String CLEARTEXT_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----\n" + + "Hash: SHA512\n" + + "\n" + + "Hello, World!\n" + + "\n" + + "-----BEGIN PGP SIGNATURE-----\n" + + "Version: PGPainless\n" + + "\n" + + "iHUEARYKAAYFAmFR1WIAIQkQWsW4Pxpa1ocWIQQinPyF/gyi43GLAixaxbg/GlrW\n" + + "h7qwAP9Vq0PfDdGpM+n4wfR162XBvvVU8KNl+vJI3u7Ghlj0zwEA1VMgwNnCRb9b\n" + + "QUibivG5Slahz8l7PWnGkxbB2naQxgw=\n" + + "=oNIK\n" + + "-----END PGP SIGNATURE-----"; + + private static PGPSecretKeyRing secretKey; + private static PGPPublicKeyRing certificate; + + @BeforeAll + public static void prepare() throws IOException { + secretKey = PGPainless.readKeyRing().secretKeyRing(KEY); + certificate = PGPainless.extractCertificate(secretKey); + } + + @Test + public void verifySignatures() throws PGPException, IOException { + ConsumerOptions options = new ConsumerOptions() + .addVerificationCert(certificate); + + for (String signed : new String[] {INBAND_SIGNED, CLEARTEXT_SIGNED}) { + ByteArrayOutputStream out = new ByteArrayOutputStream(); + ByteArrayInputStream in = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); + BufferedInputStream bufIn = new BufferedInputStream(in); + bufIn.mark(512); + DecryptionStream verificationStream; + try { + verificationStream = PGPainless.decryptAndOrVerify() + .onInputStream(bufIn) + .withOptions(options); + } catch (WrongConsumingMethodException e) { + bufIn.reset(); + // Cleartext Signed Message + verificationStream = PGPainless.verifyCleartextSignedMessage() + .onInputStream(bufIn) + .withStrategy(new InMemoryMultiPassStrategy()) + .withOptions(options) + .getVerificationStream(); + } + + Streams.pipeAll(verificationStream, out); + verificationStream.close(); + + OpenPgpMetadata metadata = verificationStream.getResult(); + assertTrue(metadata.isVerified()); + assertArrayEquals("Hello, World!\n".getBytes(StandardCharsets.UTF_8), out.toByteArray()); + } + } + + + @Test + public void createVerifyCleartextSignedMessage() throws PGPException, IOException { + for (String msg : new String[] {"Hello World!", "- Hello - World -", "Hello, World!\n", "Hello\nWorld!"}) { + ByteArrayInputStream in = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign() + .onOutputStream(out) + .withOptions(ProducerOptions.sign(SigningOptions.get() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) + ).setCleartextSigned()); + + Streams.pipeAll(in, signingStream); + signingStream.close(); + + ByteArrayInputStream signedIn = new ByteArrayInputStream(out.toByteArray()); + + DecryptionStream verificationStream = PGPainless.verifyCleartextSignedMessage() + .onInputStream(signedIn) + .withStrategy(new InMemoryMultiPassStrategy()) + .withOptions(new ConsumerOptions().addVerificationCert(certificate)) + .getVerificationStream(); + + ByteArrayOutputStream plain = new ByteArrayOutputStream(); + Streams.pipeAll(verificationStream, plain); + verificationStream.close(); + + OpenPgpMetadata metadata = verificationStream.getResult(); + assertTrue(metadata.isVerified()); + assertArrayEquals(msg.getBytes(StandardCharsets.UTF_8), plain.toByteArray()); + } + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java new file mode 100644 index 00000000..00e7df49 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -0,0 +1,165 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.example; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.encryption_signing.EncryptionResult; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.key.SubkeyIdentifier; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.ArmorUtils; + +public class Sign { + + private static PGPSecretKeyRing secretKey; + private static SecretKeyRingProtector protector; + + @BeforeAll + public static void prepare() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example ", null); + protector = SecretKeyRingProtector.unprotectedKeys(); // no password + } + + /** + * Demonstration of how to use the PGPainless API to sign some message using inband signatures. + * The result is not human-readable, however the resulting text contains both the signed data and the signatures. + * + * @throws PGPException + * @throws IOException + */ + @Test + public void inbandSignedMessage() throws PGPException, IOException { + String message = "\"Derivative Works\" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof."; + InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign() + .onOutputStream(signedOut) + .withOptions(ProducerOptions.sign(SigningOptions.get() + .addInlineSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) + ); + + Streams.pipeAll(messageIn, signingStream); + signingStream.close(); + + String signedMessage = signedOut.toString(); + assertTrue(signedMessage.startsWith("-----BEGIN PGP MESSAGE-----")); + assertTrue(signedMessage.endsWith("-----END PGP MESSAGE-----\n")); + assertFalse(signedMessage.contains("Derivative Works")); // hot human-readable + } + + /** + * Demonstration of how to create a detached signature for a message. + * A detached signature can be distributed alongside the message/file itself. + * + * The message/file doesn't need to be altered for detached signature creation. + * + * @throws PGPException + * @throws IOException + */ + @Test + public void detachedSignedMessage() throws PGPException, IOException { + String message = "\"Contribution\" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, \"submitted\" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as \"Not a Contribution.\""; + + InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + // The output stream below is named 'ignoreMe' because the output of the signing stream can be ignored. + // After signing, you want to distribute the original value of 'message' along with the 'detachedSignature' + // from below. + ByteArrayOutputStream ignoreMe = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign() + .onOutputStream(ignoreMe) + .withOptions(ProducerOptions.sign(SigningOptions.get() + .addDetachedSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) + .setAsciiArmor(false) + ); + + Streams.pipeAll(messageIn, signingStream); + signingStream.close(); + + EncryptionResult result = signingStream.getResult(); + + PGPPublicKey signingKey = PGPainless.inspectKeyRing(secretKey).getSigningSubkeys().get(0); + PGPSignature signature = result.getDetachedSignatures().get(new SubkeyIdentifier(secretKey, signingKey.getKeyID())).iterator().next(); + String detachedSignature = ArmorUtils.toAsciiArmoredString(signature.getEncoded()); + + assertTrue(detachedSignature.startsWith("-----BEGIN PGP SIGNATURE-----")); + + // Now distribute 'message' and 'detachedSignature'. + } + + /** + * Demonstration of how to sign a text message in a way that keeps the message content + * human-readable by utilizing the OpenPGP Cleartext Signature Framework. + * The resulting message contains the original (dash-escaped) message and the signatures. + * + * @throws PGPException + * @throws IOException + */ + @Test + public void cleartextSignedMessage() throws PGPException, IOException { + String message = "" + + "Copyright [yyyy] [name of copyright owner]\n" + + "\n" + + "Licensed under the Apache License, Version 2.0 (the \"License\");\n" + + "you may not use this file except in compliance with the License.\n" + + "You may obtain a copy of the License at\n" + + "\n" + + " http://www.apache.org/licenses/LICENSE-2.0\n" + + "\n" + + "Unless required by applicable law or agreed to in writing, software\n" + + "distributed under the License is distributed on an \"AS IS\" BASIS,\n" + + "WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n" + + "See the License for the specific language governing permissions and\n" + + "limitations under the License."; + InputStream messageIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign() + .onOutputStream(signedOut) + .withOptions(ProducerOptions.sign(SigningOptions.get() + .addDetachedSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) // Human-readable text document + .setCleartextSigned() // <- Explicitly use Cleartext Signature Framework!!! + ); + + Streams.pipeAll(messageIn, signingStream); + signingStream.close(); + + String signedMessage = signedOut.toString(); + + assertTrue(signedMessage.startsWith("-----BEGIN PGP SIGNED MESSAGE-----")); + assertTrue(signedMessage.contains("WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND")); // msg is human readable + assertTrue(signedMessage.endsWith("-----END PGP SIGNATURE-----\n")); + } +} From 88dba3a7641ffc622a74c1e34586adae9aa8e6e2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Sep 2021 17:16:31 +0200 Subject: [PATCH 0029/1450] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 536ebe2a..4ccd50b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ - Export dependency on Bouncycastle's `bcprov-jdk15on` - Rework Key Generation API - Replace builder-chain structure with single `KeyRingBuilder` class +- Change return value of `CleartextSignatureProcessor.process()` to `DecryptionStream` +- Rename `CleartextSignatureProcessor.process()` to `CleartextSignatureProcessor.getVerificationStream()` +- Add support for creating cleartext signed messages by calling `ProducerOptions.setCleartextSigned()` +- Add examples for signing messages in the `examples` package. ## 0.2.13 - Add `MessageInspector` class to determine IDs of recipient keys. From efad69244690502acede7ec7f643ce5b9d53bf19 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Sep 2021 17:17:53 +0200 Subject: [PATCH 0030/1450] PGPainless 0.2.14 --- CHANGELOG.md | 2 +- README.md | 2 +- version.gradle | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ccd50b7..51bde7c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # PGPainless Changelog -## 0.2.14-SNAPSHOT +## 0.2.14 - Export dependency on Bouncycastle's `bcprov-jdk15on` - Rework Key Generation API - Replace builder-chain structure with single `KeyRingBuilder` class diff --git a/README.md b/README.md index 61bf3815..8a6294ea 100644 --- a/README.md +++ b/README.md @@ -163,7 +163,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.13' + implementation 'org.pgpainless:pgpainless-core:0.2.14' } ``` diff --git a/version.gradle b/version.gradle index d87dfb09..c1058ee1 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { shortVersion = '0.2.14' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From dd77d6be74faef5cab793b0d92046e15248d3ac2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Sep 2021 17:26:46 +0200 Subject: [PATCH 0031/1450] PGPainless-0.2.15-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index c1058ee1..6a2071e6 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { - shortVersion = '0.2.14' - isSnapshot = false + shortVersion = '0.2.15' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 8ec8a55f108463ee39ad78677de5e85dc34ee676 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 1 Oct 2021 13:54:51 +0200 Subject: [PATCH 0032/1450] Add ConsumerOptions.setIgnoreMDCErrors() This method can be used to make PGPainless ignore certain MDC related errors or mishabits. Use of this options is discouraged, but may come in handy in some situations. Fixes #190 --- .../ConsumerOptions.java | 36 +++ .../DecryptionStream.java | 1 - .../DecryptionStreamFactory.java | 9 +- .../IntegrityProtectedInputStream.java | 9 +- .../ModificationDetectionTests.java | 258 ++++++++++++++---- 5 files changed, 254 insertions(+), 59 deletions(-) rename pgpainless-core/src/main/java/org/pgpainless/{util => decryption_verification}/IntegrityProtectedInputStream.java (86%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index 9ddecba0..e958d3b5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -43,6 +43,8 @@ import org.pgpainless.util.Passphrase; */ public class ConsumerOptions { + private boolean ignoreMDCErrors = false; + private Date verifyNotBefore = null; private Date verifyNotAfter = new Date(); @@ -264,4 +266,38 @@ public class ConsumerOptions { public @Nonnull Set getDetachedSignatures() { return Collections.unmodifiableSet(detachedSignatures); } + + /** + * By default, PGPainless will require encrypted messages to make use of SEIP data packets. + * Those are Symmetrically Encrypted Integrity Protected Data packets. + * Symmetrically Encrypted Data Packets without integrity protection are rejected by default. + * Furthermore, PGPainless will throw an exception if verification of the MDC error detection code of the SEIP packet + * fails. + * + * Failure of MDC verification indicates a tampered ciphertext, which might be the cause of an attack or data corruption. + * + * This method can be used to ignore MDC errors and allow PGPainless to consume encrypted data without integrity protection. + * If the flag 
ignoreMDCErrors
is set to true, PGPainless will + *
    + *
  • not throw exceptions for SEIP packets with tampered ciphertext
    • + *
  • not throw exceptions for SEIP packets with tampered MDC
    • + *
  • not throw exceptions for MDCs with bad CTB
    • + *
  • not throw exceptions for MDCs with bad length
    • + *
+ * + * It will however still throw an exception if it encounters a SEIP packet with missing or truncated MDC + * + * @see Sym. Encrypted Integrity Protected Data Packet + * @param ignoreMDCErrors true if MDC errors or missing MDCs shall be ignored, false otherwise. + * @return options + */ + @Deprecated + public ConsumerOptions setIgnoreMDCErrors(boolean ignoreMDCErrors) { + this.ignoreMDCErrors = ignoreMDCErrors; + return this; + } + + boolean isIgnoreMDCErrors() { + return ignoreMDCErrors; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java index cdee6e77..d7cc1013 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java @@ -20,7 +20,6 @@ import java.io.InputStream; import javax.annotation.Nonnull; import org.bouncycastle.util.io.Streams; -import org.pgpainless.util.IntegrityProtectedInputStream; /** * Decryption Stream that handles updating and verification of detached signatures, diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 746ecb32..359408cb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -67,7 +67,6 @@ import org.pgpainless.signature.DetachedSignature; import org.pgpainless.signature.OnePassSignatureCheck; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; -import org.pgpainless.util.IntegrityProtectedInputStream; import org.pgpainless.util.Passphrase; import org.pgpainless.util.Tuple; import org.slf4j.Logger; @@ -286,8 +285,8 @@ public final class DecryptionStreamFactory { // Sort PKESK and SKESK packets while (encryptedDataIterator.hasNext()) { PGPEncryptedData encryptedData = encryptedDataIterator.next(); - // TODO: Maybe just skip non-integrity-protected packages? - if (!encryptedData.isIntegrityProtected()) { + + if (!encryptedData.isIntegrityProtected() && !options.isIgnoreMDCErrors()) { throw new MessageNotIntegrityProtectedException(); } @@ -314,7 +313,7 @@ public final class DecryptionStreamFactory { throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData); + integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData, options); return integrityProtectedEncryptedInputStream; } catch (PGPException e) { @@ -461,7 +460,7 @@ public final class DecryptionStreamFactory { throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey); + integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey, options); return integrityProtectedEncryptedInputStream; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/IntegrityProtectedInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java similarity index 86% rename from pgpainless-core/src/main/java/org/pgpainless/util/IntegrityProtectedInputStream.java rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java index ee6d3c45..41695ff3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/IntegrityProtectedInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java @@ -13,11 +13,10 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.pgpainless.util; +package org.pgpainless.decryption_verification; import java.io.IOException; import java.io.InputStream; - import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPEncryptedData; @@ -28,10 +27,12 @@ public class IntegrityProtectedInputStream extends InputStream { private final InputStream inputStream; private final PGPEncryptedData encryptedData; + private final ConsumerOptions options; - public IntegrityProtectedInputStream(InputStream inputStream, PGPEncryptedData encryptedData) { + public IntegrityProtectedInputStream(InputStream inputStream, PGPEncryptedData encryptedData, ConsumerOptions options) { this.inputStream = inputStream; this.encryptedData = encryptedData; + this.options = options; } @Override @@ -46,7 +47,7 @@ public class IntegrityProtectedInputStream extends InputStream { @Override public void close() throws IOException { - if (encryptedData.isIntegrityProtected()) { + if (encryptedData.isIntegrityProtected() && !options.isIgnoreMDCErrors()) { try { if (!encryptedData.verify()) { throw new ModificationDetectionException(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index cf116cc2..dcd29467 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -124,6 +124,96 @@ public class ModificationDetectionTests { "=miES\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; + private static final String MESSAGE_TAMPERED_CIPHERTEXT = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQv+NgaEl1h8ZLRD0YiGFqVyO4G0slWQotmgPuovBU8YpNPd\n" + + "A/sROQAOpkxR0mSzhUpMcgkpwi1r7dC3HGQCf+mitGwe+JFXCTx7N/4t1U321BKj\n" + + "c7k7Zu9pDHpPzWi52T6yL30dyR7XkU85P2BrZoOc7B6GuZF07f4qIG1c3+YzBWuw\n" + + "cXyqAmLx/zHUkX72Ga6vzUX/ud08gGYeWthLim7jLG9JzNr+BGnOb93+bKTwe7GX\n" + + "dxNkBP7NTtGaFBM9epvsBiMSBIUHxuJDFgN4KSzpTP3+tcgrpTAaNWalJPzzphqD\n" + + "Iu7ZrBDARQb/8FIymHt0QITZXu3ml8WopiIDbC42JOt16aMy5VDbcP/LlVZn/DB7\n" + + "xr3waDZoxIMhNDcnu8R0w25pbf9T6Lt90a8/UIewCVjciUF82TK6KWLJkTJhmRK3\n" + + "QJ/XgkMhDhS94Rj+l+FIRxJF/oyTtRFoeBHOB8V5neqXmOgGf3aX5UIJu3pf+GH/\n" + + "n+PEoyEw7S7gQxF4VV4S0kwBZlc6xwHfvO+NPf7W0rAtUxMdOl3LBLiILDxF+cq2\n" + + "eKG76gkewCp4EhTfK+iDr4KlObXDzADm1cXRlqFhtoQZrHV0poZVw2kIwSlF\n" + + "=3G7i\n" + + "-----END PGP MESSAGE-----\n"; + + private static final String MESSAGE_MISSING_MDC = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQwAnTmchA6ve/aF7cPEnyJSb9Ot61LSIMrU3+RaEdA90qn4\n" + + "iC+yA7rH+nBX4t9nYSLI4EbQibSfzgxj0Bon1sAwfUfU88UMHypnL1HYsZRoiiLe\n" + + "crRr/9Vot2X1firhSu6kwqPZw5eIbvPPhHojZxWo7Plv7lDsXdtgRXc544jKA+Cx\n" + + "4Rt9D0WG7sWDifHUaitNHC4klZbvO29qmaND1F+RNUpO6H1j63UCPvHqSEvfV+kT\n" + + "vQXtOqk34SLo8SOfpni8Dy1wUePIbuaXyqe5uwSprWoAAmRZOjskv6z28pj9jVs3\n" + + "dWRkWca5Mmm3VQZlmxcNeFyTAgSth0GNalwWSVNcPK9W/VaDX8ecw7xYU04cpbQr\n" + + "a4JF9oc33bhgn4ZDdcvcP8/QUQP+TyN4vGjp1k9+AgkIsJjLanqHE29chsh7ZcVF\n" + + "GDjq3DppEo/Hh647rYRqXpxLfJB6fsDyYLmqNKsBcgtBqE9DtiXQ16GuGFrePxd2\n" + + "nRKcSWQbisEa1LHr8G4d0jYBMjIoPiEhw4sgEt1ZCiQPO1HXqaK7VN3PhPOqjyjf\n" + + "Rt6lN5kVA3+Dd2DRov9NQ83TQPJdg7I=\n" + + "=pgX9\n" + + "-----END PGP MESSAGE-----\n"; + + private static final String MESSAGE_TAMPERED_MDC = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQv+NgaEl1h8ZLRD0YiGFqVyO4G0slWQotmgPuovBU8YpNPd\n" + + "A/sROQAOpkxR0mSzhUpMcgkpwi1r7dC3HGQCf+mitGwe+JFXCTx7N/4t1U321BKj\n" + + "c7k7Zu9pDHpPzWi52T6yL30dyR7XkU85P2BrZoOc7B6GuZF07f4qIG1c3+YzBWuw\n" + + "cXyqAmLx/zHUkX72Ga6vzUX/ud08gGYeWthLim7jLG9JzNr+BGnOb93+bKTwe7GX\n" + + "dxNkBP7NTtGaFBM9epvsBiMSBIUHxuJDFgN4KSzpTP3+tcgrpTAaNWalJPzzphqD\n" + + "Iu7ZrBDARQb/8FIymHt0QITZXu3ml8WopiIDbC42JOt16aMy5VDbcP/LlVZn/DB7\n" + + "xr3waDZoxIMhNDcnu8R0w25pbf9T6Lt90a8/UIewCVjciUF82TK6KWLJkTJhmRK3\n" + + "QJ/XgkMhDhS94Rj+l+FIRxJF/oyTtRFoeBHOB8V5neqXmOgGf3aX5UIJu3pf+GH/\n" + + "n+PEoyEw7S7gQxF4VV4S0kwBZlc6xwHfvO+NPf7W0rAtUxMdOl3LBLiILDxF+cq2\n" + + "eKG76gkewCp4EhTfK+iDr4KlObXDzB/m1cXRlqFhtoQZrHV0poZVw2kIwSkA\n" + + "=Ishh\n" + + "-----END PGP MESSAGE-----\n"; + + private static final String MESSAGE_TRUNCATED_MDC = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQv+NgaEl1h8ZLRD0YiGFqVyO4G0slWQotmgPuovBU8YpNPd\n" + + "A/sROQAOpkxR0mSzhUpMcgkpwi1r7dC3HGQCf+mitGwe+JFXCTx7N/4t1U321BKj\n" + + "c7k7Zu9pDHpPzWi52T6yL30dyR7XkU85P2BrZoOc7B6GuZF07f4qIG1c3+YzBWuw\n" + + "cXyqAmLx/zHUkX72Ga6vzUX/ud08gGYeWthLim7jLG9JzNr+BGnOb93+bKTwe7GX\n" + + "dxNkBP7NTtGaFBM9epvsBiMSBIUHxuJDFgN4KSzpTP3+tcgrpTAaNWalJPzzphqD\n" + + "Iu7ZrBDARQb/8FIymHt0QITZXu3ml8WopiIDbC42JOt16aMy5VDbcP/LlVZn/DB7\n" + + "xr3waDZoxIMhNDcnu8R0w25pbf9T6Lt90a8/UIewCVjciUF82TK6KWLJkTJhmRK3\n" + + "QJ/XgkMhDhS94Rj+l+FIRxJF/oyTtRFoeBHOB8V5neqXmOgGf3aX5UIJu3pf+GH/\n" + + "n+PEoyEw7S7gQxF4VV4S0ksBZlc6xwHfvO+NPf7W0rAtUxMdOl3LBLiILDxF+cq2\n" + + "eKG76gkewCp4EhTfK+iDr4KlObXDzB/m1cXRlqFhtoQZrHV0poZVw2kIwSk=\n" + + "=FDIu\n" + + "-----END PGP MESSAGE-----\n"; + + private static final String MESSAGE_MDC_WITH_BAD_CTB = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQv+NgaEl1h8ZLRD0YiGFqVyO4G0slWQotmgPuovBU8YpNPd\n" + + "A/sROQAOpkxR0mSzhUpMcgkpwi1r7dC3HGQCf+mitGwe+JFXCTx7N/4t1U321BKj\n" + + "c7k7Zu9pDHpPzWi52T6yL30dyR7XkU85P2BrZoOc7B6GuZF07f4qIG1c3+YzBWuw\n" + + "cXyqAmLx/zHUkX72Ga6vzUX/ud08gGYeWthLim7jLG9JzNr+BGnOb93+bKTwe7GX\n" + + "dxNkBP7NTtGaFBM9epvsBiMSBIUHxuJDFgN4KSzpTP3+tcgrpTAaNWalJPzzphqD\n" + + "Iu7ZrBDARQb/8FIymHt0QITZXu3ml8WopiIDbC42JOt16aMy5VDbcP/LlVZn/DB7\n" + + "xr3waDZoxIMhNDcnu8R0w25pbf9T6Lt90a8/UIewCVjciUF82TK6KWLJkTJhmRK3\n" + + "QJ/XgkMhDhS94Rj+l+FIRxJF/oyTtRFoeBHOB8V5neqXmOgGf3aX5UIJu3pf+GH/\n" + + "n+PEoyEw7S7gQxF4VV4S0kwBZlc6xwHfvO+NPf7W0rAtUxMdOl3LBLiILDxF+cq2\n" + + "eKG76gkewCp4EhTfK+iDr4KlObXDzB/n1cXRlqFhtoQZrHV0poZVw2kIwSlF\n" + + "=nOqY\n" + + "-----END PGP MESSAGE-----\n"; + + private static final String MESSAGE_MDC_WITH_BAD_LENGTH = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "wcDMA3wvqk35PDeyAQv+NgaEl1h8ZLRD0YiGFqVyO4G0slWQotmgPuovBU8YpNPd\n" + + "A/sROQAOpkxR0mSzhUpMcgkpwi1r7dC3HGQCf+mitGwe+JFXCTx7N/4t1U321BKj\n" + + "c7k7Zu9pDHpPzWi52T6yL30dyR7XkU85P2BrZoOc7B6GuZF07f4qIG1c3+YzBWuw\n" + + "cXyqAmLx/zHUkX72Ga6vzUX/ud08gGYeWthLim7jLG9JzNr+BGnOb93+bKTwe7GX\n" + + "dxNkBP7NTtGaFBM9epvsBiMSBIUHxuJDFgN4KSzpTP3+tcgrpTAaNWalJPzzphqD\n" + + "Iu7ZrBDARQb/8FIymHt0QITZXu3ml8WopiIDbC42JOt16aMy5VDbcP/LlVZn/DB7\n" + + "xr3waDZoxIMhNDcnu8R0w25pbf9T6Lt90a8/UIewCVjciUF82TK6KWLJkTJhmRK3\n" + + "QJ/XgkMhDhS94Rj+l+FIRxJF/oyTtRFoeBHOB8V5neqXmOgGf3aX5UIJu3pf+GH/\n" + + "n+PEoyEw7S7gQxF4VV4S0kwBZlc6xwHfvO+NPf7W0rAtUxMdOl3LBLiILDxF+cq2\n" + + "eKG76gkewCp4EhTfK+iDr4KlObXDzB/m1MXRlqFhtoQZrHV0poZVw2kIwSlF\n" + + "=Ak00\n" + + "-----END PGP MESSAGE-----\n"; + /** * Messages containing a missing MDC shall fail to decrypt. * @param implementationFactory implementation factory @@ -132,26 +222,12 @@ public class ModificationDetectionTests { */ @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void testMissingMDC(ImplementationFactory implementationFactory) throws IOException, PGPException { + public void testMissingMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); - String message = "-----BEGIN PGP MESSAGE-----\n" + - "\n" + - "wcDMA3wvqk35PDeyAQwAnTmchA6ve/aF7cPEnyJSb9Ot61LSIMrU3+RaEdA90qn4\n" + - "iC+yA7rH+nBX4t9nYSLI4EbQibSfzgxj0Bon1sAwfUfU88UMHypnL1HYsZRoiiLe\n" + - "crRr/9Vot2X1firhSu6kwqPZw5eIbvPPhHojZxWo7Plv7lDsXdtgRXc544jKA+Cx\n" + - "4Rt9D0WG7sWDifHUaitNHC4klZbvO29qmaND1F+RNUpO6H1j63UCPvHqSEvfV+kT\n" + - "vQXtOqk34SLo8SOfpni8Dy1wUePIbuaXyqe5uwSprWoAAmRZOjskv6z28pj9jVs3\n" + - "dWRkWca5Mmm3VQZlmxcNeFyTAgSth0GNalwWSVNcPK9W/VaDX8ecw7xYU04cpbQr\n" + - "a4JF9oc33bhgn4ZDdcvcP8/QUQP+TyN4vGjp1k9+AgkIsJjLanqHE29chsh7ZcVF\n" + - "GDjq3DppEo/Hh647rYRqXpxLfJB6fsDyYLmqNKsBcgtBqE9DtiXQ16GuGFrePxd2\n" + - "nRKcSWQbisEa1LHr8G4d0jYBMjIoPiEhw4sgEt1ZCiQPO1HXqaK7VN3PhPOqjyjf\n" + - "Rt6lN5kVA3+Dd2DRov9NQ83TQPJdg7I=\n" + - "=pgX9\n" + - "-----END PGP MESSAGE-----\n"; PGPSecretKeyRingCollection secretKeyRings = getDecryptionKey(); - InputStream in = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + InputStream in = new ByteArrayInputStream(MESSAGE_MISSING_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) .withOptions(new ConsumerOptions() @@ -167,24 +243,9 @@ public class ModificationDetectionTests { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void tamperedCiphertextTest(ImplementationFactory implementationFactory) throws IOException, PGPException { + public void testTamperedCiphertextThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); - String message = "-----BEGIN PGP MESSAGE-----\n" + - "\n" + - "wcDMA3wvqk35PDeyAQwAnTmchA6ve/aF7cPEnyJSb9Ot61LSIMrU3+RaEdA90qn4\n" + - "iC+yA7rH+nBX4t9nYSLI4EbQibSfzgxj0Bon1sAwfUfU88UMHypnL1HYsZRoiiLe\n" + - "crRr/9Vot2X1firhSu6kwqPZw5eIbvPPhHojZxWo7Plv7lDsXdtgRXc544jKA+Cx\n" + - "4Rt9D0WG7sWDifHUaitNHC4klZbvO29qmaND1F+RNUpO6H1j63UCPvHqSEvfV+kT\n" + - "vQXtOqk34SLo8SOfpni8Dy1wUePIbuaXyqe5uwSprWoAAmRZOjskv6z28pj9jVs3\n" + - "dWRkWca5Mmm3VQZlmxcNeFyTAgSth0GNalwWSVNcPK9W/VaDX8ecw7xYU04cpbQr\n" + - "a4JF9oc33bhgn4ZDdcvcP8/QUQP+TyN4vGjp1k9+AgkIsJjLanqHE29chsh7ZcVF\n" + - "GDjq3DppEo/Hh647rYRqXpxLfJB6fsDyYLmqNKsBcgtBqE9DtiXQ16GuGFrePxd2\n" + - "nRKcSWQbisEa1LHr8G4d0kwBMjIoPiEhw4sgEt1ZCiQPO1HXqaK7VN3PhPOqjyjf\n" + - "Rt6lN5kVA3+Dd2DRov9NQ83TQPJdgwCD5cXqlEliiMR4G0gWh8QZ4oAp541H\n" + - "=wx2s\n" + - "-----END PGP MESSAGE-----\n"; - - ByteArrayInputStream in = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) .withOptions(new ConsumerOptions() @@ -198,24 +259,26 @@ public class ModificationDetectionTests { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void tamperedMDCTest(ImplementationFactory implementationFactory) throws IOException, PGPException { + public void testIgnoreTamperedCiphertext(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); - String message = "-----BEGIN PGP MESSAGE-----\n" + - "\n" + - "wcDMA3wvqk35PDeyAQwAnTmchA6ve/aF7cPEnyJSb9Ot61LSIMrU3+RaEdA90qn4\n" + - "iC+yA7rH+nBX4t9nYSLI4EbQibSfzgxj0Bon1sAwfUfU88UMHypnL1HYsZRoiiLe\n" + - "crRr/9Vot2X1firhSu6kwqPZw5eIbvPPhHojZxWo7Plv7lDsXdtgRXc544jKA+Cx\n" + - "4Rt9D0WG7sWDifHUaitNHC4klZbvO29qmaND1F+RNUpO6H1j63UCPvHqSEvfV+kT\n" + - "vQXtOqk34SLo8SOfpni8Dy1wUePIbuaXyqe5uwSprWoAAmRZOjskv6z28pj9jVs3\n" + - "dWRkWca5Mmm3VQZlmxcNeFyTAgSth0GNalwWSVNcPK9W/VaDX8ecw7xYU04cpbQr\n" + - "a4JF9oc33bhgn4ZDdcvcP8/QUQP+TyN4vGjp1k9+AgkIsJjLanqHE29chsh7ZcVF\n" + - "GDjq3DppEo/Hh647rYRqXpxLfJB6fsDyYLmqNKsBcgtBqE9DtiXQ16GuGFrePxd2\n" + - "nRKcSWQbisEa1LHr8G4d0kwBMjIoPiEhw4sgEt1ZCiQPO1HXqaK7VN3PhPOqjyjf\n" + - "Rt6lN5kVA3+Dd2DRov9NQ83TQPJdg7KD5cXqlEliiMR4G0gWh8QZ4oAp540A\n" + - "=ucHU\n" + - "-----END PGP MESSAGE-----\n"; + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + .setIgnoreMDCErrors(true) + ); - ByteArrayInputStream in = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testTamperedMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) .withOptions(new ConsumerOptions() @@ -227,6 +290,103 @@ public class ModificationDetectionTests { assertThrows(ModificationDetectionException.class, decryptionStream::close); } + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testIgnoreTamperedMDC(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + .setIgnoreMDCErrors(true) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testTruncatedMDCThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + assertThrows(EOFException.class, () -> Streams.pipeAll(decryptionStream, out)); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testMDCWithBadCTBThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + assertThrows(ModificationDetectionException.class, decryptionStream::close); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testIgnoreMDCWithBadCTB(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + .setIgnoreMDCErrors(true) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testMDCWithBadLengthThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + assertThrows(ModificationDetectionException.class, decryptionStream::close); + } + + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testIgnoreMDCWithBadLength(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addDecryptionKeys(getDecryptionKey(), SecretKeyRingProtector.unprotectedKeys()) + .setIgnoreMDCErrors(true) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + } + @Test public void decryptMessageWithSEDPacket() throws IOException, PGPException { Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests"); From 5869996059aa7cca71d31ca4dbaced3fee43e6ce Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 1 Oct 2021 14:12:10 +0200 Subject: [PATCH 0033/1450] Add isSignedOnly() to MessageInspector This method can be used to determine, whether the message was created using gpg --sign --armor. It will return false if the message is signed and encrypted, since we cannot determine signed status while the message is encrypted. Fixes #188 --- .../MessageInspector.java | 38 ++++++++++++-- .../MessageInspectorTest.java | 50 +++++++++++++++++++ 2 files changed, 85 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index 7fc54810..1cb98b38 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -27,6 +27,7 @@ import org.bouncycastle.openpgp.PGPEncryptedDataList; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPObjectFactory; +import org.bouncycastle.openpgp.PGPOnePassSignatureList; import org.bouncycastle.openpgp.PGPPBEEncryptedData; import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; import org.pgpainless.implementation.ImplementationFactory; @@ -40,7 +41,12 @@ public final class MessageInspector { public static class EncryptionInfo { private final List keyIds = new ArrayList<>(); private boolean isPassphraseEncrypted = false; + private boolean isSignedOnly = false; + /** + * Return a list of recipient key ids for whom the message is encrypted. + * @return recipient key ids + */ public List getKeyIds() { return Collections.unmodifiableList(keyIds); } @@ -48,6 +54,24 @@ public final class MessageInspector { public boolean isPassphraseEncrypted() { return isPassphraseEncrypted; } + + /** + * Return true, if the message is encrypted. + * + * @return true if encrypted + */ + public boolean isEncrypted() { + return isPassphraseEncrypted || !keyIds.isEmpty(); + } + + /** + * Return true, if the message is not encrypted, but signed using {@link org.bouncycastle.openpgp.PGPOnePassSignature OnePassSignatures}. + * + * @return true if message is signed only + */ + public boolean isSignedOnly() { + return isSignedOnly; + } } private MessageInspector() { @@ -67,16 +91,24 @@ public final class MessageInspector { InputStream decoded = ArmorUtils.getDecoderStream(dataIn); EncryptionInfo info = new EncryptionInfo(); - collectDecryptionKeyIDs(decoded, info); + processMessage(decoded, info); return info; } - private static void collectDecryptionKeyIDs(InputStream dataIn, EncryptionInfo info) throws PGPException { + private static void processMessage(InputStream dataIn, EncryptionInfo info) throws PGPException { PGPObjectFactory objectFactory = new PGPObjectFactory(dataIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); for (Object next : objectFactory) { + if (next instanceof PGPOnePassSignatureList) { + PGPOnePassSignatureList signatures = (PGPOnePassSignatureList) next; + if (!signatures.isEmpty()) { + info.isSignedOnly = true; + return; + } + } + if (next instanceof PGPEncryptedDataList) { PGPEncryptedDataList encryptedDataList = (PGPEncryptedDataList) next; for (PGPEncryptedData encryptedData : encryptedDataList) { @@ -92,7 +124,7 @@ public final class MessageInspector { if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressed = compressed.getDataStream(); - collectDecryptionKeyIDs(decompressed, info); + processMessage(decompressed, info); } if (next instanceof PGPLiteralData) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java index ff31ae7c..8ffb1cc9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java @@ -44,6 +44,8 @@ public class MessageInspectorTest { new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); assertFalse(info.isPassphraseEncrypted()); + assertFalse(info.isSignedOnly()); + assertTrue(info.isEncrypted()); assertEquals(1, info.getKeyIds().size()); assertEquals(KeyIdUtil.fromLongKeyId("4766F6B9D5F21EB6"), info.getKeyIds().get(0)); } @@ -66,9 +68,57 @@ public class MessageInspectorTest { MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + assertTrue(info.isEncrypted()); assertTrue(info.isPassphraseEncrypted()); assertEquals(2, info.getKeyIds().size()); + assertFalse(info.isSignedOnly()); assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("4C6E8F99F6E47184"))); assertTrue(info.getKeyIds().contains(KeyIdUtil.fromLongKeyId("1839079A640B2FAC"))); } + + @Test + public void testSignedOnlyMessage() throws PGPException, IOException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "owGbwMvMwCU2JftV+VJxWRbG0yJJDCDgkZqTk6+jEJ5flJOiyNVRysIgxsXAxsqU\n" + + "GPbzCoMipwBMg5giy+9JdusX5zywTwq60QsTfj2J4a9ki6nKuVnu940q5qzl+aK3\n" + + "89zdHzzyDBEdJg4asQcf3PBk+Cu1W/vQ1mMVW3fyTVc0VNe9PyktZlfcge2CbR8F\n" + + "Dvxwv8UPAA==\n" + + "=nt5n\n" + + "-----END PGP MESSAGE-----"; + + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + + assertTrue(info.isSignedOnly()); + + assertFalse(info.isEncrypted()); + assertFalse(info.isPassphraseEncrypted()); + assertEquals(0, info.getKeyIds().size()); + } + + @Test + public void testEncryptedAndSignedMessage() throws PGPException, IOException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "jC4ECQMCKFdrpiMTt8xgtZjkH60Nu4s+5THbPWOgyTmXkAeBAsmXDNWWuB5QSXFz\n" + + "hF4DaM8R0fnHE6USAQdALJl6fCtB597Ub/GR3bxu3Uv2lirMA8bI2iGHUE7f0Rkw\n" + + "ZNgmEk3YRGp+zddZoLp0WAIL0y4FLwUlMrR+YFYA37eAILiCwLEesIpvIoYq+fIu\n" + + "0r4BJ/bM9oiCZGy7clpBQgOBFOTMR2fCO9ESVOaLwTGDJkVk6m+iLV1OYG6997vP\n" + + "qHrg/zzy/U+xm90iHJzXoQ7yd2QZMU7llvC/otf5j14x3PCqd/rIxQrO2uc76Pef\n" + + "Lh1JRHb7St4PC429HfE7pEAfFUej1I56U/ZCPwxa9f6je911jM4ZmZQTKJq3XZ3H\n" + + "KK0Ymg5GrsBTEGFm4jb1p+V85PPhsIioX3np/N3fkIfxFguTGZza33/GHy61+DTy\n" + + "=SZU6\n" + + "-----END PGP MESSAGE-----"; + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + + // Message is encrypted, so we cannot determine if it is signed or not. + // It is not signed only + assertFalse(info.isSignedOnly()); + + assertTrue(info.isEncrypted()); + assertTrue(info.isPassphraseEncrypted()); + assertEquals(1, info.getKeyIds().size()); + } } From f7a7035059cc699017f1a61ad127bab1e0aac55e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 1 Oct 2021 15:04:37 +0200 Subject: [PATCH 0034/1450] Workaround for PGPUtil accidentally mistaking plain data for base64 encoded data. --- .../DecryptionStreamFactory.java | 5 +- .../key/collection/PGPKeyRingCollection.java | 4 +- .../java/org/pgpainless/util/ArmorUtils.java | 3 +- .../org/pgpainless/util/PGPUtilWrapper.java | 52 ++++++++++++++++ .../org/bouncycastle/PGPUtilWrapperTest.java | 59 +++++++++++++++++++ 5 files changed, 118 insertions(+), 5 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 359408cb..10496a7d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -67,6 +67,7 @@ import org.pgpainless.signature.DetachedSignature; import org.pgpainless.signature.OnePassSignatureCheck; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; +import org.pgpainless.util.PGPUtilWrapper; import org.pgpainless.util.Passphrase; import org.pgpainless.util.Tuple; import org.slf4j.Logger; @@ -121,10 +122,10 @@ public final class DecryptionStreamFactory { } private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) throws IOException, PGPException { + // Make sure we handle armored and non-armored data properly BufferedInputStream bufferedIn = new BufferedInputStream(inputStream); - bufferedIn.mark(200); + InputStream decoderStream = PGPUtilWrapper.getDecoderStream(bufferedIn); - InputStream decoderStream = PGPUtil.getDecoderStream(bufferedIn); decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream); if (decoderStream instanceof ArmoredInputStream) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java index 473b392b..8951b4bc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java @@ -31,8 +31,8 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; -import org.bouncycastle.openpgp.PGPUtil; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.ArmorUtils; /** * This class describes a logic of handling a collection of different {@link PGPKeyRing}. The logic was inspired by @@ -57,7 +57,7 @@ public class PGPKeyRingCollection { */ public PGPKeyRingCollection(@Nonnull InputStream in, boolean isSilent) throws IOException, PGPException { // Double getDecoderStream because of #96 - InputStream decoderStream = PGPUtil.getDecoderStream(PGPUtil.getDecoderStream(in)); + InputStream decoderStream = ArmorUtils.getDecoderStream(in); PGPObjectFactory pgpFact = new PGPObjectFactory(decoderStream, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); Object obj; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java index 18b33574..3979b5ac 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java @@ -228,7 +228,8 @@ public final class ArmorUtils { * @return BufferedInputStreamExt */ public static InputStream getDecoderStream(InputStream inputStream) throws IOException { - InputStream decoderStream = PGPUtil.getDecoderStream(inputStream); + BufferedInputStream buf = new BufferedInputStream(inputStream, 512); + InputStream decoderStream = PGPUtilWrapper.getDecoderStream(buf); // Data is not armored -> return if (decoderStream instanceof BufferedInputStream) { return decoderStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java new file mode 100644 index 00000000..838b777e --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java @@ -0,0 +1,52 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.util; + +import java.io.BufferedInputStream; +import java.io.IOException; +import java.io.InputStream; + +import org.bouncycastle.openpgp.PGPUtil; + +public final class PGPUtilWrapper { + + private PGPUtilWrapper() { + + } + + /** + * {@link PGPUtil#getDecoderStream(InputStream)} sometimes mistakens non-base64 data for base64 encoded data. + * + * This method expects a {@link BufferedInputStream} which is being reset in case an {@link IOException} is encountered. + * Therefore, we can properly handle non-base64 encoded data. + * + * @param buf buffered input stream + * @return input stream + * @throws IOException in case of an io error which is unrelated to base64 encoding + */ + public static InputStream getDecoderStream(BufferedInputStream buf) throws IOException { + buf.mark(512); + try { + return PGPUtil.getDecoderStream(buf); + } catch (IOException e) { + if (e.getMessage().contains("invalid characters encountered at end of base64 data")) { + buf.reset(); + return buf; + } + throw e; + } + } +} diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java new file mode 100644 index 00000000..c24d990e --- /dev/null +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -0,0 +1,59 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.bouncycastle; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.BufferedInputStream; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.nio.charset.StandardCharsets; +import java.util.Date; + +import org.bouncycastle.openpgp.PGPLiteralData; +import org.bouncycastle.openpgp.PGPLiteralDataGenerator; +import org.bouncycastle.openpgp.PGPObjectFactory; +import org.bouncycastle.openpgp.bc.BcPGPObjectFactory; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.util.PGPUtilWrapper; + +public class PGPUtilWrapperTest { + + @Test + public void testGetDecoderStream() throws IOException { + ByteArrayInputStream msg = new ByteArrayInputStream("Foo\nBar".getBytes(StandardCharsets.UTF_8)); + PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator(); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + OutputStream litOut = literalDataGenerator.open(out, PGPLiteralDataGenerator.TEXT, "", new Date(), new byte[1 << 9]); + Streams.pipeAll(msg, litOut); + literalDataGenerator.close(); + + InputStream in = new ByteArrayInputStream(out.toByteArray()); + PGPObjectFactory objectFactory = new BcPGPObjectFactory(in); + PGPLiteralData literalData = (PGPLiteralData) objectFactory.nextObject(); + InputStream litIn = literalData.getDataStream(); + BufferedInputStream bufIn = new BufferedInputStream(litIn); + InputStream decoderStream = PGPUtilWrapper.getDecoderStream(bufIn); + ByteArrayOutputStream result = new ByteArrayOutputStream(); + Streams.pipeAll(decoderStream, result); + assertEquals("Foo\nBar", result.toString()); + } +} From 8fccc73370e96b6c902d951372cb226974b48f43 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 1 Oct 2021 15:09:50 +0200 Subject: [PATCH 0035/1450] Update CHANGELOG.md --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51bde7c5..808a5a1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # PGPainless Changelog +## 0.2.15-SNAPSHOT +- Add `ConsumerOptions.setIgnoreMDCErrors()` which can be used to consume broken messages. Not recommended! +- Add `MessageInspector.isSignedOnly()` which can be used to identify messages created via `gpg --sign --armor` +- Workaround for BCs `PGPUtil.getDecoderStream` mistaking plaintext for base64 encoded data + ## 0.2.14 - Export dependency on Bouncycastle's `bcprov-jdk15on` - Rework Key Generation API From 7bc35dcba388c0fe2abdecf26ab5e4f64668707d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 1 Oct 2021 15:21:42 +0200 Subject: [PATCH 0036/1450] Add regression test for PGPUtil.getDecoderStream mistaking plaintext for base64 encoded data --- .../DecryptionStreamFactory.java | 2 +- .../CleartextSignatureVerificationTest.java | 49 +++++++++++++++++-- 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 10496a7d..65c2146f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -153,7 +153,7 @@ public final class DecryptionStreamFactory { bufferedIn.reset(); inputStream = wrapInVerifySignatureStream(bufferedIn); } catch (IOException e) { - if (e.getMessage().contains("invalid armor")) { + if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) { // We falsely assumed the data to be armored. LOGGER.debug("The message is apparently not armored."); bufferedIn.reset(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index ca86da0a..2b96f039 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -30,18 +30,24 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.exception.WrongConsumingMethodException; -import org.pgpainless.key.TestKeys; -import org.pgpainless.signature.CertificateValidator; -import org.pgpainless.signature.SignatureUtils; -import org.pgpainless.signature.SignatureVerifier; +import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.decryption_verification.cleartext_signatures.CleartextSignatureProcessor; import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.exception.WrongConsumingMethodException; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.CertificateValidator; +import org.pgpainless.signature.SignatureUtils; +import org.pgpainless.signature.SignatureVerifier; import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.TestUtils; @@ -218,4 +224,37 @@ public class CleartextSignatureVerificationTest { .withOptions(options) .getVerificationStream()); } + + @Test + public void getDecoderStreamMistakensPlaintextForBase64RegressionTest() throws PGPException, IOException { + String message = "Foo\nBar"; // PGPUtil.getDecoderStream() would mistaken this for base64 data + ByteArrayInputStream msgIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); + + PGPSecretKeyRing secretKey = TestKeys.getEmilSecretKeyRing(); + ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signedOut) + .withOptions(ProducerOptions.sign(SigningOptions.get() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) + .setCleartextSigned()); + + Streams.pipeAll(msgIn, signingStream); + signingStream.close(); + + String signed = signedOut.toString(); + + ByteArrayInputStream signedIn = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); + DecryptionStream verificationStream = PGPainless.verifyCleartextSignedMessage() + .onInputStream(signedIn) + .withStrategy(new InMemoryMultiPassStrategy()) + .withOptions(new ConsumerOptions() + .addVerificationCert(TestKeys.getEmilPublicKeyRing())) + .getVerificationStream(); + + ByteArrayOutputStream msgOut = new ByteArrayOutputStream(); + Streams.pipeAll(verificationStream, msgOut); + verificationStream.close(); + + OpenPgpMetadata metadata = verificationStream.getResult(); + assertTrue(metadata.isVerified()); + } } From 910bae58c0ed1d29a230e037a1534771785bc3e5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 3 Oct 2021 13:46:15 +0200 Subject: [PATCH 0037/1450] Remove unused methods in DetachedSignature --- .../signature/DetachedSignature.java | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java index 864c8d41..d2400aec 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java @@ -28,7 +28,6 @@ public class DetachedSignature { private final PGPSignature signature; private final PGPKeyRing signingKeyRing; private final SubkeyIdentifier signingKeyIdentifier; - private boolean verified; /** * Create a new {@link DetachedSignature} object. @@ -43,24 +42,6 @@ public class DetachedSignature { this.signingKeyIdentifier = signingKeyIdentifier; } - /** - * Mark this {@link DetachedSignature} as verified. - * - * @param verified verified - */ - public void setVerified(boolean verified) { - this.verified = verified; - } - - /** - * Return true iff the signature is verified. - * - * @return verified - */ - public boolean isVerified() { - return verified; - } - /** * Return the OpenPGP signature. * From 0e1d6cb5a16af9d33bba68c83ee86e042e9dd424 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 3 Oct 2021 13:47:20 +0200 Subject: [PATCH 0038/1450] Rename DetachedSignature -> DetachedSignatureCheck --- .../DecryptionStreamFactory.java | 6 +++--- .../SignatureInputStream.java | 12 ++++++------ ...hedSignature.java => DetachedSignatureCheck.java} | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) rename pgpainless-core/src/main/java/org/pgpainless/signature/{DetachedSignature.java => DetachedSignatureCheck.java} (91%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 65c2146f..eedfb302 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -63,7 +63,7 @@ import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.signature.DetachedSignature; +import org.pgpainless.signature.DetachedSignatureCheck; import org.pgpainless.signature.OnePassSignatureCheck; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; @@ -81,7 +81,7 @@ public final class DecryptionStreamFactory { private final ConsumerOptions options; private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); private final List onePassSignatureChecks = new ArrayList<>(); - private final List detachedSignatureChecks = new ArrayList<>(); + private final List detachedSignatureChecks = new ArrayList<>(); private static final PGPContentVerifierBuilderProvider verifierBuilderProvider = ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(); @@ -113,7 +113,7 @@ public final class DecryptionStreamFactory { SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID()); try { signature.init(verifierBuilderProvider, signingKey); - DetachedSignature detachedSignature = new DetachedSignature(signature, signingKeyRing, signingKeyIdentifier); + DetachedSignatureCheck detachedSignature = new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier); detachedSignatureChecks.add(detachedSignature); } catch (PGPException e) { LOGGER.warn("Cannot verify detached signature made by {}. Reason: {}", signingKeyIdentifier, e.getMessage(), e); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index f6a0b2c1..b316734f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -29,7 +29,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; import org.pgpainless.signature.CertificateValidator; -import org.pgpainless.signature.DetachedSignature; +import org.pgpainless.signature.DetachedSignatureCheck; import org.pgpainless.signature.OnePassSignatureCheck; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -45,14 +45,14 @@ public abstract class SignatureInputStream extends FilterInputStream { private static final Logger LOGGER = LoggerFactory.getLogger(VerifySignatures.class); private final List opSignatures; - private final List detachedSignatures; + private final List detachedSignatures; private final ConsumerOptions options; private final OpenPgpMetadata.Builder resultBuilder; public VerifySignatures( InputStream literalDataStream, List opSignatures, - List detachedSignatures, + List detachedSignatures, ConsumerOptions options, OpenPgpMetadata.Builder resultBuilder) { super(literalDataStream); @@ -114,7 +114,7 @@ public abstract class SignatureInputStream extends FilterInputStream { private void verifyDetachedSignatures() { Policy policy = PGPainless.getPolicy(); - for (DetachedSignature s : detachedSignatures) { + for (DetachedSignatureCheck s : detachedSignatures) { try { signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(s.getSignature()); CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), policy); @@ -140,13 +140,13 @@ public abstract class SignatureInputStream extends FilterInputStream { } private void updateDetachedSignatures(byte b) { - for (DetachedSignature detachedSignature : detachedSignatures) { + for (DetachedSignatureCheck detachedSignature : detachedSignatures) { detachedSignature.getSignature().update(b); } } private void updateDetachedSignatures(byte[] b, int off, int read) { - for (DetachedSignature detachedSignature : detachedSignatures) { + for (DetachedSignatureCheck detachedSignature : detachedSignatures) { detachedSignature.getSignature().update(b, off, read); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java similarity index 91% rename from pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java index d2400aec..d816d2fe 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java @@ -24,19 +24,19 @@ import org.pgpainless.key.SubkeyIdentifier; * Tuple-class which bundles together a signature, the signing key that created the signature, * an identifier of the signing key and a record of whether or not the signature was verified. */ -public class DetachedSignature { +public class DetachedSignatureCheck { private final PGPSignature signature; private final PGPKeyRing signingKeyRing; private final SubkeyIdentifier signingKeyIdentifier; /** - * Create a new {@link DetachedSignature} object. + * Create a new {@link DetachedSignatureCheck} object. * * @param signature signature * @param signingKeyRing signing key that created the signature * @param signingKeyIdentifier identifier of the used signing key */ - public DetachedSignature(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) { + public DetachedSignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) { this.signature = signature; this.signingKeyRing = signingKeyRing; this.signingKeyIdentifier = signingKeyIdentifier; From 76a0a6479a3d462b1fbf12fec7527b2207266506 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 3 Oct 2021 14:12:26 +0200 Subject: [PATCH 0039/1450] Remove unused OPS methods --- .../DecryptionStreamFactory.java | 6 ++-- .../signature/OnePassSignatureCheck.java | 29 ------------------- .../signature/SignatureVerifier.java | 5 +++- 3 files changed, 8 insertions(+), 32 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index eedfb302..3724c1c1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -239,11 +239,13 @@ public final class DecryptionStreamFactory { return literalDataInputStream; } + // Parse signatures from message PGPSignatureList signatures = parseSignatures(objectFactory); List signatureList = SignatureUtils.toList(signatures); - + // Set signatures as comparison sigs in OPS checks for (int i = 0; i < onePassSignatureChecks.size(); i++) { - onePassSignatureChecks.get(i).setSignature(signatureList.get(onePassSignatureChecks.size() - i - 1)); + int reversedIndex = onePassSignatureChecks.size() - i - 1; + onePassSignatureChecks.get(i).setSignature(signatureList.get(reversedIndex)); } return new SignatureInputStream.VerifySignatures(literalDataInputStream, diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java index 7122443d..6c474ccc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java @@ -15,11 +15,9 @@ */ package org.pgpainless.signature; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPOnePassSignature; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.pgpainless.decryption_verification.SignatureInputStream; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier; @@ -32,7 +30,6 @@ public class OnePassSignatureCheck { private final PGPOnePassSignature onePassSignature; private final PGPPublicKeyRing verificationKeys; private PGPSignature signature; - private boolean verified; /** * Create a new {@link OnePassSignatureCheck}. @@ -49,15 +46,6 @@ public class OnePassSignatureCheck { this.signature = signature; } - /** - * Return true if the signature is verified. - * - * @return verified - */ - public boolean isVerified() { - return verified; - } - /** * Return the {@link PGPOnePassSignature} object. * @@ -76,23 +64,6 @@ public class OnePassSignatureCheck { return new SubkeyIdentifier(verificationKeys, onePassSignature.getKeyID()); } - /** - * Verify the one-pass signature. - * Note: This method only checks if the signature itself is correct. - * It does not check if the signing key was eligible to create the signature, or if the signature is expired etc. - * Those checks are being done by {@link SignatureInputStream.VerifySignatures}. - * - * @return true if the signature was verified, false otherwise - * @throws PGPException if signature verification fails with an exception. - */ - public boolean verify() throws PGPException { - if (signature == null) { - throw new IllegalStateException("No comparison signature provided."); - } - this.verified = getOnePassSignature().verify(signature); - return verified; - } - /** * Return the signature. * diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java index 97a4fb00..e00536c9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java @@ -435,7 +435,10 @@ public final class SignatureVerifier { } try { - if (!onePassSignature.verify()) { + if (onePassSignature.getSignature() == null) { + throw new IllegalStateException("No comparison signature provided."); + } + if (!onePassSignature.getOnePassSignature().verify(signature)) { throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID())); } } catch (PGPException e) { From 7113dd1d7ebd3a8b0546c4d023c7fadb2fe23e7c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 3 Oct 2021 14:32:32 +0200 Subject: [PATCH 0040/1450] Add test for SignatureUtils --- .../signature/SignatureUtilsTest.java | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java new file mode 100644 index 00000000..0874e93a --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java @@ -0,0 +1,100 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.signature; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.IOException; +import java.util.List; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.key.util.KeyIdUtil; + +public class SignatureUtilsTest { + + @Test + public void readSignaturesFromCompressedData() throws PGPException, IOException { + String compressed = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" + + "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" + + "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" + + "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" + + "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" + + "=yZ18\n" + + "-----END PGP MESSAGE-----"; + List signatures = SignatureUtils.readSignatures(compressed); + assertEquals(2, signatures.size()); + assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID()); + assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID()); + } + + @Test + public void noIssuerResultsInKeyId0() throws PGPException, IOException { + String sig = "-----BEGIN PGP SIGNATURE-----\n" + + "\n" + + "wsEaBAABCABOBYJhVBVcRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + + "cGdwLm9yZ+goUZDURlALH597rQCp41yYHOF90OfPRrp6TSZAA/nQAAAeOQwAni7j\n" + + "R4YEXpcDfqwjOPIvq5i7VWBR5EdESvR1fJHD99y4TyllezSpQcmZSGrkIcFRgTxR\n" + + "CwJ6oOsY4QILFF5N330Bs7HQfTbdgpx29ELo+8PuizRvhRVlQack/GPoRON/QQDz\n" + + "EBjZwiiPHgyw3CeQahHqSPgUT5JvW5yOOs31AhDlgen0qRHKtRwaI+5M5Y9nHR6z\n" + + "H2o5xapE4Vz647sPkl269Sd4kl/qkInoyKf1x1U6bu6g9Onr1fafM1HLiGkJl0Sk\n" + + "YNHCHdnBbyZBJt3ijCokOAGe7DIHvz5rv9iO/WDdC5Tw9XJlrFTI4xAv0EXJCSZm\n" + + "9eVJbaOEmnjqwaZNf4tS+j6+Blp/1p0YMd/10Fh6cmLYyM2mDBB60pE/Y3ARS1lP\n" + + "fta43BXTAWu6h+ZT2gncbBv+yAxmMEMY2iBk11dCLrSFWGEcitrOigCLMrPdCKCl\n" + + "7zv9ar9WsNOibOEaso+MF7oAw+97o1nRXPHg/5FzcmosqKU3VJZU8QZfETO7\n" + + "=YWPw\n" + + "-----END PGP SIGNATURE-----"; + PGPSignature signature = SignatureUtils.readSignatures(sig).get(0); + assertEquals(0, SignatureUtils.determineIssuerKeyId(signature)); + } + + @Test + public void skipInvalidSignatures() throws PGPException, IOException { + // Sig version 23 (invalid), sig version 4 + String sigs = "-----BEGIN PGP SIGNATURE-----\n" + + "\n" + + "wsE7FwABCgBvBYJhVBVECRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + + "cy5zZXF1b2lhLXBncC5vcmfYpOWFSlKZpeZQTVMyX5UaWW+12r4Xb0EAFS4gOWJ/\n" + + "mhYhBNGmbhojsYLJmA94jPv8yCoBXnMwAABpyQwAorVkBMS2DTb5rYFPjWjoIo1A\n" + + "3SiYkgPzddqc8ZvTu3zlEXpoGzKQLrXW3AGCuXCeEst+kPV6j33zZiPFSdcn0Ddg\n" + + "QUWlxhmsVJ/ePujwfVyPLJISE/g1486qMERSnOKKyL7u62uwCggRzZMYKOC12PFO\n" + + "+9OsISkPs+BqsV7jd6L2NJCBZ0VFCP2kE4vMty0VltIa3nfr1PgWPH3ekBPt3a0p\n" + + "OF/aSckV0gy4t7JqT9nxU5oWwxef1TQuQ8yh96gBSFUcS58ov+tBuMIjphpKexxU\n" + + "HlOTDVRG8+qUiScGFrc1aavepd9x60aHLBSwyGt4/ZhPvRp3fljyGqSapSUmCeFJ\n" + + "FN+p7Ne35GO/lrr6Aao3HH1xVGF4+Jn7N8CgN/dsKWa+gSrnKZbYo0Sa7hx6yRtm\n" + + "a45VSoRmjEjP+cL+lvDBTqvv3anufZ5OCIzt2sUFJfWF6bOPjc+1X294qYNpVX6j\n" + + "xFWiAQt5XvispaNnuHE5tnlI7pLJ66zCU/Kl4WgywsE7BAABCgBvBYJhVBVECRD7\n" + + "/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfY\n" + + "pOWFSlKZpeZQTVMyX5UaWW+12r4Xb0EAFS4gOWJ/mhYhBNGmbhojsYLJmA94jPv8\n" + + "yCoBXnMwAABpyQwAorVkBMS2DTb5rYFPjWjoIo1A3SiYkgPzddqc8ZvTu3zlEXpo\n" + + "GzKQLrXW3AGCuXCeEst+kPV6j33zZiPFSdcn0DdgQUWlxhmsVJ/ePujwfVyPLJIS\n" + + "E/g1486qMERSnOKKyL7u62uwCggRzZMYKOC12PFO+9OsISkPs+BqsV7jd6L2NJCB\n" + + "Z0VFCP2kE4vMty0VltIa3nfr1PgWPH3ekBPt3a0pOF/aSckV0gy4t7JqT9nxU5oW\n" + + "wxef1TQuQ8yh96gBSFUcS58ov+tBuMIjphpKexxUHlOTDVRG8+qUiScGFrc1aave\n" + + "pd9x60aHLBSwyGt4/ZhPvRp3fljyGqSapSUmCeFJFN+p7Ne35GO/lrr6Aao3HH1x\n" + + "VGF4+Jn7N8CgN/dsKWa+gSrnKZbYo0Sa7hx6yRtma45VSoRmjEjP+cL+lvDBTqvv\n" + + "3anufZ5OCIzt2sUFJfWF6bOPjc+1X294qYNpVX6jxFWiAQt5XvispaNnuHE5tnlI\n" + + "7pLJ66zCU/Kl4Wgy\n" + + "=fvS+\n" + + "-----END PGP SIGNATURE-----\n"; + List signatures = SignatureUtils.readSignatures(sigs); + assertEquals(1, signatures.size()); // first sig gets skipped + } +} From bccf384dbf8791911cbb2e4625446f3c014db2c2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 13:32:04 +0200 Subject: [PATCH 0041/1450] Add feature-related utilities and tests --- .../org/pgpainless/algorithm/Feature.java | 34 ++++ .../subpackets/SignatureSubpacketsUtil.java | 17 ++ .../SignatureSubpacketsUtilTest.java | 165 ++++++++++++++++++ 3 files changed, 216 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java index 77f7ae65..ec090935 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java @@ -15,6 +15,8 @@ */ package org.pgpainless.algorithm; +import java.util.ArrayList; +import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; @@ -34,6 +36,8 @@ public enum Feature { * RFC-4880 §5.14: Modification Detection Code Packet */ MODIFICATION_DETECTION(Features.FEATURE_MODIFICATION_DETECTION), + AEAD_ENCRYPTED_DATA(Features.FEATURE_AEAD_ENCRYPTED_DATA), + VERSION_5_PUBLIC_KEY(Features.FEATURE_VERSION_5_PUBLIC_KEY) ; private static final Map MAP = new ConcurrentHashMap<>(); @@ -57,4 +61,34 @@ public enum Feature { public byte getFeatureId() { return featureId; } + + /** + * Convert a bitmask into a list of {@link KeyFlag KeyFlags}. + * + * @param bitmask bitmask + * @return list of key flags encoded by the bitmask + */ + public static List fromBitmask(int bitmask) { + List features = new ArrayList<>(); + for (Feature f : Feature.values()) { + if ((bitmask & f.featureId) != 0) { + features.add(f); + } + } + return features; + } + + /** + * Encode a list of {@link KeyFlag KeyFlags} into a bitmask. + * + * @param features list of flags + * @return bitmask + */ + public static byte toBitmask(Feature... features) { + byte mask = 0; + for (Feature f : features) { + mask |= f.featureId; + } + return mask; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index 19ec1b21..57b06c02 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -49,6 +49,7 @@ import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.bouncycastle.util.encoders.Hex; import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SignatureSubpacket; @@ -356,6 +357,22 @@ public final class SignatureSubpacketsUtil { return hashed(signature, SignatureSubpacket.features); } + /** + * Parse out the features subpacket of a signature. + * If the signature has no features subpacket, return null. + * Otherwise, return the features as a feature set. + * + * @param signature signature + * @return features as set + */ + public static @Nullable Set parseFeatures(PGPSignature signature) { + Features features = getFeatures(signature); + if (features == null) { + return null; + } + return new LinkedHashSet<>(Feature.fromBitmask(features.getData()[0])); + } + /** * Return the signature target subpacket from the signature. * We search for this subpacket in the hashed and unhashed area (in this order). diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java new file mode 100644 index 00000000..34d82bfc --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -0,0 +1,165 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.signature; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.time.temporal.ChronoUnit; +import java.util.Arrays; +import java.util.Date; +import java.util.Iterator; +import java.util.LinkedHashSet; +import java.util.Set; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.policy.Policy; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; + +public class SignatureSubpacketsUtilTest { + + @Test + public void test() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Expire", null); + Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys()) + .done(); + + PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature(secretKeys, "Expire", Policy.getInstance(), new Date()); + PGPPublicKey notTheRightKey = PGPainless.inspectKeyRing(secretKeys).getSigningSubkeys().get(0); + + assertThrows(IllegalArgumentException.class, () -> + SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(expirationSig, notTheRightKey)); + } + + @Test + public void testGetRevocable() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature withoutRevocable = generator.generateCertification(secretKeys.getPublicKey()); + assertNull(SignatureSubpacketsUtil.getRevocable(withoutRevocable)); + + generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.setRevocable(true, true); + generator.setHashedSubpackets(hashed.generate()); + PGPSignature withRevocable = generator.generateCertification(secretKeys.getPublicKey()); + assertNotNull(SignatureSubpacketsUtil.getRevocable(withRevocable)); + } + + @Test + public void testParsePreferredCompressionAlgorithms() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + Set compressionAlgorithmSet = new LinkedHashSet<>(Arrays.asList(CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZIP)); + int[] ids = new int[compressionAlgorithmSet.size()]; + Iterator it = compressionAlgorithmSet.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = it.next().getAlgorithmId(); + } + hashed.setPreferredCompressionAlgorithms(true, ids); + generator.setHashedSubpackets(hashed.generate()); + + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + + Set parsed = SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signature); + assertEquals(compressionAlgorithmSet, parsed); + } + + @Test + public void testParseKeyFlagsOfNullIsNull() { + assertNull(SignatureSubpacketsUtil.parseKeyFlags(null)); + } + + @Test + public void testParseKeyFlagsOfNullSubpacketIsNull() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature withoutKeyFlags = generator.generateCertification(secretKeys.getPublicKey()); + assertNull(SignatureSubpacketsUtil.parseKeyFlags(withoutKeyFlags)); + } + + @Test + public void testParseFeaturesIsNullForNullSubpacket() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature withoutKeyFlags = generator.generateCertification(secretKeys.getPublicKey()); + assertNull(SignatureSubpacketsUtil.parseFeatures(withoutKeyFlags)); + } + + @Test + public void testParseFeatures() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.setFeature(true, Feature.toBitmask(Feature.MODIFICATION_DETECTION, Feature.AEAD_ENCRYPTED_DATA)); + generator.setHashedSubpackets(hashed.generate()); + + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + Set featureSet = SignatureSubpacketsUtil.parseFeatures(signature); + assertEquals(2, featureSet.size()); + assertTrue(featureSet.contains(Feature.MODIFICATION_DETECTION)); + assertTrue(featureSet.contains(Feature.AEAD_ENCRYPTED_DATA)); + assertFalse(featureSet.contains(Feature.VERSION_5_PUBLIC_KEY)); + } + + private PGPSignatureGenerator getSignatureGenerator(PGPPrivateKey signingKey, + SignatureType signatureType) throws PGPException { + PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder( + signingKey.getPublicKeyPacket().getAlgorithm(), + HashAlgorithm.SHA512.getAlgorithmId())); + signatureGenerator.init(signatureType.getCode(), signingKey); + return signatureGenerator; + } +} From 96755a82a5dd12f5181b81aee537634334013ae2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 14:00:23 +0200 Subject: [PATCH 0042/1450] More SignatureSubpacketsUtilTest methods --- .../SignatureSubpacketsUtilTest.java | 139 +++++++++++++++++- 1 file changed, 138 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 34d82bfc..a5b6eb9e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -15,6 +15,7 @@ */ package org.pgpainless.signature; +import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; @@ -30,8 +31,14 @@ import java.util.Arrays; import java.util.Date; import java.util.Iterator; import java.util.LinkedHashSet; +import java.util.List; import java.util.Set; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.bcpg.sig.TrustSignature; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; @@ -55,7 +62,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; public class SignatureSubpacketsUtilTest { @Test - public void test() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testGetKeyExpirationTimeAsDate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Expire", null); Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS)); @@ -153,6 +160,136 @@ public class SignatureSubpacketsUtilTest { assertFalse(featureSet.contains(Feature.VERSION_5_PUBLIC_KEY)); } + @Test + public void getSignatureTargetIsNull() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature withoutSignatureTarget = generator.generateCertification(secretKeys.getPublicKey()); + + assertNull(SignatureSubpacketsUtil.getSignatureTarget(withoutSignatureTarget)); + } + + @Test + public void testGetUnhashedNotationData() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator unhashed = new PGPSignatureSubpacketGenerator(); + unhashed.addNotationData(true, true, "test@notation.data", "notation-value"); + unhashed.addNotationData(true, true, "test@notation.data", "another-value"); + unhashed.addNotationData(true, true, "another@notation.data", "Hello-World!"); + generator.setUnhashedSubpackets(unhashed.generate()); + + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + List notations = SignatureSubpacketsUtil.getUnhashedNotationData(signature); + assertEquals(3, notations.size()); + assertEquals("test@notation.data", notations.get(0).getNotationName()); + assertEquals("test@notation.data", notations.get(1).getNotationName()); + assertEquals("another@notation.data", notations.get(2).getNotationName()); + assertEquals("notation-value", notations.get(0).getNotationValue()); + assertEquals("another-value", notations.get(1).getNotationValue()); + assertEquals("Hello-World!", notations.get(2).getNotationValue()); + + notations = SignatureSubpacketsUtil.getUnhashedNotationData(signature, "test@notation.data"); + assertEquals(2, notations.size()); + assertEquals("notation-value", notations.get(0).getNotationValue()); + assertEquals("another-value", notations.get(1).getNotationValue()); + + notations = SignatureSubpacketsUtil.getUnhashedNotationData(signature, "invalid"); + assertEquals(0, notations.size()); + } + + @Test + public void testGetRevocationKeyIsNull() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + + assertNull(SignatureSubpacketsUtil.getRevocationKey(signature)); + } + + @Test + public void testGetRevocationKey() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.addRevocationKey(true, secretKeys.getPublicKey().getAlgorithm(), secretKeys.getPublicKey().getFingerprint()); + generator.setHashedSubpackets(hashed.generate()); + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + + RevocationKey revocationKey = SignatureSubpacketsUtil.getRevocationKey(signature); + assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), revocationKey.getFingerprint()); + assertEquals(secretKeys.getPublicKey().getAlgorithm(), revocationKey.getAlgorithm()); + } + + @Test + public void testGetIntendedRecipientFingerprintsEmpty() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + + assertEquals(0, SignatureSubpacketsUtil.getIntendedRecipientFingerprints(signature).size()); + } + + @Test + public void testGetIntendedRecipientFingerprints() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.addIntendedRecipientFingerprint(true, secretKeys.getPublicKey()); + hashed.addIntendedRecipientFingerprint(true, TestKeys.getCryptiePublicKeyRing().getPublicKey()); + generator.setHashedSubpackets(hashed.generate()); + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + + List intendedRecipientFingerprints = SignatureSubpacketsUtil.getIntendedRecipientFingerprints(signature); + assertEquals(2, intendedRecipientFingerprints.size()); + assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), intendedRecipientFingerprints.get(0).getFingerprint()); + assertArrayEquals(TestKeys.getCryptiePublicKeyRing().getPublicKey().getFingerprint(), intendedRecipientFingerprints.get(1).getFingerprint()); + } + + @Test + public void testGetExportableCertification() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.setExportable(true, true); + generator.setHashedSubpackets(hashed.generate()); + + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + Exportable exportable = SignatureSubpacketsUtil.getExportableCertification(signature); + assertNotNull(exportable); + assertTrue(exportable.isExportable()); + } + + @Test + public void testGetTrustSignature() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPPrivateKey certKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = getSignatureGenerator(certKey, SignatureType.CASUAL_CERTIFICATION); + PGPSignatureSubpacketGenerator hashed = new PGPSignatureSubpacketGenerator(); + hashed.setTrust(true, 10, 3); + generator.setHashedSubpackets(hashed.generate()); + + PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey()); + TrustSignature trustSignature = SignatureSubpacketsUtil.getTrustSignature(signature); + assertEquals(10, trustSignature.getDepth()); + assertEquals(3, trustSignature.getTrustAmount()); + } + private PGPSignatureGenerator getSignatureGenerator(PGPPrivateKey signingKey, SignatureType signatureType) throws PGPException { PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( From 5d28823c80f1e5d0b91f458266c8264ab360902f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 14:21:06 +0200 Subject: [PATCH 0043/1450] Add more signing tests --- .../encryption_signing/SigningTest.java | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 1c2a9b8e..62d6a810 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -15,7 +15,9 @@ */ package org.pgpainless.encryption_signing; +import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -33,21 +35,30 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; +import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; +import org.pgpainless.exception.KeyCannotSignException; import org.pgpainless.exception.KeyValidationError; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.util.MultiMap; import org.pgpainless.util.Passphrase; public class SigningTest { @@ -141,4 +152,111 @@ public class SigningTest { assertThrows(KeyValidationError.class, () -> opts.addInlineSignature(protector, fSecretKeys, "alice", DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } + + @Test + public void signWithHashAlgorithmOverride() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + SigningOptions options = new SigningOptions(); + assertNull(options.getHashAlgorithmOverride()); + + options.overrideHashAlgorithm(HashAlgorithm.SHA224); + assertEquals(HashAlgorithm.SHA224, options.getHashAlgorithmOverride()); + + options.addDetachedSignature(protector, secretKeys, DocumentSignatureType.BINARY_DOCUMENT); + + String data = "Hello, World!\n"; + EncryptionStream signer = PGPainless.encryptAndOrSign() + .onOutputStream(new ByteArrayOutputStream()) + .withOptions(ProducerOptions.sign(options)); + + Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); + signer.close(); + EncryptionResult result = signer.getResult(); + + MultiMap sigs = result.getDetachedSignatures(); + assertEquals(1, sigs.size()); + SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); + assertEquals(1, sigs.get(signingKey).size()); + PGPSignature signature = sigs.get(signingKey).iterator().next(); + + assertEquals(HashAlgorithm.SHA224.getAlgorithmId(), signature.getHashAlgorithm()); + } + + @Test + public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA).overridePreferredHashAlgorithms()) + .addUserId("Alice") + .build(); + + SigningOptions options = new SigningOptions() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); + String data = "Hello, World!\n"; + EncryptionStream signer = PGPainless.encryptAndOrSign() + .onOutputStream(new ByteArrayOutputStream()) + .withOptions(ProducerOptions.sign(options)); + + Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); + signer.close(); + EncryptionResult result = signer.getResult(); + MultiMap sigs = result.getDetachedSignatures(); + SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); + PGPSignature signature = sigs.get(signingKey).iterator().next(); + + assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); + } + + @Test + public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .overridePreferredHashAlgorithms(HashAlgorithm.MD5)) + .addUserId("Alice") + .build(); + + SigningOptions options = new SigningOptions() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); + String data = "Hello, World!\n"; + EncryptionStream signer = PGPainless.encryptAndOrSign() + .onOutputStream(new ByteArrayOutputStream()) + .withOptions(ProducerOptions.sign(options)); + + Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), signer); + signer.close(); + EncryptionResult result = signer.getResult(); + MultiMap sigs = result.getDetachedSignatures(); + SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); + PGPSignature signature = sigs.get(signingKey).iterator().next(); + + assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); + } + + @Test + public void signingWithNonCapableKeyThrowsKeyCannotSignException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + .addUserId("Alice") + .build(); + + SigningOptions options = new SigningOptions(); + assertThrows(KeyCannotSignException.class, () -> options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); + assertThrows(KeyCannotSignException.class, () -> options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); + } + + @Test + public void signWithInvalidUserIdThrowsKeyValidationError() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addUserId("Alice") + .build(); + + SigningOptions options = new SigningOptions(); + assertThrows(KeyValidationError.class, () -> + options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); + assertThrows(KeyValidationError.class, () -> + options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); + } + } From c0ae6d75ba8373c91f49dae19228c2cb80fc6c5a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 14:47:16 +0200 Subject: [PATCH 0044/1450] Add tests for UserAttribute certification/revocation --- .../SignatureOverUserAttributesTest.java | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java new file mode 100644 index 00000000..519184ab --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -0,0 +1,101 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.signature; + +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.io.IOException; +import java.util.Date; + +import org.bouncycastle.bcpg.attr.ImageAttribute; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.SignatureValidationException; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; + +public class SignatureOverUserAttributesTest { + + private static final byte[] image = new byte[] {(byte) -1, (byte) -40, (byte) -1, (byte) -32, (byte) 0, (byte) 16, (byte) 74, (byte) 70, (byte) 73, (byte) 70, (byte) 0, (byte) 1, (byte) 1, (byte) 1, (byte) 1, (byte) 44, (byte) 1, (byte) 44, (byte) 0, (byte) 0, (byte) -1, (byte) -2, (byte) 0, (byte) 19, (byte) 67, (byte) 114, (byte) 101, (byte) 97, (byte) 116, (byte) 101, (byte) 100, (byte) 32, (byte) 119, (byte) 105, (byte) 116, (byte) 104, (byte) 32, (byte) 71, (byte) 73, (byte) 77, (byte) 80, (byte) -1, (byte) -30, (byte) 2, (byte) -80, (byte) 73, (byte) 67, (byte) 67, (byte) 95, (byte) 80, (byte) 82, (byte) 79, (byte) 70, (byte) 73, (byte) 76, (byte) 69, (byte) 0, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 2, (byte) -96, (byte) 108, (byte) 99, (byte) 109, (byte) 115, (byte) 4, (byte) 48, (byte) 0, (byte) 0, (byte) 109, (byte) 110, (byte) 116, (byte) 114, (byte) 82, (byte) 71, (byte) 66, (byte) 32, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 7, (byte) -27, (byte) 0, (byte) 10, (byte) 0, (byte) 4, (byte) 0, (byte) 12, (byte) 0, (byte) 27, (byte) 0, (byte) 19, (byte) 97, (byte) 99, (byte) 115, (byte) 112, (byte) 65, (byte) 80, (byte) 80, (byte) 76, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -10, (byte) -42, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -45, (byte) 45, (byte) 108, (byte) 99, (byte) 109, (byte) 115, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 13, (byte) 100, (byte) 101, (byte) 115, (byte) 99, (byte) 0, (byte) 0, (byte) 1, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 64, (byte) 99, (byte) 112, (byte) 114, (byte) 116, (byte) 0, (byte) 0, (byte) 1, (byte) 96, (byte) 0, (byte) 0, (byte) 0, (byte) 54, (byte) 119, (byte) 116, (byte) 112, (byte) 116, (byte) 0, (byte) 0, (byte) 1, (byte) -104, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 99, (byte) 104, (byte) 97, (byte) 100, (byte) 0, (byte) 0, (byte) 1, (byte) -84, (byte) 0, (byte) 0, (byte) 0, (byte) 44, (byte) 114, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 1, (byte) -40, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 98, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 1, (byte) -20, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 103, (byte) 88, (byte) 89, (byte) 90, (byte) 0, (byte) 0, (byte) 2, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 20, (byte) 114, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 103, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 98, (byte) 84, (byte) 82, (byte) 67, (byte) 0, (byte) 0, (byte) 2, (byte) 20, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) 99, (byte) 104, (byte) 114, (byte) 109, (byte) 0, (byte) 0, (byte) 2, (byte) 52, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 100, (byte) 109, (byte) 110, (byte) 100, (byte) 0, (byte) 0, (byte) 2, (byte) 88, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 100, (byte) 109, (byte) 100, (byte) 100, (byte) 0, (byte) 0, (byte) 2, (byte) 124, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 71, (byte) 0, (byte) 73, (byte) 0, (byte) 77, (byte) 0, (byte) 80, (byte) 0, (byte) 32, (byte) 0, (byte) 98, (byte) 0, (byte) 117, (byte) 0, (byte) 105, (byte) 0, (byte) 108, (byte) 0, (byte) 116, (byte) 0, (byte) 45, (byte) 0, (byte) 105, (byte) 0, (byte) 110, (byte) 0, (byte) 32, (byte) 0, (byte) 115, (byte) 0, (byte) 82, (byte) 0, (byte) 71, (byte) 0, (byte) 66, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 26, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 80, (byte) 0, (byte) 117, (byte) 0, (byte) 98, (byte) 0, (byte) 108, (byte) 0, (byte) 105, (byte) 0, (byte) 99, (byte) 0, (byte) 32, (byte) 0, (byte) 68, (byte) 0, (byte) 111, (byte) 0, (byte) 109, (byte) 0, (byte) 97, (byte) 0, (byte) 105, (byte) 0, (byte) 110, (byte) 0, (byte) 0, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -10, (byte) -42, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -45, (byte) 45, (byte) 115, (byte) 102, (byte) 51, (byte) 50, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 12, (byte) 66, (byte) 0, (byte) 0, (byte) 5, (byte) -34, (byte) -1, (byte) -1, (byte) -13, (byte) 37, (byte) 0, (byte) 0, (byte) 7, (byte) -109, (byte) 0, (byte) 0, (byte) -3, (byte) -112, (byte) -1, (byte) -1, (byte) -5, (byte) -95, (byte) -1, (byte) -1, (byte) -3, (byte) -94, (byte) 0, (byte) 0, (byte) 3, (byte) -36, (byte) 0, (byte) 0, (byte) -64, (byte) 110, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 111, (byte) -96, (byte) 0, (byte) 0, (byte) 56, (byte) -11, (byte) 0, (byte) 0, (byte) 3, (byte) -112, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 36, (byte) -97, (byte) 0, (byte) 0, (byte) 15, (byte) -124, (byte) 0, (byte) 0, (byte) -74, (byte) -60, (byte) 88, (byte) 89, (byte) 90, (byte) 32, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 98, (byte) -105, (byte) 0, (byte) 0, (byte) -73, (byte) -121, (byte) 0, (byte) 0, (byte) 24, (byte) -39, (byte) 112, (byte) 97, (byte) 114, (byte) 97, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 2, (byte) 102, (byte) 102, (byte) 0, (byte) 0, (byte) -14, (byte) -89, (byte) 0, (byte) 0, (byte) 13, (byte) 89, (byte) 0, (byte) 0, (byte) 19, (byte) -48, (byte) 0, (byte) 0, (byte) 10, (byte) 91, (byte) 99, (byte) 104, (byte) 114, (byte) 109, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -93, (byte) -41, (byte) 0, (byte) 0, (byte) 84, (byte) 124, (byte) 0, (byte) 0, (byte) 76, (byte) -51, (byte) 0, (byte) 0, (byte) -103, (byte) -102, (byte) 0, (byte) 0, (byte) 38, (byte) 103, (byte) 0, (byte) 0, (byte) 15, (byte) 92, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 8, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 71, (byte) 0, (byte) 73, (byte) 0, (byte) 77, (byte) 0, (byte) 80, (byte) 109, (byte) 108, (byte) 117, (byte) 99, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 12, (byte) 101, (byte) 110, (byte) 85, (byte) 83, (byte) 0, (byte) 0, (byte) 0, (byte) 8, (byte) 0, (byte) 0, (byte) 0, (byte) 28, (byte) 0, (byte) 115, (byte) 0, (byte) 82, (byte) 0, (byte) 71, (byte) 0, (byte) 66, (byte) -1, (byte) -37, (byte) 0, (byte) 67, (byte) 0, (byte) 16, (byte) 11, (byte) 12, (byte) 14, (byte) 12, (byte) 10, (byte) 16, (byte) 14, (byte) 13, (byte) 14, (byte) 18, (byte) 17, (byte) 16, (byte) 19, (byte) 24, (byte) 40, (byte) 26, (byte) 24, (byte) 22, (byte) 22, (byte) 24, (byte) 49, (byte) 35, (byte) 37, (byte) 29, (byte) 40, (byte) 58, (byte) 51, (byte) 61, (byte) 60, (byte) 57, (byte) 51, (byte) 56, (byte) 55, (byte) 64, (byte) 72, (byte) 92, (byte) 78, (byte) 64, (byte) 68, (byte) 87, (byte) 69, (byte) 55, (byte) 56, (byte) 80, (byte) 109, (byte) 81, (byte) 87, (byte) 95, (byte) 98, (byte) 103, (byte) 104, (byte) 103, (byte) 62, (byte) 77, (byte) 113, (byte) 121, (byte) 112, (byte) 100, (byte) 120, (byte) 92, (byte) 101, (byte) 103, (byte) 99, (byte) -1, (byte) -37, (byte) 0, (byte) 67, (byte) 1, (byte) 17, (byte) 18, (byte) 18, (byte) 24, (byte) 21, (byte) 24, (byte) 47, (byte) 26, (byte) 26, (byte) 47, (byte) 99, (byte) 66, (byte) 56, (byte) 66, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) 99, (byte) -1, (byte) -62, (byte) 0, (byte) 17, (byte) 8, (byte) 0, (byte) 16, (byte) 0, (byte) 16, (byte) 3, (byte) 1, (byte) 17, (byte) 0, (byte) 2, (byte) 17, (byte) 1, (byte) 3, (byte) 17, (byte) 1, (byte) -1, (byte) -60, (byte) 0, (byte) 22, (byte) 0, (byte) 1, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 5, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) -1, (byte) -38, (byte) 0, (byte) 12, (byte) 3, (byte) 1, (byte) 0, (byte) 2, (byte) 16, (byte) 3, (byte) 16, (byte) 0, (byte) 0, (byte) 1, (byte) -46, (byte) 4, (byte) -127, (byte) -1, (byte) -60, (byte) 0, (byte) 23, (byte) 16, (byte) 1, (byte) 1, (byte) 1, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 3, (byte) 1, (byte) 2, (byte) 18, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 5, (byte) 2, (byte) 100, (byte) -99, (byte) -118, (byte) 78, (byte) -44, (byte) -18, (byte) -100, (byte) -114, (byte) -27, (byte) -1, (byte) 0, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 3, (byte) 1, (byte) 1, (byte) 63, (byte) 1, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 2, (byte) 1, (byte) 1, (byte) 63, (byte) 1, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 31, (byte) 16, (byte) 0, (byte) 1, (byte) 1, (byte) 9, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 2, (byte) 17, (byte) 18, (byte) 33, (byte) 49, (byte) 81, (byte) 113, (byte) -111, (byte) -47, (byte) 3, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 6, (byte) 63, (byte) 2, (byte) 30, (byte) 111, (byte) 55, (byte) 107, (byte) 8, (byte) -80, (byte) -13, (byte) 118, (byte) 112, (byte) -88, (byte) 97, (byte) 32, (byte) 79, (byte) 125, (byte) 84, (byte) 48, (byte) -128, (byte) 103, (byte) -82, (byte) 47, (byte) -1, (byte) -60, (byte) 0, (byte) 28, (byte) 16, (byte) 1, (byte) 0, (byte) 2, (byte) 1, (byte) 5, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 17, (byte) 33, (byte) 49, (byte) 65, (byte) 81, (byte) 113, (byte) -127, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 63, (byte) 33, (byte) 50, (byte) -128, (byte) -43, (byte) 26, (byte) -84, (byte) -73, (byte) -18, (byte) 56, (byte) 104, (byte) 106, (byte) -83, (byte) -34, (byte) 27, (byte) -9, (byte) 26, (byte) 113, (byte) -125, (byte) -59, (byte) 65, (byte) 78, (byte) 112, (byte) 120, (byte) -88, (byte) -1, (byte) -38, (byte) 0, (byte) 12, (byte) 3, (byte) 1, (byte) 0, (byte) 2, (byte) 0, (byte) 3, (byte) 0, (byte) 0, (byte) 0, (byte) 16, (byte) 0, (byte) 15, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 3, (byte) 1, (byte) 1, (byte) 63, (byte) 16, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 20, (byte) 17, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 32, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 2, (byte) 1, (byte) 1, (byte) 63, (byte) 16, (byte) 31, (byte) -1, (byte) -60, (byte) 0, (byte) 25, (byte) 16, (byte) 1, (byte) 1, (byte) 0, (byte) 3, (byte) 1, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 0, (byte) 1, (byte) 17, (byte) 0, (byte) 33, (byte) 49, (byte) 65, (byte) -1, (byte) -38, (byte) 0, (byte) 8, (byte) 1, (byte) 1, (byte) 0, (byte) 1, (byte) 63, (byte) 16, (byte) -107, (byte) 3, (byte) 101, (byte) -86, (byte) 14, (byte) -55, (byte) 65, (byte) -18, (byte) 74, (byte) -95, (byte) -78, (byte) -43, (byte) 15, (byte) 109, (byte) -119, (byte) -9, (byte) 27, (byte) -42, (byte) -76, (byte) -70, (byte) 80, (byte) 69, (byte) -91, (byte) -27, (byte) 115, (byte) -61, (byte) 27, (byte) -62, (byte) -108, (byte) -70, (byte) 20, (byte) 1, (byte) -95, (byte) -27, (byte) 115, (byte) -41, (byte) 63, (byte) -1, (byte) -39}; + private static PGPUserAttributeSubpacketVector attribute; + private static PGPUserAttributeSubpacketVector invalidAttribute; + + static { + PGPUserAttributeSubpacketVectorGenerator attrGen = new PGPUserAttributeSubpacketVectorGenerator(); + attrGen.setImageAttribute(ImageAttribute.JPEG, image); + attribute = attrGen.generate(); + + byte[] modifiedImage = new byte[image.length]; + System.arraycopy(image, 0, modifiedImage, 0, image.length); + modifiedImage[0] = 25; // modify image + + attrGen = new PGPUserAttributeSubpacketVectorGenerator(); + attrGen.setImageAttribute(ImageAttribute.JPEG, modifiedImage); + invalidAttribute = attrGen.generate(); + } + + @Test + public void createAndVerifyUserAttributeCertification() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPSecretKey secretKey = secretKeys.getSecretKey(); + PGPPublicKey publicKey = secretKey.getPublicKey(); + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = new PGPSignatureGenerator( + ImplementationFactory.getInstance() + .getPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); + generator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey); + + PGPSignature signature = generator.generateCertification(attribute, publicKey); + publicKey = PGPPublicKey.addCertification(publicKey, attribute, signature); + SignatureVerifier.verifyUserAttributesCertification(attribute, signature, publicKey, PGPainless.getPolicy(), new Date()); + + PGPPublicKey finalPublicKey = publicKey; + assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, finalPublicKey, PGPainless.getPolicy(), new Date())); + } + + @Test + public void createAndVerifyUserAttributeRevocation() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + PGPSecretKey secretKey = secretKeys.getSecretKey(); + PGPPublicKey publicKey = secretKey.getPublicKey(); + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator generator = new PGPSignatureGenerator( + ImplementationFactory.getInstance() + .getPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())); + generator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey); + + PGPSignature signature = generator.generateCertification(attribute, publicKey); + publicKey = PGPPublicKey.addCertification(publicKey, attribute, signature); + SignatureVerifier.verifyUserAttributesRevocation(attribute, signature, publicKey, PGPainless.getPolicy(), new Date()); + PGPPublicKey finalPublicKey = publicKey; + assertThrows(SignatureValidationException.class, () -> SignatureVerifier.verifyUserAttributesCertification(invalidAttribute, signature, finalPublicKey, PGPainless.getPolicy(), new Date())); + } +} From d170138ea876e301f5970c211bac63e401e0e9a0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 15:02:28 +0200 Subject: [PATCH 0045/1450] Add test for GenerateKeyImpl --- .../org/pgpainless/sop/GenerateKeyTest.java | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java new file mode 100644 index 00000000..03e23063 --- /dev/null +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java @@ -0,0 +1,88 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.sop; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; + +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; +import sop.SOP; +import sop.exception.SOPGPException; + +public class GenerateKeyTest { + + private SOP sop; + + @BeforeEach + public void prepare() { + sop = new SOPImpl(); + } + + @Test + public void testMissingUserId() { + assertThrows(SOPGPException.MissingArg.class, () -> sop.generateKey().generate()); + } + + @Test + public void generateKey() throws IOException { + byte[] bytes = sop.generateKey() + .userId("Alice ") + .generate() + .getBytes(); + + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing() + .secretKeyRing(bytes); + + assertTrue(PGPainless.inspectKeyRing(secretKeys) + .isUserIdValid("Alice ")); + } + + @Test + public void generateKeyWithMultipleUserIds() throws IOException { + byte[] bytes = sop.generateKey() + .userId("Alice ") + .userId("Al ") + .generate() + .getBytes(); + + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing() + .secretKeyRing(bytes); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertEquals("Alice ", info.getPrimaryUserId()); + assertTrue(info.isUserIdValid("Alice ")); + assertTrue(info.isUserIdValid("Al ")); + } + + @Test + public void unarmoredKey() throws IOException { + byte[] bytes = sop.generateKey() + .userId("Alice ") + .noArmor() + .generate() + .getBytes(); + + assertFalse(new String(bytes).startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----")); + } +} From 5761f28db9b420ecfe0ed551c8549eebdb9ef88c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 15:34:42 +0200 Subject: [PATCH 0046/1450] Add FileUtil tests --- .../main/java/sop/cli/picocli/FileUtil.java | 22 ++- .../java/sop/cli/picocli/FileUtilTest.java | 134 ++++++++++++++++++ 2 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java b/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java index 30e2ae0c..f55af503 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java @@ -33,6 +33,26 @@ public class FileUtil { public static final String PRFX_ENV = "@ENV:"; public static final String PRFX_FD = "@FD:"; + private static EnvironmentVariableResolver envResolver = System::getenv; + + public static void setEnvironmentVariableResolver(EnvironmentVariableResolver envResolver) { + if (envResolver == null) { + throw new NullPointerException("Variable envResolver cannot be null."); + } + FileUtil.envResolver = envResolver; + } + + public interface EnvironmentVariableResolver { + /** + * Resolve the value of the given environment variable. + * Return null if the variable is not present. + * + * @param name name of the variable + * @return variable value or null + */ + String resolveEnvironmentVariable(String name); + } + public static File getFile(String fileName) { if (fileName == null) { throw new NullPointerException("File name cannot be null."); @@ -45,7 +65,7 @@ public class FileUtil { } String envName = fileName.substring(PRFX_ENV.length()); - String envValue = System.getenv(envName); + String envValue = envResolver.resolveEnvironmentVariable(envName); if (envValue == null) { throw new IllegalArgumentException(String.format(ERROR_ENV_FOUND, envName)); } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java new file mode 100644 index 00000000..aad57290 --- /dev/null +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java @@ -0,0 +1,134 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sop.cli.picocli; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.nio.file.Files; + +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import sop.exception.SOPGPException; + +public class FileUtilTest { + + @BeforeAll + public static void setup() { + FileUtil.setEnvironmentVariableResolver(new FileUtil.EnvironmentVariableResolver() { + @Override + public String resolveEnvironmentVariable(String name) { + if (name.equals("test123")) { + return "test321"; + } + return null; + } + }); + } + + @Test + public void getFile_ThrowsForNull() { + assertThrows(NullPointerException.class, () -> FileUtil.getFile(null)); + } + + @Test + public void getFile_prfxEnvAlreadyExists() throws IOException { + File tempFile = new File("@ENV:test"); + tempFile.createNewFile(); + tempFile.deleteOnExit(); + + assertThrows(SOPGPException.AmbiguousInput.class, () -> FileUtil.getFile("@ENV:test")); + } + + @Test + public void getFile_EnvironmentVariable() { + File file = FileUtil.getFile("@ENV:test123"); + assertEquals("test321", file.getName()); + } + + @Test + public void getFile_nonExistentEnvVariable() { + assertThrows(IllegalArgumentException.class, () -> FileUtil.getFile("@ENV:INVALID")); + } + + @Test + public void getFile_prfxFdAlreadyExists() throws IOException { + File tempFile = new File("@FD:1"); + tempFile.createNewFile(); + tempFile.deleteOnExit(); + + assertThrows(SOPGPException.AmbiguousInput.class, () -> FileUtil.getFile("@FD:1")); + } + + @Test + public void getFile_prfxFdNotSupported() { + assertThrows(IllegalArgumentException.class, () -> FileUtil.getFile("@FD:2")); + } + + @Test + public void createNewFileOrThrow_throwsForNull() { + assertThrows(NullPointerException.class, () -> FileUtil.createNewFileOrThrow(null)); + } + + @Test + public void createNewFileOrThrow_success() throws IOException { + File dir = Files.createTempDirectory("test").toFile(); + dir.deleteOnExit(); + File file = new File(dir, "file"); + + assertFalse(file.exists()); + FileUtil.createNewFileOrThrow(file); + assertTrue(file.exists()); + } + + @Test + public void createNewFileOrThrow_alreadyExists() throws IOException { + File dir = Files.createTempDirectory("test").toFile(); + dir.deleteOnExit(); + File file = new File(dir, "file"); + + FileUtil.createNewFileOrThrow(file); + assertTrue(file.exists()); + assertThrows(SOPGPException.OutputExists.class, () -> FileUtil.createNewFileOrThrow(file)); + } + + @Test + public void getFileInputStream_success() throws IOException { + File dir = Files.createTempDirectory("test").toFile(); + dir.deleteOnExit(); + File file = new File(dir, "file"); + + FileUtil.createNewFileOrThrow(file); + FileInputStream inputStream = FileUtil.getFileInputStream(file.getAbsolutePath()); + assertNotNull(inputStream); + } + + @Test + public void getFileInputStream_fileNotFound() throws IOException { + File dir = Files.createTempDirectory("test").toFile(); + dir.deleteOnExit(); + File file = new File(dir, "file"); + + assertThrows(SOPGPException.MissingInput.class, + () -> FileUtil.getFileInputStream(file.getAbsolutePath())); + } +} From 18a6090f0ece697c1e19c0e249080145836e60d3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 15:53:58 +0200 Subject: [PATCH 0047/1450] Add tests for user-attribute validation --- .../pgpainless/key/KeyRingValidatorTest.java | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java index 9e189caa..3b6d4679 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java @@ -20,14 +20,31 @@ import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; import java.util.Date; import java.util.Iterator; +import java.util.Random; +import org.bouncycastle.bcpg.attr.ImageAttribute; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.DateUtil; @@ -286,4 +303,33 @@ public class KeyRingValidatorTest { PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); PGPPublicKeyRing validated = KeyRingValidator.validate(publicKeys, PGPainless.getPolicy()); } + + @Test + public void testKeyWithUserAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", null); + PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + PGPPublicKey publicKey = secretKeys.getPublicKey(); + PGPSecretKey secretKey = secretKeys.getSecretKey(); + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); + + PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKey.getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()) + ); + + signatureGenerator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey); + PGPUserAttributeSubpacketVectorGenerator userAttrGen = new PGPUserAttributeSubpacketVectorGenerator(); + byte[] image = new byte[100]; + new Random().nextBytes(image); + userAttrGen.setImageAttribute(ImageAttribute.JPEG, image); + PGPUserAttributeSubpacketVector userAttr = userAttrGen.generate(); + + PGPSignature certification = signatureGenerator.generateCertification(userAttr, publicKey); + publicKey = PGPPublicKey.addCertification(publicKey, userAttr, certification); + publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey); + secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); + + secretKeys = KeyRingValidator.validate(secretKeys, PGPainless.getPolicy()); + assertTrue(secretKeys.getPublicKey().getUserAttributes().hasNext()); + } } From c5b576d8d283d361bc58a91be118c9a6762e79ad Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 16:02:28 +0200 Subject: [PATCH 0048/1450] ArmorImpl: Write to provided output stream instead of system.out --- pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java index 62b9baf4..cb34fe0c 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java @@ -39,7 +39,7 @@ public class ArmorImpl implements Armor { return new Ready() { @Override public void writeTo(OutputStream outputStream) throws IOException { - ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(System.out); + ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(outputStream); Streams.pipeAll(data, armor); armor.close(); } From 637bd18ca616b294119b8e37cc22a23235f8c6d3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 16:03:24 +0200 Subject: [PATCH 0049/1450] Add ArmorTest --- .../java/org/pgpainless/sop/ArmorTest.java | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java new file mode 100644 index 00000000..9175673b --- /dev/null +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java @@ -0,0 +1,58 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.sop; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import org.bouncycastle.openpgp.PGPException; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.util.ArmorUtils; +import sop.enums.ArmorLabel; +import sop.exception.SOPGPException; + +public class ArmorTest { + + @Test + public void labelIsNotSupported() { + assertThrows(SOPGPException.UnsupportedOption.class, () -> new SOPImpl().armor().label(ArmorLabel.Sig)); + } + + @Test + public void armor() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + byte[] data = PGPainless.generateKeyRing().modernKeyRing("Alice", null).getEncoded(); + byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data).getBytes(StandardCharsets.UTF_8); + byte[] armored = new SOPImpl() + .armor() + .data(new ByteArrayInputStream(data)) + .getBytes(); + + assertArrayEquals(knownGoodArmor, armored); + + byte[] dearmored = new SOPImpl().dearmor() + .data(new ByteArrayInputStream(knownGoodArmor)) + .getBytes(); + + assertArrayEquals(data, dearmored); + } +} From 620959abc65166b25183e2e5a5c3d4a3d3c9d3e4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 16:28:56 +0200 Subject: [PATCH 0050/1450] Some more pgpainless-sop tests --- .../java/org/pgpainless/sop/VersionImpl.java | 7 +- .../java/org/pgpainless/sop/SignTest.java | 164 ++++++++++++++++++ .../java/org/pgpainless/sop/VersionTest.java | 6 + .../src/main/java/sop/operation/Sign.java | 1 + 4 files changed, 177 insertions(+), 1 deletion(-) create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java index adee014f..d12ee599 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java @@ -16,6 +16,7 @@ package org.pgpainless.sop; import java.io.IOException; +import java.io.InputStream; import java.util.Properties; import sop.operation.Version; @@ -32,7 +33,11 @@ public class VersionImpl implements Version { String version; try { Properties properties = new Properties(); - properties.load(getClass().getResourceAsStream("/version.properties")); + InputStream propertiesFileIn = getClass().getResourceAsStream("/version.properties"); + if (propertiesFileIn == null) { + throw new IOException("File version.properties not found."); + } + properties.load(propertiesFileIn); version = properties.getProperty("version"); } catch (IOException e) { version = "DEVELOPMENT"; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java new file mode 100644 index 00000000..3c0ab9ac --- /dev/null +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java @@ -0,0 +1,164 @@ +/* + * Copyright 2021 Paul Schaub. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pgpainless.sop; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; +import java.util.Date; +import java.util.List; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.signature.SignatureUtils; +import sop.SOP; +import sop.Verification; +import sop.enums.SignAs; +import sop.exception.SOPGPException; + +public class SignTest { + + private static SOP sop; + private static byte[] key; + private static byte[] cert; + private static byte[] data; + + @BeforeAll + public static void setup() throws IOException { + sop = new SOPImpl(); + key = sop.generateKey() + .userId("Alice") + .generate() + .getBytes(); + cert = sop.extractCert() + .key(new ByteArrayInputStream(key)) + .getBytes(); + data = "Hello, World\n".getBytes(StandardCharsets.UTF_8); + } + + @Test + public void signArmored() throws IOException { + byte[] signature = sop.sign() + .key(new ByteArrayInputStream(key)) + .data(new ByteArrayInputStream(data)) + .getBytes(); + + assertTrue(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----")); + + List verifications = sop.verify() + .cert(new ByteArrayInputStream(cert)) + .notAfter(new Date(new Date().getTime() + 10000)) + .notBefore(new Date(new Date().getTime() - 10000)) + .signatures(new ByteArrayInputStream(signature)) + .data(new ByteArrayInputStream(data)); + + assertEquals(1, verifications.size()); + } + + @Test + public void signUnarmored() throws IOException { + byte[] signature = sop.sign() + .key(new ByteArrayInputStream(key)) + .noArmor() + .data(new ByteArrayInputStream(data)) + .getBytes(); + + assertFalse(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----")); + + List verifications = sop.verify() + .cert(new ByteArrayInputStream(cert)) + .notAfter(new Date(new Date().getTime() + 10000)) + .notBefore(new Date(new Date().getTime() - 10000)) + .signatures(new ByteArrayInputStream(signature)) + .data(new ByteArrayInputStream(data)); + + assertEquals(1, verifications.size()); + } + + @Test + public void rejectSignatureAsTooOld() throws IOException { + byte[] signature = sop.sign() + .key(new ByteArrayInputStream(key)) + .data(new ByteArrayInputStream(data)) + .getBytes(); + + assertThrows(SOPGPException.NoSignature.class, () -> sop.verify() + .cert(new ByteArrayInputStream(cert)) + .notAfter(new Date(new Date().getTime() - 10000)) // Sig is older + .signatures(new ByteArrayInputStream(signature)) + .data(new ByteArrayInputStream(data))); + } + + @Test + public void rejectSignatureAsTooYoung() throws IOException { + byte[] signature = sop.sign() + .key(new ByteArrayInputStream(key)) + .data(new ByteArrayInputStream(data)) + .getBytes(); + + assertThrows(SOPGPException.NoSignature.class, () -> sop.verify() + .cert(new ByteArrayInputStream(cert)) + .notBefore(new Date(new Date().getTime() + 10000)) // Sig is younger + .signatures(new ByteArrayInputStream(signature)) + .data(new ByteArrayInputStream(data))); + } + + @Test + public void mode() throws IOException, PGPException { + byte[] signature = sop.sign() + .mode(SignAs.Text) + .key(new ByteArrayInputStream(key)) + .data(new ByteArrayInputStream(data)) + .getBytes(); + + PGPSignature sig = SignatureUtils.readSignatures(new ByteArrayInputStream(signature)).get(0); + assertEquals(SignatureType.CANONICAL_TEXT_DOCUMENT.getCode(), sig.getSignatureType()); + } + + @Test + public void rejectKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice", null); + PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob", null); + PGPSecretKeyRingCollection collection = new PGPSecretKeyRingCollection(Arrays.asList(key1, key2)); + byte[] keys = collection.getEncoded(); + + assertThrows(SOPGPException.BadData.class, () -> sop.sign().key(new ByteArrayInputStream(keys))); + } + + @Test + public void rejectEncryptedKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing key = PGPainless.generateKeyRing() + .modernKeyRing("Alice", "passphrase"); + byte[] bytes = key.getEncoded(); + + assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.sign().key(new ByteArrayInputStream(bytes))); + } + +} diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java index 02a38217..222fb52e 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java @@ -16,11 +16,17 @@ package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; import org.junit.jupiter.api.Test; public class VersionTest { + @Test + public void testGetVersion() { + assertNotNull(new SOPImpl().version().getVersion()); + } + @Test public void assertNameEqualsPGPainless() { assertEquals("PGPainless-SOP", new SOPImpl().version().getName()); diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java index 1a3f7418..53ba5936 100644 --- a/sop-java/src/main/java/sop/operation/Sign.java +++ b/sop-java/src/main/java/sop/operation/Sign.java @@ -33,6 +33,7 @@ public interface Sign { /** * Sets the signature mode. + * Note: This method has to be called before {@link #key(InputStream)} is called. * * @param mode signature mode * @return builder instance From 722477673d9a1ebc5d61f237d57c6c936424ebcd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Oct 2021 16:48:27 +0200 Subject: [PATCH 0051/1450] Fix hen and egg problem with signature detaching in SOP --- .../DetachInbandSignatureAndMessageImpl.java | 44 +++++++++++-------- 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java index ca0dcc1f..59926017 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java @@ -15,6 +15,8 @@ */ package org.pgpainless.sop; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; @@ -22,6 +24,7 @@ import java.io.OutputStream; import org.bouncycastle.bcpg.ArmoredOutputStream; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; +import org.bouncycastle.util.io.Streams; import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil; import org.pgpainless.util.ArmoredOutputStreamFactory; @@ -44,29 +47,34 @@ public class DetachInbandSignatureAndMessageImpl implements DetachInbandSignatur public ReadyWithResult message(InputStream messageInputStream) { return new ReadyWithResult() { + + private ByteArrayOutputStream sigOut = new ByteArrayOutputStream(); @Override - public Signatures writeTo(OutputStream messageOutputStream) throws SOPGPException.NoSignature { + public Signatures writeTo(OutputStream messageOutputStream) throws SOPGPException.NoSignature, IOException { + + PGPSignatureList signatures = null; + try { + signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(messageInputStream, messageOutputStream); + } catch (WrongConsumingMethodException e) { + throw new IOException(e); + } + + if (armor) { + ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(sigOut); + for (PGPSignature signature : signatures) { + signature.encode(armorOut); + } + armorOut.close(); + } else { + for (PGPSignature signature : signatures) { + signature.encode(sigOut); + } + } return new Signatures() { @Override public void writeTo(OutputStream signatureOutputStream) throws IOException { - PGPSignatureList signatures = null; - try { - signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(messageInputStream, messageOutputStream); - } catch (WrongConsumingMethodException e) { - throw new IOException(e); - } - if (armor) { - ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(signatureOutputStream); - for (PGPSignature signature : signatures) { - signature.encode(armorOut); - } - armorOut.close(); - } else { - for (PGPSignature signature : signatures) { - signature.encode(signatureOutputStream); - } - } + Streams.pipeAll(new ByteArrayInputStream(sigOut.toByteArray()), signatureOutputStream); } }; } From e390389c0a07b3a136e8159cc25fcf9790d43ac4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Oct 2021 15:48:52 +0200 Subject: [PATCH 0052/1450] Reuse compliance --- .editorconfig | 4 + .gitignore | 4 + .reuse/dep5 | 22 ++++ .travis.yml | 4 + CHANGELOG.md | 5 + CODE_OF_CONDUCT.md | 6 + LICENSES/Apache-2.0.txt | 73 +++++++++++ LICENSES/CC-BY-3.0.txt | 93 ++++++++++++++ LICENSES/CC0-1.0.txt | 121 ++++++++++++++++++ README.md | 6 + assets/repository-open-graph.png.license | 3 + build.gradle | 4 + config/checkstyle/checkstyle.xml | 13 +- config/checkstyle/checkstyleLicenseHeader.txt | 15 --- config/checkstyle/suppressions.xml | 6 + gradle/wrapper/gradle-wrapper.jar.license | 3 + gradle/wrapper/gradle-wrapper.properties | 4 + gradlew | 14 +- gradlew.bat | 2 + pgpainless-cli/README.md | 6 + pgpainless-cli/build.gradle | 4 + pgpainless-cli/pgpainless-cli | 3 + .../org/pgpainless/cli/PGPainlessCLI.java | 19 +-- .../java/org/pgpainless/cli/package-info.java | 19 +-- pgpainless-cli/src/main/resources/logback.xml | 6 + .../java/org/pgpainless/cli/ExitCodeTest.java | 19 +-- .../java/org/pgpainless/cli/TestUtils.java | 19 +-- .../pgpainless/cli/commands/ArmorTest.java | 19 +-- .../pgpainless/cli/commands/DearmorTest.java | 19 +-- .../DetachInbandSignatureAndMessageTest.java | 19 +-- .../cli/commands/EncryptDecryptTest.java | 19 +-- .../cli/commands/ExtractCertTest.java | 19 +-- .../cli/commands/GenerateCertTest.java | 19 +-- .../cli/commands/SignVerifyTest.java | 19 +-- pgpainless-core/README.md | 6 + pgpainless-core/build.gradle | 4 + .../main/java/org/pgpainless/PGPainless.java | 19 +-- .../pgpainless/algorithm/AlgorithmSuite.java | 19 +-- .../algorithm/CompressionAlgorithm.java | 19 +-- .../algorithm/DocumentSignatureType.java | 19 +-- .../algorithm/EncryptionPurpose.java | 19 +-- .../org/pgpainless/algorithm/Feature.java | 19 +-- .../pgpainless/algorithm/HashAlgorithm.java | 19 +-- .../org/pgpainless/algorithm/KeyFlag.java | 19 +-- .../algorithm/PublicKeyAlgorithm.java | 19 +-- .../algorithm/SignatureSubpacket.java | 19 +-- .../pgpainless/algorithm/SignatureType.java | 19 +-- .../pgpainless/algorithm/StreamEncoding.java | 19 +-- .../algorithm/SymmetricKeyAlgorithm.java | 19 +-- .../SymmetricKeyAlgorithmNegotiator.java | 19 +-- .../algorithm/negotiation/package-info.java | 19 +-- .../pgpainless/algorithm/package-info.java | 19 +-- .../CloseForResultInputStream.java | 19 +-- .../ConsumerOptions.java | 19 +-- .../DecryptionBuilder.java | 19 +-- .../DecryptionBuilderInterface.java | 19 +-- .../DecryptionStream.java | 19 +-- .../DecryptionStreamFactory.java | 19 +-- .../IntegrityProtectedInputStream.java | 19 +-- .../MessageInspector.java | 19 +-- .../MissingPublicKeyCallback.java | 19 +-- .../OpenPgpMetadata.java | 19 +-- .../SignatureInputStream.java | 19 +-- .../SignatureVerification.java | 19 +-- .../ClearsignedMessageUtil.java | 19 +-- .../CleartextSignatureProcessor.java | 19 +-- .../InMemoryMultiPassStrategy.java | 19 +-- .../MultiPassStrategy.java | 19 +-- .../VerifyCleartextSignatures.java | 19 +-- .../VerifyCleartextSignaturesImpl.java | 19 +-- .../WriteToFileMultiPassStrategy.java | 19 +-- .../cleartext_signatures/package-info.java | 19 +-- .../decryption_verification/package-info.java | 19 +-- .../encryption_signing/EncryptionBuilder.java | 19 +-- .../EncryptionBuilderInterface.java | 19 +-- .../encryption_signing/EncryptionOptions.java | 19 +-- .../encryption_signing/EncryptionResult.java | 19 +-- .../encryption_signing/EncryptionStream.java | 19 +-- .../encryption_signing/ProducerOptions.java | 19 +-- .../encryption_signing/SigningOptions.java | 19 +-- .../encryption_signing/package-info.java | 19 +-- .../exception/KeyCannotSignException.java | 19 +-- .../exception/KeyValidationError.java | 19 +-- ...MessageNotIntegrityProtectedException.java | 19 +-- .../MissingDecryptionMethodException.java | 19 +-- .../MissingLiteralDataException.java | 19 +-- .../ModificationDetectionException.java | 19 +-- .../exception/NotYetImplementedException.java | 19 +-- .../SignatureValidationException.java | 19 +-- .../UnacceptableAlgorithmException.java | 19 +-- .../WrongConsumingMethodException.java | 19 +-- .../exception/WrongPassphraseException.java | 19 +-- .../pgpainless/exception/package-info.java | 19 +-- .../BcImplementationFactory.java | 19 +-- .../implementation/ImplementationFactory.java | 19 +-- .../JceImplementationFactory.java | 19 +-- .../implementation/package-info.java | 19 +-- .../org/pgpainless/key/KeyRingValidator.java | 19 +-- .../pgpainless/key/OpenPgpV4Fingerprint.java | 19 +-- .../org/pgpainless/key/SubkeyIdentifier.java | 19 +-- .../key/collection/PGPKeyRingCollection.java | 19 +-- .../key/collection/package-info.java | 19 +-- .../key/generation/KeyRingBuilder.java | 19 +-- .../generation/KeyRingBuilderInterface.java | 19 +-- .../pgpainless/key/generation/KeySpec.java | 19 +-- .../key/generation/KeySpecBuilder.java | 19 +-- .../generation/KeySpecBuilderInterface.java | 19 +-- .../key/generation/package-info.java | 19 +-- .../key/generation/type/KeyLength.java | 19 +-- .../key/generation/type/KeyType.java | 19 +-- .../generation/type/ecc/EllipticCurve.java | 19 +-- .../key/generation/type/ecc/ecdh/ECDH.java | 19 +-- .../type/ecc/ecdh/package-info.java | 19 +-- .../key/generation/type/ecc/ecdsa/ECDSA.java | 19 +-- .../type/ecc/ecdsa/package-info.java | 19 +-- .../key/generation/type/ecc/package-info.java | 19 +-- .../key/generation/type/eddsa/EdDSA.java | 19 +-- .../key/generation/type/eddsa/EdDSACurve.java | 19 +-- .../generation/type/eddsa/package-info.java | 19 +-- .../key/generation/type/elgamal/ElGamal.java | 19 +-- .../type/elgamal/ElGamalLength.java | 19 +-- .../generation/type/elgamal/package-info.java | 19 +-- .../key/generation/type/package-info.java | 19 +-- .../key/generation/type/rsa/RSA.java | 19 +-- .../key/generation/type/rsa/RsaLength.java | 19 +-- .../key/generation/type/rsa/package-info.java | 19 +-- .../key/generation/type/xdh/XDH.java | 19 +-- .../key/generation/type/xdh/XDHSpec.java | 19 +-- .../key/generation/type/xdh/package-info.java | 19 +-- .../org/pgpainless/key/info/KeyAccessor.java | 19 +-- .../java/org/pgpainless/key/info/KeyInfo.java | 19 +-- .../org/pgpainless/key/info/KeyRingInfo.java | 19 +-- .../org/pgpainless/key/info/package-info.java | 19 +-- .../key/modification/package-info.java | 19 +-- .../secretkeyring/SecretKeyRingEditor.java | 19 +-- .../SecretKeyRingEditorInterface.java | 19 +-- .../secretkeyring/package-info.java | 19 +-- .../java/org/pgpainless/key/package-info.java | 19 +-- .../pgpainless/key/parsing/KeyRingReader.java | 19 +-- .../pgpainless/key/parsing/package-info.java | 19 +-- .../CachingSecretKeyRingProtector.java | 19 +-- .../protection/KeyRingProtectionSettings.java | 19 +-- .../PasswordBasedSecretKeyRingProtector.java | 19 +-- .../protection/SecretKeyRingProtector.java | 19 +-- .../key/protection/UnlockSecretKey.java | 20 +-- .../protection/UnprotectedKeysProtector.java | 19 +-- .../key/protection/fixes/S2KUsageFix.java | 19 +-- .../key/protection/fixes/package-info.java | 19 +-- .../key/protection/package-info.java | 19 +-- .../MapBasedPassphraseProvider.java | 19 +-- .../SecretKeyPassphraseProvider.java | 19 +-- .../SolitaryPassphraseProvider.java | 19 +-- .../passphrase_provider/package-info.java | 19 +-- .../org/pgpainless/key/util/KeyIdUtil.java | 19 +-- .../org/pgpainless/key/util/KeyRingUtils.java | 19 +-- .../key/util/OpenPgpKeyAttributeUtil.java | 19 +-- .../key/util/RevocationAttributes.java | 19 +-- .../java/org/pgpainless/key/util/UserId.java | 18 +-- .../org/pgpainless/key/util/package-info.java | 19 +-- .../java/org/pgpainless/package-info.java | 19 +-- .../java/org/pgpainless/policy/Policy.java | 19 +-- .../org/pgpainless/policy/package-info.java | 19 +-- .../provider/BouncyCastleProviderFactory.java | 19 +-- .../pgpainless/provider/ProviderFactory.java | 19 +-- .../org/pgpainless/provider/package-info.java | 19 +-- .../signature/CertificateValidator.java | 19 +-- .../signature/DetachedSignatureCheck.java | 19 +-- .../signature/OnePassSignatureCheck.java | 19 +-- .../java/org/pgpainless/signature/README.md | 6 + .../SignatureCreationDateComparator.java | 19 +-- .../pgpainless/signature/SignaturePicker.java | 19 +-- .../pgpainless/signature/SignatureUtils.java | 19 +-- .../signature/SignatureValidator.java | 19 +-- .../SignatureValidityComparator.java | 19 +-- .../signature/SignatureVerifier.java | 19 +-- .../pgpainless/signature/package-info.java | 19 +-- .../SignatureSubpacketGeneratorUtil.java | 19 +-- .../subpackets/SignatureSubpacketsUtil.java | 19 +-- .../signature/subpackets/package-info.java | 19 +-- .../java/org/pgpainless/util/ArmorUtils.java | 19 +-- .../util/ArmoredInputStreamFactory.java | 19 +-- .../util/ArmoredOutputStreamFactory.java | 19 +-- .../main/java/org/pgpainless/util/BCUtil.java | 19 +-- .../util/CRCingArmoredInputStreamWrapper.java | 19 +-- .../org/pgpainless/util/CollectionUtils.java | 19 +-- .../java/org/pgpainless/util/DateUtil.java | 19 +-- .../java/org/pgpainless/util/MultiMap.java | 19 +-- .../org/pgpainless/util/NotationRegistry.java | 19 +-- .../org/pgpainless/util/PGPUtilWrapper.java | 19 +-- .../java/org/pgpainless/util/Passphrase.java | 19 +-- .../main/java/org/pgpainless/util/Tuple.java | 19 +-- .../org/pgpainless/util/package-info.java | 19 +-- .../keyring/KeyRingSelectionStrategy.java | 19 +-- .../PublicKeyRingSelectionStrategy.java | 19 +-- .../SecretKeyRingSelectionStrategy.java | 19 +-- .../selection/keyring/impl/ExactUserId.java | 19 +-- .../selection/keyring/impl/Whitelist.java | 19 +-- .../util/selection/keyring/impl/Wildcard.java | 19 +-- .../util/selection/keyring/impl/XMPP.java | 19 +-- .../selection/keyring/impl/package-info.java | 19 +-- .../util/selection/keyring/package-info.java | 19 +-- .../util/selection/userid/SelectUserId.java | 19 +-- .../util/selection/userid/package-info.java | 19 +-- .../src/main/resources/logback.xml | 6 + ...vestigateMultiSEIPMessageHandlingTest.java | 19 +-- .../InvestigateThunderbirdDecryption.java | 19 +-- .../org/bouncycastle/AsciiArmorCRCTests.java | 19 +-- .../AsciiArmorDashEscapeTest.java | 19 +-- .../bouncycastle/PGPPublicKeyRingTest.java | 19 +-- .../org/bouncycastle/PGPUtilWrapperTest.java | 19 +-- .../src/test/java/org/junit/JUtils.java | 19 +-- .../org/pgpainless/algorithm/FeatureTest.java | 19 +-- .../algorithm/SignatureSubpacketTest.java | 19 +-- .../algorithm/SignatureTypeTest.java | 19 +-- .../SymmetricKeyAlgorithmNegotiatorTest.java | 19 +-- .../CleartextSignatureVerificationTest.java | 19 +-- .../DecryptAndVerifyMessageTest.java | 19 +-- .../DecryptHiddenRecipientMessage.java | 19 +-- .../MessageInspectorTest.java | 19 +-- .../ModificationDetectionTests.java | 19 +-- ...tionUsingKeyWithMissingPassphraseTest.java | 19 +-- .../RecursionDepthTest.java | 19 +-- ...eakSymmetricAlgorithmDuringDecryption.java | 19 +-- .../VerifyNotBeforeNotAfterTest.java | 19 +-- .../VerifyWithMissingPublicKeyCallback.java | 19 +-- .../EncryptDecryptTest.java | 19 +-- .../EncryptionOptionsTest.java | 19 +-- .../EncryptionStreamClosedTest.java | 19 +-- .../FileInformationTest.java | 19 +-- ...ymmetricAlgorithmDuringEncryptionTest.java | 19 +-- .../encryption_signing/SigningTest.java | 19 +-- .../org/pgpainless/example/ConvertKeys.java | 19 +-- .../pgpainless/example/DecryptOrVerify.java | 19 +-- .../java/org/pgpainless/example/Encrypt.java | 19 +-- .../org/pgpainless/example/GenerateKeys.java | 19 +-- .../org/pgpainless/example/ManagePolicy.java | 19 +-- .../org/pgpainless/example/ModifyKeys.java | 19 +-- .../java/org/pgpainless/example/ReadKeys.java | 19 +-- .../java/org/pgpainless/example/Sign.java | 19 +-- .../pgpainless/example/UnlockSecretKeys.java | 19 +-- .../key/BouncycastleExportSubkeys.java | 19 +-- .../pgpainless/key/ImportExportKeyTest.java | 19 +-- .../java/org/pgpainless/key/KeyFlagTest.java | 19 +-- .../pgpainless/key/KeyRingValidatorTest.java | 19 +-- .../key/OpenPgpV4FingerprintTest.java | 19 +-- .../pgpainless/key/SubkeyIdentifierTest.java | 19 +-- .../java/org/pgpainless/key/TestKeys.java | 19 +-- .../java/org/pgpainless/key/TestKeysTest.java | 19 +-- .../java/org/pgpainless/key/UserIdTest.java | 19 +-- .../java/org/pgpainless/key/WeirdKeys.java | 19 +-- .../collection/PGPKeyRingCollectionTest.java | 19 +-- .../BrainpoolKeyGenerationTest.java | 19 +-- ...rtificationKeyMustBeAbleToCertifyTest.java | 19 +-- .../GenerateEllipticCurveKeyTest.java | 19 +-- .../GenerateKeyWithAdditionalUserIdTest.java | 19 +-- .../GenerateWithEmptyPassphraseTest.java | 19 +-- .../key/generation/IllegalKeyFlagsTest.java | 19 +-- .../pgpainless/key/info/KeyRingInfoTest.java | 19 +-- .../key/info/PrimaryUserIdTest.java | 19 +-- .../key/info/UserIdRevocationTest.java | 19 +-- .../key/modification/AddSubKeyTest.java | 19 +-- .../key/modification/AddUserIdTest.java | 19 +-- ...nOnKeyWithDifferentSignatureTypesTest.java | 19 +-- .../modification/ChangeExpirationTest.java | 19 +-- .../ChangeSecretKeyRingPassphraseTest.java | 19 +-- .../GnuDummyS2KChangePassphraseTest.java | 19 +-- .../key/modification/KeyRingEditorTest.java | 19 +-- ...gnatureSubpacketsArePreservedOnNewSig.java | 19 +-- ...WithGenericCertificationSignatureTest.java | 19 +-- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 19 +-- .../key/modification/RevokeSubKeyTest.java | 19 +-- .../parsing/KeyRingCollectionReaderTest.java | 19 +-- .../key/parsing/KeyRingReaderTest.java | 19 +-- .../CachingSecretKeyRingProtectorTest.java | 19 +-- .../MapBasedPassphraseProviderTest.java | 19 +-- .../PassphraseProtectedKeyTest.java | 19 +-- .../key/protection/PassphraseTest.java | 19 +-- .../SecretKeyRingProtectorTest.java | 19 +-- .../key/protection/UnlockSecretKeyTest.java | 19 +-- .../UnprotectedKeysProtectorTest.java | 19 +-- .../key/protection/fixes/S2KUsageFixTest.java | 19 +-- .../pgpainless/policy/PolicySetterTest.java | 19 +-- .../org/pgpainless/policy/PolicyTest.java | 19 +-- .../provider/ProviderFactoryTest.java | 19 +-- .../BindingSignatureSubpacketsTest.java | 19 +-- .../signature/CertificateExpirationTest.java | 19 +-- .../signature/CertificateValidatorTest.java | 19 +-- .../signature/IgnoreMarkerPackets.java | 19 +-- .../signature/KeyRevocationTest.java | 19 +-- .../signature/KeyRingValidationTest.java | 19 +-- .../OnePassSignatureBracketingTest.java | 19 +-- .../SignatureOverUserAttributesTest.java | 19 +-- .../signature/SignatureStructureTest.java | 19 +-- .../SignatureSubpacketsUtilTest.java | 19 +-- .../signature/SignatureUtilsTest.java | 19 +-- .../SignatureWasPossiblyMadeByKeyTest.java | 19 +-- ...ultiPassphraseSymmetricEncryptionTest.java | 19 +-- .../SymmetricEncryptionTest.java | 19 +-- .../org/pgpainless/util/ArmorUtilsTest.java | 19 +-- .../java/org/pgpainless/util/BCUtilTest.java | 19 +-- .../util/GuessPreferredHashAlgorithmTest.java | 19 +-- .../org/pgpainless/util/MultiMapTest.java | 19 +-- .../pgpainless/util/NotationRegistryTest.java | 19 +-- .../SignatureSubpacketGeneratorUtilTest.java | 19 +-- .../TestImplementationFactoryProvider.java | 19 +-- .../java/org/pgpainless/util/TestUtils.java | 19 +-- .../keyring/KeyRingsFromCollectionTest.java | 19 +-- ...WhitelistKeyRingSelectionStrategyTest.java | 19 +-- .../WildcardKeyRingSelectionStrategyTest.java | 19 +-- .../XmppKeyRingSelectionStrategyTest.java | 19 +-- .../selection/userid/SelectUserIdTest.java | 19 +-- ...ncryptCommsStorageFlagsDifferentiated.java | 19 +-- .../weird_keys/TestTwoSubkeysEncryption.java | 19 +-- pgpainless-sop/README.md | 6 + pgpainless-sop/build.gradle | 4 + .../java/org/pgpainless/sop/ArmorImpl.java | 19 +-- .../java/org/pgpainless/sop/DearmorImpl.java | 19 +-- .../java/org/pgpainless/sop/DecryptImpl.java | 19 +-- .../DetachInbandSignatureAndMessageImpl.java | 19 +-- .../java/org/pgpainless/sop/EncryptImpl.java | 19 +-- .../org/pgpainless/sop/ExtractCertImpl.java | 19 +-- .../org/pgpainless/sop/GenerateKeyImpl.java | 19 +-- .../main/java/org/pgpainless/sop/SOPImpl.java | 19 +-- .../java/org/pgpainless/sop/SignImpl.java | 19 +-- .../java/org/pgpainless/sop/VerifyImpl.java | 19 +-- .../java/org/pgpainless/sop/VersionImpl.java | 19 +-- .../java/org/pgpainless/sop/package-info.java | 19 +-- .../java/org/pgpainless/sop/ArmorTest.java | 19 +-- .../sop/EncryptDecryptRoundTripTest.java | 19 +-- .../org/pgpainless/sop/ExtractCertTest.java | 19 +-- .../org/pgpainless/sop/GenerateKeyTest.java | 19 +-- .../java/org/pgpainless/sop/SignTest.java | 19 +-- .../java/org/pgpainless/sop/VersionTest.java | 19 +-- settings.gradle | 4 + sop-java-picocli/README.md | 5 + sop-java-picocli/build.gradle | 4 + .../main/java/sop/cli/picocli/DateParser.java | 19 +-- .../main/java/sop/cli/picocli/FileUtil.java | 19 +-- .../src/main/java/sop/cli/picocli/Print.java | 19 +-- .../picocli/SOPExceptionExitCodeMapper.java | 19 +-- .../picocli/SOPExecutionExceptionHandler.java | 19 +-- .../src/main/java/sop/cli/picocli/SopCLI.java | 19 +-- .../sop/cli/picocli/commands/ArmorCmd.java | 19 +-- .../sop/cli/picocli/commands/DearmorCmd.java | 19 +-- .../sop/cli/picocli/commands/DecryptCmd.java | 19 +-- .../DetachInbandSignatureAndMessageCmd.java | 19 +-- .../sop/cli/picocli/commands/EncryptCmd.java | 19 +-- .../cli/picocli/commands/ExtractCertCmd.java | 19 +-- .../cli/picocli/commands/GenerateKeyCmd.java | 19 +-- .../sop/cli/picocli/commands/SignCmd.java | 19 +-- .../sop/cli/picocli/commands/VerifyCmd.java | 19 +-- .../sop/cli/picocli/commands/VersionCmd.java | 19 +-- .../cli/picocli/commands/package-info.java | 19 +-- .../java/sop/cli/picocli/package-info.java | 19 +-- .../java/sop/cli/picocli/DateParserTest.java | 19 +-- .../java/sop/cli/picocli/FileUtilTest.java | 19 +-- .../test/java/sop/cli/picocli/SOPTest.java | 19 +-- .../cli/picocli/commands/ArmorCmdTest.java | 19 +-- .../cli/picocli/commands/DearmorCmdTest.java | 19 +-- .../cli/picocli/commands/DecryptCmdTest.java | 19 +-- .../cli/picocli/commands/EncryptCmdTest.java | 19 +-- .../picocli/commands/ExtractCertCmdTest.java | 19 +-- .../picocli/commands/GenerateKeyCmdTest.java | 19 +-- .../sop/cli/picocli/commands/SignCmdTest.java | 19 +-- .../cli/picocli/commands/VerifyCmdTest.java | 19 +-- .../cli/picocli/commands/VersionCmdTest.java | 19 +-- sop-java/README.md | 6 + sop-java/build.gradle | 4 + .../src/main/java/sop/ByteArrayAndResult.java | 19 +-- .../src/main/java/sop/DecryptionResult.java | 19 +-- sop-java/src/main/java/sop/Ready.java | 19 +-- .../src/main/java/sop/ReadyWithResult.java | 19 +-- sop-java/src/main/java/sop/SOP.java | 19 +-- sop-java/src/main/java/sop/SessionKey.java | 19 +-- sop-java/src/main/java/sop/Signatures.java | 19 +-- sop-java/src/main/java/sop/Verification.java | 19 +-- .../src/main/java/sop/enums/ArmorLabel.java | 19 +-- .../src/main/java/sop/enums/EncryptAs.java | 19 +-- sop-java/src/main/java/sop/enums/SignAs.java | 19 +-- .../src/main/java/sop/enums/package-info.java | 18 +-- .../java/sop/exception/SOPGPException.java | 19 +-- .../main/java/sop/exception/package-info.java | 18 +-- .../src/main/java/sop/operation/Armor.java | 19 +-- .../src/main/java/sop/operation/Dearmor.java | 19 +-- .../src/main/java/sop/operation/Decrypt.java | 19 +-- .../DetachInbandSignatureAndMessage.java | 19 +-- .../src/main/java/sop/operation/Encrypt.java | 19 +-- .../main/java/sop/operation/ExtractCert.java | 19 +-- .../main/java/sop/operation/GenerateKey.java | 19 +-- .../src/main/java/sop/operation/Sign.java | 19 +-- .../src/main/java/sop/operation/Verify.java | 19 +-- .../java/sop/operation/VerifySignatures.java | 19 +-- .../src/main/java/sop/operation/Version.java | 19 +-- .../main/java/sop/operation/package-info.java | 18 +-- sop-java/src/main/java/sop/package-info.java | 18 +-- sop-java/src/main/java/sop/util/HexUtil.java | 20 +-- sop-java/src/main/java/sop/util/Optional.java | 19 +-- .../main/java/sop/util/ProxyOutputStream.java | 19 +-- sop-java/src/main/java/sop/util/UTCUtil.java | 19 +-- .../src/main/java/sop/util/package-info.java | 19 +-- .../java/sop/util/ByteArrayAndResultTest.java | 19 +-- .../src/test/java/sop/util/HexUtilTest.java | 19 +-- .../src/test/java/sop/util/OptionalTest.java | 19 +-- .../java/sop/util/ProxyOutputStreamTest.java | 19 +-- .../src/test/java/sop/util/ReadyTest.java | 19 +-- .../java/sop/util/ReadyWithResultTest.java | 19 +-- .../test/java/sop/util/SessionKeyTest.java | 19 +-- .../src/test/java/sop/util/UTCUtilTest.java | 19 +-- version.gradle | 4 + 409 files changed, 1938 insertions(+), 5645 deletions(-) create mode 100644 .reuse/dep5 create mode 100644 LICENSES/Apache-2.0.txt create mode 100644 LICENSES/CC-BY-3.0.txt create mode 100644 LICENSES/CC0-1.0.txt create mode 100644 assets/repository-open-graph.png.license delete mode 100644 config/checkstyle/checkstyleLicenseHeader.txt create mode 100644 gradle/wrapper/gradle-wrapper.jar.license diff --git a/.editorconfig b/.editorconfig index cde08205..9bf812d1 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2021 Paul Schaub +# +# SPDX-License-Identifier: CC0-1.0 + [*] charset = utf-8 end_of_line = lf diff --git a/.gitignore b/.gitignore index 957d8f29..84123d97 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2021 Paul Schaub +# +# SPDX-License-Identifier: CC0-1.0 + .idea .gradle diff --git a/.reuse/dep5 b/.reuse/dep5 new file mode 100644 index 00000000..ae3e2f91 --- /dev/null +++ b/.reuse/dep5 @@ -0,0 +1,22 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: PGPainless +Upstream-Contact: Paul Schaub +Source: https://pgpainless.org + +# Sample paragraph, commented out: +# +# Files: src/* +# Copyright: $YEAR $NAME <$CONTACT> +# License: ... + +Files: assets/test_vectors/* +Copyright: 2018 Paul Schaub +License: CC0-1.0 + +Files: pgpainless-core/src/test/resources/* +Copyright: 2020 Paul Schaub +License: CC0-1.0 + +Files: audit/* +Copyright: 2021 Paul Schaub +License: CC0-1.0 diff --git a/.travis.yml b/.travis.yml index f54a7438..21079986 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2021 Paul Schaub +# +# SPDX-License-Identifier: Apache-2.0 + language: java dist: bionic jdk: diff --git a/CHANGELOG.md b/CHANGELOG.md index 808a5a1d..907d9b26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ + + # PGPainless Changelog ## 0.2.15-SNAPSHOT diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index f809c8b0..1886c07f 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,3 +1,9 @@ + + # Contributor Covenant Code of Conduct ## Our Pledge diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt new file mode 100644 index 00000000..137069b8 --- /dev/null +++ b/LICENSES/Apache-2.0.txt @@ -0,0 +1,73 @@ +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. + +"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: + + (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. + + You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/LICENSES/CC-BY-3.0.txt b/LICENSES/CC-BY-3.0.txt new file mode 100644 index 00000000..465aae75 --- /dev/null +++ b/LICENSES/CC-BY-3.0.txt @@ -0,0 +1,93 @@ +Creative Commons Attribution 3.0 Unported + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE. + +License + +THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. + +BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. + +1. Definitions + + a. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License. + + b. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License. + + c. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership. + + d. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License. + + e. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast. + + f. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work. + + g. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. + + h. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images. + + i. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium. + +2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws. + +3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: + + a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; + + b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified."; + + c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and, + + d. to Distribute and Publicly Perform Adaptations. + + e. For the avoidance of doubt: + + i. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; + + ii. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and, + + iii. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License. + +The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved. + +4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: + + a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested. + + b. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. + + c. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise. + +5. Representations, Warranties and Disclaimer + +UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. + +6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +7. Termination + + a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. + + b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. + +8. Miscellaneous + + a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. + + b. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. + + c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. + + d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. + + e. This License may not be modified without the mutual written agreement of the Licensor and You. + + f. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law. + +Creative Commons Notice + +Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor. + +Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. For the avoidance of doubt, this trademark restriction does not form part of this License. + +Creative Commons may be contacted at http://creativecommons.org/. diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt new file mode 100644 index 00000000..0e259d42 --- /dev/null +++ b/LICENSES/CC0-1.0.txt @@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. + +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/README.md b/README.md index 8a6294ea..6f54c4cc 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,9 @@ + + # PGPainless - Use OpenPGP Painlessly! [![Travis (.com)](https://travis-ci.com/pgpainless/pgpainless.svg?branch=master)](https://travis-ci.com/pgpainless/pgpainless) diff --git a/assets/repository-open-graph.png.license b/assets/repository-open-graph.png.license new file mode 100644 index 00000000..f634f9b3 --- /dev/null +++ b/assets/repository-open-graph.png.license @@ -0,0 +1,3 @@ +SPDX-FileCopyrightText: 2021 Paul Schaub + +SPDX-License-Identifier: CC-BY-3.0 \ No newline at end of file diff --git a/build.gradle b/build.gradle index 303ce683..cac39a9e 100644 --- a/build.gradle +++ b/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + buildscript { repositories { diff --git a/config/checkstyle/checkstyle.xml b/config/checkstyle/checkstyle.xml index a951157b..06e167fd 100644 --- a/config/checkstyle/checkstyle.xml +++ b/config/checkstyle/checkstyle.xml @@ -1,4 +1,10 @@ + + @@ -9,13 +15,6 @@ - - - - - - - diff --git a/config/checkstyle/checkstyleLicenseHeader.txt b/config/checkstyle/checkstyleLicenseHeader.txt deleted file mode 100644 index fb341cd2..00000000 --- a/config/checkstyle/checkstyleLicenseHeader.txt +++ /dev/null @@ -1,15 +0,0 @@ -/* - * Copyright 2018 Author Authorsson. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ \ No newline at end of file diff --git a/config/checkstyle/suppressions.xml b/config/checkstyle/suppressions.xml index f2aba18d..1314d44d 100644 --- a/config/checkstyle/suppressions.xml +++ b/config/checkstyle/suppressions.xml @@ -1,4 +1,10 @@ + + diff --git a/gradle/wrapper/gradle-wrapper.jar.license b/gradle/wrapper/gradle-wrapper.jar.license new file mode 100644 index 00000000..714a6488 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.jar.license @@ -0,0 +1,3 @@ +SPDX-FileCopyrightText: 2021 The original Gradle authors + +SPDX-License-Identifier: Apache-2.0 \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index a488f210..f1f3afe8 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2021 The original Gradle authors +# +# SPDX-License-Identifier: Apache-2.0 + distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists distributionUrl=https\://services.gradle.org/distributions/gradle-6.4-rc-1-bin.zip diff --git a/gradlew b/gradlew index 2fe81a7d..e1641b8c 100755 --- a/gradlew +++ b/gradlew @@ -1,20 +1,8 @@ #!/usr/bin/env sh -# # Copyright 2015 the original author or authors. # -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# +# SPDX-License-Identifier: Apache-2.0 ############################################################################## ## diff --git a/gradlew.bat b/gradlew.bat index 9109989e..2c20fbad 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -1,3 +1,5 @@ +REM SPDX-License-Identifier: Apache-2.0 + @rem @rem Copyright 2015 the original author or authors. @rem diff --git a/pgpainless-cli/README.md b/pgpainless-cli/README.md index 4c014871..4f691f56 100644 --- a/pgpainless-cli/README.md +++ b/pgpainless-cli/README.md @@ -1,3 +1,9 @@ + + # PGPainless-CLI PGPainless-CLI is an implementation of the [Stateless OpenPGP Command Line Interface](https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli-01) specification based on PGPainless. diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle index a1fb70ef..4c892360 100644 --- a/pgpainless-cli/build.gradle +++ b/pgpainless-cli/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + plugins { id 'application' } diff --git a/pgpainless-cli/pgpainless-cli b/pgpainless-cli/pgpainless-cli index 61e01400..340c3cc0 100755 --- a/pgpainless-cli/pgpainless-cli +++ b/pgpainless-cli/pgpainless-cli @@ -1,4 +1,7 @@ #!/usr/bin/env bash +# SPDX-FileCopyrightText: 2021 Paul Schaub +# +# SPDX-License-Identifier: Apache-2.0 # Pretty fancy method to get reliable the absolute path of a shell # script, *even if it is sourced*. Credits go to GreenFox on diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java index f41810b9..b199ec72 100644 --- a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java +++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli; import org.pgpainless.sop.SOPImpl; diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/package-info.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/package-info.java index 2eabeaba..d2c59d33 100644 --- a/pgpainless-cli/src/main/java/org/pgpainless/cli/package-info.java +++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * PGPainless SOP implementing a Stateless OpenPGP Command Line Interface. * @see diff --git a/pgpainless-cli/src/main/resources/logback.xml b/pgpainless-cli/src/main/resources/logback.xml index d26a820b..13cccf62 100644 --- a/pgpainless-cli/src/main/resources/logback.xml +++ b/pgpainless-cli/src/main/resources/logback.xml @@ -1,3 +1,9 @@ + + System.err diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java index c9f88cca..aa3d7d5b 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java index 819e85f8..16e1937c 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java index c574bfc7..409d4040 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java index d735adab..ab5e2c7a 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java index 605e767b..15cf2546 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java index 77e55830..4e655864 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java index e3d0175b..6f746445 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java index e693c719..87ce74a4 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java index 27fedbec..cd2adc89 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.cli.commands; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md index 33ae850c..90bc0b83 100644 --- a/pgpainless-core/README.md +++ b/pgpainless-core/README.md @@ -1,3 +1,9 @@ + + # PGPainless-Core Wrapper around Bouncycastle's OpenPGP implementation. \ No newline at end of file diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle index 69041d73..61a3fda6 100644 --- a/pgpainless-core/build.gradle +++ b/pgpainless-core/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + plugins { id 'java-library' } diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java index a7410306..7d5ca4b0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java +++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java index 487ffad4..cc416ea2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.Arrays; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java index 970f1cf1..b1f11185 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/DocumentSignatureType.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/DocumentSignatureType.java index 09ec321d..4dbc58da 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/DocumentSignatureType.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/DocumentSignatureType.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java index aab57fe6..1917d837 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; public enum EncryptionPurpose { diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java index ec090935..df6d1de5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java index 2db066ff..b8c97d7e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.HashMap; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java index 0ef093aa..69843a93 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java index 3bdc248a..2069b2c9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java index 5c3a71bd..96c2e76f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import static org.bouncycastle.bcpg.SignatureSubpacketTags.ATTESTED_CERTIFICATIONS; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java index 35d7706c..a31dd31a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import org.bouncycastle.openpgp.PGPSignature; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java index 56dd7afa..3ea9507b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java index 899b61ec..43c327cc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java index 62fd65cf..427bcc69 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm.negotiation; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/package-info.java index b0ebdaef..3969d8df 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to algorithm negotiation. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/package-info.java index 5a1d3643..c2f5f5ff 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Enums which map to OpenPGP's algorithm IDs. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java index bb42e036..ba895a08 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index e958d3b5..f4bc7134 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java index 26b49a03..6dcc355b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java index 4d5e1905..07db42f0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java index d7cc1013..e3f1e720 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018-2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 3724c1c1..fb6012fd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.BufferedInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java index 41695ff3..4da52d0f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index 1cb98b38..1b94f877 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java index 57bcd0f9..f3eb949b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java index 8ff8dc9b..48afd5af 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index b316734f..59c93a4c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.pgpainless.signature.SignatureValidator.signatureWasCreatedInBounds; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java index 4d151394..6063d72a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import javax.annotation.Nullable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java index 969e4a24..feea89eb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.BufferedOutputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index 394de734..636b78e4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java index 04ede0e8..62433a2a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/InMemoryMultiPassStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java index 71a6b9ee..ab5781ca 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.ByteArrayOutputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java index 0aa1c2a0..31317c6c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.File; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java index 3ab6f2f4..276e027f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java index b86c851f..6c8d03ca 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/WriteToFileMultiPassStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.File; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java index f8b363f4..3123338f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to cleartext signature verification. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java index 37376629..07e7cd3d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes used to decryption and verification of OpenPGP encrypted / signed data. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilder.java index d9691f21..9490551b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilder.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java index 9b8abf59..9ba0bb78 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index 3f896f8f..befced35 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java index 6708b796..21d42254 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java index c304b0d5..7d2b9722 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java index dfc156c8..91e976a1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.util.Date; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index b44a3f02..eb50db5d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/package-info.java index c7e05044..4a2f1f39 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes used to encrypt or sign data using OpenPGP. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java index bb3d6574..ee869fa9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java index c0fdb9e5..8296d6c9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPSignature; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java index 9e1025b5..1d8559e1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MessageNotIntegrityProtectedException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java index ee522425..0e856ba6 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingDecryptionMethodException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java index aca46a41..e396b1df 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java index 797ab652..5be1b359 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/ModificationDetectionException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java index 12478f05..72f9b569 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java index 34a4a581..b5b8941d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/SignatureValidationException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java index 169bfed5..aa3c8603 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/UnacceptableAlgorithmException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java index 2ef88330..93d2e9c5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongConsumingMethodException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java index bd0c051c..409db3e2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/WrongPassphraseException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.exception; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java index 1d5adbd2..01a786aa 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Exceptions. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java index bd358061..ea9b0eb0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.implementation; import java.security.KeyPair; diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java index eadc0eed..6f5ea044 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.implementation; import java.security.KeyPair; diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java index c7e311b3..cbacdf1b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.implementation; import java.security.KeyPair; diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/package-info.java index b3e8787e..3ce87531 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Implementation factory classes to be able to switch out the underlying crypto engine implementation. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java index 5bf77a83..5809ad1a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java index 93c0ada3..b368e370 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018-2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.net.URI; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/SubkeyIdentifier.java b/pgpainless-core/src/main/java/org/pgpainless/key/SubkeyIdentifier.java index f1e26770..afd093af 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/SubkeyIdentifier.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/SubkeyIdentifier.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.util.NoSuchElementException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java index 8951b4bc..352343b5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.collection; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/collection/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/collection/package-info.java index 30920119..b2f5b153 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/collection/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/collection/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * OpenPGP key collections. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 3c81332c..b5fe326d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java index 1113158b..ecff123b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilderInterface.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018-2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import java.security.InvalidAlgorithmParameterException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index c53d91e8..364384ae 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index d6095201..80756b74 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import java.util.Arrays; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java index 2f366531..cd68e8b4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/package-info.java index b869e1a7..96728227 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP key generation. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyLength.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyLength.java index 35d84170..1cadfef8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyLength.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyLength.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type; public interface KeyLength { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java index d4332709..584ec1e7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type; import java.security.spec.AlgorithmParameterSpec; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java index 38858c4d..851d2d32 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java index c91c2b90..53f0d1b7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc.ecdh; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/package-info.java index 64e17d22..b1f2c882 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to ECDH. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java index 440019ff..93c6398b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.ecc.ecdsa; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/package-info.java index 9850591b..9b8ca577 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to ECDSA. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/package-info.java index 76c6b03b..d55a487a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes describing different OpenPGP key types based on elliptic curves. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java index 0db4c179..67532d6c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.eddsa; import java.security.spec.AlgorithmParameterSpec; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java index ca168fcc..cc1c1831 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.eddsa; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/package-info.java index de21fc28..cba16f54 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to EdDSA. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java index b55a2415..ac7a239b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.elgamal; import java.security.spec.AlgorithmParameterSpec; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamalLength.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamalLength.java index 648b06ae..852ad6f7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamalLength.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamalLength.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.elgamal; import java.math.BigInteger; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/package-info.java index 3d9a5374..19bc0214 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to ElGamal. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/package-info.java index c4cff4c9..bf048484 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes describing different OpenPGP key types. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java index 67d6a051..231c95a2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.rsa; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RsaLength.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RsaLength.java index e585d23f..74951f0d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RsaLength.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RsaLength.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.rsa; import org.pgpainless.key.generation.type.KeyLength; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/package-info.java index 8937a34d..2a2a0120 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to RSA. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java index 5f35dbf0..db8d7d1e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.xdh; import java.security.spec.AlgorithmParameterSpec; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java index cb4224e5..e33fecd4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation.type.xdh; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/package-info.java index 81b382b1..96af405a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to Diffie-Hellman on the X25519 curve. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java index efdb4daa..b4f61090 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import java.util.Set; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java index e46e09c0..e34de8c9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import org.bouncycastle.asn1.ASN1ObjectIdentifier; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index f58fb5fc..64af5ebb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import static org.pgpainless.util.CollectionUtils.iteratorToList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/package-info.java index 4f3e7d2a..9f33dd40 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Extract information from PGPKeyRings. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/package-info.java index 0b09adf5..9fa73e88 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes that deal with modifications made to OpenPGP keys. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 39863c1b..2785202c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification.secretkeyring; import static org.pgpainless.util.CollectionUtils.iteratorToList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 8f936636..5b8f329f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification.secretkeyring; import java.security.InvalidAlgorithmParameterException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/package-info.java index 4a055b39..6b3eb3b3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes that deal with modifications made to {@link org.bouncycastle.openpgp.PGPSecretKeyRing PGPSecretKeyRings}. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java index 04c318c0..060cd540 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP keys. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java index 4e283d73..585d3eb3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.parsing; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/package-info.java index aa7192a8..50030499 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP key reading. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index e00a9f34..192fb9f9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import java.util.HashMap; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java index 9ac0356c..ede286c6 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java index ace1739e..2f97863f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import java.util.Iterator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java index d57ab6fb..73fb64fc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import java.util.HashMap; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java index 8e45b0c8..c68e4914 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java @@ -1,18 +1,8 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// Copyright 2021 Paul Schaub. +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java index 0092b473..26b5c596 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnprotectedKeysProtector.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import javax.annotation.Nullable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java index c4a43fe4..24fe533a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/S2KUsageFix.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection.fixes; import org.bouncycastle.bcpg.SecretKeyPacket; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java index 69759cbd..06c299b1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/fixes/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Secret Key Protection Fixes. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/package-info.java index f177f3ae..b936025f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP secret key password protection. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java index 9bf7a1fa..859758b1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/MapBasedPassphraseProvider.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection.passphrase_provider; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java index f2bf4fc8..59cb39ce 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SecretKeyPassphraseProvider.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection.passphrase_provider; import javax.annotation.Nullable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java index c0983d15..b439ef56 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/SolitaryPassphraseProvider.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection.passphrase_provider; import javax.annotation.Nullable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/package-info.java index bd356681..e70ad81f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/passphrase_provider/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Passphrase Provider classes. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java index 40decde7..e6ab4f48 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.util; import java.math.BigInteger; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index db3e4898..a85ea446 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.util; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java index 0cd4fb21..673b86ec 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.util; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java index de9f58c8..fba54559 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.util; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java index 2e56ee46..3cd0a444 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java @@ -1,18 +1,6 @@ -/* - * Copyright 2020 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 package org.pgpainless.key.util; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java index 27bc9acd..4609c126 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Utility functions to deal with OpenPGP keys. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/package-info.java index fdc0fe96..3573fcdc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * PGPainless - Use OpenPGP Painlessly! * diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java index 44dd55b4..506f245c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.policy; import java.util.Arrays; diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/policy/package-info.java index 34d001de..dd248151 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/policy/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/policy/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Policy regarding used algorithms. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/provider/BouncyCastleProviderFactory.java b/pgpainless-core/src/main/java/org/pgpainless/provider/BouncyCastleProviderFactory.java index c4aa3d1d..ace5edbe 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/provider/BouncyCastleProviderFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/provider/BouncyCastleProviderFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.provider; import java.security.Provider; diff --git a/pgpainless-core/src/main/java/org/pgpainless/provider/ProviderFactory.java b/pgpainless-core/src/main/java/org/pgpainless/provider/ProviderFactory.java index 99a801f9..4af67c60 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/provider/ProviderFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/provider/ProviderFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.provider; import java.security.Provider; diff --git a/pgpainless-core/src/main/java/org/pgpainless/provider/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/provider/package-info.java index 92c3cc32..b5faa3f8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/provider/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/provider/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes that allow setting a custom implementation of {@link java.security.Provider}. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java index cfbc7705..b163d61f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.pgpainless.signature.SignatureVerifier.verifyOnePassSignature; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java index d816d2fe..ab481b72 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import org.bouncycastle.openpgp.PGPKeyRing; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java index 6c474ccc..4fcfe239 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import org.bouncycastle.openpgp.PGPOnePassSignature; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/README.md b/pgpainless-core/src/main/java/org/pgpainless/signature/README.md index 0299c880..5af3ccd9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/README.md +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/README.md @@ -1,3 +1,9 @@ + + # Signature Verification and Validation This package can be a bit overwhelming, hence this README file. diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java index 7cd70d38..8900be40 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.util.Comparator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java index 0592fe97..54c75c89 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index d512efb8..ff05ca9f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java index cff9bea0..69a7a80a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.security.NoSuchAlgorithmException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java index c14d4614..31d29111 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.util.Comparator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java index e00536c9..30ec5d0c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/signature/package-info.java index f0e27779..624a2e24 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP signatures. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java index 66aa4b50..948441f3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature.subpackets; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index 57b06c02..226be119 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature.subpackets; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/package-info.java index 790adf7f..09dfd6a2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Classes related to OpenPGP signatures. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java index 3979b5ac..f94a4ce3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.BufferedInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java index 7ab5f867..0c5ceeaf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java index 54922651..2ccf7536 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.OutputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java index 31ac586e..f548af98 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.security.NoSuchAlgorithmException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java index 5f76c112..3fa84d53 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.IOException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java index cb845df4..dcae3240 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.lang.reflect.Array; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java index 44711806..3f00ddb3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.text.ParseException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/MultiMap.java b/pgpainless-core/src/main/java/org/pgpainless/util/MultiMap.java index 45c5000b..ab3c7e67 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/MultiMap.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/MultiMap.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/NotationRegistry.java b/pgpainless-core/src/main/java/org/pgpainless/util/NotationRegistry.java index a2349a2b..11aa7651 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/NotationRegistry.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/NotationRegistry.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.util.HashSet; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java index 838b777e..c01dd03d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.BufferedInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java index 31bb867e..1d33ea5b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java b/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java index 2f9407ea..27ad6a12 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/Tuple.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; public class Tuple { diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java index 9f7b28ca..6c525229 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Utility classes. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java index 32918af2..a9f842e3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import java.util.Set; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java index 01a33ab4..038549bf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java index e53cf591..c54f81a5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import javax.annotation.Nonnull; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java index 4edc7cb5..5a05dc56 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring.impl; import java.util.Iterator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java index 2d8a6ed9..f296d8f1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring.impl; import java.util.Map; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java index 23562afe..f7bab777 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring.impl; import org.bouncycastle.openpgp.PGPPublicKeyRing; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java index aafb0ad9..11c3c8ff 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring.impl; import org.bouncycastle.openpgp.PGPPublicKeyRing; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java index 85449597..9b4bf1a4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Implementations of Key Ring Selection Strategies. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java index 394bb400..3c93ce47 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Different Key Ring Selection Strategies. */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java index 50dbb6d9..3f5cc98b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.userid; import java.util.ArrayList; diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/package-info.java index b292d289..5b70f412 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/package-info.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * UserID selection strategies. */ diff --git a/pgpainless-core/src/main/resources/logback.xml b/pgpainless-core/src/main/resources/logback.xml index d26a820b..13cccf62 100644 --- a/pgpainless-core/src/main/resources/logback.xml +++ b/pgpainless-core/src/main/resources/logback.xml @@ -1,3 +1,9 @@ + + System.err diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index 562d93d3..3e0f083b 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package investigations; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java b/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java index aac6513d..d96f7f48 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package investigations; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index 6f5ba46c..19d72dda 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.bouncycastle; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java index 465591d2..e00a7a6c 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorDashEscapeTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.bouncycastle; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java index 6cf8d237..411e81e5 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPPublicKeyRingTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.bouncycastle; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java index c24d990e..5ccb7be7 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.bouncycastle; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/junit/JUtils.java b/pgpainless-core/src/test/java/org/junit/JUtils.java index 6fced9c7..31dddd01 100644 --- a/pgpainless-core/src/test/java/org/junit/JUtils.java +++ b/pgpainless-core/src/test/java/org/junit/JUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.junit; import static org.junit.jupiter.api.Assertions.assertTrue; diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java index bd684429..347322f8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import org.junit.jupiter.api.Test; diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureSubpacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureSubpacketTest.java index 26fc7c94..b282bcdd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureSubpacketTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureSubpacketTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureTypeTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureTypeTest.java index 658818e0..1bf78776 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureTypeTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SignatureTypeTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java index 6263c193..3b9cd1b1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/SymmetricKeyAlgorithmNegotiatorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.algorithm; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 2b96f039..c355438d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 52c7af32..3fa1ec4e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java index d0336f13..69d695d5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java index 8ffb1cc9..2f08a432 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index dcd29467..2a2a0844 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java index fbaff4ad..4aad6c9e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index 5300bec9..5bc1ae61 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java index 635e0b2b..53c690ed 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java index 6ed7b843..d67b3d95 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyNotBeforeNotAfterTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java index 42eee3c8..9c786807 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.decryption_verification; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 175ea7ac..38dda178 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index f8971467..78d9057d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java index efe34861..c667de31 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java index 9e825e46..c5a4d28c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java index 7b18b2be..f866e962 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 62d6a810..a8663ba9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.encryption_signing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index 89dff8e6..7a9aad29 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java index 157c7a82..da641325 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index 6d3f8d43..85266a31 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 2b7cd8c1..6a791e19 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java index 820c7fb1..c762feca 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index f8be9714..6c5daff8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index 89f91731..ca819233 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index 00e7df49..ad3fc0d4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index 5666c022..784cff61 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.example; import java.io.IOException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java index 2b365631..f3e40825 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.security.InvalidAlgorithmParameterException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index a69a77eb..0a0d6294 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/KeyFlagTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/KeyFlagTest.java index 05eedfe0..7646f7aa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/KeyFlagTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/KeyFlagTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java index 3b6d4679..970cea9c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV4FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV4FingerprintTest.java index 9774ce6e..6450e506 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV4FingerprintTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV4FingerprintTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/SubkeyIdentifierTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/SubkeyIdentifierTest.java index 0349f55b..fe792e4d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/SubkeyIdentifierTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/SubkeyIdentifierTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java index 2bf1a286..cd4c7319 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeysTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeysTest.java index f838edfb..5b29e85b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/TestKeysTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/TestKeysTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java index 2530222e..4e596b3f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import org.junit.jupiter.api.Test; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index b0c5d826..87cea724 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key; import java.io.IOException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java index 839f1859..5a5a8471 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/collection/PGPKeyRingCollectionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.collection; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index b94d5622..feed47f6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index ff48d159..7b9747dc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index bf28aac0..aa128ec5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index f3378df0..a068aa69 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index 39d1e6ef..f16c0b1b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Wiktor Kwapisiewicz, 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Wiktor Kwapisiewicz, 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertNotNull; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java index 0a861518..e5c48d5b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index fe2191e5..56886581 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java index 88719aec..d2ec8598 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/PrimaryUserIdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index a6d9a006..33768c7f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.info; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index c6a4dd8d..406d300c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 28fd7817..afb761ef 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index 5a654330..36c9b8bb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import java.io.IOException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index 56cc999f..562e81a7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 26ac9901..b17a41e7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java index 8c8504a3..64439775 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/GnuDummyS2KChangePassphraseTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java index 374a72dc..68774cfc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java index 316c3ea1..a03744a3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java index d8a5ff4e..794438da 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. Copyright 2021 Flowcrypt a.s. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub , 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import java.io.ByteArrayOutputStream; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index fd25d92b..a218a6f9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import java.io.IOException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 7c26aa1b..279a94d1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java index 2027a243..5c117652 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.parsing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index c2142c33..b02f5beb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.parsing; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 6ba16525..277d9d44 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java index 2960a1c6..3961a2be 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/MapBasedPassphraseProviderTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java index f86b0815..45aaf20f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseProtectedKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNotNull; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java index 1b021d01..94eb5863 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index f7010a3f..1a8a3231 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java index ba770113..9e4c0984 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNotNull; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java index c216b495..76a90915 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertNull; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index 1baf3593..d5956da4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.key.protection.fixes; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java index 2511049e..31092c28 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.policy; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java index c4819861..6d86f8d9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.policy; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java index be642344..a7da6ca9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.provider; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index 36e71d05..01f5356b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java index efd8c9ca..c87bd2aa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 4be8e551..e01bf84d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java index 9df706de..c86efd05 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index a2834e5d..c4f899b4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java index 44c557a6..0352abba 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import java.io.IOException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 5317059b..2abf5efc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index 519184ab..c8e8c821 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java index 8d86096d..14d57567 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index a5b6eb9e..588a7191 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java index 0874e93a..296f20a8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java index a7485f3b..f01331b3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index f9d429b5..9b26921f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.symmetric_encryption; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index 15d6ab13..4f6172f4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.symmetric_encryption; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index f07d5dc1..b9610892 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index fc71b3f3..ab61b829 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index ab3ba986..76c269ea 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/MultiMapTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/MultiMapTest.java index 7982a492..74c3347f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/MultiMapTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/MultiMapTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2018 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2018 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/NotationRegistryTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/NotationRegistryTest.java index e646a2b5..3568e143 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/NotationRegistryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/NotationRegistryTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java index 541a9d94..fe10cf1e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java index 6e335c32..1ace7245 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import org.pgpainless.implementation.BcImplementationFactory; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestUtils.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestUtils.java index 8c700120..891ce406 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestUtils.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestUtils.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util; import java.io.ByteArrayInputStream; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java index dfee07c1..eb3510be 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java index a03eba91..43c19a6c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WhitelistKeyRingSelectionStrategyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java index 70e0eac3..4346bd75 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import static org.junit.jupiter.api.Assertions.assertTrue; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java index 014dfc2f..4de56a8a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.keyring; import static org.junit.jupiter.api.Assertions.assertFalse; diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java index 990b135f..6e7ea39c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.util.selection.userid; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index e08bd54a..d2540e73 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.weird_keys; import static org.junit.jupiter.api.Assertions.assertThrows; diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java index d1f8f181..dac83a7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.weird_keys; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md index 6f7e0984..15aa483c 100644 --- a/pgpainless-sop/README.md +++ b/pgpainless-sop/README.md @@ -1,3 +1,9 @@ + + # PGPainless-SOP Implementation of the Stateless OpenPGP Protocol using PGPainless. diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle index 7a01a71c..4858dbab 100644 --- a/pgpainless-sop/build.gradle +++ b/pgpainless-sop/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + plugins { id 'java' } diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java index cb34fe0c..5c92f9b9 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java index b4f7516e..73bd65d5 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java index 1b476cd7..7298065e 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java index 59926017..b1558a90 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.ByteArrayInputStream; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java index 4ff1d1e2..b869d6ba 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java index b2076eb2..d22c71c3 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java index 029b502b..e79475ce 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java index 2561da91..cfa426a5 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import sop.SOP; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java index 2c3f499e..22b6ed32 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.ByteArrayOutputStream; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java index b8cafba5..cdfa465c 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java index d12ee599..b08b2466 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import java.io.IOException; diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/package-info.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/package-info.java index a480c702..c0ce9cda 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/package-info.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Implementation of the java-sop package using pgpainless-core. */ diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java index 9175673b..24cb5908 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java index a4048827..9ef84724 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java index 1262c74a..41546fe7 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java index 03e23063..7f1710fd 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java index 3c0ab9ac..cf9f3ddd 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java index 222fb52e..712df550 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/settings.gradle b/settings.gradle index 2fb62820..7ebc7ad4 100644 --- a/settings.gradle +++ b/settings.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: CC0-1.0 + rootProject.name = 'PGPainless' include 'pgpainless-core', diff --git a/sop-java-picocli/README.md b/sop-java-picocli/README.md index 1a8f5e04..f76c9295 100644 --- a/sop-java-picocli/README.md +++ b/sop-java-picocli/README.md @@ -1,3 +1,8 @@ + # SOP-Java-Picocli Implementation of the [Stateless OpenPGP Command Line Interface](https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli-01) specification. diff --git a/sop-java-picocli/build.gradle b/sop-java-picocli/build.gradle index 2fb275c7..69cd1c52 100644 --- a/sop-java-picocli/build.gradle +++ b/sop-java-picocli/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + plugins { id 'application' } diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java b/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java index cfcdb870..d2e2188e 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import java.util.Date; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java b/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java index f55af503..cd92e6db 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java b/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java index fd8d98ea..d6474e1d 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; public class Print { diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java index 5f41db49..8b38af32 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import picocli.CommandLine; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java index a2ced90e..dc2a047b 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import picocli.CommandLine; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java index 2f5806ec..bc0ae3dd 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import picocli.CommandLine; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java index e4b62e3c..139cfcdb 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.IOException; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java index c4d1d009..f3c62908 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.IOException; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java index 21a90a06..58f49db9 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2020 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java index 0908a149..77471681 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java index fb18bc21..d1ee253c 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java index c8fbe1fc..59656e65 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.IOException; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java index b9ca045f..f97fcfa0 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.IOException; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java index 6140bfce..961869ce 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java index 18e1c03d..d731b25a 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import java.io.File; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java index a0a93e2a..0d5da1a6 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import picocli.CommandLine; diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java index 28684d5a..fc6aefda 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Subcommands of the PGPainless SOP. */ diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java b/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java index af01095d..83f426d6 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Implementation of the Stateless OpenPGP Command Line Interface using Picocli. */ diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java index 0be6f7f2..5c7def50 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java index aad57290..eeb4589d 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java index 3ee1461a..fbf4cfa7 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli; import static org.mockito.Mockito.mock; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java index 17d32536..62adf056 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java index d83f747e..fc1f713b 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java index 2093ff59..89ba709a 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java index 77a48be4..0300305d 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java index 6e453894..be602e72 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java index a99bbab4..643cf363 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java index 420af2e8..fdd376b1 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.ArgumentMatchers.any; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java index 29b4388e..99098d76 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2020 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java index 1aa1440e..6a4d628b 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.cli.picocli.commands; import static org.mockito.Mockito.mock; diff --git a/sop-java/README.md b/sop-java/README.md index e355b086..86d02008 100644 --- a/sop-java/README.md +++ b/sop-java/README.md @@ -1,3 +1,9 @@ + + # SOP-Java Stateless OpenPGP Protocol for Java. diff --git a/sop-java/build.gradle b/sop-java/build.gradle index 3da940c6..c2e2f1fb 100644 --- a/sop-java/build.gradle +++ b/sop-java/build.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + plugins { id 'java' } diff --git a/sop-java/src/main/java/sop/ByteArrayAndResult.java b/sop-java/src/main/java/sop/ByteArrayAndResult.java index b462926e..709836d2 100644 --- a/sop-java/src/main/java/sop/ByteArrayAndResult.java +++ b/sop-java/src/main/java/sop/ByteArrayAndResult.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; public class ByteArrayAndResult { diff --git a/sop-java/src/main/java/sop/DecryptionResult.java b/sop-java/src/main/java/sop/DecryptionResult.java index 3fa32d9c..4f0e1ab2 100644 --- a/sop-java/src/main/java/sop/DecryptionResult.java +++ b/sop-java/src/main/java/sop/DecryptionResult.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.util.ArrayList; diff --git a/sop-java/src/main/java/sop/Ready.java b/sop-java/src/main/java/sop/Ready.java index 104fae77..d234f911 100644 --- a/sop-java/src/main/java/sop/Ready.java +++ b/sop-java/src/main/java/sop/Ready.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.io.ByteArrayOutputStream; diff --git a/sop-java/src/main/java/sop/ReadyWithResult.java b/sop-java/src/main/java/sop/ReadyWithResult.java index 2412b8f3..c932b639 100644 --- a/sop-java/src/main/java/sop/ReadyWithResult.java +++ b/sop-java/src/main/java/sop/ReadyWithResult.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.io.ByteArrayOutputStream; diff --git a/sop-java/src/main/java/sop/SOP.java b/sop-java/src/main/java/sop/SOP.java index 64068650..2c2ccf16 100644 --- a/sop-java/src/main/java/sop/SOP.java +++ b/sop-java/src/main/java/sop/SOP.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import sop.operation.Armor; diff --git a/sop-java/src/main/java/sop/SessionKey.java b/sop-java/src/main/java/sop/SessionKey.java index 86e0edf5..2cb054d0 100644 --- a/sop-java/src/main/java/sop/SessionKey.java +++ b/sop-java/src/main/java/sop/SessionKey.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.util.Arrays; diff --git a/sop-java/src/main/java/sop/Signatures.java b/sop-java/src/main/java/sop/Signatures.java index cacd198e..dd3f000d 100644 --- a/sop-java/src/main/java/sop/Signatures.java +++ b/sop-java/src/main/java/sop/Signatures.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/Verification.java b/sop-java/src/main/java/sop/Verification.java index 5dd60cd9..e8a07555 100644 --- a/sop-java/src/main/java/sop/Verification.java +++ b/sop-java/src/main/java/sop/Verification.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop; import java.util.Date; diff --git a/sop-java/src/main/java/sop/enums/ArmorLabel.java b/sop-java/src/main/java/sop/enums/ArmorLabel.java index f5c1eea2..aeaa6f9b 100644 --- a/sop-java/src/main/java/sop/enums/ArmorLabel.java +++ b/sop-java/src/main/java/sop/enums/ArmorLabel.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.enums; public enum ArmorLabel { diff --git a/sop-java/src/main/java/sop/enums/EncryptAs.java b/sop-java/src/main/java/sop/enums/EncryptAs.java index 590333da..2de6792b 100644 --- a/sop-java/src/main/java/sop/enums/EncryptAs.java +++ b/sop-java/src/main/java/sop/enums/EncryptAs.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.enums; public enum EncryptAs { diff --git a/sop-java/src/main/java/sop/enums/SignAs.java b/sop-java/src/main/java/sop/enums/SignAs.java index 7c4e0249..fcd79f4d 100644 --- a/sop-java/src/main/java/sop/enums/SignAs.java +++ b/sop-java/src/main/java/sop/enums/SignAs.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.enums; public enum SignAs { diff --git a/sop-java/src/main/java/sop/enums/package-info.java b/sop-java/src/main/java/sop/enums/package-info.java index 1406a899..67148d3e 100644 --- a/sop-java/src/main/java/sop/enums/package-info.java +++ b/sop-java/src/main/java/sop/enums/package-info.java @@ -1,18 +1,6 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 /** * Stateless OpenPGP Interface for Java. diff --git a/sop-java/src/main/java/sop/exception/SOPGPException.java b/sop-java/src/main/java/sop/exception/SOPGPException.java index 77091d1c..a8c98c9c 100644 --- a/sop-java/src/main/java/sop/exception/SOPGPException.java +++ b/sop-java/src/main/java/sop/exception/SOPGPException.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.exception; public abstract class SOPGPException extends RuntimeException { diff --git a/sop-java/src/main/java/sop/exception/package-info.java b/sop-java/src/main/java/sop/exception/package-info.java index 0c65aecd..4abc562b 100644 --- a/sop-java/src/main/java/sop/exception/package-info.java +++ b/sop-java/src/main/java/sop/exception/package-info.java @@ -1,18 +1,6 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 /** * Stateless OpenPGP Interface for Java. diff --git a/sop-java/src/main/java/sop/operation/Armor.java b/sop-java/src/main/java/sop/operation/Armor.java index b60bf59b..8aa06614 100644 --- a/sop-java/src/main/java/sop/operation/Armor.java +++ b/sop-java/src/main/java/sop/operation/Armor.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.InputStream; diff --git a/sop-java/src/main/java/sop/operation/Dearmor.java b/sop-java/src/main/java/sop/operation/Dearmor.java index 43a55bc4..91004b7d 100644 --- a/sop-java/src/main/java/sop/operation/Dearmor.java +++ b/sop-java/src/main/java/sop/operation/Dearmor.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/Decrypt.java b/sop-java/src/main/java/sop/operation/Decrypt.java index 1ed1e700..944ab9ce 100644 --- a/sop-java/src/main/java/sop/operation/Decrypt.java +++ b/sop-java/src/main/java/sop/operation/Decrypt.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java index 6ed4b828..c240382b 100644 --- a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java +++ b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/Encrypt.java b/sop-java/src/main/java/sop/operation/Encrypt.java index 2722ed71..b1491fd9 100644 --- a/sop-java/src/main/java/sop/operation/Encrypt.java +++ b/sop-java/src/main/java/sop/operation/Encrypt.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/ExtractCert.java b/sop-java/src/main/java/sop/operation/ExtractCert.java index 4c427701..31b0a5fb 100644 --- a/sop-java/src/main/java/sop/operation/ExtractCert.java +++ b/sop-java/src/main/java/sop/operation/ExtractCert.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/GenerateKey.java b/sop-java/src/main/java/sop/operation/GenerateKey.java index 7447d924..c652e84a 100644 --- a/sop-java/src/main/java/sop/operation/GenerateKey.java +++ b/sop-java/src/main/java/sop/operation/GenerateKey.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java index 53ba5936..707f6f4e 100644 --- a/sop-java/src/main/java/sop/operation/Sign.java +++ b/sop-java/src/main/java/sop/operation/Sign.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/Verify.java b/sop-java/src/main/java/sop/operation/Verify.java index ae515e1e..b59fadfa 100644 --- a/sop-java/src/main/java/sop/operation/Verify.java +++ b/sop-java/src/main/java/sop/operation/Verify.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.InputStream; diff --git a/sop-java/src/main/java/sop/operation/VerifySignatures.java b/sop-java/src/main/java/sop/operation/VerifySignatures.java index 5fc01b31..6d10e4d6 100644 --- a/sop-java/src/main/java/sop/operation/VerifySignatures.java +++ b/sop-java/src/main/java/sop/operation/VerifySignatures.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; import java.io.IOException; diff --git a/sop-java/src/main/java/sop/operation/Version.java b/sop-java/src/main/java/sop/operation/Version.java index db89e121..ab32099a 100644 --- a/sop-java/src/main/java/sop/operation/Version.java +++ b/sop-java/src/main/java/sop/operation/Version.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.operation; public interface Version { diff --git a/sop-java/src/main/java/sop/operation/package-info.java b/sop-java/src/main/java/sop/operation/package-info.java index 6156f3d1..dde4d5bb 100644 --- a/sop-java/src/main/java/sop/operation/package-info.java +++ b/sop-java/src/main/java/sop/operation/package-info.java @@ -1,18 +1,6 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 /** * Stateless OpenPGP Interface for Java. diff --git a/sop-java/src/main/java/sop/package-info.java b/sop-java/src/main/java/sop/package-info.java index 8caf9bb9..5ad4f528 100644 --- a/sop-java/src/main/java/sop/package-info.java +++ b/sop-java/src/main/java/sop/package-info.java @@ -1,18 +1,6 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 /** * Stateless OpenPGP Interface for Java. diff --git a/sop-java/src/main/java/sop/util/HexUtil.java b/sop-java/src/main/java/sop/util/HexUtil.java index c1cb3580..a70346e2 100644 --- a/sop-java/src/main/java/sop/util/HexUtil.java +++ b/sop-java/src/main/java/sop/util/HexUtil.java @@ -1,18 +1,8 @@ -/* - * Copyright 2021 Paul Schaub, @maybeWeCouldStealAVan, @Dave L. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// Copyright 2021 Paul Schaub, @maybeWeCouldStealAVan, @Dave L. +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; public class HexUtil { diff --git a/sop-java/src/main/java/sop/util/Optional.java b/sop-java/src/main/java/sop/util/Optional.java index 7ee61df5..00eb2012 100644 --- a/sop-java/src/main/java/sop/util/Optional.java +++ b/sop-java/src/main/java/sop/util/Optional.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; /** diff --git a/sop-java/src/main/java/sop/util/ProxyOutputStream.java b/sop-java/src/main/java/sop/util/ProxyOutputStream.java index 16fd04f6..516d7c92 100644 --- a/sop-java/src/main/java/sop/util/ProxyOutputStream.java +++ b/sop-java/src/main/java/sop/util/ProxyOutputStream.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import java.io.ByteArrayOutputStream; diff --git a/sop-java/src/main/java/sop/util/UTCUtil.java b/sop-java/src/main/java/sop/util/UTCUtil.java index c847863e..646ef25b 100644 --- a/sop-java/src/main/java/sop/util/UTCUtil.java +++ b/sop-java/src/main/java/sop/util/UTCUtil.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import java.text.ParseException; diff --git a/sop-java/src/main/java/sop/util/package-info.java b/sop-java/src/main/java/sop/util/package-info.java index 11a87c66..3dd9fc19 100644 --- a/sop-java/src/main/java/sop/util/package-info.java +++ b/sop-java/src/main/java/sop/util/package-info.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + /** * Utility classes. */ diff --git a/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java b/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java index 8b7c2d78..8ae1859f 100644 --- a/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java +++ b/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/sop-java/src/test/java/sop/util/HexUtilTest.java b/sop-java/src/test/java/sop/util/HexUtilTest.java index 6d229aad..c8f32ee9 100644 --- a/sop-java/src/test/java/sop/util/HexUtilTest.java +++ b/sop-java/src/test/java/sop/util/HexUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/sop-java/src/test/java/sop/util/OptionalTest.java b/sop-java/src/test/java/sop/util/OptionalTest.java index edcb7aa5..45900b73 100644 --- a/sop-java/src/test/java/sop/util/OptionalTest.java +++ b/sop-java/src/test/java/sop/util/OptionalTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java b/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java index b9c203b3..9d99fd4f 100644 --- a/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java +++ b/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java/src/test/java/sop/util/ReadyTest.java b/sop-java/src/test/java/sop/util/ReadyTest.java index 64a08a2c..07fa0903 100644 --- a/sop-java/src/test/java/sop/util/ReadyTest.java +++ b/sop-java/src/test/java/sop/util/ReadyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java b/sop-java/src/test/java/sop/util/ReadyWithResultTest.java index 51d1eeb7..668fec09 100644 --- a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java +++ b/sop-java/src/test/java/sop/util/ReadyWithResultTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertArrayEquals; diff --git a/sop-java/src/test/java/sop/util/SessionKeyTest.java b/sop-java/src/test/java/sop/util/SessionKeyTest.java index 712e6342..b79fd81b 100644 --- a/sop-java/src/test/java/sop/util/SessionKeyTest.java +++ b/sop-java/src/test/java/sop/util/SessionKeyTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/sop-java/src/test/java/sop/util/UTCUtilTest.java b/sop-java/src/test/java/sop/util/UTCUtilTest.java index 56c77f9f..18de8176 100644 --- a/sop-java/src/test/java/sop/util/UTCUtilTest.java +++ b/sop-java/src/test/java/sop/util/UTCUtilTest.java @@ -1,18 +1,7 @@ -/* - * Copyright 2021 Paul Schaub. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package sop.util; import static org.junit.jupiter.api.Assertions.assertEquals; diff --git a/version.gradle b/version.gradle index 6a2071e6..4a58314e 100644 --- a/version.gradle +++ b/version.gradle @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: CC0-1.0 + allprojects { ext { shortVersion = '0.2.15' From a28033cd65fb750b29a5211aa285515e9084c4d7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Oct 2021 16:04:37 +0200 Subject: [PATCH 0053/1450] Add licenses for external dependencies to LICENSE file --- LICENSE | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/LICENSE b/LICENSE index 261eeb9e..2f44d296 100644 --- a/LICENSE +++ b/LICENSE @@ -175,27 +175,31 @@ END OF TERMS AND CONDITIONS - APPENDIX: How to apply the Apache License to your work. +============================================================================ - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. +# Licenses for included dependencies - Copyright [yyyy] [name of copyright owner] +## [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0) +* info.picocli:picocli +* com.google.code.findbugs:jsr305 - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at +## [Bouncycastle License](https://www.bouncycastle.org/licence.html) +* org.bouncycastle:bcprov-jdk15on +* org.bouncycastle:bcpg-jdk15on - http://www.apache.org/licenses/LICENSE-2.0 +## [Eclipse Public License 1.0](https://www.eclipse.org/legal/epl-1.0/) +* ch.qos.logback:logback-classic - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. +## [Eclipe Public License 2.0](https://www.eclipse.org/legal/epl-2.0/) +* org.junit.jupiter:junit-jupiter-api +* org.junit.jupiter:junit-jupiter-params +* org.junit.jupiter:junit-jupiter-engine + +## [LPGL-2.1](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.de.html) +* ch.qos.logback:logback-classic + +## [MIT License](https://opensource.org/licenses/MIT) +* com.ginsberg:junit5-system-exit +* org.slf4j:slf4j-api +* org.slf4j:slf4j-nop +* org.mockito:mockito-core From bb0873f1e4c3987ba9ca3233b8b25f3fa301bc56 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Oct 2021 16:22:36 +0200 Subject: [PATCH 0054/1450] Add reuse tool to CI --- .travis.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 21079986..b56ac589 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,6 +8,9 @@ jdk: - openjdk8 - openjdk11 +services: + - docker + before_cache: - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock - rm -fr $HOME/.gradle/caches/*/plugin-resolution/ @@ -20,7 +23,11 @@ before_install: - export GRADLE_VERSION=6.2 - wget https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-all.zip - unzip -q gradle-${GRADLE_VERSION}-all.zip - - export PATH="$(pwd)/gradle-${GRADLE_VERSION}/bin:$PATH" + - rm gradle-${GRADLE_VERSION}-all.zip + - sudo mv gradle-${GRADLE_VERSION} /usr/local/bin/ + - export PATH="/usr/local/bin/gradle-${GRADLE_VERSION}/bin:$PATH" + - docker pull fsfe/reuse:latest + - docker run -v ${TRAVIS_BUILD_DIR}:/data fsfe/reuse:latest lint install: gradle assemble --stacktrace From a4d1a95c59678784b0f414b8d858c14dc5e12889 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Oct 2021 14:15:40 +0200 Subject: [PATCH 0055/1450] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6f54c4cc..7681893b 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ These rigorous checks make PGPainless stand out from other Java-based OpenPGP li PGPainless currently [*scores second place* on Sequoia-PGPs Interoperability Test-Suite](https://tests.sequoia-pgp.org). > At FlowCrypt we are using PGPainless in our Kotlin code bases on Android and on server side. -> The ergonomy of legacy PGP tooling on Java is not very good, and PGPainless improves it greatly. +> The ergonomics of legacy PGP tooling on Java is not very good, and PGPainless improves it greatly. > We were so happy with our initial tests and with Paul - the maintainer, that we decided to sponsor further development of this library. > > -Tom @ FlowCrypt.com From 0c122c1643fbb36ad11da3d678a1b6c7c76aaaee Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 7 Oct 2021 16:31:46 +0200 Subject: [PATCH 0056/1450] Add REUSE badge to README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7681893b..daf32d6d 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0 [![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/) [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/) [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A) +[![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless) ## About PGPainless aims to make using OpenPGP in Java projects as simple as possible. From 33f516efe8840841d2f8cc16f17a86532c7b43b5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 8 Oct 2021 14:03:12 +0200 Subject: [PATCH 0057/1450] Fix detection of signed messages when verification keys are missing Fixes #187, supersedes #189 --- .../DecryptionStreamFactory.java | 23 +++++++-- ...eVerificationWithoutCertIsStillSigned.java | 47 +++++++++++++++++++ 2 files changed, 67 insertions(+), 3 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index fb6012fd..6e9627de 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -9,8 +9,10 @@ import java.io.EOFException; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; +import java.util.HashMap; import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Set; import javax.annotation.Nonnull; @@ -45,6 +47,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.MissingDecryptionMethodException; import org.pgpainless.exception.MissingLiteralDataException; +import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.exception.UnacceptableAlgorithmException; import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.implementation.ImplementationFactory; @@ -71,6 +74,7 @@ public final class DecryptionStreamFactory { private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); private final List onePassSignatureChecks = new ArrayList<>(); private final List detachedSignatureChecks = new ArrayList<>(); + private final Map onePassSignaturesWithMissingCert = new HashMap<>(); private static final PGPContentVerifierBuilderProvider verifierBuilderProvider = ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(); @@ -96,6 +100,8 @@ public final class DecryptionStreamFactory { long issuerKeyId = SignatureUtils.determineIssuerKeyId(signature); PGPPublicKeyRing signingKeyRing = findSignatureVerificationKeyRing(issuerKeyId); if (signingKeyRing == null) { + SignatureValidationException ex = new SignatureValidationException("Missing verification certificate " + Long.toHexString(issuerKeyId)); + resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, null), ex); continue; } PGPPublicKey signingKey = signingKeyRing.getPublicKey(issuerKeyId); @@ -105,7 +111,8 @@ public final class DecryptionStreamFactory { DetachedSignatureCheck detachedSignature = new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier); detachedSignatureChecks.add(detachedSignature); } catch (PGPException e) { - LOGGER.warn("Cannot verify detached signature made by {}. Reason: {}", signingKeyIdentifier, e.getMessage(), e); + SignatureValidationException ex = new SignatureValidationException("Cannot verify detached signature made by " + signingKeyIdentifier + ".", e); + resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, signingKeyIdentifier), ex); } } } @@ -223,7 +230,7 @@ public final class DecryptionStreamFactory { .setModificationDate(pgpLiteralData.getModificationTime()) .setFileEncoding(StreamEncoding.fromCode(pgpLiteralData.getFormat())); - if (onePassSignatureChecks.isEmpty()) { + if (onePassSignatureChecks.isEmpty() && onePassSignaturesWithMissingCert.isEmpty()) { LOGGER.debug("No OnePassSignatures found -> We are done"); return literalDataInputStream; } @@ -237,6 +244,16 @@ public final class DecryptionStreamFactory { onePassSignatureChecks.get(i).setSignature(signatureList.get(reversedIndex)); } + for (PGPSignature signature : signatureList) { + if (onePassSignaturesWithMissingCert.containsKey(signature.getKeyID())) { + OnePassSignatureCheck check = onePassSignaturesWithMissingCert.remove(signature.getKeyID()); + check.setSignature(signature); + + resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null), + new SignatureValidationException("Missing verification certificate " + Long.toHexString(signature.getKeyID()))); + } + } + return new SignatureInputStream.VerifySignatures(literalDataInputStream, onePassSignatureChecks, detachedSignatureChecks, options, resultBuilder) { }; @@ -488,7 +505,7 @@ public final class DecryptionStreamFactory { // Find public key PGPPublicKeyRing verificationKeyRing = findSignatureVerificationKeyRing(keyId); if (verificationKeyRing == null) { - LOGGER.debug("Missing verification key from {}", Long.toHexString(keyId)); + onePassSignaturesWithMissingCert.put(keyId, new OnePassSignatureCheck(signature, null)); return; } PGPPublicKey verificationKey = verificationKeyRing.getPublicKey(keyId); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java new file mode 100644 index 00000000..0e979ead --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java @@ -0,0 +1,47 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; + +public class SignedMessageVerificationWithoutCertIsStillSigned { + + private static final String message = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "owGbwMvMwCGmFN+gfIiXM5zxtG4SQ2Iw74rgzPS81BSFktSKEoW0/CKFlNS0xNKc\n" + + "Eoe0nPzy5KLKghK9ktTiEq6OXhYGMQ4GUzFFFtvXL7+VX9252+LpIheYcaxMQLMO\n" + + "iMtg183AxSkAUynizshwbBMnx4e4tn6NgJYtG/od3HL1y26GvpgqUtr2o37HpC+v\n" + + "GRmudmly/g+Osdt3t6Rb+8t8i8Y94ZJ3P/zNlk015FihXM0JAA==\n" + + "=A8uF\n" + + "-----END PGP MESSAGE-----\n"; + + @Test + public void verifyMissingVerificationCertOptionStillResultsInMessageIsSigned() throws IOException, PGPException { + ConsumerOptions withoutVerificationCert = new ConsumerOptions(); + DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) + .withOptions(withoutVerificationCert); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(verificationStream, out); + verificationStream.close(); + + OpenPgpMetadata metadata = verificationStream.getResult(); + + assertTrue(metadata.isSigned(), "Message is signed, even though we miss the verification cert."); + assertFalse(metadata.isVerified(), "Message is not verified because we lack the verification cert."); + } +} From bf80e9262ffc42a63dc21bda0ade2ec2c0ea39e2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 8 Oct 2021 14:14:02 +0200 Subject: [PATCH 0058/1450] PGPainless 0.2.15 --- CHANGELOG.md | 6 +++++- version.gradle | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 907d9b26..854b888f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,10 +5,14 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog -## 0.2.15-SNAPSHOT +## 0.2.15 - Add `ConsumerOptions.setIgnoreMDCErrors()` which can be used to consume broken messages. Not recommended! - Add `MessageInspector.isSignedOnly()` which can be used to identify messages created via `gpg --sign --armor` - Workaround for BCs `PGPUtil.getDecoderStream` mistaking plaintext for base64 encoded data +- Cleanup of unused internal methods +- SOP: Fix `ArmorImpl` writing data to provided output stream instead of `System.out` +- Fix hen and egg problem with streams in signature detaching implementation of SOP +- Make code [REUSE](https://reuse.software) compliant ## 0.2.14 - Export dependency on Bouncycastle's `bcprov-jdk15on` diff --git a/version.gradle b/version.gradle index 4a58314e..590aaac7 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '0.2.15' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 2bf8e5ecd7ce10ec8dab1da4e7881c8a0d3bd6f4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 8 Oct 2021 14:20:44 +0200 Subject: [PATCH 0059/1450] PGPainless-0.2.16-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 590aaac7..86f4f1b0 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.15' - isSnapshot = false + shortVersion = '0.2.16' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 32f3f0246e5e43ecb83de9a041365861e07b1923 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 8 Oct 2021 14:52:37 +0200 Subject: [PATCH 0060/1450] Declare gradle license via .reuse/dep5 --- .reuse/dep5 | 10 ++ assets/repository-open-graph.png.license | 3 - gradle/wrapper/gradle-wrapper.jar.license | 3 - gradle/wrapper/gradle-wrapper.properties | 4 - gradlew | 4 - gradlew.bat | 208 +++++++++++----------- 6 files changed, 113 insertions(+), 119 deletions(-) delete mode 100644 assets/repository-open-graph.png.license delete mode 100644 gradle/wrapper/gradle-wrapper.jar.license diff --git a/.reuse/dep5 b/.reuse/dep5 index ae3e2f91..99b0abe2 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -9,6 +9,16 @@ Source: https://pgpainless.org # Copyright: $YEAR $NAME <$CONTACT> # License: ... +# Gradle build tool +Files: gradle* +Copyright: 2015 the original author or authors. +License: Apache-2.0 + +# PGPainless Logo +Files: assets/repository-open-graph.png +Copyright: 2021 Paul Schaub +License: CC-BY-3.0 + Files: assets/test_vectors/* Copyright: 2018 Paul Schaub License: CC0-1.0 diff --git a/assets/repository-open-graph.png.license b/assets/repository-open-graph.png.license deleted file mode 100644 index f634f9b3..00000000 --- a/assets/repository-open-graph.png.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: 2021 Paul Schaub - -SPDX-License-Identifier: CC-BY-3.0 \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.jar.license b/gradle/wrapper/gradle-wrapper.jar.license deleted file mode 100644 index 714a6488..00000000 --- a/gradle/wrapper/gradle-wrapper.jar.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: 2021 The original Gradle authors - -SPDX-License-Identifier: Apache-2.0 \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index f1f3afe8..a488f210 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,7 +1,3 @@ -# SPDX-FileCopyrightText: 2021 The original Gradle authors -# -# SPDX-License-Identifier: Apache-2.0 - distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists distributionUrl=https\://services.gradle.org/distributions/gradle-6.4-rc-1-bin.zip diff --git a/gradlew b/gradlew index e1641b8c..15ec5ee7 100755 --- a/gradlew +++ b/gradlew @@ -1,9 +1,5 @@ #!/usr/bin/env sh -# Copyright 2015 the original author or authors. -# -# SPDX-License-Identifier: Apache-2.0 - ############################################################################## ## ## Gradle start up script for UN*X diff --git a/gradlew.bat b/gradlew.bat index 2c20fbad..62bd9b9c 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -1,105 +1,103 @@ -REM SPDX-License-Identifier: Apache-2.0 - -@rem -@rem Copyright 2015 the original author or authors. -@rem -@rem Licensed under the Apache License, Version 2.0 (the "License"); -@rem you may not use this file except in compliance with the License. -@rem You may obtain a copy of the License at -@rem -@rem https://www.apache.org/licenses/LICENSE-2.0 -@rem -@rem Unless required by applicable law or agreed to in writing, software -@rem distributed under the License is distributed on an "AS IS" BASIS, -@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -@rem See the License for the specific language governing permissions and -@rem limitations under the License. -@rem - -@if "%DEBUG%" == "" @echo off -@rem ########################################################################## -@rem -@rem Gradle startup script for Windows -@rem -@rem ########################################################################## - -@rem Set local scope for the variables with windows NT shell -if "%OS%"=="Windows_NT" setlocal - -set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. -set APP_BASE_NAME=%~n0 -set APP_HOME=%DIRNAME% - -@rem Resolve any "." and ".." in APP_HOME to make it shorter. -for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi - -@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" - -@rem Find java.exe -if defined JAVA_HOME goto findJavaFromJavaHome - -set JAVA_EXE=java.exe -%JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init - -echo. -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. - -goto fail - -:findJavaFromJavaHome -set JAVA_HOME=%JAVA_HOME:"=% -set JAVA_EXE=%JAVA_HOME%/bin/java.exe - -if exist "%JAVA_EXE%" goto init - -echo. -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. - -goto fail - -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - -:execute -@rem Setup the command line - -set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar - -@rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% - -:end -@rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd - -:fail -rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of -rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 - -:mainEnd -if "%OS%"=="Windows_NT" endlocal - -:omega +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega From 15736586dd901fabecb99288e9cdf23f68bf40a1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 10 Oct 2021 16:34:17 +0200 Subject: [PATCH 0061/1450] SOP: Add convenience methods to deal with byte arrays --- .../java/org/pgpainless/sop/ArmorTest.java | 5 +- .../DetachInbandSignatureAndMessageTest.java | 78 +++++++++++++++ .../sop/EncryptDecryptRoundTripTest.java | 96 ++++++++++--------- .../org/pgpainless/sop/ExtractCertTest.java | 5 +- .../java/org/pgpainless/sop/SignTest.java | 53 +++++----- .../cli/picocli/commands/ArmorCmdTest.java | 7 +- .../cli/picocli/commands/DearmorCmdTest.java | 7 +- .../cli/picocli/commands/DecryptCmdTest.java | 25 ++--- .../cli/picocli/commands/EncryptCmdTest.java | 21 ++-- .../picocli/commands/ExtractCertCmdTest.java | 7 +- .../sop/cli/picocli/commands/SignCmdTest.java | 11 ++- .../cli/picocli/commands/VerifyCmdTest.java | 17 ++-- .../src/main/java/sop/ByteArrayAndResult.java | 26 +++++ sop-java/src/main/java/sop/Ready.java | 12 +++ .../src/main/java/sop/ReadyWithResult.java | 13 ++- .../src/main/java/sop/operation/Armor.java | 11 +++ .../src/main/java/sop/operation/Dearmor.java | 11 +++ .../src/main/java/sop/operation/Decrypt.java | 35 +++++++ .../DetachInbandSignatureAndMessage.java | 22 +++++ .../src/main/java/sop/operation/Encrypt.java | 37 +++++++ .../main/java/sop/operation/ExtractCert.java | 13 ++- .../src/main/java/sop/operation/Sign.java | 21 ++++ .../src/main/java/sop/operation/Verify.java | 21 ++++ .../java/sop/operation/VerifySignatures.java | 23 +++++ .../java/sop/util/ReadyWithResultTest.java | 2 +- 25 files changed, 451 insertions(+), 128 deletions(-) create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java index 24cb5908..ad6da440 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java @@ -7,7 +7,6 @@ package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.security.InvalidAlgorithmParameterException; @@ -33,13 +32,13 @@ public class ArmorTest { byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data).getBytes(StandardCharsets.UTF_8); byte[] armored = new SOPImpl() .armor() - .data(new ByteArrayInputStream(data)) + .data(data) .getBytes(); assertArrayEquals(knownGoodArmor, armored); byte[] dearmored = new SOPImpl().dearmor() - .data(new ByteArrayInputStream(knownGoodArmor)) + .data(knownGoodArmor) .getBytes(); assertArrayEquals(data, dearmored); diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java new file mode 100644 index 00000000..06c11226 --- /dev/null +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java @@ -0,0 +1,78 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.sop; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.util.List; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import sop.ByteArrayAndResult; +import sop.SOP; +import sop.Signatures; +import sop.Verification; + +public class DetachInbandSignatureAndMessageTest { + + @Test + public void testDetachingOfInbandSignaturesAndMessage() throws IOException, PGPException { + SOP sop = new SOPImpl(); + byte[] key = sop.generateKey() + .userId("Alice ") + .generate() + .getBytes(); + byte[] cert = sop.extractCert().key(key).getBytes(); + PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(key); + + // Create a cleartext signed message + byte[] data = "Hello, World\n".getBytes(StandardCharsets.UTF_8); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + EncryptionStream signingStream = PGPainless.encryptAndOrSign() + .onOutputStream(out) + .withOptions( + ProducerOptions.sign( + SigningOptions.get() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), + secretKey, DocumentSignatureType.BINARY_DOCUMENT) + ).setCleartextSigned()); + + Streams.pipeAll(new ByteArrayInputStream(data), signingStream); + signingStream.close(); + + // actually detach the message + ByteArrayAndResult detachedMsg = sop.detachInbandSignatureAndMessage() + .message(out.toByteArray()) + .toByteArrayAndResult(); + + byte[] message = detachedMsg.getBytes(); + byte[] signature = detachedMsg.getResult().getBytes(); + + List verificationList = sop.verify() + .cert(cert) + .signatures(signature) + .data(message); + + assertFalse(verificationList.isEmpty()); + assertEquals(1, verificationList.size()); + assertEquals(new OpenPgpV4Fingerprint(secretKey).toString(), verificationList.get(0).getSigningCertFingerprint()); + assertArrayEquals(data, message); + } +} diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java index 9ef84724..f6f6c235 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java @@ -8,10 +8,11 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; +import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import sop.ByteArrayAndResult; @@ -36,34 +37,35 @@ public class EncryptDecryptRoundTripTest { .generate() .getBytes(); aliceCert = sop.extractCert() - .key(new ByteArrayInputStream(aliceKey)) + .key(aliceKey) .getBytes(); bobKey = sop.generateKey() .userId("Bob ") .generate() .getBytes(); bobCert = sop.extractCert() - .key(new ByteArrayInputStream(bobKey)) + .key(bobKey) .getBytes(); } @Test public void basicRoundTripWithKey() throws IOException, SOPGPException.CertCannotSign { byte[] encrypted = sop.encrypt() - .signWith(new ByteArrayInputStream(aliceKey)) - .withCert(new ByteArrayInputStream(aliceCert)) - .withCert(new ByteArrayInputStream(bobCert)) - .plaintext(new ByteArrayInputStream(message)) + .signWith(aliceKey) + .withCert(aliceCert) + .withCert(bobCert) + .plaintext(message) .getBytes(); ByteArrayAndResult bytesAndResult = sop.decrypt() - .withKey(new ByteArrayInputStream(bobKey)) - .verifyWithCert(new ByteArrayInputStream(aliceCert)) - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes(); + .withKey(bobKey) + .verifyWithCert(aliceCert) + .ciphertext(encrypted) + .toByteArrayAndResult(); - byte[] decrypted = bytesAndResult.getBytes(); - assertArrayEquals(message, decrypted); + ByteArrayOutputStream decrypted = new ByteArrayOutputStream(); + Streams.pipeAll(bytesAndResult.getInputStream(), decrypted); + assertArrayEquals(message, decrypted.toByteArray()); DecryptionResult result = bytesAndResult.getResult(); assertEquals(1, result.getVerifications().size()); @@ -78,20 +80,20 @@ public class EncryptDecryptRoundTripTest { .getBytes(); byte[] aliceCertNoArmor = sop.extractCert() .noArmor() - .key(new ByteArrayInputStream(aliceKeyNoArmor)) + .key(aliceKeyNoArmor) .getBytes(); byte[] encrypted = sop.encrypt() - .signWith(new ByteArrayInputStream(aliceKeyNoArmor)) - .withCert(new ByteArrayInputStream(aliceCertNoArmor)) + .signWith(aliceKeyNoArmor) + .withCert(aliceCertNoArmor) .noArmor() - .plaintext(new ByteArrayInputStream(message)) + .plaintext(message) .getBytes(); ByteArrayAndResult bytesAndResult = sop.decrypt() - .withKey(new ByteArrayInputStream(aliceKeyNoArmor)) - .verifyWithCert(new ByteArrayInputStream(aliceCertNoArmor)) - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes(); + .withKey(aliceKeyNoArmor) + .verifyWithCert(aliceCertNoArmor) + .ciphertext(encrypted) + .toByteArrayAndResult(); byte[] decrypted = bytesAndResult.getBytes(); assertArrayEquals(message, decrypted); @@ -104,13 +106,13 @@ public class EncryptDecryptRoundTripTest { public void basicRoundTripWithPassword() throws IOException { byte[] encrypted = sop.encrypt() .withPassword("passphr4s3") - .plaintext(new ByteArrayInputStream(message)) + .plaintext(message) .getBytes(); ByteArrayAndResult bytesAndResult = sop.decrypt() .withPassword("passphr4s3") - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes(); + .ciphertext(encrypted) + .toByteArrayAndResult(); byte[] decrypted = bytesAndResult.getBytes(); assertArrayEquals(message, decrypted); @@ -121,15 +123,15 @@ public class EncryptDecryptRoundTripTest { @Test public void roundTripWithDecryptionPasswordContainingWhitespace() throws IOException { - byte[] encrypted = sop.encrypt() - .withPassword("passphr4s3") - .plaintext(new ByteArrayInputStream(message)) - .getBytes(); - ByteArrayAndResult bytesAndResult = sop.decrypt() .withPassword("passphr4s3 ") // whitespace is removed - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes(); + .ciphertext( + sop.encrypt() + .withPassword("passphr4s3") + .plaintext(message) + .getInputStream() + ) + .toByteArrayAndResult(); byte[] decrypted = bytesAndResult.getBytes(); assertArrayEquals(message, decrypted); @@ -142,13 +144,13 @@ public class EncryptDecryptRoundTripTest { public void roundTripWithEncryptionPasswordContainingWhitespace() throws IOException { byte[] encrypted = sop.encrypt() .withPassword("passphr4s3 ") - .plaintext(new ByteArrayInputStream(message)) + .plaintext(message) .getBytes(); ByteArrayAndResult bytesAndResult = sop.decrypt() .withPassword("passphr4s3 ") - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes(); + .ciphertext(encrypted) + .toByteArrayAndResult(); byte[] decrypted = bytesAndResult.getBytes(); assertArrayEquals(message, decrypted); @@ -160,29 +162,29 @@ public class EncryptDecryptRoundTripTest { @Test public void encrypt_decryptAndVerifyYieldsNoSignatureException() throws IOException { byte[] encrypted = sop.encrypt() - .withCert(new ByteArrayInputStream(bobCert)) - .plaintext(new ByteArrayInputStream(message)) + .withCert(bobCert) + .plaintext(message) .getBytes(); assertThrows(SOPGPException.NoSignature.class, () -> sop .decrypt() - .withKey(new ByteArrayInputStream(bobKey)) - .verifyWithCert(new ByteArrayInputStream(aliceCert)) - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes()); + .withKey(bobKey) + .verifyWithCert(aliceCert) + .ciphertext(encrypted) + .toByteArrayAndResult()); } @Test public void encrypt_decryptWithoutKeyOrPassphraseYieldsMissingArgException() throws IOException { byte[] encrypted = sop.encrypt() - .withCert(new ByteArrayInputStream(bobCert)) - .plaintext(new ByteArrayInputStream(message)) + .withCert(bobCert) + .plaintext(message) .getBytes(); assertThrows(SOPGPException.MissingArg.class, () -> sop .decrypt() - .ciphertext(new ByteArrayInputStream(encrypted)) - .toBytes()); + .ciphertext(encrypted) + .toByteArrayAndResult()); } @Test @@ -192,7 +194,7 @@ public class EncryptDecryptRoundTripTest { System.arraycopy(bobKey, 0, keys, aliceKey.length, bobKey.length); assertThrows(SOPGPException.BadData.class, () -> sop.decrypt() - .withKey(new ByteArrayInputStream(keys))); + .withKey(keys)); } @Test @@ -225,12 +227,12 @@ public class EncryptDecryptRoundTripTest { "-----END PGP PRIVATE KEY BLOCK-----"; assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.decrypt() - .withKey(new ByteArrayInputStream(passwordProtectedKey.getBytes(StandardCharsets.UTF_8)))); + .withKey(passwordProtectedKey.getBytes(StandardCharsets.UTF_8))); } @Test public void verifyWith_noDataThrowsBadData() { assertThrows(SOPGPException.BadData.class, () -> sop.decrypt() - .verifyWithCert(new ByteArrayInputStream(new byte[0]))); + .verifyWithCert(new byte[0])); } } diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java index 41546fe7..84a1f471 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java @@ -7,7 +7,6 @@ package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; @@ -76,13 +75,13 @@ public class ExtractCertTest { assertArrayEquals( cert.getBytes(StandardCharsets.UTF_8), sop.extractCert() - .key(new ByteArrayInputStream(key.getBytes(StandardCharsets.UTF_8))) + .key(key.getBytes(StandardCharsets.UTF_8)) .getBytes()); } @Test public void emptyKeyDataYieldsBadData() { assertThrows(SOPGPException.BadData.class, () -> sop.extractCert() - .key(new ByteArrayInputStream(new byte[0]))); + .key(new byte[0])); } } diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java index cf9f3ddd..3167618c 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java @@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.security.InvalidAlgorithmParameterException; @@ -47,7 +46,7 @@ public class SignTest { .generate() .getBytes(); cert = sop.extractCert() - .key(new ByteArrayInputStream(key)) + .key(key) .getBytes(); data = "Hello, World\n".getBytes(StandardCharsets.UTF_8); } @@ -55,18 +54,18 @@ public class SignTest { @Test public void signArmored() throws IOException { byte[] signature = sop.sign() - .key(new ByteArrayInputStream(key)) - .data(new ByteArrayInputStream(data)) + .key(key) + .data(data) .getBytes(); assertTrue(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----")); List verifications = sop.verify() - .cert(new ByteArrayInputStream(cert)) + .cert(cert) .notAfter(new Date(new Date().getTime() + 10000)) .notBefore(new Date(new Date().getTime() - 10000)) - .signatures(new ByteArrayInputStream(signature)) - .data(new ByteArrayInputStream(data)); + .signatures(signature) + .data(data); assertEquals(1, verifications.size()); } @@ -74,19 +73,19 @@ public class SignTest { @Test public void signUnarmored() throws IOException { byte[] signature = sop.sign() - .key(new ByteArrayInputStream(key)) + .key(key) .noArmor() - .data(new ByteArrayInputStream(data)) + .data(data) .getBytes(); assertFalse(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----")); List verifications = sop.verify() - .cert(new ByteArrayInputStream(cert)) + .cert(cert) .notAfter(new Date(new Date().getTime() + 10000)) .notBefore(new Date(new Date().getTime() - 10000)) - .signatures(new ByteArrayInputStream(signature)) - .data(new ByteArrayInputStream(data)); + .signatures(signature) + .data(data); assertEquals(1, verifications.size()); } @@ -94,40 +93,40 @@ public class SignTest { @Test public void rejectSignatureAsTooOld() throws IOException { byte[] signature = sop.sign() - .key(new ByteArrayInputStream(key)) - .data(new ByteArrayInputStream(data)) + .key(key) + .data(data) .getBytes(); assertThrows(SOPGPException.NoSignature.class, () -> sop.verify() - .cert(new ByteArrayInputStream(cert)) + .cert(cert) .notAfter(new Date(new Date().getTime() - 10000)) // Sig is older - .signatures(new ByteArrayInputStream(signature)) - .data(new ByteArrayInputStream(data))); + .signatures(signature) + .data(data)); } @Test public void rejectSignatureAsTooYoung() throws IOException { byte[] signature = sop.sign() - .key(new ByteArrayInputStream(key)) - .data(new ByteArrayInputStream(data)) + .key(key) + .data(data) .getBytes(); assertThrows(SOPGPException.NoSignature.class, () -> sop.verify() - .cert(new ByteArrayInputStream(cert)) + .cert(cert) .notBefore(new Date(new Date().getTime() + 10000)) // Sig is younger - .signatures(new ByteArrayInputStream(signature)) - .data(new ByteArrayInputStream(data))); + .signatures(signature) + .data(data)); } @Test public void mode() throws IOException, PGPException { byte[] signature = sop.sign() .mode(SignAs.Text) - .key(new ByteArrayInputStream(key)) - .data(new ByteArrayInputStream(data)) + .key(key) + .data(data) .getBytes(); - PGPSignature sig = SignatureUtils.readSignatures(new ByteArrayInputStream(signature)).get(0); + PGPSignature sig = SignatureUtils.readSignatures(signature).get(0); assertEquals(SignatureType.CANONICAL_TEXT_DOCUMENT.getCode(), sig.getSignatureType()); } @@ -138,7 +137,7 @@ public class SignTest { PGPSecretKeyRingCollection collection = new PGPSecretKeyRingCollection(Arrays.asList(key1, key2)); byte[] keys = collection.getEncoded(); - assertThrows(SOPGPException.BadData.class, () -> sop.sign().key(new ByteArrayInputStream(keys))); + assertThrows(SOPGPException.BadData.class, () -> sop.sign().key(keys)); } @Test @@ -147,7 +146,7 @@ public class SignTest { .modernKeyRing("Alice", "passphrase"); byte[] bytes = key.getEncoded(); - assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.sign().key(new ByteArrayInputStream(bytes))); + assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.sign().key(bytes)); } } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java index 62adf056..01aaa9a5 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java @@ -12,6 +12,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; @@ -35,7 +36,7 @@ public class ArmorCmdTest { armor = mock(Armor.class); sop = mock(SOP.class); when(sop.armor()).thenReturn(armor); - when(armor.data(any())).thenReturn(nopReady()); + when(armor.data((InputStream) any())).thenReturn(nopReady()); SopCLI.setSopInstance(sop); } @@ -57,7 +58,7 @@ public class ArmorCmdTest { @Test public void assertDataIsAlwaysCalled() throws SOPGPException.BadData { SopCLI.main(new String[] {"armor"}); - verify(armor, times(1)).data(any()); + verify(armor, times(1)).data((InputStream) any()); } @Test @@ -77,7 +78,7 @@ public class ArmorCmdTest { @Test @ExpectSystemExitWithStatus(41) public void ifBadDataExit41() throws SOPGPException.BadData { - when(armor.data(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(armor.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"armor"}); } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java index fc1f713b..aaad201b 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java @@ -11,6 +11,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; @@ -31,7 +32,7 @@ public class DearmorCmdTest { public void mockComponents() throws IOException, SOPGPException.BadData { sop = mock(SOP.class); dearmor = mock(Dearmor.class); - when(dearmor.data(any())).thenReturn(nopReady()); + when(dearmor.data((InputStream) any())).thenReturn(nopReady()); when(sop.dearmor()).thenReturn(dearmor); SopCLI.setSopInstance(sop); @@ -48,13 +49,13 @@ public class DearmorCmdTest { @Test public void assertDataIsCalled() throws IOException, SOPGPException.BadData { SopCLI.main(new String[] {"dearmor"}); - verify(dearmor, times(1)).data(any()); + verify(dearmor, times(1)).data((InputStream) any()); } @Test @ExpectSystemExitWithStatus(41) public void assertBadDataCausesExit41() throws IOException, SOPGPException.BadData { - when(dearmor.data(any())).thenThrow(new SOPGPException.BadData(new IOException("invalid armor"))); + when(dearmor.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException("invalid armor"))); SopCLI.main(new String[] {"dearmor"}); } } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java index 89ba709a..507b6723 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java @@ -18,6 +18,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.FileReader; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import java.nio.charset.StandardCharsets; import java.nio.file.Files; @@ -55,8 +56,8 @@ public class DecryptCmdTest { when(decrypt.verifyNotBefore(any())).thenReturn(decrypt); when(decrypt.withPassword(any())).thenReturn(decrypt); when(decrypt.withSessionKey(any())).thenReturn(decrypt); - when(decrypt.withKey(any())).thenReturn(decrypt); - when(decrypt.ciphertext(any())).thenReturn(nopReadyWithResult()); + when(decrypt.withKey((InputStream) any())).thenReturn(decrypt); + when(decrypt.ciphertext((InputStream) any())).thenReturn(nopReadyWithResult()); when(sop.decrypt()).thenReturn(decrypt); @@ -75,14 +76,14 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(19) public void missingArgumentsExceptionCausesExit19() throws SOPGPException.MissingArg, SOPGPException.BadData, SOPGPException.CannotDecrypt { - when(decrypt.ciphertext(any())).thenThrow(new SOPGPException.MissingArg("Missing arguments.")); + when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.MissingArg("Missing arguments.")); SopCLI.main(new String[] {"decrypt"}); } @Test @ExpectSystemExitWithStatus(41) public void badDataExceptionCausesExit41() throws SOPGPException.MissingArg, SOPGPException.BadData, SOPGPException.CannotDecrypt { - when(decrypt.ciphertext(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"decrypt"}); } @@ -187,7 +188,7 @@ public class DecryptCmdTest { @Test public void assertSessionKeyIsProperlyWrittenToSessionKeyFile() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData, IOException { byte[] key = "C7CBDAF42537776F12509B5168793C26B93294E5ABDFA73224FB0177123E9137".getBytes(StandardCharsets.UTF_8); - when(decrypt.ciphertext(any())).thenReturn(new ReadyWithResult() { + when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() { @Override public DecryptionResult writeTo(OutputStream outputStream) { return new DecryptionResult( @@ -220,14 +221,14 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(29) public void assertUnableToDecryptExceptionResultsInExit29() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData { - when(decrypt.ciphertext(any())).thenThrow(new SOPGPException.CannotDecrypt()); + when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.CannotDecrypt()); SopCLI.main(new String[] {"decrypt"}); } @Test @ExpectSystemExitWithStatus(3) public void assertNoSignatureExceptionCausesExit3() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData { - when(decrypt.ciphertext(any())).thenReturn(new ReadyWithResult() { + when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() { @Override public DecryptionResult writeTo(OutputStream outputStream) throws SOPGPException.NoSignature { throw new SOPGPException.NoSignature(); @@ -239,7 +240,7 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(41) public void badDataInVerifyWithCausesExit41() throws IOException, SOPGPException.BadData { - when(decrypt.verifyWithCert(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(decrypt.verifyWithCert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); File tempFile = File.createTempFile("verify-with-", ".tmp"); SopCLI.main(new String[] {"decrypt", "--verify-with", tempFile.getAbsolutePath()}); } @@ -268,7 +269,7 @@ public class DecryptCmdTest { } verifyOut.deleteOnExit(); Date date = UTCUtil.parseUTCDate("2021-07-11T20:58:23Z"); - when(decrypt.ciphertext(any())).thenReturn(new ReadyWithResult() { + when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() { @Override public DecryptionResult writeTo(OutputStream outputStream) { return new DecryptionResult(null, Collections.singletonList( @@ -308,7 +309,7 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(41) public void assertBadDataInKeysResultsInExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData, IOException { - when(decrypt.withKey(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); File tempKeyFile = File.createTempFile("key-", ".tmp"); SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()}); } @@ -322,7 +323,7 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(67) public void assertProtectedKeyCausesExit67() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData { - when(decrypt.withKey(any())).thenThrow(new SOPGPException.KeyIsProtected()); + when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected()); File tempKeyFile = File.createTempFile("key-", ".tmp"); SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()}); } @@ -330,7 +331,7 @@ public class DecryptCmdTest { @Test @ExpectSystemExitWithStatus(13) public void assertUnsupportedAlgorithmExceptionCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData, IOException { - when(decrypt.withKey(any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new IOException())); + when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new IOException())); File tempKeyFile = File.createTempFile("key-", ".tmp"); SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()}); } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java index 0300305d..cfa8a3f6 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java @@ -13,6 +13,7 @@ import static org.mockito.Mockito.when; import java.io.File; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; @@ -32,7 +33,7 @@ public class EncryptCmdTest { @BeforeEach public void mockComponents() throws IOException { encrypt = mock(Encrypt.class); - when(encrypt.plaintext(any())).thenReturn(new Ready() { + when(encrypt.plaintext((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) { @@ -95,7 +96,7 @@ public class EncryptCmdTest { File keyFile2 = File.createTempFile("sign-with-2-", ".asc"); SopCLI.main(new String[] {"encrypt", "--with-password", "password", "--sign-with", keyFile1.getAbsolutePath(), "--sign-with", keyFile2.getAbsolutePath()}); - verify(encrypt, times(2)).signWith(any()); + verify(encrypt, times(2)).signWith((InputStream) any()); } @Test @@ -107,7 +108,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(67) public void signWith_keyIsProtectedCausesExit67() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException { - when(encrypt.signWith(any())).thenThrow(new SOPGPException.KeyIsProtected()); + when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected()); File keyFile = File.createTempFile("sign-with", ".asc"); SopCLI.main(new String[] {"encrypt", "--sign-with", keyFile.getAbsolutePath(), "--with-password", "starship"}); } @@ -115,7 +116,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(13) public void signWith_unsupportedAsymmetricAlgoCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException { - when(encrypt.signWith(any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception())); + when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception())); File keyFile = File.createTempFile("sign-with", ".asc"); SopCLI.main(new String[] {"encrypt", "--with-password", "123456", "--sign-with", keyFile.getAbsolutePath()}); } @@ -123,7 +124,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(1) public void signWith_certCannotSignCausesExit1() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData { - when(encrypt.signWith(any())).thenThrow(new SOPGPException.CertCannotSign()); + when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.CertCannotSign()); File keyFile = File.createTempFile("sign-with", ".asc"); SopCLI.main(new String[] {"encrypt", "--with-password", "dragon", "--sign-with", keyFile.getAbsolutePath()}); } @@ -131,7 +132,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(41) public void signWith_badDataCausesExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException { - when(encrypt.signWith(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); File keyFile = File.createTempFile("sign-with", ".asc"); SopCLI.main(new String[] {"encrypt", "--with-password", "orange", "--sign-with", keyFile.getAbsolutePath()}); } @@ -145,7 +146,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(13) public void cert_unsupportedAsymmetricAlgorithmCausesExit13() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData { - when(encrypt.withCert(any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception())); + when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception())); File certFile = File.createTempFile("cert", ".asc"); SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()}); } @@ -153,7 +154,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(17) public void cert_certCannotEncryptCausesExit17() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData { - when(encrypt.withCert(any())).thenThrow(new SOPGPException.CertCannotEncrypt("Certificate cannot encrypt.", new Exception())); + when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.CertCannotEncrypt("Certificate cannot encrypt.", new Exception())); File certFile = File.createTempFile("cert", ".asc"); SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()}); } @@ -161,7 +162,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(41) public void cert_badDataCausesExit41() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData { - when(encrypt.withCert(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); File certFile = File.createTempFile("cert", ".asc"); SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()}); } @@ -181,7 +182,7 @@ public class EncryptCmdTest { @Test @ExpectSystemExitWithStatus(1) public void writeTo_ioExceptionCausesExit1() throws IOException { - when(encrypt.plaintext(any())).thenReturn(new Ready() { + when(encrypt.plaintext((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) throws IOException { throw new IOException(); diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java index be602e72..382fe300 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java @@ -12,6 +12,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; @@ -30,7 +31,7 @@ public class ExtractCertCmdTest { @BeforeEach public void mockComponents() throws IOException, SOPGPException.BadData { extractCert = mock(ExtractCert.class); - when(extractCert.key(any())).thenReturn(new Ready() { + when(extractCert.key((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) { } @@ -57,7 +58,7 @@ public class ExtractCertCmdTest { @Test @ExpectSystemExitWithStatus(1) public void key_ioExceptionCausesExit1() throws IOException, SOPGPException.BadData { - when(extractCert.key(any())).thenReturn(new Ready() { + when(extractCert.key((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) throws IOException { throw new IOException(); @@ -69,7 +70,7 @@ public class ExtractCertCmdTest { @Test @ExpectSystemExitWithStatus(41) public void key_badDataCausesExit41() throws IOException, SOPGPException.BadData { - when(extractCert.key(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(extractCert.key((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"extract-cert"}); } } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java index fdd376b1..8de61409 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java @@ -13,6 +13,7 @@ import static org.mockito.Mockito.when; import java.io.File; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; @@ -32,7 +33,7 @@ public class SignCmdTest { @BeforeEach public void mockComponents() throws IOException, SOPGPException.ExpectedText { sign = mock(Sign.class); - when(sign.data(any())).thenReturn(new Ready() { + when(sign.data((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) { @@ -76,14 +77,14 @@ public class SignCmdTest { @Test @ExpectSystemExitWithStatus(1) public void key_keyIsProtectedCausesExit1() throws SOPGPException.KeyIsProtected, IOException, SOPGPException.BadData { - when(sign.key(any())).thenThrow(new SOPGPException.KeyIsProtected()); + when(sign.key((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected()); SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()}); } @Test @ExpectSystemExitWithStatus(41) public void key_badDataCausesExit41() throws SOPGPException.KeyIsProtected, IOException, SOPGPException.BadData { - when(sign.key(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(sign.key((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()}); } @@ -108,7 +109,7 @@ public class SignCmdTest { @Test @ExpectSystemExitWithStatus(1) public void data_ioExceptionCausesExit1() throws IOException, SOPGPException.ExpectedText { - when(sign.data(any())).thenReturn(new Ready() { + when(sign.data((InputStream) any())).thenReturn(new Ready() { @Override public void writeTo(OutputStream outputStream) throws IOException { throw new IOException(); @@ -120,7 +121,7 @@ public class SignCmdTest { @Test @ExpectSystemExitWithStatus(53) public void data_expectedTextExceptionCausesExit53() throws IOException, SOPGPException.ExpectedText { - when(sign.data(any())).thenThrow(new SOPGPException.ExpectedText()); + when(sign.data((InputStream) any())).thenThrow(new SOPGPException.ExpectedText()); SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()}); } } diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java index 99098d76..028d2451 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java @@ -14,6 +14,7 @@ import static org.mockito.Mockito.when; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.IOException; +import java.io.InputStream; import java.io.PrintStream; import java.util.Arrays; import java.util.Collections; @@ -47,9 +48,9 @@ public class VerifyCmdTest { verify = mock(Verify.class); when(verify.notBefore(any())).thenReturn(verify); when(verify.notAfter(any())).thenReturn(verify); - when(verify.cert(any())).thenReturn(verify); - when(verify.signatures(any())).thenReturn(verify); - when(verify.data(any())).thenReturn( + when(verify.cert((InputStream) any())).thenReturn(verify); + when(verify.signatures((InputStream) any())).thenReturn(verify); + when(verify.data((InputStream) any())).thenReturn( Collections.singletonList( new Verification( UTCUtil.parseUTCDate("2019-10-29T18:36:45Z"), @@ -146,7 +147,7 @@ public class VerifyCmdTest { @Test @ExpectSystemExitWithStatus(41) public void cert_badDataCausesExit41() throws SOPGPException.BadData { - when(verify.cert(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(verify.cert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()}); } @@ -159,27 +160,27 @@ public class VerifyCmdTest { @Test @ExpectSystemExitWithStatus(41) public void signature_badDataCausesExit41() throws SOPGPException.BadData { - when(verify.signatures(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(verify.signatures((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()}); } @Test @ExpectSystemExitWithStatus(3) public void data_noSignaturesCausesExit3() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData { - when(verify.data(any())).thenThrow(new SOPGPException.NoSignature()); + when(verify.data((InputStream) any())).thenThrow(new SOPGPException.NoSignature()); SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()}); } @Test @ExpectSystemExitWithStatus(41) public void data_badDataCausesExit41() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData { - when(verify.data(any())).thenThrow(new SOPGPException.BadData(new IOException())); + when(verify.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException())); SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()}); } @Test public void resultIsPrintedProperly() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData { - when(verify.data(any())).thenReturn(Arrays.asList( + when(verify.data((InputStream) any())).thenReturn(Arrays.asList( new Verification(UTCUtil.parseUTCDate("2019-10-29T18:36:45Z"), "EB85BB5FA33A75E15E944E63F231550C4F47E38E", "EB85BB5FA33A75E15E944E63F231550C4F47E38E"), diff --git a/sop-java/src/main/java/sop/ByteArrayAndResult.java b/sop-java/src/main/java/sop/ByteArrayAndResult.java index 709836d2..fd2b39a7 100644 --- a/sop-java/src/main/java/sop/ByteArrayAndResult.java +++ b/sop-java/src/main/java/sop/ByteArrayAndResult.java @@ -4,6 +4,13 @@ package sop; +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +/** + * Tuple of a byte array and associated result object. + * @param type of result + */ public class ByteArrayAndResult { private final byte[] bytes; @@ -14,11 +21,30 @@ public class ByteArrayAndResult { this.result = result; } + /** + * Return the byte array part. + * + * @return bytes + */ public byte[] getBytes() { return bytes; } + /** + * Return the result part. + * + * @return result + */ public T getResult() { return result; } + + /** + * Return the byte array part as an {@link InputStream}. + * + * @return input stream + */ + public InputStream getInputStream() { + return new ByteArrayInputStream(getBytes()); + } } diff --git a/sop-java/src/main/java/sop/Ready.java b/sop-java/src/main/java/sop/Ready.java index d234f911..71ab26ec 100644 --- a/sop-java/src/main/java/sop/Ready.java +++ b/sop-java/src/main/java/sop/Ready.java @@ -4,8 +4,10 @@ package sop; +import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStream; public abstract class Ready { @@ -30,4 +32,14 @@ public abstract class Ready { writeTo(bytes); return bytes.toByteArray(); } + + /** + * Return an input stream containing the data. + * + * @return input stream + * @throws IOException in case of an IO error + */ + public InputStream getInputStream() throws IOException { + return new ByteArrayInputStream(getBytes()); + } } diff --git a/sop-java/src/main/java/sop/ReadyWithResult.java b/sop-java/src/main/java/sop/ReadyWithResult.java index c932b639..753d41d1 100644 --- a/sop-java/src/main/java/sop/ReadyWithResult.java +++ b/sop-java/src/main/java/sop/ReadyWithResult.java @@ -20,11 +20,20 @@ public abstract class ReadyWithResult { * @return result, eg. signatures * * @throws IOException in case of an IO error - * @throws SOPGPException.NoSignature + * @throws SOPGPException.NoSignature if there are no valid signatures found */ public abstract T writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature; - public ByteArrayAndResult toBytes() throws IOException, SOPGPException.NoSignature { + /** + * Return the data as a {@link ByteArrayAndResult}. + * Calling {@link ByteArrayAndResult#getBytes()} will give you access to the data as byte array, while + * {@link ByteArrayAndResult#getResult()} will grant access to the appended result. + * + * @return byte array and result + * @throws IOException in case of an IO error + * @throws SOPGPException.NoSignature if there are no valid signatures found + */ + public ByteArrayAndResult toByteArrayAndResult() throws IOException, SOPGPException.NoSignature { ByteArrayOutputStream bytes = new ByteArrayOutputStream(); T result = writeTo(bytes); return new ByteArrayAndResult<>(bytes.toByteArray(), result); diff --git a/sop-java/src/main/java/sop/operation/Armor.java b/sop-java/src/main/java/sop/operation/Armor.java index 8aa06614..dea3257a 100644 --- a/sop-java/src/main/java/sop/operation/Armor.java +++ b/sop-java/src/main/java/sop/operation/Armor.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.InputStream; import sop.Ready; @@ -27,4 +28,14 @@ public interface Armor { * @return armored data */ Ready data(InputStream data) throws SOPGPException.BadData; + + /** + * Armor the provided data. + * + * @param data unarmored OpenPGP data + * @return armored data + */ + default Ready data(byte[] data) throws SOPGPException.BadData { + return data(new ByteArrayInputStream(data)); + } } diff --git a/sop-java/src/main/java/sop/operation/Dearmor.java b/sop-java/src/main/java/sop/operation/Dearmor.java index 91004b7d..35eceb56 100644 --- a/sop-java/src/main/java/sop/operation/Dearmor.java +++ b/sop-java/src/main/java/sop/operation/Dearmor.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; @@ -19,4 +20,14 @@ public interface Dearmor { * @return input stream of unarmored data */ Ready data(InputStream data) throws SOPGPException.BadData, IOException; + + /** + * Dearmor armored OpenPGP data. + * + * @param data armored OpenPGP data + * @return input stream of unarmored data + */ + default Ready data(byte[] data) throws SOPGPException.BadData, IOException { + return data(new ByteArrayInputStream(data)); + } } diff --git a/sop-java/src/main/java/sop/operation/Decrypt.java b/sop-java/src/main/java/sop/operation/Decrypt.java index 944ab9ce..4cbd6f35 100644 --- a/sop-java/src/main/java/sop/operation/Decrypt.java +++ b/sop-java/src/main/java/sop/operation/Decrypt.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.util.Date; @@ -43,6 +44,17 @@ public interface Decrypt { throws SOPGPException.BadData, IOException; + /** + * Adds the verification cert. + * + * @param cert byte array containing the cert + * @return builder instance + */ + default Decrypt verifyWithCert(byte[] cert) + throws SOPGPException.BadData, IOException { + return verifyWithCert(new ByteArrayInputStream(cert)); + } + /** * Tries to decrypt with the given session key. * @@ -73,6 +85,19 @@ public interface Decrypt { SOPGPException.BadData, SOPGPException.UnsupportedAsymmetricAlgo; + /** + * Adds the decryption key. + * + * @param key byte array containing the key + * @return builder instance + */ + default Decrypt withKey(byte[] key) + throws SOPGPException.KeyIsProtected, + SOPGPException.BadData, + SOPGPException.UnsupportedAsymmetricAlgo { + return withKey(new ByteArrayInputStream(key)); + } + /** * Decrypts the given ciphertext, returning verification results and plaintext. * @param ciphertext ciphertext @@ -80,4 +105,14 @@ public interface Decrypt { */ ReadyWithResult ciphertext(InputStream ciphertext) throws SOPGPException.BadData, SOPGPException.MissingArg, SOPGPException.CannotDecrypt; + + /** + * Decrypts the given ciphertext, returning verification results and plaintext. + * @param ciphertext ciphertext + * @return ready with result + */ + default ReadyWithResult ciphertext(byte[] ciphertext) + throws SOPGPException.BadData, SOPGPException.MissingArg, SOPGPException.CannotDecrypt { + return ciphertext(new ByteArrayInputStream(ciphertext)); + } } diff --git a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java index c240382b..46bd3f77 100644 --- a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java +++ b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; @@ -12,8 +13,29 @@ import sop.Signatures; public interface DetachInbandSignatureAndMessage { + /** + * Do not wrap the signatures in ASCII armor. + * @return builder + */ DetachInbandSignatureAndMessage noArmor(); + /** + * Detach the provided cleartext signed message from its signatures. + * + * @param messageInputStream input stream containing the signed message + * @return result containing the detached message + * @throws IOException in case of an IO error + */ ReadyWithResult message(InputStream messageInputStream) throws IOException; + /** + * Detach the provided cleartext signed message from its signatures. + * + * @param message byte array containing the signed message + * @return result containing the detached message + * @throws IOException in case of an IO error + */ + default ReadyWithResult message(byte[] message) throws IOException { + return message(new ByteArrayInputStream(message)); + } } diff --git a/sop-java/src/main/java/sop/operation/Encrypt.java b/sop-java/src/main/java/sop/operation/Encrypt.java index b1491fd9..b5a92b25 100644 --- a/sop-java/src/main/java/sop/operation/Encrypt.java +++ b/sop-java/src/main/java/sop/operation/Encrypt.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; @@ -41,6 +42,20 @@ public interface Encrypt { SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData; + /** + * Adds the signer key. + * + * @param key byte array containing the encoded signer key + * @return builder instance + */ + default Encrypt signWith(byte[] key) + throws SOPGPException.KeyIsProtected, + SOPGPException.CertCannotSign, + SOPGPException.UnsupportedAsymmetricAlgo, + SOPGPException.BadData { + return signWith(new ByteArrayInputStream(key)); + } + /** * Encrypt with the given password. * @@ -62,6 +77,19 @@ public interface Encrypt { SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData; + /** + * Encrypt with the given cert. + * + * @param cert byte array containing the encoded cert. + * @return builder instance + */ + default Encrypt withCert(byte[] cert) + throws SOPGPException.CertCannotEncrypt, + SOPGPException.UnsupportedAsymmetricAlgo, + SOPGPException.BadData { + return withCert(new ByteArrayInputStream(cert)); + } + /** * Encrypt the given data yielding the ciphertext. * @param plaintext plaintext @@ -69,4 +97,13 @@ public interface Encrypt { */ Ready plaintext(InputStream plaintext) throws IOException; + + /** + * Encrypt the given data yielding the ciphertext. + * @param plaintext plaintext + * @return input stream containing the ciphertext + */ + default Ready plaintext(byte[] plaintext) throws IOException { + return plaintext(new ByteArrayInputStream(plaintext)); + } } diff --git a/sop-java/src/main/java/sop/operation/ExtractCert.java b/sop-java/src/main/java/sop/operation/ExtractCert.java index 31b0a5fb..7a0de5c6 100644 --- a/sop-java/src/main/java/sop/operation/ExtractCert.java +++ b/sop-java/src/main/java/sop/operation/ExtractCert.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; @@ -23,7 +24,17 @@ public interface ExtractCert { * Extract the cert from the provided key. * * @param keyInputStream input stream containing the encoding of an OpenPGP key - * @return input stream containing the encoding of the keys cert + * @return result containing the encoding of the keys cert */ Ready key(InputStream keyInputStream) throws IOException, SOPGPException.BadData; + + /** + * Extract the cert from the provided key. + * + * @param key byte array containing the encoding of an OpenPGP key + * @return result containing the encoding of the keys cert + */ + default Ready key(byte[] key) throws IOException, SOPGPException.BadData { + return key(new ByteArrayInputStream(key)); + } } diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java index 707f6f4e..9b9c3a6f 100644 --- a/sop-java/src/main/java/sop/operation/Sign.java +++ b/sop-java/src/main/java/sop/operation/Sign.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; @@ -37,6 +38,16 @@ public interface Sign { */ Sign key(InputStream key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException; + /** + * Adds the signer key. + * + * @param key byte array containing encoded key + * @return builder instance + */ + default Sign key(byte[] key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException { + return key(new ByteArrayInputStream(key)); + } + /** * Signs data. * @@ -44,4 +55,14 @@ public interface Sign { * @return ready */ Ready data(InputStream data) throws IOException, SOPGPException.ExpectedText; + + /** + * Signs data. + * + * @param data byte array containing data + * @return ready + */ + default Ready data(byte[] data) throws IOException, SOPGPException.ExpectedText { + return data(new ByteArrayInputStream(data)); + } } diff --git a/sop-java/src/main/java/sop/operation/Verify.java b/sop-java/src/main/java/sop/operation/Verify.java index b59fadfa..30905de2 100644 --- a/sop-java/src/main/java/sop/operation/Verify.java +++ b/sop-java/src/main/java/sop/operation/Verify.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.InputStream; import java.util.Date; @@ -35,6 +36,16 @@ public interface Verify extends VerifySignatures { */ Verify cert(InputStream cert) throws SOPGPException.BadData; + /** + * Adds the verification cert. + * + * @param cert byte array containing the encoded cert + * @return builder instance + */ + default Verify cert(byte[] cert) throws SOPGPException.BadData { + return cert(new ByteArrayInputStream(cert)); + } + /** * Provides the signatures. * @param signatures input stream containing encoded, detached signatures. @@ -43,4 +54,14 @@ public interface Verify extends VerifySignatures { */ VerifySignatures signatures(InputStream signatures) throws SOPGPException.BadData; + /** + * Provides the signatures. + * @param signatures byte array containing encoded, detached signatures. + * + * @return builder instance + */ + default VerifySignatures signatures(byte[] signatures) throws SOPGPException.BadData { + return signatures(new ByteArrayInputStream(signatures)); + } + } diff --git a/sop-java/src/main/java/sop/operation/VerifySignatures.java b/sop-java/src/main/java/sop/operation/VerifySignatures.java index 6d10e4d6..d41a8edd 100644 --- a/sop-java/src/main/java/sop/operation/VerifySignatures.java +++ b/sop-java/src/main/java/sop/operation/VerifySignatures.java @@ -4,6 +4,7 @@ package sop.operation; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.util.List; @@ -13,5 +14,27 @@ import sop.exception.SOPGPException; public interface VerifySignatures { + /** + * Provide the signed data (without signatures). + * + * @param data signed data + * @return list of signature verifications + * @throws IOException in case of an IO error + * @throws SOPGPException.NoSignature when no signature is found + * @throws SOPGPException.BadData when the data is invalid OpenPGP data + */ List data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData; + + /** + * Provide the signed data (without signatures). + * + * @param data signed data + * @return list of signature verifications + * @throws IOException in case of an IO error + * @throws SOPGPException.NoSignature when no signature is found + * @throws SOPGPException.BadData when the data is invalid OpenPGP data + */ + default List data(byte[] data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData { + return data(new ByteArrayInputStream(data)); + } } diff --git a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java b/sop-java/src/test/java/sop/util/ReadyWithResultTest.java index 668fec09..97841fa8 100644 --- a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java +++ b/sop-java/src/test/java/sop/util/ReadyWithResultTest.java @@ -37,7 +37,7 @@ public class ReadyWithResultTest { } }; - ByteArrayAndResult> bytesAndResult = readyWithResult.toBytes(); + ByteArrayAndResult> bytesAndResult = readyWithResult.toByteArrayAndResult(); assertArrayEquals(data, bytesAndResult.getBytes()); assertEquals(result, bytesAndResult.getResult()); } From bbc68e980359ab13138d3f483fface6711c78796 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 12 Oct 2021 14:04:23 +0200 Subject: [PATCH 0062/1450] Fix Picking of Subkey Revocation Signatures --- .../src/main/java/org/pgpainless/signature/SignaturePicker.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java index 54c75c89..b5bb9706 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java @@ -268,7 +268,7 @@ public final class SignaturePicker { throw new IllegalArgumentException("Primary key cannot have subkey binding revocations."); } - List signatures = getSortedSignaturesOfType(subkey, SignatureType.SUBKEY_BINDING); + List signatures = getSortedSignaturesOfType(subkey, SignatureType.SUBKEY_REVOCATION); PGPSignature latestSubkeyRevocation = null; for (PGPSignature signature : signatures) { From ee1d38a38a428fae283e93766e3e5c81b292307a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 12 Oct 2021 14:18:59 +0200 Subject: [PATCH 0063/1450] Increase test coverage for KeyRingInfo --- .../pgpainless/key/info/KeyRingInfoTest.java | 240 ++++++++++++++++++ 1 file changed, 240 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 56886581..5a2dd415 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -267,4 +267,244 @@ public class KeyRingInfoTest { assertEquals(primaryKeyExpiration.getTime(), info.getExpirationDateForUse(KeyFlag.ENCRYPT_STORAGE).getTime(), 5); } + + @Test + public void subkeyIsHardRevokedTest() throws IOException { + String KEY = "-----BEGIN PGP ARMORED FILE-----\n" + + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + + "\n" + + "xsBNBFpJegABCAC1ePFquP0135m8DYhcybhv7l+ecojitFOd/jRM7hCczIqKgalD\n" + + "1Ro1gNr3VmH6FjRIKIvGT+sOzCKne1v3KyAAPoxtwxjkATTKdOGo15I6v5ZjmO1d\n" + + "rLQOLSt1TF7XbQSt+ns6PUZWJL907DvECUU5b9FkNUqfQ14QqY+gi7MOyAQez3b7\n" + + "Pg5Cyz/kVWQ6TSMW/myDEDEertQ4rDBsptEDFHCC2+iF4hO2LqfiCriu5qyLcKCQ\n" + + "pd6dEuwJQ/jjT0D9A9Fwf+i04x6ZPKSU9oNAWqn8OSAq3/0B/hu9V+0U0iHPnJxe\n" + + "quykvJk7maxhiGhxBWYXTvDJmoon0NOles7LABEBAAHCwHwEHwEKAA8Fgl4L4QAC\n" + + "FQoCmwMCHgEAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOPu8ffB/9Q\n" + + "60dg60qhA2rPnd/1dCL2B+c8RWnq44PpijE3gA1RQvcRQE5jNzMSo/MnG0mSL5wH\n" + + "eTsjSd/DRI3nHP06rs6Qub11NoKhNuya3maz9gyzeZMc/jNib83/BzFCrxsSQm+9\n" + + "WHurxXeWXOPMLZs3xS/jG0EDtCJ2Fm4UF19fcIydwN/ssF4NGpfCY82+wTSx4joI\n" + + "3cRKObCFJaaBgG5nl+eFr7cfjEIuqCJCaQsXiqBe7d6V3KqN18t+CgSaybMZXcys\n" + + "Q/USxEkLhIB2pOZwcz4E3TTFgxRAxcr4cs4Bd2PRz3Z5FKTzo0ma/Ft0UfFJR+fC\n" + + "cs55+n6kC9K0y/E7BY2hwsB8BB8BCgAPBYJaSXoAAhUKApsDAh4BACEJEGhPrWLc\n" + + "A4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7uqDQf7BqTD6GNTwXPOt/0kHQPYmbdI\n" + + "tX+pWP+o3jaB6VTHDXcn27bttA5M82EXZfae4+bC1dMB+1uLal4ciVgO9ImJC9Nw\n" + + "s5fc3JH4R5uuSvpjzjudkJsGu3cAKE3hwiT93Mi6t6ENpLCDSxqxzAmfoOQbVJYW\n" + + "Y7gP7Z4Cj0IAP29aprEc0JWoMjHKpKgYF6u0sWgHWBuEXk/6o6GYb2HZYK4ycpY2\n" + + "WXKgVhy7/iQDYO1FOfcWQXHVGLn8OzILjobKohNenTT20ZhAASi3LUDSDMTQfxSS\n" + + "Vt0nhzWuXJJ4R8PzUVeRJ0A0oMyjZVHivHC6GwMsiQuSUTx8e/GnOByOqfGne80S\n" + + "anVsaWV0QGV4YW1wbGUub3JnwsBzBBMBCgAGBYJaSXoAACEJEGhPrWLcA4+7FiEE\n" + + "8tFQpP6Ykl1R6RU5aE+tYtwDj7tDfQf+PnxsIFu/0juKBUjjtAYfRzkrrYtMepPj\n" + + "taTvGfo1SzUkX/6F/GjdSeVg5Iq6YcBrj8c+cB3EoZpHnScTgWQHwceWQLd9Hhbg\n" + + "TrUNvW1eg2CVzN0RBuYMtWu9JM4pH7ssJW1NmN+/N9B67qb2y+JfBwH/la508NzC\n" + + "rl3xWTxjT5wNy+FGkNZg23s/0qlO2uxCjc+mRAuAlp5EmTOVWOIBbM0xttjBOx39\n" + + "ZmWWQKJZ0nrFjK1jppHqazwWWNX7RHkK81tlbSUtOPoTIJDz38NaiyMcZH3p9okN\n" + + "3DU4XtF+oE18M+Z/E0xUQmumbkajFzcUjmd7enozP5BnGESzdNS5Xc7ATQRaSsuA\n" + + "AQgAykb8tqlWXtqHGGkBqAq3EnpmvBqrKvqejjtZKAXqEszJ9NlibCGUuLwnNOVO\n" + + "R/hcOUlOGH+cyMcApBWJB+7d/83K1eCCdv88nDFVav7hKLKlEBbZJNHgHpJ313pl\n" + + "etzCR4x3STEISrEtO71l2HBdrKSYXaxGgILxYwcSi3i2EjzxRDy+0zyy8s7d+OD5\n" + + "ShFYexgSrKH3Xx1cxQAJzGGJVx75HHU9GVh3xHwJ7nDm26KzHegG2XPIBXJ2z8vm\n" + + "sSVTWyj0AjT4kVVapN0f84AKKjyQ7fguCzXGHFV9jmxDx+YH+9HhjIrHSzbDx6+4\n" + + "wyRsxj7Su+hu/bogJ28nnbTzQwARAQABwsBzBCgBCgAGBYJcKq2AACEJEGhPrWLc\n" + + "A4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7u9+wf/Wl2BqJzeAw06pbpT8AEn8Sw4\n" + + "Hmv5o5LiTOMgCLlX8vK9aIwFGJj/BZW0BAY70JUWUrk0nSjYD16vlVUwKJ8SifTu\n" + + "eElBYp2I/wkin3FSng3Ewv1iRN5XoQMallKf3EHCbf4LnO1UqzzuIlKWLShl7oIZ\n" + + "hIQIqzelLJ0Y/2eOTAgoh9Wd3+aLLo7Yp7cUO6yrxBjTOS31yC2gQ3mQv7TWiQ+Z\n" + + "I0oUTfxFdUAF2efEqpfePYnPDgy0W0fhJEShO/jyAKqhiwT6YdV2Q+IONL1k7su2\n" + + "N6DkV7T4myGhRAaey/XOEZzLxYg9Jlromc6PZxVLug1nyQOc3ETrUslTfZ1hHMLB\n" + + "rAQYAQoACQWCXgvhAAKbAgFXCRBoT61i3AOPu8B0oAQZAQoABgWCXgvhAAAhCRBK\n" + + "cjSjoSE6ZRYhBFF5LA5I4v2pTpO5EUpyNKOhITplp0kIAIrv83RJh3+lm8H27P3O\n" + + "hTm3z8Rrsy5EK+H2SnKivNTLUdZodVlSyUYF1uLvHB7Wch+aU4Z4DHFIss1rGtIO\n" + + "iWs/MOrK/1r93tanUwiE7JDK1gg2qA4Q9rXgI5lrpPbvGQTye8YZnvkP1EPdMaJk\n" + + "PzXQiWn4q5Ng7Pdqeze0SkhEtSssAYXzjSWz8NU3WfTLbPgxo5LnGG3vmcz8ay6V\n" + + "l7q9QUhhKgbUwBlt3Uv8acAWDZYWrFx42DK+B3iGGGDsfqEeSYA2KFX6dpNA8Cv0\n" + + "F6IG42vv1Y7/i613TWNLdWwN+RTZ5et+zPIgja17yKERQEWzcoHvHP40lhjywf7S\n" + + "MjYWIQTy0VCk/piSXVHpFTloT61i3AOPuxS8CACtRp4DTJ67sVjOBKIISk0pija3\n" + + "eqf3d1rHfsttNfQOzc/uDsnZBA75jVVYZVHH4Dn9i+gX+t8HTdIaPjg4QrjUqh3u\n" + + "jS9TYXSE2zBpw3Sm+eyCAfQriRaSC5/S2dRIuiTxKZqYkhGi/lSbdXzJ33PI7RfD\n" + + "d1nEVXybKtWrJV3vDaYO9PWFYJtjl7DVoJLZfX3IruBDU8m0Bo6TfVk2tWlNZ5JK\n" + + "OjVKCH47TPjzuFVO8dNDPnUybGBoZ3PehLU/BH0gCBQSmUQJDARYRHHZMWvIQiiN\n" + + "/p8iN4E6tE3BUk98MtOQJqFe8JYM1ADLFuzFdjaRu3ybpdkO6bisPrnQVHNEwsGs\n" + + "BBgBCgAJBYJa6P+AApsCAVcJEGhPrWLcA4+7wHSgBBkBCgAGBYJa6P+AACEJEEpy\n" + + "NKOhITplFiEEUXksDkji/alOk7kRSnI0o6EhOmXhRwf/do4VE16xIIaOg2IZlRbl\n" + + "2tzRoQIyMmaN8mBzKC/Wmdw1Mo8YQMkQ6SNgq2oUOCbD4Xo9pvt3x1mt+P7W+ZqR\n" + + "2BVhGoUL3VkhQnFO6djVCnKtszQOosTtvn0EIZm62EfkxcWJoS4whlDbdeBP12iC\n" + + "9VcT0DgOSm4kT6WvAbFDZTYpPQEj1sp9GQNK4ydWVe5yWq11W7mQxHFA7g5t3AOb\n" + + "bqe47gfH089gQ3INymvjnDxM9BoGX6vSuNHYt6/SBywYTTx4nhVSI/Y/ycjJ071T\n" + + "nHjNyf0W9DAliVW1zQSqUTA4mwkIfu326skBDP8yKZpNE4AaU2WajD9IMWHViJk9\n" + + "SBYhBPLRUKT+mJJdUekVOWhPrWLcA4+7TrYIAIYAKrzgdeNi9kpEt2SHcLoQLViz\n" + + "xwrRMATqhrT/GdtOK6gJm5ycps6O+/jk/kknJw068MzlCZwotKj1MX7sYbx8ZwcQ\n" + + "SI2qDHBfvoirKhdb3+lrlzo2ydTfCNPKQdp4obeTMSGfazBg3gEo+/V+yPSY87Hd\n" + + "9DlRn02cst1cmD8XCep/7GaHDZmk79PxfCt04q0h+iQ13WOc4q0YvfRid0fgC+js\n" + + "8awobryxUhLSESa1uV1X4N8IXNFw/uSfUbB6C997m/WYUBxSrI639JxmGxBcDIUn\n" + + "crH02GDG8CotAnEHkLTz9GPO80q8mowzBV0EtHsXb4TeAFw5T5Qd0a5I+wk=\n" + + "=Vcb3\n" + + "-----END PGP ARMORED FILE-----\n"; + PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + + KeyRingInfo info = new KeyRingInfo(keys, DateUtil.parseUTCDate("2021-10-10 00:00:00 UTC")); + // Subkey is hard revoked + assertFalse(info.isKeyValidlyBound(5364407983539305061L)); + } + + @Test + public void subkeyIsSoftRevokedTest() throws IOException { + String KEY = "-----BEGIN PGP ARMORED FILE-----\n" + + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + + "\n" + + "xsBNBFpJegABCAC1ePFquP0135m8DYhcybhv7l+ecojitFOd/jRM7hCczIqKgalD\n" + + "1Ro1gNr3VmH6FjRIKIvGT+sOzCKne1v3KyAAPoxtwxjkATTKdOGo15I6v5ZjmO1d\n" + + "rLQOLSt1TF7XbQSt+ns6PUZWJL907DvECUU5b9FkNUqfQ14QqY+gi7MOyAQez3b7\n" + + "Pg5Cyz/kVWQ6TSMW/myDEDEertQ4rDBsptEDFHCC2+iF4hO2LqfiCriu5qyLcKCQ\n" + + "pd6dEuwJQ/jjT0D9A9Fwf+i04x6ZPKSU9oNAWqn8OSAq3/0B/hu9V+0U0iHPnJxe\n" + + "quykvJk7maxhiGhxBWYXTvDJmoon0NOles7LABEBAAHCwHwEHwEKAA8Fgl4L4QAC\n" + + "FQoCmwMCHgEAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOPu8ffB/9Q\n" + + "60dg60qhA2rPnd/1dCL2B+c8RWnq44PpijE3gA1RQvcRQE5jNzMSo/MnG0mSL5wH\n" + + "eTsjSd/DRI3nHP06rs6Qub11NoKhNuya3maz9gyzeZMc/jNib83/BzFCrxsSQm+9\n" + + "WHurxXeWXOPMLZs3xS/jG0EDtCJ2Fm4UF19fcIydwN/ssF4NGpfCY82+wTSx4joI\n" + + "3cRKObCFJaaBgG5nl+eFr7cfjEIuqCJCaQsXiqBe7d6V3KqN18t+CgSaybMZXcys\n" + + "Q/USxEkLhIB2pOZwcz4E3TTFgxRAxcr4cs4Bd2PRz3Z5FKTzo0ma/Ft0UfFJR+fC\n" + + "cs55+n6kC9K0y/E7BY2hwsB8BB8BCgAPBYJaSXoAAhUKApsDAh4BACEJEGhPrWLc\n" + + "A4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7uqDQf7BqTD6GNTwXPOt/0kHQPYmbdI\n" + + "tX+pWP+o3jaB6VTHDXcn27bttA5M82EXZfae4+bC1dMB+1uLal4ciVgO9ImJC9Nw\n" + + "s5fc3JH4R5uuSvpjzjudkJsGu3cAKE3hwiT93Mi6t6ENpLCDSxqxzAmfoOQbVJYW\n" + + "Y7gP7Z4Cj0IAP29aprEc0JWoMjHKpKgYF6u0sWgHWBuEXk/6o6GYb2HZYK4ycpY2\n" + + "WXKgVhy7/iQDYO1FOfcWQXHVGLn8OzILjobKohNenTT20ZhAASi3LUDSDMTQfxSS\n" + + "Vt0nhzWuXJJ4R8PzUVeRJ0A0oMyjZVHivHC6GwMsiQuSUTx8e/GnOByOqfGne80S\n" + + "anVsaWV0QGV4YW1wbGUub3JnwsBzBBMBCgAGBYJaSXoAACEJEGhPrWLcA4+7FiEE\n" + + "8tFQpP6Ykl1R6RU5aE+tYtwDj7tDfQf+PnxsIFu/0juKBUjjtAYfRzkrrYtMepPj\n" + + "taTvGfo1SzUkX/6F/GjdSeVg5Iq6YcBrj8c+cB3EoZpHnScTgWQHwceWQLd9Hhbg\n" + + "TrUNvW1eg2CVzN0RBuYMtWu9JM4pH7ssJW1NmN+/N9B67qb2y+JfBwH/la508NzC\n" + + "rl3xWTxjT5wNy+FGkNZg23s/0qlO2uxCjc+mRAuAlp5EmTOVWOIBbM0xttjBOx39\n" + + "ZmWWQKJZ0nrFjK1jppHqazwWWNX7RHkK81tlbSUtOPoTIJDz38NaiyMcZH3p9okN\n" + + "3DU4XtF+oE18M+Z/E0xUQmumbkajFzcUjmd7enozP5BnGESzdNS5Xc7ATQRaSsuA\n" + + "AQgAykb8tqlWXtqHGGkBqAq3EnpmvBqrKvqejjtZKAXqEszJ9NlibCGUuLwnNOVO\n" + + "R/hcOUlOGH+cyMcApBWJB+7d/83K1eCCdv88nDFVav7hKLKlEBbZJNHgHpJ313pl\n" + + "etzCR4x3STEISrEtO71l2HBdrKSYXaxGgILxYwcSi3i2EjzxRDy+0zyy8s7d+OD5\n" + + "ShFYexgSrKH3Xx1cxQAJzGGJVx75HHU9GVh3xHwJ7nDm26KzHegG2XPIBXJ2z8vm\n" + + "sSVTWyj0AjT4kVVapN0f84AKKjyQ7fguCzXGHFV9jmxDx+YH+9HhjIrHSzbDx6+4\n" + + "wyRsxj7Su+hu/bogJ28nnbTzQwARAQABwsCHBCgBCgAaBYJcKq2AEx0BS2V5IGlz\n" + + "IHN1cGVyc2VkZWQAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOPuxBk\n" + + "CACOpX6rx67fE33qOGStis1toGfDxcgDjfCC9VKXQ6DY5LSKNf2d32OJq5iPeuFb\n" + + "ZNBrSr+jE5kF2Zit3P1/cCLKb6sfyTLswWLiQaFNd/D1tWZR4W5H7cgC44NNIXbh\n" + + "jGvJWGPJZT9FgFCaZzq4Oxya+wwvFEvvtvl+tMPqaYUiDQKjRqi0OWCGTuIpblQf\n" + + "suc6Jw9qzE6TT2zhaTNWFvDvsLoqgJKsxa8sCZXCuUBB8fKaURTQBDMJSiTyeHgz\n" + + "4t/n9LKGmTGlTwy12Yhpsyp3yz/uFsJPoM32FWkFtd/bSdXiAxR5Al9mn+fuJLW2\n" + + "VeILEUjzY1/MfLq6KBlT7EePwsGsBBgBCgAJBYJeC+EAApsCAVcJEGhPrWLcA4+7\n" + + "wHSgBBkBCgAGBYJeC+EAACEJEEpyNKOhITplFiEEUXksDkji/alOk7kRSnI0o6Eh\n" + + "OmWnSQgAiu/zdEmHf6Wbwfbs/c6FObfPxGuzLkQr4fZKcqK81MtR1mh1WVLJRgXW\n" + + "4u8cHtZyH5pThngMcUiyzWsa0g6Jaz8w6sr/Wv3e1qdTCITskMrWCDaoDhD2teAj\n" + + "mWuk9u8ZBPJ7xhme+Q/UQ90xomQ/NdCJafirk2Ds92p7N7RKSES1KywBhfONJbPw\n" + + "1TdZ9Mts+DGjkucYbe+ZzPxrLpWXur1BSGEqBtTAGW3dS/xpwBYNlhasXHjYMr4H\n" + + "eIYYYOx+oR5JgDYoVfp2k0DwK/QXogbja+/Vjv+LrXdNY0t1bA35FNnl637M8iCN\n" + + "rXvIoRFARbNyge8c/jSWGPLB/tIyNhYhBPLRUKT+mJJdUekVOWhPrWLcA4+7FLwI\n" + + "AK1GngNMnruxWM4EoghKTSmKNrd6p/d3Wsd+y2019A7Nz+4OydkEDvmNVVhlUcfg\n" + + "Of2L6Bf63wdN0ho+ODhCuNSqHe6NL1NhdITbMGnDdKb57IIB9CuJFpILn9LZ1Ei6\n" + + "JPEpmpiSEaL+VJt1fMnfc8jtF8N3WcRVfJsq1aslXe8Npg709YVgm2OXsNWgktl9\n" + + "fciu4ENTybQGjpN9WTa1aU1nkko6NUoIfjtM+PO4VU7x00M+dTJsYGhnc96EtT8E\n" + + "fSAIFBKZRAkMBFhEcdkxa8hCKI3+nyI3gTq0TcFST3wy05AmoV7wlgzUAMsW7MV2\n" + + "NpG7fJul2Q7puKw+udBUc0TCwawEGAEKAAkFglro/4ACmwIBVwkQaE+tYtwDj7vA\n" + + "dKAEGQEKAAYFglro/4AAIQkQSnI0o6EhOmUWIQRReSwOSOL9qU6TuRFKcjSjoSE6\n" + + "ZeFHB/92jhUTXrEgho6DYhmVFuXa3NGhAjIyZo3yYHMoL9aZ3DUyjxhAyRDpI2Cr\n" + + "ahQ4JsPhej2m+3fHWa34/tb5mpHYFWEahQvdWSFCcU7p2NUKcq2zNA6ixO2+fQQh\n" + + "mbrYR+TFxYmhLjCGUNt14E/XaIL1VxPQOA5KbiRPpa8BsUNlNik9ASPWyn0ZA0rj\n" + + "J1ZV7nJarXVbuZDEcUDuDm3cA5tup7juB8fTz2BDcg3Ka+OcPEz0GgZfq9K40di3\n" + + "r9IHLBhNPHieFVIj9j/JyMnTvVOceM3J/Rb0MCWJVbXNBKpRMDibCQh+7fbqyQEM\n" + + "/zIpmk0TgBpTZZqMP0gxYdWImT1IFiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7tOtggA\n" + + "hgAqvOB142L2SkS3ZIdwuhAtWLPHCtEwBOqGtP8Z204rqAmbnJymzo77+OT+SScn\n" + + "DTrwzOUJnCi0qPUxfuxhvHxnBxBIjaoMcF++iKsqF1vf6WuXOjbJ1N8I08pB2nih\n" + + "t5MxIZ9rMGDeASj79X7I9Jjzsd30OVGfTZyy3VyYPxcJ6n/sZocNmaTv0/F8K3Ti\n" + + "rSH6JDXdY5zirRi99GJ3R+AL6OzxrChuvLFSEtIRJrW5XVfg3whc0XD+5J9RsHoL\n" + + "33ub9ZhQHFKsjrf0nGYbEFwMhSdysfTYYMbwKi0CcQeQtPP0Y87zSryajDMFXQS0\n" + + "exdvhN4AXDlPlB3Rrkj7CQ==\n" + + "=7Feh\n" + + "-----END PGP ARMORED FILE-----\n"; + + PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + + KeyRingInfo inspectDuringRevokedPeriod = new KeyRingInfo(keys, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); + assertFalse(inspectDuringRevokedPeriod.isKeyValidlyBound(5364407983539305061L)); + + KeyRingInfo inspectAfterRebinding = new KeyRingInfo(keys, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); + assertTrue(inspectAfterRebinding.isKeyValidlyBound(5364407983539305061L)); + } + + @Test + public void primaryKeyIsHardRevokedTest() throws IOException { + String KEY = "-----BEGIN PGP ARMORED FILE-----\n" + + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + + "\n" + + "xsBNBFpJegABCAC1ePFquP0135m8DYhcybhv7l+ecojitFOd/jRM7hCczIqKgalD\n" + + "1Ro1gNr3VmH6FjRIKIvGT+sOzCKne1v3KyAAPoxtwxjkATTKdOGo15I6v5ZjmO1d\n" + + "rLQOLSt1TF7XbQSt+ns6PUZWJL907DvECUU5b9FkNUqfQ14QqY+gi7MOyAQez3b7\n" + + "Pg5Cyz/kVWQ6TSMW/myDEDEertQ4rDBsptEDFHCC2+iF4hO2LqfiCriu5qyLcKCQ\n" + + "pd6dEuwJQ/jjT0D9A9Fwf+i04x6ZPKSU9oNAWqn8OSAq3/0B/hu9V+0U0iHPnJxe\n" + + "quykvJk7maxhiGhxBWYXTvDJmoon0NOles7LABEBAAHCwJMEIAEKACYFglwqrYAf\n" + + "HchVbmtub3duIHJldm9jYXRpb24gcmVhc29uIDIwMAAhCRBoT61i3AOPuxYhBPLR\n" + + "UKT+mJJdUekVOWhPrWLcA4+7yUoH/1KmYWve5h9Tsl1dAguIwVhqNw5fQjxYQCy2\n" + + "kq+1XBBjKSalNpoFIgV0fJWo+x8i3neNH0pnWRPR9lddiW3C/TjsjGp69QvYaZnM\n" + + "NXGymkvb6JMFGtTBwpM6R8iH0UqQHWK984nEcD4ZTU2zWY5Q3zr/ahKDoMKooqbc\n" + + "tBlMumQ3KhSmDrJlU7xxn0K3A5bZoHd/ZlIxk7FX7yoSBUffy6gRdT0IFk9X93Vn\n" + + "GuUpo+vTjEBO3PQuKOMOT0qJxqZHCUN0LWHDdH3IwmfrlRSRWq63pbO6pyHyEehS\n" + + "5LQ7NbP994BNxT9yYQ3REvk/ngJk4aK5xRHXdPL529Dio4XWZ4rCwHwEHwEKAA8F\n" + + "gl4L4QACFQoCmwMCHgEAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOP\n" + + "u8ffB/9Q60dg60qhA2rPnd/1dCL2B+c8RWnq44PpijE3gA1RQvcRQE5jNzMSo/Mn\n" + + "G0mSL5wHeTsjSd/DRI3nHP06rs6Qub11NoKhNuya3maz9gyzeZMc/jNib83/BzFC\n" + + "rxsSQm+9WHurxXeWXOPMLZs3xS/jG0EDtCJ2Fm4UF19fcIydwN/ssF4NGpfCY82+\n" + + "wTSx4joI3cRKObCFJaaBgG5nl+eFr7cfjEIuqCJCaQsXiqBe7d6V3KqN18t+CgSa\n" + + "ybMZXcysQ/USxEkLhIB2pOZwcz4E3TTFgxRAxcr4cs4Bd2PRz3Z5FKTzo0ma/Ft0\n" + + "UfFJR+fCcs55+n6kC9K0y/E7BY2hwsB8BB8BCgAPBYJaSXoAAhUKApsDAh4BACEJ\n" + + "EGhPrWLcA4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7uqDQf7BqTD6GNTwXPOt/0k\n" + + "HQPYmbdItX+pWP+o3jaB6VTHDXcn27bttA5M82EXZfae4+bC1dMB+1uLal4ciVgO\n" + + "9ImJC9Nws5fc3JH4R5uuSvpjzjudkJsGu3cAKE3hwiT93Mi6t6ENpLCDSxqxzAmf\n" + + "oOQbVJYWY7gP7Z4Cj0IAP29aprEc0JWoMjHKpKgYF6u0sWgHWBuEXk/6o6GYb2HZ\n" + + "YK4ycpY2WXKgVhy7/iQDYO1FOfcWQXHVGLn8OzILjobKohNenTT20ZhAASi3LUDS\n" + + "DMTQfxSSVt0nhzWuXJJ4R8PzUVeRJ0A0oMyjZVHivHC6GwMsiQuSUTx8e/GnOByO\n" + + "qfGne80SanVsaWV0QGV4YW1wbGUub3JnwsBzBBMBCgAGBYJaSXoAACEJEGhPrWLc\n" + + "A4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7tDfQf+PnxsIFu/0juKBUjjtAYfRzkr\n" + + "rYtMepPjtaTvGfo1SzUkX/6F/GjdSeVg5Iq6YcBrj8c+cB3EoZpHnScTgWQHwceW\n" + + "QLd9HhbgTrUNvW1eg2CVzN0RBuYMtWu9JM4pH7ssJW1NmN+/N9B67qb2y+JfBwH/\n" + + "la508NzCrl3xWTxjT5wNy+FGkNZg23s/0qlO2uxCjc+mRAuAlp5EmTOVWOIBbM0x\n" + + "ttjBOx39ZmWWQKJZ0nrFjK1jppHqazwWWNX7RHkK81tlbSUtOPoTIJDz38NaiyMc\n" + + "ZH3p9okN3DU4XtF+oE18M+Z/E0xUQmumbkajFzcUjmd7enozP5BnGESzdNS5Xc7A\n" + + "TQRaSsuAAQgAykb8tqlWXtqHGGkBqAq3EnpmvBqrKvqejjtZKAXqEszJ9NlibCGU\n" + + "uLwnNOVOR/hcOUlOGH+cyMcApBWJB+7d/83K1eCCdv88nDFVav7hKLKlEBbZJNHg\n" + + "HpJ313pletzCR4x3STEISrEtO71l2HBdrKSYXaxGgILxYwcSi3i2EjzxRDy+0zyy\n" + + "8s7d+OD5ShFYexgSrKH3Xx1cxQAJzGGJVx75HHU9GVh3xHwJ7nDm26KzHegG2XPI\n" + + "BXJ2z8vmsSVTWyj0AjT4kVVapN0f84AKKjyQ7fguCzXGHFV9jmxDx+YH+9HhjIrH\n" + + "SzbDx6+4wyRsxj7Su+hu/bogJ28nnbTzQwARAQABwsGsBBgBCgAJBYJeC+EAApsC\n" + + "AVcJEGhPrWLcA4+7wHSgBBkBCgAGBYJeC+EAACEJEEpyNKOhITplFiEEUXksDkji\n" + + "/alOk7kRSnI0o6EhOmWnSQgAiu/zdEmHf6Wbwfbs/c6FObfPxGuzLkQr4fZKcqK8\n" + + "1MtR1mh1WVLJRgXW4u8cHtZyH5pThngMcUiyzWsa0g6Jaz8w6sr/Wv3e1qdTCITs\n" + + "kMrWCDaoDhD2teAjmWuk9u8ZBPJ7xhme+Q/UQ90xomQ/NdCJafirk2Ds92p7N7RK\n" + + "SES1KywBhfONJbPw1TdZ9Mts+DGjkucYbe+ZzPxrLpWXur1BSGEqBtTAGW3dS/xp\n" + + "wBYNlhasXHjYMr4HeIYYYOx+oR5JgDYoVfp2k0DwK/QXogbja+/Vjv+LrXdNY0t1\n" + + "bA35FNnl637M8iCNrXvIoRFARbNyge8c/jSWGPLB/tIyNhYhBPLRUKT+mJJdUekV\n" + + "OWhPrWLcA4+7FLwIAK1GngNMnruxWM4EoghKTSmKNrd6p/d3Wsd+y2019A7Nz+4O\n" + + "ydkEDvmNVVhlUcfgOf2L6Bf63wdN0ho+ODhCuNSqHe6NL1NhdITbMGnDdKb57IIB\n" + + "9CuJFpILn9LZ1Ei6JPEpmpiSEaL+VJt1fMnfc8jtF8N3WcRVfJsq1aslXe8Npg70\n" + + "9YVgm2OXsNWgktl9fciu4ENTybQGjpN9WTa1aU1nkko6NUoIfjtM+PO4VU7x00M+\n" + + "dTJsYGhnc96EtT8EfSAIFBKZRAkMBFhEcdkxa8hCKI3+nyI3gTq0TcFST3wy05Am\n" + + "oV7wlgzUAMsW7MV2NpG7fJul2Q7puKw+udBUc0TCwawEGAEKAAkFglro/4ACmwIB\n" + + "VwkQaE+tYtwDj7vAdKAEGQEKAAYFglro/4AAIQkQSnI0o6EhOmUWIQRReSwOSOL9\n" + + "qU6TuRFKcjSjoSE6ZeFHB/92jhUTXrEgho6DYhmVFuXa3NGhAjIyZo3yYHMoL9aZ\n" + + "3DUyjxhAyRDpI2CrahQ4JsPhej2m+3fHWa34/tb5mpHYFWEahQvdWSFCcU7p2NUK\n" + + "cq2zNA6ixO2+fQQhmbrYR+TFxYmhLjCGUNt14E/XaIL1VxPQOA5KbiRPpa8BsUNl\n" + + "Nik9ASPWyn0ZA0rjJ1ZV7nJarXVbuZDEcUDuDm3cA5tup7juB8fTz2BDcg3Ka+Oc\n" + + "PEz0GgZfq9K40di3r9IHLBhNPHieFVIj9j/JyMnTvVOceM3J/Rb0MCWJVbXNBKpR\n" + + "MDibCQh+7fbqyQEM/zIpmk0TgBpTZZqMP0gxYdWImT1IFiEE8tFQpP6Ykl1R6RU5\n" + + "aE+tYtwDj7tOtggAhgAqvOB142L2SkS3ZIdwuhAtWLPHCtEwBOqGtP8Z204rqAmb\n" + + "nJymzo77+OT+SScnDTrwzOUJnCi0qPUxfuxhvHxnBxBIjaoMcF++iKsqF1vf6WuX\n" + + "OjbJ1N8I08pB2niht5MxIZ9rMGDeASj79X7I9Jjzsd30OVGfTZyy3VyYPxcJ6n/s\n" + + "ZocNmaTv0/F8K3TirSH6JDXdY5zirRi99GJ3R+AL6OzxrChuvLFSEtIRJrW5XVfg\n" + + "3whc0XD+5J9RsHoL33ub9ZhQHFKsjrf0nGYbEFwMhSdysfTYYMbwKi0CcQeQtPP0\n" + + "Y87zSryajDMFXQS0exdvhN4AXDlPlB3Rrkj7CQ==\n" + + "=MhJL\n" + + "-----END PGP ARMORED FILE-----\n"; + + PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + + KeyRingInfo info = PGPainless.inspectKeyRing(keys); + // Primary key is hard revoked + assertFalse(info.isKeyValidlyBound(keys.getPublicKey().getKeyID())); + } } From b04ecc4eefbcb857e1de80d6fb3478d3f08df914 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 12 Oct 2021 14:56:24 +0200 Subject: [PATCH 0064/1450] Further increase coverage of KeyRingInfo --- .../pgpainless/key/info/KeyRingInfoTest.java | 137 +++++++++++++++++- 1 file changed, 135 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 5a2dd415..54650890 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -8,6 +8,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; @@ -18,19 +19,26 @@ import java.util.Calendar; import java.util.Collections; import java.util.Date; import java.util.Iterator; +import java.util.LinkedHashSet; import java.util.List; +import java.util.NoSuchElementException; +import java.util.Set; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; @@ -420,12 +428,14 @@ public class KeyRingInfoTest { "-----END PGP ARMORED FILE-----\n"; PGPPublicKeyRing keys = PGPainless.readKeyRing().publicKeyRing(KEY); + final long subkeyId = 5364407983539305061L; KeyRingInfo inspectDuringRevokedPeriod = new KeyRingInfo(keys, DateUtil.parseUTCDate("2019-01-02 00:00:00 UTC")); - assertFalse(inspectDuringRevokedPeriod.isKeyValidlyBound(5364407983539305061L)); + assertFalse(inspectDuringRevokedPeriod.isKeyValidlyBound(subkeyId)); + assertNotNull(inspectDuringRevokedPeriod.getSubkeyRevocationSignature(subkeyId)); KeyRingInfo inspectAfterRebinding = new KeyRingInfo(keys, DateUtil.parseUTCDate("2020-01-02 00:00:00 UTC")); - assertTrue(inspectAfterRebinding.isKeyValidlyBound(5364407983539305061L)); + assertTrue(inspectAfterRebinding.isKeyValidlyBound(subkeyId)); } @Test @@ -506,5 +516,128 @@ public class KeyRingInfoTest { KeyRingInfo info = PGPainless.inspectKeyRing(keys); // Primary key is hard revoked assertFalse(info.isKeyValidlyBound(keys.getPublicKey().getKeyID())); + assertFalse(info.isFullyEncrypted()); + } + + @Test + public void getSecretKeyTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(secretKeys); + PGPSecretKey primaryKey = info.getSecretKey(primaryKeyFingerprint); + + assertEquals(secretKeys.getSecretKey(), primaryKey); + } + + @Test + public void testGetLatestKeyCreationDate() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + Date latestCreationDate = DateUtil.parseUTCDate("2020-01-12 18:01:44 UTC"); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + JUtils.assertDateEquals(latestCreationDate, info.getLatestKeyCreationDate()); + } + + @Test + public void testGetExpirationDateForUse_SPLIT() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertThrows(IllegalArgumentException.class, () -> info.getExpirationDateForUse(KeyFlag.SPLIT)); + } + + @Test + public void testGetExpirationDateForUse_SHARED() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertThrows(IllegalArgumentException.class, () -> info.getExpirationDateForUse(KeyFlag.SHARED)); + } + + @Test + public void testGetExpirationDateForUse_NoSuchKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .addUserId("Alice") + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + .build(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + assertThrows(NoSuchElementException.class, () -> info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS)); + } + + @Test + public void testGetPreferredAlgorithms() throws IOException { + String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: AC6F E854 F1F8 FC2C 121F 64BC 5C33 8C29 81C0 25F0\n" + + "Comment: Alice\n" + + "\n" + + "lFgEYWWA1BYJKwYBBAHaRw8BAQdAdrm6pbGxiF810GBTscYRc5Nj3ds1BS3OoMOK\n" + + "Ae7LPEoAAQDqwu/sBr0UQbxwinbc5SxajwkIZFmZppLugkEu19eNIRB8tAVBbGlj\n" + + "ZYh4BBMWCgAgBQJhZYDUAhsBBRYCAwEABRUKCQgLBAsJCAcCHgECGQEACgkQXDOM\n" + + "KYHAJfAqLwEA1H99UN3+/iJZjD0ZecqDZGeH2axtFj9WRr1hqokwFv0A/jXyBV+Q\n" + + "Y+bQYiKcmHwk2n7VxHC4PBNY0pEDI/iDwYcBnF0EYWWA1BIKKwYBBAGXVQEFAQEH\n" + + "QMDczPpxXth89G/sJ84tYrg2WPIut04H4z8Ys49FuH0GAwEIBwAA/0ASQkU3tbCD\n" + + "jqwbnJ69qqQ9Qko+CnwuMcxXBCy5rNBYDl2IdQQYFgoAHQUCYWWA1AIbDAUWAgMB\n" + + "AAUVCgkICwQLCQgHAh4BAAoJEFwzjCmBwCXwcBoBAKhQxSlacUPB27OJ0KVUXJsQ\n" + + "CGoZ4wcOsstla9N1da8uAP9+W6zxc4VFYFZa3L9PsGLaQ01NTgngWJmPG+gRVu9h\n" + + "BJxYBGFlgNQWCSsGAQQB2kcPAQEHQFW53p+2ZwsazALz7P5dYzx0LaQ7lv0veR8e\n" + + "DjKAeAMVAAD6AlUAJfkp19PmEEDWW7I3iSpXB3e5njEDbGs12Kt2XLoOwIjVBBgW\n" + + "CgB9BQJhZYDUAhsCBRYCAwEABRUKCQgLBAsJCAcCHgFfIAQZFgoABgUCYWWA1AAK\n" + + "CRDShjEjcUDsWJA+AQCtbMUCXa8M3znR95V22zxptRmPsapGpw21/t2U4YHYhgD/\n" + + "aFFrxG7Q3pbjHJa42u9jakpCm4zIhyfWI0wasPuaBwMACgkQXDOMKYHAJfCTYgD/\n" + + "Uc9F3P6UQM0KpeUbensec/fKs8tp67WLLBvBa+p0YBIA/272CXdHaJurCEJoDYaG\n" + + "/+XL+qMMgLHaQ25aA11GVAkC\n" + + "=7gbt\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + final long pkid = 6643807985200014832L; + final long skid1 = -2328413746552029063L; + final long skid2 = -3276877650571760552L; + Set preferredHashAlgorithms = new LinkedHashSet<>( + Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224)); + Set preferredCompressionAlgorithms = new LinkedHashSet<>( + Arrays.asList(CompressionAlgorithm.ZLIB, CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZIP, CompressionAlgorithm.UNCOMPRESSED)); + Set preferredSymmetricAlgorithms = new LinkedHashSet<>( + Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128)); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + // Bob is an invalid userId + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", 0)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", pkid)); + // 123 is an invalid keyid + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(null, 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Alice", 123L)); + + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms("Alice", pkid)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, pkid)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, skid1)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, skid2)); + + // Bob is an invalid userId + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob", 0)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob", pkid)); + // 123 is an invalid keyid + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms(null, 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Alice", 123L)); + + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms("Alice", pkid)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, pkid)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, skid1)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, skid2)); + + // Bob is an invalid userId + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", 0)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", pkid)); + // 123 is an invalid keyid + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(null, 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Alice", 123L)); + + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms("Alice", pkid)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, pkid)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, skid1)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, skid2)); + } } From 4e16cf13c5df119ef9ae4c430a056d2069eb6ec8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 12 Oct 2021 15:31:38 +0200 Subject: [PATCH 0065/1450] Remove unused subclass --- .../decryption_verification/SignatureInputStream.java | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index 59c93a4c..6166d6f6 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -13,7 +13,6 @@ import java.util.List; import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPPublicKeyRing; -import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; @@ -141,10 +140,4 @@ public abstract class SignatureInputStream extends FilterInputStream { } } - - public static class CleartextSignatures extends SignatureInputStream { - public CleartextSignatures(InputStream inputStream, List signatures) { - super(inputStream); - } - } } From 5ea8294a6090a583adcfbdaff7537693425b7a38 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 14 Oct 2021 15:27:01 +0200 Subject: [PATCH 0066/1450] Improve javadoc of Feature class --- .../org/pgpainless/algorithm/Feature.java | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java index df6d1de5..27837b09 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java @@ -19,13 +19,36 @@ import org.bouncycastle.bcpg.sig.Features; public enum Feature { /** - * Add modification detection package. + * Support for Symmetrically Encrypted Integrity Protected Data Packets using Modification Detection Code Packets. * * @see * RFC-4880 §5.14: Modification Detection Code Packet */ MODIFICATION_DETECTION(Features.FEATURE_MODIFICATION_DETECTION), + + /** + * Support for Authenticated Encryption with Additional Data (AEAD). + * If a key announces this feature, it signals support for consuming AEAD Encrypted Data Packets. + * + * NOTE: PGPAINLESS DOES NOT YET SUPPORT THIS FEATURE!!! + * + * @see + * AEAD Encrypted Data Packet + */ AEAD_ENCRYPTED_DATA(Features.FEATURE_AEAD_ENCRYPTED_DATA), + + /** + * If a key announces this feature, it is a version 5 public key. + * The version 5 format is similar to the version 4 format except for the addition of a count for the key material. + * This count helps parsing secret key packets (which are an extension of the public key packet format) in the case + * of an unknown algorithm. + * In addition, fingerprints of version 5 keys are calculated differently from version 4 keys. + * + * NOTE: PGPAINLESS DOES NOT YET SUPPORT THIS FEATURE!!! + * + * @see + * Public-Key Packet Formats + */ VERSION_5_PUBLIC_KEY(Features.FEATURE_VERSION_5_PUBLIC_KEY) ; From aef213a672cb74edb95d678694cd6a288c55912a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 14 Oct 2021 15:53:49 +0200 Subject: [PATCH 0067/1450] Fix AssertionError when determining encryption subkeys from set containing unbound key --- .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 64af5ebb..6c1b5778 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -748,12 +748,13 @@ public class KeyRingInfo { List encryptionKeys = new ArrayList<>(); while (subkeys.hasNext()) { PGPPublicKey subKey = subkeys.next(); - Date subkeyExpiration = getSubkeyExpirationDate(new OpenPgpV4Fingerprint(subKey)); - if (subkeyExpiration != null && subkeyExpiration.before(new Date())) { + + if (!isKeyValidlyBound(subKey.getKeyID())) { continue; } - if (!isKeyValidlyBound(subKey.getKeyID())) { + Date subkeyExpiration = getSubkeyExpirationDate(new OpenPgpV4Fingerprint(subKey)); + if (subkeyExpiration != null && subkeyExpiration.before(new Date())) { continue; } From 23b714f61b31eb93d70a8883ea2977e5ec85a401 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 14 Oct 2021 16:15:42 +0200 Subject: [PATCH 0068/1450] Only consider validly bound subkeys when determining latest key creation date --- .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 6c1b5778..f5a23ca0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -532,13 +532,16 @@ public class KeyRingInfo { public @Nonnull Date getLatestKeyCreationDate() { Date latestCreation = null; for (PGPPublicKey key : getPublicKeys()) { + if (!isKeyValidlyBound(key.getKeyID())) { + continue; + } Date keyCreation = key.getCreationTime(); if (latestCreation == null || latestCreation.before(keyCreation)) { latestCreation = keyCreation; } } if (latestCreation == null) { - throw new AssertionError("Apparently there is no key in this key ring."); + throw new AssertionError("Apparently there is no validly bound key in this key ring."); } return latestCreation; } From bebb9709ac5eac907c2149da2447ce3c8e8493d5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 14 Oct 2021 16:16:06 +0200 Subject: [PATCH 0069/1450] Add tests for how unbound subkeys are handled in KeyRingInfo --- .../pgpainless/key/info/KeyRingInfoTest.java | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 54650890..4a344f98 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -35,6 +35,7 @@ import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; @@ -640,4 +641,77 @@ public class KeyRingInfoTest { assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, skid2)); } + + @Test + public void testUnboundSubkeyIsIgnored() throws IOException { + // Contains unbound subkey D622C916384E0F6D364907E55D918BBD521CCD10 + String KEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + + "\n" + + "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" + + "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" + + "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" + + "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" + + "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" + + "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" + + "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" + + "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" + + "vLIwa3T4CyshfT0AEQEAAc0hQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" + + "bGU+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" + + "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" + + "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" + + "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" + + "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" + + "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" + + "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" + + "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" + + "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" + + "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGzsDNBF2lnPIBDADW\n" + + "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" + + "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" + + "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" + + "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" + + "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" + + "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" + + "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" + + "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" + + "EQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" + + "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" + + "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" + + "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" + + "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" + + "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" + + "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" + + "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" + + "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" + + "NEJd3XZRzaXZE2aAMc7ATQRhaDWyAQgA1CaZPxLUMm7sH0i/KTWVqqFgTTxVJjy+\n" + + "Aj3vjhrzAsQw1gqtbLXTlwBVVqhGIisEf7ZsFBBIzXNXi2Gk2O8HiZoKyey87f4R\n" + + "MkVCmHZKJyL2vBhsl8bfHI8rK41XeVmmpGnM+pUgD2MSoBbyDZKqhr3+zsnJD4gt\n" + + "hNMEYmZkqOzO20c1TO/92qPmmNn8hFa7sRqcff4TEzy3SsYUxsXvV/FjCfVNC3ij\n" + + "2u3RlB/8xljVjXhtrvlyl5uwmjJYs2fR9RHQPfhQt0YvcXw5ihCcLK0mu2FP0qT+\n" + + "C9h35EjDuD+1COXUOoW2B8LX6m2yf8cY72K70QgtGemj7UWhXL5u/wARAQAB\n" + + "=A3B8\n" + + "-----END PGP PUBLIC KEY BLOCK-----\n"; + + PGPPublicKeyRing certificate = PGPainless.readKeyRing().publicKeyRing(KEY); + OpenPgpV4Fingerprint unboundKey = new OpenPgpV4Fingerprint("D622C916384E0F6D364907E55D918BBD521CCD10"); + KeyRingInfo info = PGPainless.inspectKeyRing(certificate); + + assertFalse(info.isKeyValidlyBound(unboundKey.getKeyId())); + + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + assertTrue(encryptionSubkeys.stream().map(OpenPgpV4Fingerprint::new).noneMatch(f -> f.equals(unboundKey)), + "Unbound subkey MUST NOT be considered a valid encryption subkey"); + + List signingSubkeys = info.getSigningSubkeys(); + assertTrue(signingSubkeys.stream().map(OpenPgpV4Fingerprint::new).noneMatch(f -> f.equals(unboundKey)), + "Unbound subkey MUST NOT be considered a valid signing subkey"); + + assertTrue(info.getKeyFlagsOf(unboundKey.getKeyId()).isEmpty()); + + Date latestModification = info.getLastModified(); + Date latestKeyCreation = info.getLatestKeyCreationDate(); + Date unboundKeyCreation = certificate.getPublicKey(unboundKey.getKeyId()).getCreationTime(); + assertTrue(unboundKeyCreation.after(latestModification)); + assertTrue(unboundKeyCreation.after(latestKeyCreation)); + } } From 2ad917d27c4d9e5f537752f3c68aa62532d533d3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 18 Oct 2021 16:01:19 +0200 Subject: [PATCH 0070/1450] Add ConsumerOptions.setMissingKeyPassphraseStrategy() This allows switching missing passphrase handling from interactive mode (fire callbacks to prompt user for missing key passphrases) to non-interactive mode (throw MissingPassphraseException with all keys with missing passphrase in it). Fixes #193 --- .../ConsumerOptions.java | 11 ++ .../DecryptionStreamFactory.java | 42 +++-- .../MissingKeyPassphraseStrategy.java | 10 ++ .../exception/MissingPassphraseException.java | 26 +++ .../MissingPassphraseForDecryptionTest.java | 154 ++++++++++++++++++ 5 files changed, 231 insertions(+), 12 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index f4bc7134..f5be25bd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -32,6 +32,7 @@ import org.pgpainless.util.Passphrase; */ public class ConsumerOptions { + private boolean ignoreMDCErrors = false; private Date verifyNotBefore = null; @@ -47,6 +48,7 @@ public class ConsumerOptions { private final Map decryptionKeys = new HashMap<>(); private final Set decryptionPassphrases = new HashSet<>(); + private MissingKeyPassphraseStrategy missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE; /** @@ -289,4 +291,13 @@ public class ConsumerOptions { boolean isIgnoreMDCErrors() { return ignoreMDCErrors; } + + public ConsumerOptions setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy strategy) { + this.missingKeyPassphraseStrategy = strategy; + return this; + } + + MissingKeyPassphraseStrategy getMissingKeyPassphraseStrategy() { + return missingKeyPassphraseStrategy; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 6e9627de..07ddb01a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -10,6 +10,7 @@ import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -47,6 +48,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.MissingDecryptionMethodException; import org.pgpainless.exception.MissingLiteralDataException; +import org.pgpainless.exception.MissingPassphraseException; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.exception.UnacceptableAlgorithmException; import org.pgpainless.exception.WrongConsumingMethodException; @@ -67,6 +69,7 @@ import org.slf4j.LoggerFactory; public final class DecryptionStreamFactory { + private static final Logger LOGGER = LoggerFactory.getLogger(DecryptionStreamFactory.class); private static final int MAX_RECURSION_DEPTH = 16; @@ -382,21 +385,36 @@ public final class DecryptionStreamFactory { // Try postponed keys with missing passphrases (will cause missing passphrase callbacks to fire) if (encryptedSessionKey == null) { - for (Tuple missingPassphrases : postponedDueToMissingPassphrase) { - SubkeyIdentifier keyId = missingPassphrases.getA(); - PGPPublicKeyEncryptedData publicKeyEncryptedData = missingPassphrases.getB(); - PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId.getKeyId()); - PGPSecretKey secretKey = secretKeys.getSecretKey(keyId.getSubkeyId()); - PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, false); - if (privateKey == null) { - continue; + if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.THROW_EXCEPTION) { + // Non-interactive mode: Throw an exception with all locked decryption keys + Set keyIds = new HashSet<>(); + for (Tuple k : postponedDueToMissingPassphrase) { + keyIds.add(k.getA()); } - - decryptionKey = privateKey; - encryptedSessionKey = publicKeyEncryptedData; - break; + throw new MissingPassphraseException(keyIds); } + else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) { + // Interactive mode: Fire protector callbacks to get passphrases interactively + for (Tuple missingPassphrases : postponedDueToMissingPassphrase) { + SubkeyIdentifier keyId = missingPassphrases.getA(); + PGPPublicKeyEncryptedData publicKeyEncryptedData = missingPassphrases.getB(); + PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId.getKeyId()); + PGPSecretKey secretKey = secretKeys.getSecretKey(keyId.getSubkeyId()); + + PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, false); + if (privateKey == null) { + continue; + } + + decryptionKey = privateKey; + encryptedSessionKey = publicKeyEncryptedData; + break; + } + } else { + throw new IllegalStateException("Invalid PostponedKeysStrategy set in consumer options."); + } + } return decryptWith(encryptedSessionKey, decryptionKey); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java new file mode 100644 index 00000000..166f954b --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java @@ -0,0 +1,10 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +public enum MissingKeyPassphraseStrategy { + INTERACTIVE, // ask for missing key passphrases one by one + THROW_EXCEPTION // throw an exception with all keys with missing passphrases +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java new file mode 100644 index 00000000..3f8e0799 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingPassphraseException.java @@ -0,0 +1,26 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception; + +import java.util.Arrays; +import java.util.Collections; +import java.util.Set; + +import org.bouncycastle.openpgp.PGPException; +import org.pgpainless.key.SubkeyIdentifier; + +public class MissingPassphraseException extends PGPException { + + private final Set keyIds; + + public MissingPassphraseException(Set keyIds) { + super("Missing passphrase encountered for keys " + Arrays.toString(keyIds.toArray())); + this.keyIds = Collections.unmodifiableSet(keyIds); + } + + public Set getKeyIds() { + return keyIds; + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java new file mode 100644 index 00000000..e7b36875 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -0,0 +1,154 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.List; +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.EncryptionPurpose; +import org.pgpainless.encryption_signing.EncryptionOptions; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.exception.MissingPassphraseException; +import org.pgpainless.key.SubkeyIdentifier; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; +import org.pgpainless.util.Passphrase; + +public class MissingPassphraseForDecryptionTest { + + private String passphrase = "dragon123"; + private PGPSecretKeyRing secretKeys; + private byte[] message; + + @BeforeEach + public void setup() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + secretKeys = PGPainless.generateKeyRing().modernKeyRing("Test", passphrase); + PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + .onOutputStream(out) + .withOptions(ProducerOptions.encrypt(EncryptionOptions.encryptCommunications() + .addRecipient(certificate))); + + Streams.pipeAll(new ByteArrayInputStream("Hey, what's up?".getBytes(StandardCharsets.UTF_8)), encryptionStream); + encryptionStream.close(); + message = out.toByteArray(); + } + + @Test + public void invalidPostponedKeysStrategyTest() { + SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + fail("MUST NOT get called in if postponed key strategy is invalid."); + return null; + } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } + }; + ConsumerOptions options = new ConsumerOptions() + .setMissingKeyPassphraseStrategy(null) // illegal + .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); + + assertThrows(IllegalStateException.class, () -> PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(message)) + .withOptions(options)); + } + + @Test + public void interactiveStrategy() throws PGPException, IOException { + // interactive callback + SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + // is called in interactive mode + return Passphrase.fromPassword(passphrase); + } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } + }; + ConsumerOptions options = new ConsumerOptions() + .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.INTERACTIVE) + .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(message)) + .withOptions(options); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + + decryptionStream.close(); + assertArrayEquals("Hey, what's up?".getBytes(StandardCharsets.UTF_8), out.toByteArray()); + } + + @Test + public void throwExceptionStrategy() throws PGPException, IOException { + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + + SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { + @Nullable + @Override + public Passphrase getPassphraseFor(Long keyId) { + fail("MUST NOT get called in non-interactive mode."); + return null; + } + + @Override + public boolean hasPassphrase(Long keyId) { + return true; + } + }; + + ConsumerOptions options = new ConsumerOptions() + .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) + .addDecryptionKey(secretKeys, SecretKeyRingProtector.defaultSecretKeyRingProtector(callback)); + + try { + PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(message)) + .withOptions(options); + fail("Expected exception!"); + } catch (MissingPassphraseException e) { + assertFalse(e.getKeyIds().isEmpty()); + assertEquals(encryptionKeys.size(), e.getKeyIds().size()); + for (PGPPublicKey encryptionKey : encryptionKeys) { + assertTrue(e.getKeyIds().contains(new SubkeyIdentifier(secretKeys, encryptionKey.getKeyID()))); + } + } + } +} From dc0b96278e4f7fcec8bc60df0386360194052fcd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 18 Oct 2021 16:19:12 +0200 Subject: [PATCH 0071/1450] Add javadoc --- .../ConsumerOptions.java | 27 +++++++++++++++++++ .../MissingKeyPassphraseStrategy.java | 15 +++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index f5be25bd..3c1a9454 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -225,6 +225,9 @@ public class ConsumerOptions { /** * Add a passphrase for message decryption. + * This passphrase will be used to try to decrypt messages which were symmetrically encrypted for a passphrase. + * + * @see Symmetrically Encrypted Data Packet * * @param passphrase passphrase * @return options @@ -288,15 +291,39 @@ public class ConsumerOptions { return this; } + /** + * Return true, if PGPainless is ignoring MDC errors. + * + * @return ignore mdc errors + */ boolean isIgnoreMDCErrors() { return ignoreMDCErrors; } + /** + * Specify the {@link MissingKeyPassphraseStrategy}. + * This strategy defines, how missing passphrases for unlocking secret keys are handled. + * In interactive mode ({@link MissingKeyPassphraseStrategy#INTERACTIVE}) PGPainless will try to obtain missing + * passphrases for secret keys via the {@link SecretKeyRingProtector SecretKeyRingProtectors} + * {@link org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider} callback. + * + * In non-interactice mode ({@link MissingKeyPassphraseStrategy#THROW_EXCEPTION}, PGPainless will instead + * throw a {@link org.pgpainless.exception.MissingPassphraseException} containing the ids of all keys for which + * there are missing passphrases. + * + * @param strategy strategy + * @return options + */ public ConsumerOptions setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy strategy) { this.missingKeyPassphraseStrategy = strategy; return this; } + /** + * Return the currently configured {@link MissingKeyPassphraseStrategy}. + * + * @return missing key passphrase strategy + */ MissingKeyPassphraseStrategy getMissingKeyPassphraseStrategy() { return missingKeyPassphraseStrategy; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java index 166f954b..ed6a9c63 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingKeyPassphraseStrategy.java @@ -4,7 +4,18 @@ package org.pgpainless.decryption_verification; +/** + * Strategy defining how missing secret key passphrases are handled. + */ public enum MissingKeyPassphraseStrategy { - INTERACTIVE, // ask for missing key passphrases one by one - THROW_EXCEPTION // throw an exception with all keys with missing passphrases + /** + * Try to interactively obtain key passphrases one-by-one via callbacks, + * eg {@link org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider}. + */ + INTERACTIVE, + /** + * Do not try to obtain passphrases interactively and instead throw a + * {@link org.pgpainless.exception.MissingPassphraseException} listing all keys with missing passphrases. + */ + THROW_EXCEPTION } From c6f9c723eeffcf85840e62746847f2a444d62f00 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 18 Oct 2021 16:24:22 +0200 Subject: [PATCH 0072/1450] PGPainless 0.2.16 --- CHANGELOG.md | 6 ++++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 854b888f..f4bb3e49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 0.2.16 +- Fix handling of subkey revocation signatures +- SOP: improve API use with byte arrays +- Fix `AssertionError` when determining encryption subkeys from set containing unbound key +- Add `ConsumerOptions.setMissingKeyPassphraseStrategy(strategy)` to modify behavior when missing key passphrases are encountered during decryption + ## 0.2.15 - Add `ConsumerOptions.setIgnoreMDCErrors()` which can be used to consume broken messages. Not recommended! - Add `MessageInspector.isSignedOnly()` which can be used to identify messages created via `gpg --sign --armor` diff --git a/README.md b/README.md index daf32d6d..b41f6db9 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.14' + implementation 'org.pgpainless:pgpainless-core:0.2.16' } ``` diff --git a/version.gradle b/version.gradle index 86f4f1b0..a918a123 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '0.2.16' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From b7bf722ecfa08de5278376a5c6e94bd213328fc9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 18 Oct 2021 16:28:52 +0200 Subject: [PATCH 0073/1450] PGPainless-0.2.17-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index a918a123..c9afc786 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.16' - isSnapshot = false + shortVersion = '0.2.17' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From f05be3dc307cde429fb2896a9ddc011bd34d36cd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 19 Oct 2021 18:13:23 +0200 Subject: [PATCH 0074/1450] Fix prematurely throwing of MissingPassphraseException --- .../decryption_verification/DecryptionStreamFactory.java | 4 +++- .../symmetric_encryption/SymmetricEncryptionTest.java | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 07ddb01a..d598cce8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -392,7 +392,9 @@ public final class DecryptionStreamFactory { for (Tuple k : postponedDueToMissingPassphrase) { keyIds.add(k.getA()); } - throw new MissingPassphraseException(keyIds); + if (!keyIds.isEmpty()) { + throw new MissingPassphraseException(keyIds); + } } else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) { // Interactive mode: Fire protector callbacks to get passphrases interactively diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index 4f6172f4..68f929af 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -22,6 +22,7 @@ import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.MissingKeyPassphraseStrategy; import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; @@ -113,6 +114,7 @@ public class SymmetricEncryptionTest { assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray())) .withOptions(new ConsumerOptions() + .setMissingKeyPassphraseStrategy(MissingKeyPassphraseStrategy.THROW_EXCEPTION) .addDecryptionPassphrase(Passphrase.fromPassword("meldir")))); } } From 3de69b83e7505bbdf976d74baf59d7e8235b6f6e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 14:33:41 +0200 Subject: [PATCH 0075/1450] Small README fixes --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b41f6db9..d66357fc 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ SPDX-License-Identifier: Apache-2.0 PGPainless aims to make using OpenPGP in Java projects as simple as possible. It does so by introducing an intuitive Builder structure, which allows easy -setup of encryptionOptions / decryption operations, as well as straight forward key generation. +setup of encryption/decryption operations, as well as straight forward key generation. PGPainless is based around the Bouncycastle java library and can be used on Android down to API level 10. It can be configured to either use the Java Cryptographic Engine (JCE), or Bouncycastles lightweight reimplementation. From 2435e2e1303a76166bd65c82bddf988bfbc24d41 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 15:25:26 +0200 Subject: [PATCH 0076/1450] PGPainless 0.2.17 --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index c9afc786..b6f0de75 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '0.2.17' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 3f31b076dd772c1c1cc900c31a62899b96f95b09 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 15:30:37 +0200 Subject: [PATCH 0077/1450] PGPainless-0.2.18-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index b6f0de75..432ab1fd 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.17' - isSnapshot = false + shortVersion = '0.2.18' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From a8998f27ad22fe6e2dd250dff33f8af7c45bdb5e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 21:26:47 +0200 Subject: [PATCH 0078/1450] Introduce HashAlgorithmNegotiator --- .../negotiation/HashAlgorithmNegotiator.java | 37 +++++++++++++++++++ .../encryption_signing/SigningOptions.java | 17 ++------- .../key/util/OpenPgpKeyAttributeUtil.java | 22 +++++++++-- .../pgpainless/signature/SignatureUtils.java | 32 ++++------------ 4 files changed, 67 insertions(+), 41 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java new file mode 100644 index 00000000..f76a2c26 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java @@ -0,0 +1,37 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.algorithm.negotiation; + +import java.util.Set; + +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.policy.Policy; + +public interface HashAlgorithmNegotiator { + + HashAlgorithm negotiateHashAlgorithm(Set orderedHashAlgorithmPreferencesSet); + + static HashAlgorithmNegotiator negotiateSignatureHashAlgorithm(Policy policy) { + return negotiateByPolicy(policy.getSignatureHashAlgorithmPolicy()); + } + + static HashAlgorithmNegotiator negotiateRevocationSignatureAlgorithm(Policy policy) { + return negotiateByPolicy(policy.getRevocationSignatureHashAlgorithmPolicy()); + } + + static HashAlgorithmNegotiator negotiateByPolicy(Policy.HashAlgorithmPolicy hashAlgorithmPolicy) { + return new HashAlgorithmNegotiator() { + @Override + public HashAlgorithm negotiateHashAlgorithm(Set orderedPreferencesSet) { + for (HashAlgorithm preference : orderedPreferencesSet) { + if (hashAlgorithmPolicy.isAcceptable(preference)) { + return preference; + } + } + return hashAlgorithmPolicy.defaultHashAlgorithm(); + } + }; + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index eb50db5d..651e96ea 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -23,6 +23,7 @@ import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.exception.KeyCannotSignException; import org.pgpainless.exception.KeyValidationError; import org.pgpainless.implementation.ImplementationFactory; @@ -270,7 +271,7 @@ public final class SigningOptions { /** * Negotiate, which hash algorithm to use. * - * This method gives highest priority to the algorithm override, which can be set via {@link #overrideHashAlgorithm(HashAlgorithm)}. + * This method gives the highest priority to the algorithm override, which can be set via {@link #overrideHashAlgorithm(HashAlgorithm)}. * After that, the signing keys hash algorithm preferences are iterated to find the first acceptable algorithm. * Lastly, should no acceptable algorithm be found, the {@link Policy Policies} default signature hash algorithm is * used as a fallback. @@ -284,18 +285,8 @@ public final class SigningOptions { return hashAlgorithmOverride; } - HashAlgorithm algorithm = policy.getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); - if (preferences.isEmpty()) { - return algorithm; - } - - for (HashAlgorithm pref : preferences) { - if (policy.getSignatureHashAlgorithmPolicy().isAcceptable(pref)) { - return pref; - } - } - - return algorithm; + return HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(policy) + .negotiateHashAlgorithm(preferences); } private PGPSignatureGenerator createSignatureGenerator(PGPPrivateKey privateKey, diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java index 673b86ec..a775bc08 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java @@ -8,7 +8,9 @@ import java.util.ArrayList; import java.util.Collections; import java.util.Date; import java.util.Iterator; +import java.util.LinkedHashSet; import java.util.List; +import java.util.Set; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSignature; @@ -23,7 +25,6 @@ public final class OpenPgpKeyAttributeUtil { public static List getPreferredHashAlgorithms(PGPPublicKey publicKey) { List hashAlgorithms = new ArrayList<>(); - // TODO: I'd assume that we have to use publicKey.getKeySignatures() here, but that is empty... Iterator keySignatures = publicKey.getSignatures(); while (keySignatures.hasNext()) { PGPSignature signature = (PGPSignature) keySignatures.next(); @@ -44,8 +45,6 @@ public final class OpenPgpKeyAttributeUtil { hashAlgorithms.add(HashAlgorithm.fromId(h)); } // Exit the loop after the first key signature with hash algorithms. - // TODO: Find out, if it is possible that there are multiple key signatures which specify preferred - // algorithms and how to deal with that. break; } } @@ -87,4 +86,21 @@ public final class OpenPgpKeyAttributeUtil { } return Collections.singletonList(hashAlgorithm); } + + /** + * Try to extract hash algorithm preferences from self signatures. + * If no self-signature containing hash algorithm preferences is found, + * try to derive a hash algorithm preference by inspecting the hash algorithm used by existing + * self-signatures. + * + * @param publicKey key + * @return hash algorithm preferences (might be empty!) + */ + public static Set getOrGuessPreferredHashAlgorithms(PGPPublicKey publicKey) { + List preferredHashAlgorithms = OpenPgpKeyAttributeUtil.getPreferredHashAlgorithms(publicKey); + if (preferredHashAlgorithms.isEmpty()) { + preferredHashAlgorithms = OpenPgpKeyAttributeUtil.guessPreferredHashAlgorithms(publicKey); + } + return new LinkedHashSet<>(preferredHashAlgorithms); + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index ff05ca9f..0a6003f2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -10,7 +10,9 @@ import java.io.InputStream; import java.nio.charset.Charset; import java.util.ArrayList; import java.util.Date; +import java.util.LinkedHashSet; import java.util.List; +import java.util.Set; import org.bouncycastle.bcpg.sig.IssuerKeyID; import org.bouncycastle.bcpg.sig.KeyExpirationTime; @@ -30,6 +32,7 @@ import org.bouncycastle.util.encoders.Hex; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; @@ -78,39 +81,18 @@ public final class SignatureUtils { * If no preferences can be derived, the key will fall back to the default hash algorithm as set in * the {@link org.pgpainless.policy.Policy}. * - * TODO: Move negotiation to negotiator class - * * @param publicKey public key * @return content signer builder */ private static PGPContentSignerBuilder getPgpContentSignerBuilderForKey(PGPPublicKey publicKey) { - List preferredHashAlgorithms = OpenPgpKeyAttributeUtil.getPreferredHashAlgorithms(publicKey); - if (preferredHashAlgorithms.isEmpty()) { - preferredHashAlgorithms = OpenPgpKeyAttributeUtil.guessPreferredHashAlgorithms(publicKey); - } - HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(preferredHashAlgorithms); + Set hashAlgorithmSet = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); + + HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) + .negotiateHashAlgorithm(hashAlgorithmSet); return ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKey.getAlgorithm(), hashAlgorithm.getAlgorithmId()); } - /** - * Negotiate an acceptable hash algorithm from the provided list of options. - * Acceptance of hash algorithms can be changed by setting a custom {@link Policy}. - * - * @param preferredHashAlgorithms list of preferred hash algorithms of a key - * @return first acceptable algorithm, or policies default hash algorithm - */ - private static HashAlgorithm negotiateHashAlgorithm(List preferredHashAlgorithms) { - Policy policy = PGPainless.getPolicy(); - for (HashAlgorithm option : preferredHashAlgorithms) { - if (policy.getSignatureHashAlgorithmPolicy().isAcceptable(option)) { - return option; - } - } - - return PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); - } - /** * Extract and return the key expiration date value from the given signature. * If the signature does not carry a {@link KeyExpirationTime} subpacket, return null. From 2b2639bde72ce106d0664e27949e3567d7d845a4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 21:37:48 +0200 Subject: [PATCH 0079/1450] Fix checkstyle issues --- .../src/main/java/org/pgpainless/signature/SignatureUtils.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index 0a6003f2..754f3e7e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -10,7 +10,6 @@ import java.io.InputStream; import java.nio.charset.Charset; import java.util.ArrayList; import java.util.Date; -import java.util.LinkedHashSet; import java.util.List; import java.util.Set; @@ -37,7 +36,6 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.policy.Policy; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.ArmorUtils; From 963a8170daa285fa2c5db25b3d372d0f591b4ad6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 23 Oct 2021 16:44:40 +0200 Subject: [PATCH 0080/1450] Fix decryption of signed messages created with PGPainless < 0.2.10 --- .../DecryptionStreamFactory.java | 54 ++----- .../SignatureInputStream.java | 57 ++++++++ ...artialLengthLiteralDataRegressionTest.java | 135 ++++++++++++++++++ 3 files changed, 200 insertions(+), 46 deletions(-) create mode 100644 pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index d598cce8..55ae284d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -34,7 +34,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; @@ -150,13 +149,13 @@ public final class DecryptionStreamFactory { // to allow for detached signature verification. LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?"); bufferedIn.reset(); - inputStream = wrapInVerifySignatureStream(bufferedIn); + inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } catch (IOException e) { if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) { // We falsely assumed the data to be armored. LOGGER.debug("The message is apparently not armored."); bufferedIn.reset(); - inputStream = wrapInVerifySignatureStream(bufferedIn); + inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } else { throw e; } @@ -166,10 +165,10 @@ public final class DecryptionStreamFactory { (decoderStream instanceof ArmoredInputStream) ? decoderStream : null); } - private InputStream wrapInVerifySignatureStream(InputStream bufferedIn) { + private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, PGPObjectFactory objectFactory) { return new SignatureInputStream.VerifySignatures( - bufferedIn, onePassSignatureChecks, - detachedSignatureChecks, options, + bufferedIn, objectFactory, onePassSignatureChecks, + onePassSignaturesWithMissingCert, detachedSignatureChecks, options, resultBuilder); } @@ -222,7 +221,7 @@ public final class DecryptionStreamFactory { throws PGPException, IOException { LOGGER.debug("Depth {}: Encountered PGPOnePassSignatureList of size {}", depth, onePassSignatures.size()); initOnePassSignatures(onePassSignatures); - return processPGPPackets(objectFactory, ++depth); + return processPGPPackets(objectFactory, depth); } private InputStream processPGPLiteralData(@Nonnull PGPObjectFactory objectFactory, PGPLiteralData pgpLiteralData, int depth) throws IOException { @@ -238,48 +237,11 @@ public final class DecryptionStreamFactory { return literalDataInputStream; } - // Parse signatures from message - PGPSignatureList signatures = parseSignatures(objectFactory); - List signatureList = SignatureUtils.toList(signatures); - // Set signatures as comparison sigs in OPS checks - for (int i = 0; i < onePassSignatureChecks.size(); i++) { - int reversedIndex = onePassSignatureChecks.size() - i - 1; - onePassSignatureChecks.get(i).setSignature(signatureList.get(reversedIndex)); - } - - for (PGPSignature signature : signatureList) { - if (onePassSignaturesWithMissingCert.containsKey(signature.getKeyID())) { - OnePassSignatureCheck check = onePassSignaturesWithMissingCert.remove(signature.getKeyID()); - check.setSignature(signature); - - resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null), - new SignatureValidationException("Missing verification certificate " + Long.toHexString(signature.getKeyID()))); - } - } - - return new SignatureInputStream.VerifySignatures(literalDataInputStream, - onePassSignatureChecks, detachedSignatureChecks, options, resultBuilder) { + return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory, + onePassSignatureChecks, onePassSignaturesWithMissingCert, detachedSignatureChecks, options, resultBuilder) { }; } - private PGPSignatureList parseSignatures(PGPObjectFactory objectFactory) throws IOException { - PGPSignatureList signatureList = null; - Object pgpObject = objectFactory.nextObject(); - while (pgpObject != null && signatureList == null) { - if (pgpObject instanceof PGPSignatureList) { - signatureList = (PGPSignatureList) pgpObject; - } else { - pgpObject = objectFactory.nextObject(); - } - } - - if (signatureList == null || signatureList.isEmpty()) { - throw new IOException("Verification failed - No Signatures found"); - } - - return signatureList; - } - private InputStream decryptSessionKey(@Nonnull PGPEncryptedDataList encryptedDataList) throws PGPException { Iterator encryptedDataIterator = encryptedDataList.getEncryptedDataObjects(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index 6166d6f6..5145f86b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -10,15 +10,20 @@ import java.io.FilterInputStream; import java.io.IOException; import java.io.InputStream; import java.util.List; +import java.util.Map; import javax.annotation.Nonnull; +import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureList; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; import org.pgpainless.signature.CertificateValidator; import org.pgpainless.signature.DetachedSignatureCheck; import org.pgpainless.signature.OnePassSignatureCheck; +import org.pgpainless.signature.SignatureUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -32,19 +37,25 @@ public abstract class SignatureInputStream extends FilterInputStream { private static final Logger LOGGER = LoggerFactory.getLogger(VerifySignatures.class); + private final PGPObjectFactory objectFactory; private final List opSignatures; + private final Map opSignaturesWithMissingCert; private final List detachedSignatures; private final ConsumerOptions options; private final OpenPgpMetadata.Builder resultBuilder; public VerifySignatures( InputStream literalDataStream, + PGPObjectFactory objectFactory, List opSignatures, + Map onePassSignaturesWithMissingCert, List detachedSignatures, ConsumerOptions options, OpenPgpMetadata.Builder resultBuilder) { super(literalDataStream); + this.objectFactory = objectFactory; this.opSignatures = opSignatures; + this.opSignaturesWithMissingCert = onePassSignaturesWithMissingCert; this.detachedSignatures = detachedSignatures; this.options = options; this.resultBuilder = resultBuilder; @@ -71,6 +82,7 @@ public abstract class SignatureInputStream extends FilterInputStream { final boolean endOfStream = read == -1; if (endOfStream) { + parseAndCombineSignatures(); verifyOnePassSignatures(); verifyDetachedSignatures(); } else { @@ -80,6 +92,51 @@ public abstract class SignatureInputStream extends FilterInputStream { return read; } + public void parseAndCombineSignatures() throws IOException { + // Parse signatures from message + PGPSignatureList signatures; + try { + signatures = parseSignatures(objectFactory); + } catch (IOException e) { + return; + } + List signatureList = SignatureUtils.toList(signatures); + // Set signatures as comparison sigs in OPS checks + for (int i = 0; i < opSignatures.size(); i++) { + int reversedIndex = opSignatures.size() - i - 1; + opSignatures.get(i).setSignature(signatureList.get(reversedIndex)); + } + + for (PGPSignature signature : signatureList) { + if (opSignaturesWithMissingCert.containsKey(signature.getKeyID())) { + OnePassSignatureCheck check = opSignaturesWithMissingCert.remove(signature.getKeyID()); + check.setSignature(signature); + + resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null), + new SignatureValidationException("Missing verification certificate " + Long.toHexString(signature.getKeyID()))); + } + } + } + + private PGPSignatureList parseSignatures(PGPObjectFactory objectFactory) throws IOException { + PGPSignatureList signatureList = null; + Object pgpObject = objectFactory.nextObject(); + while (pgpObject != null && signatureList == null) { + if (pgpObject instanceof PGPSignatureList) { + signatureList = (PGPSignatureList) pgpObject; + } else { + pgpObject = objectFactory.nextObject(); + } + } + + if (signatureList == null || signatureList.isEmpty()) { + throw new IOException("Verification failed - No Signatures found"); + } + + return signatureList; + } + + private synchronized void verifyOnePassSignatures() { Policy policy = PGPainless.getPolicy(); for (OnePassSignatureCheck opSignature : opSignatures) { diff --git a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java new file mode 100644 index 00000000..4b76cb8f --- /dev/null +++ b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java @@ -0,0 +1,135 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package investigations; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.bcpg.ArmoredInputStream; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; + +public class OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest { + + /** + * Signed and Encrypted Message created with PGPainless 0.2.9. + * PGPainless versions 0.2.10 - 0.2.18 fail to decrypt this message, due to it failing to parse the signatures trailing + * the literal data. The cause for this was not draining the literal data first before trying to parse the sigs. + * This is likely caused by the literal data using a partial length encoding scheme, so the PGPObjectFactory did not yet + * reach the signatures packet. + * + * As a fix, PGPainless now only tries to parse signatures from after the literal data packet, once the literal data + * stream gets closed. + */ + public static final String MSG = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "aEY0RHRHcWVYOENCUGRzU0FRZEFVTjJrSkZNb2lJUHhCUEFSWkZodnJxU2FGd090\n" + + "c3llR2pkU1l4bS9UdFJRd01JK09PUGJYVjlnUEM3VEZFemlKWmRmL0ZxcUVaQTNV\n" + + "ZkhIeEo3Y0hnWlhQWWw1Q29LMU5aSW9NRC9udk1iT1poRjREYmtNdFV2TkpWL3dT\n" + + "QVFkQW00b01SQXVVbTdYL1BZUTc3T3Q2ZUxwTWs2VDk3TmhHMzB6RFFDSUMvV1l3\n" + + "TTUvZkR4dW1uVW5ucXNwVFVJSmhRMmVYM0I2R2NtVE5ZdXVmSUNIbGZKMU9UQk05\n" + + "MklNMkVGWHU1M2x3TVBLYTB1a0IzRWltbmJRNUpCNTBpT2NUeDZCcDJQREJZK0VN\n" + + "K29IdDVlUzFzOWxlZjJUNHdCY0w1ejFLU3hQTkRpODh6Skp6dTZ1b3BxMXFwdWVI\n" + + "UDFtemYzN0NTY3lJTHpJK0lwRXVUbWwvODdyK294TWVQR3NvR3NwblBuUWFXa0xY\n" + + "dzdGVHpnWUJ5SGxyS3gzTGJIT040bDFVbC90dnhMbFBwNE5aRmJQcjQwWlYxb0o4\n" + + "eE9JczRTaXpZSTNDUGRXQmlNVXJiaDJRMEFBTkg4aWNyMjhDeUZneDFSenpGdFRZ\n" + + "MzVjeE5HSXRRZzRoR3BNUmVOWDdWNHpWOFRsUkFJSEVtaFRCTHpGZXR4eWJCbFJh\n" + + "c3l0SUN0eWVydnZiNTQ3V2htK2tDWUxRQUcyOUlwZXUxOWo2MnV1dHJjWm10YWJn\n" + + "LzEyTG5HSEczRkxoMGxHTmNOZnd3OXN6VC9zV0RXM2swQ3RCdVpsSmFUVXFLYlY2\n" + + "QkRsTjZMWXFvYi9ad01wcDE4WGVuTk5tU2ZsL2JpcHZ0UE1hMk5NdGVuWXV2SGVO\n" + + "R2hZK3Q0MFE3NE5OYmJRV1dsVXFqakFYZ3NOaUhsTjhDV2Z3UG82Ykx1OW9PaEFL\n" + + "eTgvbFlNL1dlL2hlUFFpVGpqUUVaM3J2OHVDVGdCekFuc2tqazd0bUVOdTdnclJz\n" + + "WjBSdzlYelRwTzJlTCtHRmV3VlhOMzNWUzFHVnR5QTMyVFRCd1ZDcStaNEtCMXRX\n" + + "MVFIRUlDekc2UldsMkR5djBmZENpc2FoQU5SLzBmQXRrZm0wU3k1R1htWm5pWU9L\n" + + "MkhiN2NZeHEzREs1MHowWTN4WkdiemE4L2VUMzlPTG1jMG5DdWQ5cktHaUkya0Er\n" + + "a0NDQzF5UUlrek9zZDZlU1pFR1FncFV5UHlxdDRNQUhYeDcxUkFuR0NiWW9OVkRY\n" + + "aUQwZ0d0M2lZRHFJV1N0TGErek1xbkJWN085Z3lSZFFVN2lXR25CeW9QNnlXc1Nk\n" + + "aVBRSW5RR3RVSFZabU0wQnBwUk45ZUo0QlVJd2RvY0lIRldjZ0xNQjNiYlBDWHVF\n" + + "bGl6N1ZPSHBFVWVYVmNWNWl6Z3NVUEJOSVVOZWxHcElrSk5Xa0lSSndMSFVnUlR0\n" + + "SEh1ZFMyNnJZeURoU0tGcjdiM01HdWwyVU9GdTFlM0FzK24yVkJjcGN0ZHFtTGxG\n" + + "THU3ZGxHMGJ0dHJQVWhaYyt4NjlFenUraTRtamRoZzZyVC9ydnYvRTJmRTRUVlpN\n" + + "MGExbk5CUG40UT09\n" + + "=mKyE\n" + + "-----END PGP MESSAGE-----"; + + public static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 23A2 3010 2038 66BC B390 8598 BB0C CFD4 57D4 DE77\n" + + "Comment: xmpp:one@exampletwo.org\n" + + "\n" + + "lFgEYXQMCRYJKwYBBAHaRw8BAQdA1NhQdMUKkiwSI92ETqlY2lrAt4EbehgzpWMs\n" + + "sm1Ke34AAP4sx3S3r0qoNpGyi3o7zfet60xIIkw9qKNdnYQyvouFhRFftBd4bXBw\n" + + "Om9uZUBleGFtcGxldHdvLm9yZ4h4BBMWCgAgBQJhdAwJAhsBBRYCAwEABRUKCQgL\n" + + "BAsJCAcCHgECGQEACgkQuwzP1FfU3ncAWQD/dUR7rbOpV8H4CTIpDJXiDuWi1vkC\n" + + "Rmm5jFQsJlrIzZEA/0aZSEXH3Gj5OdQGy9qKrvqGkq7idjrTkh3gYiWRB+EOnF0E\n" + + "YXQMCRIKKwYBBAGXVQEFAQEHQCobua4HJAsmfCB9TFjBSRfP1FEIEht4MMl4rHN4\n" + + "eWc0AwEIBwAA/0Tmh56XX8bVDof1VVCdapcCC+LAA3wSH5SfP+EVaIJoD8WIdQQY\n" + + "FgoAHQUCYXQMCQIbDAUWAgMBAAUVCgkICwQLCQgHAh4BAAoJELsMz9RX1N533dQB\n" + + "ANRojORnaZw224DRVhONAuQazhKZz3e13MhyTFi91BhmAP9chFgUkvpiorQ6I65D\n" + + "iCM315VHIvorrIElhKDtYu65CZxYBGF0DAkWCSsGAQQB2kcPAQEHQB3vy1KMKzDG\n" + + "/yooOsvfNXtdFh8ROWWth2CZAh1rt3fdAAD+KVMkDED4xf7h1/aAunFAmdZ+xGTo\n" + + "uPbTr8vWQMrVUFAUi4jVBBgWCgB9BQJhdAwJAhsCBRYCAwEABRUKCQgLBAsJCAcC\n" + + "HgFfIAQZFgoABgUCYXQMCQAKCRDFaY6lJy4mR/FEAP9dHZi975eqlSdRa5pEn1xz\n" + + "TLBfz2mAfWLQEr2kWLLVRAD+JBsyldKsUF8q1m/D/ty0lUUSGslgOhTcEoXxx3yC\n" + + "1wwACgkQuwzP1FfU3neefwEA82brBIEKARYD/zHwNEPGLZweZHLPV5Iu9dmBw3l9\n" + + "tmoA/RlQYaAKD86S1ZcfPIbjDIZkL9sjFh5tK0+mSl8rv4UH\n" + + "=/1RX\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + public static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: FC0A 2CB3 F757 8B26 442C 7091 A7BA 7031 BD1E 0D5F\n" + + "Comment: xmpp:one@exampleone.org\n" + + "\n" + + "mDMEYXQMCRYJKwYBBAHaRw8BAQdA01hwFPFYUpsGGUpf21BUlwoL9tVVAnR3sS+J\n" + + "UZSUlka0F3htcHA6b25lQGV4YW1wbGVvbmUub3JniHgEExYKACAFAmF0DAkCGwEF\n" + + "FgIDAQAFFQoJCAsECwkIBwIeAQIZAQAKCRCnunAxvR4NX+f7AQCjzT+r25dDlUpp\n" + + "tocSQtgEmWZabwB41ykD/XfyBtM0RAD/ba4yYv+f/4mX7u3XpJxkrKFs/bHwyWsR\n" + + "VapeUGxhKwa4OARhdAwJEgorBgEEAZdVAQUBAQdAlbrJ+h8CygRFZBsx+Rsm4Kp+\n" + + "VCB7yUR2IxOrmiGqUlsDAQgHiHUEGBYKAB0FAmF0DAkCGwwFFgIDAQAFFQoJCAsE\n" + + "CwkIBwIeAQAKCRCnunAxvR4NX3bmAP4mTtMWgKl7RkAB/pSLMJ4bbTMSMUJCH/jS\n" + + "qz/PNtmVrgD+JLrWg2+hNPAA8zJx8LH73G4YzZMSQ0CBd9nmWRZr3w+4MwRhdAwJ\n" + + "FgkrBgEEAdpHDwEBB0BrLuiD0Xb6/N66IehUl77qh/Q0vDa8ack6TcOIwxZsHIjV\n" + + "BBgWCgB9BQJhdAwJAhsCBRYCAwEABRUKCQgLBAsJCAcCHgFfIAQZFgoABgUCYXQM\n" + + "CQAKCRD97UDyQowaGe1MAPwJeSe2vkEcMIk711lBbAsambR7D72XVyc0F8maniUy\n" + + "LwD8Dbgx8O0bCcd7fcXztfyZe8OtGKQk19fSLd+xp5VThwkACgkQp7pwMb0eDV8y\n" + + "aQEA+g10lq+1gkaLBXZbc/mUJ4odIjYBk0JdGgU8oTAZd58A/2UT9C5G9ht/lMhK\n" + + "hISFnP6CXwvy6L1XA9bjXQJ0unMF\n" + + "=OyZq\n" + + "-----END PGP PUBLIC KEY BLOCK-----"; + + @Test + public void testDecryptAndVerify_0_2_9_message() throws IOException, PGPException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); + PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(CERT); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + + ByteArrayOutputStream dearmored = new ByteArrayOutputStream(); + ArmoredInputStream armorIn = new ArmoredInputStream(new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8))); + Streams.pipeAll(armorIn, dearmored); + armorIn.close(); + + ByteArrayInputStream in = new ByteArrayInputStream(dearmored.toByteArray()); + + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addVerificationCert(cert) + .addDecryptionKey(secretKeys)); + + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + decryptionStream.getResult(); + } +} From 3fd929916dacab6e8861384cf81da90cdedfe275 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 26 Oct 2021 23:06:41 +0200 Subject: [PATCH 0081/1450] EncryptionOptions: Change return val of overrideEncryptionAlgorithm to EncryptionOptions --- .../org/pgpainless/encryption_signing/EncryptionOptions.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index befced35..b75e0081 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -273,11 +273,12 @@ public class EncryptionOptions { * * @param encryptionAlgorithm encryption algorithm override */ - public void overrideEncryptionAlgorithm(SymmetricKeyAlgorithm encryptionAlgorithm) { + public EncryptionOptions overrideEncryptionAlgorithm(SymmetricKeyAlgorithm encryptionAlgorithm) { if (encryptionAlgorithm == SymmetricKeyAlgorithm.NULL) { throw new IllegalArgumentException("Plaintext encryption can only be used to denote unencrypted secret keys."); } this.encryptionAlgorithmOverride = encryptionAlgorithm; + return this; } public interface EncryptionKeySelector { From 48570569860454238f27f0b14a888ccc8a875d2c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 26 Oct 2021 23:08:58 +0200 Subject: [PATCH 0082/1450] Add failing Kleopatra interoperability test --- .../KleopatraCompatibilityTest.java | 272 ++++++++++++++++++ 1 file changed, 272 insertions(+) create mode 100644 pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java diff --git a/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java b/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java new file mode 100644 index 00000000..9781cb6b --- /dev/null +++ b/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java @@ -0,0 +1,272 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: CC0-1.0 + +package investigations; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.DocumentSignatureType; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.decryption_verification.ConsumerOptions; +import org.pgpainless.decryption_verification.DecryptionStream; +import org.pgpainless.decryption_verification.MessageInspector; +import org.pgpainless.encryption_signing.EncryptionOptions; +import org.pgpainless.encryption_signing.EncryptionStream; +import org.pgpainless.encryption_signing.ProducerOptions; +import org.pgpainless.encryption_signing.SigningOptions; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.implementation.JceImplementationFactory; +import org.pgpainless.key.protection.SecretKeyRingProtector; + +public class KleopatraCompatibilityTest { + + public static final String KLEOPATRA_PUBKEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + + "\n" + + "mQGNBGF4StQBDADgAGvvtzCrSa5I9/jIZq0SKxoz7Hz61YM2Hs/hPedXfQeW7lrf\n" + + "qutyXSIb8L964v9u2RGnzteaPwciGSyoMal5teAPOsv6cp7kIDksQH8iJm/9FhoJ\n" + + "hFl2Yx5BX6sBtoXwY63Kf9Vpx/Std9tN34HHI7zrbO70rv6ZcDPFHyWoVdoDZOX1\n" + + "DWbBnOP3SoaNaPnbwEBfEkPwyN/NsnxTfe+IsCYC2byC3NZwYA5FscWFioeJ/UpF\n" + + "HMgZ6utn9mfTexOYEE0mL1mhrc7PbRjDlNasW3GLrpeVN55anT0jvtNXulG4POzG\n" + + "fJ8g3qddcbTXYhQItjurBlkYLV1JOhdCN83IJRect4EIKBkLuEKO0/a7bE6HC7nr\n" + + "PLw9MWGgcnDe2cTc4a6nAGC/eMeCONQlyAvOIEIXibbz4OB0dTNA5YYTMBHVO7n0\n" + + "GbNg8eqw+N+IijboLtJly+LshP81IdQMHg0h6K3+bfYV0rwC/XmR387s+pVpAp5k\n" + + "Lrw8Rt+BsQSY2O8AEQEAAbQhS2xlb3BhdHJhIDxrbGVvcGF0cmFAdGVzdC5kb21h\n" + + "aW4+iQHUBBMBCgA+FiEEzYzHEulLyE5PkaUp6EVgKKoTP1kFAmF4StQCGwMFCQPB\n" + + "7cwFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ6EVgKKoTP1nClwv/exOrk3H0\n" + + "aKOqwB6gMtA9bOJgYG4Lm3v9EM39mGScTJgAaZMlJIVMZ7qBUCEbw9lOJMZLguVm\n" + + "VJN8sVYE6zNdPGxmQLLciXDheGIdmQDi/K1j2ujKWUVZEvasiu7pO2Gcl3Kjqaeu\n" + + "dpvKtEDPUHtkqzTQHgxpQpSky58wubLyoX/bNnCky3M/tu774kJ2HGHTy6S4c1KH\n" + + "f6k4X96vP1V7yoKp+dukYLXwtm73JAi7nX/wOmoQI4I60fs26ZFDpoEkAZVjZtj6\n" + + "qfT9unS+XZeklc0siaZ5wZvVuSGWcI4v4/rA/ZU9KjDriatEu0ZzE/Xll1MHQyh4\n" + + "B31zjwP8LmLSrNHMLmT+7nM+nCfCoo71uZGkuuR0sKa6bToBUOls1olRmKaZf9NS\n" + + "JjW0K0xL3TEzduM7h+oDNLf5bSSZFoDGwsHRW6E53l7ZDe7tOH+ZGSDuCbIVu4dQ\n" + + "6k0NVMFI+gxTwQU/4RS3heRvn739P7VRLyUl4gX0/q8EanHPQX9NXIuSuQGNBGF4\n" + + "StQBDADMeuyDHP4np/ZnfaHXKLnz6C+6lrF/B0LhGXDxvN+cCpFvybmqGZ74DOkK\n" + + "VXVlmXjvb22p6+oOD163/KOqfrjKT/oeVhMglMc2raNy5+XWHcjKBhprxbX9bIhr\n" + + "QEjmvP57pIfQ83s1dgQsWlxIwX1g86X04u6tnG+fwNdGrhZwcbaivJT5F82uKKIq\n" + + "gtDbqcUtqOQpg+zUO2rdbgjWw5LZPBiC/dHkWydGvzWrnAgDmVAsJita2F+Pxwmn\n" + + "i3p5qU2hBJmJuVo15w6elST1Svn3jim5gqbXXhh2BwDSDPEp0uRZlV6r9RMlH+js\n" + + "4IvKiveGzdXTzmbPl8U+4HHynPM1TWRxCaXNF4w4Blnlqzgg0jFXVzV0tXk1HJTc\n" + + "P4Lmmo0xpf5OEsbCZv61qDJO20QMHw9Y9qU/lcCsXvmtFfEDTZSfvIEAlpo7tvIn\n" + + "3H94EiVc5FNpRfWrngwPnwt3m3QkmG3lkd5WnxuyjH/LbKMtuBC/3QuKNrrySvXF\n" + + "L4SL51cAEQEAAYkBvAQYAQoAJhYhBM2MxxLpS8hOT5GlKehFYCiqEz9ZBQJheErU\n" + + "AhsMBQkDwe3MAAoJEOhFYCiqEz9ZkhsL/itexY5+qkWjjGd8cLAtrJTzhQRlk6s7\n" + + "t7eBFSuTywlKC1f1wVpu5djOHTPH8H0JWMAAxtHQluk3IcQruBMFoao3xma+2HW1\n" + + "x4C0AfrL4C00zxUUxqtmfZi81NU0izmFNABdcEHGbE8jN86wIaiAnS1em61F+vju\n" + + "MTMLJVq56SQJhWSymf4z4d8gVIy7WzeSuHnHcDbMcCfFzN1kn2T/k5gav4wEcz3n\n" + + "LizUYsT+rFKizgVzSDLlSFcJQPd+a8Kwbo/hnzDt9zgmVirzU0/2Sgd0d6Iatplk\n" + + "YPzWmjATe3htmKrGXD4R/rF7aEnPCkR8k8WMLPleuenCRGQi5KKzNuevY2U8A4Mi\n" + + "KNt5EM8WdqcXD3Pv7nsVi4dNc8IK1TZ4BfN3YBFQL+hO/Fk7apiqZDu3sNpG7JR0\n" + + "V37ltHAK0HFdznyP79oixknV6pfdAVbIyzQXk/FqnpvbjCY4v/DWLz6a4n8tYQPh\n" + + "g94JEXpwhb9guKuzYzP/QeBp4qFu5FO87w==\n" + + "=Jz7i\n" + + "-----END PGP PUBLIC KEY BLOCK-----\n"; + public static final String KLEOPATRA_SECKEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "\n" + + "lQVYBGF4StQBDADgAGvvtzCrSa5I9/jIZq0SKxoz7Hz61YM2Hs/hPedXfQeW7lrf\n" + + "qutyXSIb8L964v9u2RGnzteaPwciGSyoMal5teAPOsv6cp7kIDksQH8iJm/9FhoJ\n" + + "hFl2Yx5BX6sBtoXwY63Kf9Vpx/Std9tN34HHI7zrbO70rv6ZcDPFHyWoVdoDZOX1\n" + + "DWbBnOP3SoaNaPnbwEBfEkPwyN/NsnxTfe+IsCYC2byC3NZwYA5FscWFioeJ/UpF\n" + + "HMgZ6utn9mfTexOYEE0mL1mhrc7PbRjDlNasW3GLrpeVN55anT0jvtNXulG4POzG\n" + + "fJ8g3qddcbTXYhQItjurBlkYLV1JOhdCN83IJRect4EIKBkLuEKO0/a7bE6HC7nr\n" + + "PLw9MWGgcnDe2cTc4a6nAGC/eMeCONQlyAvOIEIXibbz4OB0dTNA5YYTMBHVO7n0\n" + + "GbNg8eqw+N+IijboLtJly+LshP81IdQMHg0h6K3+bfYV0rwC/XmR387s+pVpAp5k\n" + + "Lrw8Rt+BsQSY2O8AEQEAAQAL/jBENv3Iud52umyzrfI0mZ9cFUHR994uqp67RezR\n" + + "Y2tpH/0IMCGY2THj2oktt3y5s/OFJ3ZCrhdo9FcHGKXHSa7Vn0l40GIPV6htPxSH\n" + + "cz1/Dct5ezPIxmQpmGfavuTYGQVC3TxQjkJEWTcVp/YgLn0j+L2708N6f5a9ZBJa\n" + + "E0mx8g+gKqLCd/1JGp/6+YI39/q/cr9plqUoC31ts7dj3/zSg+ZCV4nVHwnI0Np4\n" + + "o0iSoID9yIaa3I0lHwNgR1/82UVEla94QGKSRQqjTrgsTLPFIACNtSI/5iaPdKZK\n" + + "a01oic1LKGEpuqpHAbnPnCAKrtWODk8B/3U4CABflXufI3GTYOZeaGZvd6I/lx/t\n" + + "HQcg5SKE8vNIB1YZ2+rSsznAFmexaLjPVG3XhGQdBVoV/mmlcI71TUEcL9kXYMh6\n" + + "JnwH5/F2kG9JAXC+0Y3R9Ji+wabVGMUHxugcXpQa0d/malCZaS/dviDUfZ1KbDjH\n" + + "Jlzew7cmfRtiw4tfczboekeSbQYA6bh6IFqQlcW7qj34TAg8h8t34Q2o2U0VMj96\n" + + "OiG8B/LARF89ue4CaQQMQt16BHeMhePBAhPCkkCEtmbXremHsrtn6C149cS9GAEt\n" + + "fSAHVGedVDHzke/K84uHzBbY0dS6O6u2ApvWOutgWpB5Le4A7WTslyAdLWRZ1l69\n" + + "H2706M9fgGClVsQByCNVksDEbOizIlAkFOq0b39u8dnb063A9ReAuk/argCA7JHU\n" + + "j3BFIF5crIn+YrWl6slFuoXGWTXlBgD1WsVhU4hXJ5g35TOso0rEND/wHrjW0W4F\n" + + "LViA5yAt9sVLNGgm9Ye3YSVIHId6HiJQZmsWJb81WD5dvBLl74icZmfSWtRTwvCZ\n" + + "0k3rYlu3Ex4bQUwoyhSlDoPJ9YMaumd1yaM3nMeyrlaHYIpV8NtqSuqJc7i2iNX1\n" + + "3s9AotipHYEUOlsp936bNEuh0m8xXEZ2C8qjpNenymg8XfNd/IH2M4Sjzz+pN5sS\n" + + "gQt+pQhYFnW0Gersb/X3OsAtLtRE5kMF/3v7GAz7usMcajqbh9qB+Ytp4n1u3aQC\n" + + "ck1exVOwdLDZgsHfojO1SEFd3IafO01xp+TmS8qIoZvKJegM+qq9px1PHSTRnb4D\n" + + "8tuBxtdoUE7n+g3Li74je7+DEdcq6g9ZjgyeosCHGItUwTcCMqnHa+ikjQjsnnzu\n" + + "eSwvVSfMJQYyZrZ5qYgQZKcovkFDvgXiC/jqfDd6GeAfbxzL2cyAYWvUdGln79O3\n" + + "Tc7ZWd0Xn6IaMPVPRBvH4RsaWqFdO0pIOuH7tCFLbGVvcGF0cmEgPGtsZW9wYXRy\n" + + "YUB0ZXN0LmRvbWFpbj6JAdQEEwEKAD4WIQTNjMcS6UvITk+RpSnoRWAoqhM/WQUC\n" + + "YXhK1AIbAwUJA8HtzAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDoRWAoqhM/\n" + + "WcKXC/97E6uTcfRoo6rAHqAy0D1s4mBgbgube/0Qzf2YZJxMmABpkyUkhUxnuoFQ\n" + + "IRvD2U4kxkuC5WZUk3yxVgTrM108bGZAstyJcOF4Yh2ZAOL8rWPa6MpZRVkS9qyK\n" + + "7uk7YZyXcqOpp652m8q0QM9Qe2SrNNAeDGlClKTLnzC5svKhf9s2cKTLcz+27vvi\n" + + "QnYcYdPLpLhzUod/qThf3q8/VXvKgqn526RgtfC2bvckCLudf/A6ahAjgjrR+zbp\n" + + "kUOmgSQBlWNm2Pqp9P26dL5dl6SVzSyJpnnBm9W5IZZwji/j+sD9lT0qMOuJq0S7\n" + + "RnMT9eWXUwdDKHgHfXOPA/wuYtKs0cwuZP7ucz6cJ8KijvW5kaS65HSwprptOgFQ\n" + + "6WzWiVGYppl/01ImNbQrTEvdMTN24zuH6gM0t/ltJJkWgMbCwdFboTneXtkN7u04\n" + + "f5kZIO4JshW7h1DqTQ1UwUj6DFPBBT/hFLeF5G+fvf0/tVEvJSXiBfT+rwRqcc9B\n" + + "f01ci5KdBVgEYXhK1AEMAMx67IMc/ien9md9odcoufPoL7qWsX8HQuEZcPG835wK\n" + + "kW/JuaoZnvgM6QpVdWWZeO9vbanr6g4PXrf8o6p+uMpP+h5WEyCUxzato3Ln5dYd\n" + + "yMoGGmvFtf1siGtASOa8/nukh9DzezV2BCxaXEjBfWDzpfTi7q2cb5/A10auFnBx\n" + + "tqK8lPkXza4ooiqC0NupxS2o5CmD7NQ7at1uCNbDktk8GIL90eRbJ0a/NaucCAOZ\n" + + "UCwmK1rYX4/HCaeLenmpTaEEmYm5WjXnDp6VJPVK+feOKbmCptdeGHYHANIM8SnS\n" + + "5FmVXqv1EyUf6Ozgi8qK94bN1dPOZs+XxT7gcfKc8zVNZHEJpc0XjDgGWeWrOCDS\n" + + "MVdXNXS1eTUclNw/guaajTGl/k4SxsJm/rWoMk7bRAwfD1j2pT+VwKxe+a0V8QNN\n" + + "lJ+8gQCWmju28ifcf3gSJVzkU2lF9aueDA+fC3ebdCSYbeWR3lafG7KMf8tsoy24\n" + + "EL/dC4o2uvJK9cUvhIvnVwARAQABAAv9ExmcWWGY6p1e1StACyKrvqO+lEBFPidb\n" + + "Jj7udODT8PXFFgW9c60cU0aUHLn/fZ5d/zI6XSKYj02nkaoQo6QIoM/i/iMY0En1\n" + + "aHRvDb7+51w1iDa/uwy8biVNgi8pYBw2l9gLiQdlR94ej6y1GBAIJR6ShD26VmSE\n" + + "F2O3osuEybtleEKt660/MiMWMBWzaqwAq2jY6c5/4xHVw+87oMv4k0AbeLOQKojK\n" + + "h2o5mi5jSpVvOWCAsOYAhHlEEUQPDFQ1rbJ3P3XcRZE4EIxP2eKDyfyOXRTihLDl\n" + + "/9hqOf57wo0C43bnc1BkD6sk+ptKgUifpUHHejg/i7HINFivh7jCgCtoskf2P9BL\n" + + "WFuaPZVLQSVE5X2PsgeIYK9/eGeNxfXgtwRyUd8DtBge11tsMaENUTm39p36my2K\n" + + "jBgoEdBIQo1Mpi1EZba+L6pyw9bPFnj5H+opSe+X9/spkS9DyPOPGY7rCSTgv+7q\n" + + "Ph2WbtRRJslitLEjT9tNgwMRGWsgdbcpBgDgzujDUQb1coCdgw1gsQSTPir9hJxF\n" + + "Q+2DAbGpkqiYayHJqH7T9wGhiY8QoqLIejNawkrel4yTtYmM7pgtURWrkzz/jHAT\n" + + "3NNRTyvFqMmjwOIoV83tW8247uA8eofc981wEVayJ4y/KDcvU04FBrjCEoOUQMXw\n" + + "Ychr4cGiEckGBxAib6fVxjsU3PUIuUDpm9NC53Rc0GmwlduiZSJqRZQRgytLxWdM\n" + + "Va4c5oHdc0qpjCgk5qkW/09lI5kxTlMk3E0GAOjZ+HSQV8rI7qu7G0Qno9MP0Q49\n" + + "Qo5Hf4uV+I/6Iim/Eq5LWKmmairIob47jLtmhoIo7LArTm+9NsThFidc6wjRYgtT\n" + + "kGx4KUTEl8d0/mHV8GBzNNyRM7UOoLVjgf4tljFa8d2hQNMXZyBsIkLyoL6cL2sx\n" + + "aMZWl9jjh0bYE4TiTDIO1cfddxGjCPG9i12Z+yMl5p0g+r+IUAbuSh4+Yo7PUIKF\n" + + "8v+mqZRC9M9C/T/qOAB2gL2vDEZ4TdLAZfYUMwX9E/I1e0gHPlqXmQ/znTkjuCXd\n" + + "JopVXmvvku8SvVFb4pcW1k5Tk3iEj7nilQ64I5bONFUot+qKTtxAM2Fwxo0EjFZD\n" + + "TCP5RbY60iJcnhpk5mDGD41O1xe2HBkJw8dC5xUr1pPs+7Y8gMXN3qK4JcrLfLSO\n" + + "pOb623ir9jtJWLjv1wOvr7KsWZxg8XOQq8+AkEprUjb8v8WsJY5c7L8vSJ5OYlOP\n" + + "gv9Tj3MVmV1jGhH9pR+zGcclyathY3Ytloy1zZxR3WCJAbwEGAEKACYWIQTNjMcS\n" + + "6UvITk+RpSnoRWAoqhM/WQUCYXhK1AIbDAUJA8HtzAAKCRDoRWAoqhM/WZIbC/4r\n" + + "XsWOfqpFo4xnfHCwLayU84UEZZOrO7e3gRUrk8sJSgtX9cFabuXYzh0zx/B9CVjA\n" + + "AMbR0JbpNyHEK7gTBaGqN8Zmvth1tceAtAH6y+AtNM8VFMarZn2YvNTVNIs5hTQA\n" + + "XXBBxmxPIzfOsCGogJ0tXputRfr47jEzCyVauekkCYVkspn+M+HfIFSMu1s3krh5\n" + + "x3A2zHAnxczdZJ9k/5OYGr+MBHM95y4s1GLE/qxSos4Fc0gy5UhXCUD3fmvCsG6P\n" + + "4Z8w7fc4JlYq81NP9koHdHeiGraZZGD81powE3t4bZiqxlw+Ef6xe2hJzwpEfJPF\n" + + "jCz5XrnpwkRkIuSiszbnr2NlPAODIijbeRDPFnanFw9z7+57FYuHTXPCCtU2eAXz\n" + + "d2ARUC/oTvxZO2qYqmQ7t7DaRuyUdFd+5bRwCtBxXc58j+/aIsZJ1eqX3QFWyMs0\n" + + "F5Pxap6b24wmOL/w1i8+muJ/LWED4YPeCRF6cIW/YLirs2Mz/0HgaeKhbuRTvO8=\n" + + "=cgLL\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n"; + // signed and encrypted + public static final String KLEOPATRA_MESSAGE = "-----BEGIN PGP MESSAGE-----\n" + + "\n" + + "hQGMA2gglaIyvWSdAQv+NjugJ3Sqk7F9PnVOphT8TNc1i1rHlU9bDDeyZ2Czl6KA\n" + + "YXwSP5KmwgTJH+vt9N5xrbKOGCuSCJNeb0wzH/YpQHLL5Hx5Pk0KtNH8BCevApkM\n" + + "Rcn4EKiXMmTFyib0fCPlqvEvqdD1ni1IliHNLxR/TYCSxbmu3TqPie70PiLsB32l\n" + + "6QKDi1U3HftsZOLLgIPbd1IqnSMeT3E15oD8LTQe3k/CV+huA54wrIeqDxfJpcAu\n" + + "rvb4rLVvGmaF67FXekMEDjD3cdk2m6WJ8c1myh3EUpDRlMPobhgeEV+h28heGuhu\n" + + "g2Id97DMfUhxypGbQ/rlwHE3UMvdW3YS0KRT7UfPee0F2m737b/aWO341LOzJz94\n" + + "xggPafIC6IseQQVZirocG1CLl0lauWZoXbfmzrXCT+YGNuaNjlE01BYPBjgEygle\n" + + "7Kur60YkB0H6fACskcudWDRFTsjEgIZa3riHou7XmvqupvJC+hyYdH3QqyFMvdix\n" + + "03/E9ePUs051Bvzn+a/dhQGMAwAAAAAAAAAAAQv/RtljqQ2BsB0KkdzZtnfY+CZZ\n" + + "PBYvloxplK+Bs8aoLVujyI7g6weOvFD49tSowsvJ//DleDpcKe4UZA/WRj5HlB1J\n" + + "5zLK5qlWb8El6QKlwEKB02zHDv244Bm9ZROnSK3CrEqRcfdBQIx4ThEOZlG0cE60\n" + + "iTbrda2SYUDpHh4Re/qhw/wvc0uUf+59u8WU5AIpgfLBU2fNEjOr6LMIsR3Edvf8\n" + + "zIFUrHlfvKQaAnZYU79dA0ZnTYgLiwMWB19nvhnSIdWAC3tJUsiuEIzEzA+vVbG/\n" + + "YrTOMR+vFm+dVOcVanzn0vnV0n8+np1kM1V2JgGRKV6XybS1oUbNPvpv79FBgfPi\n" + + "F3WghBHZf9lTaj4w7LtQSojvC0YxSoxfTif/MMxNZUoexQbk0jE97ibeFk6rqrBn\n" + + "46G2WbrrReDyOUekSkM5MQ/bZ1GJuFfC+kGyHETBejsfn0ZKa2RUla9k3vYFcDJC\n" + + "Et7Vwv81SF4yzvSwiV0rFx1RcyZaGlJumjCkqaHHhQIMAwAAAAAAAAAAAQ/+KTsY\n" + + "vnPMOmjmLqu7BQwx3jUaEmCXTurv5XHMbAEcq0UAwHJ/XAcJe7B1707Fu1sSJJjV\n" + + "3rJVHGUv7+APg5/vALx/FGlKk/12M8NhgOreLCLa/vQ9NmNrcfqGQdZtpk6OQxLv\n" + + "DcnCbUjyTO2IFRjmzEy8d8rne/FMC1MZD9hY1IboJWk5fN1NCsIIbPn3OSqVIaa1\n" + + "9fJj6D7SGacraBNJwl0x22ipV4yLtpo2DtnPJGK4xgTm0eW7eUK3nIfC/foHEgxG\n" + + "Bny1axnKqC9TFhAQ7Eo+Wh9eAiXtFBY7po7tfYmhb6mHBMAfYsVvCCyLNqUbXiV9\n" + + "kXWMBf0yxtNQlkx1jK+iqfGBm3EfHKncXGfl6zxwkh1FZXcY2EyCavkGND+3Gexg\n" + + "vbCUltulq1Fv1WjOGz9Icc5pK9AyjUuc/AQ4k7WhCVhCmbpsb/Cq6LsiqOC219dE\n" + + "r5TLGr+K1289PVOgbd06BL5NVP6qeO5fyWUA/Bs+exxqEDKce0f0ppKkcGNAv9p/\n" + + "Lg57FxT8aYVBgSoTv1DASquZANrO3kp7M3nC5lVzUldz8aS4YEirLLTF0MBnZEZ8\n" + + "MRcG8h8oSKozw+cuJXNF+bFiKM0wwRyw0AXGt69/lrPlWKMCfuK3n8vqxVPJ78JD\n" + + "ut8xHNWelqS2uO0qinvfbBcKzptYUm8ctNbHlSLS6QEnmjoiF/jobEDWsp6yBaym\n" + + "o7h9VQrmCKjKsoQzoF5KYHW87BLb2YRnx5WwTvN1BvZTNqNjkm9tuDTIwhTUx/L/\n" + + "B8l+KqpGcrmsldQ/pF/W3m2mFlsqpb02uWJSpXQ7NEavjvPThKPJHUnni4YtCg5b\n" + + "v8Zy/zvYgGj5y4DDjM84Xw/HcMdyHsWIcGosZ6W/jJhO7sECXqS6HoF5zFsIBPX9\n" + + "dEM4GS5TapLe0s7DyC0bK7VbPgLMBxPmbBSVp3O72qKpvgc6PAggTJHNhd6MLsJA\n" + + "JAiAOF/KNNZxSdMWIXqMyMviSPeU9+KclOG7iiR75Q5kIbpj9hWo5ullxr6XrHl2\n" + + "HFR+5jnmbSNwz/cf0vwkTnNG/Crofyy0kPTfGp5Ku4hp0wIhWXM9f8m7tuoxI3ep\n" + + "uNwB7FOs3xemsxAmoufyWcsyxnVf/3OJLWejIcIK1v3NmoiSxFQXl2cmiRVLTtAT\n" + + "oNjUT9QDQiyi8YR+CepV6RnBSmRomr7HfRAoACaCg6ToaXm0Dc8OQSge2X80ifdD\n" + + "NUcfhQAivaVAqhAogUIaPp9yqwTWaZ00N5cPH4HItPJtukb+Fsove2SoF+iPQre6\n" + + "hDjZCNyfUjT+wnca315nN+9D6Z1JgV5YEM23sFKp4M732Zdb5JlR0DXfDEuQH1NL\n" + + "hXOcpr9LpAvASH7weiVTEYxNz5KzFkUQA5YKLLeDwtcK\n" + + "=MgH4\n" + + "-----END PGP MESSAGE-----\n"; + public static final String PGPAINLESS_MESSAGE = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hQGMA2gglaIyvWSdAQv/Y9Wx763qAM95+teCUPPNRc5Iwqbc5uFjxfbcwsHIWdiZ\n" + + "n2wHNUmd2dUqYgpqOcBwZ/fUJuoHj/uXKZ1pbz2QSVYaL9MulKpgWiVAo0K2w0Oc\n" + + "97KfZ0d66tcZIhslVpZW06+lXuwMyjjjExe32fAkPFnYyTNORljyYlb/RDSkh7Ke\n" + + "Q+48fLR2kitV0WyRZ+d9cMfx2+D2gWYiaFGek9SrhI8L+nNd4UKvM4K4sSq4JHYf\n" + + "DCxGPWYOaTculuX8dfDh3ftHbrmL2Ca7Iv4NB0kSduG8Gin2OWyeSIPIwpF2ci9g\n" + + "cIBssAYhmS88FQit5pW9z2RZ/e9XmYIP++kz3/EdI6DqkiPUv1fiHTrJBC93LvVg\n" + + "pq75h9RNFuUlqR09SVuB/uZB6tYgv77vy5lPFo+wmLjM41aS4+qI1hBI3Ym4XTc1\n" + + "spPA0sEHtQTQ/xRNYqGpwunJniMF3ukWpOB6UNvQld+p2lj8czexhEAcne1cjey/\n" + + "f0/WUnluSt0HIg8Mnd7s0ukBhb4YxjvARjuqi6PikGz4JPshRwB8dPtS9FQiRxL7\n" + + "obaPHXlmLwohEtT3akzoIj/9C3Y7qnfreSllDgRDxRVFPXy5QnQqpsTy2JuJ4cvo\n" + + "p55RE2kyJ3vBZlB6T53pSgC00hQnNxoqgy7aejRItlec7zx5DnEg8t4rA7LYEGLT\n" + + "MBLWbTRc/njH6GTyc/3x7j9k8V83exqpF6fXrE3GP1C3fBxHY2S9/5BFAlzimplz\n" + + "Mow4S15D04EllRRk6f9HKY598xS4QlDEW/f3utwkQ8+/lNqesVuV8n76WDldMv2O\n" + + "5gTqAZ/pKhDKRLY6km4B2+2IAt2zg+V141wryHJgE/4VyUbu7zZxDIcDouuATQvt\n" + + "wNMnntqy3NTbM7DefSiYe9IUsTUz/g0VQJikoJx+rdX6YzQnRk/cmwvELnskQjSk\n" + + "aGd92A4ousaM299IOkbpLvFaJdrs7cLH0rEQTG5S3tRJSLEnjr94BUVtpIhQDo3i\n" + + "455UahKcCx/KhyIzo+8OdH0TYZf5ZFGLdTrqgi0ybAHcLrXkM+g2JOsst99CeRUq\n" + + "f/T4oFvuDSlLU56iWlLVE7gvDBibXfWIJ65YBHY4ueEzBC/3xOVj+dmTM2JfUSX7\n" + + "mqD25NaDCOuN4WhJmZHC1wyipj3KYT2bLg4gasHr/LvEI+Df/DREdXtrYAqPqZYU\n" + + "0QuubMF4n3hMqmu2wA==\n" + + "=fMRM\n" + + "-----END PGP MESSAGE-----"; + + @Test + public void testMessageDecryptionAndVerification() throws PGPException, IOException { + ImplementationFactory.setFactoryImplementation(new JceImplementationFactory()); + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KLEOPATRA_SECKEY); + PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(KLEOPATRA_PUBKEY); + + ConsumerOptions options = new ConsumerOptions() + .addDecryptionKey(secretKeys) + .addVerificationCert(publicKeys); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(new ByteArrayInputStream(KLEOPATRA_MESSAGE.getBytes(StandardCharsets.UTF_8))) + .withOptions(options); + + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + } + + @Test + public void testEncryptAndSignMessage() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KLEOPATRA_SECKEY); + PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(KLEOPATRA_PUBKEY); + + ProducerOptions options = ProducerOptions.signAndEncrypt( + EncryptionOptions.encryptCommunications() + .addRecipient(publicKeys) + .overrideEncryptionAlgorithm(SymmetricKeyAlgorithm.AES_128), + SigningOptions.get() + .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT) + ); + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + .onOutputStream(out) + .withOptions(options); + + ByteArrayInputStream in = new ByteArrayInputStream("Hallo, Welt!\n\n".getBytes(StandardCharsets.UTF_8)); + Streams.pipeAll(in, encryptionStream); + encryptionStream.close(); + } + + @Test + public void testMessageInspection() throws PGPException, IOException { + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage( + new ByteArrayInputStream(KLEOPATRA_MESSAGE.getBytes(StandardCharsets.UTF_8))); + } +} From 5c3fa28946ec2ffe094e710b900f3fa8acbd4c5e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 13:09:39 +0200 Subject: [PATCH 0083/1450] Fix Kleopatra Interoperability The cause of this issue was that we skipped the first (proper) PKESK and instead tried to decrypt the wildcard PKESKs. Furthermore, we had an issue in MessageInspector which read past the PKESK packets --- .../DecryptionStreamFactory.java | 1 + .../decryption_verification/MessageInspector.java | 15 ++++++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 55ae284d..e2b2da54 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -343,6 +343,7 @@ public final class DecryptionStreamFactory { } decryptionKey = privateKey; encryptedSessionKey = publicKeyEncryptedData; + break; } // Try postponed keys with missing passphrases (will cause missing passphrase callbacks to fire) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index 1b94f877..e8b04afb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -19,6 +19,8 @@ import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPOnePassSignatureList; import org.bouncycastle.openpgp.PGPPBEEncryptedData; import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; +import org.bouncycastle.openpgp.PGPUtil; +import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.ArmorUtils; @@ -85,11 +87,12 @@ public final class MessageInspector { return info; } - private static void processMessage(InputStream dataIn, EncryptionInfo info) throws PGPException { - PGPObjectFactory objectFactory = new PGPObjectFactory(dataIn, - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + private static void processMessage(InputStream dataIn, EncryptionInfo info) throws PGPException, IOException { + KeyFingerPrintCalculator calculator = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); + PGPObjectFactory objectFactory = new PGPObjectFactory(dataIn, calculator); - for (Object next : objectFactory) { + Object next; + while ((next = objectFactory.nextObject()) != null) { if (next instanceof PGPOnePassSignatureList) { PGPOnePassSignatureList signatures = (PGPOnePassSignatureList) next; if (!signatures.isEmpty()) { @@ -108,12 +111,14 @@ public final class MessageInspector { info.isPassphraseEncrypted = true; } } + // Data is encrypted, we cannot go deeper + return; } if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressed = compressed.getDataStream(); - processMessage(decompressed, info); + objectFactory = new PGPObjectFactory(PGPUtil.getDecoderStream(decompressed), calculator); } if (next instanceof PGPLiteralData) { From 40926b69f8d26128e55b11d7b555c227ae693fcc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 13:34:33 +0200 Subject: [PATCH 0084/1450] PGPainless 0.2.18 --- CHANGELOG.md | 11 +++++++++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4bb3e49..4cbadd28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,17 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 0.2.18 +- Fix compatibility with PGPainless < 0.2.10 +- Fix interoperability with Kleopatra + - Decryption: Do not skip over first PKESKs when we have a matching decryption key + - MessageInspector: Break from object factory loop after encountering encrypted data (we cannot go deeper) +- Move hash algorithm negotiation to own class +- Change return value of `EncryptionOptions.overrideEncryptionAlgorithm()` + +## 0.2.17 +- Fix prematurely throwing `MissingPassphraseException` when decrypting message with multiple possible keys and passphrases + ## 0.2.16 - Fix handling of subkey revocation signatures - SOP: improve API use with byte arrays diff --git a/README.md b/README.md index d66357fc..5913b9b6 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.16' + implementation 'org.pgpainless:pgpainless-core:0.2.18' } ``` diff --git a/version.gradle b/version.gradle index 432ab1fd..d6a3716d 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '0.2.18' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 4bf2031414b8568be2246640dccd0cdc6a803283 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 13:42:08 +0200 Subject: [PATCH 0085/1450] PGPainless-0.2.19-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index d6a3716d..c7322e38 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.18' - isSnapshot = false + shortVersion = '0.2.19' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From abdc5c8fddf6da0237f28b6bcc92ead5609a96dc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 14:29:05 +0200 Subject: [PATCH 0086/1450] Fix license of KleopatraCompatibilityTest --- .../test/java/investigations/KleopatraCompatibilityTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java b/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java index 9781cb6b..cb6a26b9 100644 --- a/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java +++ b/pgpainless-core/src/test/java/investigations/KleopatraCompatibilityTest.java @@ -1,6 +1,6 @@ // SPDX-FileCopyrightText: 2021 Paul Schaub // -// SPDX-License-Identifier: CC0-1.0 +// SPDX-License-Identifier: Apache-2.0 package investigations; From aed06fc83205e3b3d8db9707d8b0af85e74b56f8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 15:54:34 +0200 Subject: [PATCH 0087/1450] Add MessageInspector.determineEncryptionInfo(String) --- .../decryption_verification/MessageInspector.java | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index e8b04afb..5883163a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -4,6 +4,7 @@ package org.pgpainless.decryption_verification; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; @@ -69,6 +70,18 @@ public final class MessageInspector { } + /** + * Parses parts of the provided OpenPGP message in order to determine which keys were used to encrypt it. + * + * @param message OpenPGP message + * @return encryption info + * @throws PGPException + * @throws IOException + */ + public static EncryptionInfo determineEncryptionInfoForMessage(String message) throws PGPException, IOException { + return determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes("UTF-8"))); + } + /** * Parses parts of the provided OpenPGP message in order to determine which keys were used to encrypt it. * Note: This method does not rewind the passed in Stream, so you might need to take care of that yourselves. From e8bf2ea9e7c38642a0031998b0f9133f6a865d58 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 15:54:50 +0200 Subject: [PATCH 0088/1450] Add tests for message inspection --- .../MessageInspectorTest.java | 46 ++++++++++++++++--- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java index 2f08a432..dd47ec4b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java @@ -8,9 +8,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.ByteArrayInputStream; import java.io.IOException; -import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.Test; @@ -29,8 +27,7 @@ public class MessageInspectorTest { "=IICf\n" + "-----END PGP MESSAGE-----\n"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage( - new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); assertFalse(info.isPassphraseEncrypted()); assertFalse(info.isSignedOnly()); @@ -55,7 +52,7 @@ public class MessageInspectorTest { "=z6e0\n" + "-----END PGP MESSAGE-----"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); assertTrue(info.isEncrypted()); assertTrue(info.isPassphraseEncrypted()); @@ -77,7 +74,7 @@ public class MessageInspectorTest { "=nt5n\n" + "-----END PGP MESSAGE-----"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); assertTrue(info.isSignedOnly()); @@ -100,7 +97,7 @@ public class MessageInspectorTest { "KK0Ymg5GrsBTEGFm4jb1p+V85PPhsIioX3np/N3fkIfxFguTGZza33/GHy61+DTy\n" + "=SZU6\n" + "-----END PGP MESSAGE-----"; - MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))); + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); // Message is encrypted, so we cannot determine if it is signed or not. // It is not signed only @@ -110,4 +107,39 @@ public class MessageInspectorTest { assertTrue(info.isPassphraseEncrypted()); assertEquals(1, info.getKeyIds().size()); } + + @Test + public void testPlaintextMessage() throws IOException, PGPException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "Comment: Literal Data\n" + + "\n" + + "yyl0CF9DT05TT0xFYXlXgUp1c3Qgc29tZSB1bmVuY3J5cHRlZCBkYXRhLg==\n" + + "=jVNT\n" + + "-----END PGP MESSAGE-----"; + + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + assertFalse(info.isEncrypted()); + assertFalse(info.isSignedOnly()); + assertFalse(info.isPassphraseEncrypted()); + assertTrue(info.getKeyIds().isEmpty()); + } + + @Test + public void testCompressedPlaintextMessage() throws IOException, PGPException { + String message = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "Comment: Compressed Literal Data\n" + + "\n" + + "owE7HVDCEe/s7xfs7+OaWBmxJDw1L08hIzOvJLVIwS0nMzU9NQ9Op0FoHRgDQ0Fe\n" + + "YnKGHgA=\n" + + "=jw3E\n" + + "-----END PGP MESSAGE-----"; + + MessageInspector.EncryptionInfo info = MessageInspector.determineEncryptionInfoForMessage(message); + assertFalse(info.isEncrypted()); + assertFalse(info.isSignedOnly()); + assertFalse(info.isPassphraseEncrypted()); + assertTrue(info.getKeyIds().isEmpty()); + } } From bc2afea7edfee60c84451df1692ed1ea2ad7e48d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 17:11:40 +0200 Subject: [PATCH 0089/1450] Add toString() methods for SignatureVerification & failure --- .../SignatureVerification.java | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java index 6063d72a..7ccd6129 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java @@ -7,6 +7,7 @@ package org.pgpainless.decryption_verification; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.util.encoders.Hex; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.SubkeyIdentifier; @@ -52,6 +53,12 @@ public class SignatureVerification { return signingKey; } + @Override + public String toString() { + return "Signature: " + (signature != null ? Hex.toHexString(signature.getDigestPrefix()) : "null") + + "; Key: " + (signingKey != null ? signingKey.toString() : "null") + ";"; + } + /** * Tuple object of a {@link SignatureVerification} and the corresponding {@link SignatureValidationException} * that caused the verification to fail. @@ -90,5 +97,10 @@ public class SignatureVerification { public SignatureValidationException getValidationException() { return validationException; } + + @Override + public String toString() { + return signatureVerification.toString() + " Failure: " + getValidationException().getMessage(); + } } } From 383f51277eea2390034bde1c120c6638748b26b6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 27 Oct 2021 17:12:06 +0200 Subject: [PATCH 0090/1450] Prepare for V5 keys: Extract abstract super class OpenPgpFingerprint from OpenPgpV4Fingerprint --- .../pgpainless/key/OpenPgpFingerprint.java | 135 +++++++++++++++++ .../pgpainless/key/OpenPgpV4Fingerprint.java | 137 +++++++----------- 2 files changed, 185 insertions(+), 87 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java new file mode 100644 index 00000000..e9db3f5e --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java @@ -0,0 +1,135 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key; + +import java.nio.charset.Charset; +import javax.annotation.Nonnull; + +import org.bouncycastle.openpgp.PGPKeyRing; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.encoders.Hex; + +/** + * Abstract super class of different version OpenPGP fingerprints. + * + * @param subclass type + */ +public abstract class OpenPgpFingerprint implements CharSequence, Comparable { + protected static final Charset utf8 = Charset.forName("UTF-8"); + protected final String fingerprint; + + /** + * Return the fingerprint of the given key. + * This method automatically matches key versions to fingerprint implementations. + * + * @param key key + * @return fingerprint + */ + public static OpenPgpFingerprint of(PGPPublicKey key) { + if (key.getVersion() == 4) { + return new OpenPgpV4Fingerprint(key); + } + throw new IllegalArgumentException("OpenPGP keys of version " + key.getVersion() + " are not supported."); + } + + /** + * Return the fingerprint of the primary key of the given key ring. + * This method automatically matches key versions to fingerprint implementations. + * + * @param ring key ring + * @return fingerprint + */ + public static OpenPgpFingerprint of(PGPKeyRing ring) { + return of(ring.getPublicKey()); + } + + public OpenPgpFingerprint(String fingerprint) { + String fp = fingerprint.replace(" ", "").trim().toUpperCase(); + if (!isValid(fp)) { + throw new IllegalArgumentException( + String.format("Fingerprint '%s' does not appear to be a valid OpenPGP V%d fingerprint.", fingerprint, getVersion()) + ); + } + this.fingerprint = fp; + } + + public OpenPgpFingerprint(@Nonnull byte[] bytes) { + this(new String(bytes, utf8)); + } + + public OpenPgpFingerprint(PGPPublicKey key) { + this(Hex.encode(key.getFingerprint())); + if (key.getVersion() != getVersion()) { + throw new IllegalArgumentException(String.format("Key is not a v%d OpenPgp key.", getVersion())); + } + } + + public OpenPgpFingerprint(@Nonnull PGPPublicKeyRing ring) { + this(ring.getPublicKey()); + } + + public OpenPgpFingerprint(@Nonnull PGPSecretKeyRing ring) { + this(ring.getPublicKey()); + } + + public OpenPgpFingerprint(@Nonnull PGPKeyRing ring) { + this(ring.getPublicKey()); + } + + /** + * Return the version of the fingerprint. + * + * @return version + */ + public abstract int getVersion(); + + /** + * Check, whether the fingerprint consists of 40 valid hexadecimal characters. + * @param fp fingerprint to check. + * @return true if fingerprint is valid. + */ + protected abstract boolean isValid(@Nonnull String fp); + + /** + * Return the key id of the OpenPGP public key this {@link OpenPgpFingerprint} belongs to. + * This method can be implemented for V4 and V5 fingerprints. + * V3 key-IDs cannot be derived from the fingerprint, but we don't care, since V3 is deprecated. + * + * @see + * RFC-4880 §12.2: Key IDs and Fingerprints + * @return key id + */ + public abstract long getKeyId(); + + @Override + public int length() { + return fingerprint.length(); + } + + @Override + public char charAt(int i) { + return fingerprint.charAt(i); + } + + @Override + public CharSequence subSequence(int i, int i1) { + return fingerprint.subSequence(i, i1); + } + + @Override + @Nonnull + public String toString() { + return fingerprint; + } + + /** + * Return a pretty printed representation of the fingerprint. + * + * @return pretty printed fingerprint + */ + public abstract String prettyPrint(); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java index b368e370..a1e6eb7f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java @@ -8,7 +8,6 @@ import java.net.URI; import java.net.URISyntaxException; import java.nio.Buffer; import java.nio.ByteBuffer; -import java.nio.charset.Charset; import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPKeyRing; @@ -21,13 +20,10 @@ import org.bouncycastle.util.encoders.Hex; /** * This class represents an hex encoded, uppercase OpenPGP v4 fingerprint. */ -public class OpenPgpV4Fingerprint implements CharSequence, Comparable { +public class OpenPgpV4Fingerprint extends OpenPgpFingerprint { public static final String SCHEME = "openpgp4fpr"; - private static final Charset utf8 = Charset.forName("UTF-8"); - private final String fingerprint; - /** * Create an {@link OpenPgpV4Fingerprint}. * @see @@ -35,57 +31,20 @@ public class OpenPgpV4Fingerprint implements CharSequence, Comparable - * RFC-4880 §12.2: Key IDs and Fingerprints - * @return key id - */ + @Override public long getKeyId() { byte[] bytes = Hex.decode(toString().getBytes(utf8)); ByteBuffer buf = ByteBuffer.wrap(bytes); @@ -97,6 +56,45 @@ public class OpenPgpV4Fingerprint implements CharSequence, Comparable Date: Wed, 27 Oct 2021 17:38:25 +0200 Subject: [PATCH 0091/1450] V5 Key-readyness: Replace usages of OpenPgpV4Fingerprint with abstract super class --- .../OpenPgpMetadata.java | 6 ++-- .../encryption_signing/EncryptionOptions.java | 4 +-- .../encryption_signing/SigningOptions.java | 4 +-- .../pgpainless/key/OpenPgpFingerprint.java | 7 ++--- .../pgpainless/key/OpenPgpV4Fingerprint.java | 10 +++---- .../org/pgpainless/key/SubkeyIdentifier.java | 28 +++++++++---------- .../org/pgpainless/key/info/KeyRingInfo.java | 18 ++++++------ .../secretkeyring/SecretKeyRingEditor.java | 14 +++++----- .../SecretKeyRingEditorInterface.java | 12 ++++---- .../CachingSecretKeyRingProtector.java | 4 +-- .../signature/DetachedSignatureCheck.java | 6 ++-- .../signature/OnePassSignatureCheck.java | 3 +- .../pgpainless/signature/SignatureUtils.java | 10 +++++-- .../signature/SignatureValidator.java | 6 ++-- .../subpackets/SignatureSubpacketsUtil.java | 12 ++++---- .../java/org/pgpainless/util/ArmorUtils.java | 4 +-- .../signature/SignatureStructureTest.java | 2 +- 17 files changed, 78 insertions(+), 72 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java index 48afd5af..9dfc8076 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java @@ -23,7 +23,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.StreamEncoding; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; public class OpenPgpMetadata { @@ -201,7 +201,7 @@ public class OpenPgpMetadata { */ public boolean containsVerifiedSignatureFrom(PGPPublicKeyRing certificate) { for (PGPPublicKey key : certificate) { - OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(key); + OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(key); if (containsVerifiedSignatureFrom(fingerprint)) { return true; } @@ -218,7 +218,7 @@ public class OpenPgpMetadata { * @param fingerprint fingerprint of primary key or signing subkey * @return true if validly signed, false otherwise */ - public boolean containsVerifiedSignatureFrom(OpenPgpV4Fingerprint fingerprint) { + public boolean containsVerifiedSignatureFrom(OpenPgpFingerprint fingerprint) { for (SubkeyIdentifier verifiedSigningKey : getVerifiedSignatures().keySet()) { if (verifiedSigningKey.getPrimaryKeyFingerprint().equals(fingerprint) || verifiedSigningKey.getSubkeyFingerprint().equals(fingerprint)) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index b75e0081..65948168 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -23,7 +23,7 @@ import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyAccessor; import org.pgpainless.key.info.KeyRingInfo; @@ -187,7 +187,7 @@ public class EncryptionOptions { KeyRingInfo info = new KeyRingInfo(key, new Date()); Date primaryKeyExpiration = info.getPrimaryKeyExpirationDate(); if (primaryKeyExpiration != null && primaryKeyExpiration.before(new Date())) { - throw new IllegalArgumentException("Provided key " + new OpenPgpV4Fingerprint(key) + " is expired: " + primaryKeyExpiration.toString()); + throw new IllegalArgumentException("Provided key " + OpenPgpFingerprint.of(key) + " is expired: " + primaryKeyExpiration); } List encryptionSubkeys = encryptionKeySelectionStrategy .selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose)); diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index 651e96ea..c1714c89 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -27,7 +27,7 @@ import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.exception.KeyCannotSignException; import org.pgpainless.exception.KeyValidationError; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -159,7 +159,7 @@ public final class SigningOptions { List signingPubKeys = keyRingInfo.getSigningSubkeys(); if (signingPubKeys.isEmpty()) { - throw new KeyCannotSignException("Key " + new OpenPgpV4Fingerprint(secretKey) + " has no valid signing key."); + throw new KeyCannotSignException("Key " + OpenPgpFingerprint.of(secretKey) + " has no valid signing key."); } for (PGPPublicKey signingPubKey : signingPubKeys) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java index e9db3f5e..318f7a05 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java @@ -16,9 +16,8 @@ import org.bouncycastle.util.encoders.Hex; /** * Abstract super class of different version OpenPGP fingerprints. * - * @param subclass type */ -public abstract class OpenPgpFingerprint implements CharSequence, Comparable { +public abstract class OpenPgpFingerprint implements CharSequence, Comparable { protected static final Charset utf8 = Charset.forName("UTF-8"); protected final String fingerprint; @@ -29,7 +28,7 @@ public abstract class OpenPgpFingerprint impleme * @param key key * @return fingerprint */ - public static OpenPgpFingerprint of(PGPPublicKey key) { + public static OpenPgpFingerprint of(PGPPublicKey key) { if (key.getVersion() == 4) { return new OpenPgpV4Fingerprint(key); } @@ -43,7 +42,7 @@ public abstract class OpenPgpFingerprint impleme * @param ring key ring * @return fingerprint */ - public static OpenPgpFingerprint of(PGPKeyRing ring) { + public static OpenPgpFingerprint of(PGPKeyRing ring) { return of(ring.getPublicKey()); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java index a1e6eb7f..b5b3d4a7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java @@ -18,9 +18,9 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.encoders.Hex; /** - * This class represents an hex encoded, uppercase OpenPGP v4 fingerprint. + * This class represents a hex encoded, uppercase OpenPGP v4 fingerprint. */ -public class OpenPgpV4Fingerprint extends OpenPgpFingerprint { +public class OpenPgpV4Fingerprint extends OpenPgpFingerprint { public static final String SCHEME = "openpgp4fpr"; @@ -129,7 +129,7 @@ public class OpenPgpV4Fingerprint extends OpenPgpFingerprint bindingSignatures = subjectPubKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode()); @@ -425,7 +425,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } if (oldSignature == null) { - throw new IllegalStateException("Key " + new OpenPgpV4Fingerprint(subjectPubKey) + " does not have a previous subkey binding signature."); + throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + " does not have a previous subkey binding signature."); } return oldSignature; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 5b8f329f..fc78f95c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -15,7 +15,7 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -104,7 +104,7 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the secret key ring * @return the builder */ - SecretKeyRingEditorInterface deleteSubKey(OpenPgpV4Fingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector); + SecretKeyRingEditorInterface deleteSubKey(OpenPgpFingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector); /** * Delete a subkey from the key ring. @@ -150,7 +150,7 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the secret key ring * @return the builder */ - default SecretKeyRingEditorInterface revokeSubKey(OpenPgpV4Fingerprint fingerprint, + default SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return revokeSubKey(fingerprint, secretKeyRingProtector, null); @@ -166,7 +166,7 @@ public interface SecretKeyRingEditorInterface { * @param revocationAttributes reason for the revocation * @return the builder */ - SecretKeyRingEditorInterface revokeSubKey(OpenPgpV4Fingerprint fingerprint, + SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector, RevocationAttributes revocationAttributes) throws PGPException; @@ -249,7 +249,7 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the priary key * @return the builder */ - SecretKeyRingEditorInterface setExpirationDate(OpenPgpV4Fingerprint fingerprint, + SecretKeyRingEditorInterface setExpirationDate(OpenPgpFingerprint fingerprint, Date expiration, SecretKeyRingProtector secretKeyRingProtector) throws PGPException; @@ -270,7 +270,7 @@ public interface SecretKeyRingEditorInterface { RevocationAttributes revocationAttributes) throws PGPException; - default PGPSignature createRevocationCertificate(OpenPgpV4Fingerprint subkeyFingerprint, + default PGPSignature createRevocationCertificate(OpenPgpFingerprint subkeyFingerprint, SecretKeyRingProtector secretKeyRingProtector, RevocationAttributes revocationAttributes) throws PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index 192fb9f9..d0cdd59e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -15,7 +15,7 @@ import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; import org.pgpainless.util.Passphrase; @@ -84,7 +84,7 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se addPassphrase(key.getKeyID(), passphrase); } - public void addPassphrase(@Nonnull OpenPgpV4Fingerprint fingerprint, @Nullable Passphrase passphrase) { + public void addPassphrase(@Nonnull OpenPgpFingerprint fingerprint, @Nullable Passphrase passphrase) { addPassphrase(fingerprint.getKeyId(), passphrase); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java index ab481b72..2ffcff0e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java @@ -6,7 +6,7 @@ package org.pgpainless.signature; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; /** @@ -59,13 +59,13 @@ public class DetachedSignatureCheck { } /** - * Return the {@link OpenPgpV4Fingerprint} of the key that created the signature. + * Return the {@link OpenPgpFingerprint} of the key that created the signature. * * @return fingerprint of the signing key * @deprecated use {@link #getSigningKeyIdentifier()} instead. */ @Deprecated - public OpenPgpV4Fingerprint getFingerprint() { + public OpenPgpFingerprint getFingerprint() { return signingKeyIdentifier.getSubkeyFingerprint(); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java index 4fcfe239..ec22b6ab 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java @@ -7,7 +7,6 @@ package org.pgpainless.signature; import org.bouncycastle.openpgp.PGPOnePassSignature; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier; /** @@ -45,7 +44,7 @@ public class OnePassSignatureCheck { } /** - * Return the {@link OpenPgpV4Fingerprint} of the signing key. + * Return an identifier for the signing key. * * @return signing key fingerprint */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index 754f3e7e..c4468b89 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -33,7 +33,7 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; @@ -286,8 +286,14 @@ public final class SignatureUtils { * @return signatures issuing key id */ public static long determineIssuerKeyId(PGPSignature signature) { + if (signature.getVersion() == 3) { + // V3 sigs do not contain subpackets + return signature.getKeyID(); + } + IssuerKeyID issuerKeyId = SignatureSubpacketsUtil.getIssuerKeyId(signature); - OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature); + OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature); + if (issuerKeyId != null && issuerKeyId.getKeyID() != 0) { return issuerKeyId.getKeyID(); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java index 69a7a80a..0a4947af 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java @@ -28,7 +28,7 @@ import org.pgpainless.algorithm.SignatureSubpacket; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.policy.Policy; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.BCUtil; @@ -57,7 +57,7 @@ public abstract class SignatureValidator { return new SignatureValidator() { @Override public void verify(PGPSignature signature) throws SignatureValidationException { - OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey); + OpenPgpFingerprint signingKeyFingerprint = OpenPgpFingerprint.of(signingKey); Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature); if (issuer != null) { @@ -66,7 +66,7 @@ public abstract class SignatureValidator { } } - OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature); + OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature); if (fingerprint != null) { if (!fingerprint.equals(signingKeyFingerprint)) { throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")"); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index 226be119..4792a362 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -43,6 +43,7 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SignatureSubpacket; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.signature.SignatureUtils; @@ -71,23 +72,24 @@ public final class SignatureSubpacketsUtil { } /** - * Return the {@link IssuerFingerprint} subpacket of the signature into a {@link OpenPgpV4Fingerprint}. + * Return the {@link IssuerFingerprint} subpacket of the signature into a {@link org.pgpainless.key.OpenPgpFingerprint}. * If no v4 issuer fingerprint is present in the signature, return null. * * @param signature signature * @return v4 fingerprint of the issuer, or null */ - public static OpenPgpV4Fingerprint getIssuerFingerprintAsOpenPgpV4Fingerprint(PGPSignature signature) { + public static OpenPgpFingerprint getIssuerFingerprintAsOpenPgpFingerprint(PGPSignature signature) { IssuerFingerprint subpacket = getIssuerFingerprint(signature); if (subpacket == null) { return null; } + OpenPgpFingerprint fingerprint = null; if (subpacket.getKeyVersion() == 4) { - OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(Hex.encode(subpacket.getFingerprint())); - return fingerprint; + fingerprint = new OpenPgpV4Fingerprint(Hex.encode(subpacket.getFingerprint())); } - return null; + + return fingerprint; } /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java index f94a4ce3..41aac842 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java @@ -26,7 +26,7 @@ import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.util.io.Streams; import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; public final class ArmorUtils { @@ -96,7 +96,7 @@ public final class ArmorUtils { private static MultiMap keyToHeader(PGPKeyRing keyRing) { MultiMap header = new MultiMap<>(); - OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(keyRing); + OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(keyRing); Iterator userIds = keyRing.getPublicKey().getUserIDs(); header.put(HEADER_COMMENT, fingerprint.prettyPrint()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java index 14d57567..84eecdb5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java @@ -75,7 +75,7 @@ public class SignatureStructureTest { @Test public void testGetIssuerFingerprint() { assertEquals(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330"), - SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature)); + SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature)); } @Test From 2d364d0939825b920524e9a5cc6a26c24ffdb109 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:08:11 +0200 Subject: [PATCH 0092/1450] Replace OpenPgpV4Fingerprint with OpenPgpFingerprint in examples --- .../src/test/java/org/pgpainless/example/ModifyKeys.java | 4 ++-- .../src/test/java/org/pgpainless/example/ReadKeys.java | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 6c5daff8..8a205c9c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -26,7 +26,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.exception.WrongPassphraseException; -import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; @@ -227,7 +227,7 @@ public class ModifyKeys { secretKey = PGPainless.modifyKeyRing(secretKey) .setExpirationDate( - new OpenPgpV4Fingerprint(secretKey.getPublicKey(encryptionSubkeyId)), + OpenPgpFingerprint.of(secretKey.getPublicKey(encryptionSubkeyId)), expirationDate, protector ) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index ca819233..cc23725b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -14,6 +14,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.info.KeyRingInfo; @@ -47,7 +48,7 @@ public class ReadKeys { KeyRingInfo keyInfo = new KeyRingInfo(publicKey); - OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); + OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); } @@ -83,7 +84,7 @@ public class ReadKeys { KeyRingInfo keyInfo = new KeyRingInfo(secretKey); - OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); + OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94 4E63 F231 550C 4F47 E38E"); assertEquals(fingerprint, keyInfo.getFingerprint()); assertEquals("Alice Lovelace ", keyInfo.getPrimaryUserId()); } From a9a61bc7998ab3cb2dcf231e851502e998614daa Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:28:14 +0200 Subject: [PATCH 0093/1450] Improve library usage of slf4j and logback. Logback-classic is now a test dependency and is additionally declared as OPTIONAL runtime dependency. Applications that don't want to use logback can now easily disable it by not explicitly depending on it. --- build.gradle | 1 + pgpainless-cli/build.gradle | 9 +++--- pgpainless-cli/src/main/resources/logback.xml | 18 ++++++++---- .../src/test/resources/logback-test.xml | 25 ++++++++++++++++ pgpainless-core/build.gradle | 4 ++- .../src/main/resources/logback.xml | 18 ------------ .../src/test/resources/logback-test.xml | 29 +++++++++++++++++++ pgpainless-sop/build.gradle | 8 +++-- sop-java-picocli/build.gradle | 1 + 9 files changed, 82 insertions(+), 31 deletions(-) create mode 100644 pgpainless-cli/src/test/resources/logback-test.xml delete mode 100644 pgpainless-core/src/main/resources/logback.xml create mode 100644 pgpainless-core/src/test/resources/logback-test.xml diff --git a/build.gradle b/build.gradle index cac39a9e..15ee13a1 100644 --- a/build.gradle +++ b/build.gradle @@ -65,6 +65,7 @@ allprojects { project.ext { slf4jVersion = '1.7.32' + logbackVersion = '1.2.6' junitVersion = '5.7.2' picocliVersion = '4.6.1' rootConfigDir = new File(rootDir, 'config') diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle index 4c892360..90d1837f 100644 --- a/pgpainless-cli/build.gradle +++ b/pgpainless-cli/build.gradle @@ -33,16 +33,17 @@ dependencies { testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" // https://todd.ginsberg.com/post/testing-system-exit/ testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' - // We want logback logging in tests - testImplementation 'ch.qos.logback:logback-classic:1.2.5' + + // implementation "ch.qos.logback:logback-core:1.2.6" + // We want logback logging in tests and in the app + testImplementation "ch.qos.logback:logback-classic:$logbackVersion" + implementation "ch.qos.logback:logback-classic:$logbackVersion" implementation(project(":pgpainless-sop")) implementation(project(":sop-java")) implementation(project(":sop-java-picocli")) implementation "info.picocli:picocli:$picocliVersion" - // We don't want logging in the application itself - implementation "org.slf4j:slf4j-nop:$slf4jVersion" // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305 implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2' diff --git a/pgpainless-cli/src/main/resources/logback.xml b/pgpainless-cli/src/main/resources/logback.xml index 13cccf62..559589ef 100644 --- a/pgpainless-cli/src/main/resources/logback.xml +++ b/pgpainless-cli/src/main/resources/logback.xml @@ -4,15 +4,23 @@ SPDX-FileCopyrightText: 2021 Paul Schaub SPDX-License-Identifier: Apache-2.0 --> - + System.err - %blue(%-5level) %green(%logger{35}) - %msg %n + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n - - - + + System.out + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + + + \ No newline at end of file diff --git a/pgpainless-cli/src/test/resources/logback-test.xml b/pgpainless-cli/src/test/resources/logback-test.xml new file mode 100644 index 00000000..abb1b8fd --- /dev/null +++ b/pgpainless-cli/src/test/resources/logback-test.xml @@ -0,0 +1,25 @@ + + + + + System.err + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + System.out + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + + + \ No newline at end of file diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle index 61a3fda6..c649e71c 100644 --- a/pgpainless-core/build.gradle +++ b/pgpainless-core/build.gradle @@ -10,9 +10,11 @@ dependencies { testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" - testImplementation 'ch.qos.logback:logback-classic:1.2.5' + // Logging api "org.slf4j:slf4j-api:$slf4jVersion" + testImplementation "ch.qos.logback:logback-classic:$logbackVersion" + runtime "ch.qos.logback:logback-classic:$logbackVersion" api "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion" api "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion" diff --git a/pgpainless-core/src/main/resources/logback.xml b/pgpainless-core/src/main/resources/logback.xml deleted file mode 100644 index 13cccf62..00000000 --- a/pgpainless-core/src/main/resources/logback.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - System.err - - %blue(%-5level) %green(%logger{35}) - %msg %n - - - - - - - \ No newline at end of file diff --git a/pgpainless-core/src/test/resources/logback-test.xml b/pgpainless-core/src/test/resources/logback-test.xml new file mode 100644 index 00000000..7e4c3194 --- /dev/null +++ b/pgpainless-core/src/test/resources/logback-test.xml @@ -0,0 +1,29 @@ + + + + + System.err + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + System.out + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n + + + + + + + + + + + \ No newline at end of file diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle index 4858dbab..6f30b5db 100644 --- a/pgpainless-sop/build.gradle +++ b/pgpainless-sop/build.gradle @@ -13,10 +13,12 @@ repositories { } dependencies { - testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.0' - testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.0' + testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" + testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" - testImplementation 'ch.qos.logback:logback-classic:1.2.5' + // Logging + testImplementation "ch.qos.logback:logback-classic:$logbackVersion" + runtime "ch.qos.logback:logback-classic:$logbackVersion" implementation(project(":pgpainless-core")) implementation(project(":sop-java")) diff --git a/sop-java-picocli/build.gradle b/sop-java-picocli/build.gradle index 69cd1c52..e5d208fc 100644 --- a/sop-java-picocli/build.gradle +++ b/sop-java-picocli/build.gradle @@ -9,6 +9,7 @@ plugins { dependencies { testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" + // https://todd.ginsberg.com/post/testing-system-exit/ testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' testImplementation "org.mockito:mockito-core:3.11.2" From d96b43220a8ea42632b1e0cfcbf59779f3e6de33 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:30:00 +0200 Subject: [PATCH 0094/1450] PGPainless 0.2.19 --- CHANGELOG.md | 5 +++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cbadd28..ebb13cfd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 0.2.19 +- Some preparations for OpenPGP V5 keys: `OpenPgpV4Fingerprint` is now an implementation of `OpenPgpFingerprint` +- `SignatureVerification` and `Failure` now have `toString()` implementations +- Logging: `logback-classic` is now an optional runtime dependency + ## 0.2.18 - Fix compatibility with PGPainless < 0.2.10 - Fix interoperability with Kleopatra diff --git a/README.md b/README.md index 5913b9b6..45e58fba 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.18' + implementation 'org.pgpainless:pgpainless-core:0.2.19' } ``` diff --git a/version.gradle b/version.gradle index c7322e38..c52e9904 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '0.2.19' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From a691ac65d1b7cb34fefa4f5905f61b47d48c3b52 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:35:32 +0200 Subject: [PATCH 0095/1450] PGPainless-0.2.20-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index c52e9904..57c64a6a 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.19' - isSnapshot = false + shortVersion = '0.2.20' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 5971cd35a0ec6a96345f0093365db0056a0fa6a1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:49:52 +0200 Subject: [PATCH 0096/1450] Create SECURITY.md with information on how to report security issues --- SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..111ddd36 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 0.2.x | :white_check_mark: | +| < 0.2.0 | :x: | + +## Reporting a Vulnerability + +If you find a security relevant vulnerability inside of PGPainless, please let me know! +[Here](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A) you can find my OpenPGP key to email me confidentially. + +Valid security issues will be fixed ASAP. From 56d9067a0f101a02f1c763f04b9b6658dd73ab5c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 20:54:25 +0200 Subject: [PATCH 0097/1450] Create codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 70 +++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..b0c0bf05 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,70 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ master, release/* ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '16 10 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 78269e0294df6ac9fcca24752db61269fdb065ec Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 29 Oct 2021 21:01:12 +0200 Subject: [PATCH 0098/1450] Fix reuse compliance --- .github/workflows/codeql-analysis.yml | 4 ++++ SECURITY.md | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b0c0bf05..ab7b9e6e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,3 +1,7 @@ +# SPDX-FileCopyrightText: 2021 Paul Schaub +# +# SPDX-License-Identifier: Apache-2.0 + # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # diff --git a/SECURITY.md b/SECURITY.md index 111ddd36..cefcc181 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,10 @@ + + + # Security Policy ## Supported Versions From cf1881a1405e35f2d5865cb84ed44d6ae639551a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 30 Oct 2021 15:00:04 +0200 Subject: [PATCH 0099/1450] Fix detection of non-armored data --- .../DecryptionStreamFactory.java | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index e2b2da54..6251cfe9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -122,23 +122,23 @@ public final class DecryptionStreamFactory { private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) throws IOException, PGPException { // Make sure we handle armored and non-armored data properly BufferedInputStream bufferedIn = new BufferedInputStream(inputStream); - InputStream decoderStream = PGPUtilWrapper.getDecoderStream(bufferedIn); - - decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream); - - if (decoderStream instanceof ArmoredInputStream) { - ArmoredInputStream armor = (ArmoredInputStream) decoderStream; - - if (armor.isClearText()) { - throw new WrongConsumingMethodException("Message appears to be using the Cleartext Signature Framework. " + - "Use PGPainless.verifyCleartextSignedMessage() to verify this message instead."); - } - } - - PGPObjectFactory objectFactory = new PGPObjectFactory( - decoderStream, keyFingerprintCalculator); + InputStream decoderStream; + PGPObjectFactory objectFactory; try { + decoderStream = PGPUtilWrapper.getDecoderStream(bufferedIn); + decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream); + + if (decoderStream instanceof ArmoredInputStream) { + ArmoredInputStream armor = (ArmoredInputStream) decoderStream; + + if (armor.isClearText()) { + throw new WrongConsumingMethodException("Message appears to be using the Cleartext Signature Framework. " + + "Use PGPainless.verifyCleartextSignedMessage() to verify this message instead."); + } + } + + objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); // Parse OpenPGP message inputStream = processPGPPackets(objectFactory, 1); } catch (EOFException e) { @@ -149,12 +149,16 @@ public final class DecryptionStreamFactory { // to allow for detached signature verification. LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?"); bufferedIn.reset(); + decoderStream = bufferedIn; + objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } catch (IOException e) { if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) { // We falsely assumed the data to be armored. LOGGER.debug("The message is apparently not armored."); bufferedIn.reset(); + decoderStream = bufferedIn; + objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } else { throw e; From bd67d9c0faca40b4ee23c7dda048d89b1551c558 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 11:30:44 +0100 Subject: [PATCH 0100/1450] Rename EncryptionPurpose.STORAGE_AND_COMMUNICATION -> ANY --- .../main/java/org/pgpainless/algorithm/EncryptionPurpose.java | 4 ++-- .../decryption_verification/DecryptionStreamFactory.java | 2 +- .../org/pgpainless/encryption_signing/EncryptionOptions.java | 2 +- .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java | 2 +- .../InvestigateMultiSEIPMessageHandlingTest.java | 2 +- .../DecryptHiddenRecipientMessage.java | 2 +- .../MissingPassphraseForDecryptionTest.java | 2 +- .../src/test/java/org/pgpainless/example/GenerateKeys.java | 2 +- .../src/test/java/org/pgpainless/example/ModifyKeys.java | 2 +- .../test/java/org/pgpainless/key/info/KeyRingInfoTest.java | 2 +- .../org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java | 2 +- 11 files changed, 12 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java index 1917d837..30aa9a0f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java @@ -11,12 +11,12 @@ public enum EncryptionPurpose { */ COMMUNICATIONS, /** - * The stream will encrypt data that is stored on disk. + * The stream will encrypt data at rest. * Eg. Encrypted backup... */ STORAGE, /** * The stream will use keys with either flags to encrypt the data. */ - STORAGE_AND_COMMUNICATIONS + ANY } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 6251cfe9..ad7088f1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -316,7 +316,7 @@ public final class DecryptionStreamFactory { break; } KeyRingInfo info = new KeyRingInfo(secretKeys); - List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); for (PGPPublicKey pubkey : encryptionSubkeys) { PGPSecretKey secretKey = secretKeys.getSecretKey(pubkey.getKeyID()); // Skip missing secret key diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index 65948168..9b51d931 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -71,7 +71,7 @@ public class EncryptionOptions { * or {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE}. */ public EncryptionOptions() { - this(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + this(EncryptionPurpose.ANY); } public EncryptionOptions(EncryptionPurpose purpose) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 55b0fd8d..66c7f041 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -777,7 +777,7 @@ public class KeyRingInfo { encryptionKeys.add(subKey); } break; - case STORAGE_AND_COMMUNICATIONS: + case ANY: if (keyFlags.contains(KeyFlag.ENCRYPT_COMMS) || keyFlags.contains(KeyFlag.ENCRYPT_STORAGE)) { encryptionKeys.add(subKey); } diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java index 3e0f083b..3350203a 100644 --- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java +++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java @@ -122,7 +122,7 @@ public class InvestigateMultiSEIPMessageHandlingTest { public void generateTestMessage() throws PGPException, IOException { PGPSecretKeyRing ring1 = PGPainless.readKeyRing().secretKeyRing(KEY1); KeyRingInfo info1 = PGPainless.inspectKeyRing(ring1); - PGPPublicKey cryptKey1 = info1.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0); + PGPPublicKey cryptKey1 = info1.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); PGPSecretKey signKey1 = ring1.getSecretKey(info1.getSigningSubkeys().get(0).getKeyID()); PGPSecretKeyRing ring2 = PGPainless.readKeyRing().secretKeyRing(KEY2); KeyRingInfo info2 = PGPainless.inspectKeyRing(ring2); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java index 69d695d5..3ebe5390 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java @@ -144,7 +144,7 @@ public class DecryptHiddenRecipientMessage { assertEquals(0, metadata.getRecipientKeyIds().size()); KeyRingInfo info = new KeyRingInfo(secretKeys); - List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertEquals(1, encryptionKeys.size()); assertEquals(new SubkeyIdentifier(secretKeys, encryptionKeys.get(0).getKeyID()), metadata.getDecryptionKey()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index e7b36875..87ae2fed 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -118,7 +118,7 @@ public class MissingPassphraseForDecryptionTest { @Test public void throwExceptionStrategy() throws PGPException, IOException { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); - List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { @Nullable diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 6a791e19..1ff39cdc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -83,7 +83,7 @@ public class GenerateKeys { assertEquals(PublicKeyAlgorithm.EDDSA.getAlgorithmId(), keyInfo.getSigningSubkeys().get(0).getAlgorithm()); assertEquals(PublicKeyAlgorithm.ECDH.getAlgorithmId(), - keyInfo.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0).getAlgorithm()); + keyInfo.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getAlgorithm()); } /** diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 8a205c9c..c98d03ad 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -56,7 +56,7 @@ public class ModifyKeys { KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); primaryKeyId = info.getKeyId(); - encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0).getKeyID(); + encryptionSubkeyId = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID(); signingSubkeyId = info.getSigningSubkeys().get(0).getKeyID(); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 4a344f98..c827b7dc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -698,7 +698,7 @@ public class KeyRingInfoTest { assertFalse(info.isKeyValidlyBound(unboundKey.getKeyId())); - List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertTrue(encryptionSubkeys.stream().map(OpenPgpV4Fingerprint::new).noneMatch(f -> f.equals(unboundKey)), "Unbound subkey MUST NOT be considered a valid encryption subkey"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java index dac83a7b..4b715a76 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestTwoSubkeysEncryption.java @@ -51,7 +51,7 @@ public class TestTwoSubkeysEncryption { EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() .onOutputStream(out) .withOptions( - ProducerOptions.encrypt(new EncryptionOptions(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS) + ProducerOptions.encrypt(new EncryptionOptions(EncryptionPurpose.ANY) .addRecipient(publicKeys, EncryptionOptions.encryptToAllCapableSubkeys()) ) .setAsciiArmor(false) From 59c9ec341edd2b0fd2b26678aff3dcb5f7668e95 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 12:12:29 +0100 Subject: [PATCH 0101/1450] Hide distinction between clearsigned and inline signed message verification --- .../main/java/org/pgpainless/PGPainless.java | 22 ---------- .../ConsumerOptions.java | 25 +++++++++++ .../DecryptionBuilder.java | 25 +++++++++-- .../DecryptionStreamFactory.java | 3 +- .../CleartextSignatureProcessor.java | 6 +-- .../VerifyCleartextSignatures.java | 19 +-------- .../VerifyCleartextSignaturesImpl.java | 19 ++------- .../CleartextSignatureVerificationTest.java | 42 ++++++------------- .../pgpainless/example/DecryptOrVerify.java | 23 ++-------- 9 files changed, 69 insertions(+), 115 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java index 7d5ca4b0..5bbe0e14 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java +++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java @@ -22,8 +22,6 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac import org.pgpainless.key.parsing.KeyRingReader; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.policy.Policy; -import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignatures; -import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl; import org.pgpainless.util.ArmorUtils; public final class PGPainless { @@ -91,26 +89,6 @@ public final class PGPainless { return new DecryptionBuilder(); } - /** - * Verify a cleartext-signed message. - * Cleartext signed messages are often found in emails and look like this: - * 
-     * {@code
-     * -----BEGIN PGP SIGNED MESSAGE-----
-     * Hash: [Hash algorithm]
-     * [Human Readable Message Body]
-     * -----BEGIN PGP SIGNATURE-----
-     * [Signature]
-     * -----END PGP SIGNATURE-----
-     * }
-     *
- * - * @return builder - */ - public static VerifyCleartextSignatures verifyCleartextSignedMessage() { - return new VerifyCleartextSignaturesImpl(); - } - /** * Make changes to a key ring. * This method can be used to change key expiration dates and passphrases, or add/remove/revoke subkeys. diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index 3c1a9454..1884ee92 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -22,6 +22,8 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; +import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy; import org.pgpainless.exception.NotYetImplementedException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.SignatureUtils; @@ -50,6 +52,7 @@ public class ConsumerOptions { private final Set decryptionPassphrases = new HashSet<>(); private MissingKeyPassphraseStrategy missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE; + private MultiPassStrategy multiPassStrategy = new InMemoryMultiPassStrategy(); /** * Consider signatures on the message made before the given timestamp invalid. @@ -327,4 +330,26 @@ public class ConsumerOptions { MissingKeyPassphraseStrategy getMissingKeyPassphraseStrategy() { return missingKeyPassphraseStrategy; } + + /** + * Set a custom multi-pass strategy for processing cleartext-signed messages. + * Uses {@link InMemoryMultiPassStrategy} by default. + * + * @param multiPassStrategy multi-pass caching strategy + * @return builder + */ + public ConsumerOptions setMultiPassStrategy(@Nonnull MultiPassStrategy multiPassStrategy) { + this.multiPassStrategy = multiPassStrategy; + return this; + } + + /** + * Return the currently configured {@link MultiPassStrategy}. + * Defaults to {@link InMemoryMultiPassStrategy}. + * + * @return multi-pass strategy + */ + public MultiPassStrategy getMultiPassStrategy() { + return multiPassStrategy; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java index 6dcc355b..0611ae99 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java @@ -4,31 +4,48 @@ package org.pgpainless.decryption_verification; +import java.io.BufferedInputStream; import java.io.IOException; import java.io.InputStream; import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPException; +import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl; +import org.pgpainless.exception.WrongConsumingMethodException; public class DecryptionBuilder implements DecryptionBuilderInterface { - private InputStream inputStream; + public static int BUFFER_SIZE = 4096; @Override public DecryptWith onInputStream(@Nonnull InputStream inputStream) { - this.inputStream = inputStream; - return new DecryptWithImpl(); + return new DecryptWithImpl(inputStream); } class DecryptWithImpl implements DecryptWith { + private BufferedInputStream inputStream; + + DecryptWithImpl(InputStream inputStream) { + this.inputStream = new BufferedInputStream(inputStream, BUFFER_SIZE); + this.inputStream.mark(BUFFER_SIZE); + } + @Override public DecryptionStream withOptions(ConsumerOptions consumerOptions) throws PGPException, IOException { if (consumerOptions == null) { throw new IllegalArgumentException("Consumer options cannot be null."); } - return DecryptionStreamFactory.create(inputStream, consumerOptions); + try { + return DecryptionStreamFactory.create(inputStream, consumerOptions); + } catch (WrongConsumingMethodException e) { + inputStream.reset(); + return new VerifyCleartextSignaturesImpl() + .onInputStream(inputStream) + .withOptions(consumerOptions) + .getVerificationStream(); + } } } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index ad7088f1..66ed2d05 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -121,7 +121,8 @@ public final class DecryptionStreamFactory { private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) throws IOException, PGPException { // Make sure we handle armored and non-armored data properly - BufferedInputStream bufferedIn = new BufferedInputStream(inputStream); + BufferedInputStream bufferedIn = new BufferedInputStream(inputStream, 512); + bufferedIn.mark(512); InputStream decoderStream; PGPObjectFactory objectFactory; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index 636b78e4..87facea7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -31,11 +31,9 @@ public class CleartextSignatureProcessor { private final ArmoredInputStream in; private final ConsumerOptions options; - private final MultiPassStrategy multiPassStrategy; public CleartextSignatureProcessor(InputStream inputStream, - ConsumerOptions options, - MultiPassStrategy multiPassStrategy) + ConsumerOptions options) throws IOException { if (inputStream instanceof ArmoredInputStream) { this.in = (ArmoredInputStream) inputStream; @@ -43,7 +41,6 @@ public class CleartextSignatureProcessor { this.in = ArmoredInputStreamFactory.get(inputStream); } this.options = options; - this.multiPassStrategy = multiPassStrategy; } /** @@ -67,6 +64,7 @@ public class CleartextSignatureProcessor { .setSymmetricKeyAlgorithm(SymmetricKeyAlgorithm.NULL) .setFileEncoding(StreamEncoding.TEXT); + MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy(); PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(in, multiPassStrategy.getMessageOutputStream()); for (PGPSignature signature : signatures) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java index 31317c6c..52360869 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java @@ -4,7 +4,6 @@ package org.pgpainless.decryption_verification.cleartext_signatures; -import java.io.File; import java.io.IOException; import java.io.InputStream; @@ -20,23 +19,7 @@ public interface VerifyCleartextSignatures { * @param inputStream inputstream * @return api handle */ - WithStrategy onInputStream(InputStream inputStream); - - interface WithStrategy { - - /** - * Provide a {@link MultiPassStrategy} which is used to store the message content. - * Since cleartext-signed messages cannot be processed in one pass, the message has to be passed twice. - * Therefore the user needs to decide upon a strategy where to cache/store the message between the passes. - * This could be {@link MultiPassStrategy#writeMessageToFile(File)} or {@link MultiPassStrategy#keepMessageInMemory()}, - * depending on message size and use-case. - * - * @param multiPassStrategy strategy - * @return api handle - */ - VerifyWith withStrategy(MultiPassStrategy multiPassStrategy); - - } + VerifyWith onInputStream(InputStream inputStream); interface VerifyWith { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java index 276e027f..fde90874 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java @@ -12,31 +12,18 @@ import org.pgpainless.decryption_verification.ConsumerOptions; public class VerifyCleartextSignaturesImpl implements VerifyCleartextSignatures { private InputStream inputStream; - private MultiPassStrategy multiPassStrategy; @Override - public WithStrategy onInputStream(InputStream inputStream) { + public VerifyWithImpl onInputStream(InputStream inputStream) { VerifyCleartextSignaturesImpl.this.inputStream = inputStream; - return new WithStrategyImpl(); - } - - public class WithStrategyImpl implements WithStrategy { - - @Override - public VerifyWith withStrategy(MultiPassStrategy multiPassStrategy) { - if (multiPassStrategy == null) { - throw new NullPointerException("MultiPassStrategy cannot be null."); - } - VerifyCleartextSignaturesImpl.this.multiPassStrategy = multiPassStrategy; - return new VerifyWithImpl(); - } + return new VerifyWithImpl(); } public class VerifyWithImpl implements VerifyWith { @Override public CleartextSignatureProcessor withOptions(ConsumerOptions options) throws IOException { - return new CleartextSignatureProcessor(inputStream, options, multiPassStrategy); + return new CleartextSignatureProcessor(inputStream, options); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index c355438d..cdba4d07 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -25,9 +25,9 @@ import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; -import org.pgpainless.decryption_verification.cleartext_signatures.CleartextSignatureProcessor; import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy; +import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; @@ -79,12 +79,11 @@ public class CleartextSignatureVerificationTest { .addVerificationCert(signingKeys); InMemoryMultiPassStrategy multiPassStrategy = MultiPassStrategy.keepMessageInMemory(); - CleartextSignatureProcessor processor = PGPainless.verifyCleartextSignedMessage() + options.setMultiPassStrategy(multiPassStrategy); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(MESSAGE_SIGNED)) - .withStrategy(multiPassStrategy) .withOptions(options); - DecryptionStream decryptionStream = processor.getVerificationStream(); ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(decryptionStream, out); decryptionStream.close(); @@ -107,13 +106,11 @@ public class CleartextSignatureVerificationTest { File tempDir = TestUtils.createTempDirectory(); File file = new File(tempDir, "file"); MultiPassStrategy multiPassStrategy = MultiPassStrategy.writeMessageToFile(file); - CleartextSignatureProcessor processor = PGPainless.verifyCleartextSignedMessage() + options.setMultiPassStrategy(multiPassStrategy); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(MESSAGE_SIGNED)) - .withStrategy(multiPassStrategy) .withOptions(options); - DecryptionStream decryptionStream = processor.getVerificationStream(); - ByteArrayOutputStream out = new ByteArrayOutputStream(); Streams.pipeAll(decryptionStream, out); decryptionStream.close(); @@ -173,18 +170,6 @@ public class CleartextSignatureVerificationTest { assertEquals(1, metadata.getVerifiedSignatures().size()); } - @Test - public void consumingCleartextSignedMessageWithNormalAPIThrowsWrongConsumingMethodException() throws IOException, PGPException { - PGPPublicKeyRing certificate = TestKeys.getEmilPublicKeyRing(); - ConsumerOptions options = new ConsumerOptions() - .addVerificationCert(certificate); - - assertThrows(WrongConsumingMethodException.class, () -> - PGPainless.decryptAndOrVerify() - .onInputStream(new ByteArrayInputStream(MESSAGE_SIGNED)) - .withOptions(options)); - } - @Test public void consumingInlineSignedMessageWithCleartextSignedVerificationApiThrowsWrongConsumingMethodException() throws PGPException, IOException { String inlineSignedMessage = "-----BEGIN PGP MESSAGE-----\n" + @@ -207,11 +192,10 @@ public class CleartextSignatureVerificationTest { .addVerificationCert(certificate); assertThrows(WrongConsumingMethodException.class, () -> - PGPainless.verifyCleartextSignedMessage() - .onInputStream(new ByteArrayInputStream(inlineSignedMessage.getBytes(StandardCharsets.UTF_8))) - .withStrategy(new InMemoryMultiPassStrategy()) - .withOptions(options) - .getVerificationStream()); + new VerifyCleartextSignaturesImpl() + .onInputStream(new ByteArrayInputStream(inlineSignedMessage.getBytes(StandardCharsets.UTF_8))) + .withOptions(options) + .getVerificationStream()); } @Test @@ -223,7 +207,7 @@ public class CleartextSignatureVerificationTest { ByteArrayOutputStream signedOut = new ByteArrayOutputStream(); EncryptionStream signingStream = PGPainless.encryptAndOrSign().onOutputStream(signedOut) .withOptions(ProducerOptions.sign(SigningOptions.get() - .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)) .setCleartextSigned()); Streams.pipeAll(msgIn, signingStream); @@ -232,12 +216,10 @@ public class CleartextSignatureVerificationTest { String signed = signedOut.toString(); ByteArrayInputStream signedIn = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); - DecryptionStream verificationStream = PGPainless.verifyCleartextSignedMessage() + DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withStrategy(new InMemoryMultiPassStrategy()) .withOptions(new ConsumerOptions() - .addVerificationCert(TestKeys.getEmilPublicKeyRing())) - .getVerificationStream(); + .addVerificationCert(TestKeys.getEmilPublicKeyRing())); ByteArrayOutputStream msgOut = new ByteArrayOutputStream(); Streams.pipeAll(verificationStream, msgOut); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java index da641325..d0f3461c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java @@ -7,7 +7,6 @@ package org.pgpainless.example; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -24,11 +23,9 @@ import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; -import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.SigningOptions; -import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.key.protection.SecretKeyRingProtector; public class DecryptOrVerify { @@ -97,22 +94,10 @@ public class DecryptOrVerify { for (String signed : new String[] {INBAND_SIGNED, CLEARTEXT_SIGNED}) { ByteArrayOutputStream out = new ByteArrayOutputStream(); ByteArrayInputStream in = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8)); - BufferedInputStream bufIn = new BufferedInputStream(in); - bufIn.mark(512); DecryptionStream verificationStream; - try { verificationStream = PGPainless.decryptAndOrVerify() - .onInputStream(bufIn) + .onInputStream(in) .withOptions(options); - } catch (WrongConsumingMethodException e) { - bufIn.reset(); - // Cleartext Signed Message - verificationStream = PGPainless.verifyCleartextSignedMessage() - .onInputStream(bufIn) - .withStrategy(new InMemoryMultiPassStrategy()) - .withOptions(options) - .getVerificationStream(); - } Streams.pipeAll(verificationStream, out); verificationStream.close(); @@ -140,11 +125,9 @@ public class DecryptOrVerify { ByteArrayInputStream signedIn = new ByteArrayInputStream(out.toByteArray()); - DecryptionStream verificationStream = PGPainless.verifyCleartextSignedMessage() + DecryptionStream verificationStream = PGPainless.decryptAndOrVerify() .onInputStream(signedIn) - .withStrategy(new InMemoryMultiPassStrategy()) - .withOptions(new ConsumerOptions().addVerificationCert(certificate)) - .getVerificationStream(); + .withOptions(new ConsumerOptions().addVerificationCert(certificate)); ByteArrayOutputStream plain = new ByteArrayOutputStream(); Streams.pipeAll(verificationStream, plain); From 03a350d279bb0bbebf10a3f39aacf011d3e22f37 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 12:23:05 +0100 Subject: [PATCH 0102/1450] Separate key generation from scratch and from templates in to buildKeyRing() and generateKeyRing() --- .../main/java/org/pgpainless/PGPainless.java | 14 +- .../key/generation/KeyRingBuilder.java | 162 +-------------- .../key/generation/KeyRingTemplates.java | 184 ++++++++++++++++++ .../EncryptDecryptTest.java | 2 +- .../EncryptionOptionsTest.java | 4 +- .../encryption_signing/SigningTest.java | 8 +- .../org/pgpainless/example/GenerateKeys.java | 6 +- .../BrainpoolKeyGenerationTest.java | 4 +- ...rtificationKeyMustBeAbleToCertifyTest.java | 2 +- .../GenerateEllipticCurveKeyTest.java | 2 +- .../GenerateKeyWithAdditionalUserIdTest.java | 2 +- .../GenerateWithEmptyPassphraseTest.java | 2 +- .../pgpainless/key/info/KeyRingInfoTest.java | 4 +- .../key/info/UserIdRevocationTest.java | 4 +- .../java/org/pgpainless/util/BCUtilTest.java | 2 +- .../util/GuessPreferredHashAlgorithmTest.java | 2 +- ...ncryptCommsStorageFlagsDifferentiated.java | 2 +- 17 files changed, 220 insertions(+), 186 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java index 5bbe0e14..6813434c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java +++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java @@ -16,6 +16,7 @@ import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.encryption_signing.EncryptionBuilder; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.key.generation.KeyRingBuilder; +import org.pgpainless.key.generation.KeyRingTemplates; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor; import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface; @@ -31,10 +32,19 @@ public final class PGPainless { } /** - * Generate a new OpenPGP key ring. + * Generate a fresh OpenPGP key ring from predefined templates. + * @return templates + */ + public static KeyRingTemplates generateKeyRing() { + return new KeyRingTemplates(); + } + + /** + * Build a custom OpenPGP key ring. + * * @return builder */ - public static KeyRingBuilder generateKeyRing() { + public static KeyRingBuilder buildKeyRing() { return new KeyRingBuilder(); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index b5fe326d..c9419d28 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -41,14 +41,10 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.generation.type.eddsa.EdDSACurve; -import org.pgpainless.key.generation.type.rsa.RsaLength; -import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.key.util.UserId; import org.pgpainless.provider.ProviderFactory; -import org.pgpainless.util.Passphrase; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; +import org.pgpainless.util.Passphrase; public class KeyRingBuilder implements KeyRingBuilderInterface { @@ -64,158 +60,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private Passphrase passphrase = null; private Date expirationDate = null; - /** - * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}. - * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. - * - * @param userId user id. - * @param length length in bits. - * - * @return {@link PGPSecretKeyRing} containing the KeyPair. - */ - public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleRsaKeyRing(userId.toString(), length); - } - - /** - * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}. - * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. - * - * @param userId user id. - * @param length length in bits. - * - * @return {@link PGPSecretKeyRing} containing the KeyPair. - */ - public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleRsaKeyRing(userId, length, null); - } - - /** - * Creates a simple RSA KeyPair of length {@code length} with user-id {@code userId}. - * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. - * - * @param userId user id. - * @param length length in bits. - * @param password Password of the key. Can be null for unencrypted keys. - * - * @return {@link PGPSecretKeyRing} containing the KeyPair. - */ - public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length, String password) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleRsaKeyRing(userId.toString(), length, password); - } - - /** - * Creates a simple RSA KeyPair of length {@code length} with user-id {@code userId}. - * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. - * - * @param userId user id. - * @param length length in bits. - * @param password Password of the key. Can be null for unencrypted keys. - * - * @return {@link PGPSecretKeyRing} containing the KeyPair. - */ - public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password) - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - KeyRingBuilder builder = new KeyRingBuilder() - .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) - .addUserId(userId); - - if (!isNullOrEmpty(password)) { - builder.setPassphrase(Passphrase.fromPassword(password)); - } - return builder.build(); - } - - /** - * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. - * The EdDSA primary key is used for signing messages and certifying the sub key. - * The XDH subkey is used for encryption and decryption of messages. - * - * @param userId user-id - * - * @return {@link PGPSecretKeyRing} containing the key pairs. - */ - public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleEcKeyRing(userId.toString()); - } - - /** - * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. - * The EdDSA primary key is used for signing messages and certifying the sub key. - * The XDH subkey is used for encryption and decryption of messages. - * - * @param userId user-id - * - * @return {@link PGPSecretKeyRing} containing the key pairs. - */ - public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleEcKeyRing(userId, null); - } - - /** - * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. - * The EdDSA primary key is used for signing messages and certifying the sub key. - * The XDH subkey is used for encryption and decryption of messages. - * - * @param userId user-id - * @param password Password of the private key. Can be null for an unencrypted key. - * - * @return {@link PGPSecretKeyRing} containing the key pairs. - */ - public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId, String password) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - return simpleEcKeyRing(userId.toString(), password); - } - - /** - * Creates a key ring consisting of an ed25519 EdDSA primary key and a X25519 XDH subkey. - * The EdDSA primary key is used for signing messages and certifying the sub key. - * The XDH subkey is used for encryption and decryption of messages. - * - * @param userId user-id - * @param password Password of the private key. Can be null for an unencrypted key. - * - * @return {@link PGPSecretKeyRing} containing the key pairs. - */ - public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password) - throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - KeyRingBuilder builder = new KeyRingBuilder() - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) - .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) - .addUserId(userId); - - if (!isNullOrEmpty(password)) { - builder.setPassphrase(Passphrase.fromPassword(password)); - } - return builder.build(); - } - - /** - * Generate a modern PGP key ring consisting of an ed25519 EdDSA primary key which is used to certify - * an X25519 XDH encryption subkey and an ed25519 EdDSA signing key. - * - * @param userId primary user id - * @param password passphrase or null if the key should be unprotected. - * @return key ring - */ - public PGPSecretKeyRing modernKeyRing(String userId, String password) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - KeyRingBuilder builder = new KeyRingBuilder() - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) - .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) - .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA)) - .addUserId(userId); - if (!isNullOrEmpty(password)) { - builder.setPassphrase(Passphrase.fromPassword(password)); - } - return builder.build(); - } - @Override public KeyRingBuilder setPrimaryKey(@Nonnull KeySpec keySpec) { verifyMasterKeyCanCertify(keySpec); @@ -256,10 +100,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { return this; } - private static boolean isNullOrEmpty(String password) { - return password == null || password.trim().isEmpty(); - } - private void verifyMasterKeyCanCertify(KeySpec spec) { if (!hasCertifyOthersFlag(spec)) { throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER"); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java new file mode 100644 index 00000000..0917b110 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java @@ -0,0 +1,184 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.generation; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import javax.annotation.Nonnull; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa.EdDSACurve; +import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.key.util.UserId; +import org.pgpainless.util.Passphrase; + +public final class KeyRingTemplates { + + public KeyRingTemplates() { + + } + + /** + * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}. + * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. + * + * @param userId user id. + * @param length length in bits. + * + * @return {@link PGPSecretKeyRing} containing the KeyPair. + */ + public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleRsaKeyRing(userId.toString(), length); + } + + /** + * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}. + * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. + * + * @param userId user id. + * @param length length in bits. + * + * @return {@link PGPSecretKeyRing} containing the KeyPair. + */ + public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleRsaKeyRing(userId, length, null); + } + + /** + * Creates a simple RSA KeyPair of length {@code length} with user-id {@code userId}. + * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. + * + * @param userId user id. + * @param length length in bits. + * @param password Password of the key. Can be null for unencrypted keys. + * + * @return {@link PGPSecretKeyRing} containing the KeyPair. + */ + public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length, String password) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleRsaKeyRing(userId.toString(), length, password); + } + + /** + * Creates a simple RSA KeyPair of length {@code length} with user-id {@code userId}. + * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification. + * + * @param userId user id. + * @param length length in bits. + * @param password Password of the key. Can be null for unencrypted keys. + * + * @return {@link PGPSecretKeyRing} containing the KeyPair. + */ + public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password) + throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { + KeyRingBuilder builder = PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) + .addUserId(userId); + + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); + } + return builder.build(); + } + + /** + * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. + * The EdDSA primary key is used for signing messages and certifying the sub key. + * The XDH subkey is used for encryption and decryption of messages. + * + * @param userId user-id + * + * @return {@link PGPSecretKeyRing} containing the key pairs. + */ + public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleEcKeyRing(userId.toString()); + } + + /** + * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. + * The EdDSA primary key is used for signing messages and certifying the sub key. + * The XDH subkey is used for encryption and decryption of messages. + * + * @param userId user-id + * + * @return {@link PGPSecretKeyRing} containing the key pairs. + */ + public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleEcKeyRing(userId, null); + } + + /** + * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey. + * The EdDSA primary key is used for signing messages and certifying the sub key. + * The XDH subkey is used for encryption and decryption of messages. + * + * @param userId user-id + * @param password Password of the private key. Can be null for an unencrypted key. + * + * @return {@link PGPSecretKeyRing} containing the key pairs. + */ + public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId, String password) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + return simpleEcKeyRing(userId.toString(), password); + } + + /** + * Creates a key ring consisting of an ed25519 EdDSA primary key and a X25519 XDH subkey. + * The EdDSA primary key is used for signing messages and certifying the sub key. + * The XDH subkey is used for encryption and decryption of messages. + * + * @param userId user-id + * @param password Password of the private key. Can be null for an unencrypted key. + * + * @return {@link PGPSecretKeyRing} containing the key pairs. + */ + public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password) + throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { + KeyRingBuilder builder = PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .addUserId(userId); + + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); + } + return builder.build(); + } + + /** + * Generate a modern PGP key ring consisting of an ed25519 EdDSA primary key which is used to certify + * an X25519 XDH encryption subkey and an ed25519 EdDSA signing key. + * + * @param userId primary user id + * @param password passphrase or null if the key should be unprotected. + * @return key ring + */ + public PGPSecretKeyRing modernKeyRing(String userId, String password) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + KeyRingBuilder builder = PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) + .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS)) + .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA)) + .addUserId(userId); + if (!isNullOrEmpty(password)) { + builder.setPassphrase(Passphrase.fromPassword(password)); + } + return builder.build(); + } + + private static boolean isNullOrEmpty(String password) { + return password == null || password.trim().isEmpty(); + } + +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 38dda178..da70e170 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -76,7 +76,7 @@ public class EncryptDecryptTest { throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); - PGPSecretKeyRing recipient = PGPainless.generateKeyRing() + PGPSecretKeyRing recipient = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._4096), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java index 78d9057d..0c5f6489 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java @@ -47,7 +47,7 @@ public class EncryptionOptionsTest { @BeforeAll public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - secretKeys = PGPainless.generateKeyRing() + secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER) .build()) .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS) @@ -126,7 +126,7 @@ public class EncryptionOptionsTest { @Test public void testAddRecipient_KeyWithoutEncryptionKeyFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { EncryptionOptions options = new EncryptionOptions(); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("test@pgpainless.org") .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index a8663ba9..89531220 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -175,7 +175,7 @@ public class SigningTest { @Test public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA).overridePreferredHashAlgorithms()) .addUserId("Alice") .build(); @@ -199,7 +199,7 @@ public class SigningTest { @Test public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(HashAlgorithm.MD5)) .addUserId("Alice") @@ -224,7 +224,7 @@ public class SigningTest { @Test public void signingWithNonCapableKeyThrowsKeyCannotSignException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") .build(); @@ -236,7 +236,7 @@ public class SigningTest { @Test public void signWithInvalidUserIdThrowsKeyValidationError() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("Alice") .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 1ff39cdc..6dcd6812 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -38,8 +38,8 @@ import org.pgpainless.util.Passphrase; * This class demonstrates how to use PGPainless to generate secret keys. * In general the starting point for generating secret keys using PGPainless is {@link PGPainless#generateKeyRing()}. * The result ({@link org.pgpainless.key.generation.KeyRingBuilder}) provides some factory methods for key archetypes - * such as {@link org.pgpainless.key.generation.KeyRingBuilder#modernKeyRing(String, String)} or - * {@link org.pgpainless.key.generation.KeyRingBuilder#simpleRsaKeyRing(String, RsaLength)}. + * such as {@link org.pgpainless.key.generation.KeyRingTemplates#modernKeyRing(String, String)} or + * {@link org.pgpainless.key.generation.KeyRingTemplates#simpleRsaKeyRing(String, RsaLength)}. * * Those methods always take a user-id which is used as primary user-id, as well as a passphrase which is used to encrypt * the secret key. @@ -193,7 +193,7 @@ public class GenerateKeys { // It is recommended to use the Passphrase class, as it can be used to safely invalidate passwords from memory Passphrase passphrase = Passphrase.fromPassword("1nters3x"); - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKey = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), // The primary key MUST carry the CERTIFY_OTHER flag, but CAN carry additional flags KeyFlag.CERTIFY_OTHER)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index feed47f6..8740ff4a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -71,7 +71,7 @@ public class BrainpoolKeyGenerationTest { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.ECDSA(EllipticCurve._BRAINPOOLP384R1), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA)) @@ -117,7 +117,7 @@ public class BrainpoolKeyGenerationTest { } public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(primaryKey) .addSubkey(subKey) .addUserId(userId) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index 7b9747dc..31470715 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -34,7 +34,7 @@ public class CertificationKeyMustBeAbleToCertifyTest { }; for (KeyType type : typesIncapableOfCreatingVerifications) { assertThrows(IllegalArgumentException.class, () -> PGPainless - .generateKeyRing() + .buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(type, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("should@throw.ex") .build()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index aa128ec5..f1988d8f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -29,7 +29,7 @@ public class GenerateEllipticCurveKeyTest { @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") public void generateEllipticCurveKeys(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); - PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() + PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index a068aa69..58b96a1b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -35,7 +35,7 @@ public class GenerateKeyWithAdditionalUserIdTest { public void test(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index f16c0b1b..5b9c9a58 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -34,7 +34,7 @@ public class GenerateWithEmptyPassphraseTest { public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); - assertNotNull(PGPainless.generateKeyRing() + assertNotNull(PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index c827b7dc..2cf030e9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -218,7 +218,7 @@ public class KeyRingInfoTest { public void testGetKeysWithFlagsAndExpiry(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addSubkey(KeySpec.getBuilder( @@ -556,7 +556,7 @@ public class KeyRingInfoTest { @Test public void testGetExpirationDateForUse_NoSuchKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .addUserId("Alice") .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .build(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java index 33768c7f..fd665901 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java @@ -39,7 +39,7 @@ public class UserIdRevocationTest { @Test public void testRevocationWithoutRevocationAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) @@ -77,7 +77,7 @@ public class UserIdRevocationTest { @Test public void testRevocationWithRevocationReason() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index ab61b829..3eda2b66 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -35,7 +35,7 @@ public class BCUtilTest { public void keyRingToCollectionTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - PGPSecretKeyRing sec = PGPainless.generateKeyRing() + PGPSecretKeyRing sec = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index 76c269ea..fdb10672 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -29,7 +29,7 @@ public class GuessPreferredHashAlgorithmTest { @Test public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(new HashAlgorithm[] {}) diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index d2540e73..17ae436e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -26,7 +26,7 @@ public class TestEncryptCommsStorageFlagsDifferentiated { @Test public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), KeyFlag.CERTIFY_OTHER, From c20b8c7a0c8866d981a97270dfc65487062dc3fc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 12:25:52 +0100 Subject: [PATCH 0103/1450] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45e58fba..daf6b49d 100644 --- a/README.md +++ b/README.md @@ -81,7 +81,7 @@ There are some predefined key archetypes, but it is possible to fully customize .modernKeyRing("Romeo ", "I defy you, stars!"); // Customized key - PGPSecretKeyRing keyRing = PGPainless.generateKeyRing() + PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( RSA.withLength(RsaLength._8192), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)) From 87d7a37e267dedb8f7c4df9241ae7bb1be515ed8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 13:01:43 +0100 Subject: [PATCH 0104/1450] PGPainless 1.0.0-rc1 --- CHANGELOG.md | 11 +++++++++++ README.md | 10 +++++++--- version.gradle | 4 ++-- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebb13cfd..b20bf237 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,17 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc1 +- First release candidate for a 1.0.0 release! \o/ +- Rename `EncryptionPurpose.STORAGE_AND_COMMUNICATIONS` to `EncryptionPurpose.ANY` +- Hide `PGPainless.verifyCleartextSignedMessage()` behind `PGPainless.decryptAndVerify()`. + - the latter now checks whether the message is cleartext-signed or not and automatically calls the proper API + - `MultiPassStrategy` objects are now set through `ConsumerOptions.setMultiPassStrategy()`. +- Separate key ring generation through templates from custom key ring builder + - `PGPainless.generateKeyRing()` now offers to generate keys from templates + - `PGPainless.buildKeyRing()` offers a detailed API to build custom keys +- Fix detection of non-armored data + ## 0.2.19 - Some preparations for OpenPGP V5 keys: `OpenPgpV4Fingerprint` is now an implementation of `OpenPgpFingerprint` - `SignatureVerification` and `Failure` now have `toString()` implementations diff --git a/README.md b/README.md index daf6b49d..2e96f7eb 100644 --- a/README.md +++ b/README.md @@ -129,6 +129,9 @@ Still it allows you to manually specify which algorithms to use of course. Streams.pipeAll(plaintextInputStream, encryptionStream); encryptionStream.close(); + + // Information about the encryption (algorithms, detached signatures etc.) + EncryptionResult result = encryptionStream.getResult(); ``` ### Decrypt and Verify Signatures @@ -170,18 +173,19 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:0.2.19' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc1' } ``` ## About -PGPainless is a by-product of my [Summer of Code 2018 project](https://blog.jabberhead.tk/summer-of-code-2018/). +PGPainless is a by-product of my [Summer of Code 2018 project](https://blog.jabberhead.tk/summer-of-code-2018/) +implementing OpenPGP support for the XMPP client library [Smack](https://github.com/igniterealtime/Smack). For that project I was in need of a simple to use OpenPGP library. Originally I was going to use [Bouncy-GPG](https://github.com/neuhalje/bouncy-gpg) for my project, but ultimately I decided to create my own OpenPGP library which better fits my needs. -However, PGPainless is heavily influenced by Bouncy-GPG. +However, PGPainless was heavily influenced by Bouncy-GPG. To reach out to the development team, feel free to send a mail: info@pgpainless.org diff --git a/version.gradle b/version.gradle index 57c64a6a..fa20ad7e 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '0.2.20' - isSnapshot = true + shortVersion = '1.0.0-rc1' + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From d9ef55e22fd390aa1c1dd03c62e15be15bf42d78 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 2 Nov 2021 13:07:15 +0100 Subject: [PATCH 0105/1450] PGPainless-1.0.0-rc2-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index fa20ad7e..fa08666e 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc1' - isSnapshot = false + shortVersion = '1.0.0-rc2' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 2ac10e7bc76b39863c1106278658e6dd16fcaea1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 17:39:04 +0100 Subject: [PATCH 0106/1450] Rename method to set'Key'ExpirationDateInSubpacketGenerator() --- .../java/org/pgpainless/key/generation/KeyRingBuilder.java | 2 +- .../key/modification/secretkeyring/SecretKeyRingEditor.java | 2 +- .../subpackets/SignatureSubpacketGeneratorUtil.java | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index c9419d28..762757e0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -138,7 +138,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPSignatureSubpacketGenerator hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); hashedSubPacketGenerator.setPrimaryUserID(false, true); if (expirationDate != null) { - SignatureSubpacketGeneratorUtil.setExpirationDateInSubpacketGenerator( + SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator( expirationDate, new Date(), hashedSubPacketGenerator); } PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.generate(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 27e6046b..a83b4abd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -377,7 +377,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PGPSignatureSubpacketVector oldSubpackets = oldSignature.getHashedSubPackets(); PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(oldSubpackets); SignatureSubpacketGeneratorUtil.setSignatureCreationTimeInSubpacketGenerator(new Date(), subpacketGenerator); - SignatureSubpacketGeneratorUtil.setExpirationDateInSubpacketGenerator(expiration, subjectPubKey.getCreationTime(), subpacketGenerator); + SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator(expiration, subjectPubKey.getCreationTime(), subpacketGenerator); PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey); signatureGenerator.setHashedSubpackets(subpacketGenerator.generate()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java index 948441f3..fe493ac7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java @@ -88,9 +88,9 @@ public final class SignatureSubpacketGeneratorUtil { * @param creationDate date on which the key was created * @param subpacketGenerator subpacket generator */ - public static void setExpirationDateInSubpacketGenerator(Date expirationDate, - @Nonnull Date creationDate, - PGPSignatureSubpacketGenerator subpacketGenerator) { + public static void setKeyExpirationDateInSubpacketGenerator(Date expirationDate, + @Nonnull Date creationDate, + PGPSignatureSubpacketGenerator subpacketGenerator) { removeAllPacketsOfType(SignatureSubpacketTags.KEY_EXPIRE_TIME, subpacketGenerator); long secondsToExpire = getKeyLifetimeInSeconds(expirationDate, creationDate); subpacketGenerator.setKeyExpirationTime(true, secondsToExpire); From e4d1aa7edfe3949edf50f42ca36f646ca0a4109c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 12 Nov 2021 16:14:08 +0100 Subject: [PATCH 0107/1450] Remove support for deleting user-ids and subkeys. Use revoke* instead. --- .../secretkeyring/SecretKeyRingEditor.java | 54 ------------------- .../SecretKeyRingEditorInterface.java | 53 ------------------ .../key/modification/AddUserIdTest.java | 24 +++++---- 3 files changed, 15 insertions(+), 116 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index a83b4abd..9c991c08 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -4,8 +4,6 @@ package org.pgpainless.key.modification.secretkeyring; -import static org.pgpainless.util.CollectionUtils.iteratorToList; - import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; @@ -56,7 +54,6 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.selection.userid.SelectUserId; public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @@ -122,34 +119,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return userId; } - @Override - public SecretKeyRingEditorInterface deleteUserId(String userId, SecretKeyRingProtector protector) { - return deleteUserIds(SelectUserId.exactMatch(userId), protector); - } - - @Override - public SecretKeyRingEditorInterface deleteUserIds(SelectUserId selectionStrategy, SecretKeyRingProtector secretKeyRingProtector) { - List publicKeys = new ArrayList<>(); - Iterator publicKeyIterator = secretKeyRing.getPublicKeys(); - PGPPublicKey primaryKey = publicKeyIterator.next(); - List matchingUserIds = selectionStrategy.selectUserIds(iteratorToList(primaryKey.getUserIDs())); - if (matchingUserIds.isEmpty()) { - throw new NoSuchElementException("Key does not have a matching user-id attribute."); - } - for (String userId : matchingUserIds) { - primaryKey = PGPPublicKey.removeCertification(primaryKey, userId); - } - publicKeys.add(primaryKey); - - while (publicKeyIterator.hasNext()) { - publicKeys.add(publicKeyIterator.next()); - } - - PGPPublicKeyRing publicKeyRing = new PGPPublicKeyRing(publicKeys); - secretKeyRing = PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing); - return this; - } - @Override public SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, @Nonnull Passphrase subKeyPassphrase, @@ -213,29 +182,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return secretKey; } - @Override - public SecretKeyRingEditorInterface deleteSubKey(OpenPgpFingerprint fingerprint, - SecretKeyRingProtector protector) { - return deleteSubKey(fingerprint.getKeyId(), protector); - } - - @Override - public SecretKeyRingEditorInterface deleteSubKey(long subKeyId, - SecretKeyRingProtector protector) { - if (secretKeyRing.getSecretKey().getKeyID() == subKeyId) { - throw new IllegalArgumentException("You cannot delete the primary key of this key ring."); - } - - PGPSecretKey deleteMe = secretKeyRing.getSecretKey(subKeyId); - if (deleteMe == null) { - throw new NoSuchElementException("KeyRing does not contain a key with keyId " + Long.toHexString(subKeyId)); - } - - PGPSecretKeyRing newKeyRing = PGPSecretKeyRing.removeSecretKey(secretKeyRing, deleteMe); - secretKeyRing = newKeyRing; - return this; - } - @Override public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, RevocationAttributes revocationAttributes) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index fc78f95c..b45f7523 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -22,7 +22,6 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.selection.userid.SelectUserId; public interface SecretKeyRingEditorInterface { @@ -46,35 +45,6 @@ public interface SecretKeyRingEditorInterface { */ SecretKeyRingEditorInterface addUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException; - /** - * Remove a user-id from the key ring. - * - * @param userId exact user-id to be removed - * @param secretKeyRingProtector protector to unlock the secret key - * @return the builder - */ - SecretKeyRingEditorInterface deleteUserId(String userId, SecretKeyRingProtector secretKeyRingProtector); - - /** - * Remove a user-id from the key ring. - * - * @param userId exact user-id to be removed - * @param secretKeyRingProtector protector to unlock the secret key - * @return the builder - */ - default SecretKeyRingEditorInterface deleteUserId(UserId userId, SecretKeyRingProtector secretKeyRingProtector) { - return deleteUserId(userId.toString(), secretKeyRingProtector); - } - - /** - * Delete all user-ids from the key, which match the provided {@link SelectUserId} strategy. - * - * @param selectionStrategy strategy to select user-ids - * @param secretKeyRingProtector protector to unlock the secret key - * @return the builder - */ - SecretKeyRingEditorInterface deleteUserIds(SelectUserId selectionStrategy, SecretKeyRingProtector secretKeyRingProtector); - /** * Add a subkey to the key ring. * The subkey will be generated from the provided {@link KeySpec}. @@ -94,29 +64,6 @@ public interface SecretKeyRingEditorInterface { PGPSignatureSubpacketVector unhashedSubpackets, SecretKeyRingProtector subKeyProtector, SecretKeyRingProtector keyRingProtector) throws PGPException; - - /** - * Delete a subkey from the key ring. - * The subkey with the provided fingerprint will be remove from the key ring. - * If no suitable subkey is found, a {@link java.util.NoSuchElementException} will be thrown. - * - * @param fingerprint fingerprint of the subkey to be removed - * @param secretKeyRingProtector protector to unlock the secret key ring - * @return the builder - */ - SecretKeyRingEditorInterface deleteSubKey(OpenPgpFingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector); - - /** - * Delete a subkey from the key ring. - * The subkey with the provided key-id will be removed from the key ring. - * If no suitable subkey is found, a {@link java.util.NoSuchElementException} will be thrown. - * - * @param subKeyId id of the subkey - * @param secretKeyRingProtector protector to unlock the secret key ring - * @return the builder - */ - SecretKeyRingEditorInterface deleteSubKey(long subKeyId, SecretKeyRingProtector secretKeyRingProtector); - /** * Revoke the key ring. * The revocation will be a hard revocation, rendering the whole key invalid for any past or future signatures. diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index afb761ef..f8998c2b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -21,6 +21,7 @@ import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; +import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; @@ -30,11 +31,12 @@ public class AddUserIdTest { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void addUserIdToExistingKeyRing(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + public void addUserIdToExistingKeyRing(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); - Iterator userIds = secretKeys.getSecretKey().getPublicKey().getUserIDs(); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + Iterator userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); @@ -43,16 +45,18 @@ public class AddUserIdTest { .addUserId("cheshirecat@wonderland.lit", protector) .done(); - userIds = secretKeys.getPublicKey().getUserIDs(); + info = PGPainless.inspectKeyRing(secretKeys); + userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertEquals("cheshirecat@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .deleteUserId("cheshirecat@wonderland.lit", protector) + .revokeUserId("cheshirecat@wonderland.lit", protector) .done(); - userIds = secretKeys.getPublicKey().getUserIDs(); + info = PGPainless.inspectKeyRing(secretKeys); + userIds = info.getValidUserIds().iterator(); assertEquals("alice@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); } @@ -64,7 +68,7 @@ public class AddUserIdTest { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys) - .deleteUserId("invalid@user.id", new UnprotectedKeysProtector())); + .revokeUserId("invalid@user.id", new UnprotectedKeysProtector())); } @ParameterizedTest @@ -89,17 +93,19 @@ public class AddUserIdTest { "-----END PGP PRIVATE KEY BLOCK-----\r\n"; PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ARMORED_PRIVATE_KEY); - Iterator userIds = secretKeys.getSecretKey().getPublicKey().getUserIDs(); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + Iterator userIds = info.getValidUserIds().iterator(); assertEquals("", userIds.next()); assertFalse(userIds.hasNext()); SecretKeyRingProtector protector = new UnprotectedKeysProtector(); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .deleteUserId("", protector) + .revokeUserId("", protector) .addUserId("cheshirecat@wonderland.lit", protector) .done(); - userIds = secretKeys.getSecretKey().getPublicKey().getUserIDs(); + info = PGPainless.inspectKeyRing(secretKeys); + userIds = info.getValidUserIds().iterator(); assertEquals("cheshirecat@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); } From 0f77d81bd12a046ca3fdedcacf67f56d7f2b4be4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 12 Nov 2021 16:40:28 +0100 Subject: [PATCH 0108/1450] Add deprecated utility methods for deleting user-ids from keys/certificates --- .../org/pgpainless/key/util/KeyRingUtils.java | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index a85ea446..4d5dc834 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -154,4 +154,50 @@ public final class KeyRingUtils { long keyId) { return ring.getPublicKey(keyId) != null; } + + /** + * Delete the given user-id and its certification signatures from the given key. + * + * @deprecated Deleting user-ids is highly discouraged, since it might lead to all sorts of problems + * (e.g. lost key properties). + * Instead, user-ids should only be revoked. + * + * @param secretKeys secret keys + * @param userId user-id + * @return modified secret keys + */ + @Deprecated + public PGPSecretKeyRing deleteUserIdFromSecretKeyRing(PGPSecretKeyRing secretKeys, String userId) { + PGPSecretKey secretKey = secretKeys.getSecretKey(); // user-ids are located on primary key only + PGPPublicKey publicKey = secretKey.getPublicKey(); // user-ids are placed on the public key part + publicKey = PGPPublicKey.removeCertification(publicKey, userId); + if (publicKey == null) { + throw new NoSuchElementException("User-ID " + userId + " not found on the key."); + } + secretKey = PGPSecretKey.replacePublicKey(secretKey, publicKey); + secretKeys = PGPSecretKeyRing.insertSecretKey(secretKeys, secretKey); + return secretKeys; + } + + /** + * Delete the given user-id and its certification signatures from the given certificate. + * + * @deprecated Deleting user-ids is highly discouraged, since it might lead to all sorts of problems + * (e.g. lost key properties). + * Instead, user-ids should only be revoked. + * + * @param publicKeys certificate + * @param userId user-id + * @return modified secret keys + */ + @Deprecated + public PGPPublicKeyRing deleteUserIdFromPublicKeyRing(PGPPublicKeyRing publicKeys, String userId) { + PGPPublicKey publicKey = publicKeys.getPublicKey(); // user-ids are located on primary key only + publicKey = PGPPublicKey.removeCertification(publicKey, userId); + if (publicKey == null) { + throw new NoSuchElementException("User-ID " + userId + " not found on the key."); + } + publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey); + return publicKeys; + } } From d036cf25935fa0f7a14ee8a5bff28626d4c7162e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 12 Nov 2021 16:49:28 +0100 Subject: [PATCH 0109/1450] Add tests for KeyRingUtils.deleteUserIdFrom*KeyRing methods --- .../org/pgpainless/key/util/KeyRingUtils.java | 4 +- .../pgpainless/key/util/KeyRingUtilTest.java | 53 +++++++++++++++++++ 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 4d5dc834..1c9980be 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -167,7 +167,7 @@ public final class KeyRingUtils { * @return modified secret keys */ @Deprecated - public PGPSecretKeyRing deleteUserIdFromSecretKeyRing(PGPSecretKeyRing secretKeys, String userId) { + public static PGPSecretKeyRing deleteUserIdFromSecretKeyRing(PGPSecretKeyRing secretKeys, String userId) { PGPSecretKey secretKey = secretKeys.getSecretKey(); // user-ids are located on primary key only PGPPublicKey publicKey = secretKey.getPublicKey(); // user-ids are placed on the public key part publicKey = PGPPublicKey.removeCertification(publicKey, userId); @@ -191,7 +191,7 @@ public final class KeyRingUtils { * @return modified secret keys */ @Deprecated - public PGPPublicKeyRing deleteUserIdFromPublicKeyRing(PGPPublicKeyRing publicKeys, String userId) { + public static PGPPublicKeyRing deleteUserIdFromPublicKeyRing(PGPPublicKeyRing publicKeys, String userId) { PGPPublicKey publicKey = publicKeys.getPublicKey(); // user-ids are located on primary key only publicKey = PGPPublicKey.removeCertification(publicKey, userId); if (publicKey == null) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java new file mode 100644 index 00000000..d939dc24 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -0,0 +1,53 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.util; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.CollectionUtils; + +public class KeyRingUtilTest { + + @Test + public void testDeleteUserIdFromSecretKeyRing() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Bob", SecretKeyRingProtector.unprotectedKeys()) + .done(); + assertEquals(2, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); + + secretKeys = KeyRingUtils.deleteUserIdFromSecretKeyRing(secretKeys, "Bob"); + + assertEquals(1, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); + } + + @Test + public void testDeleteUserIdFromPublicKeyRing() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Bob", SecretKeyRingProtector.unprotectedKeys()) + .done(); + PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); + assertEquals(2, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); + + publicKeys = KeyRingUtils.deleteUserIdFromPublicKeyRing(publicKeys, "Alice"); + + assertEquals(1, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); + } +} From 74609e0ef7e9b4a97083d9bb1c0b0fea46db8d25 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 12 Nov 2021 16:52:32 +0100 Subject: [PATCH 0110/1450] Add another test for deletion of non-existent user-ids from key --- .../org/pgpainless/key/util/KeyRingUtilTest.java | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index d939dc24..d1384e40 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -5,9 +5,11 @@ package org.pgpainless.key.util; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -36,7 +38,8 @@ public class KeyRingUtilTest { } @Test - public void testDeleteUserIdFromPublicKeyRing() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testDeleteUserIdFromPublicKeyRing() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice", null); @@ -50,4 +53,14 @@ public class KeyRingUtilTest { assertEquals(1, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); } + + @Test + public void testDeleteNonexistentUserIdFromKeyRingThrows() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + assertThrows(NoSuchElementException.class, + () -> KeyRingUtils.deleteUserIdFromSecretKeyRing(secretKeys, "Charlie")); + } } From 021fd7846edf4cea985a3ee55feaceda9a1fbd6a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 13 Nov 2021 16:05:55 +0100 Subject: [PATCH 0111/1450] Rename user-id deletion methods --- .../src/main/java/org/pgpainless/key/util/KeyRingUtils.java | 4 ++-- .../test/java/org/pgpainless/key/util/KeyRingUtilTest.java | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 1c9980be..5ae789d4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -167,7 +167,7 @@ public final class KeyRingUtils { * @return modified secret keys */ @Deprecated - public static PGPSecretKeyRing deleteUserIdFromSecretKeyRing(PGPSecretKeyRing secretKeys, String userId) { + public static PGPSecretKeyRing deleteUserId(PGPSecretKeyRing secretKeys, String userId) { PGPSecretKey secretKey = secretKeys.getSecretKey(); // user-ids are located on primary key only PGPPublicKey publicKey = secretKey.getPublicKey(); // user-ids are placed on the public key part publicKey = PGPPublicKey.removeCertification(publicKey, userId); @@ -191,7 +191,7 @@ public final class KeyRingUtils { * @return modified secret keys */ @Deprecated - public static PGPPublicKeyRing deleteUserIdFromPublicKeyRing(PGPPublicKeyRing publicKeys, String userId) { + public static PGPPublicKeyRing deleteUserId(PGPPublicKeyRing publicKeys, String userId) { PGPPublicKey publicKey = publicKeys.getPublicKey(); // user-ids are located on primary key only publicKey = PGPPublicKey.removeCertification(publicKey, userId); if (publicKey == null) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index d1384e40..8312bd28 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -32,7 +32,7 @@ public class KeyRingUtilTest { .done(); assertEquals(2, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); - secretKeys = KeyRingUtils.deleteUserIdFromSecretKeyRing(secretKeys, "Bob"); + secretKeys = KeyRingUtils.deleteUserId(secretKeys, "Bob"); assertEquals(1, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); } @@ -49,7 +49,7 @@ public class KeyRingUtilTest { PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); assertEquals(2, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); - publicKeys = KeyRingUtils.deleteUserIdFromPublicKeyRing(publicKeys, "Alice"); + publicKeys = KeyRingUtils.deleteUserId(publicKeys, "Alice"); assertEquals(1, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); } @@ -61,6 +61,6 @@ public class KeyRingUtilTest { .modernKeyRing("Alice", null); assertThrows(NoSuchElementException.class, - () -> KeyRingUtils.deleteUserIdFromSecretKeyRing(secretKeys, "Charlie")); + () -> KeyRingUtils.deleteUserId(secretKeys, "Charlie")); } } From c68cdc4e31627d713081e73f8a77362b74f652ff Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 13 Nov 2021 16:44:04 +0100 Subject: [PATCH 0112/1450] Fix compile-time dependency of pgpainless-{core|sop} on logback-classic Fixes #214 --- pgpainless-core/build.gradle | 1 - pgpainless-sop/build.gradle | 1 - 2 files changed, 2 deletions(-) diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle index c649e71c..e6947458 100644 --- a/pgpainless-core/build.gradle +++ b/pgpainless-core/build.gradle @@ -14,7 +14,6 @@ dependencies { // Logging api "org.slf4j:slf4j-api:$slf4jVersion" testImplementation "ch.qos.logback:logback-classic:$logbackVersion" - runtime "ch.qos.logback:logback-classic:$logbackVersion" api "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion" api "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion" diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle index 6f30b5db..5ce6a7c6 100644 --- a/pgpainless-sop/build.gradle +++ b/pgpainless-sop/build.gradle @@ -18,7 +18,6 @@ dependencies { // Logging testImplementation "ch.qos.logback:logback-classic:$logbackVersion" - runtime "ch.qos.logback:logback-classic:$logbackVersion" implementation(project(":pgpainless-core")) implementation(project(":sop-java")) From 8a40cdeefbdf89e76cd309c7bf6031bcbd6a7cc8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 13 Nov 2021 16:50:19 +0100 Subject: [PATCH 0113/1450] Update changelog --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b20bf237..5871ab6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,13 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc2 +- `SecretKeyRingEditor`: Remove support for user-id- and subkey *deletion* in favor of *revocation* + - Deletion causes all sorts of problems. Most notably, receiving implementations will not honor deletion of user-ids/subkeys. + If you really need to delete user-ids there now is `KeyRingUtils.deleteUserId(keys, userid)`, + but its use is highly discouraged and should only (if ever) be used for local manipulations of keys. +- `pgpainless-core` & `pgpainless-sop`: Fix accidental compile scope dependency on `logback-classic` + ## 1.0.0-rc1 - First release candidate for a 1.0.0 release! \o/ - Rename `EncryptionPurpose.STORAGE_AND_COMMUNICATIONS` to `EncryptionPurpose.ANY` From 19b1a0238d4fd7c57b5231b7f20817e4117dcded Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 15 Nov 2021 13:02:26 +0100 Subject: [PATCH 0114/1450] Fix API for accessing preferred algorithms --- .../encryption_signing/SigningOptions.java | 6 +- .../org/pgpainless/key/info/KeyRingInfo.java | 64 +++++++++---------- .../pgpainless/key/info/KeyRingInfoTest.java | 42 ++++++------ 3 files changed, 52 insertions(+), 60 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index c1714c89..39962724 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -165,7 +165,8 @@ public final class SigningOptions { for (PGPPublicKey signingPubKey : signingPubKeys) { PGPSecretKey signingSecKey = secretKey.getSecretKey(signingPubKey.getKeyID()); PGPPrivateKey signingSubkey = UnlockSecretKey.unlockSecretKey(signingSecKey, secretKeyDecryptor); - Set hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(userId, signingPubKey.getKeyID()); + Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId) + : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID()); HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy()); addSigningMethod(secretKey, signingSubkey, hashAlgorithm, signatureType, false); } @@ -244,7 +245,8 @@ public final class SigningOptions { for (PGPPublicKey signingPubKey : signingPubKeys) { PGPSecretKey signingSecKey = secretKey.getSecretKey(signingPubKey.getKeyID()); PGPPrivateKey signingSubkey = signingSecKey.extractPrivateKey(secretKeyDecryptor.getDecryptor(signingPubKey.getKeyID())); - Set hashAlgorithms = keyRingInfo.getPreferredHashAlgorithms(userId, signingPubKey.getKeyID()); + Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId) + : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID()); HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy()); addSigningMethod(secretKey, signingSubkey, hashAlgorithm, signatureType, true); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 66c7f041..f8711037 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -18,7 +18,6 @@ import java.util.NoSuchElementException; import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; - import javax.annotation.Nonnull; import javax.annotation.Nullable; @@ -846,43 +845,40 @@ public class KeyRingInfo { return signingKeys; } - /** - * Return the (sorted) set of preferred hash algorithms of the given key. - * - * @param userId user-id. If this is non-null, the hash algorithms are being extracted from the user-id - * certification signature first. - * @param keyID if of the key in question - * @return hash algorithm preferences - */ - public Set getPreferredHashAlgorithms(@Nullable String userId, long keyID) { - KeyAccessor keyAccessor = getKeyAccessor(userId, keyID); - return keyAccessor.getPreferredHashAlgorithms(); + public Set getPreferredHashAlgorithms() { + return getPreferredHashAlgorithms(getPrimaryUserId()); } - /** - * Return the (sorted) set of preferred symmetric encryption algorithms of the given key. - * - * @param userId user-id. If this is non-null, the symmetric encryption algorithms are being - * extracted from the user-id certification signature first. - * @param keyId if of the key in question - * @return symmetric encryption algorithm preferences - */ - public Set getPreferredSymmetricKeyAlgorithms(@Nullable String userId, long keyId) { - KeyAccessor keyAccessor = getKeyAccessor(userId, keyId); - return keyAccessor.getPreferredSymmetricKeyAlgorithms(); + public Set getPreferredHashAlgorithms(String userId) { + return getKeyAccessor(userId, getKeyId()).getPreferredHashAlgorithms(); } - /** - * Return the (sorted) set of preferred compression algorithms of the given key. - * - * @param userId user-id. If this is non-null, the compression algorithms are being extracted from the user-id - * certification signature first. - * @param keyId if of the key in question - * @return compression algorithm preferences - */ - public Set getPreferredCompressionAlgorithms(@Nullable String userId, long keyId) { - KeyAccessor keyAccessor = getKeyAccessor(userId, keyId); - return keyAccessor.getPreferredCompressionAlgorithms(); + public Set getPreferredHashAlgorithms(long keyId) { + return getKeyAccessor(null, keyId).getPreferredHashAlgorithms(); + } + + public Set getPreferredSymmetricKeyAlgorithms() { + return getPreferredSymmetricKeyAlgorithms(getPrimaryUserId()); + } + + public Set getPreferredSymmetricKeyAlgorithms(String userId) { + return getKeyAccessor(userId, getKeyId()).getPreferredSymmetricKeyAlgorithms(); + } + + public Set getPreferredSymmetricKeyAlgorithms(long keyId) { + return getKeyAccessor(null, keyId).getPreferredSymmetricKeyAlgorithms(); + } + + public Set getPreferredCompressionAlgorithms() { + return getPreferredCompressionAlgorithms(getPrimaryUserId()); + } + + public Set getPreferredCompressionAlgorithms(String userId) { + return getKeyAccessor(userId, getKeyId()).getPreferredCompressionAlgorithms(); + } + + public Set getPreferredCompressionAlgorithms(long keyId) { + return getKeyAccessor(null, keyId).getPreferredCompressionAlgorithms(); } private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 2cf030e9..39e13edd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -605,40 +605,34 @@ public class KeyRingInfoTest { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); // Bob is an invalid userId - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", 0)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", pkid)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(null, 123L)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Alice", 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L)); - assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms("Alice", pkid)); - assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, pkid)); - assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, skid1)); - assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(null, skid2)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms("Alice")); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(pkid)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(skid1)); + assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(skid2)); // Bob is an invalid userId - assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob", 0)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob", pkid)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms(null, 123L)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Alice", 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms(123L)); - assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms("Alice", pkid)); - assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, pkid)); - assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, skid1)); - assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(null, skid2)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms("Alice")); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(pkid)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(skid1)); + assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(skid2)); // Bob is an invalid userId - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", 0)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob", pkid)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob")); // 123 is an invalid keyid - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(null, 123L)); - assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Alice", 123L)); + assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L)); - assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms("Alice", pkid)); - assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, pkid)); - assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, skid1)); - assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(null, skid2)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms("Alice")); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(pkid)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(skid1)); + assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(skid2)); } From 0515c381333f00809dc1f88acd088dd2e83cd15b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 15 Nov 2021 13:03:00 +0100 Subject: [PATCH 0115/1450] gradle jar: define duplicate-strategy --- pgpainless-cli/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle index 90d1837f..1b807c46 100644 --- a/pgpainless-cli/build.gradle +++ b/pgpainless-cli/build.gradle @@ -40,7 +40,6 @@ dependencies { implementation "ch.qos.logback:logback-classic:$logbackVersion" implementation(project(":pgpainless-sop")) - implementation(project(":sop-java")) implementation(project(":sop-java-picocli")) implementation "info.picocli:picocli:$picocliVersion" @@ -52,6 +51,7 @@ dependencies { mainClassName = 'org.pgpainless.cli.PGPainlessCLI' jar { + duplicatesStrategy(DuplicatesStrategy.EXCLUDE) manifest { attributes 'Main-Class': "$mainClassName" } From 8af6c32848ab578047fd4f3518de90c8313a00b4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 15 Nov 2021 13:06:47 +0100 Subject: [PATCH 0116/1450] PGPainless 1.0.0-rc2 --- CHANGELOG.md | 1 + README.md | 2 +- version.gradle | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5871ab6e..6e8f16f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ SPDX-License-Identifier: CC0-1.0 If you really need to delete user-ids there now is `KeyRingUtils.deleteUserId(keys, userid)`, but its use is highly discouraged and should only (if ever) be used for local manipulations of keys. - `pgpainless-core` & `pgpainless-sop`: Fix accidental compile scope dependency on `logback-classic` +- `KeyRingInfo`: Sensible arguments for methods to get preferred algorithms ## 1.0.0-rc1 - First release candidate for a 1.0.0 release! \o/ diff --git a/README.md b/README.md index 2e96f7eb..086deb62 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc1' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc2' } ``` diff --git a/version.gradle b/version.gradle index fa08666e..d277ddb2 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc2' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From daefab60f603cc55ad0234d10a328734fa6ce7af Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 15 Nov 2021 13:12:00 +0100 Subject: [PATCH 0117/1450] PGPainless-1.0.0-rc3-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index d277ddb2..8599cf8c 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc2' - isSnapshot = false + shortVersion = '1.0.0-rc3' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From f0bc19b0daf9e42273ed8e688cdbfb7f547d9236 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 21:27:59 +0200 Subject: [PATCH 0118/1450] WIP: Work on SignatureBuilders --- .../builder/AbstractSignatureBuilder.java | 76 +++ .../CertificationSignatureBuilder.java | 38 ++ .../builder/RevocationSignatureBuilder.java | 41 ++ .../SubkeyBindingSignatureBuilder.java | 39 ++ .../subpackets/BaseSignatureSubpackets.java | 106 ++++ .../RevocationSignatureSubpackets.java | 22 + .../SelfSignatureSubpacketCallback.java | 13 + .../subpackets/SelfSignatureSubpackets.java | 88 +++ .../SignatureSubpacketGeneratorWrapper.java | 583 ++++++++++++++++++ ...ignatureSubpacketGeneratorWrapperTest.java | 441 +++++++++++++ 10 files changed, 1447 insertions(+) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java new file mode 100644 index 00000000..7f1425d4 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -0,0 +1,76 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import java.util.Set; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; +import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; + +public abstract class AbstractSignatureBuilder> { + protected final PGPPrivateKey privateSigningKey; + protected final PGPPublicKey publicSigningKey; + + protected HashAlgorithm hashAlgorithm; + protected SignatureType signatureType; + + protected SignatureSubpacketGeneratorWrapper unhashedSubpackets; + protected SignatureSubpacketGeneratorWrapper hashedSubpackets; + + public AbstractSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + if (!isValidSignatureType(signatureType)) { + throw new IllegalArgumentException("Invalid signature type."); + } + this.signatureType = signatureType; + this.privateSigningKey = UnlockSecretKey.unlockSecretKey(signingKey, protector); + this.publicSigningKey = signingKey.getPublicKey(); + this.hashAlgorithm = negotiateHashAlgorithm(publicSigningKey); + + unhashedSubpackets = new SignatureSubpacketGeneratorWrapper(); + hashedSubpackets = new SignatureSubpacketGeneratorWrapper(publicSigningKey); + } + + protected HashAlgorithm negotiateHashAlgorithm(PGPPublicKey publicKey) { + Set hashAlgorithmPreferences = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); + return HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) + .negotiateHashAlgorithm(hashAlgorithmPreferences); + } + + public B setSignatureType(SignatureType type) { + if (!isValidSignatureType(type)) { + throw new IllegalArgumentException("Invalid signature type: " + type); + } + this.signatureType = type; + return (B) this; + } + + protected PGPSignatureGenerator buildAndInitSignatureGenerator() throws PGPException { + PGPSignatureGenerator generator = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder( + publicSigningKey.getAlgorithm(), hashAlgorithm.getAlgorithmId() + ) + ); + generator.setUnhashedSubpackets(unhashedSubpackets.getGenerator().generate()); + generator.setHashedSubpackets(hashedSubpackets.getGenerator().generate()); + generator.init(signatureType.getCode(), privateSigningKey); + return generator; + } + + protected abstract boolean isValidSignatureType(SignatureType type); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java new file mode 100644 index 00000000..03801204 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java @@ -0,0 +1,38 @@ +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; + +public class CertificationSignatureBuilder extends AbstractSignatureBuilder { + + public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + super(SignatureType.GENERIC_CERTIFICATION, certificationKey, protector); + } + + public PGPSignature build(PGPPublicKey certifiedKey, String userId) throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userId, certifiedKey); + } + + public PGPSignature build(PGPPublicKey certifiedKey, PGPUserAttributeSubpacketVector userAttribute) throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userAttribute, certifiedKey); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + switch (signatureType) { + case GENERIC_CERTIFICATION: + case NO_CERTIFICATION: + case CASUAL_CERTIFICATION: + case POSITIVE_CERTIFICATION: + return true; + default: + return false; + } + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java new file mode 100644 index 00000000..bd7bef31 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -0,0 +1,41 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; + +public class RevocationSignatureBuilder extends AbstractSignatureBuilder { + + public RevocationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + switch (type) { + case KEY_REVOCATION: + case SUBKEY_REVOCATION: + case CERTIFICATION_REVOCATION: + return true; + default: + return false; + } + } + + public RevocationSignatureSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public RevocationSignatureSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public PGPSignature build() +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java new file mode 100644 index 00000000..8e74510b --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java @@ -0,0 +1,39 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder { + + public SubkeyBindingSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + return type == SignatureType.SUBKEY_BINDING; + } + + public SelfSignatureSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public SelfSignatureSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public PGPSignature build(PGPPublicKey subkey) throws PGPException { + return buildAndInitSignatureGenerator() + .generateCertification(publicSigningKey, subkey); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java new file mode 100644 index 00000000..6980d131 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java @@ -0,0 +1,106 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import java.io.IOException; +import java.util.Date; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.sig.EmbeddedSignature; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.bcpg.sig.IssuerKeyID; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.Revocable; +import org.bouncycastle.bcpg.sig.SignatureCreationTime; +import org.bouncycastle.bcpg.sig.SignatureExpirationTime; +import org.bouncycastle.bcpg.sig.SignatureTarget; +import org.bouncycastle.bcpg.sig.SignerUserID; +import org.bouncycastle.bcpg.sig.TrustSignature; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.PublicKeyAlgorithm; + +public interface BaseSignatureSubpackets { + + SignatureSubpacketGeneratorWrapper setIssuerFingerprintAndKeyId(PGPPublicKey key); + + SignatureSubpacketGeneratorWrapper setIssuerKeyId(long keyId); + + SignatureSubpacketGeneratorWrapper setIssuerKeyId(boolean isCritical, long keyId); + + SignatureSubpacketGeneratorWrapper setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID); + + SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nonnull PGPPublicKey key); + + SignatureSubpacketGeneratorWrapper setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key); + + SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint); + + SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nonnull Date creationTime); + + SignatureSubpacketGeneratorWrapper setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime); + + SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime); + + SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime); + + SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime); + + SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, long seconds); + + SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime); + + SignatureSubpacketGeneratorWrapper setSignerUserId(@Nonnull String userId); + + SignatureSubpacketGeneratorWrapper setSignerUserId(boolean isCritical, @Nonnull String userId); + + SignatureSubpacketGeneratorWrapper setSignerUserId(@Nullable SignerUserID signerUserId); + + SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue); + + SignatureSubpacketGeneratorWrapper addNotationData(@Nonnull NotationData notationData); + + SignatureSubpacketGeneratorWrapper clearNotationData(); + + SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient); + + SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient); + + SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint); + + SignatureSubpacketGeneratorWrapper clearIntendedRecipientFingerprints(); + + SignatureSubpacketGeneratorWrapper setExportable(boolean isCritical, boolean isExportable); + + SignatureSubpacketGeneratorWrapper setExportable(@Nullable Exportable exportable); + + SignatureSubpacketGeneratorWrapper setRevocable(boolean isCritical, boolean isRevocable); + + SignatureSubpacketGeneratorWrapper setRevocable(@Nullable Revocable revocable); + + SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); + + SignatureSubpacketGeneratorWrapper setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); + + SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nullable SignatureTarget signatureTarget); + + SignatureSubpacketGeneratorWrapper setTrust(int depth, int amount); + + SignatureSubpacketGeneratorWrapper setTrust(boolean isCritical, int depth, int amount); + + SignatureSubpacketGeneratorWrapper setTrust(@Nullable TrustSignature trust); + + SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException; + + SignatureSubpacketGeneratorWrapper addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException; + + SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature); + + SignatureSubpacketGeneratorWrapper clearEmbeddedSignatures(); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java new file mode 100644 index 00000000..b71c3a05 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java @@ -0,0 +1,22 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.pgpainless.key.util.RevocationAttributes; + +public interface RevocationSignatureSubpackets extends BaseSignatureSubpackets { + + SignatureSubpacketGeneratorWrapper setRevocationReason(RevocationAttributes revocationAttributes); + + SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes); + + SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description); + + SignatureSubpacketGeneratorWrapper setRevocationReason(@Nullable RevocationReason reason); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java new file mode 100644 index 00000000..a0d5f4c3 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java @@ -0,0 +1,13 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +public interface SelfSignatureSubpacketCallback { + + void modifyHashedSubpackets(SelfSignatureSubpackets subpackets); + + void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets); + +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java new file mode 100644 index 00000000..6643902b --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java @@ -0,0 +1,88 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import java.util.Date; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.sig.Features; +import org.bouncycastle.bcpg.sig.KeyExpirationTime; +import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.bouncycastle.bcpg.sig.PrimaryUserID; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; + +public interface SelfSignatureSubpackets extends BaseSignatureSubpackets { + + SignatureSubpacketGeneratorWrapper setKeyFlags(KeyFlag... keyFlags); + + SignatureSubpacketGeneratorWrapper setKeyFlags(boolean isCritical, KeyFlag... keyFlags); + + SignatureSubpacketGeneratorWrapper setKeyFlags(@Nullable KeyFlags keyFlags); + + SignatureSubpacketGeneratorWrapper setPrimaryUserId(); + + SignatureSubpacketGeneratorWrapper setPrimaryUserId(boolean isCritical); + + SignatureSubpacketGeneratorWrapper setPrimaryUserId(@Nullable PrimaryUserID primaryUserId); + + SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime); + + SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); + + SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); + + SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration); + + SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime); + + SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(HashAlgorithm... algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(boolean isCritical, Set algorithms); + + SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms); + + SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull PGPPublicKey revocationKey); + + SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey); + + SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey); + + SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull RevocationKey revocationKey); + + SignatureSubpacketGeneratorWrapper clearRevocationKeys(); + + SignatureSubpacketGeneratorWrapper setFeatures(Feature... features); + + SignatureSubpacketGeneratorWrapper setFeatures(boolean isCritical, Feature... features); + + SignatureSubpacketGeneratorWrapper setFeatures(@Nullable Features features); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java new file mode 100644 index 00000000..59ce6a47 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -0,0 +1,583 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Date; +import java.util.Iterator; +import java.util.LinkedHashSet; +import java.util.List; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.SignatureSubpacketTags; +import org.bouncycastle.bcpg.sig.EmbeddedSignature; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.Features; +import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.bcpg.sig.IssuerKeyID; +import org.bouncycastle.bcpg.sig.KeyExpirationTime; +import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.bouncycastle.bcpg.sig.PrimaryUserID; +import org.bouncycastle.bcpg.sig.Revocable; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.bouncycastle.bcpg.sig.SignatureCreationTime; +import org.bouncycastle.bcpg.sig.SignatureExpirationTime; +import org.bouncycastle.bcpg.sig.SignatureTarget; +import org.bouncycastle.bcpg.sig.SignerUserID; +import org.bouncycastle.bcpg.sig.TrustSignature; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.key.util.RevocationAttributes; + +public class SignatureSubpacketGeneratorWrapper + implements BaseSignatureSubpackets, SelfSignatureSubpackets, RevocationSignatureSubpackets { + + private SignatureCreationTime signatureCreationTime; + private SignatureExpirationTime signatureExpirationTime; + private IssuerKeyID issuerKeyID; + private IssuerFingerprint issuerFingerprint; + private final List notationDataList = new ArrayList<>(); + private final List intendedRecipientFingerprintList = new ArrayList<>(); + private final List revocationKeyList = new ArrayList<>(); + private Exportable exportable; + private SignatureTarget signatureTarget; + private Features features; + private KeyFlags keyFlags; + private TrustSignature trust; + private PreferredAlgorithms preferredCompressionAlgorithms; + private PreferredAlgorithms preferredSymmetricKeyAlgorithms; + private PreferredAlgorithms preferredHashAlgorithms; + private final List embeddedSignatureList = new ArrayList<>(); + private SignerUserID signerUserId; + private KeyExpirationTime keyExpirationTime; + private PrimaryUserID primaryUserId; + private Revocable revocable; + private RevocationReason revocationReason; + + public SignatureSubpacketGeneratorWrapper() { + setSignatureCreationTime(new Date()); + } + + public SignatureSubpacketGeneratorWrapper(PGPPublicKey issuer) { + this(); + setIssuerFingerprintAndKeyId(issuer); + } + + public PGPSignatureSubpacketGenerator getGenerator() { + PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); + + addSubpacket(generator, issuerKeyID); + addSubpacket(generator, issuerFingerprint); + addSubpacket(generator, signatureCreationTime); + addSubpacket(generator, signatureExpirationTime); + addSubpacket(generator, exportable); + for (NotationData notationData : notationDataList) { + addSubpacket(generator, notationData); + } + for (IntendedRecipientFingerprint intendedRecipientFingerprint : intendedRecipientFingerprintList) { + addSubpacket(generator, intendedRecipientFingerprint); + } + for (RevocationKey revocationKey : revocationKeyList) { + addSubpacket(generator, revocationKey); + } + addSubpacket(generator, signatureTarget); + addSubpacket(generator, features); + addSubpacket(generator, keyFlags); + addSubpacket(generator, trust); + addSubpacket(generator, preferredCompressionAlgorithms); + addSubpacket(generator, preferredSymmetricKeyAlgorithms); + addSubpacket(generator, preferredHashAlgorithms); + for (EmbeddedSignature embeddedSignature : embeddedSignatureList) { + addSubpacket(generator, embeddedSignature); + } + addSubpacket(generator, signerUserId); + addSubpacket(generator, keyExpirationTime); + addSubpacket(generator, primaryUserId); + addSubpacket(generator, revocable); + addSubpacket(generator, revocationReason); + + return generator; + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerFingerprintAndKeyId(PGPPublicKey key) { + setIssuerKeyId(key.getKeyID()); + setIssuerFingerprint(key); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerKeyId(long keyId) { + return setIssuerKeyId(true, keyId); + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerKeyId(boolean isCritical, long keyId) { + return setIssuerKeyId(new IssuerKeyID(isCritical, keyId)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID) { + this.issuerKeyID = issuerKeyID; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nonnull PGPPublicKey key) { + return setIssuerFingerprint(true, key); + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key) { + return setIssuerFingerprint(new IssuerFingerprint(isCritical, key.getVersion(), key.getFingerprint())); + } + + @Override + public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint) { + this.issuerFingerprint = fingerprint; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyFlags(KeyFlag... keyFlags) { + return setKeyFlags(true, keyFlags); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyFlags(boolean isCritical, KeyFlag... keyFlags) { + int bitmask = KeyFlag.toBitmask(keyFlags); + return setKeyFlags(new KeyFlags(isCritical, bitmask)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyFlags(@Nullable KeyFlags keyFlags) { + this.keyFlags = keyFlags; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nonnull Date creationTime) { + return setSignatureCreationTime(true, creationTime); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime) { + return setSignatureCreationTime(new SignatureCreationTime(isCritical, creationTime)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime) { + this.signatureCreationTime = signatureCreationTime; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime) { + return setSignatureExpirationTime(true, creationTime, expirationTime); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime) { + return setSignatureExpirationTime(isCritical, (expirationTime.getTime() / 1000) - (creationTime.getTime() / 1000)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, long seconds) { + if (seconds < 0) { + throw new IllegalArgumentException("Expiration time cannot be negative."); + } + return setSignatureExpirationTime(new SignatureExpirationTime(isCritical, seconds)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime) { + this.signatureExpirationTime = expirationTime; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignerUserId(@Nonnull String userId) { + return setSignerUserId(false, userId); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignerUserId(boolean isCritical, @Nonnull String userId) { + return setSignerUserId(new SignerUserID(isCritical, userId)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignerUserId(@Nullable SignerUserID signerUserId) { + this.signerUserId = signerUserId; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setPrimaryUserId() { + return setPrimaryUserId(true); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPrimaryUserId(boolean isCritical) { + return setPrimaryUserId(new PrimaryUserID(isCritical, true)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPrimaryUserId(@Nullable PrimaryUserID primaryUserId) { + this.primaryUserId = primaryUserId; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(key.getCreationTime(), keyExpirationTime); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(true, keyCreationTime, keyExpirationTime); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(isCritical, (keyExpirationTime.getTime() / 1000) - (keyCreationTime.getTime() / 1000)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration) { + if (secondsFromCreationToExpiration < 0) { + throw new IllegalArgumentException("Seconds from key creation to expiration cannot be less than 0."); + } + return setKeyExpirationTime(new KeyExpirationTime(isCritical, secondsFromCreationToExpiration)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime) { + this.keyExpirationTime = keyExpirationTime; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms) { + return setPreferredCompressionAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(Set algorithms) { + return setPreferredCompressionAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < algorithms.size(); i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredCompressionAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_COMP_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + this.preferredCompressionAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_COMP_ALGS) { + throw new IllegalArgumentException("Invalid preferred compression algorithms type."); + } + this.preferredCompressionAlgorithms = algorithms; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms) { + return setPreferredSymmetricKeyAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(Set algorithms) { + return setPreferredSymmetricKeyAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < algorithms.size(); i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredSymmetricKeyAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_SYM_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + this.preferredSymmetricKeyAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_SYM_ALGS) { + throw new IllegalArgumentException("Invalid preferred symmetric key algorithms type."); + } + this.preferredSymmetricKeyAlgorithms = algorithms; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(HashAlgorithm... algorithms) { + return setPreferredHashAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(Set algorithms) { + return setPreferredHashAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredHashAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_HASH_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + preferredHashAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_HASH_ALGS) { + throw new IllegalArgumentException("Invalid preferred hash algorithms type."); + } + this.preferredHashAlgorithms = algorithms; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue) { + return addNotationData(new NotationData(isCritical, true, notationName, notationValue)); + } + + @Override + public SignatureSubpacketGeneratorWrapper addNotationData(@Nonnull NotationData notationData) { + notationDataList.add(notationData); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper clearNotationData() { + notationDataList.clear(); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient) { + return addIntendedRecipientFingerprint(false, recipient); + } + + @Override + public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient) { + return addIntendedRecipientFingerprint(new IntendedRecipientFingerprint(isCritical, recipient.getVersion(), recipient.getFingerprint())); + } + + @Override + public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint) { + this.intendedRecipientFingerprintList.add(intendedRecipientFingerprint); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper clearIntendedRecipientFingerprints() { + intendedRecipientFingerprintList.clear(); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setExportable(boolean isCritical, boolean isExportable) { + return setExportable(new Exportable(isCritical, isExportable)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setExportable(@Nullable Exportable exportable) { + this.exportable = exportable; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocable(boolean isCritical, boolean isRevocable) { + return setRevocable(new Revocable(isCritical, isRevocable)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocable(@Nullable Revocable revocable) { + this.revocable = revocable; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull PGPPublicKey revocationKey) { + return addRevocationKey(true, revocationKey); + } + + @Override + public SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey) { + return addRevocationKey(isCritical, false, revocationKey); + } + + @Override + public SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey) { + byte clazz = (byte) 0x80; + clazz |= (isSensitive ? 0x40 : 0x00); + return addRevocationKey(new RevocationKey(isCritical, clazz, revocationKey.getAlgorithm(), revocationKey.getFingerprint())); + } + + @Override + public SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull RevocationKey revocationKey) { + this.revocationKeyList.add(revocationKey); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper clearRevocationKeys() { + revocationKeyList.clear(); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocationReason(RevocationAttributes revocationAttributes) { + return setRevocationReason(true, revocationAttributes); + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes) { + return setRevocationReason(isCritical, revocationAttributes.getReason(), revocationAttributes.getDescription()); + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description) { + return setRevocationReason(new RevocationReason(isCritical, reason.code(), description)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setRevocationReason(@Nullable RevocationReason reason) { + this.revocationReason = reason; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { + return setSignatureTarget(true, keyAlgorithm, hashAlgorithm, hashData); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { + return setSignatureTarget(new SignatureTarget(isCritical, keyAlgorithm.getAlgorithmId(), hashAlgorithm.getAlgorithmId(), hashData)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nullable SignatureTarget signatureTarget) { + this.signatureTarget = signatureTarget; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setFeatures(Feature... features) { + return setFeatures(true, features); + } + + @Override + public SignatureSubpacketGeneratorWrapper setFeatures(boolean isCritical, Feature... features) { + byte bitmask = Feature.toBitmask(features); + return setFeatures(new Features(isCritical, bitmask)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setFeatures(@Nullable Features features) { + this.features = features; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper setTrust(int depth, int amount) { + return setTrust(true, depth, amount); + } + + @Override + public SignatureSubpacketGeneratorWrapper setTrust(boolean isCritical, int depth, int amount) { + return setTrust(new TrustSignature(isCritical, depth, amount)); + } + + @Override + public SignatureSubpacketGeneratorWrapper setTrust(@Nullable TrustSignature trust) { + this.trust = trust; + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException { + return addEmbeddedSignature(true, signature); + } + + @Override + public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException { + byte[] sig = signature.getEncoded(); + byte[] data; + + if (sig.length - 1 > 256) + { + data = new byte[sig.length - 3]; + } + else + { + data = new byte[sig.length - 2]; + } + + System.arraycopy(sig, sig.length - data.length, data, 0, data.length); + + return addEmbeddedSignature(new EmbeddedSignature(isCritical, false, data)); + } + + @Override + public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature) { + this.embeddedSignatureList.add(embeddedSignature); + return this; + } + + @Override + public SignatureSubpacketGeneratorWrapper clearEmbeddedSignatures() { + this.embeddedSignatureList.clear(); + return this; + } + + private static void addSubpacket(PGPSignatureSubpacketGenerator generator, SignatureSubpacket subpacket) { + if (subpacket != null) { + generator.addCustomSubpacket(subpacket); + } + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java new file mode 100644 index 00000000..709b424c --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java @@ -0,0 +1,441 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; +import java.util.Date; +import java.util.Iterator; +import java.util.Random; + +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.SignatureSubpacketTags; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.Features; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.bouncycastle.bcpg.sig.Revocable; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.bouncycastle.bcpg.sig.SignatureTarget; +import org.bouncycastle.bcpg.sig.TrustSignature; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.key.util.RevocationAttributes; +import org.pgpainless.util.Passphrase; + +public class SignatureSubpacketGeneratorWrapperTest { + + private static PGPPublicKeyRing keys; + private static PGPPublicKey key; + + private SignatureSubpacketGeneratorWrapper wrapper; + + @BeforeAll + public static void setup() throws IOException { + keys = TestKeys.getEmilPublicKeyRing(); + key = keys.getPublicKey(); + } + + @BeforeEach + public void createWrapper() { + wrapper = new SignatureSubpacketGeneratorWrapper(key); + } + + @Test + public void initialStateTest() { + Date now = new Date(); + wrapper = new SignatureSubpacketGeneratorWrapper(); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(now.getTime(), vector.getSignatureCreationTime().getTime(), 1000); + } + + @Test + public void initialStateFromKeyTest() throws PGPException { + Date now = new Date(); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(key.getKeyID(), vector.getIssuerKeyID()); + assertEquals(key.getVersion(), vector.getIssuerFingerprint().getKeyVersion()); + assertArrayEquals(key.getFingerprint(), vector.getIssuerFingerprint().getFingerprint()); + assertEquals(now.getTime(), vector.getSignatureCreationTime().getTime(), 2000); + + assertEquals(0, vector.getKeyFlags()); + assertEquals(0, vector.getSignatureExpirationTime()); + assertNull(vector.getSignerUserID()); + assertFalse(vector.isPrimaryUserID()); + assertEquals(0, vector.getKeyExpirationTime()); + assertNull(vector.getPreferredCompressionAlgorithms()); + assertNull(vector.getPreferredSymmetricAlgorithms()); + assertNull(vector.getPreferredHashAlgorithms()); + assertEquals(0, vector.getNotationDataOccurrences().length); + assertNull(vector.getIntendedRecipientFingerprint()); + assertNull(vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE)); + assertNull(vector.getSubpacket(SignatureSubpacketTags.REVOCATION_KEY)); + assertNull(vector.getSubpacket(SignatureSubpacketTags.REVOCATION_REASON)); + assertNull(vector.getSignatureTarget()); + assertNull(vector.getFeatures()); + assertNull(vector.getSubpacket(SignatureSubpacketTags.TRUST_SIG)); + assertTrue(vector.getEmbeddedSignatures().isEmpty()); + } + + @Test + public void testNullKeyId() { + wrapper.setIssuerKeyId(null); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(0, vector.getIssuerKeyID()); + } + + + @Test + public void testNullFingerprint() { + wrapper.setIssuerFingerprint((IssuerFingerprint) null); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertNull(vector.getIssuerFingerprint()); + } + + @Test + public void testAddNotationData() { + wrapper.addNotationData(true, "critical@notation.data", "isCritical"); + wrapper.addNotationData(false, "noncrit@notation.data", "notCritical"); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + NotationData[] notationData = vector.getNotationDataOccurrences(); + assertEquals(2, notationData.length); + NotationData first = notationData[0]; + assertTrue(first.isCritical()); + assertTrue(first.isHumanReadable()); + assertEquals("critical@notation.data", first.getNotationName()); + assertEquals("isCritical", first.getNotationValue()); + + NotationData second = notationData[1]; + assertFalse(second.isCritical()); + assertTrue(second.isHumanReadable()); + assertEquals("noncrit@notation.data", second.getNotationName()); + assertEquals("notCritical", second.getNotationValue()); + + wrapper.clearNotationData(); + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getNotationDataOccurrences().length); + + } + + @Test + public void testIntendedRecipientFingerprints() { + wrapper.addIntendedRecipientFingerprint(key); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(1, vector.getSubpackets(SignatureSubpacketTags.INTENDED_RECIPIENT_FINGERPRINT).length); + assertArrayEquals(key.getFingerprint(), vector.getIntendedRecipientFingerprint().getFingerprint()); + assertEquals(key.getVersion(), vector.getIntendedRecipientFingerprint().getKeyVersion()); + + wrapper.clearIntendedRecipientFingerprints(); + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getSubpackets(SignatureSubpacketTags.INTENDED_RECIPIENT_FINGERPRINT).length); + } + + @Test + public void testAddRevocationKeys() { + Iterator keyIterator = keys.getPublicKeys(); + PGPPublicKey first = keyIterator.next(); + wrapper.addRevocationKey(first); + assertTrue(keyIterator.hasNext()); + PGPPublicKey second = keyIterator.next(); + wrapper.addRevocationKey(false, true, second); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + SignatureSubpacket[] revKeys = vector.getSubpackets(SignatureSubpacketTags.REVOCATION_KEY); + assertEquals(2, revKeys.length); + RevocationKey r1 = (RevocationKey) revKeys[0]; + RevocationKey r2 = (RevocationKey) revKeys[1]; + + assertTrue(r1.isCritical()); + assertArrayEquals(first.getFingerprint(), r1.getFingerprint()); + assertEquals(first.getAlgorithm(), r1.getAlgorithm()); + assertEquals((byte) 0x80, r1.getSignatureClass()); + + assertFalse(r2.isCritical()); + assertArrayEquals(second.getFingerprint(), r2.getFingerprint()); + assertEquals(second.getAlgorithm(), r2.getAlgorithm()); + assertEquals((byte) (0x80 | 0x40), r2.getSignatureClass()); + + wrapper.clearRevocationKeys(); + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getSubpackets(SignatureSubpacketTags.REVOCATION_KEY).length); + } + + @Test + public void testSetKeyFlags() { + wrapper.setKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA); // duplicates are removed + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(KeyFlag.toBitmask(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER), vector.getKeyFlags()); + assertTrue(vector.getSubpacket(SignatureSubpacketTags.KEY_FLAGS).isCritical()); + } + + @Test + public void testSignatureExpirationTime() { + Date now = new Date(); + long secondsInAWeek = 60 * 60 * 24 * 7; + Date inAWeek = new Date(now.getTime() + 1000 * secondsInAWeek); + wrapper.setSignatureExpirationTime(now, inAWeek); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(secondsInAWeek, vector.getSignatureExpirationTime()); + } + + @Test + public void testSignatureExpirationTimeCannotBeNegative() { + Date now = new Date(); + long secondsInAWeek = 60 * 60 * 24 * 7; + Date oneWeekEarlier = new Date(now.getTime() - 1000 * secondsInAWeek); + assertThrows(IllegalArgumentException.class, () -> wrapper.setSignatureExpirationTime(now, oneWeekEarlier)); + } + + @Test + public void testSignerUserId() { + String userId = "Alice "; + wrapper.setSignerUserId(userId); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(userId, vector.getSignerUserID()); + } + + @Test + public void testSetPrimaryUserId() { + assertFalse(wrapper.getGenerator().generate().isPrimaryUserID()); + + wrapper.setPrimaryUserId(); + assertTrue(wrapper.getGenerator().generate().isPrimaryUserID()); + } + + @Test + public void testSetKeyExpiration() { + Date now = new Date(); + long secondsSinceKeyCreation = (now.getTime() - key.getCreationTime().getTime()) / 1000; + wrapper.setKeyExpirationTime(key, now); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(secondsSinceKeyCreation, vector.getKeyExpirationTime()); + } + + @Test + public void testSetKeyExpirationCannotBeNegative() { + Date beforeKeyCreation = new Date(key.getCreationTime().getTime() - 10000); + assertThrows(IllegalArgumentException.class, () -> wrapper.setKeyExpirationTime(key, beforeKeyCreation)); + } + + @Test + public void testSetPreferredCompressionAlgorithms() { + wrapper.setPreferredCompressionAlgorithms(CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2); // duplicates get removed + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + int[] ids = vector.getPreferredCompressionAlgorithms(); + assertEquals(2, ids.length); + assertEquals(CompressionAlgorithm.BZIP2.getAlgorithmId(), ids[0]); + assertEquals(CompressionAlgorithm.ZIP.getAlgorithmId(), ids[1]); + + wrapper.setPreferredCompressionAlgorithms(); // empty + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getPreferredCompressionAlgorithms().length); + + wrapper.setPreferredCompressionAlgorithms((PreferredAlgorithms) null); + vector = wrapper.getGenerator().generate(); + assertNull(vector.getPreferredCompressionAlgorithms()); + + assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredCompressionAlgorithms( + new PreferredAlgorithms(SignatureSubpacketTags.PREFERRED_SYM_ALGS, true, new int[0]))); + } + + @Test + public void testSetPreferredSymmetricKeyAlgorithms() { + wrapper.setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.AES_128); // duplicates get removed + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + int[] ids = vector.getPreferredSymmetricAlgorithms(); + assertEquals(2, ids.length); + assertEquals(SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), ids[0]); + assertEquals(SymmetricKeyAlgorithm.AES_128.getAlgorithmId(), ids[1]); + + wrapper.setPreferredSymmetricKeyAlgorithms(); // empty + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getPreferredSymmetricAlgorithms().length); + + wrapper.setPreferredSymmetricKeyAlgorithms((PreferredAlgorithms) null); + vector = wrapper.getGenerator().generate(); + assertNull(vector.getPreferredCompressionAlgorithms()); + + assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredSymmetricKeyAlgorithms( + new PreferredAlgorithms(SignatureSubpacketTags.PREFERRED_HASH_ALGS, true, new int[0]))); + } + + @Test + public void testSetPreferredHashAlgorithms() { + wrapper.setPreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA512); // duplicates get removed + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + int[] ids = vector.getPreferredHashAlgorithms(); + assertEquals(2, ids.length); + assertEquals(HashAlgorithm.SHA512.getAlgorithmId(), ids[0]); + assertEquals(HashAlgorithm.SHA384.getAlgorithmId(), ids[1]); + + wrapper.setPreferredHashAlgorithms(); // empty + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getPreferredHashAlgorithms().length); + + wrapper.setPreferredHashAlgorithms((PreferredAlgorithms) null); + vector = wrapper.getGenerator().generate(); + assertNull(vector.getPreferredHashAlgorithms()); + + assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredHashAlgorithms( + new PreferredAlgorithms(SignatureSubpacketTags.PREFERRED_COMP_ALGS, true, new int[0]))); + } + + @Test + public void testSetExportable() { + wrapper.setExportable(true, false); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + Exportable exportable = (Exportable) vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE); + assertTrue(exportable.isCritical()); + assertFalse(exportable.isExportable()); + + wrapper.setExportable(false, true); + vector = wrapper.getGenerator().generate(); + + exportable = (Exportable) vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE); + assertFalse(exportable.isCritical()); + assertTrue(exportable.isExportable()); + } + + @Test + public void testSetRevocable() { + wrapper.setRevocable(true, true); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + Revocable revocable = (Revocable) vector.getSubpacket(SignatureSubpacketTags.REVOCABLE); + assertTrue(revocable.isCritical()); + assertTrue(revocable.isRevocable()); + + wrapper.setRevocable(false, false); + vector = wrapper.getGenerator().generate(); + + revocable = (Revocable) vector.getSubpacket(SignatureSubpacketTags.REVOCABLE); + assertFalse(revocable.isCritical()); + assertFalse(revocable.isRevocable()); + } + + @Test + public void testSetRevocationReason() { + wrapper.setRevocationReason(RevocationAttributes.createKeyRevocation() + .withReason(RevocationAttributes.Reason.KEY_RETIRED).withDescription("The key is too weak.")); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + assertEquals(1, vector.getSubpackets(SignatureSubpacketTags.REVOCATION_REASON).length); + RevocationReason reason = (RevocationReason) vector.getSubpacket(SignatureSubpacketTags.REVOCATION_REASON); + assertEquals(RevocationAttributes.Reason.KEY_RETIRED.code(), reason.getRevocationReason()); + assertEquals("The key is too weak.", reason.getRevocationDescription()); + } + + @Test + public void testSetSignatureTarget() { + byte[] hash = new byte[20]; + new Random().nextBytes(hash); + wrapper.setSignatureTarget(PublicKeyAlgorithm.fromId(key.getAlgorithm()), HashAlgorithm.SHA512, hash); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + SignatureTarget target = vector.getSignatureTarget(); + assertNotNull(target); + assertEquals(key.getAlgorithm(), target.getPublicKeyAlgorithm()); + assertEquals(HashAlgorithm.SHA512.getAlgorithmId(), target.getHashAlgorithm()); + assertArrayEquals(hash, target.getHashData()); + } + + @Test + public void testSetFeatures() { + wrapper.setFeatures(Feature.MODIFICATION_DETECTION, Feature.AEAD_ENCRYPTED_DATA); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + Features features = vector.getFeatures(); + assertTrue(features.supportsModificationDetection()); + assertTrue(features.supportsFeature(Features.FEATURE_AEAD_ENCRYPTED_DATA)); + assertFalse(features.supportsFeature(Features.FEATURE_VERSION_5_PUBLIC_KEY)); + } + + @Test + public void testSetTrust() { + wrapper.setTrust(10, 5); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + TrustSignature trustSignature = (TrustSignature) vector.getSubpacket(SignatureSubpacketTags.TRUST_SIG); + assertNotNull(trustSignature); + assertEquals(10, trustSignature.getDepth()); + assertEquals(5, trustSignature.getTrustAmount()); + } + + @Test + public void testAddEmbeddedSignature() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + Iterator secretKeyIterator = secretKeys.iterator(); + PGPSecretKey primaryKey = secretKeyIterator.next(); + PGPSignatureGenerator generator = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder(primaryKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()) + ); + + PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, (Passphrase) null); + generator.init(SignatureType.DIRECT_KEY.getCode(), privateKey); + PGPSignature sig1 = generator.generateCertification(primaryKey.getPublicKey()); + + generator.init(SignatureType.DIRECT_KEY.getCode(), privateKey); + PGPSignature sig2 = generator.generateCertification(secretKeyIterator.next().getPublicKey()); + + wrapper.addEmbeddedSignature(sig1); + + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + assertEquals(1, vector.getEmbeddedSignatures().size()); + assertArrayEquals(sig1.getSignature(), vector.getEmbeddedSignatures().get(0).getSignature()); + + wrapper.addEmbeddedSignature(sig2); + + vector = wrapper.getGenerator().generate(); + assertEquals(2, vector.getEmbeddedSignatures().size()); + assertArrayEquals(sig2.getSignature(), vector.getEmbeddedSignatures().get(1).getSignature()); + + wrapper.clearEmbeddedSignatures(); + vector = wrapper.getGenerator().generate(); + assertEquals(0, vector.getEmbeddedSignatures().size()); + } +} From 8b5ffedd29b241d1453520597aa021ab987a036d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 20 Oct 2021 21:40:44 +0200 Subject: [PATCH 0119/1450] More checkstyle issues --- .../signature/builder/CertificationSignatureBuilder.java | 4 ++++ .../signature/builder/RevocationSignatureBuilder.java | 4 +++- .../org/pgpainless/signature/builder/package-info.java | 8 ++++++++ .../subpackets/SignatureSubpacketGeneratorWrapper.java | 6 ++---- 4 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/package-info.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java index 03801204..792658ee 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + package org.pgpainless.signature.builder; import org.bouncycastle.openpgp.PGPException; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index bd7bef31..db263f07 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -37,5 +37,7 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +/** + * Classes related to OpenPGP signatures. + */ +package org.pgpainless.signature.builder; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java index 59ce6a47..5a4e72d3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -549,12 +549,10 @@ public class SignatureSubpacketGeneratorWrapper byte[] sig = signature.getEncoded(); byte[] data; - if (sig.length - 1 > 256) - { + if (sig.length - 1 > 256) { data = new byte[sig.length - 3]; } - else - { + else { data = new byte[sig.length - 2]; } From e9dc26b1da05a349cfcdf1b754bdce084cf7f54b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 22 Oct 2021 15:42:08 +0200 Subject: [PATCH 0120/1450] Started working on proofs --- .../org/pgpainless/signature/ProofUtil.java | 141 ++++++++++++++++++ .../builder/AbstractSignatureBuilder.java | 15 ++ .../CertificationSignatureBuilder.java | 19 ++- .../builder/DirectKeySignatureBuilder.java | 43 ++++++ .../subpackets/BaseSignatureSubpackets.java | 2 + .../SignatureSubpacketGeneratorWrapper.java | 122 ++++++++++++++- .../signature/builder/ProofUtilTest.java | 75 ++++++++++ .../SubkeyBindingSignatureBuilderTest.java | 56 +++++++ 8 files changed, 469 insertions(+), 4 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java new file mode 100644 index 00000000..81055b84 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java @@ -0,0 +1,141 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.NoSuchElementException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.builder.CertificationSignatureBuilder; +import org.pgpainless.signature.builder.DirectKeySignatureBuilder; + +public class ProofUtil { + + public PGPSecretKeyRing addProof(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, Proof proof) + throws PGPException { + return addProofs(secretKey, protector, Collections.singletonList(proof)); + } + + public PGPSecretKeyRing addProofs(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, List proofs) + throws PGPException { + KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + return addProofs(secretKey, protector, info.getPrimaryUserId(), proofs); + } + + public PGPSecretKeyRing addProof(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, String userId, Proof proof) + throws PGPException { + return addProofs(secretKey, protector, userId, Collections.singletonList(proof)); + } + + public PGPSecretKeyRing addProofs(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, + @Nullable String userId, List proofs) + throws PGPException { + KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + PGPSecretKey certificationKey = secretKey.getSecretKey(); + PGPPublicKey certificationPubKey = certificationKey.getPublicKey(); + PGPSignature certification = null; + + // null userid -> make direct key sig + if (userId == null) { + PGPSignature previousCertification = info.getLatestDirectKeySelfSignature(); + if (previousCertification == null) { + throw new NoSuchElementException("No previous valid direct key signature found."); + } + + DirectKeySignatureBuilder sigBuilder = new DirectKeySignatureBuilder(certificationKey, protector, previousCertification); + for (Proof proof : proofs) { + sigBuilder.getHashedSubpackets().addNotationData(false, proof.getNotationName(), proof.getNotationValue()); + } + certification = sigBuilder.build(certificationPubKey); + certificationPubKey = PGPPublicKey.addCertification(certificationPubKey, certification); + } else { + if (!info.isUserIdValid(userId)) { + throw new IllegalArgumentException("User ID " + userId + " seems to not be valid for this key."); + } + PGPSignature previousCertification = info.getLatestUserIdCertification(userId); + if (previousCertification == null) { + throw new NoSuchElementException("No previous valid user-id certification found."); + } + + CertificationSignatureBuilder sigBuilder = new CertificationSignatureBuilder(certificationKey, protector, previousCertification); + for (Proof proof : proofs) { + sigBuilder.getHashedSubpackets().addNotationData(false, proof.getNotationName(), proof.getNotationValue()); + } + certification = sigBuilder.build(certificationPubKey, userId); + certificationPubKey = PGPPublicKey.addCertification(certificationPubKey, userId, certification); + } + certificationKey = PGPSecretKey.replacePublicKey(certificationKey, certificationPubKey); + secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, certificationKey); + + return secretKey; + } + + public static class Proof { + public static final String NOTATION_NAME = "proof@metacode.biz"; + private final String notationValue; + + public Proof(String notationValue) { + if (notationValue == null) { + throw new IllegalArgumentException("Notation value cannot be null."); + } + String trimmed = notationValue.trim(); + if (trimmed.isEmpty()) { + throw new IllegalArgumentException("Notation value cannot be empty."); + } + this.notationValue = trimmed; + } + + public String getNotationName() { + return NOTATION_NAME; + } + + public String getNotationValue() { + return notationValue; + } + + public static Proof fromMatrixPermalink(String username, String eventPermalink) { + Pattern pattern = Pattern.compile("^https:\\/\\/matrix\\.to\\/#\\/(![a-zA-Z]{18}:matrix\\.org)\\/(\\$[a-zA-Z0-9\\-_]{43})\\?via=.*$"); + Matcher matcher = pattern.matcher(eventPermalink); + if (!matcher.matches()) { + throw new IllegalArgumentException("Invalid matrix event permalink."); + } + String roomId = matcher.group(1); + String eventId = matcher.group(2); + return new Proof(String.format("matrix:u/%s?org.keyoxide.r=%s&org.keyoxide.e=%s", username, roomId, eventId)); + } + + @Override + public String toString() { + return getNotationName() + "=" + getNotationValue(); + } + } + + public static List getProofs(PGPSignature signature) { + PGPSignatureSubpacketVector hashedSubpackets = signature.getHashedSubPackets(); + NotationData[] notations = hashedSubpackets.getNotationDataOccurrences(); + + List proofs = new ArrayList<>(); + for (NotationData notation : notations) { + if (notation.getNotationName().equals(Proof.NOTATION_NAME)) { + proofs.add(new Proof(notation.getNotationValue())); + } + } + return proofs; + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 7f1425d4..3c859883 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -10,6 +10,7 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; @@ -46,6 +47,20 @@ public abstract class AbstractSignatureBuilder hashAlgorithmPreferences = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); return HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java index 792658ee..f094c4fc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java @@ -4,6 +4,8 @@ package org.pgpainless.signature.builder; +import javax.annotation.Nonnull; + import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -12,6 +14,7 @@ import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class CertificationSignatureBuilder extends AbstractSignatureBuilder { @@ -19,6 +22,18 @@ public class CertificationSignatureBuilder extends AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class DirectKeySignatureBuilder extends AbstractSignatureBuilder { + + public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) throws WrongPassphraseException { + super(certificationKey, protector, archetypeSignature); + } + + public DirectKeySignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + public SelfSignatureSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public SelfSignatureSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public PGPSignature build(PGPPublicKey key) throws PGPException { + return buildAndInitSignatureGenerator() + .generateCertification(key); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + return type == SignatureType.DIRECT_KEY; + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java index 6980d131..3b824f11 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java @@ -64,6 +64,8 @@ public interface BaseSignatureSubpackets { SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue); + SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue); + SignatureSubpacketGeneratorWrapper addNotationData(@Nonnull NotationData notationData); SignatureSubpacketGeneratorWrapper clearNotationData(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java index 5a4e72d3..6bb9aaf4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -39,6 +39,7 @@ import org.bouncycastle.bcpg.sig.TrustSignature; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; @@ -71,16 +72,125 @@ public class SignatureSubpacketGeneratorWrapper private PrimaryUserID primaryUserId; private Revocable revocable; private RevocationReason revocationReason; + private final List unsupportedSubpackets = new ArrayList<>(); public SignatureSubpacketGeneratorWrapper() { setSignatureCreationTime(new Date()); } public SignatureSubpacketGeneratorWrapper(PGPPublicKey issuer) { - this(); + setSignatureCreationTime(new Date()); setIssuerFingerprintAndKeyId(issuer); } + public SignatureSubpacketGeneratorWrapper(PGPPublicKey issuer, PGPSignatureSubpacketVector base) { + extractSubpacketsFromVector(base); + setSignatureCreationTime(new Date()); + setIssuerFingerprintAndKeyId(issuer); + } + + public SignatureSubpacketGeneratorWrapper(PGPSignatureSubpacketVector base) { + extractSubpacketsFromVector(base); + setSignatureCreationTime(new Date()); + } + + private void extractSubpacketsFromVector(PGPSignatureSubpacketVector base) { + for (SignatureSubpacket subpacket : base.toArray()) { + org.pgpainless.algorithm.SignatureSubpacket type = org.pgpainless.algorithm.SignatureSubpacket.fromCode(subpacket.getType()); + switch (type) { + case signatureCreationTime: + case issuerKeyId: + case issuerFingerprint: + // ignore, we override this anyways + break; + case signatureExpirationTime: + SignatureExpirationTime sigExpTime = (SignatureExpirationTime) subpacket; + setSignatureExpirationTime(sigExpTime.isCritical(), sigExpTime.getTime()); + break; + case exportableCertification: + Exportable exp = (Exportable) subpacket; + setExportable(exp.isCritical(), exp.isExportable()); + break; + case trustSignature: + TrustSignature trustSignature = (TrustSignature) subpacket; + setTrust(trustSignature.isCritical(), trustSignature.getDepth(), trustSignature.getTrustAmount()); + break; + case revocable: + Revocable rev = (Revocable) subpacket; + setRevocable(rev.isCritical(), rev.isRevocable()); + break; + case keyExpirationTime: + KeyExpirationTime keyExpTime = (KeyExpirationTime) subpacket; + setKeyExpirationTime(keyExpTime.isCritical(), keyExpTime.getTime()); + break; + case preferredSymmetricAlgorithms: + setPreferredSymmetricKeyAlgorithms((PreferredAlgorithms) subpacket); + break; + case revocationKey: + RevocationKey revocationKey = (RevocationKey) subpacket; + addRevocationKey(revocationKey); + break; + case notationData: + NotationData notationData = (NotationData) subpacket; + addNotationData(notationData.isCritical(), notationData.getNotationName(), notationData.getNotationValue()); + break; + case preferredHashAlgorithms: + setPreferredHashAlgorithms((PreferredAlgorithms) subpacket); + break; + case preferredCompressionAlgorithms: + setPreferredCompressionAlgorithms((PreferredAlgorithms) subpacket); + break; + case primaryUserId: + PrimaryUserID primaryUserID = (PrimaryUserID) subpacket; + setPrimaryUserId(primaryUserID); + break; + case keyFlags: + KeyFlags flags = (KeyFlags) subpacket; + setKeyFlags(flags.isCritical(), KeyFlag.fromBitmask(flags.getFlags()).toArray(new KeyFlag[0])); + break; + case signerUserId: + SignerUserID signerUserID = (SignerUserID) subpacket; + setSignerUserId(signerUserID.isCritical(), signerUserID.getID()); + break; + case revocationReason: + RevocationReason reason = (RevocationReason) subpacket; + setRevocationReason(reason.isCritical(), + RevocationAttributes.Reason.fromCode(reason.getRevocationReason()), + reason.getRevocationDescription()); + break; + case features: + Features f = (Features) subpacket; + setFeatures(f.isCritical(), Feature.fromBitmask(f.getData()[0]).toArray(new Feature[0])); + break; + case signatureTarget: + SignatureTarget target = (SignatureTarget) subpacket; + setSignatureTarget(target.isCritical(), + PublicKeyAlgorithm.fromId(target.getPublicKeyAlgorithm()), + HashAlgorithm.fromId(target.getHashAlgorithm()), + target.getHashData()); + break; + case embeddedSignature: + EmbeddedSignature embeddedSignature = (EmbeddedSignature) subpacket; + addEmbeddedSignature(embeddedSignature); + break; + case intendedRecipientFingerprint: + IntendedRecipientFingerprint intendedRecipientFingerprint = (IntendedRecipientFingerprint) subpacket; + addIntendedRecipientFingerprint(intendedRecipientFingerprint); + break; + + case regularExpression: + case keyServerPreferences: + case preferredKeyServers: + case policyUrl: + case placeholder: + case preferredAEADAlgorithms: + case attestedCertification: + unsupportedSubpackets.add(subpacket); + break; + } + } + } + public PGPSignatureSubpacketGenerator getGenerator() { PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); @@ -113,6 +223,9 @@ public class SignatureSubpacketGeneratorWrapper addSubpacket(generator, primaryUserId); addSubpacket(generator, revocable); addSubpacket(generator, revocationReason); + for (SignatureSubpacket subpacket : unsupportedSubpackets) { + addSubpacket(generator, subpacket); + } return generator; } @@ -381,7 +494,12 @@ public class SignatureSubpacketGeneratorWrapper @Override public SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue) { - return addNotationData(new NotationData(isCritical, true, notationName, notationValue)); + return addNotationData(isCritical, true, notationName, notationValue); + } + + @Override + public SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue) { + return addNotationData(new NotationData(isCritical, isHumanReadable, notationName, notationValue)); } @Override diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java new file mode 100644 index 00000000..a040ee93 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java @@ -0,0 +1,75 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.ProofUtil; + +public class ProofUtilTest { + + @Test + public void testEmptyProofThrows() { + assertThrows(IllegalArgumentException.class, () -> new ProofUtil.Proof("")); + } + + @Test + public void testNullProofThrows() { + assertThrows(IllegalArgumentException.class, () -> new ProofUtil.Proof(null)); + } + + @Test + public void proofIsTrimmed() { + ProofUtil.Proof proof = new ProofUtil.Proof(" foo:bar "); + assertEquals("proof@metacode.biz=foo:bar", proof.toString()); + } + + @Test + public void testMatrixProof() { + String matrixUser = "@foo:matrix.org"; + String permalink = "https://matrix.to/#/!dBfQZxCoGVmSTujfiv:matrix.org/$3dVX1nv3lmwnKxc0mgto_Sf-REVr45Z6G7LWLWal10w?via=chat.matrix.org"; + ProofUtil.Proof proof = ProofUtil.Proof.fromMatrixPermalink(matrixUser, permalink); + + assertEquals("proof@metacode.biz=matrix:u/@foo:matrix.org?org.keyoxide.r=!dBfQZxCoGVmSTujfiv:matrix.org&org.keyoxide.e=$3dVX1nv3lmwnKxc0mgto_Sf-REVr45Z6G7LWLWal10w", + proof.toString()); + } + + @Test + public void testXmppBasicProof() { + String jid = "alice@pgpainless.org"; + ProofUtil.Proof proof = new ProofUtil.Proof("xmpp:" + jid); + + assertEquals("proof@metacode.biz=xmpp:alice@pgpainless.org", proof.toString()); + } + + @Test + public void testAddProof() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException, InterruptedException { + String userId = "Alice "; + PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() + .modernKeyRing(userId, null); + Thread.sleep(1000L); + secretKey = new ProofUtil() + .addProof(secretKey, SecretKeyRingProtector.unprotectedKeys(), new ProofUtil.Proof("xmpp:alice@pgpainless.org")); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + PGPSignature signature = info.getLatestUserIdCertification(userId); + assertNotNull(signature); + assertFalse(ProofUtil.getProofs(signature).isEmpty()); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java new file mode 100644 index 00000000..341940e5 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java @@ -0,0 +1,56 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.List; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.EncryptionPurpose; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.Passphrase; + +public class SubkeyBindingSignatureBuilderTest { + + @Test + public void testBindSubkeyWithCustomNotation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", "passphrase"); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); + List previousSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("passphrase"), secretKey); + + PGPSecretKeyRing tempSubkeyRing = PGPainless.generateKeyRing() + .modernKeyRing("Subkeys", null); + PGPPublicKey subkey = PGPainless.inspectKeyRing(tempSubkeyRing) + .getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0); + + SubkeyBindingSignatureBuilder skbb = new SubkeyBindingSignatureBuilder(SignatureType.SUBKEY_BINDING, secretKey.getSecretKey(), protector); + skbb.getHashedSubpackets().addNotationData(false, "testnotation@pgpainless.org", "hello-world"); + skbb.getHashedSubpackets().setKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE); + PGPSignature binding = skbb.build(subkey); + subkey = PGPPublicKey.addCertification(subkey, binding); + PGPSecretKey secSubkey = tempSubkeyRing.getSecretKey(subkey.getKeyID()); + secSubkey = PGPSecretKey.replacePublicKey(secSubkey, subkey); + secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, secSubkey); + + info = PGPainless.inspectKeyRing(secretKey); + List nextSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + assertEquals(previousSubkeys.size() + 1, nextSubkeys.size()); + } +} From de926e022f4b143d3641ef5a17c5703697ef4df9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 25 Oct 2021 21:03:34 +0200 Subject: [PATCH 0121/1450] More signature builder experimentations --- .../builder/AbstractSignatureBuilder.java | 8 +- .../PrimaryKeyBindingSignatureBuilder.java | 40 ++++++++++ .../signature/builder/SignatureBuilder.java | 74 +++++++++++++++++++ .../SubkeyBindingSignatureBuilder.java | 5 +- .../subpackets/BindingSignatureCallback.java | 12 +++ .../SignatureSubpacketGeneratorWrapper.java | 43 ++++++++--- .../SubkeyBindingSignatureBuilderTest.java | 3 +- ...ignatureSubpacketGeneratorWrapperTest.java | 4 +- 8 files changed, 168 insertions(+), 21 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 3c859883..b99693bc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -43,8 +43,8 @@ public abstract class AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder { + + public PrimaryKeyBindingSignatureBuilder(PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector) + throws WrongPassphraseException { + super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector); + } + + public SelfSignatureSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public SelfSignatureSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + return type == SignatureType.PRIMARYKEY_BINDING; + } + + public PGPSignature build(PGPPublicKey primaryKey) throws PGPException { + return buildAndInitSignatureGenerator() + .generateCertification(primaryKey, publicSigningKey); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java new file mode 100644 index 00000000..e211e098 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java @@ -0,0 +1,74 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import java.io.IOException; +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.BindingSignatureCallback; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class SignatureBuilder { + + public SubkeyBindingSignatureBuilder subkeyBindingSignatureBuilder( + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + PGPSecretKey subkey, + SecretKeyRingProtector subkeyProtector, + @Nullable BindingSignatureCallback subkeyBindingSubpacketsCallback, + @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback, + KeyFlag... flags) + throws PGPException, IOException { + if (flags.length == 0) { + throw new IllegalArgumentException("Keyflags for subkey binding cannot be empty."); + } + SubkeyBindingSignatureBuilder subkeyBindingBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + + SelfSignatureSubpackets hashedSubpackets = subkeyBindingBuilder.getHashedSubpackets(); + hashedSubpackets.setKeyFlags(flags); + + boolean isSigningKey = false; + for (KeyFlag flag : flags) { + if (flag == KeyFlag.SIGN_DATA) { + isSigningKey = true; + break; + } + } + if (isSigningKey) { + PGPSignature backsig = primaryKeyBindingSignature( + subkey, subkeyProtector, primaryKey.getPublicKey(), primaryKeyBindingSubpacketsCallback); + hashedSubpackets.addEmbeddedSignature(backsig); + } + + if (subkeyBindingSubpacketsCallback != null) { + subkeyBindingSubpacketsCallback.modifyHashedSubpackets(subkeyBindingBuilder.getHashedSubpackets()); + subkeyBindingSubpacketsCallback.modifyUnhashedSubpackets(subkeyBindingBuilder.getUnhashedSubpackets()); + } + + return subkeyBindingBuilder; + } + + public PGPSignature primaryKeyBindingSignature( + PGPSecretKey subkey, + SecretKeyRingProtector subkeyProtector, + PGPPublicKey primaryKey, + BindingSignatureCallback primaryKeyBindingSubpacketsCallback) throws PGPException { + + PrimaryKeyBindingSignatureBuilder builder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); + if (primaryKeyBindingSubpacketsCallback != null) { + primaryKeyBindingSubpacketsCallback.modifyHashedSubpackets(builder.getHashedSubpackets()); + primaryKeyBindingSubpacketsCallback.modifyUnhashedSubpackets(builder.getUnhashedSubpackets()); + } + + return builder.build(primaryKey); + } + +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java index 8e74510b..fad7e31b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java @@ -15,8 +15,9 @@ import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder { - public SubkeyBindingSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { - super(signatureType, signingKey, protector); + public SubkeyBindingSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + super(SignatureType.SUBKEY_BINDING, signingKey, protector); } @Override diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java new file mode 100644 index 00000000..ee2629d7 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java @@ -0,0 +1,12 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +public interface BindingSignatureCallback { + + void modifyHashedSubpackets(SelfSignatureSubpackets subpackets); + + void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets); +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java index 6bb9aaf4..636bbefa 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -75,23 +75,44 @@ public class SignatureSubpacketGeneratorWrapper private final List unsupportedSubpackets = new ArrayList<>(); public SignatureSubpacketGeneratorWrapper() { - setSignatureCreationTime(new Date()); + } - public SignatureSubpacketGeneratorWrapper(PGPPublicKey issuer) { - setSignatureCreationTime(new Date()); - setIssuerFingerprintAndKeyId(issuer); + public static SignatureSubpacketGeneratorWrapper refreshHashedSubpackets(PGPPublicKey issuer, PGPSignature oldSignature) { + return createHashedSubpacketsFrom(issuer, oldSignature.getHashedSubPackets()); } - public SignatureSubpacketGeneratorWrapper(PGPPublicKey issuer, PGPSignatureSubpacketVector base) { - extractSubpacketsFromVector(base); - setSignatureCreationTime(new Date()); - setIssuerFingerprintAndKeyId(issuer); + public static SignatureSubpacketGeneratorWrapper refreshUnhashedSubpackets(PGPSignature oldSignature) { + return createSubpacketsFrom(oldSignature.getUnhashedSubPackets()); } - public SignatureSubpacketGeneratorWrapper(PGPSignatureSubpacketVector base) { - extractSubpacketsFromVector(base); - setSignatureCreationTime(new Date()); + public static SignatureSubpacketGeneratorWrapper createHashedSubpacketsFrom(PGPPublicKey issuer, PGPSignatureSubpacketVector base) { + SignatureSubpacketGeneratorWrapper wrapper = createSubpacketsFrom(base); + wrapper.setIssuerFingerprintAndKeyId(issuer); + return wrapper; + } + + public static SignatureSubpacketGeneratorWrapper createSubpacketsFrom(PGPSignatureSubpacketVector base) { + SignatureSubpacketGeneratorWrapper wrapper = new SignatureSubpacketGeneratorWrapper(); + wrapper.extractSubpacketsFromVector(base); + wrapper.setSignatureCreationTime(new Date()); + return wrapper; + } + + public static SignatureSubpacketGeneratorWrapper createEmptySubpackets() { + return new SignatureSubpacketGeneratorWrapper(); + } + + public static SignatureSubpacketGeneratorWrapper createHashedSubpackets() { + SignatureSubpacketGeneratorWrapper wrapper = new SignatureSubpacketGeneratorWrapper(); + wrapper.setSignatureCreationTime(new Date()); + return wrapper; + } + + public static SignatureSubpacketGeneratorWrapper createHashedSubpackets(PGPPublicKey issuer) { + SignatureSubpacketGeneratorWrapper wrapper = createHashedSubpackets(); + wrapper.setIssuerFingerprintAndKeyId(issuer); + return wrapper; } private void extractSubpacketsFromVector(PGPSignatureSubpacketVector base) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java index 341940e5..b2c06cfb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java @@ -20,7 +20,6 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.SignatureType; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.Passphrase; @@ -40,7 +39,7 @@ public class SubkeyBindingSignatureBuilderTest { PGPPublicKey subkey = PGPainless.inspectKeyRing(tempSubkeyRing) .getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0); - SubkeyBindingSignatureBuilder skbb = new SubkeyBindingSignatureBuilder(SignatureType.SUBKEY_BINDING, secretKey.getSecretKey(), protector); + SubkeyBindingSignatureBuilder skbb = new SubkeyBindingSignatureBuilder(secretKey.getSecretKey(), protector); skbb.getHashedSubpackets().addNotationData(false, "testnotation@pgpainless.org", "hello-world"); skbb.getHashedSubpackets().setKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE); PGPSignature binding = skbb.build(subkey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java index 709b424c..fb1b0cd3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java @@ -69,13 +69,13 @@ public class SignatureSubpacketGeneratorWrapperTest { @BeforeEach public void createWrapper() { - wrapper = new SignatureSubpacketGeneratorWrapper(key); + wrapper = SignatureSubpacketGeneratorWrapper.createHashedSubpackets(key); } @Test public void initialStateTest() { Date now = new Date(); - wrapper = new SignatureSubpacketGeneratorWrapper(); + wrapper = SignatureSubpacketGeneratorWrapper.createHashedSubpackets(); PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); assertEquals(now.getTime(), vector.getSignatureCreationTime().getTime(), 1000); From b8a376f86a085263b37072645ad87dcad5e66157 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 3 Nov 2021 12:25:53 +0100 Subject: [PATCH 0122/1450] Create signature creator methods and fix compilation issues --- .../signature/builder/SignatureBuilder.java | 100 ++++++++++++++---- ...llback.java => SelfSignatureCallback.java} | 2 +- .../SubkeyBindingSignatureBuilderTest.java | 6 +- 3 files changed, 81 insertions(+), 27 deletions(-) rename pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/{SelfSignatureSubpacketCallback.java => SelfSignatureCallback.java} (85%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java index e211e098..f64c0302 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java @@ -12,13 +12,15 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.BindingSignatureCallback; +import org.pgpainless.signature.subpackets.SelfSignatureCallback; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class SignatureBuilder { - public SubkeyBindingSignatureBuilder subkeyBindingSignatureBuilder( + public SubkeyBindingSignatureBuilder bindSubkey( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, PGPSecretKey subkey, @@ -30,45 +32,97 @@ public class SignatureBuilder { if (flags.length == 0) { throw new IllegalArgumentException("Keyflags for subkey binding cannot be empty."); } - SubkeyBindingSignatureBuilder subkeyBindingBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + SubkeyBindingSignatureBuilder subkeyBinder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); - SelfSignatureSubpackets hashedSubpackets = subkeyBindingBuilder.getHashedSubpackets(); + SelfSignatureSubpackets hashedSubpackets = subkeyBinder.getHashedSubpackets(); + SelfSignatureSubpackets unhashedSubpackets = subkeyBinder.getUnhashedSubpackets(); hashedSubpackets.setKeyFlags(flags); - boolean isSigningKey = false; - for (KeyFlag flag : flags) { - if (flag == KeyFlag.SIGN_DATA) { - isSigningKey = true; - break; - } - } - if (isSigningKey) { - PGPSignature backsig = primaryKeyBindingSignature( - subkey, subkeyProtector, primaryKey.getPublicKey(), primaryKeyBindingSubpacketsCallback); + if (hasSignDataFlag(flags)) { + PGPSignature backsig = createPrimaryKeyBinding( + subkey, subkeyProtector, primaryKeyBindingSubpacketsCallback, primaryKey.getPublicKey()); hashedSubpackets.addEmbeddedSignature(backsig); } if (subkeyBindingSubpacketsCallback != null) { - subkeyBindingSubpacketsCallback.modifyHashedSubpackets(subkeyBindingBuilder.getHashedSubpackets()); - subkeyBindingSubpacketsCallback.modifyUnhashedSubpackets(subkeyBindingBuilder.getUnhashedSubpackets()); + subkeyBindingSubpacketsCallback.modifyHashedSubpackets(hashedSubpackets); + subkeyBindingSubpacketsCallback.modifyUnhashedSubpackets(unhashedSubpackets); } - return subkeyBindingBuilder; + return subkeyBinder; } - public PGPSignature primaryKeyBindingSignature( + public PrimaryKeyBindingSignatureBuilder bindPrimaryKey( PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector, - PGPPublicKey primaryKey, - BindingSignatureCallback primaryKeyBindingSubpacketsCallback) throws PGPException { + @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback) throws WrongPassphraseException { + PrimaryKeyBindingSignatureBuilder primaryKeyBinder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); - PrimaryKeyBindingSignatureBuilder builder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); if (primaryKeyBindingSubpacketsCallback != null) { - primaryKeyBindingSubpacketsCallback.modifyHashedSubpackets(builder.getHashedSubpackets()); - primaryKeyBindingSubpacketsCallback.modifyUnhashedSubpackets(builder.getUnhashedSubpackets()); + primaryKeyBindingSubpacketsCallback.modifyHashedSubpackets(primaryKeyBinder.getHashedSubpackets()); + primaryKeyBindingSubpacketsCallback.modifyUnhashedSubpackets(primaryKeyBinder.getUnhashedSubpackets()); } - return builder.build(primaryKey); + return primaryKeyBinder; } + public PGPSignature createPrimaryKeyBinding( + PGPSecretKey subkey, + SecretKeyRingProtector subkeyProtector, + @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback, + PGPPublicKey primaryKey) + throws PGPException { + return bindPrimaryKey(subkey, subkeyProtector, primaryKeyBindingSubpacketsCallback) + .build(primaryKey); + } + + public CertificationSignatureBuilder selfCertifyUserId( + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + @Nullable SelfSignatureCallback selfSignatureCallback, + KeyFlag... flags) throws WrongPassphraseException { + + CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(primaryKey, primaryKeyProtector); + certifier.getHashedSubpackets().setKeyFlags(flags); + if (selfSignatureCallback != null) { + selfSignatureCallback.modifyHashedSubpackets(certifier.getHashedSubpackets()); + selfSignatureCallback.modifyUnhashedSubpackets(certifier.getUnhashedSubpackets()); + } + return certifier; + } + + public CertificationSignatureBuilder renewSelfCertification( + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + @Nullable SelfSignatureCallback selfSignatureCallback, + PGPSignature oldCertification) throws WrongPassphraseException { + CertificationSignatureBuilder certifier = + new CertificationSignatureBuilder(primaryKey, primaryKeyProtector, oldCertification); + + // TODO + return null; + } + + public PGPSignature createUserIdSelfCertification( + String userId, + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + @Nullable SelfSignatureCallback selfSignatureCallback, + KeyFlag... flags) + throws PGPException { + return selfCertifyUserId(primaryKey, primaryKeyProtector, selfSignatureCallback, flags) + .build(primaryKey.getPublicKey(), userId); + } + + private static boolean hasSignDataFlag(KeyFlag... flags) { + if (flags == null) { + return false; + } + for (KeyFlag flag : flags) { + if (flag == KeyFlag.SIGN_DATA) { + return true; + } + } + return false; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java similarity index 85% rename from pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java index a0d5f4c3..fda37510 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpacketCallback.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java @@ -4,7 +4,7 @@ package org.pgpainless.signature.subpackets; -public interface SelfSignatureSubpacketCallback { +public interface SelfSignatureCallback { void modifyHashedSubpackets(SelfSignatureSubpackets subpackets); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java index b2c06cfb..79f2471e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java @@ -31,13 +31,13 @@ public class SubkeyBindingSignatureBuilderTest { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .modernKeyRing("Alice ", "passphrase"); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - List previousSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List previousSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("passphrase"), secretKey); PGPSecretKeyRing tempSubkeyRing = PGPainless.generateKeyRing() .modernKeyRing("Subkeys", null); PGPPublicKey subkey = PGPainless.inspectKeyRing(tempSubkeyRing) - .getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS).get(0); + .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); SubkeyBindingSignatureBuilder skbb = new SubkeyBindingSignatureBuilder(secretKey.getSecretKey(), protector); skbb.getHashedSubpackets().addNotationData(false, "testnotation@pgpainless.org", "hello-world"); @@ -49,7 +49,7 @@ public class SubkeyBindingSignatureBuilderTest { secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, secSubkey); info = PGPainless.inspectKeyRing(secretKey); - List nextSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); + List nextSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertEquals(previousSubkeys.size() + 1, nextSubkeys.size()); } } From 3438b7259a9184cf0746cd30c110f4c29eb42c0a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 3 Nov 2021 13:24:05 +0100 Subject: [PATCH 0123/1450] Restructured API --- .../signature/builder/SignatureBuilder.java | 72 ++++++++++++------- .../subpackets/BindingSignatureCallback.java | 12 ---- .../RevocationSignatureSubpackets.java | 10 +++ .../subpackets/SelfSignatureCallback.java | 13 ---- .../subpackets/SelfSignatureSubpackets.java | 10 +++ .../SubkeyBindingSignatureBuilderTest.java | 38 +++++++--- 6 files changed, 97 insertions(+), 58 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java index f64c0302..8b1308dd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java @@ -14,36 +14,60 @@ import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.BindingSignatureCallback; -import org.pgpainless.signature.subpackets.SelfSignatureCallback; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; -public class SignatureBuilder { +public final class SignatureBuilder { - public SubkeyBindingSignatureBuilder bindSubkey( + private SignatureBuilder() { + + } + + public static SubkeyBindingSignatureBuilder bindNonSigningSubkey( + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, + KeyFlag... flags) throws WrongPassphraseException { + if (hasSignDataFlag(flags)) { + throw new IllegalArgumentException("Binding a subkey with SIGN_DATA flag requires primary key backsig." + + "Please use the method bindSigningSubkey()."); + } + + return bindSubkey(primaryKey, primaryKeyProtector, subkeyBindingSubpacketsCallback, flags); + } + + public static SubkeyBindingSignatureBuilder bindSigningSubkey( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector, - @Nullable BindingSignatureCallback subkeyBindingSubpacketsCallback, - @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback, + @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, + @Nullable SelfSignatureSubpackets.Callback primaryKeyBindingSubpacketsCallback, KeyFlag... flags) throws PGPException, IOException { - if (flags.length == 0) { - throw new IllegalArgumentException("Keyflags for subkey binding cannot be empty."); - } - SubkeyBindingSignatureBuilder subkeyBinder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); - SelfSignatureSubpackets hashedSubpackets = subkeyBinder.getHashedSubpackets(); - SelfSignatureSubpackets unhashedSubpackets = subkeyBinder.getUnhashedSubpackets(); - hashedSubpackets.setKeyFlags(flags); + SubkeyBindingSignatureBuilder subkeyBinder = bindSubkey(primaryKey, primaryKeyProtector, subkeyBindingSubpacketsCallback, flags); if (hasSignDataFlag(flags)) { PGPSignature backsig = createPrimaryKeyBinding( subkey, subkeyProtector, primaryKeyBindingSubpacketsCallback, primaryKey.getPublicKey()); - hashedSubpackets.addEmbeddedSignature(backsig); + subkeyBinder.getHashedSubpackets().addEmbeddedSignature(backsig); } + return subkeyBinder; + } + + private static SubkeyBindingSignatureBuilder bindSubkey(PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, + KeyFlag... flags) throws WrongPassphraseException { + if (flags.length == 0) { + throw new IllegalArgumentException("Keyflags for subkey binding cannot be empty."); + } + SubkeyBindingSignatureBuilder subkeyBinder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + SelfSignatureSubpackets hashedSubpackets = subkeyBinder.getHashedSubpackets(); + SelfSignatureSubpackets unhashedSubpackets = subkeyBinder.getUnhashedSubpackets(); + hashedSubpackets.setKeyFlags(flags); + if (subkeyBindingSubpacketsCallback != null) { subkeyBindingSubpacketsCallback.modifyHashedSubpackets(hashedSubpackets); subkeyBindingSubpacketsCallback.modifyUnhashedSubpackets(unhashedSubpackets); @@ -52,10 +76,10 @@ public class SignatureBuilder { return subkeyBinder; } - public PrimaryKeyBindingSignatureBuilder bindPrimaryKey( + public static PrimaryKeyBindingSignatureBuilder bindPrimaryKey( PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector, - @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback) throws WrongPassphraseException { + @Nullable SelfSignatureSubpackets.Callback primaryKeyBindingSubpacketsCallback) throws WrongPassphraseException { PrimaryKeyBindingSignatureBuilder primaryKeyBinder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); if (primaryKeyBindingSubpacketsCallback != null) { @@ -66,20 +90,20 @@ public class SignatureBuilder { return primaryKeyBinder; } - public PGPSignature createPrimaryKeyBinding( + public static PGPSignature createPrimaryKeyBinding( PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector, - @Nullable BindingSignatureCallback primaryKeyBindingSubpacketsCallback, + @Nullable SelfSignatureSubpackets.Callback primaryKeyBindingSubpacketsCallback, PGPPublicKey primaryKey) throws PGPException { return bindPrimaryKey(subkey, subkeyProtector, primaryKeyBindingSubpacketsCallback) .build(primaryKey); } - public CertificationSignatureBuilder selfCertifyUserId( + public static CertificationSignatureBuilder selfCertifyUserId( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureCallback selfSignatureCallback, + @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, KeyFlag... flags) throws WrongPassphraseException { CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(primaryKey, primaryKeyProtector); @@ -91,10 +115,10 @@ public class SignatureBuilder { return certifier; } - public CertificationSignatureBuilder renewSelfCertification( + public static CertificationSignatureBuilder renewSelfCertification( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureCallback selfSignatureCallback, + @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, PGPSignature oldCertification) throws WrongPassphraseException { CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(primaryKey, primaryKeyProtector, oldCertification); @@ -103,11 +127,11 @@ public class SignatureBuilder { return null; } - public PGPSignature createUserIdSelfCertification( + public static PGPSignature createUserIdSelfCertification( String userId, PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureCallback selfSignatureCallback, + @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, KeyFlag... flags) throws PGPException { return selfCertifyUserId(primaryKey, primaryKeyProtector, selfSignatureCallback, flags) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java deleted file mode 100644 index ee2629d7..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BindingSignatureCallback.java +++ /dev/null @@ -1,12 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.subpackets; - -public interface BindingSignatureCallback { - - void modifyHashedSubpackets(SelfSignatureSubpackets subpackets); - - void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets); -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java index b71c3a05..d3ffd9d5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java @@ -12,6 +12,16 @@ import org.pgpainless.key.util.RevocationAttributes; public interface RevocationSignatureSubpackets extends BaseSignatureSubpackets { + interface Callback { + default void modifyHashedSubpackets(RevocationSignatureSubpackets subpackets) { + + } + + default void modifyUnhashedSubpackets(RevocationSignatureSubpackets subpackets) { + + } + } + SignatureSubpacketGeneratorWrapper setRevocationReason(RevocationAttributes revocationAttributes); SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java deleted file mode 100644 index fda37510..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureCallback.java +++ /dev/null @@ -1,13 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.subpackets; - -public interface SelfSignatureCallback { - - void modifyHashedSubpackets(SelfSignatureSubpackets subpackets); - - void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets); - -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java index 6643902b..fa4eb719 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java @@ -24,6 +24,16 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; public interface SelfSignatureSubpackets extends BaseSignatureSubpackets { + interface Callback { + default void modifyHashedSubpackets(SelfSignatureSubpackets subpackets) { + + } + + default void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets) { + + } + } + SignatureSubpacketGeneratorWrapper setKeyFlags(KeyFlag... keyFlags); SignatureSubpacketGeneratorWrapper setKeyFlags(boolean isCritical, KeyFlag... keyFlags); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java index 79f2471e..d3f27bab 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java @@ -5,12 +5,15 @@ package org.pgpainless.signature.builder; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.util.Iterator; import java.util.List; +import org.bouncycastle.bcpg.sig.NotationData; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -22,6 +25,8 @@ import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.Passphrase; public class SubkeyBindingSignatureBuilderTest { @@ -36,20 +41,35 @@ public class SubkeyBindingSignatureBuilderTest { PGPSecretKeyRing tempSubkeyRing = PGPainless.generateKeyRing() .modernKeyRing("Subkeys", null); - PGPPublicKey subkey = PGPainless.inspectKeyRing(tempSubkeyRing) + PGPPublicKey subkeyPub = PGPainless.inspectKeyRing(tempSubkeyRing) .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + PGPSecretKey subkeySec = tempSubkeyRing.getSecretKey(subkeyPub.getKeyID()); - SubkeyBindingSignatureBuilder skbb = new SubkeyBindingSignatureBuilder(secretKey.getSecretKey(), protector); - skbb.getHashedSubpackets().addNotationData(false, "testnotation@pgpainless.org", "hello-world"); - skbb.getHashedSubpackets().setKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE); - PGPSignature binding = skbb.build(subkey); - subkey = PGPPublicKey.addCertification(subkey, binding); - PGPSecretKey secSubkey = tempSubkeyRing.getSecretKey(subkey.getKeyID()); - secSubkey = PGPSecretKey.replacePublicKey(secSubkey, subkey); - secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, secSubkey); + PGPSignature binding = SignatureBuilder.bindNonSigningSubkey( + secretKey.getSecretKey(), protector, + new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets subpackets) { + subpackets.addNotationData(false, "testnotation@pgpainless.org", "hello-world"); + } + }, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) + .build(subkeyPub); + + subkeyPub = PGPPublicKey.addCertification(subkeyPub, binding); + subkeySec = PGPSecretKey.replacePublicKey(subkeySec, subkeyPub); + secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, subkeySec); info = PGPainless.inspectKeyRing(secretKey); List nextSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); assertEquals(previousSubkeys.size() + 1, nextSubkeys.size()); + subkeyPub = secretKey.getPublicKey(subkeyPub.getKeyID()); + Iterator newBindingSigs = subkeyPub.getSignaturesForKeyID(secretKey.getPublicKey().getKeyID()); + PGPSignature bindingSig = newBindingSigs.next(); + assertNotNull(bindingSig); + List notations = SignatureSubpacketsUtil.getHashedNotationData(bindingSig); + + assertEquals(1, notations.size()); + assertEquals("testnotation@pgpainless.org", notations.get(0).getNotationName()); + assertEquals("hello-world", notations.get(0).getNotationValue()); } } From 352f099d8aacbc38626869c7b1d05ecb066a036a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 3 Nov 2021 13:30:16 +0100 Subject: [PATCH 0124/1450] Refactoring: Move signature verification stuff to consumer subpacket --- .../DecryptionStreamFactory.java | 4 ++-- .../SignatureInputStream.java | 8 ++++---- .../org/pgpainless/key/KeyRingValidator.java | 4 ++-- .../org/pgpainless/key/info/KeyRingInfo.java | 2 +- ...atureBuilder.java => SignatureFactory.java} | 4 ++-- .../{ => consumer}/CertificateValidator.java | 5 +++-- .../{ => consumer}/DetachedSignatureCheck.java | 2 +- .../{ => consumer}/OnePassSignatureCheck.java | 2 +- .../signature/{ => consumer}/ProofUtil.java | 2 +- .../signature/{ => consumer}/README.md | 0 .../SignatureCreationDateComparator.java | 2 +- .../{ => consumer}/SignaturePicker.java | 3 ++- .../{ => consumer}/SignatureValidator.java | 3 ++- .../SignatureValidityComparator.java | 5 +++-- .../{ => consumer}/SignatureVerifier.java | 2 +- .../subpackets/CertificationSubpackets.java | 18 ++++++++++++++++++ .../CleartextSignatureVerificationTest.java | 4 ++-- .../BindingSignatureSubpacketsTest.java | 1 + .../signature/CertificateValidatorTest.java | 1 + .../signature/KeyRevocationTest.java | 1 + .../SignatureOverUserAttributesTest.java | 1 + .../signature/SignatureSubpacketsUtilTest.java | 1 + .../SignatureWasPossiblyMadeByKeyTest.java | 1 + .../signature/builder/ProofUtilTest.java | 2 +- .../SubkeyBindingSignatureBuilderTest.java | 2 +- 25 files changed, 54 insertions(+), 26 deletions(-) rename pgpainless-core/src/main/java/org/pgpainless/signature/builder/{SignatureBuilder.java => SignatureFactory.java} (98%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/CertificateValidator.java (98%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/DetachedSignatureCheck.java (98%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/OnePassSignatureCheck.java (97%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/ProofUtil.java (99%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/README.md (100%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/SignatureCreationDateComparator.java (96%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/SignaturePicker.java (99%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/SignatureValidator.java (99%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/SignatureValidityComparator.java (92%) rename pgpainless-core/src/main/java/org/pgpainless/signature/{ => consumer}/SignatureVerifier.java (99%) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 66ed2d05..72707037 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -56,8 +56,8 @@ import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.signature.DetachedSignatureCheck; -import org.pgpainless.signature.OnePassSignatureCheck; +import org.pgpainless.signature.consumer.DetachedSignatureCheck; +import org.pgpainless.signature.consumer.OnePassSignatureCheck; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; import org.pgpainless.util.PGPUtilWrapper; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index 5145f86b..cd8682df 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -4,7 +4,7 @@ package org.pgpainless.decryption_verification; -import static org.pgpainless.signature.SignatureValidator.signatureWasCreatedInBounds; +import static org.pgpainless.signature.consumer.SignatureValidator.signatureWasCreatedInBounds; import java.io.FilterInputStream; import java.io.IOException; @@ -20,9 +20,9 @@ import org.bouncycastle.openpgp.PGPSignatureList; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.CertificateValidator; -import org.pgpainless.signature.DetachedSignatureCheck; -import org.pgpainless.signature.OnePassSignatureCheck; +import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.signature.consumer.DetachedSignatureCheck; +import org.pgpainless.signature.consumer.OnePassSignatureCheck; import org.pgpainless.signature.SignatureUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java index 5809ad1a..f52c1408 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java @@ -19,8 +19,8 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.SignatureCreationDateComparator; -import org.pgpainless.signature.SignatureVerifier; +import org.pgpainless.signature.consumer.SignatureCreationDateComparator; +import org.pgpainless.signature.consumer.SignatureVerifier; import org.pgpainless.util.CollectionUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index f8711037..37270b58 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -39,7 +39,7 @@ import org.pgpainless.exception.KeyValidationError; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.SignaturePicker; +import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java similarity index 98% rename from pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java index 8b1308dd..b113c161 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java @@ -16,9 +16,9 @@ import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; -public final class SignatureBuilder { +public final class SignatureFactory { - private SignatureBuilder() { + private SignatureFactory() { } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java similarity index 98% rename from pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java index b163d61f..7080e368 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/CertificateValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java @@ -2,9 +2,9 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; -import static org.pgpainless.signature.SignatureVerifier.verifyOnePassSignature; +import static org.pgpainless.signature.consumer.SignatureVerifier.verifyOnePassSignature; import java.io.InputStream; import java.util.ArrayList; @@ -24,6 +24,7 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java similarity index 98% rename from pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java index 2ffcff0e..c667e3e8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/DetachedSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPSignature; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/OnePassSignatureCheck.java similarity index 97% rename from pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/OnePassSignatureCheck.java index ec22b6ab..7a6a5b10 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/OnePassSignatureCheck.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/OnePassSignatureCheck.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import org.bouncycastle.openpgp.PGPOnePassSignature; import org.bouncycastle.openpgp.PGPPublicKeyRing; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java similarity index 99% rename from pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java index 81055b84..c61c2e25 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/ProofUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.util.ArrayList; import java.util.Collections; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/README.md b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md similarity index 100% rename from pgpainless-core/src/main/java/org/pgpainless/signature/README.md rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCreationDateComparator.java similarity index 96% rename from pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCreationDateComparator.java index 8900be40..7996e33b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureCreationDateComparator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCreationDateComparator.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.util.Comparator; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java similarity index 99% rename from pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java index b5bb9706..deaa2ff3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignaturePicker.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.util.Collections; import java.util.Date; @@ -15,6 +15,7 @@ import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CollectionUtils; /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java similarity index 99% rename from pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java index 0a4947af..8d4f682e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.security.NoSuchAlgorithmException; import java.util.Arrays; @@ -30,6 +30,7 @@ import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.BCUtil; import org.pgpainless.util.DateUtil; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java similarity index 92% rename from pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java index 31d29111..02558339 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureValidityComparator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java @@ -2,18 +2,19 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.util.Comparator; import org.bouncycastle.openpgp.PGPSignature; +import org.pgpainless.signature.SignatureUtils; /** * Comparator which sorts signatures based on an ordering and on revocation hardness. * * If a list of signatures gets ordered using this comparator, hard revocations will always * come first. - * Further, signatures are ordered by date according to the {@link org.pgpainless.signature.SignatureCreationDateComparator.Order}. + * Further, signatures are ordered by date according to the {@link SignatureCreationDateComparator.Order}. */ public class SignatureValidityComparator implements Comparator { diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java similarity index 99% rename from pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java index 30ec5d0c..b0db7c9b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureVerifier.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -package org.pgpainless.signature; +package org.pgpainless.signature.consumer; import java.io.IOException; import java.io.InputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java new file mode 100644 index 00000000..e6597ca9 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java @@ -0,0 +1,18 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +public interface CertificationSubpackets extends BaseSignatureSubpackets { + + interface Callback { + default void modifyHashedSubpackets(CertificationSubpackets subpackets) { + + } + + default void modifyUnhashedSubpackets(CertificationSubpackets subpackets) { + + } + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index cdba4d07..0fa5e9e4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -34,9 +34,9 @@ import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.exception.WrongConsumingMethodException; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.CertificateValidator; +import org.pgpainless.signature.consumer.CertificateValidator; import org.pgpainless.signature.SignatureUtils; -import org.pgpainless.signature.SignatureVerifier; +import org.pgpainless.signature.consumer.SignatureVerifier; import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.TestUtils; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index 01f5356b..85e4299d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -22,6 +22,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.consumer.CertificateValidator; /** * Explores how subpackets on binding sigs are handled. diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index e01bf84d..73a7cb85 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -28,6 +28,7 @@ import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.consumer.CertificateValidator; public class CertificateValidatorTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index c4f899b4..73e726bf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -19,6 +19,7 @@ import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.signature.consumer.CertificateValidator; public class KeyRevocationTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java index c8e8c821..16b241b4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureOverUserAttributesTest.java @@ -28,6 +28,7 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.signature.consumer.SignatureVerifier; public class SignatureOverUserAttributesTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index 588a7191..ce5b1690 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -46,6 +46,7 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; public class SignatureSubpacketsUtilTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java index f01331b3..c7424af1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureWasPossiblyMadeByKeyTest.java @@ -17,6 +17,7 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.signature.consumer.SignatureValidator; public class SignatureWasPossiblyMadeByKeyTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java index a040ee93..881b804d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java @@ -20,7 +20,7 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.ProofUtil; +import org.pgpainless.signature.consumer.ProofUtil; public class ProofUtilTest { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java index d3f27bab..4218563b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java @@ -45,7 +45,7 @@ public class SubkeyBindingSignatureBuilderTest { .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); PGPSecretKey subkeySec = tempSubkeyRing.getSecretKey(subkeyPub.getKeyID()); - PGPSignature binding = SignatureBuilder.bindNonSigningSubkey( + PGPSignature binding = SignatureFactory.bindNonSigningSubkey( secretKey.getSecretKey(), protector, new SelfSignatureSubpackets.Callback() { @Override From 8212fe1cc7e46350329425bdd33480acca0db340 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 3 Nov 2021 14:03:30 +0100 Subject: [PATCH 0125/1450] Create applyCallback util methods --- .../CertificationSignatureBuilder.java | 8 +++ .../builder/DirectKeySignatureBuilder.java | 9 ++++ .../PrimaryKeyBindingSignatureBuilder.java | 9 ++++ .../builder/RevocationSignatureBuilder.java | 10 ++++ .../signature/builder/SignatureFactory.java | 51 ++++--------------- .../SubkeyBindingSignatureBuilder.java | 9 ++++ .../signature/consumer/package-info.java | 8 +++ 7 files changed, 64 insertions(+), 40 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/consumer/package-info.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java index f094c4fc..fd37d9d5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java @@ -5,6 +5,7 @@ package org.pgpainless.signature.builder; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; @@ -34,6 +35,13 @@ public class CertificationSignatureBuilder extends AbstractSignatureBuilder { @@ -37,6 +40,13 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +/** + * Classes related to OpenPGP signature verification. + */ +package org.pgpainless.signature.consumer; From 15d42c294ecdf8602d59835819f5199cdc441014 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 14:38:28 +0100 Subject: [PATCH 0126/1450] Add tests for SignatureSubpacketGeneratorWrapper --- .../src/test/java/org/junit/JUtils.java | 5 + ...ignatureSubpacketGeneratorWrapperTest.java | 98 +++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/pgpainless-core/src/test/java/org/junit/JUtils.java b/pgpainless-core/src/test/java/org/junit/JUtils.java index 31dddd01..50dc8ccc 100644 --- a/pgpainless-core/src/test/java/org/junit/JUtils.java +++ b/pgpainless-core/src/test/java/org/junit/JUtils.java @@ -4,6 +4,7 @@ package org.junit; +import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertTrue; import java.util.Date; @@ -19,4 +20,8 @@ public class JUtils { public static void assertDateEquals(Date a, Date b) { org.junit.jupiter.api.Assertions.assertEquals(DateUtil.formatUTCDate(a), DateUtil.formatUTCDate(b)); } + + public static void assertDateNotEquals(Date a, Date b) { + assertNotEquals(DateUtil.formatUTCDate(a), DateUtil.formatUTCDate(b)); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java index fb1b0cd3..e2498e19 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java @@ -37,7 +37,9 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.junit.JUtils; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -49,9 +51,11 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.RevocationAttributes; +import org.pgpainless.util.DateUtil; import org.pgpainless.util.Passphrase; public class SignatureSubpacketGeneratorWrapperTest { @@ -438,4 +442,98 @@ public class SignatureSubpacketGeneratorWrapperTest { vector = wrapper.getGenerator().generate(); assertEquals(0, vector.getEmbeddedSignatures().size()); } + + @Test + public void testExtractSubpacketsFromVector() throws IOException { + Date sigCreationDate = DateUtil.parseUTCDate("2021-11-06 12:39:06 UTC"); + PGPPublicKeyRing publicKeys = TestKeys.getEmilPublicKeyRing(); + OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKeys); + long keyId = fingerprint.getKeyId(); + + PGPSignatureSubpacketGenerator subpackets = new PGPSignatureSubpacketGenerator(); + // These are not extracted from the vector + subpackets.setSignatureCreationTime(true, sigCreationDate); + subpackets.setIssuerKeyID(true, keyId); + subpackets.setIssuerFingerprint(true, publicKeys.getPublicKey()); + // These are extracted + subpackets.setSignatureExpirationTime(true, 256000); + subpackets.setExportable(true, true); + subpackets.setTrust(true, 5, 15); + subpackets.setRevocable(true, true); + subpackets.setKeyExpirationTime(true, 512000); + subpackets.setPreferredSymmetricAlgorithms(true, new int[] { + SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), SymmetricKeyAlgorithm.AES_128.getAlgorithmId() + }); + subpackets.addRevocationKey(true, publicKeys.getPublicKey().getAlgorithm(), + publicKeys.getPublicKey().getFingerprint()); + subpackets.addNotationData(false, true, "test@test.test", "test"); + subpackets.addNotationData(false, true, "check@check.check", "check"); + subpackets.setPreferredHashAlgorithms(true, new int[] { + HashAlgorithm.SHA512.getAlgorithmId(), HashAlgorithm.SHA384.getAlgorithmId() + }); + subpackets.setPreferredCompressionAlgorithms(true, new int[] { + CompressionAlgorithm.ZIP.getAlgorithmId(), CompressionAlgorithm.BZIP2.getAlgorithmId() + }); + subpackets.setPrimaryUserID(true, true); + subpackets.setKeyFlags(true, KeyFlag.toBitmask(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)); + subpackets.addSignerUserID(false, "alice@test.test"); + subpackets.setRevocationReason(true, RevocationAttributes.Reason.KEY_RETIRED.code(), "Key was retired."); + subpackets.setFeature(true, Feature.toBitmask(Feature.MODIFICATION_DETECTION, Feature.AEAD_ENCRYPTED_DATA)); + byte[] hash = new byte[128]; + new Random().nextBytes(hash); + subpackets.setSignatureTarget(false, publicKeys.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId(), hash); + subpackets.addIntendedRecipientFingerprint(true, publicKeys.getPublicKey()); + PreferredAlgorithms aead = new PreferredAlgorithms(SignatureSubpacketTags.PREFERRED_AEAD_ALGORITHMS, false, new int[] {2}); + subpackets.addCustomSubpacket(aead); + + + SignatureSubpacketGeneratorWrapper wrapper = SignatureSubpacketGeneratorWrapper.createSubpacketsFrom(subpackets.generate()); + PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + + // Verify these are not extracted + assertEquals(0, vector.getIssuerKeyID()); + assertNull(vector.getIssuerFingerprint()); + // BC overrides the date with current time + JUtils.assertDateNotEquals(sigCreationDate, vector.getSignatureCreationTime()); + + // Verify these are extracted + assertEquals(256000, vector.getSignatureExpirationTime()); + assertTrue(((Exportable) vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE)).isExportable()); + TrustSignature trust = (TrustSignature) vector.getSubpacket(SignatureSubpacketTags.TRUST_SIG); + assertEquals(5, trust.getDepth()); + assertEquals(15, trust.getTrustAmount()); + assertTrue(((Revocable) vector.getSubpacket(SignatureSubpacketTags.REVOCABLE)).isRevocable()); + assertEquals(512000, vector.getKeyExpirationTime()); + assertArrayEquals(new int[] { + SymmetricKeyAlgorithm.AES_192.getAlgorithmId(), SymmetricKeyAlgorithm.AES_128.getAlgorithmId() + }, vector.getPreferredSymmetricAlgorithms()); + assertArrayEquals(publicKeys.getPublicKey().getFingerprint(), + ((RevocationKey) vector.getSubpacket(SignatureSubpacketTags.REVOCATION_KEY)).getFingerprint()); + assertEquals(2, vector.getNotationDataOccurrences().length); + assertEquals("test@test.test", vector.getNotationDataOccurrences()[0].getNotationName()); + assertEquals("test", vector.getNotationDataOccurrences()[0].getNotationValue()); + assertEquals("check@check.check", vector.getNotationDataOccurrences()[1].getNotationName()); + assertEquals("check", vector.getNotationDataOccurrences()[1].getNotationValue()); + assertArrayEquals(new int[] { + HashAlgorithm.SHA512.getAlgorithmId(), HashAlgorithm.SHA384.getAlgorithmId() + }, vector.getPreferredHashAlgorithms()); + assertArrayEquals(new int[] { + CompressionAlgorithm.ZIP.getAlgorithmId(), CompressionAlgorithm.BZIP2.getAlgorithmId() + }, vector.getPreferredCompressionAlgorithms()); + assertTrue(vector.isPrimaryUserID()); + assertEquals(KeyFlag.toBitmask(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER), vector.getKeyFlags()); + assertEquals("alice@test.test", vector.getSignerUserID()); + RevocationReason reason = (RevocationReason) vector.getSubpacket(SignatureSubpacketTags.REVOCATION_REASON); + assertEquals(RevocationAttributes.Reason.KEY_RETIRED.code(), reason.getRevocationReason()); + assertEquals("Key was retired.", reason.getRevocationDescription()); + assertTrue(vector.getFeatures().supportsFeature(Features.FEATURE_MODIFICATION_DETECTION)); + assertTrue(vector.getFeatures().supportsFeature(Features.FEATURE_AEAD_ENCRYPTED_DATA)); + SignatureTarget signatureTarget = vector.getSignatureTarget(); + assertEquals(publicKeys.getPublicKey().getAlgorithm(), signatureTarget.getPublicKeyAlgorithm()); + assertEquals(HashAlgorithm.SHA512.getAlgorithmId(), signatureTarget.getHashAlgorithm()); + assertArrayEquals(hash, signatureTarget.getHashData()); + assertArrayEquals(publicKeys.getPublicKey().getFingerprint(), vector.getIntendedRecipientFingerprint().getFingerprint()); + PreferredAlgorithms aeadAlgorithms = (PreferredAlgorithms) vector.getSubpacket(SignatureSubpacketTags.PREFERRED_AEAD_ALGORITHMS); + assertArrayEquals(aead.getPreferences(), aeadAlgorithms.getPreferences()); + } } From eb9ea23514f8e7539d2b3efe990b9fd104e350b7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 14:56:16 +0100 Subject: [PATCH 0127/1450] Add UniversalSignatureBuilder --- .../signature/builder/SignatureFactory.java | 17 ++++++ .../builder/UniversalSignatureBuilder.java | 57 +++++++++++++++++++ .../subpackets/BaseSignatureSubpackets.java | 10 ++++ 3 files changed, 84 insertions(+) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java index 2f9162a9..6ee1ea4b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java @@ -11,8 +11,10 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public final class SignatureFactory { @@ -109,6 +111,20 @@ public final class SignatureFactory { return certifier; } + public static UniversalSignatureBuilder universalSignature( + SignatureType signatureType, + PGPSecretKey signingKey, + SecretKeyRingProtector signingKeyProtector, + @Nullable BaseSignatureSubpackets.Callback callback) + throws WrongPassphraseException { + UniversalSignatureBuilder builder = + new UniversalSignatureBuilder(signatureType, signingKey, signingKeyProtector); + + builder.applyCallback(callback); + + return builder; + } + private static boolean hasSignDataFlag(KeyFlag... flags) { if (flags == null) { return false; @@ -120,4 +136,5 @@ public final class SignatureFactory { } return false; } + } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java new file mode 100644 index 00000000..b674cba9 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java @@ -0,0 +1,57 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; + +/** + * Signature builder without restrictions on subpacket contents. + */ +public class UniversalSignatureBuilder extends AbstractSignatureBuilder { + + public UniversalSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + public UniversalSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) + throws WrongPassphraseException { + super(certificationKey, protector, archetypeSignature); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + return true; + } + + public SignatureSubpacketGeneratorWrapper getHashedSubpackets() { + return hashedSubpackets; + } + + public SignatureSubpacketGeneratorWrapper getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public void applyCallback(@Nullable BaseSignatureSubpackets.Callback callback) { + if (callback != null) { + callback.modifyHashedSubpackets(getHashedSubpackets()); + callback.modifyUnhashedSubpackets(getUnhashedSubpackets()); + } + } + + public PGPSignatureGenerator getSignatureGenerator() throws PGPException { + return buildAndInitSignatureGenerator(); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java index 3b824f11..0f05b0d5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java @@ -28,6 +28,16 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm; public interface BaseSignatureSubpackets { + interface Callback { + default void modifyHashedSubpackets(SignatureSubpacketGeneratorWrapper subpackets) { + + } + + default void modifyUnhashedSubpackets(SignatureSubpacketGeneratorWrapper subpackets) { + + } + } + SignatureSubpacketGeneratorWrapper setIssuerFingerprintAndKeyId(PGPPublicKey key); SignatureSubpacketGeneratorWrapper setIssuerKeyId(long keyId); From ed96bcd109a28e193341c9db950be617d0f8e639 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 14:57:22 +0100 Subject: [PATCH 0128/1450] Checkstyle fix --- .../pgpainless/signature/builder/RevocationSignatureBuilder.java | 1 - 1 file changed, 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index 51f62a1f..2f7c304d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -12,7 +12,6 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; -import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class RevocationSignatureBuilder extends AbstractSignatureBuilder { From 8c49d37e1f2d7b9116aeef85abeed29638cc44be Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 15:40:10 +0100 Subject: [PATCH 0129/1450] Change return values of signature subpackets subclasses --- .../builder/AbstractSignatureBuilder.java | 32 ++++++- .../subpackets/BaseSignatureSubpackets.java | 86 +++++++++---------- .../subpackets/CertificationSubpackets.java | 8 +- .../RevocationSignatureSubpackets.java | 16 ++-- .../subpackets/SelfSignatureSubpackets.java | 70 +++++++-------- .../SignatureSubpacketCallback.java | 26 ++++++ 6 files changed, 135 insertions(+), 103 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketCallback.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index b99693bc..219e7d22 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -44,10 +44,12 @@ public abstract class AbstractSignatureBuilder hashAlgorithmPreferences = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); return HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) .negotiateHashAlgorithm(hashAlgorithmPreferences); } + /** + * Set the builders {@link SignatureType}. + * Note that only those types who are valid for the concrete subclass of this {@link AbstractSignatureBuilder} + * are allowed. Invalid choices result in an {@link IllegalArgumentException} to be thrown. + * + * @param type signature type + * @return builder + */ public B setSignatureType(SignatureType type) { if (!isValidSignatureType(type)) { throw new IllegalArgumentException("Invalid signature type: " + type); @@ -75,6 +91,13 @@ public abstract class AbstractSignatureBuilder { - } - - default void modifyUnhashedSubpackets(SignatureSubpacketGeneratorWrapper subpackets) { - - } } - SignatureSubpacketGeneratorWrapper setIssuerFingerprintAndKeyId(PGPPublicKey key); + BaseSignatureSubpackets setIssuerFingerprintAndKeyId(PGPPublicKey key); - SignatureSubpacketGeneratorWrapper setIssuerKeyId(long keyId); + BaseSignatureSubpackets setIssuerKeyId(long keyId); - SignatureSubpacketGeneratorWrapper setIssuerKeyId(boolean isCritical, long keyId); + BaseSignatureSubpackets setIssuerKeyId(boolean isCritical, long keyId); - SignatureSubpacketGeneratorWrapper setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID); + BaseSignatureSubpackets setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID); - SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nonnull PGPPublicKey key); + BaseSignatureSubpackets setIssuerFingerprint(@Nonnull PGPPublicKey key); - SignatureSubpacketGeneratorWrapper setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key); + BaseSignatureSubpackets setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key); - SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint); + BaseSignatureSubpackets setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint); - SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nonnull Date creationTime); + BaseSignatureSubpackets setSignatureCreationTime(@Nonnull Date creationTime); - SignatureSubpacketGeneratorWrapper setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime); + BaseSignatureSubpackets setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime); - SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime); + BaseSignatureSubpackets setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime); - SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime); + BaseSignatureSubpackets setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime); - SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime); + BaseSignatureSubpackets setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime); - SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, long seconds); + BaseSignatureSubpackets setSignatureExpirationTime(boolean isCritical, long seconds); - SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime); + BaseSignatureSubpackets setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime); - SignatureSubpacketGeneratorWrapper setSignerUserId(@Nonnull String userId); + BaseSignatureSubpackets setSignerUserId(@Nonnull String userId); - SignatureSubpacketGeneratorWrapper setSignerUserId(boolean isCritical, @Nonnull String userId); + BaseSignatureSubpackets setSignerUserId(boolean isCritical, @Nonnull String userId); - SignatureSubpacketGeneratorWrapper setSignerUserId(@Nullable SignerUserID signerUserId); + BaseSignatureSubpackets setSignerUserId(@Nullable SignerUserID signerUserId); - SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue); + BaseSignatureSubpackets addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue); - SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue); + BaseSignatureSubpackets addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue); - SignatureSubpacketGeneratorWrapper addNotationData(@Nonnull NotationData notationData); + BaseSignatureSubpackets addNotationData(@Nonnull NotationData notationData); - SignatureSubpacketGeneratorWrapper clearNotationData(); + BaseSignatureSubpackets clearNotationData(); - SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient); + BaseSignatureSubpackets addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient); - SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient); + BaseSignatureSubpackets addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient); - SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint); + BaseSignatureSubpackets addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint); - SignatureSubpacketGeneratorWrapper clearIntendedRecipientFingerprints(); + BaseSignatureSubpackets clearIntendedRecipientFingerprints(); - SignatureSubpacketGeneratorWrapper setExportable(boolean isCritical, boolean isExportable); + BaseSignatureSubpackets setExportable(boolean isCritical, boolean isExportable); - SignatureSubpacketGeneratorWrapper setExportable(@Nullable Exportable exportable); + BaseSignatureSubpackets setExportable(@Nullable Exportable exportable); - SignatureSubpacketGeneratorWrapper setRevocable(boolean isCritical, boolean isRevocable); + BaseSignatureSubpackets setRevocable(boolean isCritical, boolean isRevocable); - SignatureSubpacketGeneratorWrapper setRevocable(@Nullable Revocable revocable); + BaseSignatureSubpackets setRevocable(@Nullable Revocable revocable); - SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); + BaseSignatureSubpackets setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); - SignatureSubpacketGeneratorWrapper setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); + BaseSignatureSubpackets setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData); - SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nullable SignatureTarget signatureTarget); + BaseSignatureSubpackets setSignatureTarget(@Nullable SignatureTarget signatureTarget); - SignatureSubpacketGeneratorWrapper setTrust(int depth, int amount); + BaseSignatureSubpackets setTrust(int depth, int amount); - SignatureSubpacketGeneratorWrapper setTrust(boolean isCritical, int depth, int amount); + BaseSignatureSubpackets setTrust(boolean isCritical, int depth, int amount); - SignatureSubpacketGeneratorWrapper setTrust(@Nullable TrustSignature trust); + BaseSignatureSubpackets setTrust(@Nullable TrustSignature trust); - SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException; + BaseSignatureSubpackets addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException; - SignatureSubpacketGeneratorWrapper addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException; + BaseSignatureSubpackets addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException; - SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature); + BaseSignatureSubpackets addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature); - SignatureSubpacketGeneratorWrapper clearEmbeddedSignatures(); + BaseSignatureSubpackets clearEmbeddedSignatures(); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java index e6597ca9..59356bba 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java @@ -6,13 +6,7 @@ package org.pgpainless.signature.subpackets; public interface CertificationSubpackets extends BaseSignatureSubpackets { - interface Callback { - default void modifyHashedSubpackets(CertificationSubpackets subpackets) { + interface Callback extends SignatureSubpacketCallback { - } - - default void modifyUnhashedSubpackets(CertificationSubpackets subpackets) { - - } } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java index d3ffd9d5..358437dc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/RevocationSignatureSubpackets.java @@ -12,21 +12,15 @@ import org.pgpainless.key.util.RevocationAttributes; public interface RevocationSignatureSubpackets extends BaseSignatureSubpackets { - interface Callback { - default void modifyHashedSubpackets(RevocationSignatureSubpackets subpackets) { + interface Callback extends SignatureSubpacketCallback { - } - - default void modifyUnhashedSubpackets(RevocationSignatureSubpackets subpackets) { - - } } - SignatureSubpacketGeneratorWrapper setRevocationReason(RevocationAttributes revocationAttributes); + RevocationSignatureSubpackets setRevocationReason(RevocationAttributes revocationAttributes); - SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes); + RevocationSignatureSubpackets setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes); - SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description); + RevocationSignatureSubpackets setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description); - SignatureSubpacketGeneratorWrapper setRevocationReason(@Nullable RevocationReason reason); + RevocationSignatureSubpackets setRevocationReason(@Nullable RevocationReason reason); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java index fa4eb719..1ff45ae4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java @@ -24,75 +24,69 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; public interface SelfSignatureSubpackets extends BaseSignatureSubpackets { - interface Callback { - default void modifyHashedSubpackets(SelfSignatureSubpackets subpackets) { + interface Callback extends SignatureSubpacketCallback { - } - - default void modifyUnhashedSubpackets(SelfSignatureSubpackets subpackets) { - - } } - SignatureSubpacketGeneratorWrapper setKeyFlags(KeyFlag... keyFlags); + SelfSignatureSubpackets setKeyFlags(KeyFlag... keyFlags); - SignatureSubpacketGeneratorWrapper setKeyFlags(boolean isCritical, KeyFlag... keyFlags); + SelfSignatureSubpackets setKeyFlags(boolean isCritical, KeyFlag... keyFlags); - SignatureSubpacketGeneratorWrapper setKeyFlags(@Nullable KeyFlags keyFlags); + SelfSignatureSubpackets setKeyFlags(@Nullable KeyFlags keyFlags); - SignatureSubpacketGeneratorWrapper setPrimaryUserId(); + SelfSignatureSubpackets setPrimaryUserId(); - SignatureSubpacketGeneratorWrapper setPrimaryUserId(boolean isCritical); + SelfSignatureSubpackets setPrimaryUserId(boolean isCritical); - SignatureSubpacketGeneratorWrapper setPrimaryUserId(@Nullable PrimaryUserID primaryUserId); + SelfSignatureSubpackets setPrimaryUserId(@Nullable PrimaryUserID primaryUserId); - SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime); + SelfSignatureSubpackets setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime); - SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); + SelfSignatureSubpackets setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); - SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); + SelfSignatureSubpackets setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime); - SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration); + SelfSignatureSubpackets setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration); - SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime); + SelfSignatureSubpackets setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime); - SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms); + SelfSignatureSubpackets setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms); - SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(Set algorithms); + SelfSignatureSubpackets setPreferredCompressionAlgorithms(Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms); + SelfSignatureSubpackets setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms); + SelfSignatureSubpackets setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms); - SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms); + SelfSignatureSubpackets setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms); - SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(Set algorithms); + SelfSignatureSubpackets setPreferredSymmetricKeyAlgorithms(Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms); + SelfSignatureSubpackets setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms); + SelfSignatureSubpackets setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms); - SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(HashAlgorithm... algorithms); + SelfSignatureSubpackets setPreferredHashAlgorithms(HashAlgorithm... algorithms); - SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(Set algorithms); + SelfSignatureSubpackets setPreferredHashAlgorithms(Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(boolean isCritical, Set algorithms); + SelfSignatureSubpackets setPreferredHashAlgorithms(boolean isCritical, Set algorithms); - SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms); + SelfSignatureSubpackets setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms); - SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull PGPPublicKey revocationKey); + SelfSignatureSubpackets addRevocationKey(@Nonnull PGPPublicKey revocationKey); - SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey); + SelfSignatureSubpackets addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey); - SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey); + SelfSignatureSubpackets addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey); - SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull RevocationKey revocationKey); + SelfSignatureSubpackets addRevocationKey(@Nonnull RevocationKey revocationKey); - SignatureSubpacketGeneratorWrapper clearRevocationKeys(); + SelfSignatureSubpackets clearRevocationKeys(); - SignatureSubpacketGeneratorWrapper setFeatures(Feature... features); + SelfSignatureSubpackets setFeatures(Feature... features); - SignatureSubpacketGeneratorWrapper setFeatures(boolean isCritical, Feature... features); + SelfSignatureSubpackets setFeatures(boolean isCritical, Feature... features); - SignatureSubpacketGeneratorWrapper setFeatures(@Nullable Features features); + SelfSignatureSubpackets setFeatures(@Nullable Features features); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketCallback.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketCallback.java new file mode 100644 index 00000000..11650ea3 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketCallback.java @@ -0,0 +1,26 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +public interface SignatureSubpacketCallback { + + /** + * Callback method that can be used to modify the hashed subpackets of a signature. + * + * @param hashedSubpackets hashed subpackets + */ + default void modifyHashedSubpackets(S hashedSubpackets) { + + } + + /** + * Callback method that can be used to modify the unhashed subpackets of a signature. + * + * @param unhashedSubpackets unhashed subpackets + */ + default void modifyUnhashedSubpackets(S unhashedSubpackets) { + + } +} From 44169ecf6431df824aecea47f7d7cf4ea7367774 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 6 Nov 2021 17:37:01 +0100 Subject: [PATCH 0130/1450] More progress! --- .../CertificationSignatureBuilder.java | 27 +++++-- .../builder/SelfSignatureBuilder.java | 75 +++++++++++++++++++ .../signature/builder/SignatureFactory.java | 26 +++++-- .../signature/consumer/ProofUtil.java | 3 +- .../SignatureSubpacketGeneratorWrapper.java | 2 +- 5 files changed, 117 insertions(+), 16 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java index fd37d9d5..e41d9807 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java @@ -15,27 +15,37 @@ import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.signature.subpackets.CertificationSubpackets; public class CertificationSignatureBuilder extends AbstractSignatureBuilder { - public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector) throws WrongPassphraseException { - super(SignatureType.GENERIC_CERTIFICATION, certificationKey, protector); + public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + this(SignatureType.GENERIC_CERTIFICATION, certificationKey, protector); } - public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) throws WrongPassphraseException { + public CertificationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + public CertificationSignatureBuilder( + PGPSecretKey certificationKey, + SecretKeyRingProtector protector, + PGPSignature archetypeSignature) + throws WrongPassphraseException { super(certificationKey, protector, archetypeSignature); } - public SelfSignatureSubpackets getHashedSubpackets() { + public CertificationSubpackets getHashedSubpackets() { return hashedSubpackets; } - public SelfSignatureSubpackets getUnhashedSubpackets() { + public CertificationSubpackets getUnhashedSubpackets() { return unhashedSubpackets; } - public void applyCallback(@Nullable SelfSignatureSubpackets.Callback callback) { + public void applyCallback(@Nullable CertificationSubpackets.Callback callback) { if (callback != null) { callback.modifyHashedSubpackets(getHashedSubpackets()); callback.modifyUnhashedSubpackets(getUnhashedSubpackets()); @@ -46,7 +56,8 @@ public class CertificationSignatureBuilder extends AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class SelfSignatureBuilder extends AbstractSignatureBuilder { + + public SelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + this(SignatureType.GENERIC_CERTIFICATION, signingKey, protector); + } + + public SelfSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + public SelfSignatureBuilder( + PGPSecretKey primaryKey, + SecretKeyRingProtector primaryKeyProtector, + PGPSignature oldCertification) + throws WrongPassphraseException { + super(primaryKey, primaryKeyProtector, oldCertification); + } + + public SelfSignatureSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public SelfSignatureSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public void applyCallback(@Nullable SelfSignatureSubpackets.Callback callback) { + if (callback != null) { + callback.modifyHashedSubpackets(getHashedSubpackets()); + callback.modifyUnhashedSubpackets(getUnhashedSubpackets()); + } + } + + public PGPSignature build(PGPPublicKey certifiedKey, String userId) throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userId, certifiedKey); + } + + public PGPSignature build(PGPPublicKey certifiedKey, PGPUserAttributeSubpacketVector userAttribute) + throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userAttribute, certifiedKey); + } + + @Override + protected boolean isValidSignatureType(SignatureType type) { + switch (type) { + case GENERIC_CERTIFICATION: + case NO_CERTIFICATION: + case CASUAL_CERTIFICATION: + case POSITIVE_CERTIFICATION: + case DIRECT_KEY: + return true; + default: + return false; + } + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java index 6ee1ea4b..f9a7d540 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java @@ -15,6 +15,7 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; +import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public final class SignatureFactory { @@ -29,8 +30,8 @@ public final class SignatureFactory { @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, KeyFlag... flags) throws WrongPassphraseException { if (hasSignDataFlag(flags)) { - throw new IllegalArgumentException("Binding a subkey with SIGN_DATA flag requires primary key backsig." + - "Please use the method bindSigningSubkey()."); + throw new IllegalArgumentException("Binding a subkey with SIGN_DATA flag requires primary key backsig.\n" + + "Please use the method bindSigningSubkey() instead."); } return bindSubkey(primaryKey, primaryKeyProtector, subkeyBindingSubpacketsCallback, flags); @@ -85,25 +86,26 @@ public final class SignatureFactory { return primaryKeyBinder; } - public static CertificationSignatureBuilder selfCertifyUserId( + public static SelfSignatureBuilder selfCertifyUserId( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, KeyFlag... flags) throws WrongPassphraseException { - CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(primaryKey, primaryKeyProtector); + SelfSignatureBuilder certifier = new SelfSignatureBuilder(SignatureType.POSITIVE_CERTIFICATION, primaryKey, primaryKeyProtector); certifier.getHashedSubpackets().setKeyFlags(flags); + certifier.applyCallback(selfSignatureCallback); return certifier; } - public static CertificationSignatureBuilder renewSelfCertification( + public static SelfSignatureBuilder renewSelfCertification( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, PGPSignature oldCertification) throws WrongPassphraseException { - CertificationSignatureBuilder certifier = new CertificationSignatureBuilder( + SelfSignatureBuilder certifier = new SelfSignatureBuilder( primaryKey, primaryKeyProtector, oldCertification); certifier.applyCallback(selfSignatureCallback); @@ -111,6 +113,18 @@ public final class SignatureFactory { return certifier; } + public static CertificationSignatureBuilder certifyUserId( + PGPSecretKey signingKey, + SecretKeyRingProtector signingKeyProtector, + @Nullable CertificationSubpackets.Callback subpacketsCallback) + throws WrongPassphraseException { + CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(signingKey, signingKeyProtector); + + certifier.applyCallback(subpacketsCallback); + + return certifier; + } + public static UniversalSignatureBuilder universalSignature( SignatureType signatureType, PGPSecretKey signingKey, diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java index c61c2e25..87837bdf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java @@ -24,6 +24,7 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.builder.CertificationSignatureBuilder; import org.pgpainless.signature.builder.DirectKeySignatureBuilder; +import org.pgpainless.signature.builder.SelfSignatureBuilder; public class ProofUtil { @@ -73,7 +74,7 @@ public class ProofUtil { throw new NoSuchElementException("No previous valid user-id certification found."); } - CertificationSignatureBuilder sigBuilder = new CertificationSignatureBuilder(certificationKey, protector, previousCertification); + SelfSignatureBuilder sigBuilder = new SelfSignatureBuilder(certificationKey, protector, previousCertification); for (Proof proof : proofs) { sigBuilder.getHashedSubpackets().addNotationData(false, proof.getNotationName(), proof.getNotationValue()); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java index 636bbefa..e2e9c584 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -49,7 +49,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.util.RevocationAttributes; public class SignatureSubpacketGeneratorWrapper - implements BaseSignatureSubpackets, SelfSignatureSubpackets, RevocationSignatureSubpackets { + implements BaseSignatureSubpackets, SelfSignatureSubpackets, CertificationSubpackets, RevocationSignatureSubpackets { private SignatureCreationTime signatureCreationTime; private SignatureExpirationTime signatureExpirationTime; From c31fda95f98177a79153ea9608127c32577baa8a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 8 Nov 2021 15:57:35 +0100 Subject: [PATCH 0131/1450] Start reusing new signature builder in SecretKeyRingEditor --- .../secretkeyring/SecretKeyRingEditor.java | 42 +++++++++---------- .../pgpainless/signature/SignatureUtils.java | 2 +- .../signature/consumer/ProofUtil.java | 1 - 3 files changed, 20 insertions(+), 25 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 9c991c08..06718a6a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -52,6 +52,8 @@ import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvi import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; +import org.pgpainless.signature.builder.SelfSignatureBuilder; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; import org.pgpainless.util.Passphrase; @@ -73,6 +75,13 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface addUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException { + return addUserId(userId, null, secretKeyRingProtector); + } + + public SecretKeyRingEditorInterface addUserId( + String userId, + @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, + SecretKeyRingProtector protector) throws PGPException { userId = sanitizeUserId(userId); List secretKeyList = new ArrayList<>(); @@ -81,10 +90,15 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { // add user-id certificate to primary key PGPSecretKey primaryKey = secretKeyIterator.next(); PGPPublicKey publicKey = primaryKey.getPublicKey(); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, secretKeyRingProtector); - publicKey = addUserIdToPubKey(userId, privateKey, publicKey); - primaryKey = PGPSecretKey.replacePublicKey(primaryKey, publicKey); + SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector); + builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); + builder.applyCallback(signatureSubpacketCallback); + PGPSignature signature = builder.build(publicKey, userId); + + publicKey = PGPPublicKey.addCertification(publicKey, + userId, signature); + primaryKey = PGPSecretKey.replacePublicKey(primaryKey, publicKey); secretKeyList.add(primaryKey); while (secretKeyIterator.hasNext()) { @@ -96,21 +110,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return this; } - private static PGPPublicKey addUserIdToPubKey(String userId, PGPPrivateKey privateKey, PGPPublicKey publicKey) throws PGPException { - if (privateKey.getKeyID() != publicKey.getKeyID()) { - throw new IllegalArgumentException("Key-ID mismatch!"); - } - // Create signature with new user-id and add it to the public key - PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(publicKey); - signatureGenerator.init(SignatureType.POSITIVE_CERTIFICATION.getCode(), privateKey); - - PGPSignature userIdSignature = signatureGenerator.generateCertification(userId, publicKey); - publicKey = PGPPublicKey.addCertification(publicKey, - userId, userIdSignature); - - return publicKey; - } - // TODO: Move to utility class? private String sanitizeUserId(String userId) { userId = userId.trim(); @@ -149,11 +148,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PGPDigestCalculator digestCalculator = ImplementationFactory.getInstance().getPGPDigestCalculator(defaultDigestHashAlgorithm); - PGPContentSignerBuilder contentSignerBuilder = ImplementationFactory.getInstance() - .getPGPContentSignerBuilder( - primaryKey.getAlgorithm(), - HashAlgorithm.SHA256.getAlgorithmId() // TODO: Why SHA256? - ); + PGPContentSignerBuilder contentSignerBuilder = + SignatureUtils.getPgpContentSignerBuilderForKey(primaryKey); PGPPrivateKey privateSubKey = UnlockSecretKey.unlockSecretKey(secretSubKey, subKeyProtector); PGPKeyPair subKeyPair = new PGPKeyPair(secretSubKey.getPublicKey(), privateSubKey); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index c4468b89..2d97d460 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -82,7 +82,7 @@ public final class SignatureUtils { * @param publicKey public key * @return content signer builder */ - private static PGPContentSignerBuilder getPgpContentSignerBuilderForKey(PGPPublicKey publicKey) { + public static PGPContentSignerBuilder getPgpContentSignerBuilderForKey(PGPPublicKey publicKey) { Set hashAlgorithmSet = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java index 87837bdf..e22886ca 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java @@ -22,7 +22,6 @@ import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.builder.CertificationSignatureBuilder; import org.pgpainless.signature.builder.DirectKeySignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; From 04ada881884d21bd69f763bc543fdefe397583af Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 8 Nov 2021 21:25:02 +0100 Subject: [PATCH 0132/1450] Fix errors --- .../org/pgpainless/algorithm/KeyFlag.java | 9 ++ .../key/generation/KeyRingBuilder.java | 14 ++-- .../pgpainless/key/generation/KeySpec.java | 22 +++-- .../key/generation/KeySpecBuilder.java | 27 +----- .../secretkeyring/SecretKeyRingEditor.java | 83 +++++++++++++++++++ .../SecretKeyRingEditorInterface.java | 20 +++++ .../org/pgpainless/key/util/KeyRingUtils.java | 27 ++++++ .../SignatureSubpacketGeneratorWrapper.java | 1 - .../subpackets/SignatureSubpacketsUtil.java | 56 +++++++++++++ .../org/pgpainless/util/CollectionUtils.java | 9 ++ .../org/pgpainless/example/GenerateKeys.java | 3 +- ...ignatureSubpacketGeneratorWrapperTest.java | 4 +- 12 files changed, 232 insertions(+), 43 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java index 69843a93..92205fd9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/KeyFlag.java @@ -109,4 +109,13 @@ public enum KeyFlag { public static boolean hasKeyFlag(int mask, KeyFlag flag) { return (mask & flag.getFlag()) == flag.getFlag(); } + + public static boolean containsAny(int mask, KeyFlag... flags) { + for (KeyFlag flag : flags) { + if (hasKeyFlag(mask, flag)) { + return true; + } + } + return false; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 762757e0..85b95b92 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -44,6 +44,7 @@ import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.provider.ProviderFactory; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; +import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; import org.pgpainless.util.Passphrase; public class KeyRingBuilder implements KeyRingBuilderInterface { @@ -110,7 +111,9 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } private boolean hasCertifyOthersFlag(KeySpec keySpec) { - return SignatureSubpacketGeneratorUtil.hasKeyFlag(KeyFlag.CERTIFY_OTHER, keySpec.getSubpacketGenerator()); + return SignatureSubpacketGeneratorUtil.hasKeyFlag(KeyFlag.CERTIFY_OTHER, + keySpec.getSubpacketGenerator() == null ? null : + keySpec.getSubpacketGenerator().getGenerator()); } private boolean keyIsCertificationCapable(KeySpec keySpec) { @@ -135,13 +138,12 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPKeyPair certKey = generateKeyPair(primaryKeySpec); PGPContentSignerBuilder signer = buildContentSigner(certKey); signatureGenerator = new PGPSignatureGenerator(signer); - PGPSignatureSubpacketGenerator hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); - hashedSubPacketGenerator.setPrimaryUserID(false, true); + SignatureSubpacketGeneratorWrapper hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); + hashedSubPacketGenerator.setPrimaryUserId(); if (expirationDate != null) { - SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator( - expirationDate, new Date(), hashedSubPacketGenerator); + hashedSubPacketGenerator.setKeyExpirationTime(certKey.getPublicKey(), expirationDate); } - PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.generate(); + PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.getGenerator().generate(); // Generator which the user can get the key pair from PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 364384ae..bff89af4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -5,21 +5,30 @@ package org.pgpainless.key.generation; import javax.annotation.Nonnull; -import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; public class KeySpec { private final KeyType keyType; - private final PGPSignatureSubpacketGenerator subpacketGenerator; + private final SignatureSubpacketGeneratorWrapper subpacketGenerator; private final boolean inheritedSubPackets; KeySpec(@Nonnull KeyType type, - @Nullable PGPSignatureSubpacketGenerator subpacketGenerator, + @Nonnull PGPSignatureSubpacketGenerator subpacketGenerator, + boolean inheritedSubPackets) { + this( + type, + SignatureSubpacketGeneratorWrapper.createSubpacketsFrom(subpacketGenerator.generate()), + inheritedSubPackets); + } + + KeySpec(@Nonnull KeyType type, + @Nonnull SignatureSubpacketGeneratorWrapper subpacketGenerator, boolean inheritedSubPackets) { this.keyType = type; this.subpacketGenerator = subpacketGenerator; @@ -31,12 +40,13 @@ public class KeySpec { return keyType; } - @Nullable + @Nonnull public PGPSignatureSubpacketVector getSubpackets() { - return subpacketGenerator != null ? subpacketGenerator.generate() : null; + return subpacketGenerator.getGenerator().generate(); } - PGPSignatureSubpacketGenerator getSubpacketGenerator() { + @Nonnull + SignatureSubpacketGeneratorWrapper getSubpacketGenerator() { return subpacketGenerator; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index 80756b74..3a99bb94 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -19,6 +19,7 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.CollectionUtils; public class KeySpecBuilder implements KeySpecBuilderInterface { @@ -39,7 +40,7 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { throw new IllegalArgumentException("List of additional flags MUST NOT be null."); } flags = CollectionUtils.concat(flag, flags); - assureKeyCanCarryFlags(type, flags); + SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags); this.type = type; this.keyFlags = flags; } @@ -100,28 +101,4 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { } return ids; } - - private static void assureKeyCanCarryFlags(KeyType type, KeyFlag... flags) { - final int mask = KeyFlag.toBitmask(flags); - - if (!type.canCertify() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag CERTIFY_OTHER."); - } - - if (!type.canSign() && KeyFlag.hasKeyFlag(mask, KeyFlag.SIGN_DATA)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag SIGN_DATA."); - } - - if (!type.canEncryptCommunication() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_COMMS."); - } - - if (!type.canEncryptStorage() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_STORAGE)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_STORAGE."); - } - - if (!type.canAuthenticate() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION."); - } - } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 06718a6a..299721f7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -4,6 +4,9 @@ package org.pgpainless.key.modification.secretkeyring; +import static org.pgpainless.util.CollectionUtils.concat; + +import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; @@ -35,6 +38,8 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; @@ -52,9 +57,13 @@ import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvi import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; +import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; +import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; +import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.Passphrase; public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @@ -134,6 +143,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override + @Deprecated public SecretKeyRingEditorInterface addSubKey(PGPSecretKey secretSubKey, PGPSignatureSubpacketVector hashedSubpackets, PGPSignatureSubpacketVector unhashedSubpackets, @@ -163,6 +173,79 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return this; } + @Override + public SecretKeyRingEditorInterface addSubKey(PGPSecretKey subkey, + @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, + @Nullable SelfSignatureSubpackets.Callback backSignatureCallback, + SecretKeyRingProtector subkeyProtector, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) throws PGPException, IOException { + KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); + SignatureSubpacketsUtil.assureKeyCanCarryFlags(PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm())); + + boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || + CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); + if (!isSigningKey) { + return addSubKey(subkey.getPublicKey(), + bindingSignatureCallback, + primaryKeyProtector, + keyFlag, + additionalKeyFlags); + } + + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); + SubkeyBindingSignatureBuilder bindingSigBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + bindingSigBuilder.applyCallback(bindingSignatureCallback); + bindingSigBuilder.getHashedSubpackets().setKeyFlags(flags); + + PrimaryKeyBindingSignatureBuilder backSigBuilder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); + backSigBuilder.applyCallback(backSignatureCallback); + PGPSignature backSig = backSigBuilder.build(primaryKey.getPublicKey()); + + bindingSigBuilder.getHashedSubpackets().addEmbeddedSignature(backSig); + PGPSignature bindingSig = bindingSigBuilder.build(subkey.getPublicKey()); + subkey = KeyRingUtils.secretKeyPlusSignature(subkey, bindingSig); + secretKeyRing = KeyRingUtils.secretKeysPlusSecretKey(secretKeyRing, subkey); + + return this; + } + + @Override + public SecretKeyRingEditorInterface addSubKey(PGPPublicKey subkey, + SelfSignatureSubpackets.Callback bindingSignatureCallback, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) throws PGPException { + KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); + boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || + CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); + if (isSigningKey) { + throw new IllegalArgumentException("Cannot bind a signing capable subkey without access to the secret subkey.\n" + + "Please use addSubKey(PGPSecretKey secretSubKey, [...]) instead."); + } + + PGPSignature bindingSignature = createSubkeyBindingSignature(subkey, bindingSignatureCallback, primaryKeyProtector, flags); + subkey = PGPPublicKey.addCertification(subkey, bindingSignature); + + secretKeyRing = KeyRingUtils.secretKeysPlusPublicKey(secretKeyRing, subkey); + + return this; + } + + private PGPSignature createSubkeyBindingSignature(PGPPublicKey subkey, + SelfSignatureSubpackets.Callback bindingSignatureCallback, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag... keyFlags) throws PGPException { + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); + SubkeyBindingSignatureBuilder builder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + builder.applyCallback(bindingSignatureCallback); + builder.getHashedSubpackets().setKeyFlags(keyFlags); + + PGPSignature signature = builder.build(subkey); + return signature; + } + private PGPSecretKey generateSubKey(@Nonnull KeySpec keySpec, @Nonnull Passphrase subKeyPassphrase) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index b45f7523..a1699eaa 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -4,6 +4,7 @@ package org.pgpainless.key.modification.secretkeyring; +import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Date; @@ -11,16 +12,19 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.UserId; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.util.Passphrase; public interface SecretKeyRingEditorInterface { @@ -59,11 +63,27 @@ public interface SecretKeyRingEditorInterface { SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException; + @Deprecated SecretKeyRingEditorInterface addSubKey(PGPSecretKey subKey, PGPSignatureSubpacketVector hashedSubpackets, PGPSignatureSubpacketVector unhashedSubpackets, SecretKeyRingProtector subKeyProtector, SecretKeyRingProtector keyRingProtector) throws PGPException; + + SecretKeyRingEditorInterface addSubKey(PGPSecretKey subkey, + @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, + @Nullable SelfSignatureSubpackets.Callback backSignatureCallback, + SecretKeyRingProtector subkeyProtector, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) throws PGPException, IOException; + + SecretKeyRingEditorInterface addSubKey(PGPPublicKey subkey, + SelfSignatureSubpackets.Callback bindingSignatureCallback, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) throws PGPException; + /** * Revoke the key ring. * The revocation will be a hard revocation, rendering the whole key invalid for any past or future signatures. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 5ae789d4..99c4c894 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -21,8 +21,10 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; +import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.util.CollectionUtils; public final class KeyRingUtils { @@ -200,4 +202,29 @@ public final class KeyRingUtils { publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey); return publicKeys; } + + public static PGPSecretKeyRing secretKeysPlusPublicKey(PGPSecretKeyRing secretKeys, PGPPublicKey subkey) { + PGPPublicKeyRing publicKeys = publicKeyRingFrom(secretKeys); + PGPPublicKeyRing newPublicKeys = publicKeysPlusPublicKey(publicKeys, subkey); + PGPSecretKeyRing newSecretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, newPublicKeys); + return newSecretKeys; + } + + public static PGPPublicKeyRing publicKeysPlusPublicKey(PGPPublicKeyRing publicKeys, PGPPublicKey subkey) { + List publicKeyList = CollectionUtils.iteratorToList(publicKeys.getPublicKeys()); + publicKeyList.add(subkey); + PGPPublicKeyRing newPublicKeys = new PGPPublicKeyRing(publicKeyList); + return newPublicKeys; + } + + public static PGPSecretKeyRing secretKeysPlusSecretKey(PGPSecretKeyRing secretKeys, PGPSecretKey subkey) { + return PGPSecretKeyRing.insertSecretKey(secretKeys, subkey); + } + + public static PGPSecretKey secretKeyPlusSignature(PGPSecretKey secretKey, PGPSignature signature) { + PGPPublicKey publicKey = secretKey.getPublicKey(); + publicKey = PGPPublicKey.addCertification(publicKey, signature); + PGPSecretKey newSecretKey = PGPSecretKey.replacePublicKey(secretKey, publicKey); + return newSecretKey; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java index e2e9c584..c4016709 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java @@ -95,7 +95,6 @@ public class SignatureSubpacketGeneratorWrapper public static SignatureSubpacketGeneratorWrapper createSubpacketsFrom(PGPSignatureSubpacketVector base) { SignatureSubpacketGeneratorWrapper wrapper = new SignatureSubpacketGeneratorWrapper(); wrapper.extractSubpacketsFromVector(base); - wrapper.setSignatureCreationTime(new Date()); return wrapper; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index 4792a362..751c9f73 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -41,10 +41,12 @@ import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureSubpacket; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.signature.SignatureUtils; /** @@ -560,4 +562,58 @@ public final class SignatureSubpacketsUtil { } return (P) allPackets[allPackets.length - 1]; // return last } + + /** + * Make sure that the given key type can carry the given key flags. + * + * @param type key type + * @param flags key flags + */ + public static void assureKeyCanCarryFlags(KeyType type, KeyFlag... flags) { + final int mask = KeyFlag.toBitmask(flags); + + if (!type.canCertify() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) { + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag CERTIFY_OTHER."); + } + + if (!type.canSign() && KeyFlag.hasKeyFlag(mask, KeyFlag.SIGN_DATA)) { + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag SIGN_DATA."); + } + + if (!type.canEncryptCommunication() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS)) { + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_COMMS."); + } + + if (!type.canEncryptStorage() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_STORAGE)) { + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_STORAGE."); + } + + if (!type.canAuthenticate() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) { + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION."); + } + } + + public static void assureKeyCanCarryFlags(PublicKeyAlgorithm algorithm, KeyFlag... flags) { + final int mask = KeyFlag.toBitmask(flags); + + if (!algorithm.isSigningCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) { + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag CERTIFY_OTHER."); + } + + if (!algorithm.isSigningCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.SIGN_DATA)) { + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag SIGN_DATA."); + } + + if (!algorithm.isEncryptionCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS)) { + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag ENCRYPT_COMMS."); + } + + if (!algorithm.isEncryptionCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_STORAGE)) { + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag ENCRYPT_STORAGE."); + } + + if (!algorithm.isSigningCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) { + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag AUTHENTIACTION."); + } + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java index dcae3240..91b48ba2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java @@ -30,4 +30,13 @@ public final class CollectionUtils { System.arraycopy(ts, 0, concat, 1, ts.length); return concat; } + + public static boolean contains(T[] ts, T t) { + for (T i : ts) { + if (i.equals(t)) { + return true; + } + } + return false; + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 6dcd6812..4046ede6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -97,7 +97,7 @@ public class GenerateKeys { * @throws NoSuchAlgorithmException */ @Test - public void generateSimpleRSAKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateSimpleRSAKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { // Define a primary user-id String userId = "mpage@pgpainless.org"; // Set a password to protect the secret key @@ -106,7 +106,6 @@ public class GenerateKeys { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .simpleRsaKeyRing(userId, RsaLength._4096, password); - KeyRingInfo keyInfo = new KeyRingInfo(secretKey); assertEquals(1, keyInfo.getSecretKeys().size()); assertEquals(userId, keyInfo.getPrimaryUserId()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java index e2498e19..a07f792e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java @@ -39,7 +39,6 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; -import org.junit.JUtils; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -493,8 +492,7 @@ public class SignatureSubpacketGeneratorWrapperTest { // Verify these are not extracted assertEquals(0, vector.getIssuerKeyID()); assertNull(vector.getIssuerFingerprint()); - // BC overrides the date with current time - JUtils.assertDateNotEquals(sigCreationDate, vector.getSignatureCreationTime()); + assertNull(vector.getSignatureCreationTime()); // Verify these are extracted assertEquals(256000, vector.getSignatureExpirationTime()); From 3f09fa0cc755e9b673ca946a50c2f2317e83c82a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 8 Nov 2021 22:45:08 +0100 Subject: [PATCH 0133/1450] Progress --- .../implementation/ImplementationFactory.java | 4 + .../key/generation/KeyRingBuilder.java | 62 ++++++++++----- .../secretkeyring/SecretKeyRingEditor.java | 78 ++++--------------- .../SecretKeyRingEditorInterface.java | 9 +-- .../CachingSecretKeyRingProtector.java | 20 ++--- .../PasswordBasedSecretKeyRingProtector.java | 10 ++- .../protection/SecretKeyRingProtector.java | 4 + .../java/org/pgpainless/util/Passphrase.java | 2 +- ...ithModifiedBindingSignatureSubpackets.java | 77 ++++++++++++++++++ 9 files changed, 163 insertions(+), 103 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java index 6f5ea044..774dcad0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java @@ -59,6 +59,10 @@ public abstract class ImplementationFactory { public abstract PBESecretKeyDecryptor getPBESecretKeyDecryptor(Passphrase passphrase) throws PGPException; + public PGPDigestCalculator getV4FingerprintCalculator() throws PGPException { + return getPGPDigestCalculator(HashAlgorithm.SHA1); + } + public PGPDigestCalculator getPGPDigestCalculator(HashAlgorithm algorithm) throws PGPException { return getPGPDigestCalculator(algorithm.getAlgorithmId()); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 85b95b92..205b7b4e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -41,6 +41,7 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.provider.ProviderFactory; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; @@ -52,13 +53,13 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private final Charset UTF8 = Charset.forName("UTF-8"); private PGPSignatureGenerator signatureGenerator; - private PGPDigestCalculator digestCalculator; + private PGPDigestCalculator keyFingerprintCalculator; private PBESecretKeyEncryptor secretKeyEncryptor; private KeySpec primaryKeySpec; private final List subkeySpecs = new ArrayList<>(); private final Set userIds = new LinkedHashSet<>(); - private Passphrase passphrase = null; + private Passphrase passphrase = Passphrase.emptyPassphrase(); private Date expirationDate = null; @Override @@ -126,13 +127,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { if (userIds.isEmpty()) { throw new IllegalStateException("At least one user-id is required."); } - digestCalculator = buildDigestCalculator(); + keyFingerprintCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator(); secretKeyEncryptor = buildSecretKeyEncryptor(); PBESecretKeyDecryptor secretKeyDecryptor = buildSecretKeyDecryptor(); - if (passphrase != null) { - passphrase.clear(); - } + passphrase.clear(); // Generate Primary Key PGPKeyPair certKey = generateKeyPair(primaryKeySpec); @@ -171,8 +170,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { // "reassemble" secret key ring with modified primary key PGPSecretKey primarySecKey = new PGPSecretKey( - privateKey, - primaryPubKey, digestCalculator, true, secretKeyEncryptor); + privateKey, primaryPubKey, keyFingerprintCalculator, true, secretKeyEncryptor); List secretKeyList = new ArrayList<>(); secretKeyList.add(primarySecKey); while (secretKeys.hasNext()) { @@ -190,7 +188,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { String primaryUserId = userIds.iterator().next(); return new PGPKeyRingGenerator( SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey, - primaryUserId, digestCalculator, + primaryUserId, keyFingerprintCalculator, hashedSubPackets, null, signer, secretKeyEncryptor); } @@ -236,22 +234,20 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private PBESecretKeyEncryptor buildSecretKeyEncryptor() { SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy() .getDefaultSymmetricKeyAlgorithm(); - PBESecretKeyEncryptor encryptor = passphrase == null || passphrase.isEmpty() ? - null : // unencrypted key pair, otherwise AES-256 encrypted + if (!passphrase.isValid()) { + throw new IllegalStateException("Passphrase was cleared."); + } + return passphrase.isEmpty() ? null : // unencrypted key pair, otherwise AES-256 encrypted ImplementationFactory.getInstance().getPBESecretKeyEncryptor( - keyEncryptionAlgorithm, digestCalculator, passphrase); - return encryptor; + keyEncryptionAlgorithm, keyFingerprintCalculator, passphrase); } private PBESecretKeyDecryptor buildSecretKeyDecryptor() throws PGPException { - PBESecretKeyDecryptor decryptor = passphrase == null || passphrase.isEmpty() ? - null : + if (!passphrase.isValid()) { + throw new IllegalStateException("Passphrase was cleared."); + } + return passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); - return decryptor; - } - - private PGPDigestCalculator buildDigestCalculator() throws PGPException { - return ImplementationFactory.getInstance().getPGPDigestCalculator(HashAlgorithm.SHA1); } public static PGPKeyPair generateKeyPair(KeySpec spec) @@ -269,4 +265,30 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPKeyPair pgpKeyPair = ImplementationFactory.getInstance().getPGPKeyPair(type.getAlgorithm(), keyPair, new Date()); return pgpKeyPair; } + + public static PGPSecretKey generatePGPSecretKey(KeySpec keySpec, @Nonnull Passphrase passphrase, boolean isPrimary) + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPDigestCalculator keyFingerprintCalculator = ImplementationFactory.getInstance() + .getV4FingerprintCalculator(); + PGPKeyPair keyPair = generateKeyPair(keySpec); + SecretKeyRingProtector protector; + + synchronized (passphrase.lock) { + if (!passphrase.isValid()) { + throw new IllegalStateException("Passphrase has been cleared."); + } + if (!passphrase.isEmpty()) { + protector = SecretKeyRingProtector.unlockSingleKeyWith(passphrase, keyPair.getKeyID()); + } else { + protector = SecretKeyRingProtector.unprotectedKeys(); + } + + return new PGPSecretKey( + keyPair.getPrivateKey(), + keyPair.getPublicKey(), + keyFingerprintCalculator, + isPrimary, + protector.getEncryptor(keyPair.getKeyID())); + } + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 299721f7..cc20a156 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -41,7 +41,6 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeyRingBuilder; @@ -182,28 +181,27 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { KeyFlag keyFlag, KeyFlag... additionalKeyFlags) throws PGPException, IOException { KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); - SignatureSubpacketsUtil.assureKeyCanCarryFlags(PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm())); - - boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || - CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); - if (!isSigningKey) { - return addSubKey(subkey.getPublicKey(), - bindingSignatureCallback, - primaryKeyProtector, - keyFlag, - additionalKeyFlags); - } + PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm()); + SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm); PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); - SubkeyBindingSignatureBuilder bindingSigBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + SubkeyBindingSignatureBuilder bindingSigBuilder = + new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + bindingSigBuilder.applyCallback(bindingSignatureCallback); bindingSigBuilder.getHashedSubpackets().setKeyFlags(flags); - PrimaryKeyBindingSignatureBuilder backSigBuilder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); - backSigBuilder.applyCallback(backSignatureCallback); - PGPSignature backSig = backSigBuilder.build(primaryKey.getPublicKey()); + boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || + CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); + if (isSigningKey) { + // Add embedded back-signature made by subkey over primary key + PrimaryKeyBindingSignatureBuilder backSigBuilder = + new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); + backSigBuilder.applyCallback(backSignatureCallback); + PGPSignature backSig = backSigBuilder.build(primaryKey.getPublicKey()); + bindingSigBuilder.getHashedSubpackets().addEmbeddedSignature(backSig); + } - bindingSigBuilder.getHashedSubpackets().addEmbeddedSignature(backSig); PGPSignature bindingSig = bindingSigBuilder.build(subkey.getPublicKey()); subkey = KeyRingUtils.secretKeyPlusSignature(subkey, bindingSig); secretKeyRing = KeyRingUtils.secretKeysPlusSecretKey(secretKeyRing, subkey); @@ -211,54 +209,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return this; } - @Override - public SecretKeyRingEditorInterface addSubKey(PGPPublicKey subkey, - SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag keyFlag, - KeyFlag... additionalKeyFlags) throws PGPException { - KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); - boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || - CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); - if (isSigningKey) { - throw new IllegalArgumentException("Cannot bind a signing capable subkey without access to the secret subkey.\n" + - "Please use addSubKey(PGPSecretKey secretSubKey, [...]) instead."); - } - - PGPSignature bindingSignature = createSubkeyBindingSignature(subkey, bindingSignatureCallback, primaryKeyProtector, flags); - subkey = PGPPublicKey.addCertification(subkey, bindingSignature); - - secretKeyRing = KeyRingUtils.secretKeysPlusPublicKey(secretKeyRing, subkey); - - return this; - } - - private PGPSignature createSubkeyBindingSignature(PGPPublicKey subkey, - SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag... keyFlags) throws PGPException { - PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); - SubkeyBindingSignatureBuilder builder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); - builder.applyCallback(bindingSignatureCallback); - builder.getHashedSubpackets().setKeyFlags(keyFlags); - - PGPSignature signature = builder.build(subkey); - return signature; - } - private PGPSecretKey generateSubKey(@Nonnull KeySpec keySpec, @Nonnull Passphrase subKeyPassphrase) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPDigestCalculator checksumCalculator = ImplementationFactory.getInstance() - .getPGPDigestCalculator(defaultDigestHashAlgorithm); - - PBESecretKeyEncryptor subKeyEncryptor = subKeyPassphrase.isEmpty() ? null : - ImplementationFactory.getInstance().getPBESecretKeyEncryptor(SymmetricKeyAlgorithm.AES_256, subKeyPassphrase); - - PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); - PGPSecretKey secretKey = new PGPSecretKey(keyPair.getPrivateKey(), keyPair.getPublicKey(), - checksumCalculator, false, subKeyEncryptor); - return secretKey; + return KeyRingBuilder.generatePGPSecretKey(keySpec, subKeyPassphrase, false); } @Override diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index a1699eaa..541c0db8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -12,7 +12,6 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; @@ -59,7 +58,7 @@ public interface SecretKeyRingEditorInterface { * @return the builder */ SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, - @Nonnull Passphrase subKeyPassphrase, + @Nullable Passphrase subKeyPassphrase, SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException; @@ -78,12 +77,6 @@ public interface SecretKeyRingEditorInterface { KeyFlag keyFlag, KeyFlag... additionalKeyFlags) throws PGPException, IOException; - SecretKeyRingEditorInterface addSubKey(PGPPublicKey subkey, - SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag keyFlag, - KeyFlag... additionalKeyFlags) throws PGPException; - /** * Revoke the key ring. * The revocation will be a hard revocation, rendering the whole key invalid for any past or future signatures. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index d0cdd59e..4a58b5f9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -56,7 +56,7 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se * @param keyId id of the key * @param passphrase passphrase */ - public void addPassphrase(@Nonnull Long keyId, @Nullable Passphrase passphrase) { + public void addPassphrase(@Nonnull Long keyId, @Nonnull Passphrase passphrase) { this.cache.put(keyId, passphrase); } @@ -66,7 +66,7 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se * @param keyRing key ring * @param passphrase passphrase */ - public void addPassphrase(@Nonnull PGPKeyRing keyRing, @Nullable Passphrase passphrase) { + public void addPassphrase(@Nonnull PGPKeyRing keyRing, @Nonnull Passphrase passphrase) { Iterator keys = keyRing.getPublicKeys(); while (keys.hasNext()) { PGPPublicKey publicKey = keys.next(); @@ -80,11 +80,11 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se * @param key key * @param passphrase passphrase */ - public void addPassphrase(@Nonnull PGPPublicKey key, @Nullable Passphrase passphrase) { + public void addPassphrase(@Nonnull PGPPublicKey key, @Nonnull Passphrase passphrase) { addPassphrase(key.getKeyID(), passphrase); } - public void addPassphrase(@Nonnull OpenPgpFingerprint fingerprint, @Nullable Passphrase passphrase) { + public void addPassphrase(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull Passphrase passphrase) { addPassphrase(fingerprint.getKeyId(), passphrase); } @@ -95,9 +95,10 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se * @param keyId id of the key */ public void forgetPassphrase(@Nonnull Long keyId) { - Passphrase passphrase = cache.get(keyId); - passphrase.clear(); - cache.remove(keyId); + Passphrase passphrase = cache.remove(keyId); + if (passphrase != null) { + passphrase.clear(); + } } /** @@ -140,12 +141,13 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se @Override public boolean hasPassphrase(Long keyId) { - return cache.containsKey(keyId); + Passphrase passphrase = cache.get(keyId); + return passphrase != null && passphrase.isValid(); } @Override public boolean hasPassphraseFor(Long keyId) { - return cache.containsKey(keyId); + return hasPassphrase(keyId); } @Override diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java index 2f97863f..d198c187 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java @@ -64,12 +64,16 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect } public static PasswordBasedSecretKeyRingProtector forKey(PGPSecretKey key, Passphrase passphrase) { + return forKeyId(key.getPublicKey().getKeyID(), passphrase); + } + + public static PasswordBasedSecretKeyRingProtector forKeyId(long singleKeyId, Passphrase passphrase) { KeyRingProtectionSettings protectionSettings = KeyRingProtectionSettings.secureDefaultSettings(); SecretKeyPassphraseProvider passphraseProvider = new SecretKeyPassphraseProvider() { - @Override @Nullable + @Override public Passphrase getPassphraseFor(Long keyId) { - if (key.getKeyID() == keyId) { + if (keyId == singleKeyId) { return passphrase; } return null; @@ -77,7 +81,7 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect @Override public boolean hasPassphrase(Long keyId) { - return keyId == key.getKeyID(); + return keyId == singleKeyId; } }; return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java index 73fb64fc..b1cb7fdf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java @@ -98,6 +98,10 @@ public interface SecretKeyRingProtector { return PasswordBasedSecretKeyRingProtector.forKey(key, passphrase); } + static SecretKeyRingProtector unlockSingleKeyWith(Passphrase passphrase, long keyId) { + return PasswordBasedSecretKeyRingProtector.forKeyId(keyId, passphrase); + } + /** * Protector for unprotected keys. * This protector returns null for all {@link #getEncryptor(Long)}/{@link #getDecryptor(Long)} calls, diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java index 1d33ea5b..bd2e203f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java @@ -10,7 +10,7 @@ import java.util.Arrays; public class Passphrase { - private final Object lock = new Object(); + public final Object lock = new Object(); private final char[] chars; private boolean valid = true; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java new file mode 100644 index 00000000..4306298d --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java @@ -0,0 +1,77 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.Date; +import java.util.List; + +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.JUtils; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.EncryptionPurpose; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.key.OpenPgpV4Fingerprint; +import org.pgpainless.key.generation.KeyRingBuilder; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; +import org.pgpainless.util.Passphrase; + +public class AddSubkeyWithModifiedBindingSignatureSubpackets { + + @Test + public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", null); + KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); + + PGPSecretKey secretSubkey = KeyRingBuilder.generatePGPSecretKey( + KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), + Passphrase.emptyPassphrase(), false); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addSubKey(secretSubkey, new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setKeyExpirationTime(true, 1000); + hashedSubpackets.addNotationData(false, "test@test.test", "test"); + } + }, null, SecretKeyRingProtector.unprotectedKeys(), protector, KeyFlag.ENCRYPT_COMMS) + .done(); + + KeyRingInfo after = PGPainless.inspectKeyRing(secretKeys); + + List encryptionKeys = after.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); + encryptionKeys.removeAll(before.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS)); + assertFalse(encryptionKeys.isEmpty()); + assertEquals(1, encryptionKeys.size()); + + PGPPublicKey newKey = encryptionKeys.get(0); + JUtils.assertEquals(new Date().getTime() + 1000 * 1000, after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey)).getTime(), 2000); + assertTrue(newKey.getSignatures().hasNext()); + PGPSignature binding = newKey.getSignatures().next(); + List notations = SignatureSubpacketsUtil.getHashedNotationData(binding); + assertEquals(1, notations.size()); + assertEquals("test@test.test", notations.get(0).getNotationName()); + } +} From 3d5a005ec7c1f9b7cc63c25d89f0efb6589e4813 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 9 Nov 2021 12:21:57 +0100 Subject: [PATCH 0134/1450] Make SignatureSubpackets more procedural --- .../key/generation/KeyRingBuilder.java | 16 +- .../pgpainless/key/generation/KeySpec.java | 13 +- .../builder/AbstractSignatureBuilder.java | 19 +- .../builder/UniversalSignatureBuilder.java | 6 +- .../subpackets/BaseSignatureSubpackets.java | 2 +- .../SignatureSubpacketGeneratorWrapper.java | 719 ------------------ .../subpackets/SignatureSubpackets.java | 660 ++++++++++++++++ .../subpackets/SignatureSubpacketsHelper.java | 180 +++++ ...Test.java => SignatureSubpacketsTest.java} | 93 ++- 9 files changed, 916 insertions(+), 792 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java rename pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/{SignatureSubpacketGeneratorWrapperTest.java => SignatureSubpacketsTest.java} (86%) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 205b7b4e..e62a9d15 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -19,6 +19,7 @@ import java.util.List; import java.util.Set; import javax.annotation.Nonnull; +import org.bouncycastle.bcpg.sig.KeyFlags; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyRingGenerator; @@ -44,8 +45,8 @@ import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.provider.ProviderFactory; -import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; -import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; +import org.pgpainless.signature.subpackets.SignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.util.Passphrase; public class KeyRingBuilder implements KeyRingBuilderInterface { @@ -112,9 +113,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } private boolean hasCertifyOthersFlag(KeySpec keySpec) { - return SignatureSubpacketGeneratorUtil.hasKeyFlag(KeyFlag.CERTIFY_OTHER, - keySpec.getSubpacketGenerator() == null ? null : - keySpec.getSubpacketGenerator().getGenerator()); + KeyFlags keyFlags = keySpec.getSubpacketGenerator().getKeyFlagsSubpacket(); + return keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER); } private boolean keyIsCertificationCapable(KeySpec keySpec) { @@ -137,12 +137,14 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPKeyPair certKey = generateKeyPair(primaryKeySpec); PGPContentSignerBuilder signer = buildContentSigner(certKey); signatureGenerator = new PGPSignatureGenerator(signer); - SignatureSubpacketGeneratorWrapper hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); + SignatureSubpackets hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); hashedSubPacketGenerator.setPrimaryUserId(); if (expirationDate != null) { hashedSubPacketGenerator.setKeyExpirationTime(certKey.getPublicKey(), expirationDate); } - PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.getGenerator().generate(); + PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); + SignatureSubpacketsHelper.applyTo(hashedSubPacketGenerator, generator); + PGPSignatureSubpacketVector hashedSubPackets = generator.generate(); // Generator which the user can get the key pair from PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index bff89af4..2249c854 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -10,12 +10,13 @@ import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; +import org.pgpainless.signature.subpackets.SignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; public class KeySpec { private final KeyType keyType; - private final SignatureSubpacketGeneratorWrapper subpacketGenerator; + private final SignatureSubpackets subpacketGenerator; private final boolean inheritedSubPackets; KeySpec(@Nonnull KeyType type, @@ -23,12 +24,12 @@ public class KeySpec { boolean inheritedSubPackets) { this( type, - SignatureSubpacketGeneratorWrapper.createSubpacketsFrom(subpacketGenerator.generate()), + SignatureSubpackets.createSubpacketsFrom(subpacketGenerator.generate()), inheritedSubPackets); } KeySpec(@Nonnull KeyType type, - @Nonnull SignatureSubpacketGeneratorWrapper subpacketGenerator, + @Nonnull SignatureSubpackets subpacketGenerator, boolean inheritedSubPackets) { this.keyType = type; this.subpacketGenerator = subpacketGenerator; @@ -42,11 +43,11 @@ public class KeySpec { @Nonnull public PGPSignatureSubpacketVector getSubpackets() { - return subpacketGenerator.getGenerator().generate(); + return SignatureSubpacketsHelper.toVector(subpacketGenerator); } @Nonnull - SignatureSubpacketGeneratorWrapper getSubpacketGenerator() { + SignatureSubpackets getSubpacketGenerator() { return subpacketGenerator; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 219e7d22..d919d49b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -21,7 +21,8 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; -import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorWrapper; +import org.pgpainless.signature.subpackets.SignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; public abstract class AbstractSignatureBuilder> { protected final PGPPrivateKey privateSigningKey; @@ -30,8 +31,8 @@ public abstract class AbstractSignatureBuilder { + interface Callback extends SignatureSubpacketCallback { } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java deleted file mode 100644 index c4016709..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapper.java +++ /dev/null @@ -1,719 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.subpackets; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Date; -import java.util.Iterator; -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Set; -import javax.annotation.Nonnull; -import javax.annotation.Nullable; - -import org.bouncycastle.bcpg.SignatureSubpacket; -import org.bouncycastle.bcpg.SignatureSubpacketTags; -import org.bouncycastle.bcpg.sig.EmbeddedSignature; -import org.bouncycastle.bcpg.sig.Exportable; -import org.bouncycastle.bcpg.sig.Features; -import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; -import org.bouncycastle.bcpg.sig.IssuerFingerprint; -import org.bouncycastle.bcpg.sig.IssuerKeyID; -import org.bouncycastle.bcpg.sig.KeyExpirationTime; -import org.bouncycastle.bcpg.sig.KeyFlags; -import org.bouncycastle.bcpg.sig.NotationData; -import org.bouncycastle.bcpg.sig.PreferredAlgorithms; -import org.bouncycastle.bcpg.sig.PrimaryUserID; -import org.bouncycastle.bcpg.sig.Revocable; -import org.bouncycastle.bcpg.sig.RevocationKey; -import org.bouncycastle.bcpg.sig.RevocationReason; -import org.bouncycastle.bcpg.sig.SignatureCreationTime; -import org.bouncycastle.bcpg.sig.SignatureExpirationTime; -import org.bouncycastle.bcpg.sig.SignatureTarget; -import org.bouncycastle.bcpg.sig.SignerUserID; -import org.bouncycastle.bcpg.sig.TrustSignature; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; -import org.pgpainless.algorithm.CompressionAlgorithm; -import org.pgpainless.algorithm.Feature; -import org.pgpainless.algorithm.HashAlgorithm; -import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.PublicKeyAlgorithm; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; -import org.pgpainless.key.util.RevocationAttributes; - -public class SignatureSubpacketGeneratorWrapper - implements BaseSignatureSubpackets, SelfSignatureSubpackets, CertificationSubpackets, RevocationSignatureSubpackets { - - private SignatureCreationTime signatureCreationTime; - private SignatureExpirationTime signatureExpirationTime; - private IssuerKeyID issuerKeyID; - private IssuerFingerprint issuerFingerprint; - private final List notationDataList = new ArrayList<>(); - private final List intendedRecipientFingerprintList = new ArrayList<>(); - private final List revocationKeyList = new ArrayList<>(); - private Exportable exportable; - private SignatureTarget signatureTarget; - private Features features; - private KeyFlags keyFlags; - private TrustSignature trust; - private PreferredAlgorithms preferredCompressionAlgorithms; - private PreferredAlgorithms preferredSymmetricKeyAlgorithms; - private PreferredAlgorithms preferredHashAlgorithms; - private final List embeddedSignatureList = new ArrayList<>(); - private SignerUserID signerUserId; - private KeyExpirationTime keyExpirationTime; - private PrimaryUserID primaryUserId; - private Revocable revocable; - private RevocationReason revocationReason; - private final List unsupportedSubpackets = new ArrayList<>(); - - public SignatureSubpacketGeneratorWrapper() { - - } - - public static SignatureSubpacketGeneratorWrapper refreshHashedSubpackets(PGPPublicKey issuer, PGPSignature oldSignature) { - return createHashedSubpacketsFrom(issuer, oldSignature.getHashedSubPackets()); - } - - public static SignatureSubpacketGeneratorWrapper refreshUnhashedSubpackets(PGPSignature oldSignature) { - return createSubpacketsFrom(oldSignature.getUnhashedSubPackets()); - } - - public static SignatureSubpacketGeneratorWrapper createHashedSubpacketsFrom(PGPPublicKey issuer, PGPSignatureSubpacketVector base) { - SignatureSubpacketGeneratorWrapper wrapper = createSubpacketsFrom(base); - wrapper.setIssuerFingerprintAndKeyId(issuer); - return wrapper; - } - - public static SignatureSubpacketGeneratorWrapper createSubpacketsFrom(PGPSignatureSubpacketVector base) { - SignatureSubpacketGeneratorWrapper wrapper = new SignatureSubpacketGeneratorWrapper(); - wrapper.extractSubpacketsFromVector(base); - return wrapper; - } - - public static SignatureSubpacketGeneratorWrapper createEmptySubpackets() { - return new SignatureSubpacketGeneratorWrapper(); - } - - public static SignatureSubpacketGeneratorWrapper createHashedSubpackets() { - SignatureSubpacketGeneratorWrapper wrapper = new SignatureSubpacketGeneratorWrapper(); - wrapper.setSignatureCreationTime(new Date()); - return wrapper; - } - - public static SignatureSubpacketGeneratorWrapper createHashedSubpackets(PGPPublicKey issuer) { - SignatureSubpacketGeneratorWrapper wrapper = createHashedSubpackets(); - wrapper.setIssuerFingerprintAndKeyId(issuer); - return wrapper; - } - - private void extractSubpacketsFromVector(PGPSignatureSubpacketVector base) { - for (SignatureSubpacket subpacket : base.toArray()) { - org.pgpainless.algorithm.SignatureSubpacket type = org.pgpainless.algorithm.SignatureSubpacket.fromCode(subpacket.getType()); - switch (type) { - case signatureCreationTime: - case issuerKeyId: - case issuerFingerprint: - // ignore, we override this anyways - break; - case signatureExpirationTime: - SignatureExpirationTime sigExpTime = (SignatureExpirationTime) subpacket; - setSignatureExpirationTime(sigExpTime.isCritical(), sigExpTime.getTime()); - break; - case exportableCertification: - Exportable exp = (Exportable) subpacket; - setExportable(exp.isCritical(), exp.isExportable()); - break; - case trustSignature: - TrustSignature trustSignature = (TrustSignature) subpacket; - setTrust(trustSignature.isCritical(), trustSignature.getDepth(), trustSignature.getTrustAmount()); - break; - case revocable: - Revocable rev = (Revocable) subpacket; - setRevocable(rev.isCritical(), rev.isRevocable()); - break; - case keyExpirationTime: - KeyExpirationTime keyExpTime = (KeyExpirationTime) subpacket; - setKeyExpirationTime(keyExpTime.isCritical(), keyExpTime.getTime()); - break; - case preferredSymmetricAlgorithms: - setPreferredSymmetricKeyAlgorithms((PreferredAlgorithms) subpacket); - break; - case revocationKey: - RevocationKey revocationKey = (RevocationKey) subpacket; - addRevocationKey(revocationKey); - break; - case notationData: - NotationData notationData = (NotationData) subpacket; - addNotationData(notationData.isCritical(), notationData.getNotationName(), notationData.getNotationValue()); - break; - case preferredHashAlgorithms: - setPreferredHashAlgorithms((PreferredAlgorithms) subpacket); - break; - case preferredCompressionAlgorithms: - setPreferredCompressionAlgorithms((PreferredAlgorithms) subpacket); - break; - case primaryUserId: - PrimaryUserID primaryUserID = (PrimaryUserID) subpacket; - setPrimaryUserId(primaryUserID); - break; - case keyFlags: - KeyFlags flags = (KeyFlags) subpacket; - setKeyFlags(flags.isCritical(), KeyFlag.fromBitmask(flags.getFlags()).toArray(new KeyFlag[0])); - break; - case signerUserId: - SignerUserID signerUserID = (SignerUserID) subpacket; - setSignerUserId(signerUserID.isCritical(), signerUserID.getID()); - break; - case revocationReason: - RevocationReason reason = (RevocationReason) subpacket; - setRevocationReason(reason.isCritical(), - RevocationAttributes.Reason.fromCode(reason.getRevocationReason()), - reason.getRevocationDescription()); - break; - case features: - Features f = (Features) subpacket; - setFeatures(f.isCritical(), Feature.fromBitmask(f.getData()[0]).toArray(new Feature[0])); - break; - case signatureTarget: - SignatureTarget target = (SignatureTarget) subpacket; - setSignatureTarget(target.isCritical(), - PublicKeyAlgorithm.fromId(target.getPublicKeyAlgorithm()), - HashAlgorithm.fromId(target.getHashAlgorithm()), - target.getHashData()); - break; - case embeddedSignature: - EmbeddedSignature embeddedSignature = (EmbeddedSignature) subpacket; - addEmbeddedSignature(embeddedSignature); - break; - case intendedRecipientFingerprint: - IntendedRecipientFingerprint intendedRecipientFingerprint = (IntendedRecipientFingerprint) subpacket; - addIntendedRecipientFingerprint(intendedRecipientFingerprint); - break; - - case regularExpression: - case keyServerPreferences: - case preferredKeyServers: - case policyUrl: - case placeholder: - case preferredAEADAlgorithms: - case attestedCertification: - unsupportedSubpackets.add(subpacket); - break; - } - } - } - - public PGPSignatureSubpacketGenerator getGenerator() { - PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); - - addSubpacket(generator, issuerKeyID); - addSubpacket(generator, issuerFingerprint); - addSubpacket(generator, signatureCreationTime); - addSubpacket(generator, signatureExpirationTime); - addSubpacket(generator, exportable); - for (NotationData notationData : notationDataList) { - addSubpacket(generator, notationData); - } - for (IntendedRecipientFingerprint intendedRecipientFingerprint : intendedRecipientFingerprintList) { - addSubpacket(generator, intendedRecipientFingerprint); - } - for (RevocationKey revocationKey : revocationKeyList) { - addSubpacket(generator, revocationKey); - } - addSubpacket(generator, signatureTarget); - addSubpacket(generator, features); - addSubpacket(generator, keyFlags); - addSubpacket(generator, trust); - addSubpacket(generator, preferredCompressionAlgorithms); - addSubpacket(generator, preferredSymmetricKeyAlgorithms); - addSubpacket(generator, preferredHashAlgorithms); - for (EmbeddedSignature embeddedSignature : embeddedSignatureList) { - addSubpacket(generator, embeddedSignature); - } - addSubpacket(generator, signerUserId); - addSubpacket(generator, keyExpirationTime); - addSubpacket(generator, primaryUserId); - addSubpacket(generator, revocable); - addSubpacket(generator, revocationReason); - for (SignatureSubpacket subpacket : unsupportedSubpackets) { - addSubpacket(generator, subpacket); - } - - return generator; - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerFingerprintAndKeyId(PGPPublicKey key) { - setIssuerKeyId(key.getKeyID()); - setIssuerFingerprint(key); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerKeyId(long keyId) { - return setIssuerKeyId(true, keyId); - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerKeyId(boolean isCritical, long keyId) { - return setIssuerKeyId(new IssuerKeyID(isCritical, keyId)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID) { - this.issuerKeyID = issuerKeyID; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nonnull PGPPublicKey key) { - return setIssuerFingerprint(true, key); - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key) { - return setIssuerFingerprint(new IssuerFingerprint(isCritical, key.getVersion(), key.getFingerprint())); - } - - @Override - public SignatureSubpacketGeneratorWrapper setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint) { - this.issuerFingerprint = fingerprint; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyFlags(KeyFlag... keyFlags) { - return setKeyFlags(true, keyFlags); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyFlags(boolean isCritical, KeyFlag... keyFlags) { - int bitmask = KeyFlag.toBitmask(keyFlags); - return setKeyFlags(new KeyFlags(isCritical, bitmask)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyFlags(@Nullable KeyFlags keyFlags) { - this.keyFlags = keyFlags; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nonnull Date creationTime) { - return setSignatureCreationTime(true, creationTime); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime) { - return setSignatureCreationTime(new SignatureCreationTime(isCritical, creationTime)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime) { - this.signatureCreationTime = signatureCreationTime; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime) { - return setSignatureExpirationTime(true, creationTime, expirationTime); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime) { - return setSignatureExpirationTime(isCritical, (expirationTime.getTime() / 1000) - (creationTime.getTime() / 1000)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(boolean isCritical, long seconds) { - if (seconds < 0) { - throw new IllegalArgumentException("Expiration time cannot be negative."); - } - return setSignatureExpirationTime(new SignatureExpirationTime(isCritical, seconds)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime) { - this.signatureExpirationTime = expirationTime; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignerUserId(@Nonnull String userId) { - return setSignerUserId(false, userId); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignerUserId(boolean isCritical, @Nonnull String userId) { - return setSignerUserId(new SignerUserID(isCritical, userId)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignerUserId(@Nullable SignerUserID signerUserId) { - this.signerUserId = signerUserId; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setPrimaryUserId() { - return setPrimaryUserId(true); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPrimaryUserId(boolean isCritical) { - return setPrimaryUserId(new PrimaryUserID(isCritical, true)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPrimaryUserId(@Nullable PrimaryUserID primaryUserId) { - this.primaryUserId = primaryUserId; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime) { - return setKeyExpirationTime(key.getCreationTime(), keyExpirationTime); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { - return setKeyExpirationTime(true, keyCreationTime, keyExpirationTime); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { - return setKeyExpirationTime(isCritical, (keyExpirationTime.getTime() / 1000) - (keyCreationTime.getTime() / 1000)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration) { - if (secondsFromCreationToExpiration < 0) { - throw new IllegalArgumentException("Seconds from key creation to expiration cannot be less than 0."); - } - return setKeyExpirationTime(new KeyExpirationTime(isCritical, secondsFromCreationToExpiration)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime) { - this.keyExpirationTime = keyExpirationTime; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms) { - return setPreferredCompressionAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(Set algorithms) { - return setPreferredCompressionAlgorithms(true, algorithms); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms) { - int[] ids = new int[algorithms.size()]; - Iterator iterator = algorithms.iterator(); - for (int i = 0; i < algorithms.size(); i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return setPreferredCompressionAlgorithms(new PreferredAlgorithms( - SignatureSubpacketTags.PREFERRED_COMP_ALGS, isCritical, ids)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms) { - if (algorithms == null) { - this.preferredCompressionAlgorithms = null; - return this; - } - - if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_COMP_ALGS) { - throw new IllegalArgumentException("Invalid preferred compression algorithms type."); - } - this.preferredCompressionAlgorithms = algorithms; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms) { - return setPreferredSymmetricKeyAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(Set algorithms) { - return setPreferredSymmetricKeyAlgorithms(true, algorithms); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms) { - int[] ids = new int[algorithms.size()]; - Iterator iterator = algorithms.iterator(); - for (int i = 0; i < algorithms.size(); i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return setPreferredSymmetricKeyAlgorithms(new PreferredAlgorithms( - SignatureSubpacketTags.PREFERRED_SYM_ALGS, isCritical, ids)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms) { - if (algorithms == null) { - this.preferredSymmetricKeyAlgorithms = null; - return this; - } - - if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_SYM_ALGS) { - throw new IllegalArgumentException("Invalid preferred symmetric key algorithms type."); - } - this.preferredSymmetricKeyAlgorithms = algorithms; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(HashAlgorithm... algorithms) { - return setPreferredHashAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(Set algorithms) { - return setPreferredHashAlgorithms(true, algorithms); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(boolean isCritical, Set algorithms) { - int[] ids = new int[algorithms.size()]; - Iterator iterator = algorithms.iterator(); - for (int i = 0; i < ids.length; i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return setPreferredHashAlgorithms(new PreferredAlgorithms( - SignatureSubpacketTags.PREFERRED_HASH_ALGS, isCritical, ids)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms) { - if (algorithms == null) { - preferredHashAlgorithms = null; - return this; - } - - if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_HASH_ALGS) { - throw new IllegalArgumentException("Invalid preferred hash algorithms type."); - } - this.preferredHashAlgorithms = algorithms; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue) { - return addNotationData(isCritical, true, notationName, notationValue); - } - - @Override - public SignatureSubpacketGeneratorWrapper addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue) { - return addNotationData(new NotationData(isCritical, isHumanReadable, notationName, notationValue)); - } - - @Override - public SignatureSubpacketGeneratorWrapper addNotationData(@Nonnull NotationData notationData) { - notationDataList.add(notationData); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper clearNotationData() { - notationDataList.clear(); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient) { - return addIntendedRecipientFingerprint(false, recipient); - } - - @Override - public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient) { - return addIntendedRecipientFingerprint(new IntendedRecipientFingerprint(isCritical, recipient.getVersion(), recipient.getFingerprint())); - } - - @Override - public SignatureSubpacketGeneratorWrapper addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint) { - this.intendedRecipientFingerprintList.add(intendedRecipientFingerprint); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper clearIntendedRecipientFingerprints() { - intendedRecipientFingerprintList.clear(); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setExportable(boolean isCritical, boolean isExportable) { - return setExportable(new Exportable(isCritical, isExportable)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setExportable(@Nullable Exportable exportable) { - this.exportable = exportable; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocable(boolean isCritical, boolean isRevocable) { - return setRevocable(new Revocable(isCritical, isRevocable)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocable(@Nullable Revocable revocable) { - this.revocable = revocable; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull PGPPublicKey revocationKey) { - return addRevocationKey(true, revocationKey); - } - - @Override - public SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey) { - return addRevocationKey(isCritical, false, revocationKey); - } - - @Override - public SignatureSubpacketGeneratorWrapper addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey) { - byte clazz = (byte) 0x80; - clazz |= (isSensitive ? 0x40 : 0x00); - return addRevocationKey(new RevocationKey(isCritical, clazz, revocationKey.getAlgorithm(), revocationKey.getFingerprint())); - } - - @Override - public SignatureSubpacketGeneratorWrapper addRevocationKey(@Nonnull RevocationKey revocationKey) { - this.revocationKeyList.add(revocationKey); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper clearRevocationKeys() { - revocationKeyList.clear(); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocationReason(RevocationAttributes revocationAttributes) { - return setRevocationReason(true, revocationAttributes); - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes) { - return setRevocationReason(isCritical, revocationAttributes.getReason(), revocationAttributes.getDescription()); - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description) { - return setRevocationReason(new RevocationReason(isCritical, reason.code(), description)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setRevocationReason(@Nullable RevocationReason reason) { - this.revocationReason = reason; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { - return setSignatureTarget(true, keyAlgorithm, hashAlgorithm, hashData); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { - return setSignatureTarget(new SignatureTarget(isCritical, keyAlgorithm.getAlgorithmId(), hashAlgorithm.getAlgorithmId(), hashData)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setSignatureTarget(@Nullable SignatureTarget signatureTarget) { - this.signatureTarget = signatureTarget; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setFeatures(Feature... features) { - return setFeatures(true, features); - } - - @Override - public SignatureSubpacketGeneratorWrapper setFeatures(boolean isCritical, Feature... features) { - byte bitmask = Feature.toBitmask(features); - return setFeatures(new Features(isCritical, bitmask)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setFeatures(@Nullable Features features) { - this.features = features; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper setTrust(int depth, int amount) { - return setTrust(true, depth, amount); - } - - @Override - public SignatureSubpacketGeneratorWrapper setTrust(boolean isCritical, int depth, int amount) { - return setTrust(new TrustSignature(isCritical, depth, amount)); - } - - @Override - public SignatureSubpacketGeneratorWrapper setTrust(@Nullable TrustSignature trust) { - this.trust = trust; - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException { - return addEmbeddedSignature(true, signature); - } - - @Override - public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException { - byte[] sig = signature.getEncoded(); - byte[] data; - - if (sig.length - 1 > 256) { - data = new byte[sig.length - 3]; - } - else { - data = new byte[sig.length - 2]; - } - - System.arraycopy(sig, sig.length - data.length, data, 0, data.length); - - return addEmbeddedSignature(new EmbeddedSignature(isCritical, false, data)); - } - - @Override - public SignatureSubpacketGeneratorWrapper addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature) { - this.embeddedSignatureList.add(embeddedSignature); - return this; - } - - @Override - public SignatureSubpacketGeneratorWrapper clearEmbeddedSignatures() { - this.embeddedSignatureList.clear(); - return this; - } - - private static void addSubpacket(PGPSignatureSubpacketGenerator generator, SignatureSubpacket subpacket) { - if (subpacket != null) { - generator.addCustomSubpacket(subpacket); - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java new file mode 100644 index 00000000..a7a5b71d --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java @@ -0,0 +1,660 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Date; +import java.util.Iterator; +import java.util.LinkedHashSet; +import java.util.List; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.SignatureSubpacketTags; +import org.bouncycastle.bcpg.sig.EmbeddedSignature; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.Features; +import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.bcpg.sig.IssuerKeyID; +import org.bouncycastle.bcpg.sig.KeyExpirationTime; +import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.bouncycastle.bcpg.sig.PrimaryUserID; +import org.bouncycastle.bcpg.sig.Revocable; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.bouncycastle.bcpg.sig.SignatureCreationTime; +import org.bouncycastle.bcpg.sig.SignatureExpirationTime; +import org.bouncycastle.bcpg.sig.SignatureTarget; +import org.bouncycastle.bcpg.sig.SignerUserID; +import org.bouncycastle.bcpg.sig.TrustSignature; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.key.util.RevocationAttributes; + +public class SignatureSubpackets + implements BaseSignatureSubpackets, SelfSignatureSubpackets, CertificationSubpackets, RevocationSignatureSubpackets { + + private SignatureCreationTime signatureCreationTime; + private SignatureExpirationTime signatureExpirationTime; + private IssuerKeyID issuerKeyID; + private IssuerFingerprint issuerFingerprint; + private final List notationDataList = new ArrayList<>(); + private final List intendedRecipientFingerprintList = new ArrayList<>(); + private final List revocationKeyList = new ArrayList<>(); + private Exportable exportable; + private SignatureTarget signatureTarget; + private Features features; + private KeyFlags keyFlags; + private TrustSignature trust; + private PreferredAlgorithms preferredCompressionAlgorithms; + private PreferredAlgorithms preferredSymmetricKeyAlgorithms; + private PreferredAlgorithms preferredHashAlgorithms; + private final List embeddedSignatureList = new ArrayList<>(); + private SignerUserID signerUserId; + private KeyExpirationTime keyExpirationTime; + private PrimaryUserID primaryUserId; + private Revocable revocable; + private RevocationReason revocationReason; + private final List residualSubpackets = new ArrayList<>(); + + public SignatureSubpackets() { + + } + + public static SignatureSubpackets refreshHashedSubpackets(PGPPublicKey issuer, PGPSignature oldSignature) { + return createHashedSubpacketsFrom(issuer, oldSignature.getHashedSubPackets()); + } + + public static SignatureSubpackets refreshUnhashedSubpackets(PGPSignature oldSignature) { + return createSubpacketsFrom(oldSignature.getUnhashedSubPackets()); + } + + public static SignatureSubpackets createHashedSubpacketsFrom(PGPPublicKey issuer, PGPSignatureSubpacketVector base) { + SignatureSubpackets wrapper = createSubpacketsFrom(base); + wrapper.setIssuerFingerprintAndKeyId(issuer); + return wrapper; + } + + public static SignatureSubpackets createSubpacketsFrom(PGPSignatureSubpacketVector base) { + SignatureSubpackets wrapper = new SignatureSubpackets(); + SignatureSubpacketsHelper.applyFrom(base, wrapper); + return wrapper; + } + + public static SignatureSubpackets createHashedSubpackets(PGPPublicKey issuer) { + SignatureSubpackets wrapper = new SignatureSubpackets(); + wrapper.setIssuerFingerprintAndKeyId(issuer); + return wrapper; + } + + @Override + public SignatureSubpackets setIssuerFingerprintAndKeyId(PGPPublicKey key) { + setIssuerKeyId(key.getKeyID()); + setIssuerFingerprint(key); + return this; + } + + @Override + public SignatureSubpackets setIssuerKeyId(long keyId) { + return setIssuerKeyId(true, keyId); + } + + @Override + public SignatureSubpackets setIssuerKeyId(boolean isCritical, long keyId) { + return setIssuerKeyId(new IssuerKeyID(isCritical, keyId)); + } + + @Override + public SignatureSubpackets setIssuerKeyId(@Nullable IssuerKeyID issuerKeyID) { + this.issuerKeyID = issuerKeyID; + return this; + } + + public IssuerKeyID getIssuerKeyIdSubpacket() { + return issuerKeyID; + } + + @Override + public SignatureSubpackets setIssuerFingerprint(@Nonnull PGPPublicKey key) { + return setIssuerFingerprint(true, key); + } + + @Override + public SignatureSubpackets setIssuerFingerprint(boolean isCritical, @Nonnull PGPPublicKey key) { + return setIssuerFingerprint(new IssuerFingerprint(isCritical, key.getVersion(), key.getFingerprint())); + } + + @Override + public SignatureSubpackets setIssuerFingerprint(@Nullable IssuerFingerprint fingerprint) { + this.issuerFingerprint = fingerprint; + return this; + } + + public IssuerFingerprint getIssuerFingerprintSubpacket() { + return issuerFingerprint; + } + + @Override + public SignatureSubpackets setKeyFlags(KeyFlag... keyFlags) { + return setKeyFlags(true, keyFlags); + } + + @Override + public SignatureSubpackets setKeyFlags(boolean isCritical, KeyFlag... keyFlags) { + int bitmask = KeyFlag.toBitmask(keyFlags); + return setKeyFlags(new KeyFlags(isCritical, bitmask)); + } + + @Override + public SignatureSubpackets setKeyFlags(@Nullable KeyFlags keyFlags) { + this.keyFlags = keyFlags; + return this; + } + + public KeyFlags getKeyFlagsSubpacket() { + return keyFlags; + } + + @Override + public SignatureSubpackets setSignatureCreationTime(@Nonnull Date creationTime) { + return setSignatureCreationTime(true, creationTime); + } + + @Override + public SignatureSubpackets setSignatureCreationTime(boolean isCritical, @Nonnull Date creationTime) { + return setSignatureCreationTime(new SignatureCreationTime(isCritical, creationTime)); + } + + @Override + public SignatureSubpackets setSignatureCreationTime(@Nullable SignatureCreationTime signatureCreationTime) { + this.signatureCreationTime = signatureCreationTime; + return this; + } + + public SignatureCreationTime getSignatureCreationTimeSubpacket() { + return signatureCreationTime; + } + + @Override + public SignatureSubpackets setSignatureExpirationTime(@Nonnull Date creationTime, @Nonnull Date expirationTime) { + return setSignatureExpirationTime(true, creationTime, expirationTime); + } + + @Override + public SignatureSubpackets setSignatureExpirationTime(boolean isCritical, @Nonnull Date creationTime, @Nonnull Date expirationTime) { + return setSignatureExpirationTime(isCritical, (expirationTime.getTime() / 1000) - (creationTime.getTime() / 1000)); + } + + @Override + public SignatureSubpackets setSignatureExpirationTime(boolean isCritical, long seconds) { + if (seconds < 0) { + throw new IllegalArgumentException("Expiration time cannot be negative."); + } + return setSignatureExpirationTime(new SignatureExpirationTime(isCritical, seconds)); + } + + @Override + public SignatureSubpackets setSignatureExpirationTime(@Nullable SignatureExpirationTime expirationTime) { + this.signatureExpirationTime = expirationTime; + return this; + } + + public SignatureExpirationTime getSignatureExpirationTimeSubpacket() { + return signatureExpirationTime; + } + + @Override + public SignatureSubpackets setSignerUserId(@Nonnull String userId) { + return setSignerUserId(false, userId); + } + + @Override + public SignatureSubpackets setSignerUserId(boolean isCritical, @Nonnull String userId) { + return setSignerUserId(new SignerUserID(isCritical, userId)); + } + + @Override + public SignatureSubpackets setSignerUserId(@Nullable SignerUserID signerUserId) { + this.signerUserId = signerUserId; + return this; + } + + public SignerUserID getSignerUserIdSubpacket() { + return signerUserId; + } + + @Override + public SignatureSubpackets setPrimaryUserId() { + return setPrimaryUserId(true); + } + + @Override + public SignatureSubpackets setPrimaryUserId(boolean isCritical) { + return setPrimaryUserId(new PrimaryUserID(isCritical, true)); + } + + @Override + public SignatureSubpackets setPrimaryUserId(@Nullable PrimaryUserID primaryUserId) { + this.primaryUserId = primaryUserId; + return this; + } + + public PrimaryUserID getPrimaryUserIdSubpacket() { + return primaryUserId; + } + + @Override + public SignatureSubpackets setKeyExpirationTime(@Nonnull PGPPublicKey key, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(key.getCreationTime(), keyExpirationTime); + } + + @Override + public SignatureSubpackets setKeyExpirationTime(@Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(true, keyCreationTime, keyExpirationTime); + } + + @Override + public SignatureSubpackets setKeyExpirationTime(boolean isCritical, @Nonnull Date keyCreationTime, @Nonnull Date keyExpirationTime) { + return setKeyExpirationTime(isCritical, (keyExpirationTime.getTime() / 1000) - (keyCreationTime.getTime() / 1000)); + } + + @Override + public SignatureSubpackets setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration) { + if (secondsFromCreationToExpiration < 0) { + throw new IllegalArgumentException("Seconds from key creation to expiration cannot be less than 0."); + } + return setKeyExpirationTime(new KeyExpirationTime(isCritical, secondsFromCreationToExpiration)); + } + + @Override + public SignatureSubpackets setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime) { + this.keyExpirationTime = keyExpirationTime; + return this; + } + + public KeyExpirationTime getKeyExpirationTimeSubpacket() { + return keyExpirationTime; + } + + @Override + public SignatureSubpackets setPreferredCompressionAlgorithms(CompressionAlgorithm... algorithms) { + return setPreferredCompressionAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpackets setPreferredCompressionAlgorithms(Set algorithms) { + return setPreferredCompressionAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpackets setPreferredCompressionAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < algorithms.size(); i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredCompressionAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_COMP_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpackets setPreferredCompressionAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + this.preferredCompressionAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_COMP_ALGS) { + throw new IllegalArgumentException("Invalid preferred compression algorithms type."); + } + this.preferredCompressionAlgorithms = algorithms; + return this; + } + + public PreferredAlgorithms getPreferredCompressionAlgorithmsSubpacket() { + return preferredCompressionAlgorithms; + } + + @Override + public SignatureSubpackets setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm... algorithms) { + return setPreferredSymmetricKeyAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpackets setPreferredSymmetricKeyAlgorithms(Set algorithms) { + return setPreferredSymmetricKeyAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpackets setPreferredSymmetricKeyAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < algorithms.size(); i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredSymmetricKeyAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_SYM_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpackets setPreferredSymmetricKeyAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + this.preferredSymmetricKeyAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_SYM_ALGS) { + throw new IllegalArgumentException("Invalid preferred symmetric key algorithms type."); + } + this.preferredSymmetricKeyAlgorithms = algorithms; + return this; + } + + public PreferredAlgorithms getPreferredSymmetricKeyAlgorithmsSubpacket() { + return preferredSymmetricKeyAlgorithms; + } + + @Override + public SignatureSubpackets setPreferredHashAlgorithms(HashAlgorithm... algorithms) { + return setPreferredHashAlgorithms(new LinkedHashSet<>(Arrays.asList(algorithms))); + } + + @Override + public SignatureSubpackets setPreferredHashAlgorithms(Set algorithms) { + return setPreferredHashAlgorithms(true, algorithms); + } + + @Override + public SignatureSubpackets setPreferredHashAlgorithms(boolean isCritical, Set algorithms) { + int[] ids = new int[algorithms.size()]; + Iterator iterator = algorithms.iterator(); + for (int i = 0; i < ids.length; i++) { + ids[i] = iterator.next().getAlgorithmId(); + } + return setPreferredHashAlgorithms(new PreferredAlgorithms( + SignatureSubpacketTags.PREFERRED_HASH_ALGS, isCritical, ids)); + } + + @Override + public SignatureSubpackets setPreferredHashAlgorithms(@Nullable PreferredAlgorithms algorithms) { + if (algorithms == null) { + preferredHashAlgorithms = null; + return this; + } + + if (algorithms.getType() != SignatureSubpacketTags.PREFERRED_HASH_ALGS) { + throw new IllegalArgumentException("Invalid preferred hash algorithms type."); + } + this.preferredHashAlgorithms = algorithms; + return this; + } + + public PreferredAlgorithms getPreferredHashAlgorithmsSubpacket() { + return preferredHashAlgorithms; + } + + @Override + public SignatureSubpackets addNotationData(boolean isCritical, @Nonnull String notationName, @Nonnull String notationValue) { + return addNotationData(isCritical, true, notationName, notationValue); + } + + @Override + public SignatureSubpackets addNotationData(boolean isCritical, boolean isHumanReadable, @Nonnull String notationName, @Nonnull String notationValue) { + return addNotationData(new NotationData(isCritical, isHumanReadable, notationName, notationValue)); + } + + @Override + public SignatureSubpackets addNotationData(@Nonnull NotationData notationData) { + notationDataList.add(notationData); + return this; + } + + @Override + public SignatureSubpackets clearNotationData() { + notationDataList.clear(); + return this; + } + + public List getNotationDataSubpackets() { + return new ArrayList<>(notationDataList); + } + + @Override + public SignatureSubpackets addIntendedRecipientFingerprint(@Nonnull PGPPublicKey recipient) { + return addIntendedRecipientFingerprint(false, recipient); + } + + @Override + public SignatureSubpackets addIntendedRecipientFingerprint(boolean isCritical, @Nonnull PGPPublicKey recipient) { + return addIntendedRecipientFingerprint(new IntendedRecipientFingerprint(isCritical, recipient.getVersion(), recipient.getFingerprint())); + } + + @Override + public SignatureSubpackets addIntendedRecipientFingerprint(IntendedRecipientFingerprint intendedRecipientFingerprint) { + this.intendedRecipientFingerprintList.add(intendedRecipientFingerprint); + return this; + } + + @Override + public SignatureSubpackets clearIntendedRecipientFingerprints() { + intendedRecipientFingerprintList.clear(); + return this; + } + + public List getIntendedRecipientFingerprintSubpackets() { + return new ArrayList<>(intendedRecipientFingerprintList); + } + + @Override + public SignatureSubpackets setExportable(boolean isCritical, boolean isExportable) { + return setExportable(new Exportable(isCritical, isExportable)); + } + + @Override + public SignatureSubpackets setExportable(@Nullable Exportable exportable) { + this.exportable = exportable; + return this; + } + + public Exportable getExportableSubpacket() { + return exportable; + } + + @Override + public SignatureSubpackets setRevocable(boolean isCritical, boolean isRevocable) { + return setRevocable(new Revocable(isCritical, isRevocable)); + } + + @Override + public SignatureSubpackets setRevocable(@Nullable Revocable revocable) { + this.revocable = revocable; + return this; + } + + public Revocable getRevocableSubpacket() { + return revocable; + } + + @Override + public SignatureSubpackets addRevocationKey(@Nonnull PGPPublicKey revocationKey) { + return addRevocationKey(true, revocationKey); + } + + @Override + public SignatureSubpackets addRevocationKey(boolean isCritical, @Nonnull PGPPublicKey revocationKey) { + return addRevocationKey(isCritical, false, revocationKey); + } + + @Override + public SignatureSubpackets addRevocationKey(boolean isCritical, boolean isSensitive, @Nonnull PGPPublicKey revocationKey) { + byte clazz = (byte) 0x80; + clazz |= (isSensitive ? 0x40 : 0x00); + return addRevocationKey(new RevocationKey(isCritical, clazz, revocationKey.getAlgorithm(), revocationKey.getFingerprint())); + } + + @Override + public SignatureSubpackets addRevocationKey(@Nonnull RevocationKey revocationKey) { + this.revocationKeyList.add(revocationKey); + return this; + } + + @Override + public SignatureSubpackets clearRevocationKeys() { + revocationKeyList.clear(); + return this; + } + + public List getRevocationKeySubpackets() { + return new ArrayList<>(revocationKeyList); + } + + @Override + public SignatureSubpackets setRevocationReason(RevocationAttributes revocationAttributes) { + return setRevocationReason(true, revocationAttributes); + } + + @Override + public SignatureSubpackets setRevocationReason(boolean isCritical, RevocationAttributes revocationAttributes) { + return setRevocationReason(isCritical, revocationAttributes.getReason(), revocationAttributes.getDescription()); + } + + @Override + public SignatureSubpackets setRevocationReason(boolean isCritical, RevocationAttributes.Reason reason, @Nonnull String description) { + return setRevocationReason(new RevocationReason(isCritical, reason.code(), description)); + } + + @Override + public SignatureSubpackets setRevocationReason(@Nullable RevocationReason reason) { + this.revocationReason = reason; + return this; + } + + public RevocationReason getRevocationReasonSubpacket() { + return revocationReason; + } + + @Override + public SignatureSubpackets setSignatureTarget(@Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { + return setSignatureTarget(true, keyAlgorithm, hashAlgorithm, hashData); + } + + @Override + public SignatureSubpackets setSignatureTarget(boolean isCritical, @Nonnull PublicKeyAlgorithm keyAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, @Nonnull byte[] hashData) { + return setSignatureTarget(new SignatureTarget(isCritical, keyAlgorithm.getAlgorithmId(), hashAlgorithm.getAlgorithmId(), hashData)); + } + + @Override + public SignatureSubpackets setSignatureTarget(@Nullable SignatureTarget signatureTarget) { + this.signatureTarget = signatureTarget; + return this; + } + + public SignatureTarget getSignatureTargetSubpacket() { + return signatureTarget; + } + + @Override + public SignatureSubpackets setFeatures(Feature... features) { + return setFeatures(true, features); + } + + @Override + public SignatureSubpackets setFeatures(boolean isCritical, Feature... features) { + byte bitmask = Feature.toBitmask(features); + return setFeatures(new Features(isCritical, bitmask)); + } + + @Override + public SignatureSubpackets setFeatures(@Nullable Features features) { + this.features = features; + return this; + } + + public Features getFeaturesSubpacket() { + return features; + } + + @Override + public SignatureSubpackets setTrust(int depth, int amount) { + return setTrust(true, depth, amount); + } + + @Override + public SignatureSubpackets setTrust(boolean isCritical, int depth, int amount) { + return setTrust(new TrustSignature(isCritical, depth, amount)); + } + + @Override + public SignatureSubpackets setTrust(@Nullable TrustSignature trust) { + this.trust = trust; + return this; + } + + public TrustSignature getTrustSubpacket() { + return trust; + } + + @Override + public SignatureSubpackets addEmbeddedSignature(@Nonnull PGPSignature signature) throws IOException { + return addEmbeddedSignature(true, signature); + } + + @Override + public SignatureSubpackets addEmbeddedSignature(boolean isCritical, @Nonnull PGPSignature signature) throws IOException { + byte[] sig = signature.getEncoded(); + byte[] data; + + if (sig.length - 1 > 256) { + data = new byte[sig.length - 3]; + } + else { + data = new byte[sig.length - 2]; + } + + System.arraycopy(sig, sig.length - data.length, data, 0, data.length); + + return addEmbeddedSignature(new EmbeddedSignature(isCritical, false, data)); + } + + @Override + public SignatureSubpackets addEmbeddedSignature(@Nonnull EmbeddedSignature embeddedSignature) { + this.embeddedSignatureList.add(embeddedSignature); + return this; + } + + @Override + public SignatureSubpackets clearEmbeddedSignatures() { + this.embeddedSignatureList.clear(); + return this; + } + + public List getEmbeddedSignatureSubpackets() { + return new ArrayList<>(embeddedSignatureList); + } + + public SignatureSubpackets addResidualSubpacket(SignatureSubpacket subpacket) { + this.residualSubpackets.add(subpacket); + return this; + } + + public List getResidualSubpackets() { + return new ArrayList<>(residualSubpackets); + } + +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java new file mode 100644 index 00000000..34b717e9 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java @@ -0,0 +1,180 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.subpackets; + +import org.bouncycastle.bcpg.SignatureSubpacket; +import org.bouncycastle.bcpg.sig.EmbeddedSignature; +import org.bouncycastle.bcpg.sig.Exportable; +import org.bouncycastle.bcpg.sig.Features; +import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint; +import org.bouncycastle.bcpg.sig.KeyExpirationTime; +import org.bouncycastle.bcpg.sig.KeyFlags; +import org.bouncycastle.bcpg.sig.NotationData; +import org.bouncycastle.bcpg.sig.PreferredAlgorithms; +import org.bouncycastle.bcpg.sig.PrimaryUserID; +import org.bouncycastle.bcpg.sig.Revocable; +import org.bouncycastle.bcpg.sig.RevocationKey; +import org.bouncycastle.bcpg.sig.RevocationReason; +import org.bouncycastle.bcpg.sig.SignatureExpirationTime; +import org.bouncycastle.bcpg.sig.SignatureTarget; +import org.bouncycastle.bcpg.sig.SignerUserID; +import org.bouncycastle.bcpg.sig.TrustSignature; +import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.key.util.RevocationAttributes; + +public class SignatureSubpacketsHelper { + + public static SignatureSubpackets applyFrom(PGPSignatureSubpacketVector vector, SignatureSubpackets subpackets) { + for (SignatureSubpacket subpacket : vector.toArray()) { + org.pgpainless.algorithm.SignatureSubpacket type = org.pgpainless.algorithm.SignatureSubpacket.fromCode(subpacket.getType()); + switch (type) { + case signatureCreationTime: + case issuerKeyId: + case issuerFingerprint: + // ignore, we override this anyways + break; + case signatureExpirationTime: + SignatureExpirationTime sigExpTime = (SignatureExpirationTime) subpacket; + subpackets.setSignatureExpirationTime(sigExpTime.isCritical(), sigExpTime.getTime()); + break; + case exportableCertification: + Exportable exp = (Exportable) subpacket; + subpackets.setExportable(exp.isCritical(), exp.isExportable()); + break; + case trustSignature: + TrustSignature trustSignature = (TrustSignature) subpacket; + subpackets.setTrust(trustSignature.isCritical(), trustSignature.getDepth(), trustSignature.getTrustAmount()); + break; + case revocable: + Revocable rev = (Revocable) subpacket; + subpackets.setRevocable(rev.isCritical(), rev.isRevocable()); + break; + case keyExpirationTime: + KeyExpirationTime keyExpTime = (KeyExpirationTime) subpacket; + subpackets.setKeyExpirationTime(keyExpTime.isCritical(), keyExpTime.getTime()); + break; + case preferredSymmetricAlgorithms: + subpackets.setPreferredSymmetricKeyAlgorithms((PreferredAlgorithms) subpacket); + break; + case revocationKey: + RevocationKey revocationKey = (RevocationKey) subpacket; + subpackets.addRevocationKey(revocationKey); + break; + case notationData: + NotationData notationData = (NotationData) subpacket; + subpackets.addNotationData(notationData.isCritical(), notationData.getNotationName(), notationData.getNotationValue()); + break; + case preferredHashAlgorithms: + subpackets.setPreferredHashAlgorithms((PreferredAlgorithms) subpacket); + break; + case preferredCompressionAlgorithms: + subpackets.setPreferredCompressionAlgorithms((PreferredAlgorithms) subpacket); + break; + case primaryUserId: + PrimaryUserID primaryUserID = (PrimaryUserID) subpacket; + subpackets.setPrimaryUserId(primaryUserID); + break; + case keyFlags: + KeyFlags flags = (KeyFlags) subpacket; + subpackets.setKeyFlags(flags.isCritical(), KeyFlag.fromBitmask(flags.getFlags()).toArray(new KeyFlag[0])); + break; + case signerUserId: + SignerUserID signerUserID = (SignerUserID) subpacket; + subpackets.setSignerUserId(signerUserID.isCritical(), signerUserID.getID()); + break; + case revocationReason: + RevocationReason reason = (RevocationReason) subpacket; + subpackets.setRevocationReason(reason.isCritical(), + RevocationAttributes.Reason.fromCode(reason.getRevocationReason()), + reason.getRevocationDescription()); + break; + case features: + Features f = (Features) subpacket; + subpackets.setFeatures(f.isCritical(), Feature.fromBitmask(f.getData()[0]).toArray(new Feature[0])); + break; + case signatureTarget: + SignatureTarget target = (SignatureTarget) subpacket; + subpackets.setSignatureTarget(target.isCritical(), + PublicKeyAlgorithm.fromId(target.getPublicKeyAlgorithm()), + HashAlgorithm.fromId(target.getHashAlgorithm()), + target.getHashData()); + break; + case embeddedSignature: + EmbeddedSignature embeddedSignature = (EmbeddedSignature) subpacket; + subpackets.addEmbeddedSignature(embeddedSignature); + break; + case intendedRecipientFingerprint: + IntendedRecipientFingerprint intendedRecipientFingerprint = (IntendedRecipientFingerprint) subpacket; + subpackets.addIntendedRecipientFingerprint(intendedRecipientFingerprint); + break; + + case regularExpression: + case keyServerPreferences: + case preferredKeyServers: + case policyUrl: + case placeholder: + case preferredAEADAlgorithms: + case attestedCertification: + subpackets.addResidualSubpacket(subpacket); + break; + } + } + return subpackets; + } + + public static PGPSignatureSubpacketGenerator applyTo(SignatureSubpackets subpackets, PGPSignatureSubpacketGenerator generator) { + addSubpacket(generator, subpackets.getIssuerKeyIdSubpacket()); + addSubpacket(generator, subpackets.getIssuerFingerprintSubpacket()); + addSubpacket(generator, subpackets.getSignatureCreationTimeSubpacket()); + addSubpacket(generator, subpackets.getSignatureExpirationTimeSubpacket()); + addSubpacket(generator, subpackets.getExportableSubpacket()); + for (NotationData notationData : subpackets.getNotationDataSubpackets()) { + addSubpacket(generator, notationData); + } + for (IntendedRecipientFingerprint intendedRecipientFingerprint : subpackets.getIntendedRecipientFingerprintSubpackets()) { + addSubpacket(generator, intendedRecipientFingerprint); + } + for (RevocationKey revocationKey : subpackets.getRevocationKeySubpackets()) { + addSubpacket(generator, revocationKey); + } + addSubpacket(generator, subpackets.getSignatureTargetSubpacket()); + addSubpacket(generator, subpackets.getFeaturesSubpacket()); + addSubpacket(generator, subpackets.getKeyFlagsSubpacket()); + addSubpacket(generator, subpackets.getTrustSubpacket()); + addSubpacket(generator, subpackets.getPreferredCompressionAlgorithmsSubpacket()); + addSubpacket(generator, subpackets.getPreferredSymmetricKeyAlgorithmsSubpacket()); + addSubpacket(generator, subpackets.getPreferredHashAlgorithmsSubpacket()); + for (EmbeddedSignature embeddedSignature : subpackets.getEmbeddedSignatureSubpackets()) { + addSubpacket(generator, embeddedSignature); + } + addSubpacket(generator, subpackets.getSignerUserIdSubpacket()); + addSubpacket(generator, subpackets.getKeyExpirationTimeSubpacket()); + addSubpacket(generator, subpackets.getPrimaryUserIdSubpacket()); + addSubpacket(generator, subpackets.getRevocableSubpacket()); + addSubpacket(generator, subpackets.getRevocationReasonSubpacket()); + for (SignatureSubpacket subpacket : subpackets.getResidualSubpackets()) { + addSubpacket(generator, subpacket); + } + + return generator; + } + + private static void addSubpacket(PGPSignatureSubpacketGenerator generator, SignatureSubpacket subpacket) { + if (subpacket != null) { + generator.addCustomSubpacket(subpacket); + } + } + + public static PGPSignatureSubpacketVector toVector(SignatureSubpackets subpackets) { + PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); + applyTo(subpackets, generator); + return generator.generate(); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java similarity index 86% rename from pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java rename to pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java index a07f792e..988bc776 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorWrapperTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java @@ -57,12 +57,12 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.util.DateUtil; import org.pgpainless.util.Passphrase; -public class SignatureSubpacketGeneratorWrapperTest { +public class SignatureSubpacketsTest { private static PGPPublicKeyRing keys; private static PGPPublicKey key; - private SignatureSubpacketGeneratorWrapper wrapper; + private SignatureSubpackets wrapper; @BeforeAll public static void setup() throws IOException { @@ -72,27 +72,24 @@ public class SignatureSubpacketGeneratorWrapperTest { @BeforeEach public void createWrapper() { - wrapper = SignatureSubpacketGeneratorWrapper.createHashedSubpackets(key); + wrapper = SignatureSubpackets.createHashedSubpackets(key); } @Test public void initialStateTest() { - Date now = new Date(); - wrapper = SignatureSubpacketGeneratorWrapper.createHashedSubpackets(); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); - - assertEquals(now.getTime(), vector.getSignatureCreationTime().getTime(), 1000); + wrapper = new SignatureSubpackets(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); + assertNull(vector.getSignatureCreationTime()); } @Test public void initialStateFromKeyTest() throws PGPException { - Date now = new Date(); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(key.getKeyID(), vector.getIssuerKeyID()); assertEquals(key.getVersion(), vector.getIssuerFingerprint().getKeyVersion()); assertArrayEquals(key.getFingerprint(), vector.getIssuerFingerprint().getFingerprint()); - assertEquals(now.getTime(), vector.getSignatureCreationTime().getTime(), 2000); + assertNull(vector.getSignatureCreationTime()); assertEquals(0, vector.getKeyFlags()); assertEquals(0, vector.getSignatureExpirationTime()); @@ -116,7 +113,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testNullKeyId() { wrapper.setIssuerKeyId(null); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getIssuerKeyID()); } @@ -125,7 +122,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testNullFingerprint() { wrapper.setIssuerFingerprint((IssuerFingerprint) null); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertNull(vector.getIssuerFingerprint()); } @@ -134,7 +131,7 @@ public class SignatureSubpacketGeneratorWrapperTest { public void testAddNotationData() { wrapper.addNotationData(true, "critical@notation.data", "isCritical"); wrapper.addNotationData(false, "noncrit@notation.data", "notCritical"); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); NotationData[] notationData = vector.getNotationDataOccurrences(); assertEquals(2, notationData.length); @@ -151,7 +148,7 @@ public class SignatureSubpacketGeneratorWrapperTest { assertEquals("notCritical", second.getNotationValue()); wrapper.clearNotationData(); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getNotationDataOccurrences().length); } @@ -159,14 +156,14 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testIntendedRecipientFingerprints() { wrapper.addIntendedRecipientFingerprint(key); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(1, vector.getSubpackets(SignatureSubpacketTags.INTENDED_RECIPIENT_FINGERPRINT).length); assertArrayEquals(key.getFingerprint(), vector.getIntendedRecipientFingerprint().getFingerprint()); assertEquals(key.getVersion(), vector.getIntendedRecipientFingerprint().getKeyVersion()); wrapper.clearIntendedRecipientFingerprints(); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getSubpackets(SignatureSubpacketTags.INTENDED_RECIPIENT_FINGERPRINT).length); } @@ -178,7 +175,7 @@ public class SignatureSubpacketGeneratorWrapperTest { assertTrue(keyIterator.hasNext()); PGPPublicKey second = keyIterator.next(); wrapper.addRevocationKey(false, true, second); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); SignatureSubpacket[] revKeys = vector.getSubpackets(SignatureSubpacketTags.REVOCATION_KEY); assertEquals(2, revKeys.length); @@ -196,14 +193,14 @@ public class SignatureSubpacketGeneratorWrapperTest { assertEquals((byte) (0x80 | 0x40), r2.getSignatureClass()); wrapper.clearRevocationKeys(); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getSubpackets(SignatureSubpacketTags.REVOCATION_KEY).length); } @Test public void testSetKeyFlags() { wrapper.setKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA); // duplicates are removed - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(KeyFlag.toBitmask(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER), vector.getKeyFlags()); assertTrue(vector.getSubpacket(SignatureSubpacketTags.KEY_FLAGS).isCritical()); @@ -215,7 +212,7 @@ public class SignatureSubpacketGeneratorWrapperTest { long secondsInAWeek = 60 * 60 * 24 * 7; Date inAWeek = new Date(now.getTime() + 1000 * secondsInAWeek); wrapper.setSignatureExpirationTime(now, inAWeek); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(secondsInAWeek, vector.getSignatureExpirationTime()); } @@ -232,17 +229,19 @@ public class SignatureSubpacketGeneratorWrapperTest { public void testSignerUserId() { String userId = "Alice "; wrapper.setSignerUserId(userId); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(userId, vector.getSignerUserID()); } @Test public void testSetPrimaryUserId() { - assertFalse(wrapper.getGenerator().generate().isPrimaryUserID()); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); + assertFalse(vector.isPrimaryUserID()); wrapper.setPrimaryUserId(); - assertTrue(wrapper.getGenerator().generate().isPrimaryUserID()); + vector = SignatureSubpacketsHelper.toVector(wrapper); + assertTrue(vector.isPrimaryUserID()); } @Test @@ -250,7 +249,7 @@ public class SignatureSubpacketGeneratorWrapperTest { Date now = new Date(); long secondsSinceKeyCreation = (now.getTime() - key.getCreationTime().getTime()) / 1000; wrapper.setKeyExpirationTime(key, now); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(secondsSinceKeyCreation, vector.getKeyExpirationTime()); } @@ -264,7 +263,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetPreferredCompressionAlgorithms() { wrapper.setPreferredCompressionAlgorithms(CompressionAlgorithm.BZIP2, CompressionAlgorithm.ZIP, CompressionAlgorithm.BZIP2); // duplicates get removed - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); int[] ids = vector.getPreferredCompressionAlgorithms(); assertEquals(2, ids.length); @@ -272,11 +271,11 @@ public class SignatureSubpacketGeneratorWrapperTest { assertEquals(CompressionAlgorithm.ZIP.getAlgorithmId(), ids[1]); wrapper.setPreferredCompressionAlgorithms(); // empty - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getPreferredCompressionAlgorithms().length); wrapper.setPreferredCompressionAlgorithms((PreferredAlgorithms) null); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertNull(vector.getPreferredCompressionAlgorithms()); assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredCompressionAlgorithms( @@ -286,7 +285,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetPreferredSymmetricKeyAlgorithms() { wrapper.setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.AES_128); // duplicates get removed - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); int[] ids = vector.getPreferredSymmetricAlgorithms(); assertEquals(2, ids.length); @@ -294,11 +293,11 @@ public class SignatureSubpacketGeneratorWrapperTest { assertEquals(SymmetricKeyAlgorithm.AES_128.getAlgorithmId(), ids[1]); wrapper.setPreferredSymmetricKeyAlgorithms(); // empty - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getPreferredSymmetricAlgorithms().length); wrapper.setPreferredSymmetricKeyAlgorithms((PreferredAlgorithms) null); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertNull(vector.getPreferredCompressionAlgorithms()); assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredSymmetricKeyAlgorithms( @@ -308,7 +307,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetPreferredHashAlgorithms() { wrapper.setPreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA512); // duplicates get removed - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); int[] ids = vector.getPreferredHashAlgorithms(); assertEquals(2, ids.length); @@ -316,11 +315,11 @@ public class SignatureSubpacketGeneratorWrapperTest { assertEquals(HashAlgorithm.SHA384.getAlgorithmId(), ids[1]); wrapper.setPreferredHashAlgorithms(); // empty - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getPreferredHashAlgorithms().length); wrapper.setPreferredHashAlgorithms((PreferredAlgorithms) null); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertNull(vector.getPreferredHashAlgorithms()); assertThrows(IllegalArgumentException.class, () -> wrapper.setPreferredHashAlgorithms( @@ -330,14 +329,14 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetExportable() { wrapper.setExportable(true, false); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); Exportable exportable = (Exportable) vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE); assertTrue(exportable.isCritical()); assertFalse(exportable.isExportable()); wrapper.setExportable(false, true); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); exportable = (Exportable) vector.getSubpacket(SignatureSubpacketTags.EXPORTABLE); assertFalse(exportable.isCritical()); @@ -347,14 +346,14 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetRevocable() { wrapper.setRevocable(true, true); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); Revocable revocable = (Revocable) vector.getSubpacket(SignatureSubpacketTags.REVOCABLE); assertTrue(revocable.isCritical()); assertTrue(revocable.isRevocable()); wrapper.setRevocable(false, false); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); revocable = (Revocable) vector.getSubpacket(SignatureSubpacketTags.REVOCABLE); assertFalse(revocable.isCritical()); @@ -365,7 +364,7 @@ public class SignatureSubpacketGeneratorWrapperTest { public void testSetRevocationReason() { wrapper.setRevocationReason(RevocationAttributes.createKeyRevocation() .withReason(RevocationAttributes.Reason.KEY_RETIRED).withDescription("The key is too weak.")); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(1, vector.getSubpackets(SignatureSubpacketTags.REVOCATION_REASON).length); RevocationReason reason = (RevocationReason) vector.getSubpacket(SignatureSubpacketTags.REVOCATION_REASON); @@ -378,7 +377,7 @@ public class SignatureSubpacketGeneratorWrapperTest { byte[] hash = new byte[20]; new Random().nextBytes(hash); wrapper.setSignatureTarget(PublicKeyAlgorithm.fromId(key.getAlgorithm()), HashAlgorithm.SHA512, hash); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); SignatureTarget target = vector.getSignatureTarget(); assertNotNull(target); @@ -390,7 +389,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetFeatures() { wrapper.setFeatures(Feature.MODIFICATION_DETECTION, Feature.AEAD_ENCRYPTED_DATA); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); Features features = vector.getFeatures(); assertTrue(features.supportsModificationDetection()); @@ -401,7 +400,7 @@ public class SignatureSubpacketGeneratorWrapperTest { @Test public void testSetTrust() { wrapper.setTrust(10, 5); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); TrustSignature trustSignature = (TrustSignature) vector.getSubpacket(SignatureSubpacketTags.TRUST_SIG); assertNotNull(trustSignature); @@ -427,18 +426,18 @@ public class SignatureSubpacketGeneratorWrapperTest { wrapper.addEmbeddedSignature(sig1); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(1, vector.getEmbeddedSignatures().size()); assertArrayEquals(sig1.getSignature(), vector.getEmbeddedSignatures().get(0).getSignature()); wrapper.addEmbeddedSignature(sig2); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(2, vector.getEmbeddedSignatures().size()); assertArrayEquals(sig2.getSignature(), vector.getEmbeddedSignatures().get(1).getSignature()); wrapper.clearEmbeddedSignatures(); - vector = wrapper.getGenerator().generate(); + vector = SignatureSubpacketsHelper.toVector(wrapper); assertEquals(0, vector.getEmbeddedSignatures().size()); } @@ -486,8 +485,8 @@ public class SignatureSubpacketGeneratorWrapperTest { subpackets.addCustomSubpacket(aead); - SignatureSubpacketGeneratorWrapper wrapper = SignatureSubpacketGeneratorWrapper.createSubpacketsFrom(subpackets.generate()); - PGPSignatureSubpacketVector vector = wrapper.getGenerator().generate(); + SignatureSubpackets wrapper = SignatureSubpackets.createSubpacketsFrom(subpackets.generate()); + PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper); // Verify these are not extracted assertEquals(0, vector.getIssuerKeyID()); From a6181218a20aa5f8d82d9baf8afecd4af71a5b54 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 11 Nov 2021 13:07:49 +0100 Subject: [PATCH 0135/1450] Convert KeyRingBuilder fields to local variables --- .../key/generation/KeyRingBuilder.java | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index e62a9d15..731efef3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -53,10 +53,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private final Charset UTF8 = Charset.forName("UTF-8"); - private PGPSignatureGenerator signatureGenerator; - private PGPDigestCalculator keyFingerprintCalculator; - private PBESecretKeyEncryptor secretKeyEncryptor; - private KeySpec primaryKeySpec; private final List subkeySpecs = new ArrayList<>(); private final Set userIds = new LinkedHashSet<>(); @@ -127,8 +123,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { if (userIds.isEmpty()) { throw new IllegalStateException("At least one user-id is required."); } - keyFingerprintCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator(); - secretKeyEncryptor = buildSecretKeyEncryptor(); + PGPDigestCalculator keyFingerprintCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator(); + PBESecretKeyEncryptor secretKeyEncryptor = buildSecretKeyEncryptor(keyFingerprintCalculator); PBESecretKeyDecryptor secretKeyDecryptor = buildSecretKeyDecryptor(); passphrase.clear(); @@ -136,7 +132,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { // Generate Primary Key PGPKeyPair certKey = generateKeyPair(primaryKeySpec); PGPContentSignerBuilder signer = buildContentSigner(certKey); - signatureGenerator = new PGPSignatureGenerator(signer); + PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(signer); SignatureSubpackets hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); hashedSubPacketGenerator.setPrimaryUserId(); if (expirationDate != null) { @@ -147,7 +143,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPSignatureSubpacketVector hashedSubPackets = generator.generate(); // Generator which the user can get the key pair from - PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets); + PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, keyFingerprintCalculator, hashedSubPackets, secretKeyEncryptor); addSubKeys(certKey, ringGenerator); @@ -185,7 +181,9 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private PGPKeyRingGenerator buildRingGenerator(PGPKeyPair certKey, PGPContentSignerBuilder signer, - PGPSignatureSubpacketVector hashedSubPackets) + PGPDigestCalculator keyFingerprintCalculator, + PGPSignatureSubpacketVector hashedSubPackets, + PBESecretKeyEncryptor secretKeyEncryptor) throws PGPException { String primaryUserId = userIds.iterator().next(); return new PGPKeyRingGenerator( @@ -212,7 +210,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } } - private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary(PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) throws PGPException, IOException { + private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary(PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) + throws PGPException, IOException { int keyFlagMask = hashedSubpackets.getKeyFlags(); if (!KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.SIGN_DATA) && !KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.CERTIFY_OTHER)) { return hashedSubpackets; @@ -233,7 +232,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { hashAlgorithm.getAlgorithmId()); } - private PBESecretKeyEncryptor buildSecretKeyEncryptor() { + private PBESecretKeyEncryptor buildSecretKeyEncryptor(PGPDigestCalculator keyFingerprintCalculator) { SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy() .getDefaultSymmetricKeyAlgorithm(); if (!passphrase.isValid()) { @@ -268,29 +267,30 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { return pgpKeyPair; } + private static SecretKeyRingProtector protectorFromPassphrase(@Nonnull Passphrase passphrase, long keyId) { + if (!passphrase.isValid()) { + throw new IllegalStateException("Passphrase has been cleared."); + } + if (passphrase.isEmpty()) { + return SecretKeyRingProtector.unprotectedKeys(); + } else { + return SecretKeyRingProtector.unlockSingleKeyWith(passphrase, keyId); + } + } + public static PGPSecretKey generatePGPSecretKey(KeySpec keySpec, @Nonnull Passphrase passphrase, boolean isPrimary) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPDigestCalculator keyFingerprintCalculator = ImplementationFactory.getInstance() .getV4FingerprintCalculator(); PGPKeyPair keyPair = generateKeyPair(keySpec); - SecretKeyRingProtector protector; - synchronized (passphrase.lock) { - if (!passphrase.isValid()) { - throw new IllegalStateException("Passphrase has been cleared."); - } - if (!passphrase.isEmpty()) { - protector = SecretKeyRingProtector.unlockSingleKeyWith(passphrase, keyPair.getKeyID()); - } else { - protector = SecretKeyRingProtector.unprotectedKeys(); - } + SecretKeyRingProtector protector = protectorFromPassphrase(passphrase, keyPair.getKeyID()); - return new PGPSecretKey( - keyPair.getPrivateKey(), - keyPair.getPublicKey(), - keyFingerprintCalculator, - isPrimary, - protector.getEncryptor(keyPair.getKeyID())); - } + return new PGPSecretKey( + keyPair.getPrivateKey(), + keyPair.getPublicKey(), + keyFingerprintCalculator, + isPrimary, + protector.getEncryptor(keyPair.getKeyID())); } } From ab3ae15719bdb300a76d5f5841011805d80a6952 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 12 Nov 2021 15:07:09 +0100 Subject: [PATCH 0136/1450] Ensure keyflags are set when adding userid --- .../secretkeyring/SecretKeyRingEditor.java | 17 +++--- .../builder/AbstractSignatureBuilder.java | 53 +++++++++++++------ .../subpackets/SignatureSubpackets.java | 4 ++ 3 files changed, 47 insertions(+), 27 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index cc20a156..1ceea650 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -37,7 +37,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.PGPDigestCalculator; -import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; @@ -45,6 +45,7 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeyRingBuilder; import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.CachingSecretKeyRingProtector; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; @@ -58,6 +59,7 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; +import org.pgpainless.signature.builder.SignatureFactory; import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; @@ -67,11 +69,6 @@ import org.pgpainless.util.Passphrase; public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { - // Default algorithm for calculating private key checksums - // While I'd like to use something else, eg. SHA256, BC seems to lack support for - // calculating secret key checksums with algorithms other than SHA1. - private static final HashAlgorithm defaultDigestHashAlgorithm = HashAlgorithm.SHA1; - private PGPSecretKeyRing secretKeyRing; public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing) { @@ -98,8 +95,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { // add user-id certificate to primary key PGPSecretKey primaryKey = secretKeyIterator.next(); PGPPublicKey publicKey = primaryKey.getPublicKey(); - - SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + List keyFlags = info.getKeyFlagsOf(info.getKeyId()); + SelfSignatureBuilder builder = SignatureFactory.selfCertifyUserId(primaryKey, protector, signatureSubpacketCallback, keyFlags.toArray(new KeyFlag[0])); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); builder.applyCallback(signatureSubpacketCallback); PGPSignature signature = builder.build(publicKey, userId); @@ -155,8 +153,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PBESecretKeyDecryptor ringDecryptor = keyRingProtector.getDecryptor(primaryKey.getKeyID()); PBESecretKeyEncryptor subKeyEncryptor = subKeyProtector.getEncryptor(secretSubKey.getKeyID()); - PGPDigestCalculator digestCalculator = - ImplementationFactory.getInstance().getPGPDigestCalculator(defaultDigestHashAlgorithm); + PGPDigestCalculator digestCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator(); PGPContentSignerBuilder contentSignerBuilder = SignatureUtils.getPgpContentSignerBuilderForKey(primaryKey); diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index d919d49b..7b92ab02 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -24,6 +24,8 @@ import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; +import javax.annotation.Nonnull; + public abstract class AbstractSignatureBuilder> { protected final PGPPrivateKey privateSigningKey; protected final PGPPublicKey publicSigningKey; @@ -34,7 +36,12 @@ public abstract class AbstractSignatureBuilder hashAlgorithmPreferences = OpenPgpKeyAttributeUtil.getOrGuessPreferredHashAlgorithms(publicKey); return HashAlgorithmNegotiator.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) .negotiateHashAlgorithm(hashAlgorithmPreferences); } + public B overrideHashAlgorithm(@Nonnull HashAlgorithm hashAlgorithm) { + this.hashAlgorithm = hashAlgorithm; + return (B) this; + } + /** * Set the builders {@link SignatureType}. * Note that only those types who are valid for the concrete subclass of this {@link AbstractSignatureBuilder} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java index a7a5b71d..7076873f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java @@ -103,6 +103,10 @@ public class SignatureSubpackets return wrapper; } + public static SignatureSubpackets createEmptySubpackets() { + return new SignatureSubpackets(); + } + @Override public SignatureSubpackets setIssuerFingerprintAndKeyId(PGPPublicKey key) { setIssuerKeyId(key.getKeyID()); From 24aebfaf635016131c466350d45062693d622d66 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 16 Nov 2021 15:18:51 +0100 Subject: [PATCH 0137/1450] Rework subkey-revocation using new signature subpackets api --- .../secretkeyring/SecretKeyRingEditor.java | 224 ++++++++++-------- .../SecretKeyRingEditorInterface.java | 51 ++-- .../org/pgpainless/key/util/KeyRingUtils.java | 4 +- .../builder/RevocationSignatureBuilder.java | 15 +- .../subpackets/SignatureSubpacketsHelper.java | 6 + .../key/modification/RevokeSubKeyTest.java | 68 ++++++ 6 files changed, 254 insertions(+), 114 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 1ceea650..1510a865 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -58,9 +58,11 @@ import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder; +import org.pgpainless.signature.builder.RevocationSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; import org.pgpainless.signature.builder.SignatureFactory; import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder; +import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; @@ -79,10 +81,14 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface addUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException { + public SecretKeyRingEditorInterface addUserId( + String userId, + SecretKeyRingProtector secretKeyRingProtector) + throws PGPException { return addUserId(userId, null, secretKeyRingProtector); } + @Override public SecretKeyRingEditorInterface addUserId( String userId, @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, @@ -97,7 +103,11 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PGPPublicKey publicKey = primaryKey.getPublicKey(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); List keyFlags = info.getKeyFlagsOf(info.getKeyId()); - SelfSignatureBuilder builder = SignatureFactory.selfCertifyUserId(primaryKey, protector, signatureSubpacketCallback, keyFlags.toArray(new KeyFlag[0])); + SelfSignatureBuilder builder = SignatureFactory.selfCertifyUserId( + primaryKey, + protector, + signatureSubpacketCallback, + keyFlags.toArray(new KeyFlag[0])); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); builder.applyCallback(signatureSubpacketCallback); PGPSignature signature = builder.build(publicKey, userId); @@ -176,7 +186,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { SecretKeyRingProtector subkeyProtector, SecretKeyRingProtector primaryKeyProtector, KeyFlag keyFlag, - KeyFlag... additionalKeyFlags) throws PGPException, IOException { + KeyFlag... additionalKeyFlags) + throws PGPException, IOException { KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm()); SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm); @@ -214,17 +225,17 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) throws PGPException { - return revokeSubKey(secretKeyRing.getSecretKey().getKeyID(), secretKeyRingProtector, revocationAttributes); + RevocationSignatureSubpackets.Callback callback = callbackFromRevocationAttributes(revocationAttributes); + return revoke(secretKeyRingProtector, callback); } @Override - public SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, - SecretKeyRingProtector protector, - RevocationAttributes revocationAttributes) + public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { - return revokeSubKey(fingerprint.getKeyId(), protector, revocationAttributes); + return revokeSubKey(secretKeyRing.getSecretKey().getKeyID(), secretKeyRingProtector, subpacketsCallback); } @Override @@ -232,15 +243,75 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { SecretKeyRingProtector protector, RevocationAttributes revocationAttributes) throws PGPException { - PGPPublicKey revokeeSubKey = secretKeyRing.getPublicKey(subKeyId); - if (revokeeSubKey == null) { - throw new NoSuchElementException("No subkey with id " + Long.toHexString(subKeyId) + " found."); - } + RevocationSignatureSubpackets.Callback callback = callbackFromRevocationAttributes(revocationAttributes); + return revokeSubKey(subKeyId, protector, callback); + } - secretKeyRing = revokeSubKey(protector, revokeeSubKey, revocationAttributes); + @Override + public SecretKeyRingEditorInterface revokeSubKey(long keyID, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + throws PGPException { + PGPPublicKey revokeeSubKey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, keyID); + PGPSignature subKeyRevocation = generateRevocation(secretKeyRingProtector, revokeeSubKey, + subpacketsCallback); + revokeeSubKey = PGPPublicKey.addCertification(revokeeSubKey, subKeyRevocation); + + // Inject revoked public key into key ring + PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing); + publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, revokeeSubKey); + secretKeyRing = PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing); return this; } + @Override + public PGPSignature createRevocationCertificate(SecretKeyRingProtector secretKeyRingProtector, + RevocationAttributes revocationAttributes) + throws PGPException { + PGPPublicKey revokeeSubKey = secretKeyRing.getPublicKey(); + PGPSignature revocationCertificate = generateRevocation( + secretKeyRingProtector, revokeeSubKey, callbackFromRevocationAttributes(revocationAttributes)); + return revocationCertificate; + } + + @Override + public PGPSignature createRevocationCertificate( + long subkeyId, + SecretKeyRingProtector secretKeyRingProtector, + RevocationAttributes revocationAttributes) + throws PGPException { + PGPPublicKey revokeeSubkey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId); + RevocationSignatureSubpackets.Callback callback = callbackFromRevocationAttributes(revocationAttributes); + return generateRevocation(secretKeyRingProtector, revokeeSubkey, callback); + } + + private PGPSignature generateRevocation(SecretKeyRingProtector protector, + PGPPublicKey revokeeSubKey, + @Nullable RevocationSignatureSubpackets.Callback callback) + throws PGPException { + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); + SignatureType signatureType = revokeeSubKey.isMasterKey() ? + SignatureType.KEY_REVOCATION : SignatureType.SUBKEY_REVOCATION; + + RevocationSignatureBuilder signatureBuilder = + new RevocationSignatureBuilder(signatureType, primaryKey, protector); + signatureBuilder.applyCallback(callback); + PGPSignature revocation = signatureBuilder.build(revokeeSubKey); + return revocation; + } + + private static RevocationSignatureSubpackets.Callback callbackFromRevocationAttributes( + RevocationAttributes attributes) { + return new RevocationSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) { + if (attributes != null) { + hashedSubpackets.setRevocationReason(attributes); + } + } + }; + } + @Override public SecretKeyRingEditorInterface revokeUserId(String userId, SecretKeyRingProtector secretKeyRingProtector, @@ -262,7 +333,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { private SecretKeyRingEditorInterface doRevokeUserId(String userId, SecretKeyRingProtector protector, - RevocationAttributes revocationAttributes) throws PGPException { + RevocationAttributes revocationAttributes) + throws PGPException { PGPSecretKey primarySecretKey = secretKeyRing.getSecretKey(); PGPPublicKey primaryPublicKey = primarySecretKey.getPublicKey(); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primarySecretKey, protector); @@ -277,7 +349,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { && reason != RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) { throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID"); } - subpacketGenerator.setRevocationReason(false, revocationAttributes.getReason().code(), revocationAttributes.getDescription()); + subpacketGenerator.setRevocationReason( + false, + revocationAttributes.getReason().code(), + revocationAttributes.getDescription()); } PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primarySecretKey); @@ -353,7 +428,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { PGPSignatureSubpacketVector oldSubpackets = oldSignature.getHashedSubPackets(); PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(oldSubpackets); SignatureSubpacketGeneratorUtil.setSignatureCreationTimeInSubpacketGenerator(new Date(), subpacketGenerator); - SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator(expiration, subjectPubKey.getCreationTime(), subpacketGenerator); + SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator( + expiration, subjectPubKey.getCreationTime(), subpacketGenerator); PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey); signatureGenerator.setHashedSubpackets(subpacketGenerator.generate()); @@ -369,7 +445,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } else { signatureGenerator.init(PGPSignature.SUBKEY_BINDING, privateKey); - PGPSignature signature = signatureGenerator.generateCertification(primaryKey.getPublicKey(), subjectPubKey); + PGPSignature signature = signatureGenerator.generateCertification( + primaryKey.getPublicKey(), subjectPubKey); subjectPubKey = PGPPublicKey.addCertification(subjectPubKey, signature); } @@ -391,82 +468,28 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } } if (oldSignature == null) { - throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + " does not have a previous positive/casual/generic certification signature."); + throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + + " does not have a previous positive/casual/generic certification signature."); } } else { - Iterator bindingSignatures = subjectPubKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode()); + Iterator bindingSignatures = subjectPubKey.getSignaturesOfType( + SignatureType.SUBKEY_BINDING.getCode()); while (bindingSignatures.hasNext()) { oldSignature = bindingSignatures.next(); } } if (oldSignature == null) { - throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + " does not have a previous subkey binding signature."); + throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + + " does not have a previous subkey binding signature."); } return oldSignature; } @Override - public PGPSignature createRevocationCertificate(SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) - throws PGPException { - PGPPublicKey revokeeSubKey = secretKeyRing.getPublicKey(); - PGPSignature revocationCertificate = generateRevocation(secretKeyRingProtector, revokeeSubKey, revocationAttributes); - return revocationCertificate; - } - - @Override - public PGPSignature createRevocationCertificate(long subkeyId, SecretKeyRingProtector secretKeyRingProtector, RevocationAttributes revocationAttributes) throws PGPException { - PGPPublicKey revokeeSubKey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId); - PGPSignature revocationCertificate = generateRevocation(secretKeyRingProtector, revokeeSubKey, revocationAttributes); - return revocationCertificate; - } - - private PGPSecretKeyRing revokeSubKey(SecretKeyRingProtector protector, - PGPPublicKey revokeeSubKey, - RevocationAttributes revocationAttributes) - throws PGPException { - PGPSignature subKeyRevocation = generateRevocation(protector, revokeeSubKey, revocationAttributes); - revokeeSubKey = PGPPublicKey.addCertification(revokeeSubKey, subKeyRevocation); - - // Inject revoked public key into key ring - PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing); - publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, revokeeSubKey); - return PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing); - } - - private PGPSignature generateRevocation(SecretKeyRingProtector protector, - PGPPublicKey revokeeSubKey, - RevocationAttributes revocationAttributes) - throws PGPException { - PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); - PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey); - PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(); - subpacketGenerator.setIssuerFingerprint(false, primaryKey); - - if (revocationAttributes != null) { - subpacketGenerator.setRevocationReason(false, revocationAttributes.getReason().code(), revocationAttributes.getDescription()); - } - - PGPSignatureSubpacketVector subPackets = subpacketGenerator.generate(); - signatureGenerator.setHashedSubpackets(subPackets); - - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, protector); - - PGPSignature revocation; - if (revokeeSubKey.isMasterKey()) { - signatureGenerator.init(SignatureType.KEY_REVOCATION.getCode(), privateKey); - revocation = signatureGenerator.generateCertification(revokeeSubKey); - } else { - signatureGenerator.init(SignatureType.SUBKEY_REVOCATION.getCode(), privateKey); - revocation = signatureGenerator.generateCertification(primaryKey.getPublicKey(), revokeeSubKey); - } - return revocation; - } - - @Override - public WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase(@Nullable Passphrase oldPassphrase, - @Nonnull KeyRingProtectionSettings oldProtectionSettings) { + public WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase( + @Nullable Passphrase oldPassphrase, + @Nonnull KeyRingProtectionSettings oldProtectionSettings) { SecretKeyRingProtector protector = new PasswordBasedSecretKeyRingProtector( oldProtectionSettings, new SolitaryPassphraseProvider(oldPassphrase)); @@ -475,9 +498,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase(@Nonnull Long keyId, - @Nullable Passphrase oldPassphrase, - @Nonnull KeyRingProtectionSettings oldProtectionSettings) { + public WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase( + @Nonnull Long keyId, + @Nullable Passphrase oldPassphrase, + @Nonnull KeyRingProtectionSettings oldProtectionSettings) { Map passphraseMap = Collections.singletonMap(keyId, oldPassphrase); SecretKeyRingProtector protector = new CachingSecretKeyRingProtector( passphraseMap, oldProtectionSettings, null); @@ -526,28 +550,35 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { private final KeyRingProtectionSettings newProtectionSettings; private final Long keyId; - private WithPassphraseImpl(Long keyId, SecretKeyRingProtector oldProtector, KeyRingProtectionSettings newProtectionSettings) { + private WithPassphraseImpl( + Long keyId, + SecretKeyRingProtector oldProtector, + KeyRingProtectionSettings newProtectionSettings) { this.keyId = keyId; this.oldProtector = oldProtector; this.newProtectionSettings = newProtectionSettings; } @Override - public SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase) throws PGPException { + public SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase) + throws PGPException { SecretKeyRingProtector newProtector = new PasswordBasedSecretKeyRingProtector( newProtectionSettings, new SolitaryPassphraseProvider(passphrase)); - PGPSecretKeyRing secretKeys = changePassphrase(keyId, SecretKeyRingEditor.this.secretKeyRing, oldProtector, newProtector); + PGPSecretKeyRing secretKeys = changePassphrase( + keyId, SecretKeyRingEditor.this.secretKeyRing, oldProtector, newProtector); SecretKeyRingEditor.this.secretKeyRing = secretKeys; return SecretKeyRingEditor.this; } @Override - public SecretKeyRingEditorInterface toNoPassphrase() throws PGPException { + public SecretKeyRingEditorInterface toNoPassphrase() + throws PGPException { SecretKeyRingProtector newProtector = new UnprotectedKeysProtector(); - PGPSecretKeyRing secretKeys = changePassphrase(keyId, SecretKeyRingEditor.this.secretKeyRing, oldProtector, newProtector); + PGPSecretKeyRing secretKeys = changePassphrase( + keyId, SecretKeyRingEditor.this.secretKeyRing, oldProtector, newProtector); SecretKeyRingEditor.this.secretKeyRing = secretKeys; return SecretKeyRingEditor.this; @@ -557,7 +588,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { private PGPSecretKeyRing changePassphrase(Long keyId, PGPSecretKeyRing secretKeys, SecretKeyRingProtector oldProtector, - SecretKeyRingProtector newProtector) throws PGPException { + SecretKeyRingProtector newProtector) + throws PGPException { List secretKeyList = new ArrayList<>(); if (keyId == null) { // change passphrase of whole key ring @@ -585,7 +617,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return newRing; } - private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector) throws PGPException { + private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector) + throws PGPException { boolean hasS2KUsageChecksum = false; for (PGPSecretKey secKey : secretKeys) { if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) { @@ -594,12 +627,17 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } } if (hasS2KUsageChecksum) { - secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(secretKeys, protector, true); + secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1( + secretKeys, protector, true); } return secretKeys; } - private static PGPSecretKey reencryptPrivateKey(PGPSecretKey secretKey, SecretKeyRingProtector oldProtector, SecretKeyRingProtector newProtector) throws PGPException { + private static PGPSecretKey reencryptPrivateKey( + PGPSecretKey secretKey, + SecretKeyRingProtector oldProtector, + SecretKeyRingProtector newProtector) + throws PGPException { S2K s2k = secretKey.getS2K(); // If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 541c0db8..117d52be 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -23,6 +23,7 @@ import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.UserId; +import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.util.Passphrase; @@ -48,6 +49,11 @@ public interface SecretKeyRingEditorInterface { */ SecretKeyRingEditorInterface addUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException; + SecretKeyRingEditorInterface addUserId( + String userId, + @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, + SecretKeyRingProtector protector) throws PGPException; + /** * Add a subkey to the key ring. * The subkey will be generated from the provided {@link KeySpec}. @@ -86,7 +92,7 @@ public interface SecretKeyRingEditorInterface { */ default SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return revoke(secretKeyRingProtector, null); + return revoke(secretKeyRingProtector, (RevocationAttributes) null); } /** @@ -98,9 +104,12 @@ public interface SecretKeyRingEditorInterface { * @return the builder */ SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) throws PGPException; + SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException; + /** * Revoke the subkey binding signature of a subkey. * The subkey with the provided fingerprint will be revoked. @@ -126,24 +135,13 @@ public interface SecretKeyRingEditorInterface { * @param revocationAttributes reason for the revocation * @return the builder */ - SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, + default SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, SecretKeyRingProtector secretKeyRingProtector, RevocationAttributes revocationAttributes) - throws PGPException; - - /** - * Revoke the subkey binding signature of a subkey. - * The subkey with the provided key-id will be revoked. - * If no suitable subkey is found, q {@link java.util.NoSuchElementException} will be thrown. - * - * @param subKeyId id of the subkey - * @param secretKeyRingProtector protector to unlock the secret key ring - * @return the builder - */ - default SecretKeyRingEditorInterface revokeSubKey(long subKeyId, - SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return revokeSubKey(subKeyId, secretKeyRingProtector, null); + return revokeSubKey(fingerprint.getKeyId(), + secretKeyRingProtector, + revocationAttributes); } /** @@ -161,6 +159,25 @@ public interface SecretKeyRingEditorInterface { RevocationAttributes revocationAttributes) throws PGPException; + /** + * Revoke the subkey binding signature of a subkey. + * The subkey with the provided key-id will be revoked. + * If no suitable subkey is found, q {@link java.util.NoSuchElementException} will be thrown. + * + * @param subKeyId id of the subkey + * @param secretKeyRingProtector protector to unlock the secret key ring + * @return the builder + */ + default SecretKeyRingEditorInterface revokeSubKey(long subKeyId, + SecretKeyRingProtector secretKeyRingProtector) + throws PGPException { + return revokeSubKey(subKeyId, secretKeyRingProtector, (RevocationSignatureSubpackets.Callback) null); + } + + SecretKeyRingEditorInterface revokeSubKey(long keyID, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + throws PGPException; /** * Revoke the given userID. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 99c4c894..7398edcd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -97,7 +97,7 @@ public final class KeyRingUtils { public static PGPPublicKey requirePublicKeyFrom(PGPKeyRing keyRing, long subKeyId) { PGPPublicKey publicKey = getPublicKeyFrom(keyRing, subKeyId); if (publicKey == null) { - throw new IllegalArgumentException("KeyRing does not contain public key with keyID " + Long.toHexString(subKeyId)); + throw new NoSuchElementException("KeyRing does not contain public key with keyID " + Long.toHexString(subKeyId)); } return publicKey; } @@ -105,7 +105,7 @@ public final class KeyRingUtils { public static PGPSecretKey requireSecretKeyFrom(PGPSecretKeyRing keyRing, long subKeyId) { PGPSecretKey secretKey = keyRing.getSecretKey(subKeyId); if (secretKey == null) { - throw new IllegalArgumentException("KeyRing does not contain secret key with keyID " + Long.toHexString(subKeyId)); + throw new NoSuchElementException("KeyRing does not contain secret key with keyID " + Long.toHexString(subKeyId)); } return secretKey; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index 2f7c304d..d9f6ece3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -6,8 +6,11 @@ package org.pgpainless.signature.builder; import javax.annotation.Nullable; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -46,7 +49,15 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder Date: Tue, 16 Nov 2021 15:35:17 +0100 Subject: [PATCH 0138/1450] Rework user-id revocation to use subpackets callback API --- .../secretkeyring/SecretKeyRingEditor.java | 59 +++++++++++-------- .../SecretKeyRingEditorInterface.java | 9 ++- .../builder/RevocationSignatureBuilder.java | 9 +++ 3 files changed, 51 insertions(+), 26 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 1510a865..3aab17c9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -315,7 +315,33 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface revokeUserId(String userId, SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) + throws PGPException { + if (revocationAttributes != null) { + RevocationAttributes.Reason reason = revocationAttributes.getReason(); + if (reason != RevocationAttributes.Reason.NO_REASON + && reason != RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) { + throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID"); + } + } + + RevocationSignatureSubpackets.Callback callback = new RevocationSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) { + if (revocationAttributes != null) { + hashedSubpackets.setRevocationReason(false, revocationAttributes); + } + } + }; + + return revokeUserId(userId, secretKeyRingProtector, callback); + } + + @Override + public SecretKeyRingEditorInterface revokeUserId( + String userId, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) throws PGPException { Iterator userIds = secretKeyRing.getPublicKey().getUserIDs(); boolean found = false; @@ -328,38 +354,23 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { if (!found) { throw new NoSuchElementException("No user-id '" + userId + "' found on the key."); } - return doRevokeUserId(userId, secretKeyRingProtector, revocationAttributes); + return doRevokeUserId(userId, secretKeyRingProtector, subpacketCallback); } private SecretKeyRingEditorInterface doRevokeUserId(String userId, SecretKeyRingProtector protector, - RevocationAttributes revocationAttributes) + @Nullable RevocationSignatureSubpackets.Callback callback) throws PGPException { PGPSecretKey primarySecretKey = secretKeyRing.getSecretKey(); PGPPublicKey primaryPublicKey = primarySecretKey.getPublicKey(); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primarySecretKey, protector); + RevocationSignatureBuilder signatureBuilder = new RevocationSignatureBuilder( + SignatureType.CERTIFICATION_REVOCATION, + primarySecretKey, + protector); - PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(); - subpacketGenerator.setSignatureCreationTime(false, new Date()); - subpacketGenerator.setRevocable(false, false); - subpacketGenerator.setIssuerFingerprint(false, primarySecretKey); - if (revocationAttributes != null) { - RevocationAttributes.Reason reason = revocationAttributes.getReason(); - if (reason != RevocationAttributes.Reason.NO_REASON - && reason != RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) { - throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID"); - } - subpacketGenerator.setRevocationReason( - false, - revocationAttributes.getReason().code(), - revocationAttributes.getDescription()); - } + signatureBuilder.applyCallback(callback); - PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primarySecretKey); - signatureGenerator.setHashedSubpackets(subpacketGenerator.generate()); - signatureGenerator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey); - - PGPSignature revocationSignature = signatureGenerator.generateCertification(userId, primaryPublicKey); + PGPSignature revocationSignature = signatureBuilder.build(userId); primaryPublicKey = PGPPublicKey.addCertification(primaryPublicKey, userId, revocationSignature); PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 117d52be..41a395f9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -190,7 +190,7 @@ public interface SecretKeyRingEditorInterface { default SecretKeyRingEditorInterface revokeUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return revokeUserId(userId, secretKeyRingProtector, null); + return revokeUserId(userId, secretKeyRingProtector, (RevocationAttributes) null); } /** @@ -203,9 +203,14 @@ public interface SecretKeyRingEditorInterface { */ SecretKeyRingEditorInterface revokeUserId(String userId, SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) throws PGPException; + SecretKeyRingEditorInterface revokeUserId(String userId, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) + throws PGPException; + /** * Set the expiration date for the primary key of the key ring. * If the key is supposed to never expire, then an expiration date of null is expected. diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index d9f6ece3..3449a5dd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -20,6 +20,7 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder Date: Sat, 20 Nov 2021 16:07:27 +0100 Subject: [PATCH 0139/1450] Wip --- .../key/generation/KeyRingBuilder.java | 41 +---- .../pgpainless/key/generation/KeySpec.java | 2 +- .../secretkeyring/SecretKeyRingEditor.java | 167 ++++++++---------- .../SecretKeyRingEditorInterface.java | 26 ++- .../org/pgpainless/key/util/KeyRingUtils.java | 127 +++++++++++-- .../signature/builder/SignatureFactory.java | 121 +------------ .../org/pgpainless/example/ModifyKeys.java | 2 +- ...ithModifiedBindingSignatureSubpackets.java | 41 ++--- .../key/modification/RevokeSubKeyTest.java | 10 +- .../SubkeyBindingSignatureBuilderTest.java | 75 -------- 10 files changed, 238 insertions(+), 374 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 731efef3..13baf553 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -42,7 +42,6 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.provider.ProviderFactory; import org.pgpainless.signature.subpackets.SignatureSubpackets; @@ -133,6 +132,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPKeyPair certKey = generateKeyPair(primaryKeySpec); PGPContentSignerBuilder signer = buildContentSigner(certKey); PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(signer); + + // Prepare primary user-id sig SignatureSubpackets hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); hashedSubPacketGenerator.setPrimaryUserId(); if (expirationDate != null) { @@ -142,9 +143,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { SignatureSubpacketsHelper.applyTo(hashedSubPacketGenerator, generator); PGPSignatureSubpacketVector hashedSubPackets = generator.generate(); - // Generator which the user can get the key pair from PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, keyFingerprintCalculator, hashedSubPackets, secretKeyEncryptor); - addSubKeys(certKey, ringGenerator); // Generate secret key ring with only primary user id @@ -155,10 +154,10 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { // Attempt to add additional user-ids to the primary public key PGPPublicKey primaryPubKey = secretKeys.next().getPublicKey(); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeyRing.getSecretKey(), secretKeyDecryptor); - Iterator additionalUserIds = userIds.iterator(); - additionalUserIds.next(); // Skip primary user id - while (additionalUserIds.hasNext()) { - String additionalUserId = additionalUserIds.next(); + Iterator userIdIterator = this.userIds.iterator(); + userIdIterator.next(); // Skip primary user id + while (userIdIterator.hasNext()) { + String additionalUserId = userIdIterator.next(); signatureGenerator.init(SignatureType.POSITIVE_CERTIFICATION.getCode(), privateKey); PGPSignature additionalUserIdSignature = signatureGenerator.generateCertification(additionalUserId, primaryPubKey); @@ -175,7 +174,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { secretKeyList.add(secretKeys.next()); } secretKeyRing = new PGPSecretKeyRing(secretKeyList); - return secretKeyRing; } @@ -266,31 +264,4 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPKeyPair pgpKeyPair = ImplementationFactory.getInstance().getPGPKeyPair(type.getAlgorithm(), keyPair, new Date()); return pgpKeyPair; } - - private static SecretKeyRingProtector protectorFromPassphrase(@Nonnull Passphrase passphrase, long keyId) { - if (!passphrase.isValid()) { - throw new IllegalStateException("Passphrase has been cleared."); - } - if (passphrase.isEmpty()) { - return SecretKeyRingProtector.unprotectedKeys(); - } else { - return SecretKeyRingProtector.unlockSingleKeyWith(passphrase, keyId); - } - } - - public static PGPSecretKey generatePGPSecretKey(KeySpec keySpec, @Nonnull Passphrase passphrase, boolean isPrimary) - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPDigestCalculator keyFingerprintCalculator = ImplementationFactory.getInstance() - .getV4FingerprintCalculator(); - PGPKeyPair keyPair = generateKeyPair(keySpec); - - SecretKeyRingProtector protector = protectorFromPassphrase(passphrase, keyPair.getKeyID()); - - return new PGPSecretKey( - keyPair.getPrivateKey(), - keyPair.getPublicKey(), - keyFingerprintCalculator, - isPrimary, - protector.getEncryptor(keyPair.getKeyID())); - } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 2249c854..5032c83a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -47,7 +47,7 @@ public class KeySpec { } @Nonnull - SignatureSubpackets getSubpacketGenerator() { + public SignatureSubpackets getSubpacketGenerator() { return subpacketGenerator; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 3aab17c9..1a6585b9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -26,7 +26,6 @@ import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyRingGenerator; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; @@ -36,11 +35,12 @@ import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; -import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeyRingBuilder; @@ -57,14 +57,14 @@ import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvi import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; -import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder; import org.pgpainless.signature.builder.RevocationSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; import org.pgpainless.signature.builder.SignatureFactory; -import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; +import org.pgpainless.signature.subpackets.SignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.Passphrase; @@ -95,33 +95,21 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { SecretKeyRingProtector protector) throws PGPException { userId = sanitizeUserId(userId); - List secretKeyList = new ArrayList<>(); - Iterator secretKeyIterator = secretKeyRing.getSecretKeys(); + // user-id certifications live on the primary key + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); - // add user-id certificate to primary key - PGPSecretKey primaryKey = secretKeyIterator.next(); - PGPPublicKey publicKey = primaryKey.getPublicKey(); + // retain key flags from previous signature KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); List keyFlags = info.getKeyFlagsOf(info.getKeyId()); + SelfSignatureBuilder builder = SignatureFactory.selfCertifyUserId( primaryKey, protector, signatureSubpacketCallback, - keyFlags.toArray(new KeyFlag[0])); + keyFlags); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); - builder.applyCallback(signatureSubpacketCallback); - PGPSignature signature = builder.build(publicKey, userId); - - publicKey = PGPPublicKey.addCertification(publicKey, - userId, signature); - primaryKey = PGPSecretKey.replacePublicKey(primaryKey, publicKey); - secretKeyList.add(primaryKey); - - while (secretKeyIterator.hasNext()) { - secretKeyList.add(secretKeyIterator.next()); - } - - secretKeyRing = new PGPSecretKeyRing(secretKeyList); + PGPSignature signature = builder.build(primaryKey.getPublicKey(), userId); + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, signature); return this; } @@ -138,51 +126,30 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { public SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, @Nonnull Passphrase subKeyPassphrase, SecretKeyRingProtector secretKeyRingProtector) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { + + PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); - PGPSecretKey secretSubKey = generateSubKey(keySpec, subKeyPassphrase); SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector - .forKey(secretSubKey, subKeyPassphrase); - PGPSignatureSubpacketVector hashedSubpackets = keySpec.getSubpackets(); - PGPSignatureSubpacketVector unhashedSubpackets = null; + .forKeyId(keyPair.getKeyID(), subKeyPassphrase); - return addSubKey(secretSubKey, hashedSubpackets, unhashedSubpackets, subKeyProtector, secretKeyRingProtector); + SelfSignatureSubpackets.Callback callback = new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + SignatureSubpacketsHelper.applyFrom(keySpec.getSubpackets(), (SignatureSubpackets) hashedSubpackets); + } + }; + + List keyFlags = KeyFlag.fromBitmask(keySpec.getSubpackets().getKeyFlags()); + KeyFlag firstFlag = keyFlags.remove(0); + KeyFlag[] otherFlags = keyFlags.toArray(new KeyFlag[0]); + + return addSubKey(keyPair, callback, subKeyProtector, secretKeyRingProtector, firstFlag, otherFlags); } @Override - @Deprecated - public SecretKeyRingEditorInterface addSubKey(PGPSecretKey secretSubKey, - PGPSignatureSubpacketVector hashedSubpackets, - PGPSignatureSubpacketVector unhashedSubpackets, - SecretKeyRingProtector subKeyProtector, - SecretKeyRingProtector keyRingProtector) - throws PGPException { - - PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey(); - - PBESecretKeyDecryptor ringDecryptor = keyRingProtector.getDecryptor(primaryKey.getKeyID()); - PBESecretKeyEncryptor subKeyEncryptor = subKeyProtector.getEncryptor(secretSubKey.getKeyID()); - - PGPDigestCalculator digestCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator(); - PGPContentSignerBuilder contentSignerBuilder = - SignatureUtils.getPgpContentSignerBuilderForKey(primaryKey); - - PGPPrivateKey privateSubKey = UnlockSecretKey.unlockSecretKey(secretSubKey, subKeyProtector); - PGPKeyPair subKeyPair = new PGPKeyPair(secretSubKey.getPublicKey(), privateSubKey); - - PGPKeyRingGenerator keyRingGenerator = new PGPKeyRingGenerator( - secretKeyRing, ringDecryptor, digestCalculator, contentSignerBuilder, subKeyEncryptor); - - keyRingGenerator.addSubKey(subKeyPair, hashedSubpackets, unhashedSubpackets); - secretKeyRing = keyRingGenerator.generateSecretKeyRing(); - - return this; - } - - @Override - public SecretKeyRingEditorInterface addSubKey(PGPSecretKey subkey, + public SecretKeyRingEditorInterface addSubKey(PGPKeyPair subkey, @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, - @Nullable SelfSignatureSubpackets.Callback backSignatureCallback, SecretKeyRingProtector subkeyProtector, SecretKeyRingProtector primaryKeyProtector, KeyFlag keyFlag, @@ -193,36 +160,49 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm); PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); - SubkeyBindingSignatureBuilder bindingSigBuilder = - new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.fromId(primaryKey.getPublicKey().getAlgorithm()); + HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator + .negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) + .negotiateHashAlgorithm(info.getPreferredHashAlgorithms()); - bindingSigBuilder.applyCallback(bindingSignatureCallback); - bindingSigBuilder.getHashedSubpackets().setKeyFlags(flags); + // While we'd like to rely on our own BindingSignatureBuilder implementation, + // unfortunately we have to use BCs PGPKeyRingGenerator class since there is no public constructor + // for subkeys. See https://github.com/bcgit/bc-java/pull/1063 + PGPKeyRingGenerator ringGenerator = new PGPKeyRingGenerator( + secretKeyRing, + primaryKeyProtector.getDecryptor(primaryKey.getKeyID()), + ImplementationFactory.getInstance().getV4FingerprintCalculator(), + ImplementationFactory.getInstance().getPGPContentSignerBuilder( + signingKeyAlgorithm, hashAlgorithm), + subkeyProtector.getEncryptor(subkey.getKeyID())); + + SelfSignatureSubpackets hashedSubpackets = SignatureSubpackets.createHashedSubpackets(primaryKey.getPublicKey()); + SelfSignatureSubpackets unhashedSubpackets = SignatureSubpackets.createEmptySubpackets(); + hashedSubpackets.setKeyFlags(flags); + + if (bindingSignatureCallback != null) { + bindingSignatureCallback.modifyHashedSubpackets(hashedSubpackets); + bindingSignatureCallback.modifyUnhashedSubpackets(unhashedSubpackets); + } boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); + PGPContentSignerBuilder primaryKeyBindingSigner = null; if (isSigningKey) { - // Add embedded back-signature made by subkey over primary key - PrimaryKeyBindingSignatureBuilder backSigBuilder = - new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); - backSigBuilder.applyCallback(backSignatureCallback); - PGPSignature backSig = backSigBuilder.build(primaryKey.getPublicKey()); - bindingSigBuilder.getHashedSubpackets().addEmbeddedSignature(backSig); + primaryKeyBindingSigner = ImplementationFactory.getInstance().getPGPContentSignerBuilder(subkeyAlgorithm, hashAlgorithm); } - PGPSignature bindingSig = bindingSigBuilder.build(subkey.getPublicKey()); - subkey = KeyRingUtils.secretKeyPlusSignature(subkey, bindingSig); - secretKeyRing = KeyRingUtils.secretKeysPlusSecretKey(secretKeyRing, subkey); + ringGenerator.addSubKey(subkey, + SignatureSubpacketsHelper.toVector((SignatureSubpackets) hashedSubpackets), + SignatureSubpacketsHelper.toVector((SignatureSubpackets) unhashedSubpackets), + primaryKeyBindingSigner); + + secretKeyRing = ringGenerator.generateSecretKeyRing(); return this; } - private PGPSecretKey generateSubKey(@Nonnull KeySpec keySpec, - @Nonnull Passphrase subKeyPassphrase) - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - return KeyRingBuilder.generatePGPSecretKey(keySpec, subKeyPassphrase, false); - } - @Override public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationAttributes revocationAttributes) @@ -252,15 +232,13 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { + // retrieve subkey to be revoked PGPPublicKey revokeeSubKey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, keyID); + // create revocation PGPSignature subKeyRevocation = generateRevocation(secretKeyRingProtector, revokeeSubKey, subpacketsCallback); - revokeeSubKey = PGPPublicKey.addCertification(revokeeSubKey, subKeyRevocation); - - // Inject revoked public key into key ring - PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing); - publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, revokeeSubKey); - secretKeyRing = PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing); + // inject revocation sig into key ring + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, revokeeSubKey, subKeyRevocation); return this; } @@ -285,6 +263,16 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return generateRevocation(secretKeyRingProtector, revokeeSubkey, callback); } + @Override + public PGPSignature createRevocationCertificate( + long subkeyId, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback) + throws PGPException { + PGPPublicKey revokeeSubkey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId); + return generateRevocation(secretKeyRingProtector, revokeeSubkey, certificateSubpacketsCallback); + } + private PGPSignature generateRevocation(SecretKeyRingProtector protector, PGPPublicKey revokeeSubKey, @Nullable RevocationSignatureSubpackets.Callback callback) @@ -371,12 +359,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { signatureBuilder.applyCallback(callback); PGPSignature revocationSignature = signatureBuilder.build(userId); - primaryPublicKey = PGPPublicKey.addCertification(primaryPublicKey, userId, revocationSignature); - - PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing); - publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, primaryPublicKey); - secretKeyRing = PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing); - + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, revocationSignature); return this; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 41a395f9..f2a64190 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -12,10 +12,9 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeySpec; @@ -66,18 +65,10 @@ public interface SecretKeyRingEditorInterface { SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, @Nullable Passphrase subKeyPassphrase, SecretKeyRingProtector secretKeyRingProtector) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException; + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException; - @Deprecated - SecretKeyRingEditorInterface addSubKey(PGPSecretKey subKey, - PGPSignatureSubpacketVector hashedSubpackets, - PGPSignatureSubpacketVector unhashedSubpackets, - SecretKeyRingProtector subKeyProtector, SecretKeyRingProtector keyRingProtector) - throws PGPException; - - SecretKeyRingEditorInterface addSubKey(PGPSecretKey subkey, + SecretKeyRingEditorInterface addSubKey(PGPKeyPair subkey, @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, - @Nullable SelfSignatureSubpackets.Callback backSignatureCallback, SecretKeyRingProtector subkeyProtector, SecretKeyRingProtector primaryKeyProtector, KeyFlag keyFlag, @@ -244,17 +235,22 @@ public interface SecretKeyRingEditorInterface { * @return revocation certificate */ PGPSignature createRevocationCertificate(SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) throws PGPException; PGPSignature createRevocationCertificate(long subkeyId, SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) + throws PGPException; + + PGPSignature createRevocationCertificate(long subkeyId, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback) throws PGPException; default PGPSignature createRevocationCertificate(OpenPgpFingerprint subkeyFingerprint, SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nullable RevocationAttributes revocationAttributes) throws PGPException { return createRevocationCertificate(subkeyFingerprint.getKeyId(), secretKeyRingProtector, revocationAttributes); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 7398edcd..4afbfd6a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -22,9 +22,10 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.pgpainless.PGPainless; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.CollectionUtils; public final class KeyRingUtils { @@ -203,22 +204,121 @@ public final class KeyRingUtils { return publicKeys; } - public static PGPSecretKeyRing secretKeysPlusPublicKey(PGPSecretKeyRing secretKeys, PGPPublicKey subkey) { - PGPPublicKeyRing publicKeys = publicKeyRingFrom(secretKeys); - PGPPublicKeyRing newPublicKeys = publicKeysPlusPublicKey(publicKeys, subkey); - PGPSecretKeyRing newSecretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, newPublicKeys); - return newSecretKeys; + public static T injectCertification(T keyRing, PGPPublicKey certifiedKey, PGPSignature certification) { + PGPSecretKeyRing secretKeys = null; + PGPPublicKeyRing publicKeys; + if (keyRing instanceof PGPSecretKeyRing) { + secretKeys = (PGPSecretKeyRing) keyRing; + publicKeys = PGPainless.extractCertificate(secretKeys); + } else { + publicKeys = (PGPPublicKeyRing) keyRing; + } + + certifiedKey = PGPPublicKey.addCertification(certifiedKey, certification); + List publicKeyList = new ArrayList<>(); + Iterator publicKeyIterator = publicKeys.iterator(); + boolean added = false; + while (publicKeyIterator.hasNext()) { + PGPPublicKey key = publicKeyIterator.next(); + if (key.getKeyID() == certifiedKey.getKeyID()) { + added = true; + publicKeyList.add(certifiedKey); + } else { + publicKeyList.add(key); + } + } + if (!added) { + throw new NoSuchElementException("Cannot find public key with id " + Long.toHexString(certifiedKey.getKeyID()) + " in the provided key ring."); + } + + publicKeys = new PGPPublicKeyRing(publicKeyList); + if (secretKeys == null) { + return (T) publicKeys; + } else { + secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); + return (T) secretKeys; + } } - public static PGPPublicKeyRing publicKeysPlusPublicKey(PGPPublicKeyRing publicKeys, PGPPublicKey subkey) { - List publicKeyList = CollectionUtils.iteratorToList(publicKeys.getPublicKeys()); - publicKeyList.add(subkey); - PGPPublicKeyRing newPublicKeys = new PGPPublicKeyRing(publicKeyList); - return newPublicKeys; + public static T injectCertification(T keyRing, String userId, PGPSignature certification) { + PGPSecretKeyRing secretKeys = null; + PGPPublicKeyRing publicKeys; + if (keyRing instanceof PGPSecretKeyRing) { + secretKeys = (PGPSecretKeyRing) keyRing; + publicKeys = PGPainless.extractCertificate(secretKeys); + } else { + publicKeys = (PGPPublicKeyRing) keyRing; + } + + Iterator publicKeyIterator = publicKeys.iterator(); + PGPPublicKey primaryKey = publicKeyIterator.next(); + primaryKey = PGPPublicKey.addCertification(primaryKey, userId, certification); + + List publicKeyList = new ArrayList<>(); + publicKeyList.add(primaryKey); + while (publicKeyIterator.hasNext()) { + publicKeyList.add(publicKeyIterator.next()); + } + + publicKeys = new PGPPublicKeyRing(publicKeyList); + if (secretKeys == null) { + return (T) publicKeys; + } else { + secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); + return (T) secretKeys; + } } - public static PGPSecretKeyRing secretKeysPlusSecretKey(PGPSecretKeyRing secretKeys, PGPSecretKey subkey) { - return PGPSecretKeyRing.insertSecretKey(secretKeys, subkey); + public static T injectCertification(T keyRing, PGPUserAttributeSubpacketVector userAttributes, PGPSignature certification) { + PGPSecretKeyRing secretKeys = null; + PGPPublicKeyRing publicKeys; + if (keyRing instanceof PGPSecretKeyRing) { + secretKeys = (PGPSecretKeyRing) keyRing; + publicKeys = PGPainless.extractCertificate(secretKeys); + } else { + publicKeys = (PGPPublicKeyRing) keyRing; + } + + Iterator publicKeyIterator = publicKeys.iterator(); + PGPPublicKey primaryKey = publicKeyIterator.next(); + primaryKey = PGPPublicKey.addCertification(primaryKey, userAttributes, certification); + + List publicKeyList = new ArrayList<>(); + publicKeyList.add(primaryKey); + while (publicKeyIterator.hasNext()) { + publicKeyList.add(publicKeyIterator.next()); + } + + publicKeys = new PGPPublicKeyRing(publicKeyList); + if (secretKeys == null) { + return (T) publicKeys; + } else { + secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); + return (T) secretKeys; + } + } + + public static T keysPlusPublicKey(T keyRing, PGPPublicKey publicKey) { + PGPSecretKeyRing secretKeys = null; + PGPPublicKeyRing publicKeys; + if (keyRing instanceof PGPSecretKeyRing) { + secretKeys = (PGPSecretKeyRing) keyRing; + publicKeys = PGPainless.extractCertificate(secretKeys); + } else { + publicKeys = (PGPPublicKeyRing) keyRing; + } + + publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey); + if (secretKeys == null) { + return (T) publicKeys; + } else { + secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); + return (T) secretKeys; + } + } + + public static PGPSecretKeyRing keysPlusSecretKey(PGPSecretKeyRing secretKeys, PGPSecretKey secretKey) { + return PGPSecretKeyRing.insertSecretKey(secretKeys, secretKey); } public static PGPSecretKey secretKeyPlusSignature(PGPSecretKey secretKey, PGPSignature signature) { @@ -227,4 +327,5 @@ public final class KeyRingUtils { PGPSecretKey newSecretKey = PGPSecretKey.replacePublicKey(secretKey, publicKey); return newSecretKey; } + } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java index f9a7d540..9bcac504 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java @@ -4,18 +4,14 @@ package org.pgpainless.signature.builder; -import java.io.IOException; +import java.util.List; import javax.annotation.Nullable; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; -import org.pgpainless.signature.subpackets.CertificationSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public final class SignatureFactory { @@ -24,66 +20,14 @@ public final class SignatureFactory { } - public static SubkeyBindingSignatureBuilder bindNonSigningSubkey( + public static SelfSignatureBuilder selfCertifyUserId( PGPSecretKey primaryKey, SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, - KeyFlag... flags) throws WrongPassphraseException { - if (hasSignDataFlag(flags)) { - throw new IllegalArgumentException("Binding a subkey with SIGN_DATA flag requires primary key backsig.\n" + - "Please use the method bindSigningSubkey() instead."); - } - - return bindSubkey(primaryKey, primaryKeyProtector, subkeyBindingSubpacketsCallback, flags); - } - - public static SubkeyBindingSignatureBuilder bindSigningSubkey( - PGPSecretKey primaryKey, - SecretKeyRingProtector primaryKeyProtector, - PGPSecretKey subkey, - SecretKeyRingProtector subkeyProtector, - @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, - @Nullable SelfSignatureSubpackets.Callback primaryKeyBindingSubpacketsCallback, - KeyFlag... flags) - throws PGPException, IOException { - - SubkeyBindingSignatureBuilder subkeyBinder = bindSubkey(primaryKey, primaryKeyProtector, subkeyBindingSubpacketsCallback, flags); - - if (hasSignDataFlag(flags)) { - PGPSignature backsig = bindPrimaryKey( - subkey, subkeyProtector, primaryKeyBindingSubpacketsCallback) - .build(primaryKey.getPublicKey()); - subkeyBinder.getHashedSubpackets().addEmbeddedSignature(backsig); - } - - return subkeyBinder; - } - - private static SubkeyBindingSignatureBuilder bindSubkey(PGPSecretKey primaryKey, - SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureSubpackets.Callback subkeyBindingSubpacketsCallback, - KeyFlag... flags) throws WrongPassphraseException { - if (flags.length == 0) { - throw new IllegalArgumentException("Keyflags for subkey binding cannot be empty."); - } - SubkeyBindingSignatureBuilder subkeyBinder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector); - SelfSignatureSubpackets hashedSubpackets = subkeyBinder.getHashedSubpackets(); - hashedSubpackets.setKeyFlags(flags); - - subkeyBinder.applyCallback(subkeyBindingSubpacketsCallback); - - return subkeyBinder; - } - - public static PrimaryKeyBindingSignatureBuilder bindPrimaryKey( - PGPSecretKey subkey, - SecretKeyRingProtector subkeyProtector, - @Nullable SelfSignatureSubpackets.Callback primaryKeyBindingSubpacketsCallback) throws WrongPassphraseException { - PrimaryKeyBindingSignatureBuilder primaryKeyBinder = new PrimaryKeyBindingSignatureBuilder(subkey, subkeyProtector); - - primaryKeyBinder.applyCallback(primaryKeyBindingSubpacketsCallback); - - return primaryKeyBinder; + @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, + List keyFlags) + throws WrongPassphraseException { + KeyFlag[] keyFlagArray = keyFlags.toArray(new KeyFlag[0]); + return selfCertifyUserId(primaryKey, primaryKeyProtector, selfSignatureCallback, keyFlagArray); } public static SelfSignatureBuilder selfCertifyUserId( @@ -100,55 +44,4 @@ public final class SignatureFactory { return certifier; } - public static SelfSignatureBuilder renewSelfCertification( - PGPSecretKey primaryKey, - SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, - PGPSignature oldCertification) throws WrongPassphraseException { - SelfSignatureBuilder certifier = new SelfSignatureBuilder( - primaryKey, primaryKeyProtector, oldCertification); - - certifier.applyCallback(selfSignatureCallback); - - return certifier; - } - - public static CertificationSignatureBuilder certifyUserId( - PGPSecretKey signingKey, - SecretKeyRingProtector signingKeyProtector, - @Nullable CertificationSubpackets.Callback subpacketsCallback) - throws WrongPassphraseException { - CertificationSignatureBuilder certifier = new CertificationSignatureBuilder(signingKey, signingKeyProtector); - - certifier.applyCallback(subpacketsCallback); - - return certifier; - } - - public static UniversalSignatureBuilder universalSignature( - SignatureType signatureType, - PGPSecretKey signingKey, - SecretKeyRingProtector signingKeyProtector, - @Nullable BaseSignatureSubpackets.Callback callback) - throws WrongPassphraseException { - UniversalSignatureBuilder builder = - new UniversalSignatureBuilder(signatureType, signingKey, signingKeyProtector); - - builder.applyCallback(callback); - - return builder; - } - - private static boolean hasSignDataFlag(KeyFlag... flags) { - if (flags == null) { - return false; - } - for (KeyFlag flag : flags) { - if (flag == KeyFlag.SIGN_DATA) { - return true; - } - } - return false; - } - } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index c98d03ad..51d1d2a6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -170,7 +170,7 @@ public class ModifyKeys { * @throws NoSuchAlgorithmException */ @Test - public void addSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void addSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { // Protector for unlocking the existing secret key SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword(originalPassphrase), secretKey); Passphrase subkeyPassphrase = Passphrase.fromPassword("subk3yP4ssphr4s3"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java index 4306298d..4e1e5c18 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java @@ -16,28 +16,28 @@ import java.util.List; import org.bouncycastle.bcpg.sig.NotationData; import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.generation.KeyRingBuilder; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.KeyType; -import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -import org.pgpainless.util.Passphrase; public class AddSubkeyWithModifiedBindingSignatureSubpackets { + public static long MILLIS_IN_SEC = 1000; + @Test public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -45,29 +45,30 @@ public class AddSubkeyWithModifiedBindingSignatureSubpackets { .modernKeyRing("Alice ", null); KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys); - PGPSecretKey secretSubkey = KeyRingBuilder.generatePGPSecretKey( - KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), - Passphrase.emptyPassphrase(), false); + PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair( + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build()); + long secondsUntilExpiration = 1000; secretKeys = PGPainless.modifyKeyRing(secretKeys) .addSubKey(secretSubkey, new SelfSignatureSubpackets.Callback() { - @Override - public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { - hashedSubpackets.setKeyExpirationTime(true, 1000); - hashedSubpackets.addNotationData(false, "test@test.test", "test"); - } - }, null, SecretKeyRingProtector.unprotectedKeys(), protector, KeyFlag.ENCRYPT_COMMS) + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setKeyExpirationTime(true, secondsUntilExpiration); + hashedSubpackets.addNotationData(false, "test@test.test", "test"); + } + }, SecretKeyRingProtector.unprotectedKeys(), protector, KeyFlag.SIGN_DATA) .done(); KeyRingInfo after = PGPainless.inspectKeyRing(secretKeys); + List signingKeys = after.getSigningSubkeys(); + signingKeys.removeAll(before.getSigningSubkeys()); + assertFalse(signingKeys.isEmpty()); - List encryptionKeys = after.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS); - encryptionKeys.removeAll(before.getEncryptionSubkeys(EncryptionPurpose.COMMUNICATIONS)); - assertFalse(encryptionKeys.isEmpty()); - assertEquals(1, encryptionKeys.size()); - - PGPPublicKey newKey = encryptionKeys.get(0); - JUtils.assertEquals(new Date().getTime() + 1000 * 1000, after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey)).getTime(), 2000); + PGPPublicKey newKey = signingKeys.get(0); + Date now = new Date(); + JUtils.assertEquals( + now.getTime() + MILLIS_IN_SEC * secondsUntilExpiration, + after.getSubkeyExpirationDate(new OpenPgpV4Fingerprint(newKey)).getTime(), 2 * MILLIS_IN_SEC); assertTrue(newKey.getSignatures().hasNext()); PGPSignature binding = newKey.getSignatures().next(); List notations = SignatureSubpacketsUtil.getHashedNotationData(binding); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index f78cc32f..421c9ecf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -39,7 +39,6 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -import org.pgpainless.util.ArmorUtils; import org.pgpainless.util.Passphrase; public class RevokeSubKeyTest { @@ -82,11 +81,6 @@ public class RevokeSubKeyTest { .withReason(RevocationAttributes.Reason.KEY_RETIRED) .withDescription("Key no longer used.")); - // CHECKSTYLE:OFF - System.out.println("Revocation Certificate:"); - System.out.println(ArmorUtils.toAsciiArmoredString(revocationCertificate.getEncoded())); - // CHECKSTYLE:ON - PGPPublicKey publicKey = secretKeys.getPublicKey(); assertFalse(publicKey.hasRevocation()); @@ -107,8 +101,8 @@ public class RevokeSubKeyTest { .forKey(secretKeys, Passphrase.fromPassword("password123")); SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); - PGPSignature keyRevocation = editor.createRevocationCertificate(primaryKey.getKeyID(), protector, null); - PGPSignature subkeyRevocation = editor.createRevocationCertificate(subKey.getKeyID(), protector, null); + PGPSignature keyRevocation = editor.createRevocationCertificate(primaryKey.getKeyID(), protector, (RevocationAttributes) null); + PGPSignature subkeyRevocation = editor.createRevocationCertificate(subKey.getKeyID(), protector, (RevocationAttributes) null); assertEquals(SignatureType.KEY_REVOCATION.getCode(), keyRevocation.getSignatureType()); assertEquals(SignatureType.SUBKEY_REVOCATION.getCode(), subkeyRevocation.getSignatureType()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java deleted file mode 100644 index 4218563b..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilderTest.java +++ /dev/null @@ -1,75 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.builder; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertNotNull; - -import java.io.IOException; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import java.util.Iterator; -import java.util.List; - -import org.bouncycastle.bcpg.sig.NotationData; -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSignature; -import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; -import org.pgpainless.algorithm.EncryptionPurpose; -import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.key.info.KeyRingInfo; -import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; -import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -import org.pgpainless.util.Passphrase; - -public class SubkeyBindingSignatureBuilderTest { - - @Test - public void testBindSubkeyWithCustomNotation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() - .modernKeyRing("Alice ", "passphrase"); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - List previousSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("passphrase"), secretKey); - - PGPSecretKeyRing tempSubkeyRing = PGPainless.generateKeyRing() - .modernKeyRing("Subkeys", null); - PGPPublicKey subkeyPub = PGPainless.inspectKeyRing(tempSubkeyRing) - .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); - PGPSecretKey subkeySec = tempSubkeyRing.getSecretKey(subkeyPub.getKeyID()); - - PGPSignature binding = SignatureFactory.bindNonSigningSubkey( - secretKey.getSecretKey(), protector, - new SelfSignatureSubpackets.Callback() { - @Override - public void modifyHashedSubpackets(SelfSignatureSubpackets subpackets) { - subpackets.addNotationData(false, "testnotation@pgpainless.org", "hello-world"); - } - }, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE) - .build(subkeyPub); - - subkeyPub = PGPPublicKey.addCertification(subkeyPub, binding); - subkeySec = PGPSecretKey.replacePublicKey(subkeySec, subkeyPub); - secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, subkeySec); - - info = PGPainless.inspectKeyRing(secretKey); - List nextSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); - assertEquals(previousSubkeys.size() + 1, nextSubkeys.size()); - subkeyPub = secretKey.getPublicKey(subkeyPub.getKeyID()); - Iterator newBindingSigs = subkeyPub.getSignaturesForKeyID(secretKey.getPublicKey().getKeyID()); - PGPSignature bindingSig = newBindingSigs.next(); - assertNotNull(bindingSig); - List notations = SignatureSubpacketsUtil.getHashedNotationData(bindingSig); - - assertEquals(1, notations.size()); - assertEquals("testnotation@pgpainless.org", notations.get(0).getNotationName()); - assertEquals("hello-world", notations.get(0).getNotationValue()); - } -} From 91080f411dcea8638350e6e5e8196af36e3da6f3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 20 Nov 2021 20:19:22 +0100 Subject: [PATCH 0140/1450] Rework secret key protection --- .../secretkeyring/SecretKeyRingEditor.java | 10 +-- .../BaseSecretKeyRingProtector.java | 54 +++++++++++++ .../PasswordBasedSecretKeyRingProtector.java | 52 ++---------- .../protection/SecretKeyRingProtector.java | 38 +++++++-- .../signature/builder/SignatureFactory.java | 47 ----------- .../subpackets/SelfSignatureSubpackets.java | 6 ++ .../org/bouncycastle/AsciiArmorCRCTests.java | 2 +- .../ModificationDetectionTests.java | 2 +- ...tionUsingKeyWithMissingPassphraseTest.java | 4 +- .../encryption_signing/SigningTest.java | 79 ++++++++++++------- .../org/pgpainless/example/ModifyKeys.java | 36 ++++++--- .../pgpainless/example/UnlockSecretKeys.java | 6 +- .../key/modification/AddSubKeyTest.java | 2 +- .../SecretKeyRingProtectorTest.java | 18 +++-- .../key/protection/UnlockSecretKeyTest.java | 15 ++-- .../key/protection/fixes/S2KUsageFixTest.java | 11 ++- 16 files changed, 217 insertions(+), 165 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 1a6585b9..4cafe337 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -59,7 +59,6 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.builder.RevocationSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; -import org.pgpainless.signature.builder.SignatureFactory; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; @@ -102,12 +101,11 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); List keyFlags = info.getKeyFlagsOf(info.getKeyId()); - SelfSignatureBuilder builder = SignatureFactory.selfCertifyUserId( - primaryKey, - protector, - signatureSubpacketCallback, - keyFlags); + SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); + builder.getHashedSubpackets().setKeyFlags(keyFlags); + builder.applyCallback(signatureSubpacketCallback); + PGPSignature signature = builder.build(primaryKey.getPublicKey(), userId); secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, signature); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java new file mode 100644 index 00000000..6df10082 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java @@ -0,0 +1,54 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.protection; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; +import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; +import org.pgpainless.util.Passphrase; + +import javax.annotation.Nullable; + +public class BaseSecretKeyRingProtector implements SecretKeyRingProtector { + + private final SecretKeyPassphraseProvider passphraseProvider; + private final KeyRingProtectionSettings protectionSettings; + + public BaseSecretKeyRingProtector(SecretKeyPassphraseProvider passphraseProvider) { + this(passphraseProvider, KeyRingProtectionSettings.secureDefaultSettings()); + } + + public BaseSecretKeyRingProtector(SecretKeyPassphraseProvider passphraseProvider, KeyRingProtectionSettings protectionSettings) { + this.passphraseProvider = passphraseProvider; + this.protectionSettings = protectionSettings; + } + + @Override + public boolean hasPassphraseFor(Long keyId) { + return passphraseProvider.hasPassphrase(keyId); + } + + @Override + @Nullable + public PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException { + Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); + return passphrase == null ? null : + ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); + } + + @Override + @Nullable + public PBESecretKeyEncryptor getEncryptor(Long keyId) throws PGPException { + Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); + return passphrase == null ? null : + ImplementationFactory.getInstance().getPBESecretKeyEncryptor( + protectionSettings.getEncryptionAlgorithm(), + protectionSettings.getHashAlgorithm(), + protectionSettings.getS2kCount(), + passphrase); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java index d198c187..c5745068 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/PasswordBasedSecretKeyRingProtector.java @@ -4,17 +4,13 @@ package org.pgpainless.key.protection; -import java.util.Iterator; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyRing; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; import org.pgpainless.util.Passphrase; @@ -22,10 +18,11 @@ import org.pgpainless.util.Passphrase; * Provides {@link PBESecretKeyDecryptor} and {@link PBESecretKeyEncryptor} objects while getting the passphrases * from a {@link SecretKeyPassphraseProvider} and using settings from an {@link KeyRingProtectionSettings}. */ -public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtector { +public class PasswordBasedSecretKeyRingProtector extends BaseSecretKeyRingProtector { - protected final KeyRingProtectionSettings protectionSettings; - protected final SecretKeyPassphraseProvider passphraseProvider; + public PasswordBasedSecretKeyRingProtector(@Nonnull SecretKeyPassphraseProvider passphraseProvider) { + super(passphraseProvider); + } /** * Constructor. @@ -36,23 +33,15 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect * @param passphraseProvider provider which provides passphrases. */ public PasswordBasedSecretKeyRingProtector(@Nonnull KeyRingProtectionSettings settings, @Nonnull SecretKeyPassphraseProvider passphraseProvider) { - this.protectionSettings = settings; - this.passphraseProvider = passphraseProvider; + super(passphraseProvider, settings); } public static PasswordBasedSecretKeyRingProtector forKey(PGPKeyRing keyRing, Passphrase passphrase) { - KeyRingProtectionSettings protectionSettings = KeyRingProtectionSettings.secureDefaultSettings(); SecretKeyPassphraseProvider passphraseProvider = new SecretKeyPassphraseProvider() { @Override @Nullable public Passphrase getPassphraseFor(Long keyId) { - for (Iterator it = keyRing.getPublicKeys(); it.hasNext(); ) { - PGPPublicKey key = it.next(); - if (key.getKeyID() == keyId) { - return passphrase; - } - } - return null; + return hasPassphrase(keyId) ? passphrase : null; } @Override @@ -60,7 +49,7 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect return keyRing.getPublicKey(keyId) != null; } }; - return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); + return new PasswordBasedSecretKeyRingProtector(passphraseProvider); } public static PasswordBasedSecretKeyRingProtector forKey(PGPSecretKey key, Passphrase passphrase) { @@ -68,7 +57,6 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect } public static PasswordBasedSecretKeyRingProtector forKeyId(long singleKeyId, Passphrase passphrase) { - KeyRingProtectionSettings protectionSettings = KeyRingProtectionSettings.secureDefaultSettings(); SecretKeyPassphraseProvider passphraseProvider = new SecretKeyPassphraseProvider() { @Nullable @Override @@ -84,31 +72,7 @@ public class PasswordBasedSecretKeyRingProtector implements SecretKeyRingProtect return keyId == singleKeyId; } }; - return new PasswordBasedSecretKeyRingProtector(protectionSettings, passphraseProvider); + return new PasswordBasedSecretKeyRingProtector(passphraseProvider); } - @Override - public boolean hasPassphraseFor(Long keyId) { - return passphraseProvider.hasPassphrase(keyId); - } - - @Override - @Nullable - public PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException { - Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); - return passphrase == null ? null : - ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); - } - - @Override - @Nullable - public PBESecretKeyEncryptor getEncryptor(Long keyId) throws PGPException { - Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); - return passphrase == null ? null : - ImplementationFactory.getInstance().getPBESecretKeyEncryptor( - protectionSettings.getEncryptionAlgorithm(), - protectionSettings.getHashAlgorithm(), - protectionSettings.getS2kCount(), - passphrase); - } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java index b1cb7fdf..a77e4486 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java @@ -7,6 +7,7 @@ package org.pgpainless.key.protection; import java.util.HashMap; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; @@ -15,6 +16,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; +import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.util.Passphrase; /** @@ -66,7 +68,23 @@ public interface SecretKeyRingProtector { } /** - * Use the provided passphrase to lock/unlock all subkeys in the provided key ring. + * Use the provided passphrase to lock/unlock all keys in the provided key ring. + * + * This protector will use the provided passphrase to lock/unlock all subkeys present in the provided keys object. + * For other keys that are not present in the ring, it will return null. + * + * @param passphrase passphrase + * @param keys key ring + * @return protector + * @deprecated use {@link #unlockEachKeyWith(Passphrase, PGPSecretKeyRing)} instead. + */ + @Deprecated + static SecretKeyRingProtector unlockAllKeysWith(@Nonnull Passphrase passphrase, @Nonnull PGPSecretKeyRing keys) { + return unlockEachKeyWith(passphrase, keys); + } + + /** + * Use the provided passphrase to lock/unlock all keys in the provided key ring. * * This protector will use the provided passphrase to lock/unlock all subkeys present in the provided keys object. * For other keys that are not present in the ring, it will return null. @@ -75,7 +93,7 @@ public interface SecretKeyRingProtector { * @param keys key ring * @return protector */ - static SecretKeyRingProtector unlockAllKeysWith(Passphrase passphrase, PGPSecretKeyRing keys) { + static SecretKeyRingProtector unlockEachKeyWith(@Nonnull Passphrase passphrase, @Nonnull PGPSecretKeyRing keys) { Map map = new ConcurrentHashMap<>(); for (PGPSecretKey secretKey : keys) { map.put(secretKey.getKeyID(), passphrase); @@ -83,6 +101,16 @@ public interface SecretKeyRingProtector { return fromPassphraseMap(map); } + /** + * Use the provided passphrase to unlock any key. + * + * @param passphrase passphrase + * @return protector + */ + static SecretKeyRingProtector unlockAnyKeyWith(@Nonnull Passphrase passphrase) { + return new BaseSecretKeyRingProtector(new SolitaryPassphraseProvider(passphrase)); + } + /** * Use the provided passphrase to lock/unlock only the provided (sub-)key. * This protector will only return a non-null encryptor/decryptor based on the provided passphrase if @@ -94,11 +122,11 @@ public interface SecretKeyRingProtector { * @param key key to lock/unlock * @return protector */ - static SecretKeyRingProtector unlockSingleKeyWith(Passphrase passphrase, PGPSecretKey key) { + static SecretKeyRingProtector unlockSingleKeyWith(@Nonnull Passphrase passphrase, @Nonnull PGPSecretKey key) { return PasswordBasedSecretKeyRingProtector.forKey(key, passphrase); } - static SecretKeyRingProtector unlockSingleKeyWith(Passphrase passphrase, long keyId) { + static SecretKeyRingProtector unlockSingleKeyWith(@Nonnull Passphrase passphrase, long keyId) { return PasswordBasedSecretKeyRingProtector.forKeyId(keyId, passphrase); } @@ -123,7 +151,7 @@ public interface SecretKeyRingProtector { * @param passphraseMap map of key ids and their respective passphrases * @return protector */ - static SecretKeyRingProtector fromPassphraseMap(Map passphraseMap) { + static SecretKeyRingProtector fromPassphraseMap(@Nonnull Map passphraseMap) { return new CachingSecretKeyRingProtector(passphraseMap, KeyRingProtectionSettings.secureDefaultSettings(), null); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java deleted file mode 100644 index 9bcac504..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SignatureFactory.java +++ /dev/null @@ -1,47 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.builder; - -import java.util.List; -import javax.annotation.Nullable; - -import org.bouncycastle.openpgp.PGPSecretKey; -import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; -import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; - -public final class SignatureFactory { - - private SignatureFactory() { - - } - - public static SelfSignatureBuilder selfCertifyUserId( - PGPSecretKey primaryKey, - SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, - List keyFlags) - throws WrongPassphraseException { - KeyFlag[] keyFlagArray = keyFlags.toArray(new KeyFlag[0]); - return selfCertifyUserId(primaryKey, primaryKeyProtector, selfSignatureCallback, keyFlagArray); - } - - public static SelfSignatureBuilder selfCertifyUserId( - PGPSecretKey primaryKey, - SecretKeyRingProtector primaryKeyProtector, - @Nullable SelfSignatureSubpackets.Callback selfSignatureCallback, - KeyFlag... flags) throws WrongPassphraseException { - - SelfSignatureBuilder certifier = new SelfSignatureBuilder(SignatureType.POSITIVE_CERTIFICATION, primaryKey, primaryKeyProtector); - certifier.getHashedSubpackets().setKeyFlags(flags); - - certifier.applyCallback(selfSignatureCallback); - - return certifier; - } - -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java index 1ff45ae4..02cc5e93 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SelfSignatureSubpackets.java @@ -5,6 +5,7 @@ package org.pgpainless.signature.subpackets; import java.util.Date; +import java.util.List; import java.util.Set; import javax.annotation.Nonnull; import javax.annotation.Nullable; @@ -30,6 +31,11 @@ public interface SelfSignatureSubpackets extends BaseSignatureSubpackets { SelfSignatureSubpackets setKeyFlags(KeyFlag... keyFlags); + default SelfSignatureSubpackets setKeyFlags(List keyFlags) { + KeyFlag[] flags = keyFlags.toArray(new KeyFlag[0]); + return setKeyFlags(flags); + } + SelfSignatureSubpackets setKeyFlags(boolean isCritical, KeyFlag... keyFlags); SelfSignatureSubpackets setKeyFlags(@Nullable KeyFlags keyFlags); diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java index 19d72dda..8fa1bd9d 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java @@ -546,7 +546,7 @@ public class AsciiArmorCRCTests { DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) .withOptions(new ConsumerOptions().addDecryptionKey( - key, SecretKeyRingProtector.unlockAllKeysWith(passphrase, key) + key, SecretKeyRingProtector.unlockAnyKeyWith(passphrase) )); ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index 2a2a0844..2eb870cb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -537,7 +537,7 @@ public class ModificationDetectionTests { assertThrows(MessageNotIntegrityProtectedException.class, () -> PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8))) .withOptions(new ConsumerOptions().addDecryptionKey(secretKeyRing, - SecretKeyRingProtector.unlockAllKeysWith(passphrase, secretKeyRing))) + SecretKeyRingProtector.unlockAnyKeyWith(passphrase))) ); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java index 4aad6c9e..fc3f7163 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -132,7 +132,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { return false; } }); - SecretKeyRingProtector protector2 = SecretKeyRingProtector.unlockAllKeysWith(p2, k2); + SecretKeyRingProtector protector2 = SecretKeyRingProtector.unlockEachKeyWith(p2, k2); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(new ByteArrayInputStream(ENCRYPTED_FOR_K1_K2.getBytes(StandardCharsets.UTF_8))) @@ -149,7 +149,7 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { @Test public void missingPassphraseSecond() throws PGPException, IOException { - SecretKeyRingProtector protector1 = SecretKeyRingProtector.unlockAllKeysWith(p1, k1); + SecretKeyRingProtector protector1 = SecretKeyRingProtector.unlockEachKeyWith(p1, k1); SecretKeyRingProtector protector2 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { @Nullable @Override diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 89531220..6a73152d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -54,7 +54,8 @@ public class SigningTest { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void testEncryptionAndSignatureVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { + public void testEncryptionAndSignatureVerification(ImplementationFactory implementationFactory) + throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPPublicKeyRing julietKeys = TestKeys.getJulietPublicKeyRing(); @@ -73,12 +74,13 @@ public class SigningTest { EncryptionOptions.encryptDataAtRest() .addRecipients(keys) .addRecipient(KeyRingUtils.publicKeyRingFrom(cryptieKeys)), - new SigningOptions() - .addInlineSignature(SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, cryptieSigningKey), + new SigningOptions().addInlineSignature( + SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, cryptieSigningKey), cryptieKeys, TestKeys.CRYPTIE_UID, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) ).setAsciiArmor(true)); - byte[] messageBytes = "This message is signed and encrypted to Romeo and Juliet.".getBytes(StandardCharsets.UTF_8); + byte[] messageBytes = "This message is signed and encrypted to Romeo and Juliet." + .getBytes(StandardCharsets.UTF_8); ByteArrayInputStream message = new ByteArrayInputStream(messageBytes); Streams.pipeAll(message, encryptionStream); @@ -90,8 +92,10 @@ public class SigningTest { PGPSecretKeyRing romeoSecret = TestKeys.getRomeoSecretKeyRing(); PGPSecretKeyRing julietSecret = TestKeys.getJulietSecretKeyRing(); - PGPSecretKeyRingCollection secretKeys = new PGPSecretKeyRingCollection(Arrays.asList(romeoSecret, julietSecret)); - PGPPublicKeyRingCollection verificationKeys = new PGPPublicKeyRingCollection(Arrays.asList(KeyRingUtils.publicKeyRingFrom(cryptieKeys), romeoKeys)); + PGPSecretKeyRingCollection secretKeys = new PGPSecretKeyRingCollection( + Arrays.asList(romeoSecret, julietSecret)); + PGPPublicKeyRingCollection verificationKeys = new PGPPublicKeyRingCollection( + Arrays.asList(KeyRingUtils.publicKeyRingFrom(cryptieKeys), romeoKeys)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(cryptIn) @@ -114,22 +118,26 @@ public class SigningTest { } @Test - public void testSignWithInvalidUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testSignWithInvalidUserIdFails() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("password123"), secretKeys); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); SigningOptions opts = new SigningOptions(); // "bob" is not a valid user-id assertThrows(KeyValidationError.class, - () -> opts.addInlineSignature(protector, secretKeys, "bob", DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); + () -> opts.addInlineSignature(protector, secretKeys, "bob", + DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } @Test - public void testSignWithRevokedUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testSignWithRevokedUserIdFails() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("password123"), secretKeys); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( + Passphrase.fromPassword("password123")); secretKeys = PGPainless.modifyKeyRing(secretKeys) .revokeUserId("alice", protector) .done(); @@ -139,7 +147,8 @@ public class SigningTest { SigningOptions opts = new SigningOptions(); // "alice" has been revoked assertThrows(KeyValidationError.class, - () -> opts.addInlineSignature(protector, fSecretKeys, "alice", DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); + () -> opts.addInlineSignature(protector, fSecretKeys, "alice", + DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } @Test @@ -174,14 +183,18 @@ public class SigningTest { } @Test - public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA).overridePreferredHashAlgorithms()) + .setPrimaryKey(KeySpec.getBuilder( + KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .overridePreferredHashAlgorithms()) .addUserId("Alice") .build(); SigningOptions options = new SigningOptions() - .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, + DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; EncryptionStream signer = PGPainless.encryptAndOrSign() .onOutputStream(new ByteArrayOutputStream()) @@ -194,19 +207,23 @@ public class SigningTest { SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); PGPSignature signature = sigs.get(signingKey).iterator().next(); - assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); + assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), + signature.getHashAlgorithm()); } @Test - public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) + .setPrimaryKey( + KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) .overridePreferredHashAlgorithms(HashAlgorithm.MD5)) .addUserId("Alice") .build(); SigningOptions options = new SigningOptions() - .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT); + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, + DocumentSignatureType.BINARY_DOCUMENT); String data = "Hello, World!\n"; EncryptionStream signer = PGPainless.encryptAndOrSign() .onOutputStream(new ByteArrayOutputStream()) @@ -219,33 +236,41 @@ public class SigningTest { SubkeyIdentifier signingKey = sigs.keySet().iterator().next(); PGPSignature signature = sigs.get(signingKey).iterator().next(); - assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), signature.getHashAlgorithm()); + assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(), + signature.getHashAlgorithm()); } @Test - public void signingWithNonCapableKeyThrowsKeyCannotSignException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void signingWithNonCapableKeyThrowsKeyCannotSignException() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") .build(); SigningOptions options = new SigningOptions(); - assertThrows(KeyCannotSignException.class, () -> options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); - assertThrows(KeyCannotSignException.class, () -> options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); + assertThrows(KeyCannotSignException.class, () -> options.addDetachedSignature( + SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); + assertThrows(KeyCannotSignException.class, () -> options.addInlineSignature( + SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); } @Test - public void signWithInvalidUserIdThrowsKeyValidationError() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void signWithInvalidUserIdThrowsKeyValidationError() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() - .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) .addUserId("Alice") .build(); SigningOptions options = new SigningOptions(); assertThrows(KeyValidationError.class, () -> - options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); + options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", + DocumentSignatureType.BINARY_DOCUMENT)); assertThrows(KeyValidationError.class, () -> - options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", DocumentSignatureType.BINARY_DOCUMENT)); + options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob", + DocumentSignatureType.BINARY_DOCUMENT)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 51d1d2a6..f8096dba 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -50,7 +50,8 @@ public class ModifyKeys { private long signingSubkeyId; @BeforeEach - public void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateKey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId, originalPassphrase); @@ -128,10 +129,13 @@ public class ModifyKeys { // encryption key can now only be unlocked using the new passphrase assertThrows(WrongPassphraseException.class, () -> - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword(originalPassphrase))); - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword("cryptP4ssphr4s3")); + UnlockSecretKey.unlockSecretKey( + secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword(originalPassphrase))); + UnlockSecretKey.unlockSecretKey( + secretKey.getSecretKey(encryptionSubkeyId), Passphrase.fromPassword("cryptP4ssphr4s3")); // primary key remains unchanged - UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(primaryKeyId), Passphrase.fromPassword(originalPassphrase)); + UnlockSecretKey.unlockSecretKey( + secretKey.getSecretKey(primaryKeyId), Passphrase.fromPassword(originalPassphrase)); } /** @@ -141,7 +145,8 @@ public class ModifyKeys { */ @Test public void addUserId() throws PGPException { - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword(originalPassphrase), secretKey); + SecretKeyRingProtector protector = + SecretKeyRingProtector.unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); secretKey = PGPainless.modifyKeyRing(secretKey) .addUserId("additional@user.id", protector) .done(); @@ -172,7 +177,8 @@ public class ModifyKeys { @Test public void addSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { // Protector for unlocking the existing secret key - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword(originalPassphrase), secretKey); + SecretKeyRingProtector protector = + SecretKeyRingProtector.unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); Passphrase subkeyPassphrase = Passphrase.fromPassword("subk3yP4ssphr4s3"); secretKey = PGPainless.modifyKeyRing(secretKey) .addSubKey( @@ -202,16 +208,19 @@ public class ModifyKeys { Date expirationDate = DateUtil.parseUTCDate("2030-06-24 12:44:56 UTC"); SecretKeyRingProtector protector = SecretKeyRingProtector - .unlockAllKeysWith(Passphrase.fromPassword(originalPassphrase), secretKey); + .unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); secretKey = PGPainless.modifyKeyRing(secretKey) .setExpirationDate(expirationDate, protector) .done(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); - assertEquals(DateUtil.formatUTCDate(expirationDate), DateUtil.formatUTCDate(info.getPrimaryKeyExpirationDate())); - assertEquals(DateUtil.formatUTCDate(expirationDate), DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS))); - assertEquals(DateUtil.formatUTCDate(expirationDate), DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.SIGN_DATA))); + assertEquals(DateUtil.formatUTCDate(expirationDate), + DateUtil.formatUTCDate(info.getPrimaryKeyExpirationDate())); + assertEquals(DateUtil.formatUTCDate(expirationDate), + DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS))); + assertEquals(DateUtil.formatUTCDate(expirationDate), + DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.SIGN_DATA))); } /** @@ -223,7 +232,7 @@ public class ModifyKeys { public void setSubkeyExpirationDate() throws PGPException { Date expirationDate = DateUtil.parseUTCDate("2032-01-13 22:30:01 UTC"); SecretKeyRingProtector protector = SecretKeyRingProtector - .unlockAllKeysWith(Passphrase.fromPassword(originalPassphrase), secretKey); + .unlockEachKeyWith(Passphrase.fromPassword(originalPassphrase), secretKey); secretKey = PGPainless.modifyKeyRing(secretKey) .setExpirationDate( @@ -237,7 +246,8 @@ public class ModifyKeys { KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); assertNull(info.getPrimaryKeyExpirationDate()); assertNull(info.getExpirationDateForUse(KeyFlag.SIGN_DATA)); - assertEquals(DateUtil.formatUTCDate(expirationDate), DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS))); + assertEquals(DateUtil.formatUTCDate(expirationDate), + DateUtil.formatUTCDate(info.getExpirationDateForUse(KeyFlag.ENCRYPT_COMMS))); } /** @@ -247,7 +257,7 @@ public class ModifyKeys { */ @Test public void revokeUserId() throws PGPException { - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith( + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword(originalPassphrase), secretKey); secretKey = PGPainless.modifyKeyRing(secretKey) .addUserId("alcie@pgpainless.org", protector) diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index 784cff61..a7b056b7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -58,10 +58,10 @@ public class UnlockSecretKeys { @Test public void unlockWholeKeyWithSamePassphrase() throws PGPException, IOException { PGPSecretKeyRing secretKey = TestKeys.getCryptieSecretKeyRing(); - // Unlock all subkeys in the secret key with the same passphrase - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith( - Passphrase.fromPassword(TestKeys.CRYPTIE_PASSWORD), secretKey); + Passphrase passphrase = TestKeys.CRYPTIE_PASSPHRASE; + // Unlock all subkeys in the secret key with the same passphrase + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(passphrase); assertProtectorUnlocksAllSecretKeys(secretKey, protector); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 406d300c..0fb9a5ec 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -65,7 +65,7 @@ public class AddSubKeyTest { long subKeyId = keyIdsAfter.get(0); PGPSecretKey subKey = secretKeys.getSecretKey(subKeyId); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith( + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword("subKeyPassphrase"), secretKeys); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(subKey, protector); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 1a8a3231..037d996d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -36,11 +36,13 @@ public class SecretKeyRingProtectorTest { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void testUnlockAllKeysWithSamePassword(ImplementationFactory implementationFactory) throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testUnlockAllKeysWithSamePassword(ImplementationFactory implementationFactory) + throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(TestKeys.CRYPTIE_PASSPHRASE, secretKeys); + SecretKeyRingProtector protector = + SecretKeyRingProtector.unlockEachKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKeys); for (PGPSecretKey secretKey : secretKeys) { PBESecretKeyDecryptor decryptor = protector.getDecryptor(secretKey.getKeyID()); assertNotNull(decryptor); @@ -51,7 +53,8 @@ public class SecretKeyRingProtectorTest { for (PGPSecretKey unrelatedKey : unrelatedKeys) { PBESecretKeyDecryptor decryptor = protector.getDecryptor(unrelatedKey.getKeyID()); assertNull(decryptor); - assertThrows(PGPException.class, () -> unrelatedKey.extractPrivateKey(protector.getDecryptor(unrelatedKey.getKeyID()))); + assertThrows(PGPException.class, + () -> unrelatedKey.extractPrivateKey(protector.getDecryptor(unrelatedKey.getKeyID()))); } } @@ -68,7 +71,8 @@ public class SecretKeyRingProtectorTest { @ParameterizedTest @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void testUnlockSingleKeyWithPassphrase(ImplementationFactory implementationFactory) throws IOException, PGPException { + public void testUnlockSingleKeyWithPassphrase(ImplementationFactory implementationFactory) + throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); @@ -76,7 +80,8 @@ public class SecretKeyRingProtectorTest { PGPSecretKey secretKey = iterator.next(); PGPSecretKey subKey = iterator.next(); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKey); + SecretKeyRingProtector protector = + SecretKeyRingProtector.unlockSingleKeyWith(TestKeys.CRYPTIE_PASSPHRASE, secretKey); assertNotNull(protector.getDecryptor(secretKey.getKeyID())); assertNotNull(protector.getEncryptor(secretKey.getKeyID())); assertNull(protector.getEncryptor(subKey.getKeyID())); @@ -87,7 +92,8 @@ public class SecretKeyRingProtectorTest { public void testFromPassphraseMap() { Map passphraseMap = new ConcurrentHashMap<>(); passphraseMap.put(1L, Passphrase.emptyPassphrase()); - CachingSecretKeyRingProtector protector = (CachingSecretKeyRingProtector) SecretKeyRingProtector.fromPassphraseMap(passphraseMap); + CachingSecretKeyRingProtector protector = + (CachingSecretKeyRingProtector) SecretKeyRingProtector.fromPassphraseMap(passphraseMap); assertNotNull(protector.getPassphraseFor(1L)); assertNull(protector.getPassphraseFor(5L)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java index 9e4c0984..c6a35ea9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnlockSecretKeyTest.java @@ -27,12 +27,17 @@ public class UnlockSecretKeyTest { .simpleEcKeyRing("alice@wonderland.lit", "heureka!"); PGPSecretKey secretKey = secretKeyRing.getSecretKey(); - SecretKeyRingProtector correctPassphrase = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("heureka!"), secretKeyRing); - SecretKeyRingProtector incorrectPassphrase = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("bazinga!"), secretKeyRing); - SecretKeyRingProtector emptyPassphrase = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.emptyPassphrase(), secretKeyRing); + SecretKeyRingProtector correctPassphrase = SecretKeyRingProtector + .unlockAnyKeyWith(Passphrase.fromPassword("heureka!")); + SecretKeyRingProtector incorrectPassphrase = SecretKeyRingProtector + .unlockAnyKeyWith(Passphrase.fromPassword("bazinga!")); + SecretKeyRingProtector emptyPassphrase = SecretKeyRingProtector + .unlockAnyKeyWith(Passphrase.emptyPassphrase()); Passphrase cleared = Passphrase.fromPassword("cleared"); cleared.clear(); - SecretKeyRingProtector invalidPassphrase = SecretKeyRingProtector.unlockAllKeysWith(cleared, secretKeyRing); + SecretKeyRingProtector invalidPassphrase = SecretKeyRingProtector + .unlockAnyKeyWith(cleared); + // Correct passphrase works PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, correctPassphrase); assertNotNull(privateKey); @@ -41,7 +46,7 @@ public class UnlockSecretKeyTest { UnlockSecretKey.unlockSecretKey(secretKey, incorrectPassphrase)); assertThrows(WrongPassphraseException.class, () -> UnlockSecretKey.unlockSecretKey(secretKey, emptyPassphrase)); - assertThrows(WrongPassphraseException.class, () -> + assertThrows(IllegalStateException.class, () -> UnlockSecretKey.unlockSecretKey(secretKey, invalidPassphrase)); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java index d5956da4..f324892f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/fixes/S2KUsageFixTest.java @@ -67,7 +67,8 @@ public class S2KUsageFixTest { private static final String MESSAGE_PLAIN = "Hello, World!\n"; @Test - public void verifyOutFixInChangePassphraseWorks() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void verifyOutFixInChangePassphraseWorks() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing before = PGPainless.generateKeyRing().modernKeyRing("Alice", "before"); for (PGPSecretKey key : before) { assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage()); @@ -93,9 +94,10 @@ public class S2KUsageFixTest { } @Test - public void testFixS2KUsageFrom_USAGE_CHECKSUM_to_USAGE_SHA1() throws IOException, PGPException { + public void testFixS2KUsageFrom_USAGE_CHECKSUM_to_USAGE_SHA1() + throws IOException, PGPException { PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(KEY_WITH_USAGE_CHECKSUM); - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAllKeysWith(Passphrase.fromPassword("after"), keys); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("after")); PGPSecretKeyRing fixed = S2KUsageFix.replaceUsageChecksumWithUsageSha1(keys, protector); for (PGPSecretKey key : fixed) { @@ -105,7 +107,8 @@ public class S2KUsageFixTest { testCanStillDecrypt(keys, protector); } - private void testCanStillDecrypt(PGPSecretKeyRing keys, SecretKeyRingProtector protector) throws PGPException, IOException { + private void testCanStillDecrypt(PGPSecretKeyRing keys, SecretKeyRingProtector protector) + throws PGPException, IOException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) From 76e19359b42f739c99193c8f94c31828f9ea33b6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 20 Nov 2021 20:27:36 +0100 Subject: [PATCH 0141/1450] Replace subpacket generator in key spec classes --- .../pgpainless/key/generation/KeySpec.java | 10 ---- .../key/generation/KeySpecBuilder.java | 54 ++++++------------- 2 files changed, 15 insertions(+), 49 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 5032c83a..6bffde16 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -6,7 +6,6 @@ package org.pgpainless.key.generation; import javax.annotation.Nonnull; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; @@ -19,15 +18,6 @@ public class KeySpec { private final SignatureSubpackets subpacketGenerator; private final boolean inheritedSubPackets; - KeySpec(@Nonnull KeyType type, - @Nonnull PGPSignatureSubpacketGenerator subpacketGenerator, - boolean inheritedSubPackets) { - this( - type, - SignatureSubpackets.createSubpacketsFrom(subpacketGenerator.generate()), - inheritedSubPackets); - } - KeySpec(@Nonnull KeyType type, @Nonnull SignatureSubpackets subpacketGenerator, boolean inheritedSubPackets) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java index 3a99bb94..07b53383 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java @@ -5,12 +5,10 @@ package org.pgpainless.key.generation; import java.util.Arrays; -import java.util.Iterator; import java.util.LinkedHashSet; import java.util.Set; import javax.annotation.Nonnull; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.CompressionAlgorithm; @@ -19,6 +17,8 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.CollectionUtils; @@ -26,7 +26,7 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { private final KeyType type; private final KeyFlag[] keyFlags; - private final PGPSignatureSubpacketGenerator hashedSubPackets = new PGPSignatureSubpacketGenerator(); + private final SelfSignatureSubpackets hashedSubpackets = new SignatureSubpackets(); private final AlgorithmSuite algorithmSuite = PGPainless.getPolicy().getKeyGenerationAlgorithmSuite(); private Set preferredCompressionAlgorithms = algorithmSuite.getCompressionAlgorithms(); private Set preferredHashAlgorithms = algorithmSuite.getHashAlgorithms(); @@ -46,19 +46,22 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { } @Override - public KeySpecBuilder overridePreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... compressionAlgorithms) { + public KeySpecBuilder overridePreferredCompressionAlgorithms( + @Nonnull CompressionAlgorithm... compressionAlgorithms) { this.preferredCompressionAlgorithms = new LinkedHashSet<>(Arrays.asList(compressionAlgorithms)); return this; } @Override - public KeySpecBuilder overridePreferredHashAlgorithms(@Nonnull HashAlgorithm... preferredHashAlgorithms) { + public KeySpecBuilder overridePreferredHashAlgorithms( + @Nonnull HashAlgorithm... preferredHashAlgorithms) { this.preferredHashAlgorithms = new LinkedHashSet<>(Arrays.asList(preferredHashAlgorithms)); return this; } @Override - public KeySpecBuilder overridePreferredSymmetricKeyAlgorithms(@Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms) { + public KeySpecBuilder overridePreferredSymmetricKeyAlgorithms( + @Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms) { this.preferredSymmetricAlgorithms = new LinkedHashSet<>(Arrays.asList(preferredSymmetricKeyAlgorithms)); return this; } @@ -66,39 +69,12 @@ public class KeySpecBuilder implements KeySpecBuilderInterface { @Override public KeySpec build() { - this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(keyFlags)); - this.hashedSubPackets.setPreferredCompressionAlgorithms(false, getPreferredCompressionAlgorithmIDs()); - this.hashedSubPackets.setPreferredHashAlgorithms(false, getPreferredHashAlgorithmIDs()); - this.hashedSubPackets.setPreferredSymmetricAlgorithms(false, getPreferredSymmetricKeyAlgorithmIDs()); - this.hashedSubPackets.setFeature(false, Feature.MODIFICATION_DETECTION.getFeatureId()); + this.hashedSubpackets.setKeyFlags(keyFlags); + this.hashedSubpackets.setPreferredCompressionAlgorithms(preferredCompressionAlgorithms); + this.hashedSubpackets.setPreferredHashAlgorithms(preferredHashAlgorithms); + this.hashedSubpackets.setPreferredSymmetricKeyAlgorithms(preferredSymmetricAlgorithms); + this.hashedSubpackets.setFeatures(Feature.MODIFICATION_DETECTION); - return new KeySpec(type, hashedSubPackets, false); - } - - private int[] getPreferredCompressionAlgorithmIDs() { - int[] ids = new int[preferredCompressionAlgorithms.size()]; - Iterator iterator = preferredCompressionAlgorithms.iterator(); - for (int i = 0; i < ids.length; i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return ids; - } - - private int[] getPreferredHashAlgorithmIDs() { - int[] ids = new int[preferredHashAlgorithms.size()]; - Iterator iterator = preferredHashAlgorithms.iterator(); - for (int i = 0; i < ids.length; i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return ids; - } - - private int[] getPreferredSymmetricKeyAlgorithmIDs() { - int[] ids = new int[preferredSymmetricAlgorithms.size()]; - Iterator iterator = preferredSymmetricAlgorithms.iterator(); - for (int i = 0; i < ids.length; i++) { - ids[i] = iterator.next().getAlgorithmId(); - } - return ids; + return new KeySpec(type, (SignatureSubpackets) hashedSubpackets, false); } } From 6a137698c43c91c20dcc46f48d45ed1116a37182 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 20 Nov 2021 21:12:12 +0100 Subject: [PATCH 0142/1450] Wip: Add test for signature structure, set fingerprint on primary user-id self sig --- .../key/generation/KeyRingBuilder.java | 61 ++++++++++++++----- .../KeyGenerationSubpacketsTest.java | 32 ++++++++++ 2 files changed, 77 insertions(+), 16 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 13baf553..3f22174e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -14,10 +14,11 @@ import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Date; import java.util.Iterator; -import java.util.LinkedHashSet; +import java.util.LinkedHashMap; import java.util.List; -import java.util.Set; +import java.util.Map; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.bouncycastle.bcpg.sig.KeyFlags; import org.bouncycastle.openpgp.PGPException; @@ -44,6 +45,7 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.provider.ProviderFactory; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.util.Passphrase; @@ -54,7 +56,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { private KeySpec primaryKeySpec; private final List subkeySpecs = new ArrayList<>(); - private final Set userIds = new LinkedHashSet<>(); + private final Map userIds = new LinkedHashMap<>(); private Passphrase passphrase = Passphrase.emptyPassphrase(); private Date expirationDate = null; @@ -73,7 +75,14 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { @Override public KeyRingBuilder addUserId(@Nonnull String userId) { - this.userIds.add(userId.trim()); + this.userIds.put(userId.trim(), null); + return this; + } + + public KeyRingBuilder addUserId( + @Nonnull String userId, + @Nullable SelfSignatureSubpackets.Callback subpacketsCallback) { + this.userIds.put(userId.trim(), subpacketsCallback); return this; } @@ -135,6 +144,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { // Prepare primary user-id sig SignatureSubpackets hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator(); + hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.getPublicKey()); hashedSubPacketGenerator.setPrimaryUserId(); if (expirationDate != null) { hashedSubPacketGenerator.setKeyExpirationTime(certKey.getPublicKey(), expirationDate); @@ -143,7 +153,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { SignatureSubpacketsHelper.applyTo(hashedSubPacketGenerator, generator); PGPSignatureSubpacketVector hashedSubPackets = generator.generate(); - PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, keyFingerprintCalculator, hashedSubPackets, secretKeyEncryptor); + PGPKeyRingGenerator ringGenerator = buildRingGenerator( + certKey, signer, keyFingerprintCalculator, hashedSubPackets, secretKeyEncryptor); addSubKeys(certKey, ringGenerator); // Generate secret key ring with only primary user id @@ -154,15 +165,27 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { // Attempt to add additional user-ids to the primary public key PGPPublicKey primaryPubKey = secretKeys.next().getPublicKey(); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeyRing.getSecretKey(), secretKeyDecryptor); - Iterator userIdIterator = this.userIds.iterator(); + Iterator> userIdIterator = + this.userIds.entrySet().iterator(); userIdIterator.next(); // Skip primary user id while (userIdIterator.hasNext()) { - String additionalUserId = userIdIterator.next(); + Map.Entry additionalUserId = userIdIterator.next(); + String userIdString = additionalUserId.getKey(); + SelfSignatureSubpackets.Callback callback = additionalUserId.getValue(); + SelfSignatureSubpackets subpackets = null; + if (callback == null) { + subpackets = hashedSubPacketGenerator; + } else { + subpackets = SignatureSubpackets.createHashedSubpackets(primaryPubKey); + callback.modifyHashedSubpackets(subpackets); + } signatureGenerator.init(SignatureType.POSITIVE_CERTIFICATION.getCode(), privateKey); + signatureGenerator.setHashedSubpackets( + SignatureSubpacketsHelper.toVector((SignatureSubpackets) subpackets)); PGPSignature additionalUserIdSignature = - signatureGenerator.generateCertification(additionalUserId, primaryPubKey); + signatureGenerator.generateCertification(userIdString, primaryPubKey); primaryPubKey = PGPPublicKey.addCertification(primaryPubKey, - additionalUserId, additionalUserIdSignature); + userIdString, additionalUserIdSignature); } // "reassemble" secret key ring with modified primary key @@ -183,7 +206,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { PGPSignatureSubpacketVector hashedSubPackets, PBESecretKeyEncryptor secretKeyEncryptor) throws PGPException { - String primaryUserId = userIds.iterator().next(); + String primaryUserId = userIds.entrySet().iterator().next().getKey(); return new PGPKeyRingGenerator( SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey, primaryUserId, keyFingerprintCalculator, @@ -199,7 +222,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } else { PGPSignatureSubpacketVector hashedSubpackets = subKeySpec.getSubpackets(); try { - hashedSubpackets = addPrimaryKeyBindingSignatureIfNecessary(primaryKey, subKey, hashedSubpackets); + hashedSubpackets = addPrimaryKeyBindingSignatureIfNecessary( + primaryKey, subKey, hashedSubpackets); } catch (IOException e) { throw new PGPException("Exception while adding primary key binding signature to signing subkey", e); } @@ -208,10 +232,12 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } } - private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary(PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) + private PGPSignatureSubpacketVector addPrimaryKeyBindingSignatureIfNecessary( + PGPKeyPair primaryKey, PGPKeyPair subKey, PGPSignatureSubpacketVector hashedSubpackets) throws PGPException, IOException { int keyFlagMask = hashedSubpackets.getKeyFlags(); - if (!KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.SIGN_DATA) && !KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.CERTIFY_OTHER)) { + if (!KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.SIGN_DATA) && + !KeyFlag.hasKeyFlag(keyFlagMask, KeyFlag.CERTIFY_OTHER)) { return hashedSubpackets; } @@ -224,14 +250,16 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { } private PGPContentSignerBuilder buildContentSigner(PGPKeyPair certKey) { - HashAlgorithm hashAlgorithm = PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); + HashAlgorithm hashAlgorithm = PGPainless.getPolicy() + .getSignatureHashAlgorithmPolicy().defaultHashAlgorithm(); return ImplementationFactory.getInstance().getPGPContentSignerBuilder( certKey.getPublicKey().getAlgorithm(), hashAlgorithm.getAlgorithmId()); } private PBESecretKeyEncryptor buildSecretKeyEncryptor(PGPDigestCalculator keyFingerprintCalculator) { - SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy() + SymmetricKeyAlgorithm keyEncryptionAlgorithm = PGPainless.getPolicy() + .getSymmetricKeyEncryptionAlgorithmPolicy() .getDefaultSymmetricKeyAlgorithm(); if (!passphrase.isValid()) { throw new IllegalStateException("Passphrase was cleared."); @@ -261,7 +289,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { KeyPair keyPair = certKeyGenerator.generateKeyPair(); // Form PGP key pair - PGPKeyPair pgpKeyPair = ImplementationFactory.getInstance().getPGPKeyPair(type.getAlgorithm(), keyPair, new Date()); + PGPKeyPair pgpKeyPair = ImplementationFactory.getInstance() + .getPGPKeyPair(type.getAlgorithm(), keyPair, new Date()); return pgpKeyPair; } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java new file mode 100644 index 00000000..4371b84c --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -0,0 +1,32 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.generation; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import static org.junit.jupiter.api.Assertions.assertNotNull; + +public class KeyGenerationSubpacketsTest { + + @Test + public void verifyDefaultSubpackets() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + PGPSignature userIdSig = info.getLatestUserIdCertification("Alice"); + assertNotNull(userIdSig); + assertNotNull(userIdSig.getHashedSubPackets().getIssuerFingerprint()); + + } +} From 9e715aabfe123bf8fabb5a5e0efdb69e6d7f5eea Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 22:25:45 +0100 Subject: [PATCH 0143/1450] Test signature subpackets and fix bug for missing user-id sig --- .../secretkeyring/SecretKeyRingEditor.java | 66 ++++++-- .../SecretKeyRingEditorInterface.java | 5 + .../KeyGenerationSubpacketsTest.java | 145 ++++++++++++++++-- 3 files changed, 197 insertions(+), 19 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 4cafe337..88d67440 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -16,6 +16,7 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.NoSuchElementException; +import java.util.Set; import javax.annotation.Nonnull; import javax.annotation.Nullable; @@ -36,10 +37,14 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.AlgorithmSuite; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpFingerprint; @@ -101,9 +106,31 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); List keyFlags = info.getKeyFlagsOf(info.getKeyId()); + Set hashAlgorithmPreferences; + Set symmetricKeyAlgorithmPreferences; + Set compressionAlgorithmPreferences; + try { + hashAlgorithmPreferences = info.getPreferredHashAlgorithms(); + symmetricKeyAlgorithmPreferences = info.getPreferredSymmetricKeyAlgorithms(); + compressionAlgorithmPreferences = info.getPreferredCompressionAlgorithms(); + } catch (IllegalStateException e) { + // missing user-id sig + AlgorithmSuite algorithmSuite = AlgorithmSuite.getDefaultAlgorithmSuite(); + hashAlgorithmPreferences = algorithmSuite.getHashAlgorithms(); + symmetricKeyAlgorithmPreferences = algorithmSuite.getSymmetricKeyAlgorithms(); + compressionAlgorithmPreferences = algorithmSuite.getCompressionAlgorithms(); + } + SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); + + // Retain signature subpackets of previous signatures builder.getHashedSubpackets().setKeyFlags(keyFlags); + builder.getHashedSubpackets().setPreferredHashAlgorithms(hashAlgorithmPreferences); + builder.getHashedSubpackets().setPreferredSymmetricKeyAlgorithms(symmetricKeyAlgorithmPreferences); + builder.getHashedSubpackets().setPreferredCompressionAlgorithms(compressionAlgorithmPreferences); + builder.getHashedSubpackets().setFeatures(Feature.MODIFICATION_DETECTION); + builder.applyCallback(signatureSubpacketCallback); PGPSignature signature = builder.build(primaryKey.getPublicKey(), userId); @@ -121,9 +148,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, - @Nonnull Passphrase subKeyPassphrase, - SecretKeyRingProtector secretKeyRingProtector) + public SecretKeyRingEditorInterface addSubKey( + @Nonnull KeySpec keySpec, + @Nonnull Passphrase subKeyPassphrase, + SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); @@ -146,12 +174,32 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface addSubKey(PGPKeyPair subkey, - @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector subkeyProtector, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag keyFlag, - KeyFlag... additionalKeyFlags) + public SecretKeyRingEditorInterface addSubKey( + @Nonnull KeySpec keySpec, + @Nullable Passphrase subkeyPassphrase, + @Nullable SelfSignatureSubpackets.Callback subpacketsCallback, + SecretKeyRingProtector secretKeyRingProtector) + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); + + SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector + .forKeyId(keyPair.getKeyID(), subkeyPassphrase); + + List keyFlags = KeyFlag.fromBitmask(keySpec.getSubpackets().getKeyFlags()); + KeyFlag firstFlag = keyFlags.remove(0); + KeyFlag[] otherFlags = keyFlags.toArray(new KeyFlag[0]); + + return addSubKey(keyPair, subpacketsCallback, subKeyProtector, secretKeyRingProtector, firstFlag, otherFlags); + } + + @Override + public SecretKeyRingEditorInterface addSubKey( + PGPKeyPair subkey, + @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, + SecretKeyRingProtector subkeyProtector, + SecretKeyRingProtector primaryKeyProtector, + KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) throws PGPException, IOException { KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index f2a64190..67974ade 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -67,6 +67,11 @@ public interface SecretKeyRingEditorInterface { SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException; + SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, + @Nullable Passphrase subkeyPassphrase, + @Nullable SelfSignatureSubpackets.Callback subpacketsCallback, + SecretKeyRingProtector secretKeyRingProtector) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException; + SecretKeyRingEditorInterface addSubKey(PGPKeyPair subkey, @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, SecretKeyRingProtector subkeyProtector, diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 4371b84c..5451a4dc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -4,29 +4,154 @@ package org.pgpainless.key.generation; -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSignature; -import org.junit.jupiter.api.Test; -import org.pgpainless.PGPainless; -import org.pgpainless.key.info.KeyRingInfo; +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertTrue; +import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; -import static org.junit.jupiter.api.Assertions.assertNotNull; +import org.bouncycastle.bcpg.sig.IssuerFingerprint; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.eddsa.EdDSACurve; +import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class KeyGenerationSubpacketsTest { @Test - public void verifyDefaultSubpackets() + public void verifyDefaultSubpacketsForUserIdSignatures() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); PGPSignature userIdSig = info.getLatestUserIdCertification("Alice"); assertNotNull(userIdSig); - assertNotNull(userIdSig.getHashedSubPackets().getIssuerFingerprint()); + int keyFlags = userIdSig.getHashedSubPackets().getKeyFlags(); + int[] preferredHashAlgorithms = userIdSig.getHashedSubPackets().getPreferredHashAlgorithms(); + int[] preferredSymmetricAlgorithms = userIdSig.getHashedSubPackets().getPreferredSymmetricAlgorithms(); + int[] preferredCompressionAlgorithms = userIdSig.getHashedSubPackets().getPreferredCompressionAlgorithms(); + assureSignatureHasDefaultSubpackets(userIdSig, secretKeys, KeyFlag.CERTIFY_OTHER); + assertTrue(userIdSig.getHashedSubPackets().isPrimaryUserID()); + assertEquals("Alice", info.getPrimaryUserId()); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Bob", + new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setPrimaryUserId(); + } + }, + SecretKeyRingProtector.unprotectedKeys()) + .addUserId("Alice", SecretKeyRingProtector.unprotectedKeys()) + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + + userIdSig = info.getLatestUserIdCertification("Alice"); + assertNotNull(userIdSig); + assureSignatureHasDefaultSubpackets(userIdSig, secretKeys, KeyFlag.CERTIFY_OTHER); + assertFalse(userIdSig.getHashedSubPackets().isPrimaryUserID()); + assertEquals(keyFlags, userIdSig.getHashedSubPackets().getKeyFlags()); + assertArrayEquals(preferredHashAlgorithms, userIdSig.getHashedSubPackets().getPreferredHashAlgorithms()); + assertArrayEquals(preferredSymmetricAlgorithms, userIdSig.getHashedSubPackets().getPreferredSymmetricAlgorithms()); + assertArrayEquals(preferredCompressionAlgorithms, userIdSig.getHashedSubPackets().getPreferredCompressionAlgorithms()); + + userIdSig = info.getLatestUserIdCertification("Bob"); + assertNotNull(userIdSig); + assureSignatureHasDefaultSubpackets(userIdSig, secretKeys, KeyFlag.CERTIFY_OTHER); + assertTrue(userIdSig.getHashedSubPackets().isPrimaryUserID()); + assertArrayEquals(preferredHashAlgorithms, userIdSig.getHashedSubPackets().getPreferredHashAlgorithms()); + assertArrayEquals(preferredSymmetricAlgorithms, userIdSig.getHashedSubPackets().getPreferredSymmetricAlgorithms()); + assertArrayEquals(preferredCompressionAlgorithms, userIdSig.getHashedSubPackets().getPreferredCompressionAlgorithms()); + + assertEquals("Bob", info.getPrimaryUserId()); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Alice", new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setPrimaryUserId(); + hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA1); + } + }, SecretKeyRingProtector.unprotectedKeys()) + .done(); + info = PGPainless.inspectKeyRing(secretKeys); + assertEquals("Alice", info.getPrimaryUserId()); + assertEquals(Collections.singleton(HashAlgorithm.SHA1), info.getPreferredHashAlgorithms("Alice")); + } + + @Test + public void verifyDefaultSubpacketsForSubkeyBindingSignatures() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + List keysBefore = info.getPublicKeys(); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build(), null, SecretKeyRingProtector.unprotectedKeys()) + .done(); + + + info = PGPainless.inspectKeyRing(secretKeys); + List keysAfter = new ArrayList<>(info.getPublicKeys()); + keysAfter.removeAll(keysBefore); + assertEquals(1, keysAfter.size()); + PGPPublicKey newSigningKey = keysAfter.get(0); + + PGPSignature bindingSig = info.getCurrentSubkeyBindingSignature(newSigningKey.getKeyID()); + assertNotNull(bindingSig); + assureSignatureHasDefaultSubpackets(bindingSig, secretKeys, KeyFlag.SIGN_DATA); + assertNotNull(bindingSig.getHashedSubPackets().getEmbeddedSignatures().get(0)); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), null, + new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setIssuerFingerprint((IssuerFingerprint) null); + } + }, SecretKeyRingProtector.unprotectedKeys()) + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + keysAfter = new ArrayList<>(info.getPublicKeys()); + keysAfter.removeAll(keysBefore); + keysAfter.remove(newSigningKey); + assertEquals(1, keysAfter.size()); + PGPPublicKey newEncryptionKey = keysAfter.get(0); + bindingSig = info.getCurrentSubkeyBindingSignature(newEncryptionKey.getKeyID()); + assertNotNull(bindingSig); + assertNull(bindingSig.getHashedSubPackets().getIssuerFingerprint()); + assertEquals(KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS), bindingSig.getHashedSubPackets().getKeyFlags()); + } + + private void assureSignatureHasDefaultSubpackets(PGPSignature signature, PGPSecretKeyRing secretKeys, KeyFlag... keyFlags) { + PGPSignatureSubpacketVector hashedSubpackets = signature.getHashedSubPackets(); + assertNotNull(hashedSubpackets.getIssuerFingerprint()); + assertEquals(secretKeys.getPublicKey().getKeyID(), hashedSubpackets.getIssuerKeyID()); + assertArrayEquals( + secretKeys.getPublicKey().getFingerprint(), + hashedSubpackets.getIssuerFingerprint().getFingerprint()); + assertEquals(hashedSubpackets.getKeyFlags(), KeyFlag.toBitmask(keyFlags)); } } From 398ca5f9a5a86ab3bd01cca696a9103ca210ec4c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 22:39:30 +0100 Subject: [PATCH 0144/1450] PGPainless 1.0.0-rc3 --- CHANGELOG.md | 15 +++++++++++++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e8f16f7..b3be1a68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,21 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc3 +- New Signature builder API for more fine-grained control over key-signatures: + - Introduce `CertificationSignatureSubpackets` builder class to wrap `PGPSignatureSubpacketGenerator` for + certification style signatures. + - Introduce `SelfSignatureSubpackets` builder class for self-signatures. + - Introduce `RevocationSignatureSubpackets` builder class for revocation signatures. + - Introduce `CertificationSignatureSubpackets.Callback`, `SelfSignatureSubpackets.Callback` and + `RevocationSignatureSubpackets.Callback` to allow modification of signature subpackets by the user. + - Incorporate `*SignatureSubpackets.Callback` classes as arguments in `SecretKeyRingEditor` and `KeyRingBuilder` methods. +- Start working on `ProofUtil` to create KeyOxide style identity proofs (WIP) +- Move Signature verification related code to `org.pgpainless.signature.consumer` package +- Ensure keyflags and other common subpackets are set in new signatures when adding user-ids +- Ensure subkey can carry keyflag when adding it to a key +- Refactor `SecretKeyRingProtector` methods and code + ## 1.0.0-rc2 - `SecretKeyRingEditor`: Remove support for user-id- and subkey *deletion* in favor of *revocation* - Deletion causes all sorts of problems. Most notably, receiving implementations will not honor deletion of user-ids/subkeys. diff --git a/README.md b/README.md index 086deb62..53fa420d 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc2' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc3' } ``` diff --git a/version.gradle b/version.gradle index 8599cf8c..cc02cb19 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc3' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 7c27d60dbff4a94091371999905d4fb698f176d7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 22:44:08 +0100 Subject: [PATCH 0145/1450] PGPainless-1.0.0-rc4-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index cc02cb19..9147c2c9 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc3' - isSnapshot = false + shortVersion = '1.0.0-rc4' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 4b2089b42bfc96f3d421fb9f9037c273e72327a4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 23:02:23 +0100 Subject: [PATCH 0146/1450] Fix key ring builder adding additional user-ids as primary --- .../main/java/org/pgpainless/key/generation/KeyRingBuilder.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 3f22174e..b45baeb3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -175,6 +175,8 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { SelfSignatureSubpackets subpackets = null; if (callback == null) { subpackets = hashedSubPacketGenerator; + subpackets.setPrimaryUserId(null); + // additional user-ids are not primary } else { subpackets = SignatureSubpackets.createHashedSubpackets(primaryPubKey); callback.modifyHashedSubpackets(subpackets); From 661b25a9738a1a0adff2cf3c16f53034cb686314 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 23:03:11 +0100 Subject: [PATCH 0147/1450] PGPainless 1.0.0-rc4 --- CHANGELOG.md | 3 +++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3be1a68..6fb89d9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc4 +- Fix bug where `KeyRingBuilder` would mark additional user-ids as primary + ## 1.0.0-rc3 - New Signature builder API for more fine-grained control over key-signatures: - Introduce `CertificationSignatureSubpackets` builder class to wrap `PGPSignatureSubpacketGenerator` for diff --git a/README.md b/README.md index 53fa420d..609595e5 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc3' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc4' } ``` diff --git a/version.gradle b/version.gradle index 9147c2c9..a17598cf 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc4' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 51311581f956bc519d6b223563a79cd3040b4a4d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 21 Nov 2021 23:12:15 +0100 Subject: [PATCH 0148/1450] PGPainless-1.0.0-rc5-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index a17598cf..bb4c88ea 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc4' - isSnapshot = false + shortVersion = '1.0.0-rc5' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 50f565dd8c3173ba281b16b73648630f72153ab3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 22 Nov 2021 19:20:04 +0100 Subject: [PATCH 0149/1450] Add methods to sign messages with custom subpackets --- .../encryption_signing/SigningOptions.java | 79 ++++++++++++++++--- .../subpackets/BaseSignatureSubpackets.java | 2 +- 2 files changed, 69 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index 39962724..6f342429 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -10,6 +10,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; +import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; @@ -18,7 +19,6 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignatureGenerator; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; @@ -33,6 +33,9 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.policy.Policy; +import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; public final class SigningOptions { @@ -152,6 +155,31 @@ public final class SigningOptions { String userId, DocumentSignatureType signatureType) throws KeyValidationError, PGPException { + return addInlineSignature(secretKeyDecryptor, secretKey, userId, signatureType, null); + } + + /** + * Add an inline-signature. + * Inline signatures are being embedded into the message itself and can be processed in one pass, thanks to the use + * of one-pass-signature packets. + * + * This method uses the passed in user-id to select user-specific hash algorithms. + * + * @param secretKeyDecryptor decryptor to unlock the signing secret key + * @param secretKey signing key + * @param userId user-id of the signer + * @param signatureType signature type (binary, canonical text) + * @param subpacketsCallback callback to modify the hashed and unhashed subpackets of the signature + * @return this + * @throws KeyValidationError if the key is invalid + * @throws PGPException if the key cannot be unlocked or the signing method cannot be created + */ + public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor, + PGPSecretKeyRing secretKey, + String userId, + DocumentSignatureType signatureType, + @Nullable BaseSignatureSubpackets.Callback subpacketsCallback) + throws KeyValidationError, PGPException { KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date()); if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw new KeyValidationError(userId, keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId)); @@ -168,7 +196,7 @@ public final class SigningOptions { Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId) : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID()); HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy()); - addSigningMethod(secretKey, signingSubkey, hashAlgorithm, signatureType, false); + addSigningMethod(secretKey, signingSubkey, subpacketsCallback, hashAlgorithm, signatureType, false); } return this; @@ -232,6 +260,31 @@ public final class SigningOptions { String userId, DocumentSignatureType signatureType) throws PGPException { + return addDetachedSignature(secretKeyDecryptor, secretKey, userId, signatureType, null); + } + + /** + * Create a detached signature. + * Detached signatures are not being added into the PGP message itself. + * Instead they can be distributed separately to the message. + * Detached signatures are useful if the data that is being signed shall not be modified (eg. when signing a file). + * + * This method uses the passed in user-id to select user-specific hash algorithms. + * + * @param secretKeyDecryptor decryptor to unlock the secret signing key + * @param secretKey signing key + * @param userId user-id + * @param signatureType type of data that is signed (binary, canonical text) + * @param subpacketCallback callback to modify hashed and unhashed subpackets of the signature + * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created + * @return this + */ + public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor, + PGPSecretKeyRing secretKey, + String userId, + DocumentSignatureType signatureType, + @Nullable BaseSignatureSubpackets.Callback subpacketCallback) + throws PGPException { KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date()); if (userId != null && !keyRingInfo.isUserIdValid(userId)) { throw new KeyValidationError(userId, keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId)); @@ -248,7 +301,7 @@ public final class SigningOptions { Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId) : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID()); HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy()); - addSigningMethod(secretKey, signingSubkey, hashAlgorithm, signatureType, true); + addSigningMethod(secretKey, signingSubkey, subpacketCallback, hashAlgorithm, signatureType, true); } return this; @@ -256,6 +309,7 @@ public final class SigningOptions { private void addSigningMethod(PGPSecretKeyRing secretKey, PGPPrivateKey signingSubkey, + @Nullable BaseSignatureSubpackets.Callback subpacketCallback, HashAlgorithm hashAlgorithm, DocumentSignatureType signatureType, boolean detached) @@ -263,7 +317,17 @@ public final class SigningOptions { SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID()); PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID()); PGPSignatureGenerator generator = createSignatureGenerator(signingSubkey, hashAlgorithm, signatureType); - generator.setUnhashedSubpackets(unhashedSubpackets(signingSecretKey).generate()); + + // Subpackets + SignatureSubpackets hashedSubpackets = SignatureSubpackets.createHashedSubpackets(signingSecretKey.getPublicKey()); + SignatureSubpackets unhashedSubpackets = SignatureSubpackets.createEmptySubpackets(); + if (subpacketCallback != null) { + subpacketCallback.modifyHashedSubpackets(hashedSubpackets); + subpacketCallback.modifyUnhashedSubpackets(unhashedSubpackets); + } + generator.setHashedSubpackets(SignatureSubpacketsHelper.toVector(hashedSubpackets)); + generator.setUnhashedSubpackets(SignatureSubpacketsHelper.toVector(unhashedSubpackets)); + SigningMethod signingMethod = detached ? SigningMethod.detachedSignature(generator, hashAlgorithm) : SigningMethod.inlineSignature(generator, hashAlgorithm); @@ -304,13 +368,6 @@ public final class SigningOptions { return signatureGenerator; } - private PGPSignatureSubpacketGenerator unhashedSubpackets(PGPSecretKey key) { - PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator(); - generator.setIssuerKeyID(false, key.getKeyID()); - generator.setIssuerFingerprint(false, key); - return generator; - } - /** * Return a map of key-ids and signing methods. * For internal use. diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java index dd04117f..9e882d22 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java @@ -28,7 +28,7 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm; public interface BaseSignatureSubpackets { - interface Callback extends SignatureSubpacketCallback { + interface Callback extends SignatureSubpacketCallback { } From 16e283f3a6cc4e964c01c884fc79472132da51ef Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 14:51:16 +0100 Subject: [PATCH 0150/1450] Fix unvalid cursor mark for large cleartext signed messages Fixes #219, #220 --- .../ConsumerOptions.java | 17 ++++++ .../DecryptionStreamFactory.java | 9 ++- .../SignatureInputStream.java | 6 +- .../CleartextSignatureProcessor.java | 4 +- .../CleartextSignatureVerificationTest.java | 57 +++++++++++++++++++ 5 files changed, 88 insertions(+), 5 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index 1884ee92..a80d1fee 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -53,6 +53,7 @@ public class ConsumerOptions { private MissingKeyPassphraseStrategy missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE; private MultiPassStrategy multiPassStrategy = new InMemoryMultiPassStrategy(); + private boolean cleartextSigned; /** * Consider signatures on the message made before the given timestamp invalid. @@ -352,4 +353,20 @@ public class ConsumerOptions { public MultiPassStrategy getMultiPassStrategy() { return multiPassStrategy; } + + /** + * INTERNAL method to mark cleartext signed messages. + * Do not call this manually. + */ + public void setIsCleartextSigned() { + this.cleartextSigned = true; + } + + /** + * Return true if the message is cleartext signed. + * @return cleartext signed + */ + public boolean isCleartextSigned() { + return this.cleartextSigned; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 72707037..560a4d39 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -16,6 +16,7 @@ import java.util.List; import java.util.Map; import java.util.Set; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.bouncycastle.bcpg.ArmoredInputStream; import org.bouncycastle.openpgp.PGPCompressedData; @@ -126,6 +127,12 @@ public final class DecryptionStreamFactory { InputStream decoderStream; PGPObjectFactory objectFactory; + if (options.isCleartextSigned()) { + inputStream = wrapInVerifySignatureStream(bufferedIn, null); + return new DecryptionStream(inputStream, resultBuilder, integrityProtectedEncryptedInputStream, + null); + } + try { decoderStream = PGPUtilWrapper.getDecoderStream(bufferedIn); decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream); @@ -170,7 +177,7 @@ public final class DecryptionStreamFactory { (decoderStream instanceof ArmoredInputStream) ? decoderStream : null); } - private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, PGPObjectFactory objectFactory) { + private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) { return new SignatureInputStream.VerifySignatures( bufferedIn, objectFactory, onePassSignatureChecks, onePassSignaturesWithMissingCert, detachedSignatureChecks, options, diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index cd8682df..44a4a468 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -12,6 +12,7 @@ import java.io.InputStream; import java.util.List; import java.util.Map; import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -46,7 +47,7 @@ public abstract class SignatureInputStream extends FilterInputStream { public VerifySignatures( InputStream literalDataStream, - PGPObjectFactory objectFactory, + @Nullable PGPObjectFactory objectFactory, List opSignatures, Map onePassSignaturesWithMissingCert, List detachedSignatures, @@ -93,6 +94,9 @@ public abstract class SignatureInputStream extends FilterInputStream { } public void parseAndCombineSignatures() throws IOException { + if (objectFactory == null) { + return; + } // Parse signatures from message PGPSignatureList signatures; try { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index 87facea7..352321ca 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -6,7 +6,6 @@ package org.pgpainless.decryption_verification.cleartext_signatures; import java.io.IOException; import java.io.InputStream; -import java.util.logging.Logger; import org.bouncycastle.bcpg.ArmoredInputStream; import org.bouncycastle.openpgp.PGPException; @@ -27,8 +26,6 @@ import org.pgpainless.util.ArmoredInputStreamFactory; */ public class CleartextSignatureProcessor { - private static final Logger LOGGER = Logger.getLogger(CleartextSignatureProcessor.class.getName()); - private final ArmoredInputStream in; private final ConsumerOptions options; @@ -71,6 +68,7 @@ public class CleartextSignatureProcessor { options.addVerificationOfDetachedSignature(signature); } + options.setIsCleartextSigned(); return PGPainless.decryptAndOrVerify() .onInputStream(multiPassStrategy.getMessageInputStream()) .withOptions(options); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 0fa5e9e4..7ca8592f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -15,6 +15,9 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.Random; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; @@ -72,6 +75,9 @@ public class CleartextSignatureVerificationTest { "=Z2SO\n" + "-----END PGP SIGNATURE-----").getBytes(StandardCharsets.UTF_8); + public static final String alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + public static final Random random = new Random(); + @Test public void cleartextSignVerification_InMemoryMultiPassStrategy() throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); @@ -228,4 +234,55 @@ public class CleartextSignatureVerificationTest { OpenPgpMetadata metadata = verificationStream.getResult(); assertTrue(metadata.isVerified()); } + + @Test + public void testDecryptionOfVeryLongClearsignedMessage() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + String message = randomString(28, 4000); + + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + EncryptionStream encryptionStream = PGPainless.encryptAndOrSign() + .onOutputStream(out) + .withOptions(ProducerOptions.sign( + SigningOptions.get() + .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), + secretKeys, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT) + ).setCleartextSigned()); + + Streams.pipeAll(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)), encryptionStream); + encryptionStream.close(); + + String cleartextSigned = out.toString(); + + ByteArrayInputStream in = new ByteArrayInputStream(cleartextSigned.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(in) + .withOptions(new ConsumerOptions() + .addVerificationCert(PGPainless.extractCertificate(secretKeys))); + + out = new ByteArrayOutputStream(); + Streams.pipeAll(decryptionStream, out); + decryptionStream.close(); + } + + private String randomString(int maxWordLen, int wordCount) { + StringBuilder sb = new StringBuilder(); + for (int i = 0; i < wordCount; i++) { + sb.append(randomWord(maxWordLen)).append(' '); + int n = random.nextInt(12); + if (n == 11) { + sb.append('\n'); + } + } + return sb.toString(); + } + + private String randomWord(int maxWordLen) { + int len = random.nextInt(maxWordLen); + char[] word = new char[len]; + for (int i = 0; i < word.length; i++) { + word[i] = alphabet.charAt(random.nextInt(alphabet.length())); + } + return new String(word); + } } From cc16a3da88ed5777350076c9cacde526785cb137 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 15:07:54 +0100 Subject: [PATCH 0151/1450] Add overloaded method for user-id revocation using SelectUserId --- .../secretkeyring/SecretKeyRingEditor.java | 16 ++++- .../SecretKeyRingEditorInterface.java | 6 ++ .../key/modification/RevokeUserIdsTest.java | 62 +++++++++++++++++++ 3 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 88d67440..25550dbf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -72,6 +72,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.selection.userid.SelectUserId; public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @@ -391,12 +392,25 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return doRevokeUserId(userId, secretKeyRingProtector, subpacketCallback); } + @Override + public SecretKeyRingEditorInterface revokeUserIds(SelectUserId userIdSelector, SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { + List selected = userIdSelector.selectUserIds(secretKeyRing); + if (selected.isEmpty()) { + throw new NoSuchElementException("No matching user-ids found on the key."); + } + + for (String userId : selected) { + doRevokeUserId(userId, secretKeyRingProtector, subpacketsCallback); + } + + return this; + } + private SecretKeyRingEditorInterface doRevokeUserId(String userId, SecretKeyRingProtector protector, @Nullable RevocationSignatureSubpackets.Callback callback) throws PGPException { PGPSecretKey primarySecretKey = secretKeyRing.getSecretKey(); - PGPPublicKey primaryPublicKey = primarySecretKey.getPublicKey(); RevocationSignatureBuilder signatureBuilder = new RevocationSignatureBuilder( SignatureType.CERTIFICATION_REVOCATION, primarySecretKey, diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 67974ade..0e662a50 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -25,6 +25,7 @@ import org.pgpainless.key.util.UserId; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.selection.userid.SelectUserId; public interface SecretKeyRingEditorInterface { @@ -207,6 +208,11 @@ public interface SecretKeyRingEditorInterface { @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) throws PGPException; + SecretKeyRingEditorInterface revokeUserIds(SelectUserId userIdSelector, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + throws PGPException; + /** * Set the expiration date for the primary key of the key ring. * If the key is supposed to never expire, then an expiration date of null is expected. diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java new file mode 100644 index 00000000..f5d070d7 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -0,0 +1,62 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.selection.userid.SelectUserId; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.NoSuchElementException; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class RevokeUserIdsTest { + + @Test + public void revokeWithSelectUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Allice ", protector) + .addUserId("Alice ", protector) + .done(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertTrue(info.isUserIdValid("Alice ")); + assertTrue(info.isUserIdValid("Allice ")); + assertTrue(info.isUserIdValid("Alice ")); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .revokeUserIds(SelectUserId.containsEmailAddress("alice@example.org"), protector, null) + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + assertTrue(info.isUserIdValid("Alice ")); + assertFalse(info.isUserIdValid("Allice ")); + assertFalse(info.isUserIdValid("Alice ")); + } + + @Test + public void emptySelectionYieldsNoSuchElementException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", null); + + assertThrows(NoSuchElementException.class, () -> + PGPainless.modifyKeyRing(secretKeys).revokeUserIds( + SelectUserId.containsEmailAddress("alice@example.org"), + SecretKeyRingProtector.unprotectedKeys(), + null)); + } +} From 96f6128dd3c1b21c6ca110367dc33c7420d4bb36 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 15:17:49 +0100 Subject: [PATCH 0152/1450] PGPainless 1.0.0-rc5 --- CHANGELOG.md | 4 ++++ README.md | 2 +- version.gradle | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fb89d9f..a9410ec3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc5 +- Fix invalid cursor mark in `BufferedInputStream` when processing large cleartext signed messages +- Add `SecretKeyRingEditor.revokeUserIds(SelectUserId, SecretKeyRingProtector, RevocationSignatureSubpackets.Callback)` + ## 1.0.0-rc4 - Fix bug where `KeyRingBuilder` would mark additional user-ids as primary diff --git a/README.md b/README.md index 609595e5..e951d935 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc4' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc5' } ``` diff --git a/version.gradle b/version.gradle index bb4c88ea..14c520a1 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc5' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From c4c67771740baec8b7813c51c3115fe9e84e4bf7 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 15:22:49 +0100 Subject: [PATCH 0153/1450] PGPainless-1.0.0-rc6-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 14c520a1..a5804425 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc5' - isSnapshot = false + shortVersion = '1.0.0-rc6' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 3b49840c9c2db6fbca7e873cc90c7e91ea492eb6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 18:32:50 +0100 Subject: [PATCH 0154/1450] Reuse GNUObjectIdentifiers.Ed25519 --- .../src/main/java/org/pgpainless/key/info/KeyInfo.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java index e34de8c9..1cc4b6c8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java @@ -5,6 +5,7 @@ package org.pgpainless.key.info; import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.gnu.GNUObjectIdentifiers; import org.bouncycastle.bcpg.ECDHPublicBCPGKey; import org.bouncycastle.bcpg.ECDSAPublicBCPGKey; import org.bouncycastle.bcpg.ECPublicBCPGKey; @@ -89,7 +90,7 @@ public class KeyInfo { ASN1ObjectIdentifier identifier = key.getCurveOID(); // Workaround for ECUtil not recognizing ed25519 - if (identifier.getId().equals("1.3.6.1.4.1.11591.15.1")) { + if (identifier.equals(GNUObjectIdentifiers.Ed25519)) { return EdDSACurve._Ed25519.getName(); } From 5364e21b5e2fc96c8a2708e88ba29e2e63dc43a8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 24 Nov 2021 18:46:29 +0100 Subject: [PATCH 0155/1450] WiP implementation of public key parameter validation --- .../exception/KeyIntegrityException.java | 12 ++ .../key/protection/UnlockSecretKey.java | 15 +- .../PublicKeyParameterValidationUtil.java | 172 ++++++++++++++++++ .../GenerateEllipticCurveKeyTest.java | 3 + 4 files changed, 199 insertions(+), 3 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java new file mode 100644 index 00000000..65ed3dea --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java @@ -0,0 +1,12 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.exception; + +public class KeyIntegrityException extends AssertionError { + + public KeyIntegrityException() { + super("Key Integrity Exception"); + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java index c68e4914..ce7bb5b6 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java @@ -9,8 +9,10 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; +import org.pgpainless.exception.KeyIntegrityException; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.info.KeyInfo; +import org.pgpainless.key.util.PublicKeyParameterValidationUtil; import org.pgpainless.util.Passphrase; public final class UnlockSecretKey { @@ -20,13 +22,20 @@ public final class UnlockSecretKey { } public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws WrongPassphraseException, KeyIntegrityException { try { PBESecretKeyDecryptor decryptor = null; if (KeyInfo.isEncrypted(secretKey)) { decryptor = protector.getDecryptor(secretKey.getKeyID()); } - return secretKey.extractPrivateKey(decryptor); + PGPPrivateKey privateKey = secretKey.extractPrivateKey(decryptor); + + if (secretKey.getPublicKey() != null) { + PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey()); + } + return privateKey; + } catch (KeyIntegrityException e) { + throw e; } catch (PGPException e) { throw new WrongPassphraseException(secretKey.getKeyID(), e); } @@ -40,7 +49,7 @@ public final class UnlockSecretKey { } } - public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) throws WrongPassphraseException { + public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) throws WrongPassphraseException, KeyIntegrityException { return unlockSecretKey(secretKey, SecretKeyRingProtector.unlockSingleKeyWith(passphrase, secretKey)); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java new file mode 100644 index 00000000..e2cf058f --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java @@ -0,0 +1,172 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.util; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.math.BigInteger; +import java.security.SecureRandom; + +import org.bouncycastle.bcpg.BCPGKey; +import org.bouncycastle.bcpg.DSAPublicBCPGKey; +import org.bouncycastle.bcpg.DSASecretBCPGKey; +import org.bouncycastle.bcpg.EdDSAPublicBCPGKey; +import org.bouncycastle.bcpg.EdSecretBCPGKey; +import org.bouncycastle.bcpg.RSAPublicBCPGKey; +import org.bouncycastle.bcpg.RSASecretBCPGKey; +import org.bouncycastle.openpgp.PGPEncryptedDataGenerator; +import org.bouncycastle.openpgp.PGPEncryptedDataList; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPrivateKey; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; +import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.io.Streams; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.exception.KeyIntegrityException; +import org.pgpainless.implementation.ImplementationFactory; + +public class PublicKeyParameterValidationUtil { + + public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey) + throws KeyIntegrityException, PGPException { + PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm()); + boolean valid = true; + // Additional to the algorithm-specific tests further below, we also perform + // generic functionality tests with the key, such as whether it is able to decrypt encrypted data + // or verify signatures. + // These tests should be more or less constant time. + if (publicKeyAlgorithm.isSigningCapable()) { + valid = verifyCanSign(privateKey, publicKey) && valid; + } + if (publicKeyAlgorithm.isEncryptionCapable()) { + valid = verifyCanDecrypt(privateKey, publicKey) && valid; + } + + // Algorithm specific validations + BCPGKey key = privateKey.getPrivateKeyDataPacket(); + if (key instanceof RSASecretBCPGKey) { + valid = verifyRSAKeyIntegrity( + (RSASecretBCPGKey) key, + (RSAPublicBCPGKey) publicKey.getPublicKeyPacket().getKey()) + && valid; + } else if (key instanceof EdSecretBCPGKey) { + valid = verifyEdDsaKeyIntegrity( + (EdSecretBCPGKey) key, + (EdDSAPublicBCPGKey) publicKey.getPublicKeyPacket().getKey()) + && valid; + } else if (key instanceof DSASecretBCPGKey) { + valid = verifyDsaKeyIntegrity( + (DSASecretBCPGKey) key, + (DSAPublicBCPGKey) publicKey.getPublicKeyPacket().getKey()) + && valid; + } + + // TODO: ElGamal + + if (!valid) { + throw new KeyIntegrityException(); + } + } + + private static boolean verifyCanSign(PGPPrivateKey privateKey, PGPPublicKey publicKey) throws PGPException { + SecureRandom random = new SecureRandom(); + PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm()); + PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKeyAlgorithm, HashAlgorithm.SHA256) + ); + + signatureGenerator.init(SignatureType.TIMESTAMP.getCode(), privateKey); + + byte[] data = new byte[512]; + random.nextBytes(data); + + signatureGenerator.update(data); + PGPSignature sig = signatureGenerator.generate(); + + sig.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), publicKey); + sig.update(data); + return sig.verify(); + } + + private static boolean verifyCanDecrypt(PGPPrivateKey privateKey, PGPPublicKey publicKey) { + SecureRandom random = new SecureRandom(); + PGPEncryptedDataGenerator encryptedDataGenerator = new PGPEncryptedDataGenerator( + ImplementationFactory.getInstance().getPGPDataEncryptorBuilder(SymmetricKeyAlgorithm.AES_256) + ); + encryptedDataGenerator.addMethod( + ImplementationFactory.getInstance().getPublicKeyKeyEncryptionMethodGenerator(publicKey)); + + byte[] data = new byte[1024]; + random.nextBytes(data); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + try { + OutputStream outputStream = encryptedDataGenerator.open(out, new byte[1024]); + outputStream.write(data); + encryptedDataGenerator.close(); + PGPEncryptedDataList encryptedDataList = new PGPEncryptedDataList(out.toByteArray()); + PublicKeyDataDecryptorFactory decryptorFactory = + ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey); + PGPPublicKeyEncryptedData encryptedData = + (PGPPublicKeyEncryptedData) encryptedDataList.getEncryptedDataObjects().next(); + InputStream decrypted = encryptedData.getDataStream(decryptorFactory); + out = new ByteArrayOutputStream(); + Streams.pipeAll(decrypted, out); + decrypted.close(); + } catch (IOException | PGPException e) { + return false; + } + + return Arrays.constantTimeAreEqual(data, out.toByteArray()); + } + + private static boolean verifyEdDsaKeyIntegrity(EdSecretBCPGKey privateKey, EdDSAPublicBCPGKey publicKey) + throws KeyIntegrityException { + // TODO: Implement + return true; + } + + private static boolean verifyDsaKeyIntegrity(DSASecretBCPGKey privateKey, DSAPublicBCPGKey publicKey) + throws KeyIntegrityException { + // Not sure what value to put here in order to have a "robust" primality check + // I went with 40, since that's what SO recommends: + // https://stackoverflow.com/a/6330138 + final int certainty = 40; + BigInteger pG = publicKey.getG(); + BigInteger pP = publicKey.getP(); + BigInteger pQ = publicKey.getQ(); + BigInteger pY = publicKey.getY(); + BigInteger sX = privateKey.getX(); + + boolean pPrime = pP.isProbablePrime(certainty); + boolean qPrime = pQ.isProbablePrime(certainty); + // q > 160 bits + boolean qLarge = pQ.getLowestSetBit() > 160; + // q divides p - 1 + boolean qDividesPminus1 = pP.subtract(BigInteger.ONE).mod(pQ).equals(BigInteger.ZERO); + // 1 < g < p + boolean gInBounds = BigInteger.ONE.max(pG).equals(pG) && pG.max(pP).equals(pP); + // g^q = 1 mod p + boolean gPowXModPEquals1 = pG.modPow(pQ, pP).equals(BigInteger.ONE); + // y = g^x mod p + boolean yEqualsGPowXModP = pY.equals(pG.modPow(sX, pP)); + + return pPrime && qPrime && qLarge && qDividesPminus1 && gInBounds && gPowXModPEquals1 && yEqualsGPowXModP; + } + + private static boolean verifyRSAKeyIntegrity(RSASecretBCPGKey secretKey, RSAPublicBCPGKey publicKey) + throws KeyIntegrityException { + // Verify that the public keys N is equal to private keys p*q + return publicKey.getModulus().equals(secretKey.getPrimeP().multiply(secretKey.getPrimeQ())); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index f1988d8f..eef7812b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -21,6 +21,8 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.UserId; public class GenerateEllipticCurveKeyTest { @@ -38,5 +40,6 @@ public class GenerateEllipticCurveKeyTest { .build(); assertEquals(PublicKeyAlgorithm.EDDSA.getAlgorithmId(), keyRing.getPublicKey().getAlgorithm()); + UnlockSecretKey.unlockSecretKey(keyRing.getSecretKey(), SecretKeyRingProtector.unprotectedKeys()); } } From 5376a289b3470e725ca0e7cbb693206f33e3a188 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 13:36:49 +0100 Subject: [PATCH 0156/1450] Add documentation to revocation attributes class --- .../key/util/RevocationAttributes.java | 90 ++++++++++++++++++- 1 file changed, 87 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java index fba54559..972fe7dc 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java @@ -4,16 +4,37 @@ package org.pgpainless.key.util; +import javax.annotation.Nonnull; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; public final class RevocationAttributes { public enum Reason { + /** + * The key or certification is being revoked without a reason. + * This is a HARD revocation reason and cannot be undone. + */ NO_REASON((byte) 0), + /** + * The key was superseded by another key. + * This is a SOFT revocation reason and can be undone. + */ KEY_SUPERSEDED((byte) 1), + /** + * The key has potentially been compromised. + * This is a HARD revocation reason and cannot be undone. + */ KEY_COMPROMISED((byte) 2), + /** + * The key was retired and shall no longer be used. + * This is a SOFT revocation reason can can be undone. + */ KEY_RETIRED((byte) 3), + /** + * The user-id is no longer valid. + * This is a SOFT revocation reason and can be undone. + */ USER_ID_NO_LONGER_VALID((byte) 32), ; @@ -24,6 +45,12 @@ public final class RevocationAttributes { } } + /** + * Decode a machine-readable reason code. + * + * @param code byte + * @return reason + */ public static Reason fromCode(byte code) { Reason reason = MAP.get(code); if (reason == null) { @@ -32,11 +59,32 @@ public final class RevocationAttributes { return reason; } + /** + * Return true if the {@link Reason} the provided code encodes is a hard revocation reason, false + * otherwise. + * Hard revocations cannot be undone, while keys or certifications with soft revocations can be + * re-certified by placing another signature on them. + * + * @param code reason code + * @return is hard + */ public static boolean isHardRevocation(byte code) { Reason reason = MAP.get(code); return reason != KEY_SUPERSEDED && reason != KEY_RETIRED && reason != USER_ID_NO_LONGER_VALID; } + /** + * Return true if the given {@link Reason} is a hard revocation, false otherwise. + * Hard revocations cannot be undone, while keys or certifications with soft revocations can be + * re-certified by placing another signature on them. + * + * @param reason reason + * @return is hard + */ + public static boolean isHardRevocation(@Nonnull Reason reason) { + return isHardRevocation(reason.reasonCode); + } + private final byte reasonCode; Reason(byte reasonCode) { @@ -66,18 +114,38 @@ public final class RevocationAttributes { this.description = description; } - public Reason getReason() { + /** + * Return the machine-readable reason for revocation. + * + * @return reason + */ + public @Nonnull Reason getReason() { return reason; } - public String getDescription() { + /** + * Return the human-readable description for the revocation reason. + * @return description + */ + public @Nonnull String getDescription() { return description; } + /** + * Build a {@link RevocationAttributes} object suitable for key revocations. + * Key revocations are revocations for keys or subkeys. + * + * @return builder + */ public static WithReason createKeyRevocation() { return new WithReason(RevocationType.KEY_REVOCATION); } + /** + * Build a {@link RevocationAttributes} object suitable for certification (eg. user-id) revocations. + * + * @return builder + */ public static WithReason createCertificateRevocation() { return new WithReason(RevocationType.CERT_REVOCATION); } @@ -90,6 +158,16 @@ public final class RevocationAttributes { this.type = type; } + /** + * Set the machine-readable reason. + * Note that depending on whether this is a key-revocation or certification-revocation, + * only certain reason codes are valid. + * Invalid input will result in an {@link IllegalArgumentException} to be thrown. + * + * @param reason reason + * @throws IllegalArgumentException in case of an invalid revocation reason + * @return builder + */ public WithDescription withReason(Reason reason) { throwIfReasonTypeMismatch(reason, type); return new WithDescription(reason); @@ -120,7 +198,13 @@ public final class RevocationAttributes { this.reason = reason; } - public RevocationAttributes withDescription(String description) { + /** + * Set a human-readable description of the revocation reason. + * + * @param description description + * @return revocation attributes + */ + public RevocationAttributes withDescription(@Nonnull String description) { return new RevocationAttributes(reason, description); } } From 5e85e975cd996bc362fa360b119fbd58f741a410 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 13:37:10 +0100 Subject: [PATCH 0157/1450] Add RevocationAttributesTest --- .../key/util/RevocationAttributesTest.java | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/util/RevocationAttributesTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/RevocationAttributesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/RevocationAttributesTest.java new file mode 100644 index 00000000..8f588a28 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/RevocationAttributesTest.java @@ -0,0 +1,35 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.util; + +import org.junit.jupiter.api.Test; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class RevocationAttributesTest { + + @Test + public void testIsHardRevocationReason() { + // No reason and key compromised are hard revocation reasons + assertTrue(RevocationAttributes.Reason.isHardRevocation(RevocationAttributes.Reason.NO_REASON)); + assertTrue(RevocationAttributes.Reason.isHardRevocation(RevocationAttributes.Reason.KEY_COMPROMISED)); + + // others are soft + assertFalse(RevocationAttributes.Reason.isHardRevocation(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID)); + assertFalse(RevocationAttributes.Reason.isHardRevocation(RevocationAttributes.Reason.KEY_RETIRED)); + assertFalse(RevocationAttributes.Reason.isHardRevocation(RevocationAttributes.Reason.KEY_SUPERSEDED)); + } + + @Test + public void fromReasonCode() { + assertEquals(RevocationAttributes.Reason.NO_REASON, RevocationAttributes.Reason.fromCode((byte) 0)); + assertEquals(RevocationAttributes.Reason.KEY_SUPERSEDED, RevocationAttributes.Reason.fromCode((byte) 1)); + assertEquals(RevocationAttributes.Reason.KEY_COMPROMISED, RevocationAttributes.Reason.fromCode((byte) 2)); + assertEquals(RevocationAttributes.Reason.KEY_RETIRED, RevocationAttributes.Reason.fromCode((byte) 3)); + assertEquals(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID, RevocationAttributes.Reason.fromCode((byte) 32)); + } +} From 151d3c7b9657d39d9d05cdd79dde404efb964ebc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 14:50:04 +0100 Subject: [PATCH 0158/1450] SecretKeyRingEditor: Restructure arguments of modification methods --- .../org/pgpainless/key/info/KeyRingInfo.java | 6 +- .../secretkeyring/SecretKeyRingEditor.java | 140 ++++--- .../SecretKeyRingEditorInterface.java | 355 +++++++++++++----- .../KeyGenerationSubpacketsTest.java | 5 +- .../key/modification/AddUserIdTest.java | 18 + .../key/modification/RevokeUserIdsTest.java | 6 +- 6 files changed, 383 insertions(+), 147 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 37270b58..a75b5741 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -254,8 +254,8 @@ public class KeyRingInfo { /** * Return the primary user-id of the key ring. * - * Note: If no user-id is marked as primary key using a {@link PrimaryUserID} packet, this method returns the - * first valid user-id, otherwise null. + * Note: If no user-id is marked as primary key using a {@link PrimaryUserID} packet, + * this method returns the first valid user-id, otherwise null. * * @return primary user-id or null */ @@ -278,7 +278,7 @@ public class KeyRingInfo { PrimaryUserID subpacket = SignatureSubpacketsUtil.getPrimaryUserId(signature); if (subpacket != null && subpacket.isPrimaryUserID()) { // if there are multiple primary userIDs, return most recently signed - if (modificationDate == null || modificationDate.before(signature.getCreationTime())) { + if (modificationDate == null || !signature.getCreationTime().before(modificationDate)) { primaryUserId = userId; modificationDate = signature.getCreationTime(); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 25550dbf..0f2b0eee 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -87,18 +87,19 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface addUserId( - String userId, - SecretKeyRingProtector secretKeyRingProtector) + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return addUserId(userId, null, secretKeyRingProtector); } @Override public SecretKeyRingEditorInterface addUserId( - String userId, + @Nonnull CharSequence userId, @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, - SecretKeyRingProtector protector) throws PGPException { - userId = sanitizeUserId(userId); + @Nonnull SecretKeyRingProtector protector) + throws PGPException { + String sanitizeUserId = sanitizeUserId(userId); // user-id certifications live on the primary key PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); @@ -134,25 +135,39 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { builder.applyCallback(signatureSubpacketCallback); - PGPSignature signature = builder.build(primaryKey.getPublicKey(), userId); - secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, userId, signature); + PGPSignature signature = builder.build(primaryKey.getPublicKey(), sanitizeUserId); + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, sanitizeUserId, signature); return this; } + @Override + public SecretKeyRingEditorInterface addPrimaryUserId( + @Nonnull CharSequence userId, @Nonnull SecretKeyRingProtector protector) + throws PGPException { + return addUserId( + userId, + new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setPrimaryUserId(); + } + }, + protector); + } + // TODO: Move to utility class? - private String sanitizeUserId(String userId) { - userId = userId.trim(); + private String sanitizeUserId(@Nonnull CharSequence userId) { // TODO: Further research how to sanitize user IDs. // eg. what about newlines? - return userId; + return userId.toString().trim(); } @Override public SecretKeyRingEditorInterface addSubKey( @Nonnull KeySpec keySpec, @Nonnull Passphrase subKeyPassphrase, - SecretKeyRingProtector secretKeyRingProtector) + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); @@ -179,7 +194,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Nonnull KeySpec keySpec, @Nullable Passphrase subkeyPassphrase, @Nullable SelfSignatureSubpackets.Callback subpacketsCallback, - SecretKeyRingProtector secretKeyRingProtector) + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); @@ -195,11 +210,11 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface addSubKey( - PGPKeyPair subkey, + @Nonnull PGPKeyPair subkey, @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector subkeyProtector, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag keyFlag, + @Nonnull SecretKeyRingProtector subkeyProtector, + @Nonnull SecretKeyRingProtector primaryKeyProtector, + @Nonnull KeyFlag keyFlag, KeyFlag... additionalKeyFlags) throws PGPException, IOException { KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); @@ -251,7 +266,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, + public SecretKeyRingEditorInterface revoke(@Nonnull SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationAttributes revocationAttributes) throws PGPException { RevocationSignatureSubpackets.Callback callback = callbackFromRevocationAttributes(revocationAttributes); @@ -259,7 +274,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, + public SecretKeyRingEditorInterface revoke(@Nonnull SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { return revokeSubKey(secretKeyRing.getSecretKey().getKeyID(), secretKeyRingProtector, subpacketsCallback); @@ -276,7 +291,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface revokeSubKey(long keyID, - SecretKeyRingProtector secretKeyRingProtector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { // retrieve subkey to be revoked @@ -290,8 +305,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public PGPSignature createRevocationCertificate(SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + public PGPSignature createRevocationCertificate(@Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException { PGPPublicKey revokeeSubKey = secretKeyRing.getPublicKey(); PGPSignature revocationCertificate = generateRevocation( @@ -302,8 +317,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public PGPSignature createRevocationCertificate( long subkeyId, - SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException { PGPPublicKey revokeeSubkey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId); RevocationSignatureSubpackets.Callback callback = callbackFromRevocationAttributes(revocationAttributes); @@ -313,15 +328,15 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public PGPSignature createRevocationCertificate( long subkeyId, - SecretKeyRingProtector secretKeyRingProtector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback) throws PGPException { PGPPublicKey revokeeSubkey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subkeyId); return generateRevocation(secretKeyRingProtector, revokeeSubkey, certificateSubpacketsCallback); } - private PGPSignature generateRevocation(SecretKeyRingProtector protector, - PGPPublicKey revokeeSubKey, + private PGPSignature generateRevocation(@Nonnull SecretKeyRingProtector protector, + @Nonnull PGPPublicKey revokeeSubKey, @Nullable RevocationSignatureSubpackets.Callback callback) throws PGPException { PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); @@ -336,7 +351,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } private static RevocationSignatureSubpackets.Callback callbackFromRevocationAttributes( - RevocationAttributes attributes) { + @Nullable RevocationAttributes attributes) { return new RevocationSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) { @@ -348,9 +363,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface revokeUserId(String userId, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) + public SecretKeyRingEditorInterface revokeUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException { if (revocationAttributes != null) { RevocationAttributes.Reason reason = revocationAttributes.getReason(); @@ -374,26 +390,41 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Override public SecretKeyRingEditorInterface revokeUserId( - String userId, - SecretKeyRingProtector secretKeyRingProtector, + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) throws PGPException { - Iterator userIds = secretKeyRing.getPublicKey().getUserIDs(); - boolean found = false; - while (userIds.hasNext()) { - if (userId.equals(userIds.next())) { - found = true; - break; - } - } - if (!found) { - throw new NoSuchElementException("No user-id '" + userId + "' found on the key."); - } - return doRevokeUserId(userId, secretKeyRingProtector, subpacketCallback); + String sanitized = sanitizeUserId(userId); + return revokeUserIds( + SelectUserId.exactMatch(sanitized), + secretKeyRingProtector, + subpacketCallback); } @Override - public SecretKeyRingEditorInterface revokeUserIds(SelectUserId userIdSelector, SecretKeyRingProtector secretKeyRingProtector, @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException { + public SecretKeyRingEditorInterface revokeUserIds( + @Nonnull SelectUserId userIdSelector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) + throws PGPException { + + return revokeUserIds( + userIdSelector, + secretKeyRingProtector, + new RevocationSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setRevocationReason(revocationAttributes); + } + }); + } + + @Override + public SecretKeyRingEditorInterface revokeUserIds( + @Nonnull SelectUserId userIdSelector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + throws PGPException { List selected = userIdSelector.selectUserIds(secretKeyRing); if (selected.isEmpty()) { throw new NoSuchElementException("No matching user-ids found on the key."); @@ -406,9 +437,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return this; } - private SecretKeyRingEditorInterface doRevokeUserId(String userId, - SecretKeyRingProtector protector, - @Nullable RevocationSignatureSubpackets.Callback callback) + private SecretKeyRingEditorInterface doRevokeUserId( + @Nonnull String userId, + @Nonnull SecretKeyRingProtector protector, + @Nullable RevocationSignatureSubpackets.Callback callback) throws PGPException { PGPSecretKey primarySecretKey = secretKeyRing.getSecretKey(); RevocationSignatureBuilder signatureBuilder = new RevocationSignatureBuilder( @@ -424,16 +456,18 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } @Override - public SecretKeyRingEditorInterface setExpirationDate(Date expiration, - SecretKeyRingProtector secretKeyRingProtector) + public SecretKeyRingEditorInterface setExpirationDate( + @Nullable Date expiration, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return setExpirationDate(OpenPgpFingerprint.of(secretKeyRing), expiration, secretKeyRingProtector); } @Override - public SecretKeyRingEditorInterface setExpirationDate(OpenPgpFingerprint fingerprint, - Date expiration, - SecretKeyRingProtector secretKeyRingProtector) + public SecretKeyRingEditorInterface setExpirationDate( + @Nonnull OpenPgpFingerprint fingerprint, + @Nullable Date expiration, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { List secretKeyList = new ArrayList<>(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 0e662a50..87c53acd 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -21,7 +21,6 @@ import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.key.util.UserId; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.util.Passphrase; @@ -36,23 +35,39 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the secret key * @return the builder */ - default SecretKeyRingEditorInterface addUserId(UserId userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return addUserId(userId.toString(), secretKeyRingProtector); - } + SecretKeyRingEditorInterface addUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) + throws PGPException; /** * Add a user-id to the key ring. * * @param userId user-id - * @param secretKeyRingProtector protector to unlock the secret key + * @param signatureSubpacketCallback callback that can be used to modify signature subpackets of the + * certification signature. + * @param protector protector to unlock the primary secret key + * @return the builder + * @throws PGPException + */ + SecretKeyRingEditorInterface addUserId( + @Nonnull CharSequence userId, + @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, + @Nonnull SecretKeyRingProtector protector) + throws PGPException; + + /** + * Add a user-id to the key ring and mark it as primary. + * If the user-id is already present, a new certification signature will be created. + * + * @param userId user id + * @param protector protector to unlock the secret key * @return the builder */ - SecretKeyRingEditorInterface addUserId(String userId, SecretKeyRingProtector secretKeyRingProtector) throws PGPException; - - SecretKeyRingEditorInterface addUserId( - String userId, - @Nullable SelfSignatureSubpackets.Callback signatureSubpacketCallback, - SecretKeyRingProtector protector) throws PGPException; + SecretKeyRingEditorInterface addPrimaryUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector protector) + throws PGPException; /** * Add a subkey to the key ring. @@ -63,22 +78,48 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the secret key of the key ring * @return the builder */ - SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, - @Nullable Passphrase subKeyPassphrase, - SecretKeyRingProtector secretKeyRingProtector) + SecretKeyRingEditorInterface addSubKey( + @Nonnull KeySpec keySpec, + @Nonnull Passphrase subKeyPassphrase, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException; - SecretKeyRingEditorInterface addSubKey(@Nonnull KeySpec keySpec, - @Nullable Passphrase subkeyPassphrase, - @Nullable SelfSignatureSubpackets.Callback subpacketsCallback, - SecretKeyRingProtector secretKeyRingProtector) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException; + /** + * Add a subkey to the key ring. + * The subkey will be generated from the provided {@link KeySpec}. + * + * @param keySpec key spec of the subkey + * @param subkeyPassphrase passphrase to encrypt the subkey + * @param subpacketsCallback callback to modify the subpackets of the subkey binding signature + * @param secretKeyRingProtector protector to unlock the primary key + * @return builder + */ + SecretKeyRingEditorInterface addSubKey( + @Nonnull KeySpec keySpec, + @Nonnull Passphrase subkeyPassphrase, + @Nullable SelfSignatureSubpackets.Callback subpacketsCallback, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException; - SecretKeyRingEditorInterface addSubKey(PGPKeyPair subkey, - @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, - SecretKeyRingProtector subkeyProtector, - SecretKeyRingProtector primaryKeyProtector, - KeyFlag keyFlag, - KeyFlag... additionalKeyFlags) throws PGPException, IOException; + /** + * Add a subkey to the key ring. + * + * @param subkey subkey key pair + * @param bindingSignatureCallback callback to modify the subpackets of the subkey binding signature + * @param subkeyProtector protector to unlock and encrypt the subkey + * @param primaryKeyProtector protector to unlock the primary key + * @param keyFlag first key flag for the subkey + * @param additionalKeyFlags optional additional key flags + * @return builder + */ + SecretKeyRingEditorInterface addSubKey( + @Nonnull PGPKeyPair subkey, + @Nullable SelfSignatureSubpackets.Callback bindingSignatureCallback, + @Nonnull SecretKeyRingProtector subkeyProtector, + @Nonnull SecretKeyRingProtector primaryKeyProtector, + @Nonnull KeyFlag keyFlag, + KeyFlag... additionalKeyFlags) + throws PGPException, IOException; /** * Revoke the key ring. @@ -87,37 +128,55 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector of the primary key * @return the builder */ - default SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector) + default SecretKeyRingEditorInterface revoke( + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return revoke(secretKeyRingProtector, (RevocationAttributes) null); } /** * Revoke the key ring using the provided revocation attributes. - * The attributes define, whether or not the revocation was a hard revocation or not. + * The attributes define, whether the revocation was a hard revocation or not. * * @param secretKeyRingProtector protector of the primary key * @param revocationAttributes reason for the revocation * @return the builder */ - SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) + SecretKeyRingEditorInterface revoke( + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException; - SecretKeyRingEditorInterface revoke(SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException; + /** + * Revoke the key ring. + * You can use the {@link RevocationSignatureSubpackets.Callback} to modify the revocation signatures + * subpackets, eg. in order to define whether this is a hard or soft revocation. + * + * @param secretKeyRingProtector protector to unlock the primary secret key + * @param subpacketsCallback callback to modify the revocations subpackets + * @return builder + */ + SecretKeyRingEditorInterface revoke( + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException; /** * Revoke the subkey binding signature of a subkey. * The subkey with the provided fingerprint will be revoked. * If no suitable subkey is found, a {@link java.util.NoSuchElementException} will be thrown. * + * Note: This method will hard-revoke the provided subkey, meaning it cannot be re-certified at a later point. + * If you instead want to temporarily "deactivate" the subkey, provide a soft revocation reason, + * eg. by calling {@link #revokeSubKey(OpenPgpFingerprint, SecretKeyRingProtector, RevocationAttributes)} + * and provide a suitable {@link RevocationAttributes} object. + * * @param fingerprint fingerprint of the subkey to be revoked * @param secretKeyRingProtector protector to unlock the secret key ring * @return the builder */ - default SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, - SecretKeyRingProtector secretKeyRingProtector) + default SecretKeyRingEditorInterface revokeSubKey( + @Nonnull OpenPgpFingerprint fingerprint, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return revokeSubKey(fingerprint, secretKeyRingProtector, null); } @@ -132,9 +191,10 @@ public interface SecretKeyRingEditorInterface { * @param revocationAttributes reason for the revocation * @return the builder */ - default SecretKeyRingEditorInterface revokeSubKey(OpenPgpFingerprint fingerprint, - SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + default SecretKeyRingEditorInterface revokeSubKey( + OpenPgpFingerprint fingerprint, + SecretKeyRingProtector secretKeyRingProtector, + RevocationAttributes revocationAttributes) throws PGPException { return revokeSubKey(fingerprint.getKeyId(), secretKeyRingProtector, @@ -144,16 +204,17 @@ public interface SecretKeyRingEditorInterface { /** * Revoke the subkey binding signature of a subkey. * The subkey with the provided key-id will be revoked. - * If no suitable subkey is found, q {@link java.util.NoSuchElementException} will be thrown. + * If no suitable subkey is found, a {@link java.util.NoSuchElementException} will be thrown. * * @param subKeyId id of the subkey * @param secretKeyRingProtector protector to unlock the primary key * @param revocationAttributes reason for the revocation * @return the builder */ - SecretKeyRingEditorInterface revokeSubKey(long subKeyId, - SecretKeyRingProtector secretKeyRingProtector, - RevocationAttributes revocationAttributes) + SecretKeyRingEditorInterface revokeSubKey( + long subKeyId, + SecretKeyRingProtector secretKeyRingProtector, + RevocationAttributes revocationAttributes) throws PGPException; /** @@ -161,31 +222,59 @@ public interface SecretKeyRingEditorInterface { * The subkey with the provided key-id will be revoked. * If no suitable subkey is found, q {@link java.util.NoSuchElementException} will be thrown. * + * Note: This method will hard-revoke the subkey, meaning it cannot be re-bound at a later point. + * If you intend to re-bind the subkey in order to make it usable again at a later point in time, + * consider using {@link #revokeSubKey(long, SecretKeyRingProtector, RevocationAttributes)} + * and provide a soft revocation reason. + * * @param subKeyId id of the subkey * @param secretKeyRingProtector protector to unlock the secret key ring * @return the builder */ - default SecretKeyRingEditorInterface revokeSubKey(long subKeyId, - SecretKeyRingProtector secretKeyRingProtector) + default SecretKeyRingEditorInterface revokeSubKey( + long subKeyId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return revokeSubKey(subKeyId, secretKeyRingProtector, (RevocationSignatureSubpackets.Callback) null); + + return revokeSubKey( + subKeyId, + secretKeyRingProtector, + (RevocationSignatureSubpackets.Callback) null); } - SecretKeyRingEditorInterface revokeSubKey(long keyID, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + /** + * Revoke the subkey binding signature of a subkey. + * The subkey with the provided key-id will be revoked. + * If no suitable subkey is found, q {@link java.util.NoSuchElementException} will be thrown. + * + * The provided subpackets callback is used to modify the revocation signatures subpackets. + * + * @param keyID id of the subkey + * @param secretKeyRingProtector protector to unlock the secret key ring + * @param subpacketsCallback callback which can be used to modify the subpackets of the revocation + * signature + * @return the builder + */ + SecretKeyRingEditorInterface revokeSubKey( + long keyID, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) throws PGPException; /** * Revoke the given userID. * The revocation will be a hard revocation, rendering the user-id invalid for any past or future signatures. + * If you intend to re-certify the user-id at a later point in time, consider using + * {@link #revokeUserId(CharSequence, SecretKeyRingProtector, RevocationAttributes)} instead and provide + * a soft revocation reason. * * @param userId userId to revoke * @param secretKeyRingProtector protector to unlock the primary key * @return the builder */ - default SecretKeyRingEditorInterface revokeUserId(String userId, - SecretKeyRingProtector secretKeyRingProtector) + default SecretKeyRingEditorInterface revokeUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { return revokeUserId(userId, secretKeyRingProtector, (RevocationAttributes) null); } @@ -198,20 +287,71 @@ public interface SecretKeyRingEditorInterface { * @param revocationAttributes reason for the revocation * @return the builder */ - SecretKeyRingEditorInterface revokeUserId(String userId, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) + SecretKeyRingEditorInterface revokeUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException; - SecretKeyRingEditorInterface revokeUserId(String userId, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) - throws PGPException; + /** + * Revoke the provided user-id. + * Note: If you don't provide a {@link RevocationSignatureSubpackets.Callback} which + * sets a revocation reason ({@link RevocationAttributes}), the revocation might be considered hard. + * So if you intend to re-certify the user-id at a later point to make it valid again, + * make sure to set a soft revocation reason in the signatures hashed area using the subpacket callback. + * + * @param userId userid to be revoked + * @param secretKeyRingProtector protector to unlock the primary secret key + * @param subpacketCallback callback to modify the revocations subpackets + * @return builder + */ + SecretKeyRingEditorInterface revokeUserId( + @Nonnull CharSequence userId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketCallback) + throws PGPException; - SecretKeyRingEditorInterface revokeUserIds(SelectUserId userIdSelector, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) - throws PGPException; + /** + * Revoke all user-ids that match the provided {@link SelectUserId} filter. + * The provided {@link RevocationAttributes} will be set as reason for revocation in each + * revocation signature. + * + * Note: If you intend to re-certify these user-ids at a later point, make sure to choose + * a soft revocation reason. See {@link RevocationAttributes.Reason} for more information. + * + * @param userIdSelector user-id selector + * @param secretKeyRingProtector protector to unlock the primary secret key + * @param revocationAttributes revocation attributes + * @return builder + * @throws PGPException + */ + SecretKeyRingEditorInterface revokeUserIds( + @Nonnull SelectUserId userIdSelector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) + throws PGPException; + + /** + * Revoke all user-ids that match the provided {@link SelectUserId} filter. + * The provided {@link RevocationSignatureSubpackets.Callback} will be used to modify the + * revocation signatures subpackets. + * + * Note: If you intend to re-certify these user-ids at a later point, make sure to set + * a soft revocation reason in the revocation signatures hashed subpacket area using the callback. + * + * See {@link RevocationAttributes.Reason} for more information. + * + * @param userIdSelector user-id selector + * @param secretKeyRingProtector protector to unlock the primary secret key + * @param subpacketsCallback callback to modify the revocations subpackets + * @return builder + * @throws PGPException + */ + SecretKeyRingEditorInterface revokeUserIds( + @Nonnull SelectUserId userIdSelector, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback subpacketsCallback) + throws PGPException; /** * Set the expiration date for the primary key of the key ring. @@ -221,8 +361,9 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector to unlock the secret key * @return the builder */ - SecretKeyRingEditorInterface setExpirationDate(Date expiration, - SecretKeyRingProtector secretKeyRingProtector) + SecretKeyRingEditorInterface setExpirationDate( + @Nullable Date expiration, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException; /** @@ -233,37 +374,70 @@ public interface SecretKeyRingEditorInterface { * @param secretKeyRingProtector protector to unlock the priary key * @return the builder */ - SecretKeyRingEditorInterface setExpirationDate(OpenPgpFingerprint fingerprint, - Date expiration, - SecretKeyRingProtector secretKeyRingProtector) + SecretKeyRingEditorInterface setExpirationDate( + @Nonnull OpenPgpFingerprint fingerprint, + @Nullable Date expiration, + @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException; /** - * Create a detached revocation certificate, which can be used to revoke the specified key. + * Create a detached revocation certificate, which can be used to revoke the whole key. * * @param secretKeyRingProtector protector to unlock the primary key. * @param revocationAttributes reason for the revocation * @return revocation certificate */ - PGPSignature createRevocationCertificate(SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) + PGPSignature createRevocationCertificate( + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) throws PGPException; - PGPSignature createRevocationCertificate(long subkeyId, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) - throws PGPException; + /** + * Create a detached revocation certificate, which can be used to revoke the specified subkey. + * + * @param subkeyId id of the subkey to be revoked + * @param secretKeyRingProtector protector to unlock the primary key. + * @param revocationAttributes reason for the revocation + * @return revocation certificate + */ + PGPSignature createRevocationCertificate( + long subkeyId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) + throws PGPException; - PGPSignature createRevocationCertificate(long subkeyId, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback) - throws PGPException; + /** + * Create a detached revocation certificate, which can be used to revoke the specified subkey. + * + * @param subkeyId id of the subkey to be revoked + * @param secretKeyRingProtector protector to unlock the primary key. + * @param certificateSubpacketsCallback callback to modify the subpackets of the revocation certificate. + * @return revocation certificate + */ + PGPSignature createRevocationCertificate( + long subkeyId, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationSignatureSubpackets.Callback certificateSubpacketsCallback) + throws PGPException; - default PGPSignature createRevocationCertificate(OpenPgpFingerprint subkeyFingerprint, - SecretKeyRingProtector secretKeyRingProtector, - @Nullable RevocationAttributes revocationAttributes) - throws PGPException { - return createRevocationCertificate(subkeyFingerprint.getKeyId(), secretKeyRingProtector, revocationAttributes); + /** + * Create a detached revocation certificate, which can be used to revoke the specified subkey. + * + * @param subkeyFingerprint fingerprint of the subkey to be revoked + * @param secretKeyRingProtector protector to unlock the primary key. + * @param revocationAttributes reason for the revocation + * @return revocation certificate + */ + default PGPSignature createRevocationCertificate( + OpenPgpFingerprint subkeyFingerprint, + SecretKeyRingProtector secretKeyRingProtector, + @Nullable RevocationAttributes revocationAttributes) + throws PGPException { + + return createRevocationCertificate( + subkeyFingerprint.getKeyId(), + secretKeyRingProtector, + revocationAttributes); } /** @@ -272,7 +446,8 @@ public interface SecretKeyRingEditorInterface { * @param oldPassphrase old passphrase or null, if the key was unprotected * @return next builder step */ - default WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase(@Nullable Passphrase oldPassphrase) { + default WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase( + @Nullable Passphrase oldPassphrase) { return changePassphraseFromOldPassphrase(oldPassphrase, KeyRingProtectionSettings.secureDefaultSettings()); } @@ -283,8 +458,9 @@ public interface SecretKeyRingEditorInterface { * @param oldProtectionSettings custom settings for the old passphrase * @return next builder step */ - WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase(@Nullable Passphrase oldPassphrase, - @Nonnull KeyRingProtectionSettings oldProtectionSettings); + WithKeyRingEncryptionSettings changePassphraseFromOldPassphrase( + @Nullable Passphrase oldPassphrase, + @Nonnull KeyRingProtectionSettings oldProtectionSettings); /** * Change the passphrase of a single subkey in the key ring. @@ -296,14 +472,16 @@ public interface SecretKeyRingEditorInterface { * @param oldPassphrase old passphrase * @return next builder step */ - default WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase(@Nonnull Long keyId, - @Nullable Passphrase oldPassphrase) { + default WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase( + @Nonnull Long keyId, + @Nullable Passphrase oldPassphrase) { return changeSubKeyPassphraseFromOldPassphrase(keyId, oldPassphrase, KeyRingProtectionSettings.secureDefaultSettings()); } - WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase(@Nonnull Long keyId, - @Nullable Passphrase oldPassphrase, - @Nonnull KeyRingProtectionSettings oldProtectionSettings); + WithKeyRingEncryptionSettings changeSubKeyPassphraseFromOldPassphrase( + @Nonnull Long keyId, + @Nullable Passphrase oldPassphrase, + @Nonnull KeyRingProtectionSettings oldProtectionSettings); interface WithKeyRingEncryptionSettings { @@ -333,7 +511,8 @@ public interface SecretKeyRingEditorInterface { * @param passphrase passphrase * @return editor builder */ - SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase) throws PGPException; + SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase) + throws PGPException; /** * Leave the key unprotected. diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 5451a4dc..4d6458ef 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -39,7 +39,7 @@ public class KeyGenerationSubpacketsTest { @Test public void verifyDefaultSubpacketsForUserIdSignatures() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); @@ -87,6 +87,9 @@ public class KeyGenerationSubpacketsTest { assertEquals("Bob", info.getPrimaryUserId()); + // wait one sec so that it is clear that the new certification for alice is the most recent one + Thread.sleep(1000); + secretKeys = PGPainless.modifyKeyRing(secretKeys) .addUserId("Alice", new SelfSignatureSubpackets.Callback() { @Override diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index f8998c2b..705e7d48 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -6,6 +6,7 @@ package org.pgpainless.key.modification; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.IOException; @@ -16,6 +17,7 @@ import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.PGPainless; @@ -25,6 +27,7 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; +import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; public class AddUserIdTest { @@ -109,4 +112,19 @@ public class AddUserIdTest { assertEquals("cheshirecat@wonderland.lit", userIds.next()); assertFalse(userIds.hasNext()); } + + @Test + public void addNewPrimaryUserIdTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + UserId bob = UserId.newBuilder().withName("Bob").noEmail().noComment().build(); + + assertNotEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId()); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addPrimaryUserId(bob, SecretKeyRingProtector.unprotectedKeys()) + .done(); + + assertEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId()); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index f5d070d7..4be6c245 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -10,6 +10,8 @@ import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.util.RevocationAttributes; +import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.util.selection.userid.SelectUserId; import java.security.InvalidAlgorithmParameterException; @@ -39,7 +41,7 @@ public class RevokeUserIdsTest { assertTrue(info.isUserIdValid("Alice ")); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .revokeUserIds(SelectUserId.containsEmailAddress("alice@example.org"), protector, null) + .revokeUserIds(SelectUserId.containsEmailAddress("alice@example.org"), protector, (RevocationSignatureSubpackets.Callback) null) .done(); info = PGPainless.inspectKeyRing(secretKeys); @@ -57,6 +59,6 @@ public class RevokeUserIdsTest { PGPainless.modifyKeyRing(secretKeys).revokeUserIds( SelectUserId.containsEmailAddress("alice@example.org"), SecretKeyRingProtector.unprotectedKeys(), - null)); + (RevocationAttributes) null)); } } From c9c84a2dc53f20363e5e9b7aa2a45b50e9827888 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 14:59:12 +0100 Subject: [PATCH 0159/1450] Add revocation certificate test --- .../key/util/RevocationAttributes.java | 8 ++++ .../RevocationCertificateTest.java | 46 +++++++++++++++++++ .../key/modification/RevokeUserIdsTest.java | 24 ++++++---- 3 files changed, 68 insertions(+), 10 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java index 972fe7dc..98b486d4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java @@ -207,5 +207,13 @@ public final class RevocationAttributes { public RevocationAttributes withDescription(@Nonnull String description) { return new RevocationAttributes(reason, description); } + + /** + * Set an empty human-readable description. + * @return revocation attributes + */ + public RevocationAttributes withoutDescription() { + return withDescription(""); + } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java new file mode 100644 index 00000000..ec518847 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevocationCertificateTest.java @@ -0,0 +1,46 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification; + +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.key.util.RevocationAttributes; + +public class RevocationCertificateTest { + + @Test + public void createRevocationCertificateTest() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + + PGPSignature revocation = PGPainless.modifyKeyRing(secretKeys) + .createRevocationCertificate(SecretKeyRingProtector.unprotectedKeys(), + RevocationAttributes.createKeyRevocation() + .withReason(RevocationAttributes.Reason.KEY_RETIRED) + .withoutDescription()); + + assertNotNull(revocation); + + assertTrue(PGPainless.inspectKeyRing(secretKeys).isKeyValidlyBound(secretKeys.getPublicKey().getKeyID())); + + // merge key and revocation certificate + PGPSecretKeyRing revokedKey = KeyRingUtils.keysPlusSecretKey( + secretKeys, + KeyRingUtils.secretKeyPlusSignature(secretKeys.getSecretKey(), revocation)); + + assertFalse(PGPainless.inspectKeyRing(revokedKey).isKeyValidlyBound(secretKeys.getPublicKey().getKeyID())); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index 4be6c245..e416bf04 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -4,6 +4,14 @@ package org.pgpainless.key.modification; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.NoSuchElementException; + import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; @@ -11,17 +19,8 @@ import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.util.selection.userid.SelectUserId; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; -import java.util.NoSuchElementException; - -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.junit.jupiter.api.Assertions.assertTrue; - public class RevokeUserIdsTest { @Test @@ -41,7 +40,12 @@ public class RevokeUserIdsTest { assertTrue(info.isUserIdValid("Alice ")); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .revokeUserIds(SelectUserId.containsEmailAddress("alice@example.org"), protector, (RevocationSignatureSubpackets.Callback) null) + .revokeUserIds( + SelectUserId.containsEmailAddress("alice@example.org"), + protector, + RevocationAttributes.createCertificateRevocation() + .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) + .withoutDescription()) .done(); info = PGPainless.inspectKeyRing(secretKeys); From 936ea55ceebef491992934ccd6c635e7bc4f5e3d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 15:07:12 +0100 Subject: [PATCH 0160/1450] Add explanation of revocation reason hard-ness to RevocationAttributes --- .../pgpainless/key/util/RevocationAttributes.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java index 98b486d4..d545e5e4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java @@ -10,6 +10,21 @@ import java.util.concurrent.ConcurrentHashMap; public final class RevocationAttributes { + /** + * Reason for revocation. + * There are two kinds of reasons: hard and soft reason. + * + * Soft revocation reasons gracefully disable keys or user-ids. + * Softly revoked keys can no longer be used to encrypt data to or to generate signatures. + * Any signature made after a key has been soft revoked is deemed invalid. + * Any signature made before the key has been soft revoked stays valid. + * Soft revoked info can be re-certified at a later point. + * + * Hard revocation reasons on the other hand renders the key or user-id invalid immediately. + * Hard reasons are suitable to use if for example a key got compromised. + * Any signature made before or after a key has been hard revoked is no longer considered valid. + * Hard revoked information can also not be re-certified. + */ public enum Reason { /** * The key or certification is being revoked without a reason. From c2295625736e49eb0b286d727a295f3f919d1909 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 15:22:33 +0100 Subject: [PATCH 0161/1450] Rename CertificationSignatureBuilder to ThirdPartyCertificationSignatureBuilder Also add javadoc --- .../CertificationSignatureBuilder.java | 76 ----------- ...irdPartyCertificationSignatureBuilder.java | 118 ++++++++++++++++++ 2 files changed, 118 insertions(+), 76 deletions(-) delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java deleted file mode 100644 index e41d9807..00000000 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/CertificationSignatureBuilder.java +++ /dev/null @@ -1,76 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.signature.builder; - -import javax.annotation.Nonnull; -import javax.annotation.Nullable; - -import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; -import org.bouncycastle.openpgp.PGPSecretKey; -import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; -import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; -import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.signature.subpackets.CertificationSubpackets; - -public class CertificationSignatureBuilder extends AbstractSignatureBuilder { - - public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { - this(SignatureType.GENERIC_CERTIFICATION, certificationKey, protector); - } - - public CertificationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { - super(signatureType, signingKey, protector); - } - - public CertificationSignatureBuilder( - PGPSecretKey certificationKey, - SecretKeyRingProtector protector, - PGPSignature archetypeSignature) - throws WrongPassphraseException { - super(certificationKey, protector, archetypeSignature); - } - - public CertificationSubpackets getHashedSubpackets() { - return hashedSubpackets; - } - - public CertificationSubpackets getUnhashedSubpackets() { - return unhashedSubpackets; - } - - public void applyCallback(@Nullable CertificationSubpackets.Callback callback) { - if (callback != null) { - callback.modifyHashedSubpackets(getHashedSubpackets()); - callback.modifyUnhashedSubpackets(getUnhashedSubpackets()); - } - } - - public PGPSignature build(PGPPublicKey certifiedKey, String userId) throws PGPException { - return buildAndInitSignatureGenerator().generateCertification(userId, certifiedKey); - } - - public PGPSignature build(PGPPublicKey certifiedKey, PGPUserAttributeSubpacketVector userAttribute) - throws PGPException { - return buildAndInitSignatureGenerator().generateCertification(userAttribute, certifiedKey); - } - - @Override - protected boolean isValidSignatureType(@Nonnull SignatureType type) { - switch (type) { - case GENERIC_CERTIFICATION: - case NO_CERTIFICATION: - case CASUAL_CERTIFICATION: - case POSITIVE_CERTIFICATION: - return true; - default: - return false; - } - } -} diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java new file mode 100644 index 00000000..84f9e8dd --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java @@ -0,0 +1,118 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.exception.WrongPassphraseException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.CertificationSubpackets; + +/** + * Certification signature builder used to certify other users keys. + */ +public class ThirdPartyCertificationSignatureBuilder extends AbstractSignatureBuilder { + + /** + * Create a new certification signature builder. + * This constructor uses {@link SignatureType#GENERIC_CERTIFICATION} as signature type. + * + * @param signingKey our own certification key + * @param protector protector to unlock the certification key + * @throws WrongPassphraseException in case of a wrong passphrase + */ + public ThirdPartyCertificationSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + this(SignatureType.GENERIC_CERTIFICATION, signingKey, protector); + } + + /** + * Create a new certification signature builder. + * + * @param signatureType type of certification + * @param signingKey our own certification key + * @param protector protector to unlock the certification key + * @throws WrongPassphraseException in case of a wrong passphrase + */ + public ThirdPartyCertificationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) + throws WrongPassphraseException { + super(signatureType, signingKey, protector); + } + + /** + * Create a new certification signature builder. + * + * @param signingKey our own certification key + * @param protector protector to unlock the certification key + * @param archetypeSignature signature to use as a template for the new signature + * @throws WrongPassphraseException in case of a wrong passphrase + */ + public ThirdPartyCertificationSignatureBuilder( + PGPSecretKey signingKey, + SecretKeyRingProtector protector, + PGPSignature archetypeSignature) + throws WrongPassphraseException { + super(signingKey, protector, archetypeSignature); + } + + public CertificationSubpackets getHashedSubpackets() { + return hashedSubpackets; + } + + public CertificationSubpackets getUnhashedSubpackets() { + return unhashedSubpackets; + } + + public void applyCallback(@Nullable CertificationSubpackets.Callback callback) { + if (callback != null) { + callback.modifyHashedSubpackets(getHashedSubpackets()); + callback.modifyUnhashedSubpackets(getUnhashedSubpackets()); + } + } + + /** + * Create a certification signature for the given user-id and the primary key of the given key ring. + * @param certifiedKey key ring + * @param userId user-id to certify + * @return signature + * @throws PGPException + */ + public PGPSignature build(PGPPublicKeyRing certifiedKey, String userId) throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userId, certifiedKey.getPublicKey()); + } + + /** + * Create a certification signature for the given user attribute and the primary key of the given key ring. + * @param certifiedKey key ring + * @param userAttribute user-attributes to certify + * @return signature + * @throws PGPException + */ + public PGPSignature build(PGPPublicKeyRing certifiedKey, PGPUserAttributeSubpacketVector userAttribute) + throws PGPException { + return buildAndInitSignatureGenerator().generateCertification(userAttribute, certifiedKey.getPublicKey()); + } + + @Override + protected boolean isValidSignatureType(@Nonnull SignatureType type) { + switch (type) { + case GENERIC_CERTIFICATION: + case NO_CERTIFICATION: + case CASUAL_CERTIFICATION: + case POSITIVE_CERTIFICATION: + return true; + default: + return false; + } + } +} From b44a97760a2d93a7479ad8cb16f0ac9ed83d3fea Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 15:36:45 +0100 Subject: [PATCH 0162/1450] Add test for ThirdPartyCertificationBuilder --- ...artyCertificationSignatureBuilderTest.java | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java new file mode 100644 index 00000000..89732991 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java @@ -0,0 +1,71 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; +import org.pgpainless.signature.subpackets.CertificationSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class ThirdPartyCertificationSignatureBuilderTest { + + @Test + public void testInvalidSignatureTypeThrows() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + assertThrows(IllegalArgumentException.class, () -> + new ThirdPartyCertificationSignatureBuilder( + SignatureType.BINARY_DOCUMENT, // invalid type + secretKeys.getSecretKey(), + SecretKeyRingProtector.unprotectedKeys())); + } + + @Test + public void testUserIdCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + PGPPublicKeyRing bobsPublicKeys = PGPainless.extractCertificate( + PGPainless.generateKeyRing().modernKeyRing("Bob", null)); + + ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder( + secretKeys.getSecretKey(), + SecretKeyRingProtector.unprotectedKeys()); + + signatureBuilder.applyCallback(new CertificationSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(BaseSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setExportable(true, false); + } + }); + + PGPSignature certification = signatureBuilder.build(bobsPublicKeys, "Bob"); + assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(certification.getSignatureType())); + assertEquals(secretKeys.getPublicKey().getKeyID(), certification.getKeyID()); + assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), certification.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); + assertFalse(SignatureSubpacketsUtil.getExportableCertification(certification).isExportable()); + + // test sig correctness + certification.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), secretKeys.getPublicKey()); + assertTrue(certification.verifyCertification("Bob", bobsPublicKeys.getPublicKey())); + } +} From c7dc7f755c9174a967fc449f4e030a6f04a36d9a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 16:03:32 +0100 Subject: [PATCH 0163/1450] KeyAccessor.ViaKeyId: Differentiate between primary key (direct-key sig) and subkey --- .../main/java/org/pgpainless/key/info/KeyAccessor.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java index b4f61090..c27d3531 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java @@ -110,7 +110,13 @@ public abstract class KeyAccessor { @Override public @Nonnull PGPSignature getSignatureWithPreferences() { - PGPSignature signature = info.getLatestDirectKeySelfSignature(); + PGPSignature signature; + if (key.getPrimaryKeyId() != key.getSubkeyId()) { + signature = info.getCurrentSubkeyBindingSignature(key.getSubkeyId()); + } else { + signature = info.getLatestDirectKeySelfSignature(); + } + if (signature != null) { return signature; } From 06a4b4cf5e9c662ed6a02f58c9386fb19beca713 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 16:03:55 +0100 Subject: [PATCH 0164/1450] Add basic test for SubkeyBindingSignatureBuilder --- ...irdPartyCertificationSignatureBuilder.java | 1 - ...bkeyAndPrimaryKeyBindingSignatureTest.java | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java index 84f9e8dd..5d19fa83 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java @@ -8,7 +8,6 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java new file mode 100644 index 00000000..e44af522 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/SubkeyAndPrimaryKeyBindingSignatureTest.java @@ -0,0 +1,64 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; + +import java.io.IOException; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKey; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.EncryptionPurpose; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.key.TestKeys; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; + +public class SubkeyAndPrimaryKeyBindingSignatureTest { + + @Test + public void testRebindSubkey() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + PGPSecretKey primaryKey = secretKeys.getSecretKey(); + PGPPublicKey encryptionSubkey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0); + assertNotNull(encryptionSubkey); + + Set hashAlgorithmSet = info.getPreferredHashAlgorithms(encryptionSubkey.getKeyID()); + assertEquals( + new HashSet<>(Arrays.asList( + HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224)), + hashAlgorithmSet); + + SubkeyBindingSignatureBuilder sbb = new SubkeyBindingSignatureBuilder(primaryKey, SecretKeyRingProtector.unprotectedKeys()); + sbb.applyCallback(new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setKeyFlags(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE); + hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA512); + } + }); + + PGPSignature binding = sbb.build(encryptionSubkey); + secretKeys = KeyRingUtils.injectCertification(secretKeys, encryptionSubkey, binding); + + info = PGPainless.inspectKeyRing(secretKeys); + assertEquals(Collections.singleton(HashAlgorithm.SHA512), info.getPreferredHashAlgorithms(encryptionSubkey.getKeyID())); + } +} From d670b5ee071702ccf1048220efa32da275134ded Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 16:15:50 +0100 Subject: [PATCH 0165/1450] Fix test --- .../RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java index f866e962..a370f825 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java @@ -79,7 +79,7 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { EncryptionStream encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) .withOptions( ProducerOptions.encrypt(new EncryptionOptions() - .addRecipient(publicKeys) + .addRecipient(publicKeys, "Bob Babbage ") )); encryptionStream.close(); From 27c4fd240dab1b2c6daada920607d51ce2fdb361 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 17:03:17 +0100 Subject: [PATCH 0166/1450] Improve test for preferred sym algs --- ...SymmetricAlgorithmDuringEncryptionTest.java | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java index a370f825..be80c4e2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java @@ -18,7 +18,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { @Test - public void onlyAES128() throws IOException, PGPException { + public void algorithmPreferencesAreRespectedDependingOnEncryptionTarget() throws IOException, PGPException { // Key has [AES128] as preferred symm. algo on latest user-id cert String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -75,6 +75,9 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { "-----END PGP ARMORED FILE-----\n"; PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key); + + // Encrypt to the user-id + // PGPainless should extract algorithm preferences from the latest user-id sig in this case (AES-128) ByteArrayOutputStream out = new ByteArrayOutputStream(); EncryptionStream encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) .withOptions( @@ -84,5 +87,18 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest { encryptionStream.close(); assertEquals(SymmetricKeyAlgorithm.AES_128, encryptionStream.getResult().getEncryptionAlgorithm()); + + + // Encrypt without specifying user-id + // PGPainless should now inspect the subkey binding sig for algorithm preferences (AES256, AES192, AES128) + out = new ByteArrayOutputStream(); + encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out) + .withOptions( + ProducerOptions.encrypt(new EncryptionOptions() + .addRecipient(publicKeys) // no user-id passed + )); + + encryptionStream.close(); + assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionStream.getResult().getEncryptionAlgorithm()); } } From b09858e1860e80ec30980776b399cdf9873ba361 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 27 Nov 2021 17:14:45 +0100 Subject: [PATCH 0167/1450] Add basic test for DirectKeySignatureBuilder --- .../builder/DirectKeySignatureBuilder.java | 4 +- .../DirectKeySignatureBuilderTest.java | 74 +++++++++++++++++++ 2 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java index f65c7bb8..6871bea6 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java @@ -21,8 +21,8 @@ public class DirectKeySignatureBuilder extends AbstractSignatureBuilder +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.signature.builder; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.Collections; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.CompressionAlgorithm; +import org.pgpainless.algorithm.Feature; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; + +public class DirectKeySignatureBuilderTest { + + @Test + public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + DirectKeySignatureBuilder dsb = new DirectKeySignatureBuilder( + secretKeys.getSecretKey(), + SecretKeyRingProtector.unprotectedKeys()); + + dsb.applyCallback(new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER); + hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA512); + hashedSubpackets.setPreferredCompressionAlgorithms(CompressionAlgorithm.ZIP); + hashedSubpackets.setPreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_256); + hashedSubpackets.setFeatures(Feature.MODIFICATION_DETECTION); + } + }); + + Thread.sleep(1000); + + PGPSignature directKeySig = dsb.build(secretKeys.getPublicKey()); + assertNotNull(directKeySig); + secretKeys = KeyRingUtils.injectCertification(secretKeys, secretKeys.getPublicKey(), directKeySig); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + PGPSignature signature = info.getLatestDirectKeySelfSignature(); + + assertNotNull(signature); + assertEquals(directKeySig, signature); + + assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType())); + assertEquals(Collections.singletonList(KeyFlag.CERTIFY_OTHER), SignatureSubpacketsUtil.parseKeyFlags(signature)); + assertEquals(Collections.singleton(HashAlgorithm.SHA512), SignatureSubpacketsUtil.parsePreferredHashAlgorithms(signature)); + assertEquals(Collections.singleton(CompressionAlgorithm.ZIP), SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(signature)); + assertEquals(Collections.singleton(SymmetricKeyAlgorithm.AES_256), SignatureSubpacketsUtil.parsePreferredSymmetricKeyAlgorithms(signature)); + assertEquals(secretKeys.getPublicKey().getKeyID(), signature.getKeyID()); + assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), signature.getHashedSubPackets().getIssuerFingerprint().getFingerprint()); + } +} From b874aee6bb98f6a46d73085351bcc3eac03498cc Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 13:09:10 +0100 Subject: [PATCH 0168/1450] Move getKeyLifetimeInSeconds to SignatureSubpacketsUtil and make public --- .../SignatureSubpacketGeneratorUtil.java | 20 +------------------ .../subpackets/SignatureSubpacketsUtil.java | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java index fe493ac7..eeb87a10 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java @@ -92,28 +92,10 @@ public final class SignatureSubpacketGeneratorUtil { @Nonnull Date creationDate, PGPSignatureSubpacketGenerator subpacketGenerator) { removeAllPacketsOfType(SignatureSubpacketTags.KEY_EXPIRE_TIME, subpacketGenerator); - long secondsToExpire = getKeyLifetimeInSeconds(expirationDate, creationDate); + long secondsToExpire = SignatureSubpacketsUtil.getKeyLifetimeInSeconds(expirationDate, creationDate); subpacketGenerator.setKeyExpirationTime(true, secondsToExpire); } - /** - * Calculate the duration in seconds until the key expires after creation. - * - * @param expirationDate new expiration date - * @param creationTime key creation time - * @return life time of the key in seconds - */ - private static long getKeyLifetimeInSeconds(Date expirationDate, @Nonnull Date creationTime) { - long secondsToExpire = 0; // 0 means "no expiration" - if (expirationDate != null) { - if (creationTime.after(expirationDate)) { - throw new IllegalArgumentException("Key MUST NOT expire before being created. (creation: " + creationTime + ", expiration: " + expirationDate + ")"); - } - secondsToExpire = (expirationDate.getTime() - creationTime.getTime()) / 1000; - } - return secondsToExpire; - } - /** * Return true, if the subpacket generator has a {@link KeyFlags} subpacket which carries the given key flag. * Returns false, if no {@link KeyFlags} subpacket is present. diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index 751c9f73..d564bfce 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -11,6 +11,7 @@ import java.util.LinkedHashSet; import java.util.List; import java.util.Set; +import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.bcpg.sig.Exportable; @@ -204,6 +205,25 @@ public final class SignatureSubpacketsUtil { return SignatureUtils.datePlusSeconds(signingKey.getCreationTime(), subpacket.getTime()); } + /** + * Calculate the duration in seconds until the key expires after creation. + * + * @param expirationDate new expiration date + * @param creationDate key creation time + * @return life time of the key in seconds + */ + public static long getKeyLifetimeInSeconds(@Nullable Date expirationDate, @Nonnull Date creationDate) { + long secondsToExpire = 0; // 0 means "no expiration" + if (expirationDate != null) { + if (creationDate.after(expirationDate)) { + throw new IllegalArgumentException("Key MUST NOT expire before being created. " + + "(creation: " + creationDate + ", expiration: " + expirationDate + ")"); + } + secondsToExpire = (expirationDate.getTime() - creationDate.getTime()) / 1000; + } + return secondsToExpire; + } + /** * Return the revocable subpacket of this signature. * We only look for it in the hashed area of the signature. From e1334348889c5d690311de1d470525f36f4ba59c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 13:09:21 +0100 Subject: [PATCH 0169/1450] Remove unused methods from SignatureSubpacketGeneratorUtil --- .../SignatureSubpacketGeneratorUtil.java | 42 ------------------- 1 file changed, 42 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java index eeb87a10..137e5508 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java @@ -4,16 +4,12 @@ package org.pgpainless.signature.subpackets; -import java.util.ArrayList; import java.util.Date; -import java.util.List; import javax.annotation.Nonnull; import org.bouncycastle.bcpg.SignatureSubpacket; import org.bouncycastle.bcpg.SignatureSubpacketTags; -import org.bouncycastle.bcpg.sig.KeyFlags; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.pgpainless.algorithm.KeyFlag; /** * Utility class that helps dealing with BCs SignatureSubpacketGenerator class. @@ -24,25 +20,6 @@ public final class SignatureSubpacketGeneratorUtil { } - /** - * Return a list of {@link SignatureSubpacket SignatureSubpackets} from the subpacket generator, which correspond - * to the given {@link org.pgpainless.algorithm.SignatureSubpacket} type. - * - * @param type subpacket type - * @param generator subpacket generator - * @param

generic subpacket type - * @return possibly empty list of subpackets - */ - public static

List

getSubpacketsOfType(org.pgpainless.algorithm.SignatureSubpacket type, - PGPSignatureSubpacketGenerator generator) { - SignatureSubpacket[] subpackets = generator.getSubpackets(type.getCode()); - List

list = new ArrayList<>(); - for (SignatureSubpacket p : subpackets) { - list.add((P) p); - } - return list; - } - /** * Remove all packets of the given type from the {@link PGPSignatureSubpacketGenerator PGPSignatureSubpacketGenerators} * internal set. @@ -95,23 +72,4 @@ public final class SignatureSubpacketGeneratorUtil { long secondsToExpire = SignatureSubpacketsUtil.getKeyLifetimeInSeconds(expirationDate, creationDate); subpacketGenerator.setKeyExpirationTime(true, secondsToExpire); } - - /** - * Return true, if the subpacket generator has a {@link KeyFlags} subpacket which carries the given key flag. - * Returns false, if no {@link KeyFlags} subpacket is present. - * If there are more than one instance of a {@link KeyFlags} packet present, only the last occurrence will - * be tested. - * - * @param keyFlag flag to test for - * @param generator subpackets generator - * @return true if the generator has the given key flag set - */ - public static boolean hasKeyFlag(KeyFlag keyFlag, PGPSignatureSubpacketGenerator generator) { - List keyFlagPackets = getSubpacketsOfType(org.pgpainless.algorithm.SignatureSubpacket.keyFlags, generator); - if (keyFlagPackets.isEmpty()) { - return false; - } - KeyFlags last = keyFlagPackets.get(keyFlagPackets.size() - 1); - return KeyFlag.hasKeyFlag(last.getFlags(), keyFlag); - } } From 03912f9dc12b0b40199954332736ed38061b0f2d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 13:22:08 +0100 Subject: [PATCH 0170/1450] Fix typos --- .../signature/subpackets/SignatureSubpacketsUtil.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java index d564bfce..50ba126c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java @@ -609,7 +609,7 @@ public final class SignatureSubpacketsUtil { } if (!type.canAuthenticate() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) { - throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION."); + throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTICATION."); } } @@ -633,7 +633,7 @@ public final class SignatureSubpacketsUtil { } if (!algorithm.isSigningCapable() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) { - throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag AUTHENTIACTION."); + throw new IllegalArgumentException("Algorithm " + algorithm + " cannot be used with key flag AUTHENTICATION."); } } } From 635de19fb828526a3b7875ecd0713285f271b33e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 14:15:01 +0100 Subject: [PATCH 0171/1450] Add tests for KeyRingUtils.injectCertification and render keysPlusPublicKey unusable --- .../org/pgpainless/key/util/KeyRingUtils.java | 8 ++++ .../pgpainless/key/util/KeyRingUtilTest.java | 45 +++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 4afbfd6a..9848ced9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -24,6 +24,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.pgpainless.PGPainless; +import org.pgpainless.exception.NotYetImplementedException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -299,6 +300,10 @@ public final class KeyRingUtils { } public static T keysPlusPublicKey(T keyRing, PGPPublicKey publicKey) { + if (true) + // Is currently broken beyond repair + throw new NotYetImplementedException(); + PGPSecretKeyRing secretKeys = null; PGPPublicKeyRing publicKeys; if (keyRing instanceof PGPSecretKeyRing) { @@ -312,6 +317,9 @@ public final class KeyRingUtils { if (secretKeys == null) { return (T) publicKeys; } else { + // TODO: Replace with PGPSecretKeyRing.insertOrReplacePublicKey() once available + // Right now replacePublicKeys looses extra public keys. + // See https://github.com/bcgit/bc-java/pull/1068 for a possible fix secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys); return (T) secretKeys; } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 8312bd28..9f2546ae 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -5,18 +5,30 @@ package org.pgpainless.key.util; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.NoSuchElementException; +import java.util.Random; +import org.bouncycastle.bcpg.attr.ImageAttribute; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.bouncycastle.openpgp.PGPSignatureGenerator; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; +import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.SignatureType; +import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.CollectionUtils; public class KeyRingUtilTest { @@ -63,4 +75,37 @@ public class KeyRingUtilTest { assertThrows(NoSuchElementException.class, () -> KeyRingUtils.deleteUserId(secretKeys, "Charlie")); } + + @Test + public void testInjectCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + // test preconditions + assertFalse(secretKeys.getPublicKey().getUserAttributes().hasNext()); + int sigCount = CollectionUtils.iteratorToList(secretKeys.getPublicKey().getSignatures()).size(); + + // Create "image" + byte[] image = new byte[512]; + new Random().nextBytes(image); + PGPUserAttributeSubpacketVectorGenerator userAttrGen = new PGPUserAttributeSubpacketVectorGenerator(); + userAttrGen.setImageAttribute(ImageAttribute.JPEG, image); + PGPUserAttributeSubpacketVector userAttr = userAttrGen.generate(); + + // create sig + PGPSignatureGenerator sigGen = new PGPSignatureGenerator( + ImplementationFactory.getInstance().getPGPContentSignerBuilder( + secretKeys.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId() + )); + sigGen.init( + SignatureType.POSITIVE_CERTIFICATION.getCode(), + UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys())); + PGPSignature signature = sigGen.generateCertification(userAttr, secretKeys.getPublicKey()); + // inject sig + secretKeys = KeyRingUtils.injectCertification(secretKeys, userAttr, signature); + + assertTrue(secretKeys.getPublicKey().getUserAttributes().hasNext()); + assertEquals(userAttr, secretKeys.getPublicKey().getUserAttributes().next()); + assertEquals(sigCount + 1, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getSignatures()).size()); + } } From aef9ebfd7b0a252a29ec3a1a5ee5e70d5db44fa6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 14:45:53 +0100 Subject: [PATCH 0172/1450] Incorporate feedback --- .../PublicKeyParameterValidationUtil.java | 54 +++++++++++++++---- 1 file changed, 43 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java index e2cf058f..592ef945 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java @@ -42,16 +42,6 @@ public class PublicKeyParameterValidationUtil { throws KeyIntegrityException, PGPException { PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm()); boolean valid = true; - // Additional to the algorithm-specific tests further below, we also perform - // generic functionality tests with the key, such as whether it is able to decrypt encrypted data - // or verify signatures. - // These tests should be more or less constant time. - if (publicKeyAlgorithm.isSigningCapable()) { - valid = verifyCanSign(privateKey, publicKey) && valid; - } - if (publicKeyAlgorithm.isEncryptionCapable()) { - valid = verifyCanDecrypt(privateKey, publicKey) && valid; - } // Algorithm specific validations BCPGKey key = privateKey.getPrivateKeyDataPacket(); @@ -77,6 +67,21 @@ public class PublicKeyParameterValidationUtil { if (!valid) { throw new KeyIntegrityException(); } + + // Additional to the algorithm-specific tests further above, we also perform + // generic functionality tests with the key, such as whether it is able to decrypt encrypted data + // or verify signatures. + // These tests should be more or less constant time. + if (publicKeyAlgorithm.isSigningCapable()) { + valid = verifyCanSign(privateKey, publicKey); + } + if (publicKeyAlgorithm.isEncryptionCapable()) { + valid = verifyCanDecrypt(privateKey, publicKey) && valid; + } + + if (!valid) { + throw new KeyIntegrityException(); + } } private static boolean verifyCanSign(PGPPrivateKey privateKey, PGPPublicKey publicKey) throws PGPException { @@ -149,19 +154,46 @@ public class PublicKeyParameterValidationUtil { BigInteger sX = privateKey.getX(); boolean pPrime = pP.isProbablePrime(certainty); + if (!pPrime) { + return false; + } + boolean qPrime = pQ.isProbablePrime(certainty); + if (!qPrime) { + return false; + } + // q > 160 bits boolean qLarge = pQ.getLowestSetBit() > 160; + if (!qLarge) { + return false; + } + // q divides p - 1 boolean qDividesPminus1 = pP.subtract(BigInteger.ONE).mod(pQ).equals(BigInteger.ZERO); + if (!qDividesPminus1) { + return false; + } + // 1 < g < p boolean gInBounds = BigInteger.ONE.max(pG).equals(pG) && pG.max(pP).equals(pP); + if (!gInBounds) { + return false; + } + // g^q = 1 mod p boolean gPowXModPEquals1 = pG.modPow(pQ, pP).equals(BigInteger.ONE); + if (!gPowXModPEquals1) { + return false; + } + // y = g^x mod p boolean yEqualsGPowXModP = pY.equals(pG.modPow(sX, pP)); + if (!yEqualsGPowXModP) { + return false; + } - return pPrime && qPrime && qLarge && qDividesPminus1 && gInBounds && gPowXModPEquals1 && yEqualsGPowXModP; + return true; } private static boolean verifyRSAKeyIntegrity(RSASecretBCPGKey secretKey, RSAPublicBCPGKey publicKey) From 18e135823f1eaaced3d8acda3157e9affa51aa2f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 15:06:10 +0100 Subject: [PATCH 0173/1450] Update changelog and readme --- CHANGELOG.md | 8 ++++++++ README.md | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9410ec3..42e62032 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,14 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc6 +- Restructure method arguments in `SecretKeyRingEditor` +- Add explanations of revocation reasons to `RevocationAttributes` +- Rename `CertificationSignatureBuilder` to `ThirdPartyCertificationSignatureBuilder` +- `KeyAccessor.ViaKeyId`: Differentiate between primary key (rely on direct-key sig) and subkey (subkey binding sig) +- Expose `SignatureSubpacketsUtil.getKeyLifetimeInSeconds` +- Various cleanup steps and new tests + ## 1.0.0-rc5 - Fix invalid cursor mark in `BufferedInputStream` when processing large cleartext signed messages - Add `SecretKeyRingEditor.revokeUserIds(SelectUserId, SecretKeyRingProtector, RevocationSignatureSubpackets.Callback)` diff --git a/README.md b/README.md index e951d935..e4732090 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc5' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc6' } ``` From 98af276d3bcceafed32779194862310f8ca22109 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 15:07:03 +0100 Subject: [PATCH 0174/1450] PGPainless 1.0.0-rc6 --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index a5804425..9c3990ef 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc6' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 729b33a1163cf1b5486fdb3f742de89934e94d0c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 28 Nov 2021 15:12:23 +0100 Subject: [PATCH 0175/1450] PGPainless-1.0.0-rc7-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 9c3990ef..574fdfd1 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc6' - isSnapshot = false + shortVersion = '1.0.0-rc7' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.69' From 176ad09d19ce0c388d634fe7efb067d997f9b41e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 29 Nov 2021 21:55:35 +0100 Subject: [PATCH 0176/1450] Make Passphrase comparison constant time --- .../main/java/org/pgpainless/util/BCUtil.java | 37 +++++++++++++++++++ .../java/org/pgpainless/util/Passphrase.java | 5 ++- .../java/org/pgpainless/util/BCUtilTest.java | 16 ++++++++ 3 files changed, 57 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java index f548af98..f059a571 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java @@ -47,4 +47,41 @@ public final class BCUtil { return bitStrength; } + + /** + * A constant time equals comparison - does not terminate early if + * test will fail. For best results always pass the expected value + * as the first parameter. + * + * @param expected first array + * @param supplied second array + * @return true if arrays equal, false otherwise. + */ + public static boolean constantTimeAreEqual( + char[] expected, + char[] supplied) { + if (expected == null || supplied == null) { + return false; + } + + if (expected == supplied) { + return true; + } + + int len = (expected.length < supplied.length) ? expected.length : supplied.length; + + int nonEqual = expected.length ^ supplied.length; + + // do the char-wise comparison + for (int i = 0; i != len; i++) { + nonEqual |= (expected[i] ^ supplied[i]); + } + // If supplied is longer than expected, iterate over rest of supplied with NOPs + for (int i = len; i < supplied.length; i++) { + nonEqual |= ((byte) supplied[i] ^ (byte) ~supplied[i]); + } + + return nonEqual == 0; + } + } diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java index bd2e203f..4cef145a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java @@ -8,6 +8,8 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import java.util.Arrays; +import static org.pgpainless.util.BCUtil.constantTimeAreEqual; + public class Passphrase { public final Object lock = new Object(); @@ -162,6 +164,7 @@ public class Passphrase { return false; } Passphrase other = (Passphrase) obj; - return Arrays.equals(getChars(), other.getChars()); + return (getChars() == null && other.getChars() == null) || + constantTimeAreEqual(getChars(), other.getChars()); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java index 3eda2b66..6fb90e63 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java @@ -5,6 +5,8 @@ package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; @@ -88,4 +90,18 @@ public class BCUtilTest { assertEquals(pubColSize, secColSize); } + + @Test + public void constantTimeAreEqualsTest() { + char[] b = "Hello".toCharArray(); + assertTrue(BCUtil.constantTimeAreEqual(b, b)); + assertTrue(BCUtil.constantTimeAreEqual("Hello".toCharArray(), "Hello".toCharArray())); + assertTrue(BCUtil.constantTimeAreEqual(new char[0], new char[0])); + assertTrue(BCUtil.constantTimeAreEqual(new char[] {'H', 'e', 'l', 'l', 'o'}, "Hello".toCharArray())); + + assertFalse(BCUtil.constantTimeAreEqual("Hello".toCharArray(), "Hello World".toCharArray())); + assertFalse(BCUtil.constantTimeAreEqual(null, "Hello".toCharArray())); + assertFalse(BCUtil.constantTimeAreEqual("Hello".toCharArray(), null)); + assertFalse(BCUtil.constantTimeAreEqual(null, null)); + } } From 888073b60411a540dff878cf83471d0212328040 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 15 Oct 2021 13:06:41 +0200 Subject: [PATCH 0177/1450] Add basic canonicalization test for new BC generator class --- .../LiteralDataCRLFEncodingTest.java | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java diff --git a/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java new file mode 100644 index 00000000..a5f0aa52 --- /dev/null +++ b/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java @@ -0,0 +1,40 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.bouncycastle; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.nio.charset.StandardCharsets; +import java.util.Date; + +import org.bouncycastle.openpgp.PGPCanonicalizedDataGenerator; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; + +public class LiteralDataCRLFEncodingTest { + + @Test + public void testCanonicalization() throws IOException { + PGPCanonicalizedDataGenerator generator = new PGPCanonicalizedDataGenerator(); + ByteArrayOutputStream out = new ByteArrayOutputStream(); + OutputStream canonicalizer = generator.open(out, PGPCanonicalizedDataGenerator.UTF8, "", new Date(), new byte[1<<9]); + + ByteArrayInputStream in = new ByteArrayInputStream("Foo\nBar\n".getBytes(StandardCharsets.UTF_8)); + Streams.pipeAll(in, canonicalizer); + canonicalizer.close(); + + byte[] bytes = out.toByteArray(); + byte[] canonicalized = new byte[bytes.length - 8]; // header is not interesting + System.arraycopy(bytes, 8, canonicalized, 0, canonicalized.length); + assertArrayEquals(new byte[] { + // F o o \r \n B a r \r \n + 70, 111, 111, 13, 10, 66, 97, 114, 13, 10}, + canonicalized); + } +} From 03f13ee4a7923b969975fab957ef25da62c930a5 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 15 Oct 2021 13:32:48 +0200 Subject: [PATCH 0178/1450] Add StreamGeneratorWrapper which uses new PGPCanonicalizedDataGenerator if required --- .../encryption_signing/EncryptionStream.java | 18 ++-- .../util/StreamGeneratorWrapper.java | 94 +++++++++++++++++++ .../LiteralDataCRLFEncodingTest.java | 2 +- 3 files changed, 103 insertions(+), 11 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java index 7d2b9722..e7b0cb23 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java @@ -15,7 +15,6 @@ import org.bouncycastle.bcpg.BCPGOutputStream; import org.bouncycastle.openpgp.PGPCompressedDataGenerator; import org.bouncycastle.openpgp.PGPEncryptedDataGenerator; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPLiteralDataGenerator; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder; @@ -25,6 +24,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.util.ArmoredOutputStreamFactory; +import org.pgpainless.util.StreamGeneratorWrapper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -50,7 +50,7 @@ public final class EncryptionStream extends OutputStream { private OutputStream publicKeyEncryptedStream = null; private PGPCompressedDataGenerator compressedDataGenerator; private BCPGOutputStream basicCompressionStream; - private PGPLiteralDataGenerator literalDataGenerator; + private StreamGeneratorWrapper streamGeneratorWrapper; private OutputStream literalDataStream; EncryptionStream(@Nonnull OutputStream targetOutputStream, @@ -147,12 +147,10 @@ public final class EncryptionStream extends OutputStream { armorOutputStream.beginClearText(firstMethod.getHashAlgorithm().getAlgorithmId()); return; } - literalDataGenerator = new PGPLiteralDataGenerator(); - literalDataStream = literalDataGenerator.open(outermostStream, - options.getEncoding().getCode(), - options.getFileName(), - options.getModificationDate(), - new byte[BUFFER_SIZE]); + + streamGeneratorWrapper = StreamGeneratorWrapper.forStreamEncoding(options.getEncoding()); + literalDataStream = streamGeneratorWrapper.open(outermostStream, + options.getFileName(), options.getModificationDate(), new byte[BUFFER_SIZE]); outermostStream = literalDataStream; resultBuilder.setFileName(options.getFileName()) @@ -212,8 +210,8 @@ public final class EncryptionStream extends OutputStream { literalDataStream.flush(); literalDataStream.close(); } - if (literalDataGenerator != null) { - literalDataGenerator.close(); + if (streamGeneratorWrapper != null) { + streamGeneratorWrapper.close(); } if (options.isCleartextSigned()) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java new file mode 100644 index 00000000..2618d022 --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java @@ -0,0 +1,94 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.util; + +import java.io.IOException; +import java.io.OutputStream; +import java.util.Date; + +import javax.annotation.Nonnull; + +import org.bouncycastle.openpgp.PGPCanonicalizedDataGenerator; +import org.bouncycastle.openpgp.PGPLiteralDataGenerator; +import org.pgpainless.algorithm.StreamEncoding; + +/** + * Literal Data can be encoded in different ways. + * BINARY encoding leaves the data as is and is generated through the {@link PGPLiteralDataGenerator}. + * However, if the data is encoded in TEXT or UTF8 encoding, we need to use the {@link PGPCanonicalizedDataGenerator} + * instead. + * + * This wrapper class acts as a handle for both options and provides a unified interface for them. + */ +public final class StreamGeneratorWrapper { + + private final StreamEncoding encoding; + private final PGPLiteralDataGenerator literalDataGenerator; + private final PGPCanonicalizedDataGenerator canonicalizedDataGenerator; + + /** + * Create a new instance for the given encoding. + * + * @param encoding stream encoding + * @return wrapper + */ + public static StreamGeneratorWrapper forStreamEncoding(@Nonnull StreamEncoding encoding) { + if (encoding == StreamEncoding.BINARY) { + return new StreamGeneratorWrapper(encoding, new PGPLiteralDataGenerator()); + } else { + return new StreamGeneratorWrapper(encoding, new PGPCanonicalizedDataGenerator()); + } + } + + private StreamGeneratorWrapper(@Nonnull StreamEncoding encoding, @Nonnull PGPLiteralDataGenerator literalDataGenerator) { + if (encoding != StreamEncoding.BINARY) { + throw new IllegalArgumentException("PGPLiteralDataGenerator can only be used with BINARY encoding."); + } + this.encoding = encoding; + this.literalDataGenerator = literalDataGenerator; + this.canonicalizedDataGenerator = null; + } + + private StreamGeneratorWrapper(@Nonnull StreamEncoding encoding, @Nonnull PGPCanonicalizedDataGenerator canonicalizedDataGenerator) { + if (encoding != StreamEncoding.TEXT && encoding != StreamEncoding.UTF8) { + throw new IllegalArgumentException("PGPCanonicalizedDataGenerator can only be used with TEXT or UTF8 encoding."); + } + this.encoding = encoding; + this.canonicalizedDataGenerator = canonicalizedDataGenerator; + this.literalDataGenerator = null; + } + + /** + * Open a new encoding stream. + * + * @param outputStream wrapped output stream + * @param filename file name + * @param modificationDate modification date + * @param buffer buffer + * @return encoding stream + * @throws IOException + */ + public OutputStream open(OutputStream outputStream, String filename, Date modificationDate, byte[] buffer) throws IOException { + if (literalDataGenerator != null) { + return literalDataGenerator.open(outputStream, encoding.getCode(), filename, modificationDate, buffer); + } else { + return canonicalizedDataGenerator.open(outputStream, encoding.getCode(), filename, modificationDate, buffer); + } + } + + /** + * Close all encoding streams opened by this generator wrapper. + * + * @throws IOException + */ + public void close() throws IOException { + if (literalDataGenerator != null) { + literalDataGenerator.close(); + } + if (canonicalizedDataGenerator != null) { + canonicalizedDataGenerator.close(); + } + } +} diff --git a/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java b/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java index a5f0aa52..b6f92bc6 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/LiteralDataCRLFEncodingTest.java @@ -23,7 +23,7 @@ public class LiteralDataCRLFEncodingTest { public void testCanonicalization() throws IOException { PGPCanonicalizedDataGenerator generator = new PGPCanonicalizedDataGenerator(); ByteArrayOutputStream out = new ByteArrayOutputStream(); - OutputStream canonicalizer = generator.open(out, PGPCanonicalizedDataGenerator.UTF8, "", new Date(), new byte[1<<9]); + OutputStream canonicalizer = generator.open(out, PGPCanonicalizedDataGenerator.UTF8, "", new Date(), new byte[1 << 9]); ByteArrayInputStream in = new ByteArrayInputStream("Foo\nBar\n".getBytes(StandardCharsets.UTF_8)); Streams.pipeAll(in, canonicalizer); From c55fd2e5522e0e25e5e5fd75e173c2f0a05b72e6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 15 Oct 2021 14:58:17 +0200 Subject: [PATCH 0179/1450] Implement decryption with - and access of session keys --- .../ConsumerOptions.java | 19 +- .../DecryptionStreamFactory.java | 61 ++++++- .../OpenPgpMetadata.java | 27 +-- .../CleartextSignatureProcessor.java | 2 - .../BcImplementationFactory.java | 8 + .../implementation/ImplementationFactory.java | 4 + .../JceImplementationFactory.java | 8 + .../java/org/pgpainless/util/SessionKey.java | 35 ++++ .../java/org/pgpainless/sop/DecryptImpl.java | 22 ++- .../sop/EncryptDecryptRoundTripTest.java | 163 ++++++++++++++++++ sop-java/src/main/java/sop/SessionKey.java | 15 ++ .../test/java/sop/util/SessionKeyTest.java | 7 + 12 files changed, 334 insertions(+), 37 deletions(-) create mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java index a80d1fee..436d9356 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java @@ -24,10 +24,10 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy; import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy; -import org.pgpainless.exception.NotYetImplementedException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.SessionKey; /** * Options for decryption and signature verification. @@ -46,7 +46,7 @@ public class ConsumerOptions { private MissingPublicKeyCallback missingCertificateCallback = null; // Session key for decryption without passphrase/key - private byte[] sessionKey = null; + private SessionKey sessionKey = null; private final Map decryptionKeys = new HashMap<>(); private final Set decryptionPassphrases = new HashSet<>(); @@ -162,16 +162,15 @@ public class ConsumerOptions { * Attempt decryption using a session key. * * Note: PGPainless does not yet support decryption with session keys. - * TODO: Add support for decryption using session key. * * @see RFC4880 on Session Keys * * @param sessionKey session key * @return options */ - public ConsumerOptions setSessionKey(@Nonnull byte[] sessionKey) { + public ConsumerOptions setSessionKey(@Nonnull SessionKey sessionKey) { this.sessionKey = sessionKey; - throw new NotYetImplementedException(); + return this; } /** @@ -179,14 +178,8 @@ public class ConsumerOptions { * * @return session key or null */ - public @Nullable byte[] getSessionKey() { - if (sessionKey == null) { - return null; - } - - byte[] sk = new byte[sessionKey.length]; - System.arraycopy(sessionKey, 0, sk, 0, sessionKey.length); - return sk; + public @Nullable SessionKey getSessionKey() { + return sessionKey; } /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 560a4d39..459bfb8d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -34,12 +34,14 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSessionKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; +import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.EncryptionPurpose; @@ -63,6 +65,7 @@ import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; import org.pgpainless.util.PGPUtilWrapper; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.SessionKey; import org.pgpainless.util.Tuple; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -210,12 +213,53 @@ public final class DecryptionStreamFactory { private InputStream processPGPEncryptedDataList(PGPEncryptedDataList pgpEncryptedDataList, int depth) throws PGPException, IOException { LOGGER.debug("Depth {}: Encountered PGPEncryptedDataList", depth); + + SessionKey sessionKey = options.getSessionKey(); + if (sessionKey != null) { + integrityProtectedEncryptedInputStream = decryptWithProvidedSessionKey(pgpEncryptedDataList, sessionKey); + InputStream decodedDataStream = PGPUtil.getDecoderStream(integrityProtectedEncryptedInputStream); + PGPObjectFactory factory = new PGPObjectFactory(decodedDataStream, keyFingerprintCalculator); + return processPGPPackets(factory, ++depth); + } + InputStream decryptedDataStream = decryptSessionKey(pgpEncryptedDataList); InputStream decodedDataStream = PGPUtil.getDecoderStream(decryptedDataStream); PGPObjectFactory factory = new PGPObjectFactory(decodedDataStream, keyFingerprintCalculator); return processPGPPackets(factory, ++depth); } + private IntegrityProtectedInputStream decryptWithProvidedSessionKey(PGPEncryptedDataList pgpEncryptedDataList, SessionKey sessionKey) throws PGPException { + PGPSessionKey pgpSessionKey = new PGPSessionKey(sessionKey.getAlgorithm().getAlgorithmId(), sessionKey.getKey()); + SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().provideSessionKeyDataDecryptorFactory(pgpSessionKey); + InputStream decryptedDataStream = null; + PGPEncryptedData encryptedData = null; + for (PGPEncryptedData pgpEncryptedData : pgpEncryptedDataList) { + encryptedData = pgpEncryptedData; + if (!options.isIgnoreMDCErrors() && !encryptedData.isIntegrityProtected()) { + throw new MessageNotIntegrityProtectedException(); + } + + if (encryptedData instanceof PGPPBEEncryptedData) { + PGPPBEEncryptedData pbeEncrypted = (PGPPBEEncryptedData) encryptedData; + decryptedDataStream = pbeEncrypted.getDataStream(decryptorFactory); + break; + } else if (encryptedData instanceof PGPPublicKeyEncryptedData) { + PGPPublicKeyEncryptedData pkEncrypted = (PGPPublicKeyEncryptedData) encryptedData; + decryptedDataStream = pkEncrypted.getDataStream(decryptorFactory); + break; + } + } + + if (decryptedDataStream == null) { + throw new PGPException("No valid PGP data encountered."); + } + + resultBuilder.setSessionKey(sessionKey); + throwIfAlgorithmIsRejected(sessionKey.getAlgorithm()); + integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, encryptedData, options); + return integrityProtectedEncryptedInputStream; + } + private InputStream processPGPCompressedData(PGPCompressedData pgpCompressedData, int depth) throws PGPException, IOException { CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.fromId(pgpCompressedData.getAlgorithm()); @@ -294,10 +338,11 @@ public final class DecryptionStreamFactory { try { InputStream decryptedDataStream = pbeEncryptedData.getDataStream(passphraseDecryptor); - SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.fromId( - pbeEncryptedData.getSymmetricAlgorithm(passphraseDecryptor)); - throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); - resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); + PGPSessionKey pgpSessionKey = pbeEncryptedData.getSessionKey(passphraseDecryptor); + SessionKey sessionKey = new SessionKey(pgpSessionKey); + resultBuilder.setSessionKey(sessionKey); + + throwIfAlgorithmIsRejected(sessionKey.getAlgorithm()); integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData, options); @@ -454,15 +499,17 @@ public final class DecryptionStreamFactory { PublicKeyDataDecryptorFactory dataDecryptor = ImplementationFactory.getInstance() .getPublicKeyDataDecryptorFactory(decryptionKey); - SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm - .fromId(encryptedSessionKey.getSymmetricAlgorithm(dataDecryptor)); + PGPSessionKey pgpSessionKey = encryptedSessionKey.getSessionKey(dataDecryptor); + SessionKey sessionKey = new SessionKey(pgpSessionKey); + resultBuilder.setSessionKey(sessionKey); + + SymmetricKeyAlgorithm symmetricKeyAlgorithm = sessionKey.getAlgorithm(); if (symmetricKeyAlgorithm == SymmetricKeyAlgorithm.NULL) { LOGGER.debug("Message is unencrypted"); } else { LOGGER.debug("Message is encrypted using {}", symmetricKeyAlgorithm); } throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); - resultBuilder.setSymmetricKeyAlgorithm(symmetricKeyAlgorithm); integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey, options); return integrityProtectedEncryptedInputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java index 9dfc8076..c0d8284f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java @@ -25,6 +25,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; +import org.pgpainless.util.SessionKey; public class OpenPgpMetadata { @@ -34,7 +35,7 @@ public class OpenPgpMetadata { private final List invalidInbandSignatures; private final List verifiedDetachedSignatures; private final List invalidDetachedSignatures; - private final SymmetricKeyAlgorithm symmetricKeyAlgorithm; + private final SessionKey sessionKey; private final CompressionAlgorithm compressionAlgorithm; private final String fileName; private final Date modificationDate; @@ -42,7 +43,7 @@ public class OpenPgpMetadata { public OpenPgpMetadata(Set recipientKeyIds, SubkeyIdentifier decryptionKey, - SymmetricKeyAlgorithm symmetricKeyAlgorithm, + SessionKey sessionKey, CompressionAlgorithm algorithm, List verifiedInbandSignatures, List invalidInbandSignatures, @@ -54,7 +55,7 @@ public class OpenPgpMetadata { this.recipientKeyIds = Collections.unmodifiableSet(recipientKeyIds); this.decryptionKey = decryptionKey; - this.symmetricKeyAlgorithm = symmetricKeyAlgorithm; + this.sessionKey = sessionKey; this.compressionAlgorithm = algorithm; this.verifiedInbandSignatures = Collections.unmodifiableList(verifiedInbandSignatures); this.invalidInbandSignatures = Collections.unmodifiableList(invalidInbandSignatures); @@ -80,7 +81,7 @@ public class OpenPgpMetadata { * @return true if encrypted, false otherwise */ public boolean isEncrypted() { - return symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL && !getRecipientKeyIds().isEmpty(); + return sessionKey != null && sessionKey.getAlgorithm() != SymmetricKeyAlgorithm.NULL && !getRecipientKeyIds().isEmpty(); } /** @@ -100,7 +101,11 @@ public class OpenPgpMetadata { * @return encryption algorithm */ public @Nullable SymmetricKeyAlgorithm getSymmetricKeyAlgorithm() { - return symmetricKeyAlgorithm; + return sessionKey == null ? null : sessionKey.getAlgorithm(); + } + + public @Nullable SessionKey getSessionKey() { + return sessionKey; } /** @@ -271,8 +276,8 @@ public class OpenPgpMetadata { public static class Builder { private final Set recipientFingerprints = new HashSet<>(); + private SessionKey sessionKey; private SubkeyIdentifier decryptionKey; - private SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.NULL; private CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.UNCOMPRESSED; private String fileName; private StreamEncoding fileEncoding; @@ -294,13 +299,13 @@ public class OpenPgpMetadata { return this; } - public Builder setCompressionAlgorithm(CompressionAlgorithm algorithm) { - this.compressionAlgorithm = algorithm; + public Builder setSessionKey(SessionKey sessionKey) { + this.sessionKey = sessionKey; return this; } - public Builder setSymmetricKeyAlgorithm(SymmetricKeyAlgorithm symmetricKeyAlgorithm) { - this.symmetricKeyAlgorithm = symmetricKeyAlgorithm; + public Builder setCompressionAlgorithm(CompressionAlgorithm algorithm) { + this.compressionAlgorithm = algorithm; return this; } @@ -322,7 +327,7 @@ public class OpenPgpMetadata { public OpenPgpMetadata build() { return new OpenPgpMetadata( recipientFingerprints, decryptionKey, - symmetricKeyAlgorithm, compressionAlgorithm, + sessionKey, compressionAlgorithm, verifiedInbandSignatures, invalidInbandSignatures, verifiedDetachedSignatures, invalidDetachedSignatures, fileName, modificationDate, fileEncoding); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java index 352321ca..26e33a96 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java @@ -14,7 +14,6 @@ import org.bouncycastle.openpgp.PGPSignatureList; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.StreamEncoding; -import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; @@ -58,7 +57,6 @@ public class CleartextSignatureProcessor { public DecryptionStream getVerificationStream() throws IOException, PGPException { OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED) - .setSymmetricKeyAlgorithm(SymmetricKeyAlgorithm.NULL) .setFileEncoding(StreamEncoding.TEXT); MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java index ea9b0eb0..0be562a2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java @@ -14,6 +14,7 @@ import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSessionKey; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator; @@ -25,6 +26,7 @@ import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder; import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator; +import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator; import org.bouncycastle.openpgp.operator.bc.BcPBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcPBEKeyEncryptionMethodGenerator; @@ -38,6 +40,7 @@ import org.bouncycastle.openpgp.operator.bc.BcPGPKeyConverter; import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair; import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator; +import org.bouncycastle.openpgp.operator.bc.BcSessionKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; @@ -137,6 +140,11 @@ public class BcImplementationFactory extends ImplementationFactory { .build(passphrase.getChars()); } + @Override + public SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) { + return new BcSessionKeyDataDecryptorFactory(sessionKey); + } + private AsymmetricCipherKeyPair jceToBcKeyPair(PublicKeyAlgorithm algorithm, KeyPair keyPair, Date creationDate) throws PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java index 774dcad0..50937a30 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSessionKey; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator; @@ -24,6 +25,7 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator; +import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; @@ -103,6 +105,8 @@ public abstract class ImplementationFactory { HashAlgorithm hashAlgorithm, int s2kCount, Passphrase passphrase) throws PGPException; + public abstract SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey); + @Override public String toString() { return getClass().getSimpleName(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java index cbacdf1b..c480ed10 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSessionKey; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator; @@ -24,6 +25,7 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator; +import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider; @@ -36,6 +38,7 @@ import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyEncryptorBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator; +import org.bouncycastle.openpgp.operator.jcajce.JceSessionKeyDataDecryptorFactoryBuilder; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; @@ -124,4 +127,9 @@ public class JceImplementationFactory extends ImplementationFactory { .setProvider(ProviderFactory.getProvider()) .build(passphrase.getChars()); } + + @Override + public SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) { + return new JceSessionKeyDataDecryptorFactoryBuilder().build(sessionKey); + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java new file mode 100644 index 00000000..cea8639d --- /dev/null +++ b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java @@ -0,0 +1,35 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.util; + +import javax.annotation.Nonnull; + +import org.bouncycastle.openpgp.PGPSessionKey; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; + +public class SessionKey { + + private SymmetricKeyAlgorithm algorithm; + private byte[] key; + + public SessionKey(@Nonnull PGPSessionKey sessionKey) { + this(SymmetricKeyAlgorithm.fromId(sessionKey.getAlgorithm()), sessionKey.getKey()); + } + + public SessionKey(@Nonnull SymmetricKeyAlgorithm algorithm, @Nonnull byte[] key) { + this.algorithm = algorithm; + this.key = key; + } + + public SymmetricKeyAlgorithm getAlgorithm() { + return algorithm; + } + + public byte[] getKey() { + byte[] copy = new byte[key.length]; + System.arraycopy(key, 0, copy, 0, copy.length); + return copy; + } +} diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java index 7298065e..606f8673 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java @@ -18,6 +18,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; @@ -67,7 +68,11 @@ public class DecryptImpl implements Decrypt { @Override public DecryptImpl withSessionKey(SessionKey sessionKey) throws SOPGPException.UnsupportedOption { - throw new SOPGPException.UnsupportedOption("Setting custom session key not supported."); + consumerOptions.setSessionKey( + new org.pgpainless.util.SessionKey( + SymmetricKeyAlgorithm.fromId(sessionKey.getAlgorithm()), + sessionKey.getKey())); + return this; } @Override @@ -118,8 +123,8 @@ public class DecryptImpl implements Decrypt { throws SOPGPException.BadData, SOPGPException.MissingArg { - if (consumerOptions.getDecryptionKeys().isEmpty() && consumerOptions.getDecryptionPassphrases().isEmpty()) { - throw new SOPGPException.MissingArg("Missing decryption key or passphrase."); + if (consumerOptions.getDecryptionKeys().isEmpty() && consumerOptions.getDecryptionPassphrases().isEmpty() && consumerOptions.getSessionKey() == null) { + throw new SOPGPException.MissingArg("Missing decryption key, passphrase or session key."); } DecryptionStream decryptionStream; @@ -153,7 +158,16 @@ public class DecryptImpl implements Decrypt { } } - return new DecryptionResult(null, verificationList); + SessionKey sessionKey = null; + if (metadata.getSessionKey() != null) { + org.pgpainless.util.SessionKey sk = metadata.getSessionKey(); + sessionKey = new SessionKey( + (byte) sk.getAlgorithm().getAlgorithmId(), + sk.getKey() + ); + } + + return new DecryptionResult(sessionKey, verificationList); } }; } diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java index f6f6c235..807c9dd3 100644 --- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java +++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java @@ -7,6 +7,7 @@ package org.pgpainless.sop; import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -18,6 +19,7 @@ import org.junit.jupiter.api.Test; import sop.ByteArrayAndResult; import sop.DecryptionResult; import sop.SOP; +import sop.SessionKey; import sop.exception.SOPGPException; public class EncryptDecryptRoundTripTest { @@ -235,4 +237,165 @@ public class EncryptDecryptRoundTripTest { assertThrows(SOPGPException.BadData.class, () -> sop.decrypt() .verifyWithCert(new byte[0])); } + + @Test + public void testPassphraseDecryptionYieldsSessionKey() throws IOException { + byte[] message = "Hello\nWorld\n".getBytes(StandardCharsets.UTF_8); + byte[] ciphertext = ("-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "jA0ECQMCdFswArqHpj1g0j4BLDTkZhCC1crZf0EFq1xPIMUtnyRmfJJ7IzsdMJ5Y\n" + + "EhKbBc2h6wIX7B/GxUbyNj1xh5JRzt2ZX8KL2d6HAQ==\n" + + "=zZ0/\n" + + "-----END PGP MESSAGE-----").getBytes(StandardCharsets.UTF_8); + String passphrase = "sw0rdf1sh"; + ByteArrayAndResult bytesAndResult = sop.decrypt().withPassword(passphrase).ciphertext(ciphertext).toByteArrayAndResult(); + assertArrayEquals(message, bytesAndResult.getBytes()); + assertTrue(bytesAndResult.getResult().getSessionKey().isPresent()); + assertEquals("9:7BCB7383D23E20D4BA8980B26D6C0813769056546C45B7E55F4612BFAD5B4B1C", bytesAndResult.getResult().getSessionKey().get().toString()); + } + + @Test + public void testPublicKeyDecryptionYieldsSessionKey() throws IOException { + byte[] key = ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: D94A AA9C 5F73 48B2 5D81 72E7 F20C F71E 93FE 897F\n" + + "Comment: Alice\n" + + "\n" + + "lFgEYWlyaRYJKwYBBAHaRw8BAQdAJsJfjByLE+8HNVGbEKiIbSGXBYwR6L61bT5E\n" + + "Hhu642kAAP49D4TOaI+Z3G5ko4C4D1bOzLajLRpIuPLuwYHpF1xD0RHmtAVBbGlj\n" + + "ZYh4BBMWCgAgBQJhaXJpAhsBBRYCAwEABRUKCQgLBAsJCAcCHgECGQEACgkQ8gz3\n" + + "HpP+iX/c8AD9Hx0PUu97n8ZlrpuA6YuJL3rONPQnaXMz9eE+KHxJS6sBAM06X8Wm\n" + + "XRGUVURsoerwYTbUnXcUnqH/U/JhwlUerJAInF0EYWlyaRIKKwYBBAGXVQEFAQEH\n" + + "QJOHyxI5K8ZqX+v/AmTLHAIjWd8wHO8eGld4KHniCFx9AwEIBwAA/0zVZYYWsr3w\n" + + "GKkmqfIZlB+wIeJlWrho87kvXiNAe0LIEIGIdQQYFgoAHQUCYWlyaQIbDAUWAgMB\n" + + "AAUVCgkICwQLCQgHAh4BAAoJEPIM9x6T/ol/vggA/ilxi5UTjDYDR7sGrYyaGPRK\n" + + "Sg0KNn2SV4c5M5ZmZR7sAP4kKz6kQ4UtYmSmUmMBu+A3mMTN8VQY+6LSTdekvU0N\n" + + "ApxYBGFpcmkWCSsGAQQB2kcPAQEHQJiiZENQ52jyt8wBwX7fD1vQkvgTg5T3v1S1\n" + + "yzr1yI0RAAD+KOTcMdv8rz3U6K42PNE4b983KoMfyQ/hgjIWOi2BYBwP94jVBBgW\n" + + "CgB9BQJhaXJpAhsCBRYCAwEABRUKCQgLBAsJCAcCHgFfIAQZFgoABgUCYWlyaQAK\n" + + "CRDP7lemqmadIYLuAP9oAm+OFzyMNrmWRcvdHqH/DAfJTM2+ZmANSm44geZDEAD9\n" + + "HfeCHev1H1H1wOd0S3tW9gZwonrYFoqOBW/YTmf5XwYACgkQ8gz3HpP+iX+veQEA\n" + + "sWC+xDo+lc6oJr4q0mTJkxzYfgUBtQ0VjUWNcGyOdegBAL8hMzb9+e4wbP2F0tMb\n" + + "ZFA2MgHsvqGhXyAXi50arZYF\n" + + "=k66N\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n").getBytes(StandardCharsets.UTF_8); + byte[] message = "Hello\nWorld\n".getBytes(StandardCharsets.UTF_8); + byte[] ciphertext = ("-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DrJ3c2YF1IKUSAQdA9VL6OwIwOwB4GnE4yR5JJ5OjcC76WTpdm85I6WHvhD4w\n" + + "hqHpf6UGaDDQ7xAcSd7YnEGVMBOOBnJfD1PRuNWE5hwgqqsqpMDrvvMHjUsg3HNH\n" + + "0j4BriMU8XQ6MLdvCaFmeQqFwBD4mlI/x32wj0I9VyBIKysopA8HNV4ES2rOhGuW\n" + + "T/zFmI9Tm9eWvNwv0LUNhQ==\n" + + "=4Z+m\n" + + "-----END PGP MESSAGE-----\n").getBytes(StandardCharsets.UTF_8); + + ByteArrayAndResult bytesAndResult = sop.decrypt().withKey(key).ciphertext(ciphertext).toByteArrayAndResult(); + DecryptionResult result = bytesAndResult.getResult(); + assertArrayEquals(message, bytesAndResult.getBytes()); + assertTrue(result.getSessionKey().isPresent()); + assertEquals("9:63F741E7FB60247BE59C64158573308F727236482DB7653908C95839E4166AAE", result.getSessionKey().get().toString()); + } + + @Test + public void testDecryptionWithSessionKey() throws IOException { + byte[] message = "Hello\nWorld\n".getBytes(StandardCharsets.UTF_8); + byte[] ciphertext = ("-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DrJ3c2YF1IKUSAQdA9VL6OwIwOwB4GnE4yR5JJ5OjcC76WTpdm85I6WHvhD4w\n" + + "hqHpf6UGaDDQ7xAcSd7YnEGVMBOOBnJfD1PRuNWE5hwgqqsqpMDrvvMHjUsg3HNH\n" + + "0j4BriMU8XQ6MLdvCaFmeQqFwBD4mlI/x32wj0I9VyBIKysopA8HNV4ES2rOhGuW\n" + + "T/zFmI9Tm9eWvNwv0LUNhQ==\n" + + "=4Z+m\n" + + "-----END PGP MESSAGE-----\n").getBytes(StandardCharsets.UTF_8); + SessionKey sessionKey = SessionKey.fromString("9:63F741E7FB60247BE59C64158573308F727236482DB7653908C95839E4166AAE"); + + ByteArrayAndResult bytesAndResult = sop.decrypt().withSessionKey(sessionKey) + .ciphertext(ciphertext) + .toByteArrayAndResult(); + + DecryptionResult result = bytesAndResult.getResult(); + assertTrue(result.getSessionKey().isPresent()); + assertEquals(sessionKey, result.getSessionKey().get()); + + assertArrayEquals(message, bytesAndResult.getBytes()); + } + + @Test + public void testDecryptionWithSessionKey_VerificationWithCert() throws IOException { + byte[] plaintext = "This is a test message.\nSit back and relax.\n".getBytes(StandardCharsets.UTF_8); + byte[] key = ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 9C26 EFAB 1C65 00A2 28E8 A9C2 658E E420 C824 D191\n" + + "Comment: Alice\n" + + "\n" + + "lFgEYWl4ixYJKwYBBAHaRw8BAQdAv6+cd8R/ICS/z9hlT99g++wyquxVsO0FCb8F\n" + + "MSkTplUAAP9gPoBi8fxdfLaEyt6GWeIBTeYsVxsogbKzXXnjp3MbiRE/tAVBbGlj\n" + + "ZYh4BBMWCgAgBQJhaXiLAhsBBRYCAwEABRUKCQgLBAsJCAcCHgECGQEACgkQZY7k\n" + + "IMgk0ZEZuAEA3hWzfqCXGUjlv+miWey1AyWRu9eQvTdE9YqbIMuxIk4BAMtGlo6l\n" + + "d3E868q0zLOOktmsBxnzaE7knbd9nAlK3FUJnF0EYWl4ixIKKwYBBAGXVQEFAQEH\n" + + "QK8vS3T3Yf3Gpy9iWOTR0jdhV4XgtchcvKCpFMgc5uwFAwEIBwAA/1tNle5cT9kS\n" + + "8yzNxL16ElEREtEX+5kpkt6JZyTx0xfAEPGIdQQYFgoAHQUCYWl4iwIbDAUWAgMB\n" + + "AAUVCgkICwQLCQgHAh4BAAoJEGWO5CDIJNGRM80BANJ6EGKIkVNxYj7wOaEqyRh1\n" + + "Rtv3tLAnEzLl/b0mZx3WAQDADAPNCl5xnjTt5InyfrwV90kM4vDGcl4mQE8FD7dD\n" + + "B5xYBGFpeIsWCSsGAQQB2kcPAQEHQFuEaBKUllw+MfdkkSNE0CncJCeFGCbHvmsc\n" + + "Ma/DPgrpAAEAlsoxcTyTFfHxV2CayDCFvBSHYXOSOg6fyMdh0SxzjC0PVIjVBBgW\n" + + "CgB9BQJhaXiLAhsCBRYCAwEABRUKCQgLBAsJCAcCHgFfIAQZFgoABgUCYWl4iwAK\n" + + "CRBGMq3j1oKUXenjAP974AvBOAVIdNUkVAishoDL7ee7/eAU3Ni7V2Kn47cusQD/\n" + + "c8c9phtf2NIL23K4bvBdvsU3opV2DIVJwRutV4v6jgAACgkQZY7kIMgk0ZG1dwEA\n" + + "sFp1AuPcn3dGF05D6ohlqunoBwBWEcwZLjx+v5X27R8A/17V5nzC+eny3XjCF8Ib\n" + + "qw1VTfR84stki65Xhm2lxFAN\n" + + "=TQO7\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n").getBytes(StandardCharsets.UTF_8); + byte[] cert = sop.extractCert().key(key).getBytes(); + byte[] ciphertext = ("-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DSjXDMRql2RASAQdAkhJyA9GX5ios8PNlti7v7BieggiiR9trqrKFQwomU2Aw\n" + + "elEFuDA3ugJO2rNiyQQH1riFFJuod6BiQuxFhdf/mmsFFDzHmJeUOx9pQeNemzST\n" + + "0sAdAQQYC+iXUNn2y15kTqbFQFgfOWObgsqspGY04V17fZdVI7bEORLM+YT6KoZA\n" + + "uq2WO49ze9jp2jdvTsjjNNseZDhmxtgOCfi1/Fi3IHPnBJW7M3UWaJCSLozWkO95\n" + + "FztCSWL22jDGPGIjgQ589hYW+WuJMvMv6ltTOo+l70S5dHSObijbcOqfNSmrxlpw\n" + + "hqZfkU0BA01I9Pf3lBPCNyMbCPZP0oaIiWACnm6svWp4oH5u5ClhS9BVJTptzwXv\n" + + "mMj+lTi5ahGQJ3Nr8krloTSsjpkssz6D2+FDnvjwu6E=\n" + + "=BYOB\n" + + "-----END PGP MESSAGE-----").getBytes(StandardCharsets.UTF_8); + String sessionKey = "9:87C0870598AD908ABEECCAE265DCEEA146CF557AAF698D097024404A00EBD072"; + + // Decrypt with public key + ByteArrayAndResult bytesAndResult = + sop.decrypt().withKey(key).verifyWithCert(cert).ciphertext(ciphertext).toByteArrayAndResult(); + assertEquals(sessionKey, bytesAndResult.getResult().getSessionKey().get().toString()); + assertArrayEquals(plaintext, bytesAndResult.getBytes()); + assertEquals(1, bytesAndResult.getResult().getVerifications().size()); + + // Decrypt with session key + bytesAndResult = sop.decrypt().withSessionKey(SessionKey.fromString(sessionKey)) + .verifyWithCert(cert).ciphertext(ciphertext).toByteArrayAndResult(); + assertEquals(sessionKey, bytesAndResult.getResult().getSessionKey().get().toString()); + assertArrayEquals(plaintext, bytesAndResult.getBytes()); + assertEquals(1, bytesAndResult.getResult().getVerifications().size()); + } + + @Test + public void decryptWithWrongSessionKey() { + byte[] ciphertext = ("-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hF4DSjXDMRql2RASAQdAkhJyA9GX5ios8PNlti7v7BieggiiR9trqrKFQwomU2Aw\n" + + "elEFuDA3ugJO2rNiyQQH1riFFJuod6BiQuxFhdf/mmsFFDzHmJeUOx9pQeNemzST\n" + + "0sAdAQQYC+iXUNn2y15kTqbFQFgfOWObgsqspGY04V17fZdVI7bEORLM+YT6KoZA\n" + + "uq2WO49ze9jp2jdvTsjjNNseZDhmxtgOCfi1/Fi3IHPnBJW7M3UWaJCSLozWkO95\n" + + "FztCSWL22jDGPGIjgQ589hYW+WuJMvMv6ltTOo+l70S5dHSObijbcOqfNSmrxlpw\n" + + "hqZfkU0BA01I9Pf3lBPCNyMbCPZP0oaIiWACnm6svWp4oH5u5ClhS9BVJTptzwXv\n" + + "mMj+lTi5ahGQJ3Nr8krloTSsjpkssz6D2+FDnvjwu6E=\n" + + "=BYOB\n" + + "-----END PGP MESSAGE-----").getBytes(StandardCharsets.UTF_8); + SessionKey wrongSessionKey = SessionKey.fromString("9:63F741E7FB60247BE59C64158573308F727236482DB7653908C95839E4166AAE"); + + assertThrows(SOPGPException.BadData.class, () -> + sop.decrypt().withSessionKey(wrongSessionKey).ciphertext(ciphertext)); + } } diff --git a/sop-java/src/main/java/sop/SessionKey.java b/sop-java/src/main/java/sop/SessionKey.java index 2cb054d0..2adcec4d 100644 --- a/sop-java/src/main/java/sop/SessionKey.java +++ b/sop-java/src/main/java/sop/SessionKey.java @@ -5,11 +5,15 @@ package sop; import java.util.Arrays; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import sop.util.HexUtil; public class SessionKey { + private static final Pattern PATTERN = Pattern.compile("^(\\d):([0-9a-fA-F]+)$"); + private final byte algorithm; private final byte[] sessionKey; @@ -57,6 +61,17 @@ public class SessionKey { return getAlgorithm() == otherKey.getAlgorithm() && Arrays.equals(getKey(), otherKey.getKey()); } + public static SessionKey fromString(String string) { + Matcher matcher = PATTERN.matcher(string); + if (!matcher.matches()) { + throw new IllegalArgumentException("Provided session key does not match expected format."); + } + byte algorithm = Byte.parseByte(matcher.group(1)); + String key = matcher.group(2); + + return new SessionKey(algorithm, HexUtil.hexToBytes(key)); + } + @Override public String toString() { return "" + (int) getAlgorithm() + ':' + HexUtil.bytesToHex(sessionKey); diff --git a/sop-java/src/test/java/sop/util/SessionKeyTest.java b/sop-java/src/test/java/sop/util/SessionKeyTest.java index b79fd81b..2d03279d 100644 --- a/sop-java/src/test/java/sop/util/SessionKeyTest.java +++ b/sop-java/src/test/java/sop/util/SessionKeyTest.java @@ -12,6 +12,13 @@ import sop.SessionKey; public class SessionKeyTest { + @Test + public void fromStringTest() { + String string = "9:FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"; + SessionKey sessionKey = SessionKey.fromString(string); + assertEquals(string, sessionKey.toString()); + } + @Test public void toStringTest() { SessionKey sessionKey = new SessionKey((byte) 9, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD")); From cd9e7611ac552dc732bdc054351458e634947849 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 15 Oct 2021 15:32:21 +0200 Subject: [PATCH 0180/1450] Remove workaround for invalid signature processing --- .../pgpainless/signature/SignatureUtils.java | 35 +++---------------- 1 file changed, 4 insertions(+), 31 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index 2d97d460..3209fc8a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -19,7 +19,6 @@ import org.bouncycastle.bcpg.sig.RevocationReason; import org.bouncycastle.bcpg.sig.SignatureExpirationTime; import org.bouncycastle.openpgp.PGPCompressedData; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPMarker; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -226,56 +225,30 @@ public final class SignatureUtils { PGPObjectFactory objectFactory = new PGPObjectFactory( pgpIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); - Object nextObject = tryNext(objectFactory); - while (nextObject != null) { - if (nextObject instanceof PGPMarker) { - nextObject = tryNext(objectFactory); - continue; - } + Object nextObject; + while ((nextObject = objectFactory.nextObject()) != null) { if (nextObject instanceof PGPCompressedData) { PGPCompressedData compressedData = (PGPCompressedData) nextObject; objectFactory = new PGPObjectFactory(compressedData.getDataStream(), ImplementationFactory.getInstance().getKeyFingerprintCalculator()); - nextObject = tryNext(objectFactory); - continue; } + if (nextObject instanceof PGPSignatureList) { PGPSignatureList signatureList = (PGPSignatureList) nextObject; for (PGPSignature s : signatureList) { signatures.add(s); } } + if (nextObject instanceof PGPSignature) { signatures.add((PGPSignature) nextObject); } - nextObject = tryNext(objectFactory); } pgpIn.close(); return signatures; } - /** - * Try reading the next signature from the factory. - * - * This is a helper method for BC choking on unexpected data like invalid signature versions. - * Unfortunately, this solves only half the issue, see bcgit/bc-java#1006 for a proper fix. - * - * @see BC-Java: Ignore PGPSignature with invalid version - * - * @param factory pgp object factory - * @return next non-throwing object or null - * @throws IOException in case of a stream error - */ - private static Object tryNext(PGPObjectFactory factory) throws IOException { - try { - Object o = factory.nextObject(); - return o; - } catch (RuntimeException e) { - return tryNext(factory); - } - } - /** * Determine the issuer key-id of a {@link PGPSignature}. * This method first inspects the {@link IssuerKeyID} subpacket of the signature and returns the key-id if present. From ddc071374ce25df99014c34f23be550ef01e675a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 15 Oct 2021 15:32:35 +0200 Subject: [PATCH 0181/1450] Add invalid signature version processing regression test --- .../IgnoreUnknownSignatureVersionsTest.java | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java new file mode 100644 index 00000000..2b60ea02 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java @@ -0,0 +1,188 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPPublicKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; + +/** + * Regression test for BC handling signatures of unknown version. + * This test makes sure that BC properly ignores unknown signature version. + */ +public class IgnoreUnknownSignatureVersionsTest { + + private static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + + "Comment: Bob's OpenPGP certificate\n" + + "\n" + + "mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" + + "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" + + "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" + + "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" + + "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" + + "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" + + "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" + + "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" + + "vLIwa3T4CyshfT0AEQEAAbQhQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" + + "bGU+iQHOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" + + "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" + + "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" + + "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" + + "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" + + "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" + + "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" + + "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" + + "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" + + "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGuQGNBF2lnPIBDADW\n" + + "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" + + "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" + + "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" + + "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" + + "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" + + "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" + + "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" + + "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" + + "EQEAAYkBtgQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" + + "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" + + "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" + + "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" + + "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" + + "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" + + "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" + + "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" + + "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" + + "NEJd3XZRzaXZE2aAMQ==\n" + + "=NXei\n" + + "-----END PGP PUBLIC KEY BLOCK-----\n"; + private static final String message = "Hello World :)"; + + private static PGPPublicKeyRing cert; + static { + try { + cert = PGPainless.readKeyRing().publicKeyRing(CERT); + } catch (IOException e) { + + } + } + + @Test + public void baseCase() throws IOException, PGPException { + String BASE_CASE = "-----BEGIN PGP SIGNATURE-----\n" + + "\n" + + "wsE7BAABCgBvBYJhaVoTCRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + + "cy5zZXF1b2lhLXBncC5vcmcQWMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxI\n" + + "yxYhBNGmbhojsYLJmA94jPv8yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC\n" + + "0afvqv/tfcLVX6tZEmXkh6DfCtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs\n" + + "+h+eZoQ3VwZ8jmfisQs7FUhbPOURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2Ls\n" + + "iNob9J0godpjlkGGWGqjWl0AO1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBb\n" + + "JzrbJqWaS1FaqMCuPwcpq0KLsn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blq\n" + + "J20D2sKGUGcJpmLdiupnDdsHWU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwI\n" + + "a8Upx9lG8ol0uuDE4jieie4wuNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKz\n" + + "Wdg/ngldiePCjg2RQztgb6Hsut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIq\n" + + "xKukH+bioF/+baqBu1AlXmNVou1uiXJaDzZ6wQfBwsE7BAABCgBvBYJhaVoTCRD7\n" + + "/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcQ\n" + + "WMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxIyxYhBNGmbhojsYLJmA94jPv8\n" + + "yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC0afvqv/tfcLVX6tZEmXkh6Df\n" + + "CtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs+h+eZoQ3VwZ8jmfisQs7FUhb\n" + + "POURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2LsiNob9J0godpjlkGGWGqjWl0A\n" + + "O1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBbJzrbJqWaS1FaqMCuPwcpq0KL\n" + + "sn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blqJ20D2sKGUGcJpmLdiupnDdsH\n" + + "WU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwIa8Upx9lG8ol0uuDE4jieie4w\n" + + "uNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKzWdg/ngldiePCjg2RQztgb6Hs\n" + + "ut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIqxKukH+bioF/+baqBu1AlXmNV\n" + + "ou1uiXJaDzZ6wQfB\n" + + "=uHRc\n" + + "-----END PGP SIGNATURE-----\n"; + OpenPgpMetadata metadata = verifySignature(cert, BASE_CASE); + + assertTrue(metadata.isVerified()); + } + + @Test + public void detached_SIG4_SIG23() throws PGPException, IOException { + String SIG4SIG23 = "-----BEGIN PGP SIGNATURE-----\n" + + "\n" + + "wsE7BAABCgBvBYJhaVoTCRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + + "cy5zZXF1b2lhLXBncC5vcmcQWMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxI\n" + + "yxYhBNGmbhojsYLJmA94jPv8yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC\n" + + "0afvqv/tfcLVX6tZEmXkh6DfCtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs\n" + + "+h+eZoQ3VwZ8jmfisQs7FUhbPOURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2Ls\n" + + "iNob9J0godpjlkGGWGqjWl0AO1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBb\n" + + "JzrbJqWaS1FaqMCuPwcpq0KLsn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blq\n" + + "J20D2sKGUGcJpmLdiupnDdsHWU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwI\n" + + "a8Upx9lG8ol0uuDE4jieie4wuNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKz\n" + + "Wdg/ngldiePCjg2RQztgb6Hsut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIq\n" + + "xKukH+bioF/+baqBu1AlXmNVou1uiXJaDzZ6wQfBwsE7FwABCgBvBYJhaVoTCRD7\n" + + "/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcQ\n" + + "WMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxIyxYhBNGmbhojsYLJmA94jPv8\n" + + "yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC0afvqv/tfcLVX6tZEmXkh6Df\n" + + "CtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs+h+eZoQ3VwZ8jmfisQs7FUhb\n" + + "POURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2LsiNob9J0godpjlkGGWGqjWl0A\n" + + "O1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBbJzrbJqWaS1FaqMCuPwcpq0KL\n" + + "sn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blqJ20D2sKGUGcJpmLdiupnDdsH\n" + + "WU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwIa8Upx9lG8ol0uuDE4jieie4w\n" + + "uNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKzWdg/ngldiePCjg2RQztgb6Hs\n" + + "ut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIqxKukH+bioF/+baqBu1AlXmNV\n" + + "ou1uiXJaDzZ6wQfB\n" + + "=/JL1\n" + + "-----END PGP SIGNATURE-----\n"; + OpenPgpMetadata metadata = verifySignature(cert, SIG4SIG23); + + assertTrue(metadata.isVerified()); + } + + @Test + public void detached_SIG23_SIG4() throws PGPException, IOException { + String SIG23SIG4 = "-----BEGIN PGP SIGNATURE-----\n" + + "\n" + + "wsE7FwABCgBvBYJhaVoTCRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u\n" + + "cy5zZXF1b2lhLXBncC5vcmcQWMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxI\n" + + "yxYhBNGmbhojsYLJmA94jPv8yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC\n" + + "0afvqv/tfcLVX6tZEmXkh6DfCtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs\n" + + "+h+eZoQ3VwZ8jmfisQs7FUhbPOURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2Ls\n" + + "iNob9J0godpjlkGGWGqjWl0AO1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBb\n" + + "JzrbJqWaS1FaqMCuPwcpq0KLsn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blq\n" + + "J20D2sKGUGcJpmLdiupnDdsHWU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwI\n" + + "a8Upx9lG8ol0uuDE4jieie4wuNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKz\n" + + "Wdg/ngldiePCjg2RQztgb6Hsut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIq\n" + + "xKukH+bioF/+baqBu1AlXmNVou1uiXJaDzZ6wQfBwsE7BAABCgBvBYJhaVoTCRD7\n" + + "/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcQ\n" + + "WMonyHF4Gcry0TOPKj/RQyhVoSI+1C31rXHHBcxIyxYhBNGmbhojsYLJmA94jPv8\n" + + "yCoBXnMwAAB7RwwAo+/P0/foJZp0/4yZWbBu/uNC0afvqv/tfcLVX6tZEmXkh6Df\n" + + "CtDwqX0vWrwAJuqtLUC8RvUDj7X4vi90/LhU2GUs+h+eZoQ3VwZ8jmfisQs7FUhb\n" + + "POURZhRoS4UT8w7Le3pLodj5vAcaB6VvZP7SZ2LsiNob9J0godpjlkGGWGqjWl0A\n" + + "O1kVvaNJTXpNhwpCRZyad8wUgri5QtrHWzRo4FBbJzrbJqWaS1FaqMCuPwcpq0KL\n" + + "sn4v6i4sD6Vy3HOaF29+avWNawnMLB/92csl4blqJ20D2sKGUGcJpmLdiupnDdsH\n" + + "WU1jSpUvoUv+viE1RDqBFDQaNkUxdv5DhDOSRcwIa8Upx9lG8ol0uuDE4jieie4w\n" + + "uNq41jVRWJ55aJ46zO9QPifq59SMcRj8uN8byRKzWdg/ngldiePCjg2RQztgb6Hs\n" + + "ut7xeYYhuAYQ8m1+vLCnS8tRnCqhAqxdW51uSfIqxKukH+bioF/+baqBu1AlXmNV\n" + + "ou1uiXJaDzZ6wQfB\n" + + "=Yc8d\n" + + "-----END PGP SIGNATURE-----\n"; + OpenPgpMetadata metadata = verifySignature(cert, SIG23SIG4); + + assertTrue(metadata.isVerified()); + } + + private OpenPgpMetadata verifySignature(PGPPublicKeyRing cert, String BASE_CASE) throws PGPException, IOException { + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8))) + .withOptions(new ConsumerOptions() + .addVerificationCert(cert) + .addVerificationOfDetachedSignatures(new ByteArrayInputStream(BASE_CASE.getBytes(StandardCharsets.UTF_8)))); + + Streams.drain(decryptionStream); + decryptionStream.close(); + + return decryptionStream.getResult(); + } +} From ec61f4de9f03ed2d6adb6b756707436d93d53db4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 12:44:09 +0100 Subject: [PATCH 0182/1450] Bump BC to 1.70 --- version.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.gradle b/version.gradle index 574fdfd1..171e7946 100644 --- a/version.gradle +++ b/version.gradle @@ -8,6 +8,6 @@ allprojects { isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 - bouncyCastleVersion = '1.69' + bouncyCastleVersion = '1.70' } } From f5c3e7b23f1427b02352f622b5f7deaa4f99c5b3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 13:09:35 +0100 Subject: [PATCH 0183/1450] Remove Blowfish from default symmetric decryption/encryption algorithm policies --- .../src/main/java/org/pgpainless/policy/Policy.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java index 506f245c..f89b811c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java @@ -224,11 +224,10 @@ public final class Policy { */ public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyEncryptionAlgorithmPolicy() { return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList( - // Reject: Unencrypted, IDEA, TripleDES, CAST5 + // Reject: Unencrypted, IDEA, TripleDES, CAST5, Blowfish SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, - SymmetricKeyAlgorithm.BLOWFISH, SymmetricKeyAlgorithm.TWOFISH, SymmetricKeyAlgorithm.CAMELLIA_256, SymmetricKeyAlgorithm.CAMELLIA_192, @@ -243,12 +242,11 @@ public final class Policy { */ public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyDecryptionAlgorithmPolicy() { return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList( - // Reject: Unencrypted, IDEA, TripleDES + // Reject: Unencrypted, IDEA, TripleDES, Blowfish SymmetricKeyAlgorithm.CAST5, SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, - SymmetricKeyAlgorithm.BLOWFISH, SymmetricKeyAlgorithm.TWOFISH, SymmetricKeyAlgorithm.CAMELLIA_256, SymmetricKeyAlgorithm.CAMELLIA_192, From 8b1bdb98f18823f02c395d152eac17748d1e5846 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 14:18:21 +0100 Subject: [PATCH 0184/1450] Adding subkeys, generating keys: Verify subkeys comply to public key algorithm policy --- .../key/generation/KeyRingBuilder.java | 14 ++++++++++++ .../pgpainless/key/generation/KeySpec.java | 2 +- .../key/generation/type/KeyType.java | 6 +++++ .../generation/type/ecc/EllipticCurve.java | 22 ++++++++++++------- .../key/generation/type/ecc/ecdh/ECDH.java | 5 +++++ .../key/generation/type/ecc/ecdsa/ECDSA.java | 5 +++++ .../key/generation/type/eddsa/EdDSA.java | 5 +++++ .../key/generation/type/eddsa/EdDSACurve.java | 10 +++++++-- .../key/generation/type/elgamal/ElGamal.java | 5 +++++ .../key/generation/type/rsa/RSA.java | 5 +++++ .../key/generation/type/xdh/XDH.java | 5 +++++ .../key/generation/type/xdh/XDHSpec.java | 10 +++++++-- .../secretkeyring/SecretKeyRingEditor.java | 12 ++++++++-- .../SecretKeyRingEditorInterface.java | 2 +- 14 files changed, 92 insertions(+), 16 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index b45baeb3..3e1cadca 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -39,11 +39,13 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.policy.Policy; import org.pgpainless.provider.ProviderFactory; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpackets; @@ -62,6 +64,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { @Override public KeyRingBuilder setPrimaryKey(@Nonnull KeySpec keySpec) { + verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy()); verifyMasterKeyCanCertify(keySpec); this.primaryKeySpec = keySpec; return this; @@ -69,6 +72,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { @Override public KeyRingBuilder addSubkey(@Nonnull KeySpec keySpec) { + verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy()); this.subkeySpecs.add(keySpec); return this; } @@ -107,6 +111,16 @@ public class KeyRingBuilder implements KeyRingBuilderInterface { return this; } + private void verifyKeySpecCompliesToPolicy(KeySpec keySpec, Policy policy) { + PublicKeyAlgorithm publicKeyAlgorithm = keySpec.getKeyType().getAlgorithm(); + int bitStrength = keySpec.getKeyType().getBitStrength(); + + if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) { + throw new IllegalArgumentException("Public key algorithm policy violation: " + + publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable."); + } + } + private void verifyMasterKeyCanCertify(KeySpec spec) { if (!hasCertifyOthersFlag(spec)) { throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER"); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java index 6bffde16..bd5a5063 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java @@ -27,7 +27,7 @@ public class KeySpec { } @Nonnull - KeyType getKeyType() { + public KeyType getKeyType() { return keyType; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java index 584ec1e7..b62fa190 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java @@ -33,6 +33,12 @@ public interface KeyType { */ PublicKeyAlgorithm getAlgorithm(); + /** + * Return the strength of the key in bits. + * @return + */ + int getBitStrength(); + /** * Return an implementation of {@link AlgorithmParameterSpec} that can be used to generate the key. * diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java index 851d2d32..2372896e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/EllipticCurve.java @@ -15,22 +15,28 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; * {@link XDHSpec} and {@link org.pgpainless.key.generation.type.eddsa.EdDSACurve}. */ public enum EllipticCurve { - _P256("prime256v1"), // prime256v1 is equivalent to P-256, see https://tools.ietf.org/search/rfc4492#page-32 - _P384("secp384r1"), // secp384r1 is equivalent to P-384, see https://tools.ietf.org/search/rfc4492#page-32 - _P521("secp521r1"), // secp521r1 is equivalent to P-521, see https://tools.ietf.org/search/rfc4492#page-32 - _SECP256K1("secp256k1"), - _BRAINPOOLP256R1("brainpoolP256r1"), - _BRAINPOOLP384R1("brainpoolP384r1"), - _BRAINPOOLP512R1("brainpoolP512r1") + _P256("prime256v1", 256), // prime256v1 is equivalent to P-256, see https://tools.ietf.org/search/rfc4492#page-32 + _P384("secp384r1", 384), // secp384r1 is equivalent to P-384, see https://tools.ietf.org/search/rfc4492#page-32 + _P521("secp521r1", 521), // secp521r1 is equivalent to P-521, see https://tools.ietf.org/search/rfc4492#page-32 + _SECP256K1("secp256k1", 256), + _BRAINPOOLP256R1("brainpoolP256r1", 256), + _BRAINPOOLP384R1("brainpoolP384r1", 384), + _BRAINPOOLP512R1("brainpoolP512r1", 512) ; private final String name; + private final int bitStrength; - EllipticCurve(@Nonnull String name) { + EllipticCurve(@Nonnull String name, int bitStrength) { this.name = name; + this.bitStrength = bitStrength; } public String getName() { return name; } + + public int getBitStrength() { + return bitStrength; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java index 53f0d1b7..bb7e3f3c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdh/ECDH.java @@ -34,6 +34,11 @@ public final class ECDH implements KeyType { return PublicKeyAlgorithm.ECDH; } + @Override + public int getBitStrength() { + return curve.getBitStrength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new ECNamedCurveGenParameterSpec(curve.getName()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java index 93c6398b..87301655 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/ecc/ecdsa/ECDSA.java @@ -35,6 +35,11 @@ public final class ECDSA implements KeyType { return PublicKeyAlgorithm.ECDSA; } + @Override + public int getBitStrength() { + return curve.getBitStrength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new ECNamedCurveGenParameterSpec(curve.getName()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java index 67532d6c..ae46b44f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSA.java @@ -35,6 +35,11 @@ public final class EdDSA implements KeyType { return PublicKeyAlgorithm.EDDSA; } + @Override + public int getBitStrength() { + return curve.getBitStrength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new ECNamedCurveGenParameterSpec(curve.getName()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java index cc1c1831..4d5aed1c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/eddsa/EdDSACurve.java @@ -7,16 +7,22 @@ package org.pgpainless.key.generation.type.eddsa; import javax.annotation.Nonnull; public enum EdDSACurve { - _Ed25519("ed25519"), + _Ed25519("ed25519", 256), ; final String name; + final int bitStrength; - EdDSACurve(@Nonnull String curveName) { + EdDSACurve(@Nonnull String curveName, int bitStrength) { this.name = curveName; + this.bitStrength = bitStrength; } public String getName() { return name; } + + public int getBitStrength() { + return bitStrength; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java index ac7a239b..4deb0559 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/elgamal/ElGamal.java @@ -36,6 +36,11 @@ public final class ElGamal implements KeyType { return PublicKeyAlgorithm.ELGAMAL_ENCRYPT; } + @Override + public int getBitStrength() { + return length.getLength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new ElGamalParameterSpec(length.getP(), length.getG()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java index 231c95a2..3cf717b2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/rsa/RSA.java @@ -36,6 +36,11 @@ public class RSA implements KeyType { return PublicKeyAlgorithm.RSA_GENERAL; } + @Override + public int getBitStrength() { + return length.getLength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new RSAKeyGenParameterSpec(length.getLength(), RSAKeyGenParameterSpec.F4); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java index db8d7d1e..4e589677 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDH.java @@ -32,6 +32,11 @@ public final class XDH implements KeyType { return PublicKeyAlgorithm.ECDH; } + @Override + public int getBitStrength() { + return spec.getBitStrength(); + } + @Override public AlgorithmParameterSpec getAlgorithmSpec() { return new ECNamedCurveGenParameterSpec(spec.getName()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java index e33fecd4..ccbd2038 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/xdh/XDHSpec.java @@ -7,15 +7,17 @@ package org.pgpainless.key.generation.type.xdh; import javax.annotation.Nonnull; public enum XDHSpec { - _X25519("X25519", "curve25519"), + _X25519("X25519", "curve25519", 256), ; final String name; final String curveName; + final int bitStrength; - XDHSpec(@Nonnull String name, @Nonnull String curveName) { + XDHSpec(@Nonnull String name, @Nonnull String curveName, int bitStrength) { this.name = name; this.curveName = curveName; + this.bitStrength = bitStrength; } public String getName() { @@ -25,4 +27,8 @@ public enum XDHSpec { public String getCurveName() { return curveName; } + + public int getBitStrength() { + return bitStrength; + } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 0f2b0eee..db657a31 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -70,6 +70,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; +import org.pgpainless.util.BCUtil; import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.Passphrase; import org.pgpainless.util.selection.userid.SelectUserId; @@ -169,7 +170,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Nonnull Passphrase subKeyPassphrase, @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec); SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector @@ -216,11 +216,19 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Nonnull SecretKeyRingProtector primaryKeyProtector, @Nonnull KeyFlag keyFlag, KeyFlag... additionalKeyFlags) - throws PGPException, IOException { + throws PGPException, IOException, NoSuchAlgorithmException { KeyFlag[] flags = concat(keyFlag, additionalKeyFlags); PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm()); SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm); + // check key against public key algorithm policy + PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm()); + int bitStrength = BCUtil.getBitStrength(subkey.getPublicKey()); + if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) { + throw new IllegalArgumentException("Public key algorithm policy violation: " + + publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable."); + } + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.fromId(primaryKey.getPublicKey().getAlgorithm()); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 87c53acd..66fa58b5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -119,7 +119,7 @@ public interface SecretKeyRingEditorInterface { @Nonnull SecretKeyRingProtector primaryKeyProtector, @Nonnull KeyFlag keyFlag, KeyFlag... additionalKeyFlags) - throws PGPException, IOException; + throws PGPException, IOException, NoSuchAlgorithmException; /** * Revoke the key ring. From 14c1cf013ecc9b44c241fa4d733bc88c21174fcd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 14:29:01 +0100 Subject: [PATCH 0185/1450] Add test to verify correct behavior of public key algorithm policy enforcement during key generation --- .../GeneratingWeakKeyThrowsTest.java | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java new file mode 100644 index 00000000..aa79add5 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java @@ -0,0 +1,72 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.generation; + +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.HashMap; +import java.util.Map; + +import org.bouncycastle.openpgp.PGPException; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.policy.Policy; + +public class GeneratingWeakKeyThrowsTest { + + @Test + public void refuseToGenerateWeakPrimaryKeyTest() { + // ensure we have default public key algorithm policy set + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( + Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); + + assertThrows(IllegalArgumentException.class, () -> + PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))); + } + + @Test + public void refuseToAddWeakSubkeyDuringGenerationTest() { + // ensure we have default public key algorithm policy set + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( + Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); + + KeyRingBuilder kb = PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)); + + assertThrows(IllegalArgumentException.class, () -> + kb.addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), + KeyFlag.ENCRYPT_COMMS))); + } + + @Test + public void allowToAddWeakKeysWithWeakPolicy() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + // set a weak algorithm policy + Map bitStrengths = new HashMap<>(); + bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512); + + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( + new Policy.PublicKeyAlgorithmPolicy(bitStrengths)); + + PGPainless.buildKeyRing() + .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), + KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) + .addSubkey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), + KeyFlag.ENCRYPT_COMMS)) + .addUserId("Henry") + .build(); + + // reset public key algorithm policy + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); + } +} From e7d0cf9c0081ef762d618a691e8c2e5262236560 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 14:44:03 +0100 Subject: [PATCH 0186/1450] Fix BaseSecretKeyRingProtector misinterpreting empty passphrases --- .../pgpainless/key/protection/BaseSecretKeyRingProtector.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java index 6df10082..5b545c12 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java @@ -36,7 +36,7 @@ public class BaseSecretKeyRingProtector implements SecretKeyRingProtector { @Nullable public PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException { Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); - return passphrase == null ? null : + return passphrase == null || passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); } @@ -44,7 +44,7 @@ public class BaseSecretKeyRingProtector implements SecretKeyRingProtector { @Nullable public PBESecretKeyEncryptor getEncryptor(Long keyId) throws PGPException { Passphrase passphrase = passphraseProvider.getPassphraseFor(keyId); - return passphrase == null ? null : + return passphrase == null || passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyEncryptor( protectionSettings.getEncryptionAlgorithm(), protectionSettings.getHashAlgorithm(), From 8d6aca0d0494d647363c374a52989b1f9703a499 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 14:45:54 +0100 Subject: [PATCH 0187/1450] Test modifyKeyRing().addSubkey() respects pk algorithm policy --- .../RefuseToAddWeakSubkeyTest.java | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java new file mode 100644 index 00000000..8d459c33 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -0,0 +1,87 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.EnumMap; +import java.util.Map; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.algorithm.EncryptionPurpose; +import org.pgpainless.algorithm.KeyFlag; +import org.pgpainless.algorithm.PublicKeyAlgorithm; +import org.pgpainless.key.generation.KeySpec; +import org.pgpainless.key.generation.type.KeyType; +import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.policy.Policy; +import org.pgpainless.util.Passphrase; + +public class RefuseToAddWeakSubkeyTest { + + @Test + public void testEditorRefusesToAddWeakSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + // ensure default policy is set + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); + + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); + KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build(); + + assertThrows(IllegalArgumentException.class, () -> + editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())); + } + + @Test + public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice", null); + + // set weak policy + Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class); + // §5.4.1 + minimalBitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 1024); + minimalBitStrengths.put(PublicKeyAlgorithm.RSA_SIGN, 1024); + minimalBitStrengths.put(PublicKeyAlgorithm.RSA_ENCRYPT, 1024); + // Note: ElGamal is not mentioned in the BSI document. + // We assume that the requirements are similar to other DH algorithms + minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_ENCRYPT, 2000); + minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_GENERAL, 2000); + // §5.4.2 + minimalBitStrengths.put(PublicKeyAlgorithm.DSA, 2000); + // §5.4.3 + minimalBitStrengths.put(PublicKeyAlgorithm.ECDSA, 250); + // Note: EdDSA is not mentioned in the BSI document. + // We assume that the requirements are similar to other EC algorithms. + minimalBitStrengths.put(PublicKeyAlgorithm.EDDSA, 250); + // §7.2.1 + minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000); + // §7.2.2 + minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250); + minimalBitStrengths.put(PublicKeyAlgorithm.EC, 250); + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)); + + SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); + KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build(); + + secretKeys = editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()) + .done(); + + assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); + + // reset default policy + PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); + } +} From fae5cd0efec0fa475b79ca4448a0944e15f3998f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 2 Dec 2021 15:10:53 +0100 Subject: [PATCH 0188/1450] SOP: Fix signing using key with missing signing key --- .../misc/SignUsingPublicKeyBehaviorTest.java | 150 ++++++++++++++++++ .../encryption_signing/SigningOptions.java | 14 +- 2 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java new file mode 100644 index 00000000..ae1148bb --- /dev/null +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java @@ -0,0 +1,150 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.cli.misc; + +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.PrintStream; +import java.nio.charset.StandardCharsets; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; + +import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.pgpainless.cli.PGPainlessCLI; +import org.pgpainless.cli.TestUtils; +import sop.exception.SOPGPException; + +public class SignUsingPublicKeyBehaviorTest { + + public static final String KEY_THAT_IS_A_CERT = "" + + "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + + "\n" + + "xcLYBF2lnPIBCACjEFpOZIbVN2la1dFPlhksA6D7D/n+eQ0y+201cWZXFLJ0MAE0\n" + + "L+9lK1hvp1XTfFvdChdMmgziTLhyR/1im0qk38oVMpyF8JKJ118U35+y5rObaB5I\n" + + "sbzka4y5Qj5KXTtHEXSsMH8bkBoUUXcbNvw+FFys8ZcW/21fvzB8ZD4vtef6ogNZ\n" + + "hG/W0+Mi2d/zBhZqiHEHR6bJeIGmFhfT36C0jXssRL5de44xpWSqwqfHBrx6n7sq\n" + + "iDABT2sEzckDNikobhnZ1ZRay+1xxAJDKVglRzb3O/fgvV+vUE90OI2r9iX6kpiC\n" + + "sybpAwrlYCHz/NXJZ6wjFCKccNyrxuunjkC3ABEBAAEAB/sEMKNhaEveprHaV6wt\n" + + "M1oqO12jleGCnHGuYa+ItAVBL5L2UVV2ldS88MQw+kfGS2fA4kV+/mZeWkJTDW6B\n" + + "XiQo4Gc87DQBbREW4aXbz3M3EZ6D28ULcSW9aNYQ3JblKkgfp18sHYLmnmlNJFq/\n" + + "JEaPAc7v0rVjLeUNlMgWKi0+5I8xbFQS4fyoRPGC/CjN9i+6SMZhFlyD+XV0lqHd\n" + + "1A+y9pVTeVsPnm24wx9UPF4ucbrHW0vvj8khDmATcnGtJEqQ0D3pxnuCI6a0jc0D\n" + + "C1ADFLP2+6EX8DpTxl2btDiBShRVbVInhDz0yIwIAe98vgo5joBeLDVXE5puevIu\n" + + "Y3iBBADBedq17N0p15P+c6Wfr8fK2h+BKmZexbrFVxnjs9f4N19gKKPb1GfTo724\n" + + "4bcvfnKde1JdXQ4gQGMN6U4u5O60IlizKXltsfQxvhhQ8wUBCBro8fbr6GGLeOz9\n" + + "WqkdXgRLoXdDvRHSADWCmErnaTdz0HarLE1TY8HOa3CcWJb88QQA18KGAsBBL8Nq\n" + + "MBjBW0276Pv2hI7vBfzAjv/sBTu1VfBeGXw6V774KVjfwI63MBpg21XxC+LNQ0/l\n" + + "gLT1ZeL/I/tRy1Kn9yKV7r/BWGfOvrsqBH27AHuAk8GIM/1PjxY3iPDfzabc2ew5\n" + + "CbyrgBBQygPGwQN1Zr21g+a9lQjJOCcD/jLeuw8qPgxT7NRdm0PK+TyJXMth2/xZ\n" + + "leG76Ea/QI91pvEiAaxPJZS4uDYlSe2YMklgLdCA/NyWA1xockFmJ7lXRuAOoUBv\n" + + "pvbBG4YKqAoYDTVmimZixod5Qutgc0VruXkFUZdJ1FoBOGWY+t+OgO2TJAhk8wwx\n" + + "L20hQ5F9aUZXPtrNIUJvYiBCYWJiYWdlIDxib2JAb3BlbnBncC5leGFtcGxlPsLA\n" + + "xwQTAQoAewWCXaWc8gILCQkQRHvvaGE2IENHFAAAAAAAHgAgc2FsdEBub3RhdGlv\n" + + "bnMuc2VxdW9pYS1wZ3Aub3JnRDad7R7dr9jE9iOyMFJUMGV0MsemxDU9caUUh7vc\n" + + "j/UCFQgCmwECHgEWIQQ1+/wUJNwezbxPcdxEe+9oYTYgQwAAaX8IAKCen/rWA3mW\n" + + "peTK72K5HuKQp9ES8QWu2ZhMs8DN0nLZ8iULMOoNK5kh62lzeNJExzDqpgVTx2MO\n" + + "iQd/zAAgY6/3Eis2YonK2JRc14dZiu4ddzPGoIRokRIZGHZNmuz081kGqZoJIj9g\n" + + "ewyeEypIf0JUYwO1sAcMlwj+OAbvGPUxSo7vyVYCIdlZiC2xg8hGL+5C6XPNZ4YX\n" + + "Sdm9Z6MMzBk4K2SxjqnAFEBB9xvbrOCxj0GKyCgSkoltAkQenhhJ/LAFJ4lzy21G\n" + + "9FnfpkVqH6De3kSIf/oXWN8QI8peWYoiFMAiLFvhkdcQuoiRB1qGY5qVq9YOOJ8+\n" + + "Ki7F1REeH7TOwM0EXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90\n" + + "YNBj+xS1ldGDbUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pz\n" + + "h0LzrBrVNHar29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4\n" + + "PIp1DU9ewcc2WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+\n" + + "D9LiTWcxdUPBleu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYO\n" + + "iEFBJ9lbb4teg9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t\n" + + "0c91kbNE5lgjZ7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLs\n" + + "T7Vr1QMX9jznJtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH97\n" + + "0TGYOe2aUcSxIRDMXDOPyzEfjwARAQABwsK8BBgBCgJwBYJdpZzyCRBEe+9oYTYg\n" + + "Q0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdUIRfuKIW7\n" + + "qT28vY2xnlsGmF6fJWTfx4wDijIW6xACLQKbAsE8oAQZAQoAbwWCXaWc8gkQfC+q\n" + + "Tfk8N7JHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnRn08\n" + + "63PC8uNyHKkFl9lppIVyVxwWD/x8mh5xV1aLB0AWIQQd3OFfCSF87i87N2B8L6pN\n" + + "+Tw3sgAAlHAL+gIJEIVStzC2zRoQ20PS705y4q+uGJPLEXtk6FZxP87eZdzZp/1U\n" + + "oBRrnQ5YzoIjvHs02DaDwp+AtzAb+pDi6i96Y7sW8X74rSvOlEBwjGgVRw9TsAlw\n" + + "0Th85ujoOtn8GINAykoFOTqtb3az299LLdZr0x3nf51Fka4/3qL6MeCAqh/Uc0x4\n" + + "dZRGXsKuCgkAQArCsFP79m1tJkqSHkOF8oQ4lpRh9REJzri+Iada8mwnnCuTtMRv\n" + + "QpNCCxfUFke4LSOSon6hj2k11FrF8zE1RO5MA0CN1pBQQ1GeeMT98VFEwG07oCiw\n" + + "bKjCkW1qez+EplzPIrpeJxyPMt/oKFc2BslNVECB5qqhsUpj7qkqQTv+i7kqH7ra\n" + + "occY9+C7KdcsXjfGgSf7mNv/CS30c65PAO0a/IqrLeD8XCV1G4AQwW/pDLHj334s\n" + + "/lQXVY3JqMjW7cHG5xuYXGpMYllMv+gsWFxMJNg2Cc3Ze/234bXCRWpgpOjitbx9\n" + + "+/IO2VuNfsqJcBYhBDX7/BQk3B7NvE9x3ER772hhNiBDAADfCAgAkf8qY9naXmqh\n" + + "//V0mhydfNIZBnHlh876s91QbLz7+hcFnb0epIBnemF5zgW0HULnbWYQfcn/tuVx\n" + + "/D5fdHQR8m6Sidc82x4A0/p7sFxcCfola8e1wL5aEbBK342EDqFSpZv8nsOrLzyR\n" + + "jb42+TVZGiTGFuOqnPKKWbeo30fC70SiBpoVceF0xXHRZdvz1dB+gJyk0NF1HpIt\n" + + "MhRxHMDgFNyj5A5SIY5A42Y7tyJ6hHh1QEk5+69Q5u9GblI6ZblSp48uEhz762fg\n" + + "gig5pXpGHwgJHf1+bbc6ZOvZ4XqdIGzr30wE8oP6zdIj+Xvra3ZPNVlOQCbxB/wr\n" + + "ltx3QXLHQw==\n" + + "=oJQ2\n" + + "-----END PGP PUBLIC KEY BLOCK-----"; + + + private static File tempDir; + private static PrintStream originalSout; + + private final String data = "If privacy is outlawed, only outlaws will have privacy.\n"; + + @BeforeAll + public static void prepare() throws IOException { + tempDir = TestUtils.createTempDirectory(); + } + + @Test + @ExpectSystemExitWithStatus(SOPGPException.BadData.EXIT_CODE) + public void testSignatureCreationAndVerification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + originalSout = System.out; + InputStream originalIn = System.in; + + // Write alice key to disc + File aliceKeyFile = new File(tempDir, "alice.key"); + assertTrue(aliceKeyFile.createNewFile()); + OutputStream aliceKeyOut = new FileOutputStream(aliceKeyFile); + Streams.pipeAll(new ByteArrayInputStream(KEY_THAT_IS_A_CERT.getBytes(StandardCharsets.UTF_8)), aliceKeyOut); + aliceKeyOut.close(); + + // Write alice pub key to disc + File aliceCertFile = new File(tempDir, "alice.pub"); + assertTrue(aliceCertFile.createNewFile()); + OutputStream aliceCertOut = new FileOutputStream(aliceCertFile); + Streams.pipeAll(new ByteArrayInputStream(KEY_THAT_IS_A_CERT.getBytes(StandardCharsets.UTF_8)), aliceCertOut); + aliceCertOut.close(); + + // Write test data to disc + File dataFile = new File(tempDir, "data"); + assertTrue(dataFile.createNewFile()); + FileOutputStream dataOut = new FileOutputStream(dataFile); + Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), dataOut); + dataOut.close(); + + // Sign test data + FileInputStream dataIn = new FileInputStream(dataFile); + System.setIn(dataIn); + File sigFile = new File(tempDir, "sig.asc"); + assertTrue(sigFile.createNewFile()); + FileOutputStream sigOut = new FileOutputStream(sigFile); + System.setOut(new PrintStream(sigOut)); + PGPainlessCLI.execute("sign", "--armor", aliceKeyFile.getAbsolutePath()); + } + + @AfterAll + public static void after() { + System.setOut(originalSout); + // CHECKSTYLE:OFF + System.out.println(tempDir.getAbsolutePath()); + // CHECKSTYLE:ON + } +} diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index 6f342429..de01fa53 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -23,6 +23,7 @@ import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.exception.KeyCannotSignException; import org.pgpainless.exception.KeyValidationError; @@ -297,7 +298,11 @@ public final class SigningOptions { for (PGPPublicKey signingPubKey : signingPubKeys) { PGPSecretKey signingSecKey = secretKey.getSecretKey(signingPubKey.getKeyID()); - PGPPrivateKey signingSubkey = signingSecKey.extractPrivateKey(secretKeyDecryptor.getDecryptor(signingPubKey.getKeyID())); + if (signingSecKey == null) { + throw new PGPException("Missing secret key for signing key " + Long.toHexString(signingPubKey.getKeyID())); + } + PGPPrivateKey signingSubkey = signingSecKey.extractPrivateKey( + secretKeyDecryptor.getDecryptor(signingPubKey.getKeyID())); Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId) : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID()); HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy()); @@ -316,6 +321,13 @@ public final class SigningOptions { throws PGPException { SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID()); PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID()); + PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(signingSecretKey.getPublicKey().getAlgorithm()); + int bitStrength = secretKey.getPublicKey().getBitStrength(); + if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) { + throw new IllegalArgumentException("Public key algorithm policy violation: " + + publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable."); + } + PGPSignatureGenerator generator = createSignatureGenerator(signingSubkey, hashAlgorithm, signatureType); // Subpackets From 5485d490e275b057c2a615d600ffb6ba8666a2a6 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 3 Dec 2021 13:07:38 +0100 Subject: [PATCH 0189/1450] Add threat model sketch to pgpainless-core/README --- pgpainless-core/README.md | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md index 90bc0b83..66c3765a 100644 --- a/pgpainless-core/README.md +++ b/pgpainless-core/README.md @@ -6,4 +6,40 @@ SPDX-License-Identifier: Apache-2.0 # PGPainless-Core -Wrapper around Bouncycastle's OpenPGP implementation. \ No newline at end of file +Wrapper around Bouncycastle's OpenPGP implementation. + +## Protection Against Attacks + +PGPainless aims to fulfil the primary goals of cryptography: +* Confidentiality through message encryption +* Authenticity through signatures +* Integrity through the use of Modification Detection Code and again signatures + +In short: Communication protected using PGPainless is intended to be private, +users can verify that messages they receive were really send by their communication peer +and users can verify that messages have not been tampered with. + +This is being achieved by preventing a number of typical attacks on the users communication, +like the attacker introducing an evil subkey to the victims public key, or the attacker creating +counterfeit signatures to fool the victim. + +Due to its nature as a library however, it does not make sense to set up defences against all possible +attack types (see below). +So here is a threat model that best applies to PGPainless. + +### Threat Model +A threat model that makes the most sense for PGPainless would be an evil attacker using PGPainless +through a benign client application (like an email app) on a trustworthy device. + +The attacker can try to feed the application malicious input (like manipulated public key updates, +specially crafted PGP message objects etc.) but they cannot access the victims decrypted secret key material as +it is protected by the device (eg. stored in a secure key store). + +### What doesn't PGPainless Protect Against? + +#### Brute Force Attacks +It was decided that protection against brute force attacks on passwords used in symmetric encryption +(password encrypted messages/keys) are out of scope for PGPainless. +PGPainless cannot limit access to the ciphertext that is being brute forced, as that is provided by +the application that uses PGPainless. +Therefore, protection against brute force attacks must be employed by the application itself. From 601efd94f2c50fa2572d95899489d4409f5092d3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 3 Dec 2021 14:20:36 +0100 Subject: [PATCH 0190/1450] Fix typo --- pgpainless-core/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md index 66c3765a..68b27096 100644 --- a/pgpainless-core/README.md +++ b/pgpainless-core/README.md @@ -10,7 +10,7 @@ Wrapper around Bouncycastle's OpenPGP implementation. ## Protection Against Attacks -PGPainless aims to fulfil the primary goals of cryptography: +PGPainless aims to fulfill the primary goals of cryptography: * Confidentiality through message encryption * Authenticity through signatures * Integrity through the use of Modification Detection Code and again signatures From d54a40196b94b3523222057baaf5f1d1c2ed66cb Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 15:01:37 +0100 Subject: [PATCH 0191/1450] Fix NPE when attempting to decrypt GNU_DUMMY_S2K keys --- .../key/protection/UnlockSecretKey.java | 47 +++++++++++-------- .../builder/AbstractSignatureBuilder.java | 10 ++-- .../CertificationSignatureBuilder.java | 7 ++- .../builder/DirectKeySignatureBuilder.java | 5 +- .../PrimaryKeyBindingSignatureBuilder.java | 3 +- .../builder/RevocationSignatureBuilder.java | 3 +- .../builder/SelfSignatureBuilder.java | 7 ++- .../SubkeyBindingSignatureBuilder.java | 3 +- .../builder/UniversalSignatureBuilder.java | 5 +- .../pgpainless/example/UnlockSecretKeys.java | 3 +- 10 files changed, 45 insertions(+), 48 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java index ce7bb5b6..5557fe0b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java @@ -22,34 +22,41 @@ public final class UnlockSecretKey { } public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, SecretKeyRingProtector protector) - throws WrongPassphraseException, KeyIntegrityException { - try { - PBESecretKeyDecryptor decryptor = null; - if (KeyInfo.isEncrypted(secretKey)) { - decryptor = protector.getDecryptor(secretKey.getKeyID()); - } - PGPPrivateKey privateKey = secretKey.extractPrivateKey(decryptor); + throws PGPException, KeyIntegrityException { - if (secretKey.getPublicKey() != null) { - PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey()); - } - return privateKey; - } catch (KeyIntegrityException e) { - throw e; + PBESecretKeyDecryptor decryptor = null; + if (KeyInfo.isEncrypted(secretKey)) { + decryptor = protector.getDecryptor(secretKey.getKeyID()); + } + PGPPrivateKey privateKey = unlockSecretKey(secretKey, decryptor); + return privateKey; + } + + public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, PBESecretKeyDecryptor decryptor) throws PGPException { + PGPPrivateKey privateKey; + try { + privateKey = secretKey.extractPrivateKey(decryptor); } catch (PGPException e) { throw new WrongPassphraseException(secretKey.getKeyID(), e); } - } - public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, PBESecretKeyDecryptor decryptor) throws WrongPassphraseException { - try { - return secretKey.extractPrivateKey(decryptor); - } catch (PGPException e) { - throw new WrongPassphraseException(secretKey.getKeyID(), e); + if (privateKey == null) { + int s2kType = secretKey.getS2K().getType(); + if (s2kType >= 100 && s2kType <= 110) { + throw new PGPException("Cannot decrypt secret key" + Long.toHexString(secretKey.getKeyID()) + ": " + + "Unsupported private S2K usage type " + s2kType); + } + + throw new PGPException("Cannot decrypt secret key."); } + + if (secretKey.getPublicKey() != null) { + PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey()); + } + return privateKey; } - public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) throws WrongPassphraseException, KeyIntegrityException { + public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) throws PGPException, KeyIntegrityException { return unlockSecretKey(secretKey, SecretKeyRingProtector.unlockSingleKeyWith(passphrase, secretKey)); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 7b92ab02..9eaa70b4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -5,6 +5,7 @@ package org.pgpainless.signature.builder; import java.util.Set; +import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; @@ -16,7 +17,6 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -24,8 +24,6 @@ import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; -import javax.annotation.Nonnull; - public abstract class AbstractSignatureBuilder> { protected final PGPPrivateKey privateSigningKey; protected final PGPPublicKey publicSigningKey; @@ -42,7 +40,7 @@ public abstract class AbstractSignatureBuilder { public CertificationSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { this(SignatureType.GENERIC_CERTIFICATION, certificationKey, protector); } public CertificationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } @@ -33,7 +32,7 @@ public class CertificationSignatureBuilder extends AbstractSignatureBuilder { - public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) throws WrongPassphraseException { + public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) throws PGPException { super(certificationKey, protector, archetypeSignature); } - public DirectKeySignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public DirectKeySignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { super(signatureType, signingKey, protector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java index 0f88dec4..93339f86 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java @@ -11,14 +11,13 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder { public PrimaryKeyBindingSignatureBuilder(PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector) - throws WrongPassphraseException { + throws PGPException { super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index 3449a5dd..ebae151d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -12,13 +12,12 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; public class RevocationSignatureBuilder extends AbstractSignatureBuilder { - public RevocationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public RevocationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { super(signatureType, signingKey, protector); getHashedSubpackets().setRevocable(true, false); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java index a7ffd488..e6bf94c3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java @@ -12,18 +12,17 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class SelfSignatureBuilder extends AbstractSignatureBuilder { - public SelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public SelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { this(SignatureType.GENERIC_CERTIFICATION, signingKey, protector); } public SelfSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } @@ -31,7 +30,7 @@ public class SelfSignatureBuilder extends AbstractSignatureBuilder { public SubkeyBindingSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(SignatureType.SUBKEY_BINDING, signingKey, protector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java index 3b63a032..b3ed5bf0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java @@ -11,7 +11,6 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpackets; @@ -22,12 +21,12 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets; public class UniversalSignatureBuilder extends AbstractSignatureBuilder { public UniversalSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } public UniversalSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) - throws WrongPassphraseException { + throws PGPException { super(certificationKey, protector, archetypeSignature); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index a7b056b7..f4716211 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -11,7 +11,6 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.CachingSecretKeyRingProtector; @@ -120,7 +119,7 @@ public class UnlockSecretKeys { } private void assertProtectorUnlocksAllSecretKeys(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { for (PGPSecretKey key : secretKey) { UnlockSecretKey.unlockSecretKey(key, protector); } From a34cd779201050ea8ed592aeedd2a64ff8e94f60 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 15:02:31 +0100 Subject: [PATCH 0192/1450] Add test keys --- .../ModifiedPublicKeysInvestigation.java | 157 ++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java new file mode 100644 index 00000000..f418f577 --- /dev/null +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -0,0 +1,157 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package investigations; + +import java.io.IOException; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKey; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.exception.KeyIntegrityException; +import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.util.Passphrase; + +public class ModifiedPublicKeysInvestigation { + + private static final String DSA = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: OpenPGP.js VERSION\n" + + "Comment: https://openpgpjs.org\n" + + "\n" + + "xcLBBF7gtMkRCAC3vDJOsVLxDrh78Mm8hgwpxIPJp47p2AZH2DPrv0hqigc7\n" + + "zqaF9DGZpovOEag3t192bIxY81Nv7HKsjdhMhPnpXY5xrWhcZm2qYWQ37Hy6\n" + + "GBQCYJpYWIz8y1OohbK72lvoOp8zfLY5L6QtQvenZFWLZEhM27uY0mvEwZhK\n" + + "w8BnZinqviupyL58pDG2nSvJZBC3JSPpRUt9m/91aKdF1bM2EeL8PSExfRaD\n" + + "YrDEcWhtXR+WOHMNNjIzCJH1bYGXzokMYbgX5TfbTAqUvxWlbpSPe+jTDDei\n" + + "xCZ1qNiYKJARb9Du8KDaFu7D1/DlE+Y6xQY8QxuF5GIig8/j9DXMBGuHAQCx\n" + + "NS8+e0LZ63YHiPWHDAPeGztx2QoLRoy26LUC+gw9Fwf+MiaaKCc8IAom8nSV\n" + + "JUW6BYBhxAQ4oXja/rIXfjfHMTpHyAv2D6rzYWs4MTpjwq/bp+f61PZA7LF4\n" + + "hI2fvZIh5A+7pkzhDQ3vsR0JlHCN7zjdyDkecqXoxF2Li+0A1iofcC9iApFf\n" + + "hVeGhEETtCJ75MjTcG4HH9icSsIeO99ez6fbw8xtD4cm8/cCZviRJzY2NWaP\n" + + "OUFee4DoHXBqJvmA9tZ7GCa1yJj3QNcMSV4+g5bom/kbiJWE3Kxvt3vbt9HY\n" + + "uutjK6t95VoL8Gn/KeRmcafyvHb5v03IJOZYtWVtMnnhzp4eULB5NIMnNO+j\n" + + "2Fp0BT2hG9tRuiR7NhT6pUAi2AgAgbYnNdmQbUw8SOszWckiI5Cy43jhuR7U\n" + + "8yQKxLK2sGATyEbORgo1R5ykMsOm5stviqSleihqaij01dtrufhNRNuW/hHy\n" + + "yhEzMLJCjOQ2K1OOlavmNPnUvBOKSaHIIGxtDf6kUhuXTUZeuoX+SqzemlEN\n" + + "w6dRopm3o98wkLmf9XZIIe3YzhnIqnXrVChMJR1Tb5uZ2cgL+J4mhTw4XE6G\n" + + "9S/7VG+033wOH4vBNNzr/oeEDqEWbnvsK0z2LQhMqS3oEMGtiBuUBqrSQ4Ol\n" + + "pKa6uN1YSbFhPGFdVjyUTsDJodQKXCAcDiuXkxqhU3yTps/9pdQTFV+nHnFo\n" + + "UQ+q6qcKuf4JAwiezB8yRqiUDwDYXJPqetnfSfb8HJK94SobBbpnnJWmimTo\n" + + "5xXmh8ADOeNPFvoUBAHLVlaOHQ+RxvH5+myTWgQGUCFwx0hw/FKYwf5/TJoL\n" + + "zRNhIDxkc2FAZWxnYW1hbC5jb20+wo8EEBEIACAFAl/0Q7UGCwkHCAMCBBUI\n" + + "CgIEFgIBAAIZAQIbAwIeAQAhCRCxvR8Ensh/PRYhBA/hAsFZyBjvLX2ffrG9\n" + + "HwSeyH89eTkBAI3qhlbtwKsmGKON1vNOlMoowQdM4vQ79Thff+cTCjseAQCP\n" + + "KtVp3MBiGFVGL9WWkLWZ4pA/B5i3/j34AgI+ko4clMfCqgRe4LTJEAgAt7wy\n" + + "TrFS8Q64e/DJvIYMKcSDyaeO6dgGR9gz679IaooHO86mhfQxmaaLzhGoN7df\n" + + "dmyMWPNTb+xyrI3YTIT56V2Oca1oXGZtqmFkN+x8uhgUAmCaWFiM/MtTqIWy\n" + + "u9pb6DqfM3y2OS+kLUL3p2RVi2RITNu7mNJrxMGYSsPAZ2Yp6r4rqci+fKQx\n" + + "tp0ryWQQtyUj6UVLfZv/dWinRdWzNhHi/D0hMX0Wg2KwxHFobV0fljhzDTYy\n" + + "MwiR9W2Bl86JDGG4F+U320wKlL8VpW6Uj3vo0ww3osQmdajYmCiQEW/Q7vCg\n" + + "2hbuw9fw5RPmOsUGPEMbheRiIoPP4/Q1zARrhwf+MiaaKCc8IAom8nSVJUW6\n" + + "BYBhxAQ4oXja/rIXfjfHMTpHyAv2D6rzYWs4MTpjwq/bp+f61PZA7LF4hI2f\n" + + "vZIh5A+7pkzhDQ3vsR0JlHCN7zjdyDkecqXoxF2Li+0A1iofcC9iApFfhVeG\n" + + "hEETtCJ75MjTcG4HH9icSsIeO99ez6fbw8xtD4cm8/cCZviRJzY2NWaPOUFe\n" + + "e4DoHXBqJvmA9tZ7GCa1yJj3QNcMSV4+g5bom/kbiJWE3Kxvt3vbt9HYuutj\n" + + "K6t95VoL8Gn/KeRmcafyvHb5v03IJOZYtWVtMnnhzp4eULB5NIMnNO+j2Fp0\n" + + "BT2hG9tRuiR7NhT6pUAi2Af/Ww4X+sMiX5so7CZzIi0cMaYFaO4QD3zOFATg\n" + + "lpqEmyYIT0CdQrr3fxJfpVgLZKzRkacecbJD1yBg75x6DlEPf4ScClygymzQ\n" + + "W0YBJ4/aQBBwn0uBGJUsvU5vBjN4uNNvoKkT4PGPGWw4duzTjwAg9UPirsQf\n" + + "DOgSBtA8VJpCvY8uZwu1rMybSitgo3SWnsmB0Sfk7FpPcWx5wbuF5aWENiBG\n" + + "TcecGrWHlB7mHDJ2VKnqvsn0Ned13lgCrbVri5WcodB30IXAK1xknQD+SBiL\n" + + "Ere8Wxf5Ge/dsi9ygdin0lwfveLHmreO9rLOLXA40q1bfVMguUcx+oSQHad1\n" + + "YXft1/4JAwgOjqeNUGKHFQDYG8nEzqEAT8zs6r+WYXwJAWHjwO4kFQjxy6Fv\n" + + "dv9JnfXweIWvrfaoytJ4PX9yy0y2EHyMmH2p+ZXGBSphERJjdzdgjZU95cGF\n" + + "VMpOoyoUpg/CeAQYEQgACQUCX/RDtQIbDAAhCRCxvR8Ensh/PRYhBA/hAsFZ\n" + + "yBjvLX2ffrG9HwSeyH8925EBAJ5ILo/q8Z01vCiCdEV/i2nMEevI7EHG5DtM\n" + + "RuvLdJPtAP9VND4sdnrXUXoUn6OgUmKoV0KKcTUPEnMqQ8QgfVDEJA==\n" + + "=p9kX\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + private static final String ELGAMAL = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: OpenPGP.js VERSION\n" + + "Comment: https://openpgpjs.org\n" + + "\n" + + "xcJ2BF7gtMkRCACn33NmdVvNmFRs7wp/EYbfFo3eHygwJDx93cpi++YDWf57\n" + + "Jz0A0WbihN3CYQuO/CE1sqJfpktc4Q0yhNwAMX49xxfcl6mwWawAhianG1Tj\n" + + "zM5L0YY6Qipi+L8F4cRk/u4leElAPySN/X7Ami3HGcVoU+BJ03ssnz0iiBb0\n" + + "mA4gPDRBueXNSQdI5TG6qEANCCRNLvg53p8G9BQRCXs0SunorUFc9BSOqcgX\n" + + "IH+dkzjjvJPFVCMvcsp5L9nsJ9demtSwWsJrlBkA2UmgZ/PVItvxSGSukP3c\n" + + "5+JKUaIFsAjBWwMsJcBDvq6FYBL1e7IO/ZBsl/5TpFtWtCYEbNAnmjg3AQCz\n" + + "ZGzliaDRrxn1wREz13aQ760Tzno+X9O54Ef6Ya+Nywf9HQh5LEdpQJio7rYp\n" + + "6/Heu8j0dqgqBs6SNHxVQPuiKgpnTOCEE3eXN4FnZ1/PyQOyMdPkIoi4p36Y\n" + + "iMBnxJBRHG0QAFqVdiP4Yzqv+K07De/De569okE43CHlgJN5r+ZU+NVGT5vW\n" + + "jN6izoK0H1IjIkLU4ZNbVEOuEVRI///MZ++OTEtEyv92sIFFfbKa5efazsQu\n" + + "xBm1w8T2W9avcUwEdV/iErNqRfZ1Ty+WMFNyTlFpEBdNkSx6QQsHw6lAfWjR\n" + + "ScEf3HhpaIEvZ3xwYvUeM4/h+H+tvy8MSF5jNuw4UV7dCiG4cf3vrTWHoTDh\n" + + "3iYwTYZNB/NcU37gu7mdEoz/yQf/Tn0pExWBO9qYjPmsOcviZX/2dXJv4E85\n" + + "eHRO8NpliXsNXLypZQXYcMIOT60LYDIHJnideMapa84xkT2eNK3jdK/yVbkO\n" + + "X/9/UvvYkruMv4d05jEN3oTVGeBbeplgbnnbmOI0mRhm8nML3+4+76p+zTH3\n" + + "5yXHhbe5e8vN9HLDSaxJMBT9YLSzi4B3qYUbN3GP6xxpBdsUNC4uPUWrgJZe\n" + + "ruz1ItTEHc9zecPoBjZ2zsNBfYKa4IBbPC0Hdu5xhrlUUlDQfYWpLbtuuxgz\n" + + "2W5l8FZpHH8DAQ/pv5TMuMEr5cGK5N7/D7VIILsl4zRSrZfpLlN3p/bTrYaq\n" + + "vBLy7kSdeP4JZQBHTlUBzRNhIDxkc2FAZWxnYW1hbC5jb20+wo8EEBEIACAF\n" + + "Al+uqvIGCwkHCAMCBBUICgIEFgIBAAIZAQIbAwIeAQAhCRBfBKz0T9gisRYh\n" + + "BJsPXWgA3qU0mfRVx18ErPRP2CKxG/cA/0EMxk/JebLdXJuHCdFfmuefSLJx\n" + + "3r/T5YAC2C2J3NoUAQCzL8sEY3GPjwLG3usTC03OiCeyaS3cMSodpJr38TwX\n" + + "U8fCqgRe4LTJEAgAt7wyTrFS8Q64e/DJvIYMKcSDyaeO6dgGR9gz679IaooH\n" + + "O86mhfQxmaaLzhGoN7dfdmyMWPNTb+xyrI3YTIT56V2Oca1oXGZtqmFkN+x8\n" + + "uhgUAmCaWFiM/MtTqIWyu9pb6DqfM3y2OS+kLUL3p2RVi2RITNu7mNJrxMGY\n" + + "SsPAZ2Yp6r4rqci+fKQxtp0ryWQQtyUj6UVLfZv/dWinRdWzNhHi/D0hMX0W\n" + + "g2KwxHFobV0fljhzDTYyMwiR9W2Bl86JDGG4F+U320wKlL8VpW6Uj3vo0ww3\n" + + "osQmdajYmCiQEW/Q7vCg2hbuw9fw5RPmOsUGPEMbheRiIoPP4/Q1zARrhwf+\n" + + "MiaaKCc8IAom8nSVJUW6BYBhxAQ4oXja/rIXfjfHMTpHyAv2D6rzYWs4MTpj\n" + + "wq/bp+f61PZA7LF4hI2fvZIh5A+7pkzhDQ3vsR0JlHCN7zjdyDkecqXoxF2L\n" + + "i+0A1iofcC9iApFfhVeGhEETtCJ75MjTcG4HH9icSsIeO99ez6fbw8xtD4cm\n" + + "8/cCZviRJzY2NWaPOUFee4DoHXBqJvmA9tZ7GCa1yJj3QNcMSV4+g5bom/kb\n" + + "iJWE3Kxvt3vbt9HYuutjK6t95VoL8Gn/KeRmcafyvHb5v03IJOZYtWVtMnnh\n" + + "zp4eULB5NIMnNO+j2Fp0BT2hG9tRuiR7NhT6pUAi2Af/Ww4X+sMiX5so7CZz\n" + + "Ii0cMaYFaO4QD3zOFATglpqEmyYIT0CdQrr3fxJfpVgLZKzRkacecbJD1yBg\n" + + "75x6DlEPf4ScClygymzQW0YBJ4/aQBBwn0uBGJUsvU5vBjN4uNNvoKkT4PGP\n" + + "GWw4duzTjwAg9UPirsQfDOgSBtA8VJpCvY8uZwu1rMybSitgo3SWnsmB0Sfk\n" + + "7FpPcWx5wbuF5aWENiBGTcecGrWHlB7mHDJ2VKnqvsn0Ned13lgCrbVri5Wc\n" + + "odB30IXAK1xknQD+SBiLEre8Wxf5Ge/dsi9ygdin0lwfveLHmreO9rLOLXA4\n" + + "0q1bfVMguUcx+oSQHad1YXft1/4JAwiUPMqEIUCgsACIlVF2VExLGCEnlGvC\n" + + "r6xO8HZyFotZCvTaqdpAeEwR3j8iPuLHZ6UM4qM0iWKGnXwvwnXQb9gNCQjv\n" + + "sQi3ZA0XU9VyF0Br2pWC8O1pSzsfR6nCeAQYEQgACQUCX66q8gIbDAAhCRBf\n" + + "BKz0T9gisRYhBJsPXWgA3qU0mfRVx18ErPRP2CKxAT4A/1Me/0H9uMxhqeL8\n" + + "IZ2L59G9ofFMud0g1eUzYaAN+XLtAQCkR7SCspq4PWYYY+YcnhWWMPAA1TM6\n" + + "TsMBqN9H5d+2XQ==\n" + + "=lI+G\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n"; + + @Test + public void investigate() throws IOException { + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); + + PGPSecretKeyRing dsa = PGPainless.readKeyRing().secretKeyRing(DSA); + PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL); + + // CHECKSTYLE:OFF + for (PGPSecretKey secretKey : dsa) { + try { + UnlockSecretKey.unlockSecretKey(secretKey, protector); + System.out.println("No KeyIntegrityException for dsa key " + Long.toHexString(secretKey.getKeyID())); + } catch (KeyIntegrityException e) { + System.out.println("KeyIntegrityException for dsa key " + Long.toHexString(secretKey.getKeyID())); + } catch (PGPException e) { + System.out.println("Cannot unlock dsa key: " + e.getMessage()); + } + } + + for (PGPSecretKey secretKey : elgamal) { + try { + UnlockSecretKey.unlockSecretKey(secretKey, protector); + System.out.println("No KeyIntegrityException for elgamal key " + Long.toHexString(secretKey.getKeyID())); + } catch (KeyIntegrityException e) { + System.out.println("KeyIntegrityException for elgamal key " + Long.toHexString(secretKey.getKeyID())); + }catch (PGPException e) { + System.out.println("Cannot unlock elgamal key: " + e.getMessage()); + } + } + // CHECKSTYLE:ON + } +} From 073cf870d25db933460634ff66c5080b1704822c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 15:01:37 +0100 Subject: [PATCH 0193/1450] Fix NPE when attempting to decrypt GNU_DUMMY_S2K keys --- .../key/protection/UnlockSecretKey.java | 45 ++++++++++++------- .../builder/AbstractSignatureBuilder.java | 10 ++--- .../builder/DirectKeySignatureBuilder.java | 6 +-- .../PrimaryKeyBindingSignatureBuilder.java | 3 +- .../builder/RevocationSignatureBuilder.java | 3 +- .../builder/SelfSignatureBuilder.java | 7 ++- .../SubkeyBindingSignatureBuilder.java | 3 +- ...irdPartyCertificationSignatureBuilder.java | 6 +-- .../builder/UniversalSignatureBuilder.java | 5 +-- .../pgpainless/example/UnlockSecretKeys.java | 3 +- 10 files changed, 48 insertions(+), 43 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java index c68e4914..36ceac44 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java @@ -20,27 +20,40 @@ public final class UnlockSecretKey { } public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { + + PBESecretKeyDecryptor decryptor = null; + if (KeyInfo.isEncrypted(secretKey)) { + decryptor = protector.getDecryptor(secretKey.getKeyID()); + } + PGPPrivateKey privateKey = unlockSecretKey(secretKey, decryptor); + return privateKey; + } + + public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, PBESecretKeyDecryptor decryptor) + throws PGPException { + PGPPrivateKey privateKey; try { - PBESecretKeyDecryptor decryptor = null; - if (KeyInfo.isEncrypted(secretKey)) { - decryptor = protector.getDecryptor(secretKey.getKeyID()); + privateKey = secretKey.extractPrivateKey(decryptor); + } catch (PGPException e) { + throw new WrongPassphraseException(secretKey.getKeyID(), e); + } + + if (privateKey == null) { + int s2kType = secretKey.getS2K().getType(); + if (s2kType >= 100 && s2kType <= 110) { + throw new PGPException("Cannot decrypt secret key" + Long.toHexString(secretKey.getKeyID()) + ": " + + "Unsupported private S2K usage type " + s2kType); } - return secretKey.extractPrivateKey(decryptor); - } catch (PGPException e) { - throw new WrongPassphraseException(secretKey.getKeyID(), e); + + throw new PGPException("Cannot decrypt secret key."); } + + return privateKey; } - public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, PBESecretKeyDecryptor decryptor) throws WrongPassphraseException { - try { - return secretKey.extractPrivateKey(decryptor); - } catch (PGPException e) { - throw new WrongPassphraseException(secretKey.getKeyID(), e); - } - } - - public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) throws WrongPassphraseException { + public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, Passphrase passphrase) + throws PGPException { return unlockSecretKey(secretKey, SecretKeyRingProtector.unlockSingleKeyWith(passphrase, secretKey)); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 7b92ab02..9eaa70b4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -5,6 +5,7 @@ package org.pgpainless.signature.builder; import java.util.Set; +import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPrivateKey; @@ -16,7 +17,6 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; @@ -24,8 +24,6 @@ import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; -import javax.annotation.Nonnull; - public abstract class AbstractSignatureBuilder> { protected final PGPPrivateKey privateSigningKey; protected final PGPPublicKey publicSigningKey; @@ -42,7 +40,7 @@ public abstract class AbstractSignatureBuilder { - public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) throws WrongPassphraseException { + public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) + throws PGPException { super(certificationKey, protector, archetypeSignature); } - public DirectKeySignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public DirectKeySignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { super(SignatureType.DIRECT_KEY, signingKey, protector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java index 0f88dec4..93339f86 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java @@ -11,14 +11,13 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder { public PrimaryKeyBindingSignatureBuilder(PGPSecretKey subkey, SecretKeyRingProtector subkeyProtector) - throws WrongPassphraseException { + throws PGPException { super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java index 3449a5dd..ebae151d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java @@ -12,13 +12,12 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; public class RevocationSignatureBuilder extends AbstractSignatureBuilder { - public RevocationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public RevocationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { super(signatureType, signingKey, protector); getHashedSubpackets().setRevocable(true, false); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java index a7ffd488..e6bf94c3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SelfSignatureBuilder.java @@ -12,18 +12,17 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; public class SelfSignatureBuilder extends AbstractSignatureBuilder { - public SelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws WrongPassphraseException { + public SelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException { this(SignatureType.GENERIC_CERTIFICATION, signingKey, protector); } public SelfSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } @@ -31,7 +30,7 @@ public class SelfSignatureBuilder extends AbstractSignatureBuilder { public SubkeyBindingSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(SignatureType.SUBKEY_BINDING, signingKey, protector); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java index 5d19fa83..9128e5da 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilder.java @@ -31,7 +31,7 @@ public class ThirdPartyCertificationSignatureBuilder extends AbstractSignatureBu * @throws WrongPassphraseException in case of a wrong passphrase */ public ThirdPartyCertificationSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { this(SignatureType.GENERIC_CERTIFICATION, signingKey, protector); } @@ -44,7 +44,7 @@ public class ThirdPartyCertificationSignatureBuilder extends AbstractSignatureBu * @throws WrongPassphraseException in case of a wrong passphrase */ public ThirdPartyCertificationSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } @@ -60,7 +60,7 @@ public class ThirdPartyCertificationSignatureBuilder extends AbstractSignatureBu PGPSecretKey signingKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) - throws WrongPassphraseException { + throws PGPException { super(signingKey, protector, archetypeSignature); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java index 3b63a032..b3ed5bf0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java @@ -11,7 +11,6 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.BaseSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpackets; @@ -22,12 +21,12 @@ import org.pgpainless.signature.subpackets.SignatureSubpackets; public class UniversalSignatureBuilder extends AbstractSignatureBuilder { public UniversalSignatureBuilder(SignatureType signatureType, PGPSecretKey signingKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { super(signatureType, signingKey, protector); } public UniversalSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature) - throws WrongPassphraseException { + throws PGPException { super(certificationKey, protector, archetypeSignature); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index a7b056b7..f4716211 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -11,7 +11,6 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; -import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.CachingSecretKeyRingProtector; @@ -120,7 +119,7 @@ public class UnlockSecretKeys { } private void assertProtectorUnlocksAllSecretKeys(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector) - throws WrongPassphraseException { + throws PGPException { for (PGPSecretKey key : secretKey) { UnlockSecretKey.unlockSecretKey(key, protector); } From af1d4f3e5b320d3ee3c810add8b87372bc097eee Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 16:43:27 +0100 Subject: [PATCH 0194/1450] Add ElGamal validation ported from openpgpjs --- .../PublicKeyParameterValidationUtil.java | 101 +++++++++++++++--- 1 file changed, 89 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java index 592ef945..5ee8135b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java @@ -16,6 +16,8 @@ import org.bouncycastle.bcpg.DSAPublicBCPGKey; import org.bouncycastle.bcpg.DSASecretBCPGKey; import org.bouncycastle.bcpg.EdDSAPublicBCPGKey; import org.bouncycastle.bcpg.EdSecretBCPGKey; +import org.bouncycastle.bcpg.ElGamalPublicBCPGKey; +import org.bouncycastle.bcpg.ElGamalSecretBCPGKey; import org.bouncycastle.bcpg.RSAPublicBCPGKey; import org.bouncycastle.bcpg.RSASecretBCPGKey; import org.bouncycastle.openpgp.PGPEncryptedDataGenerator; @@ -39,7 +41,7 @@ import org.pgpainless.implementation.ImplementationFactory; public class PublicKeyParameterValidationUtil { public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey) - throws KeyIntegrityException, PGPException { + throws KeyIntegrityException { PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm()); boolean valid = true; @@ -60,10 +62,13 @@ public class PublicKeyParameterValidationUtil { (DSASecretBCPGKey) key, (DSAPublicBCPGKey) publicKey.getPublicKeyPacket().getKey()) && valid; + } else if (key instanceof ElGamalSecretBCPGKey) { + valid = verifyElGamalKeyIntegrity( + (ElGamalSecretBCPGKey) key, + (ElGamalPublicBCPGKey) publicKey.getPublicKeyPacket().getKey()) + && valid; } - // TODO: ElGamal - if (!valid) { throw new KeyIntegrityException(); } @@ -84,26 +89,43 @@ public class PublicKeyParameterValidationUtil { } } - private static boolean verifyCanSign(PGPPrivateKey privateKey, PGPPublicKey publicKey) throws PGPException { + /** + * Verify that the public key can be used to successfully verify a signature made by the private key. + * @param privateKey private key + * @param publicKey public key + * @return false if signature verification fails + */ + private static boolean verifyCanSign(PGPPrivateKey privateKey, PGPPublicKey publicKey) { SecureRandom random = new SecureRandom(); PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm()); PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator( ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKeyAlgorithm, HashAlgorithm.SHA256) ); - signatureGenerator.init(SignatureType.TIMESTAMP.getCode(), privateKey); + try { + signatureGenerator.init(SignatureType.TIMESTAMP.getCode(), privateKey); - byte[] data = new byte[512]; - random.nextBytes(data); + byte[] data = new byte[512]; + random.nextBytes(data); - signatureGenerator.update(data); - PGPSignature sig = signatureGenerator.generate(); + signatureGenerator.update(data); + PGPSignature sig = signatureGenerator.generate(); - sig.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), publicKey); - sig.update(data); - return sig.verify(); + sig.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), publicKey); + sig.update(data); + return sig.verify(); + } catch (PGPException e) { + return false; + } } + /** + * Verify that the public key can be used to encrypt a message which can successfully be + * decrypted using the private key. + * @param privateKey private key + * @param publicKey public key + * @return false if decryption of a message encrypted with the public key fails + */ private static boolean verifyCanDecrypt(PGPPrivateKey privateKey, PGPPublicKey publicKey) { SecureRandom random = new SecureRandom(); PGPEncryptedDataGenerator encryptedDataGenerator = new PGPEncryptedDataGenerator( @@ -201,4 +223,59 @@ public class PublicKeyParameterValidationUtil { // Verify that the public keys N is equal to private keys p*q return publicKey.getModulus().equals(secretKey.getPrimeP().multiply(secretKey.getPrimeQ())); } + + /** + * Validate ElGamal public key parameters. + * + * Original implementation by the openpgpjs authors: + * https://github.com/openpgpjs/openpgpjs/blob/main/src/crypto/public_key/elgamal.js#L76-L143 + * @param secretKey secret key + * @param publicKey public key + * @return true if supposedly valid, false if invalid + */ + private static boolean verifyElGamalKeyIntegrity(ElGamalSecretBCPGKey secretKey, ElGamalPublicBCPGKey publicKey) { + BigInteger p = publicKey.getP(); + BigInteger g = publicKey.getG(); + BigInteger y = publicKey.getY(); + BigInteger one = BigInteger.ONE; + + // 1 < g < p + if (g.min(one).equals(g) || g.max(p).equals(g)) { + return false; + } + + // p-1 is large + if (p.bitLength() < 1023) { + return false; + } + + // g^(p-1) mod p = 1 + if (!g.modPow(p.subtract(one), p).equals(one)) { + return false; + } + + // check g^i mod p != 1 for i < threshold + BigInteger res = g; + BigInteger i = BigInteger.valueOf(1); + BigInteger threshold = BigInteger.valueOf(2).shiftLeft(17); + while (i.compareTo(threshold) < 0) { + res = res.multiply(g).mod(p); + if (res.equals(one)) { + return false; + } + i = i.add(one); + } + + // blinded exponentiation to check y = g^(r*(p-1)+x) mod p + SecureRandom random = new SecureRandom(); + BigInteger x = secretKey.getX(); + BigInteger r = new BigInteger(p.bitLength(), random); + BigInteger rqx = p.subtract(one).multiply(r).add(x); + if (!y.equals(g.modPow(rqx, p))) { + return false; + } + + return true; + } + } From c4618617f60a2830c3e66848592a91d23fb91de8 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 17:11:23 +0100 Subject: [PATCH 0195/1450] Introduce iteration limit to prevent resource exhaustion when reading signatures --- .../pgpainless/signature/SignatureUtils.java | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index 3209fc8a..93e8aae0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -43,6 +43,8 @@ import org.pgpainless.util.ArmorUtils; */ public final class SignatureUtils { + public static final int MAX_ITERATIONS = 10000; + private SignatureUtils() { } @@ -220,13 +222,28 @@ public final class SignatureUtils { * @throws PGPException in case of an OpenPGP error */ public static List readSignatures(InputStream inputStream) throws IOException, PGPException { + return readSignatures(inputStream, MAX_ITERATIONS); + } + + /** + * Read and return {@link PGPSignature PGPSignatures}. + * This method can deal with signatures that may be armored, compressed and may contain marker packets. + * + * @param inputStream input stream + * @param maxIterations number of loop iterations until reading is aborted + * @return list of encountered signatures + * @throws IOException in case of a stream error + * @throws PGPException in case of an OpenPGP error + */ + public static List readSignatures(InputStream inputStream, int maxIterations) throws IOException, PGPException { List signatures = new ArrayList<>(); InputStream pgpIn = ArmorUtils.getDecoderStream(inputStream); PGPObjectFactory objectFactory = new PGPObjectFactory( pgpIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + int i = 0; Object nextObject; - while ((nextObject = objectFactory.nextObject()) != null) { + while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) { if (nextObject instanceof PGPCompressedData) { PGPCompressedData compressedData = (PGPCompressedData) nextObject; objectFactory = new PGPObjectFactory(compressedData.getDataStream(), From 82cbe467f25706948cdeba0a5e6f6094ce9f360a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 6 Dec 2021 17:11:42 +0100 Subject: [PATCH 0196/1450] Introduce iteration limit to prevent resource exhaustion when reading keys --- .../pgpainless/key/parsing/KeyRingReader.java | 81 ++++++++++++++++-- .../key/parsing/KeyRingReaderTest.java | 85 +++++++++++++++++++ 2 files changed, 159 insertions(+), 7 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java index 585d3eb3..5dcf0bd4 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java @@ -27,6 +27,8 @@ import org.pgpainless.util.ArmorUtils; public class KeyRingReader { + public static final int MAX_ITERATIONS = 10000; + public static final Charset UTF8 = Charset.forName("UTF-8"); public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream) throws IOException { @@ -93,9 +95,23 @@ public class KeyRingReader { } public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream) throws IOException { + return readPublicKeyRing(inputStream, MAX_ITERATIONS); + } + + /** + * Read a public key ring from the provided {@link InputStream}. + * If more than maxIterations PGP packets are encountered before a {@link PGPPublicKeyRing} is read, + * an {@link IOException} is thrown. + * + * @param inputStream input stream + * @param maxIterations max iterations before abort + * @return public key ring + */ + public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException { PGPObjectFactory objectFactory = new PGPObjectFactory( ArmorUtils.getDecoderStream(inputStream), ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + int i = 0; Object next; do { next = objectFactory.nextObject(); @@ -108,17 +124,34 @@ public class KeyRingReader { if (next instanceof PGPPublicKeyRing) { return (PGPPublicKeyRing) next; } - } while (true); + } while (++i < maxIterations); + + throw new IOException("Loop exceeded max iteration count."); } public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream) throws IOException, PGPException { + return readPublicKeyRingCollection(inputStream, MAX_ITERATIONS); + } + + /** + * Read a public key ring collection from the provided {@link InputStream}. + * If more than maxIterations PGP packets are encountered before the stream is exhausted, + * an {@link IOException} is thrown. + * + * @param inputStream input stream + * @param maxIterations max iterations before abort + * @return public key ring collection + * @throws IOException + */ + public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations) + throws IOException, PGPException { PGPObjectFactory objectFactory = new PGPObjectFactory( ArmorUtils.getDecoderStream(inputStream), ImplementationFactory.getInstance().getKeyFingerprintCalculator()); List rings = new ArrayList<>(); - + int i = 0; Object next; do { next = objectFactory.nextObject(); @@ -138,15 +171,30 @@ public class KeyRingReader { rings.add(iterator.next()); } } - } while (true); + } while (++i < maxIterations); + + throw new IOException("Loop exceeded max iteration count."); } public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream) throws IOException { + return readSecretKeyRing(inputStream, MAX_ITERATIONS); + } + + /** + * Read a secret key ring from the provided {@link InputStream}. + * If more than maxIterations PGP packets are encountered before a {@link PGPSecretKeyRing} is read, + * an {@link IOException} is thrown. + * + * @param inputStream input stream + * @param maxIterations max iterations before abort + * @return public key ring + */ + public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException { InputStream decoderStream = ArmorUtils.getDecoderStream(inputStream); PGPObjectFactory objectFactory = new PGPObjectFactory( decoderStream, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); - + int i = 0; Object next; do { next = objectFactory.nextObject(); @@ -160,17 +208,34 @@ public class KeyRingReader { Streams.drain(decoderStream); return (PGPSecretKeyRing) next; } - } while (true); + } while (++i < maxIterations); + + throw new IOException("Loop exceeded max iteration count."); } public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream) throws IOException, PGPException { + return readSecretKeyRingCollection(inputStream, MAX_ITERATIONS); + } + + /** + * Read a secret key ring collection from the provided {@link InputStream}. + * If more than maxIterations PGP packets are encountered before the stream is exhausted, + * an {@link IOException} is thrown. + * + * @param inputStream input stream + * @param maxIterations max iterations before abort + * @return secret key ring collection + */ + public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream, + int maxIterations) + throws IOException, PGPException { PGPObjectFactory objectFactory = new PGPObjectFactory( ArmorUtils.getDecoderStream(inputStream), ImplementationFactory.getInstance().getKeyFingerprintCalculator()); List rings = new ArrayList<>(); - + int i = 0; Object next; do { next = objectFactory.nextObject(); @@ -190,7 +255,9 @@ public class KeyRingReader { rings.add(iterator.next()); } } - } while (true); + } while (++i < maxIterations); + + throw new IOException("Loop exceeded max iteration count."); } public static PGPKeyRingCollection readKeyRingCollection(@Nonnull InputStream inputStream, boolean isSilent) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index b02f5beb..e281091d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -5,6 +5,7 @@ package org.pgpainless.key.parsing; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.io.ByteArrayInputStream; @@ -475,4 +476,88 @@ class KeyRingReaderTest { assertTrue(secretKeys.contains(alice.getSecretKey().getKeyID())); assertTrue(secretKeys.contains(bob.getSecretKey().getKeyID())); } + + @Test + public void testReadingSecretKeysExceedsIterationLimit() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null); + MarkerPacket marker = TestUtils.getMarkerPacket(); + + ByteArrayOutputStream bytes = new ByteArrayOutputStream(); + ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes); + BCPGOutputStream outputStream = new BCPGOutputStream(armor); + + for (int i = 0; i < 600; i++) { + marker.encode(outputStream); + } + alice.encode(outputStream); + + assertThrows(IOException.class, () -> + KeyRingReader.readSecretKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512)); + } + + @Test + public void testReadingSecretKeyCollectionExceedsIterationLimit() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null); + PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null); + MarkerPacket marker = TestUtils.getMarkerPacket(); + + ByteArrayOutputStream bytes = new ByteArrayOutputStream(); + ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes); + BCPGOutputStream outputStream = new BCPGOutputStream(armor); + + for (int i = 0; i < 600; i++) { + marker.encode(outputStream); + } + alice.encode(outputStream); + bob.encode(outputStream); + + assertThrows(IOException.class, () -> + KeyRingReader.readSecretKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512)); + } + + + @Test + public void testReadingPublicKeysExceedsIterationLimit() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null); + PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys); + MarkerPacket marker = TestUtils.getMarkerPacket(); + + ByteArrayOutputStream bytes = new ByteArrayOutputStream(); + ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes); + BCPGOutputStream outputStream = new BCPGOutputStream(armor); + + for (int i = 0; i < 600; i++) { + marker.encode(outputStream); + } + alice.encode(outputStream); + + assertThrows(IOException.class, () -> + KeyRingReader.readPublicKeyRing(new ByteArrayInputStream(bytes.toByteArray()), 512)); + } + + @Test + public void testReadingPublicKeyCollectionExceedsIterationLimit() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null); + PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null); + PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1); + PGPPublicKeyRing bob = PGPainless.extractCertificate(sec2); + MarkerPacket marker = TestUtils.getMarkerPacket(); + + ByteArrayOutputStream bytes = new ByteArrayOutputStream(); + ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bytes); + BCPGOutputStream outputStream = new BCPGOutputStream(armor); + + for (int i = 0; i < 600; i++) { + marker.encode(outputStream); + } + alice.encode(outputStream); + bob.encode(outputStream); + + assertThrows(IOException.class, () -> + KeyRingReader.readPublicKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512)); + } } From b3ec3333cef2d2460cce5c49a0d3234176f91179 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 7 Dec 2021 14:42:03 +0100 Subject: [PATCH 0197/1450] CachingSecretKeyRingProtector: Prevent accidental passphrase override via addPassphrase() --- .../CachingSecretKeyRingProtector.java | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index 4a58b5f9..a939c8af 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -23,6 +23,9 @@ import org.pgpainless.util.Passphrase; * Implementation of the {@link SecretKeyRingProtector} which holds a map of key ids and their passwords. * In case the needed passphrase is not contained in the map, the {@code missingPassphraseCallback} will be consulted, * and the passphrase is added to the map. + * + * If you need to unlock multiple {@link PGPKeyRing PGPKeyRings}, it is advised to use a separate + * {@link CachingSecretKeyRingProtector} instance for each ring. */ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, SecretKeyPassphraseProvider { @@ -52,21 +55,76 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se /** * Add a passphrase to the cache. + * If the cache already contains a passphrase for the given key-id, a {@link IllegalArgumentException} is thrown. + * The reason for this is to prevent accidental override of passphrases when dealing with multiple key rings + * containing a key with the same key-id but different passphrases. + * + * If you can ensure that there will be no key-id clash, and you want to replace the passphrase, you can use + * {@link #replacePassphrase(Long, Passphrase)} to replace the passphrase. * * @param keyId id of the key * @param passphrase passphrase */ public void addPassphrase(@Nonnull Long keyId, @Nonnull Passphrase passphrase) { + if (this.cache.containsKey(keyId)) { + throw new IllegalArgumentException("The cache already holds a passphrase for ID " + Long.toHexString(keyId) + ".\n" + + "If you want to replace the passphrase, use replacePassphrase(Long, Passphrase) instead."); + } + this.cache.put(keyId, passphrase); + } + + /** + * Replace the passphrase for the given key-id in the cache. + * + * @param keyId keyId + * @param passphrase passphrase + */ + public void replacePassphrase(@Nonnull Long keyId, @Nonnull Passphrase passphrase) { this.cache.put(keyId, passphrase); } /** * Remember the given passphrase for all keys in the given key ring. + * If for the key-id of any key on the key ring the cache already contains a passphrase, a + * {@link IllegalArgumentException} is thrown before any changes are committed to the cache. + * This is to prevent accidental passphrase override when dealing with multiple key rings containing + * keys with conflicting key-ids. + * + * If you can ensure that there will be no key-id clashes and you want to replace the passphrases for the key ring, + * use {@link #replacePassphrase(PGPKeyRing, Passphrase)} instead. + * + * If you need to unlock multiple {@link PGPKeyRing PGPKeyRings}, it is advised to use a separate + * {@link CachingSecretKeyRingProtector} instance for each ring. * * @param keyRing key ring * @param passphrase passphrase */ public void addPassphrase(@Nonnull PGPKeyRing keyRing, @Nonnull Passphrase passphrase) { + Iterator keys = keyRing.getPublicKeys(); + // check for existing passphrases before doing anything + while (keys.hasNext()) { + long keyId = keys.next().getKeyID(); + if (cache.containsKey(keyId)) { + throw new IllegalArgumentException("The cache already holds a passphrase for ID " + Long.toHexString(keyId) + ".\n" + + "If you want to replace the passphrase, use replacePassphrase(PGPKeyRing, Passphrase) instead."); + } + } + + // only then insert + keys = keyRing.getPublicKeys(); + while (keys.hasNext()) { + PGPPublicKey publicKey = keys.next(); + addPassphrase(publicKey, passphrase); + } + } + + /** + * Replace the cached passphrases for all keys in the key ring with the provided passphrase. + * + * @param keyRing key ring + * @param passphrase passphrase + */ + public void replacePassphrase(@Nonnull PGPKeyRing keyRing, @Nonnull Passphrase passphrase) { Iterator keys = keyRing.getPublicKeys(); while (keys.hasNext()) { PGPPublicKey publicKey = keys.next(); From 35462ab539d14c783f7cfe8ff231e08f857892ea Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Dec 2021 13:25:23 +0100 Subject: [PATCH 0198/1450] Add tests for PublicKeyParameterValidation --- .../key/protection/UnlockSecretKey.java | 3 + .../ModifiedPublicKeysInvestigation.java | 174 +++++++++++++++--- 2 files changed, 153 insertions(+), 24 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java index 71b9265b..42a5b9b7 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java @@ -12,6 +12,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.pgpainless.exception.KeyIntegrityException; import org.pgpainless.exception.WrongPassphraseException; import org.pgpainless.key.info.KeyInfo; +import org.pgpainless.key.util.PublicKeyParameterValidationUtil; import org.pgpainless.util.Passphrase; public final class UnlockSecretKey { @@ -50,6 +51,8 @@ public final class UnlockSecretKey { throw new PGPException("Cannot decrypt secret key."); } + PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey()); + return privateKey; } diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java index f418f577..ba16e2d0 100644 --- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java +++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java @@ -4,7 +4,12 @@ package investigations; +import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; +import static org.junit.jupiter.api.Assertions.assertThrows; + import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; @@ -12,8 +17,10 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.exception.KeyIntegrityException; +import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.key.util.KeyIdUtil; import org.pgpainless.util.Passphrase; public class ModifiedPublicKeysInvestigation { @@ -123,35 +130,154 @@ public class ModifiedPublicKeysInvestigation { "=lI+G\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - @Test - public void investigate() throws IOException { - SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); + // created with exploit code by cure53.de + private static final String INJECTED_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: F594 D7CC E7D0 1F15 1511 4395 C075 FD34 4B2A D41A\n" + + "Comment: Juliet \n" + + "\n" + + "lQPGBGGx9LYBCACxNiT7XMd6WXuZFJQ1RaQXixA+rw/VRiDueNUAkNs0BkJ92qpe\n" + + "y5ljEiY2QY8O6hXxY7b2KF77jiuejGgz962+bIEhumtyPyN4oIML7tVWSyjN5pOd\n" + + "bySAuw25752vB8Z0sDkENhidBF5yeNqeayqZOHvn1eFZsvJ2yV7J/k/H+5v1L2rH\n" + + "CoO/lttbnnAH3cGqp9FkerejlE5HGld/LKhc2ViTayjJFWGAaAqpQJNYMRtJLTVG\n" + + "c2jfYGv0j6na8/K118b/wqfKNU9O2/lzu0EpaJu6TpWZ02TeVht9NRnan6cmXH/Q\n" + + "6yxJQLRn4a1MiAyYIoWs7BpBLAxh+Za/btAFABEBAAH+CQMCIJAO8LIQWNtgQSLB\n" + + "YNMXgafrSc+E871154/yYeMPtn739smaedfrnI5nxHnuWb0pXLrfkWUIMjUwxnZ+\n" + + "ktrVekc+RLhRWJqbO42/qdNzPlNwZFZXK6VRdT8DI23pOXkQiS7kXP3RwJzFw21q\n" + + "emkOv26ZCWjnB4p/R4zpEYEAMtPDpdrIzlLU5laT9ashWDMUBA3ZSI9tH+jTmR+h\n" + + "wvjVAXRNPf4Dhyh3sadorHHqgC8v6B5/Ou5fQoSIIn6FKB4lpvnXy/R/Gp8AhmRo\n" + + "99Fdk1/XxovBVnTExO9upe/JVvu4XIQM+OxTdMyzCoFvoOGb+xhC2h/HrByouY+k\n" + + "umSCq3XMQ4GVednXufWpFu3gapf2bnCzkgczwHrrXR6B3sNgXyKhS2yCPHfLsoFE\n" + + "pkfpBQSSh5vpz5s5JWxdYWr415g8sUyva0XSwJN8QvzcLNgUBuSTDuSxGJ3j+ojl\n" + + "E2isGyo0BhJkKp90bVnpBDJD2HAsHgFns5fA1xHuLzz86kEZwH852nhXQ64SzoJZ\n" + + "Uy2+sA8afEkLm+YwcVj+6O6Kki4fqeEHVGB4aRSYbVWSLAuBfZqdIHR25xp1mp1J\n" + + "lBFeo4F3/mXtY1fO5RrROmEsDz5O018jDbB7ZeLlROPV3s/F7Dvl6LC8omOHsinw\n" + + "cV+FBEIXodrHvX55Lo+bxMDTXkQlaZjUvoce+GY0Sy1b/p2BMccG3DCfH7JH3VcM\n" + + "cLpvLg+w0/o3mxEoSkCgohAcge1V4yUXDDGXNVs3UNvtzNemMjlUX6jlcC2WBeUu\n" + + "YW0U9MxqI7pPx8+kXp0hzakr1ESRL65nFQoVYk0t8Jp4fQN79wOxt7JMnwHJ/ftg\n" + + "y7czM2WdCHmxQgaBXX8SodKrwHfbm4armomgUCKBlcytQstMghfhNwUhu8F1l/Wt\n" + + "9x8vyuVWUdpUtBxKdWxpZXQgPGp1bGlldEBtb250YWd1ZS5saXQ+iQFNBBMBCgBB\n" + + "BQJhsfS2CZDAdf00SyrUGhahBPWU18zn0B8VFRFDlcB1/TRLKtQaAp4BApsDBZYC\n" + + "AwEABIsJCAcFlQoJCAsCmQEAADvLB/9x66wNnA0O5MTIFIYf3HkMceHHq1eVgx88\n" + + "NgItRXQh4Bg90C96SY6NWwoTkcZTGsmymNuuAzhCJwXFUr+mnoBODC6Qhoo4qr9D\n" + + "vip1ekIGZUVGGRLQK6LHYtvQVKTVV4yih3CtrnP7jpN7lBVaTLCvhXqG1Ebez99Y\n" + + "ne1DbHvIzHv6l9pf2rlUf8A6I8iBlPjWe3DLVKaMI3RjfMuRFI32UYnc+bBdcpVR\n" + + "XYhXNrwj2OSTyplSBDAJfrIG5Kp+YD9Vip70csR+hZviNvyv7b/I9qfTbZw/RWBR\n" + + "P6k/8mWU66NCnP4H4vqf5wak91T/KMI59rLRl8h4oIAXtSBHYGF1nKkEYbH0thII\n" + + "KoZIzj0DAQcCAwRrGeShPKqoZYAey4qDWnMmMK//UAfP83Sf+hryPzpVa+/ywD0+\n" + + "b+lU6W5AKoK6/9AySYE02XQdC8UawAhA9CtcAwEIB/4JAwIgkA7wshBY22DxMfI0\n" + + "y3FeCOMZhTmZRkB1UgFWXeYGyd6gKI5jYFQyRCeogVZDven2aGzWiyEey+j20NbZ\n" + + "KcS0S/YUvOIIDYN2wU+2yHG4iQEzBBgBCgAdBQJhsfS2Ap4BApsMBZYCAwEABIsJ\n" + + "CAcFlQoJCAsACgkQDG4T6nONbigLjwf9EjyKrAhdrznmC2+vVoJSq9DHqLtpiGid\n" + + "b3ImJ5REKzXs8JVyyRLj0dQMOx+D6lA5xmxMjMKAFu+QKXFv1khDQofz3x+GbHDu\n" + + "Q9jROzUpErcXmTHinRE3lA2ogd0uPbQcVvG8zBxy4GuEZgXoEgYHawijnXpTdNeh\n" + + "oeLWpnx/3UQlNbQR8oSj2InG96C8fHyOBEkGdY2KweI/BU+7ui3JfSoHuOiWnsa3\n" + + "d0bptkmD7d3grIuq8oHZBkOCPOYkZbYY4WFh5L01W95Hrzf1yEjqyzvVatpiSrMK\n" + + "JIsbPcS2yyN9uXP54vwsq7D/mx6CMV1XcpZGwsT8o35Txa00MoXRo5ypBGGx9LYS\n" + + "CCqGSM49AwEHAgME8pVmU/csKSjqhvuJ0siOaf1K91BWQ4/piZ3Fv3zrcrk2sl15\n" + + "ThOU0OyvPnUf77yDrW5NRv2gnFDQNpQq2x3spAMBCAf+CQMCIJAO8LIQWNtgb47o\n" + + "8lBl7RalDXipU01bB59q2wqHVKvF3+fPQ6+c0WdT6ZxZKmV4MXnaVpx4kDozYSf8\n" + + "E7Sj7PwFdUGcP2/i8Y/NYlRErIkBMwQYAQoAHQUCYbH0tgKeAQKbDAWWAgMBAASL\n" + + "CQgHBZUKCQgLAAoJEAxuE+pzjW4oKb0H/ictFOa+m1gbxuQ4WW81/Yxt4sprsa0p\n" + + "rf7KmUAKnChcFEswtmgfFltqgo6CZssWm9bp/bsqksONUHDF1ElU1kiwKQdEau38\n" + + "Ufj7tzdBmlZuFAokHnTG+pQpyJP0w/unFZD++QU7hjXN4if/q3q2kZ+JvYpCQ1yI\n" + + "mzUkYkTbP94PBsVO7SDWnFHsvGefXwacYvV/W+OvRLFuQVR53xqbn6wGtD61t8nD\n" + + "XIFyxOECyp+E22nkeeI3betGSq0LeExPbjEUpVWWhZ4Rt2UkkmaME9V717vl5x4s\n" + + "L24DZ9kR5ToqBF682oWOXe4H18WLeBQqCI7jpx/Mx95oC+Xsm7F/K4qcqQRhsfS2\n" + + "EggqhkjOPQMBBwIDBAc4vOQ08Z6IDj/7JSKomFsJtE++n1Bb22QdiQWnrQ/t0B2Y\n" + + "53woGsMh+KYDInE2XET7xpl5Ufscy2X3AMnFZlEDAQgH/gkDArgFuyIOfkRHYHi3\n" + + "iHCxic2RPt8FkLlQMjg66rKPv7sAye1tJG0QeEBOvDeTq0f64OddF7BuBe5t/wUg\n" + + "qABg8nj8tku9Tj8vUjnowraha5+JATMEGAEKAB0FAmGx9LYCngECmwwFlgIDAQAE\n" + + "iwkIBwWVCgkICwAKCRDAdf00SyrUGmfyB/9aVNKuDTH6yRZWPYoypA6UCChvJb38\n" + + "K4aW2DexljtmuA7i4lbomFkltbbEiZOw2+Q1uan2gVrhwPIh9aRFZH4H4djlVzEh\n" + + "Xg4G51N548Ye4xWHw7LLttoRghfUB4skgAxvuj5eBRfQJBM4/qm1V3QXGkbYPKuD\n" + + "QDgApRZNt5Cal4uD+dj7rxhq+RUC0KbFKMXQoGtgqeeKZ0AtLgjxDR/7NXo21YS2\n" + + "6hEQTtowHm3gFQPyC9LHZbnlp6lmz3gVTeR79kQkbwGjeFZtnbVboSwIYuurq4vc\n" + + "gHJaPa2iv3d1AmhtqLXIGfVPuW5+ldPDIeXGcVa1QWy+tPqf+d2V0O3SnKkEYbH0\n" + + "thIIKoZIzj0DAQcCAwSdwn1X0Iad1ljcVzuhCLfQgmfe6vslc/DzTrXK9zM/JeZ7\n" + + "pYQZybmkIqVr+azNDGR5A1queAf9Z6jgbPSR2uQlAwEIB/4JAwK4BbsiDn5ER2Aj\n" + + "XvTPCUUX6hL8kG3mybW/Y9B3GzMSAUjYm0waLsvmu8f/miOqZ/sprMQKhpFE76f7\n" + + "1NvDh2ZjMwVO3BOs2PRfnAOPE8KXiQEzBBgBCgAdBQJhsfS2Ap4BApsMBZYCAwEA\n" + + "BIsJCAcFlQoJCAsACgkQwHX9NEsq1BoVPQf/QY4yo51KqtpxxZ3DGc+A11kcQC2M\n" + + "GSJR7kMAlGY/wMhjVVVhdvU0d1tNUI//qil/xjdCHggGnIC0k6Gn64j2KDbwGn/n\n" + + "ptCO7X4w9r/dHjWe0s7OSVBKs8fF7/7gX3eejQ3IXV6CrwIZ1nP5Ugd5ywX2ciLE\n" + + "T1bWeJWPaNV+dz+ZzZqgd/vM8dmDUw3bfolJRdxdRIzJyq6TgdG/U8Ae2TkGEHyM\n" + + "a3ZBwq51y2Y6z9WuangJ00RFjnQOZvXsueJKepLPTioo4TJXaYkD7VOYNxFIJQPt\n" + + "7Yv10ZA5XaaMrWtWG6vei9Ji53/bYNRVqs5jcNS168zeMOYgwrEaDbpU3g==\n" + + "=WEYQ\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + @Test + public void assertModifiedDSAKeyThrowsKeyIntegrityException() throws IOException { + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); PGPSecretKeyRing dsa = PGPainless.readKeyRing().secretKeyRing(DSA); + + assertThrows(KeyIntegrityException.class, () -> + UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("b1bd1f049ec87f3d")), protector)); + assertThrows(KeyIntegrityException.class, () -> + UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector)); + } + + @Test + public void assertModifiedElGamalKeyThrowsKeyIntegrityException() throws IOException { + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL); - // CHECKSTYLE:OFF - for (PGPSecretKey secretKey : dsa) { - try { - UnlockSecretKey.unlockSecretKey(secretKey, protector); - System.out.println("No KeyIntegrityException for dsa key " + Long.toHexString(secretKey.getKeyID())); - } catch (KeyIntegrityException e) { - System.out.println("KeyIntegrityException for dsa key " + Long.toHexString(secretKey.getKeyID())); - } catch (PGPException e) { - System.out.println("Cannot unlock dsa key: " + e.getMessage()); - } - } + assertThrows(KeyIntegrityException.class, () -> + UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector)); + } - for (PGPSecretKey secretKey : elgamal) { - try { - UnlockSecretKey.unlockSecretKey(secretKey, protector); - System.out.println("No KeyIntegrityException for elgamal key " + Long.toHexString(secretKey.getKeyID())); - } catch (KeyIntegrityException e) { - System.out.println("KeyIntegrityException for elgamal key " + Long.toHexString(secretKey.getKeyID())); - }catch (PGPException e) { - System.out.println("Cannot unlock elgamal key: " + e.getMessage()); - } + @Test + public void assertInjectedKeyRingFailsToUnlockPrimaryKey() throws IOException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(INJECTED_KEY); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("pass")); + + assertThrows(KeyIntegrityException.class, () -> + UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), protector)); + } + + @Test + public void assertCannotUnlockElGamalPrimaryKeyDueToDummyS2K() throws IOException { + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678")); + PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL); + + assertThrows(PGPException.class, () -> + UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(KeyIdUtil.fromLongKeyId("5f04acf44fd822b1")), protector)); + } + + @Test + public void assertUnmodifiedRSAKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .simpleRsaKeyRing("Unmodified", RsaLength._4096, "987654321"); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); + + for (PGPSecretKey secretKey : secretKeys) { + assertDoesNotThrow(() -> + UnlockSecretKey.unlockSecretKey(secretKey, protector)); + } + } + + @Test + public void assertUnmodifiedECKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .simpleEcKeyRing("Unmodified", "987654321"); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); + + for (PGPSecretKey secretKey : secretKeys) { + assertDoesNotThrow(() -> + UnlockSecretKey.unlockSecretKey(secretKey, protector)); + } + } + + @Test + public void assertUnmodifiedModernKeyDoesNotThrow() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Unmodified", "987654321"); + SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("987654321")); + + for (PGPSecretKey secretKey : secretKeys) { + assertDoesNotThrow(() -> + UnlockSecretKey.unlockSecretKey(secretKey, protector)); } - // CHECKSTYLE:ON } } From 710f676dc3959f6a98f57b8116d789cacfd22800 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 7 Dec 2021 23:46:44 +0100 Subject: [PATCH 0199/1450] Rename MAX_RECURSION_DEPTH constant to avoid confusion --- .../decryption_verification/DecryptionStreamFactory.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 459bfb8d..d6864104 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -74,7 +74,8 @@ public final class DecryptionStreamFactory { private static final Logger LOGGER = LoggerFactory.getLogger(DecryptionStreamFactory.class); - private static final int MAX_RECURSION_DEPTH = 16; + // Maximum nesting depth of packets (e.g. compression, encryption...) + private static final int MAX_PACKET_NESTING_DEPTH = 16; private final ConsumerOptions options; private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); @@ -188,7 +189,7 @@ public final class DecryptionStreamFactory { } private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth) throws IOException, PGPException { - if (depth >= MAX_RECURSION_DEPTH) { + if (depth >= MAX_PACKET_NESTING_DEPTH) { throw new PGPException("Maximum recursion depth of packages exceeded."); } Object nextPgpObject; From ba9de4b44a0bc3086ddb7f34f472bfc294008b60 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 01:14:24 +0100 Subject: [PATCH 0200/1450] EncryptionOptions: replace arguments of type PGPPublicKeyRingCollection with Iterable --- .../pgpainless/encryption_signing/EncryptionOptions.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index 9b51d931..705389d1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -99,12 +99,12 @@ public class EncryptionOptions { } /** - * Add all key rings in the provided key ring collection as recipients. + * Add all key rings in the provided {@link Iterable} (e.g. {@link PGPPublicKeyRingCollection}) as recipients. * * @param keys keys * @return this */ - public EncryptionOptions addRecipients(PGPPublicKeyRingCollection keys) { + public EncryptionOptions addRecipients(Iterable keys) { for (PGPPublicKeyRing key : keys) { addRecipient(key); } @@ -112,14 +112,14 @@ public class EncryptionOptions { } /** - * Add all key rings in the provided key ring collection as recipients. + * Add all key rings in the provided {@link Iterable} (e.g. {@link PGPPublicKeyRingCollection}) as recipients. * Per key ring, the selector is applied to select one or more encryption subkeys. * * @param keys keys * @param selector encryption key selector * @return this */ - public EncryptionOptions addRecipients(@Nonnull PGPPublicKeyRingCollection keys, @Nonnull EncryptionKeySelector selector) { + public EncryptionOptions addRecipients(@Nonnull Iterable keys, @Nonnull EncryptionKeySelector selector) { for (PGPPublicKeyRing key : keys) { addRecipient(key, selector); } From e59a8884c15eb3d118b446b64cfd14f4ac24552e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 01:14:55 +0100 Subject: [PATCH 0201/1450] SigningOptions: Replace arguments PGPSecretKeyRingCollection with Iterable --- .../org/pgpainless/encryption_signing/SigningOptions.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index de01fa53..1ef1bc4c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -17,7 +17,6 @@ import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignatureGenerator; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; import org.pgpainless.PGPainless; @@ -108,7 +107,7 @@ public final class SigningOptions { * @throws PGPException if any of the keys cannot be unlocked or a signing method cannot be created */ public SigningOptions addInlineSignatures(SecretKeyRingProtector secrectKeyDecryptor, - PGPSecretKeyRingCollection signingKeys, + Iterable signingKeys, DocumentSignatureType signatureType) throws KeyValidationError, PGPException { for (PGPSecretKeyRing signingKey : signingKeys) { @@ -213,7 +212,7 @@ public final class SigningOptions { * @throws PGPException if any of the keys cannot be validated or unlocked, or if any signing method cannot be created */ public SigningOptions addDetachedSignatures(SecretKeyRingProtector secretKeyDecryptor, - PGPSecretKeyRingCollection signingKeys, + Iterable signingKeys, DocumentSignatureType signatureType) throws PGPException { for (PGPSecretKeyRing signingKey : signingKeys) { From 80e12db8b683193fcf4c4365a37b21498c8dbac4 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 12:27:32 +0100 Subject: [PATCH 0202/1450] Prevent message decryption using non-encryption key --- .../DecryptionStreamFactory.java | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index d6864104..40c0af61 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -393,7 +393,22 @@ public final class DecryptionStreamFactory { continue; } - PGPSecretKey secretKey = secretKeys.getSecretKey(keyId); + // Make sure that the recipient key is encryption capable and non-expired + KeyRingInfo info = new KeyRingInfo(secretKeys); + List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); + + PGPSecretKey secretKey = null; + for (PGPPublicKey pubkey : encryptionSubkeys) { + if (pubkey.getKeyID() == keyId) { + secretKey = secretKeys.getSecretKey(keyId); + break; + } + } + + if (secretKey == null) { + LOGGER.debug("Key " + Long.toHexString(keyId) + " is not valid or not capable for decryption."); + } + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); } if (privateKey == null) { From 5108b812521fba7444e30272988c7b991bccacd3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 12:43:08 +0100 Subject: [PATCH 0203/1450] Add test to ensure PGPainless will refuse to decrypt message with incapable key --- .../DecryptionStreamFactory.java | 4 +- ...ntDecryptionUsingNonEncryptionKeyTest.java | 202 ++++++++++++++++++ 2 files changed, 204 insertions(+), 2 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 40c0af61..df2f5172 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -407,9 +407,9 @@ public final class DecryptionStreamFactory { if (secretKey == null) { LOGGER.debug("Key " + Long.toHexString(keyId) + " is not valid or not capable for decryption."); + } else { + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); } - - privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); } if (privateKey == null) { continue; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java new file mode 100644 index 00000000..851a1bef --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java @@ -0,0 +1,202 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.decryption_verification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.nio.charset.StandardCharsets; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.util.io.Streams; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.exception.MissingDecryptionMethodException; +import org.pgpainless.key.SubkeyIdentifier; + +public class PreventDecryptionUsingNonEncryptionKeyTest { + + private static final String ENCRYPTION_CAPABLE_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 1E9C 0357 913E 797A E3EF 5D15 E683 CE77 5D98 8147\n" + + "Comment: Alice \n" + + "\n" + + "lQcYBGG3LpQBEADL6KpZqK4hVU49g7xDxalj2Nuf5rtVHmof2qcYHulPjchveUHN\n" + + "+mHuRiyCZIZ0tlURMEvq4hQmQTxvEVkQumH5mvnpOMR0hWOM7WYZGp+X8frqzT0t\n" + + "S2HE/PVYfN8P3W2HGarX9ihy+oqSTdmxSBTGPEHuOKeAazgL2oOPzA+dtOOVxbxC\n" + + "YyK5r3X/Ut5rJk84OdXNRTjxqiLUneXTBnJc9HP1FpUCpBjkvgJpT9o8Ixe5OMSP\n" + + "J+ubwscPBA5AaWXAPT0HKBo7LSgOxCIKq/QcP+YnZhsVfoUrzs4YiCUlY5U3yWt+\n" + + "57vWxXgYJanlqnkOP+bxxkp6Yly4XnRzYGne3FWQ2y3WyZA8M66HbkmgNjuh74S5\n" + + "RIFJ3RdPxUGzRmdl/bosxSwpqjOE26tE0373gxbQ2y5xHAFfRTrBh8RjSQBn/dUN\n" + + "9ZO6QwOCc90B/Vlg83sNjNrkRA4E8+q8I30dX2iXUrclis5FrqZb6fJsAFA0tCv0\n" + + "Dojk4pt3HBlrc+AUCzqnEmary5T/RchrZ8ynod9uh3P4jyOiEGS2zui66ghJ1Iqg\n" + + "N1QVex+eyRDU4wxQQvUEX4uzmjta6VtVa1vCVi0i4N3Ntt49yi38L4V32m0duzVf\n" + + "owyhtu3+qBbRZaeFxmJlqbjK9PASW5VtRept8cnDQU8MN3Rs8o7U0fglvwARAQAB\n" + + "AA/+Jp1yHTaXe1KHVZjr/z2gfXsk5Fwyn8T5vfyPZj78Wgd0rL+e2Z4QC6qYZT0a\n" + + "RWH+LBokVl/oBvKVukbjwgo54aYaq7MHaTWVi6utiRWEoaa+qNajPj+nTUHGSLKl\n" + + "H4EEa/BNbUZ9lICj218I2czXuk7RAYcTGXu0inIgNgwj7O7Dpqpio4PYoKd8xhRw\n" + + "cIQ5vmEdfxkb1pAstm0Mh/ERmU7l4sUbBPwEhtUA6eaoYnkW1gnNF3ss4Dt7rPlM\n" + + "paAQF97A/uj2RryfeGRmOfUkbnEfadipSmHCYHBykSy/NBxutrjbNZY2+U4+FvyS\n" + + "9x5YfH1Xg/PUSOb1viiNDwh0I9yQme3xybbSB8lMDjzGx4RY4+CCQSKwvaiCI7QT\n" + + "+A8MZoPZNImQtPcyJLRnY2NKVs4OoCq6lC4H5JNbk0Yu2Vzm8j/jkIxBlD7YOIXh\n" + + "4RXXmnbufKYUjzqioEa0A4AJDwIZKDhLmjqJ0QAXwxiRP5qSAV8ayDN8ocxMsaSb\n" + + "Ri4nKgcSXwXV3dEMpy5nGFyf7oYatF8t89l9zGHrACeC/bYU9q4jd8lModgb+ndP\n" + + "KCRvq2P0Yku48czKCp5v554c9kk6WyBpoJXZePbIX+1Hd71A7xBwgBSui+xRVq6o\n" + + "Ue4GSySXJAFSkFIN2K8NZ3AsV4+SK+S0QDyRzVoEZ3fhTNkIANdsnIonVP6hsbQ4\n" + + "+e00UHaJSxWeqlgEEc6ytf5V7VVDX59fgMdMndORh0VQgHnFbpmHj0/N5hb+wFfo\n" + + "ryBb5EbFijruNcT1g+0TfeBduArvrvUwtnoYQpEAb/ykCVTyOf4ItESnaFTzv3Fr\n" + + "7rdoWQo2Oei94lS1qc14fqxmMfjjZwG+aEvLwZc5UTf986UTXOvAuZuUBr5T0g4/\n" + + "0/ilq1ZwVNmOYbyBFEIsLusSlnqYLytlRWyHY9JBQt8BG3QjixF0rBz9uKtdOjdN\n" + + "3gOPFh/5+kmjpJ7s0M0CrfGsjaGk2jgUW1TjYQCviRrNNgZB8jKDK1pYFEQIqWYC\n" + + "KVncr9MIAPJQzOhus0jdM7F7i0z1dSSIcQS3onLAfyGZywJFb3QCOfjLFI3StJQW\n" + + "mKYXR7rHnvmT6b/Lk+WtMUT7TWGReG8ST4riDNAPoQeblaSMHpMKadmjME2/sjz3\n" + + "nbm9gUfbtA8hwJP+0HPLjwx4oh6A6YaUgSKYjeTgd6T6a1Je0uTrYwsrI3Dh1lJs\n" + + "IqgIakbFWwGBpNr+zUF2Wz7clmIb7VWd1ywoHnN48ebr6rxGp8dHecZRI2EY8se2\n" + + "SPUd2bhrYgYlYxeFt0k35USBzBV9283Iq+c73ux5E5+yxuzZbm9/YG9rqztjlOLx\n" + + "VZsAjuvq6Ema4sJ5CvOwNJaEbf7I6uUH/RX8kLog9P5USzWcAuWpIJUJ4Pt0juNy\n" + + "L++sr65cgsCcdcTXTT8kIyTRnHEXDbl75IKPu9PsACEPdVRIeb6hnrPBMwKmafEq\n" + + "0uLdnMtmmCwjc49sp69VvhXZj0cEFBgaYq7OUvWzsjlDd/IrKC+x9uJoaXb6CpMp\n" + + "IU8KyEqwIHyqRAIz8jD9oRa/OCMTqno0fuW+Q663g2AvW/Hn/oSWiHVFaU6zJd9L\n" + + "SPgKUIQ/jUpxLbYoC45wtui9kCvR3KbA4rI/9OQwPSUtW6fOyENkT0rwz8o76yiv\n" + + "w22cnXrkKZZRKpfAtpXrB2f0/uLFeCUMJ5cydeCOX1jS8I4R6HOUlTGDiLQcQWxp\n" + + "Y2UgPGFsaWNlQHBncGFpbmxlc3Mub3JnPokCTQQTAQoAQQUCYbculAmQ5oPOd12Y\n" + + "gUcWoQQenANXkT55euPvXRXmg853XZiBRwKeAQKbBwWWAgMBAASLCQgHBZUKCQgL\n" + + "ApkBAAAdOA/9F4H5t1QtDhtlICCAunvNXhCCALeO9sS6p3ChBcxitTVeqrjTpS/3\n" + + "UvIDeTgswFSX4isxM27bN/ee/WdNhFIM/sNxrx6C1hdeaOskYPr6CLrzFyety4Mu\n" + + "aeOc7CsHBUYwo7M0n4Po0z6Sc1yZHN1tKxYuyC2v8jr+QdH2DQfgl1p0xMyGXIQw\n" + + "I5zzHK7mUUPV6Rhk0uBNzcoC2iQqLxcfxWISxGn7mBqKEnQRC15Jx30uUon3RHKh\n" + + "O4Zo217qnAx3DgeUU9D+Bw9MByHK+rjuSCiHySfvEQNXQZroMAf8/oLrtviIm/aa\n" + + "qoOsnIavkPJz+ScnMXeSiZkuPsBNys1S5XHBIP9BtKO6/UgVE/Lla//7j2Y42859\n" + + "AL+v4mswCtCW4pIYTxkJjvz7eFEDWoanLutvk3wwcNCds8+vx9RYXN0T3x+l8C6F\n" + + "AW1Mppg0oblEDw9X4wwL1pwaE29AwDLQRy0a93sqe5qePXiC3Hp3ln19ReR0+trm\n" + + "PMvuQHTsrp+Q4WsVDKIhXONGE6Zcq2jE9w5GJDR98ASGq/b8KVjmZwslh0N6KBra\n" + + "bFTBNvQAwKiHynOzFDgxBuZ1RqUKsuJS22ddkdDa1bcGJs2e0PucBsRbH+GJc9Xh\n" + + "VIBeDZV/7BVRxsifv1CXYAQF0bwSWROzRV9zf8l4Nfouk2kJ/3TEpMY=\n" + + "=JH2v\n" + + "-----END PGP PRIVATE KEY BLOCK-----"; + + // same key, but with crippling self-signature with flags [C,S] + private static final String ENCRYPTION_INCAPABLE_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + + "Version: PGPainless\n" + + "Comment: 1E9C 0357 913E 797A E3EF 5D15 E683 CE77 5D98 8147\n" + + "Comment: Alice \n" + + "\n" + + "lQcYBGG3LpQBEADL6KpZqK4hVU49g7xDxalj2Nuf5rtVHmof2qcYHulPjchveUHN\n" + + "+mHuRiyCZIZ0tlURMEvq4hQmQTxvEVkQumH5mvnpOMR0hWOM7WYZGp+X8frqzT0t\n" + + "S2HE/PVYfN8P3W2HGarX9ihy+oqSTdmxSBTGPEHuOKeAazgL2oOPzA+dtOOVxbxC\n" + + "YyK5r3X/Ut5rJk84OdXNRTjxqiLUneXTBnJc9HP1FpUCpBjkvgJpT9o8Ixe5OMSP\n" + + "J+ubwscPBA5AaWXAPT0HKBo7LSgOxCIKq/QcP+YnZhsVfoUrzs4YiCUlY5U3yWt+\n" + + "57vWxXgYJanlqnkOP+bxxkp6Yly4XnRzYGne3FWQ2y3WyZA8M66HbkmgNjuh74S5\n" + + "RIFJ3RdPxUGzRmdl/bosxSwpqjOE26tE0373gxbQ2y5xHAFfRTrBh8RjSQBn/dUN\n" + + "9ZO6QwOCc90B/Vlg83sNjNrkRA4E8+q8I30dX2iXUrclis5FrqZb6fJsAFA0tCv0\n" + + "Dojk4pt3HBlrc+AUCzqnEmary5T/RchrZ8ynod9uh3P4jyOiEGS2zui66ghJ1Iqg\n" + + "N1QVex+eyRDU4wxQQvUEX4uzmjta6VtVa1vCVi0i4N3Ntt49yi38L4V32m0duzVf\n" + + "owyhtu3+qBbRZaeFxmJlqbjK9PASW5VtRept8cnDQU8MN3Rs8o7U0fglvwARAQAB\n" + + "AA/+Jp1yHTaXe1KHVZjr/z2gfXsk5Fwyn8T5vfyPZj78Wgd0rL+e2Z4QC6qYZT0a\n" + + "RWH+LBokVl/oBvKVukbjwgo54aYaq7MHaTWVi6utiRWEoaa+qNajPj+nTUHGSLKl\n" + + "H4EEa/BNbUZ9lICj218I2czXuk7RAYcTGXu0inIgNgwj7O7Dpqpio4PYoKd8xhRw\n" + + "cIQ5vmEdfxkb1pAstm0Mh/ERmU7l4sUbBPwEhtUA6eaoYnkW1gnNF3ss4Dt7rPlM\n" + + "paAQF97A/uj2RryfeGRmOfUkbnEfadipSmHCYHBykSy/NBxutrjbNZY2+U4+FvyS\n" + + "9x5YfH1Xg/PUSOb1viiNDwh0I9yQme3xybbSB8lMDjzGx4RY4+CCQSKwvaiCI7QT\n" + + "+A8MZoPZNImQtPcyJLRnY2NKVs4OoCq6lC4H5JNbk0Yu2Vzm8j/jkIxBlD7YOIXh\n" + + "4RXXmnbufKYUjzqioEa0A4AJDwIZKDhLmjqJ0QAXwxiRP5qSAV8ayDN8ocxMsaSb\n" + + "Ri4nKgcSXwXV3dEMpy5nGFyf7oYatF8t89l9zGHrACeC/bYU9q4jd8lModgb+ndP\n" + + "KCRvq2P0Yku48czKCp5v554c9kk6WyBpoJXZePbIX+1Hd71A7xBwgBSui+xRVq6o\n" + + "Ue4GSySXJAFSkFIN2K8NZ3AsV4+SK+S0QDyRzVoEZ3fhTNkIANdsnIonVP6hsbQ4\n" + + "+e00UHaJSxWeqlgEEc6ytf5V7VVDX59fgMdMndORh0VQgHnFbpmHj0/N5hb+wFfo\n" + + "ryBb5EbFijruNcT1g+0TfeBduArvrvUwtnoYQpEAb/ykCVTyOf4ItESnaFTzv3Fr\n" + + "7rdoWQo2Oei94lS1qc14fqxmMfjjZwG+aEvLwZc5UTf986UTXOvAuZuUBr5T0g4/\n" + + "0/ilq1ZwVNmOYbyBFEIsLusSlnqYLytlRWyHY9JBQt8BG3QjixF0rBz9uKtdOjdN\n" + + "3gOPFh/5+kmjpJ7s0M0CrfGsjaGk2jgUW1TjYQCviRrNNgZB8jKDK1pYFEQIqWYC\n" + + "KVncr9MIAPJQzOhus0jdM7F7i0z1dSSIcQS3onLAfyGZywJFb3QCOfjLFI3StJQW\n" + + "mKYXR7rHnvmT6b/Lk+WtMUT7TWGReG8ST4riDNAPoQeblaSMHpMKadmjME2/sjz3\n" + + "nbm9gUfbtA8hwJP+0HPLjwx4oh6A6YaUgSKYjeTgd6T6a1Je0uTrYwsrI3Dh1lJs\n" + + "IqgIakbFWwGBpNr+zUF2Wz7clmIb7VWd1ywoHnN48ebr6rxGp8dHecZRI2EY8se2\n" + + "SPUd2bhrYgYlYxeFt0k35USBzBV9283Iq+c73ux5E5+yxuzZbm9/YG9rqztjlOLx\n" + + "VZsAjuvq6Ema4sJ5CvOwNJaEbf7I6uUH/RX8kLog9P5USzWcAuWpIJUJ4Pt0juNy\n" + + "L++sr65cgsCcdcTXTT8kIyTRnHEXDbl75IKPu9PsACEPdVRIeb6hnrPBMwKmafEq\n" + + "0uLdnMtmmCwjc49sp69VvhXZj0cEFBgaYq7OUvWzsjlDd/IrKC+x9uJoaXb6CpMp\n" + + "IU8KyEqwIHyqRAIz8jD9oRa/OCMTqno0fuW+Q663g2AvW/Hn/oSWiHVFaU6zJd9L\n" + + "SPgKUIQ/jUpxLbYoC45wtui9kCvR3KbA4rI/9OQwPSUtW6fOyENkT0rwz8o76yiv\n" + + "w22cnXrkKZZRKpfAtpXrB2f0/uLFeCUMJ5cydeCOX1jS8I4R6HOUlTGDiLQcQWxp\n" + + "Y2UgPGFsaWNlQHBncGFpbmxlc3Mub3JnPokCTQQTAQoAQQUCYbculAmQ5oPOd12Y\n" + + "gUcWoQQenANXkT55euPvXRXmg853XZiBRwKeAQKbBwWWAgMBAASLCQgHBZUKCQgL\n" + + "ApkBAAAdOA/9F4H5t1QtDhtlICCAunvNXhCCALeO9sS6p3ChBcxitTVeqrjTpS/3\n" + + "UvIDeTgswFSX4isxM27bN/ee/WdNhFIM/sNxrx6C1hdeaOskYPr6CLrzFyety4Mu\n" + + "aeOc7CsHBUYwo7M0n4Po0z6Sc1yZHN1tKxYuyC2v8jr+QdH2DQfgl1p0xMyGXIQw\n" + + "I5zzHK7mUUPV6Rhk0uBNzcoC2iQqLxcfxWISxGn7mBqKEnQRC15Jx30uUon3RHKh\n" + + "O4Zo217qnAx3DgeUU9D+Bw9MByHK+rjuSCiHySfvEQNXQZroMAf8/oLrtviIm/aa\n" + + "qoOsnIavkPJz+ScnMXeSiZkuPsBNys1S5XHBIP9BtKO6/UgVE/Lla//7j2Y42859\n" + + "AL+v4mswCtCW4pIYTxkJjvz7eFEDWoanLutvk3wwcNCds8+vx9RYXN0T3x+l8C6F\n" + + "AW1Mppg0oblEDw9X4wwL1pwaE29AwDLQRy0a93sqe5qePXiC3Hp3ln19ReR0+trm\n" + + "PMvuQHTsrp+Q4WsVDKIhXONGE6Zcq2jE9w5GJDR98ASGq/b8KVjmZwslh0N6KBra\n" + + "bFTBNvQAwKiHynOzFDgxBuZ1RqUKsuJS22ddkdDa1bcGJs2e0PucBsRbH+GJc9Xh\n" + + "VIBeDZV/7BVRxsifv1CXYAQF0bwSWROzRV9zf8l4Nfouk2kJ/3TEpMaJAkoEEwEK\n" + + "AD4FAmG3MJUJkOaDznddmIFHFqEEHpwDV5E+eXrj710V5oPOd12YgUcCngECmwMF\n" + + "lgIDAQAEiwkIBwWVCgkICwAAWs8QALXbuNxiLfNBZ+d+WoZVAgfDXuFtiayWr9pX\n" + + "KGX+a1aXgrr2+e4DjjMChdyRUHiM1IH4KsHQ3ws/lrIB3Th2a25FAXwnFs03P0Xb\n" + + "XDyl0pBH/+tzdhOugfZdA1GM16H6nT1BPzn8wk9sfQvbYk1LopioI7PVIhjjbo1g\n" + + "rgFt6v9IEaRjfhWaOuFQ2PoYe/Nl0d2P69Wig718s7aW4cgkt5l63yu/QbBcSCTo\n" + + "CTDqlR8Fz93E3h1v4mS6Y+yIJ1Pz8rv7HEH0o2WALMSKuPlSSBaQdimYPOlYTmxO\n" + + "9lrdXMxTWQggiAvljzjwute5HT+1770gNuNtjbUgzyw4T/bLGTQms4dSG1FOyO4w\n" + + "OYuyD/09bAeas99DDPR8MYj8g1xjPTwUo50kNw1p6oO8TXEItvK2xrQSc69qNbX4\n" + + "k2tRC7ef/aGaJerzGXr8j5TPU0+qaudTF0if5oGbz2/fyg9JeLmV5yXa86o83KxR\n" + + "EapO9b+UW46R5USUhqi9OAxN3I3SsuR60/3F1nyli4PZKGwBH3ZIjSrW4JaeUWsB\n" + + "+f9VJKhwtshcue+FxtZVEczrlZrQxuICJTUt84gvtXz22ZGNhXTBNCMsO0UPSEj9\n" + + "fxRW1IcRfQYnmmaJLDOMuiFynX49Ck3UzXsc4OjUGapAFGMEbL5yyJUoq8tHM+XG\n" + + "sqSmGpGc\n" + + "=3NqQ\n" + + "-----END PGP PRIVATE KEY BLOCK-----\n"; + + private static final String MSG = "-----BEGIN PGP MESSAGE-----\n" + + "Version: PGPainless\n" + + "\n" + + "hQIMA+aDznddmIFHAQ//X9ML2+fboZEJZpw/p2WD7k9SREZ24KdJtdUif98pEoFw\n" + + "yQB5CC2s2gBENJ+2N7UV1esU/oW7Bs+RSvNKl4eIyrH/Tz3ijVd/mcGYcKOxejW8\n" + + "4ES5BWdRj0+9/CV3AGwAKb3g3D39tbiWqh0CH+2Ayq9O8MQo4/zE+fKSjFdfPD/y\n" + + "oLtrv9Fkh6stg+j+1QRgWG/2NIeA7/8JJlyzHvcuq0jpBUhsrVRgm0vjpyZnPl/s\n" + + "tz3wjWBcQD1RQXFTSpgsnbB8e0FkzPGWZ5QtxKHOo8clrTQg9LUtj/S3R0iLN6sI\n" + + "CtiTojpMRSbTOCjdFCcYR/scU+eyqDcZ096EgfBQitj4ALUYOFkILBS9M+Lh3xIz\n" + + "rv3+z0kmRHyKn8kcmTEoqyqkZfuEMOY6gK+hD9garBJ/91tN8ul4uHax7CMwqN8/\n" + + "yKWoATEU7ZHMe7jF6jS5pK8ET8IP2yVfZOhGZW8mcMrUMiF7LG1HepK5p7UMkmbX\n" + + "GHkU3vEU429PL4NXDnuLufObqZBg5zSdIzo/LXtvLKXaHUv0am1JW2wQD8hAUJAt\n" + + "Uz+NFncS+a8bbsu1wNRjAr6Rg/5VHEk/5h+zuZP8UkCQp5NID26oVvnfDkTXAZ1+\n" + + "egh7coZ4a2IqEVBDWnkAXssxGBxVwGDr14oNC1SaABWzqPxaY0yVrpZcr30ghqPS\n" + + "PwHcN1NCaMtJDH4ThxH5L6zHboQeX2R6x9vpWLu9FDFqEDilxHtw+7Lax4yralGC\n" + + "q3K54WgyYD2Q2tzMXOTEwg==\n" + + "=+Ttf\n" + + "-----END PGP MESSAGE-----"; + + @Test + public void baseCase() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_CAPABLE_KEY); + + ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); + DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() + .onInputStream(msgIn) + .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys)); + + Streams.drain(decryptionStream); + decryptionStream.close(); + OpenPgpMetadata metadata = decryptionStream.getResult(); + + assertEquals(metadata.getDecryptionKey(), new SubkeyIdentifier(secretKeys, secretKeys.getPublicKey().getKeyID())); + } + + @Test + public void nonEncryptionKeyCannotDecrypt() throws IOException { + PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY); + + ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8)); + + assertThrows(MissingDecryptionMethodException.class, () -> + PGPainless.decryptAndOrVerify() + .onInputStream(msgIn) + .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys))); + } +} From af8d04c66f44d8d08e5eb37ca6bdc91cfd7e5bf1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 13:21:18 +0100 Subject: [PATCH 0204/1450] Threat Model: add remark about secure key storage --- pgpainless-core/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md index 68b27096..82a7fcf0 100644 --- a/pgpainless-core/README.md +++ b/pgpainless-core/README.md @@ -43,3 +43,11 @@ It was decided that protection against brute force attacks on passwords used in PGPainless cannot limit access to the ciphertext that is being brute forced, as that is provided by the application that uses PGPainless. Therefore, protection against brute force attacks must be employed by the application itself. + +#### (Public) Key Modification Attacks +As a library, PGPainless cannot protect against swapped out public keys. +It is therefore responsibility of the consumer to ensure that an attacker on the same system cannot tamper with stored keys. +It is highly advised to store both secret and public keys in a secure key storage which protects against modifications. + +Furthermore, PGPainless cannot verify key authenticity, so it is up to the application that uses PGPainless to check, +if a key really belongs to a certain user. \ No newline at end of file From bf5510893dbb7757222f08808c27fdb72b1e910b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 13:21:44 +0100 Subject: [PATCH 0205/1450] Update changelog --- CHANGELOG.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42e62032..e0c72507 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,27 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc7-SNAPSHOT +- Make `Passphrase` comparison constant time +- Bump Bouncycastle to 1.70 + - Use new `PGPCanonicalizedDataGenerator` where applicable + - Implement decryption with user-provided session key + - Remove workaround for invalid signature processing +- Remove Blowfish from default symmetric decryption/encryption policy +- When adding/generating keys: Check compliance to `PublicKeyAlgorithmPolicy` +- Fix `BaseSecretKeyRingProtector` misinterpreting empty passphrases +- SOP: Fix NPE when attempting to sign with key with missing signing subkey +- Describe Threat Model in [pgpainless-core/README.md] +- Fix NPE when attempting to decrypt GNU_DUMMY_S2K key +- Validate public key parameters when unlocking secret keys +- Introduce iteration limits to prevent resource exhaustion when + - reading signatures + - reading keys +- `CachingSecretKeyRingProtector`: Prevent accidental passphrase overriding via `addPassphrase()` +- `EncryptionOptions`: replace method argument type `PGPPublicKeyRingCollection` with `Iterable` to allow for `Collection` as argument +- `SigningOptions`: replace method argument type `PGPSecretKeyRingCollection` with `Iterable` to allow for `Collection` as argument +- Prevent message decryption with non-encryption subkey + ## 1.0.0-rc6 - Restructure method arguments in `SecretKeyRingEditor` - Add explanations of revocation reasons to `RevocationAttributes` From c4e3e2782144f87032e1c374c0c30bcad84e6b70 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 13:28:34 +0100 Subject: [PATCH 0206/1450] Fix replacePassphrase(secretKeys, passphrase) --- .../key/protection/CachingSecretKeyRingProtector.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java index a939c8af..d5b05613 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java @@ -128,7 +128,7 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se Iterator keys = keyRing.getPublicKeys(); while (keys.hasNext()) { PGPPublicKey publicKey = keys.next(); - addPassphrase(publicKey, passphrase); + replacePassphrase(publicKey.getKeyID(), passphrase); } } From f8968fc075f418d33ee257f735ccc6c82a2ca8c9 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 13 Dec 2021 13:28:53 +0100 Subject: [PATCH 0207/1450] Add test for CachingSecretKeyRingProtector.replacePassphrase(*) --- .../CachingSecretKeyRingProtectorTest.java | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index 277d9d44..d843b9c2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -7,7 +7,9 @@ package org.pgpainless.key.protection; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Iterator; @@ -22,6 +24,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; +import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; import org.pgpainless.util.Passphrase; @@ -132,4 +135,30 @@ public class CachingSecretKeyRingProtectorTest { } } + @Test + public void testAddPassphrase_collision() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector(); + protector.addPassphrase(secretKeys, TestKeys.CRYPTIE_PASSPHRASE); + + assertThrows(IllegalArgumentException.class, () -> + protector.addPassphrase(secretKeys.getPublicKey(), Passphrase.emptyPassphrase())); + + assertThrows(IllegalArgumentException.class, () -> + protector.addPassphrase(secretKeys, Passphrase.fromPassword("anotherPass"))); + } + + @Test + public void testReplacePassphrase() throws PGPException, IOException { + PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); + CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector(); + protector.addPassphrase(secretKeys, Passphrase.fromPassword("wrong")); + // no throwing + protector.replacePassphrase(secretKeys, TestKeys.CRYPTIE_PASSPHRASE); + + for (PGPSecretKey key : secretKeys) { + UnlockSecretKey.unlockSecretKey(key, protector); + } + } + } From bff2b3fbfeb4fb7493dc63cca6ada412bace489d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 13:14:56 +0100 Subject: [PATCH 0208/1450] Clarify nesting depth exceeded error message --- .../decryption_verification/DecryptionStreamFactory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index df2f5172..8bd10b5d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -190,7 +190,7 @@ public final class DecryptionStreamFactory { private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth) throws IOException, PGPException { if (depth >= MAX_PACKET_NESTING_DEPTH) { - throw new PGPException("Maximum recursion depth of packages exceeded."); + throw new PGPException("Maximum depth of nested packages exceeded."); } Object nextPgpObject; while ((nextPgpObject = objectFactory.nextObject()) != null) { From 1681f3934ffbed275ad12506432c5896193b9236 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 14:42:53 +0100 Subject: [PATCH 0209/1450] Fix method name getCommentHeader --- .../src/main/java/org/pgpainless/util/ArmorUtils.java | 2 +- .../src/test/java/org/pgpainless/util/ArmorUtilsTest.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java index 41aac842..38527997 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java @@ -157,7 +157,7 @@ public final class ArmorUtils { return armor; } - public static List getCommendHeaderValues(ArmoredInputStream armor) { + public static List getCommentHeaderValues(ArmoredInputStream armor) { return getArmorHeaderValues(armor, HEADER_COMMENT); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index b9610892..9adb8d96 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -70,7 +70,7 @@ public class ArmorUtilsTest { assertEquals(HashAlgorithm.SHA512, hashes.get(0)); // Comment - List commentHeader = ArmorUtils.getCommendHeaderValues(armorIn); + List commentHeader = ArmorUtils.getCommentHeaderValues(armorIn); assertEquals(2, commentHeader.size()); assertEquals("This is a comment", commentHeader.get(0)); assertEquals("This is another comment", commentHeader.get(1)); From 60f7a9d9ec0106e7bd1eb4db543367683fbf5573 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 14:43:16 +0100 Subject: [PATCH 0210/1450] Source PGPObjectFactory from ImplementationProvider --- .../implementation/BcImplementationFactory.java | 13 +++++++++++++ .../implementation/ImplementationFactory.java | 6 ++++++ .../implementation/JceImplementationFactory.java | 13 +++++++++++++ .../org/pgpainless/key/ImportExportKeyTest.java | 15 +++++++++------ .../java/org/pgpainless/util/ArmorUtilsTest.java | 15 ++++++++++----- 5 files changed, 51 insertions(+), 11 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java index 0be562a2..67cc6881 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java @@ -4,6 +4,7 @@ package org.pgpainless.implementation; +import java.io.InputStream; import java.security.KeyPair; import java.util.Date; @@ -11,10 +12,12 @@ import org.bouncycastle.crypto.AsymmetricCipherKeyPair; import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; +import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSessionKey; +import org.bouncycastle.openpgp.bc.BcPGPObjectFactory; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator; @@ -145,6 +148,16 @@ public class BcImplementationFactory extends ImplementationFactory { return new BcSessionKeyDataDecryptorFactory(sessionKey); } + @Override + public PGPObjectFactory getPGPObjectFactory(byte[] bytes) { + return new BcPGPObjectFactory(bytes); + } + + @Override + public PGPObjectFactory getPGPObjectFactory(InputStream inputStream) { + return new BcPGPObjectFactory(inputStream); + } + private AsymmetricCipherKeyPair jceToBcKeyPair(PublicKeyAlgorithm algorithm, KeyPair keyPair, Date creationDate) throws PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java index 50937a30..94967dee 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java @@ -4,11 +4,13 @@ package org.pgpainless.implementation; +import java.io.InputStream; import java.security.KeyPair; import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; +import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; @@ -107,6 +109,10 @@ public abstract class ImplementationFactory { public abstract SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey); + public abstract PGPObjectFactory getPGPObjectFactory(InputStream inputStream); + + public abstract PGPObjectFactory getPGPObjectFactory(byte[] bytes); + @Override public String toString() { return getClass().getSimpleName(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java index c480ed10..504b197e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java @@ -4,15 +4,18 @@ package org.pgpainless.implementation; +import java.io.InputStream; import java.security.KeyPair; import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; +import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSessionKey; +import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator; @@ -132,4 +135,14 @@ public class JceImplementationFactory extends ImplementationFactory { public SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) { return new JceSessionKeyDataDecryptorFactoryBuilder().build(sessionKey); } + + @Override + public PGPObjectFactory getPGPObjectFactory(InputStream inputStream) { + return new JcaPGPObjectFactory(inputStream); + } + + @Override + public PGPObjectFactory getPGPObjectFactory(byte[] bytes) { + return new JcaPGPObjectFactory(bytes); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index 0a0d6294..bcb9086e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -12,8 +12,7 @@ import java.io.IOException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator; -import org.junit.jupiter.api.Test; +import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.implementation.ImplementationFactory; @@ -30,17 +29,21 @@ public class ImportExportKeyTest { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPPublicKeyRing publicKeys = TestKeys.getJulietPublicKeyRing(); - BcKeyFingerprintCalculator calc = new BcKeyFingerprintCalculator(); + KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); byte[] bytes = publicKeys.getEncoded(); PGPPublicKeyRing parsed = new PGPPublicKeyRing(bytes, calc); assertArrayEquals(publicKeys.getEncoded(), parsed.getEncoded()); } - @Test - public void testExportImportSecretKeyRing() throws IOException, PGPException { + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testExportImportSecretKeyRing(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getRomeoSecretKeyRing(); + + KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); byte[] bytes = secretKeys.getEncoded(); - PGPSecretKeyRing parsed = new PGPSecretKeyRing(bytes, new BcKeyFingerprintCalculator()); + PGPSecretKeyRing parsed = new PGPSecretKeyRing(bytes, calc); assertArrayEquals(secretKeys.getEncoded(), parsed.getEncoded()); assertEquals(secretKeys.getPublicKey().getKeyID(), parsed.getPublicKey().getKeyID()); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 9adb8d96..2c360b04 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -23,11 +23,13 @@ import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPUtil; -import org.bouncycastle.openpgp.bc.BcPGPObjectFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.MethodSource; import org.pgpainless.algorithm.HashAlgorithm; +import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; public class ArmorUtilsTest { @@ -142,8 +144,10 @@ public class ArmorUtilsTest { "-----END PGP MESSAGE-----\n", out.toString()); } - @Test - public void decodeExampleTest() throws IOException, PGPException { + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void decodeExampleTest(ImplementationFactory implementationFactory) throws IOException, PGPException { + ImplementationFactory.setFactoryImplementation(implementationFactory); String armored = "-----BEGIN PGP MESSAGE-----\n" + "Version: OpenPrivacy 0.99\n" + "\n" + @@ -152,9 +156,10 @@ public class ArmorUtilsTest { "=njUN\n" + "-----END PGP MESSAGE-----"; InputStream inputStream = PGPUtil.getDecoderStream(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8))); - PGPObjectFactory factory = new BcPGPObjectFactory(inputStream); + + PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(inputStream); PGPCompressedData compressed = (PGPCompressedData) factory.nextObject(); - factory = new BcPGPObjectFactory(compressed.getDataStream()); + factory = ImplementationFactory.getInstance().getPGPObjectFactory(compressed.getDataStream()); PGPLiteralData literal = (PGPLiteralData) factory.nextObject(); ByteArrayOutputStream out = new ByteArrayOutputStream(); assertEquals("_CONSOLE", literal.getFileName()); From a66b45c3d27808cbef4d097d9dcae94f6cdcf046 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 15:03:45 +0100 Subject: [PATCH 0211/1450] Further sourcing of PGPObjectFactory from ImplementationProvider --- .../DecryptionStreamFactory.java | 17 +++++++---------- .../MessageInspector.java | 7 +++---- .../ClearsignedMessageUtil.java | 2 +- .../key/collection/PGPKeyRingCollection.java | 2 +- .../pgpainless/key/parsing/KeyRingReader.java | 19 +++++++------------ .../pgpainless/signature/SignatureUtils.java | 6 ++---- .../org/bouncycastle/PGPUtilWrapperTest.java | 14 +++++++++----- .../ChangeSecretKeyRingPassphraseTest.java | 7 +------ .../OnePassSignatureBracketingTest.java | 10 ++++------ 9 files changed, 35 insertions(+), 49 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index 8bd10b5d..aa6d409f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -37,7 +37,6 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSessionKey; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; -import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; @@ -59,9 +58,9 @@ import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.consumer.DetachedSignatureCheck; import org.pgpainless.signature.consumer.OnePassSignatureCheck; -import org.pgpainless.signature.SignatureUtils; import org.pgpainless.util.CRCingArmoredInputStreamWrapper; import org.pgpainless.util.PGPUtilWrapper; import org.pgpainless.util.Passphrase; @@ -85,8 +84,6 @@ public final class DecryptionStreamFactory { private static final PGPContentVerifierBuilderProvider verifierBuilderProvider = ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(); - private static final KeyFingerPrintCalculator keyFingerprintCalculator = - ImplementationFactory.getInstance().getKeyFingerprintCalculator(); private IntegrityProtectedInputStream integrityProtectedEncryptedInputStream; @@ -150,7 +147,7 @@ public final class DecryptionStreamFactory { } } - objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream); // Parse OpenPGP message inputStream = processPGPPackets(objectFactory, 1); } catch (EOFException e) { @@ -162,7 +159,7 @@ public final class DecryptionStreamFactory { LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?"); bufferedIn.reset(); decoderStream = bufferedIn; - objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream); inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } catch (IOException e) { if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) { @@ -170,7 +167,7 @@ public final class DecryptionStreamFactory { LOGGER.debug("The message is apparently not armored."); bufferedIn.reset(); decoderStream = bufferedIn; - objectFactory = new PGPObjectFactory(decoderStream, keyFingerprintCalculator); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream); inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory); } else { throw e; @@ -219,13 +216,13 @@ public final class DecryptionStreamFactory { if (sessionKey != null) { integrityProtectedEncryptedInputStream = decryptWithProvidedSessionKey(pgpEncryptedDataList, sessionKey); InputStream decodedDataStream = PGPUtil.getDecoderStream(integrityProtectedEncryptedInputStream); - PGPObjectFactory factory = new PGPObjectFactory(decodedDataStream, keyFingerprintCalculator); + PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream); return processPGPPackets(factory, ++depth); } InputStream decryptedDataStream = decryptSessionKey(pgpEncryptedDataList); InputStream decodedDataStream = PGPUtil.getDecoderStream(decryptedDataStream); - PGPObjectFactory factory = new PGPObjectFactory(decodedDataStream, keyFingerprintCalculator); + PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream); return processPGPPackets(factory, ++depth); } @@ -269,7 +266,7 @@ public final class DecryptionStreamFactory { InputStream inflatedDataStream = pgpCompressedData.getDataStream(); InputStream decodedDataStream = PGPUtil.getDecoderStream(inflatedDataStream); - PGPObjectFactory objectFactory = new PGPObjectFactory(decodedDataStream, keyFingerprintCalculator); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream); return processPGPPackets(objectFactory, ++depth); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index 5883163a..6ded10bb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -21,7 +21,6 @@ import org.bouncycastle.openpgp.PGPOnePassSignatureList; import org.bouncycastle.openpgp.PGPPBEEncryptedData; import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData; import org.bouncycastle.openpgp.PGPUtil; -import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.ArmorUtils; @@ -101,8 +100,7 @@ public final class MessageInspector { } private static void processMessage(InputStream dataIn, EncryptionInfo info) throws PGPException, IOException { - KeyFingerPrintCalculator calculator = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); - PGPObjectFactory objectFactory = new PGPObjectFactory(dataIn, calculator); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(dataIn); Object next; while ((next = objectFactory.nextObject()) != null) { @@ -131,7 +129,8 @@ public final class MessageInspector { if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressed = compressed.getDataStream(); - objectFactory = new PGPObjectFactory(PGPUtil.getDecoderStream(decompressed), calculator); + InputStream decoded = PGPUtil.getDecoderStream(decompressed); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoded); } if (next instanceof PGPLiteralData) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java index feea89eb..d2b514bb 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java @@ -71,7 +71,7 @@ public final class ClearsignedMessageUtil { out.close(); } - PGPObjectFactory objectFactory = new PGPObjectFactory(in, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(in); PGPSignatureList signatures = (PGPSignatureList) objectFactory.nextObject(); return signatures; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java index 352343b5..46aa2baf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java @@ -47,7 +47,7 @@ public class PGPKeyRingCollection { public PGPKeyRingCollection(@Nonnull InputStream in, boolean isSilent) throws IOException, PGPException { // Double getDecoderStream because of #96 InputStream decoderStream = ArmorUtils.getDecoderStream(in); - PGPObjectFactory pgpFact = new PGPObjectFactory(decoderStream, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory pgpFact = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream); Object obj; List secretKeyRings = new ArrayList<>(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java index 5dcf0bd4..6e900a95 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java @@ -108,9 +108,8 @@ public class KeyRingReader { * @return public key ring */ public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException { - PGPObjectFactory objectFactory = new PGPObjectFactory( - ArmorUtils.getDecoderStream(inputStream), - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory( + ArmorUtils.getDecoderStream(inputStream)); int i = 0; Object next; do { @@ -146,9 +145,8 @@ public class KeyRingReader { */ public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations) throws IOException, PGPException { - PGPObjectFactory objectFactory = new PGPObjectFactory( - ArmorUtils.getDecoderStream(inputStream), - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory( + ArmorUtils.getDecoderStream(inputStream)); List rings = new ArrayList<>(); int i = 0; @@ -191,9 +189,7 @@ public class KeyRingReader { */ public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException { InputStream decoderStream = ArmorUtils.getDecoderStream(inputStream); - PGPObjectFactory objectFactory = new PGPObjectFactory( - decoderStream, - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream); int i = 0; Object next; do { @@ -230,9 +226,8 @@ public class KeyRingReader { public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations) throws IOException, PGPException { - PGPObjectFactory objectFactory = new PGPObjectFactory( - ArmorUtils.getDecoderStream(inputStream), - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory( + ArmorUtils.getDecoderStream(inputStream)); List rings = new ArrayList<>(); int i = 0; diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index 93e8aae0..d31233e5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -238,16 +238,14 @@ public final class SignatureUtils { public static List readSignatures(InputStream inputStream, int maxIterations) throws IOException, PGPException { List signatures = new ArrayList<>(); InputStream pgpIn = ArmorUtils.getDecoderStream(inputStream); - PGPObjectFactory objectFactory = new PGPObjectFactory( - pgpIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(pgpIn); int i = 0; Object nextObject; while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) { if (nextObject instanceof PGPCompressedData) { PGPCompressedData compressedData = (PGPCompressedData) nextObject; - objectFactory = new PGPObjectFactory(compressedData.getDataStream(), - ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream()); } if (nextObject instanceof PGPSignatureList) { diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java index 5ccb7be7..604cdfdf 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -18,15 +18,19 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPLiteralDataGenerator; import org.bouncycastle.openpgp.PGPObjectFactory; -import org.bouncycastle.openpgp.bc.BcPGPObjectFactory; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.MethodSource; +import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.PGPUtilWrapper; public class PGPUtilWrapperTest { - @Test - public void testGetDecoderStream() throws IOException { + @ParameterizedTest + @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + public void testGetDecoderStream(ImplementationFactory implementationFactory) throws IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); + ByteArrayInputStream msg = new ByteArrayInputStream("Foo\nBar".getBytes(StandardCharsets.UTF_8)); PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator(); @@ -36,7 +40,7 @@ public class PGPUtilWrapperTest { literalDataGenerator.close(); InputStream in = new ByteArrayInputStream(out.toByteArray()); - PGPObjectFactory objectFactory = new BcPGPObjectFactory(in); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(in); PGPLiteralData literalData = (PGPLiteralData) objectFactory.nextObject(); InputStream litIn = literalData.getDataStream(); BufferedInputStream bufIn = new BufferedInputStream(litIn); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index b17a41e7..7f4067ee 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -19,9 +19,6 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; -import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider; -import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder; -import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; @@ -168,14 +165,12 @@ public class ChangeSecretKeyRingPassphraseTest { * @throws PGPException if passphrase is wrong */ private void extractPrivateKey(PGPSecretKey secretKey, Passphrase passphrase) throws PGPException { - PGPDigestCalculatorProvider digestCalculatorProvider = new BcPGPDigestCalculatorProvider(); if (passphrase.isEmpty() && secretKey.getKeyEncryptionAlgorithm() != SymmetricKeyAlgorithm.NULL.getAlgorithmId()) { throw new PGPException("Cannot unlock encrypted private key with empty passphrase."); } else if (!passphrase.isEmpty() && secretKey.getKeyEncryptionAlgorithm() == SymmetricKeyAlgorithm.NULL.getAlgorithmId()) { throw new PGPException("Cannot unlock unprotected private key with non-empty passphrase."); } - PBESecretKeyDecryptor decryptor = passphrase.isEmpty() ? null : new BcPBESecretKeyDecryptorBuilder(digestCalculatorProvider) - .build(passphrase.getChars()); + PBESecretKeyDecryptor decryptor = passphrase.isEmpty() ? null : ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase); UnlockSecretKey.unlockSecretKey(secretKey, decryptor); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 2abf5efc..a68c7725 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -31,9 +31,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPUtil; -import org.bouncycastle.openpgp.bc.BcPGPObjectFactory; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; -import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; @@ -79,7 +77,7 @@ public class OnePassSignatureBracketingTest { ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(out.toByteArray()); InputStream inputStream = PGPUtil.getDecoderStream(ciphertextIn); - PGPObjectFactory objectFactory = new BcPGPObjectFactory(inputStream); + PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(inputStream); PGPOnePassSignatureList onePassSignatures = null; PGPSignatureList signatures = null; @@ -96,9 +94,9 @@ public class OnePassSignatureBracketingTest { PGPPublicKeyEncryptedData publicKeyEncryptedData = (PGPPublicKeyEncryptedData) encryptedData; PGPSecretKey secretKey = key1.getSecretKey(publicKeyEncryptedData.getKeyID()); PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys()); - PublicKeyDataDecryptorFactory decryptorFactory = new BcPublicKeyDataDecryptorFactory(privateKey); + PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().getPublicKeyDataDecryptorFactory(privateKey); InputStream decryptionStream = publicKeyEncryptedData.getDataStream(decryptorFactory); - objectFactory = new BcPGPObjectFactory(decryptionStream); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decryptionStream); continue outerloop; } } @@ -108,7 +106,7 @@ public class OnePassSignatureBracketingTest { } else if (next instanceof PGPCompressedData) { PGPCompressedData compressed = (PGPCompressedData) next; InputStream decompressor = compressed.getDataStream(); - objectFactory = new PGPObjectFactory(decompressor, ImplementationFactory.getInstance().getKeyFingerprintCalculator()); + objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decompressor); continue outerloop; } else if (next instanceof PGPLiteralData) { continue outerloop; From 2ebf4be39c53f0685744312b7953446ad8125f41 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 15:47:53 +0100 Subject: [PATCH 0212/1450] Replace @MethodSource annotation with @ArgumentsSource --- .../org/bouncycastle/PGPUtilWrapperTest.java | 5 +- .../DecryptAndVerifyMessageTest.java | 5 +- .../DecryptHiddenRecipientMessage.java | 5 +- .../ModificationDetectionTests.java | 30 +++++---- .../RecursionDepthTest.java | 8 ++- .../EncryptDecryptTest.java | 26 ++++---- .../EncryptionStreamClosedTest.java | 5 +- .../encryption_signing/SigningTest.java | 48 +++++++++----- .../key/BouncycastleExportSubkeys.java | 5 +- .../pgpainless/key/ImportExportKeyTest.java | 7 +- .../BrainpoolKeyGenerationTest.java | 7 +- ...rtificationKeyMustBeAbleToCertifyTest.java | 5 +- .../GenerateEllipticCurveKeyTest.java | 5 +- .../GenerateKeyWithAdditionalUserIdTest.java | 5 +- .../GenerateWithEmptyPassphraseTest.java | 5 +- .../key/generation/IllegalKeyFlagsTest.java | 5 +- .../pgpainless/key/info/KeyRingInfoTest.java | 11 ++-- .../key/modification/AddSubKeyTest.java | 5 +- .../key/modification/AddUserIdTest.java | 12 ++-- ...nOnKeyWithDifferentSignatureTypesTest.java | 7 +- .../modification/ChangeExpirationTest.java | 13 ++-- .../ChangeSecretKeyRingPassphraseTest.java | 11 ++-- ...gnatureSubpacketsArePreservedOnNewSig.java | 8 +-- ...WithGenericCertificationSignatureTest.java | 5 +- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 8 ++- .../key/modification/RevokeSubKeyTest.java | 9 +-- .../SecretKeyRingProtectorTest.java | 8 +-- .../BindingSignatureSubpacketsTest.java | 65 ++++++++++--------- .../signature/CertificateValidatorTest.java | 17 ++--- .../signature/KeyRevocationTest.java | 7 +- .../OnePassSignatureBracketingTest.java | 5 +- ...ultiPassphraseSymmetricEncryptionTest.java | 5 +- .../SymmetricEncryptionTest.java | 7 +- .../org/pgpainless/util/ArmorUtilsTest.java | 4 +- .../TestImplementationFactoryProvider.java | 11 +++- 35 files changed, 225 insertions(+), 169 deletions(-) diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java index 604cdfdf..fd1ec62a 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -20,14 +20,15 @@ import org.bouncycastle.openpgp.PGPLiteralDataGenerator; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.PGPUtilWrapper; +import org.pgpainless.util.TestImplementationFactoryProvider; public class PGPUtilWrapperTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testGetDecoderStream(ImplementationFactory implementationFactory) throws IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 3fa1ec4e..76426582 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -18,7 +18,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; @@ -26,6 +26,7 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.util.TestImplementationFactoryProvider; public class DecryptAndVerifyMessageTest { @@ -42,7 +43,7 @@ public class DecryptAndVerifyMessageTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void decryptMessageAndVerifySignatureTest(ImplementationFactory implementationFactory) throws Exception { ImplementationFactory.setFactoryImplementation(implementationFactory); String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java index 3ebe5390..060435ff 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java @@ -17,17 +17,18 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.util.TestImplementationFactoryProvider; public class DecryptHiddenRecipientMessage { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testDecryptionWithWildcardRecipient(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); String secretKeyAscii = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index 2eb870cb..03f6165e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -18,15 +18,15 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.ModificationDetectionException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class ModificationDetectionTests { @@ -210,7 +210,7 @@ public class ModificationDetectionTests { * @throws PGPException in case of a pgp error */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testMissingMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -231,7 +231,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testTamperedCiphertextThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); @@ -247,7 +247,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testIgnoreTamperedCiphertext(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); @@ -264,7 +264,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testTamperedMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); @@ -280,7 +280,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testIgnoreTamperedMDC(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); @@ -296,7 +296,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testTruncatedMDCThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); @@ -311,7 +311,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testMDCWithBadCTBThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); @@ -327,7 +327,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testIgnoreMDCWithBadCTB(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); @@ -344,7 +344,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testMDCWithBadLengthThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); @@ -360,7 +360,7 @@ public class ModificationDetectionTests { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testIgnoreMDCWithBadLength(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); @@ -376,8 +376,10 @@ public class ModificationDetectionTests { decryptionStream.close(); } - @Test - public void decryptMessageWithSEDPacket() throws IOException, PGPException { + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void decryptMessageWithSEDPacket(ImplementationFactory implementationFactory) throws IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests"); String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n" + "Version: FlowCrypt 6.9.1 Gmail Encryption\r\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index 5bc1ae61..73ff3f71 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -15,9 +15,10 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.TestImplementationFactoryProvider; public class RecursionDepthTest { @@ -27,8 +28,9 @@ public class RecursionDepthTest { * @see Sequoia-PGP Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void decryptionAbortsWhenMaximumRecursionDepthReachedTest(ImplementationFactory implementationFactory) throws IOException, PGPException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void decryptionAbortsWhenMaximumRecursionDepthReachedTest(ImplementationFactory implementationFactory) + throws IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Bob's OpenPGP Transferable Secret Key\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index da70e170..09a58695 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -25,9 +25,8 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.KeyFlag; @@ -48,6 +47,7 @@ import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.policy.Policy; import org.pgpainless.util.ArmoredOutputStreamFactory; +import org.pgpainless.util.TestImplementationFactoryProvider; public class EncryptDecryptTest { @@ -71,7 +71,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void freshKeysRsaToElGamalTest(ImplementationFactory implementationFactory) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -89,7 +89,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void freshKeysRsaToRsaTest(ImplementationFactory implementationFactory) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -100,7 +100,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void freshKeysEcToEcTest(ImplementationFactory implementationFactory) throws IOException, PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -111,7 +111,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void freshKeysEcToRsaTest(ImplementationFactory implementationFactory) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -122,7 +122,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void freshKeysRsaToEcTest(ImplementationFactory implementationFactory) throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -133,7 +133,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void existingRsaKeysTest(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = TestKeys.getJulietSecretKeyRing(); @@ -198,7 +198,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testDetachedSignatureCreationAndVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -244,7 +244,7 @@ public class EncryptDecryptTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testOnePassSignatureCreationAndVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); @@ -274,8 +274,10 @@ public class EncryptDecryptTest { assertFalse(metadata.getVerifiedSignatures().isEmpty()); } - @Test - public void expiredSubkeyBacksigTest() throws IOException { + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void expiredSubkeyBacksigTest(ImplementationFactory implementationFactory) throws IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java index c667de31..e3b31967 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java @@ -12,15 +12,16 @@ import java.io.OutputStream; import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class EncryptionStreamClosedTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testStreamHasToBeClosedBeforeGetResultCanBeCalled(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); OutputStream out = new ByteArrayOutputStream(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 6a73152d..27860088 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -26,9 +26,8 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; @@ -49,11 +48,12 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.util.MultiMap; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class SigningTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testEncryptionAndSignatureVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -117,9 +117,11 @@ public class SigningTest { assertFalse(metadata.containsVerifiedSignatureFrom(julietKeys)); } - @Test - public void testSignWithInvalidUserIdFails() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void testSignWithInvalidUserIdFails(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); @@ -131,9 +133,11 @@ public class SigningTest { DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } - @Test - public void testSignWithRevokedUserIdFails() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void testSignWithRevokedUserIdFails(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( @@ -151,8 +155,10 @@ public class SigningTest { DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } - @Test - public void signWithHashAlgorithmOverride() throws PGPException, IOException { + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void signWithHashAlgorithmOverride(ImplementationFactory implementationFactory) throws PGPException, IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -182,9 +188,11 @@ public class SigningTest { assertEquals(HashAlgorithm.SHA224.getAlgorithmId(), signature.getHashAlgorithm()); } - @Test - public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -211,9 +219,11 @@ public class SigningTest { signature.getHashAlgorithm()); } - @Test - public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey( KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -240,9 +250,11 @@ public class SigningTest { signature.getHashAlgorithm()); } - @Test - public void signingWithNonCapableKeyThrowsKeyCannotSignException() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void signingWithNonCapableKeyThrowsKeyCannotSignException(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") @@ -255,9 +267,11 @@ public class SigningTest { SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); } - @Test - public void signWithInvalidUserIdThrowsKeyValidationError() + @ParameterizedTest + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void signWithInvalidUserIdThrowsKeyValidationError(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java index f3e40825..e651eb2d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java @@ -30,14 +30,15 @@ import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.provider.ProviderFactory; +import org.pgpainless.util.TestImplementationFactoryProvider; public class BouncycastleExportSubkeys { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testExportImport(ImplementationFactory implementationFactory) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); KeyPairGenerator generator; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index bcb9086e..d12963cd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -14,8 +14,9 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.TestImplementationFactoryProvider; public class ImportExportKeyTest { @@ -24,7 +25,7 @@ public class ImportExportKeyTest { * @throws IOException in case of a IO error */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testExportImportPublicKeyRing(ImplementationFactory implementationFactory) throws IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPPublicKeyRing publicKeys = TestKeys.getJulietPublicKeyRing(); @@ -36,7 +37,7 @@ public class ImportExportKeyTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testExportImportSecretKeyRing(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getRomeoSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index 8740ff4a..376777a2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -18,7 +18,7 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; @@ -32,11 +32,12 @@ import org.pgpainless.key.info.KeyInfo; import org.pgpainless.key.util.UserId; import org.pgpainless.util.BCUtil; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class BrainpoolKeyGenerationTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void generateEcKeysTest(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -66,7 +67,7 @@ public class BrainpoolKeyGenerationTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void generateEdDSAKeyTest(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index 31470715..fecde6c7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -7,13 +7,14 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.util.TestImplementationFactoryProvider; public class CertificationKeyMustBeAbleToCertifyTest { @@ -23,7 +24,7 @@ public class CertificationKeyMustBeAbleToCertifyTest { * This test therefore verifies that generating such keys fails. */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testCertificationIncapableKeyTypesThrow(ImplementationFactory implementationFactory) { ImplementationFactory.setFactoryImplementation(implementationFactory); KeyType[] typesIncapableOfCreatingVerifications = new KeyType[] { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index eef7812b..36a987f9 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -13,7 +13,7 @@ import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; @@ -24,11 +24,12 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.UserId; +import org.pgpainless.util.TestImplementationFactoryProvider; public class GenerateEllipticCurveKeyTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void generateEllipticCurveKeys(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index 58b96a1b..4505662a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -18,7 +18,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; @@ -27,11 +27,12 @@ import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; +import org.pgpainless.util.TestImplementationFactoryProvider; public class GenerateKeyWithAdditionalUserIdTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void test(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index 5b9c9a58..6233e59e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -12,13 +12,14 @@ import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; /** * Reproduce behavior of https://github.com/pgpainless/pgpainless/issues/16 @@ -30,7 +31,7 @@ import org.pgpainless.util.Passphrase; public class GenerateWithEmptyPassphraseTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java index e5c48d5b..3477e189 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java @@ -7,17 +7,18 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; +import org.pgpainless.util.TestImplementationFactoryProvider; public class IllegalKeyFlagsTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testKeyCannotCarryFlagsTest(ImplementationFactory implementationFactory) { ImplementationFactory.setFactoryImplementation(implementationFactory); assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 39e13edd..8f07d33f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -32,7 +32,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.EncryptionPurpose; @@ -53,11 +53,12 @@ import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class KeyRingInfoTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testWithEmilsKeys(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -175,8 +176,8 @@ public class KeyRingInfoTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void dummyS2KTest(ImplementationFactory implementationFactory) throws PGPException, IOException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void dummyS2KTest(ImplementationFactory implementationFactory) throws IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); String withDummyS2K = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + @@ -214,7 +215,7 @@ public class KeyRingInfoTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testGetKeysWithFlagsAndExpiry(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 0fb9a5ec..1b97cd1a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -21,7 +21,7 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.implementation.ImplementationFactory; @@ -34,11 +34,12 @@ import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class AddSubKeyTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testAddSubKey(ImplementationFactory implementationFactory) throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 705e7d48..77c1383b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -19,7 +19,7 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; @@ -29,12 +29,14 @@ import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class AddUserIdTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void addUserIdToExistingKeyRing(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void addUserIdToExistingKeyRing(ImplementationFactory implementationFactory) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); @@ -65,7 +67,7 @@ public class AddUserIdTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void deleteUserId_noSuchElementExceptionForMissingUserId(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -75,7 +77,7 @@ public class AddUserIdTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void deleteExistingAndAddNewUserIdToExistingKeyRing(ImplementationFactory implementationFactory) throws PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index 36c9b8bb..aa8b0589 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -11,11 +11,12 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.DateUtil; +import org.pgpainless.util.TestImplementationFactoryProvider; public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @@ -136,7 +137,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { "-----END PGP PRIVATE KEY BLOCK-----"; @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void setExpirationDate_keyHasSigClass10(ImplementationFactory implementationFactory) throws PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -146,7 +147,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void setExpirationDate_keyHasSigClass12(ImplementationFactory implementationFactory) throws PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index 562e81a7..b728016a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -14,7 +14,7 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; @@ -22,14 +22,16 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; +import org.pgpainless.util.TestImplementationFactoryProvider; public class ChangeExpirationTest { private final OpenPgpV4Fingerprint subKeyFingerprint = new OpenPgpV4Fingerprint("F73FDE6439ABE210B1AF4EDD273EF7A0C749807B"); @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void setExpirationDateAndThenUnsetIt_OnPrimaryKey(ImplementationFactory implementationFactory) throws PGPException, IOException, InterruptedException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void setExpirationDateAndThenUnsetIt_OnPrimaryKey(ImplementationFactory implementationFactory) + throws PGPException, IOException, InterruptedException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); @@ -61,8 +63,9 @@ public class ChangeExpirationTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void setExpirationDateAndThenUnsetIt_OnSubkey(ImplementationFactory implementationFactory) throws PGPException, IOException, InterruptedException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void setExpirationDateAndThenUnsetIt_OnSubkey(ImplementationFactory implementationFactory) + throws PGPException, IOException, InterruptedException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 7f4067ee..283d74cc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -21,7 +21,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; @@ -33,6 +33,7 @@ import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class ChangeSecretKeyRingPassphraseTest { @@ -42,7 +43,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void changePassphraseOfWholeKeyRingTest(ImplementationFactory implementationFactory) throws PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -70,7 +71,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void changePassphraseOfWholeKeyRingToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) @@ -88,7 +89,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void changePassphraseOfSingleSubkeyToNewPassphrase(ImplementationFactory implementationFactory) throws PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -125,7 +126,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void changePassphraseOfSingleSubkeyToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java index a03744a3..b9a00cd6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java @@ -8,7 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertArrayEquals; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotEquals; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Date; @@ -18,18 +17,19 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.protection.UnprotectedKeysProtector; +import org.pgpainless.util.TestImplementationFactoryProvider; public class OldSignatureSubpacketsArePreservedOnNewSig { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig(ImplementationFactory implementationFactory) - throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException, IOException { + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleEcKeyRing("Alice "); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java index 794438da..a9b1f0a8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java @@ -15,11 +15,12 @@ import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; +import org.pgpainless.util.TestImplementationFactoryProvider; /** * Test that makes sure that PGPainless can deal with keys that carry a key @@ -64,7 +65,7 @@ public class RevokeKeyWithGenericCertificationSignatureTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void test(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); revokeKey(SAMPLE_PRIVATE_KEY); // would crash previously diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index a218a6f9..1cce7290 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -14,7 +14,7 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; @@ -23,6 +23,7 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; +import org.pgpainless.util.TestImplementationFactoryProvider; public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @@ -101,8 +102,9 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { "-----END PGP PRIVATE KEY BLOCK-----"; @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") - public void testChangingExpirationTimeWithKeyWithoutPrefAlgos(ImplementationFactory implementationFactory) throws IOException, PGPException { + @ArgumentsSource(TestImplementationFactoryProvider.class) + public void testChangingExpirationTimeWithKeyWithoutPrefAlgos(ImplementationFactory implementationFactory) + throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); Date expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(new Date())); PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 421c9ecf..861002f0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -25,7 +25,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.SignatureType; @@ -40,11 +40,12 @@ import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class RevokeSubKeyTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void revokeSukeyTest(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); @@ -69,7 +70,7 @@ public class RevokeSubKeyTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void detachedRevokeSubkeyTest(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); @@ -90,7 +91,7 @@ public class RevokeSubKeyTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testRevocationSignatureTypeCorrect(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 037d996d..b641af56 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -16,7 +16,6 @@ import java.util.Iterator; import java.util.Map; import java.util.Random; import java.util.concurrent.ConcurrentHashMap; - import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; @@ -25,17 +24,18 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class SecretKeyRingProtectorTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testUnlockAllKeysWithSamePassword(ImplementationFactory implementationFactory) throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -70,7 +70,7 @@ public class SecretKeyRingProtectorTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testUnlockSingleKeyWithPassphrase(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index 85e4299d..f94380cd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -17,12 +17,13 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.util.TestImplementationFactoryProvider; /** * Explores how subpackets on binding sigs are handled. @@ -52,7 +53,7 @@ public class BindingSignatureSubpacketsTest { private Policy policy = PGPainless.getPolicy(); @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void baseCase(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -114,7 +115,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingIssuerFpOnly(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -176,7 +177,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingIssuerV6IssuerFp(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -238,7 +239,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingIssuerFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -300,7 +301,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingFakeIssuerIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -362,7 +363,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -424,7 +425,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingNoIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -485,7 +486,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void unknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -547,7 +548,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingUnknownCriticalSubpacket(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -609,7 +610,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -671,7 +672,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingUnknownCriticalSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -733,7 +734,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -796,7 +797,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingCriticalUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -859,7 +860,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -922,7 +923,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingCriticalUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -985,7 +986,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingBackSigFakeBackSig(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1058,7 +1059,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeyBindingFakeBackSigBackSig(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1131,7 +1132,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingIssuerFpOnly(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1193,7 +1194,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingIssuerV6IssuerFp(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1255,7 +1256,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingIssuerFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1317,7 +1318,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingFakeIssuerIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1379,7 +1380,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1441,7 +1442,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingNoIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1502,7 +1503,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingUnknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1564,7 +1565,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingCriticalUnknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1626,7 +1627,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1688,7 +1689,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingCriticalUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1750,7 +1751,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1813,7 +1814,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingCriticalUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1876,7 +1877,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -1939,7 +1940,7 @@ public class BindingSignatureSubpacketsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void primaryBindingCriticalUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 73a7cb85..5eb98aa7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -20,7 +20,7 @@ import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -29,6 +29,7 @@ import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.util.TestImplementationFactoryProvider; public class CertificateValidatorTest { @@ -38,7 +39,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testPrimaryKeySignsAndIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -190,7 +191,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -343,7 +344,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testSubkeySignsAndIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -496,7 +497,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testPrimaryKeySignsAndIsSoftRevokedSuperseded(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -654,7 +655,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -808,7 +809,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testPrimaryKeySignsAndIsSoftRevokedRetired(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -962,7 +963,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testTemporaryValidity(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 73e726bf..95728fb0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -15,18 +15,19 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.signature.consumer.CertificateValidator; +import org.pgpainless.util.TestImplementationFactoryProvider; public class KeyRevocationTest { private static final String data = "Hello, World"; @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeySignsPrimaryKeyRevokedNoReason(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); @@ -174,7 +175,7 @@ public class KeyRevocationTest { * @see Sequoia Test-Suite */ @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void subkeySignsPrimaryKeyNotRevoked(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index a68c7725..20fb598a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -34,7 +34,7 @@ import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; @@ -47,11 +47,12 @@ import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.util.TestImplementationFactoryProvider; public class OnePassSignatureBracketingTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void onePassSignaturePacketsAndSignaturesAreBracketedTest(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index 9b26921f..7ab00868 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -12,7 +12,7 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -21,11 +21,12 @@ import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; public class MultiPassphraseSymmetricEncryptionTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void encryptDecryptWithMultiplePassphrases(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); String message = "Here we test if during decryption of a message that was encrypted with two passphrases, " + diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index 68f929af..aa14394c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -18,7 +18,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -34,6 +34,7 @@ import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestImplementationFactoryProvider; /** * Test parallel symmetric and public key encryption/decryption. @@ -41,7 +42,7 @@ import org.pgpainless.util.Passphrase; public class SymmetricEncryptionTest { @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void encryptWithKeyAndPassphrase_DecryptWithKey(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); byte[] plaintext = "This is a secret message".getBytes(StandardCharsets.UTF_8); @@ -95,7 +96,7 @@ public class SymmetricEncryptionTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void testMismatchPassphraseFails(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 2c360b04..6a8a6a64 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -27,7 +27,7 @@ import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.params.provider.ArgumentsSource; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; @@ -145,7 +145,7 @@ public class ArmorUtilsTest { } @ParameterizedTest - @MethodSource("org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories") + @ArgumentsSource(TestImplementationFactoryProvider.class) public void decodeExampleTest(ImplementationFactory implementationFactory) throws IOException, PGPException { ImplementationFactory.setFactoryImplementation(implementationFactory); String armored = "-----BEGIN PGP MESSAGE-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java index 1ace7245..63dc386c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java @@ -4,24 +4,29 @@ package org.pgpainless.util; +import org.junit.jupiter.api.extension.ExtensionContext; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.ArgumentsProvider; import org.pgpainless.implementation.BcImplementationFactory; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.implementation.JceImplementationFactory; import java.util.Arrays; import java.util.List; +import java.util.stream.Stream; /** * Utility class used to provide all available implementations of {@link ImplementationFactory} for parametrized tests. */ -public class TestImplementationFactoryProvider { +public class TestImplementationFactoryProvider implements ArgumentsProvider { private static final List IMPLEMENTATIONS = Arrays.asList( new BcImplementationFactory(), new JceImplementationFactory() ); - public static List provideImplementationFactories() { - return IMPLEMENTATIONS; + @Override + public Stream provideArguments(ExtensionContext context) { + return IMPLEMENTATIONS.stream().map(Arguments::of); } } From c331dee6b1818a8e00f6465a26630bba21b38b67 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 16:55:04 +0100 Subject: [PATCH 0213/1450] Replace @ArgumentSource with @TestTemplate, @ExtendWith --- .../org/bouncycastle/PGPUtilWrapperTest.java | 13 +- .../DecryptAndVerifyMessageTest.java | 14 +- .../DecryptHiddenRecipientMessage.java | 14 +- .../ModificationDetectionTests.java | 85 +++---- .../RecursionDepthTest.java | 14 +- .../EncryptDecryptTest.java | 70 +++--- .../EncryptionStreamClosedTest.java | 14 +- .../encryption_signing/SigningTest.java | 63 +++-- .../key/BouncycastleExportSubkeys.java | 14 +- .../pgpainless/key/ImportExportKeyTest.java | 20 +- .../BrainpoolKeyGenerationTest.java | 21 +- ...rtificationKeyMustBeAbleToCertifyTest.java | 14 +- .../GenerateEllipticCurveKeyTest.java | 16 +- .../GenerateKeyWithAdditionalUserIdTest.java | 14 +- .../GenerateWithEmptyPassphraseTest.java | 16 +- .../key/generation/IllegalKeyFlagsTest.java | 14 +- .../pgpainless/key/info/KeyRingInfoTest.java | 28 +-- .../key/modification/AddSubKeyTest.java | 15 +- .../key/modification/AddUserIdTest.java | 28 +-- ...nOnKeyWithDifferentSignatureTypesTest.java | 21 +- .../modification/ChangeExpirationTest.java | 21 +- .../ChangeSecretKeyRingPassphraseTest.java | 34 ++- ...gnatureSubpacketsArePreservedOnNewSig.java | 14 +- ...WithGenericCertificationSignatureTest.java | 14 +- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 14 +- .../key/modification/RevokeSubKeyTest.java | 28 +-- .../key/protection/PassphraseTest.java | 16 +- .../SecretKeyRingProtectorTest.java | 21 +- .../BindingSignatureSubpacketsTest.java | 224 ++++++++---------- .../signature/CertificateValidatorTest.java | 56 ++--- .../signature/KeyRevocationTest.java | 21 +- .../OnePassSignatureBracketingTest.java | 14 +- ...ultiPassphraseSymmetricEncryptionTest.java | 14 +- .../SymmetricEncryptionTest.java | 22 +- .../org/pgpainless/util/ArmorUtilsTest.java | 11 +- ...nFactoryTestInvocationContextProvider.java | 66 ++++++ .../TestImplementationFactoryProvider.java | 2 + 37 files changed, 514 insertions(+), 586 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java index fd1ec62a..8c2b432b 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -19,18 +19,17 @@ import org.bouncycastle.openpgp.PGPLiteralData; import org.bouncycastle.openpgp.PGPLiteralDataGenerator; import org.bouncycastle.openpgp.PGPObjectFactory; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.PGPUtilWrapper; -import org.pgpainless.util.TestImplementationFactoryProvider; public class PGPUtilWrapperTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testGetDecoderStream(ImplementationFactory implementationFactory) throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testGetDecoderStream() throws IOException { ByteArrayInputStream msg = new ByteArrayInputStream("Foo\nBar".getBytes(StandardCharsets.UTF_8)); PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 76426582..79e6fae0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -17,16 +17,15 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; import org.pgpainless.key.util.KeyRingUtils; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class DecryptAndVerifyMessageTest { @@ -42,10 +41,9 @@ public class DecryptAndVerifyMessageTest { romeo = TestKeys.getRomeoSecretKeyRing(); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void decryptMessageAndVerifySignatureTest(ImplementationFactory implementationFactory) throws Exception { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void decryptMessageAndVerifySignatureTest() throws Exception { String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; ConsumerOptions options = new ConsumerOptions() diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java index 060435ff..3ea67b62 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java @@ -16,21 +16,19 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class DecryptHiddenRecipientMessage { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testDecryptionWithWildcardRecipient(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testDecryptionWithWildcardRecipient() throws IOException, PGPException { String secretKeyAscii = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Bob's OpenPGP Transferable Secret Key\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index 03f6165e..db6fb9f3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -18,15 +18,14 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.ModificationDetectionException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class ModificationDetectionTests { @@ -205,14 +204,12 @@ public class ModificationDetectionTests { /** * Messages containing a missing MDC shall fail to decrypt. - * @param implementationFactory implementation factory * @throws IOException in case of an io-error * @throws PGPException in case of a pgp error */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testMissingMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testMissingMDCThrowsByDefault() throws IOException, PGPException { PGPSecretKeyRingCollection secretKeyRings = getDecryptionKey(); @@ -230,10 +227,9 @@ public class ModificationDetectionTests { }); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testTamperedCiphertextThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testTamperedCiphertextThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -246,10 +242,9 @@ public class ModificationDetectionTests { assertThrows(ModificationDetectionException.class, decryptionStream::close); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testIgnoreTamperedCiphertext(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testIgnoreTamperedCiphertext() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -263,10 +258,9 @@ public class ModificationDetectionTests { decryptionStream.close(); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testTamperedMDCThrowsByDefault(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testTamperedMDCThrowsByDefault() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -279,10 +273,9 @@ public class ModificationDetectionTests { assertThrows(ModificationDetectionException.class, decryptionStream::close); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testIgnoreTamperedMDC(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testIgnoreTamperedMDC() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -295,10 +288,9 @@ public class ModificationDetectionTests { Streams.pipeAll(decryptionStream, out); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testTruncatedMDCThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testTruncatedMDCThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -310,10 +302,9 @@ public class ModificationDetectionTests { assertThrows(EOFException.class, () -> Streams.pipeAll(decryptionStream, out)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testMDCWithBadCTBThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testMDCWithBadCTBThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -326,10 +317,9 @@ public class ModificationDetectionTests { assertThrows(ModificationDetectionException.class, decryptionStream::close); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testIgnoreMDCWithBadCTB(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testIgnoreMDCWithBadCTB() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -343,10 +333,9 @@ public class ModificationDetectionTests { decryptionStream.close(); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testMDCWithBadLengthThrows(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testMDCWithBadLengthThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -359,10 +348,9 @@ public class ModificationDetectionTests { assertThrows(ModificationDetectionException.class, decryptionStream::close); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testIgnoreMDCWithBadLength(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testIgnoreMDCWithBadLength() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() .onInputStream(in) @@ -376,10 +364,9 @@ public class ModificationDetectionTests { decryptionStream.close(); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void decryptMessageWithSEDPacket(ImplementationFactory implementationFactory) throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void decryptMessageWithSEDPacket() throws IOException { Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests"); String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n" + "Version: FlowCrypt 6.9.1 Gmail Encryption\r\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index 73ff3f71..343feb7b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -14,11 +14,10 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class RecursionDepthTest { @@ -27,11 +26,10 @@ public class RecursionDepthTest { * * @see Sequoia-PGP Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void decryptionAbortsWhenMaximumRecursionDepthReachedTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void decryptionAbortsWhenMaximumRecursionDepthReachedTest() throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Bob's OpenPGP Transferable Secret Key\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 09a58695..c6075853 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -25,8 +25,8 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.KeyFlag; @@ -34,7 +34,6 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; @@ -47,7 +46,7 @@ import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.policy.Policy; import org.pgpainless.util.ArmoredOutputStreamFactory; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class EncryptDecryptTest { @@ -70,11 +69,10 @@ public class EncryptDecryptTest { Policy.SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyDecryptionAlgorithmPolicy()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void freshKeysRsaToElGamalTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void freshKeysRsaToElGamalTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( @@ -88,54 +86,49 @@ public class EncryptDecryptTest { encryptDecryptForSecretKeyRings(sender, recipient); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void freshKeysRsaToRsaTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void freshKeysRsaToRsaTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); encryptDecryptForSecretKeyRings(sender, recipient); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void freshKeysEcToEcTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void freshKeysEcToEcTest() throws IOException, PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); encryptDecryptForSecretKeyRings(sender, recipient); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void freshKeysEcToRsaTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void freshKeysEcToRsaTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleRsaKeyRing("juliet@capulet.lit", RsaLength._3072); encryptDecryptForSecretKeyRings(sender, recipient); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void freshKeysRsaToEcTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void freshKeysRsaToEcTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); PGPSecretKeyRing recipient = PGPainless.generateKeyRing().simpleEcKeyRing("juliet@capulet.lit"); encryptDecryptForSecretKeyRings(sender, recipient); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void existingRsaKeysTest(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void existingRsaKeysTest() throws IOException, PGPException { PGPSecretKeyRing sender = TestKeys.getJulietSecretKeyRing(); PGPSecretKeyRing recipient = TestKeys.getRomeoSecretKeyRing(); @@ -197,10 +190,9 @@ public class EncryptDecryptTest { assertTrue(result.isVerified()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testDetachedSignatureCreationAndVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testDetachedSignatureCreationAndVerification() throws IOException, PGPException { PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); SecretKeyRingProtector keyRingProtector = new UnprotectedKeysProtector(); @@ -243,10 +235,9 @@ public class EncryptDecryptTest { assertFalse(decryptionResult.getVerifiedSignatures().isEmpty()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testOnePassSignatureCreationAndVerification(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testOnePassSignatureCreationAndVerification() throws IOException, PGPException { PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); SecretKeyRingProtector keyRingProtector = new UnprotectedKeysProtector(); byte[] data = testMessage.getBytes(); @@ -274,10 +265,9 @@ public class EncryptDecryptTest { assertFalse(metadata.getVerifiedSignatures().isEmpty()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void expiredSubkeyBacksigTest(ImplementationFactory implementationFactory) throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void expiredSubkeyBacksigTest() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java index e3b31967..4f0f05d2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java @@ -11,19 +11,17 @@ import java.io.IOException; import java.io.OutputStream; import org.bouncycastle.openpgp.PGPException; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class EncryptionStreamClosedTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testStreamHasToBeClosedBeforeGetResultCanBeCalled(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testStreamHasToBeClosedBeforeGetResultCanBeCalled() throws IOException, PGPException { OutputStream out = new ByteArrayOutputStream(); EncryptionStream stream = PGPainless.encryptAndOrSign() .onOutputStream(out) diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index 27860088..aaaa09db 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -26,8 +26,8 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; @@ -37,7 +37,6 @@ import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.exception.KeyCannotSignException; import org.pgpainless.exception.KeyValidationError; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; @@ -46,17 +45,16 @@ import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.KeyRingUtils; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.MultiMap; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class SigningTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testEncryptionAndSignatureVerification(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testEncryptionAndSignatureVerification() throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPPublicKeyRing julietKeys = TestKeys.getJulietPublicKeyRing(); PGPPublicKeyRing romeoKeys = TestKeys.getRomeoPublicKeyRing(); @@ -117,11 +115,10 @@ public class SigningTest { assertFalse(metadata.containsVerifiedSignatureFrom(julietKeys)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testSignWithInvalidUserIdFails(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testSignWithInvalidUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("password123")); @@ -133,11 +130,10 @@ public class SigningTest { DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testSignWithRevokedUserIdFails(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testSignWithRevokedUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("alice", "password123"); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith( @@ -155,10 +151,9 @@ public class SigningTest { DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void signWithHashAlgorithmOverride(ImplementationFactory implementationFactory) throws PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void signWithHashAlgorithmOverride() throws PGPException, IOException { PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -188,11 +183,10 @@ public class SigningTest { assertEquals(HashAlgorithm.SHA224.getAlgorithmId(), signature.getHashAlgorithm()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -219,11 +213,10 @@ public class SigningTest { signature.getHashAlgorithm()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey( KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) @@ -250,11 +243,10 @@ public class SigningTest { signature.getHashAlgorithm()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void signingWithNonCapableKeyThrowsKeyCannotSignException(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void signingWithNonCapableKeyThrowsKeyCannotSignException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER)) .addUserId("Alice") @@ -267,11 +259,10 @@ public class SigningTest { SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void signWithInvalidUserIdThrowsKeyValidationError(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void signWithInvalidUserIdThrowsKeyValidationError() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java index e651eb2d..74f02dcf 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java @@ -29,18 +29,16 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder; import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; -import org.pgpainless.implementation.ImplementationFactory; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.provider.ProviderFactory; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class BouncycastleExportSubkeys { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testExportImport(ImplementationFactory implementationFactory) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testExportImport() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { KeyPairGenerator generator; KeyPair pair; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index d12963cd..fc05a3ca 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -13,10 +13,10 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class ImportExportKeyTest { @@ -24,10 +24,9 @@ public class ImportExportKeyTest { * Test the export and import of a key ring with sub keys. * @throws IOException in case of a IO error */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testExportImportPublicKeyRing(ImplementationFactory implementationFactory) throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testExportImportPublicKeyRing() throws IOException { PGPPublicKeyRing publicKeys = TestKeys.getJulietPublicKeyRing(); KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); @@ -36,10 +35,9 @@ public class ImportExportKeyTest { assertArrayEquals(publicKeys.getEncoded(), parsed.getEncoded()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testExportImportSecretKeyRing(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testExportImportSecretKeyRing() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getRomeoSecretKeyRing(); KeyFingerPrintCalculator calc = ImplementationFactory.getInstance().getKeyFingerprintCalculator(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index 376777a2..f5b3cf73 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -17,12 +17,11 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; @@ -31,16 +30,15 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.info.KeyInfo; import org.pgpainless.key.util.UserId; import org.pgpainless.util.BCUtil; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class BrainpoolKeyGenerationTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void generateEcKeysTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void generateEcKeysTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); for (EllipticCurve curve : EllipticCurve.values()) { PGPSecretKeyRing secretKeys = generateKey( @@ -66,11 +64,10 @@ public class BrainpoolKeyGenerationTest { } } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void generateEdDSAKeyTest(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void generateEdDSAKeyTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index fecde6c7..1c74d321 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -6,15 +6,14 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class CertificationKeyMustBeAbleToCertifyTest { @@ -23,10 +22,9 @@ public class CertificationKeyMustBeAbleToCertifyTest { * would result in an invalid key. * This test therefore verifies that generating such keys fails. */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testCertificationIncapableKeyTypesThrow(ImplementationFactory implementationFactory) { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testCertificationIncapableKeyTypesThrow() { KeyType[] typesIncapableOfCreatingVerifications = new KeyType[] { KeyType.ECDH(EllipticCurve._P256), KeyType.ECDH(EllipticCurve._P384), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index 36a987f9..9102092b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -6,32 +6,30 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertEquals; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.UserId; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class GenerateEllipticCurveKeyTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void generateEllipticCurveKeys(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void generateEllipticCurveKeys() + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.EDDSA(EdDSACurve._Ed25519), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index 4505662a..ab79b171 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -17,24 +17,22 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class GenerateKeyWithAdditionalUserIdTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void test(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index 6233e59e..6ac8ffb7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -6,20 +6,18 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertNotNull; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import org.bouncycastle.openpgp.PGPException; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.rsa.RsaLength; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; /** * Reproduce behavior of https://github.com/pgpainless/pgpainless/issues/16 @@ -30,10 +28,10 @@ import org.pgpainless.util.TestImplementationFactoryProvider; */ public class GenerateWithEmptyPassphraseTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow(ImplementationFactory implementationFactory) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow() + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { assertNotNull(PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java index 3477e189..adb0c10e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java @@ -6,21 +6,19 @@ package org.pgpainless.key.generation; import static org.junit.jupiter.api.Assertions.assertThrows; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class IllegalKeyFlagsTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testKeyCannotCarryFlagsTest(ImplementationFactory implementationFactory) { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testKeyCannotCarryFlagsTest() { assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( KeyType.XDH(XDHSpec._X25519), KeyFlag.SIGN_DATA)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 8f07d33f..335c7959 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -31,8 +31,8 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.EncryptionPurpose; @@ -40,7 +40,6 @@ import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.algorithm.PublicKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; @@ -52,15 +51,14 @@ import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class KeyRingInfoTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testWithEmilsKeys(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testWithEmilsKeys() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); PGPPublicKeyRing publicKeys = TestKeys.getEmilPublicKeyRing(); @@ -175,10 +173,9 @@ public class KeyRingInfoTest { KeyRingUtils.requireSecretKeyFrom(secretKeys, secretKeys.getPublicKey().getKeyID())); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void dummyS2KTest(ImplementationFactory implementationFactory) throws IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void dummyS2KTest() throws IOException { String withDummyS2K = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "\n" + @@ -214,10 +211,9 @@ public class KeyRingInfoTest { assertTrue(new KeyInfo(secretKeys.getSecretKey()).hasDummyS2K()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testGetKeysWithFlagsAndExpiry(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testGetKeysWithFlagsAndExpiry() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 1b97cd1a..0ac53d58 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -20,11 +20,10 @@ import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.generation.type.ecc.EllipticCurve; @@ -33,15 +32,15 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class AddSubKeyTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testAddSubKey(ImplementationFactory implementationFactory) throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testAddSubKey() + throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); List keyIdsBefore = new ArrayList<>(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 77c1383b..5caa99e1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -18,26 +18,24 @@ import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.UserId; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class AddUserIdTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void addUserIdToExistingKeyRing(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void addUserIdToExistingKeyRing() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); @@ -66,20 +64,18 @@ public class AddUserIdTest { assertFalse(userIds.hasNext()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void deleteUserId_noSuchElementExceptionForMissingUserId(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void deleteUserId_noSuchElementExceptionForMissingUserId() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys) .revokeUserId("invalid@user.id", new UnprotectedKeysProtector())); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void deleteExistingAndAddNewUserIdToExistingKeyRing(ImplementationFactory implementationFactory) throws PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void deleteExistingAndAddNewUserIdToExistingKeyRing() throws PGPException, IOException { final String ARMORED_PRIVATE_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n\r\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index aa8b0589..dd6d03d8 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -10,13 +10,12 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @@ -136,21 +135,19 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { "=GIQn\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void setExpirationDate_keyHasSigClass10(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void setExpirationDate_keyHasSigClass10() throws PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithGenericCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void setExpirationDate_keyHasSigClass12(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void setExpirationDate_keyHasSigClass12() throws PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithCasualCertification); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); executeTestForKeys(keys, protector); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index b728016a..d9ddd44e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -13,26 +13,24 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class ChangeExpirationTest { private final OpenPgpV4Fingerprint subKeyFingerprint = new OpenPgpV4Fingerprint("F73FDE6439ABE210B1AF4EDD273EF7A0C749807B"); - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void setExpirationDateAndThenUnsetIt_OnPrimaryKey(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void setExpirationDateAndThenUnsetIt_OnPrimaryKey() throws PGPException, IOException, InterruptedException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); @@ -62,11 +60,10 @@ public class ChangeExpirationTest { assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void setExpirationDateAndThenUnsetIt_OnSubkey(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void setExpirationDateAndThenUnsetIt_OnSubkey() throws PGPException, IOException, InterruptedException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 283d74cc..0e81d6a2 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -20,8 +20,8 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; @@ -32,8 +32,8 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class ChangeSecretKeyRingPassphraseTest { @@ -42,10 +42,9 @@ public class ChangeSecretKeyRingPassphraseTest { public ChangeSecretKeyRingPassphraseTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void changePassphraseOfWholeKeyRingTest(ImplementationFactory implementationFactory) throws PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void changePassphraseOfWholeKeyRingTest() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")) @@ -70,10 +69,9 @@ public class ChangeSecretKeyRingPassphraseTest { "Unlocking the secret key ring with the new passphrase MUST succeed."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void changePassphraseOfWholeKeyRingToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void changePassphraseOfWholeKeyRingToEmptyPassphrase() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() @@ -88,10 +86,9 @@ public class ChangeSecretKeyRingPassphraseTest { signDummyMessageWithKeysAndPassphrase(changedPassphraseKeyRing, Passphrase.emptyPassphrase()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void changePassphraseOfSingleSubkeyToNewPassphrase(ImplementationFactory implementationFactory) throws PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void changePassphraseOfSingleSubkeyToNewPassphrase() throws PGPException { Iterator keys = keyRing.getSecretKeys(); PGPSecretKey primaryKey = keys.next(); @@ -125,10 +122,9 @@ public class ChangeSecretKeyRingPassphraseTest { "Unlocking the subkey with the primary key passphrase must fail."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void changePassphraseOfSingleSubkeyToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void changePassphraseOfSingleSubkeyToEmptyPassphrase() throws PGPException { Iterator keys = keyRing.getSecretKeys(); PGPSecretKey primaryKey = keys.next(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java index b9a00cd6..bdead096 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java @@ -16,21 +16,19 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.protection.UnprotectedKeysProtector; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class OldSignatureSubpacketsArePreservedOnNewSig { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleEcKeyRing("Alice "); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java index a9b1f0a8..b6a4d435 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java @@ -14,13 +14,12 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; /** * Test that makes sure that PGPainless can deal with keys that carry a key @@ -64,10 +63,9 @@ public class RevokeKeyWithGenericCertificationSignatureTest { } } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void test(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void test() throws IOException, PGPException { revokeKey(SAMPLE_PRIVATE_KEY); // would crash previously } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index 1cce7290..68c9ddaa 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -13,17 +13,16 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @@ -101,11 +100,10 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { "=3Zyp\n" + "-----END PGP PRIVATE KEY BLOCK-----"; - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testChangingExpirationTimeWithKeyWithoutPrefAlgos(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testChangingExpirationTimeWithKeyWithoutPrefAlgos() throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); Date expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(new Date())); PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); List fingerprintList = new ArrayList<>(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 861002f0..4f612c50 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -24,12 +24,11 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.SignatureType; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.TestKeys; import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface; @@ -39,15 +38,14 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class RevokeSubKeyTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void revokeSukeyTest(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void revokeSukeyTest() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); Iterator keysIterator = secretKeys.iterator(); @@ -69,10 +67,9 @@ public class RevokeSubKeyTest { assertTrue(subKey.getPublicKey().hasRevocation()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void detachedRevokeSubkeyTest(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void detachedRevokeSubkeyTest() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(secretKeys); SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector.forKey(secretKeys, Passphrase.fromPassword("password123")); @@ -90,10 +87,9 @@ public class RevokeSubKeyTest { assertTrue(publicKey.hasRevocation()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testRevocationSignatureTypeCorrect(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testRevocationSignatureTypeCorrect() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); Iterator keysIterator = secretKeys.getPublicKeys(); PGPPublicKey primaryKey = keysIterator.next(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java index 94eb5863..83477b28 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/PassphraseTest.java @@ -13,6 +13,8 @@ import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; import org.pgpainless.util.Passphrase; public class PassphraseTest { @@ -49,15 +51,13 @@ public class PassphraseTest { assertTrue(fromEmptyChars.isEmpty()); } - @Test - public void testEmptyPassphrase() { - Passphrase empty = Passphrase.emptyPassphrase(); - assertNull(empty.getChars()); - assertTrue(empty.isEmpty()); + @ParameterizedTest + @ValueSource(strings = {"", " ", " ", "\t", "\t\t"}) + public void testEmptyPassphrases(String empty) { + Passphrase passphrase = Passphrase.fromPassword(empty); + assertTrue(passphrase.isEmpty()); - Passphrase trimmedEmpty = Passphrase.fromPassword(" "); - assertNull(trimmedEmpty.getChars()); - assertTrue(trimmedEmpty.isEmpty()); + assertEquals(Passphrase.emptyPassphrase(), passphrase); } @Test diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index b641af56..3fd0e1eb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -23,22 +23,20 @@ import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class SecretKeyRingProtectorTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testUnlockAllKeysWithSamePassword(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testUnlockAllKeysWithSamePassword() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); SecretKeyRingProtector protector = @@ -69,11 +67,10 @@ public class SecretKeyRingProtectorTest { } } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testUnlockSingleKeyWithPassphrase(ImplementationFactory implementationFactory) + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testUnlockSingleKeyWithPassphrase() throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); Iterator iterator = secretKeys.iterator(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index f94380cd..e158b958 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -16,14 +16,13 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; /** * Explores how subpackets on binding sigs are handled. @@ -52,10 +51,9 @@ public class BindingSignatureSubpacketsTest { private Date validationDate = new Date(); private Policy policy = PGPainless.getPolicy(); - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void baseCase(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void baseCase() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -114,10 +112,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Base case. Is valid."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingIssuerFpOnly(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -176,10 +173,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Interoperability concern."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingIssuerV6IssuerFp(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -238,10 +234,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Interoperability concern"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingIssuerFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -300,10 +295,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Interoperability concern."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingFakeIssuerIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -362,10 +356,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Interop concern"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -424,10 +417,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "fake issuers do not throw us off here."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingNoIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -485,10 +477,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "subkey binding sig does not need issuer"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void unknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void unknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -547,10 +538,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown subpackets are okay in hashed area"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingUnknownCriticalSubpacket(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingUnknownCriticalSubpacket() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -609,10 +599,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationFails(key, "Unknown critical subpacket in hashed area invalidates signature"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -671,10 +660,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown subpackets may be allowed in unhashed area."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingUnknownCriticalSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -733,10 +721,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Critical unknown subpacket is okay in unhashed area."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -796,10 +783,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown notation is okay in subkey binding sig."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingCriticalUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -859,10 +845,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationFails(key, "Critical unknown notation invalidates subkey binding sig."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -922,10 +907,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown notation is okay in unhashed area."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingCriticalUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -985,10 +969,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Critical unknown notation is okay in unhashed area."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingBackSigFakeBackSig(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingBackSigFakeBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1058,10 +1041,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Back-sig, fake back-sig should succeed to verify"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeyBindingFakeBackSigBackSig(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeyBindingFakeBackSigBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1131,10 +1113,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Fake back-sig, back-sig should succeed to verify."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingIssuerFpOnly(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1193,10 +1174,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "issuer fp is enough"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingIssuerV6IssuerFp(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1255,10 +1235,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "interop"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingIssuerFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1317,10 +1296,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "interop"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingFakeIssuerIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1379,10 +1357,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "interop"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingFakeIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1441,10 +1418,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Fake issuer on primary key binding sig is not an issue."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingNoIssuer(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1502,10 +1478,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Missing issuer on primary key binding sig is not an issue"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingUnknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1564,10 +1539,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown subpacket in hashed area is not a problem."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingCriticalUnknownSubpacketHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1626,10 +1600,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationFails(key, "Critical unknown subpacket in hashed area invalidates signature."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1688,10 +1661,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown subpacket is not an issue in the unhashed area"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingCriticalUnknownSubpacketUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1750,10 +1722,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Critical unknown subpacket is acceptable in unhashed area of primary binding sig"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1813,10 +1784,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown notation is acceptable in hashed area of primary binding sig."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingCriticalUnknownNotationHashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1876,10 +1846,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationFails(key, "Critical unknown notation in hashed area invalidates primary binding sig"); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + @@ -1939,10 +1908,9 @@ public class BindingSignatureSubpacketsTest { expectSignatureValidationSucceeds(key, "Unknown notation in unhashed area of primary key binding is okay."); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void primaryBindingCriticalUnknownNotationUnhashed(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index 5eb98aa7..cf7e07ed 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -19,17 +19,16 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class CertificateValidatorTest { @@ -38,10 +37,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testPrimaryKeySignsAndIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testPrimaryKeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -190,10 +188,9 @@ public class CertificateValidatorTest { * Subkey signs, primary key is hard revoked with reason: unknown. * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -343,10 +340,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testSubkeySignsAndIsHardRevokedUnknown(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testSubkeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { String keyWithHardRev = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -496,10 +492,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testPrimaryKeySignsAndIsSoftRevokedSuperseded(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testPrimaryKeySignsAndIsSoftRevokedSuperseded() throws IOException, PGPException { String keyWithSoftRev = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -654,10 +649,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -808,10 +802,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testPrimaryKeySignsAndIsSoftRevokedRetired(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testPrimaryKeySignsAndIsSoftRevokedRetired() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -962,10 +955,9 @@ public class CertificateValidatorTest { * * @see Sequoia Test Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testTemporaryValidity(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testTemporaryValidity() throws IOException, PGPException { String keyA = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "Comment: D1A6 6E1A 23B1 82C9 980F 788C FBFC C82A 015E 7330\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 95728fb0..3db8096d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -14,22 +14,20 @@ import java.util.Date; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class KeyRevocationTest { private static final String data = "Hello, World"; - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeySignsPrimaryKeyRevokedNoReason(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeySignsPrimaryKeyRevokedNoReason() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + @@ -174,10 +172,9 @@ public class KeyRevocationTest { * * @see Sequoia Test-Suite */ - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void subkeySignsPrimaryKeyNotRevoked(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void subkeySignsPrimaryKeyNotRevoked() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 20fb598a..00f39144 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -33,8 +33,8 @@ import org.bouncycastle.openpgp.PGPSignatureList; import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.algorithm.DocumentSignatureType; import org.pgpainless.algorithm.HashAlgorithm; @@ -47,14 +47,14 @@ import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.TestImplementationFactoryProvider; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; public class OnePassSignatureBracketingTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void onePassSignaturePacketsAndSignaturesAreBracketedTest(ImplementationFactory implementationFactory) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void onePassSignaturePacketsAndSignaturesAreBracketedTest() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice", null); PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob", null); diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index 7ab00868..efcef2ec 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -11,24 +11,22 @@ import java.nio.charset.StandardCharsets; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; -import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; public class MultiPassphraseSymmetricEncryptionTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void encryptDecryptWithMultiplePassphrases(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void encryptDecryptWithMultiplePassphrases() throws IOException, PGPException { String message = "Here we test if during decryption of a message that was encrypted with two passphrases, " + "the decryptor finds the session key encrypted for the right passphrase."; ByteArrayInputStream plaintextIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index aa14394c..2a2de35a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -17,8 +17,9 @@ import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.util.io.Streams; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; +import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -27,24 +28,21 @@ import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.exception.MissingDecryptionMethodException; -import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.util.Passphrase; -import org.pgpainless.util.TestImplementationFactoryProvider; /** * Test parallel symmetric and public key encryption/decryption. */ public class SymmetricEncryptionTest { - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void encryptWithKeyAndPassphrase_DecryptWithKey(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void encryptWithKeyAndPassphrase_DecryptWithKey() throws IOException, PGPException { byte[] plaintext = "This is a secret message".getBytes(StandardCharsets.UTF_8); ByteArrayInputStream plaintextIn = new ByteArrayInputStream(plaintext); PGPPublicKeyRing encryptionKey = TestKeys.getCryptiePublicKeyRing(); @@ -95,11 +93,9 @@ public class SymmetricEncryptionTest { assertArrayEquals(plaintext, decrypted.toByteArray()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void testMismatchPassphraseFails(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); - + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void testMismatchPassphraseFails() throws IOException, PGPException { byte[] bytes = new byte[5000]; new Random().nextBytes(bytes); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 6a8a6a64..116c18cd 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -26,8 +26,8 @@ import org.bouncycastle.openpgp.PGPUtil; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.Test; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; +import org.junit.jupiter.api.TestTemplate; +import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.algorithm.HashAlgorithm; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.TestKeys; @@ -144,10 +144,9 @@ public class ArmorUtilsTest { "-----END PGP MESSAGE-----\n", out.toString()); } - @ParameterizedTest - @ArgumentsSource(TestImplementationFactoryProvider.class) - public void decodeExampleTest(ImplementationFactory implementationFactory) throws IOException, PGPException { - ImplementationFactory.setFactoryImplementation(implementationFactory); + @TestTemplate + @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + public void decodeExampleTest() throws IOException, PGPException { String armored = "-----BEGIN PGP MESSAGE-----\n" + "Version: OpenPrivacy 0.99\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java new file mode 100644 index 00000000..430290e5 --- /dev/null +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java @@ -0,0 +1,66 @@ +// SPDX-FileCopyrightText: 2021 Paul Schaub +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.util; + +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.stream.Stream; + +import org.junit.jupiter.api.extension.BeforeTestExecutionCallback; +import org.junit.jupiter.api.extension.Extension; +import org.junit.jupiter.api.extension.ExtensionContext; +import org.junit.jupiter.api.extension.TestTemplateInvocationContext; +import org.junit.jupiter.api.extension.TestTemplateInvocationContextProvider; +import org.pgpainless.implementation.BcImplementationFactory; +import org.pgpainless.implementation.ImplementationFactory; +import org.pgpainless.implementation.JceImplementationFactory; + +/** + * InvocationContextProvider that sets different {@link ImplementationFactory} implementations before running annotated + * tests. + * + * Example test annotation: + * {@code + * @TestTemplate + * @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + * public void testAllImplementationFactories() { + * ... + * } + * } + * + * @see Baeldung: Writing Templates for Test Cases Using JUnit 5 + */ +public class ImplementationFactoryTestInvocationContextProvider implements TestTemplateInvocationContextProvider { + + private static final List IMPLEMENTATIONS = Arrays.asList( + new BcImplementationFactory(), + new JceImplementationFactory() + ); + + @Override + public boolean supportsTestTemplate(ExtensionContext context) { + return true; + } + + @Override + public Stream provideTestTemplateInvocationContexts(ExtensionContext context) { + + return IMPLEMENTATIONS.stream() + .map(implementationFactory -> new TestTemplateInvocationContext() { + @Override + public String getDisplayName(int invocationIndex) { + return context.getDisplayName() + " with " + implementationFactory.getClass().getSimpleName(); + } + + @Override + public List getAdditionalExtensions() { + return Collections.singletonList( + (BeforeTestExecutionCallback) ctx -> ImplementationFactory.setFactoryImplementation(implementationFactory) + ); + } + }); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java index 63dc386c..bb9b0feb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java @@ -17,6 +17,8 @@ import java.util.stream.Stream; /** * Utility class used to provide all available implementations of {@link ImplementationFactory} for parametrized tests. + * + * @deprecated in favor of {@link ImplementationFactoryTestInvocationContextProvider}. */ public class TestImplementationFactoryProvider implements ArgumentsProvider { From cf90c25afc5ee0578565f561c6fb0be6b44ae970 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 16:56:29 +0100 Subject: [PATCH 0214/1450] rename invocationContextProvider to TestAllImplementations --- .../org/bouncycastle/PGPUtilWrapperTest.java | 4 +- .../DecryptAndVerifyMessageTest.java | 4 +- .../DecryptHiddenRecipientMessage.java | 4 +- .../ModificationDetectionTests.java | 24 +++---- .../RecursionDepthTest.java | 4 +- .../EncryptDecryptTest.java | 20 +++--- .../EncryptionStreamClosedTest.java | 4 +- .../encryption_signing/SigningTest.java | 18 +++--- .../key/BouncycastleExportSubkeys.java | 4 +- .../pgpainless/key/ImportExportKeyTest.java | 6 +- .../BrainpoolKeyGenerationTest.java | 6 +- ...rtificationKeyMustBeAbleToCertifyTest.java | 4 +- .../GenerateEllipticCurveKeyTest.java | 4 +- .../GenerateKeyWithAdditionalUserIdTest.java | 4 +- .../GenerateWithEmptyPassphraseTest.java | 4 +- .../key/generation/IllegalKeyFlagsTest.java | 4 +- .../pgpainless/key/info/KeyRingInfoTest.java | 8 +-- .../key/modification/AddSubKeyTest.java | 4 +- .../key/modification/AddUserIdTest.java | 8 +-- ...nOnKeyWithDifferentSignatureTypesTest.java | 6 +- .../modification/ChangeExpirationTest.java | 6 +- .../ChangeSecretKeyRingPassphraseTest.java | 10 +-- ...gnatureSubpacketsArePreservedOnNewSig.java | 4 +- ...WithGenericCertificationSignatureTest.java | 4 +- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 4 +- .../key/modification/RevokeSubKeyTest.java | 8 +-- .../SecretKeyRingProtectorTest.java | 6 +- .../BindingSignatureSubpacketsTest.java | 64 +++++++++---------- .../signature/CertificateValidatorTest.java | 16 ++--- .../signature/KeyRevocationTest.java | 6 +- .../OnePassSignatureBracketingTest.java | 4 +- ...ultiPassphraseSymmetricEncryptionTest.java | 4 +- .../SymmetricEncryptionTest.java | 6 +- .../org/pgpainless/util/ArmorUtilsTest.java | 2 +- ...vider.java => TestAllImplementations.java} | 2 +- .../TestImplementationFactoryProvider.java | 2 +- 36 files changed, 146 insertions(+), 146 deletions(-) rename pgpainless-core/src/test/java/org/pgpainless/util/{ImplementationFactoryTestInvocationContextProvider.java => TestAllImplementations.java} (95%) diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java index 8c2b432b..1c0093f3 100644 --- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java +++ b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java @@ -22,13 +22,13 @@ import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.PGPUtilWrapper; public class PGPUtilWrapperTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testGetDecoderStream() throws IOException { ByteArrayInputStream msg = new ByteArrayInputStream("Foo\nBar".getBytes(StandardCharsets.UTF_8)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index 79e6fae0..da00f7a0 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -25,7 +25,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.TestKeys; import org.pgpainless.key.util.KeyRingUtils; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class DecryptAndVerifyMessageTest { @@ -42,7 +42,7 @@ public class DecryptAndVerifyMessageTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void decryptMessageAndVerifySignatureTest() throws Exception { String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java index 3ea67b62..5c63a996 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java @@ -22,12 +22,12 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.key.SubkeyIdentifier; import org.pgpainless.key.info.KeyRingInfo; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class DecryptHiddenRecipientMessage { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testDecryptionWithWildcardRecipient() throws IOException, PGPException { String secretKeyAscii = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Bob's OpenPGP Transferable Secret Key\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java index db6fb9f3..2ca265ea 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java @@ -24,7 +24,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.ModificationDetectionException; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class ModificationDetectionTests { @@ -208,7 +208,7 @@ public class ModificationDetectionTests { * @throws PGPException in case of a pgp error */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testMissingMDCThrowsByDefault() throws IOException, PGPException { PGPSecretKeyRingCollection secretKeyRings = getDecryptionKey(); @@ -228,7 +228,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testTamperedCiphertextThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -243,7 +243,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testIgnoreTamperedCiphertext() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_CIPHERTEXT.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -259,7 +259,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testTamperedMDCThrowsByDefault() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -274,7 +274,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testIgnoreTamperedMDC() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TAMPERED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -289,7 +289,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testTruncatedMDCThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_TRUNCATED_MDC.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -303,7 +303,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testMDCWithBadCTBThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -318,7 +318,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testIgnoreMDCWithBadCTB() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_CTB.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -334,7 +334,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testMDCWithBadLengthThrows() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -349,7 +349,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testIgnoreMDCWithBadLength() throws IOException, PGPException { ByteArrayInputStream in = new ByteArrayInputStream(MESSAGE_MDC_WITH_BAD_LENGTH.getBytes(StandardCharsets.UTF_8)); DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify() @@ -365,7 +365,7 @@ public class ModificationDetectionTests { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void decryptMessageWithSEDPacket() throws IOException { Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests"); String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java index 343feb7b..b253cf7f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java @@ -17,7 +17,7 @@ import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class RecursionDepthTest { @@ -27,7 +27,7 @@ public class RecursionDepthTest { * @see Sequoia-PGP Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void decryptionAbortsWhenMaximumRecursionDepthReachedTest() throws IOException { String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index c6075853..32592207 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -46,7 +46,7 @@ import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.policy.Policy; import org.pgpainless.util.ArmoredOutputStreamFactory; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class EncryptDecryptTest { @@ -70,7 +70,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToElGamalTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); @@ -87,7 +87,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToRsaTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); @@ -97,7 +97,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void freshKeysEcToEcTest() throws IOException, PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); @@ -107,7 +107,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void freshKeysEcToRsaTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleEcKeyRing("romeo@montague.lit"); @@ -117,7 +117,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void freshKeysRsaToEcTest() throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, IOException { PGPSecretKeyRing sender = PGPainless.generateKeyRing().simpleRsaKeyRing("romeo@montague.lit", RsaLength._3072); @@ -127,7 +127,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void existingRsaKeysTest() throws IOException, PGPException { PGPSecretKeyRing sender = TestKeys.getJulietSecretKeyRing(); PGPSecretKeyRing recipient = TestKeys.getRomeoSecretKeyRing(); @@ -191,7 +191,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testDetachedSignatureCreationAndVerification() throws IOException, PGPException { PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); @@ -236,7 +236,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testOnePassSignatureCreationAndVerification() throws IOException, PGPException { PGPSecretKeyRing signingKeys = TestKeys.getJulietSecretKeyRing(); SecretKeyRingProtector keyRingProtector = new UnprotectedKeysProtector(); @@ -266,7 +266,7 @@ public class EncryptDecryptTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void expiredSubkeyBacksigTest() throws IOException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java index 4f0f05d2..4ac43630 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionStreamClosedTest.java @@ -14,13 +14,13 @@ import org.bouncycastle.openpgp.PGPException; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class EncryptionStreamClosedTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testStreamHasToBeClosedBeforeGetResultCanBeCalled() throws IOException, PGPException { OutputStream out = new ByteArrayOutputStream(); EncryptionStream stream = PGPainless.encryptAndOrSign() diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java index aaaa09db..593938ad 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java @@ -45,14 +45,14 @@ import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.util.KeyRingUtils; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.MultiMap; import org.pgpainless.util.Passphrase; public class SigningTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testEncryptionAndSignatureVerification() throws IOException, PGPException { @@ -116,7 +116,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testSignWithInvalidUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() @@ -131,7 +131,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testSignWithRevokedUserIdFails() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() @@ -152,7 +152,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void signWithHashAlgorithmOverride() throws PGPException, IOException { PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -184,7 +184,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfEmptyPreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() @@ -214,7 +214,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void negotiateHashAlgorithmChoseFallbackIfUnacceptablePreferences() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() @@ -244,7 +244,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void signingWithNonCapableKeyThrowsKeyCannotSignException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() @@ -260,7 +260,7 @@ public class SigningTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void signWithInvalidUserIdThrowsKeyValidationError() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java index 74f02dcf..f8ea991b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/BouncycastleExportSubkeys.java @@ -32,12 +32,12 @@ import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.provider.ProviderFactory; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class BouncycastleExportSubkeys { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testExportImport() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException { KeyPairGenerator generator; KeyPair pair; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java index fc05a3ca..52dac288 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/ImportExportKeyTest.java @@ -16,7 +16,7 @@ import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class ImportExportKeyTest { @@ -25,7 +25,7 @@ public class ImportExportKeyTest { * @throws IOException in case of a IO error */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testExportImportPublicKeyRing() throws IOException { PGPPublicKeyRing publicKeys = TestKeys.getJulietPublicKeyRing(); @@ -36,7 +36,7 @@ public class ImportExportKeyTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testExportImportSecretKeyRing() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getRomeoSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java index f5b3cf73..8a8afe0e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java @@ -30,13 +30,13 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.info.KeyInfo; import org.pgpainless.key.util.UserId; import org.pgpainless.util.BCUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class BrainpoolKeyGenerationTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void generateEcKeysTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { @@ -65,7 +65,7 @@ public class BrainpoolKeyGenerationTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void generateEdDSAKeyTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java index 1c74d321..7b6710c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/CertificationKeyMustBeAbleToCertifyTest.java @@ -13,7 +13,7 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class CertificationKeyMustBeAbleToCertifyTest { @@ -23,7 +23,7 @@ public class CertificationKeyMustBeAbleToCertifyTest { * This test therefore verifies that generating such keys fails. */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testCertificationIncapableKeyTypesThrow() { KeyType[] typesIncapableOfCreatingVerifications = new KeyType[] { KeyType.ECDH(EllipticCurve._P256), diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java index 9102092b..8ea4877d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateEllipticCurveKeyTest.java @@ -22,12 +22,12 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.util.UserId; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class GenerateEllipticCurveKeyTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void generateEllipticCurveKeys() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing keyRing = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java index ab79b171..b05dbe1e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java @@ -26,12 +26,12 @@ import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class GenerateKeyWithAdditionalUserIdTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000); PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java index 6ac8ffb7..dbb3f49b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java @@ -16,7 +16,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.rsa.RsaLength; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; /** @@ -29,7 +29,7 @@ import org.pgpainless.util.Passphrase; public class GenerateWithEmptyPassphraseTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testGeneratingKeyWithEmptyPassphraseDoesNotThrow() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java index adb0c10e..24ea4aa4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/IllegalKeyFlagsTest.java @@ -12,12 +12,12 @@ import org.pgpainless.algorithm.KeyFlag; import org.pgpainless.key.generation.type.KeyType; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.xdh.XDHSpec; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class IllegalKeyFlagsTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testKeyCannotCarryFlagsTest() { assertThrows(IllegalArgumentException.class, () -> KeySpec.getBuilder( KeyType.XDH(XDHSpec._X25519), KeyFlag.SIGN_DATA)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 335c7959..8119aa9e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -51,13 +51,13 @@ import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class KeyRingInfoTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testWithEmilsKeys() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); @@ -174,7 +174,7 @@ public class KeyRingInfoTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void dummyS2KTest() throws IOException { String withDummyS2K = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + @@ -212,7 +212,7 @@ public class KeyRingInfoTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testGetKeysWithFlagsAndExpiry() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 0ac53d58..47e5f43f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -32,13 +32,13 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class AddSubKeyTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testAddSubKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java index 5caa99e1..4580b00c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java @@ -27,13 +27,13 @@ import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.util.UserId; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class AddUserIdTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void addUserIdToExistingKeyRing() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("alice@wonderland.lit", "rabb1th0le"); @@ -65,7 +65,7 @@ public class AddUserIdTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void deleteUserId_noSuchElementExceptionForMissingUserId() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); @@ -74,7 +74,7 @@ public class AddUserIdTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void deleteExistingAndAddNewUserIdToExistingKeyRing() throws PGPException, IOException { final String ARMORED_PRIVATE_KEY = diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index dd6d03d8..a12b8b6b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -15,7 +15,7 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { @@ -136,7 +136,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { "-----END PGP PRIVATE KEY BLOCK-----"; @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass10() throws PGPException, IOException { PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithGenericCertification); @@ -145,7 +145,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void setExpirationDate_keyHasSigClass12() throws PGPException, IOException { PGPSecretKeyRing keys = PGPainless.readKeyRing().secretKeyRing(keyWithCasualCertification); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java index d9ddd44e..89d9d5bb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java @@ -21,14 +21,14 @@ import org.pgpainless.key.TestKeys; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class ChangeExpirationTest { private final OpenPgpV4Fingerprint subKeyFingerprint = new OpenPgpV4Fingerprint("F73FDE6439ABE210B1AF4EDD273EF7A0C749807B"); @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void setExpirationDateAndThenUnsetIt_OnPrimaryKey() throws PGPException, IOException, InterruptedException { @@ -61,7 +61,7 @@ public class ChangeExpirationTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void setExpirationDateAndThenUnsetIt_OnSubkey() throws PGPException, IOException, InterruptedException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 0e81d6a2..0199bbc4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -32,7 +32,7 @@ import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class ChangeSecretKeyRingPassphraseTest { @@ -43,7 +43,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void changePassphraseOfWholeKeyRingTest() throws PGPException { PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) @@ -70,7 +70,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void changePassphraseOfWholeKeyRingToEmptyPassphrase() throws PGPException, IOException { PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) .changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")) @@ -87,7 +87,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void changePassphraseOfSingleSubkeyToNewPassphrase() throws PGPException { Iterator keys = keyRing.getSecretKeys(); @@ -123,7 +123,7 @@ public class ChangeSecretKeyRingPassphraseTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void changePassphraseOfSingleSubkeyToEmptyPassphrase() throws PGPException { Iterator keys = keyRing.getSecretKeys(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java index bdead096..dbca56d4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java @@ -21,12 +21,12 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.protection.UnprotectedKeysProtector; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class OldSignatureSubpacketsArePreservedOnNewSig { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java index b6a4d435..b2cd85fc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithGenericCertificationSignatureTest.java @@ -19,7 +19,7 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.ArmoredOutputStreamFactory; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; /** * Test that makes sure that PGPainless can deal with keys that carry a key @@ -64,7 +64,7 @@ public class RevokeKeyWithGenericCertificationSignatureTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void test() throws IOException, PGPException { revokeKey(SAMPLE_PRIVATE_KEY); // would crash previously } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index 68c9ddaa..98d79556 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -22,7 +22,7 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.DateUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @@ -101,7 +101,7 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { "-----END PGP PRIVATE KEY BLOCK-----"; @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testChangingExpirationTimeWithKeyWithoutPrefAlgos() throws IOException, PGPException { Date expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(new Date())); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java index 4f612c50..81e6287f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java @@ -38,13 +38,13 @@ import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class RevokeSubKeyTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void revokeSukeyTest() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); @@ -68,7 +68,7 @@ public class RevokeSubKeyTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void detachedRevokeSubkeyTest() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); OpenPgpV4Fingerprint fingerprint = new OpenPgpV4Fingerprint(secretKeys); @@ -88,7 +88,7 @@ public class RevokeSubKeyTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testRevocationSignatureTypeCorrect() throws IOException, PGPException { PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing(); Iterator keysIterator = secretKeys.getPublicKeys(); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 3fd0e1eb..7a547740 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -28,13 +28,13 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class SecretKeyRingProtectorTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testUnlockAllKeysWithSamePassword() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { @@ -68,7 +68,7 @@ public class SecretKeyRingProtectorTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testUnlockSingleKeyWithPassphrase() throws IOException, PGPException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java index e158b958..331ca07a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/BindingSignatureSubpacketsTest.java @@ -22,7 +22,7 @@ import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; /** * Explores how subpackets on binding sigs are handled. @@ -52,7 +52,7 @@ public class BindingSignatureSubpacketsTest { private Policy policy = PGPainless.getPolicy(); @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void baseCase() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -113,7 +113,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -174,7 +174,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -235,7 +235,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -296,7 +296,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -357,7 +357,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -418,7 +418,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -478,7 +478,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void unknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -539,7 +539,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingUnknownCriticalSubpacket() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -600,7 +600,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -661,7 +661,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingUnknownCriticalSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -722,7 +722,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -784,7 +784,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -846,7 +846,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -908,7 +908,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -970,7 +970,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingBackSigFakeBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1042,7 +1042,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeyBindingFakeBackSigBackSig() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1114,7 +1114,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingIssuerFpOnly() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1175,7 +1175,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingIssuerV6IssuerFp() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1236,7 +1236,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingIssuerFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1297,7 +1297,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingFakeIssuerIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1358,7 +1358,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingFakeIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1419,7 +1419,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingNoIssuer() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1479,7 +1479,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1540,7 +1540,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingCriticalUnknownSubpacketHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1601,7 +1601,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1662,7 +1662,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingCriticalUnknownSubpacketUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1723,7 +1723,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1785,7 +1785,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingCriticalUnknownNotationHashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1847,7 +1847,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + @@ -1909,7 +1909,7 @@ public class BindingSignatureSubpacketsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void primaryBindingCriticalUnknownNotationUnhashed() throws IOException, PGPException { String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java index cf7e07ed..a17f700e 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateValidatorTest.java @@ -28,7 +28,7 @@ import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.policy.Policy; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class CertificateValidatorTest { @@ -38,7 +38,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testPrimaryKeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -189,7 +189,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testSubkeySignsPrimaryKeyIsHardRevokedUnknown() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -341,7 +341,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testSubkeySignsAndIsHardRevokedUnknown() throws IOException, PGPException { String keyWithHardRev = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -493,7 +493,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testPrimaryKeySignsAndIsSoftRevokedSuperseded() throws IOException, PGPException { String keyWithSoftRev = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -650,7 +650,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testSubkeySignsPrimaryKeyIsSoftRevokedSuperseded() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -803,7 +803,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testPrimaryKeySignsAndIsSoftRevokedRetired() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -956,7 +956,7 @@ public class CertificateValidatorTest { * @see Sequoia Test Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testTemporaryValidity() throws IOException, PGPException { String keyA = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java index 3db8096d..67f5cf4c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRevocationTest.java @@ -19,14 +19,14 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.signature.consumer.CertificateValidator; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class KeyRevocationTest { private static final String data = "Hello, World"; @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeySignsPrimaryKeyRevokedNoReason() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + @@ -173,7 +173,7 @@ public class KeyRevocationTest { * @see Sequoia Test-Suite */ @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void subkeySignsPrimaryKeyNotRevoked() throws IOException, PGPException { String key = "-----BEGIN PGP ARMORED FILE-----\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 00f39144..65351e64 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -47,12 +47,12 @@ import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; public class OnePassSignatureBracketingTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void onePassSignaturePacketsAndSignaturesAreBracketedTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java index efcef2ec..5132ef57 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/MultiPassphraseSymmetricEncryptionTest.java @@ -19,13 +19,13 @@ import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.encryption_signing.EncryptionOptions; import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.ProducerOptions; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; public class MultiPassphraseSymmetricEncryptionTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void encryptDecryptWithMultiplePassphrases() throws IOException, PGPException { String message = "Here we test if during decryption of a message that was encrypted with two passphrases, " + "the decryptor finds the session key encrypted for the right passphrase."; diff --git a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java index 2a2de35a..d3c503ab 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/symmetric_encryption/SymmetricEncryptionTest.java @@ -19,7 +19,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; -import org.pgpainless.util.ImplementationFactoryTestInvocationContextProvider; +import org.pgpainless.util.TestAllImplementations; import org.pgpainless.PGPainless; import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.DecryptionStream; @@ -41,7 +41,7 @@ import org.pgpainless.util.Passphrase; public class SymmetricEncryptionTest { @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void encryptWithKeyAndPassphrase_DecryptWithKey() throws IOException, PGPException { byte[] plaintext = "This is a secret message".getBytes(StandardCharsets.UTF_8); ByteArrayInputStream plaintextIn = new ByteArrayInputStream(plaintext); @@ -94,7 +94,7 @@ public class SymmetricEncryptionTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void testMismatchPassphraseFails() throws IOException, PGPException { byte[] bytes = new byte[5000]; new Random().nextBytes(bytes); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java index 116c18cd..f421277b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java @@ -145,7 +145,7 @@ public class ArmorUtilsTest { } @TestTemplate - @ExtendWith(ImplementationFactoryTestInvocationContextProvider.class) + @ExtendWith(TestAllImplementations.class) public void decodeExampleTest() throws IOException, PGPException { String armored = "-----BEGIN PGP MESSAGE-----\n" + "Version: OpenPrivacy 0.99\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java similarity index 95% rename from pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java rename to pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java index 430290e5..2b874b6d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/ImplementationFactoryTestInvocationContextProvider.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestAllImplementations.java @@ -33,7 +33,7 @@ import org.pgpainless.implementation.JceImplementationFactory; * * @see Baeldung: Writing Templates for Test Cases Using JUnit 5 */ -public class ImplementationFactoryTestInvocationContextProvider implements TestTemplateInvocationContextProvider { +public class TestAllImplementations implements TestTemplateInvocationContextProvider { private static final List IMPLEMENTATIONS = Arrays.asList( new BcImplementationFactory(), diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java index bb9b0feb..b6f83ecc 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java @@ -18,7 +18,7 @@ import java.util.stream.Stream; /** * Utility class used to provide all available implementations of {@link ImplementationFactory} for parametrized tests. * - * @deprecated in favor of {@link ImplementationFactoryTestInvocationContextProvider}. + * @deprecated in favor of {@link TestAllImplementations}. */ public class TestImplementationFactoryProvider implements ArgumentsProvider { From 78b668880b5286c1463a1ab4e847202906513373 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 14 Dec 2021 16:57:50 +0100 Subject: [PATCH 0215/1450] Delete unused TestImplementationFactoryProvider --- .../TestImplementationFactoryProvider.java | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java b/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java deleted file mode 100644 index b6f83ecc..00000000 --- a/pgpainless-core/src/test/java/org/pgpainless/util/TestImplementationFactoryProvider.java +++ /dev/null @@ -1,34 +0,0 @@ -// SPDX-FileCopyrightText: 2021 Paul Schaub -// -// SPDX-License-Identifier: Apache-2.0 - -package org.pgpainless.util; - -import org.junit.jupiter.api.extension.ExtensionContext; -import org.junit.jupiter.params.provider.Arguments; -import org.junit.jupiter.params.provider.ArgumentsProvider; -import org.pgpainless.implementation.BcImplementationFactory; -import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.implementation.JceImplementationFactory; - -import java.util.Arrays; -import java.util.List; -import java.util.stream.Stream; - -/** - * Utility class used to provide all available implementations of {@link ImplementationFactory} for parametrized tests. - * - * @deprecated in favor of {@link TestAllImplementations}. - */ -public class TestImplementationFactoryProvider implements ArgumentsProvider { - - private static final List IMPLEMENTATIONS = Arrays.asList( - new BcImplementationFactory(), - new JceImplementationFactory() - ); - - @Override - public Stream provideArguments(ExtensionContext context) { - return IMPLEMENTATIONS.stream().map(Arguments::of); - } -} From ef68fc1890bb00b57956180a6039873d11046df0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 15 Dec 2021 17:28:24 +0100 Subject: [PATCH 0216/1450] Add cure53 audit report --- resources/FLO-04-report.pdf | Bin 0 -> 597408 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 resources/FLO-04-report.pdf diff --git a/resources/FLO-04-report.pdf b/resources/FLO-04-report.pdf new file mode 100644 index 0000000000000000000000000000000000000000..57205665f6fcd913d823361d1455259a79c442a7 GIT binary patch literal 597408 zcma&NLzHMu)FfKAZQHh8w`|+CZQinN+qP}nw)yV&cdz#b{RTbDm1mIW#M-eVSH#(* z@*-lijC3qeq=Q9+U4t!yxll|53Q;2>BTIpolP9+#jFjS zO+-wL?2JwL_@JDe9Zd{upxm>jwIySZxEy;f)y{YXl83WFut1fc4f|T_vF{A_lr|1S z<1O@0nEZB)uav1$UnhXEgUVy%3IhArFkmQmUoKX9Y5g=>e|oRJG&A&mKkz4ee+<5F zk7FG8p}NteOr#+&fa z|H&yNm7V?02yVlPB%w&f^~syV1y>hq&2loqpz2Ht%YRU{6cH}pN0h}(Te-J$uKB(E07U>;-fvyaqXHwT$Uu}iXkA)w1c-){0j6mE(A;ldX`e3RSOvYA zH1BaDZeqgvIo(F}p&+J7Nn1#uNq{s9w)VNKXI-R7aeHr$P!CpzcIU|84#rH z^uSUS1Jd!t$xg?a2AnjU}f;bMD6r*!N{k$oVGd4%Y@Quh4_n zx5Sv{k^OVy{;L@$hwg5S1Uz$zix6H_hq$yaFS0@>kvf_ z)Dmx`MtxOo7nWS;c?1ExcMq9_n}=f{xQb{J{zD!g#6oVnxVrU5b@IH=AyROOfZ;kk zuOEA|#sKX&Qi)AELSu!C*H>gtFm4GWseyc*rPmG80w`~~1%^{W8}Il5B?1eMt! ziib_{9^J>LKl;78;GT?5`k80MR90f&3H%+RcIegxs~QJt6Su^q0fb9U-6T!s_Jl@JoGQJ=*F=93eKLo6fjz35q?Z^hjZ5!WlwiI zhc}F&QQQ|DfdyOecg zg$^N>3svRZEFu<&BHEA5L~DMtCnoD$zzuWrpE&YvV-hn$6W@GBr9FKVRD*=2XQ`1D zp0sX|ScFRFgVr$*0iz8(@+7N?7usVXT$1M%E1*B>Z@TF5@1Y1!U_t-aqNL4Gil-VN zTA(r0r=6N~+NA#$7$U^doP6bt$q>U1uy_g>rI~KKy|~hf91aV~Nv_9eE~d2jGe%S_Y6}Fu9a;Dm$x_>~>C< z$M+4{0t|$qB5w4Ed9b%v9zqXtFH&owa9orKVj#wy+Y=9%41>yQCTEOecPq$GG&KyG z0UPGkOcGa5W}nN52%}rOiwWhEy6ld|1^n@0*Vz#7CnKYOKOJM zhFPzHz6dQE#3NX7N3CC0T2O-6T7cv&J8E>apZ$E4n6&VAKe{#mYLhL6-OiaRwGv1? zFfnDGW)UnN5)Kh}7l_7ZieUvqKKg^XMa#;i&SzBxI5D|J=2zOHf@Q--dNonR)=}N+ zn}Q;X`Y14&?^uH2Mq9W2O;RaC#1c_EIGpm_wrva#FvKw2{f9E2;&M8k5sM@&Ul4>N zc{+JoXd3Ci4@T!wY!bc_UyKXawo=Wf{2}h$dZHm7@nAW}KT0U!^@$064wI|UEbc0Z(QXrYK_=E2BDQppO8X7Mo|1dl z9W@F?%IO5o|BP9@n}!?`iMVLv0ND)b#7#_RX|n^9jY^hJ zJkF05@-o%MCpt(M)>L&!x0=-&hwoGipe~_H>hLYgKADEWL{m~SE)8n<{xr@|ttV-@{+v>h_~~(OZq^x8SV$_Ti^n@c{k|c><$`UI zDLXlM-8H#3{|DwxV=Y}D;WZ33GH6@XzJ3*4%XEkM~CzAOT zl#?)?(S)0Xx7=hqhf>kav{1oZ!1D*>Jk*L7H?5erk-+ zgRqsS(IIoyx*qj!d-Ju@kSZqVWsdM!uq$7-eBU%vkk>TCTqQGo?=}rEIAEL{T-ENC`eE^ z_*3Gm6YOu;g^hsPqi=!Zwo-6OID{whm1;P-v8=92#Cu~5EUzx6!CBN$F8}^*9y`Y!AR+g%XpZ!73|9t z;v&;T3noHAopHPVeERHP#G9U_bA zL2lC-M^s!2U>+P4@>UoQC-37Y{>`_F6rhS$~r0KcS*mq^%rrbdf<jw;`65h@MlxnrahhZ*8biNR=a$^pYr>xZ)M{9 zX(KJ{cAo8Sy_i7T(fO_)w8iaQq|(Ay^i_Yn9Gs&uncLC(TzzI*9k%Ftg-+uH2?{wh8GoIQ^1d@iv;fd;>H0nCYI0KUU} z>|psh(%O>n(r4H^aoY&uCyDR%TJ9ZYq`#nme};to!-77!DOCckQ%;8*_5ybCWX}q> zeTJepx@UK{C9@nn(o6A@t25=+OgQyrWbP1j9)JU{+-a{XeZ&gZaN?tpuW^s5@p`3) z{Cg_;K@!hr+nq54Y6cQBBB#srQM5KDy{8Y=s@YOH$%M4ETeAN9j-P7dgDH8}FaXX( zzXtV_O3gYH4E{{a8g0_?FvW!Io8j3lt)6Suq1-g_seU=C#j!F7O+gg(o7|ci$$-qS zEP{9bP(p;{v`()`|CPcE?5GBzqg2$ zC7j;#vffdVZK}Yod>vZynQO;^{q@ZUQd#u-gA!cu3FtgKulMm3bF(cAdRV+uPl2~k z#e?7L9;wIPMJ&`nu1*>EIn)oHun3CO#5^%!rhQhPiYJO$sFP7+&Fbzf5`o`3P*RVKa~Vv8hKj=x z8ck$Fgw^S9g!&OX?(_^;H_=8@4oLf;qqqoWE$@neFnvGo@~ub-$r58bhDdRV5%QAm zRHUhscCM-KjgE$XGrChOsTlH&G!UP^Oc$HoEw(j~TjvC)De=Q6753(5Ytgd@hru%A z@%E%kKn_Q>Po?6_ zSoP%OF`NE#`N#;9kPGn6i_n>OH%b;vZ;;EJ?+Wf)3;FFdj}1jlN75w4KzTbNM#UM|9Q3I? zK%Tg-yIXPr8fCv{=6%4f`9)P4Mh4S-v9si=SR{j-u+1w4VF6asWo1=2g{)QM*U|(< zdmexPy6%bdnLECeE+r@JACbz(C6^2?ImYqqpWk`+<4SK*={APkWYc4%?05G#5=2Js z&ZS%0IOWugMD63KeP!FHId&jNQd!L#?Min-G2HSx){FnKW;dZwWaxSTD+ZB2LbhI8F1VID6N^ zt(SMKTX(Eo3sKG_&)ze2z+TNRqvQU4`Y7>~e(4UGvzWK@8T?K1@pNV*Y_s3xj#sJ8 z%sTEB2twESDLpG_%5=uMV?3i`+xpJ*Y=;;R1v_{AC2uq=<=)1d`76t0>t(#??YceT z>Jl5BEnO3__ugChIIVh;wWEy#9aieT`W|hKcF6Ii=@DB|Q*9lY45K&Ma{{F2U9OcJ z?yo&6&f4YQ49KO@M7BfehIKV%!psaPH%FGN7_m%q>~I+HVGTbKPFXW$Bhsy~CETSQ zvg+>^83@)dk>4gBY&N_e_#bVd&76jGSez;X*Ukt$S843<*~FzI0tl}@?4lvgSCTxyP+W` zmTtLxZ;UoF!r=wFldAnnui{!xwW$cW0g((vFZ%TqXMUR0G11fSQ2CnZ%Ak9Q>4^?6T_0D^+bEUT)HlCMn z@%ZDP57GUv@8qZL1V+__^V1feMwkxJ84cFR`(DtWl)?b)%<3;8Oe{+fIXJrK!&nAq z0>s*dTNA7E$raBCi3(194YSQ8^`D&% z^`DFW--4Bsf%U(~|Fg;Zf0*rT|2Jm4j#MlOr)|$^?O0;~RoD&^14Uj%>88J(75rY% zzS8>Te{TD0gWv8!W@PkKRsU7LdS0kra3B$7LIFm6_ofxc@AXsaBipZ0PD#_$eez@B?T&4g>AK&CPm_>C)dh> ze9CqfcvRb;y1zZe%wOzb48PbXpeX)Rh^?!}WMV}nnuu~ptxW4t0D*9+U<$b3&4*4# zj#>)P22ec97!Hm`&S)S%=!3BT9CxZoX${g?=K)m2O%7A*YL*C8VIN#7G-5{JzgvWg zI3TQM0r{t;B=>21k&OeOtbM%2kc+>mf5}2b*YBBQ>2&FyNHKR|2 z{26@c$+sN@?r&)4PtEH`eA7wOqp1H_HdE$75` zP;rogY@g}uKPV(<q!^2E{s1$p7^X^+@9BHD_B2Bqj~y)#af5k$8^XSCyyKQ7dfCw zn?;VYA&Gc$ZD<@EXfpu!HMf*dQ}=IHP|Ub-O2IYUb*gUm?l{|;0-9!!A+-|gTzNx5 za`}~PNGL>G7K(A^PZR(!5Uuc!x;tV&zIgqf0()5%;v}Vjr2w2Ayg--X*D{+SBjjy~ ztk1JPla~K31Vr7fmwiTFhy zevJFxoX*K3kMU$|i7;xzq9TU8sD&-l4A2)HW=qxic?SW)6Qd;#sQ@_|!_+{FrF00b zWdlgZ88V_yB+z8xH_s!B91dp(Pe&GhVOhHwp0xZ%D6|BNXa)h3pE5WD?-(W%Hr$Ow zJVO$iZYbT2uBpX?+MFc95ZETX@LppGx9N(6PIDHuh#0RQI#OS7 zbZd8L4tWtd+P@4eQ*yu;eF7CAoSTQN;K}cY7P!|pzzziU4DZVAV^dr5MaZ9g$0RzZwj|o*oO4WJ+&-T%jUQ#vl!#wLL~fp8 zP`@out5jrpSez$2Rksd4GnRN?EE%Td+X(m2d6&)OmQZo!TaZSWLUQly$$$2Sb6%Yb z|C8v7rfHi@s`rib%yCnIX*7(Eb>dUl;8hzHkO8W1wlXI$Tp}e<(wZPAGJZ35!brQAt-PddWme3P6khT~^yJIxexE@%;3Bv(in^2v zda=TgaGF&yNUGUCKaH^6cGl*_MY9!{JH8P>C??~u3M$z8${A=MQd6f|uK#qj}GL&&}3;ljLdC$AVp;idvyxLj}7HAN>7XEa7bfK0LOR*!+n zW~)y9PwnjFIRw%KUH;+cfF~Oe^>z{$9UUqgI>59*I3WSf@}ZFMkWXxODG3mHBkSs1 zFMajDiu5pkW(3<}a%dctnX)X=-(?FfzO9Lq8kBK{<;1Y~m3jbL{Yzn+5aS1Dzn>em zl1Q;-!}MWMB&983;69>KjVUw#n}$Cih`)^6nUh~^Je|J5B5*-_jCp|Kk1L0nF4E#S z5l_*C1IzzrpX&mTD7j!$^thsX!w9>iF`Pz|9@WZWP=_#?g4Pi;3J!l`*19s>MfthI zVF!W!BSw1Kw#@2xKMQQ>T3uoELYp4Lg*Q3H_WD_y-rbk_S?LI6Oj*BoMu(YG6uqdp zQAEN{{NjG}V3)<~tCJu)PU@^?jhFG)UdId_v*CiQ4}G#`Y%Fl#Qi8}jG+jzlkc}YQ z1(100d)=5sm5$5$XQdS-iG>A8k$*t* zv|6xp2;ID;6UaQ%0qW74Od(d(qFUob@H*#|iYSVk!d zr`!tXQ}Z$PxjMo`Qq}9pCvUS4j?9tKD5vYieo0c9FJGKsCjJ$>sNQsEfrncG+r&p| z6ctVmkCRzxz+?{zE_k`_om5purE9Z}+POHi;Bi%1z*MVa3Krvl&m$K{VjAai+37bV zt$_>Iq8>Cqsn2Gom{=yOp#68KE`G*pBJtcQWq2LtuLvTvKI=?!_IbYfuXOQLNl06` zA4}kW`17C_bD=vZ4yq34CEWp#c1Qx`b14KJ5=i+hpr&n4=NNU;Q>|(ruDnp*v~rDA zX(u~L8kQqd#^^PoGA{%Dmz{z~V+w}#C4aiK3OxDd1V^<7AC(YGs)%wyT=q#hi_C3i zm>1m>A!oZtX*PmI4^APXdJkk}0 z(_59f@2Oyg=$|fO6OxV*?dudvSxPM*OLfBhS9%N`zQu~^J+pb_b9lu(9aY;S7qlI? zjUOh}?6^HSn^ng@&1u3;_OO*-C0b6XWS+bqx8#nowqfS~M#XfN4i3=1rMCg1R!|pK z*vwORgLvsAh`5m7Vp%)bnoG;8DC!Nt111*9imY$n7giL_B#NVVkCJZakbJ$c+(B>Q z608rI3N;#WIXjefcnkpr{>M|D{kjFIz^Vre^!6k|jIM$Pn$WJdVmmI}0j~{*iWd*C zx#{wY7&;X_T@@sLs@E7P)yzgqu2j-VHaE z)|m(M>a{=@0L{HcqLC(Hl2|L5t-QUr^6f0qVukr4ajkc7>>JP-SjYSIif)grS=L;x z419KDl%J%5?&h0`IC`gap;c^lAif7qp6HA_;{m^r4`=h7N>YSB2(hc!Sp-(IE?;=1i z&lw88dJLt^tXD@ZOUDFUz_GE~jf#%V#Z}hK@<4a*gjLT%6tM znXIDcBQ9e@qm}ann9#p(`2JKVSQ8YiP6R%Df9mkA|Gmnt( z);#75+3JbNDETpU%oP67PE#eLIF~vov_ zsaE3LLyZ*I8}o2FI1^sZOnBqdB28XyoRJ@xbBZGX*Pg6Fy+oLrqHy1V#wd$UycWYY zhyECEjWWV_iDO|BFByz141;Ga+}VM?XRvNnY|vl*%;>yu*Jke?hB1my9RF$4P3DY2 z`2s4B@MQM>2VDgqN%feX7kiRa4Q++cj!Y5zQ&aG__6HLZ6h^TB;h}Kf<NRy|TAkq(>BHWOEYd^9K!#hn?PU@7Rt5&f_N%-q)|v z@fLjN^9DbnHyG9)!k&Jp72Tbz>wDDh*ZbpV^IVSGXA*39AfShE{}IznV28nu;;wY( zaAai=RM^(RjQ490X*f*nP%G49Tnu%plmu&D$J&lQnO?dubOL7tJA?UP8K$M4vZsGf z@4mgWL{ivS0q3`jY1anU;RIiQ7`9X#3GYnTL4hnPCPMA8zG|)Njkw`vy%+8MRP=-- zo!_=Qoup_FWM)QAm+HN!CO(s34`u&q-B(vGZttgM>WBW@9{)Ut0 z7mKXI{|>i|4)u7}A8bazs1F<>6b1=2i6W?&oRh#M6s%tsFp)9cwcTH?#|dsMLE-+Q z_5+-AnwyX&)+Z4LdIKy2n@G(R8fSO%n**0{;SqQ$QBXStjfY5#UaqWQ-MbFzGETlu zGzwCj44Pup6P@H_bq6O;=v?Y;CkBfOJ1RI!}HHDJfE)B*YSME zN`BP7zaAmrK7V=&1{xAbwczcZVSYFNP?2#ygY>{Tj!B~U0C({+gy4r_rfw;CPgH!= z_Is$?6uo`O9P}`uUd8<{YUwXriU0Z`TRDb*!*6q4YLB6|xH=f>zPV5`w*AaxQT>j~WzIOV$X z9CprG{H+uKPwI&YK3)KRsl33h&Xlxk77Tp*T;ux5#9bTc-zjGAfpg0TS2LV)n;ui! z>r+kI2LW2w2T{*9vSzBb8J?#!pOOqOpjnErXX>3M&>=*R~YSdYXa#^Ri)dqEFAc^GGx z=VkTx0*C{cqj*TVxJ^jws~Uu3gfS|%(KoiiH6@lTBp^he1R(9L$|gvSp(dNPfNbT%nC(+SOgOhkc`nU#46UiU9E zh7bMe3_hn@=&#-_2P~m3n3;T#<^DPE4!cOEUD-K_`<-LF#i;B$&R$((22SO%h5Q7) z$^;Im4{tncy^Q#2PF$T1W^}l*S%E@*ok#W~u9);fBx9_Io zk=bj3MSw+t?O5F7466=Ye^D=p3+1!#WJ`*P!;H-z!h_GToZ zD8$~?X45k0|HPL&dX2Qf4L6pp(U)`!uCS6-Rd}ocx*W_h*w%QfgKTgbq-xLK#4aH5#KjHR~Ak>gw@|* zg9ovgcpM|Tk%7k4c|lR5J9&em?a__0h(xsDIQft|LBb7UjtgwTAqC?A+35CLpo6*n ze&6OL*9jr>%aVbE&-^b|nUvxeb(9046``OP_T$;fwKv6kt;1rrsoL!Rb8O)eL5koY zA!ALRlR1vz=s0nSM{F@ zatr9U%Cw0bHtFq_Ib_lj7MsGUYB9dcAG!md<-yu{x1!={$l&t^PuC3d*-6vP@cBu@ zdQz!8F)i31siX!bI*pa2Cv@m4Y%_UdLtAA2>T*9NpW>urQRWqNis#)Jfc!BHb7{c4 zq~A)T@vw*zv^;%BqMgmq`+A4pAt{92qPnsn%iQYfMeLRwQ*CXgMoEZI&-6p`x>Mq8 zMnC67gxg#M$OKy8bFzb(Z-z^r%;d(Uxfl~VUDk8VcI6{t1b8MZH(SYskh?vIJKN(* zbmUReB+FPSlR~r&|MQ@cG22?bZ4eDAc5^iCn>=jgQ~KGa zL^~3MOwHTvnqZf_`RE|)QsmD|{H^0vSgD1Db{(4y@cZ1UBOI=|u8fJx^7<+cUtR~! zJ@=WpQZ3HO!*7nzsWgQIbn{^owccJZOt&%h;UM4ar-uwa-NtXCfVYgXhUVc+>Nt0q zFlAlF&1Sl8{hF~)jXz1y`8a%Su{D0)0vZ*XdBe}Hgh%H)BT{!P588y># z-9iw}*E)E!Sf6F0T&jf@#@+1I8-K1os5UexL_IP(fm`{NUzmqu_fUy`Xklf5x={=V zy_`ujWK;g;p#F?HGH^#A=f3~+J>BtrYgsjF74v)W-Em@2dg3ePY*N#u9hcyA@4}hz zQLRR(_J7`i=S=mT|0Eq z^FG#5zv&`nvoYdq)>s_ckYtd6^Sqh#`glN>+UgU4)oE43V}Lb)b0aYbL_cG)Rt|#;X`dV&o)#v z&C@E|yLfO@{N*5}*#jjZn3?5j>{z?M!nA<5urM{{@B~Ly9-}Dkh1Ys(hu0~2)q1Pi z`;anh;3uTZx!BlMRH?u{F?Y`#dx%dUdjF(n~m6NT21ocEY;ar*!7t+VkW-o zwS`-F)(F7|cKnU?QQ5G)Gn4?Ww{27WXh3e4Nz_R>&;i=68;@O26Lp`j>+S-D-wnw1 z!D6OzCALl8IeOSUtcQ$Sb*A$rP!>Aqj|2RE`X>Ejf*<7t2OzT4xJdE#ofQ5Ax;wdFYz55IiG-ADgC z&*Wpbm*cb60M$CUdYG>?>e-3Z`$B*La^ z9t3FzO&Qa+W~`9!3CkiV%9kNBZu!|50rtn)ma4LI)AviA*C_a7sOTv1+9ILvH!7G| z%|Ap(O7XYmtnG}4t{*MgySux##rGBSE-!MC(nW3bLC!O`mFDIq<%KHDsyBz;VyvzB26Yug)#vE}tzJ5jW z(9fCN6Gr~eFqJd*oy`@XxB8p%ONW6m)>`+~ZDzEayrSv!%rHhCmr&7|KEqCtV@j(1 z_vdl#YVog{P?s&O?(d6Us^9P8vmbr0?yu+efmByYhpw=O?gZ=cPuON^stshd_GqtF zwc5z<%Wi62HT|WFR!gdPH}{omcKu7kv^vEqb}#GRd3NrSs^*Q~E!<&G{c}*ly8p9yNRmuGLTy| zqFE#AjyCimN#Rtv)1GW(2q58%fQ_bg)@4_MOTfG}T4{7F!NiIG&;$}l;Z?O|&;}Gb zNeEkjw)&5$#7(;@6@lL2>68sd4>6|9#CWRo9fQ~>f)O?&7#HrtAT=u)XCKh!Sd4!10R433{XSdn)hfG^>Prp2yt~@1Z#H;hR;<)y8**Js~>2hdv@sX z*RUcuYy!kL3FzCb#zy(G`$itUC~QRU>EaQ)_)7@k=o8!-$)`h}FB#nq?5WR$iP}aZ zI0ev#yN3euUqVeE{_PayGMJ4c^kqfPJp?F>(?+hZ;Fqggp35A4lefqEJOv#+2Z5I| zjN5z$On|7`gSbGT0J0)4T11XG`t!6GYT7wZeP6;)Ki5hKKuqD@iIC=TP`bCGCmge6 za1ipuMKL+Zeej6N0XkG`G|4TI#0a!y$x+f< z7zU`8+c*=U0TJz-hX{K9w~B;-Hhk@g^&c3nJ`ivL6kNg4KEpe8__TK;+V;lY9dQOU z4J(9zFi_yC8h-)DEf4roQz;^C5FnUm5LK63kem(xmeHPRLRuS4ZZgN-V20VoSUzT@ z4pnwgud-wMi?W2=z`vyE#ctMMRr5e!^_R0L3(hb!_GeI#N>Mu*96KQrTt4K8@(}tk zlSY%-9L9{aR6ImrpsK^qjDw8?6z!s59#nDl+y`-to_9pbZqd$zIET1^L?m8l9nU2U z&e19D=qC>A>MZR5*dJm+f`XLa$Yv=MwA90BS11hG)Oj8gGkU_<&N zwerJhP)@~8IEFmO>x>!Y+`?dm@Qtu7#{H2IF+BCPL`nychSlNRli7*FQK(XePdq%? zVu=%6HLhHJqDAX@c^LsM+1CVu6&5jsU&Ijsbikp6$wvO7!69Yz@uV2CFQ!Cfd|_S< ztj)n5;FpEg)F6o}XfjoysHI9avgJuI7MnXgQKC(`YjBkEeCGwjG@vep{-YBEo{`oi zW0|PrtlD9)~t4P`?0%Xuy8@ZmTu4BOfB9ng0|uTV0~(&Pjj+5Zyu#Ntcr*dIfN&rqe!u)A%-@yniA5rWmoJ98 zg>{@*fKCds!@|V^Bz!Kz4K+*1H6VGy{lR2LHdDx>8n?QmQ{b8cECqe-?1~hJ28cx{ z%pS&{MClxKEY?IQZw?qv{c%*7Y?KW;}n2UNEgOuSu9f^M^ z6T2Zop+>R=Im}KU!AF9wF6x_$!Rsq87U-f^j2M;-lFj~&g2b-JYW-86+5Zr&;~brj zmnk5sJr1rfskP?eJfkd(iniKPDUkOEqR_*@eFt`))Ui zhUQ3NI$?(Ie6;QUo*1+%87+7y#_-TKE?Y(SY<+%BAr*~+wefJs8=K|NuEBY49U&=3 zTa1qaojuA)3PabQNf{Omtw#SaCHOLoK-^W!R1Y zWD+XrLDYm@;zV+B)U>d);#}8%O2;@e2P<}-HJE2(bcvMS6VDLl_ zw0p!U>Cl9#Jwh?q_>V16v z(NPICTx|X3p>Ysq%J4Xt8w~h(il%lb7UwMex?!MMZXxWp4dre9!cQj{q}wJ-l=y}b zHXj~F;|LJ{KN(qz>Q#%9tUN_R zo=YGn^(g-;+PcgmQU_zuM%r>95v?bl2z5;5qIin;&k}42icJjPa3H1}XDQFI2(L|o z?G`Rus7Ewq`oC!_8^eqY4fRE3G5tIAU=>S9AT>j-H|Pv}pzo&m2;s7Mj?C~=Q?}fo zn7RWz=VT50D?G9^43k*(pjUsGE%1dRCGf6ZNVm)UFR7WR7Pb@ zRo4otz)68k)tL8;&4t+;bU?8x1nr9*0yXT?vP5Nz2J=3_u($DzCb*Q0rbf#8S;I+a zD?Ne?<}?PVnnePbEx6Bo*+3(v>P=D8p7W*ZrQ1yWJ2&$+-f{fSl2>#hYcH1F3VY|`ns{Ydioy%oyNQo z?!@c;mX4^x=%-y)^U-R1f=xkst{9m#QGXFxmNeKKm!?fS!LaL=P}P*|Q2yzY0?_-m zku;N8z7=X3k!=v=xA&z@pw5cs+6{0c%nJ8y9h1>j1~mHo<4t!ilO+qY$Rd5lJT1IS5TA+Gb_ld6)VXnGH%o zwjs|BOzb_73V0mb3FaV4+W$k?IR;18H41koPA0Z9v2EM7Gnv@z*tTs>Y)qU?Y}>Z& zjh5|?)s;4 z4OUbO>&$GutZ<9k#sGouY=`h(RZ)q|i%e}JNc}}S*9r-+qAw9cDSK9_#`?L^w(VQNQ4X?|VfDJkJcjE0W9)NXdi6fy3BI9#G$B+3UmSAi3K zKF>JaTfteWGMLW@#n@qD}li}p0*($O0x zN~Kj%_!4^W!&Ji?YC2^OG;Er}Zkyv$JeZ!9XvjfGIK1wDP&jtN1S<|teLwq z)G@LpA$vTtr<93BD@2Mh_)`0S zJA{Jc_8xo(5VmIjDUpAn?Zq5TEPxZMhq4-({_n-fge-7;*;re20%Gjvn6GSQ(KKy5 znW9kw4vF==(~Ar>-8V{+fJrtqoE#CpzNN(mvT!Ud)k^@h!?Z_(nHBm`4>LF~L(c{PFGn=+Jc$+sEvJVra(h5^ z7sOSyIZoCvWFV&iY#SSb8(le^O+3fI4I6>8sJ+mReB}KM#6N!t^MG+7aEt<^ z>3u$00~a|y0#*M!9sTr#8(k#r2!3-K-tB(T>Y_6iz+stRq>oFt^L=>v_2}gRXWhO? z(AB$ZJB2Xt2Cnz^q1Aj2+2GYw-B2V@qML$AbnyFGQxQl=pz z#yrTNpCHc(|HF7c2je)wsCBJ1gQQR&YC=q|6E#tCnV4D7m$GLb{?)z<7WC1D{k7}k z*0{wROYF)!=o{0I8q_yiZnix%lzU>fNaNsh=24w%ixcm(n$9UeX*0F0VdZ7@aVo+O zUnJ2zTMu62K;Tor#3KwT#gQ7v2m1}dwGW#ghZ4R=r>M~)q&O_ zFRXB}!Hz*pGGVfvfp&2J=ur^Z1HV79eGq@PlqnD|z~7~WofgNl1!su9Q-?S^o8Y03 z`X;~8ER0KIVqt){PIazu85isMRF5S=8FATtr+(wNR2BMcc|xR{w!q%x-Ne+irDEJ| z%Y!KQK_`9rxo1q%-IWC?JA|S$X`{0x_Twq+XRcQiF~{{Qj4d&ifI`X~%z@pTVJf8V z7x95p;Vs==bq!qS$ppHkNJQ_r=ik=uEoyFZ{(!5YA+_&n?UY`vwl&6nrL`c_8p!!p z-z25hf+-qwv*4;Er1& z=QHS}$!jWrkn!9!a@c^-18u)qSKjNV?^D(8yNG-DHU1rD#RivrwsCGv1Q^5i-x?xc zw8YFaR!TI(B30S#A&3AmGSEZK^b@63cO?1EmB6c4@(o)rfALaeWDRY;+L4gmn*}=i zA;_lvPp4YZkwTi`W_0m*y**u$awERe>^Z@SK3bZ&=(eI{MP(y=iGGdA%Q^gv=cX5p9%@P-Ssn03V}-^P z(CsvAq|)lxeK?(G+P>pIceG-Df%GLN#|mrLSFXqnj7^6snKXeXxUL9uf+J49L zh3Dcgts%4^aF>zVUC{b5>~;`1mtIrMx4b@Xq@~xpeq*PM9yc!FSJ9a42unUQ?tw~y zH=ON5ZB-vEs@vE>4WGDp!!g_$tNBLT7-k&eUpUC)JDQDxfIlK%j+_xYJYp3KkE-gS zT@XZb6)gj3tV9-%d&Bt!bGA#-j+u2zEs9isJ$PONpLUE@?RKh_G__nxEvRQdzA~1- zs4jlRNgi0mo5sLw#FI80)n!MHh*yNMcv*=gDgW$_7{`MS@x9Ih_OK1ZlmYBS^7Uaj2&^F;=JRl>9Z_uK0BYfWytam%sdSW$TSQn4 zHPS?$B6HFHc`s#AHSXxyt8WRMHI~c}(<`9kw0yRR$u-qxG8bvQX>jr*CS*V9s@spp z_TwVHWmx-OdnmVh$uOP=M9F4zjKyh=+656Y!BHPAXNoGDpxrg~g zlG0UWpV-5tsij7s>S5&cTayI#(7ZnRN!48f9QjvEJ@8WY%n=?hh6a}JSbOs!?yL+Y zvvrivji)M&K%&AXB&2dVk%TJ=0u{d4<;N0I z0iFWGgx8pAM64J>GT!!SCkB@kzIS>aQC9Avd15o%vPh3#iH|yey*XOkD+nO#sBrNT z%rke1dS*lrO$KrUn@dq=o3U{wiD|2K4vrQ1RC&1Zy3@#y+b>+!G5z|Z zZ7}i3!89uXBd8BfD?OaWiKphJw$!ANtkV*g7lXXm79}HauPLDuBwg3r9%pyCdZoE0 z2NF(#FHI!7FF0b+tMe|OaWGJeYXPHLtb3dJFk&fR>|mDRCm7^|G$aX}A7 zc(dp>RnwB=olIJfCCNK>Do0nyt@#nD^CH#xb6XV+rg$(ZnV?N%dI=80AuTifJvzFc z+il4>roo8bgD&Z?8BQs*W12NIyIABGEP4$g<(z4kCeR{XSpH}O)jQI1-2vgpqKG} zUY>4~?;q1AqRa4b-_1_e&1v*hMdpFXPd`W=Q3Sqn1t5@2dOZ%?%qHV4fO;zSgVDF2 z>xBe}RlEvg8P*nKhX(&@BUbxy3I$nVA1vUpx+{qSBEz+BIhp*yOvl#>TUfms;7IxW zV0Bz;wr8#WN1^xIKH0E_SMqN3Mk`D4bxUy6>)HIAi&U}qa%qzGwO$^>gpO+jJi?E0 z--BHcZp=Xi@8ALtAl_~dEVOKkSqH7J&dwlPZf11FwYg7=&YO%1Yoyu$zEQxFlU`Q@3f?Cu9uXN zhpXh!@~BKp)llZ@Z;yNf?>w-T6dEa)L~EM*$b%(6h9k@QP8ixCYt-q-u2Esq9A}eD z5&%NOan>1l$7j%lMLCoF?bQnmYj9+>TY{11?l)@K2-+^psY(H#1AD$HYdKc@c)gs| z{nxM=>@c_d*GXc&pO9w>)hs$^ELd<3$EXDumK)A_bHC+d=Y$B3mIZ@fpFKik!rjem zsdVo}P|{rtqqZ|cFEuUbTpcd8ee`RxfO;cd+3+b^-g$kbWDT;?b&4PEd_cR0wOcOS(ViE-&^tgs6jd9k0u#W%eTY=T{S30N~V` zzo@}-*b10Yc@HCqT(zNnrjP;Cgh9nDBIM(z8b_)hMCJAXCREnQ>7O5X;DccY49BM zq;&eR{p!3gZQ&Z7#tNbSg$v2jNAIJ`z9fxw6P2NJaZf@OFtAZn5J5EfNS6a{vHLm5 zkm3SznWcw@kz!ddHcvs>H8HOqUf7!m;1BDV3R~)7gu-xRZyGidjla+K8IivmPv+1O}dQM9m8(2E#ziuhtKCer0;tC zEHUs!CQ#$RY{u2AxvT#q{eanqnBWxz1}r|J(>l?K%Zk}soswg;l27{VmKtH_G57WM z8!@gH>;fJ}K@sz8*!&U7Sz-2D2u|0$*8|rYsJDMWw!uziInwD*6`dc;jc-%A=T{F0 zDjE9Q`KKv646gbfJnpV8Gnu(Zhxi)5IOrvLN~_NdvTi7ey$*PESw5E>VWOV%2tx=K zWiysLgSz_rHj(_99E2t-`4JPY)Nn>dp6)Y*cx!IMAN#ISB9E+m-Xgzs+LKASy`?UF zrM)`k-lft*IP+<@v5P`5+lE|PAjpZtUF=nb*NXO0CoM+#J>~wsdHy-RTb~mFvnxLS zczVh0*8agtC$7!d?DZhT6<6TjwM>%u?*7i-Lvz9Rf1vrl%>5rU&&kR8-{v(V< zTSzl!H2&s^_;T^EHCPY*$;Hwd30OPj3u@)HmDW9V)T=^irSX`{ImHjE(<#K5YUA5{ z);)H6>yVRJ!3K$DF0;g*T|k05fAQjfe?};tT1n+&ZI&}*$%!-Nk(YYCMlJTVrk^*WrCk)n)KXo%tBE^OhjXisWD32ovC!}b2wzHxnpr}nY$xGf@4KzVSOW>KQpI8da0)~bmwv#q z-{nPeXqt>D-$+1aBGpEDJuS#2XfP%oRv9oNvnq_@<%b32nw$j!b||BKOaU~+a^`_w zGvYu~_R*ncvx8+&5EU)#lSRH1%SPe4u|RN|NHDP0VuuU>gz-E`7FPT&W{ zhih8mAr?ZMB~gQ!S;T`qju6Wfy{f?}MlOW=QkRB58}erM)L!bj2rYQ1UD%sq5%9`T zU%63@iRR!aHcxy_B4+L$qD+CL!aIFtt1Tp*8ViO=a3R&fOb)}^oDwy}Q~|+)J!}vr zqMbf0R$mIu-U;VYZ~}kQ)d|NhU<}s;H%C=u>o-@C<&Sn-YFFY zIOc_dq3Y8(63IVZ3J-BCV1hRFhavyU*VaxZoS=W@>lX&vEc5QRRAZbICw(jaN5L)M z`DA=I9ukQb-a1JoZXKr+`GuO?fLd07a~BoKO7E~=L`Rs*7qGp~x}WUyXKq#@vhCOg zfuKuXAWo1RVy+B;J|u&;3YBQ98d-BQ*nafCVs@*Np@b@)ip zLm2e$g%_MYLu9D8rdfZFW&D=yYdDmHlH22DbFT%K@j*_cA~7 zT7S$@v9p49Jn>3A+boFfHGP;lT)ESW?=+E$$Ax8aB}P+oO6RE8YV|yQpb%))fC>S~ zXJMl>1@TUSwOqIYWFbPmV5&YK=c0VW6f@ACEAGK&)d1-*j|n9cjozR3&Qu&n5r3eI zp&K?@K`3{7+|&iW+-5=+>mzZ*vqxpk&zbgI8<%Ug34jdN+5IBC zShLKUOmUJC$^2{C_@N>k8H*|Ggd`_#>&bXN^Z0HI97~OQ4{j0qYX+8NMHW)FsQKv5 z3%D5Caaluy1v|@gECD#iqc73D3cIX*RB%~Y36=XUg^hf$#lP02okYYnsa8@L@Edw6 znP&QjRfllVe@!ujk|`s)SNrHy9e@;zlQf90_sfZ?L}ZZ#Ub4aG2uOp${k$h+sW=h# z&}uiAnaYdsz`#uMFgu?#03lm1YIrir@vM{o+0wGaaVj(^Qh4hm1W*Fn*9}1XTHzQ> zGkZ!OoZ(vE2FIWCuYH{zSFc5r9bE&?us+2Iw69%O38|>GcmCANGJg?os?E=aL~5nE zB#iIek}=|j)Uv?J;O@{IzfBc`qeSL4$X!6!czKZFuz73 zu3^*#3$iX;BUk0B* zA%bf(EPNrt7s|MxK8eUOo9zuc4fH*ZtSi#Q-*(QUjW``#6{YZ0P{E5&o}Whu?wOk* zgeibzX)&+W#gLC;l?f@ETt`QtDo;-y`Hw;T^+GX;sx>JSiPVEQV{l5wQE7TxOE*zS zohZF0V(N8%tG~PzY7u&wvnrR3R-qo0`1r7BMK>1>cO7cF@gJA6kM=3Rw8o@X5f|fj)$IN=xAC3IFVTFCtC6(rJ6)aBH2CLH9Y6Ur7TSFAx!KCH z_m`h`5e^?}>pBceeI*nkoGT|%qn`2j`*sL*0$GX%9jWimye&5llCGhW2rSiqmoyTz zR$-k9S*T6buqu1U*%g{rcoiDbFb5@^z@m52;|M-e>gW$JbwqVn{47{jPn3CmHtM7= z$G2xP^!3oOd6-Oap=d})BXd{kn!RyDl($GaxkzXW@)GhG z8Udk1Ghd^e6G^@K961f{JnCKky2>?})dzqGv4mp?=J~2vt%XT`wjIs;LsoDrd)GK(wfUW;b zR8sUScuY)~cNy+Z=*d`dnVVYEQ#?Q=nc^6y6h4IDKvmvn5~WqYt=+8kBJMiikgGK^ zRFJ!|L#2$D4ic=CEUXSehsGRq-QNlTgPU|<5Ep0Gc2w77>QWfHCqYbTO|5>%k}|g0 z*)V1~x!E3I^X2a$=5BbIs)Pz?|4mc%Lt$^i6;pE5?8t~hh88d1*G-^+^FV*z*g1*S zVPh@hDo1mTghk>`qfGYE$GFvj_K!w=*QNro(s<%d1avOopNn z3I8PBTY-+d+2kT41qf<~x?T1Z_-czk(7$eqQ$HM!qBk^v#T=4eX!hDUx7g)myLqSC zf7vo)^flVYRNxSgmXe00VAmpN9+Ap%GICE?gBdZWA2IykujI#(SEp~2gG!$)d5+gb za4Z#~Ul7v5?F)EleVF}z20wuy`={NCD_QYDah_uWY4lRwH2Ers57VY_>88n0e|I+4RH-;t8`eK z;l(y>l~G78GY{@79_pUh#^Iz~vUZYStMrW9p}7sCo^+RQvsOJM*RN0sUE`|1xd^nH zt*#ALD-Mjc4h$DDMELILvg8fc&75jlwEBlhSufQpc2uzgvyTpONC-!XxAaRV)YetX ztDW&cv?kHmT{cSYL~|0rr8W%pupz2hhO21p3TtKLtG+E>G65M+;gE;G97eK-D9TX5r&_F3ffyzz5~; z4_K%m(NrhQzJ2QVdi`k;oZz>trH?82ai3T4;;gH+El;_o9zjM>(USEErCdDO+gN5k zGjtIlM!Uh?-pA8TmZLvSfD3|zPuzH!JVu~(2fx1d7)ItMubR%=llRWiOPr2Yu?YQl z{?Xu@Q!58cGodyK#Gl@4Xo8`?4n2szPd6$6PC%^2mEm;>2f6@c;D>8Sg7uzBBuY3o z4r>@H9%m@6f3O1Le8tNs{Qh{$11P(iByW7-|4+EZZ`in>FI7>QE!3GNKHlniDW6M}s zqe0pp$sRxjdjK1v7A-y$BM)fx8g68qzG{0HBW$1}=W_4%*yX$lll!qR zQVhx4!4=T}D4N}uwoyr+1hl@2^{L_F2hSNfG?O5JY5$+YBM;0{H@=GO*{qMIu9*|v5ATfcLiB1H)ekMn9@4n znL+w;gb=2$ck#O?Ve5L{aL!p1?4MCQpn_dMaUNZO_n)dtJWiO|<9VH}g{govHfRHP z`LSn2p(XnAJ%r?@Rkq_Vw8bR6{M|`5xNdnO0-|M0clANoj^zsgjQcdshK3FLQx7va zP{9^|_BM!)2P)W__{1*7_1Yx>X!%7zahoGX)>p8~p{5S%5z?l~Kr%jj-Ll{n{Tn2(?ZUpc&&dG>;;Ntpn_eN@Q;FRJ_Z;*mYaKB28ZiMtZ|EM4aahVjJVif z3AO4{09hd;y9*wTh;x80)_64Sa^$tDK~ z4)2v8!DI1z;yZa_F%vbpQm38N)=x9`ETokdzCLLd_IJ=$-LR5V$$DgbuXfP@XlM1c zp1hDXvo;|7AW1m4u1Cv-?*0S@PkmYhWS;dWwuZ?-)7*?`PBXggzQfTx&WS;+V!~Z1m zi6y|sDs*z{iT%t)owaln2;Zya4k9WEquPD*KkiZyJCa`#&||$D zQgCByP$8a+kLfMZwXIA;|1}uC`OA^eR{-u4Z=j4fKL{m@PZ>kuUC7fDrJC7i@V5Ys z1*TkUg{}T6SUOJLKC!u*Q7}XGho!haoNB%`y~Y>GKTN$Cq_$k1s?%9K zbNA<>TxeDRAHKr*$rnV{YpR=J+{+3&dh`!pGrbL0TQ|crkE5Fb*fQa~U3Zs1*7sQj z06A)TN0}pL8L0bIDI?ilk)M14j$0`WdRKhWv~CSvZWeuns^Lw$+rPc5UW7arD#9PE0*4;&V*UW!HC-ki`-aeY!E@vFg zl;x>4@Lv{4P9kgBIDi7QnQ4cx*y$YrY}2m&BTnTAFX?|DeJ}|Se9gQffW0KT9Et2(RQ!0wVL2^flO($s95840mrqybpQkOoS0xv0 zb;p@tEb^cB|A?2fu3Mrn;Z=ylQude+?R!tBfl@+%yVXNbnCPXekk(ezl5&4s7TQ`& zgH2S3%PYKF-G%cyx>5+JIb%%Ha-sA)8(cte*>x~wzc6Hve)@{mJ?%Wkr}_tiZ%=t) zw^m+pkK9L`)z%>1Y@Y6=BA&3kQhA94)D*?d5nr&N84ae5bd_^^gVnnS?|Iu$9Xq2J zfedR;Xl5gszf+`EJX+994L6AfCQM5r0`c42acNV(yVqbjQW5WSF%dz`2$JMl`3wjMvM9mL zBGHAiSs^1lSX>^AuZtkf;9OZP$OSY3I7cws?27RA?mvgp+v=B39v@u^}} zWKd>;?oax|4P$)@Im))!i~7=U0X9mVNkc&@NuaXX3(ENw5Y{c5bb@P@G9+U>()nk* zzpbm)#ui{Acdn}=iBQKn^Zg@yTNt|mze_2j*<2u07^=Rk#dEPcJsP^>xvhht6&@{=+kDC$!>>LE0!oAd%#lX%a%#yt=V0 z9a;&}aEkM)@sT6W8=>4&UX;g*ICW|pD(pJn{PLHAA4%}+4qN(yB7n`CHONYeoCj7V zaK{3Yy#9OO;?P2XC{gf)^Wkz+$k|KGUgJ$L8PDqEP!*XjS)ESRF+y-yf{r!>z7`^f zU32rr0#2m6)jm7osR=729}_OStH(DAGE!Z#-mk>4tIW`ClEi1t(@wILeuKXaWr8I? zh|0NMeVJ>$cAM_gg*T*N(|c)+etR3lpYa#&t24diqW2})G4$o#CfTugQQ+rgHmI`0 zD>mJ|M!sQQ;_z!D=$re!_p!iF$_nf6rJ+p%L6ZqP)1q@q!Vf@U|#M&$&S)wQv z_#@?!Y>&Ko_*%R_OLkb}-|W!%ao;5ZF4eAAF4fCj-`=&#=ol&-PGr^Zk!8q!Ql^~2 zqwB8aC2+Rut2KkO1{d(OZ$nag?5O2A#I(5)tS$1!g3~ug;hETBzf`;WAQ{I&-r4YU z_Hx>U)VJp-900^=c{ZPI-`m`PBBP1#CLF=oXA}4B=8k&?f<|E|KNhZT!D>|nf-sb0?YsA3V$oF|39uU{y$CETM*5ExI&zOs!Jn~E8zd- z3j28MkusodDetf7n<_>kYLn4$9@xs`^g@DhsFIQ@BKJ4Q6F%JU`|ZHMP@m)Z_1hwU z&c{8%;V0Mo^;?Q#6#cc%iaWfq8|7i*AVN!5`yA<=LvYvP!h}C?yR~A4#gu!Ul$ZF) zN9gql?YSQ(=s^yh!^#4-+0WgNQj@!fUP3bqh<2HZx-$ye9^V_>E(VVm`7?zqg}p57 za;D7qh$mguq;d?=iVwYIgw|X{l~hiGHyDqCLCYA$fM5YswMR=ocSK3M$d9Szve=8( z*?9S`g*mhyOxjkOt9KI!7F;kf6uvP1wf@pDpAFxpW{i+KS|40{05eOEj+zRm~LYD^k3@nQzD=r> z^8C7fjC?Q_NfN_mh{A2oBJg84Hy>j8iu4QpP!deR+G200gO7qi7-YWB5*M4eE~F0w z{XQOLW~~gPm>&em6KsOvG1A$CD^8!0L)wic{qnmp?joZ@q+B4!y|E*2k;}8xhTJ| zGe^Ztu=GIDqxNcn4@-<25nEgIgxP>(wWAe-gP4NPvolYDPT=>J_M(ey8Fwh_pk+FM z$R)trX;74mP57Bb<@Y7BJa;3`w|IP?gc8t0IbxWkwgh7aMQ+c#?Ky9Q-0g-l!(kYk zXWL>S`^yy^T^gn|q%&80)K8yx*Fe6h`;kn8Bvj_`%SmnQQH60g-_hpQu0g^{AQOUM zrM`XnFRnz4DO~fn>N@&w)m7U-IqDQT1Y7%C3<5EG zyH955B;wzyYtt=CY^oIp5(}{Ex{7Et1gyFa+)VkJ@J~^%n&{9k{YLS_jcm_K9h zHo}XE6U8ocMeFc0!ZHzW?acqB@ProZ8B3G)r9sU!nb~)mSvdoIL@B0o}M61pd8|^3|4(u25%b6g6;}USX?eGQf_#-A(9Sw5DZmw*nF5(>V_ z1UXRDYw!D;4+A#%h(Kr2*4wus7P(ll%{#8@J@l}jF*pmD?b}S%SNQRYOxC7(>$pWrw^gm=_py#)lOb{us>*_vFPSlDDo-DrVJz$f~ z;Q(+0aPx~RI!-R7<~E=~#+rq*2pWBq!0WrmG8?hsuEmK8scX4nwYGSq{Tk*Ekn{h} zw&ab8U8HLmmcKDvLTR4DSw|&h^zX%^|8B~>gUKwyM(nmtQ2sU_p*}P5a3gb%R^o4( zi7cuMLzu( z7{A|gH6tk4?O#w4(0>zZ3L1D!3%XluI2&#xnu<2fz-3f6j$ z)`%~1)J^A~uq)a>Vb?ok*H-UbCm(pg?0BH{T{ zn{enPSy^G@qXUJF{Df=Ys}d=+EGa%j(l+9R!5Sc0P_(biPU=x0N}q|CTAkkNF6V-J zgx17USIB@U(d?GUb}VyFF#{K06b78aa@NE2p%IZvfMNdD`J99!P`LTxW3%*SZ;+o35lTMgau_mf zj8rg+Qrf!a)8yuqAvxa>RHBeq``?-@_eVxaj|s_W%{IsZ+_rINQ+PY)Yk^mKNoUyV z#S0e8PPqos@f1lb-&w}#rGVqa!~PCUN3gy3_QHA@H(`}od0w9fZfrk2IHMQ^#7z?VdGrQ9o1kAGR?>OrEJ9mA?@z9okDV- z524sM%o|ljMt=XsdSi(r)%%MU{%N~f)ARcVYy#V^z(M$*wrhK=X`o`FmE%M^Nl}8R zt3=Rl2{mmy?D|^AS>ZEk7T7ccne_HB%qB@3=U&;pQZ2si9NvF{y|n$YqB=!+)h3)r zAl5q^>a(h9J76y=I)g6`4D9&)# zapT&jVpM*3%Nzxt-)N?s;$!hQS9M6oq&6t8O8r{cJ@@_INTTTcr$3&phIU9yb*qHM z79A_BF#_Jh!=5yVgfuF!AxdZ3g07`2t6|J=(sV=sVT^F%FBQV)2Tbrkk2 zcp?jpSpZC^Mal4rJ!^T>c#bve#?IW9d+n{<^V8!+Fd_fU1z0fvwvFNYaN)%BTrjgV z3tu@owsf%*O-d-ZBAi=jxy_n18iyUsfh8cp;TJdIQU|hy(rrsb$;*lh=sZRfEY?nx zqzT+}%-3Z!lDZ1kj2YZdO?Ym^Ab4@&jMLcB80O^6VZ3obKpsQly&D=cmf1)pDzDH7C)tj*kaWe7CyzItgN zsZ+8@rg$-OJ)p5yWYB>x0?=yYnmbuVQ)kZb=d(d>EjLt;ouYo5_mU>_PF&JN+T&*7 zZ>*;~2f!KNp0me#uq>jR_4)k*d;ZoBeq{qDn;@LQxbj9y0YxufSWP#>aq=%+;Jw5q zvj)oBr07>=g6qLA@V{&kU_9IeovU*Sk+1sO0FDZ>##9+ob}g zP~LBRNsQgVaIH$~)ru{E-5_A!wRPv@BV#T1$KMXnardT|353SM#tnuOji>Z%&K)r8`scZ?AcUHM3g;El= z>6We=;?QpZOqJwb)Dww8@dK?M=5BqDsXQbp0IIBe88tQ;U-;Ou0fR%I9; zu3E}SeFKAQvGAKvSg(~&`VU^n_#1f50pf+spWW^(mt{6l`_qjEaB5#m{9Gb1|Kf!z zmTO=C-C}1)^duqCBy8(#1h%!W6QB;)nh{w%(T8R7c=JuCGcf$W?26H4;em94Kd^N6 z+OF~>eXgE+x};w`BqbHi$^q=(zAJ92PZO~3nvZaFFhQPP;ZgRt?`r*ug*0u|>z*@p z{)P*#jnLTd>@QP~!Q2ySrgUD}BTbawQm2ikpFM z9}J0$4qS`oI)VmB^$JL@tB+|_u1*mb}t+p<=q5y`%aanr!m^q7viY7yyC*; z5VSg85Y0=0Y=MNGYMeFeVxnZJ^+DLv2)W@N#37H*y6C0B%U!@J z!btCI)}+jqO?lnAsC8Aq`lvOp7f9-}bzlLHWMMN`sm1%EX;^5B@GdCpXu(ISCd=yp zPGH~F7z5aMef<6=1mMo4%s$hG*xDbNhPS7eYIA4+4u>0bAdz+8MLM6LdoA;ZXrM9l zb#6?bu#E%giaL7*6jm1X=EJmE&g}xq@ zKS<8sY%4tjM1&f9$i^~+4ruo^V$(YF{JTQ6Z;PWdYXdjPJps}MyuWlI`Y&C8h`8u5 zM_ld%(gjo$_x^2(_J0GfJEVm49zeR_cB*$Y(Qb7)!gM3>y7;O=*GUYt`^?=I9}I=q z6J_K?*@vFC?@QjLbC6p4#fRsjv$CR*eox4dW)1R-Xl1VM5EXMOny0UVxwZA?t{##6 zR$b)oj>^OHjFVw&8rSos1MAZId8tk}rTXT1f1aY;BX4TqOZdLOIr(|To4NX&^5gT) z7_kv!I)A&wSB%SWvD4suuD&DbY4@+PU2L!o`G%ce@;QH+N2oIh zY`Y4y^04%c*y`E*ZM!~C@G*U0({^nUg7=W@jS9Jf9!HeSqQ8zh25~7>{e$zP zI+0h*!_MCB%U&!*$UbW)kqG|o$5R*&&*{FG#>=1eXYKT(xo=%t~I!ii&@u4YR^u;(J$bGlsA4YzbG*D+B5Fm~9vZ6vQ zqr8phc^;7?=sY{(PpxF0eL~-qz(}H)Yk`*WMc|#vVxnfz;(Pq^mTvy=#Q>5n7eeGG zGaRi)h;Hvg>ep*}uXJ3qEZa~eFQ#BuIPP&XS+Pb&mV&q&+m%DR7!5P8@5H{laB?og zl9&breF9)^h|#F0B~KM9X~v{j?MEz1l2|jY5!6rFY!}v``wbWi4wQm-v9jyFsbbh+ z6wtg`!B8nu8~BN%K{;H*D?dfs?2)4?YOox3a$fw*JG2-kQu+V1FY_|k3!4UG z<(Yp&%erd}1=YrJoca9}x2Kc1P-z>N`hD00k@amn<#)IIIWo)z5A&len^U|~oE3I_ z)>~}`t3T&B_9xxEjtL1y)vWH#r2JYwoAy$zHZ0ZyGVz`6kmoNha%0VIQmNS0lQ&Ou z>&*77A<6|&M}**w^!w*cCi!_$f(#UlRaM)kXMbkk#-{5@Vh@D;PthuTGo`582Cxh( zS+d@fcgZkMMx|7z>f>vB#N69BZcwsP_QSS09HM?+r)26@a|W~Uir!kZjW1`DXUh6q z4;n7VX&F(gvG}s_`t_82)AM4p9G?rvF4!BWwDKK!;}{KeGrct_h%@!)Dt_ag%y!72 zG2q`bs636CMX;wZjo`X5eLQ(jh<3$kJq%Oh$@F2M@AORt9xNsTk6$?Sy`dA?iMxve z8TSR)lF<)0%x}rPo9VRaJ+sk!xR-L&Ia8ZKe#KB|Dy~oKPjDaKc&MzK_lwX!qz3F~9k*~W=`f)p~=j21#0!Xj3-|Om-RXubU z6foBA32{usWYrB;?!wfqW^@k6z_^6@JlrE815ana4q3CllGpKr6`b7+#76QLSP$es zU}G;JOg=&1{`m9+-fJ9krrhnicJcq5u&X0Edj);v?>0$!P%h!7x>Ff)a@zwD?&w0> zhx)VG=qF!+4f+)~r#|x_|DGWc85JG3VDAx%P;tla1`Ag8fZ($E%ySl2!PV`nrGB_K zROS;LTN7-}_zWdUIci>Wj41K%kY>-~doRBkQSWs%Nb21d2A+1y6V=GAGFaGO&>pGfu++E>58kCL zC0YINhb~y*&U=T1gf#_@j$-E0m$f>7ni+`LEv3;?3qWW0=P_z!br9cpCgvtQsp6w( z*D#mfXtSFqxG|#Bd|wLAkciC^RO{sHEC?yR+BWgjmEZZ+cp~O+{yF&_I~H=J#*gw;LglfnRTu8;m!aVl(2Kvn(z2= zK)R&$C2x!b^$aJ>y4+3}##4<_ySBbxidI{$iOcGdFgn`GkL1lANX-pu=N4_ zCV>$hb*6PTIA3clgZ<9An5Dtj%FUoU5_0(~{~jcNRT3u}X_3_6_|l41AD|B0Z{|S_ z;uu2wWEqlRm3RBo2PQJ++q5kZ*lD7rtZcmH;WEVsiwjGo)Ae4JYXJ+!V%C4Vsu`!M zu%rxZuf+TDY465}Y{nBQZL)dfkWyJ(r-*{D+b4iWA17l~*d^8!kP@2e{G>~lF#fC- ziy}Tl3�JfG?;KJ^Rlxa-EI;{Du&ipAb)Xso3FK=Ls!d38kwCDJS5|(zdhcBV(3| zfrnzv%Ol;aW?@nmvX^YfKTj6XbN`$d=5i^ART zFNT+xNCv77@I-hDc9f4-U_gCG=I8^^@(yIz_T>^h^PI9yn2Xl17V-o(C0L@chlJwG zSk8to<$uaVr3BvIncaVlarb7*}6Q+_?UCCC&Wb_ zrs+xXxn_^%Ed^-c>^^v1AEV3YrEuqPdbsA5y*;3;%1vnDc}6De z(rkyR<+J?G)t2)am9X79RPaK}y znfC~CPv$g!1>@%5uv}cMa+fbzT%w%EPNEsI@)kx1Zyl~WURe$qn$8%Okv|T{3vRcv zG_?+P$IJ6INctFLLp`O&m0k5{}BH$biD|u$K1B$bn)Ol&+f2r z?tO1LiEDJ&IMHhVU8C&9)kU{7s~v+ut?9B+&0RD| zdolLv7sYeZ(>oeBlOav~`}42jJ=hu^!=-^d25p59dEeRMbWfWe&qXPyD)g=&^E@&y z*}^Z{L$k$(#pKlrg617w)K+IxT+^s|5Cu(dEqQ?gZu0Ff! zgz@K?{sP*hR=V>{(&h?srdao!&HN zG0nIyn5~_&43X>VPf7h`(e7A02v7<^c-=ec`EbtM^aOA94f3%8u;Iwp7!i0+x+*`x z;(>puK$}}sh5L1~w?`^%5K+8)I@|?`7MUbmct;iQEL_c2=RLrAAUv|kpEUuKj&Gk} zWGVCFc4QMdbD-c{N8)zPoL^qrU~%du1=V;K95H6RYNg46b^eIufcl~*0jrZ<1?*Ms z`yNIW*RaV}=JWs|H~|!Ce;a|d0rYkUw;-@K1RaNd{4g_s`a8Y4N4!L+#Zk*0dwufi zf_WBmNl(p@I-MX2b_0uJ(^Xh3yjw>cw48TYqJ704Dd_XWdusn{c8 zY>!8$o6$@gd*1;(2fV0@O`WVfzJgSSk*x!(zhC)syV@`t@+RzbTsb+RX_&{`QtK3gh(Zwi#RH> z6z?e@bt^T;vgj1L8NLj3_DfUJ3YCh_R*mskjlt`8ppKG2D%_5W7J3%7o$onKuys(k z>3(Damkw2atAj2eNBgG!zM;ii2HQ^{qfBcpGwbr%F&=J}VO^DedL3tR7md+IotgW%`f*68jm|KY!3zZ9YCEFF)RNYxBk!QC>tB=|Hp@8`=8wU zBVYUfgIilux7e;vR3y~_QI3h-0O3GRGVwdf(*6#Nj{kW;kOZY`{c_*qhVI@h#>wy# z16{SGA~mYyXO$XtwPV77&D+V*#DO6|hT~qqoA7?zIoj}ce#@M>nDFLZc)*y*|8pRp zFkmO^`ttjJL|22 z!fzme4Ttxy4fg@9r&{R=Oq@*+@{JMDTZR&2oyW$JMxGo zp34K5K}JwEyGxT{3!jm3S z^=ZTPIsaz;ms&608ZrT>^-AvfP05QkIcU7~Kh$~+K&@T-iYA$jm3U&3dnsftISjw0{eMN@YS<^0tV2m#9sm3YM7WGm;0wO@pFj1;EyUIir-6*Rh0Q_P6}Uke&4a9WH&L z0BIBsaR)8}UFQc61}a;YWv9IAiqDK1JrNpq|C)jjaRPfoVCMYIK@*r!Ij}?-7?~!Y zcgBYg_tUv{y1}R44xgDIH1Knbv~d&`{9dUU5^DQ%jC5F}4lxNe=*i++dk~f?0=WJU zAo`93^$DcGBI<_T60C`@@GJ=lth^DcwXZkAXRtwCvFtV+8$h8$K`;U!{y(eXM8Wx@ z)vZPm;7sm7+N!PkZ~P3okQV(ug*eW)n6g|f(>&jB)p=~21U<*RgKuWg$v^Z4A%@aE zgg7fZaC*1-n8TjhzY-wpebg)R6(IVL9N@mVDqQ!2uY>}_XVEe-!&^n)J*$J5Wa;aJ z#%C&^L+@+4y#V0WQ3~YsAQ%8{ zom}E+xF<|7h903E25UH>$Xa#d8+z7RaGP03s|YaS0`ESIxIKUohX*j?7#Dw|WBJdC z790u}4u**qRC4@L67Jl~Bhb9x0A(kXXEKQThCsBa|HJaS2oohCR>-@r|k<+v0gw+iYZ(C5oaJ47K+m|BO1t2Z-lut>oNxPBUBru{AY<1dGpUHB*f zT#Jpu15_UuVzfoa_(yJM_3PXrfD*@y0BNo7yuouq`89Pt^%Uz(v+RF3aWOFt$;K)ok+7Izj@y7m(z8z|E|$%pQ8RnV zCLNKPiTDaYuC?M4sLKKKpwZ=$QpHX}GdTZ{>%5HP-nil^d1X{(5o?^jy&-uxz^<02 zLk!yV((-?#xO{*VcLk8*#wD}$5M>Go{;IrlYmITpMunJ0HQ%KFGNE%yL2TDt@&u;A zV-DzRnXEj-S)OK04f25poYd|t!pY9(3xmRNE}dp1e`Y3s-c3loiKwAvCMSxo_?jc# z#}H-$<0F{$=c}-*pg*e5W>nrc*HxIDW8 zz>15RJHv+!EY1_!6?HaADdpq6g;&mOAth5%VS$U!4i|C_mz@Wfjw(@_%HRE} zP|a5D0z1Y$fJ(Xm0E20g!m;j1Zd_R0F3J#FoP;Ag&}K7VSfnr{c*xD1BUNl1c!X7H zo9B6O3+DYUhNgW9MICJc8gc!-Ip_>(bvIU@XmTUQhUm&Wg2o8lws^AWpYQ6`FlHj6 zl$;0n+J6t&pM*tjO*v9j>a7VJtQ4-T=Z5^o$wWm6CCy5|(Oi?r?AgFo^T$(E>5O`{ z7?pGX*v9)g9kA~xn0SLW1iwbO{%OTsmD@W0{IjnOL4_70JTwcQZR)A;lrymumOHTt zy^Wh8MlJ-mA~z<)?nE`?a6P-G|nBtY~E8^sCHO`b+w zi|4L~(gqR0u46vgwIru79)MkQNh0$yTP)cD*tI)=U8j&ceb}2hv31eo^Q_bRp|LPV zit@xjXN{;twk7~}z0W>#7#_bK35l?I+;9vpa8-e1)jDIQAUuq=^6PFknlv)6(qsED ze%8ojWkk-T3jm*+(=Kv%XVKMJ1We&~F}J8C>p2eU4P?nvw+K-)0AAcbH(_Kd9bn54 zPM;AygZfGaCt098g%0)XN_35Ir%3h%6S|ydChbUx^|<)hX@`^0WS^IjHT9(YF~am% zw$e%yGvBsNclJR>zPW1Jwr%r`VNxz$8%H61rPwTE4z3*(H=aZCNz^G=A8%izrXv#| z#x;4&+pH0rBV?FgOcQgS&DLub-??xRh_gt<;o2}1!a2aSDxk4bjiri+=A7m9tmA1* z5=uw{#5iJA=2WSDYjT>K#hYa3Nw7`MYy}U0w2Nlc?AV2vzB#}!X=HG8+~@YI(lnu6 z5*KrdK74)4sFiU9O~tv4qeD%8_rKSuD5vJif5B^Y0KAT5)A)ebNr3;6t;pG3dyJ|E zLl5Z3J%h6zJPk_hIr>l2uyp*zpNt$?0{S^dimp4dvA(m{8xj4oxhLH?&~B zud!GV3*QF`QN05S)ZZg?BjsQHwwcVl zM#@8stTK%p7X-Kj>CKOfMi#q#AHJox2#3kff2whipY%FyQUu8zK(D942>^$s5Rbod zsNouiI;RNMEOFGzp<9jQt2W)!Kzl5ZC#x(RQHMIPMX1W8O5zv0q*N8($fK@7+ez0Lp7>qxqP={3mA*H;(+UI4wOQ7fuZA^(?Nw{9O_M@RzRP3l>*Yhumz zD(x!y9NSKV4~d%A*lx>pXjjig)WM=#*h=-{3HwA6e?7im6xL&DBTU7ImpjS@7uRjN zZ-XjP(Eg&T7oPabyfm^)61L)+sOxVplt5Il=MhxSDpw1{`2Cxl4`qKNR1o&?elKiSr@gmLOp4$lIP z&vjClLEiIp2T`i>u0jC3j_>fLzm+$Xz_C!_Kotf$&N+3KQbt)a{keEPS&#l8s5=#M z#0hvc&~B?t4I~;BLl-P9p|*q$v6u`hLo){*M|zg5MjT4oYks_-P8%PQ(?PeOVU}|p zRSnHYqx!>G)WEaA*J-xXoI)OKi$k$dwA@SB3Kb-jl!m6z-gJ9#H&+SR0BT(9fI@}a zf`VrgZT{tVXlJvj-OiMeN1-H6T!e*^0tud$uMrwArJu9W?pEtf8jMMQ#a-m$%4EM@sOK#dCrsBv-ssBv5$YFxHG_Jzvm5DR0D-^*Ygfh81?&RUmH zthDXA_z2mQr|1A7g$Mpo*(q)KB6{K7B+V;Ivs5N!1Xnh#^TDBvqT3ZF?m0dar$;45W%9@or$d(=ZSD?I{Q%}a@EYqMcpWn}1qjoQ z3}U9Yi;EUQjOlnnH^j{x*~MVT@2AN+8!MG*GZWwfG%Utgd)NDU$3huysAUbHWcf_i z@1DzmanfdyYT7$fra89M;`0xFoyF>~HmPR@fY+-yhvxuzEk8D6r(h)77vHlc>>Nti zJWSn^N()i*xBN7R-|~S6@<)gj1oIgAa{|z^-H}OfBYM6z=kkA^n*V{-s8mYMnIlbylA$dbv!wvo%X_Ffrj;R!WpA28W?EhKQiJrl6 zXbX5hO?+*j5Qq{=yz$&UcW|6=^@yj;3q!BxA1InF53pM*A87 ztMzbN_EJ9LA|OjNPKVbVlJb8PDtDr7mB`;<_hj7j7-mR=xfCvp(V0<%CPzJIS7LYaJ(K12;BwyhMjuAaW`lj^QNyD z{Fx&g#*VBo2ixFm>*f<(Ylb(Z72|PX;}TP+CrdU*dP6rf*7u3X+UHEy)=yU2RXn_@uFpX>+McPd#MHh7f4LC!aP#5ZI^y$sPMmqRF5Ix*)kcRzbJ~T2Ix#*4 zTKR`vE0~w@;LuypSk(seCFQ!@n|cgS(j67~JjDrRrJ;^VXF=hCbt2iHxz0Lx>mptk^c5n>%=#*Z*OQi4P$)e*9Rh^ zki0@Hn7IVNNVI3m;RMM%^1+^i;pLi?nQ5>~wN@7q1fvy&|#RE62Ms!fL_hvSG`CU{ISGnNUqt zY)yAYgPM{4Q3=PRy@V;Wg1w_v=P|49hEe69SvLJr$iMz|1GfsZ%Q4THf^+bS;^dpv z7mR}QYf-^{a$vp*3rJtEh_9&Vh%+e#3)Ck}E20Fx9taaHW+70`Yk%`^(*=o!4KG04 za8WQz2NJX2LEgK1@Ck#GgS{K4#CZ^^)V#KX;t2GEX&zPg|IZwiRaB$ z!!&WwAMG2$&N+t^5T)L-GAVbMLa>O;TKjz_KzOC1 zL70At4%`sv$!|hXb}@z^5QN1ijb+%iz2tSt4Rq6?2%Cx{-Pvq6Hcp0p(H4dirXYY# z9)2=PMeEeaZaPmc9k+XqZdI@oY|6ky+v`xe(Q;<&5_SyjR@znX&pvyop+3yVJKls>t-u8_uYvL;n3a`dB6dr z7|r537|ABx6H%j@s}hw}(bJ+^J;L5GPQQ)JbLf~CoZrM;w!~WBXA*Qfypo^cgS$08 z>D>TzGpn2T)89v0KT}2Zd*h#CYs@&)$yKLmrmIYf370^*Q|Pqkxbb*}oa?K(St~MZ z=4StD7spphXsj6*Tgqlc7K&m{7=4 zj8}~vgZ7k5*s{Mtm?o|R7D2X2P=1pxpdo|S= zEx1(b?hp8h)y=LC9Z8Y4Nk6x(tKPAOjSd8B9cQ4ECu-f)VjQXdpzteCOnnO9uDOOZ zipE{f604)wY=fEc@@BJ326TDkP%Ru2@2u=`G;Kmvq}%w;*|_^SP$7nw2xi_lG@*AI_drfjOR0?@LO* zR@6}B;{;#bQl7GMVh=8$#a!i?#L_;D z?^BViY+1=j!m)ac6#0!qcL>OSb5x(>Wxn{`Jw~!R1{FHe#fNi1!cwRYg8>CzkkbAA zues+E^+RgBHT8&?mvJD@Lq?Eo?fkw|!pxh*>P?y-Vnb<4hq6!;l*OwT2;cYR?>%&q z(&Zz9L>l-AbCtAvos&v%5=2PLhj7o$*0pf;{O+RWL8PfF+O+6*a3f9-oNe2f4}mA4 z+br4r6>d%Wn8XS2)2m&*V`-;h;f~?3kL6DV$0Og-<+h!khcH%bz~RY)4B$53Z0`JG zk>^~WxHG@@a}D%lLk1i52x%`njaw1z*OmabuBvF5Ln?x0(8UGJXKHw^8)s6k%Sr<% z&Lhya+vKyxr2-yhheU%`lwzcW*4;eK71EoGNVM#|<|e5_tAo|a;Rvi$EknOhv^GY- z5^T@ZN{g~o0+XO|%cB~N)EWFD!e~YaWjG)h2@CHVUG-#xNmwu#P-Sc^7prie3G4$) zyGf4mFTuv8Nt9lt_SvnEO2`E}PvAg9kl|`23O=-tJ)a=5CgZa(dZHQq76@Qdc(m_O zQO?e&`Q4+Dm1`u@4DoiV^Hm{2vIb)Fm*p*kKfl413)D+V{XPu0CLSL!{mY6TN3%5L zmYAqMkpO5q*Vp@Z*_$p{_tK8@M-nGK*N1I@Z-h@>&>a5_CfC9)&{af91(A`P+?F>s zVzWEMV-Tw8NwojLwI#V3NBL(bToyHXIEJk~(+I7Q-xzG9tgXTx81tQVX4J{8%dtCw zA!2+d0>>c>Y;>SjRk6QT4qh{nb&VVc$NLf7^vc7?P&DG4ja>O$3Fba1i#p;V_rY*n zm+8CRB(kF%%bD4sE;yJ2ESG`>MCBIjT9#oCN1kolrRzj{iZ(MpmCkH8Ltp1>US$MK zJKp_lDNfv*_d`-Ji9`k&Zv}9#+Bf00-m~mcDC$q#fwLP{JUxa}`cQo0N7a=f-Y$vpUexYe z!8k6UvLdOfE`XK{?wfc;huNR}ja{_4CPSTL>m7^;%LAI75P4`Zgo*@co6=+~=Qmlc zJ4?RwEl|QagE#*uOQB?Vy^DI^pvK%ty78`&FnOxy|K9~C?zOS#lm4>gZ9eHAhIC9y? z-j92AY72_hnS_Iixx2xP;xpayB=TAYbk$JOc@O;2JGGJQ$PMIZ*_qKFuXNt_LbqEZ zqh)1SYRQ1;w1;8S(K_!kBz2k=q$O8$93M00NRdrb6xZyx2=z`dTr<4#7`|!e*xLBA z{?L9#dqI!!Fsvu?A||?90)sFM!xb>dXWPl(IpIF*to`hV)))JBncWoQ(E6t!JHTKO1dS+>J5f{Jlqny(l-j9g+J2zwh@rS`qZ*16G`+uzQ>vzP{WKc#!vK zDm_?ZObLj*m}~w;UF+2jtMHF?Y@QE@r^v>4+vbZx+B8bnAz3nbE46M`oB`_3il{mj zYPk?fbe**QWzjcvs2jUu3cYiL*by=1imU(Cwl#8BobqfKsK=p<|#*ZnK(wy^9L@y zWMWDJtoC@K_6>Bb_r7k4Q-shnMA55|(NhN7UUUOe{ z7EZ%SNw@Sz-R}jzd1QxXiVcM|pKd&7^12rNPHQT@g&6($(?dMeO4^*8KO`;Tiel?P z?C;m@q+Wbz0oxKNcrIUuzmFgXWLqNcl8RsXGCK=lxcgWy=Rw&xiJD1pd(K3Onyz6y zkVWLsPAxzexiVFfd>-`r+%EM*_TT_6(f=(Z8nfn?l~2in;FMNS5E9!LP$TN zH2f!OBgOt~%f8x{PJdwwP8MS3ttNbQqg3#V%h46*L7^20RFy;xZBi_jZ|YZI{=H>l z5RBez_|SD+T1M1}G=y-tb~WUn<($9DP=BO2fcLFSf`;#e53o+%LIm`-J^$zB=!_qb zF?AOLTIMbJ4S!lR2@yDqIVT9ScZ~XOTQ2FH;xGP!4SOl)I>i@pOzHM|^A{Mu{EhA) z>if_Cjq3hqYm|+Jnd!f5WJdb`L3J5F!l(alsw-nn!eiBbUvYQ?yc5?>s;k?XQ3bMF zKLoQ|IXDD3+j+w z7QnQ}-I+6%@dDl2#p$w~J-x14IImw^wSU*Lfa0jm)-%t2HcnpwhO=|w!Vvw`K`Sa`_xj*~l7D z>ktb%zegaEvxyoDY4K5}GxK*=eAQo6fgHK}(Za~NwXH&^W}x5cmE(?MyY4a zJ9DDB6U6`K$DiiONHtE<=>BfluIAq?%X%~d7ww$W=X6~3hitWQ2rCVflI=8{27-qH zi&)}7{G$*DIQQCtk;AEqkQeo3x6TLXq_tYKl98Z`i<7Pukiq0S=il%(EpG=YY|<6B zU`=<=3N)gzJ;&y=JczPKpw1OpFyfmEv}DRuwcrZjhZoh6l{UhB_+C9`We^Qd zsUvbhpdK_Aoq=A90{ugGnEaz~Y7S@A1e^pYoZiuY^PCJoupQwYJL%N&I`{8{D$Nwz zz4}eC6FEpLab`1L%;(yJ3G%B=&*p)Ja0*`*Uh7n*6@-8=Dgw8~U5{_yZjrQvP>kJY z4Smwd$36gJMl_9ZKdKv^(XV-I)^+gv@X02-bj%68k8A!sJ3jGXZ(0Zw&l)>}${Z>; zzjz(Lf+fz7dhC7^uLvCA<7>1Lfka76Z%3Gb27OFBOnPr{n$`B&x6?^?;B~vEHS9bP%zk<%0F1&^}U2E};&-X)##S+C5ZvcVQ z`_Tv}$rT&m&;s$V!uwIjUkV^Ngp7K+uqly){yT6A4S>0ey3cwhNlxjcVNYba1$o;0 zgJu-bfW#urM`H1Z%1E*dpNmjX3u;)+Usmh8eC=T9<( zkf|cNS$k)cpCf+;PJ8xbMQhQyXdpLGWdVUxa5%jiN@fczK;SgTl)Kk&uKVrEyNnR$f2JgmmPgjhL>qDu(0x-9D z-he--&Vwc=wg{4Rj*;|H@Ujaj8BSooiW32Wbin?0?D~OnnS`fRXa7aH%`>TEL{X-- zzlo}d$;@!|D%V9aRq~7Wf^%iYs}>=rhJIfciiAf!m=Nx}?y>o<6DTh|iZcn&OK$Ex z12|en9R!`hEGSZeD+OM_ft4PdC`Q?jt9igM7RT3SJ-ONArz(n zeN#W5qp<1(K;P6Zo2K++U__+ILw*(~CSmM@?pr@+g6kX&X~ z7MV|y8ztKh(w$4G>`3{@A9or-jW@%%CLt1RepZGOggh0e6Rhbi5zibfk9( z^!HHc z#gi*1{@)rg6wd$&+37<k=U8iP5Hdjr*d)tjfiNP@?$+O%q$=Hv1UP(-FJbz66 z0J+UsOCG_jna!wrF$)QEw=iL=mA!qeD;818WW_M@Vc$I}^% z5@#>5gs0j1ZV|Ec6BG{E6pluxBC9gje1#JljC?OqV9AGX28EiE8ak92$t@Ow7aOFn;^rjz2Iiku$XdkHhpiVTeZa5~H(CmRI%#Z8TLJ z@+x-oF-SiCWZ+R0m^O;-{M8`|_ZKMZ82%!JxGeS|6 zImXh2Jx$~#GZCrX#In9IM}f{``+$|moIYI%uMW)|H{MBsl@;HEU?ORCk#bPSEmDp= z6U%Yp@9wcs_pPMV%K;+W6G&*@ePwYp^6qC2KV5CguH33{x8mW?9Wa;g?MO!19guluAF}>O0MA3xL&CXSr$&Fy% zN?VhsFJJ*;2r>!1lt!@?entE%N-uh1sLD<$YV};T_+VZ_x-(%%%~>Olgg?uZcFY@c zp$j;clmQTz$7EO;#vy2*_nEl~n<36f=M&<7-pv4rI}d=kjwjSn^IU)d_jym(OFj^(y({8Ym}d_*`HZ5Ia93J@=)KX0-w#M_WW5I zZt(S%uU#8i9A&VUJf}?NJ{9ECYbdmxE<(gD2F3UDq3vuj{K+-X%tOU{=6nt!oaHDc z;+&PB+m9d30Ih;>JN6$1`Ot28B_L5)*m=NByJRZ6_EMwdzZK-e^N=jfPX*bT;~d6} zClV@HoT#DYBXD|Zgccuis4N2b_y7b>$Htl6W&nZHzJLJwlkW&l8OQ$>IJNo+oN{~y zPSpT`Q!?yApmpv;6h5^`N|{%lHB~Ha!{AQ4YO4E^a#lwt*#on!^~~K*1$q2aK|Tg3 z$f{Cy>1jnd|51>iFDLi%*e_}g6EWU|2MA4GFie%;ox|8!jqm7BA1Gm+Jqno51Ao283G8LGVT5oI1K^>PUl4+rU57TzuA8TPJ_>DCCCKa z=?KuVMvTm;R|>Ib@5JZ(sw@int(aI=jm#S1W+Sb*IH_0t@Q3<3ZP+B@f~+zU!WqAn zl;fV01$`Dyt6MOy^%B+J8W< z*$2pN0)Sk;;fk;JaXABkFC7LuXU^b!N!3eO8s{J`X9YNd50JYiPx}FKudY4<+zH!K zfB-jHc?&6jZB8hT3K#67V_cR>?#}_@&(FhQE-wRy8q&lMkgMu|BGkFhfJJ3Ai%Q+> zK0{Fb8iYJqkTeNaNNij6339RNpj?;EY_s;}+a~>80U+0KHxvMJ)o8tle;_eV+W{P8 z0rWWO_OSEcS3L&`1Bnd8cHs>%#kde$xWpF!fZUK;0LYbT-v@-_Ex+!b!N*$F#4f4` zZGf@`-))5(RM%PF0y_{s%s`8I+xcc}S5&mWIY~a0GSPI#z1?LVc)KASc)guPc|WuV z9zgO5Dlqc8VPy8)c}h(XdT%gtQ%t-*tN5Bdl<;|nzl34@IlW~~yUvx{K|RD!xXr3saYH%!+e;qQ-|$pkc&g8r_)s5j zi0prl0-o65P?YSxH8-)=@g9l?gK&s8AvSjweC6cgHs0!@?+f0%mIv0q{~@^%k$&%I z{jg1wqOXGh4cX*}Ld_(Aiy)eeaKjqq!!+$_x5o zZJQiQx0Flz#Ku7^?>lOZe+=o_BJRz#$iL6W4=rTvJF-0ue+nIlol_a3$8{Ev zg*@EZwJ>%6ij1>!Eu1;NJp=cw8T*8xm2L6(L$0mc2CWy8KF0wswq>1p$x;gT0x&f$>UuH|OjnA;bjUi+9#2Zr}3_rP?ve=om<5 zu$vc4M;7y8z5#yM1w+b@a&lc%m!Jw-F zsMsdQ9FcRwb%A?TIWuz}UFOgTI_1a+ zwZ;hlwbCT@F>NnSur45M*fu7dqV_TI3Wc2H+}SW2f|Gr|`bqMpl3s>x1B5_d0C%N7PuFe)NOcMzH(A)g&el#`#!!kMs`I?50!AAL%JHtPXe?Zxy4F`PFDN;-ql3|^Im-mteu+a<@I9H zy8P^KV&*2(1EPfjS*;6+Pa(*Hv5k==yw}RvjSQozwV+wA64baF&Hf%2qnRv2)JpA0 zPVi-B0eaH9&n)RXnk2T9Bk_rqMPYT`&hsyHE682djDXm6&)$3lr(tCa1$h z$zwIF{rG$aJsq1wtd}(iPJr{t4RpP~vQ=O67^-*eOX$$4_S4h*0vOVk| zT2ato?WJnqTC+-aX0g5{E}{udDDcpYywpX%bcy(l7KtCD;Z?doU977jekd^NaL+E+ zmV9}!azX?ns_5N%4BeuVPZC`;#&`A;Opn(VUP6|hPK^qpN(43QNPOEBNbFa2?4b%U zc!-Sab^N`249*5Xalb{}X6oKLJLqj&Q%${0I-6f?e}o2jYhKBR>S8u4^e1fRZtTr( zGGCYT#%;C|cl*2Wy~p}n7?NY5N|g6%hBfgIXxwZFOFhk_Yd9Xml38%sEm{Ck^SYN6r^A)xc_xE{C!V+_|LtgqI*_9B!lzz+7 zPY=Bn!Tw-=U)e%O=Bu%Q#l#mjlwp`6~A<+$L><=*I%JEB=-#bpS zUc)n^TdPANoXAl39K*7atsn$r>_^9BOuStfVV%R$T*tWIVCEHTJf33HgR5co3 z%Go=qa~y}HeK1R#I0E_pmAeN5r%1XUv`*ClH8Pba;~8tO(jxsCVhhcM8{h0VfG^=2 zyoF|bD+9PW+%+n*6YE(mN=H>VB5E|~&N+^6*VkucOXgy{vbi@b-YP^QMDP!Lh$bgC zI>MTYwdM94Vsg6Rh5@~?MnRkg&1Dd*PsTHMiwJg!7ry%tjBPEsNh{+I&eZecuJ*Er zS{h$bz&xsZ#wd#U+{GYExzyNd{7RAsg`4|o>xu`%>EueV#pTwE)R)nW5Ee)ctIH&{ zu=6g5Qb@j0rGv-!AgEW1Zyw;YA-!*cnKduHqLzR*g4pbW*@36+GCx+~Ti%*_E6H}n z&S6xWS)3y-1$w)*@K6UjNjQIL#C-0Da(#2~0p8eJn)rP-j|fQ;b@e z+C3?EV16TCqS~&YI@3CP;9gE=N@SVmf6f_rQ*pIpkZ-0u<^?uEzQHHT8=azq**OUf za&6h_J`abPm)q*QJ|b%H3~+T__m*3hd+2{&zkQyXo(NDo+rgPi^RMrrbK0)Vb72y- z`B6POBUGE!(t&w^Y5nwSpKc3Ft;1r0G!gULawYURt*fbJp{KFu;L;0aeWK08Qqd)h z*b=4k&(az?CW=qWk}D79{8>!}1(j&w&6}aP>KkErv~<4NNP!pK>C!qMMbdoV5<*dE zf~D@hHjeq!rEL;-#!>SR;dU%ZU%vibxrDj=(`}85IbL%`^`g0xu0r-P)7l!S`bDMl zx}>2*`b;H7r1!%S0a8Qk$U`Sdt7NXl%9$K%2+3;Ys+5sP;?)++Uua47a?uE-&506h z2PF06p>si40|@9cM5~uXnXf={+u4zqm;_Bz?**K?JO<(S_vt#V9d2yYbs%_U`J1TT zr(YhDkMWhdY`a_BOVBPEE3v0(DLnR=+%`e+i`vx-LOYIj$lmA1e~;BzK;xjJQ|g*9 zmTibXjB%EIvy1BHn`M-B?ytldnL0=z$b~165~euk7Ft+c>(`l&?}PM;sI}*&TT~o5 z%D|J^m9yph=5;9tesPY3A~k8S(`r9~&hVmuiSjV*n}19>HL}(M$(Y+(6$0BM^%byX4?_al1e5fk~S73GFW$J6FKyZ z?^z80;GIt7OvoOIy~dek(JA%S)6Op#+uLQGCe%Uu5f#64iRUd#E-UWn0xOKP*wUHJ z3TDNjX!4PE(~ikzWMw6xJ5OnSuNfX7IZFfrEqpf0M;DPo|t~|MG;zf56?i{>* zXHTfj_TFYQbMZRdKe)Z+z}05LwrNz%TadSY;{1AQgZke2vD@7xD%Q2t-5-T3vbx1p zB9Z?>?qO2o zea@ezH6K|-`n1@UH%LgK+Xr+fnYV9qxT)UT*5>>ON#1@``V|p)S4ESC?2VMq8nZ3HH}&RL*LI=FZ#tYfL)`&;VvUjYFLyxL}Jd zUn1YDo^74eZE=sKVB7OA>K%1T+yN@t9WPnIRd^A_xRFR+`ol<&k}1{kCSaI&?cqv! z*KaJ-f^bdNBUNa@)u;R1YQ5@yf97b)E;kOf-YZT3bBc_?8#>+e3`8t*zg&wr4&8T=0^-pV zjM24d9@!HnmjsL{-i}VUfm0t3>4yscNEwn`j`P7@1I2RvW(5PP0@mk*oyD=r)BL@K z=d#m$RMs}$cEq+(2CGvqJBywRcI6i>pjl7jH!w(kQI>W!N~( z7#qw}CvFkf3s9mOtsGZv05WAN$CF}>@35oY8S07At8-~ zba!`mHwZ|Bbc1wBN+aFfCEeZKEe+D$-QPrg_u2b9`?}6={;(!%&AAxkx$m)^P;A*k zEvdal5wzG)&682X4S_0-+ySa;Ms;k~B6InDPg3(L+jqU_xmD4u_GoTVR48+DV>N}6?Eah?2$44`QQ zMWlm!Hp8k&@O4tiZ&e#llxepDrW9{zR5|-!o5mxV2%cOrNP(WynzU4ynz9tc-_=)Qm-K?C z&NzTvEN0kZEgL}I%^~7`6&{N`xZGR53Xj$7weX0_8uE3dVASu3Yun!#-!T*$?mZX5yWnYMFb&z6BRYWG8!Znk|RQ~PXa*@n8>jbt==hX z=rgumdFZVXYnFiUnDu{z$JfI~Df&tgw31R~u40O?^J-sg5Xc$j7|bM1l$ezT6cs`; z>-jkL`BlEHIgZ8> z&4n?cWs!(jOY*yEbg-(Tn6~`gG!{~sjL%eah~B|k9*Jmv7LSjKOR!LsuBD(+iT>j| zhFB#Pjt#ckoIroWA*Mpcz6A}Z{U*2x@Z^Q^J89o6!u-p3j0!fDRb(m^Kwf0w{a!AK z*^3{~&ZPucQY;-qlt@>2KR@an*EBqys$PraBAxAr5`@E`Z~z;6C40|ICBj4Jk84{y zAQ~9w9m8j-uDPBanlKxyfn9?i`=@9O**Lln`}x2zt}N6=C9@DZ&X`O+QJguhk_%&Q zGM*)#ZoG}j0Z#j#5N1X{=NcGNL|8#;I zi7~xn1h9s}e1ShjBe$bgF;Fx*ilisg^rEt|(9Ha~%-FgkD~4DqkNQ)wIKI8-q6F{eMb`X92AN{Y#9?2`LqO9YwprqNCFS|M zFgmkRa&5M$@dJ40=63G$r|+~07R@S~%`vq}lUZ`(AK}Aab;qEKhPT#JgR!wvliv{3 z$D3t#fo;E~ak%w^CExNAamTBHf>=?y$8JVUVHaP%d<~?7kdWgW zXN*X8#T3Ta^AhEIXZy9F-({Nkjms1=T&gH3>#mvnQnukK)WNUN%l_^TY$G2dtWXES3}E7brA7CKz4fYq}_{ z5?N~z5(hxj*jj+aOiUU56^x_HTGeV!iFQA8*I@(r=v{n(V<<{2T?jEX5v^b?Wt80T z=qRuaQEaT7uxa~scb0+oE}uOM^MYbOt%tf5oAaF%O0|ep01x~|-puNdZ|NLesjFt4 z$tkd<*fbm{!8P5YWX9795A{(BnMM0cMGmS3Or-+q9Mwp?h^XFC@sPHTv;={;1Q9;Z zCt7os_$AL~)5O`dRTr-1H&*ZWmz_+i3N?^OU5*k**z^0Rfi1;w5?nt zBiFf;F2ik2C(`)(GGHUFntWbg@|flvji5(R7AGlF+i(y^1`(Co*0XnAQ8(wO;3x9g zt5KWHH&L;6{M$^GD(bfUtyP>23QG4`Oo~$UROB<-F~;35)z63AGTDc$1iQT1W@U%L z)}G{_2h!Gr$ML z(Qfl7n43}s`s|Ig^O^^%P9is~-8;+8l2%9}ON^LBJc3>88)TqVdBmKL#9co~cdR%? ztBgS|n7$~SHj{V8#BN4sP&N|>5c4Eo3{QLZ`#P;`l3FeipV|2av>8~{{y?D7#J(fU zwb?OLzr;wV3;g;)>xbOu#oZ(P#HQd#spDpfaICUP{7d1sB?1XGG>`zBX^EZ!^+U^9 z{EV8?1nCxqy&_&RgqVsxaqCe^m5)hsOAv5(TSav^Jj?1;o9@hU0xcIfgKoqcc5#HR z%~&^z4X#Yz*q)l#tW4Q#>>NpH`5P?46kIGOn0Vg0r9}y|vYj0Et}jg_WK`zxhU0-k zNTdd4nO3w^=8X1a71f?09ic$C@xVP|t3ZmgRwRxeCO~Mx4I1HAc;T~MF^j9rja zB}rCZL_M5D%@&&UEJc)qDL)eE8i|4gR741cs&`ffj11P-Eebm`cyHfBNg;^TcGDU~ z)&X7PywW49B&wQKlCuSy2_MX(;OD9Lz+-pz>UY;@hm-r-HEx}ekcMZFsL+gK1iKt5 zZY~DqF<&t5nk{5SZd0g(ufYRdqq~Yj5p{SPY6upp*ZOU3AcH01fWG8=r+y5eYt&bu zP(mr3FnaFrck#9hkp3FSy~2HM(~}pb_rS8}$CpcQP4lC67MylE3(w_iMYCPIm)7tL@ zj4Ad|k_ng9=HxP=pCpMz6>SP*Y(-|^n?n<-jf4bH#;(^-#c5^D2Zsra-!V)USmXuI zvFba{irx*dDDo;|S_{gwre?=wTpCeva`Sz%zg5&O-lZQw#d)fn4f$RTW%-pt*w(am zoGyy!Ic9j;9drs$BZ+> zhCdQvro(8t7G#!EQU|*EnRI|L#V%?Zyuo4eWDn#VF`q5$@NXqHg^1l`%rO&6XDYa8Wce=r<7`;%9y^%uTwxc+&h2!=YylSf%U=5m}e^BglP{_YxGo)?-jG|#UR$GiK0uSg-(J^AB=foP>kG(gwrXR&cO zzPUp#TOt~O6XGvy7-gMNzafT(RlB(nHhWUV#5u?hl#OPTd9ygf$tQUNn`ba283B5N zWSU{^0jOp{l0$Ubpy!x6;b1g6%P`9cv-Q9C6t6FM<3cnxX#|DUTWeaRcY~t_G$wE` zA5R-*?+j(bmmXUT%=&s|`=H#!@_ddr&?C`qSlb2`vCEi`EPaZXbtn4v!E2SL(2Re6 zX}%>)>|J4X0|5XfQ@?D!KYNNgp41?~o+38&Uigdl%T`y3!_!$l-*aVy3c^c$PLAj0 zcw6I9JWX@s?GW0UfNM#c1xA67%+*!M4yoR_cH3pEby;ag{qrpq@3a3?#Euj8?Q>G@ z5!m9&5#me8;u|hV%h5IuZ-(QmHjl@}^Jo1#hkWaWU*%si%3#=e*J1mywjH3K2aK2I zTgaV6H}uK|?D3ihzgN#TE$$79bV1L^2{(ZbL5S60aA zDM;*?e0Na;WDcRj;PClhiVWQvXd-?+^Nu{9yfj)Ipo{y|q4GuC3FiKKsb>B`#OB*nvGV8{NMhqUriPmkIN+T`L34_vgH|lyY##KSEOlI@^ zH822=wx!*p`C7}h4?_nf zf36$j9amSt!)}1@uct(DX2dqlBw<2ChhIX7B(|^?k|?e@7fsBd@0?L zc)#3RU61DVjjUB8>d&}+XFUDng!ty_PLP8=SqA><+W8IcxucP^)?_QhvZWv!;U;8k z3szMMCrib5=e(yB#q1e9)0YS-JW0q&PlrqmOWX54(9KF1A!$<(o{W4pO(=1PWv+W< zZVlgrNm_9^bni+2@4D$p>9D7ZD|dXROgC^gUjC({eV>*!$l5ylPeUiM=1?9L^qTdZ z_Zg`1_b}4AYp7uwXWaRlEl*Y+TA0kwcQ<}|@o{>_a0j}Xh%~#);+`?Pobo>|zJFmJ z_~u8c+vfh{zj^jj9RTsTvWpkeE1`N$6WB9y*v7@jiFiuIA!_ZeNAq}nRR`nh4CVY8 z^|77q_A7cuiaEWaPo8mu?E(=3i;bxhuFoOUX0MQRJl9u*F9{MK()JpLRS|DBKX#rGmp*J4O>bKF9Hk&_nXjuo9X1}?W-i#!qSh<@d-nS0y za@jP_K3|i(ws&;8@9f}-4ykHEnzmV!T zhMnL$n!>(%6Q|5@?CQRd1pg8W zR9xq1Jt>}=EA7xgFrTZxpO|~gJ&X}JLupmJ z&7R@yzvKg`4{$|_(pBdQ~kd)3o z^A0`MK|+Lr5P=;9f#r%vcsMCqc3ruNqxp!E|7SUD+hS%LC*u$Vp1SKd9e^> zAITL%HAx;Ep7=0uh>ibSg8R=*9SbuX%l{;}tp7W~ef0wV-wCdkHFb++>#9!0EXZM4 zE6J~RFLw*{U9AQ5U6FArwmpFg+K8pi6P3q2BjZ_FP!tiwwy&bdA|HuKY>dXPKa6_v zJl!>qyv!huS$1FOJUidttfs!~Ts~Z+kJ0e<+8u3S?_aBqQH=3Tw(``{e0TMKiCY=- zc{$g~A0O1`s4L;wzS!}h-QmFuw+t8L(J??7Z(?YxFA3v*@t_sI#{>*7_sj6FCOGqxX#pI7H<&Yf;r!s~-b^DcSzU>;#Hz5PA8|)sGu%E#Aj1tp z%x|^$o8h9zp4bV{-(v1v*3576j>L@gp=L`08LrD~hD!rvxS^l-{kEN{pm}r!qCS6Z zEIRU+jWPQ|mz-$m3a82()rTC^S{;>IZ3@lS_!jp3(-Im~3M%vJNIO)$n{+IAetqg2#hl8Ur847MJ8;Gy{X7+g z+ZVo4p)G!W0g+rQZL;0Q?_d+Vy@&4L#ibpWpg7r4qTSyyZUs@>8oQVXRO#$?)+UZo zUE>JjLlV)Ekyc4RlFV-dDQ*Ce;yOi8cL6Cb43Of|m2XD>PH`csG(n2fY>?d&VtGwE z0_qLZw;euP@zn|Z@|_t2%;4e?Hev?xIUe=<%xTSQ-$8m;=-D5WB6bnTAZdRhTfY(S z*Vpem)}9M*z;O&R>qmnBb^5j%=NI-`M>Udh;9Y+Cx9=HNOb)o`G3T7@@X?!`u%ERG z*-HDMD(T7ArRCUUzbiYuML_&WBd_#(x6Yw7{B^gE+h_>_`A2s7@7=m>8j(0#gT24I zbsNtI%)&!*M8^5Qd66c77ZC$^5jcPs`I#{{2=F4DY7>J>j`@OG;F_}UDrH_|ygn288LQNcx3@RrH5zlhdI2%;-#bnssj>r^N7!2pYa5c;$Xs zDP4Zx)b0Q~%xROsTxDMV*jw+68-)#W5Y7rOU0jQzUZuG#QmKrPu)y7qD5|(eJBf8J z>-`gd?0+LX7kWOEteX5;6qDeQciEg?djg{o^IygZ1AKwwqKx)7mcVS?ssNb)B9;Xo zEZkISm9T;aqnYG_VOX(0G6rMN0%3aQuUo^Kl=;hVbOz2EnI^ZIh~;XLn+vGAG?KtD z7A?J*I9qP6N?R6%|08vMJtRtEJ_id4GiTC|%)){mg{5@tnLo!J*CIxH<4ssdvkGWp z-3)VzqKl%qQvN-~ZInvEjU2~?i+@dV53BJls8V>n<6tp6w-rt1nEkJ-g{PFpGegV) zUWBGPRP4X-B1wU;&zgwJlvde+t#8P|8#y~D{(~1e{=1G>B&td2lv&*AAOejl9F?+9PLWGL-qHcx$?APPf)%%zw069eKv>(W#?*wur5 zVG}zf6fqT+!gHazzFQ27p^T~y+)Us{Z)gn*vg%D>b%UWv_I{2)t9>1}-AXBJ@JVq|Qi+&HnAbHu9^_0y*V4ha3%{DZCfau&r%YFWt z0;ITlN+?+|wf;bgJNY-oeI2cHGWpkNod+$Tv?XfDM0#R^5? zLC4y}*UdU!3Eh|Od=Y#TAAhp~L^c>l=ZqTQg zQ}nw2X1I1z@{Lu0Gu(7cAj5^YFx^iZp#d^nOsSaH43`Q10?2RyfT3K6_rPYEXajQ0 z!7&jj+Hv2laN6}N4q{Fm@!)HQi}O3f1+;&^Gu$6TD|lKG1QHT}_K!-XCQ0hp+FJc* z&5qNG0Grp?+mU0g>bvO@sOVCR1mXc620p+(XovnQj#_G4!TLMtcnIGJjQ>;6vG#a|ikU|<@i z!}uIi?LQCxLyJsU0kp_{rQymi{wKi`Ey7fJ$uBgQg$USBUbNDl)Vo=MRbgUeYarsz z(cpsa8Q?tksTO9Jkj|5=s8wbF7o5j_01?Q>q5s3WlUe~-99Q}iXoz3pT$xqQ+|xBI^uw; z9|ZTz{KZ8u+`eCKzv3cy-A54vbUH0ZyIViiNlvmWu#-~D;D56x%iEXUV^z{D2%SHXc=kwhKGba&3BU*)5;s!T~%?f%!KQVEzpUtyt`#bpNLsE)P}h zXH+k=*9i9rabQF8y~`ebyUx%ip zt!l^jf}BTF7NDUxo0GVV75d5D-Z@CEgSPB511>fw(lOE1Ng6e->m|tY@Q~B#{wKd!)HQ?TeO(1VR1VdNYzVMoLjRa{zORa3k)E?l~;uMRr0A3By z6aqg~A>4J;CJCAjXo`98Q4iPeB#7!?F1_xzVQNYgAt7{Cj^srLmp;xkVhLTT{%5fc zvtv|oxvm7{Z4{b{(DA36x7t!AY6{IkpTj{{k}OgnZnp&TZ#y;;CYe{J+;b?X)`q3onx4K)MRqm?&+iI#G0H-MOGKH ziv8u#3OVB>A?(A)-?WGhvGF5CV$rMg&!aSJ1L=Gtc(k0Yft8H&xqOw}mp3OX8_ya2 zb+JxAI(QW7?_wR(ri_(Rk~wErOSaxY7TDfCacyivN>S5ICYxoH#P|wKzhAFyBIeN5 z-n$x}D0ds`_`-@NX*j1u%wy1+?8Pv6fW0)fWuRY*CzkA@mm3Org+=gINd2i`C-R4F z0a!#YZegF`U3b^2!0oqPk8iKA2;&<%l`zLZV}*s-Y@FY;tpRsba*)Z*u`S9KQ^wW@ zu^xv?E%pX`J-4fF$U3f*La`t24@*c{ikhMugmD(?aw7c<* zagR71vTgDJ+yL60hko}d4r=8_u(9!t(Jv0@GjF0kZI-oQ4U*`jL(6>SZmh2z{`eIJ zm{jd_sCygusXC%-6kf<940+nje(tQF*ev9$|9Kdm+OWkyUuwbXUs{Csl@`IFZUh2c zg9pDqv`9SBnXaEYp#2Mp_ia8r0BDgSw@k>3$|k_E2y?`DqTf(2vO;K(v!$^JJf!3q zU8ov`dJ)paQgyb!_tR)g+J7&1GNRn$eI}S(UqNGYNq!%j*CG>9$3@*(BCDqX zX9;ZuchrMEVBog6|8`gKRE`S!DH`Sy#k2MPe34>J&RE@x;hMw2&s4p%}@VUa!Sw8JPyaaTnypWGa*oqKhV^8Op zO+zT<4yU+&?NYqc>lhW?uyQxSndM|CxF^_C_$SXpAK^=Le+uzMUx`YzFG@=L{M~>M zN%}O4?R)SP!W5px@Ui#A^=-6OF9&?UKbBy`9b-%$fc7sJ(Ec$B(f$c=F&3Prseu5u zCaFN@Lmp+xAk*&sc}&>Rsh5AjzUR?i9>G$#4rZ2MW3y>s=idPL;e-hC-DTB53W@E3 zOS{+H`tYzuDm06QZc((yVj7v66}^uql|G}SM3z5>U*dFK-Dzu!#fiq^`XFs>xg|x; z5eJXlBQ6=sL(l2E7ArYXI%IuB7MDtn51YqSSZNmdV$Ft8nhy*Y9tWN`x!vj6#kI?l z&gm~97j23KmdIF>8ZcYCdzzu?pL>s#)rm6LU1Ch9&9xe4wK@jh@Swvz#pu$`EV@HD z6R=mlTt}lhNM3M%+Za5rlew$I_%NoM+o1w41`(!@nQvw27XEp`3AJcApH5Mc{>B32 zLST$J6hnJJ-x$GJdt%sHr`V>@)Zv~gucDHMw20#8A_T};u(?WEk0h#!U8&pPA`}fz zU((8?61i{lR)n@*lH7p|US2uv?OD5Cq8AdR-bikOU=Gble~2Q=_n-@&AjDP)A zI2{3%-3~-EFJl3#`?LHvZcudkYVVEv!t?2(&30e1uu^-5X)$Lot;k%2WX`l1X41{TowTX>8;%RREU2uj5vp{zN(gGI{lS#TGpPZSHJWJt;D zsVq8<6zc9n?T&| zh=g{6=;jUfK|`9Us02^Er!4%;jCoOEfC5Z8fj>{Y{&0PRs*mIManH##+D6$|Zf>A$u1=$NDHF61+zB z^dq{t2vR)wG315ByIX3J>#1PWGW;v9Vwx5^9BO`5%K1Xh%V;TK0;U`Pu8JeI9oVv9 z0>MiRAPMfiJ0bJ2ZL!Xp*n-}KFq*H`0&}0pC5oKk6P3>NI zRyl>8&bS6|edmMf@Ra#Q=gIxD=cELan`T;)S8RTnQHfFN2z^aYkKKjQ`&Ujz& zcQnV`*!-%`jI=IMknqvJm?+MzzUu(*G2F@!O9$6Z@6Xp4Mu2s8#lMl;+!-hOG%)7K z>@#TJ%1P(Ifu5V0Z7jzjw6>zWc9u6{mwAD}Dc_=KHl~_<1^P=Uh4fma{(}gjJSiHM z_gTe6damDnbQ;Rj{5(O>huF#SZ~YJs`e~AjrcoBg!ZA2;M6sz~ja29c<*@I6#C6F= z5<$n`SgD5!4f#1{;PfI4%Gp~)j_C8+FrwFR7fWPZ7%VYjgsJZy!h|=mMyFU0lb`eY zfbE%lHy;jusR^ zXBx0gM3Wscd{Uap818{=7G(4pn#pDTvT9O%4*vB?UW3`r!)Vz7sdbf2NkCGWN@0N} z1F6Fa=h5D3hpE}9@}y6=0`D38Y_X?=z*RO%Ubnuh_K``%c86>RK8Mpp270}xmDrB! zEADP_LcIJq_h|`t->BVc-YwSpa>>(?gq6mu!;gTJ-30dCD8{lQ*F>iqPNmA*^HA9;IlRY=T%VN9#5Xe9P48;EtAY<%29zW-(Tyg9F~E;HGYl znuVg95b~k&loC!MRO&kZ2L~m{7vz&X8j0pJmNO7&rV3=YJ_+I_GZ_z7NUSbA26g(z z8#zs&@(pH_275_G-nHc6j;J1`@q%49JhJl{d>};A6UKA52s1#|2r;Z9v*~~t7_T`G3$}ak&#nSeqtg2c2mrol`VAKPQr$r_joJAM$Nfu@= zKH%o5mLrHB_gcl&l&Xo!+Bfy~T~`wiR5RJlTUAXr2hl0qiq2EFrRz-9aszuJ;fcHH?G`zJvC1y70VAx(67(A z3X9k>Y|cd9X}0BN-)eSAtGLLf$#s<;TVnf!SvEo&jsDW=6SH*78$ISYoBU|6<=0_B z5ngcp^$Jut9E0_P;!nmytTMXeChg_;rz_=e_0Bh_a&;3#1X+*Lp6wPJzrEVrM$s{0HDceJ{%nCiVOtYE z%S!F|_QZ{2Qe zrEMMaB}v7K3YuFD(5&`p2F(~!dEw+%3OCIIEg)fdzmR%@<+5vr-96Jxqo1_>T79?F zwyOn?tgF0!2ZOh*=c#;m!TxP-KHHgl|+g8KZvt)t8Y@>)M%Tff_4OYgFA}YUSsXb&oP+@R|s{NbT(Y-@5--BK=%Cc zluk-<6OMH4srF;Tm)4&Af`a~GOg1!nw8btu!7TCM9Af{M;Bbb&k;mNPD z*y1Rih1UAXV>V_OuBlBo3A3w}p8iN%H}}#aE4}~^j%}<|JN{Q7r}=zq`5Wr!a1d;{ z`wev*0Z_*i0Ci|0{5#ZP3_u<40jPss;T7r-hHEJM19kLrC;T_4BdzN%)PeXH>R@LH zv@IG#efTd>humf6_X27r!&vG`5MyBr_k#+SDdIS%yM{v5@7=J|wgKWci1zGU1j^jL z&#M@(0=X+@dS=F7l^zhC)qb>7;KDIcp=3z>HHDD`;k_B{_8>~{%NPpA`jL=z=BB04 zavGF}L;-=EGeU~hF$PXpb;Rct3@NqgWITMsL&bCsQ5XVQcbj_Lsenh5+XSUnV9Maa zIHzle5u(nN)RMLIgW)?n(H_DeVo_b!07?Udyfl-rI^f$nDKT_!UX!NPu5cm5Y-O5S zmEbz_8%E@MqtbVMPg27b&$Bup%WCPjI!M#$I@#&D}A~cLRts4eI#r;P_?G%&I%FEIx@K(ApC&YgaQqD>jh(@b-2yII8zP zYZYov$Np&hZb3CxkJZIHHJoUrZzQrfNX<3ILZZ-JB-b5jEfGv;!v)?(37_(Fl8)gU z8jR=W|5Ou~-?8Wrd4q*MBKVp0!$KA5S2&(hH2V%*kS}eR^P{-pWrVZsdHZ8vvMjY| zxH|&J&M%sQa_E3R4kZ2x9!mO?CKM&m2iCw$Zk`?g6sxMm1^3VTyJ=^ z&5}XKSNE6d;QmW>aHTlx|Nm5nVe=W=8{*B{3Vju-!v?wlP(w&|G1YO) zZj7v#=sAHT#kxICHWx`39P9uITO0`bvT4knY>vbPKlZ7q(D(YEv^v0im0*ZxdLvR; zOw%r^X4_fc)M39H7IBo(K~DaXTP8}F>K(NFDwJDiT2h8_C@4RA1KWo^edbu^p^r#e=*V! z1^=}d_6nMpv+1eIVqgz(a|kE!haI&5btJ%VZ?*226hH&|KI z&Syo;FB^Qf9kj8vVgyss>H-kR$u4wd0|GgpZ(+q8 zXu=CO2d_*(AZGvwS_0Bd07i9jKU0ThB7MpI)9l;Y^Qxynz%0M?=K#r8k2 zjtMLw8#mi&Z(4{R9(7+KRY;wznS{XR)`2BT!qiaB#3fzjcR1fnY~N#L-D};-x5SQUJazW!`g_WZeg$VI zZo7R?d-bl~3ZP?Cu5Aw@lfmTA2(M`V`3*|zr&wUlSV0i=4*!sv(XOoZzjGZ>f4L5t zv47(_XkNJvzl5FGRd!$t%xH&b1iXVhEdD^QI&I9m6cbb1bkfQqdHYhb-zT-P+DGS`U9fz!|yZm_}sxC)#9U=vglX( z*C%KcLzR>?sfs>+kQ7#QMRMiC;&u@sTLX5S`cRefp?_q5CVu+OKqT&8yJeG&)eb$+$y+ zk4fvs`mO^*x6UQ z(ZA*7;+bIlzJTBD`Lprf&hsj5a+@K0HM_k319s^B2iRfp7wkYKJpK7UV280U8U1`V z0CqewbbfOZ*GETMpZf!LoaB_d|62YHc8~*L2M+*tsGa-+cC7pXJHGt?UKeDrn{A;vu7eVw-sUFv_@@yvJN~CuXw*IT-OXY>w(?Sy)y$*uy+q{^1pO`dj zAg9K^>sewO#`IqKC~UFG?hT6eUHSC&g?f+!4mq>o`~o*Lrn|~La%zQfHe1d^n-6Ry z&uL`#9ga3LM~x!i{&C1<9=|%|Y+fC51!vwNBqg6UB0_((Yn$@EI^>K~ukS4+-w8-! zg6uKasTDPBK5s}3ao;?SEbf7RNtL&56-t&_4yGS4AF{aT5XtN95?8&={86nGqsj6CT$=RQ%0}K6@Rd=PVQ41Q-K@7iCo!9sKdy z3IYPn?6O4~G=?ugD~JU?a+0mfsi^;*v~Z0jFvB`(kAS(CI(yK%c``B^N1rdrM>wX% zNI7YPZ?I2>j`3rPSoE_3EzKW?oZ1O$%IizsZnr`@mqM9gNIWx?9tOct8=$O1Xx1e8 zS@H2ujHA>kjOe#Rj`1Y21!x7&$%>+}L~_SC8C#%@AaVhR-1pn`?ex@q(-`0eJYuYL z6sd(IVwIfLxRvH^?i* z-txvV_!tAA>8}nsrrm_m;h`86mrEX7U};K9?{YxiCv|#yUF@` zKRQJy6WvtSSbZ!0xvqU7ueW7({x^eBN>N&li#%@GX31~k@1Gu_B?c>@*uR&^Qi{&# z$u&WMlsNPl?EfADbIG{m5p}iw)DShmwR zIbu49Jc+GVIc~Z^)qcXMS)?h*cQp;dBdiFFIC)Om#8LViErcOcm@0onvN~oC)1i^8 zWQ1C&W26)uc&Kqq-arIGn|=Ni{?~leeC|@?H(K9+Z0|;0Z7AoJfPDB~0K@nGZE(p2 z{kr57oKoaZONls59|`V!h0$SCV)r~3DZO!#$bQ75R;Nn9BFC=rgTBD&8MJd!D3YWi zL~XMOpHiL`wJr3cNL)0j)gs(NIA|NbPM`NCMUNt)^I^kEyJq%To6yF7wup zx12%@>F&Wxp(c_{bim_Di+Pe;I0Ro)x5Ksi_=i>O)IwCVbL zTmSTh5mlvks3K<7iJs-UyuZE*lJZL7>fpMy=_!g;93@o)wO~RSnli7d9oGX=o^*PE zl)`LIB(P>0WofSp)Pj`hKrIOSrxwH%)|MN-IJ(0H}Tu^6^cHcjMJpC&n$1pm1Q=?W_;5*FyUNg@{_s8HN+ z)Zq5{3J^zfXdOkau^zHgQz9u;1>2`0(l-PQ7MMV16GeO_0n--8LFX6C zOcLr{GStt%WCt4pWeOSJ1F4i(7bJ>ppi=0VqmOdhLYdAAyav@>uNWyZBf`{!$ z%velsw0v}v-6bh`%X~0=csMFf>tF~f5U*rqv$?hOi${<5$`C|JRRLRIVYiBmic>6r zSW;S~k8raOHI=n>GmK&4Z1FbKrwE`qTsycb!ZasLla=g~ruJvla&nVoqv;y7O-uKf zFG7P$Lf~_%-p_sN+LB&wVdXK6miD>U=BJ&`>rzS%lS`MMCsIRSv`;W=>QZ6~C^UkX z=W0AOc_p5R--C@T5i4Les;Seyf*p>|Nv~jsO5&FN)MgiT%O9`T`HW?9Tjnw@CJ1qZz9cU6$S_V^C#58a`JJE5gtnh*Ue2dsn9>^}}1L{*r5P9Yf z#j+t&z!;d(;Rv>l^R`U50N^;K9adoFfzbN-(7&{2L8P1nCpUE@%k;YzjN4gUdAk+0 zXe{_1F9di)8&I_Rq6skD%us`5p~@Iwxdo8&iP@O3EF7x-VGnz7_$uehNvxfkSH?zn z$-zL99|{T+v{mS>k7d5~Z=g%^BlP&nvg3HOQC*T!(zH24_nR-_LaJN+<~rB`u7i8x z+7)l8$9j_r;5v>MfX9@;z-G}dJeJJH;g0EW&y5a7T`Kc zesdj@eTT1H2ixfI+U=##H{{I-~)vL-l3tH`meE=DxTz(8Whfv3J6A zNml2+*g4Q+t>Fu~r_^Q%U>#-qdjl6#dgHQkEk{EGEW5LKZR;B+bMP*$x_vi_aZY%* z$IFgqt4k1b9L_tBd(ijwQ*AG|`CCtY=MS>0)g4A_{5t66p4~_hY~K%%AET{p^bgj2 z3E0}IaG$%7@0#SEC_3v6vSGIskwZ;zDoKa1 z>A>*LK8wzm<}I`{fcV1ht3k7P;ouE^Q)hbV`P^ryk&X|otpZGe2?L$roq>PCZia^e zg#1)&SwZ5i*}gH00^h9v4`wR5jDrIT?8P-`xX788L7)>HZbyKNB+y!67G6(|=fdH? z!FzGv`39PMevF>mf+$piJ#_1^$p4EsQu^w@+ zA0b&)d$1pRa~ZqR0d0zT{cs)jt@F!D3kMKGSS)f@5VTw!&Qp9q7WM+6f`6PStlTQQ zg32s9t3+Mhdmvn2HMmtq(&9AR3V8`TiV1++YreB=k7DrHN zf~N&i^GW<^AUPn&eeXeN^zB>VFwJ)OZb8^A-SJIH*Y3~`&+Zpt)IA9Y!G{a8;x_&AYHn}yJ1axl!A zrbz#Um6(LXFyYw*3g3Nb3HA=t&^fq8LukDv(3cN8$$xn9=5)Oy{^9#&i=~`Z0mJyf z4y}CU*jH%0i2!7w?<)-&RefDoig`HSS?*Rs<26rn4<;KWxTID)rTW);9A@Y1f|C(= z1C|y&5Kh**8Y1+4j3cOyli1e>Oj&J=@4Z206+N7ZrdDPMzgjyAToe8)@Vo?&$| zd)nyEmz3;&a4bE~fxt9>56hE))9k}O|4RUJ)p4Fb&rUu3!4;W`6e|T?T=dxCS6bL- zR8Mb~lCdSKgmK~=NW%KYA*w#YrLlx?hz^~}m44XtswcX#IwwD9nqxcv0hfp^tDP^> zJp^^BVPijzflg8R`J1CE;)k?f2Zp$rfnpUga#Rg^N+8w*? zm2&(#cO70Sp!@PdjO4sj^_GvnEDdfzUxM>I@MWbRW{#!Shta-r!#;bL@YS)dPuW{% z3%+;q{8e(yxEJcO-N8#&fDPHlmCI)ixq40u=_w;+xPSW9&-40=M$?=;htKLDpAfXk z(?;Eff)rvpm4$B_&;8(ja~mD4w&{IJlSp--ln{dCT+Ag)Age}Gm85Gi;pUy#-a(|H z(2C1k8N{7_1s=@S#^}TINk_gGiuf;Wd+5}Z`f1;|L%X!OA70-qgkJZ%_Uu} zvGYmLsu7kc(J^!1iMpzkB6GSBm zB@Vax(MMC(Axn4))>iTH0UZfUmY@n&t)}kTUl;B5t1?_|yA0q6U*GE5vEqM9W9ORexai>gm8NGYmtMcsZcDafs$s+( z2vE;px4z+u9VbHML4eul=?t!w7iZtOi5a^KF1x(;qHXJU1m29Tna5R2{o#1SNDQG4 zfe))x<7w{8Ko|5`fAY9tZ5_kp$-xUK3dM@ae+j~W=i9G#BNlf0{|UmG82@(={wh5B zKZ9^BDRUYL+m&=3o1YK^u_w~?P?z$Dxk@l8hS@aFRwUi*;Al)G? z-5}i{BGS^Fbax{yjdZ7ggmfby-QC^YU3);Uy03d5&$Hk6GhaAPh8g(%XRXyyDVCnX za15X^hVDlVKuP7QhUldU3`fydGf;jZGx9X=#m;H22Z!%`?lsGzjiAkC5YLJdwOgo? zddf`&%#jmSWX81psh6Mwo_xqw4KfZ#zTews1v?Yos7&eofsx;OBg^Gi&1}~({f7&9 zEw>hNSb*M0Y?dG@9y=nzScFGnwp)(@9EQvG7aFtCzFL`q*@Etv&$PVSzDWzS%-~1! zhu(-_>k|!0rB&~&DhQRv@0#ODZ-n!tH!^OP6~~YR-8+bMyv~p;gO3wMRPUb}S&JQL7|H_77y*h*!9Y^eCjLM2A6NX0|=qr;6pfO>;(U`!0qA^QPXbf-1rf`6i zR^_1XbvU6+YH;^O4Uyw-G^VjPx^DwOV?d8+Ogw^jdUA;#YZSl_facQkQ zgOL1nbWxR!rsp$GiBVPnIjSy*oEtQPN^c8?jSfU;kvV9L+~d4ZEYIQu@z06C84{C^ z^OqyhEaPoGN8SkP+9L|%qLb(9bus{Yqg?3Y&;LxRJZG4_KmEv84dDizQ*(`&wC;^! zH3`4(g_+%ZAkDpL!j>X+i=_Q@KQnDV-z^G5&Z74ViE=2Aahj_Q+m%pX-z2dS4&K z>LrFnh;T(aVl?>Zy?ifLt2y|V$`veDE|MJ0a~!AF8fx)(N+rD2|I-s1L;r}zc>jsU ztcGVHahKqS&l=q$|=CbYR|8I0|}FdNtGW$T4NlU zx}!V#)Bb4+&)TLkO@hf9%W#rJQ4XcmMZ+Q#H-)yJ^+@(Jx&p1@*-BHCq0>1SHJxrQ z%f>W^mWCq*Ipr8BCG-*L0`Le)Tp^Q($f+?ycw*ykvvPm zxjVFoUj}p@@b|?b5jFJr`h{X{jkw+sbJw(ZzLKB0?70xaQ%k0}*5^osLdA0VYN2rS__z!ENo@NC4# zo49OgG1T;TN@cExR^}cNNU6*MDHY?Vl!`OuQ%a@xUn!MK0l!>~Za;wBNW_pR)Id4U zu+_60fD%R6$|?W6t<16(o(h%xJEijWS4w4{Bd9|$?O!Ps*)@fylnOeKQek8a$dP|c zsn{z!_>PdGPG>F|Q<8E8Cu4rPfQ^+)%l7swxkANZ>r3aQn_|HLMEmn3^ zzN&`U-yDVtl&Ep8mW-loXxZM_zRtP@4J~65(*4|3ZbaKeeEY>Gj0Fv{3{tbG*oZe3 zVvdzHV>l~0J4WsI5I*-o$X_<-)LFkMUU5-ZP%qv6^Qh)eA)_)kAr~uD3^RJ*-T1g7 zsvWi-Qg!;rPx#0hvNzA`SVD0>?R4B<{F&Ibtgnu?UJ^qtq$-q*`% z<_M%t{drvK=@@u(@IxWNp>?^fKocSU8$PzqC@OHb+&p&=A<{^v`Bpbc6&QRoW3=%g zv2!T{`zScVk+Kq0|0y+u@vv$C8;yy{)Yk{lm}SiD2LO%v@Px*c|3YKlBk~KPe8nNJ z3~oCZ?Eexg)h#4FJ$S1=xK=M_{l+06%m%K-MJC^bR<=-Q%r3)NEs`pEnuw*4K~n3K zOU&vNUtQ3(q_!hFvZ=kkmALLSkCc6p5SfaDgtC5^3QZQU)xUGHl5a_ao)oE zLVUt_C-(jVZ(<4E5p4l4GGb`3Oa6l>moUbbXFG>vsoQ4flrySlMqL!X#y3=MTPv!A zp)SX)vLn&yS60@E@#rk#Ke)_&#p^48k_u-(%Q#R{A<%}#^myk08AUnXk~Rnd;%_oko`K(Dv;EeF*RptD(OUjWavXimcyzo#|fjw^xfTu zL8y+kGV=-E*Y1`YhOsZd8|5|v4yld~FhOI9j9n-!sp;lQB3wJK%wg9LdSv58+voS2 zs<0BOI4?ja>SN~gzD*4v6}N$ddLQ~{sc;Fc4n`;0YABda_$qTYf)P7MjDLN`P$!=4 zmc7lgu~W(4B5bT25;E)PFc5!VpNjVLT_U^AE1K#-+I>xrC$FSN7`&T?eL}#s@`_AMJ4e3 z#4bTJ3N0z0q!%cc@Wy76(^gt}eQmmc=Y|04ew;F1spptJ(6l0h{6uQJuMZ%g#wK9G z@I}~t$gfV!197edpz$pb29QKPlm@w?j{3%qhG)3gq{O!;N;|I8X%A7*qI!f_o+!_D zy+0%F&@aHso{WzL4R!EoAzv}py-WRBIW!_@Wr#r;o8%-_f%d33dc&_tOszry20gPK zz5dSZzI+FHa9WwRXyNOrNUIo!!#pqkO4}cf)pRP8E95B0Ejz|H@T`_oX>KTcyQe@>4T2F{0jrS$ zmStf>`)6_v?pM;nnaEcakim|0-g7`-2$*nds#PvGe7wRTIOV4^+C~>e5-al^{ z7m6ac3YuCiBziT-hT-v{AfsCXt!fW(&(Le(aRdkMCp}m6Iz=CVl*)Uk5%t}Cx4Nc)xYc8xiCzFpQT z)eCFy1QmR>h#X)^2y(s9yBf@t+uWa*vz>ZOsgUAL4=^)l%y^wW{+r;2ZpuH(&JE~| z6nbHpGo-4jUNCe8>`yyu*k=NFpo(2pj9+&k;EQ#bf>n2~B(j)hv*)lzos-ZIBZT*D zE5t$*r}}7Ly&NhCI;|o4XpO|W13Jwydm6z@wnxzLc*fjjaO8<r=XH&;4bc|7HVMWFn83E zGp8ffHxTC=R3moKg)!D5vYzxtbHV=f$;(EUtO zsY58!i5L2ZlCw_NxdFYA{iEJ!cayOXAJ7}I2Yp`sq^$)Tp{`1I8oc_sNpjt}77@59 z>})!Ix~wULPi9|ir@-T4N^zV2%?bfcfZ_L8I)Sr|O9C7vzD%hjF=ULh%?%?1*w`t*m~ViUyo>@J>up7f*0Z>Tfv4^{J#%gujOj zw@PNu9Kz4-!%qNu zqckHCKyQ@(TW^#ZToy4?O z3%qu-Zxdhwo>7_UI-(lQ88_xQ!j%j1;M3@6wQ1a_7VkG@->bT>kP|c9IO7>zZEJ2e z*YECjzb?(Z+i;`BT8OBEc?r52|J72Ne`=}hC~U-X0xgw^$Ce5-J}KVcTPpK^wp3)< z56CLV2DzKB1~pwHq$?{66+DR{Jye%A<>&{MZqLSI7i3>}*yTW3Zdp7y-FIAA?r$vI zpC0g69-=RaQAxJDV67-lx|?oMuM(>H!L8*zOumvwusF;0@2m=Fc65%@O-*g_+*n`3 zs=p0d3E#lwyFAJ3Zg8l-7~x0t_=I2yW6AI{7uu16=dQ!z!S(uTW($eit><~-Q%hyz z4?ITf36DYiv!zm}yrSsm^hZlY!&DCG3xjl~UpHPmS_1R(7<}b-YEA7!Tt0^p7Eq@J zddEURuiOcsH$r^U8!dVL#$zTEFZA0C+72S@2JXLireeiM=>d8p$qBr?2Qy z+obG*Kd4)#%I+?C1ifx{Uf(p`j)1uN1yF8zR-j)ajl$kf&@ivQfj%Q;_Do236YG1E znxk0|c2eYR5$GvjhW}rf1vGFx}GpZxNV7NTA=g%zzCeKGW(MFbY$yj?x1tR5vgT}D{KR3m8`VN+19P;&S*A4XN$|%16Jg%s7mkgc4m5@IIQV5a-lRjp zgz~)n&ewhNh#?)&I?|DYpZPf@m_=)?Q?ezYAlJ!=vBjaBtKZJOSbb+hkqm*ODfI>V ztHW|m*+6riB1)e-$=gVkc`8ag1e8jaI-|`Tmc;l9L~bVGc!+~i{-MSr{d=EznRX`* zh$dHJGIMri;#Tg0q|RZ945Q~ldJBuN>K?Qyxm_9@AgXYxkqT-WF&2=gIIXixAES?h z40swJV*zM-q^gCy^8(WdV!nGGWDS^gfeGvM*Y*W+~tuh zZmUYVPEvCmk;{fJOdVVI8X?mn>xWd*pqWicSVy}0W6Tm+ZL3upGcdwxz20XT7?)!) zOI>N6uQ41bY(l-HKMMa`3nXyu(B`n2=+j3MtoFSX-Xc*edX{k1+Ish?=M>v)Q}0u+ z2f6&KmJ~g?Z&_WE1FYyDtJ1Wth#ic6>Q$*VMw;*cDArFbYOIpQy6r?yr9wSL->TPn%eWw! z2wCUWLHZ&L(vGC-ItVNX)>4#0k{lbQ0A22t)t7vzJ(t@ygdHeh5YF`}Ui=l}cs^__ zdjoHB%Fzdi8C_eO_V9D?MUg-8g6GB|JYHL6Lt$%(A(Xs%n+AsdWIFF&y+MA{Gg{g8REEyqhlCQ0>(ZU+=fc&8hFXLbERsS|p8-tyf%;w% zIwZaq@8H&9UgOOP)(|076;(;}r}n}Wclw|(WQM6Q<*RUv2|$?kVe7NnP0KL3dMa5x z;RRLM2U&ZSy8Af~HC(TL3c*$Ts{ktheu_ScmjtC%2<_Eoq_pe;nK%3JiKflH$;Bl8 zsu*^lS_$fCQ1%Kw?DX*2bXqw`jOoVwIVyYXH#z4X{&$)*(EO~lV<4aAqY90q7mh6K z?4Fp}TXW*I-{tyf*nMKiLfTATruqGFYlPH^jLKP+pf8NC{%Rh-Pw$dl@vLjer_x|* zPWxOUS1;BvOkLtgK7-k}FJo=7Agyci#{v{W?Y@jhTtL-GYAL@O=UCrRB6D{kk8{kh zbo}g_?7O2}6n5rO-9dobH8tZW#vLslF09TqJwN>5NxRqUciG zbC+fxT4e{BaJ9QU$hjE^QrRh&HHpL7(|YrVwMztiAGO+jQ@V}f)thJbpRrslZ1idlKrjZ&M@p?pn=LSHy%Aasev zp7YFljrDso>LPWE57dXS6!j4%uY;YvB!!W?77~@#`Y6A{+X-#j3#o5CNd*#7!spUA zxsWw4+)69%H#ax+lN!$)47_LasHVPMN`zPs<`ZpSIG*-x{Q@$SH|gEGgT|B@7y78Z zid_^T#XZ}1#x)LocBnqnfQlN7H6__us+5cgE2lou^nIb4b;6SYgoN;OXa(V+S4I`i zKL6_n!EYf)Z_MZPlIXZ4IzHZgHO70LPQzm`{j7m(OPPnED~|1D7RrkZ%ev<&`eBmY z5xZR#G}9GWtym3pcuUOQ$ra;l@N_6hnU=VsHlrB?#EOG}ftN9d-@2N&lkC4UIPZ~7qOP9{SI^M_8sH+Yg zDx@=y$+Qi&!cs2%h#%lo5Y;~gO&97?Xq$L+!#j+ftdLB%=p3o}Q|*EZ{P})hRc;MV2gFn-3Ph45%QbCllfszB)9R30cG> zP>#Cd4P{PTF)EHaAN!6k-cdl>cv?gcIr#2C2&ZDy z>>IOtlQF6943Hnr^o6KvhbY)5QPsxRHW%qMW3Ka{QJlQ&AJ)D$P}g77`h_J3wtA&{ zA<=fO7mFRp*CVyI^se=zn#?2YOFvkj*^AB(+b#37ipFA8N!i#PtE4QC2lLmsZdDr< z8(g+2WIEuEmVP|@n&@fK%!J`FT_?j!YVMf!18c_1U7pliXWt;=Bj=ll*}M(G;;pLK zL%i#l%8NpOvjVmF2a@UIa~mn`x8KdpToS1)5J1%@{iGh|1L;3G1!=1^$rlf@DR1AH z#^2iA1S+;>G1Uw9a7YJMN|=gUm_?#cJ{O$M66|E73_CHrn@0l``OTc5<6pa72!AHM zHwP2q#KBN=ZL{ho1rJ(sn=XT zwL`62zJnbojL9An%WSmho7UI5^mt`N8A2IM2T6QYfFQAeZ$#YV;f7-&HQEk}WJgk#tye~a@rseL{q!KEC1N1aO4QHFoS1txDDe1d4{ z0Ee@@l=(>SD)c2Yje|3AmOPP>qtSNRbSV6yZa4JgiX%r=b?2DvrRWFN97<27(P4p| z;5mq}PjR|MHEw$mELrhRt)w<2B@QzDLP_^=Xfh^ES+RR(oy<2w%yGsrD7PFr9_9dz z9q6Xa)@W_;HLPPl$$t|;xj<0r&HhNk$D*xR72o;R;3au0CU-x5kn=v2w0O_E7V_0b zm`nd^3$i^s^1Hc$DGlwzDr5UnBUbNgn=*6uK@wI6^hqP#wuN9GvdIQ=uKpS2j2GMt zu9KdM3Tr4V)jUV+os$Er3O2>(mX}Pq^u&AOsIDf23tn;n+~QdJMq(9wE-}`kk%x2i z=sfpJSr$I7Z-s_OZzp?y6iV0`ng6ohF|+>rWbaXg_dlNOssDwzfIlHF3Ia{to))_7i>)oW zO?rY8Ons#qh6SN-AwR)N!Kz9pk zRcFN}N5$@atcCOz#ZCy{A4m_XCQ55!lrKHohrd=S5HB(|DVrAHw>vuchD3ONOv02<`7!7q#Wl`ZLK#7sIJkyD_v~G&nqYiX-m#Jr{Itj`1C)2kvIrTo+a_)9g*J%_Rz+~LV@8cO zy5+Fo4=4M6d|yz$=;wTk6yaL@98hS%TWOH+^O(Mg4I?-r&P$a5nHtd>@lko_Kls3( zX#*(lQl9&XKHuG;L(ZYIji(^Wh&JU3e3ma00`J8394ZGcEx|EF&`q>I{IVrSvy`Z> zP?hbP6uH@D(bi^Q(>BW&@}&PmcgFlJB(-kpbuW`DjMa8<>scJ%npkT`)-mvgYO+NH zVrmceY)*XnRJBetb?-}zV6sST-!1(7aNaoQ49@wt0&;QTWY~%O)-{=E**NMw&IVhW z5SVAH--R<6`t-=nB!BptgNM{(#6p1=cj@L#hf`^V8g_td9R2Gvu1V95d(y=+W2SX?{#CCJ*RM!eiF1wVkI0>n5)z|A#C;xxGi#M zk5xDkAia2PezF@mifEX89mW0)`{OP`NNX`n;C%^pNf`S*qUWbsHv3&;--gq*63KT$ zp^VS!tpaR)%coTx+G% zn@{8D8E)*AHH{rvM$u>Eeugvoe35O1@2_l0>RY{6YSERyvL(<@*%D3YDct18Y)Q;x zwuIH4vga{df;b%am@VO^NqEYZ1bVtDAa@)RLSiEuy*%#t83l7cISfN!=hKVxJqcV7 zsdLE;EFku|M@7g7>6W^$iduA=y%Zm@z`=KKFlq7ij@-|V&$&!@*VIuWU(WZ%*p3Y)OH$&@aA4?(f->Klm1VpJkN4WlI+H%rPSRMT?~OOJ4bg3bNFA z4~hYbO{FLfI+AocV+x1Y8D*2NiCtqk+`#Exj@I<$$X9{j@j-z(MQMU{P8-;3E=DHB z%iuz_S>-?V5_L*tKs5=o95ZiBNQSSti1XjgiV?Vhh1=NLdTXQ%E<&YM<7)5B!q{%u zH8c6-B)KDRN9Tnag-$i0dvX}GvSP!?&jtve*HP2(;BfnN#Ae( z)Brc4gGE(5ViEL6%(E+tFj4O=81D(@#b(#ji#(+Q|7-1DrIkLNeLK_3inF zrI9}`JJvL&pSdF1jtw44M%j~=_mW7lm{6S-*=i#osG@J3^s1Bk|ImM zfN8bGFL#?iEI$OD20GTyOkm%zS%9?dC1O)d+vUe>c&ZS0ddixoVShEzG5(>o4 z){ia(4M9bPTm&V>4!>7aJ$<3ty+p9;m9Oxz4*tPRwWics!ue1TE@9%u-VVzDfVUJ4 zOa(U-F2XLOrHJ$hU@SP=#j%7+dY(G56k$z4bt*i^!9;$MW6G-%3Xjh=$Dlzunz%sZ z;0+k>0P4bu05O#P2>1ZEpjDq+D@yrLktPpriV0RCVQ_{eKoVKZ3k&5&1R_i$1c{Zy z6KLbtM-aqw#PvyAZj*h)FM9(yKMe#mJ~M~ZeArs~dZ;jHj1lrE${EP{<-8DsK<>^@Oa|R>gMz53(*Jl_9VjDcx zN5HJk2`hv}Ziplxhv_pqf#^~q84hB6x#p|!6`xu`p^VpE?BUF}ertX*YiR^Q1ndC$ z#1=M$T$Zqu&l~4wfNruvl?i+TpIgNp0Hcw!u@!JX2HzZ>}XoZiUEvh13exGiS(~e zSvzHLGju3qM4yGyWHqTbQD>7Y2G-~4Uf?740s7#hXd89ViqO-+9{y+GU@uyU8U`VU z=EO==%i#m9&LVdEB?NHZWej8C$InAD`@G!~aT2|i zI~nL7Vd(~FuXX19^G?8dS0$q`XFI$PIPYqwhUF~N+%pd7Q|zg_;@NG-pex-4D03Ll zrZKF>zZ;?aKG%aH7Z)x4K`E0ywFl3Y%Y5>BO^M(x0B_;!MQc9jI!3rMVF>+-dV75x zxWk^|Eqy25GGK&qnU~SzB{a(26Kg)nfKhxONh7EPDDNa{**7Bc?!sRT)OX2DS4%8! zz_5FCB>~F2gldjs5y_R_p7KrRqQ9~wTSW0?K(?eG$d){v>j^i_6Fp^1zK=a+OF(~R zOEglWpd}Yx>I{lzskRu`R&2{C{Oz@c)Btar*SXVO#3{Z)}UTz<;nUTK_Ay zh2T%N#r^aDf3^jF;x;eMZbh5NC@}CF{#&#p_E)szO7tmOGWBP) zB;_$$BE~?3WjvytFVm5W`z};`yp0V%XL^ZotXDff9s)pnp`U2c$7l(=M6{oIOib`= z=I$K)6p93D_#q|WRFCC~QR?8B+WKc}is0oN+Xf*;o{&f79RRfih$&1*Xa4bEYW^%- zeq}!udHr&*Gz4sV)EH-h1XLSr>I{IJ=^L)Y$209Amc#Tn2nmrFLqD?M=pHCJj~qoEbW2 z&0VfT)%aP5*8MHW#)9D9Nf!Q;q343I#{$}I z1US<}bJO^7k0K^8&sZdNDA(8lDDTkxW^bFFFOj5H3Hi<}P}<3H^%+wmjf781>KpXj z2Sc`B+Zb6G$%e_1P8z@;Vc>YQx;x0ACER9AK4|JUKGH1<&HqWae1D`{cuNVUnkcSL zNZi6ZW7RDFpj%@9PPgw17fo_x0(Ez#rQPj>!^}1bT=h#^YiQrskL+$1Pk2vT+_9qE|^AO zg#5FfKymA=39j|q+sXDsfiE+Lu9hvQ*MO{((DJ%YIES*}g$Gsz_(! z*zykEKF2DzIS|h1(3Gg2)-JAf7FuV0PUQ9+K?cs0+MKcd8rKLy=;Ftg!E+mLWMbDC zz9x&DBkL1dRrYm1zul8D=*!{Osvny_taq3uUQ%k2clzTHe4S-KRH{#h`$9H*hozMo zys{ipv-hSHAY z7Db4wn+=Q8l9eM~U2#6@xy~ROB(-Pgs@l4w8r4mai`^v1@P~14+~=?Gu{hK}Ys7bV z%f7`(P7U_|@`>MQ?=}eh`Ds|#x9G+!q0!s@FV?Uwgfsr<<9t^q4R+3`=e)Uuyz8Xe z78JYK{)8~Lm#wb*gp`8~H2$m`VH$0OGdot0%TW4Z9&SszG@SO9bobgj985p?mCn-b zlDMPyu)nnVftfc9k$_b$I&!(x`%_lt5iIXDlC#woYld={Q{vZi7afq<3Zr4pasr;D zgUAb6xg|ng8-9dpv6&w?>7v`!d&)To{JqlM>|BDGEtbp9O}Uny4a#w9C&QLnu9^|% zH8pz>^PYrT4^89|d=j*$ENRZUzI7lI{QLH zC_$0p91i^~cNhgyMFz9Qo7kzwkO+6R2P9J_7Uuspy8aOrVP)pzc>MY!S^>+<@$b>~ zQ8o1cG`ea$dW94O>>Pf1h5UWxK*hMCIbL%;_in**3K1yrtYugO&*pC5zy@WB2fd|o zak1K2h;1rTd*J78idmm%x|=vY@KAklxH7xjQN0b;vXLq1nUT^I+Vv2>Ie*JGaSZE` ztE$}WadXi24TdnTG^;&3n4lfOrcG~9r_ZRb0S*DXh09>wzCVRGvX^9z$$tCNAzY!u^irPsAg zG#EBm2~x;mG<-)JDXxQ_!}gBYh4D<-ras#WTy<)z2z#bZ0l zI=`%?zX-9{;R z6vn;Q&lz2Oq9%1eY`sC7|4C=UUJT}T#R(mX_Ff}#<0zbHg>8Ud;?8n>%k9_?1LAW- zy458H@em;|D;y z>?-w|oh2ScmmT(x`nMKIVe5K2n7=Y3D!(!#;qP#TtjDvQ`WZAKW}eY9_y468a*KV` z3Z4F`6{-NVLTsJ$TYqYWg8!)%%Kv6$@VZVhgC4vn*qg)ef$WE;Ku6$*1Qb?{X++VBf9fuqH)9PAV6c#Zt zJHk#uW!C(HEP+G@Iewu40-m??B?&H~YL>W>BwVpqQ4Sqo6=ME}Rmen2SVp3*GeSu| z!|SO9NMv{^QZZYy<;$*D4P-{DWndn>iWb|{IR+^S6e0`GbSsH zzJ6L=4cQKkte0LBqGR}E88Y4Y1GbhCBFRi>7GDrS0e#BvS~U4%En4QEwdl7`wP@O3 zwP=46eI;0-KqE4zUh1dhCY|vUNNv6gqGvDJ(Rb=u=qB2lc$Qr3?MK^BSoa9K@N zf6cCMQcy${uoD5Af(c*rQ(ZV`Xu@!dNgB}N6ivuALJ=Op7KKGxS$vvZPwRow2(F#a zAHRMGJqU^2qP*yH=Cc%#rUaS92CS`0bxa6-RO9XMMM3He*h=Pq&aRl(>6SsH`An%9 z`zpPwQbP(KGScWuxgVuMymyZk&b#IOwSP&4?EfhhlJ#mBu2%tYihi!Wvo<_xNX}sx z@v!(FXCO7g-&o#jGq6yfO#iIv#Tk$qnfjF)>0Rf|?MwoAiWK)W{m0O60O~qe$UgSm zq=sl&nP`7kIl9oq_jlN~tW^8J*}x~eLqvmjNf{h`(a-3l5C)q&MSH|mzIYFQtbI*r zcxqSIM)EvV`?H%*+Kn!Yv|&GXri8I00*R5-YYUhVrXC=Wt;}UzuDdH{Lxhq&{!P;6 zR_v;JOGGs2#AukmJKO)<72oHzz_<%k>;DY4#}Z&3Co3}PVoZ&D$USwE@b z12NjZQ&eKPRn*S`6ikn<-9Kkn-GTp@UH6IN8-UsM9GG44|51xp*v`^U1Y#{u9Jz^`g}e@WsNwV*-GpS5TTA->z;WLcjQ8M&n6>J%_rru>9Lsqrx7 zc*#ecLfM@H7Tu-4H9+pE7Tps`TLT&8D7(V(s}>#kGp&Fmf_S?2ms7~)owmHk6&g$! zK@e@AMlXpLl!8}j-lZ9ylHL?ZXUcrg9sSbxM-Il{YtdpD(l(_%D-;w>|Jq&uszv{` zyN(C7g`jyZJ68SLT|+7Mfs>R`^Y#pDd4<)_Y$r%;z0gVAddp?2M{D1klufs(Dz&0C zFBM@=#xlC0P4*4>TcWp4EUC8>SW2%l6iP!7X_#m}tfA4i`v?-X=w{t(v2Kk%jV+8CKQ~73(!ABYH3JoewLrY;1z42W zSKtUr^)yb*h>4iE_xkiXw;Y>;8a^x;-8y_ts0|<$N`A^k|3fMiqboUb^IxPw6_$kz z)&ojL-#@H<+8m2vu`^iFI1#u0l0=osgNm+4CrDOsbtu1<^-C&rF5E%1d5aBt$7b^@ z7u|joWwL%L4VrzyTEi_yC%Dy@vUzyvn9-{2bR_H#;u{)DYyb{pB#c&akh`*{-dK={ z0kIKIz$z4U*Bclr(itXaJAE0+-7ef=vBC~p#Kt)^1UDaOw~Cfr*%c^j^9eNM)ljND-t2_DC&QfAyk!t;z*?f`->QrvG?2#YF_LEzqmI z<%dx1#!l-~ky%kAlPT!TVHa1$aqj1)Ycj(_M)0WQM7||ECXTGgVMUOh*#3}=nTyqs zu0LuJ%D`hYq&w&ytp#Tjozam7-jJfn?q*NDtt@hK-z6BsQV)_&t(R;PY<&FZfGCN6h?K_ej znWpHR#;0)WmHnv3YG!4C*x}C*3HoMMhLr}_%wK4E3h)$)w^!R$sZu{u`_Z8luTS_V zJgzNGG(7It2DI2OwwI7%qff&Ku9d6Y=2{AZwW?r{hE48j_0wS4#wHk25(5NX?uKs~ z8)}~)oOLW59y#p#^LQ)<9~7%h^Ofw)H7+;RB9zz+uHWupId(MMcMN!_%zMx`?VZZt zq64v!TF(P9JTRx$YWilvtIxPL?EV>zIR{VV;hW#JXr4r%7Tx-* zHWEwrP%lnMcDy!TC#Y^Ix@dH}Dn*ex%J~|C1FxkpW^b)h!29Ng<+|zqq_hy2UgzHf zVjfW7 z6-=eBFl8I^p;j5L5=ZdDqg+ovnR0;w;xr1YMb0sXRsU!}#t?c}`h z;jU7N=CY>bvNbEZl~OEc-;vq~XDWocBZ66$p4c{M&n0%xhfFU%?XJ&D=*I}*9EOeq zL|obA7Sj6R{7u#d&vjfKTUE^kK?o8?GfmTosWKj8@A^!_jpHT{4=Mfr`mOXnsZ&=? z=;>iL93-<#M@O~`)4)c;r=R(IHVP)WXWzp~mU&|}q`7+?50OyXs@uKo@Nb>>pn^&( zVvWUKceDiNmHZ^s80s@T7J=5*LLbWvsQ?dJU>|B(Yk@`N^VNg zqtIVhmK8rbH#28NxGspwK%O`Kq5g1OYrn-VO03gM&7CBTKcGCM&G!?0#shsyDhjvX z9mzEXaL^{5x~o;6m<~9f!gXRt0rrLNw#( z6E14&1jdNc;2=s!_*%51TE>M;I3_Z}7MIISZIopPXtZ<8Yi9tF%x%w9Vkj?_Qt#*= z@|Q$*p}H*tiW3J8NwhSII52r`uMj@%h7AiiMLs{R;E#L`K3|+reu>x|)_*-NGm@O~ zpnS_Mf4@Robgk~de!*`fo9AGZo?OSuCHDij-cV{UI!dmzn!(;F1Q&=K&hcMqsTdwjU+*nkg%uosy%@OS9wStlsGtIDi5ZR5n4hlcz@sF=7jrqmbWo?{<&Q%GI{<`yKdB{)!}Dd zd$F+{+21a1@^2KVgG2Gvb9o>=Vi87cW5Cadu0xq(=%Z$f3(w zHrQ6>Ce4O#*khLQ>}U_e7J)tlnN?599oS>cUkAQ`g zumeID8k>f_Y(3E`pZOalk4Cl2-Y@EoGdO-usDZYVEp`n>5L@%iWsI(v9_uJxhgzYV~DDCAjLng1GqS(yGc0JA(QcK+u9 zSSFZ^*Sc|{_-k4EOrFIHKfnDe#>>icI6myuX-%Y@?h==&CW|%)Dw+c0c@50oAJRP3 z`c&vaFure8${GNnj;sfl#fcok(X1%X!&Q^)lTe2j5bEUG1Q-7j>NGqGbr?VknomNV zrtFKdMgE5i>hfdNelwHeD_4z21Hnqgp2F9S;CiUj{p8fy_hKm?T3BRm2w)u;6?A=| z9hgt{2X{PoM})HJ7o2X}mKuY*jU)q($H857Z=n@KM+}8r>+=v_@HP*x| zAHL#9`ugUp?ZjhtuQsNH8d_2HnD_dKsFP2ME)2iC?<4N@Xm#}j59eAwPmpd4c&9|O zEV%rh!UaWOaA}w*KeNf+)k4~w#+X>zYlB5JX%;&f%ImJpQi!lSAWA=n2Z&AozyM;? zITpWS)A+y!tne6{PT+tsZkH9OOc}m?H0mrz8(^2bLwN>*6{1TDhXH8X3kfLCvGSETKVH!ZW!USRr+M2nR@j=;2SnED=z$Sfgv-^8ts040|HQrRYh)s`F+m_DlcW@`Y`UoY*_*Pa zFP~ych+Z)A&5qd{%A!BkrX%!K5sX+O+fV~5f!ege2&y@t)X^)frh8QCG$sN{or^fp zC#4Q<@@@Wd44P%4t>@e?rOpm|TW(g5oF7MW0rYX`lTzoVzErg2HBmD+4g-r8ZydwE zz=Bs^Q6ofdjkfSETZl`Vp8>tqJ}$r6#()hHtvW=cFr4(c)jbcjQ$#M={_5*<&+%hy zTOx^1FnS-4(Xx8sb52L=U|)<}oi37iehD@vE_nriHU-DlimQy2^Ksx=oYug%4H&(5 z5iUAPeH$-gaa`bl<6Vb(kCcD`bZnA9h}aW|@VMP-6kA3riW_vjZZwtE{^LP!gQh`W zJLXj7UG4w@L{UvyX@i%S)KlvwSrLfDnj!~8Dt>bjDOjWEuv#CxD7zwG2$&%l)PR2g zlseapbZ*1mNK8F^V>>@)-S>TdfEA>QtpYRfT4*N)FawWmxt01cb78Bse!MVwlfj#W zSN%b%9)gG{ECiv>MVo)aezL8ASd_!Fm?3TNSqBVKPAJEl-X>VwP8ef0n|`5`x9ZTX z+L6-!VBcuY+Rv~BG1rBYwzk^6zHh5HgMWI5fSw#e%4s~zH8JrubnjWt%L}jSZK`j8 zQ>P7Z>O^GYsa#Va@-0px?p8nWAjGeYbxv)?N#{^c@5_5^jZGz+`rzxQvr<*QR>Dty zO`{s$z5ecNuxF2iVC9krN}5obK_>wm1IgqH)jE&y^Dl-!tzpCQ!T|&fxft7HEW}89 zwk}Tr_|f)aF0zAzo8Ay4QGC_8GhSO6v&Cbx+VeYIyo&(M5`{Ew+Vroo9chO>H|#}B zhPN|9fy1lqaZT|zy&77V_uVZ=e{P$>!bWWf<{k^LHhyTUfedqv&3cZSh6aaiprbaH z+k(mZ0bJuWB!EIBbZy8z$ti&{bXS8wqd!bxbdnhf*nwN2$P##Dkn{NS!6tb+v0u|5 zs**`yOTsY-VNJxSB;3+$lEJw8ocR}Nm+jChjK+Ls&Ysdg|3_|mENSaB3Q5mVmDr-1 z9%k~JxXxZs31&8LfeXVQx#{#S|68iZ+;m=U4JgRO_MMWDl0tB1HUG=}UnSob;^Yv9 zp?ql|X#MJq zeg1Dr9)%heCA*0kC+b(7WGz}vUS$9976@~Xo~ zroq#YH#Z?wQU*UlF&=$1$MxoP4yavlCo!yeeESxPac+o-7YHg^2jq9ha2!VKKVRHr zdp`=iecN;Ol4OgfU%1jHZH-pfCO4*!Ck!+iPBKLL+!$Z`us)ctP*Pz)PAoA=cL*gT zig-;f5i|DEh;-dzkUYshORw-s|e5d7jQ%*E$cf69;#J{ad`9k`m;Y z+}Q-vddXO$)Ql0poBlnL5k>5-nP6&w3E17n`Gh2sKwW;$ZuyJWfuK+@-1MtAEm_Ic ze#q~tcunvxZ<_P3H~oWPWaF_a;X9!WvYt{qe@`{uVD})+X+oX4bLLvH`stz?;pRg7(CzcbF;2@K* z(ETWKiZiMP-y2f`V_>)mY_h4~+2fIZAga?YAfYrFc z2Hyowi3_>9eR2GwdHSpyCNie<^KmnCTc`s`9fFsn&gyGYhn(dAczSz;`GcbtNa|4I zU&9d)qCQTrbs{szOUs>`S)7vX8qvs%VX)&%@eU>_dh%id&gyN^Zi7fSQtJK=12N>` z#I@|ts~fg=qRe8^8ZX+k9bAPBIvdqcfRJ$JA)rlb{f9QaWywmrKX;zuID)X!kUr}k zz(Ux7t{py|I@yGYRu88k4mx)30o1#v7dTk?G5d!30iM`c z+!~kw^90Sk1fZxRCz2bxq4=c$ zDC*okS3H?<2{auvyxaLx)akYDS(_BVJR|@s&H13V1%sHYwX;Mf>o4nLnj!7}?h?G= z<70h#FmWgcL5eTbyH!aP=*u7!wD&4&QMn^#4v6^UG0yd8RAJ2`-Yu76xsw$OWDzBb zRZbp#i3`AQa#1P?mjjw4r1;tPBFf~MH{#qfY--x~k9z30r1@|kf{27{Z3z*dOQ!j<^d~F-eJt6UQ}1j*$&%BBy;?Eo zKA$GQU>jHdTC`@1O6bDvd`Wr}=RZC&>Ojy7#Ip*_N2#0GTs3?I?cX2cm|0sG!GBTU z*Xl$9jq;TeoUOjmRN&w4%L=Zs{_cPY)54AL0Hy>b$}*ZTVipfXmkKQKM!nL@F6=~= zfS?Y_Yfy(=ADROQ>I4)03F^$`qUV{U8G$iD=2HWhLvK+uFI{L=a$5=&pJ^7s=G zQ&riYY1-at2FEa(mZ$$_$|FV8KnsGO-EImV7VV&zYf9ROpG+XHDD0l=E>{$owgyjauA>15L?>GVvFhvOUbff-EaHalx` z6;WH1uhw)GU`-DfS8^r(wWg~AdHz__tbjFLz?vuXPiy*DYdzmEuUd6d&#mTpM%Jx| zfXk{h< z@fua*44|f60czShSHzC9OcT?NomaT+ETef=EZn$8M|cNWqo7IBDM-XlX=*<*1QB@n zA6ZS+|N7wr&7JuRg|F5vhEx{!NcIS>fcpw2K$O_AVUDC{=)wR8J#0ror~&A_aq$nC z;4~R0h#1Kb5&ZzBzqr!&%QcW_qN?f$^=gZlPPEkqLZ@^-+^|ljW!8+XACNe1k#b+A zzo|#mA-NR->Fl#Ht_pHVwhqGEHmgfoo197+Lb@s7I`SH0WA)!0OEES$uw{gtJ1Irg zfTXG;e`mOdGeqI+d>aDe%h>Tux6AI|* z`HtxMkEFcT74U(8p*<7FPZ}o-_ejjXF5RatIh_G_Ws8m<7EY*S=fAiy7jJaa;gR+B zF8q6_$BKp%kd(&;lJdeMdy{#h;>;;Tto1TLQXbw>q-#zHd~8yzh?y?bL{#!f{82X{hBhOoUUU$&e2Ea1yB=_T6}yAi?*;0x36^{fM>VUT(pG! zMfnXLPKj709|hAG26hd4yJ)H>1<(Qmc)y)MjXokuKIygSgJ_oE9lj0AtfKz6m=4P5 z5g<)hGp3UP&u%A8AU%Z`n1b={-tiCx}%!c;CBog<)e=q+Z24&!hNA4J=TRtx1DxNY}IZ3rz#FUjUk3`kd>6XZBBMn(`Hzt{)2eJibKUyN{2t zsQA9T#J>ij*5Bb&h+%fAMin&i?ZY&z$n)l(SGNxipKrz!Fusa;-v2)5eS+ThcsdMw ze$t1tM1F!5>I24FZgBH)v`u~w`U5BFjh7$P-V|uddAbHI2*P*I4;=~BL5v(@|)4LD?L{Kz$Jk}TzXlx}K6M^ZkPS-N=e(IxX z#IvRzV&v`mR1zOQtklZE!A4G`SF0aO&aqB?Rcvhk>2vGwHm;2Qa=9mu@6I z&3v?nQdW~*Kg2x|6E9=`E9&tVYx8W4SA==AkQ&d-t@NOJ^zx?6UC>?OeLEHH30Mm-(DCxCqnR&>uPGKN_-Qv*=yn zZ~57Vvi;^rXp!#b&IRXldHCLhVwVQ?5J*_Lji$4=w(?td)Z~sDB5S*LfZla#R#@8L zd6zLg1?sMCSrWbRSrdNeaTU&)DR`bJ9lQtZ=$WSpm4x6SYI#(trP=Spt*-FWM^-oVA`GU7%pCW=B!&Ee2_yjz0!~&hL~p@qD^iq4Qn;0jn|#*$Wz( zNx_9G82$AdY9X-rtxWvfJxz5DLLZ^F@Bk8Jo-3S^Pxyonsf~Sc>s6n%F;WD6s{;IK z8+b=7y0Vik6(e8Mi|{i-2|0prO5d%ok$3p=Gt)?|YZ5UoSgetf0GsACnuomxy?bFJ z3mKba-K9iZm~Q3V!q=0Jy;Lsu3{AP2NXyeAQE!Sndz#)X4OMdYL&*8t=8r3)nCE;F zLo0fhmj&HQ)tqfP7vFx(Dxu7W4 zV%vQaw%$X^&8UlXR!2FMiRs>BQZ0waL+6jZ8G1>-LEoydU;*2-O6Z7K3ST{Hq)!C0 z3qiaTM+>;vmJ4CI|({TTD%)&gak@ulVGBybq7$7XXrC> zqEE7xkoo5?eZJ7wTD#s+C_9n)I6K|e^sA`&uXyQHSBsPd2047})wjrV*-@VJw)2!0 zNAj_BA}IOnu~<5{l_T8OJF;ZoKt*gaN&uVtNjDzc=pC&J=@#a)yCp}=l5cquxoq8h zqz^;#cfn7=cO@YVxbr?nLKs@IL`U&mx})aI@<@z2NcfX$?VQc>f}Hb}UT+Ka%xb=1 z?VCAfhj4_jhEA}&!N3+4N9X$D_I?q<-1({V9uGXu;(`BeG!4lu*)s4w56dm4HNu5- z5KNVnl{(T`!(2Yk>eE$hTxPLOa|J6D_>?&ujKE)%0r9m>ztl*3C>Vv=w!1*|9QW0Q4ID8(N;BNu1c^s)mn~V|Q zWCUew$7v!yrJWh&oFPe$nHPE`s0le~^@Z7^=-2Wf7=JkTZ*?5guWJfPf@~UJCCV4C z$_`Ag9iM5Jk-&+^W7Ce^V@b`N39Z}^PiQ8sT&z&D1>Ht>VpWFRQ$o~YE7rFU0&MOR zWzyiA=`aS?9l*;;|;0i&{wp4)D9x zg(y16Rd;j;%O%BYl95VZi<8qq5V*O~U2s{0kGvx=sg7N)tgj@it`TOgz_K#q*!hxe zV!~QeU5dLxyqY-d+Y~Rt8DDjrd0ZJd%JS1_ff?~`9}2uQ*+*3^!sK$M7wRql^BCBL5=5}I#*?jfUw^4tb<`gKz|zSG*Oa71zB z7BpCA##1}iH^N!&dj6<(gQD$H&&y#&UiXGe)>2s@oAmcF7xNX)m#gbrY4lDa3^Y@X zI>F1skO~+FVW(-_M_o1Q%UrB(mCq`bXj?oQ)E){!14+xm*(MijL%M9|Gn<6zLsOx1 zm9>TMkz0O#ePWsr;+kdd%9~A|AMz?vicil~r325Vbs_I6@WAXJ6iMxt%R`nNm#Dqg z=LpSUNn##hFSTQTx_;jszHZJp_`65nf^-`y1sgNt5ZW;cy$DLs6GSbvFm@FWpKLSR zrFN!o2njXR(6G+;*>ku=^kI@rRC@?@ql~3LC1yjxQhKO9>i2KYB1r8#S(o~mYItwJ1z&p zHA!5Gbz*WupDBdwSgdfDX{)SZ9}k$0Nj=P><{~6kQgLZHQK^p0L07J8Il=2ZixxGe zZp6b*_eE5d%HqI_7jhr&tYZf$k4nVXSff^RxAYc|)a}|HW6tO7+lSxK;JqnUHQK6N zuu@rFanwW%38+=jHN3eOVq4lIR0DhJ)URdbS~3S))?4uHy>XmhwZithUsficf@6)O z3YSlmmt-Hk_N#=xak>rdulTVTx1+H&FQ%r73hRiIQ9+!M>?I%_$%8X5S8#Q+9K>2oQzb)SPM65KnCVN*t5e&Ct zw>Ydqrr|L{J?O%$Of57Y05j~ilV00ca_?%j7F$b(#q5-KJm(5TM%3tr#s}ccBJ_$F1}2-UTIf8pxUBEj4&wH+6`Y)@c*NxH3Jpl^~^S`JDCZ_+nT6$@`{I9De4Y4qqdTU^{)LZFg z@jh+?jEiZc5Oi4&Y2{nGoZ8tp8U0VTqsy$iNCx@}*FWsaAkWF0B^aRwvGix4!m7KpRN^}%~2x{uW0K9|81-k zXzSep3>OK)v#izg+%pYwh?LR@M6CjZqk+MiyG9*(iXm);Fw!Wj9H8g&h4`iCvRvaE z@sWt~WAj3ci@FgTvlNA(GvQiLVtpT&wosyc4T*x+z zMo6(=PhJG)60dZpAvAnUC-AEcMM{n<1%Utt@UIZqXMz~@nVpF3bG-K(Vg*ynO10OlZ&Jh5y*mC8J?^P^L0mR})Lm=p4kRxs56jx@} z(TMnCcbf%Ty=-obBrE^|yH*5I%p^cF?+Fb7jvPxwVEdwwUxzChk8M853H%e^5jB*< zdAmpGZkd>(K#0{#(B%kZ8XCzzq>ldwFAHKg0h5{kutut^MnJ1}B!2+tO^j+5uglw> zbyv>${+g?scE#7FG{uEc?SzaEYm1>Egd#@}d?cB(27hOhzS!jcfl(y$c> z&yrp+-mw`@3o}7)!`v$Yrh(#>X_)eQWg3!BU%}$0LP+2@w#^L8gZK~A;6)5D4NHUo z(-1RJBI=k5fW_F(^VUhAFR9CfY_ z%bZFrr{^=K<_I_HXX4X)$_M@G^5vr*3tnS{5WkYD6E?>$$Ap}|Wxn@(;kahJ5(wiZ z<$^NHdK1xA1Ia4rWDI&JlVUsqZKne!?3KIkEqkqM`Dd*XUcBOoIqX%H=o*?5t*`PC zC7;C$9faf%Z)Ha6q0kcYIGD+paS{tMf9`~2)p5Tm$fy)>4wGspqV0||VkXbbw}h?j z7sY(9lwqYD-QM~xk)Lm;>2X$L2wf^n)F`Z>Fy)8Q2ZzMB&GU7@MhTtCcQS6I%mne! zxGy&&UBK{~?ju$0$Q&UVuu+mU?(5^()JyBPv8}eQ@k<4~;sM{C>@}9}Sa4qa>BXo; zXTJUvAYI>b%%NjgOZtbPVIb2ymtMAc1LHM<`HFNW>GLx&Bs7c7Q4T@5D4xx zy7`IT`6Tw*AyyseOE|hzs&3JTV91g>bn+LI*iE^P=Lu1o-0m7hRZ9P58phU0coG9= zOCQKbaI;~dUQY{PxHPn0PYaAq1aklnjFzU9q9UA29_8y0oh^=CyA7_VOQM z{cH*h7%{m2ezitAcVV^4K=hR(t7w2G%&K7|w(D|zml%zQq5x5BVDAdazkOnihzd9@ z$T2Qg!ITcEmIx^Ly@-ZNm6WKizjN?9viG{k|BRmUnFpE7l_aXCOu|-nbX8R&x?P?) zu|Igk)w1lofCKo4aQ2{2kV7$ZevI^xnmmFnUfB^2EYYxA;KnBhMqzqA-bBK*)^RXx z#>dmpW9U+T_UO1|*4FO0=FhxF<}IIzUV|=_bb-N6lnrZyi+jJtE`t2`#_gDf%$7eX zFJvaSDCEImysnf))HIAo-|xyGUZ+FLhoH=Nt<~=L{c##x(w!4VoM%a9ftAvHJJQd2#h@s)!R&NCuqkUs!L^*BOtcNQapmBcC0Aek zy4&IgfsqGOU)ydHIwy}!of!6Oj|5OfR-9t13RcXxS@%=fy9qgji4K&}`fG9iACBpW){Bz}2^3TDV~# zpYrl<)C-w^pIX8)RW5U6I9q}gst7KsSOV%d-791K6LhnG4^3EQR~iVqkZ$v_13?#> z=l9RHCw4;>1HS3EKN6QKs51u-W-=89XvRLt?Q`d6Y~6DFQuq+L}jBF(S)Zt&Z-ID)vduWD&&% zO!`l;_SUw*XY3u$YK`uA*GlYzhhy-I)L?E21uT}z^vrF@@?k#wBuXk7a@I4kWLQmg zgo|R)j=VAT4Q?4a1a1p#)N5SI&1<&xRWHi-;fM(h;`X9uSQX z-@0THmWD^ugn50VwXfNeFZQSfs0Npky83hBoZolJ#9!|I+!iE_HLf}IZUBt{PM5iA zjGy;LGy%fv)bdxNxm&;=Zf*;f|7@13UzgFHv^T(Q0To*94=NU+-xtvb`cx=ghmGPN zx7A0L)4xYI2V#OoMFX3qrqkl@(Zf+9hVDJ$RY{^ZhsGbalpS0EG_{X$#tq&$V+}Nvvf^cdaYLbu0|r8A#+s3Ac8a77dM!sOX2RqpZG?c; zz~KqLIw}xDX&tDt`2rRzp|{M-2t}lj)6L_*g2l@AU3S37R6PI|Pu+|i^046rEUqiXkbD7)pOJH= z(gI8;N3tUpF+)_{9Gn2Km>d9$3GrUQ;*jH58bTnLwYYE{M82O|z-0KcToM*$nlIBN zx6?ez`nsP{Gba^p9I7K6k1Q$WT6hxq!{|u4w9ll9nzk`lp)m6x`xYeyLR*;0QEu*UNV4zyKrWhmnv_g9LQ^g23c3lj@}IU#me52{Co;=w-XK zRL8hsunkxZ9HxqBmc;Q{UbPswd7w*NMu63TCzp8V+AzfA-;e0Msi$ZmBw)UC;4@t8 zr{)^%TEZXPg@f6dUqd=wAL2-@xPkLVhR>Ol@)az;Ud`wevtBYDAR2uP3KbZ6u^JAJ z(8^1P4>IOY<#vu1Xr2 zgnezoo&|Vy)_y1=YVC@M4g1KVBuY+3Qr>3f;E(U70l$Kd5dC+kDi16g+~RW_H{ZTl zTfKhgM%1vFPMLO43*S0`FT&ZGMR6FKh5z@HGZHt*==!k2@&#*PfHZPc9KXd7n^w@9 z#wB%Ux zOb{?U;J$HW=Rh4}(Kc>hKfYKWYyu)geP(|A-KOu5F(W8U1o)DwL|f(uzNG55azRGF z@dGjo*?LpJDPG0xdU^k4@y%rqq$y0B#GYUT+JIwB21O9=>8Rqiv0(jU*$d8I*+}oWh1Imn}<R0TKIPqTK#@It(VC$*34%Jqkw<*N^vnXhqA5Qv#Q18&m zYCnd^TE`U$S=kt81(N~F=Ti}?WJT{ggyoR|B}5jAU$$|hYcZ%iKB(S5KT^n=EG1x8 zVKW#dDHny{YfSqE~eo_R&IPgw>o~D+W;Gs zDnh`!dWGhdb{QrXu~{ypSyTuZ4q~rG#%KBm**0utV#a*-1tu;+)`QqK?)5%g32peY zp}BJRdx~CUf;)2gJ|N)wVpfPM&7he?>j7(ENKPe|`7 zbNy9+<;cf!g~|IY9fO)!ORPjJWH1MV0oe3|h%O>R^Wi0AXHD@Du?MQfP7FMWf(IUn zIX%t6H{#GWt8}Og2^U0#+Q%H8`zOd&4m=3nG+OGg0e#Tal)EWDQC3&YhSEH|DhprK zwD3!!kCN~};bD#y8kM!5co<+|hh#I2vvCdt5Ka36 zRQ45YXJVq~U2>8QVI)eCsN~Ih;Hi_X%MmLu*p>rrmq?hjR-xYFUR@zJbiORIwK|G@;I^zB@ z>t35ZF6twR%6EHBYvS@zu#am*-U@qEJ&Xva;nn5h2`bnV1m>t(-Mo_cmckwM53TqE zWc8;WX6B=@od+cE%PE$bSwOZbA`RZ6#;~F$Eb3_h=hY{{*Gf#!puA;m;eyWb#q7T` z;7eKjjjl%Okp_Y9Bhf7@nK82*1w%T4GmFB^reN?xN&c}b+ZxH_=6$^7pdkj+P==^2 z6D-4pwz6=BpK{D_cnqA(#w}s)vaS_0(2g|&cyKqU-!u+wuZlQG72D*uI=_Zp3=J-i zd+TnW*w}W0W>Hk+`6J!j^5KxYpXRS%YyRQ>M$C!^kL%2hV#>2rd1qFEYuD*bUL~pY z@tE9pOq0K-^0mFMz?jBThYVc5m$yJ8%Qj7!Ue4&}MaZ2E2Q&2qILKsVbV8P2n}Q&@|$-Vm|3o68>2d_sjb zn(RWKHNI6$Ey?lQRu#yG_>n3Zm-6e*Fj#zJd#X{pqD^6E;BzZv4gb?*W7@oeSY5S5 zjgMoC$)N!(@8O$yL%cx)MYhdbd)kz(?E1MiH-XjF?;9=(G3M4P?Qvx4RKMl%!XL{P zg3~0LXE?ufbN*^2$__4yd%Qbx>Voe!7kZy1O|wqlbtN=n+;ZloYks4^E4gy3A%W?q>Y})25JpFl42I#mt2_a zNw;>qx`jtSPtFP~R5=JsQd-npD0@q$&c@ua@_v%q-prmadJrD!2E-}Z;0=QuQoHMq zlG3VKo4!#p&KC4%{>-V`Z%>(_d3JQ0W6rAUY5zSORlTMzQJ}dA`_7~`QlO3_C;n=q zfz(cD-vr&h+Lo&ElSB#CEWd*U@VXh>;-L5w&%Gb;*5-R2oOS>*GLv^5l3OWBSkqbi z#I;qmY|Wt3K=gj!xsk@;y|5uGdyT^s3~_~K#kWe-U$ZsdP?0y z?HRXLbe}ksk~~SSQ0j}lIl|KM3KK4+5W@4UAVto0_m5;`Qt3Ib^Gxk-$q)#eZwg>B zpV2YH6CpBQb%&l|u!0!)^xHve0ZSk9tMz)%$9M-MeRte$H^_6u2!Bf5E=RJERh_`& z>)C*J_X)>p;1AGC52BXO@P$9vL{IG>zD?CrTO4Re&2-{$>ORR8qnaiN9H6h+ek|Od zkJng&>R@={#Dh}}S)Cg(H^Ml9F&pn5H|H|Xeta8tNl2FCF5;D$C$UF>PowIivWFM2 zHw|v?qP<_cdq=k3*pG9>ibKzR|M8p7scQ(s*9$L z_!L|Qqi@(V#XA1xtLs!f?a~G)b(;4V69ERxS6X7f6S#~l$R=-H6^StgCwZ!TQIE z(hZOBuQS_X$q{=)eRH1np5D;6>+Xz2m0^fm*1hG|$Y0*3q<`ifETWDIY=BB&pLn$K z-_a-ZVAT~A)=|2cX<_Ccxc_{+3Ek7MGp|Gk^_7zP+x(*5&v3Gz4abs&3qt zL7}LJcY5s_IOawt7DlTW6Hcyc1NBa9y~X^S1htA@^#o%4K!?vu`p&7KZd*ib1GEV@ z%o3l=EP&(a2(JN=eevV#$<^~RSF?Q#M{C}u?m#4&rG2NV zlucx>22N_COeuZts!PG7AcS{SLwZYGrNiL540QOG;Kgv81_h z7q)4+KlMB?T$*!xdHh`eu!*$)Ow&^AsTS;cYFc7!@9f%V8u*9=+*|c;scNns%kNX& z96wjrMQVsf3?o?#&|dMDqDD4@18cDuTDzCESirRh z4X_qlGdbLo3)lw|B-kq5m9lpPg=|gNx+rTdRFRqLh!;V8NC02XV>^r2hQA0>6+$>(Hx(N z%avmVVdrmyMy$Qtv2x%qaDsk3#!eXsq`GAK$i(nf%hLO!dBy+}C~}V8x){V4^F6)Z zN_vWq8X%LMrto`=HvXNMESHgQjE^QOMhU&4m%#IqT!r&UXi4K8yJayhkKT)7-%l8Z zj`9b}Y2lUhTu}1j@Q}wGa}YV*V(gyO|7bH$6iW)B7EWkSmMIq{4w8wV18!T|CQye? zW5Hb7eM#G9?BWLSQz#}^RHqoluW`!q--nT*xEqsG8_R*w*`XS3yzu49=xFoiURzd| zJ5qC5f99;_CWId}4#vlQHKJ5qaCs|Q(@sV`ASeYD3a2xoby{2FYQ_lJ!UkyI_ zDA{QmHLH$jae29bEUI6E#5R9*I+#lNmEm`%sZ)&0OS`XM9O_5?DbgskZ*FQJbAwJ= zY+*PDA9QGwJ^xcAG=XT(#+&RP@C_FeoNzFE>NGQN%B)9eAPl}`aGSOpIIWxTVIE+E zTo*sqc_V{dq0hxy&uc@srpm6alW`dYEZ|D`P>zDOgSF3d23 zdO!db=TPu{jihI4xg`l0JG_n7|Ks3RJrdsgq6U`V>qLCr=BXNycdJF?_ZtY*kXWt) z>nGIwnY=WR2U%UqpyA>3-Ju%AWpT}Tia{p5$dD`hs1#7G?Cm}lB*SkX!#WYik{cwa z>-*&T_gB~?BKJRfIp-{~5f1fr(sU-IS|npt?!gkg%T|5&lf{3dNbEdWs}ZsWv~H*l ziBw)qXWi+Y2;E*DT0%cYj^)Y*xVL$$_kCDSQ0z3{mDIK#R&3@b;vuHykL5lFWf_db zZ%hW{rs;rQZa`kiNw!D)RST_?{(%z|641*Z=ub&~cx#w^L>Avw3e)6)%!1oEse!EJ zv}u`>U__nJ?M*1baa6+0_<4ccH@^{wQfbs`YHWhX{Uyo&>)oQ0yB-c^FW>Q9vZGB> zXPHol;~*q0xPlQfl37E)`V_f%Ga-i_5w&C&NC8ENWOss>2H7G8GdIwk_u&!t%YxWx z1#4(7AHtEdI8UVUmb&v7iOX!Q*kP069YPfer3(fc>t~6scWn?kv}}N0o(<^buJ&FT zQ0xMF9elxND6hSr#VVm#@@6PnpLZ-X9#}X6zxq*}&4cnOjWO9PV1cK6;rSA02pjM% z`LVbxO()*)($r`O(=eb(*kUCq$WxhBKo5#t_|0x+)kOg-Q&%|toA=kg#OG*PxxT_e za_CIx)mY!}qp}dIaM8kykP)@<-GUT#iO=RD>y-pKaO)ZBI||S^AV)V~`3Vnyk1I&7 zRR#Liij1rF;B_?FRH-$AG{}14ag3ozYVdt?7~gtj4nF)><^VXf;(s}` z;<^KSw+$Rx{o=}KgZpI7+CEi}yfeJ-;>tI?SFVh&jr6ra=c{T}QqBL$986S%^!~-m zgH%O~iX6xCR4DhH=`X@7C0Y2Z;9v1_6aX*hDqUF1fAe#2SR@g~M+Wc1G;3ArZ|@Qu z98Kdf3*T6kSG;^FhOQ`sFPPXpHNkY_ZJk6Qjr{M3xnL(~ZZoYBO*}y{;LZvLbR1h~ z(Llv_!0!sE7-`a}Z}H2}i@IRgdSLZRawB9ix$w)yZ#OW~8;G}Z;$LvoAZP^NzGVOL4(X&AohYjz(izk;$OohAsnBg;p&XGhh0%Sh1# z;X*mBGq^S4$_>f0YlCY;(uVYmxhgzK>Uqw$A?l;KMkMk!)cw+u`;PgwUQ@h=ee{!blX#BI^V?*}3>I&$xGUcT#a zH>Cb8w3J48nk%RUo#TxA}F_iQD;yVqDZ6hiA_L|$O zOn{L}fhf{d3~W_PQlJd9&ZWnsc27o5ZPg3ggXFv3hDKT<3egY@)U_PHH715@jB0=K zb}ZGa@ea*;071M;w-{;W5pIkBU1^*=))-;vD}&a(n(Qnl5rDi(rx%))TXh1s6y~F% z=V-J(MmQa!tJ-MIVwtPqV*9UpIW7|^Rg@bzdxxd6#f&`SUdE2~I?%sA$3mbl#4efp zW^5!}&Jqf2#a!Be_>^2j#i(`D%Bgi0A#5I7CeAtKUTT*_vl$1hI9ipEQ~)>PdhX=% zfUm;=rqW`G8q-aiExv|uXEy$x3{^D&Ar!<?)9mFK%4pYXZ zA9AzbW@jUZ6EMbA|7UJ%8pv%y{YP$V!U;=Ensi3L&Wh(f8SrXr{(eo%mk;py`$b#E_tQcjGRm^$E6kjsfgYCYkT^{JIi>15#Zs!RL zVLSmxmq`qvln=sOYzrZS-T+&{;`FmfsKbv(BUluft3(Ck&}Rxl)}~%jYXZqTk@_m5 z-_!II;Cf9;RtY1akAvQe#2axG1-cACH9H=hqasq_h|sD2bCGV&Oqh-OF`fwGI~8^) zy(JRY95Sd4+`=eap_~sK4AuWdIXL>?lmiT4DW=AojyfI(bNHQYU%3hz=~H_W>DxUY z6jBnE72wwDzyUI4Ji$2uxV7>S3_ZT{)t+Q>7bjL5GW!02W^Zeo^0v$+^kgQ&jxpYc z`Nm3o} zmN>_H3s{L^Ph$%5{GgkBUuJ$`7e1)c)k|i$6x|c_x)Rf}2+yVo_Uf2<&23#(0l6(z zC5haneBg~$ANc0t|5-UW{x{`d={`gKMMv@YhmL}RnXb+8ttZ%vPxgJLk*ZngALW2$DRWV%{a6&7w`USGQqqi^i8B}YIh_4Lg7J1E zHx+Uh{#QaOie7A?#)d37-!^uRF~dg3hs9kc==rL(=$=dX^kA7uJdFyE#{Md1kZ;J< z=ZrGxGaN`HB}|Ka=*Ek&dVOT^owhiegUP~UhKaSLkcZy|{f(}hqK0}qyJltm_#QVM z-_dZRsi6Fd7ixyh1k;y0ou^RHV>e!_SxjH2IDzw)bd-3JSYD2;dbT+}|DS7H|NLpT z@_VyC+ECb_5G!&G)V5$hS-Yur# zvo)8|0NtpW&_7~ZazbWF^uJ8A9ySswU-5Es$L)MFil*7`h+$#q_|5+~w_(TuutCOm4Mg zcr~ZQU3^Mwjmg~FAYLev7U{V1yupW0m_7hqevqb~o_BLT`FlCei#LT5G56x$v*`J3 zYpTKHdB4SdVWBX9S6z0D*JVd*@yZ&ml+I&;m`k+uay{0YYDQj**U17nM!pm{zTcf> zb}Hq4`VrRhm3QM7UF+d0G3O9rzIj&ZL8KPc0dX$b^AY5@ZrbztDQ|QBdb9Rhv+=i~ z_Mm3EmHU4v2O|Hj96-G)2c`d^9C-9Tq~lKNZ;fbS5-2zzQ-^vgbjsHZ^|&iM#m;^QU+@uYSu|mHzA=Od?Uv@z zI}=L*MDh-z1(R9L5;)R2Pl>GOeZn~NM-Z`-hP5{dNb;~x=ONfSncwabus=yEEoB*G z7XGX?$@C~eP%u{H@h(Zz>Zr%(Nhhkf({gSyg=RdF6VMZlb3}-^+1liT8hO0;Ok)qv zO4C^1WO5@aMbNrAs3|t%aa)qjV;D20KH66lm?=1a{IXX2;qi8U>pm?()tzsHV|hZ& z#b-B}#~!VQb#Haded$Q8c2$56f1x7*LNbNVzpZ`RHn+JB1S~aZ?H9q*dpNFg@UX)5ts^C5(sgS0o&PiCf_X@jmeDKl_po>R?~ z98v6RB?vimq}8srmhRFRjh^{tor%}k7W;ed!a0H&!+EYvx*v96>khd;r$QadEeEpW zyRR=g>(uO@XPjtB-{w$?skT@pdk?8Uw`4tCaEno|Egrba*>KWSr8;FOk)28B9PaEL zOV9tdgC8PXpsShr^mOv3TJ)$mU{48Fg+Xh1kw;HuvCTYHzjnCJ@SNw%iPlKrvJ_Lo z*`_Y&iR(fT2#kt6d{RhUM9DIde&o5?wXgjyBJ10_!ZN>;pDj=WQMJam<-Jb(x`}E@ zYpM4p&`)&^%nXDaVsTw9i%I@v=9k?uz3*#D;;!SDEkE3rr!}*BTe4wGGcE7YTQ|$a z@ffDntdZn><4jmqVq4|?{XoFWnymM9LwbIXf@pi(v|Qs=60=k);hFa?aZ!EA>KKSs#46aDro8LEXK3&iFO%C5U`}bHPKSMP$I|N@I;@p39 zLDNJLtU-^bxK+{gHRLhpWNA`l7?1vqn zT<*&E+~>q%9bx%Zr##a@&7iu{09rb%s~II2mQ<+|HtT(`6VCqe`9nRM#^r{+*2BO4yG}64+;;v zb5y{vGCv1?Q+7gmXy4JxRQ6JfI;EsyU??=4X2AfTIDw=5L$sP*uU)s8dCo1~l-`t0 z6I}5=_gs~>%s;!{KR)F(`Nx&T#X4#&h|lWccxEp)$#1*Pu0GdSYn-G#+nzJGY&138 zMPAMOl-wg<#<>VKA1FD)?R0SR))ikcJuP97y1xetr7oaD{5!fd^L$v`Qo{vCm-9Zt z*XSzUg)gJay2fi=(lL{(BFh|0X#Y`(3U+;4+*u7{!o zqi#uebn?9Mc+*0N^aX@L#Oi}}B34AAi4d2lmGjGs{uiNjY+k(M`fjBrbMNu3Q~qej zO1BXv#1rNNzB?5O)qsQw8DIqfov0BJvzJbkoAd4;D}d{rEFMJ4ixm)N{opCI&5-$- z1VJJMzV7JyQ~VX1o~l=%Z15>5SU!tA!^SKYT0D=B$r>|c2sXRG8k|&EwqSCr6 z|4Te$0frbU{daNPf-hk4E*b1gHiFX1uR`l*_w-jQK-d5q5Lyvlh1Oy{5_6MIKMT;5 zSE2QnkI65|5$+O#j-QXn5G%|gd398E8%}?P)`S#LZ3oyFD*y@*TK`x9wCNo$RzMNF z=!yR@+z=~VcQDil;@9{>{8ko>A6|?8wvJUJGvWtBr{fJ;S6eDCFZ#C<%-mbdKEGH2 zoOKr@>GfPt2%;!NAiD{TUeQ5q;i)c|M0_d1Zb4%c_FZ!Vz#P$LzrH-Rm4_=7Yl#WtZ zfM~_GN}*i^1&CIBPKU~N&2F0+(gGq8td~d>!3)vq4-lpm_?US*B|BfyT|BNoxHGN)3mrn4c@~#H!5bq4>a9&22so9nr z{}^2s2glZmg#x3??S*K4VlY2Q@pTYtIKS&_OVW z9LMnpbL1u?!~`?;G4%%;u@4{ZDfn3uzr)DO;3WO11o`#ZC60-E5d#=qio^h;%U-a% z@^V@nxurLfv7ZdxNz%n-zN*;a876N9k%+_zO+T{3Cc1V5qs!udj4q+uJIG`mjpne~e3rR%5L6B4!m7ma| zIFb(K7@bVF6HKxSyx$P7!a`r|*wI2?B|_gZTrUz>TQ zmzbdBfk-Ps^J{Wqju^8Te%4826vNR%-(A@KKjtwx=8z=^_`vGOrkJYW6HV&Ji7xUAKXF%}<%dp4r*||^Z zgkc$X8-9ypdrKv-gL_OxO|7-|BL)+JaCq~r(5{eQ$&G1H4nux0?WSO#hRKc`osAg& zm>ChsKwM^=TiEn_1wS3I5fz%1m+DdWI@_9fT|V@2BZ_Flbsa;VP6GXpq1Cmn3H)ei z9UFcD7+P8WGPJ60_hMsLQjKo<*O4Q7_xS*Ue%z-(|JXVDeuq$ORqcB%WJVpuQR{e6 zt+v^a!NTf#8zw!PD&PuW+YAi89es2KPynugq(XYNa5mYSuR{YUt28Oexfa=lLfb*r zJy306YE?(7I>L|&5Ju#?B$J%%70vm$HU;A3(a_

7|}RZnzql0bnDlT1FuShQxI! ze?~SN9k>5Q>nVId!If5b`;M=OHr`e3aYU$HXnank$Ley2d zf2jgi^#8C+cE$GiOvISYM|LUSd4}@HE=9)xb{Soa39w7>*xjhL5cme~nBoOX{yFUi z-(dR)(5S;E6@J#_lYcgU|)gMLcUuR$L zdhVm5wGf}f2L2iQ&L_0)*Lxk7`ck?buk<}Jk2Nf>p?LDyptowqB1jOcwdxukL;dY0axCkWY+px zpTobl2$}QKGNV{xrk$S~NWD~)!hXHYh1*p4MA3~jR~$17Gk^tUQt1W*OQ0IC44M^ykb z$f@^970@E6R^E9>!l0hyWQBGk8L{iT+W({qXmeZ3tX%tKZ|YMiMhaa+*G2LV|PTM0+ZybU{j+ zCL^k|A41QO;hIShZh0SEO+j4nAk4sU^rKS)%;a@kllulPwvx*_H!t!YZP+`6nKP^Q;jeq`WEg7ZlBiXp7 zF-Yr5?vd*%Z7{4F)%|&|$))T~Qtd~ruZ(7mx2P|qkyPV<5Shf4`s52bQF~^52_dGC zovX%i#D(!BT5{}i)Eaj33Q45dxEwVp@G+NjHeUF##$nd03hx+T!GEJthcgmqq6^%d zw3tWTL)e9C+kDQ<=2hph`@n7;JEkz1ANlDFWN<`}6GwmG9R~n${S@aSdiIC%g4tL9dSE{#Ks}-BU6FN(iUWPlz;%O9u~dwC=Oh zQNJDu32_8&PObqvMdp=Xji2KDjJuEYvSZHr>^Hqk0qAAbcrv814(y~H(FaaIQH z4JOWCXm}pa#}37I#wa8-IEtqMgbZ0t-AjWt-s`V{7`wh!Sw`eusUgglQw zj3$5b80H7$tSgGK?CWN}C9q#eX2>JW#E56y8}>BrUYSjILRed{rP)R~&V!u43yq$P zJMfvqY;qEE-&;8lUrMeilUmCD!cJ_espGcRW%wx4H<#ktbl9JQ?+d(In@R**eSB4a zFceicHf{Qq6(_x9HqB;-{wpMDaZAm2nqIP+AwP2dN12iVmFG)qfL1Q+D*UV?Hu zs^~bcl2K#-qL-;@-PJoYD+9QLkMvS|R_#CNrERm#YcFnPKAG*(ho*=2z{T17U4nEu>Mh|tT-!F^kDcG|p5OR3O}CmXi|P>^-T9Fa z+G0(bUMl0;8SXCo5!Jl^hJXJqxNR(NnXR?f2>fhA8715d|K}uwKfx>TbsO$AO)|^U z7<6@#hB&V2?&{ykm}H82sIpHoIRf*}Z7is!o`Ng?pNcx{XYkZ5Bjn+y~P9 z@Nqs5>w~YT#)R(r0Z~Ay0N5nAu;2oqmre2jy=?L+S=3#v!)wYU3c1$v@Gt}DWnKW~ zXL zl#`N6+={|`Iy7v`a8vs04IM0vUXK&K=NVi4KXvbKkoV@lU+pc-H4tR`{{nxxj=UT& z{soJK?BGgqd9-+={LX>lIs7Gu$vOKESC>U?p|W9WkxO>0&7o-nnC(*ixqxnusYZn2 zuLJ`kHCe`&8=7VrNLo$6XCkO6%emp@kFf8g0bKyyzurv`$lL`2sjI#=J|0<#Jd*dk4%kbD=u^@kQ}|%lJsad!tdw57Grgf zUT(#>j|w=n#SbSsvbkVhOYFF08;5{Ggt}&(YOz9lRpg`bgBPC7GY8o+gbL;tK^;5N z=4`97M#8W5XCz$VTUY!hr8ljtrEhL`a;F*nvl z`in!j%TsQbHb?xQW>1$9hgRuw?H%vsb%VAO%^qGZ!Ywa-dcav&oncbG)B7mDb@tiq zL9dZwX*0SR_1Bwdf{HT=hS>Lx9Ovn4n{8}ry~c0c2ALap0>{x;J-r7^zJL1`U1R9Aw>_Alu?RIB(vy-}HC}GpbEWvb-L?Xq|?< zphucH;J_Q|DA`{^X1%i<4M@OvVmSuY1@C^~{86L;1A?K0z z?XFC8Js)x}Zou)I$pR~vs9NrqaXS@;bVK{pCU-^8gWQ_PbQbZb-SNC%Xx-cGokhuI z$s1zdZ%3^DM8iADLcrHJi}AjmpEf-Z{SNoyqKA4mLY#O`xLxBR1q|b~9AJ(rE7Zwl z;{V)Gwe}LD@DfOa_my=6H$ocm9 zREItvviWvQC~cE^j=68wb<3U07N>kC@W;{`>FI)uk1P>LI&Ndo~7yp+ahDGGUqAE&V3khMVve-KfOZj_doh1PKX;$|0Rnp?W@DcE645RP5PnXQ#?UebohTK zi+u#Zb36ZA7K`u?0Q^5>u}=W_U$R(-zhtp{yL8C8bdE{ngxRrHyulD(Wz$}{vctmU z!e=Ib2p94Y8~l9PmaAJ%IPhJQ{TlEDxGgz43~f2)_(PuzzU|FkxPzuL%((7n(tKgJ z6WV^3$iFV$-j#Cf5~Fi;jcrVD0oL2LUzZXrEy@!!N8DP?w z{iqQ;2LRyNy2>X2j4pxF3bmaG0N^O0g!GT5PXM?9f}K9uzr~8N(o}Zpm8~}2mJc7) zk|$ev8sBGKP>HwfM8@+}i#JFEw7YhoLRv{6)#+nKkypcZ-=dayvcruni5J@uG!}1 zaFue!!wrLLqZ+E|v_ko*z>`jNeokdGPd^ErY+;9}0VDx_ z7SdL@NNe4oyV!roVmaSGlmW6>Za@~B`l?;2axUwx?LTC(Ga4iPM$UPnI?#JhvRK0Z zEsJ#%M6`t$Y-GJGwEkg$vH(iEwh%I9hipJb)?cjA-zE&bC`_nHcxPB6X@;4DQyM9= z`iyH!C*wrUCI+iI|0rTQ6VOx9t$53-C-u!3^<0Pq(i(j!!1^=k@~tpuHaj>zKAVLA zlP;d6h>WL%ra@MmW>K=j%90Yyu?GuZu2?fJq zqr^!zd8aO8PT05SV)B1pHuuk71_E>}Bt2CuZJM!<(aNrTLY>%n-LrsPta9+uTDpQ! zy1{ttaK71BpWJK=5j!vYac^hemDhA_L`A*~BNj5Ex?0Q^Arht}>f|nOFrd&dgUX=<;4{eh7t zE!--?xalhi79qxv)%ELupC??ysv_+)vNPes%%QX+MOniQqyB8HW{NpOEDqtg&l2FG z{CBvN++HJP1@6Pog!)pN+dY22+~E9K+R*oP!|BtFU48z2+LY9=l0ycANKkbJc|x&b z@@6l`c-3@@{=*gfJA4W7U&=Tqfd9S(1N_$}$>Nd!YW$P`(s08~!i59;ms?f=?>GOI z$wuG%H|3)k*RX3T)d4qA{yD!ma)|=^Po1KKmX5n(g3Sjx%Lmzi^4~_u`-MOJHzgiy zZhQmLwzl!*UM-A1(W+5>tueMbc{E#oSP8LN2tOYirn>KNF*okFDz-Ay_3>U7l{$>D zvO4GYtyseOtS3KC%z2+Ok}fzwsu(r-C*~Iyk3ro%YZ!Ipj6+&Y*soJ76YoYjsUb%< zM{0GAFbT!qn7tJwO)Nh%;$n83a%^@4?scBNb8v01zVcPLMxMNX-x$mQ`>#~xn{7Wa zftTeT`Q5JLq!6xSC5UIpnZso}-3w>d?XU#1jYvk>sG$n9&5ZBK>Y!^$=(uzNhFf-XjiFM-2 z9Ps4Y8oi{q0|>*jO~5 zSk`Bwh8yK-4n22W3GuE6S1C1PFiYH73wNK`Qvgpu^dxYgZlWbUdIGkeYr@(q%llHk zOCR2f7zrOUW~H!POO=ska>SGN|5rfRg%P}h)^U^tZKh%I2~mt)Qw+#g`@xRIU2%d- zd1x`1-oG;3!-1YB0Kel_HVh*#SY`{#r0Z!UV(p{__tNQZcaKDr5y%P=_v%(q4;&G! zujXRDp&A5BK2RoL>|b%i8hh4|1!n88I=O~*WD1nzxhx2SN}Ku z{o54l^kj;C!oR;wv3yVX_Zq;z@~871V~Av2f8k$)YvwGS*QR)(7|W0nA7Y?|brgJz zNa5W_(URu}Gaa~D7?gF_M3dDu3IY zUz<4bcAoJ<<7Eh8G$yM{dgSmW34v9!`u!oGH-J0m>P z+zsg&$BA1w<8sYxbc;A$E3zm1;@V|B{29nX;cab?CzJgGm%Z9avsK_H)<~{E8(AH2 z6NoM3Ao(yhgmVz@jLKmuzVa-#&jcr~3x#hC`0!McMh?e=HZp?<;c(Q_J0~ArGfM1; zqREEt$B{YFW9-j#YE?E!T;iE8ZPs!NmIn{`nRKxN=V6N7k7quQTI{rU9AnBp{q|L% z+7^UcykJ(@-)kx=Z7DBfIF zJKxmhJZBb+IAKr}w)F;qRU#56NB0lYp4C1>uhOY;MXP4=?}vG48-<`aq@Qy`o_wZu8*|J67of2cRYlfOUQj4uSdfJj zw9}rtB=OlY^*Vpv&(%c6AX4VMLK5b=fcXFr8L@?06mVpcM=HEw3)igdC#g*QjBMiZ z(Kn4ErJ)!RCK^Loqy&5b-At_-*k7x}H6 z+IsTDMEzjrcE4`zPt3Ya>dLo8_QIzY(#hNohb6A0by9M%iuiCZ%i{^7C)_{eD^W!} zx1J_TF5bd|P9q=*?=|@vWX)pYVjY{I&9ct&<%o2A?Etq5`U{5^u;o(r=!pgXVO4iL zH7Uh>V~#RYOC@S=UOkM{^V&z1+yk> z%`H>4ed*}i`?{xoDz{yQ2RApFONPzi6Zi1CU_)?91xXT?*#>#==wb4g$0?Wc?ZCWX zlb0fnaT;xv|yKvdq-f8D5X;DEC0G={=*Vm%_Nwj z`DBT8iITPbT*-QxDzE7|%Snh0&|gA;{)zzf*AhFiWTK3lPVSNZPNi`DO@H4$(O=;1 z)IGOtMWULFAV0P*$Kr%J0TCU)IlBO}9zAO+j7k7J9bssMAY}n}Cv7(APi7$0>CT0$ zo*~6l&2V-e420lb(nZ0emPlH5tDafB(u)cf?q0!`4JHff+)4EQ6t^+L<4b>(VG*V* zR5|gbftOXHU)C`hAYH>}R|Wfu-Lh~_uuXv}7m69(UxszHpeAC`$0-+MVIC=RJrI)F zVf&_TR{|5C{Yg!90Uizy9?2eF(#!e?JyA{V*;{fwhsM#$YPfReKuLlM)G0Mtt<V+09$HI4QI|)b+ZBA@J((1h!oC+`R@y&k<%9_G#`p z{>rXG1KHJw%X@~tn~U{}|6keF-v7$3(l~myUmPTpvtEJ99>n8Z34rXX7u5go#2R!6 z5bs9aNk@C><{+V5+3yYz(sPo$XZ1X$ijm*JO@hQlTvqElx7Q(Tz4O4n(|d58{we<% zx|Bxu^OfkAC9ei15gA7X0T!tI?OyS58ArA=HQDi@sx0b(Uen>TK1!^RYS>bP($#91U(yjyT3K=?wgWm=4 zyLl9EGCR(l;1OAc!~|#r?$eE;7q3>T>Fp5HAT5yFHV15N)4u%TUX%0M7FjghJM20r zXk}k%xl9jnOd&+S%oZrPL>J%1m|vLtNw+(k{zY2t#tTjbHsxHmdeeRn{*wsy&XN&9Gt6(M@nU$;|9swc& zS4xumBAVrnW%HK;0-lgw6I_y;?;C5qXJd<dH50bsVP$e#-g`8U zYuy-KG-r81+Bz>(-8TyajHtEaG)?5;n?SP0nriJXzZep5sh1w{?O5bsp+>QbknA@ti+e?0Sqe4392kY=AaQYpcr%Zta^XT=0}Ld=N9bW{%kv^&MF7Pk}hrT=6Cp` zo%r63Y7D}~Y7jqzaQQSA(${2>-ScJo>z+wlx8=kx zj>QbpmQT&>^#jjL_j>vve_|>afWzh~ppP$R#g&Y_&N+8oZ!xhBIv#>Oe=-Zi-0^y5 zUI#4*WC#}}5=aoIZMR+(kypkTS$j#fH{#X2MGCt((UkMikRur8`~e>GcyHpRD0Z?y zz+s$cat~@3@@BsMVU(FSRv(`(lj61lbC^c=ps4&@j+4Wdce2)RRdKJNGg`tkZeyB& zLqVYUsv_*7|D}0@WJy<;fYv()Q~4hJ$i8w|SuqcdQQ- z7>k-Vz84~v4EStjn0A(Z`}e)nrWY0HW~sXw^fs46*Ru8;v6JAUyZ-&=`Pr_3bR_QV zg*BuLvZyQmiKA9WwAw8UM;zFPTm;pKrY0piHbFZ|!MnT|P10R}o4ycu2gCR~H46u&CSPrJ)c7F*$j>4i>-=F*4f45;V?{|lS`wRp|O!ovP9 zY|8%M*z|D(;Qtw$0z241Y<9CW$N@?faUbPSL9iIs-Le6a;8jNNm?tAMLcjLLFD-2l zNX+P`8=tQogT}2e3Q+j3@?)M9uem)t-89~RFxgBPy**A4NV~sFSoe}|ruWhf@j8_* zF}HK|=$8(<6X~7oDzA^nyiBpsfqqzTmM_Was*J7T?ObQhIw=S3msv&i^=W8Aem6f! z>$4BNJ7Fd&;6Z+$s;D8NuH{BpX?}5cdc#1WZmFI@txY~&IMmIY9yjV-v@(8hL;Ay5 zofK4OwT0(v!;?$U@*%tmf5pi#DVSJ2 zY@7^)X3L*Kv#QK%x&&y6^q(F>vuCfTfzWK>#~wKIl7II78~D;B7=ML*q1~Bq`OJJ? z5Qz&$C6e>7tHmE{xXr&wRA~aHERWbm4;`*YGEzePjSdhGk31AYH$pzlAz1N8l=x|RVB z^H<+L8tD5|FTTm<#)Quahgf6thCKn?s*Egztu)*WXnM3;2ppLuUo#m6LqhDOwDpKa6A_NMgP6<4+sba ze;5939t;1+?gq?KT`oPNDN!KmoDb;VeT-h4h<{8UR-$zGA^JrsO%72!k+}X!{}h&@ ztn1q-1;Pi^nxgqe*wgJzEKa$%PUh)1B0gcWybYui?TUHlYY6cFD*UIu;*3P`f*>TS ziNkBqd?#?@_?GM`H9J6|!2Zd>4`yC0mFQaB;JLZneD3bt8r8bfdtCA!C#;rQC2QQs z4I_OypzvSvpN0R`RD$o1so8!`Sd_1HWp=!uNiffJLS7k%Dsj9&_HJR zI+wb6Ec|Z+g@63;#U56m@Q>}wD)w0T?+p=qEc|~ZUUFAL7QfK@lbZeE3#4X8UjV7u z{-@L|Lie&YWKaU^pVVx=GVnj!Pp(h#?AhK8Mk;sr%H7WTzTMPRG0F_gcIOGn7^e{8 zb^XR>S6*FUbIEYMM0kr6=}RAfiUMlnB!&YAKHxJ92$f$r>?P`2;xc z%o@dIN=WW+pGp|4Dmr7ezLQI5##H~Nrq(yxk3-l1HFd2EZ`??40*0{R5eY}o%ze6V zb@BAKga(nP-zyM@`aL#|x2$@JrBR!G@GLsI zk#TfZ;4=f*)bHmxB|T$~w3IZ!Ovz_s;|qJjE9g#TM6vbAMJdp`y1@((_7T-`-+EE8 z8zInKNUYLuybl@&Ycjeu_%P(fr=Su`uo5xSWHn|$8piOcA4YQ^p|7|4c3qLPPVAAQ zPT#OaZR46v_r01gFv5%KV%3z0ntF{|bw2#|SB`vzlFG^0u*e|$^otR5!gcu=41%K( z(f-w5vIwcqy?gFCNrYP+M~)sKAUC=7HETJJd|%8gNiyE-r@~gnBRAd3k;pLJz~+MH zrx3;XdLyw9;`PI?W-wzw%+3jfPk8G5>j0hqG5??axp?xJ^d~|<=idUO!VBp9vjLs| zdJ&-W&$PQzP?l@1ep;7gp#4sHOaZ}>oziB+{P5EurIhjG61Kl0ag2D44BO)pwnprq z;Oy+k5^&*p0c=G(XbU-EXL2Kk<)kTAC5h5ZrQkOfY$CWwKmMu57rrXE`8~I`&u^*n zf*&aTE5Fm}_z0)1y?9;r@T>Bt9$6G~xLRKQ8emry>q%MrHLx=z0Zd_AJWXNi2`0`p zrZ%I4;mL7+p>r{aYsmsr*jtK-HH1hi;m>A`FKx$Sev{Kv!IP&OTDb^EP>lm>TRHLc z1O-?Pd%6nD8&9e$2ekfwPhszMETlh8VT1C#spCI5C9*zEVY8NCPQ!F7!eV0}!{u7> zX+*rjQ`2G40q%HuL^ZyQz7_*kGj{lh5tv6EgazBrxe?ZKlVKIbX0k>ieP{`&?eR@f zJ~dJW2gs42;{5pnfg?5iwEIUZt%;8^1>|nx8{)%J6UCPXspkD1QnuoL&l#tS>xC5V z_}ju=Bn;7Cue_ag^i1x425ez_E&*HE)|u7}i{8HT`8bZcHemh!&1qISbKP#1Hp-WV z4ug%Px$QykF`2s*A75QKvKx;`IAEqhk1z&AwY75shSdNOay|z1-6OI2Od`dkHJt7@ zp6$SUi*iLIPz?@nbfnCh1!>5-OxVbXu!K~V#VKNM!i&X8r;f&jN1VW1M8e-GaCW?& zNR(H+pfx!(9#MRook>>CvuB5;&Ubg0I{aq01C+3ff#7+l?UsPgWFA-_Cso`v3n^qF zncWFbA7ANXEyT_Zb1rpa5*789XZPErxI+%|ngj_UpBVkFIep#3hcV_zzUC8WZpg>pycrn8=AuwmdZp8)@@{xK zvlf)sNAl2rocu!W?f&40sF zvOn;2z*{u7%0xAJRiL*|mVsF*RXpZik)E$|a~CTXvV4K&^6__0LTCVWGbpNb8C@sv zGd*`SA}iDuICPAA+a*;-VBE046@e>QZjadAD0VI-jo7WOM!^vx+9@CXt8Y~z1Zq~9lX%+K{JcgRBG!h67Ah5 zITZ4xh)cRxp=gFvq)ZeTEhl;hSb;A z$-HkmDiu$Iv`B?9ug&e-bfXRS2{{~Dk`8$ zB&mS`8CW(h*^#fgXERBdd8W;j^m`1OS7GLWWS*-~Thd(D4u|z|3>ya+!#3#w#;|=q zuG7TU0Atv+fm=sk=Uvu!WRVuePk_|@{Eva@^h=0d~4ji%lj6eQe{kPI7Zvv|StU&eOX~Q&Iuxyhz>@sH? zLN&)pBbqEhA7#iK*K~t5nt!a3lxeF-!YIgjo@Y8tMmv=c;HMn-&)UF&#LAESR14sz zMF2k)N7rypuC?MYn}v55(VsvcGZx-lCpRcbTy?+`|Ev37lS!mbH~c2VbzgbSMpQZ3 z_08X>^ztkCpI}#Yr$XAu67*0U3W$y)o7aXjgwb8Nvf4zZmj&}-p!Lk`?l;yO3|5Jl zoa#>ib->V8-D-!jS~o`XQuXD@&+J}!%Mw$)w%F~n_f$K{;}x!8#qw}O8YY^z>*%zd zzCwg;);ae&?LmP%)`IFMp4q+id6WaM-wju1;J`Z?oU> zMMVdwM~#JB)-b47WxyDG8?QBGBwkeTSLtu|Y}gcvc<1~`C7QH*B&Zc8pnK$2+3&EHz!%Bc#$XcWh0zL_K-PG1*nT<0t6(=m?xu;j;b4+;{eQ^B5VQ zYF$D4@!SEGlxlhPe59|e_p!+$YDFgV~^BVS}!az(H|Jxh%(y_S&| zO>s$}E69MP>%+<%(0GEV>VH907fnwcE<$WiYXG83t;v!){D!DZJZY)ArvcGr><;eB zNtk@F)^1mx1`*|3Ok0g}e+B?(KP1z;By+haA`qIpHtp*u(ARm8vmTW_JuDuPIiiR{ zsSltLYK{n2mpPjqJE7&Nfjc5VBH7G6913%XB%uge$M#*jcY9$G%*fyB!jnU`onQeE z0&5U&Qx^28g3Oj*`|A&7!eol(SDn&=x~u1$!}hznTb+%a3vtG4-qn*gZ|UiyYF@lH zud}@2%3_fsw*_%LQPi6Ret@D*{-LNv07d1F^a`outhrKM*!b|p+y>QXAJLazjN)5y zay%zXz-k9(59>ztH2kptQXcxb=i?yuBru5019Q70W5<}&d^dS4PheBfXWRVHRWrfo zdih>b(rY)%%YL_pjkoU7I{c83Z^G6R_N%_4$Hzl$0HThGl-}H~VOQ=(>Kz`@{1i#I zojSaulAeAZ|9zJHK1B@MJmh;zcf(yf? z(uYxzwPk1TTRx{OzC{vvOYC)0;1x2=Fiq)u6)Q@T9JszsbmD8Hl8_|gChYLh9lMns z9IBpw8?cWki<;~Xo_bI;Ug*Ly7$VT`KyMI7!B#1(r9=gFwSZl<)Od?7Ny=@e1<0>l zqZTCBfH~~6+NH3Tk;@(t@{DmNW<1WlHoExz&2?zFgHq*R57$F^POhIwKWH5K^h4pn zJj})c_5bke^vC*tQ}$#1e-a4LKGy$L(uF1y^1j&yK7S&p@__-2c#CYJ0gkR_K|eSc zIJiF@G~W%SLmf%)V3FCMjD8b(n=#q=lkL>&t5@?pFLW@v&4EY8ns1?{T|q^!rN(!L zI}Q6n8p|WQ0eaWXU)}3zl*D0Uicr`0oSql$>{~jO_sx2Ga}K4bKO;ZatJvzWx!lo0 zD`>3klVe5WCqwYaA;d$+!064VXhltEnVvN@71cdB6;jNeI}e$qV$W!L>>E#nOlO2< z4sbj?bE*%VM|-Ber4}@-y{9A4Fg(3^#z#KBRW(K_b}{E@{ajCb%fJ*P(?#B}gZCQw z+^fN#ID#UKDSn|$!MpE8MWjE*4Bny?S3lyRy9!>jY22a5RV3@7q!sL9M$4yPavRN8 z_%##nU<=+**aqE9W!$`U{MeSd)Z{118~(=BjA8RIS!_}PNA3DJWw>VCz?a*VgsFDGrhnVhzd)QPWNNO(5m z$RWB>8x-tR9o3$f@5*4-FNHInZ-D8JRlYyvp})^>9M7x~r9!I~Pk?@`e{O{IeusGn z(nST1)Jfl0xpZg+-DrFNh`VRvRJmP#A_>Al4AFuloNyXQ(Gtf_ATsb5!O7PyWR36dL!>k@^uxnvWT zD2;sV;wud*4m%@o1L=X6D~B+MUPHaIAbs~y{Xq3t_}5mFy8Vb0E{^##Fh*tC0lcXD z00W<#+bUM&25*yZhoavxqYwg*%q)|I((Xngl5DtqB))K5FZD)(=tH^XJzZSgKE!2+ zDGO6j?^6Aq`tb99%+87HjG(6LBO~QI$}~RLsV-BeZ%uchgPh_fiyz*2-dR_7W!bsF zeob=3xn+HsY!hyKZfmFyoSFrPj)udoHAjzi3Yp1w=5Pag zE8lnI%wX&=0|<6RRZTxqB$5J}g59hS1?|4duF}GFoThZ?+QmiGGQLhPwAKhWU=x-v zQxwVZbn|ISZm50R<0#xX?M;H7+dLclP8!x~Ot~<2Q^B_Sy()}pU|9m12ZQ`%bS9#I z%W1&4>ihmHDt?>!<=oOy32{Tc=Va}+9P~7~nCe36k?Q<}sLV{w*bsTNHi*r6$+*Gu zKiU=M-itejV{?40LG1pn=g)akf3TZhf$90dO|TPk5(`NE*(I^|rZWxY;)Bfw zE6JI2Sj&Tb;%Is={i}$(nhv+lC?y2305GxnKn36~#umo)rc+2=$jVXYu3t}~DUR`?unl(OIIM=Ks!NQKO2)Wh!yR>V z-_E_PZr-vq_;zP!M!p>^W1X&H!y~9sT63v4XTK+BZ(Q*s>6L=f2G5J=?^vz1O~oRo z>NimeM)Y579C6&~`p&SIAThD0<+k41Af_Ois{d-q6wApp`QpkIv$>KD4eg65HQ%+k zRrN|U2akE^W@fZkhy#UV5>u9Zgz35TblU1OOur+#1o399bcV)@0V@#%4N^rTtAsAA zsPOE;FxfP_+6oMWOB|+K8+q8g;X+DrE!TLB$=${S_Y}Lt?@J?f3XQi#wJimv?s2?$ zZL0+?1P+{6awQQJ)*0Ja^_$cVQf|#ik&`yL-~)!#%)re{41=Jf`R4>H4Q}DTAVjta z$T|sPA-$Y__9EYTydl1gF@z%wk0h8MyYa&Ra!40X5KELWP?&Ie1oMW!9=gtDdv#|2 zr?6A$Jci|ifFq9|@Wah-Im2NZd3r511=_TJU9H+OF0|S%l)4)?Rv`s4%yNrdo_&lI zSir}uAA-ijzdz1fztB5?TRCz$3M2H_V|0YNHr4wWNN_*Ve6}vSlQDE>ejq=OL>O@1|(vI?0{kVOOc6KOs zwTXu3b1Rx$tC`x$@Kr|#GidA8xAm>TGV&&Yku%?#gFB7=47ellyk+u^kc4Lo>PR>7 z5rw~S=cF-difjuVKEnW``2qdMkS>tgEiO0nH%yc6OR|Bwzp86L>>s_IYr>|%7xlDr zS|=qpxIkZY`>>Cu`$k`J;bv?nnr4t|kpne9H7G!xQNg{IrwpSpID6mbWe8?f0kEwo*fhY%c|&&I$jfl%|9?w^1L=$TOmV>8xDA03F_fu?yVNfW9+KK7WF}6 zd}(I5vpv{9x{}=;chZf6DwTy)oV2yi=^pCRFEY=^g+dXbPcY`=` z+GJDWi(>%~14J!eP`reYQ@D0sGGjmd`c-J6C0BGmeSev`m23H8VuXMv9H+$^L-4G9?HMCX*Ow;X?{S7Z)=9#=_j8 z?DJ5vRUMXt66;+M1+}@4O*s}Nm;b3WmVq*mj zLW|+-D3W-|kS}q2MY7VB!*u%ZD@V&)^jU`8Yv9B(C!l<|afL*69h?UXrKIIDjYlCR z;h|)wxR6cr^0~g~c)lQYqQ~FDg85+y2{q|zD64PW;^XpC*Q)6Q1Qb#x0YqXUK?@v4 zn8Z9`?Q@M6=O|i>>*llkHTa^n0i>ZAetU*Dyl-58=F!r>ezzP6+OtVhxV14Zxo+fmIt#gEg7-}5_6FRT_n#E2r zFF%Fr(%tG0cR~FkQpD669zwWjbD}LQ1z~4o=(S*Cdra4)8Y=^ipk6EcPl$e>H-VsOPSGmp2{!4h$V*h8688D;W|P1GPDg(hTwTa~Hk$ z{P%Ae-*BA=EQ($u4j;l)LVd1JT#~E?imir zqt+kJOD%U@=K1jnlEQhjM#=Fj>k)ei_&Rgj%u|vW=R!&81@T*r6$V2paCvPyXsPnB z$Eo)ekYvyr0jp&}s7(0cNj-+|6hI_V%H9W%WZ(G&k9yZ^s})1dKXSnDgg$Svg7hTP zCoKEb3MV+RRYOS-IoA1Za@iP^m>Are2nXEb8Mt==MkhgIB2&fQQ= zJGz!3L;*^~F%XanFVMjZ&aN^Vjjig7)(9s}Hj^61xFUZUp~v1Qo8sB)9VSPUijV+9 zl!9(vtn+#vq%pM92_qD~Wm0**qt3edIm18I&DY?BH7_?;j6#`>8NG&6>e?Yw&e55Y zU__ED$NJcKCQOo2Q#wvJX=`WgD=uP+A{v&A10|(LWpiy|L)-Ri`2CUhRm#X29dhv5 z)x_(l=Ea#rdrf`;^Y&X3mh9d>h-o@n$STdkHy_546Gzd(Y!qG5F@{uq^AnvD7|s;g zz6|gyDIukbId28go)M(IPsn2xgQUhcnF(M-ZQA(5B{M}?KpHbh^g4$DkJ-p3R6ouONAI^;Bb5o1lRN-0>! z(8vXed>Ins7#YrrA#&68w~R--)JE3IUlcQ8*vLAq^dNDQL_u%R2CmadC6u%5eI%On zMW#-xMs+V#=|hr5W-97V+C|@OZzCs+;IQVIrxnuAV{0WL4x~4bk+U+fHCSXK9BXM?XKyNNS@2%ZFQ zQw6VNm^#8HVCx#xH9z)l8RJ&wgq!h)8QDQOVdMTC{=52>;&1x~U~>9>+g08NDC;{H zx*Xw{i8_WZ7zafLkoqln_Kqu{MGg&aHbJ7vd-bQcVmvtiYhT%rqtwy}4^kKZ{)j6O1VsoePjsjH^Cm5B@c+wqN zYlY-VOz_aTb~fiVjyA}??PQBpF)!W>Qh7rWE{bo6{d4LW;EvmD%4 z^aC*suUFhLnRk@k6_t<1&ORjxjaFiq+s0p_ylOhE4Hq-nqHIJwG6*VE;46>ce6zUY zp`7snu~NDl&XTD=ZI4{YHO2Jz@@aDJ!DA?{OW%5t&3%5UL3c$N)Uf#QM#A1~R;0}~ zX$S6sS4ag?_z2**Nm0|u_%znV>=Omr+;O~QlqyhDu+J(7 z9f$ST=V#-4wRRfF<#my{iSx3Pcde`lc~gnvZ@}i?k;lJ~Va<1JRqA%%R*uNaO5rMt zT(ZIsZKRf_M3AG9S&obmt-V{=KfiDgGTlkwm@RQ*y;^oi(J{@*PPW1ba&4j%(oDe4iHQNW2dm%s7Z5pO^0#i|AclhEqT6F{5Z_(gm?aO+ zGnuH5Z?Oa!(RG9?B-^VgB*dFJ##`mh4IKy*@9I|I&|PJmt(&O4;To!-c_2;Dnd#fa z(uVx%p?+AG$#UlK+&MBxZ@Fl&W1!SQ2?1h_YW&Arw)hSR!(K8T zui%VEu3_58Yo&}P7YwF36Th6@!wGG$WxKQ*;)ZqFv3^5q8dZqTz-tqfbA35+|K<~w zZ2^LQ@(s^`EzHeP?Gr41y|60-?aUwbs3SA*hvNOJbmXl%09uE#fgE z_iSD(w1lxJJIx1qEOx4+Si|gaU@uIpP=L3wGedt$tt=V?J^jJi=PnmHR#JE1Q>F`7 z!6jFzCRK0Vi}bjWQC{+u0dG25+{YSlJzEfU;+4;X^!`vSP$hg zEhmprb8m`+;`fM)CjrAjiyPBOi?1A`pQMy;hk+kBdz|Et9;SeYIqOEu>c$B6h-1{_ zV81m+b*i$i&Nq3GI**zpU=wHhiU42v%`YcPE0O1=(824mk0%W37=Ig-{{vkfsh)VF z?CnEunmD))FG)i-^rI^8rMf3*jwVHxqkA9jyx*)6f5q1z5 zTw)<(bOByoFko2K5bpek^qiNLZg7dqR8J-^p2N>t&>8$xDiOF#5#%Mz(g%G5N|#sM zd;H_d!Qh{?pItteup6lx297|s98pfwIco-*G(KUZ8jr0E+r^U7{>V!LK4&`Twc5N% zRH#m?|;8)W(7>CZ-c#DTX& z)bSIpl`A9Bc?^d#(HPg$hGVf63&E#e&e=i<4`$}YJ32qs_`Nz?U<={%Nq>K=EWP=1 zPohHON32!V?J_lH>BR}x=;cJysEF%eW#PA{;iqY5!P=u4wwNpMO& zE|x=$6D{Wm5wKsL%hAnW(&C*zyYW0(t5wQK16TRJxY=E*5%hjvY}<0Pspmb@q0}ju zj!&@9|5481&R9;4{I0^(Q$F>Q(c@Ktf|8H>htW>d?lHJyFK-mMp0*V{_v_a;A0SWA zJbemgPlc`by(O-xcRq-;);vlhc`NODIkj~ASA*P&Qn%ZT7|x(66~PFvTx_<{|gZjV$!y`@Tuqxz+DtuW;6>6Cl?O*;%b21`;B9-)k9Go4?KP?C-< z?uMA#W{lt0ob~eM+&KBj485I|tlYnm+<*{!M_$+0^80->_gP9?36+um-s`YY)TWaY za9Wf4tVn@6m&?}<9(di5+Mzi54+i0?&jZM7a@>493Wj@ETCKOGTm*{4E8NxBvF_e; zE4L&@=uEfVlYEMZ*P4pn82lL1q`5y~tl&Nno_$_QC!EKr{SkW8HH-%DjWI;+%PwF) zVC#m2x%lo<0^z2XHl7Qj7JrRKDo)_H%+Dsl6u$ueFcAU+0yKQA^aMJrO7Yq zC3q7-R)^mSlYP%AqRjP-$dKWzqj0^JR%`#5`=I*G7Eb2{OVzqm(WJmadS%?dpb84?K#XsWb`||P? zld-AeT%RVho~Qe1;?(Vuv6x}J_9N~0vNIav_Y2{L83dYO*an8)yky9acrhZE2(< z?gUGA#2?EtZxBN4yitUmn;!ivD}C?uesZm9OaQH+-I-tt@Gwr*t0fIGydxt%XSDO} zn|mvpz%q=Bifa~)c&flgVM!_QK1?-MkPX$DKKLw>E$prTcb_(-1wutgO2K3Mn0

N*l#(#QE8m)1#?4S!;=L7-na?bR5% z9}c#W_2VS?8Uu@>ph)kCRAxuU$%1U+mDTx!M{TDI?eSV^o6HFCy?zIp$lpGQxXP(o ziK6i7$7Jvi#VYd!msfDb)G;#!ONoa5pmCJ#7aP|wVzzspJ(7q6Z(4>FPW+%S+S*2a zBelCK_yc&XC6AV>A-A(6;9Ml}8vG^LwY13{BCqg9F@arYZr+|>jF#Oh_^Y9ceStDT zA%-Cf(c=T<#IMWgwnjBMOuI1k&GK)`I1l?eJYxE!i*&Uai_>P*Xr^ax77rtvZkp*B zHRY^`6sE19{urG>sFlv9=%R`Lu&s5=g1Qlc&Rd^M1N-dRiZTJfveYob0rE*5)Twr6fK zsy{JovUybM;A#&Fo}51ueVxNw4DL`5kxxh%vWk&kT~&Ojjvy|gx7SQFgc-lWx$I;|3EP%{lg=WLQoC3I9v;3*y_+ao5^deM)sn3s*hLcz``7}wkY{~)Bg1i?Cy-=Y?A%S3>qCD+mF@h2Ka9l zbT$cMkL>GhG%n1U=BA7K>sivM3%qlaHmCHEI9uMb?AH(zC}Eo(nn#-Z6I9F=>Tqvu z7=;pg+J0`_)p*a%yCl{IS8gu@>=Eaix!Wba+pQ+$R=Gu+Jj%eUb9?}+mitSJ7HQOw-R(b%3*R76?S*vR&cF{8Ax zjVaJ13ky3p@N#!XB^d(;OEL}?=*0$^fB=evqrI_#HOk%e-FMKV*J6@lAQ%`JkOW8^ z1iG68iGbi>VWB@Dzym*o2M7r8@CYbKNQe(mQBYAIqC9+vhK}_J4ILBx;loF`k1!u& z}d_5n~z2o&6hKMO%Hu)qiq?`A=$a6rvRaF0MBm>YQ* zP5Qh~FyS6x4hc{uUJS~xwGv>vunO2UOXo248hIu-1f9NN4phQ_)6GYq5P>MY+#7{| zYhr}|raVyDs4WKnr?D6x0lfh4jQ{R-;7Z6 zdi;MS61t+uKeCwOO2_y3Kl=!j-$&HngPYj@(P1${wZ>QF#96>1^@<2R)-(t2RdCXKw}Zvk0 z?)k~fwwE&}YbX0bK||Sb&-0UGF?enRY+W_e-Y;6$HLu95L$Wafk4QuC4mW~0>$4afGiXa!V&_a`v64- z01SE}AYrM10{0xOEOW%e~vbuhvnC{HDMB~BK4iiSJdupik_)Uk+T8a{fAeVQ< z^@aB-ZjVq)`lz?>^&RMvVYL?ZmZ6^~je#db2qWz)g^(mB1vM2+KnfzFyM#pNh{i$R zwbiYRhd%pJ8sbAfebz21uT&;V14L9S1T_~RrO!mLTwFbik`^$a;^MXq6k$yrPoXS*c2vawL1hTvf7?MCO;eda%pY`^_WlDY=8b2Wy3=SL z`fL|ZVDiqU*GYJ>KOdb?YchzezYz=dV7Rpy^DYj(MCYDf6X4?e$Tv++i5bgGVDvj; zf;^WNQ|~nX_zzKANI(9^@(=y^4ly*8^oA_m{~kS;mKgBI`CDs$wfjF#QL><_{ullK z6HWgCQ;xqU@&7}VPDTSPSm;uP|MVHzR}%gcux3Als9sW02~*L)P*DkiXn=JpiTp?s zSlyyfGyowU*%yirO;ZWMf06{z!0KZO1B)8|6Rha(iZ7uF=)#9q0pR-3EEGYX238b6 z#`=X253~;w{qP9}i$Vx=|AUu+!2*FE08bHx5WEDC5cLHC0SW{H6b?qwswqqSSTpf_#^kls-$pESKSW@l zMP9fn7Jb--3CFP2#t6C$$jZ-LUK#?vjl>Gziq^02q z6r3+gs&rJsp#=G0DvLL3`!Wg?iA)9pQTa+sy#GM;zLo0z2Z`VZRK6f-&|^>}@B>N1 ze*m(eNEl|O$1oJgWRb|^6j)>c96$hp5S+WRdj#mK=P())h&KA}! zQugpFgr*eq%x%ATH^|eVo#a$I(x1~c@19dSdk0dg=(m6n6CuDb0i8pGxr?Tv+rG%! zjF~47Qg=>6k5j-49IcG0I1Ivr$Ry%q*`p>(o=?CGg5Z#Nqpw)Uz1(n?GKO#(1?c=T zKh;=y5qr3`c#Qv?{P7uVZNIlp!b8Wg-(=xXojV!ORMDEhW-^_)8?G<(YkC2;0#o%E zI&xTjX<(rMU?zBEfEp@aWHNXt`wC{iADl`)#(Jp_f`1QPsKOL9f2~riM-sulu)r$4 zM}V$0ePEeki6uE9M!JZ+UI?SI>5g>zcOY$B&BU;VBQJ_l^AaO>Is^(Y_hGG*79H!C+dqzU z3<_sG!J?fYX;=y12g8I#VJHEN1(Fs^DNu3Mv2y!vxGU2)-5A8i0|4;<4T_ z0V@d@F_tg<7nrBWK=$2JVAMcM`mX^dK;f-406u&x&=L*&7a$Gu6#BfuFagznaSZF- z?~2fbFVO6L6`*~f!Cx!|D1xq6pgRBpwD8CL0-U}Nz;pKB1lS6VXiK};+-W0zvB8Sz zi!SZ>%Qn0 zDu4h4EOFM&_Tbhq=fR^|m0rP@%RMw_o9gUcf+F&lC=N?f zIq|DYUX?!z)>w0Q2v%HccEg=idbZAi_cHjrjf!+$5LkIF$Gbx?-KfQx?YX7owg1?Z zudRN!(iQD0`)14dt?XH7Qs2pqzn&@iE;cy4x{p*-9KYx+xxtA@s>z*}YW7$=xo&WO zMWk`@=~O)UYfS1~kg<}+nAf&o)JckVoug&TsJHG74kS3q^0>Qqd=+>t9`|ifg=GCY zu^@`Bj^dt5V#(F<9q7TDdr1?-1VRQQ1TcXHHbR`&Kf;lHiSCNVAs(Nu$>JJqPUYBY z_8Ujo3xzUERt)D{P(}50Z@qbin*PK}Qg_-GM<3WL$t8%~vZCDcvEjjFQh=@Vn`)lX z;Ze_|$^66{Z$=fyt%4Da~sJLnCI;~jbK#N~u zBobIQ7984@7(*w#cqz7mBZsvlI885?uFHPPoMpp;ZE%Jn$HMySpH*D74NBVYUe3on zx0_0C0P|!W@mXwz*uK}*&ezf8-mBm#{G=f@@6c3|-Rx@J&$EG9kYP#ugf8YpmQ;e* z^TIb8zVj0ZBrOSwkEel^e+*1E)&puR(aul6>=^2UK$OD4gHv^NCTmG!35GIGLDXAk zf`on4EP^8WU#mUUej3+uL%JNz($$R0xMln5DMODtTnh~dI8vo*Lsic{@9)`G_Fl4T z;qi|5Xv$}lR)XKsZxsw;aF%UxznUz49pKZWx zw(^P0c%2hYSb2apsOByWl^M_g!vsX|Sbz`)alhhOnP^P&dB1l#4=f?UUb`!lMegcq z4F|4d=ib_*Qi%`=L6>!nu>yC8#;ZaViAdH2q)!y2(}jNReQknrX?be{nBLg=0WJlKF(2ljP9 zz6*VV>Eq+s>A%=p8&4c!`r;j4Y?Mt`q;KWYAE&~*!m|>0MX3QHn2L4kE#nnYirZ|E z;*1-TP2!@}UJ5r&7$$cMU;G&^88dDOW}Ie`>bb2y)Kx3oeaQW4v`aY-Hfq*lHu(1|C_JJs4E#dim3d=hb-q`N{bF{C zlJXA1wr8nPPQ^)ezBSdwjFNrvW}2WL)=|IU^WM76C(i{KoCZmbVom0@E|>WGU$_v| z8!kG!&*A3enyc0rDM)@D<#A}(bBlpIsYd~b066$NJb?H8BYFRq!cgeXJg{Z_bMSN* zbx67c)wjxnKxpU}&|$%elz~Ao!ZlXDzpC78EPtzwNp{Z>Dqj#;qyz|)ne1MfgJHrX z7o_rqE`8`;g(dVy4M`vYj|D>of&*S%Z?Fz40pHmQfT(lN3CQbUClblxhnk)%D#bz}ZlZ%z69hDC6 zGESLz1sS$9?TaTzLz4{8hmB{9XEw?n_gHGo_8(Q2YC65}G_7_Zq^ZN%HwfEVxt9FQJ@%~bW1%M&$0dqRbjjOE9=I1m^79B+y1VAjTPRM6$@k+5sQ z-&Ic@lQXr>R;?Ud>xe)8jtyNRn0z5Ts|Qm2DVROZg=2P3Dz3GA+_>G~_*|1%iNva! z;59GBL0o4yAt*Ai*k3gPF(RTX5W|#C12F~>+OJg!f=&5s7N2Q!jFVjYuq^hS=M_HtOa0R|-oj<>X6rpVH89WjOlvE@uy>;f7+c3-9D#e4$)<})^qX!78C&jtTsM=G z6}1r4n6@K2zog1Kg`AB({@{zBTR}qG+=w z>Q%K+IwjIXCk|VZszsbZ7I!S}+tLDhh--=fo|5VY{Q7y5L{;CA2GRC*dI-aYkTUd{ zf*Ek(An{I|svc}%w^ea#Ey$_OK^L(qhh)o9d{gyz*~H!s784LMvK$=P_WD>uIuqF) z|ILDBn;EkDrp!|&6N2Aw+v z;~?%>*YxSesTC|h(SI!~Kp-Ug^%O>rm8+BF zv?K4P*QxtpYGro`Ps*N?^yuPsi6!@$PU95u=t&s+U~ZhIv*(%K!4`H&SU6%x!_K80nA}sY7r7Y4_WE27!Lb!TU4}G6<%ZkN5HRO6Zj{O>(Ki z>`0Gy18BL0zr0R&epP^0MlkT&g755&c`fz0>6Tq=f}cOsuFajK zamqDSQ?HTDRb_-Uv0l`10>jogPO@Qj?FhZpl+TK2B~fitdXahNNLC?}H#MheV7q)b zzk!>BH{AAzt=!SUd0fA7YfX)F5NRvYjNhA9LMj)UFKq-R;AOR)tUQ>Yr0qr0jfc)1(QL_?x6=w1> z!WFyGV}~@(gMU|LKa@;`!LUhpLlnYm={s!OwThcm)rEwYS&&nMf+#a>czGFut}~$M zbc6qF3S04jaa)l6xH(cYaNFXkGx6+mt~2B4rp2|V@&GmeX1YT)CqOH|0F*mvWU_ep zR@vHN@JI5*c7h`ED) zo;P9)%H}^7}lg?2$QJ)4uSL^s-AGa~Q10Slajl&E7it)|W?UuE{prxJ^`nwz7c#7&3SBPp*2IRX}hT6r8&w!;g9rQ2m=GdI=p zUB@c37flXZbWC$Ejuv(rT2cat8lQUjeOtf49A*FCepz9M0*_zfN&7o?JjwHJX@D#&J5x2kW9i?tG&poMiPJI?1h1+QCdZV$9(KpuF}N0A4}MbMb$iujx@M6%f+r5DDhH{ zyG*XOkrOoL`+mskxAtE}N#)j2;<*)vawO)*Oc`IH%IRr@@n`Dc8o5F6knr9zHFLlr z?bFMeV2hzz;aVKpXFI$5sIy-s+XerqASGPL``H7IlB+oN-|ycsGPEWeEVZU;4fAb1 zoaqfZNQ1w*=shT%`6%-$1T9mY!&-ml`*~Y63=<7im|$aU2ZY0OsJlih|NOgW{f=Gs(vB{IzL~`q{xB3jV1fu^n#g`Q1w>Y3zI7 z(igob`WS-jHGR4U*ps-KSOvc4?H{eP5zhJbtq&PtP5vyAqI0{FRL|5E^WS!VzUVxz zzveEZZ*C1ga;`ycS!w96R#+8oJ2Gl$V7*%8HN85z_r{F>3{FF%QBr!*+OOQqujz*w zMY&l(r}3wIZRK8n2Q*|rJqFZPK)^wz9W0opVBC zw{%o%^0W&jm73KUI;|;<85*;3OsH^q;8iW6GYn)yZk^QK^Tfd<%0VmQiobM)H;$y3?bb4YL% zgHH6#I$Cvm300x>zVSdee+z%x^8ly?OXDfcV>Sb^w{6Mu>gNtRYq9H5psGP6ZW}b2 zkL^nK8AI&+8p9+6IGEtmfG)lFWnDajFASTq3uki;SrRf49jMw(KGK-An+p4LXCfyu zWpWv?iaq8*B^bn4NJ9i#W_{BJAUNVnkGu!_|3nlGC%W!LGdnS*%wS->S@?_m1wm zIJ>zY7Gl@3dpDTAOf~n>uC~c#l(%%&{Py}6695?v%rF&ja0=v+gE4{C8yrjqh-F|} z2zL?hK!$3pryq)3wPNzd=58sE5Uw)aE&28tGk(Y@HWzETE~l(K8nZXbb)oXjN zTHyp&(;lab$|$#!O=ag#hfx=|>e?Xx7L~!u$ z8x#tm-(V1k3=71*q{sVM;{^DW?h=|>_>KjueIO@T-Ea*t%9)w}1~CE)%w9+EGP`LS z%_Z==S?#|r?LQm(Bf-vVEeka${;vT}r+msv2t*+S6#&o&RG9VNiv6YYJcu-af5-IC zr#6JeHMv&5(0(7H0E>$3zC-A<3}}4+skQ*-G|mpAtf(^qB=H#!Nuk`Ct;+fG0t;Q7 zfRoj@wcG8_%kslPu#4O1x?**BC`5TmTz`F*=ahYdHd(Wlqd~yBE<7r%liqzW6stws zvR0vZ9#-}uN<60oM^p|-ns02~u@(eLFj+~_t~v+d-tzC_@t7s4O_-c-rmq;3JH zNju7%L9V>4=#!sRh)^1fOj;)p4iJ?1L-JNxZr_a@6j9dXao2;@gsv}~BLwO$d}`7N zwMcOzMl_N`)Epevag4WbV;C7s-JI5Wlb5tp#G31A^dP&dwmU>=yFAW)31WJ~L`SdI z9ZBhTIdb^#Kz`aQId3-3eD5y|K!~~4`EyX-074e}9Nz1dz~B4un`h88aB*>e1p(kt z=uf`+K8pUC&1>G)=@QLL@5Z9~+otA%$!xc7bE9pIvUY+ESM?1-3f^O_h!Ghncso1W~-`&TG8a*~^Xp0}x?P+_|grfK3+SIn| zln4fesd~K-M5+-(YKz(YQWdXzeY;`0Sy3^RcYgHo#_RE3>DJjh{Y2RldR;c{>^gmA zj*+*MEABHfN#bKtV{GnL#uc^}b#a0kP9BOo)y-9o<(EIy@V>Y!U1LGw-l=N|sN%eS z;qBhS>JrswHQ}O4zkveXdLDfW_E)JH-}QwKT=YKvBLUp&d;-z{6NI4geRu%xi=u{o zLwZKk|G4x#SqrJzu=G*YabI|4|L%h1i}08+rqT4U(HrCJquYMuL0gZZ#5ICAA2-*9 z%k2YGgs*xx*=s&Ja!5+=XFO=5rzlEp-^H3Y*ARz0^_25+<{W(U<|UzVx~PZD9u$7I zEjfukSb!M!3$K!9am(29GrHOzTJOJ{*(Ocn%@L!TLMw9?#Q)*y^99#linI8PXO&HF z)SD-{^l@Rk{T)c4a>vdKq73O*m~)bL%{)pSJ20j1+G{@2)8|W&;Xwoo z3TTuzj0JBCinzt}1?jeOuVZLR^_RO(=4G4%_Yl?BQ^S|uiG3|HrRwt7_oft_62P+e ztpH1;fd>uP#(|ryd;UNpCLeUB}8EQI<}_BT}L048^+hBvBnu~y)LSb zyND6%^%%7zQ!8E_$!0b>%ytupe2tcwkZrR>h-a$p=uwkXbHs}3t}RV7t#qON!{>`^ z6ZEb-nwr;BHQR7nxJ%w%A2m4U!9R68^JXr=)_!ra;0AtPxw7$@b5)16In6qOOZv;c zX7dR;PsXe*EjG=NUhjoT9$j1BZwJHMoaTjQ4$XzykOryL7U>0*hpGM%OEi_mjiIh_ zO)@64Hgtp$JexDgiV)+;>b_l;IlBwh_5Ofb|C8&5W*xma3&-7JhcP@;|E3jp?{^2^ z&qo()t9ETFC+V-JvVUFH{p+)LzX|%@?}-4DpaE*e=>Pk9FbHJn*;s%iay4NnwmliD zU%UiH^kdM|ZthScVi3sbuWe4F=0~Hc6!DJ~go;`^tTlPM@_(i|;_RuhyQFTHLbhYvo7k-EMQd zK>&<0VCcWrQYY}J{W8)35O9$I{Qd}k*>BJyiQsq4RM1kucmu%`%F@m|)6!&lhn|J2 z$lM?tz3?k_=$`c9KQ1ZVX-VQ(IQqVwBj?jo+8d)%hyt5x=v5g%HLTJ0d@p`BZemb5)QI+CLc+x+7e*YDG$>Evz< zddJkSbr1umZ0aEO&BevBweQAns=0@PWG=!V)@;|Y>ZP47WcER#R9Zw-m+Ll1GV%#! zT`Gz=HP@&h9-}7T29T^hhr&->8Z_=I5AB7tRokE)<=F1Tl2S74BU)=kNs8GFBwny04=wF#mKoNtS|O&6?^63MQ)B*lHEv z%36miWM|DSmAO>Q80ma%n;cxEb4lbM%!CbU87zOJVCFP+d(k}0pgt>&vhk$ZU@cDc zXqiJGVY4P&ZNkBT=?fMatOS)W@=1X1D4*t;#Z;`06K&OTq8_93w0^i)sZ)++x&v zTaU$yotqe?j`FT1()MbzLhnE&xYoep3I@R-KluDxP5#?%NFf9)C`@ud-vYv)_Y?pt zkwK3UD`T8|9AdX^T;dDtB1Y2)qf30|y&OshU0$>uILKu==L_<$xwIs>;ql&xA8F&k z9dkA&hd22&GeXd(^ffw5<5cW-O-+u%iL-8q4;wwwTneR=`ydVHwV%Z`Pr~7vc9cwU z>U6xQM-CSkAo<@c?m+3cm2PW#)iTMY#={wwN9#Rby)?d6*4s`b+d7P}u)1{zRdm^f zu2rsc(~PALSG6_S2pA=M9qVx|3-E7)Teu+Jz8bwwH>K^mGO{;h;S9MqNI&g7bvN0& zJR59*^SptLuIm~1Z4&M&wvK8Y_Ec_@=4}VdYyac4cKgI0uZy@NCrHtajXV#=(0tjS z9#sE>74|nTDnO>i1I|alibQ?{thsvy4F-!nT5F1_u5$NTi{dPsxALYtWQnaScBO6& z*V@$dP5SpKsj|0Mi|m$T;}$xsvljK5&bBs1W{qo&+HN{S>K)@7&2}Z9Ri`{{blIwT z_4pww^p`ftd-XhfLA(_!n~wE8y7LZl&ur>#9Lz0kkNWDzxEi1zn#oO3To?BqePbZ$ zQXqdRqKa}#1Mw{MSTwEek+Keowy?3SYb=>#2-49hn$k`6s^+;0-H|QFnZtq|0A$Z! z2JkP7v*NEJQEB90Kmh~9m^7eW5bn$~1c#ky6sEk= zD14PVq1sjGGxg=-{Dg$$`@xz2a+SGWeZTZhD{M%Ij z{_P#tE2LfnKy$(*12ib8S_RxKvH+4C+Vrj5Q3pq|ANEn12^(etLR=>l~0*H^s7sIB2lz5(a^6GoFp}{ ze%hSSyKs=2Mr;!5v8JRYEe*DbTex|cm$MY*RKiGr=S?uV{e&}FH+EAp*MquaGA&bg z%os99$FPeo-Jl{XrMy)h<@xJiCm1RT?v=k^wET+UCB}FE*q)#Yqng#|2oC$&8KY=KOezgicAAtx$kx&=#2hFGPU76hc5ZPzc3K?>A6$NgBGJ{-PX! z-*2(MWMaEMkp1(F{Lf`C>U)p$A4(kzGW-W=!rkzOH!nqL02jBHqJS$K71WnSA0UeA z-dz!J%7p%Y`(i>pI3EE{oIni71|SCf6rnzy_X#K(00hxM$6gCK8In@~a}9XaeUJd0 z68$8g@q4I`A`nXhJp%_}P)9_-DG_?he2))Qf&QT0iGWj^uMgnL&ie=i3j`P#B&Z)g zEFv5T9szKCM+9MG;vhZ3dW=h@PsT39#LB@e{}zv&jZ&0?nuSyN6OHc|z}Ni&3=9Yc z0rr+5Yq|MNAuG5md1nS1X@Ccz(S7Q#=-*&}WPjKA7rg&~{ZaZ?!Cxtjf9>d>3;xUA zfR_KG27r7IoB1`4zp{Ujao^=%)&9b}FSsB6@6x~ey-)p-{WlK%y{UVG{=oaI<=?5l zC;(9Y-p7C0JQOcnRWEHb(i&#Dc6&FLI@suv)(XbA=Xl8(Da+%#j9z-pdO0^rt%`Lp zO#IHx>fBH9h2#~|Ozuv*U_*u5tlSSqw-1`~jMOc8@RnIRS1$QqHkO?s+uqz=E)D zW@3BUVLTsH00|}En$C)Q9hZti7F z{mb^TLZf#9C#ddK&iU$8H6O(gn!fF-*6wR}<%rZzF35}88V4Hbr_7KV1cM@b;L6I^ zVs$}CXY>4w8_Thr;S%<)@`dMTcN%#es3%vC*~z!3O0$g zXAKq}n{W+n-GTJRB^(Jbg^BR5z7?+b^hCIP^bw;o#!Jh*1GO7pC|4fW!7<=Wk@{tB z81Ulde@lMd{5r-1oR?&dDM`S4)Q^xe<0#g%`PF^@Op)Jc#c%BA)f$m3U3Gwkq(NbU zg(~xhmH7o3nQlQ{cF%3}t2d$Yl^jOLLOgUW=aWiLxIZ0%lk3LfcoZSB+ME3;+zz=f z9M^ti{5mv3ELQW+tk7yqk? z7ysK0{;yN`KWwn>e~m4B|9|lLKS%N64s^{it=C~{ue~Rg((6$7!i5^VS~nlZ8wvRh z0pI4Wc%#smPK30hKDZ{j*W!b{%FDDGS6eL#S&k9Uab~==UuHuDA?J+B!==s6VipxRWhWT zyg9dm{D}x=iwGk2a}0tbf9ZTzzbK7No!hjixvMk$+wCDUtQdy{^%$E%JT9eD#F;>C z#mxbH5AlybvR`tgASc9!YI?3tOv-f7IXe~WRAvme_HG6>*o4&{cHe=>*3wozX9NdA z9Xp;F-W2=@D9csu@66tX5s5{`3a!#HWGQ@Je7gH7Dp1jCx_CiZviPLsWYAV91GaJ^ z?3)!9IW=y4d9$L2ptJ^p+=bp%!X4fqasGdONtWijboyqc44QKr>-^AlIp z+=kRsjto3mf5_APQmbX`67b2*)hVkNEQD91D{OAa?!{DQxZ(J$LJ++|q+-Qb`cvd( z&D%C?z#(rnhVTfkAYn5(b>?lrsBNnO_$uav?T9sv7NWUq(?a8ieYG7ftBhMWux8YXp zc3u4l=cyhI$V)Mv)-R6JemoGRXHzmvJ@I;nsaPQ$IaETK0Hti!pM=%-%qREc^qpC1 z?}tvEpS8!x3XGljAFN@e*mgR!-ZngV^G<2jL_VgwX&#ZxR8TG8Q_>Vh;d|40%B2d9 zW6|EI2@p+cxltjedSc3p{IUzHjP6X5kI4Olp_qag)1SSBa1^2~ub;oIz`LkTwT2|Q ztuMO$TOxkW#HY0Cv-r4Un9L)2i|+_8+B&_@L((f1U+L+{_rs34EzhnRKEGUJR$kxH z)8&t~a?3ltoGa3a@E*vW9L=2(Yjq)h*jl<=`C8i|Fo4-yia~$HEOq7%L`0fTXpkn( z3Kiv(q}#K!jF&`Eq_#_?ep15)(O+@7P1S7geUT{rB@~%YzmCoTrJK!x46dlm zMlu>HcuB|gOTFX}gPRU|Bu9UG9*bYL%E=N+$vd1f#xDrGVH1Xlsvc6EEuyb@&4kih0803V?NT7=yDa;~e7 zbA`kWs(1m|bMSiV)! z6q~VP`VEJ|t3DwqMKSXz(Za~DnT0Pd*?vPClfi&%)H`L@S}SF-prOC(^)gBScIKP= z^AfhHUASv@l)6xAGhZ&);-VNAl&>m@lUZMP75Y)lOEjtSsH#d)!X_wAup1nXJ}eC2 zu4yh>s)(KS6u`d`E}32`@-1-2y08*68FzQK_E6zSz()`cXhf5zwdTr&-+rsjk^)I` zA0@QbdRW9d;;Uk!SwS;s6`(Jyxf^xur3gp#)LuTfrYK=(W@|X+A-_vE*FNs&dRmbW zR3rIn?^SEC0{IqpD^hgg3q)J2Yw#(}2dQeO+)1?#6rzjfpVDNcXL@(3>mf#2x~t`t zd|S}tgf%}2(gO8%9`{ogi@9kAB@MDaCKP($HAPCQ=BSH`F?S%5*xsf3W83bzr0c2S zk2?@QnWl7Ulvs1SlrudI&qAbHaf8E=ZOzK3`U4 z&sAcAK*)W$Yibe)yIra~-tg%I6tj$Sb86wzsQ&JZLlgO&$c=>1#0r6 zrk-q=9C38tO#;~AZ?t;q1~f&OVH6CH2+8xZOT=jrQmr0%(0!}=mg;1_Gx^~7n<$-c za{wZTN54hb$%M9fQS=vF75xbLR$2tzH$~jem^0fruBmcQ01B!L7BX6h z-2*iD&oW;&KD}L*jVt_C?jcM#5hwJ$BJlzCp2^eWAD`;5IsD3d(cfXsGd-d78&Fkm zzUH1if6>MrXl5Pu{!G&)`hxbdK{IRioBh&ti{-==cd?x;ES4d`Eg% zY)!diG`xxx%>NgP$7J!^ZF*Dc^?I zD|S+_z8$DJ6Z$A@C59Af@&f*ITPjvbo_VJQ`K0#6+n*$tec5-Q9^DD0FC{!ZLZfP> zFk8%K^bx1QM|4x>HaP2v^X!dH@&5LKKd_kSyNttie`3lK{6t7(ecSIV<8QzR>3Q}R zlPdBjXs_`gFkZ&b$n@u_R8Cm;I8n3#8Yz2DekrI!!Ux9RIboODvR(;uUqdpa{L4qA zfw}4j-IdiD*q>AR<8@@{1YraNnD0QXr{=fV6?q!FFmH@f@b#@ZwI-%#b>@oy4|#7H z)Mm7X0pg`tvEWjQ6o*gwSpKs2|e3^4{&ig*ks|M`{Y>WS}3@X!j)}k9-h8slaEFA49wvBiaU@`uw;gI-jpnqxbjhg&(HUGRIe1rl_3 zRSGeLzW!xF@|jqryJUE1a4~vtBcjksWa7{AOu}K9?6a5vsOtjVKdc{|?|=Qn5_mRm zcra{B&Dd%z3Y9-0XvOO8IN2$G;srK^s$g8p{lzEx zg(=a>FXSI}=2N4+Zi)A3^0Ny|7B4$X%0$+pk7=+Y8VY)*=;R_RbttYSSl0X|bx~N@9He{HKA3Yw$}g3re;#m>xqRuv@unQtnlnLOkzywMFzt-X0Iwejg7ULn0l zWjIc90;C{nheghV0~S=b0TZtY02*eg35tAGYc^;hX(q;IE$z|H2t=FRlmclu9;1ax zwItMboG5h*4=382Qh`=Cvb9lD^)&5?IK#;tHsMasRX;!$I~nfrjR zYW&ns1uAWkZ2}1?nxn}T3a)`o6^R_RgzX3wY-(qTVsiiJ^d64wmZ|$ooX^b?DKIf| z9pYFlh^v65PO-S7eXXGmL2Z=}vvFiUwz$Zusl>a)L0mm*tV2Q^{1ZHtf*OZS6Cs$Q zq0}puszzgkfcmsLRqB?rRoFhfF^9%u<}9fq;pFAW&)zp5&x0>Uj@Hy}#9EYJWx-H; z^Ob*TEv8#jPQY!5R}n(3woB7f9+J1uKJgQ~T8(``jF0~6V5uEu)TWT^K1<{pSpFNG z`t_o3k+HR(@=j1^o&S>;Gw%-)_uyG~4x3yjm(Xp_Hve1x_fF*ns7~sNA9F>jUBB7! zQTDsF9(O^j0t{hdai@GwuQ>EyxpQtx*YTO-yj(C#a~41jcVGyO(?2Xf+e@>Azi`hC zu?DDgt9;X}3xzGa#5#dsqWP;^Vs`_Ve^?sVPy3|=hN=JJefzVq?&evRji4);`Nk9Q2k7RvT zQ97>)+>W)g_1v~@Ujix;u~t$PYUPI2cFSWcfiA*;<2r45gWodImEAoCC4ULRZ&dAU^Q{|R9!+zX%MlUZ zGJ6|+pCfjQ6iJM@`s5UfncS^WidQRI+;_9Mq zC+&RCq&ZjJg z4@Slq0xsgo6iRZjh1PC+Cbv@=bd2n@=Mn3Tv7KaN`(^%t`-xj_tIVy0Fr>n%D(5@v zT}9SgEDp8oa%tJvPkaeC=R2Gd<*LlxR;{RUflWoQ6H*r zq|u(MXhSGp|25RkVtfU<%xfim?Tz132CRS8U%Yl<=2>RnML6&VH00Zvn3q0I_C-S* z>2o4W^xFC6t~ES^{~_BhgXIsEV#u5-`i^K4T?EB+F*c9R@^iY5<`RT+X6L~Q zPzQcee#sZ;<4(eyY=zMOp zm5qJ$XQDC1$rdu_zG|?J!2g-rY*s)PShIC}vdqEo^J;=BtYO`OSzA*YSQ`RtqoAD+ z9Bld@RO-nz^#W?=12rbywwnJI0JE7gYX-TiP1`OH!)$u8k!2>v; z(A&YZz4EHv%<}T1_YL{4ms|mhaXBMum9!D!Yb?^%E&QC|?6QIAiCpXG z<_B(amOwgv-`>aLYh=^Mbnm;0FTRb+cwWXf+KxOdmwMhUO{o!6RU+&~eKpt8x<=3A zxQ8vnh$~9WBCNqz=gxtrnBE3|8hZ}LTQynMtvg^fjlbgF(99F#88|o5K&kRIsw0%5 zr&d?CZX;Or`FYB(P+JG_>b=kS2f`5$foY#*%=;Kz#0(tXEsg{+n zob}Ip30mr*HaffQ3}GZu^@n}F@UliawvqV7er7|sCDE|Qb$lB&GszE^xZEOfD?h`P z*F$Abn&8y!x0Wwl78yx12zuYLmpV+p9Juzf3G?(+Y_506+e<}i&>6KfwmEcziBMDG zm0qQu$ag}Op}TrPF^t@PtsZyQ7w0ag1}nsIcXDC^MaW6L{(bkZUn_xAt#t|1^qo&p z%SA2z`#)BU@vF@KVQJGF?U;RWK~IDp!lB}94x3<&R8!$~^i*?;#82-d_o7OiP*VX& zOPTg?zzh3E7*DYgxT#fx>cL}#iPIQu-ej`nNm5oIh@MX|DSuw%#rm>cb-G@ZG{;D* ztt?QEx~n8f8!EUR;EaZw@CLm`Bb5bLZxuYtx38UQx6hICHj)-tuYE&!yyv4p0sF;R zSQ3Z+g42u>ADgPH)(!il@OWNmlg0oq9#>JeWSw}G7H?!+g?&K}m9M5uwO2t04hCKI z=HM>H(Ay+&=|{JonNtcKH($c>tNMVRQT6X^HCM}Qcj|IQ+T_8HOP?&3{Txa#bNjpB zAr<^!`C&9>D#j!-cTWZ9{5D?DMFsJ(#bqv1)N@%tbq+dt%-*SLUufp{CiwEn!QN!k{Q<L5gQRaVhIt2_EQs1lJhmETd zs!`(;%>GP!jaT<_sR6rz{oYB4t}m)G0Qf9_Cf-o}(lSAtz1BW*uEeYKu@-k1>R5c9 z^Oa*L>8Wfr$w=fe39wAH4w}^&Aa#DZW+M99Q)}4TX!tv)5ue(=qD?6ofvQ4tVo-bc z4F|Z0X41GVe*K&$i^HaL<8gw}>O!#xNUT=dMXas6eR-Lff;K#G`8`kn9}0wc#T|fr z*2$n(WeyL%eS3-hSqZ7P@Lpkk-J*3q@`xPa>@Eh~+n6HhH{0z(;Y;2-;cw8r^0rd= z{o1oF&saA=76(axFt1059=7L@f-DiP5`TEO%)U-mvxlm#fVh?{Q19x<2It;3pIx$L zPQmK9icsyNkI??x4sv}RqHT`!J?;6YNN(Z|K13Y-MzM!Zm}^`9hytiG%Nu%;j0{2l*;=Q?SdtkZ-x ztX*s7_;~mHpx&>IR{7m_Mrvm%n-Oax(?-)k@(v@!bIKKOOys@HnhM!>QA_3RKitt9 znyZrt()Ok`F^{)Ia&4tZz`afCU23O;>EL=mJ2N&(IFJWd8kr_1Uw|-15}82GMn5c$ zO~9x+@W7&#X;zglr1;&C1*aFw>vY-Yq3a#i^-V6Hv&$2VRnpgrkMOWox2)iXjdU^C z(B#+FPvDdS+3F$C#+6J9yBie`@90#Ju-Kh_j91OXywSFm%bq4gjV%^N2^J7!g9P+m?$2O^XzrKE2|r|&?lgVDWRd-aO+oCL_-n>WrIq>^ z_&N;Oq3@NDD}!pLReo75c(1#}rBh=??EN|Pp@-#MH>0-z&z@c5*IQ1q{zVR+6$|5f z#W0UxwPNCcgZuIGqynTdKm=uxLl03UIFj}6^vH86<_EH&J&AJKt%l{0i%Q-ff4*RF zf2pSoej$|4Xa6e_Y>hi|6w_~L_eodlP8J7R@phw;rht??MFfI?C!<% zsLF?^xva@=$or!oCc5H>WQ8*$7Rl6&g0UVymE7(9I5JoqUt?rlAz=Qw04qPmu8?2;37d$ za-&JH1@!K5p~b1fT;t{(#z1NVfHKytw5s-I_G<*$bki=QyL>n(pZuUA#EyYsm&j%S zi8a*?{dw0{z{Gb8D2Y4g*K%g#yneEKM(z}fW9U=ScIwz4FVwNAQxnA>w1Br1np5{` zW5G!1o#VVCy^iebjpvODhvHU6bTzWGp-;6s{hD96St05%=A{%**4-c>Yf$UnVp@PA zWno8cY(v$G99vQda(>fRldk1sMF(L>>z~rQ51mhgbd|YiVbrk~H;C|61o0cV96FdpbOr@2-?Y=~l@KMOPv;m9+^+?akEnn#=)>3&HzHE{J9xoEXP}PntT}@ETwq94;lVk`ZzIUZ+ zK%m)PJFkrDRRb?i1@%x|KCJ2k6#a-wu8_}4E#V;tQ0cw&o$c^r6G zibrnCHs(luwT$Y}$;yDlX^+wz>j}-*DfYEx7hc2@ho z$=0Xw@tWYXE+9vduKB+Bz4W+1&e{;?^o(s+V5b2|+UhlzvT@EN@_nh97z2dlJP6e4 zU^hj5)X=O^n11{Dl(Y9sO=`U*o8c}MmR6;rP(fVFkOmBgw_sou5foH+2WV9Hor(}J zUw(87U>&AWdGY@5IXa-*ahmB$T_)!Phu{AfA3&Qg_s)oqu<)C$t86?A1nW+w;t65X zdnIk2yEdR83WGm+ZFGOuTxNmA%DNDDB0erS?85L$*zKwg&(uZsYt(LRAnCsA&V>BO z^TS7x9hpPG2lG00rHE_j*YV-R>MnT`3O=j-uTfGn0rHX5;!BX(_?PJ zPC+z9?%4!o^yzOOhy?RHeyjuv$lv4t!+Lew<|LIvBYVq-Aq$hJXR&ox?)TSk=`3an zzJ|s6YzEweX#U2-lM1s{wYwDe|2WL#2Sk=wtV4{fjClUu^{HyD^Z33f8JM>+DiR9A zg;@b;?NTGAnL-C8K!2ETMyA%uFn7i70lgV>Och3w`f#*yKO|ES$;9WX9W7t+#SS1d zSo1T+v}YJomDjDz>F_e2fOMwf0!0cTGrbx`> z`14&gw)O8p8R~p{kMEr7xd;7&{lgZ_p2V<*#gbu25IvjqZu~hv4(PP+rOKETX#70=#dP1sx@J3J(uyLY0wliE7V1Zw70@4O8 z;~Z=WxUa+={`=)!65xL5zLrfmry#Qo1)%MDZU*$di;M}UFpYb;$z2p;Ra6z%`TaoE zYng@|ZO#;Y`dd0+c)i;3K@y`Qw^yq0JW3sgEx6VQ5XPv&W=G9Acw;qzmM6Z^mRBvm zsUWl2Y3nJxIOw|j*j1bIJ*;Fr3q;So3ea}`zcq7!cXHrvO4*u5tIWiZveRW z&dP5Z!ZGGm!>Am~?#ecwkEW+X4Q;x`ykO44oQ?+d5aNe76)&mHXm!o~Ts~y@b{SYV z6jL8MWF&FM){RU04b>)xDIMhe!%8P7(L$rzSdV||fz(q+WhP2?>HC$>zWtHT(bdkF z)##n(d*IB#CCIE1<#9w{ExIvOXphjotV`K7WBe*)-84yiTD=xVYOO{@hN>7XFfU#v zrITo6HzC=7)`DwjTaVN4>yb)F`wbW4`Oj&dL-%|rs-tj$ymJ+;zK9!XTiFh6JSi%wDy<`2jllIFb zLjA{^NB%ppR68TG49Qt;hMk*`Unot15Sp8{@_jpJqQ$u5(_r5-de3PeK2@65Bpy8> z_K%In_x{5EhDz*j+PT(5+{kRjPQK3xj?ulLwjfntZaH%Zw<^mzxhzn#`r>fJ^E% zhQ3c{d$lC9ZWhAhSb3a<-(dz@W|UZkXwgcGf!A1!>!MHRh+VHvE$R-yd;(#lfkWn* ztv+J;6-6#htvi`YxD;r1e4U@RO-(zeO8D&e!4H3qHT^C`d5g$8%&bd(au5+uneo`+ zC3Eg3!1-;$U+WOL+0|im3D%DQ5VHi*$y!NifhqrrVJaGB)wy zz>>6YQKKx%YUHK7vpTs$8{tzEbl70azSU^_b=I|ieqq~WYOv3sWq37DC@9iK$Mept z9T}H`0?=8o8TDvGGEngVzIbU%tEpbYXsP|)OCtU^{e$C^75KG~Rg#v<0L&^D*~pM` zlwvNVoX>R37&Z=^a#~vW8I~Uz>xrrmHwhT=rYc!W9X(K&9zeIrLjx4-trnP@1)Ve- zuw_i{m-ZyLdzTLINd(vo|M2fF0JB)@095*N*Kb2U^dElq`zHCL?Ds;%;s5&wzH)uS zrOetQisvF7leD;Z* zC-Ygr#GpRSYc+nwFZHA{)Xvn5y9-b9{$!%CpyI{o%O<#yTEOi)`FedXj7L)mOIYr} zUC|GaY+hIRC+-%zp8na6aEvg0zC}1vjpY+(cvnL{ZVT{T)pY+$%LGw!9zy3wi{k?O zflwy_w&5N#{E$3SO@fbHQM*43^exHsC0e^SA|d$)sFn|Qu$Y&efxwcByx=={LjtP; z83Ey@|4+5*U=>bWL&54$m&m(DFlXaQ-(}3nukRhmkO^X6v>{BYj`_@w(GYqO?(8D3yx`5p#g4u9|b7!%2-c?hkbUQ!0nsFotKuQT% zg%Z~c|Ga9YBnHG&8~npcbo`-zOt^h5__!k>R4h~Z71McYtNZ4&{cd!-U~gKHq2gOG z$90>Raus((^s|^%hWVx^n*afh!y$o@Znk%bQn`7ejK|S4d3@o-Wr(N~X~FAF3f-Dj zZg?Q)dGjXd5-kXJYO(o=CBIIi|GU|DlQJo2Ie&k_OHRKJ>KjN>rTyY;XS5 zl|kvL-Ol}|Gg@>8!jYlw$?farZr^QFMod|XR`wfzlCmv=6g&s87@xadpWEBn)%n%4 z#t@VHxPMr>G#W?T84=5zc|_WU;{BMm?$c7EP3US#nEKgiQc*?o?A+^F!Ar#u@hUj~ zHEYU0tcVs%2jbrmFNb}8*WYAAhw8V9=JjysOs38?@AqMebs~3(KdfuwLsR_LE%@CA z=UE+KLsZM{&1{jCt%!k{f*r`$CR4lk#;nnvYX@slWO>mq$n5RNmDjOsn_f_sTT5&u z!Gbl2*xnMl~q;aIvNu#&WWAQuPaZru)(Ebw}lirJoDEyaL)mT9St#I zl6E>=LHOld+pOkfLje4mN=)BNpEy4e=x<}LfCT094`!F9l52@E6uxSe8+(UZn)-ym|Sp***|F&ZCnm2b%(z@E=Tf{5;_O&HaHD8VLA$F(JDwzC8{ergk(kd-3Xj&B z=#x50d3!zzcHk`*igQyq`UbrAeVjGOEOlQ*H9#kE|E8P%VBo#`R6y6JDs$V(L<94N z8Yc9_fORhY0%m;p*pLE1TAoDC$Rqd&{zsX$H&W%vogEg6#&?*0luu0>)N+)gO8Mi(G#F58{8n8^!mZm23SX zYGmBdwVN|C zF?6+`%5o!Te0OjIUcbd{HPfWYG5B@gSYG?G3-!^aePNXLjK5^pC4vJB?hIDVUIT0f zhm{AJm(Toyz;)c65+pJ;OT#ZsSy!J z5Ihr+T`iI8TpCyp3{m8M8Cqp!L8N*oO7z-W)#%+RY+1?-;N zR8ggiP#Vfx(lD|0oniQ|;_AYh&@Eo(skcN^yp*Y@&U9;G;ir7!rJ|-)8h^?$bo#=+G^1L6r4Ny*(!>a)h92`E7!S#{E(8-DaBiwwDdk;#-d@ZA8jT*Z5?mSzj05{*d|p$b z^LWnz5hwqv+ne)9+hWC_d4zh}GD+Z@7nh21FeR+Z8e+F(^{eilAD(I9I?rxLac#E& z(M+$j{SaXK1?EyQ*jgDr_-3v6pr%Q&*`?N0l(0cFju~O0$L{pz!|nc}rXl__??9 zfJ(59^65$q@IEZ&`LPRv>EV}$&&upiiHGH@r@JXxIo$KWsvfWnVEJv%%Y{Y-(JxXE zq*3PcR9FJwbp;i)*}&h>4rSv!g{FFChKZy6wF4*N$s;^eIRhw!p2(|EY7Uj}ky`pg zj`Y=MsN)5?7BPLn7ehxrK{$#=VD>6pt=jGY1BE^RuPN>dn08`hY3kGzF&Pa7UtDN2 zC?GT?ZpTk1Hh$4aDZ_6LxN&jQsBr_(8HT1r%-Bl2u`y%@dCFr_lUf*I%w($S@A#CI zJDnNZJewc~lx6y>y=Rl?V^iIS99ys6)Ttzne#=}StbHR9R=m<<_>Cuc;%bHuS*gTC zr(gwvX{qNJ$3vrGu>?-h!2St2CR1I<)pb?1WZu*W@%_oKnS(8q&7KC%fBTv3VmJOX z!7ybnuM$PY0O#hWn4e%vR|$xH>}+DLPK@Qa!#j-q6+ZFkE!X?DfXZhG@s;}#fYVD&J^i>KM10Uue@xD6C6L$sW~W#?|} z;7v^Y9dN-W$w|%G8F%h3z zJYdpAr0;K4^>HOpep>6zw1*fFCK{nJl}OA&GA+TM;A|WCo)K7TqPX!WikL2~O*OY$ zXQ$l8_1+`fR>;*pjIz~h7Rb&}il>m@O|&%aj};#I<8kichjcIR*fg@Hr#l}tQxyRz zrkqPEaH%vnI@9BXN1RFA*mjDVhOr~X=w)O2Bc84M;*d{{skmz?qlzG!^p?P*{O)+e zx6ittT50OfHZ=wZc#e z>U)>EVB7Z&ujy>s8QAVWcU+BZKrnGIU}$^L6C|1;fH_Qp^kn?7?BV{q(I^rS7XS6a zYF!!K4waHzhki=6H@id6+9cU~@S28}9OFbb|(`h1cQa8E979~@e_T@s# zGLQg6>zKE0%pXTS!IAHdi+Ow)SCOe)Yz**kw(yrjL8s#ac&F&hpia_v+;B0+A^O1O zE+p|2W?F^cvMOdDUKy~^R^V+=UN97drT@c<%i5BE_UN}Tp2yTUVB#20=C~p>u|->@ z7(dN$^mLj`lQ2z3=&6-9;wfoPqgoHdQPl_OGq$U=h#w8deFR#zBp*zjf#pHeyO(0m z7D~*sXdKI%}ttG zKqFl{EAqpvu@y(GptLK9ZOy55a(i|PhZbo|{Pv?Fcb9Ps$SHY5Ohkqezlq3iEDNg|GIAAW&TL-djDbNzFa_-OvN9y1X`tdVp?@wiQz1X*|6PzSTuNWh{|IgLkJvtSqZ*1yZ8_RR-&!_w z+;pp-20RBCBb~~t?E}{}#Xs#5-*z{D_G8rTSYzyOHKvqpz4B?}n|76PEgbn0u7uWi zI_W@~Y76qcf)y5ilZ+AAn)c9d@a9Vk^tEr|dp91h?;+EKb;)JWmfZygRjyJAB>rsc z`mSw)-&zQ^xR5ia{u=NsskPbBdLs!78Kko`F>%+Z)sVInSI{71?o!{Wd$qKZ$k>&-ls$?YjsmF}#d>#*nOTGf$na&?T3Z?(iH?s$|E{+^)+7MJ+R#r86i}xnHw@kY`@*vimKs>v zcO{UfJnG)&m&?)xm=)j6UXHi9SIh{U>nRBe21n3C+@?Beiu$|&@&>OFC&7D9^V8NBuA zZV{ZK!_6P)wvcOu;Bc=6`haj$_5FGSWP?5GNyB#R`s}vo(#+g@+aVw29fFUeR-I_I z20m>Q)OV1_b7|A;xI*%!w@XpZK^JW`n z*rWgGDY2W;s64K2yvUmwLpXtS&qFruO`^j`<$0oGUG>ZV;B`gEc{)8jzu;RchQe0}ry({5bwC*TeCp_+Hv{ar z!XqIeIxC`VSqGvd^tAHXU zD`(}sROgF}mnfSz$S)KiPvfnlHn%aTr!*khw?lzV14bHT6h9}NCh!Ir+W?FTBD^ZOp9& z*oxiKQaiGkLTYk6;9av2bHYH57uuBI1EZr%_Z3AG(?bgPk;(}-Y7+5L|CP(}EzxwJ z!uZI1i3UZ(rS=2lCDibse0UrOmGEZv#uDlv+$t_q>qfj0NQzrQZp`kSD71%?%!6Sj zr+4~h*4~oE74j?0z0@-f|J0cCU>vE*NGo{NJD!Co74_QcWiG#fbJ9$^J7n8D+ml@a znKSp#E;omprgxRY;!HY&N4js$5~%x58W>;LU?E=xK8|NdiYNadL_0QWdjqnNAXrS{ z%|5A_A?zSYn6f|9rpumnbgCz1wE^S3a#~oEv$0R;b#CtGKv>)EXzcnuqS@vGKSvXd!Gl3eAilgG{74XuguN)Jzmt|YeL#s07&rZlx3QG zCz&uQo;&!V)2HTZ-Oe=lWES0Z5Y&YqiLyymd3CiMKjb2M=wKcT%Bb2CJ)65Q>r}@o zkJvOU7#b+0XO=!CmbUPFerzU{lW~pQEYRI>_6KqKnKZ&B+0{~hG}fD)!-HAQ3lSAQ zg^K^M{sT``abSd4&^EC8CJ8+F$#{lgpJE_^;FrDofPRN_AN0c_213)+8J2|keV`ZsS2G6s}M#cU!!)LS@^fLL(Q!=_Zm^Ya-*1-l;Z zVyB*~jrU+1!TCxU#;AQ%;Ql(#q9&ruTMfRht(Ynl@yq^rrt7{1Rf_YG6AIM-u$*If zOomo-K8;V%lwJ=|>#7muxS|D7FiwM$kF358P1?yjfIC<}SL&T+m8}h!rpjyI91Cv+ z_Hrr>$jyunUN^3uZ+bq<$V7=V6)#LH7LgWd-D#aP4G?`lVGMN?vR%JJ-*PelglP4i zV#lFAuV$_i6liBCo3by}8pqHcd+qBQx!4_6NWLzml8x-A=t9KkRaSKnP0JbU{;vMb zL+d#a1}zdbb?G|iEXs$36~~C7nzA|1PA`Rrt$N0kPZd&b^*avJ8c=tmZSY>Htooae z--87_uf9Mwy?T(1L~M~W&R^NnlCfQ`D_so1f0+Km_EAdTn_x6(yUxubbB6C4DAKt! zofbI~zQn;Q54GgHkt0*0>(oj{9)`+az((Y1Wc6j0HfObymEY8|_4DQGujOK!yeA35 zLnsFT=I(wZ-#IW<^4sHSX&UK4(MOBrFRS{Suh#EjF7l>(!Wy#ZC8Ju)`cwU5_ZK=Z zpm9|};SJ$)S!O<~@LZP0jR)$rRf2a>EzZL9v#KT_i~KNhU<^;jPZ(W$z{H$O>ONG7 zMSR^vFhO)xHkd5^CGfO;J_2M~KW{Lf4FgO?Ckf?63t!Fy4rpR!@AMkLDaO`k*?9{g zEs_biE26^8bo+5A|CYLTzFN09%aTey0T}H_@2(Cj+b!^wHIH$F7B?&gM)QIJF7O}n z1WORxmXOF_F;nrZ>)Yn#D~}PZjFK~vgEqz=YOrTXqtkVZFy^VtHjFsNK!h0EA^SL! zFZ{%}ajAlZnY^KmV?{6gG|eBi^t5Ie8V8X=>@MG1s{BAHYK_Nj9=Y%c3povqTV2dD zLBj0Do3K|>g1x?YQh9G^3t{)C2l(V=d8YGZR9}z^=S?^?(-)w0i9Ywt^z^+;JtVWy z1*)A<)i!m*9pPJT*@{Zg9 zZQ}(!Uk}vgV@kQ^ll4>DGht?YX-ldV&dyoFz1uc{Z=2T{+R3bc+=^_YhGmf_x9d<6 zGh3j4VN&076$9H++QPHcak1H4HLslcbEo7wz?tH?<$I6E%QPdWnP90A(*6)Uup(Bz z5SkL3j6@`Fm+tGs@7)l&la_TX5^7IvXiZQS!h3j>Nj7iuM(j}c({$!g zmu^9SKA6mU2Fx5rG@B{8?dQ>L-v*0*OaI8^z0<})IwAERBo)o9izykwj;fsAXPw!< zWb*!hQd6sgA$+YP)xvI`Iq8>T9^bOub^EqkWNjBA@1XeM4(QnQR>jF{r8QQv0 zDr$X8NF6&gi5lreU&E7RcMQ0dn+;rMZxIK2j<}IBCO$Oi##;73>$4~ooTP0K255dy z_&|?c;OQx@vo;JMoATz<5zz-w3~Php%c;8{moB;%^x9H>m*g#rhfu*ZGpVv=?^))_ zOorCmdV$+Yo;#mh9_4q<49&%L2%l|Bx~iMj2r!|)ez!;h zb5P~=+IWKecJIVEJ}01mClji*PU;oO{KC#da0sZz!tSuI8CsH@rS^FsHm37H8D)9z zbV^s7W%ePsmG80h*;xYBW+!1ljKNv zq>o>~w(uWTX7``(CC4J46=~Ust0O<>$KLAv;1B1e+L?f%4-&bH&0|1YPSLlw45tRA z-9f&*2cKPmOvFcUBVp|0uRO=Ex{h(ip8a1GM*>FI0Z^t<39TlaB+p12@AV@~gVX>g z=amdqT3D*s(;ev&d=TVy00)2)Y}eZUNsjppvgBJ9h5<;r;e3%Bc*!MdPNvj@dWPzypVp@8+YdiH<1emw1tc0+fv#SYvuP%P(J;aLT0V`J$W!X}N9P zC=$fbJdku;Nv;8{d@%$~(++UVo)Aqo@KVqp{fdKd73^s+NF6JD^$YN)4~OMUt3j_< zy#b1OxlD>mBP?|?QymWa%!zjm7$r{~+Ac!V&A=da!YyL|!AWcE-=yQ&t$j?`Wy}db zh>aMP`*gf!Xxu=PO2nvF#ieei{OS1pb%@Jak13ZdFL#XGbcxaEKJv>wcC&t>koDU`V_ms^k?4dW7h ztQ!`wyaKkpDvjSP4rTAAvT;0b87E_wDx&2J)o&!&FKq<+Zh!&Ok-~}f=h)IOH@HyE zVb0fz{(nuMc`gX&=Od&UMyu)53C6mbj~Lg!JbpR0f(7N<*pr=Z0YJeG8rt;Zde~~) zyEM7sQ#+A0ELICmXGzZh?fiuEm8J2!^<6a;Tyss=e5rRB?gK){37{Y?K{O52u9z*0X_o6JAwImLt9^Ad z`HSeNo2{(wsaLs#e#wP@piK$QteQvaD)s z4>0``?^178>a{74RGuRx-!N%|3F{q~KIT!751L8F$HBF@TmVFGT7smBe6b3pT%I3YX8rpOJ)&$$|~^Yx{Lm%FHrlS zZ@naMiAd|D&9LQxwB$1C?7b6$kKA)%j4j3j*B#x(?$`bzdOnbR{8i?Bfuqy9dSw7Z zAFOb*Zv_6mN!*)jLIHIUy&Vy76{=t$(j&9rBd9e_!Gn3_ThRo-)40JEQWQIx5;YG>;o#$>cKxVf_v|5u&OgLB z!eh#MB;`zMVW_EU>kPDd13BwfOh`97cb_vMLI!9J7#Oy@)EqjHUbNB-O3NZt7}&1W z9tHsmaaN@o(h9W02S>HeV&D48Je{VgoJT$GEBq=QHkwR^-{lkjU1gQ%P-1x_$WZzt z10<0k|6f**`|ze&Vwc)k%CTt2;(#sPPt=_IkHq(qU4D(wvpK$u;BBM>qxp$ z^2yn(Nh!V#nZzCqo$n-$tX%Z*+%1D@m}w?gnGByKAd~uAL3t8mEot%DtkKKe3Eo6D z3Rt3#2~a+X#gEBV5=L3znBqA3P-()q2amrl+Lig~^W8xri<3#4B9SfKltiCm%d=L?H$=$j7nL4riqSCMm~!(sv}XFbT462_)T6TS}rXb%&!_ z@&v$Kv&=ECaJoq#i370iKP!}Da+Jtq|E~p=JTi1o(z~r-;Wsf`8?wYy^j+(Zkj;C* zct18tM1qe4-ukZ9u%A5`zb{gi-v5)0WaqwL^UOKIDrT9{xoDLi*QH-9__B|*>0w&&2xgauz=ZyUT4XjIX1 zEo7Bs8B(OS8VUuro{cou5OaF-tyz!nO9KPXq!~l%ZQ+hJ1HsjkL{%(IU_cgscnUa| zWACA5=nk~-tu|G?u;A72M2w10)(ppOcM}}D-e8PYSML!9v{WLtZjR@ls*O$mc7|#R z>o zoN;|>*c2i2j?B7jy7xfJw)VTwV2m4L9eBF4=@GLkY*cOabEhq}i;**A#Ne3;NVe^6 z91;=b;3<|u&vElWy%kSWw)uYiYI*VIA;Pt$5z^6kk6PyxUB}RnZ2Z{>KQSe z2*GG43-;lrY9?iR7(E6se{zvn;KPvoJ#?w;VqK4(LHe)O`q?}bil{BwL9*N%DVAj_ znGPhu0Od@j9&{RS!r+lPogXHTTS9GWMxxBw+BtayxWJ8I`sFkC*F^3~tUQKxzdfEd zeLOQ`AM~FTZ!Y=;NczB99o=p%|K@~8Vtb|&+jY?ha2oZ6*O22Td8TK58qMgKx=ZIs zH$j9GhpknEin{o(dnKx4e1RW$zUc!P?}N~?oZ8Q4b|l&sw}=4~-oM7U_NS_CJ#Exl zph9sJx95Y4=kMs7RoA}IR4{!@6voE7kMC27)cl`mRVEK8?{81%w>??5OF4NTsr|oU zdDwb*Z`W!V)sSE3rruuQT7=2UaVjS1pONXY!WqZMArRt|Nm$?=wB&awqdBHbiL)N4 zAPDkRx8c%YeR;;R_l2NhvB49w^=W^nH!q-$t7j-)(vQ1U2_c#+m~|k&$bC@{%TX4EDseci2zQGgZ7djup9y$=@n9Pt zQ=Dl4z)RA##m*l;ZJX%?C^2zF5&rKiyq)>}|LDfWefYnBj%2 zY+O8COu0=gY%B_Lpdt>Nq5b94N?bh3XTnMbF*(DF+xQ|1c0O&z)Fe%4AV!tg=jFHY4@+!%9yvwz)- zvK}Ok|9bw0e3RZyD4pV=k16t?%?tg=&8kDpb=PeCO+Xr&eplu>L)T3AAH~^=H2DkM zpAY#ir%#n8O#r$M4Pk%d(UE(4Cf8I z<2~ZVPhI_CV&deI&OOso97`^qybADtMJ~$>t|?b{Ax+Eg>7hijtb20w=zs(9ZB=+Vp?;Uip{qx^IoQZmAtUhr1 z4ARDK2fw9h7w~JkiebKxk21MU$X)P_&$oHOziQy2)>3MJk}&cltWhm};KvY z>S#)-WS-85?#HiDaQ>9xEw^QnqTy{_g7jk9qxn!)ZuOtCO0jnq)eP<2f5toh5BAO~ zx{V-M(@xCHEHg7RGutsUvmG;YY{$$TGc&~`nVB(Wwqs^y%#p2dE18;1R@)fj<6ZHcugx0Gv1+K2%=ulWP} zTS{F6S_@Z#zk`9GMp7HsvD~iJ00|W@;$zn?3u8?NDm;#gSNuhUVp&<<<*`5wH$qXh z=w?laF%?gku@hG+hwgo2JLam5f+?_KlLmkH@wv9C&pD;T+Z(Yv;?3SVCXZt=P{mIq zV^PyJrCfSm#2=;;TOfsWAF`6nM@$FM__fgpub9@a*oA*&zEK!laLoD17<7#N728{5 zpypT(zrCpLw@x)xq`R=@x1XsGSy>EW;E~-CBuZKafyEVfAxN4Y3=-SO2$|a$68RBn zlEvU)kXJWEP@Q7eKkE^kS{y3E94hyEX zJ1bcIo_U8Lw?{WhpyZ~R)r5DLT>^c;9@sye!E{31&{zE)gIWfDkKhd#$LkO06m`o) zJP(O&38{dSrLX2`#El43R2mp@wO_*q7qE-pAkdTRG`wNhmtVwgPlL3mpLglHFm6aE7r=3O6WiGQ-z*-w*hXC_diHvYsmvr2@JA663BVySXqU5#H~mx4uE!$Ixr^uL>UXyrK#Ev>W0 zr>2r|4JxX%+x@oi7_~rEJx9JpHAE;IMO7pWxk@J2MPDC9TivO#lOM&xJYwm`YbwI+ zVYQsd{=7)idPusCX$F4N(3Ebkst+k^(9nrf!aswE{YyvOK$0e-sV<>+BYu7C`P`-Y z3NJycPy#ph9Ubr9Qv6_VEP%IJC+GHcfEBUmO*lD2BxtEQz~hDpiZ7sK7+b-AdT%m-nLgi=^X zmB?OA)1<0qR6O#1ki~=PGjP13zMlpuK)aJZ1OwW<20eL@Ja%C}>^$#iQOM6XKI|N= zTVK;=*(|;qGC_eVl{)`izOJ6?>*NoU@z`=?N6Y%{DqLbUTzYn%4C%WX9GB`UPNOIB zW2^wLsv1-6@E)VcZFn*_i!4m_tg6!MV!OQDHv0p{SV)74I89v-L;T=MdipaiiK;5H zJ9fV`Q7xM=T#Z~sinIM%#iw4kOdUY6g;`BTBYK;H5!{qTdB?LLHL3mf8?6?>COnau zsggam`u2Mg*qn&`hdF_Q`T__46&eci%YT`ZuViduXkc?v2#G=J5}ed93q{V#F8a>w)zw1M6vtq+ zQIa!ZK7XKSzu-X8zs6t{a7oa6*oJ!F`70XlgKV>M8hQjQ*1?Hd7$EaH`e35N$vWfDJ(*HZE z@P+AkRMyM1EMiFL;SGv0VZ~Y1w=ZR;WnSRtQ{U%!e3(Qv_vteN8MSt=te3O6{vuMd zFg;1n3Yn#sD2LZX*X&}3J$FJnrNFd_|5@MycwSy+ch zPPV^0zo21n$*SZoAB4?lCr@||AN!C=(jK{KY*pQGpEjy~E7lCSY(;qVAyX8_3fPT! z6mpJ3OT4<#C2iEyLbl#$q?slKeK>&A$k z{5?@WCZT(&V<A-14cp?*I8bUvF`^NHvJwW(4 zJh_N{p!y4+hf6Q+&Jg?#R%k_uJ|cey_}paPLNQkrpE}zvPdU@LX$&7n0?vB#;LkR; z={X7D6HLUb;wEsv*Y;-|tEoOG43L%WCZOQk>%I)Hmb9vB(WB|VijTg!AdQutMMAn> zUcVa=$$Tvk$sBcqtwsyahsQtmDoS|vXC1=&vW0u`z0-*b_4-qpc95f<<{!j4UrW+G zFBzr?ywKo;m&_j-I)L(1z6MLXX*XRK^I{fR6k!!RTt%0*v~0L8!(VFA)7`>{@cX+L znc|?ms~hRl9ponlc zL)g?aGV@q|dTod6gCxz^mWx#^Y~q}Iq|d|O(tIITAIO9rUQBMOxPEWLirXkzhPPt$ z-Md>L7E_AjXlf5IPtz(ka=Kfh!#Q zsh?@=kG!A!sI{vW4$D5yna$L#?mh|rCD|5KVbi4LA+EXZ-uundn*sRn5}fAJ^uA(d z5oxwf$pN=`(}=NEmmM%p7n0|)h1jjG&&8q<#_u~Th?nf79etvJ7BwMx-%9;Ob5 zRZ*4tH@CVBjK8e(P7#iVc@7_KI7N>6|0{V1OecIDfjjE5cEa<~Lp0&1GKMyyx zwGQsTEEiX`^=c!lrnIv&h0C|jmr7d3wr&5U$oJdoF{aO zzmutU6jqISkcWLM+>+n()IeQ|ZWAAIH%`C^HoB| z6{ky*pXPb2U0N^y**i9yQB{3m%aUif^xRH9&Z0-|j4)QZB8V^elvS%~S2KPI+6l`f zpzx@gX!6G~%)yawl(xK{_+r7BB}u{VjPbVzz&as0XK}R+o|@ZVn69KUW|$`?CT{D- zXPpFDy0Bpd{Kmc|y1y0XogIWf)0XHOf_gZS@;#+REA}s{gm0&eC3(6Qb!Q8=Y~BVv zYM#<@5cV42LDuWHHH95#yW!Suikn*sQaxN2?lN0sfm_?{ZMqoYPeoW+>{aYXHd%hl z6Gs`}6?2Li8K1QgMWkB|(~_!wpC6yiHtqNmpPpC#$p0f=HJaH@UNPC;QDs8aW#}|8 zM!+6zcUb{(`u8WOUUZV7{Wp;TPSs@W&AYRfxHJ(yyt&ur`!(DYes{Iz{?8v@w-hTT z!9#(Lf{$_V6eN;|@Kg91!>SI{CsK9%HW~i5_*C@lRrFlA8Qr>>YIIh7MIo-C7Pw%i znyOfMt3~t+pFdhTp;I%Ya@!6|muOKvVK&75wLrnQ9YgO!6&s<@IN?j=wr_ibKtcc8 zmaKl$+kbc>I$)iJFOcBS77`8y{DS`q3yyOkpwOW)Fv-}k$l1kIOQUR&)&9MF>JDik!Uw=z1ptWASR zfRuD09Qvw6@l`zbwltZ0qx@AUPmb6=|B3sgD-6-nhv`y9)=}M@;Mcm`kWR@?6H4aG zHGh77{XM%f#2qIbAM9jM=>%HwLjK3#^+8)4AVAHIf{o0A7YQ0hJxvJiGYX83v%w6S z`Teo|$8U_n)>-_gF}t0>%AY|((qbR<4~V3@)|B#RnOfYmiMBiQI|!Ywwi_}qZIWyw zmL2t;W}eKGhs~PL=w!rz6yTs|yx{99{*Wy;S2%k0g#l$y$V-GwQHmq)6M^Ps3-cW0{l zE33WF0&$b^kSqU4o;))~`*R-V@tW7TcU=IP=`XgS`v#Ge|SD`R*FZ(V_A zlg`DNTwe6Hcb>RmzzqwxgJmZJtq9wJu~yKH^+1c8g8A?Lf#L0ZM>e&Mk#Z$U)(*x= zfS0pxf?o7q!^A7UIF@0u;44v=%SEv%QAq~ob!&A)gm6$scNr)hwz(q)y3j38rVw_z zFoeOYy)6}^p%QV_gEA}LKE^uQ+9Bq92?vKSg1&wSPh;*vvuO^iGyfg2`<0U^*H95g zE!Zn{S+;vw%626+VX@qS-rPBxxvds342zroeDoKPw$nNPZqbbf9HT@*m+(b;D0ZW2 zQh`fTEeJegxPr`YovUq$*}^>Dfq0v8(IntTQr!!z8mOp_0gCTZZGw2Gs0M+UGA1jZ zjXJI~nMSQ8Eg+EJM490`r%3@zC6}AcW3v7Pl(;lX5X-wQ3)$RJGLq$}%jUz#TE$Tq zNQ(SYU9C3lC#VwhyAR|~{5wb?8#^-mqAdzb!Aulqx65M6C62)>8WcEJ#HshHxw#{i ze(TQ+_FL}jpZ&;n2eo;9;jHj9w7LbKDmQ_+B7$V)GlP+AdY_F?*Kvl1($4qTa z5TM{K<+E=+Yh68Yt!0<`Y&&H?bmNcWrBd33O#=OrV9#Qenn>&c)xi~v4HI!INlp0< z0f6}YYal%{^4x|JzZY2GCqr;x`UZ8( zPtRB+YcECZvGqNq1mtFYE4VhxadY0%T+=kBH)8C4!;X#z-%>a;M?UlXs48&TY#^4< zhTAE=1yTzra)4FjnSxb(QVstD4 zI}Y1KS4SCLon^Ef6E#S-wV}`mo_>sPIiDV&JiBGO< zJ>A^Jui=%Jc<{$kBi@=iZ}<{1Zi1oN2_Q9CkaIhd%a=^vXkc7B0$V9+pp_q()O@ox zJ}en)3H&`Q`luEDXNdHN0?nLkn5(A` z-o_LtU7+pY10F<6lW6clK+&ME;%y+zvV5{koaWRZ{=zL3Xh|Y8_}7t5dM3dDA#h~yh?w!?~07rx}U6DXQt+LPwf4&d9#_(jjT9_0V#gWc53&CZ}7pW zqq^LcpG7)=^zj}f{y4og66ViNyk|mqv-~PJqH>>Y9nP0ACpF~&3gN|_;~KdaD*m9@ zzJVe5f->oLmh%rn9#L&qg4nOud`4uhtr>-ay>4^R8Y?R20z$1NZQmKmq@=--__ZzF zc4}yIq|BQ|}g)cZ!q!g3ilc@xr5W7~o$q|)>D zmJtPbZ9MF08oEY3u1ANw5C{(lG@}sxk-I|N!@akBL>e2qK){2OZVNSN?s`;;nB75p zl#REsT7x2Sv?DhLPOFy}C}Pfc;EP^M>>v?sZrX~g;EU{>>3L;gmmrw@r2G1mu>Dy- zQ(x<9cgj#vSJWQ;--rL*5Oj)nsl1j)2@~AV3>Z;9+Yja=d#CKwWB7CJs)TpST`&Ll zNB=z<|L^`cBEae*4i-9@j}OBPZvyWM?_iL}|MmMZOxPdH*!>`pD@ktPEgT}9XNsc_ zs>*QBeR0sOR_#vKUW<&dC>3`a#UUu(UZB!XBC^<9JW+psNcz=JZjFkt1pR_a==~pr zrHm_SI#i;gDmS}KJ$Yc@yo-YiQ@1D!oO(#$>)w`*(VG4Pd$VcC+haFnvI6VGP_FKhq8Fe4DoF%4g?jV5!RIM|Y1LSOT|tvGTbt4QRkll(s7rD zbmC5MwX;F%Q^M+h zl7kSvOVLiJ!JlKERPqlZF39PrX!{dPLTm|iVEN?v*v=NUlwd%XVvUK-lUZuv3ZUP` zX3cw(Lx;S!o5ez&Hz@g5=8JOZYX2Mb5aUzCM0Bd3y2G<-V)rE5nod@cTsAERJKGuf z-RDIkhT+BnLn>oE_9-Hb{`V+D2*Uw-Lzx@sg0`?rN6*LWI;N2!i5Lv zVcmUeSbLE^e6lpu9u45^8&In$`f=DCQ~6t3pe~-lZMC5po*AY>13ApynUxl@SF4ZjOW!t{MRqytbx1ojEaF za@+;0W*Kts1rI@JA}rSlo>r}&%+zutFadRy&G*&WxqOS>%x3^4ND)FO=HfEDtwUMj zH91@+q|mH<`P9CT#17EEaw|E2Iq@38uzSEIS#m%y<$I+r+b!0>;f}t-# zwHtmT=Vect`Cb1Y{Fld%K&t)0d&#_?6-gr^)3w$yI_(SP%tgCv3TEiRXP}PFAv>3{ zLawmd)Ep>%f6H}zM!Ao)vSY9gGA@Sn?S^4*=PK6iurH>zmKP6dkR#*PElmbMYJE|e ze_{E~PECn&ma=g@4M18F8g@Sv81MJee5OMxM|82rc*}M>jRNgo)Z}B)p+hFfP)SZ} zq1Nr+9;^8?$Z89$U*N75G~5IF5Ut*jtl8^77;6O`KEU+l^iT04g9w(~# za-E+^Zi^-RiA9t7nYb$(m6sjQA(;#Tn6?r8PJ}A0p7b#ky}Km_7)5wmrWdPU2E(Xt z*IyRYHzyPNrw5~)+5JBq7#dcZ&+OenC>v7WL~rrA-0babZdKffH%n8$Kiz>l%xJ&D zWhh`iGDMczSSQ#S=fZ_3TMK2fi$}FJm%jqdTm+oK>A~vwYec@w_UM-5Frufgb3d#w zhL686o~;clnb5zZ%SEO=^Tt5NQCX7r*u$rE>y2m zv2JClE2B)_f@IwHXB~XQzFOsO(+XCukH1+KHupxh81%D_l#|qM13CRHB%X*L?5@1b z{*3szT1)RznD{x{T@u=Rwr1I6aeeFcAok%hw|^BR%yw>=z)EIb#hihuyD|ZN5ZQ8y z`H@m&A7%e_B{}mVzImgKR$vH_?iJ4*;A+A-bUV{dSD$>sFv7Uo$Wxp;d(!OG)@yHR zX2knNLC4s7Yo5QVt?g^M!0Oq_Icp#d_L@P=$T|~XC7W-+?fX0C9p)=EQ*EBC)G-ei zPNDqoazM_6Nz?!$n)?#NNQjDI%prPy2Ect`h3&GOldBopcygi5K4iIac)j;i(dF$? zo~3%9vf)=>4SOidWGPL zoA2-rlh-&R^0>z9YxVmTIt=K%AE_lY3oKfr>OkLh$w_a|)cg9|6n^!ra2h@m7u7LO zaH6j#Q|oFY;}aLv{`EcxzQk̖Bq!QZu3=w|ivug8^EF;yoMezfr!Y*@%tbjX$E zh-KT>xq=T+dfj`(ap3ak12OwI4}UBvc=_r?RnEQW^im3y zaxQK#MK1>B9&=DQsx6F^WW4z)@vn35!J*q+SWXmE*8uart~5`ACH&*WDpHQ{9By0A z-uCjU>KbqA6nXl$%ADQeR>@?pplbRH)2ASJ0S1GvPQOrMJbX$(d~@NppAV2N|I(mD za+(kT4#Yn4RNi`~dz!!<@p@T)^bxrP_vmwm=41QFcy<3DL6vvvHvQ2GOoRWcYpaZ`u@-_e8qSA5|9Y`^m)Q>^)_NwuzbXq$0jT=~m%!?S@FL6@^1S@nxa}|UyreQN&>v92kpEu?kioy5 z1!SQxo0A=W5r%0;n%8afkL}a8blyzElAD`sb5{cXK}ZmVP;{0&Y|sm2USv)7_=S-j z!lv7ngnJ*v`8M*BY6IlM0gk(lmwU^c_;~DjCJFp)-8Pd&(3`&jRw)T3k2-kPF>7F8 z5dD=we_J34A8gG0w$!gM)rBnf0YTSc{&rqc4I5^17SfGqfMrBQ+0JPF?+b@=Ug1CW@FNqhS{NbTYvn*egbw}UrqXa7v0xAi=hJHoJ^T94( z(U*g|QEtqX2Og>wn3qpM=XTX(EYH(^Flq7}CsNapbDhphTyZI+;7va& zsf9^fDdTBjJT6UTIocGU6ot?nGW0Gm!D9`&vYi8GAA+~6O^1NNbz6MeXS~OrSUg8U z&^49UBp!vq-<2_Dp5B#K4zniGmmLt@+Q!f+K_~}W{#r}ZGgs2o)J~7FW2px6KM5U1#8{kfCo7`^jn8b?US|3G?rK7T^;4T3|5fC$``{T+dbKvG{(P< z;AeW`3@(nvcJJ=jv!@`jIl8^H`N4|6X-|vs0t_n~8zqFEJZKgk(=G=mQn?`&rz&ZN zx{`k;?6KhKC(x(mXaqkU`z$S)OMP+uM(`0D>YsnjDG-FB|MG+NGUF$Pi3acYV2y)9MfSo z_u+&@5R&%tXms8!4T!p5_gpYT<2IBwH+&Ck$$W~eS`%r`w2y~5THhF=oH*Uem1cjN zD)r{^0dsheL(S5t+rn`jqc6XRY(K1s2F}C4pXBZq^eoh4>?%0-;}yo3(Fv)jr|2!H zD<+K%wa0|3__>$|N52SRuhk?4CYTSHk0p53*V^ySnArvwkDxx7DRsREYTjmacOJz6 zUO(_^5j^6t+xVkl6TkEj5?0m{3#3EJrJvz4<((XCA_Z`$te63#A_<=%P>ghkQ22Ea z4er=FuE3%ui%#YVEdv%y^9q)q_YQ&|XA4^SF7}j8rY>$I*qf2D<@$ET8pCsRhp)By-J$_puD3;+ZG7A_ zos&j6OvNy5sM4-3eBTiAUFsnkYDvbs#7?r1BGfiHIWI;^TA7ToD_av1i&XB~?Tl9v zWLI%yv|LD(1-fDaSd)3E{lkMCY_3mc*N0D#HdGx80#sx74#VEeb?n&ac9f8Q@Dg9K z8Pl5R|Ln+{fMan8=c&ALzk{4>_KQ*Z1B?Ouh+;etI8bym$^lC}JleKrVHq*CoI%`} zxT_yLEoD-&OIeka+~{v66bBl?U{|bsCbTrQhT5jpjIs&)20e4RGNr?zt&k1sd{aTM z);BaXN!EFU!#Ki2yEtuoJmP}FH!lYQ8`jab&%Jy|lv~Wwov9k-%&8wDO}O!0@_)&E zU-g)O4u{;yfe+FOc;H$LH&bt+lGtQJ?&Z&MAF}1){s&Q5lLY@cK({IAeSLp)rZ=4l zOS2%GJ{S})(K52(v)ED+2xkt*pbie*Sf zgnF#UTh(Mt*<-#r>@DE^JoUoH;}c>~4cXT57ZM-!+&lPth>|tCASz})x@m!`QKVO*`dbo=(#x9II zOR5;j3mmRR*gCGZZIXQ(Al_>=`pZ>~%q#vo#wPeL67$7~2zMLwUJ1s=ufwns-d*Mm z6Tdj8aE&y#*kTK-o_`S3L7&CyTii8&DU*4Br&flICO)|=92R%?nA#E#vE)~&q%jmb zO5;QMyl>OMVzXy#US1z;awcO?ryHH46&^7J9Zk2Kc+YOwEzb%jM-q~HIivYi%XH5_ z=x1j~5#TLt9v~$jL6mJX2BBt4N4rHDeL#8vZwGwl^iQrw0ES`dm%K7w6|4D9ddA6w zQHe&*Gao4<`2!t#Shwr?VLVlhqsM%4KMr>4MmpHNQ%ZwxES%@*l2Csp>xMX?Rj9?qb{->}QQO*u|}k7l*P@%G^_Sa&Mr z`cn+vxqDDqIJtSk6LFnHT^oLtVWl-%eeKsN_%9`y=9=k>PR@Kles%rQPJ2iUJ*KYt zyv{0JMn=+Thw|P+FFy{Inp0aWFF|G`R!J}Cl*$R8lsiF=;l{x|q7!mXkIkh_BEFKaaIidG^y@O!9?j=IG}F_LBh)xdCVwW z0~Q<00Rby2l>B19#C?eIkc)#pO_yyF^3F4!;O6ms*F0}qKBt7X%q`Qoo8tmZ{EzFz z_y9Mg^_pIe#eHUlr@ub@Hm$N`{w{1CFNG4zI_^KjXj6zT{WXD1!9^$sW4epdyN_#i z32vxIq-cHf=)8rhs_?uyozwX6X(pXS1g9@ z_pBxAW~0Q^%Y=52m=l1;ae8;JO8N42H;$7#AM`R`0A#TBf{~ITc>im*t+q`aT>6Y#pi(!Xn*$^UI zh!=;?N7J5JbG`$#+8?GIwyiU33=s%jl8S}AbFMRu_x_xWNm66Zx5l!@M=w~xTO4kx zsFCwyG{Xv~Xq5zOEpaFz56W>WEm9gpb6@LAVZqke{Zg0K*QaIL7t!PGB3f4^{2$%M&;;*eG05De1{`l9W;u^!{s zA;+s$#eHy+DE4`NBVwNcxeK4zzc#N#GC0AkmIDF+Ip#OKLbJ+d>zN6E!C7xCX zfB&*9fL=~OuQq2kX^kQUknqb6NPZMhRRGTcyx7}5k}62EgiKlkhs2y?n6jP)R(=2|By%bU^%%w{&Qx;(B}4KhBEqq8^S5%{ZT;E5hSUGez8E@S9oV}j!Y zz3G$+UMf@xseO}3{w4rIO0XLsTm%n!D&W46yU-CmKb$aOy~|*v;PE!Zg&ip+0~cSM0D-NfmoB z07QFOL;1q#P}ClEH0%j;WI$IZiL`g&M!dF3IV0e50FWbe5&8#VoUH=H)wXxw>P#L( z*ciq7{dT4@Px*_f37+7u+bz+oxqi=!VkQ{hp%}4=TXq-7U>5-0OB?>5K&SVf_Lwr}kU2H578b z{iAaFbD=`$Egt928|B;W^&*OMGYdfWTygHDnNG>@2s7)}Y4RN5s6|`C5JoE_gVwfS z9Kz}lHBl7eR8#PiMx3=9QUAy;+ue|hgO%kIl2FgQJKB2oOF3?u1Ow4CQXm^V_@UHyiwt&eaVd^f3&_=M-;XB zkJ8Q$hTonQZ`N=5wMrJ$Mhn%gLr2lJ=2^0tmI)6Iu}{56D%L~`D(<07Xo1)DXFO~J z;5C{GZx9;|UNEtN*WEnU-H-=XV)1ut?S0fzK47aH5Wqb@6#y>s@KoCzJ&N`X9~a7PU(2=zot8hPjr_^!|If#2FMv=_gwl$O65#>z^(&#+(qQ8o6F@{ z&dbs-&}id^SV`#iQN+dQt>M@GrE2{F40t5%FH3!*0v{h;;l#P z--eOGT4h9CD+q2>kCNI6(EOOmz_xF@Yb&jjW-dD0#Zb8^M*+p!qjP!=S!E2rNvOa%V>`ix1o6hS1#v)yv z=xwFP5Iqt5q%rfxG^f8A`H=K?EA|P#6H0CpPGgxzH6f@RsTqyfE;;XMdn#mfBYeqVs3J%z{v2^w3(5NKUxWanJg< zT#RX`o8rvc_t<-o%vmq4z)p#b=yPS zP%)ZK`6bbX@m;7CugQP#8(H#C71e|_|VW;HA14aBv$6FH16 zzmu{ay(AX}KefF0v^@IM830VM6ZN`|@%3Pz7-Pd!YYJ!YrtbvEV#qV>#8~w zUSP1%32}FI=qgaNbTe1AY)6)OMN$Ls>PnL4U!Wf%VAB;y>ewk#`DB)vCA%BOOns;i zf&7p(sRh;$Fi&qLxuy9e;d;n1N3%1Jvw}_izz;I5PX>Zr2$|C1Wtzf(uDQV17a=AP z-3+=F#WbVO$HQ%TwxpK6QUE0#hdb>Y0`$c|#H6o^ZueG;NM*nlM%xReE}eD_ zSq*K%1v95Ln@FY3zY34}fm(JEB2TcwBGKb^+D*@~17-KSa|U6j3Z!?_<(W1?{KbUp zw$$gh>rcU%ZFMm2I0hGtJk}mF$Dj|OoY=%WXlywXnAigo-tzrbKwaq954S`9zd%6G zHlUImI%Vp9Qp(YZ9vRj5nmn&v*+^DOhE3|c7Z$zUTUqW_qz+G%pSwSkWE%^QM_uW+ zwW8dFvuX1)vfN#s1IJrl#5rF1U;Nm<@xKgi`^@a=sZXCLJ}&sR@jr}#7uvJ2tt$c( z?X&v`$)PLvFI|9(_*N4%(q{=d7-=fgR!3oOFckB~_lZku*9>B<(_qQj^%wef#e&Rj5*U z1yx@wZm|etlSc0>ryP>7muJK6-JOTyPOG3@cqSj%4hDQ&NKO zP#A5g`JD`wAbRgf&d`fTD{cYgDZBq5YS!?B*+AcFv_-<4zZd--dgMul-B42U0yu&= zkmN|yZntv{^h(?G{X#R%ce??fTu!jouL5qrq#q{(_wqC*5TG`^*iLm`Q;t-*Hl)?j zH*y~dRq830io3j5Hl?|1I<-cLbM5q3iWodt;*}|gwmv=9msNfk9tj$D2X?=vdx2hc z!zoP$oroir3X=YQm4#W^gclF}W7dHLOzNt08=#n3-d5cZvqadCAVHyq#3N1(lK0Q= zOwhDqqK(E~oBG7)Y%mNtMPX{7K~wh5#vQea)#7egCp+{+XIU^C*xUtq@QI2wqd^-_vUjMBvA0R z?b6NGWeR5G>3iApBuV)Fc$vr*tf!9~5^cCTzaYd_xhl^dbNun2qF|4+z?GDzlF6kuEf>>QPlq?6K{$y}d2~U3%4)jGWNY zu7mgq{MH$P<|S&DKc1|zhPPHtfKC{a@<&%^>Yfa`dbAnNpvZKQ+YtNvnsisa09*v@ z95Y1^%GaPBJsupIWVqr~*&P(L9EYO=mA(X9x3=s`^9x}Q=cT2FervuIn;Z3wH5~~j z0S|ZM)e|`{p&T`Xayhu8C-8R=A4j*Rn;6DTA#s3K4TFS0&_5xw>M%yy(BA02bkArU zoN~`eH)06szVxri!Rb9Y(pq*ZpRq=++wH1!9-3h`nzYJ7j7+xCui_o$R78h1)OycAPb1QHE$w z1bQ&yTswpt1HKQXb@>n^D-hDw=DsV2=E^}2n&}vrCbbiwBI!7HU}wf)8;j+IgxzQP zqk84sAiTUT+a{Bo5&o|pK(Tz!;YBe++*}FxRax6=EX8vsFv4;rq(le>Qnv!9>nhX< z@hv&*z^!{;QZ_)&=cgGcVL1UnB(*La2VmKhqNbQoLZWpq434J-9`(T)L6Pb}3go5x6?hT`2PJHb(rJwKNmtib5eNg1hksOAwPMN zT#8@?c+f=XLFqc12cQr2%zV1bBRQ^%SRRaW8JFq83sxsIw@6q^_)CacU|W=Ra5#e8 z)|7&iwKW!-+^**9)}0CxZ3D%qad;l~BZAHTx8nhOx;tzvC5&Htq(ys)Bl6y5ao{{5 ze1HW(;D9xDLlC;ye zq}k-*ac=v1Ws7!=iXG^3vRwX}FD$;h4OZ(Bxm^NLbpjRa%jMz$vp@rf&D|OL=7qWh z%XoJ!gpFyH#E0_pxhu9De)crWr_kvR`i-j$FQnACOh{ixNNgu3q9e0k3wJ|Ib@d4P zx=aqt=(ODZ*Mt-J@1;KzK63GORkoMXZye9fevY3Fa8D{@N1k=8YCm#g>PcYNxb(~q z>HyDQLeHyDEL)@&7!Pr7M>>xCcn6No@22!ujO46+LFk-C3am1y#Kkm84;2@?veUU( zNdxZtUTOQ&8-d1g@{in=bh3F`Sz7(nu;prYM0z_sZNVgFt{YRaU!Jn&cNeopNBrNp z;LbhfN@J#RHGk8u275LV|0aDOBqx3gLb-z}9d7IQP$BZUk1zw80H+45V?hm^R|vWNjNR#~2x z_0P_HDOyh)*oJ><;(fnNP?tm%OU{>oIM!XS8Y9+Q-_Ary{z2eAC%n$xZf&&riQ_0u z#9P09zt~Yt3C@bYU1$itYyLeVk#K*@8KO%b2ApA(Ycu@^5gl4No|I^}#5dv8mMTHK zIIZ&!qO=+4k=QjxhES$qVx4&l_A0q1gICGb2Fdq7u>sYIb%o(Op&tXYJv$=9-5T;_ zQ|De}wG-C%reb|Wa9p=u+QDT_pad`M;?PJFDwn^Hfavb71nmsfR=+@)N8k?aSpu_% zW$6YbFyjUVv)A-{`kiCW-7+WRb3}90PD(gh-sQEMp5-4Gru-8;FO2dspWAB0YP1;# zTcjenM{G5HJk`7|`u@P#d)DRo@UJq z_C|YBM;^7OeIT*2hAUouiXSFI0_|nIJg@t5M)qDy-l${~6k|uIHK58K7J$%!c}-zu|%AZExvRapk_mNIMhk{F(u`cIwF)-LZd z<5*lr#&SACm@Q>8H@h2R1&I$f(PXWA^38!mk(cI&>1*4NJ(K4JUOFDP8MngaD-Rt3b$R2kkn{>?WU6t@d=t6t0?8`(WYo!1*U0 z7V$wAL-qvs7vAr30j(6}wTMc5u^GVM;);H7S9K_SZ`CT%GtEZEErV`bTLyy?(v>r? z6dA%|QuaKayHgHMn+0DljDwK6fx{JXAzd8ICz#D-= zbq*eO(X)6>hhp0^s-cDJ5yU(~=%20|I$4X3=6-ZbI*N7{s9ofUV^TIeabKsGP_g`?&t}evGn=B_eygyZ6fd#`g4XtC?#2?vZ3)U>$)a5@@AQZj zjTjavkSHELM9skH#}QLp40AtoUhGn12{ZYv>EG-Erb#^s@(GIFz-TfTOa;gx>dRaS z&CN?NgBo3Qvf^j%yu%r=*&9>kAH*EQZPH^ST3a7>x#yXHf=!+EU)f#p4UPwuZ8_Vo zlE-B1V;!XN-jG+HSWk~xip=C*7!)&;7b4mj{4acNCTG}P7jrN&fV<;>OzaY!PW0bh zjJ5P2aTs6CgVM;@Y(;pB4Bo9k@Niv*6udH${DCA?A(32p~^C zb~(9IsyKP9c5{sNl$r7G1z?DT>8^_5K2+}PHU1Cc-ZH9I^UDMW@hi1 zJ#*i`>$*lpLUIEZ@vPZ4CabkLSH7ho9r@Q9U#Cd7zhdX4 zY9e-qdL1&6{@benJ5?edYm7mORz#8rEVcbiQYTz;Zbc&pIRGeu{bPJXwWkDYO7)VO zLsnLS6Fflv^d{&g;_-Fnr5-rCd-q%r^L5$pPjipD6f0V>~)p^}b;g21omZ-kb@K1AJM*i`SnzgOCWADpi&6BEtc|;~G*AyoQxmyE zbx~}3jYcF1+~zz>FT2!kkfXIGp@}HVg(`+ppAtLQnC=9CFwHXvH!9cvDw<@k^=yq2 zc48=xdma}xe^i}>oG==5qsh5Q)iE_?2tYZEkBD1|y(U z&~f_I)Y%Kke^LbMOb_41#D9`?0JZo6kqfpsgVp(=#^8(#1@OFO7!K!c6>0SX^LVgC z;tXNC{oO-F$;bD#!_)V(dQ)A0awM+p;$md&&q1jiu^&n9Yx%np3#r>jyV%KgGMyQP z2=TKPzbHpLSmHGPP-_|si00KyLGLMhQ|$%c&*L|~a?ofoG8}90Ks;A#O5mL=n4(pc zimj&1SXh^Q|LyTOy-1KX8J~3T*Dxo&i-ISAo43jR%9Y0Qhh#iUUAW#Y zP?jKgE|BpasmYnP7KxV0POl7H%VR}F8mDWyVwk)@Ai`-M<3e% zHWQxEN#_d199O)ncKrO`@M*7T(VGuxFK$lV89b6k*KsaP7zp(6n6Ro3(7jHUQ+ug) zpXDlNB@i7Qn#R#@qKsPG`jkAZoVm4s8nw^F{pvP3bhBL?rQ9-m!@eYq-LCL>n>8F` z?gjz~8XAk#jNKc|lwpyYeJ>>S5(2QZzI>1v+m0Hh_DIe-HP{j4bi5=Vb7%02liJhT zKPo~3zOO{lL+@)PF8XC9#}8LGtk=Sg2A*>bG*#hLs*}zI=SSGK_S$SEi4QE&H>OOF z{w|pkk+-r0R<>Rs3yamvUpEH`u~w1a^d6t<4^2l6FE5~QbnGTs)BK<*s2}8`e;3m92NZ*aXv|X>s_1L1JAQcLb!(< zL*OiKBc#o_)$8X*6cR2~1B)A931?7;#{5L**i`zZv`T)%U?{nid@Hd|BdPW{X~+?P z82pj=Z|X78#Wh-*ac!s{2U+4FUQ`2o9z;&w*kbdc%JZW-%d6gAo^DD-N*HH`m28>3 zg(F|f07`fi!$7OVPA(`&EDEPqn&yM*W7-nLGwJL@3C5N~Y>6H%;=ifC@_!fc#CYexey3T&a3*R_URjNMigMN!j!SSLuVrHjR-3r((SUsBi7(&? zd(azAB?#q_{lPEygOkCij;bd=Ifha%RlPOVm7$23Zy(f*Hz`}~aT9;}AqF1mnFW>G z&cSn}f7ILO(Y!yJt53jN_1xgzx%F(>ZS!%c8P73~(RzwsEfFjslnD>$KSbej1@*#MLAjs{+7-SoXA^q*yam8Oz?#)8{xTMril<&?MB7rCmr zK>(%D#=7B5&5yz7@s}OG)LBN6VMy1^<^WMrAr*GpX}(jF=Bv(Gu+{W>W5ax%k?piU z=i-_XYxh%uX1cpM^Hqw&bT8j}`Dy@%j&HXd>K4(6+N!Il@hyhv2Jf%-e<9{^D)`p$zwPUAQidM$ zHTSfQ0Kha@-anQlmSI4amyAKrqP{ zN9taaiakxz#$WuQDZkm*O5j2Z2)D19o_RFdgSWcHBQ_Q_MrVc!ZGsTvHJ2>ES@Hv8 z^_DK;Q?HL9o`^zwegBl+sl~!=kiUPF{xOS#3S3=ok3<6eldd?XSco_+Z4s23aw&AU zZoF~FK`cXPemLuAoI1P3ACVuOki!1t$zsMpJ8$@t2fxD zEL^QU$Wc?)8WM1I8HVZS^l#%9jucZR@p(A^Phts@aX*rr7kGQ50WZw=OTVqFGMTyC z&0#;Wqz;L-uUlnVnP64YO2bJ&ntrxqf9AB?t$F&4nl9=~S$FBKq7^6Wy?+7Y zyEfDeT6}|l-gOcz~sjSn5vWi!^&e9l!2XOx->ki`#g#;FJ7xj>sU}^?TK1!35r& z<`e#}+bF>!DolyIcuXU3!kMi1z07-u1$+?(#zj|cZ$ zp4I37koJr@E~ocr`;>Zy{X2$Ha+6XL#5!gztyjb3h#sP2PkdW;IWP2LW!rx@=Qz-b z_0khrR%>tRBgK)?WHTK!2A)nzdJGX~`ok)}B3UA>qaVM--`m_#78kQUyQu&?E9@eD zQMwI3(~&lJC{JGuebB-{>$LQy@1{U+u78RO-F00~ALf5rHV3Np9m%=xF~YK^jA75* z+liM7l0gJYOGF9mr)4Oe<>YpUhMs15oD20%zWqDW&djL%E_hU@rM#=rtDfEny3t1r zMfB&}=>S6CSrJQ!mJU(HQbp5pDg;SR%Vs#7x6Eg0OzmzV`i5aNut|y9xe->CeX$92 z0HU#B3j$f#TlsXa{tr3k2qC;mRNm}Vf&2dZ{YZDFSAgNknqEfurZvs8T~f@)p@qvX zm*q;0Nv|vE`2@FI21{2bG|2zo6iNf_(j7$wJv8;zT#O$tnA)pgYizeAJzG+5W}efK z)T?UGL7Al8QEeZwklS2sN8K=*J2r{Gm*WWoiUAzf5X9-FRUD09Tf+i|k>6I+{eCb* zm8B-G{0sCt6~+j3R5qu@Hd() zz&FFMfD^Ku%lZq?0u=XF-HhJ)LDZjE4wSevZkIT>MZ_5C6-sm4$CPNq9vTg$Za zM=ZZRO%iIOBR-1~|GRi`E*fYVf}jL?1`&Vq?-X+LCQX%QX~JT?KmMdUIiH@@KOXXR z)wocRE|Ll`3Ml0iugmsDqF4Vd${F&arag*1zFl8vQpd;KWzNc=t+Eu`i$(O zNn@ao;<(Lmc8~i}=7C`9GW_t*jm2{&-68|S9@KuWi{&^CV8M6XuQQfRs(T&^4e>L4 z2^3R)dEw1uU4@$b%hulH5r%tHI6(S+`l;lFUe@fVKM)j=*R|`UIKN>0$}z%Q?4t|m zvQO?iJ@DtL2ZinEh@=mhfn@P-SE%!hE8E_$!5;N|eCotzcUzMsF3?p7vi$UILTQc_`Zhgg*w7S@~GHTNo9 z5Ry!h372YbnyN5QhX9s={qVWfD_TYZ7_@lk^n@oo{y8;x#P*B&|Lt7>c*3nc$@{xW zKx0bEq#;-L$OC_RG-juN)>w-@^VN0&a6rO287VZmrcZ&tV^2wbwL-wjNui80*d2WN zRdg&nIP6l#qI*m8(Sw0SJ(EmTLzeoM=aFQSahzXcz$2A*O@9>`JBn>Msf>m%6cU44 z!|}!9NT5~xlM2jxTN6bvsVC7M?!iU|p_h~g{6_|nVmgw#w@_}`9`#@vQuNHx?Pt+I z>o0R-&k2Y~UD?|t$)?)t7M;{jgY=pU8L`6@<*#1c+g}aX&$ykOSJ33~)p;H-6-D3v z3e-*e5IS9bp$8+4x`)AN0{r)Wx9AUDREC%phztfb2sOEPsaFW=M|)Z^X2sJPOsIFt zwC!lZvLG2Rs2T3%e9_BE{d~V=nzF*mOpf;RqNjX+!~ObisuK%&1LXMTZgHN;?WRNa z+$YaT^@cc(M~`^|wmXw1C+SBVwrJGxVm*|9h-I2j@=FKIoysZ_AFVcKpFLGp(pF7H z>a{>Hp4=V@Y-@zlCNspYC3f{G`rQ-NHmYP_KIPATxBKbRG`Wl?A3W>jNrTU$kSong z^T1Leco_N72W3rfId`bdg|xY&g`~LFSZi)sOaSWZOGX%iN5Kc`1y zJO$u9(Vb}oOAz7rjm~OuDhu?j*ec&S0CJ#-QVn@G4S-}X z28Pv0K4}kPNoNoJtK1L;d*?t(dzadf)b#FswMkm>DwMW?ckhqnuEnGCEKc##|`kz5JdqD?(ebRtpiZ8NOzeH2i(k|=R}QDIdd%aMv) zvsrG%V~Awx&nNBE4hnN0J|`9Xzm~d1z&5<@J-vF<4|~4+?NR+ZfmdbSxIs3Iq4DG1 z&tiW$Sp{=Da_GywAbcO90WKn0ihDUR%9YAIxttXZdrSd2l1+_)J;OyhfAM+nEt(QO zk2)VF1$lR+DvYu&QB(D$flPe@$0a?P}+^HbFxfbxVN z!lF7eBt~^uCd@nVJuk-#UbAS*Y%5RmZxpJnlU0z=#=^V%C;%pjzeJS4vLyl;dlT?6 ztDYM2#i(CllC9g7y^df`WYXyn+%!t$vwmh> z7IV${a1~gbJos7tIW)F^O)mdZn_dyf_de(4pmV{MJ#ibFs=D@(c4FJnpR4T&LMh~r z!QnhQBgS>$1lSq(x@ZCO+cCCz?bu+xNLqbGsA%uooh19O(_i8^<30isnmlw*2hvVr zrsM|uC9f`Yn=IqrP>n>wV`EFVWjp^unXtD;ExP+mkG`lGqVCm3@+jwyAFHC-ObJ#3 zZ}D_auhdN&4gvgxle+>-9$Zh9DO1+YdBquZ(2v}^d@RD-A-1_FRto`8vdy>TLBI=x z2w|mlugN#}5lqvPj8pNa9(O_#CAd_@52?Tn-_1!~7p&qNa%^tyH@UohFxv43$g`NM z`n@RLJ4l1a@0xe#www+1hs|5YDQPs|_%_aPB}gR4jN!ZQ*f{~Tivlji*+i_7RC!!= zPPA!`F+gMvjk#6ys5m(pfv22^8z3+AsTyhH5%-((N|UWAr(ETBrR65tvgIM9?0+Qb=h)U^dWKkGP)y}}Rxx^fdTPY=>(HmnvT=N(Oz4hVZFjjx@A zhuysgx@>s2ja-P`HOcRSZI+ZOV*HkZ3ubQJK~s=*@FqxOM{KcDA2f43fU=5FVEA-w zFtxbuV9@%Or0{y#ZQF9-u>1|4tcT;;gnfEgYigQ;ZLiW5isi-{SuN2xzJL46m10%1 zQ?$U8u=rAilv@twH+bU) zc3n6@vX-q{zNJIUa8YFvV^;-Ud4uj_*2&W0s$>iLb;A>i(1h@i$Y67fXj1a*fF|g} z1ex+RW14!Pi)ib2`{Y40yZJ1)vuUl$HEjE;t*?6MmUQGP-7Q0z8d|RM;@Z@fJe#PMe}yWpG4^tGG9^%`5qwhWN(KZBW+xm}&Sz>CjBmrn>{~zPmx}yn(pT zjVnmweK2z1`SZ`d)i+TH`>;ts#GF?W%I5X0Vl9H2A#ve0AvT&iS60b8kSlgyang33 ze->ra%n{Hbxx(yji>xt$9kzSRS1Redy?)Salj@_}y`TQInRS>x@&k{h?EJN1-{u^=iJGYvOiDq$K(zj2N?XSV59 zn|>IHO1?FvSigtkMVuEETXVBf>3W;Ns~=t=j@~x%pvr>axUc8;jSDf$2Y%^+DfUnL zzAZ`a37ThcXakRNO`{Q@Wb99t&=4Vg%_hGMAGC_jmhf6+yBln&xg`j_)DjpZ?I4Ls@#r zxl8X<)uSKG!l18^63sxHl6s{rmze$~8}8jRou<^VZSJ7``B68n{#JwUi5pWn_9LpT z&@pi^UR>tkAp`!8oB|@n;m`yN>#HVPKzDdWwfYDiZ-Bh@6X6L;1CcC_o__U{zkFdW zFXbuPMT=aMY<9pof}oFL=S74ZIgMeygeqJX8k-Z8_3)?N=e|+nVSpDw_Dx}`>scaK z?%E_aCY-PIc6@5Yv*b)KHju}YqIiV-s@^7HTjhmJ^Gdbq41dFo?%v(-RJscqt@y`- z)k$t@fPUrX?`n@#wk2}|8#^?*$fmm&fFSYMOzDG=W6t#Q0N$CAIWwhhK$6GnWOA>8 z2Hm}K`cb@_(7@dx7OPK2wy&5JMrX2+*@cxOkXE(kneS!|9pTsy4^jS#_MX`-rn4l7 z$Yz^liv}{yli1!^kpu-EzzscjoL{>?>?lx3L!!+OpB*NUV|?L1<6C%W8HenDaYQ-X zTJN2@13F8Z)j-%$yjkrz9a@5dHG+tq8zL?2@i>iJ1Bn5I{&Y5#% zd&V1#Ql>c*oj8}&pmWP#;#t-}L9(j@l=qy-l2dG(-E59_c0i2yk>>1;U>7Cs5+?5Z1J}97s><#bR(W9jm#N0-D zxrwBDW8z2X24vgq=_YUXSMVyIo&OE;PpnK;~QJe#^1G}?BD`YdHTORA&;faw^&^^!BvXYk;FqP5C9*EVe@1JSs3~Q5mx~_|&_gAVLnH|o=`o5z0SKnYoV}?SMf1(o zV(3c{f&?J+KcWrA|A?ka1MzOR7yl7y&F*fX$AH^MX%LBj&zs$3a9~qEVkYQ?c6i3H6 zb8e`AL+i^Kr$IUZP4vZdrvh0`n0HDD(e5e+AqBCgH_|R5vU(~kPM61QBzxyfx3Vam zRET{n*Y4T4%40<7>ACKzzDs|aUh+?Xpcj3DBy+6EZ9-!l+Ob!m$8k^7EZy{I+-Nnn zS@Bt_{G%OE#s>ryiOY$HwoN2daAKp#hv31!(j4cYWgn#-GK`Lp*vM_knOySytSRCI zYS2p#b+g5(SlyFgo8MBaG#gC94lq9fM3_JIIo|fpXq(3G4;x__C*Sp~Yq-TOq`3GO zZ2QO2=coVjYPzL%aB?VBx3EZ%O!R3d(%2<0%9}y@eqxR3uK5AA*Q~A-8+97s#R`Ms zGD}8C&(5Jo*3?|@z{$w`uzdrE*4HjQ@gdY`MsZR5v*;3hO{Yz=4GCWb*85T~r^f69 z!ikowH_;QY6-OvmcQ$1=4teu4=G7RM{?!k?INpD1LcQ2@_*5gz#D2Ds>PK*QIlShQ zs4Av?{<_OjJ^!HGM0J>;`i~PPIb>U)drV+(M-#UJY5}hF;g^l~=*p$h7c6#;=gy;# z^gWa$H_mhx^G?Bb=F;g**gT4woK}hyfLhjT!dCBIipFxWkJ{J0|GUBN<91T1cTYAS zwj2K%5+jzjv!Qn>&?NqC64wYo6*HWkMgI~%f{n=D~zRjhQusXv1@!t#j%n9!& zc91HTC8-Av-V=$r#!*4z^y$2NyzAnW#=q9%G>ePta@5-2@jHp(<2M^WbYRG>LsNQd z#!G<8u_`j--qSCua7+@zRE*5K$$J}mvKa=fM&8JkEuHMqc4Dq*-Kl-Wu>787HOwMI zG@hC_1wWcR!a@!u{u;*kB%bSk=B54rnU@S~9F5Lvm9uG(34VjBtLeLl7G4l?kn0Z; zE0xiX21=CF6iw`}j$M~Ff;}W{3hj|Mc{4ee%4r_`do+YIMv2?OOli9M<}lqW3?17z z-oA1`VrbH1HjCzCw%j!{P98`B8?-1qLOC69QtpdBk6l1}K9u+o`q`&RUMg$Lr?$Qp z?#700cz5=E)~3+V#K2TE=eMm`!KnDYnZN?f{lU$OiKZJ}?5Zw`3cMW^hFo8RepID2 z)V4)Q>Aytcm`GkJHDy1hI~^>nGhCoca&u?w1=9mKWx|W=V$x7ii^g2ISFFqZvc-({ z`#?NRK)oQ|iiJ${cxGr*WZd3uif=(?rZ&nXo)+v%>gsJx$b^#3qgMu!I6}|HQ;HV{ zMDsiZ&|ph2yryeIL9aHOrOo!AHXyo1QW^gcMh8w6n|2DDXHV3a5d21TroTBZ+B%we z08Vy*pz%~K%yzKV`+ktvWrj;1HJle<)3K1%^5i8fX6V6+a(6nw?pLFY`-Y;pz z0&JOH?w=k9=H<_}CPj05!-tLHAz3-5FvlTx$dB+)08eb~4dLa&t+)X5#yS_~LM>g+ z;Wp$ishic_)>Vc|`it$)s`H8MNb!V}Zgb##BmNn!#IW|u1~sJS>L}%OtN*EZ@mVn5 z6efC`?$g-4!&pQIUZ@C|*ce2X)NHp&?pfRQ_CNKq%+-`?5{KiZrB_JGD|}EUK#T} z417NRdrBiu95q-Cc@>?6mo(`auM`Es9(aSl^{`e*5a)RN=#_d*fjS{9jStKlzJLFW z#;B7HTiPjnC~yNO-{#++P-Adb38L?VR=@ay={(-h^Q2j)bhquz!*FcQQ3e(0+>|Y9 zHu1oH0>m}jGqgWqJqo3jGPC%8k}(3pJ$ zkME{3HNLHmDIzIIo#3PLheCnv!LPxtA1AM-oC|>-*~MU+hpBHkqa=;GW0sy9)3$zR z|BuLHk|^*AMw1`Jd;jlfek%COOc$>BMa;puXYF3zkyL+hx!|9obb`KBzv6rU-}8w$ zdbGEtEG7H>nd!g(R$_nJVD*}wXHUW<<-G}#h+mD<*}tbO!{M&FFF)RZ)p>*m&zxvz z#FAZ05h?yWT||(=8joPS>;q29Ka0!v(w&@3LtOW5l`P-JHV5oAw1m@Nrf>8;n!8D% zuV1!2@M(hU1iiUqdu^{o=f5vUwd30mu4;eHZZcxeCNpA61vYQ{l)}meC}e#@lTWUc_fF{IX`bW z@xu(|@fkX4o!aXMWSR}uz5fw4Qr0rp<#BvGR9byf7)@dP#Gx?TiztQ9+ign|LbZr| z3Kf(}ar9Zb?tfkNJ5_7u*;|#XQa#_FU#t%z8Tf341l(nxeh`xswufol)LyyL zXxqPT0f}^!GCUCXXNJ|!Qa?apJ|Kr=*y={0)uWB#P*H27w8SKKfE=*-uH1q5{W|^N zKAWdf93L}T8XeQ$@ya9|j=L~tK~H;r##G?Z-rmlJmR;?lLXkC-NSaX5@$4NPy;70S zJ+d=DhF)TnegeO<`k556JT*16Vb4N1f;^l)d22m7*^z?WZx zbds(WLsJ#I(*{0skz>H(zQk00%h=tEiv74PKF}>zL1lhU{HxZQ76>iHelx$^ZITVb~uf={-@RtKIKnR`dfAY4N}if16EA?<$d%8 zR|Kn2_O)GSHAXlOAT6WhST5x#N++fZ?9!i#-U_M z>rRV4`n+e=>T8QMhkuA3A<}J(Ejqw+G!Gh^f1tdvxiy_Kdy_h4Jz|%hZ!$m5M(t3x zxS83D2IOja8nTc0`w?8jH25mbn;Ea?o=`vS4yL)L5_}UZtHr6Tzl(fxL!&H{i{Au{oj?WdPy+PL>@|_VjjQwl-fLU{Tnd z9C;Ub8ZMW@mkX9w`!YfI@go{emSYwx8&~XgFq)YUZ%Q(0mLzzpKX%6E%vb30#%vVJ zfjJR{4o>vM+Efx&o8CGJhuSfNuDcANcj&E4ReDky~=Rmrh8 zi@o3UG8z0T=4frQLL!OM(#gw{G-T;rpG^C-ymDa%kf7$CKieS06M-D;+wlxzuY-4a zuJvwg4vwlAMl24awdT`40XWkrUf#&2YVv-F2-&70#4U+xhV14S~-=6WRZ2wl(2JGHg(8b<+iHtto;vfyZ-6MuCxy;ldj>PwEMm zZ;1*u6rbsKS zvlQ>IY31pcq|R3ELc>@Ff3-q)rkCm7i=L-LLuCw&KNA=p913#)C$H;kH*w4D&%v1d zXt8bdNHJzybfCWfe0)}$m1s&_U#?Rq;`GrgSe#CVh=czqoquzQQaxE!z8h0OLeKZv zL0v*9^Z`q<(|sPVrE_PO{la*iX||+62{$Jv@^KFGw-&%PEqgx=pyQY2m6`esb30Z= z`5A9o=j%6nr`*+(wCtp6Kf4EB=KSJs3~@F9q2(#*y+Xc{CCS~USUG`R9%RRM$_-BJ z#UfIbi|eZK{QF-r<0)fbz7}&FBy2@=*zQs+EuIe7Hsx8s@EzBq|F zT=0AZ+^6@vtK>k`$iVC2s&ccnrV^;Lu4DR{H&olcMWGga)wcD#YT|*COl)`Xzn5>N z9x$K&nB-l^G3Pz8aQHMzJ7`0tN2aV9swwnrmbp7*-?vC)r66nqdhMdxB!21MeJ=~> zkh=^T0rex>Z1dH;3!OFD z<`06z5!}32>gADGOgqp3_Uy=6pf||>ey#OjFSjK@!OH2WLbFHzLyGD#=`#s&&C97C z#{Y=?m3v{4aPT9KfBp+8e<)vtzgWhvedOiMYa|!!D7bWpB3oQ33_8YqHkv9!c(KAXA-f#(+-MfIj+2n2l(XlloR33AEZbTP&5H9mc>%yfn* zp+>zTFJsJSRYbjGh(Af(hkl+nURJx9jgj;6ZQs7}Y8QEXh0n3ct(#j*>eV5S0+^OCpH`cUjxAEjCbq zqHr7xb`>SuD3~g@4W|VB zm7(ZK2eUo8P z3v54eX1Imo^(8WkGnC?6Y)=1TgfgtP=vQ;IbP;CI2uiTv5sv3-B~-_a15e4+T$oyU zUN+eYRHZvL;a8x7Ik})tg{~4cJ2F_^5YP6V)b|?1@_Z?!cC*PI#r5uJISj2H9o^Z? zhEtnS`!P*8No?fSv0sjZ?Pr{e^A$MpEEpr_UXGA0&=W4;4F8iBm}VMOX%X}YZcY{4 z;2Dpq{!z+f$13*gPkGEn3%8=0LFy8E+f&O35Z^%c#P2^M=I(}-KpX0O63NDhBAiXe z74eu@?!#Ya9zkOONEC^U%fUvW@t;`;dtXi=b(8I%hacE|Zu%RHz9v)%1FoiqY94Zb zYHONC{e=`aC%w*p7sfKQzfq~_F#;>9v3qo0XwVO^jRw71$kuN~!dfM(*4hjJ@eX6L zm?^pUuoo87fT@bztPc-bVvpo7Nx-8Gt%9V(Rjpu_7g#)DS6*_O2SL;CkAcYw8(c@R zfK1uDf#K6L_%!?Wx}b?yW3jb~*%1igh9zGvS@nOVys?O>dzA4F@5vvdd|V~3$|N9# ztou zR^EFuE4~w7WMVi7ZmbV?3QXg7u$c$R#qg~)WjJWNxVZka^J~o?DXr90%fVMm=w%nt zhZ9L`3%JY{+O;Iv`>Ca>pzEpca%vc2eD?b6&J)eX%gz(JA+2pP&k-Y{zN}aTl=b_N zN^PX%S9@Ttc5ADC6SJbEN%_dg-3oV|Y1N7+tq^KrvSbhG1@B4=BZmblJq~OVTOmE63=>AqjK)#^PLuFC{^l@aH%%Ey`jA#Chz z8{V+Xs9P(4;bUV{BYSZ%j@8%M=IF%%jeNozq?JF9v@txZ#ADqp&Ye&6u@kGsk@HJY z<5sur*N;TsEYBnwS!Xyl)j0kW(w8_}uM{Q!%aLC8=)KCsm*91s;Mr`oMj&T~4NhIA zmhnIaSkZ0hI&+_HAtgTyfI=)~7uA zl1AW$CI9TXajuKsGgXzp+kT7yT)2XB!C=usXE#zGH({mV9ZPVwk-g#^kW}-jCR;1> z$U1!YJju|aOK9W;1baM^tzMkYE~AfY?{X>-vXMUC(L<&5|910se^O`t@j(|;aG|EX zD0gD<=<@FGYR1M%#gxk`PM!Y4H_3j& z&QE&zjib~>DBimJ_8>;F<^FgUi=Ji4FxX` zF#Pt--(%PkF%>>YxqB!e?kZWS{B^v&DYTWy)5AyibkKF|>u@hK51;&P6A3E^CULGqa{;2wXAmy#@Qanz6xQ+5!`9eQPK7vr?IZ!@iUL$;&v0ayUG4}?h{D1vh;r~P9 z{+~MD|9xD#{~xZ||9%YruX+2l5ZNTLy13vQon81(u%6%qMU|0KRF>tf?bFSo{Zt-2 zyI*d{C#hDJCGemS zH<-A$DlR7cA^DrknBzk0VRrLI6pN7qfnn=Kg(At(<{|+`2Bp6I`M^kNZ8H|#RZ`)pc%^DoiKnvQ1cc|wTMu(F5ZUMH+*b1 z8R1Mk3;Y$4!rP%3pVoBgagd<)QN`F-{x?srrBY!nkVEi)OrJhvTG)9CXg7_ZZ-@h0 zmF(aAK@nh5d1-2sfkB_ik=lHOE;R4gx8M%PmA%`9^gB<03^(D-6B(F$Ew4zJ`P_S* zRd{IAN+t3g8ulm;#R=A3n^t7cl_+Z-UoI?eYC1FoKhDrPrG@wqhUzqMn2<&xYS!$;cT{BT?Tk;lhE}04W5(=n|oUkf&sCwOcr*Z-^fgh zJ42U-g<8WX5G8ZYjc4!Z7ISHqb2mr4yH^~!#5NcWC{~VTx)&UhI(L5=Hy6e6O5IX_ z9-c(J3?Xe-j;bO>Uw1m-J><2`L&hMEnR=G7H*70Okfn=#Fc&CTp7ZOJtDHCCO|KpH4;`VUwIn6z1 zg3f*Uc!=9eON~M2*@&IL6+}+LQ~c=-9YW(vR-i(I^FK3{L;ScOkMhAqy_N}jZ)s#1 zBS2_*{*IHpUym8NY<2j$$mTzT(pQ@{Y}ysOCRLGbL#QtI6mGw6Q+TchP^Em~j_|2s znA^UKeEjkaAN*B+f%~T0#pl6rSAjvcQNNp?%Cc(<;`F`-=QT{lgZ`&veaNc-{vcYj z0?u7LlRFt6?jB`o4|pLjdJ|9KWMzO3@H48v?kwi1yDgSV%4!NHzo%kt3cL#dQa&D>EQ_ZQ)t(V1Ia3I9MQ*NN>9 zY+GD;1W>8~X~uxqEU;~#>0v<#+O#jcM&%%#*^Ju#$S_5H+RgcSS{&_0=N?@-jli9` zxG(5I&J+0!rv=fHc)97*Qb$Pa{EvqxGTUgFf{UHp64`LaNy3%?sm~M&gT0^7pT+U# zqyLQq?VaFqYI=l_Oue=OZ`--R`{)Rq1f85sw($U~NH9HKZ1q{nzollmWn(YW0aC~W>UWE zDOX0_Rzmyo;Vr-aBl;FFY_+Q&{Y?YJr~CCU8e=3?((^IXCrdZ8AJN*N+{&YI>+U^OUcteMaf`bgV!g^49{KtV7q&E(dpOQ zG*Jtmf;0;n6An=CqNZ_*IrCSNU zBj1U8&V5@;JYNom*tj^+GuA~KwJ2Ac!h{zTq{VREx7gzb-?lPIIByBaIgBm#KD3)GmE3mw*NpuVShFGrMo^>aQnhfSN2$lWGrJj0H=^vp&A${P(@wRECyD z7>e#)Y-g7XLFSdR#7FwoIx)S)Rjk2yGS?`jpqyT!r80eswB!U~1H?!swte`R14jOo zo6g{0J-@*$vf=7AjdG)3szGMk%A)#Rf>PT`<9=$&vny>x+e-HeE{CPOs|BvGrr=8`${odMwK zs8j#^lf40#wlYGiXQ6OjPz;-JaCRhz`s=Qf<1y`N#3Zfi$MbeR?q^r|2=|5u4AvC8 z0wdQoZgd@B^ylLCRraDX?xqfYrr(J#se-JhEA^{|c=Dr!*Ij*P5JQPFbw&yE`64FpGrdB0t@lR)DbH(bw0C0rtG6bJWb{=Edy?)S1L`qtlGaoq#K;oQXjs>de3x} zyRd1N8Xx4w1B%(BV@eohz5Oo3|08+|zqy<_eaw+vWuChB3;KqEvC2=h(9F1(X?d+t zKOva_Y@k6uP#YuOe6t?iFlbbL%yc zYDovTjwEHBj`^k32#Ho;3-$EBH*c6@KdU?NL^=VCn6N)}Duj?sd9uYnQF*e+$k8OulxbnhX%SLdRAh>-11U&3HY5dblC)+)iIJ7n z(gJuOPy5Y4Dr2bGPm#>nclda6qnz0;gP#=T$!j3Xv90@G?7e4DQ(^Z#iXx~~LFrX` z@4bpjlio|{MF?w|99@EJNMI_ zxij}uX3oi+oO$w`efHXWueEUQGw_vod>E;81%xin^V{|Q2E{Lz^$5WsryFuf{n|Uyuk%CCQ-{4 zpH0Ip@O)DrrQq+F*HRlYV@BJSREw}ij!&4^*HDZ~P?9{t+ zAE9`}QU-$}6z;sfkP?>v<^Xi3KjEj8N^Io*PZJ5z+K?!7Vc)1O5TT~t2H(E`oF|XK zh|}0#Kmh9m4nH1G_yUL4h zZYQ^8bOrlK4JF34ARJ2+`BpG=>)7wHYx#!z$VnxWdqGt~QSCCO%jb{Aw68<20xjLM z1ewn3D+ay}jE3BPz{zw^=}Zs%0upO}i0$H?t|iL_|AuBytgFP@ESw!aL|&d&k2e=1 z;7XiPKLPncspNSUbY9ic7J1_$PKWRFcb`#;QHu6hIho94dkW>xuU#ZCeaV{}U~ks6 z4?MO(eHI-Mzhw*l>QLGsEY2t7l>b(&|3wk3BP&LwBhH~gc#QipRMG`3bbD55E!9RC z($@a#A6`~_;G`aD&rGdy@~0rlH+h>0OO-)nTE?#D;zJKyc!~3E27|sgWKTnHT}Y1H z%pI7TZsRG5L5VvV4R=oy{W?MJDqS&n%N(UzR@R(%S zK4lTtWYCzTI9)2gtV(aTu9IikIwYxF`~}{y6oltMKIQG^nL$eO)`H6icS(g)PRc<> z2#)F$0q}y+{>gFKj_3$7$?pu^t#j`?NcNUO} zkNIAV2>z1p=OPjlsLGt>?}${gdXAr%5jW>syM!YzkhhHI_)i`xwUwSJQR!{b%=4RH zZ#V;;Kb>3fsYkE7+Y8H5i}zmx?PL85PpIbEvbBIQ^CK)X%=0_fOO8sHdbw>^T2L;j z$2IBiMM@%*pU1~=n8@rMkErrM{$va6rpoOS0=Xb*j$pC?{p4g(_``s=V*&s0dKuv9 zQ$M@=R;TRW@(({5nxc5Q3b(%ypGo~wmBQCh(Y6=y^yt!tbFcDJlCO+0r z;jqUC(zvR~x62}gB=1q`-hpPg$5v%4Psi$UmUlP=RyoO@O?mSQl&`z3`z~V3OpPYf z)gMypefQ{PRb0hYj4gy*(1}Mu=F1`OIU_F+rupio@XDEUbCF z(}mf$igFlehR)OWL#0y9WuaEXaD?;<*R0d?Rv%IwMqaLg=vhkbeaLxsbno|(N_i>u zh9mScGy#=fvLM!!k$A^18ePTO5 zlH6689|)C-b<)>lESA5%3ebJ8A3ehvt<+#^xhn!VC?4?CMf<$ZYwT4VMl5OHNhPW2 z+})PusgN9aYABmT^BG~(+V@FeC>;+MLU)|Rx(-e+-4)9P8 z{)Tggf@4W^VAxFH2d2xb#!)_%-)7`v3~2oP;Fjz5fZ<=-w5SDtS)+@%m3dVTud&J_ zk&Ri1q+-fv>PfG~oMgpCz8#~NwU)b&yS-EmlWb`r^Eyiu5~*lhZ~q{PKi$@w z`+mKq@Voft#?sstBMZG6qFbx;Xj0%%#XmfY*7{Js8Xte=z>SS?RlQe(pSE#kIN{Cp zS_O+xt%ktwWNWf~#@CP5c|j*5a$2=>L^+rETf?ZL`n{}Ju{UNV*v(_&J(kn&EDvMT zmPf&c^O#b~$7-`yShkN$1PaHNgsFNn_F1p~;q~0>yxxRyMlsK20%MZQ%chMZ8g2at<|ib-X$-MW6#29DI` zZ^{R0aj{k37Y{F(tcu86j2Ge->{kA?O$4nZuKJ_71$*|I2^O}IG9!vTh;V3H&iPmV z>sc8|s`@7HKQSQHQEy%d$|U+x84Nc0nMA9eMz*60XK35xAXWF!8Kc}AIksQ&Q_Gkd zl-m_lEuN;PWu8Tw*t%))Q;|@QFPIQXIQ_Lzr>{rXH^0@5sxdOQ^A@oGeD=fa24r?_S7>%%D|L@o@)rcJ6{pFK03+`1g|Oq?Xm)T`M&s_62f+e zZC`mB6j}E*nRUNh!97c;MGnvL8s<;sbY%i-2yzhd!`GM~3PU&kM>MJ2q{Rd4ZTndS zYYksY!)r}4aobbWvaj1zKFPd>d(q9ni-kms{msq55OWFC*A)=6uCA6fD9&=QLB$yb zgBr!oMh8~cv$43NO%e9U776tOJV~TCg_VroTX@Msm%wZv_Ac5B^G~sNJqP{Lw z=5FFw5G0|C{l(K`$(~=#;-rea%( z(NeO~v0QgW0C%w&=45~KK1(PKx_Um>T=6VtTQ%Y=hMI0I3ejUFQdH=BiAeZ_RbIL` z(+Y92SWj|ARi2G&dWgovovVT?cb+3NX_s(~?q=Xmu!paIYoa_VvwcdCt0!Z8IA{irC9l z$CpIYuRnKFd)?dIp7?l=d3sf-Tgt0Zw7_yFF~k$8D5Iv*6w}ZcM_JKw$iRfbN^l{w zxMNNN(d_Hf^INYqU_#jtLnJowBCQb;ZVTXqixJNjorDt%QQL_Qv`2j#zow-WhSz_Tp&>P{nk;t%_k{ebPo zPvq-6sOJp9+~=GNb9Fu76(w!=ikr7h?Wq6%Qzj)Tc}BZpD*87nT^sV)F6sEPB9|$eFaE9TK(1SK-jU`q)5mj>PDl780@ovb`rT;PpN(#%y4Z)SGLzcxnhFen&Q9ESYvgQ;=+ z+CU)Epw)bPwilU$-)pUD66fhM9`3qH@6w&DSz0bwLU0_x=f|C!7pLEg4;s%r$9os< z1RPn!fe1@mPYCPNI{$DMHVqsHx2ZK(vDC>Slj4nh|6=}pa_DEp*2+AtR1=Ki=9<~z z{NHLng4_~rh|n|9wfr}33`0KJVpYqK(b5KXHV)xrZ|HP0dzJ;lUuWS@ceS$JhG~ZX z`vA|36?|pcok$~&eHVO^SnaKz;EsxzcO!zQ_dIT7 zoy98Mn}4~$G=sgPpEFvizYI#U=G|k)cM;Ha%%Ji3!j{nVHd*mBMP`>#H972t^|V5Z zUq>FHr=TN5(xv##@p5K+NYq&f+)WuP`+had7jOf)Uiy3b7-ZOqMKq=oM0FE}w6B!; zX%^IWbF)=XNr92`zPg~dE8e3_8hnEx-)5b5-6lPk^M1UEK3SNQIKW^keZD;?d8}~d zI0NI-Dt4`cF27!^-rOk@v_4c=j^i$4auY>Qwhqb2FdmLg?pL^ng4l=SxyNPaKM&ja zN=jlt-1k}NM1Cqqiv_9el%M3y?IKF&$wwSZ(Qf`{Ace}hu|}``aRyYTu>kHL%Iiiwu%F8KpbOf zeB~MM=}^_9Hec@j9yEq*iBFjpkzB0MzH@?qcq3`& zBf`LB9qKGuQBAI!5G)nT->F(>9NQx|l$L7IT;6~5V?OgfI?iiC)1k((dCq!ZY?0@T z=LG9ML>SqCXO*x(QIVYiHWl+^lq6Yn-m4H?S4mf@{QL2GFwz4taICzaEI!tUk0is?HyO80-{ z?@jnNSEql-8ID~DI$qp7@heneT_PFqDV-gKgy4Zo%l-((PyjtvTX4wW;_}|{L zFk=O*bOGpjo{`qQ-?r+(LC3Msqe+0#*bjiVM(<09(FGHALq4 zT#wgRDZ9lxiebioctjDSBnO37qzih8dbJZo+PS-as~B&+oUhocbxu*x+ZzH`^VW=R zIeSk54*b&~-*T96wdK{kuAX2|q;gCzu<6757;$8$vu9JU{a7L6VRw>*Cy4HPlOC zZOUgZK6BT-VdICJyM)STncj2PQDLUk>&N(CpfSfAlX;p~njoq=%uZ$BVSn}XW@~)x zY%KRvm*s?s&_saghx2A55!y35!?R@~%w@dKo6s-}P8NwH^!!TE;c;I6{>i6d#Q1ZU z&<{111j9Qs70)JhyoYFLK2G>DExBk604Hvuh_x7u?HA*ish? zLA^KVQianI+x~uH!7l*wq&%$IPYV=VUhaaL`t@Gp&5sQ$2$32az})1so~-h|&-D-N zo5-hb0gT2w<0TfkHJ!?%a0^b%wlf%iv|rlpUc|KImNh<*Cdq@TzVdaZ#)P#EO;phN ztiv%&l$%^=NtJMR(AT~$0nY$t)e!epzxtiv;%MH{nT?-+91mb&8Dbg#@P6XVJ==fu z1g4JkT!}7TDa#>uVws@iBAVP3p5`>WAS#JlSas13Ee+w)Cx-U5?ftU7;CCPHIoU6b zF`S=NG;=qYG-Zek(BzPIU+U**<juaz5w?>q|H!b(h{*VrG>uK<8&zckN^V({Ob z`1|lr_As4}DmgSB9DJg#}g_?-?)U}SPs}toH!6o8^ zwb(mlDgM$cvWUjyJ;Ak=E>9U!_OG2Nwd3p%Jw}{a`MApA#xmH4J<3exec8H7mpMpDK3+M=G0_o>u5mVQJT*j*H2*qMAGvUExpF z#gZ%%BMm0KoDtbl2x+2UJ^D#!qEj=M>l#M88fevrYGj{_c>9ZZpE^4=+n@M zbm;xZZ2Uf%$}!8r(>smZ{e8yqhC%s3XxOm3_N6SpCrD{?KFkAroP3CBkFu_)%Kwej z9hIbJ1zn*-@9Ha2#{exlf7h9Dq&j5=)A*ij#pA-yk%HxmwcN3_vU@n^F}D|+*|}r^ zBLrwNF}pxxTr5q}#3nkV3jR$CA8Ot$>&=Pu&(NvYKYo~JAyv?E`~2kXTu~qG2&BOC z{d(2>7F9u%Glf2uT~^`H@{4F8Ok`og2~}BWtX&_Rc|0P_;vDy+X3Q8zW8s?h zt2!MabVo4LmEfwmA6D~{O-&`e29Z$)`(?rs3kDug_(%Tv-IoC*q)=vu;vH!N%l5y2 z;S4q&B_#wIU>D2GDgy!Thh&{!)WOo6#Bj z_g0wHkG!(Y;(X?NIs0bj z)|Si+au~m4d>k;eV46ws+CIrVJwr?s?pS)R+Kw}Z+Pgb!zpM?tEEh_BG_$Vq`HOJS zXZSCzW>?RYca-1UcJi`?h9)C_dfX^^PMuMY_|C>TFtpPfx70^(K3f&&XLvT^;!IE> z(oO3~ob6t=^G7RVn-7K0(w6<_b%eh)j7z@fz0pCD`FV~1yl94^jxr%fd<=TY0Si7= zmN3+$RDj@2Y-G#NK6I@E7=nZzUYo{H-?(BPrRbX3r!noeWtFJw{|%zDPjOQsNNiD% zTFha`2cDK@hlou83v%SU9!q+bgD7F`TQBscuUmObaiJp9K8>;e1h!P@f%F@@=N{$f zMb%^LU`)a@Ukumu2%?Q3ZI2SItBaUI+B~!OwJvcd26`$lw!A=MZzsHt)c3;zmu}{i zabwTH4F5?C7p4EkXd$HkvJv>?L`WI@3^Dc>zyCG<960|cgr&nA2QIt?}AUIc|trsHOFn+&^4 z^^lw28&;kz{Hpz9*k@mIHoCX6FOsOZ_~GwX4H{w61A6e801!IC|I@OI+dSH{WFefU z@Y=GTIG9Q3aS=T8lZ_Va)6tktJrq5FxAcBE`SY#C;v1`2sI<~pDdCoGy*8>62f_O5m9;V)7L8Qg=skb78 z)=}8M{D#y`+5yyOVqf!`b!RYi0Y7jV2^#GJRH*g&@UgtIoOmwV+L50c<@1(_jes`i)Ts(BeZD?FP}}p zm>v9MdbXRDc4n%MJ3FWeY8J<+RM^?~X)Bmi1ZdzGOuWtLq#eH}|4LtN@$T6Z%fc$- zUU1LAg{tZg43IC|G2chkw{f;LVYj2mg};~TYwa$m|=o|I?Q7m~jwiY^GWjTHi`kr-MVuxfZ-r;`3 zg{eCRn@`tJ-f%+N?*QwX&ndhN68XK163w{T)^?RjZ){GY=H5X7uN8;IaSA2eq{t=1 zEec?=P%_2ys=#lucz=HCi5f`d*pr@+2N%acetsKB3Hsx^Hj___n}%?`0T)FK z?LQM-Z4MVA*T{ZBdpq?j_Q`OOuX^)W=B?&jj||u6;@;AKAX*`vE6#-s(vCeHVf532 zfmTYre0|OS0c*Ziu7&1tTMj*|dxLwO5}O3W;!S}wviMZz)6>^LzIW(EGdtQcM? z9Xc8NW_#HlVp&pLZ!_E4jkmVAnMOVejE%~J&xM*ihVDtnY_Ady>6#nPXOJC% zLc0Pm!*`-m0nBG=%X{B{cn730dUY+F)oh$kWzd5%JsYE5jkMX&tLH~5)$@DL&$}}A zDv0?dMv0-VUwIF$P-rkvh0a{P)N=>QclCOL*+D0U%84pvoBjg-P$v29{H<{|TeX2LJG)!{(>Ik3Hi_I|Mnc+=6bNL&2?g&#h zt=9P*b@7%?C(#|N^H#k#al+$@S!R0X7Y=^%>??uo2NkHs#>6)ZRw2xL*8yX!{HuwH zC!ze6Efy%TDzw|x)uRis`ka@hN?Q~--i20h*`bGwLBF8mCob?Xp_iPF(!9A^vCLpr zF5k;`PwDTX{{Fi*Ee|Ryt+k7fjt&|&V z8^I4@4lc@bm4a9+d@xO?_QMsDjDyB&GC1p6YkG_T)v71B^87nJ`)G>qTSB|VJZAL$GJA>W@J`JLz^6tK~w|tl8au**dUi}Ym zIDb#+&*STD95kI?o1Cpjf?Xa#K}=?&ZEv>TM+ia%L7a`CW(wMikh%NcGYB<7J1~x? z!({r@3Yp6OK+kuACe|eJiQ+Mwnqu#{v!}Fx_GnZd*@g{|POauXPJQ!cdyP6>j)4~h zXlA}eJEp9ug~&oIo%j${7fzSfb89dYD)c#<@IQ=f*~X)WKAUG6Z-j z)gR>pLW*?V`x7`nJXi~W?2G`L{Bp~Eea^vyf!qP4&sJ+rzL#qGJ+SnPe=PJmm0)Gy z)CeP&tvNEq_E6qb2MbiXx&-(US0dJ*C1|uvLFh)ff0YWSp=?4uLTk>BVUOo!st}uV z%T^jSNx{K`0EpWRr(#~PPJe-OGoeN&M7|LwuTz&UX4Fa(uB#@hX{;AFdfri0joezxYnOO3;cfu6wzpn+ zG9+ubz84&m^8~RQS4msbr<)GbB+R;c`HTDS0md(x*=u$_jBi}fkA&ZH%V6G`@Pni0 z^6+(yDOQWZLyMR44;t$_Duo{xc4fgeH(!mPq~#Im#AeQZ zFUZczz%*0p;1OrNsm8^J@Q1TA)r8;wlVZ1icj{wEOiT8B?@&nt*3r|Sz}Azlb75p} zJJM`<@{L#okTc0?1+g$x zS2iM%<^yk^?1)Ukw>@bS)<(yZEf)%Y0)`TR*Oj6fB1=$d9=C} zuzwmL!&E{0XZNb{Y(rAPjCutmjnFuAyX;6FVjit8U4lVFs!31ULfQBM(kQ8Ej*Mjv zb%tWWF)yK3QA@$AEz!+Ph-Ia_z*oLOW2Yw?Fo1Dz)vV`MN-=6A?%Fr?VX0F6`>rh} zm@{Q$598?BnyH-JNmD4tUB6M*jV=KY*{q4IZP6?t692SW&@2f(Q?#HUxb*exi!mK~$%>|L%JzVkck+(CFNtAAUdU)Jp2 zV6JBx+hn*@il$!Hlycl^Gl#wBA29rlk?`%AK>XT9K4jjy)F}gmIW;vWlSY1y^{+q* zSIodG(p$#$Uo}52T~&xN>)wNb?We9eE8L#)L%k#Z;rTKbL`nX97eV_+6vb3?>W2E= zpGt-*=c~ZgVdUap*U!@EQ;MmQ!olS!JoZ?-_jqzgWjK3Dd+LH#lO~tgS*mxSa1}5& zRoYhM4$GF#|DeLSZl5fU2P_wf0$jAiT8ZUwJI7MKAZkeqmYxn@uMpWJ$(Os0hyl`(DQVd(B5yzq&7Wn z*O_=-3H+Wk@gOQm+ntt3uc;^?mI=F_FqGQ11?2o$pP{z3Pn7B=T&P!gYx^!haq-LB zW$tHH6W77NPe!Pb@CZUBFp4??qw;J^?yFe zZr2fs*QYn;$ga?424M9_`f-H~0&^$Bxw9M#iT>mI*R<)MGqAa4)C@9gX}i!D^pFWj zv$UL_jOZmZQI+oK73)SwChFek%yF-|j$lS!2@G0jc=lm6jm7L+2Mkh(YKs%$={oz_ zqKfPd##H@SWs82Jcyt#jUW4)h^o(Ow&qB$@EEA&PdxkQW&ftGhw)Fz`CW-MK}y zqu{M15swu^U}DEVJolfTH$WLkWe(XIrm^$%KcMhGD^G8xBR9>Y`$~Z5(M_37w+#>TAPn^XEmZB$P!fULg6K#}oXq`;af$ZUWUo@VD8jnLYY7kmH29f#oK&6G&FBFu* z99Bo0s^)}7{gE30*e+{$t3!ws7B#7#>$ZO)EqjIliRL~Rk;Ugl2&%;j9 zGqg~}|8$;Omb;%cXFrV5Hg@^iXIWp@lqA~&W)rL3GkkG28S=n-?e{|GNQmNerz@mz z^JjIy!8ak+IB&VfPo(%=@r1PvQi;v&eW!~OcqK40Gm0bsecFBjassQKF^2OI_F;AA zcI_j>;-hG-?w$oJw&=T5KfZrAxUyp-B(>kC@ZRNC=YIfiK9KA;HVCJPjB%Sk+t8M} zvhMy-iPE)) z{%Ru|7^ksSnzCWm4)xsq!yC*&;boU)Fad+@{*gu^WtU$vxOQyyToO&OHB1ItCPEd9 zK5}Ae`?g?lAQN?Zr6;M95Bmxp-E4BTX7KC2@;~o*I4Ln}%Ie109FL!bQ?oY!&PS!d zvt5T%;68^`HB;{xw^sZo1?44JkrdUU3(TSPlQ=hD-;m&Ns#NAf2l3gtZ8Kk6V7ced zE@vYq)a~!1P1CEWvy7U}qbNs-r~9JO$M)eyn{}_cJZZBZOFL=jhef%G1LoidfOay< z>QR4Yfnafc;8o&Bch9yfjg-cL4A_?io1 zkTw~JVA-NziuG+ig>8iYRdlb-*#`UOdN)M+hfI+!Oi6W|tTb57x;;gKYMSF1nv+9p zYJxSNCt24>RyH5CubfE!5JY4$^~in5VLVH$!qoLUz^^L;>6iBhD=D5LIdCK5Cc!S? z(g*DkIHPOGNF#@>HWqSSaWZzz{E)>nBu_a?)z>>>A;Cdid&5Ow`mB1vl$T>>(5x`T z>Tap6^5Upa%bReTn;}V|!XRQyJ8oG3x?CeIZ_((I(yLy!_vb}-D@tZAGJGpaOS0Y3^FWin$dVjd(S=(9Y1181dLQzsgg9mfS{Y2TX~9$cW8tN-}L-B zDk4RF2ay#0Q20infm&y+<)+Z|tk~WwZA#jr6HM#nYvALrEyf7?CLBa2E=6hfwL~z} z5usP{37g-uHd^=Nk@oM|i5Ijr`c=fo!m@;ybLtpa=NyHn@t0;L>XtOAN}o6To~xXU z2zFt5eu)xskV&QOmt+8`d1i4MT~vI%eEs86vqT@be@(Xd6#bxtmj6{ZFuh8{%=bD= znOh13g|u1koK|cXfjTp$#J!OlJ_&y|(2=In0hv$c{L3;_Eu8uc3b1DLQMom?#Kr=q zvdRL}bz7D`o$m5{#4%he54cN~!z~l*dONcRJ?ZF1*H9*HS1p;f@Nl7PrdsxZDwerT z9HHiweYv?mo##CfIjtV`K9e*0mYw&YW>qimnQLehpRQt#yDk!0uN5DUa_%0gF(b}z zD0iB&iyr1y=#x5377HTMde;(O3T||yB<%_Qfz_L=G~EKcGfOYdi6-3p=p$Pu$yw_! zEF1o3VFa9qxjBT-6xcsgaNSeWUT&d#P%W(RX9}x1sk+u8{bp1$U@>nt&EF%e$)t=tgO3KgNLrPZy`xj8m9h5qjDUJ)c? z)Um!qN3rVkdH>%k7Q5F@4$V-YvTeZDTF8^u`eWl-zq#e&1_$RSNs)_ zYy>N_J{$wTEfrNWYlhTt z%lyM*>OQFOpH6U?t;I3OfdBAJITjYThx|p27NI`{zXS;#U_C?k<*W_2_U1h4Wc)L< z_%dS2t#J7F&cx+=wM_D9PWw^kYJ1RadZC-|xrhDAD|YM`=g({*`6lJ+?m?tI5i@H1 zPovimu#>-BN$Yo8V%a%bt>HuKhXMyxyV(Zb8=-t1Z$5l|og-grWg&n4gAiJbQQf z9iWAN!j?g>napK-kew*FC$Z}=p_RYm$W%t{b^W`n^341dTgTg7%jC~=sA-t>!fx-+ zR^KmsU4%3x?};v7KrkvNnf%=*;Ke<%^rKoW;QETXU;c3Qr(6)7(LRh>roq3-4_kPa zDhnWSa{P6Kayy%t**Jm0e?GR^M8_QFhZA4M{lh!S4-)#`+xHJ|D75bEr~)L!Y`8_~ z9m`^>R24>M8{*~~=_Xi#SJdx-*lOJ#z%oTIw-5@D7ul*Yht?k@*KUPG2u z^H=Z9r80;I6;HB}+`HafgAvA+p{OR>C}tJUek z@;|)K8GNg1n9>QyRGJgeYWa=3O}6=&M&M%smw~P)-G?xF2fi@FoG#JRjLLV1SMgrk znauz2&fG7KuYYJ&{A8j@{eHE(%IBWhSl=-189WgmVAO5PL3{M<>a74f)>e_mFWOtFS@it< z?4YJgge=r7_8vGFpLRrbwOoezj}T9#bc%L|i`yG=KCkp~K&-?zP(~g+s(~XAox9-T zU2wQ$;hY4Sea694@+a8IF(w@5SM@<=m@!=V(pG+;X!0GiDShUUZFpwca_BGFr)u#+ zIcCF*rvFo489L=z*mcyw9Xn1(IsLTB3a-@y`iHkq9&?A&L_L8gdXZRQ@8NVc4Ip&U z!CDC+87}jo>$mlVCBJRXRu*M;XFNa;?S?2nM7dK~VtRvkqw-e*e^c󅣚V%g5 z_H1}l(}hNSG|rIuOUSdu8sG(@XZbKNqRgCra)ZZ>XXdl$7cv+R&6E2AglC5G#dnhlh3Bq=>< z4@@tzE*ImI!8}C3oq;3WZBY5U_-<#_>nN!#uJS7egPI_jNIts88fKwy>oAx0=0vWB zy3tK@p)<7QJ0SR}g4A}8K9+a?q@tW)w=uEOQPq>D6SR@;HsMyQO8uK{XGHnB9fsU5 z`9L*^Hst~*HhhjBW1oOKPYw&zbc(!1;(MutL(F{7(0|+Vv5lmi#)k!bmt+~p`!f!y zpf4pi0XQYMii+qdVHf>mfjGQ*r83*+mcuk+02P_`x5k z_A7%D83=i@LuM6ft$mZd?KV-j?R0W}z$K0>2MAQ+piQ+j=C0uACqG9&;13GIw9Q1GF{` z(e*JUQET$AJ~qfG4bDpPwAWf|R}kN}Rz!5q75wkg<^ObmMkF@9C`T80@00fJmwZtx zG^G_zax&_gIh4@#8UMmyey#dwInhC7T;EQ=!QI>vJYht;a50sl9ifqHpB|;|=J_Y1 z>xl`K9s2pnz=*^)(c`c7P~t`95bupxuH>Em<|uzhFAC&8Jiniy8(yb)z4|!Szner6 zyu}n{kW2CK;c?S@Urq`0p4UfnhEYQ82+zl*W>NrYvr)9Ra{x|N2>CP^qQf{|S%WkN zrvU$Rfh5&+rsw*q3`u8gCnvU8x9+@u8+C|zOW~c#otm)v$A}|_i2-6tM_9D-is4|? z$Y%q1W>l+IHtMscCd~qR=12DV$IpI=nN1MUiv`}Ew+`m5Wy~wa z%~_8hv__IJD0M9rx+j{oBuB?RgvCh|vt0pjO*39wr-y#^5#Gympg5&Og^ zetH2`&~nrscJi6vNQ)YV#2bO@IMT8saT25K^xudtjM?jYW5UcZOk)AXfT0h+1QVex z=JxTNP%pN*&198h0dQd-{RytRk=TA;2{-5EjN1Wx64|4VGekdGusslNg2wUl2d<={ zVxQb=JqebCOI`jKN`KKI(tfsQy`9T~OR=aFRZ5da*9j)`9eHCqPa>7g{NEdSW6jT* zM&ORzGZ7fHsyEHIbbQCd3N(N}P|$LPOLye~9ZGfuRz!WkIoMOq0byl`VZ8ibxHvAn z#vqOIDN7{(^0}dxYRG4wJ-W`*V)uAg7w3a4cG5W2hWcnfy+;`$zf1pEbP^s$FQaGz z+QO}+eo+il+{g7S5{n~bEyceGeM>(#8Kz;Bl|fPtg%5+?j;MDbV1Hqn|Kfapr<%&xGb<-UjqwV( zK=UN`y^>TNr5R1ywXE-kI{u*#LURAJ_6_G|M6`xHZCyeH|2bAbyX?UbMwB|LPowm3 zo~(OSm8!J?`4#UzabTcbXxRU%STSHBE1K7+Dmc11X3tT}DbK>;cTf#;+n}6(mJ7O? z;?+=-4y1=%yTI025(Q5ICa}0(fd+3{5-oQd!-cu5&J4ILLek5$+>1NGAQ$;Abyqa5 zl|tJKoB$p$H0Ql|`$)@UEy+1Kg(}3WyaQq8Z*T~GbUj^k{bCxnwx0bHm?`k1ife(* z^B}`2j6Ml9IEz@4JCySJUDggvl&G64T1>vpU(}A=T$Cw0+0`8oe49s-0vG!a(q*;= zvNpCxJTB;FOvTd)vuKJV+YEzx_?+Hsxq@7xgP}S%taq*Anu4fI=g$yF6Rkpvueo*s zuCD~AL`NFbYYOsL#0YHNsFSJwAWZw!*C1>9tpD_kc_r^t8*;+_!)jh z|9e5s)7DD1!&pX|luxU_6%Ng$aPVX&#d4S}tNGP?m&||ycB59rm%8~5Y4HK2nJ{s9 zm>gotfa9xG)Ss@%ww(p);t;h7VxEtKJ2}B2Hx+Q;`!_oF`K!pM2lKXW3GdD)2dF+} zidAyG-H7=`*66itusCdr6a6;hI5J3>0C4V*dT%#6{1;yV1yA~2>Y@Uu-Seujj0d9E zZVa~={vdYBbzO7jd0`h{s=@M3Q7N$L%$46+fyAyidxq@WPV`1HNEIsa>NAH*!{y%% z8QbfUdUFTF1Is^M0e20)H?nbX__V~uZtpT19cxZ(1fe%3N~fZRS$mp1Db)_;;PNw4}XX7O8kY@xnfjz0WG@utcr7G4b-M}fDt|w28A_%@B0K} zQmW!2o2Mr=@E+E4M#B-#^h&8*^~5X}&ZAN$(QQ*xrU(t#o=lEQPLpouYFj#4fuo18 z=K#>0B(Vogg4CL`BApI{eHnn^Be;8oWW8h(ek~7d5P?=64;z&$ zeY`SMJnALEG0hx5RAY2h$`q$7P3xTERpSMbL#_Gke%?4+MOV&ia#lh(T4VZceM@ox z&~#PIyFC^LqWmr4{{-w9vIOhwyxA1~q%!1vopt@19BXE3Hi+nlfR}Ruc%KBe9U8hV zB%1jqJ<$D)iTY@`nCGi4Nvx&u96j*uYvb4=fu3*4rgfcec$PLysxOUMFank!UhW># zut}%5(zcbsoiCZnb5Yf}Ua_s|KPyV?f|?7!asG^e^UejHEvn?aKq>Vniee!lU(V$c zlZiHB*peP`F7-Mtcb-pC)5B6NhJ1>@1(vMvJN_sDS!vB77yOZMB;wVm>BE0`vSm(F zd#rGmwZ#uY`zl5Qpx_6aj~1RM;siW^!vEoMT%d*aHpkvPMOy;&+`niKh?-(XlD?iz zWj4Wq#C_9(=+F?n&EcuH8=5#L?we~}C%wR4fF&`QvvJA2N6o=_b!qe79(`JIT*}wnrCKx!7O)_*{ ze?IC7#7$$fw@*@Ey*qp*9wlpCG?@;}z_=0|m68_ruMje+$;~uDwtOrBQs2c|z-rCO zdayN1;(6U{zb|0LtVTb~^HI_BTtCUMxv!Yt#6ma+=&|N_cE1ijf%@+9b&al0 z`scj#DL#7&AF2GV3|%4?gUv6Lbsf~vdEKl@e&q|+RxQ~k@EyS_PWh~&^ULE^UO)K? zw9V8|H@r^s3tS^4tjFCV*<3_$-!&5sLrFJ`1uz%UqWD)a0poiRiA}Ueo3+%&UUk|H zCvp25e+Q)+47{(`8G6K==&k+_&-J$cs2r+4EKiUB_c2{{#$itdqg#2D&5MvH6~F?M zrbgW-S9DUK%^j*A!(P?jl%d=Vf_ra-ZQrcuJ@6eMfZs@`I8{qk$j1lE*k|odzKi+F zol>1vOksR>_$w^@2mkZmf*K!3=Iif4X1nT-VCgIGusV@MJ9>`}B7d1cQ?`w)#=2Oh z7taF^ZnGQX7Un?koB@|+gVQ3HRptAAdlkfU!qEjH`C4V3nvC&v?@#+-YU}*RVU(Nu zuE^*2pF>(QaW2d(F4GKJQv!l#iY3OPDI|6giuop_`+ry4k#SVimkkulG5a;N+iM!N z=ttj8LsB10d+z5R9aVp6Kf}qvY{E1PUxg5q3Rq)?SZ(MFel%|N9l;2`6?j5GK4p^t z%|F(~Dj3E3fYQI`dWv5VljjdhwVvuyJW%{$hUi5RSt|lMQ#dbEtOERN&xrCl)@5NZF z!nR8OrUTMIOtL?Ny_@gd@_^1448Lp{j zagU^E=+Jr7h1TDAOI7@MzvMdzv2O3s!KC4DGX^&s6nv$lpiwm0Ea9tqy1K5rWMwwc43g>D5&9NV zLymX6usK>CHB-cuO8_+&#T*3qdZE6@=``gv-8a-k#}|0IYqtVqRAJ3#7nWOKtxzxq2{sG3H$_aUWw9G-UhlcOaO8M98wi-~y!*i!lsxo)q z0M(PIFYRCW2f_-LOf#Rdmk!J}_?CJdaFh;TlLv#`5$Bnt~p^$TS1Hb#Gx^)X1Bs5)ICIjdR3sL1(= zl!wg-AC_%g@yBvM2c^f%@4RQc3U>2BBF+PZPiB3Ks>RRWF{guk`EX_Z;7looo5#FY zeK*|s^UI1on!^7Fac>zF*R#D1LLdeNg1ZC>4#6ElfW|dJ8+UiN-~_keZUF)fK^th? zy@NHb_H7@3uE^s+LeTiLtaSd{l+X^ zB7_4mWVcLR#oWClUoV}DCE_T*R5WiPNQR5z3ui8|xLG5TzRO;HGS+$%At+nKMA&4V zta;%v?wrME{n%~ziAqEccMzb{MVlrYA&}(D!$hxU8m;3xOtGgh5dF!4gz|YQvci;< z2D7*MT!pJ~3xpt%~-*OvEC+k`VgTX{URDyRz^Ko%XHQxY|w|Y zFQ>Md6EXoFcfcCoKMk>#C1bM|W{Ji4o9%ruNrn3@^iBEn9Xw9g^ z+Ek|*v|-E|^}~fLZhkkKo1UvAvhq8MGMBU_o9jHKvTy@#s$1G$4A{JBo4S62TY& zLlm#e_ec8vxV)aRaj#wGjLr`~VSM z3~%`8K0g&?Lk~eN+7#=0fC1aveH#bH2xe+CUGc}Y%d6RMr5w3dmFPP!eZ(D{#MQn+bO7KUHr_7RnW& zOrn0c_)#_B!y}+^xWBb_y6kl@WH7fA2?ly%%7qQT7@z5Hk^NOX`+e~#cvB{rVJy40 z`$MEh`~9Q8vG= zTA21sO;~en`QUHcP34Y8MZcl-&4>u)U!ys`T6s=24zR~{ zx85a!Jgbour5}ypOo)IryJ)F+6W0*gjFJ}hMQW%+^2~7JN&xICda8K37{Tc)SjI@f z6saXqzp9X~od}1x>r$X;;q4u~T5oICp<{oGpCNiCHY=VTV4HTG1b929;RMid*)vF7 z>EiH3LcSgh4d=4263lEeOSV^5p6kW0bF5p_JH*hqG=NJ*UA9SH!jH_b}zWo4?%Y_Jr3SCrW zQHm=DztHm0Ka4fstjR3j2?}=;l^?T85qwq>v3N$hozR!mOs}~-8=nUz^C;$SOF)XA zPBF%V=}iqs-8lBmGtYj#Zkhy>vLQE!t<%ReK)X8+Y%PJ6*s?J)aEEso`&++gw^$0T zG848B%6Gz+%#Fkc#tf@txh1uC2`o)aAs_k1oXx}p$dYxm14fewUS5?r zekf_p##bgojn9$&C4sN%fC zSP~@iwAo>vN!r3G6^(ldPGi<1rCWwzwLAO&LHRc_DiRa5B#Y(5%0vC8dCI?{B}mGu zLgLl5lZdISdkyGI(@0TVYI9&W-zi(a3WcH1hcXXxe@K8mI02-Mn~oZt{Sl3?FMlg_#-A-H6N zKE;M5ZJaPvDn#!JibSgQxP#xVnfm5cOw12gx>&SPYBlok5W_!Bd8e7Dy(6^9^kR%{aYc?84L&w`iA@k;iFqPvs zp}Q$Yj2?Ca3j}JTW^Qlx2#OKDR)kOcv)N!xTGe&>jC@OdUT)W)Bp!3xoTeOv!$TI= zhN=X-z#J~ImSI|dP~g?`KzPC_wFCsjADdsfcGCMf1`#N_KcE;4l@GP5(yu zOjg^zafoZMM2i2ge;S2$iUP|3<6n8F12gs1-;TGf9{6Z(`C5z`&5zo3YUah(eDg`uJApXybBRIxT%ULUpo*gAUK!MXb@shqs26Yh#=@vXk|KdI$pv7}JOI zRYL$Gye;&yM?y$0M&dmpb>F$?w(rK0WgF}{N7S2{YXOZC{`9M) z6AqH=m-=VWRU_s`N&$BA#TYvu?T6wZSM5`f@ZyT1dj?B9>fmc}p)HSb+is_7`zv_& zL*`eYDQK3{8*-@GneTxtdl_3nYjjf7;`yVl{S7qm}RV zZU3lV^ke|0F!~eh#~QoSp(b8NJLs${D5_$A>ac}Bm*=aMKoNDJvHzkfZZs+548$2u z)}PIs{(@_WuphYB+iqhLlbvs$e>nGhMm-eAp~aDc!u3f_CB+TKENxv|^yP0n(evU6 zj%}Zm=o@a6C_37mSul2sn9ocK|MynI3X(<3Xy=4KDDQ4(zqN1T((U5{-b(&xMeenH zE#rgTiA1tpGW1=EaUW_vgX}zc6k}ExraYalaz@S4%bGfrlmkLb%MKK=iaNS~fa^iF zgK}BSWv}0j*FMi%F<{-gY|1mUB3%x8*>dkb)rtG1E+bW4O}HB=0u~6goxTkI(X1as#TV@hB;0YMP~E$y+A5v`ozKU z^E^Y%Gn2(__idtM2foqjqi2T#Oa67XN4v^z?c@-G8U{qG17Dj|{h+Bj-3$*6ZrhQs zN>STnM?icz0a!oUt2*u-6V6FM92>iriOVux&Y$~$?00s`^)04`kNfP>&&~uL4z9gy z1#jUtQGHJK(nexGR7$sM?azW&jDt+v=VnU-cq>bKmGb);R|ML$Jf z&YTI-zqGoA3>M(!lM+KLKmF~9$rbTMjbBx2+wzo5v`jKo3S25Vyz}=9o@ac$afGh} zG)V}Q-pS&MdD4)USjt$czN9M~>&I2A9d#fX29*~QPXbuYkm^afa0M(YSQ8+IEFhJH zuzQ^m^Uz`Yw>G}%DHqsNXd@_zuuG^H>l{=^+qx@glC`3aRbZkYZ(3zvwm#0#e2O|M zUX=DB+MFWPETfP|iu9|yD^jv{;jg|&de7Y`q2TSy6F-hwRe!(>pbmu~0lT5eVz~|? z)-la=3v08(x>ISqvPlV!FpQXwtw0ga2!5I9VNqb){LP#Q>*q&}85j@K+EBI-4o+*6 z!K$nW2FK7W&HBS`E@_zDTL}bz+-e+8I4V5J-i=p)$(|xML0DITImzeQAeX)gx~Wmq zYsY)*l4wdCO_L-^TBKAts~)WHh~@8eoeel1NCw2|PWSY=5xy!N#I}rEID5`vFZa+u z&jJ~wncr0!`CdAq6AX)_da*O8Li?;t4zUqu)JKT&ELDMHc3?98D}C~d+(Cdj`cLe_ zAR$tMWNv1UlUj;?o{U5Y$5cN+?gA7psf5(1)fy`PN095|I(OJ@70TBGcuy_}Rai_g zm6X@Lxvl1A_1F4|H0rdWLz!w(Gw|gXie{#bl$zBsSCdxz@>iIZL;O~gu!;8)ae>%b zjey6U2x_L?23{5uI1eP{m48S1x0KCnVLe%5gqga-R9tQ$CP{$D_epXRd7`myxt)0`L* zV}D)!$;0&AXqjWD_2rrSfP;|XehdnEh-X>qsMfzHv3Ww6X%zJ5Fqcd81vc)w(s*h3ll1$-#z2q zErO#*+}7x-?UbDHlsT@OIf74GP96rT*+3hwC>to`cNu$jdpZXi`rA7~FH-v?W6gu) zueD0c6ko?7LPX7}VRSx^eB~L4)V0Reh#4U#d@k}%ELb+#0CnTi7i`tYB%%Atk9Az( zKou%#aiqa5ma81@j)>Xw1FA+|mi;;0!G5lrjY62!Gy<+-((;>!ik8DA2X_J@Gu!8R z@=!reh+S-M+Frj|p<_{Ay?9f|u)rfCo}5D_6?u z8(h}K{U>`Lh!qjfASSj2s~Bi{ZM3(q^uuu^?@03b&)Hl!6CjTvvHWZZ^r36u37p=M zTFlGp<`XgC4MYBG_THO;vV%`oO}}bv?DLgf@~eHB?kd5aVTTz|aW|#f#fjD*R}SP2o3{N(eL5q8oZ2sEZf3YY#E71cB=&@znGW8#l`6vL9hPDdp1U7* z<)ml4_-AjGD-rawJNf0n!KX{FuYybhhG{>pX20VMJ%P;#XaLrsk5nE`uT5DB-Y`1>j&*jpP+x}pJmebtAFZZwX+jEF|=&KN=fdtdnYahDLzS*Pp=20}jd%VO4U9LyJ?l%3wEp z_O}UU-yJ8+Oj2!UI1Ueu{a8t<1U6Nh0Pu~jL8RgeNA)gHy5;?F|FvZ`2jO8^`j>;3 z!PybAX|}s6hppae%Xk1s*0qR>?Zd)v^WFA{1&EYb?~mL0!8dYRtm1G;+c&`a=4$M; zJVWDGt;va#;U)n4^7d#dn^*b|_|P)pYObD6#tht`Yf47Yu}ZWP!+=|`mj!;hlOj&# zt$t^{z;N-(9a~WHW_JoX5J#<#7{k$1M9&*hwU9T)NSziQOq4|H6*{%$U|o z7L?l>V%c#z{#hAmWabF^U4(Rg#l5RI8O%M~k_*z{l^yxp>n{ zfRpY1o?U6-1ok$e1Xf|L-y?MxWgy72x~vUu^tz`|XKgZIGhOs2Q2`qioY4^woxr=6 zkX4?yYYNx_GC=t=r;i)*Y$KgT8!0j5AwJiEWgyG|t%D1T2BN!yOkmhl%Es}X7&C&y zB>HUN)>h}emYoOVA zd7d=8OMm?BCR(0%F#P0^u%Ne0pJB6f&N}erL?4DvzDna+XybCXLz^TxcHM2cCgnDP zR0Lz0VhQalDF9`s(Z|6k=JoWfcaRq_+x-$G(74YdZ>;TQs;T*L<(H}kt4i}s6DSC5 z9w9F~S+Z~+&vLsmrBfPVJXzmA?J04u88e=|s0_wd`h(KRXmg)_4x)P74%U6s2}r^U zW#Z54NM$nz^_TWpwMEk0Nmh;ydZumctmu}e-qvp9gbALi)0}t zK4Whni^#V(%~O$6sNq9OR4kV|EelYmp71{?EA~=pR1+ShdNFrqZe4NS`sxtDy=WN3 zV1^&E4u%gnw`|QM>7LY7^HCRom5#KbACCwnhKIjcp+KGZxduMY9Y2fDvKYTTiUV~W z7vi}Molz||=iN#=Ir!O;MEeMFZ11;#0uca&@IFCib8{rchAu=kE|1|B198HnD1o zXOjF{Sp|u5WaNqt;e5zfhk$dRCy!JKJkmWss`(oFamH{k#~ah#bV)EU&pl$x;U)Kr z`RcI&26CMQ4$Yp%4sdgN^-w96EnK~mB7jPyVvb7d%teKs4m!OcPkB|qHl=dLy>t@e zht$=lcNWT4_#ndGd+DFlnGf6D)oL}&Ma|7#gfm0C;Cw z2k%NsVmhV(zcFIA1d~D=LJBF>`iLHEeSs! zu$JDdMv1mZG-gBYkWgU^7pA2U_Hn5DXM})e4*1=dGVjzpQEwHY=-JP|QwNW=8j9YG+sij$p3S#x}L{-?*+F>brHfSE_eV~}unW1R5Jz~lz@gqHUf`sbKx ze*(PB3az*Lq%tjw-(H0 z7c1qX+CbOiP6dB1-_FzJHE9cj|2K(IgbHsy1& zgx?)K13#h#1Cj-Aa z2rbYtM49Lk{)%8llf4x7zNu=gcms7fvZPhmAAUp=_@YYFvV@KWG11a~4@eYJlTj-d zazIOc@!PJK`Xfc9{g*nTSUq=%&iiR^M)2BEokLIXrpne>E7E%dwovq5)nuz?9s+7}E~# z4u9TpdMVM1!UT<{T$&g<0v$NyT=!m;MxMGWR0U>J zb|s^K+~S4qdr_&ZvJXQK0oLLZFkZ?grsOv@{HBpf-Z)y5E^JG$6j)+eSvHYvB!9Kk z_gF6Cpx4;Y7^c6vjNcoVZ5t$9Ppy!mJd3pCIg}ZY4X>w&Lb^a_5s4F@LZ4Q2&Dx&0 zA)fu@ez$kAEKCl-g;#A?>qcq-g#5ny9mJTX^l~-51Hi$fIVP$NvsHTSv9G&5?*+HP z>4Af1T8|#(3#xcMKjnJxBo3)CgTtJ`E8y`e{d^!N422U?98vaK9aRq3Os&vId?Xvjq>Kai`P|tQHnd0hXzv%hfu#Ix zbMp|0fz@|h6Db;PT#FU#&1pTcTvUPk7WI&LA3`s}k5IyAH6B*B?hDi=uZNa2j~ym( z=(J$tY?j)YTAHSTaX7Gw?Wu1O+jFg$R*uIG20-Ym5E&az3^Q`^&1I<9X=Qh*o+K}k zD@hLY%|}-3LT3pcSzVMb-fs=csso{$Bi|5-?2U(b8QW2+Z+0Z;6z#+=xR$7|EL#4c ztZNge)#}PyVfhWEW`EvRxy@QAS|d0dTg|hpgRe^Q{y{Mz=c}kJDzkvtdBAs2DE^=b zPgi4cMYMGChq-MDyn}9QQ|9qKkm5{Ug~H@TukN0MRM{JZUEzZ+^mNfsNb7tt-_j|3 zK)Al?sSAPw&%4#}<5bq-$`z>kuZYN5&=oM6O_hSinRRY>!BF=YPyL$KBJYuf4Jjqtm*fXeuvv*Y?f(J}x;J?r6 zAfZ-IY*1*H8TVl34p#aqIF`og`xX%q-qv4^e)xtg*6ep7l0Mh+Y2&ipSC` zA>l9*xxTXYN!47vc>peAx6v+`Nqlj}{TFSFJJB$k{noizUdPCf#w@sUvSI~)SoqQp zqpFp4h4l0!AjA!0FqdzYP;co?%9k=a2Yt|T>*6@o;HQr;0n(4!)TNvS5h@F8ToFgt zQpTTe%GvWQbj#3@!aLG6kH7?^YI9?(_(+5_LZ&aS#ljJ6EW`2P~Z* zeXHkr(;kO5jC7;np}4TE8|G+c+My&I&7b&#sOiU1^Y$#fr!!Kbrv}Fg&j56=00$QC zGE+*NR; z*-&veAiKmuiETGug_wWoL?sLVdKT-4w7f9X(}7}5@>c9W@!!T&r;XDuWX&?Y17l9?M{&Guex zTd;`8+5580tDEz4&|9c-rW19etTTd`i;Ph;Usa)V*3@8H$F_dx!=?3bZ$fYWvJvBs z73S+1+!!#;bKLLi?3^?$7O}~+iTtd}2(N3r1;XX|fmv1J5ATNwnyyyiHRSd1gb#t> zC80UfCP4BFL4Ro@`~ecDN4|n@$&*W}ghMIrXqW27N6@m?#){IkJsn%_>NhRkgXxKU zXQsgX2g+AVZI*$yLLEJ;0S3diUVW{e6Eu`_$2Y#P1Q3{L=LI9XixYi#F=kuby6=;A zJJ~jgh4qejd3uVT8u7sWtPS#V!xc`7@5__du(l{4G~R1l(SFT$q=!?rSahYg%;9tC&)~gHLXkd;qRugU#Lh`oy zz5=YX)7uT?3bug@)yD(uq`>)6&uwPFt|I!Z>2yoZ*1x<=Xxr)ycP7KLI2ox2YTlB? z9a7Kj-ZGh^iU#gaIbLD~#>s7|9dRd(kD@=!RtA1aWlZcF%@Eq!ywOUc-dmP)(AE7ZmIp+Jki zVR;ip3-@})pP;$>(XcDLQyzZu35no3ci;?4qynYfcwOif&_?NuiNrn&cLZ}3`efZA zIayqiA+57DoDZ$5*ZtOD?OtJf<+oQRU*)-$EbsRLby>_kIXp5G9qONZo$eYJE-4l3 zg*gR_TbSg;zYEVcwYw-9tR4U>Q|{3eHr2ak+| zVHcpXi#04q&3HZSeexy$${)I&WRIsrxVFy&aPro-qvy12I0$;!XPgkDu7yavH6L*399IHyM#Z7!h&Q++vhXrz^l;UQM zA9jCgzlnx7I9&Aemr!~eBmz(F&mnwZYxrLDfRL|NSFzJKAvIchbf54dIN(^{t!m8* z7EG71Cm9{m3ndKU7I)ldxeI?XLK2@zz|8~vA>cdrCc(ovHo?K<~lN!w!1)gddiV6K%_Xmt_eXNzy&U2?W$a^E4ooFvsn($eG(W%lfVIq!8AKkYhJgB4Z6TYY_!=Pnw14`4GlQf=X%* z7V;_oW5*h=$`1cEIjV4)81yZ{!(@=0?G zcLNZ@SRzi|&W5ZV1ZK^SIQ#sgqYT!_JM#v2MHlSKG~vC!TFH96r&XqzhAEQyDH#H3 zL1WCksEjG+*i0jL$yCUHCF|u>w%BXM$g7x{p)h(dWQ+uPGG-XQOOLFbiv)u#ZD?N2 zJIb`OGzsjI44)ks&6(Eeyg+Vz>4=^m6Lz<>M>G3=Wz4v~)g~5FavZuScPwBi%=D_D zqo}OA`V}{T$d7)=5I(n~Fk z)%qa9uet0DO&i%AsiG{7+R54wr0*6195vq*{Xr=)zBR(}gGXC)RBK@3TJ;}4wEzB= zubf358^4La3`KGp9Q;Ob@p3Zxc{&1J4vtF{N1N9?cL)=BuGJwMB~_=HG)Bzgx2#s8 zuKFj}hr7YDO6xXl>Q0LS$0;NeT!6_^mHDK|WQH?neruyVXo0c0RvAiNxQ`0re+5{9 zN0z(BD_S}34furWwdw&E+JybqqRcI0MuQxpGOeCK%F3s|--e`HMmSqF|!V@c% zR^>cz5NFl&xKT$XNhT3*1+flo#Z-QQz6W0{?2)5|-b@XPR+5RJYxocUVmX^r1PAx$ z2~I5yX)2nD03;mPw`0|>LOe;n1@8Y46zx|m-G40&#>BDKWzYD^n&Wf9N12YQoai25 z7ke&GL0OFCo00mqcf!zr@x?+^YcZ*;q7o#2`xM;SgqrXQOjq#>>9I%$d_#BL+2+di zi#`!~%FI_VSf<30g_*(&dA>ixeCn&&pOfw)>%PSQy58%{2F{l41`rsAw2db_j;fQ; z>2P;v&3S4%rK|dQK1H=?AX0yt-pkf9G+4t4S8MDjb~CB`@Fh1GXy!OH#2O#y@m;xGf&C361fQVp zObeb9dkbsvD@TwSAQo7x3{{#j^F3`x;F2@+ozo?+7HL-d<5AA-l|?EgMVG1A+X?Q(Sk(?gqv@N>NF+D5)urs*QxuY(47F>o z?jiA_UZi!M+H6F7!^y^Y`-H?YShc&;!8TxBhH3^hc9o^FeN3{i(6aae(5D7as)gRM zjO^S#ZmPWt_clwhEu!$~+PB-LNI#Q8KNei*r`%O8?mf8H9v0{@vB6s&`Gcakyk3aY zK;5T>bf%kGbx4~Y&_xNe?83l7LXFyxMz9;?F&1b#RZTu#KRPE^-bZol=-KTkX3+L{ zgfzI)3w@&qP~S(yTOHS=yjxTp^niTnm>d=08Gqqzn&;B#nl;y)4r`{0eDZuKwXbahoNagsIgIbwIc-)&$qpm7JH|DUGB3l3s{5X|mDZ{$lSNf*G4XCa0W)eK*z{ z`D@zXJy5LJN|MT>>N8uWn$ToxRXTPlC3n3}5g}IV?Tr*4JF8qshW!NHM_e-aWXOq5 zr>(wcf$Fz75=Io3Rr$NE%cJg;+-OynFEWx%*I~-7x=8Yvr$k&_%_uGEyeGk1E#0vX zSn*)1wdrve?0rm0V>`Q}ODv7o5fRzC7DNa<>>y1TwFUk)4LBkFDzsTA7U0jJfh;y; z#j9FCA$%|Q;y=AqliN$0YAVMNduo#sPu6ce#RK@*-{SHfHAplZxdJ>?xm5{AP=#r| z7^!;-VH^NaNPNj?&WspX%h+ep z`~p~ijZ;JNKe_yCgMo}ekly_GPT=>{Yet~Wf6z7@s*l|WLGx0A!B8U$k&KDdbngk# zanz-QP?3(Z3d0Qb2U)N_IZ}Bex#ytu@tS|LPJ0n|Zfwu(V0|K@d`ZcQjpVX9#e$)9 zeG?&OA38gbV!>X?Y4u-udH^ZQ)z|YJ^>)7*fb}s(6OUO5R_f%54cluLqhGL2?>tC< zMyU!%xvPjPd+Jyl?vqY;RvDRWIPK$lue&=SKy7^XBx3tjycum%YXns+5AaD)rxisd zT4IF*y<}Ia0(XLxBE@171RTdNOB((u!RP!BN)_O@01E@9e{8$SLPf66_}oN~hq=rC#1$D-w^g=CAsDphj6hP{RnNivDK zjKqQ%Y~LAHJ+YH-)(sU=b*Gm2e4YA_B~#0L$S7|C2cqSeT7o4mJ_#?VYxkmWm)gS) zr(Ax)6e5>LYSaSbyu}cJgPi2M+1--yNKPX zs+3yb$>IpWVjT;=*{wWmEG=#8P@m)VXBL=KG1RgJvW%G&w?;#H-`NKG2ebZ%VFWt9 zf^zrh_zP`WcThsFdq<*e@V{Tgv?t~JaXlmaZ?X;o+&Mx5n-Zr;3h99ms3|&*Zh3TCp!LYVrpb%_@=~5X-V72P(S^=Y});?Cx)_aLT_6? zC5?_Ep{_c41NZ4{)xb+la@XBz$-74flWNmgzDlZz+TA^E&&lhfZ9U~am&MYD?KunQ z{Q*89C&xgL>f3UdV>BeajxH22p$uH@%JTQbcf;l3Q3S6DSuIE@Oee24oOmPHCq>>* z2%(O_5K=*JNtcW##sV%ywcib5aAU?8WRCX9lZvkxHoOWD6^N(s9b2>$`yA;5ua zvC%aWUlVh|6TNuNTn7B(B=#6DGSiFuAjGlsHt~qouVasDt zfr%pe9v&qS$k$^BngenzdYknhG-cL!Ncx96zXrZI3GgAaVQ&n!d(I}cpm}<|)1+r` zB~*XA@;c?L0(Nx`mUET*BJEAG7p&(*_KTx5fA%Vp60rnn>Gv-V$6jbAf?_^oKHDfe z1u0xv9Nxfae9!`v9G36x7X{1|06#Gq-^9JZxP?m}V!-PM*=Y{o|^EWOoA zK||`PoLM5KKl%_{DcWaj5AU`J;{?bOfw;RpNR}xw&E263CfZl`x{e~sP}3jHISxLA zZP49`21R&z)kXuDb{N9SB|@DzA*&RueXCOG!k^>!ah%{+zhL>GXhz`3B(-|-he)-A z82Y}5h4z-+8ifoS0a_dW>p{|z?dzi8R*%aWb3M4 zgDu^+fv=738as})iEGU+15(X)kH;PBXT!hh4C2&PuLY@9dtV`q9!n75 zjr){kT2!jl-n-=g5@sK-{%1<>_}m`%FVB#>ogGgz=MRx0N z!{&c$_)q=FUjD1Xe|7p_ssD7kN!3307}=|T5|JTfF+Wv@l@Z?tU%!~CVtS=MI>MuF6PAw+%h%itbc$xb6E zECa?6wR`SI6^5S>ev=cJ_kLiganW6(*Ucp!1#!;{?j;kO=TL8b@<&P#S8 z#;%^3yOqw)XUt}=y%$LhRBHWYuQ5Ru4Cg1N8Q?i}ewoqO;_-o`nabiCsb}+mtw3yg ze&*ujHo0jk>z}0BQe`|Mr6S@3&yU%C-XGn52(dZc4zghDr*#}?S$o%*6*6LTI?qMP zOTD7u=pV6o%R{YzMKQ;i{la)HE;L`2njUp6Ujtr1G~ukojeMAl2nhO; zrm#XlJ@Ghs6$vPB+>q%)$V95Xtr|$Qp1VaL*w51*(+s z8lU_e=LxsW6G(&&mY7q?hI|Q$v#=uc{$+?#O3l=(-e!YqGqLuKn%87sd3TQJGteU7 zHi)=AiSojqrCo{&?OFSt6|%o!uE_<4EZJfoX%~tOcy*DQ`%4|qwNHqvYrlxX(@sE1 zerDv>&H7W#6*?ma04{;qnz6EymG4%B5w6W4BpmP4-rUuw8ydzAsi#K|K5VQLI`OXD}Ikr^`Hlhw9hApRkY@Gj+EX7d&^3> zca8BYGTkaXg2+beC+@w4o4(t|13f};=SEcazA05czj9!E z%_uYt?-gjxmY_!?PcHitlH+*aO~I_*E&D2)#QpFrfYgRB5*$6tUI@(74c~ zmo|SDRP1hl^Ytu!XX6-8bnfX9x0qf^iia2lchJZ#O>)*Wz%sYpHf^{&m5gOzBC$rG zs-G1TL?_FaUh@5lfyqTauvW%7+$Hx}MaE4=P`o2ANP zB}7hB5#_JL55KUqwuj5NvALNfV>yjwHIt)^S)!E3|&)6d0G-g`L=MUme1!^et;T}LGCWkPr90j@k= zULKCztpdnwV96pE(NPOdv%DJha=6TjP%F<)fnm7jbznfWCoKCLrwDjnnK`NIRE}PT zWPKbVnf~}D{O!%x9^rbrFNeM_Lkik5Sq`NEAJKwRpS&!ze+t6|$QpJ$$D5 z5f?YgsU9eylq8edYD4NlyxyH_Uq-`otPk&0(AmFW-}QV(Yd}F!hp+WtDvB=W;}7PC z=09;eIp2gv=xcv4?7GRX_=EEKuZGdz>)$um$h#AX|3pImxq0|c`0pq5=YK-TynnBo zKPX65jMe|dJ|fk%{<&8E`FQ-V;>Z6<`-75yi7e82_dgNH?f>5k8Ph?v%S%kHdm^rh zEs7JKpB=Efv+8pLUI}!#{@)$A{y)*^|B)yC|Ji83|Guvz|Nr1P`2T)8*Q;GO_xJUe zOOG-6_Z$+cg9+4+B%(gQg-#eHaKuF?0@3z`aiobu9^u|F+bu{bmf*`~~{X%%(D#qHtX=(M-#=9H|qXvCQw<*{w1`HQ}F${V*6#Q*C(*g$k&SAnQ< zL8ko~$A{qe5N4~l>nmoVlNeNur*5}C^Bl3`$!Ac?J`;~6=0E|8JsBcBEYd|u9(i*^ zXgCcVu$dw~8$FO~c8TY*Ie0I>3GK>W_Pr-qV!|v?3((Pi;TAT+dhv#?s8pJkJ4lfB zRC<6)BgfoPedb_(V9y{uRD*KV1PdzoG@ic3@e0(qFd2l`C z#xFuL1U-I}LWg$O%}%N49{w+~zB#;-Z)tbOwyjAfwr!g`wryu(+qP{x*|BXq6HJ^; zW_~y4obP_mxzGJ)b@!^;Yp;Hu?q0R3>V50?Thtb4v_1!pnY*#n-2PC2U)OHV1~(4f z*@V*~5&>$e5S(_%-ZT=1<%h~(dDYH07YLEUws1$DJS=vKt7^7Apxz2_L82J*hBxl` zTg1c}335^V_>3O;doj$)uk-OJ^+_=;_0*~E^q7hg?hNLu?7-j zepq$?0{|3VtsDE+siSB21=SntR%wTr!F|+q0LODDFQHr{&%;!nnVe?D@Y$J&$IH%uZzcH*>DBX*!%SX(;@R8KaDo*IN)AlUb42^#@K%@3ztm}N|0R} zA_|u0yF?{YGzKiqcd9d@`xE5hxho?G;oE|dTW4A}z$i=AbO}Yq*w5{EF5MMr83Hgl z3afk5@!5<5xr3=Ebj5dmOCXAq<<3-U)ChN7&wep?8!|%sz=)km`*HqijLt;5wU+*n zUol!@95fXuJzF@1F7B@~f;v348(LFm4-S9wJ(ifE&hFHVNZIDm5uqkA!PcgN)s?O) zzpUI}p<&3}js(Z7(RJ1iiV4a{jxk_cdWDPjK`f2Ri@nLy9#9IJxtU9?BqN}gDDpul zB%N>`W$178t_uwCL-$0=%y=2&)_b|dxILSlkF%KO8Q++czPu*KvkkotT0 z`2J>9E2Ki7ZIG}eQ5d@DC-S(AYpe)pB`<9E#CEQ{EeS!jg6xkR zG>nA=Y6Ha@ABz!=Ny{7}38jL@4;6|7uh}QRLnIdg`2M@K?>s*sI5vEo@2Qb87cyRa zhE~HEB!CxpXoql%@>xvrpVJD4p2~wKJx>Ymv^p4yVXLUib{K4p{?nsG(d2K0-M>)& zjQp=1HFJKzuLLc`Rgf}1GCwjtGCnpJASHxA68Y=+)S3HUP>T6Yy+cQ=gqIWw;D*Q; zZ>m5ae@n*n$du=n@t*gvH~YuLqrA3Y2a$S2Bp9r=!I$gYC5gp$YZj5qef~Lr=_p`AEVl3GQRw8eOrT$8A^;JV$&Vf5bL1Fg78F=j0k# z?DP{|6qeK5gX^$b>07$Ln4a8;PhAVoU$wr0kf<9Td;OsN>E^F^Wq6ZUx9sw2W1U#?+PPA z6p-Y9-yq7OS&j6)FuBkJb1{WpaMzXu__y0Cg=9N9`zJg)%khs9xyLibPMbK(T`Wf> z(JpTo(`T1N+tdt|s+z zpds{;Uf~7z8MHP5J3YOen;e5;IRU7KyvG8jBR(GyWxGk|nCQT#W5G=9npe@Z5F!k( zOBX6nZ~dNWaDFu>t&Zpr4}mny(|EkrfpUbm5B?6#R|f&NZH%Og7_uGLM;qpvR!Oo= z$ezUqA(QJNp;-gAJK>|~}M&wYV6B=CjthtyMI3>$J$!{ri`Nqs*ns1|r`+JsJ zUgvqHJ37{09YXq1gY^R^a)mI4n>0-kfP@uxM{w`RLg}-wWKE7`g4akuYos zjwv@w6v2jW#Zg_g&sMM8LjJfyL&U!*Q5+-xkmY-kvBa6^Hz`T5{WH1uXX!Y?OQ(=I zB0I8-*1(I9GW!T}2!bNW+dccVD8%|HARkT$4)ee)-`I3`Kt1iOcrYESS(dTyiJQ?L z#+n$7@A6QS7`mj=S4*3)q?^z)E_9hgA>EZr5zzRDSlQ^D104>yaHX3d2!~@5phv)qFlx4m#v!q?=SmT zoN9c687Mo=;3J3>&lygG(-rCI2&a#nH2Dl^Yo;HYf?R^twgt8us-r>v(kU^EEwZSsrgZzZ%#26GiqJ_HW^I zhmWFje5M9nofn2pTS;My3Ov^`1>xMPpn?gFLzzr{O=k=;$kKMDt!d$XYDX;_e29aK zCCe`ZtAO7n2;_|Col*^Uv3Srlw!YH9n33i0CsN!{gGQm`(V<|XD-Z_Us=y~k5+2>i z!4-_P2P@2GZN^^%woOH1xAoy^+Gnu7S9?rJWuWlS3JLYmtpM|k86PNfL>CMm*$%n( zMEkRf&I6!dG}4q_7B09$epw-UR(aaHjC(i0$k?y- z)UocO`Xqp_-;s!-DP`LLZ?d@yxk{L*SJt>J*-Y?1MkPJrC7$&i{{aN=nvWaF__3RI z8mrRT&k}k|;G&5?x`lT`NM~rAj~VObhl#;UY=vw(KxAg8yjtDBD*5AId-Wb+Cw0Z?RGQdkU zKKY$#@Co}&?LSSxh#Tr@K$YU15UQX`X^{VQJVlLU-ojUMcsN`3m$2{h!K*CQEx?)? z5OkW?3ENeHWfQCaW1OUy>CT(4%)qMw_b1;DA+rfLcyXlE322nDWN*j0k zA5!ICWyQC8EuP*YP*H{Ch&Ga8GUYdcxBJ@My>6# zKSjcqq19T41~63u>K88-T9NB!U-Byy??u&D69~`(*boB8?*UT~~Nz%X$<9@S__mgf04xa<(~-dtXLr zUU&^`^l#^VXgdCk-0h-UJtdwESSu`_a;KS&Av?uK=svE$6YHVJ<&g820PPz^c{;S9 z(BCPBScYM`Z08isG*eS>)lP@0M6_k>W*%KJd#ldqU8y23@J7Ew{14Y~uca2XD$r!}H@oLr z#8WfbNSRVSZT}=zCQh_2{R7Ay)6?J*W>jPrK)+*mjx$s7%Wsrr_{Ac87i69kJ0L7t zcMWGLyUW(`I%iaP$lf?^nrXd0FMQsuw3!Jix6ug+K}*)=Z2~$f@T&`7d{+$8#CMx3 zo98#r0V0Zgu*cu?uWk{#!JziKhfuM=N7;gC19c@wPr6j+5S6)Di8{qqsg>O@D>)V9DF(sBk z>5#NmpVD+Cx=cpasc3jQM6^CFvStT2GCnU^bQ*J`6V|+#kJ;sNS7d$6L>oFE6VP^S z(&>Y&Auf8$Hb*(WDA!P~K1E>KKOwJiL{ zhUAAUE|UkpiKQDZ9F6(z*`a$mi>pk=oI9$<{8{OFq78#PnU3CEQ3SI&4@6vmS`ndy ziz#ViFkr*v;bX>~dj=EI%M=q^BZZlJE;e3t>M}&dh;*H^rLbq)sp0z|jI+k`G`B_o zB73L=D}{<8?TR-CUAT`9Ao`4N-ykX^LkSC&;?$;N>N?&0HzHiP=U|H-t>!a1V>RcG z-JT$a$<@GS_o@vd(^A+W$AT?jE? zp)m|Xgahn=;+oH-TQGJgy5`hJZeDi$_qlbqt3D&`rU!h7rpH2%qaipSHqCS3j0Bhn zPr{g2K1u{y0!Z;qUQ4X@jCp;0{Rt%qCG>4_K8hri*k5xlI=n}Yx_{)P6sB}M4NCvF z*X5|B3T24x{=9)DpFswe-nalmsz!t*t_S`#lni8_E@}Z3tH}=h5 zV>e*e#KFf!@OB@#NUsLUR!neV;63lj{_}fEUF#mV(P6}S0d;|ZbdZ8<@!w>eyo>K%qOxlp-@^g~G*5i51!#IyJjPO_$oI&0t`s-r-;2 zx!u~2nFa9hk50ppC$Gc&tHm6N!=V458{$+4aLbI;Ky{O((!&iZzr?sy+Df&Mkgx0w z5BD{cocmMMt&@w4uLf8RD=9rM6gH_ly3U)mZO@sXv)LzhgdKCo5QbRi*HNs!#2At3|T-Lx`A}X9>?SXH~Pmi)RZ@e zJ>yj|b=n9|+U`zJ!8{s}Fb&puLnp4b0A0q1s6cj+2bv#1yFdDVpu2TcEZ9ORjk%m4Z!i~}uY^}$4l(@oqD#SLq@N(`KE1b`hwJ*ock=+rFXkOH@n>tYWWLR!iWNLG?0K4fg-CLpSc&G6XTb~+}gi7_#Jj!64=QQ)5;E~=mCqMqAd~KCGLlr(qTh&e36LaPAiDB znh$GGd?Dgtz96NB?9KIZz5hk4HRvaQejteKXFC*oeV@7ofu|heLT|(p~3sJ zo|wwe$bN;UC9{esErXU7DlHPNWJ3HWIMzd`TbBL;CHToX3;GO}3NBWWMXJ>j_V9kG z0unET6GQS^A^lUEtYFC{kC)t9G=r`d7WTXn>6Ap8W+)STeLNq2mQ5XNg=Dscvrz`i z88Ti%1|Fgt1vpuniooDKKSWt{%8*d44)kZK3dFXP-yfyRK{Xh>FtpkcvnF5CDIYV* zWj;D;=5OfP{kTkYLrUyz$|K)zzS?d()Y2NmP-z05AgyZ1^3&>-=KT4N0h*X zpd)RMM{5l{7lB}9kQ;-gH^kH_SQzP6kGuG9yXFu$AY1Pc8rBj4QD!wb;i?CJ z?SM%1$e0IPZ|ietsZY&5(sO1&gMR8{uE>if&mA)><|U(RY9CYN^(=<#pk_ma>`Cj$ zE5eRkWuv1;$`J0_3~K`2TdKgo?s*MUT?jt=9ry|z6)9{rp*xR$KB<{1Twm@y>W>a* zn~GQdGYd(Rs#a$r?6&yAF_(;ufZ=ge!UTNLg;0x#CtX(LVscIESqjq%Ai|SsUs5(I z7*J2pd6?XREhxdbs`YMuZiy=gwqSopTc(p64y}^RumWB%THD!^5lNCJC5K#}?W!8- zuu?tAmVzRfSaF(HUaPur$OZ@vqNQiG+E(qW-l?sPzagB4f+JPkm$N@fD*{_H#++<| zP?lnLgr8p%;?WO5FwSK)AyGhpuNH%kBl;MRPz2#a^Z#beXC8kIz2*0M^LpF-pD+f$ zU;WqHF>ywW-9O;NFRETSTAPtPK=~Znz@yr9sFv{c9u2n~8ep9tczqA_3awHzAXYx1 zi~lu?o4#&{O!1L&MuKqQb+I0W3uN{T1Am(x^PT~jrEp1+#y?0Ei6ItczehF zy^=XQS_-;2m?IRmhTPW#R14@22EQ0nF>r%=zUY8f&7&vExD`gj${D^_tgY zAt-XNxx~Vt&Zly0yEhfpwd%pv)?RoU7DzArjGAAl^2&B1t1t7&I8fEZix*d9H=0V< z_#*ET><8V*JzioV6njr&ws3y?0b9FWu*INVF|7TxU=;p~?R~)?7&ieG9@D|F14O-m zRy>x6;}e&V*fVH@#bSY=`8I7LT0_YFeT5n#<)SF{z#oyzGg(|&i7xG+Fs-4lJPAr@2YpxIEFK_d^WpLV+n-8P@ zn|?HV^m(lr&aiSoRmsv1r%7t(S<{gS7pf10pB84lq#=o|q^ZeozXZ4$(xcX$QUY;* z_8GEa?9ZQt2(Q+DPj92MU1qCBKi+lchhtTfp^)8V^wawLQ{XgQbJ5~vb*>@ueuOVD zo98(yS=EneHn(doM2Q$yrp~HxkFw!iFgc(Ego3vTyt7s*5_l0G@54m zC95SI1s9OBV&)aLCHBtDY(sKi1GLpW^I7VYmL`N>V+j7EE(gHHh;dt!aZ{RQp?e!z z%-wyaVxzyUagL75UB0WJQV*$}EOgXSP7Zn#C9VJF4A3022hCWy0wJAA@@ht1HzEAq0CahXml^r<>6w-R2}+rg#JIcgcH^Yc*%? z;{rn=cmc37Qt?L>U2}Jo@FsDxp!X*%FZa3s5cQlv4}?%hXr+fHLb z9gB~zpoI~@e)cQZXk74z5d9xdq2e#p07AkNF*cF#pe~czz=y{(LU|TISy52AY0+4H zyYBqVpblXvH~2kv&|r>RkdU6m)#2Kv+rmbVz;8Wm|F8Gs`@7|J*B>0AH@$#@1Y)5h zrT_NeKYe=r`YM&XM$G?7_=Zt{Gg3foDFk-p#d0rbDD*ucq97t6BJw|GN&q%n!?4${ zUv6*Qxn3kFhQuc9xk*Ob$~bj-V5=5P)uDn37beWJ1G@9eEl2yrwC7zMwPA=E#3L?JZ~314gW*EC_GK5lTt9ArA_|6$zrl zK>(B?gKXh@LAE9~wYw%q9d8(Fjz#M)Q5aSkrirZv7*P_VEpUZHjQc2`jI8D}^&x?B zd`^Ix(ShWd)s2HFc+n>`8!fIlpAkt7`71sc*P@O>a!v3JUk!+&Qw|J=5wkm`+F}Gm zjpX+np*Atr|OnitasS|}24mhI= z(={C&g2o}4IPHV&obPDI?0v4Ch^M`dP?Ppnx5nRgndOwr>PoxZDLKagQBQhsMz|X1 zgEaGOu#=Voo^X&FP2*`I9^xotK>^w5yS5TWx%TNa}>?CJ^x~R|Ph>QobL7hG`Ok(W>xC;Ta-WNWut?SO~k1QaOn4 zE1Jdkt}wcUPv3!qx=ZE0>0$~il)Y1KTzH}9!mCMNw-MPHlM3ACq0o(l`v)K!t-0qX z9CqSyEwZcp9Iivrk4<}3+k6OVfJ9kWj#BF1l!~eAMg|y9JZMKLQ~WLm`Hk0z6as2w z({cjR!=z=YJhq3KJ8giA>cD%IX&45~*J}?Dlmu{G{h){=ci1d^komFElesl9;_A+8 zyg*%UHFZ6>9y=0=5RARn5nNd$cg*a>+%cD6lcU_jLu%@KU4qKsM%jrNTz0b`;LS^u zGcn5_uAv!x8lHh4MpIkxx{6{E*6xc;@!ew$W`fGF6-j}_Kr(LBj4<~U3eo|&5ZG+4 z(^~oAH%wf#%shREmx%LX@jelYO_*Iu)Cca9RtWx`H5z0;plNc8cwHf@Hq(_jn^JFS z#y`e~w&vPh%Rf8UK))t5qjgY3o{b&9sXrM_ZHoQ~gLFaI`ynn;U6k!xf$I)&AY^SJ z3~ek>I0$g%$%sZC=n=D!Ko@pn!SGhXk|}foWac^hD7SIa>KFn!n&=cLmMB_AC#tDL zG;PrgX2-aVPO_JJ-kgImtQR3e!xjeR7_bqFz>%LZw2k{GHMhg!x5~Q{y>!I%;?Nvx zDLvLuPmZR>FnEEh&3i4ITb721)|`>80;Ut^I%NKVM8FR$A=9Hi10-D_2dKov?kezG z_W_)l^UfymQ(6i08Q#xP-FgI6#?)sK)WSmUAZJyZCA{$HeQ`6yGvyzl-I+Y|S&-V` z$YUHA7Kap2|do%`VQ@N@{)#PQHPu0AjoevWd*t=Ea zb8vqx79VuuMY2Gmb;M6%B&r(;>m#ytwam?oY8a@L)ZTt#1Q!@0%)KM!MW_dOP*mp{ zq^=yTQ;9nfI_%DT64FGqiL|o~K)Z7hK&n)9o6e%TQw9x!yT4oY3OFRE6I#Ju^5eM> z_bvqEPT1B43~i*=BBHRz#W6U#WT-6?(89!o8yaTkUF206Ri7iaRTd$!RwSWx80xlY z-i_2?z%A|Whw$l^hz|0E&7B=-Xc5bQvwlNlg>jEYCPoknOkat==iCBcmuHsFb9K zd+7Rv)5n0?X^JS+=k!&MMxrc!dM&x|_Q(LR?Yt4C%`_tM)j}8zy8a zra{u4E@f%eLAh9xFlsiRNj7%H)kbbapeaIxBP|Ze7u*}v!uTj_OIsOV0ls$PP(7n# zE=E42Rq#%T%4xPP=bXlIx%?J_Mvh{r?tRqyK$kXUyo5DIp(yY@^lTy|Iln!fNGk>& z4*CM(i8uzaR$ZX@Gms-fnztC(3e_3M0j2gK`MRyfcX;xUYXH$+O)U|OZ}rp_4jElX z22%(m|3-TZVA5t;guS64>H%$6r{CWdzi;@iF?ljmCr9NOLvWO{Xr4GQ>%uI8r~U8vfeBQJ~)>8=AF zW}wU>T}D7zNrJTvX?dMGB&w9FjJ3f=CBN@X18p7;el%thfnA+cB~a8KZ7Ocd%1(=v;iuIA z)Vna5h;zj&jq!6J)`5Kk??k=A5a8xBWIfcX8L6RLx;U$FbQZBG=HpmcA-E!u@_LBp z7_eRsNs>*qnz1IjOSp6`16s(QjC0)=MWNJV^520ZYPqa?Z0l|&WoyVd0QmOVn#wnI zW{))aZ(6{Rze?m{_Sm(YtjQ5X#pVr&A}FGb>>X<`VEjmznmEf04qT{ZC{&Lne6=7b zI`@r?bk1&9wSkd|Xh?d%u4GEBnCMxu%LhqGjv7Ba4mAojF@NyMx)bzi@0Dy-@=A*4 z&yX|J)WsPHqpb+kc?s4l8g!5){}rlvi2Yd%jp~AswgseIc4zn_Pw$23{d152G!!MY z1h4CinB24xLNkzsTJIreU21sl&6kmJXZ(~c&DcC1+|O-rd@iy$$4pClGMuS%MMh>re(-Q?wRBG! z?B^(KfttK+#t4sVu`G?TuE<|}sTq?yJI0_)W2j(i7X8zemNVZ*^xP;M`ab-{U7hw@ zS|487O1Q}x4()4Gpd*y9nz9LeAByraCMZW}Fbr%#mi+w^~h~TDM-~Zp9WSoFrg{5?C3w^ zEzh@dYQ0>XV7do>OZC;(9VsX5iCr!M)G79}UW?rXEPgsTfe&<5QJAtzIM&o6CexA1 zA=Eg5=I-@had1k&nAvTOI5-n^+t+S-&-iAv?tF6ws(IG6OlW?`)g>AuaVRO&h<&hABFUds$pC>mNqfbPZ7 zl19d*=f(69=|-5-pC*CJfzr=#_c2$3;&I|U@fJ=F?wpi#Rs#AD z3p_HH5n)du$n8eVR6?yTL4<}*K}D3tEf~1mg7Kj39XZTQvjem)7L;~X=KCykJ>4ER zd;eZg^&QFWoGfnPrBi1*b`OQpb?wf|vcse2f`JFC-s3HCYq>2n%q zaouV}Rdb9xMj}lb^4aX0_8XMM(kbABU&C#lY{?2zsTpHIKfGXbGLYR-(bO_AmD}-( zF|UT|%B}cbsKD0nndo!4VjdyIh_ki{Jn{DINYNtbxEKYei}}h}p5}Lq3|msoJ!Bg$ zkXvtf(~zl-Z}pw)a5BWLMA;k=D7^S8Mqq^|m=t_#3nEVkzu-k*sBhi@*quRNb*A+z zqu`Lb~igkHx{R5bc-1W1PX!8=1 zGAsf^sZ0<@Q3uz6(&@PV2auxmkuup0?}8Tw6OZDMWjH879^{X34w_O3`6?e3!gMKp zZ3x{Z;U5Qeb6@$ZwHtF8elc`osrnVpcMEW1X94Bq^_qg#;18>hp9g{K0lJBe)scD5 zlCH0P-=PiIyd;J;sS`<9Ll*BbehwpNuCQ9moRdrz9NwmOXiM>%1r5U4IIAR52BXM} zOJY*%)}$%u1&*v{Jy0mIu5ylvKKCLP7L{sSpn9w|*T)zXyq`z!l+5EIhsViUsLF5M zUJ6By_7ZiI36>CGs!L7a`BRXgq3Y}V@Jh@Hpq8x`nF<(56cul1PaK(iTzLzB>%&XY zJg+FH^vh6)t0j>N%gtoR@N)NEgtK%p_iB!9Ev$3ZiLex$Y2A@;EhmV@6*T7cHbNoO zwjWV;!dIuqS&42@dd3G|Q{;&k@e@Xhee^02rIZX+>q8#bG|v--5BA z4y6;e*LExjTVQbK+~ws@AG(mV1Gy&%Ub4+AQW7>R(R??}L@O{<)o#hn(g@6Ur~V!M zvz03VPj92&*&NRV3bB{mBajVlrbSA16dYNr@Gjm*{>SDR!PH~WO0|DEW1JAhe|GK( zak-!I0oY%-s`05K=L5fZ<0GqsLGu+kGRa{$G+O*SWCWkVM#M$4Mb!pEHj>En2H@-m zvtC0xx<(1Aa1jg0xRn3~-Xm7avu<(^<}lA}So&EDZVMlslL)BGC@h#^JkKN@uB z^iyFgHc#Ng(@~KAQF0XoS0;dWoTHSd$ zIchh-!A@i_l0=qm_quxLuU%C?tF&=(XkW9e#$IH5^pQj5ty)Qc-{m#>n<0>=F|JfQ zX;N)HTzr?Sq!b5vAhZtWu^>3sq9=j8Zf7=^%m02pp$pC0;^qZX_c#7bJi-$ZHN=Y0 z0$Q>}W8+_a<#CrZ>bs!8kW>pA-w(j^A)MJTIqSKnVf46TqjUT#IA z@1CZOn_jRdYN^>^Eh77xXhAG&1djOp#fqrtMEy1DZcuiYVXA~2sr!#^Vx#~F-qlCjArvAR<=MI%ae9Xjz!=x z_>Rw^{uNHP^$;|PwpyY)WwcU?A(Y?0uxNhnAJOlt4@hunHtpDkygea3D!}3iCmVt3 zh)flwoGmVRFYz3La`>aANvWOI34GbcBX(BB=HKY+`KG^+3u1!fpf#y;Lqc&X59tqd zxqph+kn@jNlqZz}`=)1bg3sjZ-gf6gb|o{LAol3=)WT?U*+wyF{UI_!#$&UW@k!W))F)Y|+gaz?e$;&itlROC zObu&zrtj~>U#5lR2F3N}F}u3_QE3MaU0=J!+<(KN1RZFpPwlM}BzmROhKO97RrbpW zLJnQ3?Q0M{h)k#1iQK;DHtQXOBxJJNFJh2K6%~sVIrg7D^0T}&=z5x>4=deqUx-VgJt2}FfSSMN zqbF>MLMvElpwf~~VV$3bl?+2a9U@0p^N5v7m};^I%2#R1mF<`sf}zm-c!!xkKmA|4 z)noce^<(rni8TAN(oUQ{f0+$4BVpg)!w>^76yvmK)#b%HVf^4$G8c}NVe-q!vFauh zk3+^`5(5ORHsx7R0f8qSjniTjMw9h-!AEe2v-Rue73N z`9U7pdloBt;z+l~(f0Vy`eX<==#Xsc@u#4RbUwHSl7!CwiwUF>-X(O%R ziLq1(sN5~M4OufikGEQxJ~M4B5m8&I0T!Ihl5HDCPx+u#>WQ4P30soQG^yk7ZkLd} zEp)nRCM#jvQ!LjCn649o4G>Kg>NO%mYhCe0GuIMOR*M0cJ2ie$;EPy}$?64y%H`4A z4vna`>QCD>ssu=K^UxFa2y~p9?yT!8%m_Rr+%2;Q{=&yo9WdZx*y$Gn9Rz>*7CL3j z_|QvoR4ch#2NdmZFkeE4Ga{gDJO1+gmpj|<>KIj4y=WUPr7=054i|reM7=w_mtjH! z-Wr~<$xPaxWmPuy&Nl-EewBXF!m-_)B$6}Pg41>-6DNmfuo6N2kY(7Wy%C^{OL--8 z_7A{xgcHG4r%^M@$wM->7X21ys?g}cgTs}(#0Ov}21(?7Fl{sEt$PgHxxWjVyZ~#Op6Q05CUC!$>ai4s3NRYE%-|g19(s; z>*PhQN+1kM>_#r08^nQ2gI|uJH3UKO8+3^q;EMPnr?R+g;G;l;kT_t$R@LBqDTb1I zO*fzz-(zMnMUiD6d8g`p7h!P%ZA-<jTdl@KY**gf414=z%9<@_hUY4axJ~5JB?209i=gZ{*Mt==FFwA0Y^N4!S=d&zc_! zhodK?sBnDO&0y5)aygy;?*r)nx%z))r_<^G{}2AH(!Yh{a$2ANpF|G#xA$Mi;|a*7 z4+$_Mk)QFV|DC9Ck1l>9ADwZ!)l$D}k>jJ#=EPj}U~v$dtMw6D=TqBI?978l?Y-Ka z6}bM*xbK5%A(mqoVFz-ojT%-{O`Lz~k|7CG^KYaOBOEo^J;CW3e_;@+oKXb=<0-8O_QrP+_eHiM=KST~*0O zP2=B>$^D*xgc(eT7tVd$sgHwnNciau0isD0e-~hvSU+J*@x6LO}09 z-GTZBfX@oaD(Plcc$Xs{gsUI?AHtCech+9iiR5i8mP9dd_`jER<}s zXvwEPQtRz5tF2Lj%=<|}E17|+>`|f&WV=6uy!L)O2dc4&U!PtyjyTiLfrS`wJW= zZe2p6U|(iw1WXIs`^Y5DB%1yUsyI$fbe`gHoVZ_~+iku^ePyJ6AjLeIMM}D~o5Tl9 zDXdwe)msM;dmAYI41!(2Ms9x&lfcG2652UE@n`*>#f>!KCMiRYeLvTg<2B0Ka*j9! zVWJrvr{N6tRgeH+i&s#Dc^X2C7tgz z_WQRGz)%GbY0+B!EsUnz575vf(%jBpy8u`8Rw)YAj zDs!E6pVKR zlqcuF7$ZGv_~dZhW4E@32TzMInju zWD^VMBw+MD6q5(O>6_2(Ol^ivj-+O~UV^2O@(HQ@PK;#6ee(|~IUyBYRt%8WDYmCp zlZhzWqU|0mRenhg)1bs-%`G#mg|8WYr<0Rxijs*i4w!gD_OiLNkeHbgd9F#DDP`6K zrG!?;D~G~~ho`!sA7z@)rFQn4h;YB+>VdV-HLt#00!idzZU0b5b8~B|MEEjQP;me>`NIBbn5tl~~ z0KrNX5Abr!iCgHz!#qX+<+xSF%uWG*)foi5?8Idq$Z}2ku1FU9+MW|!qvgx$bPx+2 z8R_Q$8P{Om87MH1fl-MjC*8nTM>Yp3oS#V}D8Q?PC3?b)qNiBW8VaDd_Z3VlgGKMH z#4t;r8R6$WpBKJ0^?0HSM|1{LHg%0(tII80WiG>1Sg}fUa41J=aHKMVtE>Duc{rIOw!QZ{1Ey|2&KB=x;8hG_wb;Jv-xMI?>~P`+`E9y1d2GU;9J!G*-fj zI@(Rktx`pMR~jby=1lOdG>&7|mWWT*<2lKlUhXMX?nt!J+WMu^xDW#uR(WjCWs5o_U(b5l6j(4hFCVE65|=F<-i_xy3&JH(Gj=5rw4gAr*7GbwL|{^SZQ^+ zKyvP?3EyxT9sDEP_JsO~6iP0k;Y(Rt9NYQ zvJNlvqPfSl&ywKDedbbS7PAU+TTD6Uk&Uc z%ljGV&&U_@mgbS+bqFvf+|sA3E?-2+j^t3`==`^B-p-K2lfYPSjpKa*3b?S)>fFk1&+P3e?X?sX7dAJg+nd=vBe}ZG3+V1q zRp)D@Y&QL)tf~$L3EegY$5Hxgk>b)_P({$b;~8u0P{Ymu^^p1~Y85_)I6qETNdE z`$JT6J{dV#) z!NYKxPH{WFBzFcqRTE{K4#Uo*T5RuBxsz*IK=LbywZDfRH2@2sQ*dJX&0N z=$>)_n=m1Cv%Esj!*<&;3)Uk>F?9|fXIc-4$uV)P* zm59$lylu6&jk4a?qa1OC-2+1yAh%Lmg z*xBj`3=KXQv77AV0`Bj&$xXwPCOC&U{L<0aGS^SK6Mo180VEuH?l;*PMBzsv&j!4x z7^ycxL$K90^&H~*>bOb%xP$kB7}`uDGP}40XWu1NWTN7<@3VKRpgw?KenC-=!w--H z=+Pqhw&FO|NIgDC0{H&Ketl5+3sB(VcqQdj`g>y^xoV5SU>$|yVc+Ae~G3{$ctBz<@XY0s?Oi)FziMu<$39dT8r9K(rk3dlrlo5Ah{6~A%U#p@0x;Z%0@*pQnb9IrVV2I zj1hL9!OiUPY2?2unP;b}EzbqHRUoR#7IHuN1)DS{DsGa7B42?RQSb-@iW(h~mW01_ z5z%zAWl_~V{={J{5N!=Gu@PJdS2yf~)}c&agD$S*Vl#{)#WCEv2Goj6ZAAn7}eyLEoH zmO7d@s2|*NBR0Bf4SoIHZdO=3kXIxxI0dx?R^vH<@)yUT=e#Zhn}F_V_kLOaIsZB5 zho_LN;0_F|R@YXVvPFW}ldi)m%`|%a0+5r_m-xwv$01wN;#kvF#2e>?TddtO%LLz8 z`UsdFga1f(n@Z-2Y+Y{YnqttMtHCIp8)gy93H?*KmecMQQ&dtASvM}Y@UakvdXo)c zw+I8U4TjA4(@b!O$hyN9}-U|OE z{J(0hf7|@s(;2w+@;}x;uLC~}{^jZ)gMSMje*eSZZ{Z)mU;nG;AL0Lc{x7f(Z~x`s zpPqjLyZ#XVYtWC2`FF@4HdB9x)AixtAGLp7^T#+p|F-$J+W!gvMDSk@{w;j;{Nv!? z7w7t)4nBnc`Ukh(Lammpn@vI_4%|sBDISa%@N@^RWtCO_jG%MEt#u*1;f6ISe32F? zS|ylg`|Q;imwr?cU4h5(hI-xG0URmk*K9Lf84opgqSR*y=(EM9ws;sS!j(A^I{7*X zcSr9=|5jSB*9;^Q87{r~pywSVMVpBB&`Dc`Y1lO8v&7RoK>Yk|T4wdAcV;YCryCx( zti)w?4i&@o+^ogV?vi2Yf(_v~Qi+wFq=`7yCDs^g_2@evThs7 zWPZ1&zdTdD9Ud{&&)XB&#{M0vYJ&x?(_zH%DYF|dQnrp8rAD)1LY?0kSf`3SH^veiMyd#$s6TJ0eI9D1EWtvaul)iZBQ9n~8N% zkfl%o`mImq4iuE?1&mC^kn#RBSD%CoWK;LnX|;Xg4ue@WHztJNCkB`P@OaSw>T<%M zzFFSrMVIix%DxFWHuA2zY2TIK>8PsED<*}+fH_7nKew3pgpo<`s}YrVS2sJMC*t2#DHSL z@a$+ie2qB|QFAnf0D7I(JrwtL%sfHQ!baGe&#V1z^*PhMv1J{LDJC`{jYvp2uiR5;R1@21S zid9r1#*%{fMIdU?YLcJj2M_8H8&sbQ1KQ>uLtDp|LDBzUiJrAy_uW)DnH` zH)qg1t_vO~y76W0!GpiHZg&&ZC85D-dfCMnQVe(sn3&T(Ni@)%F3RM8tu(6@Cu?|Hv8A1}gW z*9+JsCN-8haL$=${nIZGwR;BF2uuo zs_YXmV=vGoS0<^U-KEP75r?3P5E&xMr1PM33LPvAfI`*!_F1K%*ih#H8v(B-iL=BRbyMXS^NFDbcWpK5?aSjTC;)1HIP3+~cFWkrR<}AE6YQgO`|xO^*FKgUwp$ zm^$+hxWf-1Ca>P=Nz_?UI{D)}mqWvY6B5 zKgs&7ovaaBatfzLLTY=HB*0ozF?!bP#J=Ce2a{k1ApUq%Slb(Yq}MSoN z#~Ep8j4#`R0Dzg;(Z^l+7oc+RWA=Wf`_qor>iub+6m2GaZbDe?-xyba&+I|7!hU}N zVucALNb1`#R@%&D9M&{s-35BQEqd1vOXE-pfwuN$u4g<4oh6AUMZMAT{D^|f7-s6G z=%jY;8(~uoktlh(#T|6=cIcy@&yR2LMQml$PU~-h?8fn*ANm`=S#GtCM$N3!XYTH8 zDOq2v0{+-ZXIPeWf3^YfB2|W1(a%XsS;LbUSX?rdp zBV{t%MPe(O)G4v3qFGv>!lV@FcSH=@yp^_F32@u6u{iiQyMG^+)*>FPT_aAP<7#0A zOI4x=(a-ePs^M3$A0U&+lB-5={~`gVB?-=bYY)zi{{nD%YVYI6nkJXgK^}a_5=hJZHPI!)X{#A#fQ0K9awru&wfn1 z4J!8Qjv~MI6X-ttH9`R>fPB>3^E>TmW4yJOTNG|83vYDC$WcM}%@e3ntVP*i^@Jx@ zXR}nci`aUD*m4Loa)Z!%Xlp_Jv{O`&UDHr%h6ey&zzd-+_DhcO1!I-m*O1e@9B15# zD>do*6J~iBIMypbXweNAVmmWY-a}U1ciCJ?B_EW&a4~+nW5jh^Fz_P9Vcu^Zie=`1 zktCRBNUi0+JiuORL}}77Ii>8wmZR2>s7n&1{Z;5_~=P%s{syy~T) zuOc-o0240rQ=SLH7VI#0p%g>wfAjsMKw6Ln(d2n7USQ4zOS z&X>+ac$Iu-5YMASWDllcK`x9ME(1U&u^W1!!}j$YEG_M6$qCKpp!O6(j7?E587?pdB2$o*Pq~hT0e9!=gemgU5bvCWJ>+ zCnNt9W{OwNo3&()I-BRpqNVk_6cHDlT^~B$kgQ&}Q1J8?k2&%f0rWGe6B9B)WK$0- zDJ3THB;K=qrU%q(LB$IyBO!xLNTbYbutM{aF0B&Of}hC|YZJ3zp*L-4*r?DP;*K*y z>VT-{q5fT)8Ms%8KN2mfAo9+A4ucYtK%QXj-4o*dn#U4%d1|&82;1(|J1ii+Umo zvv^PheJ9CdE&mx}nr_`BKOua1a2;Jeo<}XK1*x(?c&6SG=tBR5M{aM$t+SUMmR!Bw zeU-C$mN`&Xjjp!u5C8&scBFRV%NRVdbPA2#TRpW`19y#fVxnc!?o^QAIYYo|jLMK< zJ5qA+HEv;FrTa3-NOY2zSOWj>z&q}1EM^yuiJ+Z^((@8cow7l#i(A9a=dv^KwyMm) zQ#~k;*MaWwNI5P|RdRyY-pDalzIpRL7)=B!s5$^TiN5nTAVJB((6Ml<_?g>3$Xl=AYy+2abMVWZAm)wn~qE@Mc-|^5%@fZW}DtiZp;7Kq|2;q}T%<*Ju>O1<&eR5!q z>6@A=OTYKQK)>U$4lJu|wNG8qPfW3v@V?CLh1~+$X`g>q;##nJGZO}AOJ28y-eEkQ z3cR4Y=7iLkj?K7xhnF|P^^t^^NTdDI7cIfcY!LQoK_37Nz*cmy_N&t{d9>Sg@7OT2 zb7RPq5`I|#cvW4~h66P@FM0yv<#5|aAZe1Zp7|~gFeCZ5xQ$&}P=Y3*xP`=}$){v0 z6OImh5#-ZnP>4CC)qa{IwWV}PNLqAjzt8YCMr@tebhH@;PQt^3&ov$T8>(BU>B*MW zN`hHK-p+MyUr~iW770gWTz{8N!lL-%h3cZb3p!M})h?C~ODM)+ZtiA-GE)<(d9reJ zfIf!v428*hDJrYbydFQ?$!4QvoKIUs4#~?im#DwzQ+E(3uo#$}lCKiMDW!n-SA0;~ zWUA6_PbCZ=knTXIGZ$4nX!qVUnDHeCRpu<9MwL7nz=j>% zBGg$mYpDMjWbT`5uKs=5H=!sn^_yrp?m$yML$%EVpHd`v77Q_+SGwdfrf)vZXqsu= zzvMp{0J$IPJnFDDM1y^ng?2-gOWDNNVC?Sp^-Er+E&#aS38ZW*KZYgVDw8vg$?W3I7Y)Ah5D34KWHp) zh!sg%s3T@whz_{oE<~%vVYbJUorlyzh-5PvooF2np>U4SOVKpzSsv( z#XLI$3V}VSA*X9pxuH*Him62PkVBM9?wA+o{vel;w-o% z*3O}d-Xl9~q(gbw?3^pftm-aaz0BDcq?ksOZWVAQ^S!u;2Yts)k-r!7O1$?2^=YjT zUZ$o|&lvv?y1Q*^RcVJ(aLG*W1BAzziY4NnEXCdvw{H^fh~loBEo)cgbyAL+^E-Lm ze&!0u;$~fDvE&#Y^Ms94<8o6dFm5db??`o3Bqc4r=r8X;Q$EM&}jArC2?VD^+=S!*{7TnI*)dRm9}5&t6uHZu0J3Aq5n}J zPSWdF%f+v6$>R2e;UoBPW7GD7%x()wD&}qDOXWlE!5zMBhg$p9m|Y4vZ4KZka@ zPtR9>0T$V7;}yqNJQ(=m!F5HeY`EIdJqU@Wp^%wvjioZ z$B<#V>HAl)I@^ifB0b2=V@}oii~)Nwy88>mAzQC-d+D$}W>37cuilne3G%}F@W#{O zA&MrK&Gmr^a(!Bsh%KK;);Lf^rMo5n0j@kpS|0xD?vvaQURdM%qc7*pL|6{+c`%*Qid(aexxTUgG zy}UaI>>jyEqn;2t)MVZaZwFU{Xt9Q#tY**JGeq8!F(aeERsN7sU zJGmQMXx>)M?fK~ZK7^i~^cT&8wH#kV>6x8+#;99~) z!NagyOEg8cfRQAz8KTs*nb-TPw8OXi(0r>x*ii$|HVAwjP%ISaio_&}+3jMh3iOeDTPv!M#KqXfOqxCk|N2{96sKH#HXJqbCBR{2Ir^k~3-L!84kt;E0_nMi-*gD@aK9COUC z7^_Y&Ps{Cq5ZOTAsC9utdER$lCZYvZR~!&HJd}=v>5OqSS_DOhs9)U(1iCu3KgToG zw)vDzRzn-2kQ_AceJ>d>%Aa{#%N5d(InA8s1K(MedGj-ikG9TWOtn-MrWK zTEx>R3DoTPyEMccBVf}fW(Q8;7(3b!xqBRX@IPu#qc6iOoPJjq;7tmNqPy`g%y-a~ zLU~w#I<8liPKSZ?*xXYUler=>eSiyxj9X~)7IZoFukr|cI=j+n?}ks0@!mv%F>(8W zUNSF!)gOjKh|uktLrGkkZIS>;jVGBnI6N1r!Yn^Uw4h{|49eN_BHXUeJW~jSM@ek zSU{tL!g2zgO-rZaMQ8_5N-3&T|8$9%W2cZ7fX#%|)TC}=uM&5pk(0A`JEKcvGYLRq zx?zcA*BY0yR=vHXzJBp!c@X_@Om8X?5PTRGagxnbrXQxJw&b2yXd-@b{Fkx2|dTtq%rNGR- zq7f@qGuE=dm~zx6ZH8zQJS^Brp;;e;?W-sZbwpibAWYD4FAW+S$>-AH@I4mwNHgG| z%aD&DJ4UfIJlMm7Vx+@62X4@#KZm{U$*XPpE#l+NO!H@Z7S(~+*yOUZ0dOaARP&CM2>qH7#kq1Fz|Wp>cjbzd+Ay6{0WgQH!DhetlzfIp zgPRw~IGu77O*J6vdEdD_$jlJVa9W78FLp}l{C@c^_6XV-V)*JJ=nD!enL*BU#SPU= z;}=1cY9C>2LVd)YN@u-(=SlX z2>QPK_Ir~9{=E@LePdZjr6s{7LH^ymw~J%flprMLD8}tEQMQb-K83m7CRj}J{94iw zV%LLV%d(g$GzR3z{|yF`Joh!`y!Tq2oT(!<*tB-zdUTfj%uVx@ ztC2Qw=P7sba8}1>K`p=&Mi|4mH()>At&ye0HD60`WGb3%(reh>g=J2`573d}FMq|)W9D`GfZ;O0IT~)T(lA96^aU1 z^UoA@Hw216_cR-|9ZZV<*x{$OOI;r^nZe+)$k-;w?o;WhmD(K#)C;<}rlxyiFGWY| z9f_5F`X?Gd{>qOdzTM+2g~9Fk!Cl+0&@Wauggi-bRS<%-(zz0$f59J)2@5t%LB$5?hG89n9Y?02$M8f=2-uzLN{-M*bH40Rm~b-e5my1 zx_;R#{YD4AxA|}+NJ6i4Bi!FlHNxx1w$#GO$TY; zAOlaPUQgiCID=Qg8ZKDM0}ueO)15dUuy=uuX=fH6h`V#6OxEI>9$)^$EDiRz{cz^8 z?BbtKq@oKeud4srmyNkVgN2YlA+?z}7}Q$RYS!OV2u1dCd!YTyTKT(DE;N(3?*!f3 zE`a^4Nhc(hh~LTaA#5(M*7aL<{G&ocW`%Lhkz2%jgn3b;B`197hQ|*o=>XMeI{}Iq zX6L}saSw=b;0J7JF2gli6&>~H6$(ZJlh4frKI8!Eg_?WP7ab|5I%cc zKh&Ye@B-&QU)6MefE}5wG+#nM{1hxG8kmVUE#qZ}W_MT*GDvC4;r7*ghyPmhL{q6> zGTWHtNE3ZMUljq15v8)ketev_LR)tdB2Ft=BhIpgZn=pQ(3vetA^C+xnf@GfNAptc z8NVdp$!_CF;9oYRJdP#_OAD4u$x*N~j#q8IPPMng!f)qKC&akA@E$$sG#=W9b zp&{8rG*6#D4%9RY45y)HfSXaNDA)JX#QQ_^6F~KwTu@PTG8vv)_(wT_NNLUf#o@HD z;P0Sc9~t@494~U=-$z2^IP!ynKZ*ZBe~BKD8@RDRN0R?lQFIgx{vdy6={{R!RyT0) zhKp%jvPe@~HL=X&(_>ICTGWqCrLqK;n9!K5bAoSKlDH9TAAV&(Vt(~dIns-W<(LX$ zO5V=bRbxZyhF(si0&hiXeg39dT)S4wT=gqAaejC)*n5jld%Fe0>ikg1Iw|u9Ch9S% z2Kv}KN)pGD%2Y?RDz8cNi2?5RKoIUZ&x3z!aW;d3%vZr7kiy!upy<7(!~Nm9n{ePl~HPxkTfa5>%00-&FWL1kR9v*^-7$ zT1&Y>hu(AoI1JDT*XO2Qc4n?={>*#7{4r_uIKd@s6t8b?#0m$>l~afqEeZ%*U7Ug+ zsUnWHdfHH|v&A@$cezNbzv7;UQgjnuis@Ce>wv~6iehC(E)5a*a?l!|DMq2#jA}7}OEqjFw+X1wUaTc1_~!;JEWt z>ad<=y9ZstPJ3?R8Zu*h^6(U-$wpQl;n$L*L>Ad~@J&nwJpxjA1x`_I;vzxvfg`O)=Swbhr0hC~#YNGd zS1jfCpkV93t0Z9JS+;3$ghNVf!VABS7wXMFWH59e8~H)QNB19vC8Wf^*M^hR=A!>D zQSFBdCjosCHzisjk(KJLhCpzrH=V^dsT=B6@f)MK*18(1nO=#jZ_doetbm$p;j-vZK{or4PLoP_ z{3V>mfL)!nZ_=>j^R?Owa?1Kl{)IiER})-N7s)i~&F+QS50C*$^MdbEp0?G>b9UzI zsPfxgibj;3Q&so746B-(gWxcOWo=8Qfx6J_&O}xIpQdGdB_gkr&lAQ+QOtZ*?-mau z=M6|~pDZjRdMjLeyDPNi;d5E?+OHJde`Qt)<;xxUqIlv|<`a@aIs$YE1}HIm1}SZe zAM|^5+lN1(WoL$HeEo6>t>YrWWmEy~LtM@(kk<8q5DUa3$IDQpT{Z%U6H`oyTv8|H z=RqeOZO0SDIT^903tCS_a+jePaR&){T!V?S19c6&nBRF{IhcwB;aJA)uxeFbl?_W% zBy8EOURQrqvTX4lzlRybFUFsiM7}Cw1&>3_xT~%kM{$hqWCRG|ku`Ku@x(PbeQ1Cu;NtK z-Z+7YXTd^$5?gqQ`Z-fu&`cJBM!4&$pinb2n_VR~tf^}9@IJPO={Z?@;g3A)BNrVx ze^>oInKrI6#lZZ#?Gl+@?JP1}=&IQQ73Nex*f;fIY19hjsdA@M3=>R$=F!;G*sU5+ z-pdye_rs5mva*jG{#V*yI*DFd6}uk~0UCXCzwe&qB6RwCjd5d%wYc$0)omKnWP>-d zTMDBkYg;~W5zc5O1Y-aoTv5-{AehC9%baw$5=}o4mS{MAX3cqB=i*3^@WML5e6*>p z%F?iix2Hajln=0>^6VA(Q$L@?PhVW}rbeE;BcUI3Y)QZqteU1FNG<};O)bviQ^_uy zj4XoCrQ2sMZ4^<$aO|LG%zJ!x_9?>Y3x#Wd{I8nUll0dl`-dLy4wrmoOi5!#h-W`gAcZZ?EA&JpGY)nKGofv~V*SaVq zqr>Z#`D<-=+P6(QtBHlh3fai{SLwkOZ40la{#&I;4AH6THddHEe783MUzJki%wUVx zEjz|M*0kAXZjo@9?mWvp&JtVxfa-!vW*P&m@+*v7l}ZKEkqYkg7nTi3xs}F(2?kvd znj{=NH=gODx-#~`>k>hgPNE1wkaBTQR&0RO&u-oqfIE}^3|?w5xq&nz>RBGE9h-V+ zAwA-wJOCC-;{Mm|d)iA#+CTgFj{9;M7eWpg+@dw2&GEl7^>CK#))+PdUI}Z`7l?mc zqhe!D`xY1bRvZj(NamA>QD`JS15D|cX6ooOx7^?h5`U?K*@uG}xwe&M5}+yz zs?LZZ4CT7b@WE;&#j^1Z6@YDML8&$NBlZphg6r3VtLJyd+p6 zx{45pQw%rj54uX%)MPNMcFU@Kul_-9cPUP3EwDHWEe$qjt-+=U#ChO6S~N}yx_jqh zqr=h(O`@>WR=Vzd*I{rZl(^tRHd$D8$*auq%UUP{AdT~*)^-=WA?Xcdo?u+7x+~A$ zLOiw)9CCLyGs(*}DQtsIo~#E`++_(|-1Y%D*$UP4;@zalHr$C8JNQD8xjfDVDTh(U zs5_ALip8S7vslq|r5FVXoJh1LX=45+R8lGh-poCm^+FFw*8WnIYmNb07p(mLaeNzy zJ(k&xS~CicsDe~7RI&4Jh&U<*$5h&4pI1XtZQV+J^@Lcmy_IhbvF}+?#Uz#rCLXI0 z-I*7Rw~HM>NEtc>G}F4NwmMDqRC<{GH5B!)(@9e784{%eLUu!GxLQ8P&HX) zV{?!TO)FRUq{`EdIK_d=b|x3xH{Pc5FVFRK9~Hh!*j!FKN6%C?nhhOeX28)nv}ETh5cTPRD}`V=eY`E*&?q@y*h4y<^P*QePUI>}Qajt7R>r6^dna#3jd{-k2D7Fm^wT7qG-A4f z3iyTGf9jEMf_^||F|2f2e8C?8n#W3}D>a!GIeag?V+C9iN(h$-?e%`rtSA6&*^mg$nAqmjA#;fu90cJ@h$Ku(zF03W0+Z)xwY0L$m(-d zk7(+SCee~Cgh*r)s{gc7=Fn>u2U|A~a0pd{{7+1P<$&>4?Lqll`Cik5krghUI$7yY z{)yWM6zx%n%qvEJ;sXj_z}HeFfC|f=AmhU-6w>?5^5AJ%6id+coY${Rgfr&Ego;)l zBK}a~aeZZ08P;tF?LJ#3YR$1zA#r|QZ#MM&y?hU*Yekio(2O;`B2sE0PU~+;cNGF} zdE2ZA6Thu6D+lw44Knyds;cZ3Qa16B?m_F2Lx|tSF&K37hijfNgo>KsQaXJuxErJ? zuQP{t*+uOVHzIZ5@=!zi3;qI_8SG9hrwLiYVGoO&-5{CXB@>)XD{C9$nv$b!2GVJd z{tC(#9OaO%pfYn6zp`D#Y4?75cqt=_0V^TzVSYRpuJGOjV;%%1G@s3od?S?oM}D=% zPB=zp;b@RC(t$Wm1yIBv6Nom$t8&^80JQqd+(cx;z_-e6F;;!zpF6cvtvka*& z(EcW>g$$Gfj!%CO)C&9EexI8O;(rnT<^Edw0nmLbff5Bt&*MY}3$3wWA*4gz;p6FM z#seX)@{6Elh3?9=39|`Xizh~CfmaZZOdS-v1u3@*31ElA@+}x**>*?>hw&MXxq&B5 z>6D>|DpyT)sA#KIo{O(%`*st|U*A@6E@-^B7EusoZ@CnqxK|hPkr29styqDkFjkoI zszPyI^gweulGta`;=_e-p)NlP4K=9_&PEksWZu$JWhz&+j6~q6mFW%hI@5>>PE?~U zRY7~Z`8;%MA15S8vmI9a@n*xSJ&XKu%rrn!jHkme!4y<=g}yjH`h0;4y{(8; z3uES>#j9k@QlX4t04kUEaX_F(#KKuDDpMqZD?67RZu^NOl^(0Ics($-F~V@!@YyOl+9^1Blc(pv(F3_) z3!*6i$*Zs(cCF3KD8hB8Hm)pQNGbGIa*NA;@;IRfRfvYREGYir!4X0r0l5iDc%nm? zt+Z^FF~0iY!p4BtoRlToO(F-QGLbNGmB12bVzFzxk%Z9C5HLf<{C_ z(70eCetgE*P{_`lg~!Z$9)!9mygBq8V{42+%c$?gsmJ<@;EQTTcsKTOFdj*HJ|x~U zmGyk3%*y*>k^HD3um5Z_PPf;qlkb$$ zzV7NALulDsCGy=oR!;pKrvE<7F~S-jZL*YaCfZX0iE2*iTxp~V6O6jQc(YB)HB78< zI>S+=bRn9{*H(|NR55^P-+jS`gmdkL=wH~RTy&*$0EIG2xv0+T8ekr|E>eQNtF9XZ z#7@vuAVk42nWd4D=C@{(m`mrE7}#;F^dqT^DC)s#ZL4FyZzxDkFQ+_U#dt6EFK&kE zL#4qXYEYfJUWK1zU2dgkX&!56orwtEaDlth>3-n6Q+l-TVd5Km9V{II*}DoQS$s#v z(aFKDabe=ygVHzSiwjiRzGN^cjGUunp~-<4h6BU4#8i@BaU(?&^BV#?OZSy4;DAIMi`j6}>_;^|$NM$N>u`7cyFEMO#Zem%&hHtc58@_=k?pJiIm zYwV8Q#oTomPQux?L&*e#D3jVeohXd@HJS>+3By}7>-=3D-Y)LtfVvQSi?IbOon*<@ z&Ir~Ib*y-~5(@&YP&+7`I@Z)iMC3x(Z@xtl)!Vq0p>52M(=NQXQKdX?24+s*u*&fYMjUxk>@JgBIpcaFrFd>w z8(Pig;VwiP>jWni)Gp!sdV>=u`)+@3DtV3uyP?8W2kmu7!h`oj zEb6vsi=-C$k&$sQO0hoG$l5}0j`T>b(ull!Yb$#-MMNhyqMWm)|CTD}7EhUZ&MQKr zR&Flzd1Jhicgtr=`}^=iVz}$6%MX2t{(Kahu5IS1d?ntWbNYVlh%p-q#~An(LfoaJW?rwe?@*agmMGaabQq8 zBwoHg#(7@Iu2$~C3>q_|{?CCYOxkDs1@`r5%8|g53d;7nUHe!WrIwm(~%Vl!wy^K#)-C<%#bSVxJ}o&q^`i&-&9_onS8+ZOb6ns zpRKHgh;SGK-8JStO~wY00_kdHxXS8IgFQ`*I^^I01HC`fg!^^-6_87ktE=UZh&0aeIX>l!uBT5T94 zi7QjOaK{rsFYlCFv*v6Nx2rNGQbe6Wc{k2ODH&GPLa(Pa``d+9@oF(+tmeEgAgIbW zX@$|kbC*QHZ>|}Be@NHFsb{oKLi=S=Z+OLTmY89b)UBgL zFs&e>?l7xB1Bjb^^dlBgw37+w7SE2>jo%h=8q1As%13dXOP&7xk?=7Ok+FZQqW-nB z{hzdeY@z$JP{&h+DkHEujrHULH13uQ9n#FT7_iS8&LQUYgxs#7b(7hnZISv@PTgFD zUcKt7VPd#85p1;6iuF{G=QZXjmV#~smLWQb8!2Hu_)~mg5c+J6vJm$pem1xO@94Wk z_TJIOYuKAj#8m>2(H?JYf~mc&zSOKg{%_c0YO&1yey>e~9q;;iJt5HOs5*<74WiNQ z=v0ZhC-~y{bRs8owzb$%s;wUWxPoMSl=BnkYX3^37Dc$A^=eN24Jsp3R4ZIHq)-mRapU8lb*NURgE1q6rv@F&7X_=+xq|X38r{ zrg@LLqRU%5G!+qvc7@wc_^=Sx70NHUZ2L68I1iwc9`^r1_n{PnBO?-cA^y!ALN%V8 zF>*LixUh12kCyfi)xy0g>c=vgIHc+&dgwQ@kW6lT&i6EB$0*%Mfpo-rrMhUf{p2rV z+!I>)Q>dW=n7>O46Q*#}qEeqOoU&ybV-1oR-BY z#ESYcrCFUi^2!v^t0odUa2bz>yjF5UrwnH5$eP?q1{VS>RwL9D*>lTFyRek&XjGl7 zq)mEl$Ann9+*2{b5QfL~u$>@XE$B-qnAC6Sq#&Hx%xV3q=61ff$n+O7GL34`i?W#q z7f2XvPcwTVE9Suh-Zp^fKB`@rUKae5Qb}bb*)6yL;3F`86o(@Tn<&v|Y8`?k1r8JJ z7FZ;F%Hn)L18ZA{k9n>$(w!_aJFy^Ds>jwGG6&2;xisHH^n=dB-E>M_x^qc@u)CJ2 zdN5He7hwjuCT3E1P-o0#$?s6DucIiFUcsF4LvxHoC6cwq2lVoN3p|PHIBcNuu!T-s zM~prV|1}r)p?I~BgVG5Wf5~e9_|BkF*IL?#R|AqAQ(l5A61S#|%y%yh=61g7Po3qe5W*;E_Jc|2 zziN8O@P+uVozXW1bT_W?Vu+mT3l8?a3+0%X)bytipm-4oAhQ{NWR7vN6q+La2Q~Fa zEyX{3iGss}pe|)=e#b8yRp-(u?U!1|@bdaf3-)p`t_!GD{{Di?5HTzuHa&R(IVf*} zbzPIYQAKC&)&-*us^t!E<$!Aq0!u?hMoYfJF!c~KvN-dFl^i#Ev-Vm6H7eJJHn9U8suS?FU?ChM!J z_LLNu%xbemQM}gy)b6yAst5wfcnjUS97)t(+-m|vP#>GUxYCnS+^>;n3yH7LxZhaJ zwv2J>%Z6bqFpEO&bgiy=ToiwSlVrj)w-1&|2|MX_MC`2lJhYo}|3Av!101gIYa5?Y z2ZPZ|v>-8LFlq*)*XSe?B6>s@HCpuETY?}uA(7}MI-^7#Eu!~MqKpRg(N=8L{9Z{D{!e34Hw87zV5gc-eU?QLKWw=-HR+$c zZzz3o8Gdu$Ck4>pQ-1!@{;|+BvyfUWDp8MnVgkB}Hcq{7V=j?o^5(G*N0XI3DztP4 zH)-<)F~B1c*os)VpQL2#4SqB*_TfxM$(F#~p^P)sKvpEdKxKGqNfX*st|Re0B#E@X z3P3B4L$n}3A^^1@D|x$N@S5aOSGkvVf&a1EE z%WPb6UK)mlkHoXdr@KC-Dm`oPDz!#b>6F?(JPw>@aCaQ^8d}Z$N!lIfN_BU8~`o=0DuUhn1oPJS4B3=HWGjjefTp)o1Yf9 z2THLB$nTTVjfb9x0w&23`FpfcxgQN>p^W%|NqN|TEp6~eLHXMNM$V?nRnWEu(^!Z& zG72ehL64HZ6|X^ct<%d}bQC>|NTY9AK_kb0A~8c!7&PJnjWE=LuI!~4qMN3)kO$<* zhiD{bPfGU-PBB07Kn1y2UvIJtZV#u-L6-{>(R1Jmqeu{PrT}qG+C|Rta0T&XaP`U; z1d3M>1s3in6MYcFIR>Ltv#;C&3vQ~HtAXJtu(-JcPDClZm$?w0?M##bFhD2>fCFNa$73S|KxCM1%K`xSfbw<_6^aQ0 z0AY{9alqODfHpA*E=yg}1z;lvAL1i&$%W-fAur2|7MGbyPCVbE< zoCu~*9DuF_u#LqbE4x7`GGPlae5p_PP?J+e18$CnnP~{4;t(hTaMB<^D3ZxS9yZo5 z>>5bFPtJLuCVUVGOAbZ4bRdPoVQ^Jgz7}9kIf?@#XDT`-hssm_gx@7(}Ic zby$=&wr`jrm^_*A3YcxBUl^k)EISCt#%rnTZ{Ns}V}pRhP-?ax#$>#im7%b5a^!(B z^|R?sSoiGa-qnv2xLbrqMaClz0zEAwlNv#iUzVa6$c&nTAr->Dgr(_c-PcX z+z-iPBYC(IBaBi6<&k0ihV=~cp%(RWICK#$d@x9Th|Lf}1U9&bama&yWQ7(}#Sj$J z2E}0KjPSkrs!j_E!Kq`5CG#vlAg|em&U*>*Fh<(*a`Qcv*f0>%lMW&*)TxIQ?_I_* z9mG;@1~-}G)&FR0Jk;Xck3^Pe&{v@UO}O$T7j>3=<^O%c?GIfS6g;5)1?tb9(qnd4 z2%Cwp#BRk`{w5vPA$ORKAj6!z;cGChM1fqQkrfA*iE_Y9*`#0_nx(YNxgPLM7zUXH z`=O91q-z(TBi`fdS*smcrfO$@zNE-P2G!vofb669NF6X!M4mQlfIA2R2$~*tj?RBqI5K3<*vH`t zw9Y796>g6}bdbW^LGVB@B#@L11rSE5!vkGMq^&I5YjZSC9X#H;y_S5AqOFF+vWUX!s=P40W2zQ(g=Z=PjNL!xuH!v!aQDZf3IU`y6UtZ2Xk1ac1Fa~KZ5 zmTVErq-+CZNZp$#U}GwL<2N$6U@%czkbirc>6g2cDb{rg-sAhhu;g&0lRQ!o%W(ZL zEE>wuAm_FlhJ)v2<@Fc2g1=6mTylH}0;?gNP+%w7zYNy{F2_p~{9mN%ps6e4p;c&VOb_*8Jd<`j>_F?UH8eJ7keL2|tzlNS-=kpne=yW{@M8M2 z$L#hb(8!8^to0)?J%IgC&KxuoL>Vt3hK&kJI5-{=sQ4FJ5pau8@S&2|SzqB><;jE~yerh+9DUeF zp|m6ddPf`rs%~;*CHhTBJDzbHDhxIjy-J{Jl4%mJM;jMZ9bf#>KJ0{0WtQaO z{&r%YXu+wwICLuX3s2>^Di_6&V|VPgud2nWNzg-P9&GK@z!b-)CBVAxDEMS)EpU}H)@76vZw{V%?} zfdKSBSkV2y!2%Qu#=QQBc*!<@E$CkqL$%5OFE|Ybn+ruJ$rb_47Chx)@Lo=VV9sP* zdO>+kfv_8qASe%pchkcM=&>Y#`2#q6Da`6y*898f2I@Lm$Qy>c2`W@K>IV6Tp?vv< zW(*H$EqpK`tTY#Y0N5PCe&p0DyP^Txx*KO@j^li3}b9i2Vo1 z2>?K_!Yv5f#ACyrjDze5;6%xQD2Ie00Rj8ukpG9eg~GBgJ^(X_c!)-hfDj$AQ0;$^ zO7ff;~}qLC|+aIC3O?1gJ0 zG4Tjja%6HmBKg0u1?~v%e_IT?N6bE1vz>DEDl2(|hW$%4ACGCBk**_t&_$wM@{hlj z0otK~tZ zqUu^1eu_CSG(2!{LDdfuPF28cz4WH5{@dqJ8^H&F@P3 z`-Psyp`r4V@f-x-v*Kj%U7CJHAcL`NadGPk34BcbpT5EW?Hl-}Zx8?WE%|@+?J&H# z*lO03kdd7=YmeRKwTN#VAKVhy`T8`BMF+U*VF)kv`-hWsZ~VsguisQ}{HF8QZ~q5Q z3M5m#V7kIjynF~$v^&H$NPZ+|0F&mSbcqI#2WqwzN^a$_wXiuo^V ze^~^ZY*5_@_(~|C1AS|nzBpmL%u{SO44hx|EgOMzrsZX&z9eshN%gtqzRBzHSJ}Y+ z$q?+7K19R*$q=XiGna#fz{C%}+%HmFTqtOc>C5;oEBg<(+*CoK5KgbzrnpMXL}e{pMev4;Q|5tI~B@6*PJI;>+V`y zPu1&XqU8SoR>;{!lxJnPMcim21NYeEZ=ec6f!P8f?cYU48&UwnJz2cJNBXIax048j+_HgucT9oM}s_O1=Gg<3Ukbj_=Wx} ze*6B4UyZ-wSMk5aFDB6J(sHj_g-p20m?nZB_=Vn6PVJ>%pNDxnLBM~>E>tDHgBf1cBSl9yr*r4kES5Sw^kd$CHiht4#gk*R7CxqlTmfTG7XEuw z*kS;_qAt7=cjFHf_V!2}{HGJZO98+E0txW}I5@aK;0;LwDFC+xWOd9EbN8JCE80gO zOWFr;8B;c=0PNj22#7sP8iL&?k_lYDR&xZX3zYdqIMVh9ka^9$^ZMxzl|^qafNux9 z$K2TL`514TpSnlf!z{L$PB$-7gQG%Ht2~i|Qcjt*kn^w&HDA?_W1Hct5xaZa%m$Ja zWig+iV|(|7v5PIJUq$lD2eAhez54#1+kpfEsb;I@zfxO(V;9SQv;vp}o16s^1fggE z&LWjk7Fw18`qGy{z&pGFLG+gb*Y9$b54^(yuStmoZb>Mc^<0to1H?i1p5u@E^UKom zG*GoeG!;bLXX-p1csj_XEa#zsc~%8kOr6T$libgr3mH7QM?ZZxtBJW^R(KsqT$VdA zF{C{q6}?ao(6uia4Q>d_9%FuB+>;Yy#vM|)6Yt)Dp-IkzCbat31AW~HQ6xU@!A zNM{K5h<&|NDj%zu{hffrsjF$6NSH^8fk%@oy7V?guLu!vT-aTkME; zXqZb6c(-Y`lXodY(mL|lMZFEzYodx48SkIPzf0n&$H#wz$6x`(!;R@QBjrs^3_s;_ zeRw3*CJR>k;qP~E{@GfgOV9E%P1c2|{%(G?-I^nR5#a#AFvF=;)i&b|X(xyb`*|A? z(zvND!2X{531~nQOv8_Tho?0~PEFuvi~KzxWzc6I#%MOS4h^u%C_MX~Sc$PEx@2@J zp(e1{^|+aXdaqh|T|lT!Ww`CzDp^5%!tfW}dksJBY3|jcJKZ*Y^N<6G;%;*EH&9mL zJkIV8so2b{@&wwMCd3#xUL1)XMska&=?iDZ?%)Hkn;_a%txJ1e3sb-Kt`o3h22_|fANFMciUeCF3G@S9L3Y;+w! z5ZayPUrD*(5ERzvaC!!upbmJ^R!mQp6c^x~jjWb6yGxrheT^)U<=OjWX5iu9`CP*u7=%k@@UxDOk2pKIOD?*wuG;7;{p-z&z|$Q_V@=c_qk$m-iM#=_}uY+ zvoODef3V4m%X$Y7A8k%J`YIfl9k`n~%@a+1Xa?EQ*_XUXN$7X}1Ar12V~3-zo|;^L zzMTJUa_#ntJOYrQ$)SpgqkKT{2M_>$#AN*I*)!O=cEgw9Vf>Drx>Jw=%eJUdZ>q$3 zbb#G3i%{zA>_UDvQ_bieaV;RS{2O$e88J@?-OcR=FX5zKW3rG#{n#SedUiHL3STMU5@0|F2ayFB8PnDpE2 zVF`4>pZ#@+qkjZ%{L*_EoPn^#l`fA4Uye2zEkZ#N6$l^cVm&@+xSA3(H!m=8-;521 z#<=Hb^Fae!kH(JUu-?fA6AkbWU^h^&T`GilkFlnWYWVFy9tXkWVcM!U5C%t}l;+5n z;PNcc$A;aO4(-=9ayHFeW*3m@UdPl#A{K=ch(6O3?@M^b;cVb9NF+nzhnd2o*UcYx{hR<6c=>O+8Sl?g`oIu}WL>qe|i5ZkStRd0AyR-@R1 zc;%{fXFa#MOE|>9k%{fFn-6LCPL7CNG73J9z**@OCTH{DcnKMnas`zRe2)KCoEbQt zxJ__RVCoORmKaDkRX2%?@6GYmSV08T`T8>IQ_hcz004!j(`0IbDA%}VzGU*@?Y#Sb zv~bZf-v;PZ%`w<&;;OV$jLg03tP-GCEHZz{+lJDGk{s zBc8F}CBSc~FlPZ{7ahPII|7MIvM98D0>m0RV)h%=BM&7-XK-GR|b3?C^W>*^$anOuaR~ zll0RbpRP~V%m~N^;8UwQcaOk+1XMgs0DzQVDE6oF$R2U+c@{V9$@4os49y-FDOpLG z>Enk?%+`{0KF;)SOW$OV&LL<9?ZFYMAXyneL(>Fgt3N)M_j|u|AAK&N5KRn)$@NIH zwM9*^O7H$7kh&`uZg|j~?_`%6Zu#fS_Dlkzw!lwH`b^5-j_U(cEaf_Zr{=Xq2Aztd zpPX^EwTjo9Us4c4$O^sJDkjBjSeh(A%3PHtW7yYZ0Afy3sbE$igp+xuCrk6<363Yg z)4KijA~rTRj8Xl{E5z65B1Q7O$D}#UyxBF|e#edJeU=Z~@J|`l2#GjIr_QB|KQf!a zhUDAi=m#--foTDJOL&-Ug#fy-_M+mGH+R?rf*R?D-leq@eP-DYFkt>Dfdgwdun~b! zF+QTnXD)nTwKKrk|FHai;~zkcK~?FHcpH^~v-rC-_tdY?pZF=lf>Pv+$hAT0MJ{V+ zeHIyvtsl;UUXbPC1X2^XL568Lru_0!0?ccrZ|8E5e?l+5A!=iA>TFJ(B*BZ0u)(!m z3xZ@l6Aobn+OXLYg#bcB&o4+B5EyGH!5L8RtF1-;T8YaFzlu7GKJzja zWs;Hd(+G02blF~ll~f)5&emuC0|>T2kA%gif~?I7glGKs4!riNfr-&sOK`9#P2i-w zrkQ~!{dG%wFz?PSVbs10+LG*9!PbCB!8&?hgT**g*y@cx8#OKiQNJ!z)w})v$gnK- zk8x*T=afcB3C*@hf!GpB#z;eo8}cD}SUMr(@pBte@H+Yrz?}GTyzKq4^S26%+5RJ~ zUfOhJoZbN-FWeICkgD@s?#7m~COGJWQEo1nrIWNbHH`H(C_hk~5XSlW3U^nosr_Nj z!m2Poz@2OLlf%NdP3A@B2P~PlA?==ov%=uRPo}chh3h2WSXMZETUxhu5`Q@QYmZ>L ztp|wWe0e6dL4?!ksJvPSd30CazkCrKX6N@h%E3EKMxWHIkpHSodzfIa*mYJEKWiZb zxIIi>ufi^llB4$_pC#*2X3k|>;qxk!X3y#G`H;wnlarWhlEGG(wB|AMTHQ6Kj#9Vp zuy%(MySU`t z{=vqtQm%P7Jnig7h^=^u8BzLc{eJ+j}38JbKgToT^-TD6W; zC=j-U!w0TKa6hMpx$oga=+sih^l@}MmOj#}x6(B(6RFJ|z!gMl4S!Qt0)kj$*7_Jz zNgdEW?k$WnXCk$NHl&Y@vFvvC$RvP<5Yv{x?T}x*yhkbPGTGwMtsM>`2HLXyF4`v| zNeMQ(9}Y9gZZTsAD+XVO;8^p<1w>D5WU-ZSq#TaIlDLTBVA702}j4i z8eyZU{|6BBXa@al6D-V0-@d^gH5;5N_PFfLZFxC7Gej)SA3#}!HUT>ccE^C`YoG!X zo6I+?wCJ(?%C_w*s~w@Jp#QjyTsw~sb>JH_mon5CdmG5a1`_n)cU`k0Upoy4+lt8O?oV)c)FiU9@G;GvdNf?cS=z%YWJN0 z0K`HoAc=Kclfj!Zd14M|=cEVs{{TcCULCRnWGg;@-gJmc%dxWXC@6Q6sJ@yC4h$G9 zc6fPWH zM#ybw8IDr?kxv^VjBB{4U~2*%Vp+d_s_=Z0aBiv%I>72u7@)Ze^D|45w;?o@>e3nB zW#Y|S)QlZ8ue2u*PeR_|Eps|vu8bv1?$DpPG-4ESA;mlMQQD7&s59BQy<7lTv0vV|$&F}6Eh zsiN#j!n{;#I0_4hYY39t$3Ol&91|c8l%kwJV1DLg5->ZtIdQl8R}RSTq2{|{UMe%g z+-}`~Vm&1q+$rXU?oXY+ukEKyh8WtOi?_*=BzdIHkBUcnMJqT*~VZ zY}9D+r?{qd#_>4PPv6{l0rjRHBPccfqgS!nRs1kF<*WK z=WgH6P!)S2@rhTk_u=DMwcC5atWKzdX*SJ~zdd=U90w=LY1y2p3*8-0Z#%g53)iZe zp!6`nwY27)Jz&GYRFf^MhEcE7?BRW21=m8oB4{n=JS<1Rr?rT3st#h68q)gAi58f= z+v41ovt~wKdFXdCLD_3@+$A6Bb6F?$@JVy~EhCVdaTCDZZ~%{HL!h&Ro)@qkDYab1 z|6ydBa?1m?s?O1Voy$uSJoh>>;C^#|EZvwTW(XcioP$imr&YTd1UzNiRe(AB1soIK zt%Vr784}x(+Ia!IxOCm_GXAVPagUq*kqR&wOn2J)oUR&_{QQE=I^s$J#A!~@wO9G( z`|*XgP7~qVK|3Nh^QOyMu8noN^H|E$Mc1!kqqOO<(m8$i7;v|*r~%qXb4Yn#GG8%O zaXgRuJv_Y5`&P${K|eNqeB`(S%2}JK1!Xd{kBN(HR+*c3gAVFW2&ZgGbO^#%N zK`h$UEMPXmHd6F>`F1VWI9s`)Ui!sif2UPBi-rOoz+6~sL#cs89&)fd1*r;L{pBmK zOt&zC|DgnPIhAwQ1YgH$GaJxm`qXQiQetGRLR>mbU!|h~C97|(v&I^Qk{L3rS!{na zbHVW~AozJzr?A>|tQv@Ejq7-Uw6H&n09uPfMXRRpg-d%Om{dYnzeqd%%Twh*)vqq%UN<^pY;BYh;^kZQM z6moC=7cO&l&NO3!K5y?Su(^3=^Y^aNMfmyFO3|ty znOgtQmi68dfJLNK1m+Tb3Vb0bj)UaA+m23qLIn#9mjuaw|9wHszIWc8x{`R8(u8t~ z9B4;`N7R^!&?PQh9=h(2nei3n_(lu}k3$x&Eh7%80yk}6W1Iwop-UD)l4r^)O=NL-3D=A^9kuA@IcMI}8 z{2Py>epra>31I|KjfEwF#`iuupdwoBbh5*2&uCKIY@9*c?#JoQmjuF5Sg|CS!!-Ah z+FHYsq{qUjRU7aCu(Xo8#$)6Mn>`bVv?l9Jl2p3axBkg9MAJkvO^zvTMPjY3$MR*Y zla44sQLwDh!|g(z%5?`xhOx3mx<3G#IO9MmyvkXYLeeE+yrV<^alEJq0EoQ3Z1u-A zY#iz!cF8dnnjrhl+GNhG7~nFpcb$HGHm;f??iIed9UzLM4~q|`szlY`|4#8VgN^Y? zbf^Gg{5l}yP){6^_PW!s1vBW|8p*)@$AQc^g0JwIehDsHE)#$C_yfrI|2v%m1ORbx ziLehS-pr@`kLeWWz{FhaY|1`l=|J0*4KDNVbP9Iz+za_pCV%Teb3i5 zM|b=MK2^_in||_MEyrpFl3GvLE8>W%vb2jV8narltBZnq5ijKi{@x)qk7-3B7GL>6 zy0jM7hFTM%IMjI##Lls*zsT(cne%tf?Vs#l{Kn9*_@fw;7}no++fRhfx>F4Ng$xwA z@161bALU^+X~GL(ZW>YzAGdn(5GVuOj;g9sZ{-Th!w56 zHUZYu0hbfL{CHzn#zJkX$*!gKzLC9<>w`pmT;nz^`3Pu71o>l6+yBjTcQ4s>Pya<) zW*_<;8XFG9vHoNA2!VdW$KTqCz+Hk=SKJV42~MVbtl$`pD$tnNzaNl?}X_O zOA{1Osx)^{C+2bLj8nT}AFhAUmWxt&@%h>MDe>~5_Zlm3QmgE{J;dFJK=~+ z4Jh#_2l)#8#~@zL`PlLYp021{U}^f8Y@bqnsq_Jn;PHqZ&PaRZYev&O@s+UK2*uM@A}8c7Lf)WVH*W1olYLikoN~E4Nk|2I;p1_Lafy1HDMtK03rmrIuw9n^K&jQ=y%6EBbJC}47M#le2tttjJ$vHk z5&Sb(9QDtP8aigKO6?w@BR-(xW2A z#g+4mInFn0Ek1@HMBi-q>q=cc(@FN2{fN4o)vT?u;uzw7psrC~VsvywPD3PkVi?iW zFyN+~ED~`m47s%9G7itMs(GKXqsi$Dy9$L>`VVz%FUhR%wonV5^yZyC7Rh|PFeLg1@X;Wc+QN_P`TUzAFwv&@-qlE^_|++W-#a{Y zl3wxoAeoJnJ6~PYp{?9MN3Tjg04HDl0f6&%R|+nQ_N<)~4-`v34N2`NBvu&vj}`%^ zI%qkvRe8fFhYrug9;oQ9N#8n`eTyd@#=F+FO3#F}SPKf+-VHTSKh?h~-y zlVXE(_4`=;s%Dj>{aiy3{GVwXR_l2dtji7TO# z)a+RAlry7IztKDvUyC14ML%dJZdaHf7Srvg-WESMe&)P0pL%D)TT$Z6vjvIj2a;mS zGrW)GBf{e(cR<54ZUfFQJoP$XHyutyvJH4upvfj`AWy#!v9_Kk+qe+z7AOu_D2@u5 zV#A@K?;793b+MgDZ%3&yFVWkclLGxJZNa=FP*%U^a4c%XQF?BtQR=g5oIv?=EB-~o zJNm0rr9|4t%etM}PknURJF}9v3ZHi}6QZwkZ$G>3b^BNDcBY)qqp4R~ak1$NS&s@* zAjm!Mu!lPaB?9N2C!YqaZlj4a4?|bG{LcNYIgL0z)1h9f+n5am5AXpC(E#;>YE?f7w!z80)YfO*o)f9W>zkQC?d2{)NvUfK40edyem3 z4WHKEd{PXsUpMxdaR3SWdLOxGPi$Ml<~d4FBSv}F%mg~_N{l%RHrMq8iH#3^I)3+S zWPz*|Ih|HxmE&3PUV7Yc2=OSa&?|Cdt7x@NIYhGcSm|zLyHzvkhArlH5!gC&YENBz zFghK{-;4%&FIui-G~)9B03j9Otyg zeOuBf@#GzIv3^((u)wWt>tSF{CauqSeHN>0ftYFH__4<7gpYTTVg1sCs~BVwJ~*?1RS7{Wfb^;eMMqh-0f}jbMKhlSS;Bbbf|LyC-#t{Z+e+hJlai zQ4LRQ@`d1Y zmP-OY9hqDH3fjSM85OXd6dkSdIY$n8TF9u3UUGEv#`1Oq@P0_I-<$YClIc#@M99z) zG`dDR--7ElI-lMg6+C>N$q%(~o<~G}*$?sc!ph+p5H!s58+O(p_x_Opgc^4A2PoMOoiB-&U z*%{9SR)^ep>3q@}_uUt~+n;i|1a+WMS1)nJQ*_ESnB6~6#V;r#X09EdccppoHt3Cr z$a`wd*m`t$YW+&09*LhbraIIUEGl>ll99qeVyI^9rb{mwwyz3OK8du z3V$}a-08vXY`+k%-R9*RYBjEi)na>9!t-5>uzT7ue6MkWb4^le z!)V#ZC-2b6ZIzr~n2I7ijg^bB{uk*M@-b&dqYv~pM%iv8jUjh1zV^|yU){-@3vwl? zIhlo(U)|GT7XEU6Gm2--iW0)Kwpv3+@)jaLC0%Bo$R1tAs;lKns_HZ;dulx|<{a_p z$4RjkxS%8N zM@bHGr5?rj^I~TrX)kw&dnFpqhhjFY431^Ty>aL0G{Rq=L)2IKq1XFGqc)4JJSrAQ zu-+uID+spW@d4`=3Jx(W`2??j5wmoxq=;aA$PU+(Fm?^A~tGBD`R71F-1 zD-H@RpL9XJ1yD2=^my}zkJ!R`tBRP4>!w#uuAZJERfFzxguVH6S6CmHpZaNpQiLW6 z7Px#>-5mR~%F;U1-_y3XCA5_o(e!Z>xnZh7m*Qr98Hw5;QE!(*vJfvJebE96eJLAN z{Rv7|%jr;%s9VKc*^duAr$|3&Wy82d?fA!jgXP5O1PzvhoCmIvOPbt6R`L65x?d`&?- z=@Rn?@TOF=YmGRx4&=sCHBuP(f@(fm##<(~>8|NsWWXkLIdM0hMl1*M_@WSMy zaLd|7DW5I*yFY@wniKOOo5=MlQvaG3(0W|j_aOTn{zjf}cm2kCO!imkPCw*(tA1^i zE^E>Yfm1ATV&@+XPMfo=+efXcI)8uQW6H^vsQlu7QSan6!KvNklqo8^mD`FpEHm)r zGnb*lZeHKWT6CSqE#bV*h+CJvM^hy9CLc}SWO{sG92{w-lv*e+q7KcCbDByHrFz9Z zf%=G85{koB3D$t4St(dE{S?R7&omIQ6o7MS|OYu;Wl?_emf{Db0D=M^^HHIN?(tazP zr(+!O(*4QLF*N}(pRD6A(_@zAn(mngd420A7rVAXB}%W9NepxQqDd)+qcZEK z$KOF<$QJ{3i>u6HhKQQ_C897VpHim`Asly2}sVOLlM6uwa#p=l+jF>y}ex^iMaks_i7#;-Iyk8)1EPR?0b&qwP5w z^y*Cl>Qt4UkHR{K>1_|CE(8zP&ROr6%S+=mH(JWZ>~2d3?N5s(cggLI8EDoxx$pNx zIn=wpnDQVQ!S3I%%T?@EdM1uuUQ}P&@bA+|cM-XtK4yif`N&K2W!h05%XgI}FN~R$ z^9__Y#PYts(Ro>OshIDf)zL2!Eb>NgnY<-EdOvRdqrZT4$>;3&rqjGh-3Qc_{Ys9l zL7h6bX&3R{yx6Ys|`c>~w*X4+ETvmyVDSXyOusTIXi-}t%=Lt$|iNAv z3$AJJViLiue90fj219N+F~uCDiuwD&vG;GI$f)P7kT!R+n45JQ>?onm?w?yD*ab^o zxE5DiK6D<9HdB0ek2ps3VKntjdYsFV7AsGH52w6gKK4OcaUumlqdy zNL~Ck=;z+r8`B8W8eh69l1aun)U3-%{GM`m_Um05JMnPcH!UB`QvD2H4dBHN8HWy9 zcf2~kNIeV1d8%SI_bux?Wfxt<(D#I^7!RmI@=lMBZZP=>OJCQBN{nyFNweZ|fv_z< z^|Rzni`KK=aA(PQ5lEp%_}ga}yC0pVd!&EvAf|K`)}AmFv#(v|q}=1Sk$ak8;2$_- z2mK6Hu~YSk9*BbNChl@UiXqI+s&8>4CG{|}c;-R}DOB3;+`O;j#fgM$l3cF5#T3D6 z8$WH^mc}}|stca;3XEDbDRo2>wSH`|X?k2k8-F0+J|369oDB_6OVeM8#-h2d($CdkwZl_{((eyVqCI% zS=*K}}g;Q-LS#k0SP$dGWFM1K@n4K#RvAjutl!JY#KZByidN~Jn5M!NL3x46w zy}g2WT+}7Jtimk(30(c)TeiSNNbqB6FJEsWi}mhX0`76b8ALj+!~yIpOqMi&tec7uB7Oyr# zRdI1U>H_OYm?R&U<5o2tXEo^U8`TL*e6HU&IE1X{9mLVxm*6UKINf}c3yyAK!)Q~y zxo)!fq!3_^esxLGNKEl~2qDWnZ@5|iy1oTb5=uWeXCfCi(>wdk<<9#tl>tUcwA-wK zIpR9hKpv-YF=eavQMbu@f4TjYU-9!~5B*;{vDJsn(@AtY7N;K}4LmyxSBtqdweB6` z7B7o@MJU}@dwlFvA+3pyZ%kd6u1czhLm5o=^dCQKSQ<(pynS&raqF(M>*{c#r6jii z^p29J%WHlKbL~k+H}db#H@z-uOk?pNGv8ZHy7BhcXx^+j)?FQllrrkySKqo)fZ`)8OjC2N^kEJuY}j3XCX->n$NEDkZu(_OJI zCnSE)DDL{c)g)-S8gCazKgb#s{Wy<%8a&RX0o zx9Tgh`A=+PC$3vvxuG_{G<9x$cuKi$HL~YDx-Oo7^}X46EA~9`lm|PtOZHMz&-&Si zj}kRt-1wQCC6W6HZK#+tXx9phVA;o*t~KxWKC&9v-Kk9$9(G)=`j}JUSBkV`3Vs(9 zeeYmsyAMwi^HOO2zixJMHVvLNt-#!wop8M z>m}b<-Ccfd)8_RAlg;$(y=7NY=(+WkQ1UxB`5~)RRiU=|gH4Odx0CG_As=xb#2j~v zbq<3AGT$A`TY0X3nDnM}w0`B=7n)BcrL#!!@Jc#|MC+Gpj*+0sjL^G zSD5wP`!6GhtDEkusj*M+w?4lLRflx$ri0lg9cud#d+UMSj~SG>7RIvWK1NKNa2hxb)nP!3lJ%sQ|73Sn z?lR~%e93-aVVJ-JDI?yFbT99`&lHgdnRKRmE2wU8)o2)~0vcg;s)2=b9>3eJK&j>Q zh8$IA+vyHk&0o*oE>yE%7r)o@^qW+duhQ}t*}9Ld4)-A7LK4byuCV@qQ>rT@0>Np^h&pBMxLtHJNyfh7$hpG;Ju_kl*^1n z*neWMWTx0ra^GyQ#r4)Y;t9+3?*&tNCMGJ3w9w+Zx^=!wfx=BM! zi4yyGB2D0&)JPBbqhn>~)J0EU{)5}|mGNcx-1q^(y}ON@iQ!Kw)@=>bwH|onb~W*4 zLq&(pZISE`izKL%I>}Y^G0l?WVsi&f=@g@@q2xxk>|lO{+6!SJU@DNx;fj*Rx)<`;06D`4;$p?tSwIzw!5aSLKMZ_|#P ze3Z%{&tvv}DbqdOYDuaLQ1>)Nc{AEQN@Q1(Se$AcY9B2i!FeF~D;Fxk6?O77q0kcf zoTKIJ{TZk?>(v7O`-U;il2_s^w&ONZEVCB(Rvjh$Gx+g&KWr8#G5MR#aRUWEMXc#~ zPBZDBJm%2*`k3zzV8dUS?M6WTFTTDrtf?hxm)=37_bNyyA#{-5d+#0TQbSdwgLF`8 z5Tqj|AiW7n37`-uf+&JW(IB88B2CJ<6VLgc@6WyW*#u_K%v$SRYm%_unb~_=$@*{8 zuB;p8{lWeImY34&&g-?+D%?rp1YMi9qwl6}<@Y6Pj5%12gv8MI(%l*8`Kcsrq`3Q1 z_pG3uPdKGA7eA64Qzb4naJ^IM7)Aa;HqpV{pB=Zm72X)>FcigRY?PPf_?q*9y$2@5 z+zzjvOenldxa{dtfAHCwaLZ0cgH=JH91Vr$|X2I~MX!y2ozB-0>YF>}xu{`Ng4H`x++sw`|4!pyzetc5Af=xcZJ?eK;HZu(^-=%S+}#hBmVim z;i&D|^QshDuL39dXoSZiFfaJcm2r_j?VWg+vKTCV+urq@cU*& zrQ=Ll3689vE7m`xxcbWM7yU6@hiiK+o$hr^$C77nLQHhmZ5G^D*A9bq7rx4Do4YHM zDnH&?EPNed=tSAEnPubl{+^zv}@w;|4aIrK2u zS!^OXSzCQ|ukA(tBX@BDr|rnR)&1)|dQ?!csVB!ZnVYoplvkb$ctnifB#U$ve{J9Y z?Ln@6gM0k_M?PCB^NaP2jFrlHO|H-8*S-@J2p)ZuS?H)5i4 zwHbzcmyl`pX8E^0)1dbwrvj~h*WMJfbcKE*&T9T#*kMNF;)qc&2q@jCYonVIhHV!RygpH7}4*CRG){S9gIF`^;Oz9x9wztm>4vq>xb@MngJ0mIx5 zW=HH=t(@c28=^{5GtL&YF$}Ubhm42{{$(XWg$_ZKF#lssKd^T787#F5P=g!6;NcSB z5`yd2{#|Otx&HUcwcvQ_hm~NdwQZg20P^>uHLxhFOudV!+r%ij4^E&X`o^~uQcfuM z;Jy3N>RRp?*3Z;?In1Sd@V@DFO{?KQnJ!uLCmMbCIU82)bJib~Ywvh2f4fv06|X*m z`u~opUIZBIZLdT zA1`tiyg>o0zkXv16tY0gSkK%aL@6l90|AAc>LUm+RB==^_b0~|Yca6;h^pgX-C9@; zFwx&Jbx2Uymzn!hA~EB&LkU!2O{*jSD4X{JJoG?AB^K%`c$GARlgHx!I#A~i1n<5H zjd>dNA2KX{3M`-&=YJgu0NT`%pcd=-U#Q#wVFK{AE_Ucrn;&$$kNrEQPTE3q(Mi^N_P45%>p@1GP|K z<*@`%%nxk)0ucIypav`c*AyS9(Ut~6*n$RDAgugfz<;BU1%Vwh8Q>@x1pt8!>tFkg zKpi)bG1~lgX?(?dB=g^xRJ_N6!Ulc`6v`(4vxN^%5SgGh0C=Ga0@L6MG-clbHBA3` zTQ3G+cmtJK*Z;mrC~ZN(1zWQW1RjBi*Wm*o3U5G=|H0w@lVb|rF8KeWXHO|-ffks_ zr?US~A`OJDG6P76VZ)3a+}EIUp#o5r0ph~}#$SW-KTLlk=LQ00x&!p=gV!6-H<1+! zg%gbBkKZv>*iq2OT5tkLrF?!cg>LWN3(X{GE###PfcMQq4yj;NaCuMpmFOWZeLSjV zm^gof;TbO3?ri*m;m|(&UMPAiXt{VFj-0P?{ltQKhC3Is_m0fJKL@(9`FYrb=H!8T zaWu=RF;7rw-p}mM)N?<>1*9%r)1M2VJym0y*{ogr9=()uh^)mcZbS5)>SegTh+BWa)!WlVm#3&Uv6?d;( zsg@XT@14@?6N}b0LLED!#y*=ZDZ#IeRFm8_AHC&&)t9o_ki_d^9$EL|$cZ9`nZT;& z!6P5JtPR$RDOVjNljT#p2Rq&yL*NeEGF5D6SsVPfRO}u$4kyX4;y+6*Pj=FtdPX2g zoESum%k^Bw`wx_Zz=kk0LfFY|UeNjR8^7Y4(u^hj*^UmolBn7w1zc8@G(Q_Tm7kUM zaZ(ea%o_>0U=t&0djzOVN;- zb<~(jnaaE8-FxR245SDH6-Q!CmUbx27Ix!Z8)04xwHo1v?REl@A{TzbdI<$-xULIt zQht3zl})^5t+i=~t<(&X1}}0XuadY*^oNK)!>^Guu0i25Ky>!hqP`L@#nKNpo(7C&Lhcz zZd^b$1k_kR$)}_u@o@|vJ`PP66Xs1zZe3_1bkKiIh0tO#v0({RyAe2WUjt9jR%NX} zUngCtt1#$iDKB%h=;^O1$UAXHcA5ZEOFFgcQ1gdbnh-mVxk`0ZPmPCufu59@XmML- z5yqjWVS73Rnc zF(;nkB5?_zsolXgWNoYnJT3#PwJ7bjZB&uCSsf%Hr$Lptrv0TP{YTmJTSSv|5eMB; zsI6{^%wsl1f?kQQVMOze^d>T+k2a}OUzK}QC{6}Va5|A!$UO^oqfBxh5PJ%1S`;8; z#D6UzxRGWMXH%%a zQbfn={+|s=`Yq$X@u{|qq4460lwT60H37{*(i;k8!IBH}i!PK5mbtzbZ_7UPxy({C zI^}XDA*eThaJUZ|NuddKy>zTs_|m_J6_PL5v|K9~H9j-JZQM`@MoGFk+V6a#WSiwQ znJ6^*a9^Y-ko5y+@OG$)oBv0rBb})}ow+!Qr3EBvx;OK63TLMu#Dupy9_OoFf)2ON z{vZ8fk2^#=CoKQqxRRKZFp!<;#z>@-N_LRbbmQK!@m7!4b-^Jl60s|t9^$?Qv9m*t z9kHL1@hsEyFPUcPar@BNTC76NZzdm^&^PF@bkO4_ESJR+HsP9894Zad(MxiLC$Znn zl$^Dzi2quM;d@-^Zsx*99+|TH4Np`650UcrAdWMz?Hemy1udIEUmT7Np?7~#AK5I9 zXx&0^Ny_Mrt`oBHET_;hQ}(>Y!H_u|&qIp)UVmD`$JN*hQF7fv1T_<`q{W{ZRjY>S z3di|*?iJ8Rhtzv)$rTL=`(FgR<+5xziC1i=SiPx6+O~` zlkbJD{ubwj7OLgc@cm3n%ecpFP}`2kckW$ub&e#Q)U)o>%XjdDJ{uT&!N;jlHHdbo z{+6oeAT&c$%P5FQKN7qx{DZ6=m*tr`-C6##;3iLz;)G^_zEt%e)H7+iI)p;>&hpJ!&|^>d7@-DZ51aB)LJyIX7F7tHcTYSxHPnBQ zp@eC2s@#G#gq7TwvhLT4ahKE5JZy}fR7$mkP(;Q#;B#+zO%E!$E*q_`Ve9%fu_Pz}kNO&Az#`<`NDH@t>hm}J#Jc1NPanagAK}3Wo8^GZ}qjGsdi9dK73m%Vv5-e#F|l*RBzO4U8KwY2(O z2R)=@mnNtBo>pAlqTqPOR_Z7I=Fl|%dNtxF+-ICVP^ESDozMwrORhcTomZ%ecZwXm zgGSFw;GDrkSqKG*Pj$w*ZCQN zu6%4crJ%XsOC~`m`EJU}+-8cNg-L8mO{_O<$gc2)2%DpRl~+^O@Lb~}k5)6muW4_F z#>R2cBFr+)Q?}m-k?xZA6H-<7L~HU7>!T)3x;zB_6?gn?9XDbO`EbDH9xlT#6JlFW zX(3QyQ{^SQ2SYS3KQKKQ?vyS_>ooXNASA0YMLg1je|dU?LId@YeWu+kyt0$9gO7`8v6$LRNfg_yovk=``W>Nek%`y_JSe zq(r+0noRg)P^tiB>~vv;TckZ$A9Zhty|D(P&~r6M2q%1OxUbd z;~yMP<}jBT!Ju>=RIker83is1IfM?1C)^1lG1s%VrfHj0-kaT28BlRJ3 z=Pg>1LT?q%p;dVvvZrw>#Ym9cAg5$gB@(sluOJZ}iAqvj`%Q!+d(#j#0eLl$eJ`f^ zH5&43G3y<&1&vmFW&cNusQNK&&ebR(4jo=x_E|ymbX3Z09E&&a4iqN;hW9ix{BIUF zw6csi)ecPc&XkT!Qj98{8G(!Y6hmGfQ(8x)h{SA1Ts}R3$?PRhV6vS1l`k6}pBQlV zJI0o9UN&493_Jf|b1n(kjVMu;?6{g8J9~NrZ8}jY|HPsk8hdUwc`@gFT>LT=edQf{ z{PYOMxEF7Y$pKgWI)ZIV+LsvP&kV7lK!=d=8>OyQ-;G0XMOA0@)$BhwKa4kAt@j@M zgQFK~4s$+NdHI9vW$2sp>gShrfuEEc02IR567s9OKZuYkpQDyTnZ1nIj|36V$6o#r z`3GkJ9^-x9au|U@ybK*%-G{|&=bh;1d;-@@`&hrlxLktn*@17M;m;=+F<5vpK9>f* zmvar6dqX*&#Ck64)DI0gOI(bPf&8bl>VI%PK7J`_e>E3)uD1W_+EwXQ9caV)0W^AB z#Q0=%t-4&!O9AlqSM#Tci#sSRsGq_Y^Nd(Sz`i-y+xG^>St1kjjXuUl6@=|`2_b+p zj8&@NbZ9_-H3z&_2bZ!!IZJL_ZTDTxTVqlJ-zYbftL=j*MHeA149KtEZk`x??st23 z3_{~;2^46?_&h$*EB^$E*}k}A@-GN6Wl7ZE0Q^DZov7q|5}7#%JvguO|H0X*&O6lR zQg3a0bTdzP?E$SWIxzrIy)eb{LWF!&>FAwhM0<46()|a^a$6o3 z<(w}|VsD(?zVbPCh8VYB>HeCI`kZlcXpAXeQhr!IrW9TNGP*sM;QZQ4;+gW(m(gb@ zbY~^8*CzIN%HJr>DVN+YT2_jQxf0L$%y*G@dh;kc=Im$mRbbBNVWp*m^V1ix(PsxS zXBubXPU+ACR{AIj%c6R7CN(`OU-Vm@A))yszdM z@tksj^4Ch3^09;SFUr-MCm)|K#S&Z*-7lKDd1CyMalgy>dpX|;!Ikde#@S`w{_x?K zm%o*tTwVEGI&;2E+&nokUOPRznE(Dl|IZ8MSecpqa;3m>CG|bs<7YYLLgjaEu9$yO z?$`vrb{n?=|2YN9V*)?Fm^xKbj`f2QBAMS7^V#Q2*)- z@Sg0KGwyd9w`08({Ka_(YYO9YyfU*X>mh95SIzQm{2BJoAdJ4w?f1wt1EJqw#qQnq zf>0*3B~$444*hVJJH^;`@gR(`&aD*2uwML>Lbw`Q3S(#1pJ!M>T(VWM6=b9zm>AmzWy|d>tK#=WZkf==d6sD=D+t=EOzmI5h|Klk zapvqy;p)GL#)JOVbk|edK&W%1EyZ2d)ndJP5Q<#SvO<7vOrFpbx8LJU27XMy@L213 zTMGSMPgsi7T=6$hJ03LBk>ZvKkOQn%KzWvZiaV35BXf3kojhMgg*S#h&so`llwy_2O^nzjZwnzMUYfmOfdwDN>n`rg^9lKnsH9 zRJ;fQ4U0h|4WlgIK*?H5Y7St`bS<7{2ERZ=eHOrv5E{~mHA;sKl{};of(~_eWFPOx zdIVI?CA(7y0SiFxF9+-M-=B^u!oa~d zeIOzVqkv%x5C^3hX!I2J+$pLoLM}p_ZFHq);3ecUEZcogX>0KsA~0$m{>1Gp5p&;l zaTal&D02I_S9#B0$R5s7gwzE^rEiwRxnK6}sy(g2UatwjY4w#9z+zQ=CJ>d*I( z6Q%amUl%h-8MFgj4ik*F9vIx?*ji-8LP6YH`7?EREjSo}dtUU!;|vRs4K8k9ZsUiT zkvQpn7Ijo^J0AkXonhHtY-5L%hvN5g`i|01$|8u-+kG>TlWXvnEyo#T&%mFZ`yPW| zw-9$%Uc$10s=;Zwa@#13IPl@_%HW=p;nckuBqwZFsr7{Yc}BLE;;6%f=LP`&KICEw zBq;8CPEk3%e#I}m6sHau(P8MGf!)5NG8v_gUHJfxuY+5L*x<+l?YoTV!94{TM)a-W zzfON0{JI+yJ#`NR2bkFIi^OnjDb66f&r&{3L{E3%DW^_&AF@y1x}bd1Tb>ktnvy!| zm8w30KwsQkm-P}^KMgDIOJu)$cFm;BwF=ImI9e{zhLU~2aTEH!;Z)loLix+(H1m0q z%+IybkzmwU(g~LA%jx?wBVjohw#Xt%Zj`cV>3K?JUybV=J9G;rTY5KT{bejw$5X_4 z(%TqwBqn$dz6X~C3Y{Sz;T+N01|Uh?2rWI&uAV4=AaH>3N9}TWU1lQ|+0IHixf>Q0 zyl$o%zaN_!2`%r{=Gd~)7Ee3XqTWPB9k4&z;;5WK%)CrY{ZV4%S`)6F16f%w??XrI zDf*fJ%z=DVPD9IZqQZ6*jez}O*(2E_%G`y>QtBc~+7nK61h9TPf{H({_<$sMgY7H_ z@Uzh)c_ZeY`n}LYxs;_IniKl#ZewVhzM{0K#Nt4+Lq?^FwG3jVijf^B4~&z?dQqVh zQ|+FE#Td$_^?=A}ZLO%dKe2DTVt8R-3E<%&`OYeq)`q$_Mt4-AD(Z&Aa&qJ~Jm&4q!x ziI1rGcAQ8gE{2E2#LpSTHojyKn*@tX91&4f>^W6!h;X6?^+$=sJa(L1zGfc@OuMkV zvAad2m7(NO;vw1X87s&=q6mROlz0$@C-)-my#mlODISusQgtFQ?css0>cQC+00+K8 zK^BmapWMfu3)^D*4gGsI?!nkw4Ej^=QV&k96b_^nKbk4{Wty0=qcPSOwI7)#D7Jgo9yyngQI4rlp`-en>o|qfc|sv=plmXP3Ge zwJ#i%?*tUEdw2zrtyD7?tP;rx3{Jv|AJ}T!I(}tBS0k&D>PTdOl?*k2o9_jsYR_(? zYR|;rE}CXeiU(1(Donx<_UM*h0Ly{!Ks6HhI1cmyNVZyV0DB(<0@$8}BEV^fM0R_2 zD^>e*tT(8s;^Y9}i`51L2orG>Xx|0Kr#B+?eNxgUh&xj zgvp`2C%ktD-g}mPa4RR)Bt>I_B0WI;?lPqihDgf?@eQ;+Y*|0xJ#WBUm-QxUd&gDh?-JlVod7~h&OJv?|D+^c=>6gxA#7gnMLU2#Rd)aDRc@R&8; z{s)KFXJ;{bf#G&rz2S1E?b_#FCLh!Web|||rT53qel$`2Ps0%cCT$aS4G*#SoV(}V zZOnw-uzcs$R(xA;VnJdJCu@}vJv0W6{SHoQzVK()f+RJMYG4%A5h!jHM!pnUNLncm~@PAK6| zsgQqg4EFeBudn~kl$-JV6*OVnMvx|#QrWu$9j3jGVKcg=9<+i9D^nubfr0OIxzbVd z9P_q+aNdw}5-JSY<9((xzipvOvOK0Kktwk*o)na=<=+tMOVvgpMdct@qS{1GECa*4 zy-4%Q`?`EM!3*4AO67_NIJHdrHxKUKG={9~aweg6sk{g<)C;@p9W|tXP8-nMKecI* zyhsd$8x@uP+C0Z(>&u3MdjndE{ow{{sWRI{@CKa2wGLLSC12367+Ol31Ntmc>Mg7# z)q9`DLUW)?Ou>{!9=-&!4A}bx^jg>`JCxX>Eq*DC0D7;*clMeQRtd z+Zoy!-hb}yGXLs0q5Y;(0<2q9br9~;Uy_9E45aEG}??N>UBWK7;9g6 zeDS48t$xU^zWX(k5z3Yk&>^@d(W7c;LtwDtdUuvR)d4l!7OA&8m(4_0kuS^k*5lE% zaq3|FTvRaR)?1xV6|EIEvu@~T$pO~qqQUQ<<@VC_P|_Bc9OB1#`m(9KPqWP))H~;K z&BnyOcK(i(c=5Rc?(pqc8pCVa*2NaN9!u=eB1@Z@^r(Ii4z%Y7sgF=ARuDrT#ICsy z;N~T7`|?VeN4(h)5YAAeeR|`QMJJ3B*=}`z)MSMzYqW}=>G1*8O^(Xmz|SK+@=*m> zBNWDyUJ@O`9ACXwFce0&jCa15FYm-bC}mPb9zl=ea`|@%#F{lEPPp)%+Zr@2TFQ|S zl6as|mrFMme*~$sc1I4AlRt`kO_YZc%@nP+A$ZMD7N0hz7VbN5t?}$UlAM$YM^i(m zW-)~Jq9*UU*=%=-2zeJ8fe)>@HU9Ycj5{}8)`dMsUOMf zjY=P}Pe1YSWCi}Lwcm`K2<8j;2dCq<1W6@_k|H^&dLiMIihyWR+j=v#L5Llb#45gm z?MM9@#^lfso{SJf=E74^0?eZ~@913yQC0d6nW+{N)R+X19i`&p^2HXiP1n4?5>;ptlg^yXJ4FZ#R#(+wiWNs2*UAH%J)TNOKJDFR5-D4wv}y z>)P$cs&wMosaygyfzcY69Ia641OFZm`Q_7Ss1+txL2gNF8$U43rLySZ6}*7lOcb%q* zoBIm^3EUne)k1!$ER-8~ab1Lk@$*r{DPwh-Kdu$*g;05`kY)J3Q)y`D^z}u?6X@5i zh1CAmWnHm>s=KPm*l{ha^XE4XwlEufEB?*rEfm)U7a1Mtgpvga)~$G)&WaXM2!0TF zU0n7e;}HoPpJ-`?Lqt^<36qPrXozL?5mC$(UdHR$Oj)v_`rsxaPYHX`HJciWlkOgx*Oj7NOY~v}R zPByiu=x^^LYVtR(fLJmp=GHp6u0E#LaUWU`?y@Q1F(IreO3g)*?6&IFi>QYDRyXB4 zqij6INs(+-85<$Mxh664bX#gd0B^mfa8#pc>J4e=l7Hq)`-H55&^vYl-L)@^bnOl) zCs*C{(y}I3C^1%~wh8ME_Ss8sU3MlCYFxOA&}>4F$n#+-geQ3UyOzUN8l+k)5CglJ zBSjo?dM1jolVK9BgNoKAjcQBCO`593g_hKxUUTu?aGk<{$+$mUi$Vf)mhw3|hvgs2N|2h(``ZUy_M^ z7k#Sw;HCzJ%YX|GQ~tFyYL{NFiXj0{!G}&;Jg-z(lajNR=cjdvbt=hu!^@BJO3cfE3itDneKR%z>trn?N*B6o2AL8*B@}X@XBQ(GWqc zXU}3Or~W1-2dRxqL_wd449IPb4itv&4i)q=!Gsmk>RIy_K@1vf!LXnWG^W4a^3WR< zB95fovyu@eKn@k8GOHBOg0D)N9@@+J1`{a037;N#{}4scUgt1t_2lOXAnFii-5`np zId$3OO0%a0)d7@t;Hg{z!Uh0Yq0pOXNbQiDO$u6Ksf4S&`)Si#sh?`jIPAM|D&Sxs z#t{FD+&ywz*vUnv&pvI{I_YkQ5+Owp8k!l{g;;e*>Zt`pP3m22_ za7vtJIWR14$FS~*{gVF1^O$t#_v4vo{OVRW`s4|iU)v7|HZQs=(H|i{b`rI#$*7Xj zf!nGJOq%kgCB@^LDB?Te-4pc6>@DWAQxq~$q1$t!M)40E>}1DdiR>lgzCBmji8Z$VBMs zcH6ffyk%)^Y6;8O#-EK`U!boh*Zs8Iz1j*dzq{`$p_irm6>&`x?tCB0tlX#9|Ql5o{sbqNDbzs46qpl017hxcOjSFKVpq)&hXfNtgBipL z95h$h^(X4(5)n~FeRqq9#CWDw27t&EnoV_KaClT48o@}jw&Mge^XxeBePuL(iwAp* zp$3On251h6sQC88Z0{zDUlfV`U&ue0R)`RDVAq^t1b$o((Oh7g8WnSL!vHtL*46s)jw^%)Y56)xGrPHew?4jJj9=l{)8v6k(L187!mw`Q4`MLbn zm2%Iu?-S0)5z@_c;^5xRlrOUqeC$j(GyaW#@|JQJAz~4|{ z5w2gB=lmEwhw?ry!7DM6|3ss;~EyA`FX5j><6RR{fXoCnLU1wJ`~-C@LTALbxrq?=(gyf zk!zp-j_}=t&FfCN_6r!{xAu1nS8ID30)pi{y6VMs19by+TuU|YYTk_|e{26Xv~=vQ z>fd6fexT_>_YpnN5pDn0-mdU>!tc^)zFt)K5#hEh&@rgQK6O{$&usP4>Z27m`?utF z3BON!YOn{x5q+}}Q2$IfAeeAlbenL{$OCKgAW%nKr`Z>V{EKZ{E@82@cVf7~f5#pm z(7zjPpQ#W2Xx=rt3DBen~T%2@`XV1DYS64ni7}{G+TY> z^l$<6mObrZ0!_cmxJ9?+RRIds;52M(urAPd060#$b|4(U*tY06*C5{@Z$qGQ_M?vr zd_BOliG46T8pFt%HNGdq+J|_I=ygP|1guA9jqG`D!ewCK2l3d`mk|ad?<>g~$GE~_ zvWVUlF;7NV+T*N+H{+WTFc{1n()SqAP-+0`>jFGIW#BL=7%KwR&1lkByn;rHZHBP| zXna!$JXfPm6O{F`Zk$b;HI! zPD@uQ{_ZZvc^-~Lw)Q z-jlNr)|6WSANT5XVmM38tg;XxO=@v1o!u~d`(xO_tumNVfKBsPs;lKNbG@M^X|h=@ z*QVK3z_3%Ub8aF@f54^SeOg9K#U9UDYZ+5Q$J_|L1g@tJnm06UE2~=+`WbUGd)j2! zol=j!u6o?>UZH9l`VmbXYK3? z2s#+iDnz4`qCK8o@^UYcwBPg?q@{FWX(h?yd!C-_;p2N&hlG#QR>4FhYM&O&22W0} z4~}Bzi>FWH6QK%2)29zY4Lz~RHOOj55mN{oIQ~F0#yTqR-wb*bP4%m%_-_i099s2a zJy!wwIuIZK>J<#_MXa0%4LAFEAHuv(k*Y3DO~n z=R@Obeh>vPAFL3cH8j299=unO2!-}OMpJrP$)G5}d^Ugpcz{O)$n9ik2X;YD4Q7S0 zS%22hqDLSEg0YIAjRNWWJ{9cmO!oMOA1rIy7BG-|Abs8!9xw>7I>aqA#y%>g-st-`K5)Tv`3Lcar=xCc#CtB&2`scqT^A7_egMsARKA1+ zqQ#qB)$@ARbvBc(xWzBhX6lt8a%9VA?@eE@x}^U~d&F9>NB=``{w{ffy7iz5MYtGc z9|5{m;MT^QiyA3<2IfFhWA@E0Vq~%lp^)eR?#J<2u2Qp-h9dY2+o2DL>94M6fd^I% z&_tneBsqg749AXzaJ6wt8a44skAU6`sVCC`GYRF3YDh29PBnkTJ)+-FzlRnNE;Q1= z*P1nZqjycUndf~qenr0>GL`n^bCc|{ZpEG)G1c3wUJK+4R}H=QFq~es=J6)&)wTVVqeD!OUloTs&D0M}_SjS$dbm^@|58Q>?+jMwB5l*<&B~GrW9RGCbR? zpPxENVa%$qNn{`nmK>s`Qbadt54O1U*tJw%Z-1x(r=o9o#TFzr(2Tk%y%elcZnC&j2(%4Yi?oPPxzx>IqnFF1)$SxL)cF+ za&mgj16*;i=)*J-oV`U`9Kc#S5mQ+O`CPA#!oa~EI`z|f{m(x&dgWy{>p9?_mVCVC*?7SL`d=3y+REHyD*o|6qn}hkRbFZ)SRtYuON7#3dg=DEy z&Bn#q*;EYAJ`RXPf(No4J@}-aQ^9a+y|B+5N5F2DqmExg*AFc@@J{{7uC`dKXLHlL znFYbZ8cE6p0jCycx4B=FqIY_y1j255x81@0@X1YD_Ct4-ExBr(|7q>YbDwZXA$9d! zi~!C+aiTfK$G%~5kKD~rmW3LJs^I!$(pv%E1jKrx6CqP21h>j^Xky)|CP=WGr1)h) zLSv~hmA`_zc(|FCP|_Woes-#A-^w??W|xU7RQxI{$epD&(Hca}8TFq5#p@GzV z0~>`Y-CS>ivl;esO(ugV9;@vyvnc1-H{EEl%jR9oe zSDYc6c9!Herj0o`E8d2gdRaovxubZ`7MbG0dD5;Ge_+Cq#K9#Dc;NTTA^2__LVzvd z?Fgx@73upbhVRsL1B*{XC5VfgDSz!EDySn;y&do!d4?-ux@Q@VR(?G@_ST=d6@{o~ z5A}Ge@~+#6KS6=Y8J z#%YpQAAD`PAAHNs%KzS7LD*uA@IB7xT#!?XvXb&nZ0nq7c!MY+nz$V**f?xAR6R*4 ziVt5*P()eQj(sGzxri(3@)nSE*`{(B@o81(!rZ{uY?=JvWFCFN5h^d&NOIF0vPD~G z>BKPSTA9&A&)Z>o4j$x(-_khx+NHR}eY(;@uPtS7jWz#i%a9013SWxOT2EL(M?e5m z*-Z-GzPE7f8pAo3_H4>w?t3X-z<>T_F;^>Cek6yb9$U)CfH-*_|K%t%KW2W6u4CEL zPmuiwZa#6pEROZG_{(oTPy9!+VzBA|&wHnvhp|#24Shvsnq|_ii7zRY?1T(^v&y6=$rpT zw44FI0+7M7{ngB9=;HYp%bodV5AXL)B3ULEma4^UlFu_;a$iX#O(Ne?8fj&V&R$Nw z5VH|9Exk9HSXf_VrJ*{Psyc2UE-E2n>YNlscc#72NLTe~A{BY+<<`pn%F9KmQUx z;4Fw52Y+a52C3;x02m0-v|H~IY&m3Q2Db)WSfbC(4Cf3h?4{Y;AY~a>; z5HR}rFO@6k6-c|%$givGY>zYfv~+z$`lg9Ldwj5Kjua=oaOm|va({D+#04i(URtGJvjQnV@lP0G2^!A!;s z(kPKC7%wlFj)0u!VQZrnF@>@K5pwSNI3}u;G|J){nK{bke!PN}9IJqO9@40=iPlzU znNB98`j2&wcy6C|uB80r_`#?AbpFoLESE^L;y*=CTd4yD8135Ejx3?Wd1dL7Qp|L( z=3V>Q1YIUe9}v!qJsZo&nIA43o3-1OWb=glA~+@}k`s8y^tdKje5OObAXM#X;X*Q` zgWr>(rRfH)W#c!0b%>dU0O=zp$sQXxbk07~&wPn=)vbSX@3CSFMu+UhWd(go!iRn8 z9LwvZE@6sOmb?u9F4=&bAkBw6(=-LI&Le!;1<*-uf)KJkc5u-lRp^- zw58PZB~sFnYZ`~uzPaRPIa-Wr!{Nx`x)ilvg@M&nmSMN!xa;jr9fp!#ZJKpHudM1A zn?mo#*5`9wkF40v{-%+39MICuyK_;S?12Yq`+3R&BGuH_e zaa?K`;zbNJJXj`fw1nKOZ(=!!O2YNYsAVj?#%vh@30A|AN#T)bT23%X^xhzx=Y-hh z&^acCk>ugZ6Ycm2bWJg@<(BY0m!pK6vd;OW`AX6;Pp{>em5{gh*fx(@lQbBn-VXYG zr&tIQr$S%T75BQ6$DAj?@gtcdaas~W7WwEMbN7LXGZ&}&eQ~$xpZ5q{GtAcT3+XC9 zIT8pm;-L|VZ8BloBAlcQM{+97g(ZYfC99Dd=^0_Q!cIT!4G6Px_iYLi9QiWg&y1Vn zL+xAYZcz~SvpXe66c`!0Hp`G03$dvxz}#9Xc*$&B9!Sgv6!anFX|xk9?_|JH15nKG z-IJK>^l9Yy@dIHFy92UJ90sF8&5I|u8SZWV3=u#`eY7%4!O)9tmb{04>2a_1-Z56$ zCnkKejx$r-*e>t%sn5mFo%K#ryL%S@Prkc04#@F{FO0N|OD(>_x;lNIy$271-g-CG zQImWL^Rj6(s8M~}$w>DU$v@s&L1pE@h4=1LF|p_fHTkSU9Gl5hZ?JTR96_MAO~P1K zR3jDf17lmeg7RP}t&@kQ2d$G!oz+HwHAdbefaqd!Scnk2mlA!#+;CY%7HHPvbZ0SIOT5IL8aok;UDv z_~Nr7EVS+XKylIT1Jkqi8(e-U!_&09jkXttd z!^nbTjTMTj*hd}sP~}&}M;v?sRs)m6!W^~k3lzCf4nCLopGUX6Ma=2V#aJuNrs_OMPt z{ZIZSVqblyic)llAg;CQGLt~Bxt3P*rygVeC+;F+{x9PVAK7Lch|hnejO#O*Uf^o` zA|C4Deb2xV#v3xcXtCJzSf{D~I#dp?cV|-f-h7uJVQaEbuW%4qG*#oB;K+_bS3S+9 zZGGX6`_iZ;rXJiT2O$RO0g zSR*)k!-~Fs{iDRJH;&|2TBMYp556?oVa#k0rK=`RMlp-D5N=E&39Bcd@_n~5fR^vh zkuju5d~Fh*rhs1)#cl4flk}|B;nAA|dWfxV(2!6+!LGtn!ABI1Wnb^{^H)#e)-C0! z+ImP*zPsN%U$T>n_>j;nuCpEStwoZAqHlp1Je^Gwch=OiO_8&@;Mli*bxS!N#xe9;UBRxFDQfZ$ucWwk_l(G?^t}t!(5gL2LRiE%| zr)JU0BNC-jJ44x{isCxGX(6>%LKdU>zdI}a)L6DZFl3gx`adYX7-{?*DVG8HZNE{- zoD)ptcdxx#;-NZsvT{W>*2xDnR84{ z;W+SkBb(|;g#If_hEIXTd62<$iXb-X2(c%6k8EQNw@m-R5gh4FCCa9w6F*i}Oi6bw z;C*QI2J0+`Zf#+fUId`}uxwzyZ!uZLfsv|#BJ!0lpJxJ2G zs*fgbleJf@QlQE8>wP=IEr@!&coJ|zY(*dvTiS`zB^o|7gyQAd35tnq@06b8iV7~p zXAv16+wfD95ZdtI;(2A#*If6UK291wG z!PG+TM7#_&AtXh zbP##M$m$n-`Nfenz=3jHJe7R^u(py$WuS5h0)v6p5&q1o9gt%MHE*lE;X~R@a zI@Sqsi0P^Af>OwuR7C7ZbMMdSv*4%CBLxdh54{`m2yG{qY~DbV2`1u&D;b&!R3p6f zde|Rlz*N$4-EsA-ugeoI>?{T|u?)XeG?~E-;TF*yEC{ge__hvVXDFTE4?&|(3zuRB ziYNwJZN49T=<%Yncd>vmaxZH*T0m@D_@37M)K^IjN(jrgbXYa{xNOM>>{^p_R zY65vMWpaG&P9_+YcS%iFMU4n4Y9_QQ?tPhj#Ld==f_6)VDL7uBhsdT+?^)vri|sDJ;_NOO~XXWUYO zafo5K%`dKORQsJrJEQ%cU2N1Ilk?s_z6M2c z-e9z7?i-Fz?Gw!-seGO4(H=C^xQL(WJRFu-Y9go=EPh|Vh&+>@2AIP$oDB(I8CByTq<80?5et1DbG5ys)C*-eX33hfBo z`Gnac@!W;eSC}CrWwV|#Sthz`I%%Tm6S6vqc?8Z1=Pb$7*&KvxwH-$7pX2fsly%sA zKvddwv0az!ZP(BUcJdn1pa@xdJmwc zw(kuz1VTvwLknH$LPA2XB8HA3A~irL(tAgW*yw~_q$DUx3x+DaiAo6|5RfJ+f>Hz# zg{vYq#QP5S|C{$_-VDQ>?Ci42IUM%d-}=@Iev2&fX4CC9FFrm25&8(;E(mS`GSGJdbiYZy08gx)C2;Y$$L$RQ!5f z;V61Uo_%M{FZ`sWLdSWLoX3+OZ-4B|NDZz89L%{+U3n1h_+}VOpcu~VBm8IT{jXz7 zIc*j1U!Id!rd1a-8mv>D&I`q8F-kp@%Yoh{oi zJ&~8etO0V;C)OT%;{5jl~v$;4qFGw;tdE1W`k8uz_URLX3 zad(D#nO5q2>ilS&ECUa3v{mk$bGnrAf&sjfhFIMpNlTO3(vg8?Auxr(zhgGk@}$C10M^GUwsX z@QJ~#5O4tN*@;}glkfF6eFM1laKl@y*2hQzwZ8)|hVMlz#O))QflLL?X`%gdpDzFT z4=8krbzdPpu&P)WARc z7c=}rmEb?^%p8^~xY5^K`reaUu-UJ zb!_vtbz`hN)RWPdRSWO?@@rDAd>xgG=tf5GG4a8)Vuj!Jed7rC|A%dG>%=*^6~Ggn6{B>5ksWCE>CD-ac{0z)l<*2>Y3Y|BK3gc?nTXD>*J*nRTu4u&@= zHQE=}DMWZv(;m=pT=1aVpz)cc%7x*g7L|DaaJ@}RO1-n=3yalc&ynYt$ z!N=cSZp(H8uUYhfQy2KGqqz%MP(f7y{`py}u@$}>YTcRu(n~ayM1U$+HYmGQ{a>f`AM(s zRA*ke9ndw*$dTG*XR76WkQJ32#?L)w75R>HXMZOIf+32?`fJU(?l}+?ESexpfjinJ zC1nnZhFsn_VUfHU?PY2HXejnO^ckVZIi-tDC6R9hf>w)^2+hocLN!v}wK)oj7QJig zITPq8Z_TNEqS)%W;Cc6ozMhZc_e>9RZu881{D?^~WMc{}JW{j!J_cc(mKVFg^ByzC zG&ARPqsnjj{qmpFE@S)LdKYi{8_-YCuT3B0n&)J6rSJbQ-D%bD?Qmn$m3uuGBmf*t zXq5I3ogXMQ^N4lApMiJ3sB^`0Gy>y&#uqYQp!mE5Fq zXZ%X>AkK(>_9Yqy{)HfVEHyG_eQPe<^dPt$mdE6%!uUb{0nX_qWe{qj1|lg!V0wl7r;G+zp4bNCop|3gvp$jQxz^=%NJwT67m zVQ6H?@6qMQWr-n=_jR`51w`b~c9DpsMEEN#R#6#sF9LYb9!`7oy#K&=vU=3diMX$Q z`sDqS72b)YFBC_~vqzOxH#Ux+HPWZtHTqoCNwpKo8+4uhlWIW!Ew**SeNN#6@rf6d z>9sD-$z{h62z|Mmp?8zenhl6=<2cx9Spny^=1hygxyw5r0-JJdz&_;syQ=VPJBjo- z->~bMvJ&cTh{uZ(gRiVJ2^LNq>HDSUcScDc2PV2W`+_UZgM8UkYifA4z#9zdaG|0&W&)V7Gl)d}rAP`MZC?enr?z+JM+KhV?nkdey2F zsz1V&KWUwIQMtYeqW{smg!A1c*2U&=zwtNLhC9WEiAxJS8s|N^YspQDR!FW(cIo-@ z9q-@~@9aET*gZ9HE)`Gr2q18d?@U*7l{>WjbmcdZU?ICxh0ZlN=ROMuYeG0ru;D}} zd3B_=u^3bh+Y*`2tGF1DjAY}MjBb@6zX6FtlrCFojlX;TW(m=p4$rrGE6Oyp+CPKw zA-vy;%C9ub?X3>QEYoPvVHCuUcoRoT@n(!=DsxC1ujHvkgvJ>DW&kmrjoKnk<&=BJxX z(k+kR(k>-G%*qJg;5|@Mi4e5Sv2@I$h1vW-xVTs>i%$YbJtJb)_A`X@MYG-FF9G@b z;Z>!a%V-uWA+$OX4FXxVns~%$ady65ubVq?);yJfpv8c9?mU%X;8Zx1neRiM9F1<*s%xQETyoh3cNaAYo z7&S*Gt@?Ya2uXTZqV3wMdl%JeLxgW7c1=sH(WjxVIq3Eac4&>uL-&;>JLo7;aVeD~ zb`^D+V&pz|XdZ|iI*`p~ZtQQ2ZBIeYfa)SY1tJP>%UCtHFz`}!QHBDJHb6!*vjnKP zrM_cGSx?bfr)2LAx76iqT5CVDq8k3o=qOOX(u$oucUGdjLL(02!ljUtNapjsk|NIg zL)X)dBkn-yWMw;ik-8J^$@%1Ca+1rX?~1M?;|T5w!2dg(;s(o)%!pYh#82ZbhEMQB z0b`C66j9+SyfS!t2F0cw!8#|EX;;G8FfE(%6{(@1|t6OzI{qX}pHhuSVq zBRDxmf$eB&C>|+XB9Z`LgWH)STe%Rf=q#JMd~`tD#L0OLS;s2*fxBMkQ_$vPo{P|o z45thdr5H&Nwvxcn8+qHo1X&XtuxKmt^dZWo!jrYaxEKXjJ0{8CQ9*@kpiWl!5`26K zo47Cg675=1n&Z&pXDD?9Ct;h4Z*3l>#~@H+vPn6N0j_=^b#JdkFx`Geax z+oug8AAL(s6p)$lcP>`s$nY&uY}(>7X-rpb+T)qY2x*8(r6jY0(=-T*JA)&N&qJZi zqRWw4pF)M~#>Si2poA8u~MUy@Q6OGRalLPfX|A6t0xVq z{u+$N_#)ks`52GD2G3u4ZxiFOnQAAX#MMVF$^s^Vtj3As{RTcAiZIrM`i1D{X`eE) z(n>C!H@wn-4MD2JeH2@mR~h8UGUJTr9TNptw+RKSAfiuZ?$E?a7CJA*8-sK_ZW6mS zzsCxf$UU{L0AeRLb!5p}L3VFfb5?tG>(CO8LY|AkDwbaWfIa=J^C{+dcHTjopW&zu zk=FTq+qTl@;p);Y+3mTl(69=z1+?f6L}J`M-Hkci^rLL1w`V_#p`Otl`fRl8kJ;A4C!XP{>UD2-b92?GmsPJ1oBJj%-TBhx-@&IzASY& zTI>=!dZr56P*dkz3?TU9i}P$c!FG*sS?nNiKkyRPy)%Fm1C(k7Zh>negOm?M=_QOA zbxw&T0D^PjLWIDsK<2VT2jOSQ3*Oi3u<(Z^Z+V4culk&Zx=i%Ap>qk(SLfIJ2oyMC6uw^yG z6Y0s;cH0H>+{Cy+r<#+@Cl;Hlw-?ylM> z{d`K_G$`YfW8w(Eh2rXLKym$6Nt<-)OHj&n+1>?AZIsTgxY2?V@A8hGR1CsWRWZt* z{`=yB4uz7st`!_jpBmaZBW1@K37*!|2@R;8xV`t#0ol+SqI>T=BXq4BZW^B9MlM`nFpU*PU}L{FA-|#xbQns(RE7xNEwq zD-g8=%K@YYTr&!owr4>Q7-xO#64(+jAYei8*r6LXfI~y8W6_KYCSDN_Ge<(5ZCY`5o>&p3TAUAHsS)VjkjYSI{8ZbLd)xA)PqUV_V2x}MM8U2FpdE;?;#HSmQ2`G^f>KlQsa(1J3?g)Bgs6CV_ z7&>Vdoq4q0>M|0XIT!({3z>|7BmsJdN=FN%GS;2(7*v#Y$ui>Q%5?AH1+DLS_d2c} zRX;kae!naJ&#v~{rKl$zTL1mLzv=(awaaPQ$6s;%lbgSHXqJ6+|IDFf?DsoBQr zdJiqdjw;{p>b~DSdsO@S(9HSJ?Aen3jhX%L>GwK5-s@2J+tqoyr02KG4fGD%J#o%I z;$80d|IWVoJO6g+>hU!9pLFOQRX#epFM4RndAy9#v!#e99h>)nW}wXs z=me}AcD&Xpy>IElhrn(k=;rZ!ddC6+%ZR*P5`DX*`*!K<+knA)9nnuZt~^^3^8<7e zmwfc!)PU@O$du!uSNG1k zZuj>*;9BeZo%Z7kBS5O&W1X)aPX}BY-8s6?dgFK|z-IpmEB@b#fHGG%YJPmbd%Vhh z{IRxY9?$0--FG>vT=`xOSm&SJQ|ADwi~w^_-PV#s#FBef^&> zfb{^iKRr9PD%XE*_;1c*4+4^xACEp3{@VXcsDA@6^L*{GPRGBK&jpPB{BUfM_H)2I z0rTgMO$Au^$+54_0+zg60MMiB9Gdywm<7BDs0ip4`@LN4*rVEjJppg~?TUx}pR~tD z`R@(@ZXKW*aDr&m_uL=f$(eRRyKoXwgZ!M~&`ScZV!XCVd$0;2)2A%Y9+DE|~4O`be*9CTf;kF{ZX1`SK zsqr%aqBy3=OuV&9c%6x16ST;ImU>8j5_QTL1u(>+PRi*T)+vzKeu)75ZuO}yRAb3{ zX}i((bz44x9f5Gz4;7(WYcopruT-2JKFlfYv9KY zL3Fz3(P+I!o+=4E+ju3RH`B`rK*xC5F$@6VSm+!GsraPD)RI($NxJoEA5+i{-QLjJ z0umV17&D>x1zL2SioZ<$EhkSNBlC>)W_nngJeJeXz@-9OY24#!03=nNq!UdCWM{J& zD19GayILv4gx$!nO^Ipi7E{!*sv~rzWuudF`lQ>5IF0Y*-sFE+y0wP_YRshKNe;9{ zIjKxNhP8@YEo$L}i-|waHPR~*#Ozvv!;sscX;Cee->})MhEs^l2>M5)XYrb8QH~Ro zPQ|;RY{Ofq(^#TfngDbRVBs5Wg+H*SvHg-CtIKp(S_s_aze4V{aL4$m4vJ>*sr0Nc z7N!OmP~T9k8;Tpi>bn)Ciyztu5Sv(@0tA@$@PN@ja;a&FGD2(J1O524L}_niJqgBPaD`*= zzLu>{F~GWcd#I($Q#6W$si);EYE;O?hO73U{*LGS{LkdSM)*Ah_pr1s-r$2ms}lKT zb0B`dD>x7B3ELK zKAh|gmLKp&xKx_vcojpnNRBQz{d6mkEArOYSK0+_m}H9XO~hMPBBPtyU9mS}?j`K?DO;Ge;#uTxrZv!As>{I3*7z!ZP>aj5ynlc? zi)SjxJ}yHqCemIxO)x>YRA%?HETL?+;9(of;a5ohb7w+CbY#23PW%i2p)Ips0*$7m7a5n;3`=H z2{CtGL>Kr#y1KL?^866y!aOYa!KYO&?!y-!huZaSR#`XjBZec^Un4%~@*WQ4`O~kc zkIrQp+*S@nNK0y&m%tjGO^A@TngD$jF5XJf`?Z!|KMlN`C={_aq}P_H6*et@P&1a= zuM%=@&0S}Y5+rUi6O14XL^(fLl%2mb-H`Z4sER#lX|5jB_;@Wk*KX3TrT!nWI1~H; z#9_iascWFf@bDV@7<9pC+UN;)f{*v3p$8R}-8NXK^=?w3alerB%WmtQH-2tge;`^( zHJ91%@mG4*4d^uF?&%dU>vqXOkVI#jR@Zy{#bPM&rc0SB`plYGB*hBm0;g7Xfoeo6 z=7!c^^ltO_Tos#au1}9SLLGouq=9ms3QGcKpo!~zV9@ty>Pm2 zNA!;AIkt?Q%Xh};dKM`kGN!BRrmNSZzU)NQ?eJ0PA9NN@^HDyoEgxtv9DJGQd+|mj zeXQ=|>T+})V_pBWi_z*b@bGPHEJ!z*M&H?qzk6SK@jm{V$ern)yu7=&UJS2CXy=ha zqv;V8OLd#C`DP+nM>Z*J_$;0(ch;Y#r40vW1QVq1E4 zghQD^Wjh6WgDgH01x200x>Zbv62l)MB@#6plwx@_LxZ4b=TNHPrj-@Cd(XneDq=v+ zsc28c>vc$Y{TT@jLOm^$E>i-^Pk22*U#WJTZ}d~#wewz=m+`Ow;{40}DK}W%pXa>6 zuyy?Okq^)+7-vKq8iOw?c6OTWr3O|q_g zGVvkinjsIBgU%vuVLQY4bi(TqpQZieC$nFaaR`KSlfH<-EG^|~$fu>*f;ul)L#$*p z?d{@{xgSRSvEp2L>;K31&nZs0g$5o#}qwK8V45?BD+4dc<(GIXERG1g6R)K)eq>viAtl9X)R^fl;9%Qn!@PI#sIE;%(zI#$PU zxv~Vr1&|BK4n`1&k0_bzHxirK3xcy_C5e3`5DEe&z02l6r7g-3D=P(4bwxe~+llOD zZnq9ezH!{{d_JHie5=Qi+LJ?_Wh(Qs{A(c!JS@lLQ)kDz&0yOloeJ)cp`VSsovR1A z{vm}$Y^aqV(+BBx>q^WK5B&eBo1~1cZC$;)o@wyaCk~R4^BXz96=(h{k8;#=`8q0M+70r2sZ9(hYO!^II8L1_y|oYvRXkxyx<8H|9Hb;yRbak6@c<*boI~nfE5L8e{PDq z8!Ts7pUhJMvas~`l1~O$#ecO$s@HloP4}h?-~E~PL-%6+oU3&@0kWF4?#Z4nQsN|_8v~hqEGxDXgOQYG?D*It$f%y4XMQ>B%+S? zE!&>V``uwqvbi&xImo4xnt8~rGmLrrHR}q%lhhH4Fu6=CjA_j=t`S01d|%n4sSK&) z#zH4rQ8uX$wak+Ad?R{CH%2|49O`cA`}KT`YWA4+JGKM)N_iBDLp>+^QDtq}^xJGA zOU#Ri&_+MoT0fU*{IjT>FWgZ8FVu$0Yx2h^K#N?)SoSbujqyWg*|-{c<7 zS3Y)U*wSk&3NX4?)3c~%_YzyIgb+=BWD#(Y=z7HC)A(V=4{bGo6-wRrYOzdWrMqaP z@F23cJW8CBM~)x|MU_7b|Iqg{Ukn$MvX(2zjatG;7Hx#TR|6QO04l0^wVYuf&jhGx z5yAk}@Cjux&;RlQq2Ek;hbPGd?mtk97*1=1O9%Qx?PNic6+!By(G_q+fGI;1M4!N? z>4~W&SPA&Bg#R=$vcXieZR@0)&;|-i2mC7AQQAyNYDR>uimzSl4@SF}v_F;%wAey` z0;?z03T4?VNRmdvhSJy0!&oW#iXOrjXFgY#*|oD*nD2@wW@j75X1wyWgPkg1K5rmu zx@nBbvpAs&6=;S_-CudHUZ%eZij5|%E5{bT1Xu>4MRKe_hU`JVi@<$ zoBsj1Agq35oBj(L=PVKqFF8|8d+cl}6$}52B=(f<^L!*eby@;(*yO%vrKY9oEsXTEaAu}# zS0+eDG#wi#-?DY*DX@ymOew8!-diF)94oD z-NHCO^Av4K=p&EB^_6Dx0Xca(bJgc610e$tNbPdS)2UabkcW+7mc@7Vkt78yB-K;> z1zdp-_DYff&vkrn3=I^P!C1?wFq#dqfFpg^XhE*xW7-$ zW48vQDjIrcAi>}41(7od1$S9i%r}7+`+7L0viZOK7XZlz4AV0r7?;JIFF4;sHTGgMU z1a3+U!FYw+%PT;{Y85kG;iW!SDQyjvGlGC2%1@Fr(9P2(*A(v5`8i)1pGjr zA7#Fl`rNpQ|4eYVasjI>ho-^AWS=}TTIk*HeF(QtN$~nrX=j#U0ot_!S-7;MW*f>d3e&QTA^bUVwE6(4U zdGLB{8iy>lYKvMF&^M`Q-d0uBGIUt9mJp!e#q4ODx%CfrVx}5aF z^)v7Vc&EJEB2-635<11r?Ti#!>zHRJhj^q7hSRe3yR&%TIGNzj>;9 zqaFyT8z)knGmxs?U?3dN!hU;8QK_V%Qf5~@yug772uULvg@b+9Dmip$w` z=zU+vOwk#}hNw}H3su24ArmcyDA}DF^7}{*zk$O*q0lUU8Bj;0P=`Gil|+@8|144I zN0=P%^1cm~S2n7Pn2F|OZM zfdhE39mzoSKBG{E0|@u3w(}A^vGns!#k_L*s7Pv{T^%v;3o%i@MFVMf-Wlk{E>wK4 zY~e)8*a&W+5nD{LB@27{dZ{LgRvKCi0(a`ex#RTL0hn!>*=%_=rD)XL)y)(m_9sKZN24*Gq z^q86pcj&1vQLdxTjT1emQwviaIu|#-XwNv@m|Nw9*=PI<8U#57F1b4j_--*V$3%EA zoHYA2;Nm9-T#3E*&ZZBbzeZaj=SBSO+dAZH-&=K9!kHH&xfQ|h)0lVyJ9Z>KzkMOW zZPX5tnaGkSl_j(xL+Zf=6fZG8^{)Bsv5<5$Yv9|q-AAj_vAQ4BBs`S7@ahE}v>J6^ zQ_y1%(pXUf#+0+ZAzlSV96^A>p?x3UMo&d1^LV0h^0z|{&BsA@%dV@EbM10XkDTJz zb!w}vG@4wi13Iq|tnT`-OH2ra%-n`F8ud-(Ip*wf4q8fB-6!@n*{mfG6_*P)hFgfv z!V*uX^1s5itWE|`#F9VrW_e^XTT_d?r*|->X@p&s`%M8st6A2jOhNKX67y@y6`z;S z1Q?3)1q7$dt|?ARTA3EU4(_Y7JR8e3gZA=SePojCrzMtUB098GKgO9Z0)d#KAWID^`;L)z9bD=bj{cNpnoSK7!Q>pL@ggP!re)C0i9qb|# z5a?sK(K^zlf|W|(F{Q|w;ePfJVYB{B*M_842KZP5-9?DY;ZjfRyBp9I$z_3#F;{Be z^5agUL>j72xExAO$b`&zRo&gW4TXugvPiSG-nX_HfkQ@~_%4_DhdUc-kp+WrvTkUo zGpM7}cmB0+W!K;`>iV$9MHbfl=asGYtO*WGg0c`4@-w`gI{&2{-7+|Dty;4@(}+xP zZXixA$Mk(I&*<*=p(|Th#K%I@NsCe^v=Aw)EhzIyr}A65x0-yd^m##%j_!N)d-L+& zuIBm>@mtk()x;X%GL&`vn`-|*;V^b_RJM$VV}8y_b=Id1+A=f6kjbhJ2$!$=-Xno; z?`^u%4A-u@#fxM|0CBQD$}L~)nZlhdk->NthI4_a&o+TpUa$2 zVSt@J!!kX$VHKR&Zs2Gkqk92!r~Zy$y>4eYv-ioseb-lE=dPcak7JlWH>@k-PS{>*yjG(M$>wTT{jfWX;PQ`w-d!Z_03_cT?D>6YzmO8TH>Q-4_QOnCG$*=^>YG_gemu(ppYZXw()Wu78Ne-(X2@C60Py20FG z*L|2OkQ3V~Jff3rci^d&P7|V&mHry$O`-pg(q5%xe?~4f)-Z6;s3@xZKVi`u!YO4I zP^H2!R5Q}Hqb&~n+;i6z#3v{MgaAbtf#cpI@c_otlix1z-IFxPwS?)%tEaylyW{Qb7H9p4fYKylPKN0RAWZ-Tx;Eq zLjaL}z$}uuWOsn-Xr57{l>`!eysW>V;u4n}{Dl{QJZNedFEu7{NwzE_vKx?e$sxcg z(Ucm*BQ3kNkK%2wbEaRz?IH=S!1&oS$1k{DFvXc}Irq?v-n7mJ%-^^Ji2z>`_%*}j z93Cd>(?&$zm&5N=UXY78i~AQOCq-1&RBYzREo`UB*A8%q5_y!`&*Da@G06ovDK-ZS z4I?`Q4J09&&7gj6(r}ttx%pPxq9eVWTO@+b@siNYd)v&0p7n^h5l56#O?(UQ3zKQF z_k2$b*g;EIl^3jK=Nm@KIfpL}oL#k(dUzP$fC&*>vB+t)hjcYyd$jZ5!O}BM!IdT{ zH!6mVi)H1zBdV*(7NZACoMsiKm0rS5P{jC{YL$M4LQG%%)WnyjttH|K|JRQrxo$hN zX;_^;%6?=AhPoM5cEFoI^^R3;6IJ{LMoFUtN1>Yca#c_G+Xe#?D{1*Ed>xHD4*um; zp7F)~xZ*~@?Hx_nyVO9ofF0KV8SjmhH{EjP47S>)y>2JIxDmU1)|h?(9Nc?Z0R})u z(S##-UpXf|z4y+XXysq*rftDH)o&j}*Y}hZa1%-ZpoolkF>6$FWETA4jn{ z0SwBuRHKoLW+g&VO3|QAY~GK+*oM$=qTqcI)1TeoG%L&V@}~{>?P48Sck6pwf6IX+ z9x_&3mLE#6&d(UJPQtL>WZA?UUI52#Qf5|3DyGt=Rq+*Q-rjYU0h7lx&PMdx{V>fU za)j&#OvZp87Odu=TNd>=|)F zcs{E>;ro~dx$^SU0X*#CGG=O%>rJ@2uvbSB*lie~X{r{JbH#FNmRs}nz}1uu!+u&RA@;%u@eLS0AtCN zap(x$4%8+=14<-44`z5$QP4MDeQ@51MyiE3tS+~=86=$Qnd_V<=kms__o{_Om}sGg^)}6+eyGd&zDH5pt~teuO5_tn zu-){+^Y3SI&+6>A4LtB^;JMd!;5Qxl4>RU_b*QwS=eWhUDihh{jvwL*?o$0G+w#KB z;Y@zj6kmjvx2Snyn`Iz~gr8v&S0BjYyf&k=;YCyojw;%i+MX%bgnEm$2DJGGx@pTY zJ7t>f3-acnH4Xs$;on>fS3=>Ud@9%7d2_Ccw;+!XZ146%LIn$)+)g5wb@9d@SPaPW3ZO9>FKvPDNXc%Of%^}Km!wMF4I*C{j&1QqH_ z8cGd;v%jQ8_ncx^;1`VMXr9%6o?40e#I&aZ;0Eu#1FF4T{3>_W82I=21?B%p76FW| zR3L$!x5B;nFa2MTr?1=}<8eM^4OUrSxr+ai75S`Hc4PpcE^e6hx-p~a3c#M{&S)CQ z;ME~G_A$-vH8&xmj4NgPoM7rD+x8RN{r2J7!u4bN(~b+m7k2%*sW-F5EQgtUN$<^h z7Uu}BQKy}*tifGh1ab@Z8IdoQKw-D6_0%0Uh z_Ufma*DYHrYTfT?vILatWZi>{y2PfKWw}^%_tgd7KGV=2xaaUTt1L@Q!&326>a%Qf z=m~b+POFo(>BxH5gG9+)tVugqk+?h5)7sWugb(c1OZlmqBx*cSIPhZbqnkR)Q5 zhJa&czc6Nj94-`D7FEyY*d{T|w8~Ab$Sy8<8F(4R^;xIarBu0Lxsq02G{Yhe3fP~< zh6(|ham6!dGvvNE2-XC55M*li--%+{<%>Xzk}lRMFWXs9ato;Oo$9egAUq{8F|eF>=g$hFj^rMN2l=u9F(1!iNFi&GmTP=I>l1_ zAi^!gSoCG|{m28cnK7X^xwVD4w_@Xmcw!;cPOsL7Vg zh0Vm5C284YGK8wXL)6x7eIAl)@AT3xMRLw3sqs0X3&RX;_B+)t+$Np{kBc) z=K1!ZekQXZd-Ce*$HHdZUm<=Y2?$8lSbY_T`|lEbvJ(e=|b zIx$Z{8h?3=qRJ>u>TX_Yow^e8*2y!l!nrl_aRm9QNo#&(GHBDprEzeMKf5u&+m1h+ z+V;;MOU2-A4SlgFV7a-3&<9m9--)#l6#4CT6Rf{#}is?%|aVzOU z$-tu&S~rfVqHSst4?Pi4MD!z>w=jhASv1#Iqr$cDNjcn>`Fk82nuy!1jMvI$;mvyq z3RjxUjy}NLI;hT@Wd7{?ju4n5v$)jNV!!f^)c$_Pvn#rvvYaQoDP<|+N$i(F^KYzi z4kd8{9;}J9U@`Ok?!>3}vjWfFj8SA>2_txZI;*wI4iW36W>RXavHRvhgE`*#AMXha+ZLiqfA9^xAd)ky<0Q!`6hjTl&G<8T-0)?!R9r9*$AsbvzGqu3=#f z0q>H8H@RyCs25iHEOz1AjZNw*8hbOyeWvQ$Lhi(+eR15bb%Q@4kHteSqr>Tb2e|2h zqE+)Jv2>?lc*q0Av8L#;I>iqt|A~`ei-EUs`EALiRkK6PuSV1vky&!dEJg)%NSMB# zU+~25z~3DPXMcc*LZB_Tntws2713=J?|#b{_-MKrzN7sA5xGo9D~g#Onr_63?utG>J?Fa?3()YbYh4QzG_Af~89Q1T z{zgMd5C4`=i$0}G>GCZ%JhXUId)0z7v?u3#&iB+I;A7?GK;NG^8&>^0zLnQ2;})jA zh&IcGk$Qk>@Qm-2`?hC+=2$fs{A}Hob-^Xy+7Oz)Tp;k}TRsi?qaCf+;r)S^NUjmE z(aP&pKPitTqv@ERIWKs6rbM!GrLQa~iBOs~V2>qZ=~G|S%JCb=^HoRF!#bvY!!pX& zegAI=&}+K#@(v)$d+P}LGk-U^h&n(M7t=3wWt5IEk<{hsXwhA@C5$%E@5;iI2(Zxg z%4quLf}(b{FV%22#AuQ(PCl+@0zk=k z|D@0L*5VGbX40f;5xEaxZJDVctvKRS#R(?k(Y5a%pATb|xO{_@zy1D$xcjGDt=tS- zPGK@-&8WbtNu!R% zs7&uRhOsr3mgQyPcqIy=vUm5IUMF|LmcToVkAzUYB(o3uB}I!6s9K-#(_=V7( zEZ{!#6QSI}jI2nU9WO zN>xB`C>cDan9mOaC8)@^>)!eu_4|WTls0p=p%Ws4aY-aVDghJ~-)PYuIx^sfscMli zUO&UhqAnCROon#NQf^qpEK*~Yn56{}pQr@2bJp@2W$+fMVEkRFlMT;hU6{!rXo8R| z$g34+avu#Mgc)xQmB3dNBAbTX1_-`sqPtvD0ueNuWC!cF*9=5iGIK(k<=b!z&fysq z5A)(84OL6HI@tXErxa6K4~mbr&C+q47)&8qDJWQeLV>lcS_7fb<;l88s@_4G;VWGu%G`Y~v`(?-Ntid?jDa0%*a0hSzIUcRC zf-;V}$r)FEO6+j|734_<7>Eb6DDig&Cj}nie8E*xJTMZe_q;`s3wRSFb%eF%VY*Qv z$dl1Qop7P5X89nQ*UTXkcE-k4%xid@i>ZW~JdFdmFu}QmlX{J7s5mSRV?&j{jm05t z*7%KGYN*$EeiV%j2r!Y@M`V%Ub);luv6!qHQwHvUDY8@{l2TNZK%!-s`e1BqY*vxB zy!reSF121MHPyW2q9R&04ry&Il;Be9DJz{)>#n9?OdY`Dd~H?pGp|!mK^cw0H$Zjg z@dI`>RJx%;27bcnGc`VeQB%Vzg`nF}2kcA=ByhG03XxfPlnx_hemc&j#@OVV0_8kT z7PUZ)FQT&zWlHFSs%)hH;ZY!GNlB6cA#m1w@wGl$$}&F@#n6#ji5> zs!%x}uVosLn0v_^|5(C3gZVTGUbc?{5^*ni14TS1hFO|``V;O9e0&l+TsD-I!wF!S z(b^(tFk1opYEQ3)2W@gfl;WSoeKt_D3t3TU;sr?UI7IB5gO|bulT}M zGyVc(I>1&F;J~?nTL$)%NrbbwF`BT1rySKi5y{GN>C?sU$2B(a1!~Mzo&?W87OuF& zCn_3zC#$f3fMXdTUlb4QUjalu=R_hYeF?C#Fv&z<&yLldQN5i}O6P zJM5S51);wjEk9qii^=uiKc|f6s+}8G4G#P1i@*8H7k^vTD@6`Sk^+W4#pguid?9ZL z-?}CVv?~3S10G|U@q*hN1-F4V-(ZoZurEF$k7B2W zHIOcCyl^F1HPaKILXyPOnDu?!i@~h2hCao&=wOFmNNb>$Fh5RZi^bY)lYby{a^3nH z)(*^+$HV!PZX;Pq4f z)`Ml8~(MKHm|^#YkUb9NweBWUU6L11rEee~~1~`HD;#+;=D|bzy|WDqQCw4uN2O`9EQ{u6$Lr&fNN%IT z;8siw4_y30^R$mp*2uWi3b~I4k@64xk!%|7hL*XnkD+p~r5bIT~y2Mef zu{mYeb~bzYLzl=utN>wlkoiC~S=s!)b%D!!9(Q@>o+eh8*4`j$P`JE&h~`(bKRa9y zQw?l%yhm;1#Mo%v&M8s;%$bq)PC*iLjGflAIqh@S6$4tnQmjg9SdDSuYFUxN$4vi1y+SQ?Jh`w-QiXE8IlpD4`FwSyy0Nlu&h; zdtzbh6!)nYqvOy18QCc1iTXwdbFpSxLINlJvf_;f8X_HZA`B$mAp2;77w~&7pc&C{PdG zDld;6fi5ny_59$u@+xA%X;JiFP~l%QksAfkCdI~UJGMIXCtKV)zfD=HTMDeWimexb z4M}0Uxbecq+6$mYQ`6X*itgmEZ`xSo0Js4%>6KvQL{OiND}4sPdd^%6VBT}wO}7dA znF)RQ#J1x4d&`-|mEh(6{pNz82UTuLUzGHYWLIzU{yCDQ7}%AHQ^)59+ku?rYj(ts z-%2~|UY?EP&=w8-SxjztP`w)Vx4`wOG@7vI3ph27jzT#YTP- ziCW_JPe?>miOPC~+JGs8Xgj)ucn-R@cW4Zo&g8Pr|KSL#ZB-d4srN}7PMa)#< zlfIc9H97Av5UM0aBJNUB%EVLBYwJFVxogN{%h8*VH;AMduJ=B6m0-X46G%c$jFq3W zK}_cf^!YR0t3yZ8(>~4Gc_FJXf20UP6)D%+LxxLRZ{_n`$j!8G5E_rn?L5oj>-7lw zP>#;PDm;Yduy!qKGg8-3dP8R&>@b5WT3dqEGu!cTArd`V2?7L)q^AQqxz0^7U0aqH z5gEL)p7$)(%nNfcmqN=6x?J{-yPI9FRIF+9SQ_k*`o{bHM*QV-UeOYTfP6Ts=Qg^C)@8dt<^)7ZI> znz)%E3nDBRx^!iTOD}9^(}JMQf{!vGq&u^u*3H=!I}qQnf+?jnY1Bz#kTMTfX_n*V zTH;#{KN;M~)=1o_CKuOubEU7frN({NGfC|>MJvN3nnX^BOyNCBeLm5hHnaDq&0+2H zg0^pGz?>+dyPkn>8g)5NbsX)7!C!c$T68?@Lc9uNJfeiz$L$B0xiw5{#WD%=2>Q}6 z)W_BQ$y2mjc{6EX2X?A~UcGD{l5JhDa0R=ByPG}tw0x{M_O~u9^yKJ*dEvodja8a0 zs3L3S6ZS~pP4oM44i=)Q?0$;e`VJ=LRU0SLQ!i@D*dB$ByG5|24QydBsZLOlJ4pj3 zSF!>AY1z?NXfL;&!AG^8DChy-QQxDkG3{iXF~aQ+6F&&cr}4ZM+LDg8J>P|Ms%Y%( zgsB)C#tKkGxpZxK!*}Prv{ybTCZbxin3`v-M}~@fI_*Ro{z>H_htBeGe2vr1^0Uil zBq|_S*{m+)9yzNOBgekfyK-*DQ#kVswfv|A-`f<*eJ8`V#s;S6cJsPc#AlsWlGK+n zYX4OEzR-P6c)`IEW#^}r+@7LGyw6|CmLQr6=1Ub*FWaP#wjlTjJ!H>UPOY05ZCO{6 zMtrw7Z5<2VQpjK;EfRnp__LOmGsW3f269o?f!AOLjJ0HOjm%{Ml7;1#*-s8(LIzL} zB}IY(&rIq4)-O?}9of@6Vab~kNS>yzY`H$ZMV5NB^oxq-+F_LS9m1D4V~1m`JnTr5 zel>p0AmG)sM4dBnl1C7N6e-0>HA*O6h40y|&bd+Xk@O}6)iIG6G1iNnw5?ezyGdVS z3)fDUlPkN*UzciV(!XqnahuvT60|N04lq-Ov$;LhlnKa_W%{Lk4^bRitJ7$^B7To= z$zSnxV9=~)FXeF6NcjzObR|^{iLmp$lgI0>9MksH`OnYpTzxHcB57^k@TMr_|MLJu zlQLN6w~ZH+9G=j!t3$AOK{@Q>+So_U7KF}`U!*8HBsE_Tdf<;sK;5J~#;o%T#zM>U zy}55Az7m!r0gR5e??q*R#Q<*2P95V)}Qru$d6;ncH zdmPn5%<>6PmDc{eL7~YbXIv2K_UeHAhs+$EFUsB^^^WXl>^SuW zLDngL+3#(xE>!6h;&c&(rF*{WUQ5Hy3PsYI(%OGKbMjJ{b2~>#+?faZheeffVI!0V zr7o?!xu2~vnj)%HY-e5%n@ufj?TUs|gfUVmH-w&3I1`?i_N-M}gVovHX{(yF60DQc zyOr_^d=-dI4Y?R)ImL2)zm8}&&&v=c?$R-|KTr0jL5mjTg;8s(zMn2RGXElfx4&sQ zuS-fgpO~UfE|NcJ7u@Ts;i7kjhbA$_Qqc1MOS-n%I87iZ)+ADj?8mZ5ike|%P#d$Ck6aKpkVka} zGlZcHVhPGkWeR_in7hG*Dat)^B z7zwj2i)ZEaU1Bmh#+F89ji=O<@ps2L*z<2%!_eo<#14{`x4rrZnfSEIe55!<`u*Vw z4hdq@yq_wQNGd^KQ%Y~kM~qpW)<_T))`|1ojO*v{IETVmZ;Eyk-ljCw+z1LN!@%^6 znvUF3w;Y7;tiiSZN{;dXJ*1u}e22-KFhh?zprM=AZ0Cz|k@EBz@u10S%?%=hTdE?t z#(UVYhl!yXTkg7~#v&b+efYD-)T|^Ryzb2@D`yg3t#i%wamp0-)?FgWpJTDo63jLQ zI(+RTSD+#3xwR4^vTgt|o?322=@~-Z) zAihBY(m=0nmSe1 z3tu=;<%wG=t(y`sL_6Qr^{1p2B_)PU%Fn~KX%)3+&(Fz6^G;#@4}U16ia46nRT+sW zG1JMQ63PS#)E?Y~_ z{JHfWyh16u%4}8B*+rMtl;_WI9C0g%S%X9;rl8gEevU`6(Sh_cmu}lbnIC@V9FK&E zg2?N~;9G3ctVk@2R@VAd*~>K5rtM&tEmckJT14ILw9uOSFJulSv6cN>wPg*oiux5? zG0j@y?U3Nw2U8MVr2$Jtvz&?V=c%^+jhL+ohe>sbqhCY_v<2vQD``C zix+3{78D%!Zh9tnrl@;G(4_!Z|nC<_A4@|MXB2ws`kR9JI$fX6*OIB#AX)N)rrf zgOYde;$^C0!z;VBbW!)X!(t;jVgpx{6wNz1AKvpI_qB5<>=xo?_i*nfeVSaNa#x(7 zD!aEox&F0#=R3~sD_tX-)h#A@YZB)e0$I7XA1-hXk3ngSvk0F z5uv^b3T{dI@KHO1$k%t6J0}q_1$p#Cnj9}U$zxm@h|H0=TF8A2s-8&HlvV&|v%nV_yk>`q0$n)SPu z5;V`rh#6J!^tGS)275~AqNjTA5RiNRbq9N=1E{{bv-?y3=bg`Y7J#>4;Mj}r|IFXq z{dMo;zb1AiGe=K^zn4t?Bl!Nu<7YqaU|;`!ayJu@ZdSVZBmCtFY6EEgDcKSK{lq8f z`#;$wyT7ynZ%@3w1HjzOkFq5bM^E&>CtW@H@XzZD$dj9kKD*yK~+<69c zYT5mIr{lNrlZh{xK%fa=q>mi^MnIrxxTkmGf%R|IVi(+2ZZTbAdDQ~Ch;qrwS*J{y zVWl_FCMxC*&|fauH~a& zXWY^*d4|FS>6@c{)%eGGl^?4B>Y)38IH;FQT9~S7N9F&-cteW-Qn^QW0NC>h)&;Ae zQp`)si~Go>$5^?Y@IcknrCSYyld3=fd%|-?QwHLfl4Sxk1l}10l*Y{0_t787)${MiCdpFUVsGk1_0V$cEGU$O!}XF zK+mhzkrx59km~?p1O(QH!AUbJ9I*hf2m+U5cOnt@ zp{4lLkm3#3^gM-=dhMH(alqh9L?#vKTPkr62u2KVPsYcq4l$?H>E0g_Gg{$WW+KsX zXAW})*XZ(UX=O6iF7W5X%RWcS-VOk{v=^ix0I4^#riJ?H6< z!L&dJ0P(U5j&3D$C92wurvqC1J{U|dKyKl=8;M-vzyN}0fz_TN5Qxrf6sE;o8HvL! zP+^b@5RPBtz?j;VsIXFiMj8tQ<>=`a#sQE*c$OjhudhU#U4Bm+Si*iR6;NM9U&|_{ zmOz7a<4d3}Vb>d1a_2KM($s7Z^TDn=5;j2|XS5WNskLhPD48&TFY1~yN^TDjNu=fk zG#CMWML=ktDgKGwQFU_VeHHCdJTWGimsY+F5%{!ZVE4(G{vRHZ46sb zPxsA*g>Ul^#W21vx~+$ArJF~sI5hLbVckOf1kWn;7r9p#qVCUbN{yH!kz3PY{EsE) z83yK^TzT3|<889LXV&>FD`Qx6W4|OhM#+mDRXuLM1XFYAuG?qt?c%v+^2uPqV_1M! z%l>H?8E{eZ(Y>j4k*Ph(t~0ovHiVSp-qC+Kmr6gxCkOxkMIqzK0BK1nzTy1329OLC*zDw-7LALzi)r%@q`N#kBz`pih#ODobj9&BU|P^r?ED4huHV82#~>!0_?8{ zeQ<|Lv4`JQM!DfSphBOE_T@BOr-q;}*;`WZA5}6cu#JY(>Kd;hjgQ&uRygMt$78$2+={0LkU1nHI@Qv?jxxDSs_rO24MKwZHjoV(|)A zj@=fzB?7RLokja6=qkUbhBcJ7UgKlfuS0q-EoNGNT(~hnmW^>DqnDfb`yPa)p1YX= zl*GMIN$z2FQ~B=d>Kc|?H>~_s`74nCwXxwa1?vB(*n9E&Wb$*5$lT{1UTC&`IM4_qBHf9M1^%dGSN6OxHo(E$q~P{5xJvB4 z6~@uo3uC=6j0XB#H*MD&FB$D(UrtZRs80jtX!Ny@3|B9VBj7aS+6d^L;o%I}5#bs` z#MOr`#c{^K5AZ+ko?33x>qhDjBD>gqVW5W_kb;m3kdNE7pKnBVxfwtj)34<^a7|~| zv9Dc6=Dq}u3`}1Fz9!_l0FE^mz`6LtWFT5@6OaTD&($xu4Tu0__T0<9?ef-yU2zC) zh%!WFU40bzmtOY00AW27tEywCM+TH+*_m*i^w6j$An$;N%-}II`)uE(pGn>}6^@Sm zv+e3KGTqD&QP!d7m#Gz7JIq?_J{sOxWoE2ziQv;sj2|Exs*q4f2=J zW|b7TZw%|%L67=!h}765nw93y{Dc|iz_}~)|C}v;P^`PJkm57XYucQo6z0%KwqLy0HEW0Ismx%jTXYyoAE+rU7_a$7lBji9mN3n#ZT9`*?-}ZJ&~CJ ztnwOai78?$x}QA$JrM_t5b{5uWae|Xef51c$W57D82}Vpd`-J3a{vKAsS`MLppQxt z`V-JyEpdI~VR4B3y6L3}?n{pVKQRdr-d(ID6+Y_(7O)X4u*pp`!&N%070PEjftw1d zI*bCdaZ|4DnFY%Yw%9yTfy(Uf^n3uEu3`s|G4PRK&}pi-lkc#|^AUmv{$LhcElD*K zlvuPDY`aO=Xt*lSAv{|L4$PaCOx;;736o9T*+{8O%)U(ppOs9p_Oz)tl3(GwTl~U^ zAy0(wBj2IKqTOJCE#2Z>23%F2krn3mz@QBx!wa zz?p+fsk=!*b^&B}$G3GmWO7Ko3D-u-+CufZx{H(w>hsDF_fw6krL&Ku+{yd`G({{^ zT1m$^*Gt^3?=FXu2ho7*pBH}^v%VZ9aSZ2z*IP><^P zfT`;X2BgfOdZpFM5}gj3n-4o*fLentYsolT7ZjexENt;%1U?@Pt+ItE%`e$1W`{A7vfCTfPV5N#-8ZL?RABD>H8Au&{_5&swt^+ zkBqcpg%?)D^ZD)(GIZOlBT@tM?@~v$X$!T87#X8z>_xOZJ~O5K$fR$@YOc&OI2OE+ zd+Fa3@YEMd=5IMexYae%0aoyjOhQSxi#z9uS;)HJx`{=XIZmZ1Nx~hb=naZ3=YSd7Wv36(XbQwq)p%$F1( z==Yl}0MTwAa);<2z5PHIXn#81V3xiweV--yny7^aw?5~gd_Ak;7r!QUQ4;NO(7F)C zkzxwdfq9jT!e6P@`wVU3BAYy3TSg(W*Yh!myzzP`X>~wi#*=|~U2hh<4Z8PPapcY# zGEy2b2hG&hb=8K_sB>NoUd25s;JsK;h@m^%qQU#Qt&yW-R{e*j;fzGSJR}hxhIA{3 zeXI)Jj))rw}F9J1$&>T`$=XZY<6{F0`18)#=lpnrBhHeo1a8H&bl02mj zyr6emVDaXIag4+i*Q&HwDHdR+hM=!qC;JVUqp1V;00CTwHVB|ym#%vXX5B&yRB#3DbU!e8!!YY{ z8Lsf9v2~|n_yzNY{NNwE@(ZFXnx8VJvsHmrl*>um>xK=6J(g2{nlHrK9NfSm&LdW) zv6e8BaC4?}$M9m7~8BZ^6MLVSxWh^$ixb~PoMja!pwsVVY#Hd}LT&iT9e+jNNs z7js#nR~n|t!jv%W4{qXosdi4aV;GgH1Dpc`mQFm@EVsGdfeQ*!nJa4)z*JRetB&&7 zB2jCWU04?nXI9lJKw(IrAu#66k*XO%D@2&B(mKQXRn&rXNh)7CemYs^Y7KnULIR+_ zlU!vZBz^Jy@ir_CkKG&tIfGRQ%3_0N&tyhTUq0z0ZLSho^FKQ9-hf;8>U?E7yHgn+ zVw2h8n{JXG&`(%Vk?sSYW1;GJAg!9w#iE)o-3gQqdfx(QQx&91g;nF%90d=c7gADT z*C(P<-(jM#U&+|x8#PaFGW;?cF9k{iYkTw4^=tiZIK)1L22CeQn^<`sgbtMEMIMFhRdfBGcbp_k6+*-;PMr6CxF6Tk-Pl4@Invg@vc+@5}Lg^VuR4@1GV&CPT`k;COSnh6+v1 z#)srm$!;aSMAg4^h7r4e3EJA!&z@su=bzqKH zH(KHO#E7@|z0Gr#-v~TNSEa^V`!TD`Z(_Gs86KXb&Ke!sb=nEK3~U}{ zYORd;DRif{k6>_g{--hchwk2 z(%|)MV%&ta<}f6yP+%xxW%9EyZI(|L*H1q4&am}&;1>^iaZX2zhs$e#H&W3U{V0jlNQQ7_^T{l|z zkqAKwF@4Q5Y#W`OxeX79@STm9EQm!{PQyhaD2<%AwL-7Y_*-Gq6X?!MIH?)tkkCHv zt#?C)b7%EzF|P(;eEimqko8drjlO$CEU-M0i!La_u2ahv{g#!z6@6f19)~zW9KlQP zIYk0o+|k<=+rP)dGA2h+z9B$s_miqN=J*pM{l&LfadQ;?dfnXM`8!4cId5SsYcv#< zTk6QrktCy+?MvEAykxr9>^_)a!RyD-q&r4Z(AmJr0eLiC4ARH5a~l|(n9^bgD=Ksg z49+FkKHjG<{jBSd9MmmZ(B16h8T74RKAPW$a1GyVP3N#=UhesxFv0YLj$9A@#(svr zTnD}K<`TghO>BFON@X30hy0_s{DU5mwJKfP9Ox#QP*zmD47(knh7r^v?H5(4`_!37 zk;o)h+q@(x#O))~SQ*JI2|U(~;p5J!Bw1&b7_TEQ(!Yg%TP9q*e7<+%89R!}^c$_F zXldYrIQIPX0gm#IMi~(~n9tvUp~^6sXd6H{Vit8!K|}2IFI*jP4Ey&N#r0VR zxQDAnEnp4URcRzM0A#!XZlw+?3-mDqaQn5{z|(_An+<3L5(7{bvA+fub=RmCLBrf+ zvkr!9Lx3dMf&vD_Fvtd6i3v1fW0QfSfYG%-zyhEM0RF%PH2}lwJb)H}q!F_q&n_Cm z>+wT%c-UE^!A{T>ye=nN+RKnX^J&P5lz2=Sd-73i$hN;KfhANy-D0&~t(}}B*XSl) z0k*q`))VwYq5@T0VKFxti2tX3ZG8LY1LiqzYt>?MiO5}S9)T;Zi5V`8E%=zHlbS_N z(uea-ovHsKo>We(ptzwQRwZ)5obSWIBS%HrWzPD7GQ_ojaN~eJM@$)QKrq`K9^X4? z%}dWp7~J9Q%f4u%Kvu^jw)K2y=~l*rhQmDgS1VjEl&Z`P8H>B2PMyZET+YTw`04cx zn(5RH2itO~(ebwr3Z%X!+EnvKH6#|f7ur509E&hJpNMg($qivyvqmIN&yllUU8REhv!$Ff zr;%XSs)OzJ|Mbm-iW`#NHq@~J05aa3{ z6%@XjDA`m{iM}>NP(id)pAJGqqi0TEXX>nyvmn|-O$xYwCyFICzsi~RP!h#f6EWdy zWLRtD3QlKgtYC>y>F;DYee7M#t8Sj3%26JBlaH@;9hAe$eC%7GN0<$tTu+wdv zb6p~&wDqXFJ8D*K#wr;R;P;6%p-IF@Z!qzFFZNKVG>@QMe0S5hgOem|xq#IHJyt1}0fvRmTKF?Og&Uvkf%C1VZlZyB8@ z9215XjW9MIU+DaK1Y3i9_*(2(G|k->mlb5_5)W=SRC`1=#nmROk_ePj3EP-;sH8QH zvnQ+MGN|U5zT&zar3E`TRMSp&q7X;CWuTK)$uSi4B`#OZc@&z9GJP!46OgfYM(ubJ zGzPMX%-?kM7{(2pNwB`$o52ABg)?(|2f^Q@gD-mIe$9LWmJG-8$p!{L@9j%R+}fJ~ z%pb5YT=u-&+qWP5e9;@dHIttlmA^?nV1yg|ytD5V8LfK%&xW`J49KpZA7SSvc~g>BCqC zfR#}oS!r311BCOAbY$?au}>@vzh>5Zqw=Nf*`oJ`fvo?A+mtH*7EcEBy7n~uNqWHE z=#!NFKp^!1Fap}0{jkIe`NxE^?M zJG2!PiwN>hyXb&qj9ol^JT;vTFx3D6ucQaEkRwv^q1Ux^7b-<_9xl0gLBp!Qsj*mt zELPK28ABW}k12?y6_%A%$td@1}rlC=B*?rYqpq^SK8FeAf(4I-h5yy~S zQD>JV2NZA9$%-T7rtyMLvIkX)ZxbpPJL?99uxg_&xk{Kbq5BrK?8$imT>`*aqYfl; zhZBp_XG9mqCdze?W3eB_gS-CAS`L-d09wR1VusI4PTX+DPh)F+;a&#Xs1Q{h?6tUP z&`>hQwrFUEz85Ii&8y~`#okxWFrv!%aWQ0kDG6+wpwrcwkCyEV$II@d(eXc7odWSRv_!_%L@h7Cu>B4fls|{GJT$T`s+C~-){REqj+9ik2sSZ;1JUt5 zIw>iUm;^szW{xYEE6?vZgtc)Q!-adjRy_(t>>Q`eY2+#j)rZD*$Fl_GkcF90dsu&W zxxvsS&w$;D1NbxR5Dce8b$L5FU(gwODc|2Mi6coD&tMI~kF;cugS)Ocm@CVWw@;R_ zF0iEMuA;3(%zEDUosU4KHTBkaT&Kh)EtsuL&Jx>$6I~BhL@T?xodXe~`{Kq~o-@&3 z%@PLL3sNf+EVbz`uwUg;&wc- zr$Eys<*EDInApj1Ap)Kr`8Ulq9rKL?wAji#C(o{cE`NYsy~Hmg%EX}EoLU`e!5M)QCB?U9DWm-8 z4k2&kLqfH#8aj@99l{+d8gdYOW-WRiVcyiS^#RwNkJW20Wn_uWRgg=-4gvbRG-GAs z1WW;-Wlyek_)YPck+G2m*x{IFF>effTcm;cWjuWbh)5VFzy$;8i>7e~bP9|JIm5HL zTN>-Hhp~aH=%P{BTSjPqkzAFh5@Ns*cVDK@)zn!h9p7Zyp4aG4&0?%DWp+>bwk#?OK)|n_gN3P zz0asT25RKJ%LA4Rp&YM&TcYqzt5S0arVvKBrsMPMpPe19nGTE}z-O^4}wMnibubuZ}&3V;(B-NvvQ8dm+({k0)2v^m^ zBh+I!ilnLL5^G+HwLiB!X&SLuJ#;(GW#UB8G@U91kFEv!*QZ?i_VWD!0XJENUp0t$ z1xaHlH4N{QEzZ;BNZ2M2ZzujkRSNR1L4W=xIBlcpZR1kdmWALKhp_SJ1WQwb^Q4cKz&STz_@17bS~ zJ#d1fA;yG9_OC}KrRtSyVF3~WlW!wb<~Daxw=G(2`Zarc$P7eXvIs&bG$qz_(pX$* zXHICdKbDKh5s56wsjM??D2TGTYjnL0Z=->YDT%Nojv6GP`RbxEzX^ zgQe$mOjhmN-@8lVka@&#L^BfYp2nw`(dk;cuK(asGy6&f zd3CNZXA_Ao9hl);?w3OiVCMlM!}>h8+>F_|oGM-TB-7Vr2=c6v?0zhc%&0%1ctNZh zKAq0v%#!Tjk`vx8=oi>V=RXp=?(;H*CdS%6bl3tMYP@aiE*SiWu|C!XF+cgFNHom3s{&?0pgbf- zrP0*`K~V{uO{d6&*;wvZsIAc{mR4EzV>m*GY;{X*Ohj=HpO8N_U-hcotiElaLC64HJet|X8z_{nzBThind}mYp|5?VB$o z!~EZPEBmIN?b@tAKK!n6YYMu*A@6-$%^Nu-VOw@5nv*u>g}B-WPKM%*HwfoqbV?=T zsZ_geZe^ERN3xnj$KEM9Jz5lMJoDtCK2Lc; zRAwz=joz@xF_=(&`MY(TUDn2`n4=H&edGtp-B%Gm)`s6dbu51Xzg7B{og8Mb&jJ7N z0Oa~9SSf(7#WGejyx6kMq`vPR1)UBeXI|u;hq)~2EvNbafJW@XgtX4py%o#Zv0Q2T zB$ZlqD@?|1K51tp(*@k);DF6Nj{OOE;}SO?b0O37&eY6F#iQ;wkd<8%-HAiD4jv5} zXW2=K{9%^Bwgt!r{eM6*Qfhk>O|69K&2K^&;^e;C8G`!dUjJ!vut5IIyS;QUANqW! zu?JXDkSx2qA{a!cqYLJ9VU-y04v1k=f9kg!I71?m{kfqCoXK4&7?XizP|JDW>Y`v; z(%1$%d|_oQp(wFF(jVPrL1W!7+s%k}n19HM*7y6=)KX3ZEsMXK>`?z;{{W>S9T|1g z7@1b(IaN42TyZO?+Z_^ zEy%W+rjfUMK8v^`RdRx!b=8eaZ*EV7zU#SZy25<@m@lQv^9ENiJ?SKybUSUkj%A))HCXT{qzbCHj`JPX8TY@$ zUiI84k$39p2|N12bJX523*1lqOT%FQn-jRlJyJIn7P+7SKBBoo{=OW)vlqK{hbHy@ z{Qh&!>t394u?v@%Y*G(`+pRs?i@WUg6gK?dk^rUuPgzo6Sh4Wm*QBDhdG!IY@Cy6w zn>aVz-#Zh`QqZ^S%A}s7+uJ|?Wh=lbPK2}^`TPgO|0lWPXF+c2%$pczh7?WFhdsnp zg51b7q@FIf*=Yf7*emy`QfB;}qIs7+n#IJ#)=YX%-J#(Cu&7dNTviliDJgu4mJ8x$ zL_()B?l&UvJ>InP6HHh=r>QhOQIe|mwwSJ@WKh1?)=ftDwLinH!}U=4iM45ZDbvXh zdkr4#m$pU{>@kWu`L|rF(!F`S$hspI;JY!OI+_Y7?NVjH)da0!i_ZeUGwL4ebYlXi zpe<9j{x(IU-yD$Y$<9{;zX}_XV9SjiK96P3H|n%#@A9orJ^Usdm`J_HA5%HX!M(Ld za5IE3Vc~r`mh;Z5`tt7~X;gaVA_RnmDjbHr+MfpdY&9gsEhvW&mcB?ISNFH5T3Ybv z{9x)MqqoWo$f^d{g=#Xqwx1fhyl;L7rt+F|^DM8^yRhrIxR0b2h38i3oo9&Z^z4s~ zf#EW5H15`Lj?@ItQ$KE?-KpOuq>NHNciv$}Giy4O$`f{Ve@iy$sU=S-Y%=K=;dYz5 z<1m!t1eQNuVHa(cmc@9T?+nY^vaILw9K0rSTj%c_&)GHLny<0;-2PZty-fW=A^_zf z^>Mh^mz>*7yC}tgOm8oEjKLYCQJ%K)BQBUI9J#Yej?%5={#paISfgTl08(XLm6!A- zenO7gZs6hQE;ZxX7NK;W=H9axXWt`=WsmUOdlkU^a!i=IGo$jERkbFL{#Elni)Q7j z**6glL91a|WJMZ_sM352s0&g}r8ohjQil;3tsArSwIYZ3ryKmM)UY5BNZc$Yqn;>u zDM1iFOizj~v=ePJh@-aUea=9TwUY(h=r!NLQikxp8^uG$0J`HR#j(X|t=q2hx*5?OPFl@}zPVA)qeM_REf^_1fx(s%9K z9@^B1_YgMP>z~O>8Bx8b>pgg)#~$WIuXaQ*9CAzjjW@z~Og$8S)aV2u^;!F#+v}1L z7&f;(q*)f1rHn6VxbPiv3T;&-7}zo+k3`TZ8@(U)wY3{%N~mJ#+%zk?#dfdoD?KQm zlX;EU<&A27+xlBe90xa<^b7mX2hi2eoNw^;ih@TpUk!#|AShkgpz#y75|oo5W&KVC z0FF6v6!u5^-Vwmi%K!RE$?5YGU(Uxh_wWb*=sSH@e_V6(bMPPiOgsREyiNRSwPY>* z&F|tT(1Wkacg#zE+&Iy8`W*I0|Nc?v9{?kq{PW|TF39_jD!`Pw2B1Z_IbHN*>dn_1 zd#11IUjNR#;(dZu{-a-l4}VyAzu|;$03NQh zdi8_*Iu`d6=+e*3E8#nzZ?0xu@wfbdWa5v17T+MQ-*Gsj=PVb7$)fS)~tpLn>k-?<9S6C#d92`2xU+ zZcZlnG59EyEVA|!Gl)ZS?KI3(uRQ7Z(@!?nstrGeh6m|aF5IV*~cpH?T9n=Y=b0=mpj8*nW`ko!CHhX<7|t9CKN&R zl6iU@4a-iq+fbZ|%|c!aFQ_%vvpj$5Tb-{rAc9Xnth~)6%&p7`?GoSN&=z#0J~SVQ z8+?~QFa)9lkb2~^+ZYx@+cv3QdOyLXMs6QpA_8h_4ca9X8d1jjM3cJoOANxtI<5F| z{VxPK|663=(Y?hGiaC2eVj-;(_w)uAtXf&{^Bn5*{wbHOu+-a2A}dX?fh5hO+&6M+ z9V}Ye?_0SKY_saJw#W_H`g*MRP)04x(!@40)D3iF<_YH2Op-;cDCcbgQNP6$aQTLW4exmZTZ73@;>22KxGyPQkdv2D zL_+KmF-d8d7P#C|NKFb&{>x6^2|qWikxeoGH};u4$rWRO3+{0hgbVgC*=<;1)stXXNo$piF?n@vidy4?F^3Gq59jp1n_{A*rRX$q6}A25 z+>PT|vKC2I#dwPv8+G0aP)Q4=v6mIMkZzFB$|y|1gDeR~Q0S}mLJ&jZjEw?>r*c@y zSZd4)QWE)Kpzjmu8c@16Z%_*1s?+B7;OOiUv1aES=gSRlD0|7x?iTetHLpFVIyfwC zmao2Lx|ws;i~hTRYk=n6aj{X{G^;HcVXY**20DL*^9izmzJ_mls_%nTX(z37_wWJ9JpL&v_ZV!jHIonV& ze%*NEGLcSom?EBJtV)TjR%H@NLJm&oG1U`8h_th7jR{T+3!93AXIqraUQ;`;lDy$}~@KH0_7{4Ub>HxveL1a$Di)O9vR6UjE2GD{30Vgg}eVc-8&Ll^Uk1^sU= z0RDF^z!Zx-ShBq+HZlj)f!i)~cV0$=9#_oFMI@-IgBgCdZm!v&Iu6(Rookyj$ z5MboT-Add(1+#*jkhirHs!@aW>lZ%8O--wq(n~8xcs$<`4TxmO>hCQmifBNUmLtoB z-*kB|7erUfY5LU8A40?05l(qkt_@OpjwgAkaO)1OowZb)?&fL+V<*XN8ip(o-^S)v zGduLwe9wrFECHP^sF==qC5DD{$lwEKk?Cl3jV?S~uDI)`kN+Fe`>2G7k99nqmF)#) zgdE>Io1zpC#Cp9#afv6Czo+S{A$==nI)BI#3G8b$U4}j~{uJY@pS6_2#721d_K=oJ zc2~<&?2UDGRUvY1-aM!IS}8?Mnb7sJ;VZMm)T97Iigh?Ig0tGXgq%E6k7YEBuqj=S zG?{XI5>3bg1;5kKAF3et*JSJ$G zNM@aX#h&mGtR%8Wh4*y`GL#30XkDRZAP8L|S=SGqUo}WtK`-?9cBIs%poT1u6@f(NiQC&oMR*P%^f+Rr7g?85cDYgDiV2 z$OxH|T}>yvZQ?*D^g7LMG3DLN7L83f=nonsN}gGp%z&bjMJr~Zy45vYg62qi9Ykle zC|D7jty0Be=c=qsg#{}qj&~GiniOr+^rTbos7KORUh1(N5Vrkr0GT<7f`~P#&2kmkrBajM3RssC zm^DnlxFM*eSz6Xj3w90Kfp6SULmWDTJY1(LZoqOKT_irE=!sh?7D$B{1KOrp;Oq@b zj3Nc!{4Bm&H!ltqDAaD%^R{;q7RRzhlst9+1V34}7~Q@dLE}PHl}b$nYGu-Tm&jyJ zhp2XJow+2V-8(RTxt*FW_e<_;Z`7!ChcvtEG4()*H0Rg~tIENS;g!dg>n>mtKOlGR zl3y(IQ0CFhCfmdHS27RfejhnuqA`(6($*eV&b!8gIKV7j?)S_b`X%}n2JjZ)@!_w_ zFtP}bANg?=458L=N2X!tt>NhGInw%?df z^C#*-oP7vO2N~{VAW*7y$)XB`FO~`3PJQkPsWaSBSo1z2%MqN!zL6PAyE2Z~c+U~j z<`?3hV_|ON_CQX)BF{jOw3IscFxNyG?awk;)SnfQ8dZP#>0Q#nn>vNT-GZ zh@nc2H#XW5fm+Kp72^HXH#xH&Nor&0sz|UitUb7V5=BNg8;@&^0|#8hjq?#ebM$m^NxBeY>*U$OXQ!@~VAsJ7yd#M?gc zYN@UuiKQ3^-JXZO&T`9aI1cSmwZuISg6!amasjcgf9`P7DR-AjCfo1}VcLeCQMeIP zkK0R3=nWh1>`_MLi+D+`kvk*(_O|?>K2twu-n?aPZzA$<+f>KQUlptdpP;zxxF*-27{u+oqEHDh~Uq*nwDv>K1tRJxjbkQQ48VTR{T?O`&K(| z&ZVg24)vjQN@|v;J!Z<3H{AhZV0@jO^cRWIeOnfzMTwYFsR$Q=PO*AqxGUuw)2J`^xV%R`inOWDs7K~l6s2YEj(B$9{#}F8 zDq0Z653sNu6MeL(t*M3E7Lo2Gxw={rh!S*GN&SrD&^;?fk|&h=7Npx&=YJ^pQgh$9 zb@L9t3K?aZS7*7%k#+C1#-=sQXP(N^uT)6J=p%U>adt?2EFDr7tfK;|pN-WEv}vS( zwzl0g8<(B&cJ_+&$~sCv}Mo-qAp?kH{;8#aqXNmZwj;)M#~@Ym-_& z@D=5m4&Akb6-uhCe29_}gbz8tzso~vZQmN+1EtqhlN(w$OOp$rNo+$Q$Uw2WtBSOS z2=efZ)9NKyopF?YQw^4R-ZNjsUe42?jNIp5^t`&KvAHzh!ZKO##sWH~YRV{0H#Pi( zk&Q6XT<)DBG6zcBMEUfg_GB7KH%!EKF>cSQuq^f9@@uhM3Rw(qH(%a`yH;r08(A1- z9&=mwD~^k$pG;!wSo>+Jlp#BY#Dyu!W?pOjajg%2?1Fu+!V){-&5j>ekbR`rfLc)y z=QNywHTshNKf2xns);Uo_YS@HUZqPX^p5l{(mP1+AfbbzbP_s92?9!&-b+GJN+1Xk z5CRAyLXglDMMSXQ;eFrxzxRG?eQUW`narGh_RN|&X3p8q^NTCqE?NuBd)0#TR!jG{ zVGi=TOpnPxz~}1*Z5nIbo-SLDn8(1MiO4qREq1`Nu8xYb7=k|&bgOZzal{6z901*Kr65cM~WL)UF62( zA>h-E^3BUveIl?^kfso#r{f zv`1Ik*O%e<&EJu#>|stzKtc4B>uuAW8&%0~MY$-uS;LH8KjI?-1#KKA#@A?Z)MSSw zDar-#EhTp_C-=(NnAEInIOAiU57DE+s>ogGmr!+s5>a~T zu(#mFE7iU3y3#LaALdP(#3OkDmcRz;9D zNsY<8d6Rr2%fRKeP@I6Z5aYhwPb;ZmIks|}ff#6tvay+@70W@m(+rQ@o)c7#%TBl+ zN;pxV@+U7EqzxYG3JhK3Ja6H*Z){y)vg6YD*)}p*m?;SAB3@Znc^?1R+aGOd-5N)N z@LvsX4J5knfj9gDwGK`@ANCq7Vvg6j?hwS#Z9C3p4Cb^GECip@FTuvft=FXW2a=d) zDs@*rei{_n-b|Ne(}LUQs2K5qX#mui2!r%zj_N=!#*z0I$$B)9#O-2@u5^o|=Y$C8 zobd-=szEv?Il-it)(S;y&9LY7mAd|5r@@|p?P){9U~U1O*~;Y5;e>`WTd zin7mL!x%E#q!fShMO%n3ne`6!T}n&n&G|+J?T%A71UCVv<#lMVnnctOM?HV*p{DZS zq$bM7y)RA*FpkCnCykf+H$$#fn2kf~N{~Q^_Gqm0` zU6ah7NGT)cdXb#R7i>M)#2zi7p}$q@4RhxUX6$cv!ilKB+5rZEFZ20@toxgIh2yXtOCzQWKr45?7*jOkU=vT#AQ0g?l$S5qO1Y_A zQ3BNlY2w0mGLC4k*7~B%ArczeXa>0;k$xf#)5&IcVSi{jPNe%P13pjeEyi9H9fO8G z8i?qEZ4a`iF-3EhHB zNA~?p-1G>qW5ICaMIBVbP@O0|Z$?V{pontnDVv|9t!J{BPj~iLynFJYNZE|}HLOG;s&m!0> zF@Ad#BDyhQ-N0<2@`nC1l#-yDAD7Jr&FOHEluUFjtTpEfX?w%cC8n9ny zi4NtUaU<7GWQ!0DJTd&D6uQXTGDf{ccst;X)<)Zm`GUz6SK9BH&m9VVm#b0>*heyZ zkqA7^u4cdfCZmkz`YH${ddSWz>g!@jB;E~saEziyNthWc#JYN~q zgu1t9Q>2c+;uh*A@SXiwEiJTe-X+j_Gr4bA@FQ;-UeYR+%y@{$Fju;(qy3#@@>lji zeMwH~K}&BBp_F9ZWGG8fUhoiz!+~*QSSIBF)NdE>t$$qZYj`x$RjxuopaZE6rpG3N zGzpVR+!1W~Z4&NI89F*joKgxdd7rUM6f2f|QVy;tsTAE0%+Wc4ww^xSw@vCubP@DT z9{a6>;xY_YS)E+LYw>;^9UdFcK=ijm&^CB&cTUwv#b57o;r4=3h%`1hPV!FBlv zxmA;N{cLgibJ%;Hy4{p~z)S{3D0p$qYYe=`G~t^lY_n@xv4lB{^fkY7lBzvYLRZq+ z2@j)GQi)R20*DAm`GQe9XEe3{IXKeFivR22xIi8XeRL+4kiz&6e8HCV*X+1Bv7$In z??V*DkH-zBKZQL?I>7?nC-&?NbAT-)DIZ|Ox2Nv&{IMQQX$qR-}HfTu0QP!E#H>m8`Zdp5V{dA|aPCNR@9_}0`C8OBo z<6Sdp|1G@B>ZPK*Y)Pu_q}O2UvLNHPz4GCfod(jqs9kTbW-@svDshJP*>qbo04c*i zPJ1A85SaXC2_*DQg(F9Eth-u#;m7bvOvzu+jL4%Y)++OQl!|R>S#tk`(nrIWj?AYVXUjgr-5i04A#3te;u@Nrj>UH0?l2q)i?SEmGi0)I z43oa)OevMXQT!I^Io9||r@scH#AsvJP|BNZ=m*tbS*cw*P004trhnZAj6W#xuh{`D zmLu-94k<76yqly-sM60l_zxbv>8SE}&+gemNwPWo0$lZO#`CkDQ9M~ef^2rCJrtPg~R5~>KsAvUjx>Ed}`4aq&V z0jAO&BjI_kI!l`#eB-G{+9IFVL7y^sXg?uBN=#4J1IxMW6B$O4VO5{^wYJ(xHu!+O z%gvRwsI_au=9WLWq~y+5nsBhYIC5JUd>9BW`xeI^7a5vzke;EX#o@00b)%(wE=+K$8jOfrAt5;gb z-XE_%ocs1C%n0L-4r+92PUbpP#^k|!T);*o^1e9H(O6tJB_Jy_4p_!sp0`3Ki2AgTbKwiY!q1%b*KtDTbF_d=jt6SBUh zUIJ=%uLVH%)G7A{%iZnge#)xI*5?Qzpv`g?zRSC9gId#nZQtx#!f9vgs=Zt%MQd5% zJ^OP;_l4;3)EapL3OEk{M zI5lCjrwfy;wX98FWe~sq`ErAYn2*%x0*dWG0 zB}q01x=baWNS9Wb4Xw-Un76p8Ar#-E7{80gJ&u%^QekzZbTGBi!!Q1`lrLW0VNXKj zZIFHjjgm-7raQc_vDh%)d*ryrU|hoakc9r_hoLq<4!bS$Z`^>XRsLMZ>&M8F$_Y<} zglBIcbOFybGL9Y%FGVUm0h?&MP{W>`9x%yYD+}mSni^9T&~tVI5mvJEQ}oBE-;*;e z#mRjb1@Y04C#SaZ`~|tP5XTtoCc~GWv1mVj3aV~*^0s$8`JTE`F5;~~RNXU_Bt?ao ze<{)>iWB0YL=pc`S&GgPwQ3!mOy40I02khtplWLSAs(*z`;EkwOWkZg<(A-$M`DY_ z<|Ld;W0d2^1!2a9tOM2^C6-YpEOUg(&Ox9LyN(&f4R#Z9$m^s6v?ADkrjLwKmbMKw z!J*5NK{he7Awk`CgWJ;l`1&M;k`W5W65Uwcactt$!FGB)t0I)K{zYd9l!iUD+^R zNM%d6h=X4!>pY~bcFB!po{YgWoh)IAc$C%P(GcVW~BkQ80qish&ur1$Gc=w1X3|^8OSC(LxCtr>XktG_rjj6mk&+$R@}rl-bRI|yfZ;Q8vvF{ zwO#`M3veb8kjLA*{o<1N_&J+cn%tnL3Qz0gr^G>K-1>5i*;ITYVlrcgy&j|^p)KDZ zMsR@&)2CYLjvDxurwB}4kLXOo;<0WxX+@bn9xp&gsFs~;0O${`zo6W_Xrq~h@0tPP zL*TG2;ce8&5nX@^b`&S=3JBxAmA!!_HeAWsGpci&PsXuH|svL9Xv z8xg4^fMyYhE$wOmi0Ui>m7^@6QLHkX1X}M~MK%oqVWm&WXa#^!fY7neH3-Ne4v^c8 z!{XK$PdoVDqqwiWA_aQfprr=V8I-+iuqE&w@J-b1+_x#LidU3ea)WS0Q)_evJ8pHj~;$ks!L4SbntGGUXJx_t!E4IB=^ zW$>RNVFyWr!wl>$Fy^fQ+!1}tHdH#UtpIjYKGL%QMb4$OOT+L& zv)tHQ97=mRN1kT6`5w+LL>+v5S~1l}(xe}@;l(>64I*8~{xykun`u*Jjg7=bMOP(z~?t)wuI!fE|T%JbBe9fl7FYTjN7JkDM z9W$4x!M6U(rQx@r#Ofjtsm2I+uj-CG6M<24)!w5a1U$%+6%?S#Q_$+c(Z9%u>RzW} zUQU8G(7b2IWV7^{DkZ08N}9_D{wgRi4?w(bTS>lj+Wpj1hL8&(wdwHw8lSr94ZZ@+$b z(jR_TAVZVhX!9p|LIEhbGk{V3eWJJa3i9`s+prLEs-^FE7io;3RdvIPypG2!4}3L; zr)^SAP}0B#A0ijeInpwuxMZcCH*3nr+;|5v-EO~cCrx38x??IH-=dr7Nxm7}MjXfu zdk9VB206M&Z!Wo-MmY+Uu-y_FHoHtAvG2397jL0Z(YA_NVx!?NXKCG|D)c#4UwNF( z;1JOupU+NHO1`{7zNVXEO<<-z@gk`kL_bUrJ%mv|)pJiW+H8GB&zl4~rDH<*;k$J+ zOJ6&Fspf0;S#^!|=Cq@15I68}t2BHYqp<;%iIa{dK*v7O5fIP`t4z7>XVsSpG>zk@ zeyu|T#Vcc|?FId98Rywsefd%ZQas5lz2ZiTDzdwWjDJV1!u6ejH$VcAoVc={pZc6) zbaHIV?gpt_&f2w+!CpaU_jD0LD>ENfY2l;)$L}VgEEVi~nVRBy`^Wntbcm%1tvRhAESlY|IW9Nl z^Um}or7t_%VsC{X%{3ct+?{RSB`( zq+Lvy>!G+k;Poump-Z?;&tUW_3Q4{4>l4BDb}nO~EHmfB1l^SMm8qbgY&S_rSS-Tm z#R@g`8GbmM(a2`}1v!H)ZLB`&h0N(#cKJ;HSv;V?*$wfrEZGXCoAY-uB@y;O=$)~0 zl2nEK9f!sezIPmyVDy%pzR8L-`T{Bu0-yE8ysGyq_#%W*=@G2L_;!y2^Gb9b&FVBpf z6_j=4_%<6TS(WtHD>;%LaUEK z%+h8JJl+|e0&%R$rEQnT8EX`pnyo)_Mj*FZG5(Wj6c+?~4sJ zO3UGNM5~w0Vx>TGk^$!J#ZlSUzR`|Emp#|?*!x-bs&%zItj=!LYzaS0ZK=;3(@Ywyfk!#2Y(=x}Y`9Fb27x^IK zOWZNthq=EXwYfjY-^d64P6@w(t%UJEa;Kl#M*nOB2!{B3(PiJFvww&G!SKW#1Km!& z`1#~bS-zXcrv<0@i`Cob<7+3KRDBIX(J8ng2=`{4zU$@s$Wvdjya-^VgHzDWb= zb@KTBuJZbHK_;_#`>bsQcpU+%zPcaGcSDZb;(pJ)J8>U5FH60U;T@VocXUPE-`@R$ z&fgrlhPbhIV~~vOc7FOtVJFrwns~ zqogcdIG{-tk6uheCyJS)<$r2M02d*LKY#pws z!usLFyqEh;plxE!Zer4o60;E+_Oe<#%9`LP|4PJP&=Xjhc zp4b>*bqkuId}~)Zqqf&-K29hzr)A2rA*mB&$Izl-vuP`1AeoFdwj$gYc^I8M$v zc!|aARi!q~wef&YK_7+E>3LTjl`JRQ#1~y9X33j9Q;wPpkEeOT`EYy!K-rS}DBHou?_6y59vz=N$UB z-bg6DtJN$LO6rcz$`TgGBK=G^k&U&I*qK0P{?!$QN@-ewB_d|!)`3#uCtUR(lE`15 zvsa3VPxY8m#iVoyJKZEaRTXGCA7dhqBw;O`y6J3qN-OafbiB$3sVSj^xuF!_r+g%+ z-H|KQGjOMi#ZJt~e3x40$o>jf>E> zTdE;REgl!?4WdsQ>Xbw9UJmp;0kki0TRH_IhJ6|^zc({D<0Qee9~;n2?< zw=$6{IIPdz#kEksOAc{X&__kJC9B4SymriXSs}{Fh|=vMAy%sQVIzDm46!5MCM3{F z`*Y2aQtKwOJ6j3p9oSjVzi&g=jTy|O3PMHNbC7U^D&+Am34K6;Ls|~hO!EWbyax@j zg*60V@xu}G?naqY%B3w;l2s-TWMS%bNc^mxnZesBHo@o@3dSBp$(GWUR0KZsLejW; zdxeRu?txLW*mSy!4|!W~)4>JmgFl2@?%jtW7I<}qwpK-?O@mnIpiEW6BfWg4PI#zl zzLsF)gVzu>i$t{5?!sho+?mquwiyO^%$L6~Z&u|N2Y z5-vK!n~iQv&sAh2oi&pXN2gmP(zL-%#nvU7``&u*E}pfFmwb#sXTyH#N8BEjL>9ZX zD3aZqxL^By0<+|Y$&-@zl~gCOWIw>5RFauwOBw>y_2{Jz7E8O9&X}+#r^O(W`1qu9 z%Y(N`Ag=p8BRlpfN!1@!@~9m%N@@$tJw@mx=;t{Z=et@g)XYe5cbawX#E=h?bb0it zq;5TF^QK)9*B~K@PHyOL^pxS0{Q;_F{8U5smV830*kc&P(5ADqqCFTZtD#t}IBVA7 z?-^BJ4dQ|BRdq3KaW-x`$U1Vp8VxqE^Qs=*HVoh}faK`I+}aM?S?sb({d}J^Io>l6 z&`~GNreP3bWZNbpD`-uT)e#UMkHHTTpEyp{*yX*PeX8V;*29O*rx3@`HkOKbJ_Yl& z7U)NeImCFhDF5<^z=f(J612$IH5tc;RMWeUri@ci>y1<*g)~9MEp4`~1{wF0L^Vu_ z!+H|>Rx2XbOM?|X=XV*h#nfB$?Z|sq0l_*hAW=TbqIl2!AXB6IvM; zwGw)peJxx*>a7y4rkv*mlg{G9x<85tXJC*MgZG}ObV@3noKuDywsZjmcO(-^Q+$Sq zf?CeNB)lCR!m7%CcfgV~rIc^&-wd^iZ&!R~`bwZfjY~lVuvy4hQfLEZbW*KB=N#uE zG-8&+?7`vTmi%iB$#LcnSz6C5OA~yXRPB}RTYFWljtu&gq;$*FNGeG^xaX)$tpZ&1 zS~G>iT78d3dYzFdEy;kEMe5eUkfAb?jwXf6Ty`R6F$OUSnB5opL=Y%0d6ACx$?|VK z^UnbR1TrIBVU$VreIlaSbsti(1e*Huvc2r*zh_#qNcc_76&flfJ+qHDQZ@%r1GO=n z9i?)ia~xP!ef?Q-Dd0!O?dEuUR#ICMBuY{39%tozcV~8$mQ!3AbbMi~Y^Qk@pk&fl z`QOgDg+;gUr#nAQs{hXcBrDN>Zvo7-Uw=9z;3wKyjTf) zsb^vbpCoV*m0bS7?U59d8_PDVjht#*(`>TU`JrFM$5=40ofVkPP)-)mpGq4`O8OU+ zmF}3F^iBFUyA6E^#3B6CwZ6pC`RdUOu<0T${jrNq_8a{Ne?gBv_Y-$X_r}2<+!G&a zYA-Z`sIN;Mh?$D-(n12$#!RWq8hNO~$cent(Qq>DSj$PqmlC$FDl~^FB~f4TR010= z-=+8o)47CdT$p@ahchm{p5dq?%`Cz!Kl21S^I6%sov;NXC58;?!!Wwx=0+bqB}l=h zgPHv!-&UHZnj!Ckv$E4i+-(Rv1fw)aa(xD_)wg%SNnY=%R`(xD=A2D9i;6PTgEuiX z?@YZaw<=M!2GqFm7;g=HlhxAzycgl}9CResF7$bCv6 zJ_#ah2~&<9GX`lmQr>h05wjB!G54F+bd|CxsbWK8%pM^Z#0*(brLEjK0Hokjnb0NINV!n$V2UZ{C)`BA>9q z8F$1_y3topEKh}3mSk9~eJyMX!PT~SbxL{6oBN5NsSS=c@E0^mm|O^9gpA}EKQXre z7s;#`LfqfRp*7iz!UMd|z@!+YG$qWV-xqI25t`CS66Er!YJFyVD1a@bhOlae#ZjVW z=%p=@7DZwgC4tW%JJhi;5^6j;VDDnopRVnEn?ywdR${KcDm?IrnmqL{2tMKoA#p?# zu~CGk)LGLQ~LV>izXiI$TjU(%B z9~Y-*vgxBholKJQTlmP_^`K>?N}35STPbXUGwg?2I-i0vsOsmWPgpTNlK|&#R@1ZV`dFvRx?tlvmtwySf;Th@21MUGgI$emCxVih+L_!FI z&Pgm~Z_dO=^TR_7JwB`6clYTEc2t^Q?3ehF(CCR-n4s}5YxtqrGvkzrq=5R;uWLFV z(v)|93GD==ChUvSquVCYC{z zGdD9bl~oC&*}F6nw}Vo;2!(qe>j=Wd}N=6B5*k@ zq?{D4-HhVTl`i_7@s&rHt<7|r+{cRQwMrkA;BpZlF zh*A`b^iYMoU@_({apb6V$r<46x&2C*ypi=|gw(9x=}gf%G+Ft3%Jpb^p1`74 z-BH$i9!auZ5gR9a_Y9(kUxWr)(U^H{pQ?ojrnl&pd5XKD|AKCoc^)2<)jo9ejxMav zUh$nPJ4pFWi8Q^SaM2Xw&@P^y0>Mwn^kSHE1uGj22ZU)hYEwQeGf#RFF2IN*d}s2R zWOpTE<_5xiavwUCAur}MmCXW&AE+ZP8iE%?+sS3E_V0l_K4poOccf6c?P}+-N zkrAo3^DV2oZlJNxaJ0xcR~Mpmq;+ovYsXOA^fcJ?eLGMw5}r|B~~hLl82_=Z)l4@K&KfZl~Ozf12X>jcnIhO&TP0 z`)FJ!ik?zgawxBq67}~SV~MiTKQVX7eC=hP(pJoyjCeuRQvp7NTdxyr_0X8ggqyc) zY_`5QHP63W-%VruwZ_9T*_7$!P_6-(XSeZI7w_cMD`OS0bGfge6_3Dp=-udt2w%sS zX3W$HJxbJFi+$n?nvU6_F|OUTn)JGwUCe5ug^8YTTS`K=nx$(}@&$kR zB%6tXef)Mf=fBGMx5-}bP9JWd+;bf1qIpwo2J(<{R_l_Lu&(y9_YD(jw(b|VHE}F~ z7Raknh=~jRhlRJ_3$ty${l3|{7hsip*|yK3nw? z-nhFDtAh&@Gn+Bmg?EV`DMA@iAExguSQPp*@!Vq2$RW^4!io6kr^JlfCl(>TnQGpu ztv|2}8aB;VlasJjK@B~&m;O?CxtG@IOkvK^KcMdXhKg)4DTZ7ztx+=8uOgX16#SXq zqk|^3kuUznluv<6&3ITjPE8I zGo)`3=xcl|%fy8fk=?j?9)Q{0YU%E8AKl9*G|b*|hhA!3qPJQGA;!d_)NYl6VRi-J z75f%yUj2IYrP`&1`U!S8m2s!A6x80^fXw5hmf{VAvvoexhv5Zb$+YDIk64~LVpi*% z>(Ha=2kuRnaHc@Irbc0;f$LYsuNSHBLmpM7cIA)?fgB|A9GS$^^bjumPw4!2mXoV{AG;oRCj5-H#zAA_^WbI0_dSp=| z&1n=6D03^WP_0<%aUP##4G3*Ul~u!Q)JjP8#)}hNU8r859qD2AO7yx8VXn(dJsR;! zmUd}50!saE!ALXhPFsq;UB_O}96FQSdTYhQbiE7)IyTBYdr46Kl1f1r(|Ys~NIOTy z!<%Zsk@be1!c}K!H!YsNf{4&B+jYfSvQg4+2Do8qYM>f#qo1U zeB;h^Tva4S38**R*D$j1f7Z1t54bkt)i&c6HPo_oK1ynIii zrhOinw>fWqN+B>15^)NT&*Z>y?*l(LkM9{_G`<2R z)saf?7`FD!&r~;+@S(`nz-y>izbztBE-6DVT>;{++LB`%vsKtV;Z}I;(lnEU;R`ki z;;IQ29g=GFm~FOc6mTpQBOlJG%F z3D7N(fm{iv2jla!p4Ta}bSAN~CwEXfa=pzor$H}RDv!}HiLj@Fa)SbRAn+2CI4%pF z4|7HbHxyYaFK16U#N^+pDlx#BKnlGWJ^0 zeC5-hql6b`sYaxj>!uvYjO0jhB0X(iENw`8xFrg%89HPw!`5vN71+4Dw>b_EnaMsj zOz7103}aLtO7W4?qT6H*%);4N>lH(F6_eK=z9qA>-i=AlO%CFVZN(T>Q{L2{EXrBA z8Aa9jtfl)tPeJ-JkyS*X&cxA=*_C?@uQZBNUYUp4+jg~t&_|K1EL+2vWFLtw0S3)p z9=W%})1M@!651M2Aslo>4@zKEf{UM=C*t5i0W4k2(59d-X*DgHsoC@;XzObqVQ?x# zQT-4&hk7_y{m<`~0cu%f?~LHZiYpemM==9lCCpl*x`y>_6crQQ?0nQCD=dpk|(ujY8vAErIiU%YcTErs@KY8Ta zRL@kjuJpHg@38Mrmzd6%9t0)&@2K6{6wHro6D&iUTpH5vqT)|^9v-Wl)83m;{CcSZ z9J>@rBiN%653ESM-+2N6V?Nc#oi5#H*gvOvZuQH;6Y)o|(@hX{tQLRx@1#ucIiSit zRk>mL#4+Fr;*U4t45u!LfGAX=p?dlB`gMN$SwedZ_j~G#zDMW?g7w!MwU5{56sPsBJrd3B>urCnV(8$myO+ssmtH?U_FNj^os^nuKxPwO<>a_@P$#mEm~q{r9GU2b}W|Q(B+uR!RS37gOKi=g%_!pBy9q$ zqY%v&MJtk;{?L((j6r{b_5sOUj7*z)sBCDZ(9QH!X}Le$AJu1QXl1Dw+9O120s^?Z z7r*=k&DMDINjqvYbg}4oq?xl=jtGap7vWM?k#TfiBBj%v5CuyK*Z3(lua4Ce_;px9 z>W_l;Q^bd2SsocuF1CeIvxEuHzJiF8QiC-cC^1nrjY?b6ZVt2n)IBU6PV43 z^^b6S&u*ePM`HO0pd&dplf?Q`CeSSQ6ZunqH!%W6y5c0i(n#K;sL!I&Mi=Z@>o`er97{{y<$1;a@RFy5f5!( z2uJz#C+qVu)R~B}4u5&hvY2wKm5xQtQoU@RAQ-E?udQCi~ z@6>{-QMuJ9QoW?pGNMWUs5PQ%R}-YfnXMcWpo8Mk$=+}s(ZRSHU`Bw#hZEX{T`cz; zW(2VI3kOgrqjMN!#2FdmxiqloT82Pi0mHxMh*LJ}Q@|FGOjg(46{v&wcgdC1eecAT zcM0GJMf?QFC)V2l;$$3!jL!xt9n3aIihjzS9?|a2r8Xh|XUSED8W~>(A1Z?nr)Efw z%w+?Xf@Yh@IH0r(DAH<@`)M{#dfV?G9(>Qme?0iI4Z6UDRAgc;P9^|Yai#adyN(>u zIwJqUyWAjZ(v%igN|lKr6JqB`=;|-M5ixS^Im8mf@saaup1AmuXNO6>UWe~C*f6Jt zRZx$wt?s_B)HW!Jh`5i2h^WS_GyJzg9b(zIY>SStepbx}dcM-5x0-bGr2YmnWZ@oui5+X+2mJz2YKvd;O*Cho+@$0ov}rf%pAe2<3m3zcBy5=5W8`neiNm1 zx}-Ww2(xD_BS+Ll22A1WK|{~@DEF^>qE8SWAi!hOfNtPLtnlNyp9%E+zMQEwV`B%T zax>}xU)oO9OZ7Ro^ftIqZm@cu7#>Ge>xVCzJeF&c zT-R+Lgx)c)1zD02dstQRRWqwvwW%h3TB$9cw*-|NU><1lqsMTx)qe!$Fx*%7WA->3 zLoAs!aMO4Ipq&%}x)S*_RI=JViSM;`2KWIo%QCu>5Zm=@xRN5Hm_Ag2flSl=fXBR*JmUO+;o2+^)gR zpVRP}x2@i(W#pnamFH{rc$HQ0k(mARN#q=I5^=XGR;xG6yTkiLYv+V_-)+)xUjv;x zSv9W;c*Y$13RDjuO|A_?yvIhJoD$CrM55(OcTOOfSRfKwzGL@O_-^De zO(d-{9ppk4&xz;4tKqe5QXy-y`@o*OXqq#cGgW-_<{|Pt6LAdxSrw~_hX8FCz-!>$ z$c~+-k&nIScRT!7xx=D1_udDQ&6TT_!Ai0<2 zFD;Q}*Ke4D`v@o9;_~Gx5iv8E!_ks=lU;{`hX4-LpBE2&M&!QCO)~S$y@U6%@z!S1 z3ZQt#$7OE3^*Y7?rL0i3)K11THr|Hch2c|}=cv)|Wf|_j#(}yNvvC=)FOJsIcNgml ztZ+yCnNiRFGrk5356`xIz~H;T2|O>3*;Fag?8B$5SL65i0umDEyL~2e-(w2eed6lw zySq68v^?qdq8%}t#M4?uvfUThDf^z<42i#BV~EDP(pp91C8ucI=6+30N|W99-7ce~ z6`t5Ddx+uyN^v9pyoeJ%#;}jv1#WWp+l+r^x=H^l#Jzfs&SbRqrhsuB07p$o7DnT* z9;N4UXKY%yW7P8=sqtBv?`+^mpxQp)Dq32Gto+{*KDCHe;K-d^ZhO1zx$J}2$n56~ zKH2boRspa z<2GFkOYU81@3wU&7S(V+^6X5#UYJ2oNd!2SYZ?Li!`lq!5~zLH0#gSdEJV`-8$Wc1 z%^eudui5a_967-9mf28=dRTPe*C!?m3@x}w)GemRBI>v5cVS;MuVjpBQHed zsRSUGTshTxm?s?f#N=xU4uaA&k14?=USHy^>kyHFp&2x8)oTL(%x^P2zV2oo^TaqI z50M)KpMMJM08*h}V>*=GU~vUD^no}$Pj3RBi~yaZtg8`L{IaU83=8Z~JK}wM(;_aj z$susfhNn^8^i=kZ4NpT{C7@_byv}{A{mljnYL{?Sbc4TBx(g+>!Pi0Up4uG) z2AauOLRQRl5o+^IkJ}S;ZbNfhvYdwY2k&8(Od)#43$7hX8W@53NY#;6COwe~%Qk_W zrn{ry8sQU4t8H!rH1R7|^4B(x-#K63M(aGL6sve9a9hu+rK#3+V2+e~U+2-mUhN`@ z^ILthewPBXZE*=ZgxVzJCaG>aVV55%M0945L|eFzdV^|I6vW*8BCu-8RvEqm++iKBB%Eez??GX zf+mdHkJlRye6cf%c7c^o@3sRJr<{3ZlrnN2U^7K(E`*=)glYK#*9&MiztcWn{&?r< z73&G@@^~)@=r%GJoimGSGs+pm90@)1M;u3Xc+UHi`m1Nc%FDKQOy(Gn>_6Hb$4@|PXd7eo{3TuE1G%7rb-@?L)~MXN6Rj_<^EL(!5A|>Kl z=HT-Z$^`V?rmP=1dQBxpd~9`Cyg0etWjKp(GFJ+7*jEI#L{*}lE74Y)=cj<BA`H%mtR7)JM;3-O($0(uF$fixDG9hDMt#ZD1ZJfslbqrfrP|J8~ za>NNyt@7^7ga6}wook`U%OBhMf84Ke(Nz#l-2`01C9npfc)H5@_~}0e*tY-#X8G|p zP95@}1NJFkHdlG1oMYiV&;OJGz)Y+@Q(O3#G7*K+xEJnqjr9NP0qLBhVF9nyL&a(W z98Bee5`-+%2)jqBkooNN9snQlv$+c^LmRUTC?YsCw9_EvPMeJvVxzN@5|V9T{=RlR zsfd8SF*V&$$;jBagsdXK^TH9+_}RxYG4>+ho9446TlUYEW~a@YW0OoHZC8XZbJJDdF#86NlKd+-Z)5h7w%Kt)hd6fOSlA!bC#HB<(e*ga zCWtHa;qgx9-$ zI=b=%0t|Iv;9!5pz{(R1U;^_(&ElUiG!BD{$mht|w-Ww;aeX!&R|bgXKQ5oW-v>x_ zh*%3?1m;<8+lQP1EIWXowqBn2V)`;u_410A*9}1KG6s3duOiX<11F3CW-H?};NL4x z?&iaf0LGn~1vN0@?%vb$QPi9#k1yNI$XS4#VeSEgte-cY8$hY;M*@^U;0i22u=jvf zLDjTa zlWcT)0yeh8SUc(WY(Hcn?ql>CHSFB%`8}rv74do!C!%4-R}2+r`C}klc0yrk1~tZt z>084a@9DEhc3PUH-$wd4nNRWhmY)$rP4q8hSzUWZ=VUekfm1Y;Ttvg%2G0`EFeQ%@ zGw=PK?&ZXK8_{4Oi}#}Jv*Gn66<}=iee%J&+=t?c+^ldx3XAnj(0aCpj)>MW;|u>+ zlC^-tlQ9raEX7djRPu*_I0Z2p+IY`EveZlh%cSKev)RMfw9-u>i4YcG&ho~H?-kF< z9#gZ%sRparoc5|{y8Nr z_Jo1bK$@>9Da+M{-dIFKM;r&;YQ2Vz#{)|Y5;`i*Xd^qf2I_7PYEWtT;20LVf2}r zSw>A(+U-1k#QVH`2Edh*<$rSnxC=4Is^9VK*Keho zJ4UKp2cxchbN!ET`~O1@z;G-@R~GGGnRI65y?zfkXwUxVo2#gr7sd%-JH4AD|F>^0 zMI=y<^)Hsk8a$;(jCbW&;-1T^1@1pRhIdnVcE{5BuFF^7VGHOR#QS@fcmP50;PbsF z)c5Irf&YTmZg2zBjF-FbFZY4M)d#!BDw%)EF}v^og3vcE1v%FKg08>l{2le(p9wno z7bKT3xeLD+4K!PgJVP&B;|5keZ`@9Oe|cXe=fT%`Z<+_6IsunKt>-`PlRp4rtgC(( z1URi%XogK(B+X?9l)lzj(?)c=O*jNB!r{1Y&I zP6Dh+cKo&a-Ne?|$=T7wz~=9fouTFT?`%v23TBj7)EzVq>Y|Bq+to_*N|1PfSqvp@e?&IXP>A8`1;U;og`d_jBuSjP58_EAeBLDZOozj+xBk8i~e*Sgh zdoeBRzmeT304FMo%pH}_?eBBD9rq%mqV^oErw2T6e^;TXfFhzuQsvol zZ2!4_N`Gwg`76}jmN@t8PuYUs`@*ZAoFB*6Az+NkpOkLqLo>J)FS5A28P_L&78gQ$c%uyg z%UT(>q+fKY`cWFFRfq>3Zig#EaWtOm)t$nF&8Yl?94E7SuBjKF2^k~1R`v7%CS zFln$_`iaOtf1p}WSqh1rl}WA0A~I(L!*nHlap)gvIEbcsibv*KJhXiEyb*gI?8x-a~Kb;8Ss>Qm}A} zYAz`v|A|t;Sf0!v9A*;rO!XKcC$ZT0mHtvy#~+zuF=xNy1VHm*nU}f>2Qp+y)L~?m z@TPVl#4$&h++yb<5W>2xOGh3E`7`;@Q?AUn@+(KHK|0!0Zlsp5?#DHn~IsW_!JE^^2|^?ahYNs{@e7Pk>PyNMRmIn4!^6`7tGAV-0ax|Q z=XLGaxbL0yppgt`MncAo z2Z{?5ImQQ;aVLz{*1*$PuxjUQusL~-Is!)&AC!=WoTNeanQVQ}I4>TC@T<@*o@U@w zd>PvEdkB5)VUqC}Xnr$zgEr7bt^<-!dMcm!Kv=p--kFO&9{;o8j{njO@twDLyrYAM5EtXmr5d_cC48ncYBP*op!RiRdMV4d{ z8Oyz>=jrN7KB6zCVGbX8DXk(_HW}$!TF;4!MYQ9n7;p239@rUj5oXnBR|eDzXDC~2 zD*rB0T^1-2q~6Qx+aBuvuXe((JUL zn=OdyK*v}DEQL2?2u!A+#$say@_>M_* zN?juy>y%%TTGzCYGsP2Uu^3M@M+|P6V{p?RrCTjIHwrJ7m2EVKSeQh3C>Ms-@^V6O zqkvwLUAI7pT*R}BX?c?F zrjB4A$yiibZBh!NggoM8he0-qC{-RQUImgbVsY@4m^URv zrkY$;zw1Ppf2aR(?H0uT>y%6z-PlK4&}TK@7M9p!n%1RNfSRKnvk)5{*G(=gMC*oG zgPUQnobalh;N;0SwpXWs`lp69%E-_=o8||<1#XW7feBWVtkD=p(G~$X`+&xEILHA!0&M`x@RqD<;<(iU6B}&-ArS~GIQMzW-vE4z`;nX~FvY}jC z5ta-?lB5Ejyxa>D*1*OTq0%5keMr^lQwfC&rLXfYf=(~6-ytB0%m21t>;R=b(l$& zJ7|uVADab$9w;g6lc0i}d?cKU=&4Y@m+cWDM}B`3PxUq@uj!82-s-g~aZkwwRcIrP z)}O@MEkVRQTKJ(jhlhR!mmzGEFe7jOF6~sRM7gN6;JDvTpns2%k-jOj>|>A_sO!mDp6(RG$~R8(iDoCQ59T6kThrHj8K^+#f= z=#Mqm8cX)H$?dJipI$T9ok4itmcgcWxf@?+t099r0d3rtKloDd_VC`@ zue`zHe)Uat^l@y&5U6*ADbFSrDMZfRk)NKV~>dJ|Rq+V>yVIz%QEq^;Z!74XHr0_dguXwC|Q3L`~H zH{VD)C4dX~f?QzxO(KRO3;S_~Mdw&Bs~yyYWk1pFF=SHD z9+j33yp49VyF%nrr}Tv9#XVR8e3#U6k~+I4F5psIj<(_>+9fL862X%Y-)=#qdLCf7 z)U)KH)HUy>bA;J7HJY03@&}P$Nnqm*BjVI%DOD6xm@PtNJ>HMaMQN2yk{ekGYrt26wKk#nG?LQiLh3eJuYVIlv9 zoO9TKBt205c$to|VyOO22>2=(-8Q>m-6&9m*Ksfn^r&ABVtW~S@u|RZK>KWc4 zHy*ZsX9+#hePelLGo+a6#QD#z+>eabD0W;^Q{BLmN!_fE>yOr|DV*mTe&A3YfsKO0 zzm&C5&O(*>U{3v|KhV|NCOFNn)x;im-*zMsTh)2|Nn>U01;RLt6;~81!F1M7$D_H2wqg2e9TKyMv zdp3TN{;T}U2a;;WS%2WZgZ)&8Ek8<08P=-(*}JS)X*IVSouhlJy zQ~~Q|@eHC7i}-l^hLtv3 zs)4`~xog5Us;{9tQ*|2(-O>9n!8%!2T2Xh>AadRz78pxTJ>;HKM3q(vXS1`%yDBTD zSha}U@hDHWx%%x;ZJ;QtnZGFd(6fh zW|p(F=`+}m6mg?OUoYj7_C-Jw&Ad_Q4BTDZe4t*AT) zh}HsTwnmNlg*vf7<6xFvT(r)mCPj6F%{4rLf1L%CKf*iw;3uXKE_1YP*#hNB*p~f> zV?!@KkJJ4AtZ%9w`4NRgoKV`m(Lwhq4jPqCKQqfFX3cdWwSPY9tJQU=)i%9;S#jqP&96eK9O%9mjU$$G3~fP(#QS z9#Ns8XwN{A=S`My>mGUFH8e8kzDx1!pR+kX8{hXx3F+TFam-)ObWi#^f4Z7rdK7&e z`_Q0oC$vCfTD<;#0;F}a^j73m{O!QG!f_fWv13$AVg()qV06IA$&mDn^$TxwZyu7_ zIub59wMIU8gv+w+NK#i5x(00td)kXKu5Yku0%jq6DMO9@90O~Q5&x1-B$NAHqCE`1P!9m}G?T$#m(E)zHIeQC*Hx z|9pIt;`%*+OjTI<(UjH^X^-qz8UB6uu7>ElpGTV($j^_KFHRe=}aMZ z;ML>tf#wgGYw@5>+h4W6B82AQ2?+Hkdq7a(YBYE280iOUD>}HrCwpQeWOoqc{dopf zTR1={%enocl#)eVwbq4|Qh)-NzUh_mj@6O^8R@MXA8cT^rhn%Xm_v78DkcW!Wr0xP z57QB&hMRai%{?e;I(NZ{OsW%RFgPPZgYfMPnFw4}kNhoQ(*8Y{nFB)sI|`1B`bZe5 zYhI*m|-=_(*5~ zzm_H}v2$#6MpL5nVE`|xGpkK7%<&N(B?b-aE||~zQfTo?_R#D=J+52~{or-LBm)Uf zbkd&a{Mm{))0K;!u(;`(F@?#hbxxq_xiy>^so7NqE%6DlJ*G>xu8Ufd6S6C~d-=9j zrp7XkmD;(~@0YuNXAtC3j6NFlZF0+_l+tGMH<) zikSClobm|b3HQ2Z4`NiWc|v7LDZ(eIsVhkwRp2K`$2tLSHvTq=(=>8+#h9;xhZ)-(QkSyv_c< zX^)Yh#icq;oXE!dPKb}0cE>swy3mH=oop?IUOTFpz0wdw`CdecbAkh){Y%mLBc`ITu7{RQ5{Kq(OUc2w z?|V(al8&vO zV8@ufyUtheB#ietlhWpNFnqC(9K%e72J$zD-+ZvtzAkvE-t}_L_XMU}Su+fmm_=CI#A zz+Ny3s0bnwIuKyie&Ljj!BQQ9B?hkz!G8E<>Rt6C+XVtC6ahW4E^u_OoI;fV=G{o5-WUuLwyE3>c+M4liD+BQF>BkEb?6G3N1?_6B^--;1j^tdL@fJM-lw^mXFd z6h~e9m3NCB+G<|9R%lJ!$k~gPP8+{}3RS^OAC`)8PJCQp4&m!=lvkN%z!a68>i0geOb4>QldQ@ZjT0_S(98SC6jXLy2BcJRTf<9^pc6 zwVON@)DM4|UZT|j5qgmrfyf+Mht5M}uJX{CA&JKIOy7>;huzx6v2gE!JD0K$LEA4I zq7&oa-PtcxDu!OuJry&JoQt?77msP{xwCi>e_Pp|T73_WVzBKOs8D$%C>CfK!{3yc z6LTyO$6p?8qo*rb@oieHtIM(vaVu&lO|zq=2hC8#5v@}cU;uYoJCdaEt>N8ETu~ zz9=<^4(vRO#8IzYkna?UMRk+<##DR$s|cM zdWm5RS`P7g<=MyJX$ABhIrD``Cq|WWw^A)$JX#YCsn5xSo5#;h3b9I9DW{9AQz!*- zuL&$78U6`sJbw2!!Bi7^Es|IWFQD2aYkZQIlpngl$AabNEGw+29>uN;*HEcvS3_}~ zHZNY**2|}@s~L-tU2kdnH#xKfcY2eXb*cN(Ku)i2DzLEqclSC~o6h{cvy(4Q#XSv; zt<^LXHE5fRa*5hE)4YSA`-;N1pVJzJi}X^L6P@7fhZd#H*U)F4&lStI5rT5DS^-A$J+Z{1xsyuWL0NR3;WQndD) z`_fxzK`|afi4COl1Pel1Tn-jTbB>5Vhk5o|GIgWn_tRne(T=yDtF2v_eDpG_M-BP> zVqc=dfWLZ0{2f)Zs$1@zFGtuj$!!=1Tha|TeIZe=prrB&ILU}EW=5(8^x!|PmQp^O znwDg`18SQ}+6uA!CYu-^SJ$G)(3ew3n0UI5pBL}6VhbQq2h5}ulWHRBB<=wl3$2#+)fga4vuA&v2noRiu8j+6Dr zjRp47VB%An8)DUDQKWj+WRfamhHk$S#ELRRMNidudAlbwtdAqvL2Gm4>BrZW^rjDj zb8>|fb4@d`PCI;R=QPg5NY~mrd>&syx~0q8yy-{iX%fBX!&IA3J(9FloL89aXGzYD z$}`g(T9sGlZrjEpTBVun2|nt5T*Co4zpm_*k8fjwM4y+^pA8#2Rs~#hd_J-bAXf(W zH#HAXSh@$KwC>r%)bHN8FU~JMh2XzkNubCyZgF3VpVP?n_E5V7p09emBM?UZovK`{5PsP}8=qDQbjYVlPKCXN^tktC>G`-~F`B z$I1UEMf;0me-(|5gM!Y?iikG)Y=Pl9Apdyz{g9fcC(wJ3iD|g`ax~wO+<@G-l?df>I z?{oLPr;I=M%hUFjGuMj#Sia@hQ`X}%{_e8P#$b{8ovten?CY{et{~;u(N@cA`uIGM z?wA*A#wP9uuU;|gYzG^E>(5voKV5VZ7g(SX)F#>~11tDo*Gu2*&$}?C6Cb!dDs6O@ zs$Zkbx)3Fo?%`4$_)!SULJ25K%|-Ai?fd=%>CEUqf+8vll+(-Gn{q7*rLWFU-BH5o zFaGeP52^&(JkaLsy1^NI!rcRX7dQ)FcVa>%R#d4D=Z?_IxDfd!7^W0d9{agbxA`wa zGx&Eyg8&$sIG#n=|7mEIZ9**nG&DGXp?QgnFzv;gV$>pX+H-CL8*t4hTL2MBR!t{D z?$lN!636`^7=eKbB~#s>%}yXDX|AnE$&NqLENZ_cM(8Wsmv;GeQd@=$g%-4sEY|P` zNO8DsGQ-H3Xt01j>y*)FG_HL{qy#2R zp19nzV0Bv(Pz@Rnih+M+*}+WqowYS}YLuxOoCRylFhW>Mb4<3#0t&qy45nUH8x1lW zl|^r=7qZn;x(Ln-At3Eh)>p-0460R{tJk(5pOG7)P$hCtN%0Uu2xoc;#De&n2d#cD z*RP+5KViggVuzuJ)Zk4Aa8I}ymX_RhSkR-xmr5Pr7iTx5vfqZ~)?fEGK%kfXN#=l) ze6smvC3O!dBe>h5dGp(Nz;VTq2!S!v-@j2Z2T}4a)%@tU=i_OG)ITiLg#7tk$mc0= zX!d_1G>`s@;kADf8vef%8r{DW8cV^d++RXFMm_&eLgNAuS_7ssGK$k3cdplJ7~&vBO2HjC@BUD7MT$F~=EG zNIGic6LYbKu+MV953h>tACC~wq{%Ep$rw*4vEADNiM{NNeT!R&SI~{gPKg~e&MZ8H zdrZsC*&Jh9Q9#QKGGta-nzJwyVOCnr{;q;(&q+D@`$O(ugeLKygcc4Uw0a2R=cjLj z)Wdo%#8}ABww8-(@MH~OFCqTl*1I9fpeogSG+*7>aKmJ@I|zB*eT=ct#f#|wWV<&!TN-h zj|`1*G~8S%7eZ@U3)*fT6;37+dpOsf=aESsd!d7;GaaX}xWWuiMqx7mMUu%QgHXX= z3ADm7iorw;Cuy9-kc_4qN>@YE!18J~D}nF=ehv?)zFO8OEGNYjlPsFJ(10anGDd0= z;S=h+ov7qoIEBC;y=nZhWv_!!tC29chH5}3X{EYM$6zVWUQ(jkQ!p0hP0!H=fl^V{ zW)NxRtgIrWq7YHk%7Z%;xz_f@g!Bb(gwH5G}7PqCG0%3sX%ux9}%a%I?D&1b# z_;R2QP&9+Kj+NH4A5KK`074u87oj;j2kPX`>Vq-d=-Xlka(afhZ}}3KHK|X=)`Br? z&N1?~x7Is`SB|H0+$5WT?wtHqTl7W%&tP-G+_XtS+cqLGN7bp!YN?z z=8wr#Rkx?J{${|<S8~bmBW)?*L z>y!jQXdVDU%gDEdBDOdV<!XfeaWT4#V}k%aMM9B_Tm@YsfkDZ zt@D@AK5QEAzlxha$pVrs7P*#4I|%5Qq~^fBPF($D3*nU))l-X1Ox~b^`)DOUtJ~`I zYaU1Z4!%S;BwUO`)=Yx-21k>*E#-KI{`KDeD&5;V6&q;|r2YZgg{#fJ~L}X2uQ@Xddy)#*uQ!gwgb>zzS zO=q9_^rbloe7w_W`KxH|HCXOnIHTU6H^pSiFsz|p9*v`YxgcNk>6CVQN91Z;*Ee!;sdqODkp~zsXPo2vb#i= znmqS5DxP84?!3cRK2A*-0u4@Z<*k2Hv_>;330rW|^{Bh_FZ%nLVdlk&8tA|?>a)+$ ze<|AhUqx$QWsKG=S0EFa89MhHaJXOZ>#<#YJ&bb#NTZXi?_ArGouI|8NhR z7=MUpUt29}VOu_x=ZXugc^^4+h@H}X;#4nS;T8RG@Y4~s#AD<#evH0l%k{z0vKr}G zK?81ToW1-ifo4i2@#M916aEnE-%^7E2(@xuR7I;$&C}tj9W>%hc8hi8U}F{|zcRQx z933brSXOv70kPyA z8w_TYa+ecVuP0K~fd;wLrcVDH3glbpBy~6`6gM9A-R?MvR^AAdQ{iC2{sQe^6iOm> zh+I9WCV&E%hsRswLeQ|6Le5|)E2oD`B0_Pn{>PsXAFH4nfK z7BlAuQ#%w)3#8CZ6rwg3&6Aje=)A>45TpT|sGc!d1ZCoo<~Rz8Kh@Nc4o4}_Sw zT>wUl&IT}=F@Vu7{xTZpKN&6iKN-#JpNzKE1zS-ll(JLx`P*EW#?c8Z4<-9%MchnGhNCJm#oYSOVC^Ug4J z{EYDX;6R?>%Ma%sp(Os*7MR|Nk|Nwa-DKBO^M57gfhW;gR|k&BC5-v%@V84x)*!nC zm`xG5E5+a@yVl9Ty0+dbFhrdz`doCYX#5Pe)tBl+yQm4(QyV zOAF{|xj9kTC2pv9ERwQSbMhSXAb-?`WG{ z76_}|07e4`Fxshjr$#~I&qnXt#Q3yLJP1wOO=#Zqv>Y7`(Oh%CuDHWJB#)^0gw&2^ zeCYOk<2zO7uxNa~xV4@K%ml5@6zNBfl@knu%Sq*Vmv^D!p(a|}J2rAE8LKRUUvBBn zSviC4Sei&1IBQY#iDSQ;m%h&i@5oW(e2js4M&|wM{&1CiIhBTHDCzlFe%0#^bK?Jc zO55(S-X-milTVJ0!y8Vk^;w;l8r5rtfghLps#nR!LVHXr8xiKo~FtX`B0iG2SbQ>Cc z$^7KsS+Fg?Bi1z%(-ejry0Itg^%6uH37p1?Fq4OrKvc2j4mnDDQmxiVa{g{|EGHMC7)DA;!VRv5Ag4CI+3BMnB4+nLdJ zvoGy~nW#xwCOzA(Q4b9vee~UnRbOp6gq_dshtKOT&$Vee1khh* zodoy76+2(83PNh4OUJH!xE@yCI5 z`O8FTWBH(;6@0$^l!#HtPgVxKh=xVb@NI|Y;gKu84);ssMDzN9{m1mhszjNtz`#oo;hZ*OoILLdY?^-_yv5rB87%2NLhZAWgqNG+r~ApOHA;bN4#eu#j)ZwXM~7*krz+XC)!R zT4y1K?SjV+>KD$J^EFgZ)I)CLGv`-H5G#be+y&>{(!AI`{vvRalE`Cw({^A0r)p)%t}U>7YYwu<+S3U%|JBi>Vy&z`@Ii zhp-%yP%MN7grY!7SI+5++k4om=8Feauv1hY8}fVLDm~cf<%t3-pp`&~rS42TII>;4 zQbAt)^#}~I?^HE?e{Lp*+gw&_(*yF6wndOK1r>w@Tue3+d~U}vt(keIh*Q0&*&ekS zuBQ+)y>ho87+Dg`!ZVKt*ckSfOtVHRdVZwDUo~2c*D48=@VjiN@-&G8BdeVdltF0a zh3n~Y?n={cD`RdCMx#x5IhH~kF{_{wohq2-a`|Nt0523S2jMoiiozQ9WN5}K{$+8Ok{c!M+Z<0SS*TN+Zbiwq zuKY>V5Yc~!5C-M#hCSUJLhs_%{P@JwI-)O4iP5Q0oSt(mh?k3U*wxGg9$q4G!PNW0 z_61a^kg+q`f6E&5sHqR)OLZ%rc_{@q3PUbUZDXsuP~|Qxj&sr`+ujpIXRqkW#hlcF z0BzOBuEW^9R?m7waLq9N^0+l;>@VFF7(Mips=I`wIXmnOEym33C8{W^-WB}N)InZb z6?)V%Aupr?$%dG+)Y&a?jQWneVci_!n-hhxBcCCU1zdxhvqi;e zSB~}FG27ubXn%Q+aoFLQv4~$23tKzZp=dq==9lw|dn6x=v{jIfKTT8*+Z+@w=;y*dh|eR5`;Bp;UNUc7Bd+^QE?QI5AM1^dUmqo*5rFIwAo0f_=V$*JDbdK$TLESex(hj43H{8S_-PCC@=cxD96YWoGJa zhirrOjdE>_8)n=kv2|*J(+KzKUNE}u*~ahbC)KvI`FtIS=|Mg$KLKt?1`=}=^(T`Y z4;1b(EbFMY<~pb`ri%8QHgsx3VH4vh)SFzmM80kBc{2;(Yb?7*2!s7rFbkgNuI}ZK zR2gE?+ZY#xCfopKi&-XFH5K;ATLvD7pmND<%gGjAD{uAncs=9S04PTr;j3UP`Q`hr zr~nz>h~ZLjMsm~J`prl~-ghHk?0qw<_G>K^)F~mQ*40ICBtyf4gf7LDFuHWBhUlJP zb3aq_GgYf>aD^cb;cr`7bF$r@X4-6;ujFvz>*NK*WrSgq`Hnpie_qJ(bO%h&`#R`$ z1*;7CAn#JMS;XDg5jL28*FU1n&ew}v-oML4QjH|pbs}ewN2lj+@x1dK>RpkJ1M$(c zVehe?%rz$W#c=>NJC+m{M?}t2&>?~tWWHvGhn4TlCFYMCzp} z;F=|*O)LHD$ePz$orRKQAVw*b@{TP6_LOoe*|^F z>mSxbPGqIM__85U_rQAwa<6IZW$iS3Rg0J)>&Q!e`!SVeuY%8XL7DvqZ@6GLK$d; ze9(o*qA13&`>FP&N~B#C26dLu?8@gzN6N8v#?G{>AfoN#Z-3*DRvHC!wFX292dq0+$cm<{FNef}UqT13y?(r_gDx0f=76MPqMM~$?ECufb!je35 zhjD4<#?C2>0pH2Fq*THUHR$5Ignv~MePf3y+WDwOnV^l2 zP8J@H0QL%b&jjyOzr#n$=RUBzPo^+SwI>KT&;DFS!sTJ(m7rS&+ENcmH?<(|WE=IE zIALF4fBZnzyx|*3*EcEqTT?cVA9CXTU{-SU>X|zppxd}&bfM@oNkZCroo7>6#u6y1 z{tK-4B@^Jk-uc%46c0S2SV}tDC-t%fKSPe^c!BPF^NPJQyFkX$A?+mZrO}=zZ#7|M z&!_tN{BX1JHQ~CI1(TD@Ot_EHLCAbgE0)Y^KzU;JVy=RkcV9FdE~$<1=~U>@uyCb2 zusK$rmXX)ZUJ3hIAa1GE&|2%maD%;*DO}3Nq@xG zeM0Qn`BEH-hjQqeYs8*K{J}9BPkz`730; z&`EO(_wdWuTLu33fx0f5{!fba7pMNASnRBv|EXB)e=BPL{uWT;`yaJn?0>6%|KDoC zHg%-zNH`t4mw%1k11BcgAt8K^*GvT3{%zYE79w}3!yZiq!kzZ>XnwYzw`1=kgZ6bJj0bL50ZSVDo_SfYf5ETE( z-Q{Bj>1c5oR^qF{Ulk4LK%kd!u!S3EPD8HMPFV^LHP9PN=G{(4jgY`!_g9fyDTpa1 zr9Trz)^?-AtL=E3O*04Y==j-DqY}~sECKs@!3DyZkrzjX&HBxl>xn8?lm!$d039D< zK`x-ROCuvFNV4S$e_JY*4Ba>n0$u=Yo4SRT}}(4c5wL#o*MoY}nXN*%N}y;cvh4k-@f4jeLAy#@vO4BQ~^JE5BAWrqD`m4@iOsZ3e==;)j!I?1ZUTTO%K+ zMUinc@42ylmo4p!te?dwW@OR;$x&5hVanK~R6qqf4hrOG|03%37nq3WC&LrI8A%nr zDaSVc9e#*HU?l)&2QARa@=|3pXo$2WlJmz<(2Na;8xcW&yJcrq5baux-fm`K*fwRB zPMkd#KVulman{Udnz~KJaHVjV+B66bM1=wo-kNJ7JC#hS8=uRVkQ#RATP4M#%y5Q( z4(TQqE3Xb2XyBGuND=5sFK~Nz?G%=h?PDfQfb3d-k(7eIM&o7K^-%<|SenT3A>Uo5 z*Pmg~5?T&_VWnayqI)kF{{je3A>#qT2pXi!`F^YX2FfTJnfLEpkbx`uZwBTtmsC;* zO(cb-#X1M0R1|XpLWN9Y?D5R+g_^c24};iD8`bhG+GL>CrX+2yqV8xVtPK{&7^uZj z^NLlvb0|X1=r|j=k&{Z%nMhcuGAgsm%7zp*aqtNE=W5W5JeeQD;bWJJG6Gpt04 z8xp9KxM?H{j1XjM2p)ca@@OxS$VQ2qM`e!XM4QvQrX!@1$^xpuz+G&cC>N`-gtRmZ zE2zz9SCctKU(qzz8(Mqg=_qL#S4-2al{9O}*r%IknGr3#GZ1o=H$?G#fa0ART>@2d zXLrEzTd@t!Hz1vlUAlP*%^uZxa1G$~+YR+Ko!Lw*&`nZk?e`>-z!6T0=zkpx0CEYU?6Z^4{U#86CnaZSjmD~WGPQei5oAS~Oa9Fxy;7{x8o8vHOu zWmsVgS=xn^(vKL=_bTd2Ez};`G7Pm1losS+o!KaC=L~NAZzv>9awKKL`zaE}inL0x zDo*UHX(SCO5M@q9PA<)Fc2IGHCxVALYx22Z<#8cI=cmipqzh3mWZ<_J??XFEHV3Cx zbB7)B?{$?nOn%s}yUG8ZTz@ziA16KS zgW#R*ls@USPPmwb-MicfuKg+Q`Z!jeBI}Ma3F0JrGm)`uI3L#1QTJA*&`XC1a^{z1q-8t;5o37TFw|e{Y>t}yi5)Z zQ5idn61`lep^%-88p(keW>`*j^XrJaK+>*Nwg}38(f0ee^XekO9KYFe^2q9YsVRTr zyFW^rVw=oQGbh~z=w!(T*Xzp^@KsA_ZEub2#tXJ1!3*cB* zX1Gs(tYc9EaV$WKM@CI}r%0di?KF?-j@`Co$^HLMEMPTl&QyaXbgfJmrYV`sc%q9- z@lP1yvn;WMp`5}*-J)$T=!#Y~h>wjWBMZ*csbILUQCdzI+=ESS;7ZkS3ORI>ztJke z&i0LpE{Fr#c~-xj3E%9&C2NcbJk}uECn*1q4~w+fG)9qxr8_KV96l1}ep9&M*0qLKIJ^Zer_VNc$;K}-U_y}-(#a_VwdYqf&kkwjdi zOZ`rfodm>G>&G8KzIoZ>NWifKV(Cv3wZO`oM4Uutn`vI9 z4?^TCkEEbViZ9RlnhIZw=-sZVYK_)L$;1mx{6042&; zld*7@3YrDgpNi2C{0+Q$L|0~B(oq_l%UucM0z9?(R--Cjo*x1b26Lhv4pR!QI{6-Ti&YIj3*; zcl)dR3n-|~Uc2U4b4-7Mwo7ybTppBUq?RO+HK?3VhRT=A?8O7s(>;bQ0?RrZ(B8_b z(ut7ii7i1*-y_Byu$AdY2WcZylU95J0Pb`n^1V8_=oUm7lRZPg5hX%2DrAq~$3(3b zxu-o_R?Xe4LT#A_gwo$45@zBnj%&wkbZ3Cs7p#1ntTE4N+QpK-xP29Fm0;aDdUuw1!Z zStu+#N;w613GLugZcFE)@c>$3(&C?Mce}Xwt1}Ya73eV&ZudhvR19sR`AAD3X`+u zvfP=tNm4dW0T&Xg`lA)r>Qrd^6`O6TT8h~)K8P@8sq3gJ{<*DH*3r7gtq;Th6o!$E1m@T!kzlP5L3TbL?^a9#i^{ zHH9jNNpE}mPs^r_X&jCfGLB2cu~}v4QP6cJOtbl?)2Ni1#Mj?bSrsj6l1+aw&5nSZ z3MImxl3I@48GO%5P9>HUVv-sbN&aG}2=9nIiVZWV{9|#I*_lDg&>5X$>)SoP8$t70 z7DYzi2hhS6!|G`xw}{Av{rk-cI*mNJw`wSLWW+zr2ySerGW~!iF|BMcjYUiY%d?-J zpsNZO6p(2F2bw9oCc-#ho9}(7fm1Wxbtqy*{>6-`A3ei)Qh%a85f5UIJQUY=Y}no4 z%)UOFa@42b(6%7i4t*9VCSiYh4Qw}N`J)&XI+jmejiM_EIHs&;rGax$VGXd%0!cG- z+3PTAeo|v1#Y?n%Zw26~n=iy9a_O8K8QI5qdyTr!C`nf^C9&P-3+!C_BTWb~WFy0g zZS+FL3+L^ICVI8@o!VsW&b3X1JBPPX4G(}=RNPl-X%Si>5>DC9-!W%1Ns?NLuo+); z@9R7#^77bT&&L$uU~%CPmEt5raYkkeYosl|P+HlwPBAw?R{snXz{^EmP?3>J`_g?0 zD28F$EuVlL2woJR-o5R7;^`e%U2n(xKj-@l3JqF1{2;6}0C93#C9G&EM- zT6adJuB*X&RtmqJDSC!Y&@GbtKE??Xr3CIi#61eI6%UVO<4mUEW{Osh9&BMLdG!Be zlR-{#Q#kP~VZ_sisoIyT+zR=?S;fj)altwI8Q|lMjQ6q?t1ej5zEkziARq4{g0b?;DElJ>UAfo4Ey$TB)4`_JSjP-gk#!7$!yC z$6>PasdN>XCTC~NSQPl?1B#g`E3%H48BUfrAz`Cu--j;q38eesVWSDO*O-O3QWLRo z`0vl(i;C~zc06aoWOpv6fXRF_s0AF}*I@VgHu}j(Y6_mV+*L{J*?zuy2TETH@_pOD zd5nwfj|lD8=$d5Om?lCtox0Atb#=RevZB|43@B*_m5$3UE7H_SWe+Y{BZC`&s5ux- zV)><_D$`rHfh-Yo;b%HUbdrMO@H3i<%RfZ3?^_{%fQ!w!>AGdhTg5zlZ7@8&812Jh zC!MFxlOJf<{L1@r2gpl9XM`-Lcni)8B=)Ef6lfDx(NEQx#xpygXohkG3LGd?JuRsxygjN5LVTN|C$D%&Kcf%yU z9#=g@x}gLi=%6CdGczRc=zRG1J_U+A_vK%o53C!#lQf=8`%YMst;=)zlDX{GT8PFj zu85?=XLDwxoHqy_ej9BQux84>h2ma^eC79XBt_FBmLS#_C-dZO?_S-rd zA#ISGwSL1Qx@K@OfwoB^ST1z6{i++x3}v~2*cQx_fum8w&LtKJ(FXRzY7SCUszfV{ z)SbdzrQ{l%dfOsJhWM#Em{Jg=;|glbj~ggn^* zG?~W`IEDsMDSerV39;^muR$E~7PuS+VMr!o4=>FxV?JT65EV042?pn4$wWTS?3O<0*+fl}yxjCwg~T{cZVM(F8&|>l2rTKFkIWSI(%glu5nJY)NM>=2blLl4h~ReG1WOfGk&`mS-;GBBM3F4v3& z?H{Ph#ZvG1PwOSWozsVV`BqC3C_0-FpygtWwMRrd<=%oS2Q*cb`mkT+;XJOCNP@9I zk<4*3Y<8s~(UhV}-YFhKT9PIE5&jPp>3r2=ZRi+7P0tS3)D{#UG{acsakMC9HTNklA#nJx#G4OeFTLu_Ay6U zi0jw;qR-a%SGX2u}TS1R?CXv7xw1(Efl%7?oi|U!z{ZG%-j$!X$?&pw(z%AmjtEq$2iKjgs zZSC%-rn$4M$-vuX4bH1qqqD)*#{0Ju)QrY^9li>@w$eNN^Icu5&97`azNcOFmiu*< znN5+r-1j;veyy@0otxFi?q%s}(Pty3p4PWBj^OSCmh}B}Y(k}syx+;`n2DfWS4q1uN-R@;sD0F{f_h9?sX3F1%xip=Ji+ey#6abt^1fQ zD4}eWovt!4B`CJ z=Ry@J2ws+PcAd{VX-xXlrhVLd!T=K98Y4pj$pdv5lO)3vv2J9`4)Ese2fTo|I!Fi>@@!Q-m#fe5utE z$b&h~DZg~RKaMx5Mm;it25&<#g$=9a3wBmY`#YU3W0%o=fMIRm}Fm&G7pv&dSY5pmu{p ztaQWMGd|+hyTIUiLKw7`-sj%dPIVJ~@WdXyWpuq^j0-)Au;U1C9rCGV4kz!JCU9k0 zv36e$|F*_eDVcg*us7< zjqwe?C-*m$^Kv;^wC2KnIlH6T-`QlEG3$0HIme=PRs%nGMs6N?;&pl2zFIFxZX@_F z80!z6`U_*R(*F;}V*cM4>%(&Re_^ayEh#H%F3Yv~io#o`gReA3yK_wg;F0x9`HH#a}LoJ*3jxKI0!)n;`6}$f5Svjai8H zHqlzE=01*vPf~t<8E?UQk{4Aek$Ps^l#85)xiakX z<4^|#?RKY1IEQZ3fW$(wGu-l1cq?iH*ryVo?=7$s*k`z_MXR_@8!SHx8iyKp*;hzm zH!9`jlhT1b?5~g%r*_GNl=e-%!w|h%NhkC&Rp&nc04H`5+4tWo0dwDgo54BQE9R=a zf$i3BI9q|GnHfhiTYWH5A2)NL)&h`}VS%4ubN3-wZ1=;XmsZQsK(h({5mYL0j&@w%t z;U4o{xqNFv$fTt=KmwsX20=(FZA4VECMPvR|24d=zB6<+;Un5I5o|G?X>_t2#1H4& zN-Zs#{GeEU^UWX{ib6-E0$<&4H9CW=76mF(Z;)#+29n>53 zLS5>-SNrP_7=y9PrBW8LatS z4)r8|_UY+xWPKIwE)YK@XyVzvs5BOn^y@)0JuI(&fXGm=j)XM=!geReLn=DYT;T~^ zmKR|G{G{<+E5+Cu$Kc#vI^Y|{(%FQ^rooGB{RhLs{8jbAuw+$g|1d0c;6xDt>}gL# zJ^n1i0X$?n!UugRBBvQxMzbDUs3<1gU9n6=V> zp;b?Pg~v*|LSV4oxLUKwdrXmmw{#P=QwuwG#+YOjRjoP&E&)MW8&|@MRtYiAE z5qCH8BTZi^idIsp!bM0CW>MYR2A-Tzj=@yYSczF#Kv5wyyOEFMh#%c|3zz0ML8&j@ zq^Y#9jwa)Mh`14vDygGdykI|mik84Z+pBX^u|yhL^aL79EY}x+-6a{J{vU)@Los84 z2@o0nL0G-D0EC6Rv?QUWC!QFW0N_{B^%OL!u~98DKRcNoIaz7qfJ5iVn5p5r>4E=9TJ#&Q{0B*h}o0RQ?{Yhn`| z$@*PK)zW6hN9o5t(I{vabwtB4md5!$zbY(j1+xj8;IMhMa7}=qZX9iCwm>MMdq%R^ z4g$Me5VcZd^irtPXC8Ci2_0-hK(Lnm0e@g@D|A}B>_QA;p3o*fn4SC# za0N`BEDGuC1&1orQj;ZAcguPV)rFZ_B@k_x5Z785Tm)Q^qEgMlFA5km)z0?AN<^rr z^Fzfb0Z5Z^I(};v;B-2ZB8{@fGd5teCf-Nn7=!G&rcA*qm26B-)8klY2|tn9jEpdM z`S;uM8;||6mYz9$to@5CGd=)ThSh5$0AM{^{ROaeKLA$A2f*690RXJr?4?>98Lqzo z)@{Rg`!0j+Hp2b9+SxcXcb^1XCs5}sQJmB8GUjSCF=uRvRwdK)iQ0~j64puYnhKzV1v{Q&m=!|v!LLgGfB2QmxYRu4 z?HStu4uD@RF{Rpk@GBtzzjArpwy8j$|$Qim)xMPpjh6LD=dws51-ebCyZe>J-QOq+UZgdWpBYn~(m5Vk}qUojeik^wADx2uQtyid_z{ zNk8JhO1P6qUaZe}J)D*V!dV@oe1_-LB3Y`Rw-9NoeU2>#2k2oz81NFg=8-_`V3ovT ziR6uQGSz|B__BmrJz8fkJB5aURShb%#BM1W64D;4E_+N$3 zwYk&fW0+_FHbd-JFInkKGJwrcy+2392?%M8*jwHx4*$#Gr*&rk9}P?gNn<0!ajMRD zJhm@oau_Ny(=Ei+vtjuIatiQlfHwf3ho!?6gA1-$dB3_dd+q&m$rFWpJcQnmZ0-OKrex>WI4tf<`vXMc2x&C7H+~V zp?>Qb;2serAjGK)(#AifeQCiBnIhHrqf%Wke^H(MaFL8s=RGA%#Qe-TPA(JrQN&7> z^{tell67{=0Jdi+PAQR^OH@sc0N10>p?#4?A+I0n4x*BAlo!#6BvH48B)v=%<@k$U z5d{l;2n}oZ|DspsMZdFn0YXD5c#--Z+8@ykK85^?N-wOEsOpv}PUdXJe9$ieo%v+> z$9}ZOLOogx{rjAfsM2=T!`o8QxB^n;8d*#z*GmNh4S&(A-dX^?DlkU$;{wpDyFc{G z1wgNqfI_yH3HxdVh$AUvRsjFgMXO;VdGZRsL{lHpSx2DLune|pb}sj-BB@v%P?jqs z=w6inrdMbGL$8?s3%%0+PkPn#7rpYx0MIKfwF>0s(#UA6{p{xO)PLxel56NiOi*Ed zsp>BC5`dvk7bz<+Pq~Gl31A@3#(h3wuZR&o>Q)|dmo4jO_=X^1V5#bA&dGy z_$`P?eaUGjsrh74)kT8Jw38v0k`jmX@ag0l>oT&(F=gW_wOzl1*@RmAy)Er)aohMb z@?35t6ayLo;u7ae`Mj^#jvw$!bCTgRC!Z*0{HPM*@{f_TC33!|A45ix+cJfN4R$j~ zackxxf&2X-aGpbT*;nV&_ip| zWLxGe2^ps&d|ko1PC`VC??SeeNY#Fc6g7RX*2MwMq$q!SN2Xjg#f)>bHTU~*4#?pV zX#K1;ha!MoS$(jpwhwl7$T*vSJPk|fO8opil~&QhG1+vFadrgER4ftagI$e%uq!%= zxPWg73GjwL;$-+*WtbH)a^#YCe@^f8QrGPY?F0q3`CdRw-onXTGJ7NfJ0;uJ3IL>r z`Pdc{y;+T7!yAYr(!!~Zi8Mu-z%>0BSu$n$m#V}va?vs!_$DR?9P70&^)~#>FLk5d z8>)nOgo|bx)1CHZ5vwLPPuXm>VKvFy@EMO2`T(n8CbV6gP~^uM#kl?lUU?TB+7u)= zhnfOO3}4TGz^jUnIu@F?w59>TYKSIKYdvcYfLAmISVn=Q9T8hIruGX}e_gT&;qox3 z`XrX@=ix(M4I$ z59+^q+eWRfSo^7DTvPGQ9Mx{BIK3@qYkQMfu<6>x^Q#(0b-ZXnJvBBDS?yPs@>hZM0(%a7(ecUI**v@!A z?dPL8=Sx^WzmdVhMuWR?0PYt{19t9irR|Dzi^S4|M~7*8OuxN=klMlHy&Xr~Bf&DH z&x|n^zOLlvGxV4UKVq~q9ygYalp|XBA$^I%*|FK!k`F24k-P9-H`E%*(v!^B8G3cunXYGl18yCcWju^hs=+OfK2&>->Q9hBZ`! zM*aTrC&)9p>67=D$l-ck0Kh7L@E$>q2LP--0KgJ?9ry=e6%;j?=6ICDDw`qej|OGLHIJYt1U$Qc4b=ta`3j@5rG|~`?a4uI&~f##Lb3o`4~;h z0k2%Die%o?y!?C>_n_-uu6<7>ygtKuZxZ$Eq+62&%dT)-uri*)j` z0W)~Ccc>D6J_7XbpL%+~ujr3>?@c-QDx86!LoRi%qVO}3wVG~@2>b}pS_uaU^FD$; z!dD_PAcF|S?trF@In&x6`${|U_1yeP?MRKp-m|VjfA~&2(|vIMa+(e+ zfoDZ`HMB%?fwz8XmFcO{{T%Uq5~RJ~U0l<~>U9yC+s3NRb8XF4Gq3gH7LnFryY8%$ z&7G^l;(es;e%CpU9?4_DLfPhx)!pKjzQ_ShQ}pGG3#eCs8PDzHI|>SieYS4>68gP@ ztjq(JxJuZDoA-P3J}-77hXhwON}-2bKknY?JNkJzBK8?^I@qf0ce95*NROI3(EZiA zOrQPW13^7fO6qTN^_q~24e~CsfioHP^YUHn?cVo-84%+Kq89`$j`v7{y5|}1=LaaZ zDFrbs5}T);I1}~RE$Pq)(!i?Qn>o3YgbC>Rki4u>rS{IxxU(#U?kV$cOjYv^3GPO| zhfK7tnZ>D#`dlHCVr`BxRj-#jVCB;tgLhwQe$-W1WHS6-&K{&+#v{U>=g6aFvS-LdarJVo zy0+;R#D)FH`_Cm1rknUj}%A_YAufvSl>q@K@s&(*` zyu3|bb!3qw+|6xGIgymJKG;eTIyad6#X7^!hBy^@wnemG*LybU)FO}g;&VgQWDe3t zYed5g4A6sd3Hs4#1d||j8=FxDDp@nI2eN#ds}um+f)4%LhG?DLuXVa1{l9W9WR3O9 zXzlTQ!z`Oj_Bm5Ue_)umnCLVH8HG!6s+5ziQ^f~{SuqtGcy#;@l^3VAg2(aW1xmvC zMdd4{ybDp>OBi)g;S}7E5(VK+X+Gnc@Kb)fITzf+L6sTx0d?)1_iIk4)H)-#8y79H zEX$0KXSO5mHN?agg;y(>{~i82GPU`_Q?8d4(*c=^#B;IyJ=wVOJbL*MsO7ONXgtaR z7<|M0Wj$d;5hMC*p$b*{>m0|CdFP40+HWZ|m-4Hx^5BI}g?>RyvySy_8~%y`;$UyS zPvsb3W-W)Z77b;p))<75k}Y7eP1$L8eGcoHhwkARAQCh^j#uI9g4~;$0WYH(a416E z0tPl?KDLk3-`ce7>^NdTkCWa&$}WMSFVab(A!g?A);Eu*vm@?H<{4HPpv<`5so#xo z*N2(m+V8pK17YufI%WmJ6I;Q~mwA{s?hyFnI4iD=3wKY*IJ;fmsIp(`GZ9{vh!+BXQUxL{kN?8pP?NVHu`_7T(JG`top+x_J3v7qkycMxW#e}Fu&sf z#Ff_o3Insiv<9NDQd|CJ8eVtxUd%wOZxb{rfbc@(u8s?ZeZOTy0;Is8~wbaD8g?Ud{ z8~1sCUjOgrupNpl$MKgfSBITPSM8`;7Eo-}nR@2gIe>>Q9^9qd9BQ zO(f&8IF7fU@;~Nx^Z@faO8OC6pJBm^1HOLCI+}CI_hxLWDA1>YGhDoNrVlCsT|Us{ z?C#+3d$dYImj_}LTgiw`#)wWa6z^qCVIQ`q5VKVm$5&_aa9kK#f}zh^Lf zQXSzz7l!R7JFJkJ$uORK3Qkqnd^@SCZi-k1=GM7TEvyG-#x_vg24N;GJ&H18>ctUY z4$F~bf=v>I(;92wPl{kR)bI+LD!wNERLII=yQ6@Il0@Kby2S!FipU|j1)b_L2x(%; zQap|4{h1fUD8*GIkSATd5+f~-J7p9;iZQ}40y`I(K-PUxEAmjtW5%79a@|4T;(})C z%&cb2J%u7Ql1eoGcbdYrIAO4Y##uHLi%$`H%61v?4Pbo7=kgFRzQd_d+|^|MBjJ!m zZ&Dmriuh?t^5;}ON!kG#{eY&82EMh*gc}nG(Z&fwI_HT1sLmW$uW~O1*#`3=P@un0 z-wAfm9J!>lM6521LV5|rRT$7tofq(RYqe-4BYqbbC*4ZB3q9V7cRR?mmOF&3-S40U zbIyBy=+U~KCM&nPbiOg3N^4kgBpUj~{>SZKJ0j&Vjj_WEAeh7Y6W+v#gi+pufM1j; zX-e^!lDP1Cvr7aB3w=~jj|F3?2E7$lPKzhW#~r-$)#V457=CWZ3UaEcjvV{Uf`*eD zM$`7|v9McyXOskXV;Y`Uk3oNMmah=QVgbHl#sHz?NA2R-o7Ozlx$XP10H`hfmF;&% zss79u3tmyQ!>BFg8@L$5B%DJR0jcZ@umHCh>SUnWIlTlbuSq7^@9;HK5U>vj4JXsB za3hENyr0u5pPYry;2{~$f=*&);Kb51$gJ4)y{gz?;5tZ&pSlOVLstRjFk*l?O#j0i zmImmV0wQaOi%YOtoDJ;Fu3AK+phv|80a5veWKQ^|e?`{x9wbTsphy8k)`yFa>C(P9hS?0{tc=Qk)h^;!i{z1k6JveMSO1Buq2UQ1w#m`B zkHF(uzH@*LU`BN>gCJC3c-DohN&jvsQq<*18bRA2`}FDL88?lzaO?GGcYDzsn-%gj z;AZ17+9VA>y#2sIXV3zv8y8lGfyu*|^#&{Ux;W6XL|u&6!OK%2_K~p(N5y*NR`+EJfi2pWJ~GJU<=pp4HyE3G%x$ zZd@4*y8B)Lw%PXk5ZQPzi@==MKR`y`SWb#r1`G!-njxvc3$?p>zC>DGjlX&>0E!5U>pVo zGkD)yT9-OX5gI;h3)_fZ(IDA?I6fH-t-o3q=b+8LN`@bqwE&%W0U)!!-{*IP4KHLi zG0NU0RnJiu`qa z+P@yK9g_hNhY142VH&Iro&a$eAZ7oPS(l79tFg>6~DoPuhn_~V;9Om~S4g*{s zBVWWx=FT^4jtvPh1B{#eomoeM!|O~7G|~|5@ydbNEFk?4yIBb0$K)fIZ|(vWp8Q1 zc*ccQ(qh9ScVK>lG?K4n9NP4YJ%!}L6c(^~BALJPuswXZNSZ66M{_o1gGoW%o z?NM@u!2FKA*~f*dDe}wQEOk&0S$!)W1@L9+LQ?Z(>HcGVC%pM%mH~Z>tutmZ$5cw}{~0(Uo2P

afU#U94__kM{&r=b{vLqmJ+fGr*7IdJpnpY##!xeM_T7--|5}8Kwb@W&9baHUD@q&{CDlq?WTFxJ=ksok_xd{-a;^e6UBfLGq z5fC0#`Z<4vGasWskwHiIiD-1V-10Nb|4*qAZy64EYjmIhrpZ(es1k~+{?WDlf2fjp z;~kDLgT+9)k0H!}So*i1zNzNcD|S!mpBdei%%6c?3HaC5GR^jwnHnbYKD@5=-3PhgZs~` zGFWygvB5H!Ks23&kq+S;JOhA%<=?0gIq=wlTJc5{{6H2YB|t_+$H1}~XypP2i=AB) zJpw2UmXJE@C;b!7WQe60z+`kGl}3iy10O7YXzg#oiZ@x|A3p=&Ohr1G2Eb_)aP#asqc{w!X(@I z)shZi#dCd_)xrZyceIp5Nc3>R8U{wGUmN7Qaiuq)`3*< z925=~u4^Gr0ji7!CpcTkr?&H}j2*y=7d-R9g2x6=0U`z9;H(6mqVp@Q9l(kg6!XE- z!3U#9;SiI-Sqan_&jcqhS-}zU^T7*$X;=70*Fo)Yg zuOR;mQZbke3R=9OK=8|eFj(LvI?or-=k7nc3G8t9 zzaL`h3>4(xr+^t?shod41?*zu0167e;%SM$*XJm zXP9|)G5zUU@iYDePgl~PF6N)by#e`O`DZMxaTk)8xHlpHGyZfj|BPiw?@IFOV*VLh z_3KLf>0Q>{)$#HBU@}OnaZZ3)ok< zW#BBtzDVGoQW*f=17MThW3!HO3v z(qP{Uwr!bcPlg755+yFdPS;^NB?`C`FD2$JK^m0?5Yd4obh7{@jfZE!+qb_&;dY`` z*fyjX76g_H2ST7jU^CDT`$8OnPsTIF;JaU#bUR_Qn3w;MdxU*HIJk)R$jORGp#?`i zM8S5(Wbxb-4U84k7zREd7B+@pFo1ziu<<4ew-Y8~au8;+796gHQ(@Rk_3+?2p65rJ zWCW+Z@JuuKTL_966J6o>q9XPW8FCC6d3#|;x8ZgUa`q~ShSR4urLO2`D|u`gSOZc>B41@CY*(y5A0aRq@kEmxD49T39@7` zY3LfNa6M2u(729e&=zu}bu2^mP=2kBZ8`bTC%ha&Z$EggkF9ow>)=)IB-WgI$Kc*inm%R~o3 zMC*yt0k8DXkZ%&M2W{D+`i$zK2Rnu9K?*P?y7nks#sCS4@(XDS@C?1&4hN1%gB2XEG~9^lMGS8O}Lg?a>D(I7jsXgw%H$D@VY z0;8Csb_8Y#M?yQ+1GsFO2+pV;dN8F!e@q6P=IvMpCPPNoUq$PQ+8`uX;}C5DqGOT% zXfRla+9i#}W}~cg!Y}|X9X(DXT!!iq%Gh+KsJ=j3CdxS1p)J&7iSU%hfp^D5bQju! za~Ej~^+ai-ao99b+8{;+B^PZAtQUa+N5(j4BSRQJXbX<0V;QO^YSRb;!M8K%4D{Nf zaDS+tsBed}c^pw)1Gp?v-lKZx9kLGnQR!@=Ucvbx5qiOqutoKXPJTtFhyhuWuP6R z^}tw(W!MXt!t^p=geUk!7E$k^9(ZU148ph%^+0f<_2Bd=v5X>WM+_K!i7@EE210*~ zPGA7mgn9&9g@fK?A`A%Q2yGcK_Y&<71VStWvTp$z5= zB4umTyKJRR)_5iIGL?!H7wa zImC4YTwtUj@DvUli;j(KI^@hJz~B&KQJ8_D2U9!p04Bu*7z_v+2=(abz_LhNrszBX zW_c`h&qSmiOkzdLm=K^6%CG|@9os@+N8l9`f(AlcCc)>hnJkoSSfoF~T%5sXfnkc) zgTRvjg9Vd1LOnWqTf8F-7Uaezlo95{0GC6QIXDCY445JkV6b7yLlg!QFrf^XMJNNn zgfb3M<{UCn=DNNIL@#+o%lo!QHNj+h~U@Iupmk=2VNc( zwS5kmM$jP+tQHX4!fZ%{SKv7beiv9J8WTdS2gcg5Es7IG#}t^jzy^p&J&3Q+VGm)w zf_en`LNrbholipxL+(n8w1J+xWLQD1RI2_bA<5-=F^0E87xZ?#y1!$ zMAxMtXd?DUgQ>WP++Z0I9E=EUNDoBy3d#t4fj5f?whFU10#6yRIwHzvaK!|@hcaS+ z5MUATV`C50caR$ldITMZ0ge!>FyT(As4ST<4Iq@k@FAj;utY%|rZ7CeWn8E_15#<4g%t04MI`E1E8Fz$YJ;=-91euDY z;R5>tr&V0EW==A3bA#84Q51{z1W;NX_y+x8-?SAi6sK#^G_`fuIuMbt;GsDVhph=u zIde2&5eP8Tpu?K|KUYDo96**CEk`b-rSNu9Bx&mC=rZZL+DvU4N1Lq0p=f9^G<4w$ gN0X&XXVTD)gr^szSHhO}v2}Eg^!V{QM!M4f2OJTh`v3p{ literal 0 HcmV?d00001 From deb23fb7e3c4c5976e83587f73c0d1c8ea3727c1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 12:53:54 +0100 Subject: [PATCH 0217/1450] Revert "Add cure53 audit report" This reverts commit ef68fc1890bb00b57956180a6039873d11046df0. --- resources/FLO-04-report.pdf | Bin 597408 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 resources/FLO-04-report.pdf diff --git a/resources/FLO-04-report.pdf b/resources/FLO-04-report.pdf deleted file mode 100644 index 57205665f6fcd913d823361d1455259a79c442a7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 597408 zcma&NLzHMu)FfKAZQHh8w`|+CZQinN+qP}nw)yV&cdz#b{RTbDm1mIW#M-eVSH#(* z@*-lijC3qeq=Q9+U4t!yxll|53Q;2>BTIpolP9+#jFjS zO+-wL?2JwL_@JDe9Zd{upxm>jwIySZxEy;f)y{YXl83WFut1fc4f|T_vF{A_lr|1S z<1O@0nEZB)uav1$UnhXEgUVy%3IhArFkmQmUoKX9Y5g=>e|oRJG&A&mKkz4ee+<5F zk7FG8p}NteOr#+&fa z|H&yNm7V?02yVlPB%w&f^~syV1y>hq&2loqpz2Ht%YRU{6cH}pN0h}(Te-J$uKB(E07U>;-fvyaqXHwT$Uu}iXkA)w1c-){0j6mE(A;ldX`e3RSOvYA zH1BaDZeqgvIo(F}p&+J7Nn1#uNq{s9w)VNKXI-R7aeHr$P!CpzcIU|84#rH z^uSUS1Jd!t$xg?a2AnjU}f;bMD6r*!N{k$oVGd4%Y@Quh4_n zx5Sv{k^OVy{;L@$hwg5S1Uz$zix6H_hq$yaFS0@>kvf_ z)Dmx`MtxOo7nWS;c?1ExcMq9_n}=f{xQb{J{zD!g#6oVnxVrU5b@IH=AyROOfZ;kk zuOEA|#sKX&Qi)AELSu!C*H>gtFm4GWseyc*rPmG80w`~~1%^{W8}Il5B?1eMt! ziib_{9^J>LKl;78;GT?5`k80MR90f&3H%+RcIegxs~QJt6Su^q0fb9U-6T!s_Jl@JoGQJ=*F=93eKLo6fjz35q?Z^hjZ5!WlwiI zhc}F&QQQ|DfdyOecg zg$^N>3svRZEFu<&BHEA5L~DMtCnoD$zzuWrpE&YvV-hn$6W@GBr9FKVRD*=2XQ`1D zp0sX|ScFRFgVr$*0iz8(@+7N?7usVXT$1M%E1*B>Z@TF5@1Y1!U_t-aqNL4Gil-VN zTA(r0r=6N~+NA#$7$U^doP6bt$q>U1uy_g>rI~KKy|~hf91aV~Nv_9eE~d2jGe%S_Y6}Fu9a;Dm$x_>~>C< z$M+4{0t|$qB5w4Ed9b%v9zqXtFH&owa9orKVj#wy+Y=9%41>yQCTEOecPq$GG&KyG z0UPGkOcGa5W}nN52%}rOiwWhEy6ld|1^n@0*Vz#7CnKYOKOJM zhFPzHz6dQE#3NX7N3CC0T2O-6T7cv&J8E>apZ$E4n6&VAKe{#mYLhL6-OiaRwGv1? zFfnDGW)UnN5)Kh}7l_7ZieUvqKKg^XMa#;i&SzBxI5D|J=2zOHf@Q--dNonR)=}N+ zn}Q;X`Y14&?^uH2Mq9W2O;RaC#1c_EIGpm_wrva#FvKw2{f9E2;&M8k5sM@&Ul4>N zc{+JoXd3Ci4@T!wY!bc_UyKXawo=Wf{2}h$dZHm7@nAW}KT0U!^@$064wI|UEbc0Z(QXrYK_=E2BDQppO8X7Mo|1dl z9W@F?%IO5o|BP9@n}!?`iMVLv0ND)b#7#_RX|n^9jY^hJ zJkF05@-o%MCpt(M)>L&!x0=-&hwoGipe~_H>hLYgKADEWL{m~SE)8n<{xr@|ttV-@{+v>h_~~(OZq^x8SV$_Ti^n@c{k|c><$`UI zDLXlM-8H#3{|DwxV=Y}D;WZ33GH6@XzJ3*4%XEkM~CzAOT zl#?)?(S)0Xx7=hqhf>kav{1oZ!1D*>Jk*L7H?5erk-+ zgRqsS(IIoyx*qj!d-Ju@kSZqVWsdM!uq$7-eBU%vkk>TCTqQGo?=}rEIAEL{T-ENC`eE^ z_*3Gm6YOu;g^hsPqi=!Zwo-6OID{whm1;P-v8=92#Cu~5EUzx6!CBN$F8}^*9y`Y!AR+g%XpZ!73|9t z;v&;T3noHAopHPVeERHP#G9U_bA zL2lC-M^s!2U>+P4@>UoQC-37Y{>`_F6rhS$~r0KcS*mq^%rrbdf<jw;`65h@MlxnrahhZ*8biNR=a$^pYr>xZ)M{9 zX(KJ{cAo8Sy_i7T(fO_)w8iaQq|(Ay^i_Yn9Gs&uncLC(TzzI*9k%Ftg-+uH2?{wh8GoIQ^1d@iv;fd;>H0nCYI0KUU} z>|psh(%O>n(r4H^aoY&uCyDR%TJ9ZYq`#nme};to!-77!DOCckQ%;8*_5ybCWX}q> zeTJepx@UK{C9@nn(o6A@t25=+OgQyrWbP1j9)JU{+-a{XeZ&gZaN?tpuW^s5@p`3) z{Cg_;K@!hr+nq54Y6cQBBB#srQM5KDy{8Y=s@YOH$%M4ETeAN9j-P7dgDH8}FaXX( zzXtV_O3gYH4E{{a8g0_?FvW!Io8j3lt)6Suq1-g_seU=C#j!F7O+gg(o7|ci$$-qS zEP{9bP(p;{v`()`|CPcE?5GBzqg2$ zC7j;#vffdVZK}Yod>vZynQO;^{q@ZUQd#u-gA!cu3FtgKulMm3bF(cAdRV+uPl2~k z#e?7L9;wIPMJ&`nu1*>EIn)oHun3CO#5^%!rhQhPiYJO$sFP7+&Fbzf5`o`3P*RVKa~Vv8hKj=x z8ck$Fgw^S9g!&OX?(_^;H_=8@4oLf;qqqoWE$@neFnvGo@~ub-$r58bhDdRV5%QAm zRHUhscCM-KjgE$XGrChOsTlH&G!UP^Oc$HoEw(j~TjvC)De=Q6753(5Ytgd@hru%A z@%E%kKn_Q>Po?6_ zSoP%OF`NE#`N#;9kPGn6i_n>OH%b;vZ;;EJ?+Wf)3;FFdj}1jlN75w4KzTbNM#UM|9Q3I? zK%Tg-yIXPr8fCv{=6%4f`9)P4Mh4S-v9si=SR{j-u+1w4VF6asWo1=2g{)QM*U|(< zdmexPy6%bdnLECeE+r@JACbz(C6^2?ImYqqpWk`+<4SK*={APkWYc4%?05G#5=2Js z&ZS%0IOWugMD63KeP!FHId&jNQd!L#?Min-G2HSx){FnKW;dZwWaxSTD+ZB2LbhI8F1VID6N^ zt(SMKTX(Eo3sKG_&)ze2z+TNRqvQU4`Y7>~e(4UGvzWK@8T?K1@pNV*Y_s3xj#sJ8 z%sTEB2twESDLpG_%5=uMV?3i`+xpJ*Y=;;R1v_{AC2uq=<=)1d`76t0>t(#??YceT z>Jl5BEnO3__ugChIIVh;wWEy#9aieT`W|hKcF6Ii=@DB|Q*9lY45K&Ma{{F2U9OcJ z?yo&6&f4YQ49KO@M7BfehIKV%!psaPH%FGN7_m%q>~I+HVGTbKPFXW$Bhsy~CETSQ zvg+>^83@)dk>4gBY&N_e_#bVd&76jGSez;X*Ukt$S843<*~FzI0tl}@?4lvgSCTxyP+W` zmTtLxZ;UoF!r=wFldAnnui{!xwW$cW0g((vFZ%TqXMUR0G11fSQ2CnZ%Ak9Q>4^?6T_0D^+bEUT)HlCMn z@%ZDP57GUv@8qZL1V+__^V1feMwkxJ84cFR`(DtWl)?b)%<3;8Oe{+fIXJrK!&nAq z0>s*dTNA7E$raBCi3(194YSQ8^`D&% z^`DFW--4Bsf%U(~|Fg;Zf0*rT|2Jm4j#MlOr)|$^?O0;~RoD&^14Uj%>88J(75rY% zzS8>Te{TD0gWv8!W@PkKRsU7LdS0kra3B$7LIFm6_ofxc@AXsaBipZ0PD#_$eez@B?T&4g>AK&CPm_>C)dh> ze9CqfcvRb;y1zZe%wOzb48PbXpeX)Rh^?!}WMV}nnuu~ptxW4t0D*9+U<$b3&4*4# zj#>)P22ec97!Hm`&S)S%=!3BT9CxZoX${g?=K)m2O%7A*YL*C8VIN#7G-5{JzgvWg zI3TQM0r{t;B=>21k&OeOtbM%2kc+>mf5}2b*YBBQ>2&FyNHKR|2 z{26@c$+sN@?r&)4PtEH`eA7wOqp1H_HdE$75` zP;rogY@g}uKPV(<q!^2E{s1$p7^X^+@9BHD_B2Bqj~y)#af5k$8^XSCyyKQ7dfCw zn?;VYA&Gc$ZD<@EXfpu!HMf*dQ}=IHP|Ub-O2IYUb*gUm?l{|;0-9!!A+-|gTzNx5 za`}~PNGL>G7K(A^PZR(!5Uuc!x;tV&zIgqf0()5%;v}Vjr2w2Ayg--X*D{+SBjjy~ ztk1JPla~K31Vr7fmwiTFhy zevJFxoX*K3kMU$|i7;xzq9TU8sD&-l4A2)HW=qxic?SW)6Qd;#sQ@_|!_+{FrF00b zWdlgZ88V_yB+z8xH_s!B91dp(Pe&GhVOhHwp0xZ%D6|BNXa)h3pE5WD?-(W%Hr$Ow zJVO$iZYbT2uBpX?+MFc95ZETX@LppGx9N(6PIDHuh#0RQI#OS7 zbZd8L4tWtd+P@4eQ*yu;eF7CAoSTQN;K}cY7P!|pzzziU4DZVAV^dr5MaZ9g$0RzZwj|o*oO4WJ+&-T%jUQ#vl!#wLL~fp8 zP`@out5jrpSez$2Rksd4GnRN?EE%Td+X(m2d6&)OmQZo!TaZSWLUQly$$$2Sb6%Yb z|C8v7rfHi@s`rib%yCnIX*7(Eb>dUl;8hzHkO8W1wlXI$Tp}e<(wZPAGJZ35!brQAt-PddWme3P6khT~^yJIxexE@%;3Bv(in^2v zda=TgaGF&yNUGUCKaH^6cGl*_MY9!{JH8P>C??~u3M$z8${A=MQd6f|uK#qj}GL&&}3;ljLdC$AVp;idvyxLj}7HAN>7XEa7bfK0LOR*!+n zW~)y9PwnjFIRw%KUH;+cfF~Oe^>z{$9UUqgI>59*I3WSf@}ZFMkWXxODG3mHBkSs1 zFMajDiu5pkW(3<}a%dctnX)X=-(?FfzO9Lq8kBK{<;1Y~m3jbL{Yzn+5aS1Dzn>em zl1Q;-!}MWMB&983;69>KjVUw#n}$Cih`)^6nUh~^Je|J5B5*-_jCp|Kk1L0nF4E#S z5l_*C1IzzrpX&mTD7j!$^thsX!w9>iF`Pz|9@WZWP=_#?g4Pi;3J!l`*19s>MfthI zVF!W!BSw1Kw#@2xKMQQ>T3uoELYp4Lg*Q3H_WD_y-rbk_S?LI6Oj*BoMu(YG6uqdp zQAEN{{NjG}V3)<~tCJu)PU@^?jhFG)UdId_v*CiQ4}G#`Y%Fl#Qi8}jG+jzlkc}YQ z1(100d)=5sm5$5$XQdS-iG>A8k$*t* zv|6xp2;ID;6UaQ%0qW74Od(d(qFUob@H*#|iYSVk!d zr`!tXQ}Z$PxjMo`Qq}9pCvUS4j?9tKD5vYieo0c9FJGKsCjJ$>sNQsEfrncG+r&p| z6ctVmkCRzxz+?{zE_k`_om5purE9Z}+POHi;Bi%1z*MVa3Krvl&m$K{VjAai+37bV zt$_>Iq8>Cqsn2Gom{=yOp#68KE`G*pBJtcQWq2LtuLvTvKI=?!_IbYfuXOQLNl06` zA4}kW`17C_bD=vZ4yq34CEWp#c1Qx`b14KJ5=i+hpr&n4=NNU;Q>|(ruDnp*v~rDA zX(u~L8kQqd#^^PoGA{%Dmz{z~V+w}#C4aiK3OxDd1V^<7AC(YGs)%wyT=q#hi_C3i zm>1m>A!oZtX*PmI4^APXdJkk}0 z(_59f@2Oyg=$|fO6OxV*?dudvSxPM*OLfBhS9%N`zQu~^J+pb_b9lu(9aY;S7qlI? zjUOh}?6^HSn^ng@&1u3;_OO*-C0b6XWS+bqx8#nowqfS~M#XfN4i3=1rMCg1R!|pK z*vwORgLvsAh`5m7Vp%)bnoG;8DC!Nt111*9imY$n7giL_B#NVVkCJZakbJ$c+(B>Q z608rI3N;#WIXjefcnkpr{>M|D{kjFIz^Vre^!6k|jIM$Pn$WJdVmmI}0j~{*iWd*C zx#{wY7&;X_T@@sLs@E7P)yzgqu2j-VHaE z)|m(M>a{=@0L{HcqLC(Hl2|L5t-QUr^6f0qVukr4ajkc7>>JP-SjYSIif)grS=L;x z419KDl%J%5?&h0`IC`gap;c^lAif7qp6HA_;{m^r4`=h7N>YSB2(hc!Sp-(IE?;=1i z&lw88dJLt^tXD@ZOUDFUz_GE~jf#%V#Z}hK@<4a*gjLT%6tM znXIDcBQ9e@qm}ann9#p(`2JKVSQ8YiP6R%Df9mkA|Gmnt( z);#75+3JbNDETpU%oP67PE#eLIF~vov_ zsaE3LLyZ*I8}o2FI1^sZOnBqdB28XyoRJ@xbBZGX*Pg6Fy+oLrqHy1V#wd$UycWYY zhyECEjWWV_iDO|BFByz141;Ga+}VM?XRvNnY|vl*%;>yu*Jke?hB1my9RF$4P3DY2 z`2s4B@MQM>2VDgqN%feX7kiRa4Q++cj!Y5zQ&aG__6HLZ6h^TB;h}Kf<NRy|TAkq(>BHWOEYd^9K!#hn?PU@7Rt5&f_N%-q)|v z@fLjN^9DbnHyG9)!k&Jp72Tbz>wDDh*ZbpV^IVSGXA*39AfShE{}IznV28nu;;wY( zaAai=RM^(RjQ490X*f*nP%G49Tnu%plmu&D$J&lQnO?dubOL7tJA?UP8K$M4vZsGf z@4mgWL{ivS0q3`jY1anU;RIiQ7`9X#3GYnTL4hnPCPMA8zG|)Njkw`vy%+8MRP=-- zo!_=Qoup_FWM)QAm+HN!CO(s34`u&q-B(vGZttgM>WBW@9{)Ut0 z7mKXI{|>i|4)u7}A8bazs1F<>6b1=2i6W?&oRh#M6s%tsFp)9cwcTH?#|dsMLE-+Q z_5+-AnwyX&)+Z4LdIKy2n@G(R8fSO%n**0{;SqQ$QBXStjfY5#UaqWQ-MbFzGETlu zGzwCj44Pup6P@H_bq6O;=v?Y;CkBfOJ1RI!}HHDJfE)B*YSME zN`BP7zaAmrK7V=&1{xAbwczcZVSYFNP?2#ygY>{Tj!B~U0C({+gy4r_rfw;CPgH!= z_Is$?6uo`O9P}`uUd8<{YUwXriU0Z`TRDb*!*6q4YLB6|xH=f>zPV5`w*AaxQT>j~WzIOV$X z9CprG{H+uKPwI&YK3)KRsl33h&Xlxk77Tp*T;ux5#9bTc-zjGAfpg0TS2LV)n;ui! z>r+kI2LW2w2T{*9vSzBb8J?#!pOOqOpjnErXX>3M&>=*R~YSdYXa#^Ri)dqEFAc^GGx z=VkTx0*C{cqj*TVxJ^jws~Uu3gfS|%(KoiiH6@lTBp^he1R(9L$|gvSp(dNPfNbT%nC(+SOgOhkc`nU#46UiU9E zh7bMe3_hn@=&#-_2P~m3n3;T#<^DPE4!cOEUD-K_`<-LF#i;B$&R$((22SO%h5Q7) z$^;Im4{tncy^Q#2PF$T1W^}l*S%E@*ok#W~u9);fBx9_Io zk=bj3MSw+t?O5F7466=Ye^D=p3+1!#WJ`*P!;H-z!h_GToZ zD8$~?X45k0|HPL&dX2Qf4L6pp(U)`!uCS6-Rd}ocx*W_h*w%QfgKTgbq-xLK#4aH5#KjHR~Ak>gw@|* zg9ovgcpM|Tk%7k4c|lR5J9&em?a__0h(xsDIQft|LBb7UjtgwTAqC?A+35CLpo6*n ze&6OL*9jr>%aVbE&-^b|nUvxeb(9046``OP_T$;fwKv6kt;1rrsoL!Rb8O)eL5koY zA!ALRlR1vz=s0nSM{F@ zatr9U%Cw0bHtFq_Ib_lj7MsGUYB9dcAG!md<-yu{x1!={$l&t^PuC3d*-6vP@cBu@ zdQz!8F)i31siX!bI*pa2Cv@m4Y%_UdLtAA2>T*9NpW>urQRWqNis#)Jfc!BHb7{c4 zq~A)T@vw*zv^;%BqMgmq`+A4pAt{92qPnsn%iQYfMeLRwQ*CXgMoEZI&-6p`x>Mq8 zMnC67gxg#M$OKy8bFzb(Z-z^r%;d(Uxfl~VUDk8VcI6{t1b8MZH(SYskh?vIJKN(* zbmUReB+FPSlR~r&|MQ@cG22?bZ4eDAc5^iCn>=jgQ~KGa zL^~3MOwHTvnqZf_`RE|)QsmD|{H^0vSgD1Db{(4y@cZ1UBOI=|u8fJx^7<+cUtR~! zJ@=WpQZ3HO!*7nzsWgQIbn{^owccJZOt&%h;UM4ar-uwa-NtXCfVYgXhUVc+>Nt0q zFlAlF&1Sl8{hF~)jXz1y`8a%Su{D0)0vZ*XdBe}Hgh%H)BT{!P588y># z-9iw}*E)E!Sf6F0T&jf@#@+1I8-K1os5UexL_IP(fm`{NUzmqu_fUy`Xklf5x={=V zy_`ujWK;g;p#F?HGH^#A=f3~+J>BtrYgsjF74v)W-Em@2dg3ePY*N#u9hcyA@4}hz zQLRR(_J7`i=S=mT|0Eq z^FG#5zv&`nvoYdq)>s_ckYtd6^Sqh#`glN>+UgU4)oE43V}Lb)b0aYbL_cG)Rt|#;X`dV&o)#v z&C@E|yLfO@{N*5}*#jjZn3?5j>{z?M!nA<5urM{{@B~Ly9-}Dkh1Ys(hu0~2)q1Pi z`;anh;3uTZx!BlMRH?u{F?Y`#dx%dUdjF(n~m6NT21ocEY;ar*!7t+VkW-o zwS`-F)(F7|cKnU?QQ5G)Gn4?Ww{27WXh3e4Nz_R>&;i=68;@O26Lp`j>+S-D-wnw1 z!D6OzCALl8IeOSUtcQ$Sb*A$rP!>Aqj|2RE`X>Ejf*<7t2OzT4xJdE#ofQ5Ax;wdFYz55IiG-ADgC z&*Wpbm*cb60M$CUdYG>?>e-3Z`$B*La^ z9t3FzO&Qa+W~`9!3CkiV%9kNBZu!|50rtn)ma4LI)AviA*C_a7sOTv1+9ILvH!7G| z%|Ap(O7XYmtnG}4t{*MgySux##rGBSE-!MC(nW3bLC!O`mFDIq<%KHDsyBz;VyvzB26Yug)#vE}tzJ5jW z(9fCN6Gr~eFqJd*oy`@XxB8p%ONW6m)>`+~ZDzEayrSv!%rHhCmr&7|KEqCtV@j(1 z_vdl#YVog{P?s&O?(d6Us^9P8vmbr0?yu+efmByYhpw=O?gZ=cPuON^stshd_GqtF zwc5z<%Wi62HT|WFR!gdPH}{omcKu7kv^vEqb}#GRd3NrSs^*Q~E!<&G{c}*ly8p9yNRmuGLTy| zqFE#AjyCimN#Rtv)1GW(2q58%fQ_bg)@4_MOTfG}T4{7F!NiIG&;$}l;Z?O|&;}Gb zNeEkjw)&5$#7(;@6@lL2>68sd4>6|9#CWRo9fQ~>f)O?&7#HrtAT=u)XCKh!Sd4!10R433{XSdn)hfG^>Prp2yt~@1Z#H;hR;<)y8**Js~>2hdv@sX z*RUcuYy!kL3FzCb#zy(G`$itUC~QRU>EaQ)_)7@k=o8!-$)`h}FB#nq?5WR$iP}aZ zI0ev#yN3euUqVeE{_PayGMJ4c^kqfPJp?F>(?+hZ;Fqggp35A4lefqEJOv#+2Z5I| zjN5z$On|7`gSbGT0J0)4T11XG`t!6GYT7wZeP6;)Ki5hKKuqD@iIC=TP`bCGCmge6 za1ipuMKL+Zeej6N0XkG`G|4TI#0a!y$x+f< z7zU`8+c*=U0TJz-hX{K9w~B;-Hhk@g^&c3nJ`ivL6kNg4KEpe8__TK;+V;lY9dQOU z4J(9zFi_yC8h-)DEf4roQz;^C5FnUm5LK63kem(xmeHPRLRuS4ZZgN-V20VoSUzT@ z4pnwgud-wMi?W2=z`vyE#ctMMRr5e!^_R0L3(hb!_GeI#N>Mu*96KQrTt4K8@(}tk zlSY%-9L9{aR6ImrpsK^qjDw8?6z!s59#nDl+y`-to_9pbZqd$zIET1^L?m8l9nU2U z&e19D=qC>A>MZR5*dJm+f`XLa$Yv=MwA90BS11hG)Oj8gGkU_<&N zwerJhP)@~8IEFmO>x>!Y+`?dm@Qtu7#{H2IF+BCPL`nychSlNRli7*FQK(XePdq%? zVu=%6HLhHJqDAX@c^LsM+1CVu6&5jsU&Ijsbikp6$wvO7!69Yz@uV2CFQ!Cfd|_S< ztj)n5;FpEg)F6o}XfjoysHI9avgJuI7MnXgQKC(`YjBkEeCGwjG@vep{-YBEo{`oi zW0|PrtlD9)~t4P`?0%Xuy8@ZmTu4BOfB9ng0|uTV0~(&Pjj+5Zyu#Ntcr*dIfN&rqe!u)A%-@yniA5rWmoJ98 zg>{@*fKCds!@|V^Bz!Kz4K+*1H6VGy{lR2LHdDx>8n?QmQ{b8cECqe-?1~hJ28cx{ z%pS&{MClxKEY?IQZw?qv{c%*7Y?KW;}n2UNEgOuSu9f^M^ z6T2Zop+>R=Im}KU!AF9wF6x_$!Rsq87U-f^j2M;-lFj~&g2b-JYW-86+5Zr&;~brj zmnk5sJr1rfskP?eJfkd(iniKPDUkOEqR_*@eFt`))Ui zhUQ3NI$?(Ie6;QUo*1+%87+7y#_-TKE?Y(SY<+%BAr*~+wefJs8=K|NuEBY49U&=3 zTa1qaojuA)3PabQNf{Omtw#SaCHOLoK-^W!R1Y zWD+XrLDYm@;zV+B)U>d);#}8%O2;@e2P<}-HJE2(bcvMS6VDLl_ zw0p!U>Cl9#Jwh?q_>V16v z(NPICTx|X3p>Ysq%J4Xt8w~h(il%lb7UwMex?!MMZXxWp4dre9!cQj{q}wJ-l=y}b zHXj~F;|LJ{KN(qz>Q#%9tUN_R zo=YGn^(g-;+PcgmQU_zuM%r>95v?bl2z5;5qIin;&k}42icJjPa3H1}XDQFI2(L|o z?G`Rus7Ewq`oC!_8^eqY4fRE3G5tIAU=>S9AT>j-H|Pv}pzo&m2;s7Mj?C~=Q?}fo zn7RWz=VT50D?G9^43k*(pjUsGE%1dRCGf6ZNVm)UFR7WR7Pb@ zRo4otz)68k)tL8;&4t+;bU?8x1nr9*0yXT?vP5Nz2J=3_u($DzCb*Q0rbf#8S;I+a zD?Ne?<}?PVnnePbEx6Bo*+3(v>P=D8p7W*ZrQ1yWJ2&$+-f{fSl2>#hYcH1F3VY|`ns{Ydioy%oyNQo z?!@c;mX4^x=%-y)^U-R1f=xkst{9m#QGXFxmNeKKm!?fS!LaL=P}P*|Q2yzY0?_-m zku;N8z7=X3k!=v=xA&z@pw5cs+6{0c%nJ8y9h1>j1~mHo<4t!ilO+qY$Rd5lJT1IS5TA+Gb_ld6)VXnGH%o zwjs|BOzb_73V0mb3FaV4+W$k?IR;18H41koPA0Z9v2EM7Gnv@z*tTs>Y)qU?Y}>Z& zjh5|?)s;4 z4OUbO>&$GutZ<9k#sGouY=`h(RZ)q|i%e}JNc}}S*9r-+qAw9cDSK9_#`?L^w(VQNQ4X?|VfDJkJcjE0W9)NXdi6fy3BI9#G$B+3UmSAi3K zKF>JaTfteWGMLW@#n@qD}li}p0*($O0x zN~Kj%_!4^W!&Ji?YC2^OG;Er}Zkyv$JeZ!9XvjfGIK1wDP&jtN1S<|teLwq z)G@LpA$vTtr<93BD@2Mh_)`0S zJA{Jc_8xo(5VmIjDUpAn?Zq5TEPxZMhq4-({_n-fge-7;*;re20%Gjvn6GSQ(KKy5 znW9kw4vF==(~Ar>-8V{+fJrtqoE#CpzNN(mvT!Ud)k^@h!?Z_(nHBm`4>LF~L(c{PFGn=+Jc$+sEvJVra(h5^ z7sOSyIZoCvWFV&iY#SSb8(le^O+3fI4I6>8sJ+mReB}KM#6N!t^MG+7aEt<^ z>3u$00~a|y0#*M!9sTr#8(k#r2!3-K-tB(T>Y_6iz+stRq>oFt^L=>v_2}gRXWhO? z(AB$ZJB2Xt2Cnz^q1Aj2+2GYw-B2V@qML$AbnyFGQxQl=pz z#yrTNpCHc(|HF7c2je)wsCBJ1gQQR&YC=q|6E#tCnV4D7m$GLb{?)z<7WC1D{k7}k z*0{wROYF)!=o{0I8q_yiZnix%lzU>fNaNsh=24w%ixcm(n$9UeX*0F0VdZ7@aVo+O zUnJ2zTMu62K;Tor#3KwT#gQ7v2m1}dwGW#ghZ4R=r>M~)q&O_ zFRXB}!Hz*pGGVfvfp&2J=ur^Z1HV79eGq@PlqnD|z~7~WofgNl1!su9Q-?S^o8Y03 z`X;~8ER0KIVqt){PIazu85isMRF5S=8FATtr+(wNR2BMcc|xR{w!q%x-Ne+irDEJ| z%Y!KQK_`9rxo1q%-IWC?JA|S$X`{0x_Twq+XRcQiF~{{Qj4d&ifI`X~%z@pTVJf8V z7x95p;Vs==bq!qS$ppHkNJQ_r=ik=uEoyFZ{(!5YA+_&n?UY`vwl&6nrL`c_8p!!p z-z25hf+-qwv*4;Er1& z=QHS}$!jWrkn!9!a@c^-18u)qSKjNV?^D(8yNG-DHU1rD#RivrwsCGv1Q^5i-x?xc zw8YFaR!TI(B30S#A&3AmGSEZK^b@63cO?1EmB6c4@(o)rfALaeWDRY;+L4gmn*}=i zA;_lvPp4YZkwTi`W_0m*y**u$awERe>^Z@SK3bZ&=(eI{MP(y=iGGdA%Q^gv=cX5p9%@P-Ssn03V}-^P z(CsvAq|)lxeK?(G+P>pIceG-Df%GLN#|mrLSFXqnj7^6snKXeXxUL9uf+J49L zh3Dcgts%4^aF>zVUC{b5>~;`1mtIrMx4b@Xq@~xpeq*PM9yc!FSJ9a42unUQ?tw~y zH=ON5ZB-vEs@vE>4WGDp!!g_$tNBLT7-k&eUpUC)JDQDxfIlK%j+_xYJYp3KkE-gS zT@XZb6)gj3tV9-%d&Bt!bGA#-j+u2zEs9isJ$PONpLUE@?RKh_G__nxEvRQdzA~1- zs4jlRNgi0mo5sLw#FI80)n!MHh*yNMcv*=gDgW$_7{`MS@x9Ih_OK1ZlmYBS^7Uaj2&^F;=JRl>9Z_uK0BYfWytam%sdSW$TSQn4 zHPS?$B6HFHc`s#AHSXxyt8WRMHI~c}(<`9kw0yRR$u-qxG8bvQX>jr*CS*V9s@spp z_TwVHWmx-OdnmVh$uOP=M9F4zjKyh=+656Y!BHPAXNoGDpxrg~g zlG0UWpV-5tsij7s>S5&cTayI#(7ZnRN!48f9QjvEJ@8WY%n=?hh6a}JSbOs!?yL+Y zvvrivji)M&K%&AXB&2dVk%TJ=0u{d4<;N0I z0iFWGgx8pAM64J>GT!!SCkB@kzIS>aQC9Avd15o%vPh3#iH|yey*XOkD+nO#sBrNT z%rke1dS*lrO$KrUn@dq=o3U{wiD|2K4vrQ1RC&1Zy3@#y+b>+!G5z|Z zZ7}i3!89uXBd8BfD?OaWiKphJw$!ANtkV*g7lXXm79}HauPLDuBwg3r9%pyCdZoE0 z2NF(#FHI!7FF0b+tMe|OaWGJeYXPHLtb3dJFk&fR>|mDRCm7^|G$aX}A7 zc(dp>RnwB=olIJfCCNK>Do0nyt@#nD^CH#xb6XV+rg$(ZnV?N%dI=80AuTifJvzFc z+il4>roo8bgD&Z?8BQs*W12NIyIABGEP4$g<(z4kCeR{XSpH}O)jQI1-2vgpqKG} zUY>4~?;q1AqRa4b-_1_e&1v*hMdpFXPd`W=Q3Sqn1t5@2dOZ%?%qHV4fO;zSgVDF2 z>xBe}RlEvg8P*nKhX(&@BUbxy3I$nVA1vUpx+{qSBEz+BIhp*yOvl#>TUfms;7IxW zV0Bz;wr8#WN1^xIKH0E_SMqN3Mk`D4bxUy6>)HIAi&U}qa%qzGwO$^>gpO+jJi?E0 z--BHcZp=Xi@8ALtAl_~dEVOKkSqH7J&dwlPZf11FwYg7=&YO%1Yoyu$zEQxFlU`Q@3f?Cu9uXN zhpXh!@~BKp)llZ@Z;yNf?>w-T6dEa)L~EM*$b%(6h9k@QP8ixCYt-q-u2Esq9A}eD z5&%NOan>1l$7j%lMLCoF?bQnmYj9+>TY{11?l)@K2-+^psY(H#1AD$HYdKc@c)gs| z{nxM=>@c_d*GXc&pO9w>)hs$^ELd<3$EXDumK)A_bHC+d=Y$B3mIZ@fpFKik!rjem zsdVo}P|{rtqqZ|cFEuUbTpcd8ee`RxfO;cd+3+b^-g$kbWDT;?b&4PEd_cR0wOcOS(ViE-&^tgs6jd9k0u#W%eTY=T{S30N~V` zzo@}-*b10Yc@HCqT(zNnrjP;Cgh9nDBIM(z8b_)hMCJAXCREnQ>7O5X;DccY49BM zq;&eR{p!3gZQ&Z7#tNbSg$v2jNAIJ`z9fxw6P2NJaZf@OFtAZn5J5EfNS6a{vHLm5 zkm3SznWcw@kz!ddHcvs>H8HOqUf7!m;1BDV3R~)7gu-xRZyGidjla+K8IivmPv+1O}dQM9m8(2E#ziuhtKCer0;tC zEHUs!CQ#$RY{u2AxvT#q{eanqnBWxz1}r|J(>l?K%Zk}soswg;l27{VmKtH_G57WM z8!@gH>;fJ}K@sz8*!&U7Sz-2D2u|0$*8|rYsJDMWw!uziInwD*6`dc;jc-%A=T{F0 zDjE9Q`KKv646gbfJnpV8Gnu(Zhxi)5IOrvLN~_NdvTi7ey$*PESw5E>VWOV%2tx=K zWiysLgSz_rHj(_99E2t-`4JPY)Nn>dp6)Y*cx!IMAN#ISB9E+m-Xgzs+LKASy`?UF zrM)`k-lft*IP+<@v5P`5+lE|PAjpZtUF=nb*NXO0CoM+#J>~wsdHy-RTb~mFvnxLS zczVh0*8agtC$7!d?DZhT6<6TjwM>%u?*7i-Lvz9Rf1vrl%>5rU&&kR8-{v(V< zTSzl!H2&s^_;T^EHCPY*$;Hwd30OPj3u@)HmDW9V)T=^irSX`{ImHjE(<#K5YUA5{ z);)H6>yVRJ!3K$DF0;g*T|k05fAQjfe?};tT1n+&ZI&}*$%!-Nk(YYCMlJTVrk^*WrCk)n)KXo%tBE^OhjXisWD32ovC!}b2wzHxnpr}nY$xGf@4KzVSOW>KQpI8da0)~bmwv#q z-{nPeXqt>D-$+1aBGpEDJuS#2XfP%oRv9oNvnq_@<%b32nw$j!b||BKOaU~+a^`_w zGvYu~_R*ncvx8+&5EU)#lSRH1%SPe4u|RN|NHDP0VuuU>gz-E`7FPT&W{ zhih8mAr?ZMB~gQ!S;T`qju6Wfy{f?}MlOW=QkRB58}erM)L!bj2rYQ1UD%sq5%9`T zU%63@iRR!aHcxy_B4+L$qD+CL!aIFtt1Tp*8ViO=a3R&fOb)}^oDwy}Q~|+)J!}vr zqMbf0R$mIu-U;VYZ~}kQ)d|NhU<}s;H%C=u>o-@C<&Sn-YFFY zIOc_dq3Y8(63IVZ3J-BCV1hRFhavyU*VaxZoS=W@>lX&vEc5QRRAZbICw(jaN5L)M z`DA=I9ukQb-a1JoZXKr+`GuO?fLd07a~BoKO7E~=L`Rs*7qGp~x}WUyXKq#@vhCOg zfuKuXAWo1RVy+B;J|u&;3YBQ98d-BQ*nafCVs@*Np@b@)ip zLm2e$g%_MYLu9D8rdfZFW&D=yYdDmHlH22DbFT%K@j*_cA~7 zT7S$@v9p49Jn>3A+boFfHGP;lT)ESW?=+E$$Ax8aB}P+oO6RE8YV|yQpb%))fC>S~ zXJMl>1@TUSwOqIYWFbPmV5&YK=c0VW6f@ACEAGK&)d1-*j|n9cjozR3&Qu&n5r3eI zp&K?@K`3{7+|&iW+-5=+>mzZ*vqxpk&zbgI8<%Ug34jdN+5IBC zShLKUOmUJC$^2{C_@N>k8H*|Ggd`_#>&bXN^Z0HI97~OQ4{j0qYX+8NMHW)FsQKv5 z3%D5Caaluy1v|@gECD#iqc73D3cIX*RB%~Y36=XUg^hf$#lP02okYYnsa8@L@Edw6 znP&QjRfllVe@!ujk|`s)SNrHy9e@;zlQf90_sfZ?L}ZZ#Ub4aG2uOp${k$h+sW=h# z&}uiAnaYdsz`#uMFgu?#03lm1YIrir@vM{o+0wGaaVj(^Qh4hm1W*Fn*9}1XTHzQ> zGkZ!OoZ(vE2FIWCuYH{zSFc5r9bE&?us+2Iw69%O38|>GcmCANGJg?os?E=aL~5nE zB#iIek}=|j)Uv?J;O@{IzfBc`qeSL4$X!6!czKZFuz73 zu3^*#3$iX;BUk0B* zA%bf(EPNrt7s|MxK8eUOo9zuc4fH*ZtSi#Q-*(QUjW``#6{YZ0P{E5&o}Whu?wOk* zgeibzX)&+W#gLC;l?f@ETt`QtDo;-y`Hw;T^+GX;sx>JSiPVEQV{l5wQE7TxOE*zS zohZF0V(N8%tG~PzY7u&wvnrR3R-qo0`1r7BMK>1>cO7cF@gJA6kM=3Rw8o@X5f|fj)$IN=xAC3IFVTFCtC6(rJ6)aBH2CLH9Y6Ur7TSFAx!KCH z_m`h`5e^?}>pBceeI*nkoGT|%qn`2j`*sL*0$GX%9jWimye&5llCGhW2rSiqmoyTz zR$-k9S*T6buqu1U*%g{rcoiDbFb5@^z@m52;|M-e>gW$JbwqVn{47{jPn3CmHtM7= z$G2xP^!3oOd6-Oap=d})BXd{kn!RyDl($GaxkzXW@)GhG z8Udk1Ghd^e6G^@K961f{JnCKky2>?})dzqGv4mp?=J~2vt%XT`wjIs;LsoDrd)GK(wfUW;b zR8sUScuY)~cNy+Z=*d`dnVVYEQ#?Q=nc^6y6h4IDKvmvn5~WqYt=+8kBJMiikgGK^ zRFJ!|L#2$D4ic=CEUXSehsGRq-QNlTgPU|<5Ep0Gc2w77>QWfHCqYbTO|5>%k}|g0 z*)V1~x!E3I^X2a$=5BbIs)Pz?|4mc%Lt$^i6;pE5?8t~hh88d1*G-^+^FV*z*g1*S zVPh@hDo1mTghk>`qfGYE$GFvj_K!w=*QNro(s<%d1avOopNn z3I8PBTY-+d+2kT41qf<~x?T1Z_-czk(7$eqQ$HM!qBk^v#T=4eX!hDUx7g)myLqSC zf7vo)^flVYRNxSgmXe00VAmpN9+Ap%GICE?gBdZWA2IykujI#(SEp~2gG!$)d5+gb za4Z#~Ul7v5?F)EleVF}z20wuy`={NCD_QYDah_uWY4lRwH2Ers57VY_>88n0e|I+4RH-;t8`eK z;l(y>l~G78GY{@79_pUh#^Iz~vUZYStMrW9p}7sCo^+RQvsOJM*RN0sUE`|1xd^nH zt*#ALD-Mjc4h$DDMELILvg8fc&75jlwEBlhSufQpc2uzgvyTpONC-!XxAaRV)YetX ztDW&cv?kHmT{cSYL~|0rr8W%pupz2hhO21p3TtKLtG+E>G65M+;gE;G97eK-D9TX5r&_F3ffyzz5~; z4_K%m(NrhQzJ2QVdi`k;oZz>trH?82ai3T4;;gH+El;_o9zjM>(USEErCdDO+gN5k zGjtIlM!Uh?-pA8TmZLvSfD3|zPuzH!JVu~(2fx1d7)ItMubR%=llRWiOPr2Yu?YQl z{?Xu@Q!58cGodyK#Gl@4Xo8`?4n2szPd6$6PC%^2mEm;>2f6@c;D>8Sg7uzBBuY3o z4r>@H9%m@6f3O1Le8tNs{Qh{$11P(iByW7-|4+EZZ`in>FI7>QE!3GNKHlniDW6M}s zqe0pp$sRxjdjK1v7A-y$BM)fx8g68qzG{0HBW$1}=W_4%*yX$lll!qR zQVhx4!4=T}D4N}uwoyr+1hl@2^{L_F2hSNfG?O5JY5$+YBM;0{H@=GO*{qMIu9*|v5ATfcLiB1H)ekMn9@4n znL+w;gb=2$ck#O?Ve5L{aL!p1?4MCQpn_dMaUNZO_n)dtJWiO|<9VH}g{govHfRHP z`LSn2p(XnAJ%r?@Rkq_Vw8bR6{M|`5xNdnO0-|M0clANoj^zsgjQcdshK3FLQx7va zP{9^|_BM!)2P)W__{1*7_1Yx>X!%7zahoGX)>p8~p{5S%5z?l~Kr%jj-Ll{n{Tn2(?ZUpc&&dG>;;Ntpn_eN@Q;FRJ_Z;*mYaKB28ZiMtZ|EM4aahVjJVif z3AO4{09hd;y9*wTh;x80)_64Sa^$tDK~ z4)2v8!DI1z;yZa_F%vbpQm38N)=x9`ETokdzCLLd_IJ=$-LR5V$$DgbuXfP@XlM1c zp1hDXvo;|7AW1m4u1Cv-?*0S@PkmYhWS;dWwuZ?-)7*?`PBXggzQfTx&WS;+V!~Z1m zi6y|sDs*z{iT%t)owaln2;Zya4k9WEquPD*KkiZyJCa`#&||$D zQgCByP$8a+kLfMZwXIA;|1}uC`OA^eR{-u4Z=j4fKL{m@PZ>kuUC7fDrJC7i@V5Ys z1*TkUg{}T6SUOJLKC!u*Q7}XGho!haoNB%`y~Y>GKTN$Cq_$k1s?%9K zbNA<>TxeDRAHKr*$rnV{YpR=J+{+3&dh`!pGrbL0TQ|crkE5Fb*fQa~U3Zs1*7sQj z06A)TN0}pL8L0bIDI?ilk)M14j$0`WdRKhWv~CSvZWeuns^Lw$+rPc5UW7arD#9PE0*4;&V*UW!HC-ki`-aeY!E@vFg zl;x>4@Lv{4P9kgBIDi7QnQ4cx*y$YrY}2m&BTnTAFX?|DeJ}|Se9gQffW0KT9Et2(RQ!0wVL2^flO($s95840mrqybpQkOoS0xv0 zb;p@tEb^cB|A?2fu3Mrn;Z=ylQude+?R!tBfl@+%yVXNbnCPXekk(ezl5&4s7TQ`& zgH2S3%PYKF-G%cyx>5+JIb%%Ha-sA)8(cte*>x~wzc6Hve)@{mJ?%Wkr}_tiZ%=t) zw^m+pkK9L`)z%>1Y@Y6=BA&3kQhA94)D*?d5nr&N84ae5bd_^^gVnnS?|Iu$9Xq2J zfedR;Xl5gszf+`EJX+994L6AfCQM5r0`c42acNV(yVqbjQW5WSF%dz`2$JMl`3wjMvM9mL zBGHAiSs^1lSX>^AuZtkf;9OZP$OSY3I7cws?27RA?mvgp+v=B39v@u^}} zWKd>;?oax|4P$)@Im))!i~7=U0X9mVNkc&@NuaXX3(ENw5Y{c5bb@P@G9+U>()nk* zzpbm)#ui{Acdn}=iBQKn^Zg@yTNt|mze_2j*<2u07^=Rk#dEPcJsP^>xvhht6&@{=+kDC$!>>LE0!oAd%#lX%a%#yt=V0 z9a;&}aEkM)@sT6W8=>4&UX;g*ICW|pD(pJn{PLHAA4%}+4qN(yB7n`CHONYeoCj7V zaK{3Yy#9OO;?P2XC{gf)^Wkz+$k|KGUgJ$L8PDqEP!*XjS)ESRF+y-yf{r!>z7`^f zU32rr0#2m6)jm7osR=729}_OStH(DAGE!Z#-mk>4tIW`ClEi1t(@wILeuKXaWr8I? zh|0NMeVJ>$cAM_gg*T*N(|c)+etR3lpYa#&t24diqW2})G4$o#CfTugQQ+rgHmI`0 zD>mJ|M!sQQ;_z!D=$re!_p!iF$_nf6rJ+p%L6ZqP)1q@q!Vf@U|#M&$&S)wQv z_#@?!Y>&Ko_*%R_OLkb}-|W!%ao;5ZF4eAAF4fCj-`=&#=ol&-PGr^Zk!8q!Ql^~2 zqwB8aC2+Rut2KkO1{d(OZ$nag?5O2A#I(5)tS$1!g3~ug;hETBzf`;WAQ{I&-r4YU z_Hx>U)VJp-900^=c{ZPI-`m`PBBP1#CLF=oXA}4B=8k&?f<|E|KNhZT!D>|nf-sb0?YsA3V$oF|39uU{y$CETM*5ExI&zOs!Jn~E8zd- z3j28MkusodDetf7n<_>kYLn4$9@xs`^g@DhsFIQ@BKJ4Q6F%JU`|ZHMP@m)Z_1hwU z&c{8%;V0Mo^;?Q#6#cc%iaWfq8|7i*AVN!5`yA<=LvYvP!h}C?yR~A4#gu!Ul$ZF) zN9gql?YSQ(=s^yh!^#4-+0WgNQj@!fUP3bqh<2HZx-$ye9^V_>E(VVm`7?zqg}p57 za;D7qh$mguq;d?=iVwYIgw|X{l~hiGHyDqCLCYA$fM5YswMR=ocSK3M$d9Szve=8( z*?9S`g*mhyOxjkOt9KI!7F;kf6uvP1wf@pDpAFxpW{i+KS|40{05eOEj+zRm~LYD^k3@nQzD=r> z^8C7fjC?Q_NfN_mh{A2oBJg84Hy>j8iu4QpP!deR+G200gO7qi7-YWB5*M4eE~F0w z{XQOLW~~gPm>&em6KsOvG1A$CD^8!0L)wic{qnmp?joZ@q+B4!y|E*2k;}8xhTJ| zGe^Ztu=GIDqxNcn4@-<25nEgIgxP>(wWAe-gP4NPvolYDPT=>J_M(ey8Fwh_pk+FM z$R)trX;74mP57Bb<@Y7BJa;3`w|IP?gc8t0IbxWkwgh7aMQ+c#?Ky9Q-0g-l!(kYk zXWL>S`^yy^T^gn|q%&80)K8yx*Fe6h`;kn8Bvj_`%SmnQQH60g-_hpQu0g^{AQOUM zrM`XnFRnz4DO~fn>N@&w)m7U-IqDQT1Y7%C3<5EG zyH955B;wzyYtt=CY^oIp5(}{Ex{7Et1gyFa+)VkJ@J~^%n&{9k{YLS_jcm_K9h zHo}XE6U8ocMeFc0!ZHzW?acqB@ProZ8B3G)r9sU!nb~)mSvdoIL@B0o}M61pd8|^3|4(u25%b6g6;}USX?eGQf_#-A(9Sw5DZmw*nF5(>V_ z1UXRDYw!D;4+A#%h(Kr2*4wus7P(ll%{#8@J@l}jF*pmD?b}S%SNQRYOxC7(>$pWrw^gm=_py#)lOb{us>*_vFPSlDDo-DrVJz$f~ z;Q(+0aPx~RI!-R7<~E=~#+rq*2pWBq!0WrmG8?hsuEmK8scX4nwYGSq{Tk*Ekn{h} zw&ab8U8HLmmcKDvLTR4DSw|&h^zX%^|8B~>gUKwyM(nmtQ2sU_p*}P5a3gb%R^o4( zi7cuMLzu( z7{A|gH6tk4?O#w4(0>zZ3L1D!3%XluI2&#xnu<2fz-3f6j$ z)`%~1)J^A~uq)a>Vb?ok*H-UbCm(pg?0BH{T{ zn{enPSy^G@qXUJF{Df=Ys}d=+EGa%j(l+9R!5Sc0P_(biPU=x0N}q|CTAkkNF6V-J zgx17USIB@U(d?GUb}VyFF#{K06b78aa@NE2p%IZvfMNdD`J99!P`LTxW3%*SZ;+o35lTMgau_mf zj8rg+Qrf!a)8yuqAvxa>RHBeq``?-@_eVxaj|s_W%{IsZ+_rINQ+PY)Yk^mKNoUyV z#S0e8PPqos@f1lb-&w}#rGVqa!~PCUN3gy3_QHA@H(`}od0w9fZfrk2IHMQ^#7z?VdGrQ9o1kAGR?>OrEJ9mA?@z9okDV- z524sM%o|ljMt=XsdSi(r)%%MU{%N~f)ARcVYy#V^z(M$*wrhK=X`o`FmE%M^Nl}8R zt3=Rl2{mmy?D|^AS>ZEk7T7ccne_HB%qB@3=U&;pQZ2si9NvF{y|n$YqB=!+)h3)r zAl5q^>a(h9J76y=I)g6`4D9&)# zapT&jVpM*3%Nzxt-)N?s;$!hQS9M6oq&6t8O8r{cJ@@_INTTTcr$3&phIU9yb*qHM z79A_BF#_Jh!=5yVgfuF!AxdZ3g07`2t6|J=(sV=sVT^F%FBQV)2Tbrkk2 zcp?jpSpZC^Mal4rJ!^T>c#bve#?IW9d+n{<^V8!+Fd_fU1z0fvwvFNYaN)%BTrjgV z3tu@owsf%*O-d-ZBAi=jxy_n18iyUsfh8cp;TJdIQU|hy(rrsb$;*lh=sZRfEY?nx zqzT+}%-3Z!lDZ1kj2YZdO?Ym^Ab4@&jMLcB80O^6VZ3obKpsQly&D=cmf1)pDzDH7C)tj*kaWe7CyzItgN zsZ+8@rg$-OJ)p5yWYB>x0?=yYnmbuVQ)kZb=d(d>EjLt;ouYo5_mU>_PF&JN+T&*7 zZ>*;~2f!KNp0me#uq>jR_4)k*d;ZoBeq{qDn;@LQxbj9y0YxufSWP#>aq=%+;Jw5q zvj)oBr07>=g6qLA@V{&kU_9IeovU*Sk+1sO0FDZ>##9+ob}g zP~LBRNsQgVaIH$~)ru{E-5_A!wRPv@BV#T1$KMXnardT|353SM#tnuOji>Z%&K)r8`scZ?AcUHM3g;El= z>6We=;?QpZOqJwb)Dww8@dK?M=5BqDsXQbp0IIBe88tQ;U-;Ou0fR%I9; zu3E}SeFKAQvGAKvSg(~&`VU^n_#1f50pf+spWW^(mt{6l`_qjEaB5#m{9Gb1|Kf!z zmTO=C-C}1)^duqCBy8(#1h%!W6QB;)nh{w%(T8R7c=JuCGcf$W?26H4;em94Kd^N6 z+OF~>eXgE+x};w`BqbHi$^q=(zAJ92PZO~3nvZaFFhQPP;ZgRt?`r*ug*0u|>z*@p z{)P*#jnLTd>@QP~!Q2ySrgUD}BTbawQm2ikpFM z9}J0$4qS`oI)VmB^$JL@tB+|_u1*mb}t+p<=q5y`%aanr!m^q7viY7yyC*; z5VSg85Y0=0Y=MNGYMeFeVxnZJ^+DLv2)W@N#37H*y6C0B%U!@J z!btCI)}+jqO?lnAsC8Aq`lvOp7f9-}bzlLHWMMN`sm1%EX;^5B@GdCpXu(ISCd=yp zPGH~F7z5aMef<6=1mMo4%s$hG*xDbNhPS7eYIA4+4u>0bAdz+8MLM6LdoA;ZXrM9l zb#6?bu#E%giaL7*6jm1X=EJmE&g}xq@ zKS<8sY%4tjM1&f9$i^~+4ruo^V$(YF{JTQ6Z;PWdYXdjPJps}MyuWlI`Y&C8h`8u5 zM_ld%(gjo$_x^2(_J0GfJEVm49zeR_cB*$Y(Qb7)!gM3>y7;O=*GUYt`^?=I9}I=q z6J_K?*@vFC?@QjLbC6p4#fRsjv$CR*eox4dW)1R-Xl1VM5EXMOny0UVxwZA?t{##6 zR$b)oj>^OHjFVw&8rSos1MAZId8tk}rTXT1f1aY;BX4TqOZdLOIr(|To4NX&^5gT) z7_kv!I)A&wSB%SWvD4suuD&DbY4@+PU2L!o`G%ce@;QH+N2oIh zY`Y4y^04%c*y`E*ZM!~C@G*U0({^nUg7=W@jS9Jf9!HeSqQ8zh25~7>{e$zP zI+0h*!_MCB%U&!*$UbW)kqG|o$5R*&&*{FG#>=1eXYKT(xo=%t~I!ii&@u4YR^u;(J$bGlsA4YzbG*D+B5Fm~9vZ6vQ zqr8phc^;7?=sY{(PpxF0eL~-qz(}H)Yk`*WMc|#vVxnfz;(Pq^mTvy=#Q>5n7eeGG zGaRi)h;Hvg>ep*}uXJ3qEZa~eFQ#BuIPP&XS+Pb&mV&q&+m%DR7!5P8@5H{laB?og zl9&breF9)^h|#F0B~KM9X~v{j?MEz1l2|jY5!6rFY!}v``wbWi4wQm-v9jyFsbbh+ z6wtg`!B8nu8~BN%K{;H*D?dfs?2)4?YOox3a$fw*JG2-kQu+V1FY_|k3!4UG z<(Yp&%erd}1=YrJoca9}x2Kc1P-z>N`hD00k@amn<#)IIIWo)z5A&len^U|~oE3I_ z)>~}`t3T&B_9xxEjtL1y)vWH#r2JYwoAy$zHZ0ZyGVz`6kmoNha%0VIQmNS0lQ&Ou z>&*77A<6|&M}**w^!w*cCi!_$f(#UlRaM)kXMbkk#-{5@Vh@D;PthuTGo`582Cxh( zS+d@fcgZkMMx|7z>f>vB#N69BZcwsP_QSS09HM?+r)26@a|W~Uir!kZjW1`DXUh6q z4;n7VX&F(gvG}s_`t_82)AM4p9G?rvF4!BWwDKK!;}{KeGrct_h%@!)Dt_ag%y!72 zG2q`bs636CMX;wZjo`X5eLQ(jh<3$kJq%Oh$@F2M@AORt9xNsTk6$?Sy`dA?iMxve z8TSR)lF<)0%x}rPo9VRaJ+sk!xR-L&Ia8ZKe#KB|Dy~oKPjDaKc&MzK_lwX!qz3F~9k*~W=`f)p~=j21#0!Xj3-|Om-RXubU z6foBA32{usWYrB;?!wfqW^@k6z_^6@JlrE815ana4q3CllGpKr6`b7+#76QLSP$es zU}G;JOg=&1{`m9+-fJ9krrhnicJcq5u&X0Edj);v?>0$!P%h!7x>Ff)a@zwD?&w0> zhx)VG=qF!+4f+)~r#|x_|DGWc85JG3VDAx%P;tla1`Ag8fZ($E%ySl2!PV`nrGB_K zROS;LTN7-}_zWdUIci>Wj41K%kY>-~doRBkQSWs%Nb21d2A+1y6V=GAGFaGO&>pGfu++E>58kCL zC0YINhb~y*&U=T1gf#_@j$-E0m$f>7ni+`LEv3;?3qWW0=P_z!br9cpCgvtQsp6w( z*D#mfXtSFqxG|#Bd|wLAkciC^RO{sHEC?yR+BWgjmEZZ+cp~O+{yF&_I~H=J#*gw;LglfnRTu8;m!aVl(2Kvn(z2= zK)R&$C2x!b^$aJ>y4+3}##4<_ySBbxidI{$iOcGdFgn`GkL1lANX-pu=N4_ zCV>$hb*6PTIA3clgZ<9An5Dtj%FUoU5_0(~{~jcNRT3u}X_3_6_|l41AD|B0Z{|S_ z;uu2wWEqlRm3RBo2PQJ++q5kZ*lD7rtZcmH;WEVsiwjGo)Ae4JYXJ+!V%C4Vsu`!M zu%rxZuf+TDY465}Y{nBQZL)dfkWyJ(r-*{D+b4iWA17l~*d^8!kP@2e{G>~lF#fC- ziy}Tl3�JfG?;KJ^Rlxa-EI;{Du&ipAb)Xso3FK=Ls!d38kwCDJS5|(zdhcBV(3| zfrnzv%Ol;aW?@nmvX^YfKTj6XbN`$d=5i^ART zFNT+xNCv77@I-hDc9f4-U_gCG=I8^^@(yIz_T>^h^PI9yn2Xl17V-o(C0L@chlJwG zSk8to<$uaVr3BvIncaVlarb7*}6Q+_?UCCC&Wb_ zrs+xXxn_^%Ed^-c>^^v1AEV3YrEuqPdbsA5y*;3;%1vnDc}6De z(rkyR<+J?G)t2)am9X79RPaK}y znfC~CPv$g!1>@%5uv}cMa+fbzT%w%EPNEsI@)kx1Zyl~WURe$qn$8%Okv|T{3vRcv zG_?+P$IJ6INctFLLp`O&m0k5{}BH$biD|u$K1B$bn)Ol&+f2r z?tO1LiEDJ&IMHhVU8C&9)kU{7s~v+ut?9B+&0RD| zdolLv7sYeZ(>oeBlOav~`}42jJ=hu^!=-^d25p59dEeRMbWfWe&qXPyD)g=&^E@&y z*}^Z{L$k$(#pKlrg617w)K+IxT+^s|5Cu(dEqQ?gZu0Ff! zgz@K?{sP*hR=V>{(&h?srdao!&HN zG0nIyn5~_&43X>VPf7h`(e7A02v7<^c-=ec`EbtM^aOA94f3%8u;Iwp7!i0+x+*`x z;(>puK$}}sh5L1~w?`^%5K+8)I@|?`7MUbmct;iQEL_c2=RLrAAUv|kpEUuKj&Gk} zWGVCFc4QMdbD-c{N8)zPoL^qrU~%du1=V;K95H6RYNg46b^eIufcl~*0jrZ<1?*Ms z`yNIW*RaV}=JWs|H~|!Ce;a|d0rYkUw;-@K1RaNd{4g_s`a8Y4N4!L+#Zk*0dwufi zf_WBmNl(p@I-MX2b_0uJ(^Xh3yjw>cw48TYqJ704Dd_XWdusn{c8 zY>!8$o6$@gd*1;(2fV0@O`WVfzJgSSk*x!(zhC)syV@`t@+RzbTsb+RX_&{`QtK3gh(Zwi#RH> z6z?e@bt^T;vgj1L8NLj3_DfUJ3YCh_R*mskjlt`8ppKG2D%_5W7J3%7o$onKuys(k z>3(Damkw2atAj2eNBgG!zM;ii2HQ^{qfBcpGwbr%F&=J}VO^DedL3tR7md+IotgW%`f*68jm|KY!3zZ9YCEFF)RNYxBk!QC>tB=|Hp@8`=8wU zBVYUfgIilux7e;vR3y~_QI3h-0O3GRGVwdf(*6#Nj{kW;kOZY`{c_*qhVI@h#>wy# z16{SGA~mYyXO$XtwPV77&D+V*#DO6|hT~qqoA7?zIoj}ce#@M>nDFLZc)*y*|8pRp zFkmO^`ttjJL|22 z!fzme4Ttxy4fg@9r&{R=Oq@*+@{JMDTZR&2oyW$JMxGo zp34K5K}JwEyGxT{3!jm3S z^=ZTPIsaz;ms&608ZrT>^-AvfP05QkIcU7~Kh$~+K&@T-iYA$jm3U&3dnsftISjw0{eMN@YS<^0tV2m#9sm3YM7WGm;0wO@pFj1;EyUIir-6*Rh0Q_P6}Uke&4a9WH&L z0BIBsaR)8}UFQc61}a;YWv9IAiqDK1JrNpq|C)jjaRPfoVCMYIK@*r!Ij}?-7?~!Y zcgBYg_tUv{y1}R44xgDIH1Knbv~d&`{9dUU5^DQ%jC5F}4lxNe=*i++dk~f?0=WJU zAo`93^$DcGBI<_T60C`@@GJ=lth^DcwXZkAXRtwCvFtV+8$h8$K`;U!{y(eXM8Wx@ z)vZPm;7sm7+N!PkZ~P3okQV(ug*eW)n6g|f(>&jB)p=~21U<*RgKuWg$v^Z4A%@aE zgg7fZaC*1-n8TjhzY-wpebg)R6(IVL9N@mVDqQ!2uY>}_XVEe-!&^n)J*$J5Wa;aJ z#%C&^L+@+4y#V0WQ3~YsAQ%8{ zom}E+xF<|7h903E25UH>$Xa#d8+z7RaGP03s|YaS0`ESIxIKUohX*j?7#Dw|WBJdC z790u}4u**qRC4@L67Jl~Bhb9x0A(kXXEKQThCsBa|HJaS2oohCR>-@r|k<+v0gw+iYZ(C5oaJ47K+m|BO1t2Z-lut>oNxPBUBru{AY<1dGpUHB*f zT#Jpu15_UuVzfoa_(yJM_3PXrfD*@y0BNo7yuouq`89Pt^%Uz(v+RF3aWOFt$;K)ok+7Izj@y7m(z8z|E|$%pQ8RnV zCLNKPiTDaYuC?M4sLKKKpwZ=$QpHX}GdTZ{>%5HP-nil^d1X{(5o?^jy&-uxz^<02 zLk!yV((-?#xO{*VcLk8*#wD}$5M>Go{;IrlYmITpMunJ0HQ%KFGNE%yL2TDt@&u;A zV-DzRnXEj-S)OK04f25poYd|t!pY9(3xmRNE}dp1e`Y3s-c3loiKwAvCMSxo_?jc# z#}H-$<0F{$=c}-*pg*e5W>nrc*HxIDW8 zz>15RJHv+!EY1_!6?HaADdpq6g;&mOAth5%VS$U!4i|C_mz@Wfjw(@_%HRE} zP|a5D0z1Y$fJ(Xm0E20g!m;j1Zd_R0F3J#FoP;Ag&}K7VSfnr{c*xD1BUNl1c!X7H zo9B6O3+DYUhNgW9MICJc8gc!-Ip_>(bvIU@XmTUQhUm&Wg2o8lws^AWpYQ6`FlHj6 zl$;0n+J6t&pM*tjO*v9j>a7VJtQ4-T=Z5^o$wWm6CCy5|(Oi?r?AgFo^T$(E>5O`{ z7?pGX*v9)g9kA~xn0SLW1iwbO{%OTsmD@W0{IjnOL4_70JTwcQZR)A;lrymumOHTt zy^Wh8MlJ-mA~z<)?nE`?a6P-G|nBtY~E8^sCHO`b+w zi|4L~(gqR0u46vgwIru79)MkQNh0$yTP)cD*tI)=U8j&ceb}2hv31eo^Q_bRp|LPV zit@xjXN{;twk7~}z0W>#7#_bK35l?I+;9vpa8-e1)jDIQAUuq=^6PFknlv)6(qsED ze%8ojWkk-T3jm*+(=Kv%XVKMJ1We&~F}J8C>p2eU4P?nvw+K-)0AAcbH(_Kd9bn54 zPM;AygZfGaCt098g%0)XN_35Ir%3h%6S|ydChbUx^|<)hX@`^0WS^IjHT9(YF~am% zw$e%yGvBsNclJR>zPW1Jwr%r`VNxz$8%H61rPwTE4z3*(H=aZCNz^G=A8%izrXv#| z#x;4&+pH0rBV?FgOcQgS&DLub-??xRh_gt<;o2}1!a2aSDxk4bjiri+=A7m9tmA1* z5=uw{#5iJA=2WSDYjT>K#hYa3Nw7`MYy}U0w2Nlc?AV2vzB#}!X=HG8+~@YI(lnu6 z5*KrdK74)4sFiU9O~tv4qeD%8_rKSuD5vJif5B^Y0KAT5)A)ebNr3;6t;pG3dyJ|E zLl5Z3J%h6zJPk_hIr>l2uyp*zpNt$?0{S^dimp4dvA(m{8xj4oxhLH?&~B zud!GV3*QF`QN05S)ZZg?BjsQHwwcVl zM#@8stTK%p7X-Kj>CKOfMi#q#AHJox2#3kff2whipY%FyQUu8zK(D942>^$s5Rbod zsNouiI;RNMEOFGzp<9jQt2W)!Kzl5ZC#x(RQHMIPMX1W8O5zv0q*N8($fK@7+ez0Lp7>qxqP={3mA*H;(+UI4wOQ7fuZA^(?Nw{9O_M@RzRP3l>*Yhumz zD(x!y9NSKV4~d%A*lx>pXjjig)WM=#*h=-{3HwA6e?7im6xL&DBTU7ImpjS@7uRjN zZ-XjP(Eg&T7oPabyfm^)61L)+sOxVplt5Il=MhxSDpw1{`2Cxl4`qKNR1o&?elKiSr@gmLOp4$lIP z&vjClLEiIp2T`i>u0jC3j_>fLzm+$Xz_C!_Kotf$&N+3KQbt)a{keEPS&#l8s5=#M z#0hvc&~B?t4I~;BLl-P9p|*q$v6u`hLo){*M|zg5MjT4oYks_-P8%PQ(?PeOVU}|p zRSnHYqx!>G)WEaA*J-xXoI)OKi$k$dwA@SB3Kb-jl!m6z-gJ9#H&+SR0BT(9fI@}a zf`VrgZT{tVXlJvj-OiMeN1-H6T!e*^0tud$uMrwArJu9W?pEtf8jMMQ#a-m$%4EM@sOK#dCrsBv-ssBv5$YFxHG_Jzvm5DR0D-^*Ygfh81?&RUmH zthDXA_z2mQr|1A7g$Mpo*(q)KB6{K7B+V;Ivs5N!1Xnh#^TDBvqT3ZF?m0dar$;45W%9@or$d(=ZSD?I{Q%}a@EYqMcpWn}1qjoQ z3}U9Yi;EUQjOlnnH^j{x*~MVT@2AN+8!MG*GZWwfG%Utgd)NDU$3huysAUbHWcf_i z@1DzmanfdyYT7$fra89M;`0xFoyF>~HmPR@fY+-yhvxuzEk8D6r(h)77vHlc>>Nti zJWSn^N()i*xBN7R-|~S6@<)gj1oIgAa{|z^-H}OfBYM6z=kkA^n*V{-s8mYMnIlbylA$dbv!wvo%X_Ffrj;R!WpA28W?EhKQiJrl6 zXbX5hO?+*j5Qq{=yz$&UcW|6=^@yj;3q!BxA1InF53pM*A87 ztMzbN_EJ9LA|OjNPKVbVlJb8PDtDr7mB`;<_hj7j7-mR=xfCvp(V0<%CPzJIS7LYaJ(K12;BwyhMjuAaW`lj^QNyD z{Fx&g#*VBo2ixFm>*f<(Ylb(Z72|PX;}TP+CrdU*dP6rf*7u3X+UHEy)=yU2RXn_@uFpX>+McPd#MHh7f4LC!aP#5ZI^y$sPMmqRF5Ix*)kcRzbJ~T2Ix#*4 zTKR`vE0~w@;LuypSk(seCFQ!@n|cgS(j67~JjDrRrJ;^VXF=hCbt2iHxz0Lx>mptk^c5n>%=#*Z*OQi4P$)e*9Rh^ zki0@Hn7IVNNVI3m;RMM%^1+^i;pLi?nQ5>~wN@7q1fvy&|#RE62Ms!fL_hvSG`CU{ISGnNUqt zY)yAYgPM{4Q3=PRy@V;Wg1w_v=P|49hEe69SvLJr$iMz|1GfsZ%Q4THf^+bS;^dpv z7mR}QYf-^{a$vp*3rJtEh_9&Vh%+e#3)Ck}E20Fx9taaHW+70`Yk%`^(*=o!4KG04 za8WQz2NJX2LEgK1@Ck#GgS{K4#CZ^^)V#KX;t2GEX&zPg|IZwiRaB$ z!!&WwAMG2$&N+t^5T)L-GAVbMLa>O;TKjz_KzOC1 zL70At4%`sv$!|hXb}@z^5QN1ijb+%iz2tSt4Rq6?2%Cx{-Pvq6Hcp0p(H4dirXYY# z9)2=PMeEeaZaPmc9k+XqZdI@oY|6ky+v`xe(Q;<&5_SyjR@znX&pvyop+3yVJKls>t-u8_uYvL;n3a`dB6dr z7|r537|ABx6H%j@s}hw}(bJ+^J;L5GPQQ)JbLf~CoZrM;w!~WBXA*Qfypo^cgS$08 z>D>TzGpn2T)89v0KT}2Zd*h#CYs@&)$yKLmrmIYf370^*Q|Pqkxbb*}oa?K(St~MZ z=4StD7spphXsj6*Tgqlc7K&m{7=4 zj8}~vgZ7k5*s{Mtm?o|R7D2X2P=1pxpdo|S= zEx1(b?hp8h)y=LC9Z8Y4Nk6x(tKPAOjSd8B9cQ4ECu-f)VjQXdpzteCOnnO9uDOOZ zipE{f604)wY=fEc@@BJ326TDkP%Ru2@2u=`G;Kmvq}%w;*|_^SP$7nw2xi_lG@*AI_drfjOR0?@LO* zR@6}B;{;#bQl7GMVh=8$#a!i?#L_;D z?^BViY+1=j!m)ac6#0!qcL>OSb5x(>Wxn{`Jw~!R1{FHe#fNi1!cwRYg8>CzkkbAA zues+E^+RgBHT8&?mvJD@Lq?Eo?fkw|!pxh*>P?y-Vnb<4hq6!;l*OwT2;cYR?>%&q z(&Zz9L>l-AbCtAvos&v%5=2PLhj7o$*0pf;{O+RWL8PfF+O+6*a3f9-oNe2f4}mA4 z+br4r6>d%Wn8XS2)2m&*V`-;h;f~?3kL6DV$0Og-<+h!khcH%bz~RY)4B$53Z0`JG zk>^~WxHG@@a}D%lLk1i52x%`njaw1z*OmabuBvF5Ln?x0(8UGJXKHw^8)s6k%Sr<% z&Lhya+vKyxr2-yhheU%`lwzcW*4;eK71EoGNVM#|<|e5_tAo|a;Rvi$EknOhv^GY- z5^T@ZN{g~o0+XO|%cB~N)EWFD!e~YaWjG)h2@CHVUG-#xNmwu#P-Sc^7prie3G4$) zyGf4mFTuv8Nt9lt_SvnEO2`E}PvAg9kl|`23O=-tJ)a=5CgZa(dZHQq76@Qdc(m_O zQO?e&`Q4+Dm1`u@4DoiV^Hm{2vIb)Fm*p*kKfl413)D+V{XPu0CLSL!{mY6TN3%5L zmYAqMkpO5q*Vp@Z*_$p{_tK8@M-nGK*N1I@Z-h@>&>a5_CfC9)&{af91(A`P+?F>s zVzWEMV-Tw8NwojLwI#V3NBL(bToyHXIEJk~(+I7Q-xzG9tgXTx81tQVX4J{8%dtCw zA!2+d0>>c>Y;>SjRk6QT4qh{nb&VVc$NLf7^vc7?P&DG4ja>O$3Fba1i#p;V_rY*n zm+8CRB(kF%%bD4sE;yJ2ESG`>MCBIjT9#oCN1kolrRzj{iZ(MpmCkH8Ltp1>US$MK zJKp_lDNfv*_d`-Ji9`k&Zv}9#+Bf00-m~mcDC$q#fwLP{JUxa}`cQo0N7a=f-Y$vpUexYe z!8k6UvLdOfE`XK{?wfc;huNR}ja{_4CPSTL>m7^;%LAI75P4`Zgo*@co6=+~=Qmlc zJ4?RwEl|QagE#*uOQB?Vy^DI^pvK%ty78`&FnOxy|K9~C?zOS#lm4>gZ9eHAhIC9y? z-j92AY72_hnS_Iixx2xP;xpayB=TAYbk$JOc@O;2JGGJQ$PMIZ*_qKFuXNt_LbqEZ zqh)1SYRQ1;w1;8S(K_!kBz2k=q$O8$93M00NRdrb6xZyx2=z`dTr<4#7`|!e*xLBA z{?L9#dqI!!Fsvu?A||?90)sFM!xb>dXWPl(IpIF*to`hV)))JBncWoQ(E6t!JHTKO1dS+>J5f{Jlqny(l-j9g+J2zwh@rS`qZ*16G`+uzQ>vzP{WKc#!vK zDm_?ZObLj*m}~w;UF+2jtMHF?Y@QE@r^v>4+vbZx+B8bnAz3nbE46M`oB`_3il{mj zYPk?fbe**QWzjcvs2jUu3cYiL*by=1imU(Cwl#8BobqfKsK=p<|#*ZnK(wy^9L@y zWMWDJtoC@K_6>Bb_r7k4Q-shnMA55|(NhN7UUUOe{ z7EZ%SNw@Sz-R}jzd1QxXiVcM|pKd&7^12rNPHQT@g&6($(?dMeO4^*8KO`;Tiel?P z?C;m@q+Wbz0oxKNcrIUuzmFgXWLqNcl8RsXGCK=lxcgWy=Rw&xiJD1pd(K3Onyz6y zkVWLsPAxzexiVFfd>-`r+%EM*_TT_6(f=(Z8nfn?l~2in;FMNS5E9!LP$TN zH2f!OBgOt~%f8x{PJdwwP8MS3ttNbQqg3#V%h46*L7^20RFy;xZBi_jZ|YZI{=H>l z5RBez_|SD+T1M1}G=y-tb~WUn<($9DP=BO2fcLFSf`;#e53o+%LIm`-J^$zB=!_qb zF?AOLTIMbJ4S!lR2@yDqIVT9ScZ~XOTQ2FH;xGP!4SOl)I>i@pOzHM|^A{Mu{EhA) z>if_Cjq3hqYm|+Jnd!f5WJdb`L3J5F!l(alsw-nn!eiBbUvYQ?yc5?>s;k?XQ3bMF zKLoQ|IXDD3+j+w z7QnQ}-I+6%@dDl2#p$w~J-x14IImw^wSU*Lfa0jm)-%t2HcnpwhO=|w!Vvw`K`Sa`_xj*~l7D z>ktb%zegaEvxyoDY4K5}GxK*=eAQo6fgHK}(Za~NwXH&^W}x5cmE(?MyY4a zJ9DDB6U6`K$DiiONHtE<=>BfluIAq?%X%~d7ww$W=X6~3hitWQ2rCVflI=8{27-qH zi&)}7{G$*DIQQCtk;AEqkQeo3x6TLXq_tYKl98Z`i<7Pukiq0S=il%(EpG=YY|<6B zU`=<=3N)gzJ;&y=JczPKpw1OpFyfmEv}DRuwcrZjhZoh6l{UhB_+C9`We^Qd zsUvbhpdK_Aoq=A90{ugGnEaz~Y7S@A1e^pYoZiuY^PCJoupQwYJL%N&I`{8{D$Nwz zz4}eC6FEpLab`1L%;(yJ3G%B=&*p)Ja0*`*Uh7n*6@-8=Dgw8~U5{_yZjrQvP>kJY z4Smwd$36gJMl_9ZKdKv^(XV-I)^+gv@X02-bj%68k8A!sJ3jGXZ(0Zw&l)>}${Z>; zzjz(Lf+fz7dhC7^uLvCA<7>1Lfka76Z%3Gb27OFBOnPr{n$`B&x6?^?;B~vEHS9bP%zk<%0F1&^}U2E};&-X)##S+C5ZvcVQ z`_Tv}$rT&m&;s$V!uwIjUkV^Ngp7K+uqly){yT6A4S>0ey3cwhNlxjcVNYba1$o;0 zgJu-bfW#urM`H1Z%1E*dpNmjX3u;)+Usmh8eC=T9<( zkf|cNS$k)cpCf+;PJ8xbMQhQyXdpLGWdVUxa5%jiN@fczK;SgTl)Kk&uKVrEyNnR$f2JgmmPgjhL>qDu(0x-9D z-he--&Vwc=wg{4Rj*;|H@Ujaj8BSooiW32Wbin?0?D~OnnS`fRXa7aH%`>TEL{X-- zzlo}d$;@!|D%V9aRq~7Wf^%iYs}>=rhJIfciiAf!m=Nx}?y>o<6DTh|iZcn&OK$Ex z12|en9R!`hEGSZeD+OM_ft4PdC`Q?jt9igM7RT3SJ-ONArz(n zeN#W5qp<1(K;P6Zo2K++U__+ILw*(~CSmM@?pr@+g6kX&X~ z7MV|y8ztKh(w$4G>`3{@A9or-jW@%%CLt1RepZGOggh0e6Rhbi5zibfk9( z^!HHc z#gi*1{@)rg6wd$&+37<k=U8iP5Hdjr*d)tjfiNP@?$+O%q$=Hv1UP(-FJbz66 z0J+UsOCG_jna!wrF$)QEw=iL=mA!qeD;818WW_M@Vc$I}^% z5@#>5gs0j1ZV|Ec6BG{E6pluxBC9gje1#JljC?OqV9AGX28EiE8ak92$t@Ow7aOFn;^rjz2Iiku$XdkHhpiVTeZa5~H(CmRI%#Z8TLJ z@+x-oF-SiCWZ+R0m^O;-{M8`|_ZKMZ82%!JxGeS|6 zImXh2Jx$~#GZCrX#In9IM}f{``+$|moIYI%uMW)|H{MBsl@;HEU?ORCk#bPSEmDp= z6U%Yp@9wcs_pPMV%K;+W6G&*@ePwYp^6qC2KV5CguH33{x8mW?9Wa;g?MO!19guluAF}>O0MA3xL&CXSr$&Fy% zN?VhsFJJ*;2r>!1lt!@?entE%N-uh1sLD<$YV};T_+VZ_x-(%%%~>Olgg?uZcFY@c zp$j;clmQTz$7EO;#vy2*_nEl~n<36f=M&<7-pv4rI}d=kjwjSn^IU)d_jym(OFj^(y({8Ym}d_*`HZ5Ia93J@=)KX0-w#M_WW5I zZt(S%uU#8i9A&VUJf}?NJ{9ECYbdmxE<(gD2F3UDq3vuj{K+-X%tOU{=6nt!oaHDc z;+&PB+m9d30Ih;>JN6$1`Ot28B_L5)*m=NByJRZ6_EMwdzZK-e^N=jfPX*bT;~d6} zClV@HoT#DYBXD|Zgccuis4N2b_y7b>$Htl6W&nZHzJLJwlkW&l8OQ$>IJNo+oN{~y zPSpT`Q!?yApmpv;6h5^`N|{%lHB~Ha!{AQ4YO4E^a#lwt*#on!^~~K*1$q2aK|Tg3 z$f{Cy>1jnd|51>iFDLi%*e_}g6EWU|2MA4GFie%;ox|8!jqm7BA1Gm+Jqno51Ao283G8LGVT5oI1K^>PUl4+rU57TzuA8TPJ_>DCCCKa z=?KuVMvTm;R|>Ib@5JZ(sw@int(aI=jm#S1W+Sb*IH_0t@Q3<3ZP+B@f~+zU!WqAn zl;fV01$`Dyt6MOy^%B+J8W< z*$2pN0)Sk;;fk;JaXABkFC7LuXU^b!N!3eO8s{J`X9YNd50JYiPx}FKudY4<+zH!K zfB-jHc?&6jZB8hT3K#67V_cR>?#}_@&(FhQE-wRy8q&lMkgMu|BGkFhfJJ3Ai%Q+> zK0{Fb8iYJqkTeNaNNij6339RNpj?;EY_s;}+a~>80U+0KHxvMJ)o8tle;_eV+W{P8 z0rWWO_OSEcS3L&`1Bnd8cHs>%#kde$xWpF!fZUK;0LYbT-v@-_Ex+!b!N*$F#4f4` zZGf@`-))5(RM%PF0y_{s%s`8I+xcc}S5&mWIY~a0GSPI#z1?LVc)KASc)guPc|WuV z9zgO5Dlqc8VPy8)c}h(XdT%gtQ%t-*tN5Bdl<;|nzl34@IlW~~yUvx{K|RD!xXr3saYH%!+e;qQ-|$pkc&g8r_)s5j zi0prl0-o65P?YSxH8-)=@g9l?gK&s8AvSjweC6cgHs0!@?+f0%mIv0q{~@^%k$&%I z{jg1wqOXGh4cX*}Ld_(Aiy)eeaKjqq!!+$_x5o zZJQiQx0Flz#Ku7^?>lOZe+=o_BJRz#$iL6W4=rTvJF-0ue+nIlol_a3$8{Ev zg*@EZwJ>%6ij1>!Eu1;NJp=cw8T*8xm2L6(L$0mc2CWy8KF0wswq>1p$x;gT0x&f$>UuH|OjnA;bjUi+9#2Zr}3_rP?ve=om<5 zu$vc4M;7y8z5#yM1w+b@a&lc%m!Jw-F zsMsdQ9FcRwb%A?TIWuz}UFOgTI_1a+ zwZ;hlwbCT@F>NnSur45M*fu7dqV_TI3Wc2H+}SW2f|Gr|`bqMpl3s>x1B5_d0C%N7PuFe)NOcMzH(A)g&el#`#!!kMs`I?50!AAL%JHtPXe?Zxy4F`PFDN;-ql3|^Im-mteu+a<@I9H zy8P^KV&*2(1EPfjS*;6+Pa(*Hv5k==yw}RvjSQozwV+wA64baF&Hf%2qnRv2)JpA0 zPVi-B0eaH9&n)RXnk2T9Bk_rqMPYT`&hsyHE682djDXm6&)$3lr(tCa1$h z$zwIF{rG$aJsq1wtd}(iPJr{t4RpP~vQ=O67^-*eOX$$4_S4h*0vOVk| zT2ato?WJnqTC+-aX0g5{E}{udDDcpYywpX%bcy(l7KtCD;Z?doU977jekd^NaL+E+ zmV9}!azX?ns_5N%4BeuVPZC`;#&`A;Opn(VUP6|hPK^qpN(43QNPOEBNbFa2?4b%U zc!-Sab^N`249*5Xalb{}X6oKLJLqj&Q%${0I-6f?e}o2jYhKBR>S8u4^e1fRZtTr( zGGCYT#%;C|cl*2Wy~p}n7?NY5N|g6%hBfgIXxwZFOFhk_Yd9Xml38%sEm{Ck^SYN6r^A)xc_xE{C!V+_|LtgqI*_9B!lzz+7 zPY=Bn!Tw-=U)e%O=Bu%Q#l#mjlwp`6~A<+$L><=*I%JEB=-#bpS zUc)n^TdPANoXAl39K*7atsn$r>_^9BOuStfVV%R$T*tWIVCEHTJf33HgR5co3 z%Go=qa~y}HeK1R#I0E_pmAeN5r%1XUv`*ClH8Pba;~8tO(jxsCVhhcM8{h0VfG^=2 zyoF|bD+9PW+%+n*6YE(mN=H>VB5E|~&N+^6*VkucOXgy{vbi@b-YP^QMDP!Lh$bgC zI>MTYwdM94Vsg6Rh5@~?MnRkg&1Dd*PsTHMiwJg!7ry%tjBPEsNh{+I&eZecuJ*Er zS{h$bz&xsZ#wd#U+{GYExzyNd{7RAsg`4|o>xu`%>EueV#pTwE)R)nW5Ee)ctIH&{ zu=6g5Qb@j0rGv-!AgEW1Zyw;YA-!*cnKduHqLzR*g4pbW*@36+GCx+~Ti%*_E6H}n z&S6xWS)3y-1$w)*@K6UjNjQIL#C-0Da(#2~0p8eJn)rP-j|fQ;b@e z+C3?EV16TCqS~&YI@3CP;9gE=N@SVmf6f_rQ*pIpkZ-0u<^?uEzQHHT8=azq**OUf za&6h_J`abPm)q*QJ|b%H3~+T__m*3hd+2{&zkQyXo(NDo+rgPi^RMrrbK0)Vb72y- z`B6POBUGE!(t&w^Y5nwSpKc3Ft;1r0G!gULawYURt*fbJp{KFu;L;0aeWK08Qqd)h z*b=4k&(az?CW=qWk}D79{8>!}1(j&w&6}aP>KkErv~<4NNP!pK>C!qMMbdoV5<*dE zf~D@hHjeq!rEL;-#!>SR;dU%ZU%vibxrDj=(`}85IbL%`^`g0xu0r-P)7l!S`bDMl zx}>2*`b;H7r1!%S0a8Qk$U`Sdt7NXl%9$K%2+3;Ys+5sP;?)++Uua47a?uE-&506h z2PF06p>si40|@9cM5~uXnXf={+u4zqm;_Bz?**K?JO<(S_vt#V9d2yYbs%_U`J1TT zr(YhDkMWhdY`a_BOVBPEE3v0(DLnR=+%`e+i`vx-LOYIj$lmA1e~;BzK;xjJQ|g*9 zmTibXjB%EIvy1BHn`M-B?ytldnL0=z$b~165~euk7Ft+c>(`l&?}PM;sI}*&TT~o5 z%D|J^m9yph=5;9tesPY3A~k8S(`r9~&hVmuiSjV*n}19>HL}(M$(Y+(6$0BM^%byX4?_al1e5fk~S73GFW$J6FKyZ z?^z80;GIt7OvoOIy~dek(JA%S)6Op#+uLQGCe%Uu5f#64iRUd#E-UWn0xOKP*wUHJ z3TDNjX!4PE(~ikzWMw6xJ5OnSuNfX7IZFfrEqpf0M;DPo|t~|MG;zf56?i{>* zXHTfj_TFYQbMZRdKe)Z+z}05LwrNz%TadSY;{1AQgZke2vD@7xD%Q2t-5-T3vbx1p zB9Z?>?qO2o zea@ezH6K|-`n1@UH%LgK+Xr+fnYV9qxT)UT*5>>ON#1@``V|p)S4ESC?2VMq8nZ3HH}&RL*LI=FZ#tYfL)`&;VvUjYFLyxL}Jd zUn1YDo^74eZE=sKVB7OA>K%1T+yN@t9WPnIRd^A_xRFR+`ol<&k}1{kCSaI&?cqv! z*KaJ-f^bdNBUNa@)u;R1YQ5@yf97b)E;kOf-YZT3bBc_?8#>+e3`8t*zg&wr4&8T=0^-pV zjM24d9@!HnmjsL{-i}VUfm0t3>4yscNEwn`j`P7@1I2RvW(5PP0@mk*oyD=r)BL@K z=d#m$RMs}$cEq+(2CGvqJBywRcI6i>pjl7jH!w(kQI>W!N~( z7#qw}CvFkf3s9mOtsGZv05WAN$CF}>@35oY8S07At8-~ zba!`mHwZ|Bbc1wBN+aFfCEeZKEe+D$-QPrg_u2b9`?}6={;(!%&AAxkx$m)^P;A*k zEvdal5wzG)&682X4S_0-+ySa;Ms;k~B6InDPg3(L+jqU_xmD4u_GoTVR48+DV>N}6?Eah?2$44`QQ zMWlm!Hp8k&@O4tiZ&e#llxepDrW9{zR5|-!o5mxV2%cOrNP(WynzU4ynz9tc-_=)Qm-K?C z&NzTvEN0kZEgL}I%^~7`6&{N`xZGR53Xj$7weX0_8uE3dVASu3Yun!#-!T*$?mZX5yWnYMFb&z6BRYWG8!Znk|RQ~PXa*@n8>jbt==hX z=rgumdFZVXYnFiUnDu{z$JfI~Df&tgw31R~u40O?^J-sg5Xc$j7|bM1l$ezT6cs`; z>-jkL`BlEHIgZ8> z&4n?cWs!(jOY*yEbg-(Tn6~`gG!{~sjL%eah~B|k9*Jmv7LSjKOR!LsuBD(+iT>j| zhFB#Pjt#ckoIroWA*Mpcz6A}Z{U*2x@Z^Q^J89o6!u-p3j0!fDRb(m^Kwf0w{a!AK z*^3{~&ZPucQY;-qlt@>2KR@an*EBqys$PraBAxAr5`@E`Z~z;6C40|ICBj4Jk84{y zAQ~9w9m8j-uDPBanlKxyfn9?i`=@9O**Lln`}x2zt}N6=C9@DZ&X`O+QJguhk_%&Q zGM*)#ZoG}j0Z#j#5N1X{=NcGNL|8#;I zi7~xn1h9s}e1ShjBe$bgF;Fx*ilisg^rEt|(9Ha~%-FgkD~4DqkNQ)wIKI8-q6F{eMb`X92AN{Y#9?2`LqO9YwprqNCFS|M zFgmkRa&5M$@dJ40=63G$r|+~07R@S~%`vq}lUZ`(AK}Aab;qEKhPT#JgR!wvliv{3 z$D3t#fo;E~ak%w^CExNAamTBHf>=?y$8JVUVHaP%d<~?7kdWgW zXN*X8#T3Ta^AhEIXZy9F-({Nkjms1=T&gH3>#mvnQnukK)WNUN%l_^TY$G2dtWXES3}E7brA7CKz4fYq}_{ z5?N~z5(hxj*jj+aOiUU56^x_HTGeV!iFQA8*I@(r=v{n(V<<{2T?jEX5v^b?Wt80T z=qRuaQEaT7uxa~scb0+oE}uOM^MYbOt%tf5oAaF%O0|ep01x~|-puNdZ|NLesjFt4 z$tkd<*fbm{!8P5YWX9795A{(BnMM0cMGmS3Or-+q9Mwp?h^XFC@sPHTv;={;1Q9;Z zCt7os_$AL~)5O`dRTr-1H&*ZWmz_+i3N?^OU5*k**z^0Rfi1;w5?nt zBiFf;F2ik2C(`)(GGHUFntWbg@|flvji5(R7AGlF+i(y^1`(Co*0XnAQ8(wO;3x9g zt5KWHH&L;6{M$^GD(bfUtyP>23QG4`Oo~$UROB<-F~;35)z63AGTDc$1iQT1W@U%L z)}G{_2h!Gr$ML z(Qfl7n43}s`s|Ig^O^^%P9is~-8;+8l2%9}ON^LBJc3>88)TqVdBmKL#9co~cdR%? ztBgS|n7$~SHj{V8#BN4sP&N|>5c4Eo3{QLZ`#P;`l3FeipV|2av>8~{{y?D7#J(fU zwb?OLzr;wV3;g;)>xbOu#oZ(P#HQd#spDpfaICUP{7d1sB?1XGG>`zBX^EZ!^+U^9 z{EV8?1nCxqy&_&RgqVsxaqCe^m5)hsOAv5(TSav^Jj?1;o9@hU0xcIfgKoqcc5#HR z%~&^z4X#Yz*q)l#tW4Q#>>NpH`5P?46kIGOn0Vg0r9}y|vYj0Et}jg_WK`zxhU0-k zNTdd4nO3w^=8X1a71f?09ic$C@xVP|t3ZmgRwRxeCO~Mx4I1HAc;T~MF^j9rja zB}rCZL_M5D%@&&UEJc)qDL)eE8i|4gR741cs&`ffj11P-Eebm`cyHfBNg;^TcGDU~ z)&X7PywW49B&wQKlCuSy2_MX(;OD9Lz+-pz>UY;@hm-r-HEx}ekcMZFsL+gK1iKt5 zZY~DqF<&t5nk{5SZd0g(ufYRdqq~Yj5p{SPY6upp*ZOU3AcH01fWG8=r+y5eYt&bu zP(mr3FnaFrck#9hkp3FSy~2HM(~}pb_rS8}$CpcQP4lC67MylE3(w_iMYCPIm)7tL@ zj4Ad|k_ng9=HxP=pCpMz6>SP*Y(-|^n?n<-jf4bH#;(^-#c5^D2Zsra-!V)USmXuI zvFba{irx*dDDo;|S_{gwre?=wTpCeva`Sz%zg5&O-lZQw#d)fn4f$RTW%-pt*w(am zoGyy!Ic9j;9drs$BZ+> zhCdQvro(8t7G#!EQU|*EnRI|L#V%?Zyuo4eWDn#VF`q5$@NXqHg^1l`%rO&6XDYa8Wce=r<7`;%9y^%uTwxc+&h2!=YylSf%U=5m}e^BglP{_YxGo)?-jG|#UR$GiK0uSg-(J^AB=foP>kG(gwrXR&cO zzPUp#TOt~O6XGvy7-gMNzafT(RlB(nHhWUV#5u?hl#OPTd9ygf$tQUNn`ba283B5N zWSU{^0jOp{l0$Ubpy!x6;b1g6%P`9cv-Q9C6t6FM<3cnxX#|DUTWeaRcY~t_G$wE` zA5R-*?+j(bmmXUT%=&s|`=H#!@_ddr&?C`qSlb2`vCEi`EPaZXbtn4v!E2SL(2Re6 zX}%>)>|J4X0|5XfQ@?D!KYNNgp41?~o+38&Uigdl%T`y3!_!$l-*aVy3c^c$PLAj0 zcw6I9JWX@s?GW0UfNM#c1xA67%+*!M4yoR_cH3pEby;ag{qrpq@3a3?#Euj8?Q>G@ z5!m9&5#me8;u|hV%h5IuZ-(QmHjl@}^Jo1#hkWaWU*%si%3#=e*J1mywjH3K2aK2I zTgaV6H}uK|?D3ihzgN#TE$$79bV1L^2{(ZbL5S60aA zDM;*?e0Na;WDcRj;PClhiVWQvXd-?+^Nu{9yfj)Ipo{y|q4GuC3FiKKsb>B`#OB*nvGV8{NMhqUriPmkIN+T`L34_vgH|lyY##KSEOlI@^ zH822=wx!*p`C7}h4?_nf zf36$j9amSt!)}1@uct(DX2dqlBw<2ChhIX7B(|^?k|?e@7fsBd@0?L zc)#3RU61DVjjUB8>d&}+XFUDng!ty_PLP8=SqA><+W8IcxucP^)?_QhvZWv!;U;8k z3szMMCrib5=e(yB#q1e9)0YS-JW0q&PlrqmOWX54(9KF1A!$<(o{W4pO(=1PWv+W< zZVlgrNm_9^bni+2@4D$p>9D7ZD|dXROgC^gUjC({eV>*!$l5ylPeUiM=1?9L^qTdZ z_Zg`1_b}4AYp7uwXWaRlEl*Y+TA0kwcQ<}|@o{>_a0j}Xh%~#);+`?Pobo>|zJFmJ z_~u8c+vfh{zj^jj9RTsTvWpkeE1`N$6WB9y*v7@jiFiuIA!_ZeNAq}nRR`nh4CVY8 z^|77q_A7cuiaEWaPo8mu?E(=3i;bxhuFoOUX0MQRJl9u*F9{MK()JpLRS|DBKX#rGmp*J4O>bKF9Hk&_nXjuo9X1}?W-i#!qSh<@d-nS0y za@jP_K3|i(ws&;8@9f}-4ykHEnzmV!T zhMnL$n!>(%6Q|5@?CQRd1pg8W zR9xq1Jt>}=EA7xgFrTZxpO|~gJ&X}JLupmJ z&7R@yzvKg`4{$|_(pBdQ~kd)3o z^A0`MK|+Lr5P=;9f#r%vcsMCqc3ruNqxp!E|7SUD+hS%LC*u$Vp1SKd9e^> zAITL%HAx;Ep7=0uh>ibSg8R=*9SbuX%l{;}tp7W~ef0wV-wCdkHFb++>#9!0EXZM4 zE6J~RFLw*{U9AQ5U6FArwmpFg+K8pi6P3q2BjZ_FP!tiwwy&bdA|HuKY>dXPKa6_v zJl!>qyv!huS$1FOJUidttfs!~Ts~Z+kJ0e<+8u3S?_aBqQH=3Tw(``{e0TMKiCY=- zc{$g~A0O1`s4L;wzS!}h-QmFuw+t8L(J??7Z(?YxFA3v*@t_sI#{>*7_sj6FCOGqxX#pI7H<&Yf;r!s~-b^DcSzU>;#Hz5PA8|)sGu%E#Aj1tp z%x|^$o8h9zp4bV{-(v1v*3576j>L@gp=L`08LrD~hD!rvxS^l-{kEN{pm}r!qCS6Z zEIRU+jWPQ|mz-$m3a82()rTC^S{;>IZ3@lS_!jp3(-Im~3M%vJNIO)$n{+IAetqg2#hl8Ur847MJ8;Gy{X7+g z+ZVo4p)G!W0g+rQZL;0Q?_d+Vy@&4L#ibpWpg7r4qTSyyZUs@>8oQVXRO#$?)+UZo zUE>JjLlV)Ekyc4RlFV-dDQ*Ce;yOi8cL6Cb43Of|m2XD>PH`csG(n2fY>?d&VtGwE z0_qLZw;euP@zn|Z@|_t2%;4e?Hev?xIUe=<%xTSQ-$8m;=-D5WB6bnTAZdRhTfY(S z*Vpem)}9M*z;O&R>qmnBb^5j%=NI-`M>Udh;9Y+Cx9=HNOb)o`G3T7@@X?!`u%ERG z*-HDMD(T7ArRCUUzbiYuML_&WBd_#(x6Yw7{B^gE+h_>_`A2s7@7=m>8j(0#gT24I zbsNtI%)&!*M8^5Qd66c77ZC$^5jcPs`I#{{2=F4DY7>J>j`@OG;F_}UDrH_|ygn288LQNcx3@RrH5zlhdI2%;-#bnssj>r^N7!2pYa5c;$Xs zDP4Zx)b0Q~%xROsTxDMV*jw+68-)#W5Y7rOU0jQzUZuG#QmKrPu)y7qD5|(eJBf8J z>-`gd?0+LX7kWOEteX5;6qDeQciEg?djg{o^IygZ1AKwwqKx)7mcVS?ssNb)B9;Xo zEZkISm9T;aqnYG_VOX(0G6rMN0%3aQuUo^Kl=;hVbOz2EnI^ZIh~;XLn+vGAG?KtD z7A?J*I9qP6N?R6%|08vMJtRtEJ_id4GiTC|%)){mg{5@tnLo!J*CIxH<4ssdvkGWp z-3)VzqKl%qQvN-~ZInvEjU2~?i+@dV53BJls8V>n<6tp6w-rt1nEkJ-g{PFpGegV) zUWBGPRP4X-B1wU;&zgwJlvde+t#8P|8#y~D{(~1e{=1G>B&td2lv&*AAOejl9F?+9PLWGL-qHcx$?APPf)%%zw069eKv>(W#?*wur5 zVG}zf6fqT+!gHazzFQ27p^T~y+)Us{Z)gn*vg%D>b%UWv_I{2)t9>1}-AXBJ@JVq|Qi+&HnAbHu9^_0y*V4ha3%{DZCfau&r%YFWt z0;ITlN+?+|wf;bgJNY-oeI2cHGWpkNod+$Tv?XfDM0#R^5? zLC4y}*UdU!3Eh|Od=Y#TAAhp~L^c>l=ZqTQg zQ}nw2X1I1z@{Lu0Gu(7cAj5^YFx^iZp#d^nOsSaH43`Q10?2RyfT3K6_rPYEXajQ0 z!7&jj+Hv2laN6}N4q{Fm@!)HQi}O3f1+;&^Gu$6TD|lKG1QHT}_K!-XCQ0hp+FJc* z&5qNG0Grp?+mU0g>bvO@sOVCR1mXc620p+(XovnQj#_G4!TLMtcnIGJjQ>;6vG#a|ikU|<@i z!}uIi?LQCxLyJsU0kp_{rQymi{wKi`Ey7fJ$uBgQg$USBUbNDl)Vo=MRbgUeYarsz z(cpsa8Q?tksTO9Jkj|5=s8wbF7o5j_01?Q>q5s3WlUe~-99Q}iXoz3pT$xqQ+|xBI^uw; z9|ZTz{KZ8u+`eCKzv3cy-A54vbUH0ZyIViiNlvmWu#-~D;D56x%iEXUV^z{D2%SHXc=kwhKGba&3BU*)5;s!T~%?f%!KQVEzpUtyt`#bpNLsE)P}h zXH+k=*9i9rabQF8y~`ebyUx%ip zt!l^jf}BTF7NDUxo0GVV75d5D-Z@CEgSPB511>fw(lOE1Ng6e->m|tY@Q~B#{wKd!)HQ?TeO(1VR1VdNYzVMoLjRa{zORa3k)E?l~;uMRr0A3By z6aqg~A>4J;CJCAjXo`98Q4iPeB#7!?F1_xzVQNYgAt7{Cj^srLmp;xkVhLTT{%5fc zvtv|oxvm7{Z4{b{(DA36x7t!AY6{IkpTj{{k}OgnZnp&TZ#y;;CYe{J+;b?X)`q3onx4K)MRqm?&+iI#G0H-MOGKH ziv8u#3OVB>A?(A)-?WGhvGF5CV$rMg&!aSJ1L=Gtc(k0Yft8H&xqOw}mp3OX8_ya2 zb+JxAI(QW7?_wR(ri_(Rk~wErOSaxY7TDfCacyivN>S5ICYxoH#P|wKzhAFyBIeN5 z-n$x}D0ds`_`-@NX*j1u%wy1+?8Pv6fW0)fWuRY*CzkA@mm3Org+=gINd2i`C-R4F z0a!#YZegF`U3b^2!0oqPk8iKA2;&<%l`zLZV}*s-Y@FY;tpRsba*)Z*u`S9KQ^wW@ zu^xv?E%pX`J-4fF$U3f*La`t24@*c{ikhMugmD(?aw7c<* zagR71vTgDJ+yL60hko}d4r=8_u(9!t(Jv0@GjF0kZI-oQ4U*`jL(6>SZmh2z{`eIJ zm{jd_sCygusXC%-6kf<940+nje(tQF*ev9$|9Kdm+OWkyUuwbXUs{Csl@`IFZUh2c zg9pDqv`9SBnXaEYp#2Mp_ia8r0BDgSw@k>3$|k_E2y?`DqTf(2vO;K(v!$^JJf!3q zU8ov`dJ)paQgyb!_tR)g+J7&1GNRn$eI}S(UqNGYNq!%j*CG>9$3@*(BCDqX zX9;ZuchrMEVBog6|8`gKRE`S!DH`Sy#k2MPe34>J&RE@x;hMw2&s4p%}@VUa!Sw8JPyaaTnypWGa*oqKhV^8Op zO+zT<4yU+&?NYqc>lhW?uyQxSndM|CxF^_C_$SXpAK^=Le+uzMUx`YzFG@=L{M~>M zN%}O4?R)SP!W5px@Ui#A^=-6OF9&?UKbBy`9b-%$fc7sJ(Ec$B(f$c=F&3Prseu5u zCaFN@Lmp+xAk*&sc}&>Rsh5AjzUR?i9>G$#4rZ2MW3y>s=idPL;e-hC-DTB53W@E3 zOS{+H`tYzuDm06QZc((yVj7v66}^uql|G}SM3z5>U*dFK-Dzu!#fiq^`XFs>xg|x; z5eJXlBQ6=sL(l2E7ArYXI%IuB7MDtn51YqSSZNmdV$Ft8nhy*Y9tWN`x!vj6#kI?l z&gm~97j23KmdIF>8ZcYCdzzu?pL>s#)rm6LU1Ch9&9xe4wK@jh@Swvz#pu$`EV@HD z6R=mlTt}lhNM3M%+Za5rlew$I_%NoM+o1w41`(!@nQvw27XEp`3AJcApH5Mc{>B32 zLST$J6hnJJ-x$GJdt%sHr`V>@)Zv~gucDHMw20#8A_T};u(?WEk0h#!U8&pPA`}fz zU((8?61i{lR)n@*lH7p|US2uv?OD5Cq8AdR-bikOU=Gble~2Q=_n-@&AjDP)A zI2{3%-3~-EFJl3#`?LHvZcudkYVVEv!t?2(&30e1uu^-5X)$Lot;k%2WX`l1X41{TowTX>8;%RREU2uj5vp{zN(gGI{lS#TGpPZSHJWJt;D zsVq8<6zc9n?T&| zh=g{6=;jUfK|`9Us02^Er!4%;jCoOEfC5Z8fj>{Y{&0PRs*mIManH##+D6$|Zf>A$u1=$NDHF61+zB z^dq{t2vR)wG315ByIX3J>#1PWGW;v9Vwx5^9BO`5%K1Xh%V;TK0;U`Pu8JeI9oVv9 z0>MiRAPMfiJ0bJ2ZL!Xp*n-}KFq*H`0&}0pC5oKk6P3>NI zRyl>8&bS6|edmMf@Ra#Q=gIxD=cELan`T;)S8RTnQHfFN2z^aYkKKjQ`&Ujz& zcQnV`*!-%`jI=IMknqvJm?+MzzUu(*G2F@!O9$6Z@6Xp4Mu2s8#lMl;+!-hOG%)7K z>@#TJ%1P(Ifu5V0Z7jzjw6>zWc9u6{mwAD}Dc_=KHl~_<1^P=Uh4fma{(}gjJSiHM z_gTe6damDnbQ;Rj{5(O>huF#SZ~YJs`e~AjrcoBg!ZA2;M6sz~ja29c<*@I6#C6F= z5<$n`SgD5!4f#1{;PfI4%Gp~)j_C8+FrwFR7fWPZ7%VYjgsJZy!h|=mMyFU0lb`eY zfbE%lHy;jusR^ zXBx0gM3Wscd{Uap818{=7G(4pn#pDTvT9O%4*vB?UW3`r!)Vz7sdbf2NkCGWN@0N} z1F6Fa=h5D3hpE}9@}y6=0`D38Y_X?=z*RO%Ubnuh_K``%c86>RK8Mpp270}xmDrB! zEADP_LcIJq_h|`t->BVc-YwSpa>>(?gq6mu!;gTJ-30dCD8{lQ*F>iqPNmA*^HA9;IlRY=T%VN9#5Xe9P48;EtAY<%29zW-(Tyg9F~E;HGYl znuVg95b~k&loC!MRO&kZ2L~m{7vz&X8j0pJmNO7&rV3=YJ_+I_GZ_z7NUSbA26g(z z8#zs&@(pH_275_G-nHc6j;J1`@q%49JhJl{d>};A6UKA52s1#|2r;Z9v*~~t7_T`G3$}ak&#nSeqtg2c2mrol`VAKPQr$r_joJAM$Nfu@= zKH%o5mLrHB_gcl&l&Xo!+Bfy~T~`wiR5RJlTUAXr2hl0qiq2EFrRz-9aszuJ;fcHH?G`zJvC1y70VAx(67(A z3X9k>Y|cd9X}0BN-)eSAtGLLf$#s<;TVnf!SvEo&jsDW=6SH*78$ISYoBU|6<=0_B z5ngcp^$Jut9E0_P;!nmytTMXeChg_;rz_=e_0Bh_a&;3#1X+*Lp6wPJzrEVrM$s{0HDceJ{%nCiVOtYE z%S!F|_QZ{2Qe zrEMMaB}v7K3YuFD(5&`p2F(~!dEw+%3OCIIEg)fdzmR%@<+5vr-96Jxqo1_>T79?F zwyOn?tgF0!2ZOh*=c#;m!TxP-KHHgl|+g8KZvt)t8Y@>)M%Tff_4OYgFA}YUSsXb&oP+@R|s{NbT(Y-@5--BK=%Cc zluk-<6OMH4srF;Tm)4&Af`a~GOg1!nw8btu!7TCM9Af{M;Bbb&k;mNPD z*y1Rih1UAXV>V_OuBlBo3A3w}p8iN%H}}#aE4}~^j%}<|JN{Q7r}=zq`5Wr!a1d;{ z`wev*0Z_*i0Ci|0{5#ZP3_u<40jPss;T7r-hHEJM19kLrC;T_4BdzN%)PeXH>R@LH zv@IG#efTd>humf6_X27r!&vG`5MyBr_k#+SDdIS%yM{v5@7=J|wgKWci1zGU1j^jL z&#M@(0=X+@dS=F7l^zhC)qb>7;KDIcp=3z>HHDD`;k_B{_8>~{%NPpA`jL=z=BB04 zavGF}L;-=EGeU~hF$PXpb;Rct3@NqgWITMsL&bCsQ5XVQcbj_Lsenh5+XSUnV9Maa zIHzle5u(nN)RMLIgW)?n(H_DeVo_b!07?Udyfl-rI^f$nDKT_!UX!NPu5cm5Y-O5S zmEbz_8%E@MqtbVMPg27b&$Bup%WCPjI!M#$I@#&D}A~cLRts4eI#r;P_?G%&I%FEIx@K(ApC&YgaQqD>jh(@b-2yII8zP zYZYov$Np&hZb3CxkJZIHHJoUrZzQrfNX<3ILZZ-JB-b5jEfGv;!v)?(37_(Fl8)gU z8jR=W|5Ou~-?8Wrd4q*MBKVp0!$KA5S2&(hH2V%*kS}eR^P{-pWrVZsdHZ8vvMjY| zxH|&J&M%sQa_E3R4kZ2x9!mO?CKM&m2iCw$Zk`?g6sxMm1^3VTyJ=^ z&5}XKSNE6d;QmW>aHTlx|Nm5nVe=W=8{*B{3Vju-!v?wlP(w&|G1YO) zZj7v#=sAHT#kxICHWx`39P9uITO0`bvT4knY>vbPKlZ7q(D(YEv^v0im0*ZxdLvR; zOw%r^X4_fc)M39H7IBo(K~DaXTP8}F>K(NFDwJDiT2h8_C@4RA1KWo^edbu^p^r#e=*V! z1^=}d_6nMpv+1eIVqgz(a|kE!haI&5btJ%VZ?*226hH&|KI z&Syo;FB^Qf9kj8vVgyss>H-kR$u4wd0|GgpZ(+q8 zXu=CO2d_*(AZGvwS_0Bd07i9jKU0ThB7MpI)9l;Y^Qxynz%0M?=K#r8k2 zjtMLw8#mi&Z(4{R9(7+KRY;wznS{XR)`2BT!qiaB#3fzjcR1fnY~N#L-D};-x5SQUJazW!`g_WZeg$VI zZo7R?d-bl~3ZP?Cu5Aw@lfmTA2(M`V`3*|zr&wUlSV0i=4*!sv(XOoZzjGZ>f4L5t zv47(_XkNJvzl5FGRd!$t%xH&b1iXVhEdD^QI&I9m6cbb1bkfQqdHYhb-zT-P+DGS`U9fz!|yZm_}sxC)#9U=vglX( z*C%KcLzR>?sfs>+kQ7#QMRMiC;&u@sTLX5S`cRefp?_q5CVu+OKqT&8yJeG&)eb$+$y+ zk4fvs`mO^*x6UQ z(ZA*7;+bIlzJTBD`Lprf&hsj5a+@K0HM_k319s^B2iRfp7wkYKJpK7UV280U8U1`V z0CqewbbfOZ*GETMpZf!LoaB_d|62YHc8~*L2M+*tsGa-+cC7pXJHGt?UKeDrn{A;vu7eVw-sUFv_@@yvJN~CuXw*IT-OXY>w(?Sy)y$*uy+q{^1pO`dj zAg9K^>sewO#`IqKC~UFG?hT6eUHSC&g?f+!4mq>o`~o*Lrn|~La%zQfHe1d^n-6Ry z&uL`#9ga3LM~x!i{&C1<9=|%|Y+fC51!vwNBqg6UB0_((Yn$@EI^>K~ukS4+-w8-! zg6uKasTDPBK5s}3ao;?SEbf7RNtL&56-t&_4yGS4AF{aT5XtN95?8&={86nGqsj6CT$=RQ%0}K6@Rd=PVQ41Q-K@7iCo!9sKdy z3IYPn?6O4~G=?ugD~JU?a+0mfsi^;*v~Z0jFvB`(kAS(CI(yK%c``B^N1rdrM>wX% zNI7YPZ?I2>j`3rPSoE_3EzKW?oZ1O$%IizsZnr`@mqM9gNIWx?9tOct8=$O1Xx1e8 zS@H2ujHA>kjOe#Rj`1Y21!x7&$%>+}L~_SC8C#%@AaVhR-1pn`?ex@q(-`0eJYuYL z6sd(IVwIfLxRvH^?i* z-txvV_!tAA>8}nsrrm_m;h`86mrEX7U};K9?{YxiCv|#yUF@` zKRQJy6WvtSSbZ!0xvqU7ueW7({x^eBN>N&li#%@GX31~k@1Gu_B?c>@*uR&^Qi{&# z$u&WMlsNPl?EfADbIG{m5p}iw)DShmwR zIbu49Jc+GVIc~Z^)qcXMS)?h*cQp;dBdiFFIC)Om#8LViErcOcm@0onvN~oC)1i^8 zWQ1C&W26)uc&Kqq-arIGn|=Ni{?~leeC|@?H(K9+Z0|;0Z7AoJfPDB~0K@nGZE(p2 z{kr57oKoaZONls59|`V!h0$SCV)r~3DZO!#$bQ75R;Nn9BFC=rgTBD&8MJd!D3YWi zL~XMOpHiL`wJr3cNL)0j)gs(NIA|NbPM`NCMUNt)^I^kEyJq%To6yF7wup zx12%@>F&Wxp(c_{bim_Di+Pe;I0Ro)x5Ksi_=i>O)IwCVbL zTmSTh5mlvks3K<7iJs-UyuZE*lJZL7>fpMy=_!g;93@o)wO~RSnli7d9oGX=o^*PE zl)`LIB(P>0WofSp)Pj`hKrIOSrxwH%)|MN-IJ(0H}Tu^6^cHcjMJpC&n$1pm1Q=?W_;5*FyUNg@{_s8HN+ z)Zq5{3J^zfXdOkau^zHgQz9u;1>2`0(l-PQ7MMV16GeO_0n--8LFX6C zOcLr{GStt%WCt4pWeOSJ1F4i(7bJ>ppi=0VqmOdhLYdAAyav@>uNWyZBf`{!$ z%velsw0v}v-6bh`%X~0=csMFf>tF~f5U*rqv$?hOi${<5$`C|JRRLRIVYiBmic>6r zSW;S~k8raOHI=n>GmK&4Z1FbKrwE`qTsycb!ZasLla=g~ruJvla&nVoqv;y7O-uKf zFG7P$Lf~_%-p_sN+LB&wVdXK6miD>U=BJ&`>rzS%lS`MMCsIRSv`;W=>QZ6~C^UkX z=W0AOc_p5R--C@T5i4Les;Seyf*p>|Nv~jsO5&FN)MgiT%O9`T`HW?9Tjnw@CJ1qZz9cU6$S_V^C#58a`JJE5gtnh*Ue2dsn9>^}}1L{*r5P9Yf z#j+t&z!;d(;Rv>l^R`U50N^;K9adoFfzbN-(7&{2L8P1nCpUE@%k;YzjN4gUdAk+0 zXe{_1F9di)8&I_Rq6skD%us`5p~@Iwxdo8&iP@O3EF7x-VGnz7_$uehNvxfkSH?zn z$-zL99|{T+v{mS>k7d5~Z=g%^BlP&nvg3HOQC*T!(zH24_nR-_LaJN+<~rB`u7i8x z+7)l8$9j_r;5v>MfX9@;z-G}dJeJJH;g0EW&y5a7T`Kc zesdj@eTT1H2ixfI+U=##H{{I-~)vL-l3tH`meE=DxTz(8Whfv3J6A zNml2+*g4Q+t>Fu~r_^Q%U>#-qdjl6#dgHQkEk{EGEW5LKZR;B+bMP*$x_vi_aZY%* z$IFgqt4k1b9L_tBd(ijwQ*AG|`CCtY=MS>0)g4A_{5t66p4~_hY~K%%AET{p^bgj2 z3E0}IaG$%7@0#SEC_3v6vSGIskwZ;zDoKa1 z>A>*LK8wzm<}I`{fcV1ht3k7P;ouE^Q)hbV`P^ryk&X|otpZGe2?L$roq>PCZia^e zg#1)&SwZ5i*}gH00^h9v4`wR5jDrIT?8P-`xX788L7)>HZbyKNB+y!67G6(|=fdH? z!FzGv`39PMevF>mf+$piJ#_1^$p4EsQu^w@+ zA0b&)d$1pRa~ZqR0d0zT{cs)jt@F!D3kMKGSS)f@5VTw!&Qp9q7WM+6f`6PStlTQQ zg32s9t3+Mhdmvn2HMmtq(&9AR3V8`TiV1++YreB=k7DrHN zf~N&i^GW<^AUPn&eeXeN^zB>VFwJ)OZb8^A-SJIH*Y3~`&+Zpt)IA9Y!G{a8;x_&AYHn}yJ1axl!A zrbz#Um6(LXFyYw*3g3Nb3HA=t&^fq8LukDv(3cN8$$xn9=5)Oy{^9#&i=~`Z0mJyf z4y}CU*jH%0i2!7w?<)-&RefDoig`HSS?*Rs<26rn4<;KWxTID)rTW);9A@Y1f|C(= z1C|y&5Kh**8Y1+4j3cOyli1e>Oj&J=@4Z206+N7ZrdDPMzgjyAToe8)@Vo?&$| zd)nyEmz3;&a4bE~fxt9>56hE))9k}O|4RUJ)p4Fb&rUu3!4;W`6e|T?T=dxCS6bL- zR8Mb~lCdSKgmK~=NW%KYA*w#YrLlx?hz^~}m44XtswcX#IwwD9nqxcv0hfp^tDP^> zJp^^BVPijzflg8R`J1CE;)k?f2Zp$rfnpUga#Rg^N+8w*? zm2&(#cO70Sp!@PdjO4sj^_GvnEDdfzUxM>I@MWbRW{#!Shta-r!#;bL@YS)dPuW{% z3%+;q{8e(yxEJcO-N8#&fDPHlmCI)ixq40u=_w;+xPSW9&-40=M$?=;htKLDpAfXk z(?;Eff)rvpm4$B_&;8(ja~mD4w&{IJlSp--ln{dCT+Ag)Age}Gm85Gi;pUy#-a(|H z(2C1k8N{7_1s=@S#^}TINk_gGiuf;Wd+5}Z`f1;|L%X!OA70-qgkJZ%_Uu} zvGYmLsu7kc(J^!1iMpzkB6GSBm zB@Vax(MMC(Axn4))>iTH0UZfUmY@n&t)}kTUl;B5t1?_|yA0q6U*GE5vEqM9W9ORexai>gm8NGYmtMcsZcDafs$s+( z2vE;px4z+u9VbHML4eul=?t!w7iZtOi5a^KF1x(;qHXJU1m29Tna5R2{o#1SNDQG4 zfe))x<7w{8Ko|5`fAY9tZ5_kp$-xUK3dM@ae+j~W=i9G#BNlf0{|UmG82@(={wh5B zKZ9^BDRUYL+m&=3o1YK^u_w~?P?z$Dxk@l8hS@aFRwUi*;Al)G? z-5}i{BGS^Fbax{yjdZ7ggmfby-QC^YU3);Uy03d5&$Hk6GhaAPh8g(%XRXyyDVCnX za15X^hVDlVKuP7QhUldU3`fydGf;jZGx9X=#m;H22Z!%`?lsGzjiAkC5YLJdwOgo? zddf`&%#jmSWX81psh6Mwo_xqw4KfZ#zTews1v?Yos7&eofsx;OBg^Gi&1}~({f7&9 zEw>hNSb*M0Y?dG@9y=nzScFGnwp)(@9EQvG7aFtCzFL`q*@Etv&$PVSzDWzS%-~1! zhu(-_>k|!0rB&~&DhQRv@0#ODZ-n!tH!^OP6~~YR-8+bMyv~p;gO3wMRPUb}S&JQL7|H_77y*h*!9Y^eCjLM2A6NX0|=qr;6pfO>;(U`!0qA^QPXbf-1rf`6i zR^_1XbvU6+YH;^O4Uyw-G^VjPx^DwOV?d8+Ogw^jdUA;#YZSl_facQkQ zgOL1nbWxR!rsp$GiBVPnIjSy*oEtQPN^c8?jSfU;kvV9L+~d4ZEYIQu@z06C84{C^ z^OqyhEaPoGN8SkP+9L|%qLb(9bus{Yqg?3Y&;LxRJZG4_KmEv84dDizQ*(`&wC;^! zH3`4(g_+%ZAkDpL!j>X+i=_Q@KQnDV-z^G5&Z74ViE=2Aahj_Q+m%pX-z2dS4&K z>LrFnh;T(aVl?>Zy?ifLt2y|V$`veDE|MJ0a~!AF8fx)(N+rD2|I-s1L;r}zc>jsU ztcGVHahKqS&l=q$|=CbYR|8I0|}FdNtGW$T4NlU zx}!V#)Bb4+&)TLkO@hf9%W#rJQ4XcmMZ+Q#H-)yJ^+@(Jx&p1@*-BHCq0>1SHJxrQ z%f>W^mWCq*Ipr8BCG-*L0`Le)Tp^Q($f+?ycw*ykvvPm zxjVFoUj}p@@b|?b5jFJr`h{X{jkw+sbJw(ZzLKB0?70xaQ%k0}*5^osLdA0VYN2rS__z!ENo@NC4# zo49OgG1T;TN@cExR^}cNNU6*MDHY?Vl!`OuQ%a@xUn!MK0l!>~Za;wBNW_pR)Id4U zu+_60fD%R6$|?W6t<16(o(h%xJEijWS4w4{Bd9|$?O!Ps*)@fylnOeKQek8a$dP|c zsn{z!_>PdGPG>F|Q<8E8Cu4rPfQ^+)%l7swxkANZ>r3aQn_|HLMEmn3^ zzN&`U-yDVtl&Ep8mW-loXxZM_zRtP@4J~65(*4|3ZbaKeeEY>Gj0Fv{3{tbG*oZe3 zVvdzHV>l~0J4WsI5I*-o$X_<-)LFkMUU5-ZP%qv6^Qh)eA)_)kAr~uD3^RJ*-T1g7 zsvWi-Qg!;rPx#0hvNzA`SVD0>?R4B<{F&Ibtgnu?UJ^qtq$-q*`% z<_M%t{drvK=@@u(@IxWNp>?^fKocSU8$PzqC@OHb+&p&=A<{^v`Bpbc6&QRoW3=%g zv2!T{`zScVk+Kq0|0y+u@vv$C8;yy{)Yk{lm}SiD2LO%v@Px*c|3YKlBk~KPe8nNJ z3~oCZ?Eexg)h#4FJ$S1=xK=M_{l+06%m%K-MJC^bR<=-Q%r3)NEs`pEnuw*4K~n3K zOU&vNUtQ3(q_!hFvZ=kkmALLSkCc6p5SfaDgtC5^3QZQU)xUGHl5a_ao)oE zLVUt_C-(jVZ(<4E5p4l4GGb`3Oa6l>moUbbXFG>vsoQ4flrySlMqL!X#y3=MTPv!A zp)SX)vLn&yS60@E@#rk#Ke)_&#p^48k_u-(%Q#R{A<%}#^myk08AUnXk~Rnd;%_oko`K(Dv;EeF*RptD(OUjWavXimcyzo#|fjw^xfTu zL8y+kGV=-E*Y1`YhOsZd8|5|v4yld~FhOI9j9n-!sp;lQB3wJK%wg9LdSv58+voS2 zs<0BOI4?ja>SN~gzD*4v6}N$ddLQ~{sc;Fc4n`;0YABda_$qTYf)P7MjDLN`P$!=4 zmc7lgu~W(4B5bT25;E)PFc5!VpNjVLT_U^AE1K#-+I>xrC$FSN7`&T?eL}#s@`_AMJ4e3 z#4bTJ3N0z0q!%cc@Wy76(^gt}eQmmc=Y|04ew;F1spptJ(6l0h{6uQJuMZ%g#wK9G z@I}~t$gfV!197edpz$pb29QKPlm@w?j{3%qhG)3gq{O!;N;|I8X%A7*qI!f_o+!_D zy+0%F&@aHso{WzL4R!EoAzv}py-WRBIW!_@Wr#r;o8%-_f%d33dc&_tOszry20gPK zz5dSZzI+FHa9WwRXyNOrNUIo!!#pqkO4}cf)pRP8E95B0Ejz|H@T`_oX>KTcyQe@>4T2F{0jrS$ zmStf>`)6_v?pM;nnaEcakim|0-g7`-2$*nds#PvGe7wRTIOV4^+C~>e5-al^{ z7m6ac3YuCiBziT-hT-v{AfsCXt!fW(&(Le(aRdkMCp}m6Iz=CVl*)Uk5%t}Cx4Nc)xYc8xiCzFpQT z)eCFy1QmR>h#X)^2y(s9yBf@t+uWa*vz>ZOsgUAL4=^)l%y^wW{+r;2ZpuH(&JE~| z6nbHpGo-4jUNCe8>`yyu*k=NFpo(2pj9+&k;EQ#bf>n2~B(j)hv*)lzos-ZIBZT*D zE5t$*r}}7Ly&NhCI;|o4XpO|W13Jwydm6z@wnxzLc*fjjaO8<r=XH&;4bc|7HVMWFn83E zGp8ffHxTC=R3moKg)!D5vYzxtbHV=f$;(EUtO zsY58!i5L2ZlCw_NxdFYA{iEJ!cayOXAJ7}I2Yp`sq^$)Tp{`1I8oc_sNpjt}77@59 z>})!Ix~wULPi9|ir@-T4N^zV2%?bfcfZ_L8I)Sr|O9C7vzD%hjF=ULh%?%?1*w`t*m~ViUyo>@J>up7f*0Z>Tfv4^{J#%gujOj zw@PNu9Kz4-!%qNu zqckHCKyQ@(TW^#ZToy4?O z3%qu-Zxdhwo>7_UI-(lQ88_xQ!j%j1;M3@6wQ1a_7VkG@->bT>kP|c9IO7>zZEJ2e z*YECjzb?(Z+i;`BT8OBEc?r52|J72Ne`=}hC~U-X0xgw^$Ce5-J}KVcTPpK^wp3)< z56CLV2DzKB1~pwHq$?{66+DR{Jye%A<>&{MZqLSI7i3>}*yTW3Zdp7y-FIAA?r$vI zpC0g69-=RaQAxJDV67-lx|?oMuM(>H!L8*zOumvwusF;0@2m=Fc65%@O-*g_+*n`3 zs=p0d3E#lwyFAJ3Zg8l-7~x0t_=I2yW6AI{7uu16=dQ!z!S(uTW($eit><~-Q%hyz z4?ITf36DYiv!zm}yrSsm^hZlY!&DCG3xjl~UpHPmS_1R(7<}b-YEA7!Tt0^p7Eq@J zddEURuiOcsH$r^U8!dVL#$zTEFZA0C+72S@2JXLireeiM=>d8p$qBr?2Qy z+obG*Kd4)#%I+?C1ifx{Uf(p`j)1uN1yF8zR-j)ajl$kf&@ivQfj%Q;_Do236YG1E znxk0|c2eYR5$GvjhW}rf1vGFx}GpZxNV7NTA=g%zzCeKGW(MFbY$yj?x1tR5vgT}D{KR3m8`VN+19P;&S*A4XN$|%16Jg%s7mkgc4m5@IIQV5a-lRjp zgz~)n&ewhNh#?)&I?|DYpZPf@m_=)?Q?ezYAlJ!=vBjaBtKZJOSbb+hkqm*ODfI>V ztHW|m*+6riB1)e-$=gVkc`8ag1e8jaI-|`Tmc;l9L~bVGc!+~i{-MSr{d=EznRX`* zh$dHJGIMri;#Tg0q|RZ945Q~ldJBuN>K?Qyxm_9@AgXYxkqT-WF&2=gIIXixAES?h z40swJV*zM-q^gCy^8(WdV!nGGWDS^gfeGvM*Y*W+~tuh zZmUYVPEvCmk;{fJOdVVI8X?mn>xWd*pqWicSVy}0W6Tm+ZL3upGcdwxz20XT7?)!) zOI>N6uQ41bY(l-HKMMa`3nXyu(B`n2=+j3MtoFSX-Xc*edX{k1+Ish?=M>v)Q}0u+ z2f6&KmJ~g?Z&_WE1FYyDtJ1Wth#ic6>Q$*VMw;*cDArFbYOIpQy6r?yr9wSL->TPn%eWw! z2wCUWLHZ&L(vGC-ItVNX)>4#0k{lbQ0A22t)t7vzJ(t@ygdHeh5YF`}Ui=l}cs^__ zdjoHB%Fzdi8C_eO_V9D?MUg-8g6GB|JYHL6Lt$%(A(Xs%n+AsdWIFF&y+MA{Gg{g8REEyqhlCQ0>(ZU+=fc&8hFXLbERsS|p8-tyf%;w% zIwZaq@8H&9UgOOP)(|076;(;}r}n}Wclw|(WQM6Q<*RUv2|$?kVe7NnP0KL3dMa5x z;RRLM2U&ZSy8Af~HC(TL3c*$Ts{ktheu_ScmjtC%2<_Eoq_pe;nK%3JiKflH$;Bl8 zsu*^lS_$fCQ1%Kw?DX*2bXqw`jOoVwIVyYXH#z4X{&$)*(EO~lV<4aAqY90q7mh6K z?4Fp}TXW*I-{tyf*nMKiLfTATruqGFYlPH^jLKP+pf8NC{%Rh-Pw$dl@vLjer_x|* zPWxOUS1;BvOkLtgK7-k}FJo=7Agyci#{v{W?Y@jhTtL-GYAL@O=UCrRB6D{kk8{kh zbo}g_?7O2}6n5rO-9dobH8tZW#vLslF09TqJwN>5NxRqUciG zbC+fxT4e{BaJ9QU$hjE^QrRh&HHpL7(|YrVwMztiAGO+jQ@V}f)thJbpRrslZ1idlKrjZ&M@p?pn=LSHy%Aasev zp7YFljrDso>LPWE57dXS6!j4%uY;YvB!!W?77~@#`Y6A{+X-#j3#o5CNd*#7!spUA zxsWw4+)69%H#ax+lN!$)47_LasHVPMN`zPs<`ZpSIG*-x{Q@$SH|gEGgT|B@7y78Z zid_^T#XZ}1#x)LocBnqnfQlN7H6__us+5cgE2lou^nIb4b;6SYgoN;OXa(V+S4I`i zKL6_n!EYf)Z_MZPlIXZ4IzHZgHO70LPQzm`{j7m(OPPnED~|1D7RrkZ%ev<&`eBmY z5xZR#G}9GWtym3pcuUOQ$ra;l@N_6hnU=VsHlrB?#EOG}ftN9d-@2N&lkC4UIPZ~7qOP9{SI^M_8sH+Yg zDx@=y$+Qi&!cs2%h#%lo5Y;~gO&97?Xq$L+!#j+ftdLB%=p3o}Q|*EZ{P})hRc;MV2gFn-3Ph45%QbCllfszB)9R30cG> zP>#Cd4P{PTF)EHaAN!6k-cdl>cv?gcIr#2C2&ZDy z>>IOtlQF6943Hnr^o6KvhbY)5QPsxRHW%qMW3Ka{QJlQ&AJ)D$P}g77`h_J3wtA&{ zA<=fO7mFRp*CVyI^se=zn#?2YOFvkj*^AB(+b#37ipFA8N!i#PtE4QC2lLmsZdDr< z8(g+2WIEuEmVP|@n&@fK%!J`FT_?j!YVMf!18c_1U7pliXWt;=Bj=ll*}M(G;;pLK zL%i#l%8NpOvjVmF2a@UIa~mn`x8KdpToS1)5J1%@{iGh|1L;3G1!=1^$rlf@DR1AH z#^2iA1S+;>G1Uw9a7YJMN|=gUm_?#cJ{O$M66|E73_CHrn@0l``OTc5<6pa72!AHM zHwP2q#KBN=ZL{ho1rJ(sn=XT zwL`62zJnbojL9An%WSmho7UI5^mt`N8A2IM2T6QYfFQAeZ$#YV;f7-&HQEk}WJgk#tye~a@rseL{q!KEC1N1aO4QHFoS1txDDe1d4{ z0Ee@@l=(>SD)c2Yje|3AmOPP>qtSNRbSV6yZa4JgiX%r=b?2DvrRWFN97<27(P4p| z;5mq}PjR|MHEw$mELrhRt)w<2B@QzDLP_^=Xfh^ES+RR(oy<2w%yGsrD7PFr9_9dz z9q6Xa)@W_;HLPPl$$t|;xj<0r&HhNk$D*xR72o;R;3au0CU-x5kn=v2w0O_E7V_0b zm`nd^3$i^s^1Hc$DGlwzDr5UnBUbNgn=*6uK@wI6^hqP#wuN9GvdIQ=uKpS2j2GMt zu9KdM3Tr4V)jUV+os$Er3O2>(mX}Pq^u&AOsIDf23tn;n+~QdJMq(9wE-}`kk%x2i z=sfpJSr$I7Z-s_OZzp?y6iV0`ng6ohF|+>rWbaXg_dlNOssDwzfIlHF3Ia{to))_7i>)oW zO?rY8Ons#qh6SN-AwR)N!Kz9pk zRcFN}N5$@atcCOz#ZCy{A4m_XCQ55!lrKHohrd=S5HB(|DVrAHw>vuchD3ONOv02<`7!7q#Wl`ZLK#7sIJkyD_v~G&nqYiX-m#Jr{Itj`1C)2kvIrTo+a_)9g*J%_Rz+~LV@8cO zy5+Fo4=4M6d|yz$=;wTk6yaL@98hS%TWOH+^O(Mg4I?-r&P$a5nHtd>@lko_Kls3( zX#*(lQl9&XKHuG;L(ZYIji(^Wh&JU3e3ma00`J8394ZGcEx|EF&`q>I{IVrSvy`Z> zP?hbP6uH@D(bi^Q(>BW&@}&PmcgFlJB(-kpbuW`DjMa8<>scJ%npkT`)-mvgYO+NH zVrmceY)*XnRJBetb?-}zV6sST-!1(7aNaoQ49@wt0&;QTWY~%O)-{=E**NMw&IVhW z5SVAH--R<6`t-=nB!BptgNM{(#6p1=cj@L#hf`^V8g_td9R2Gvu1V95d(y=+W2SX?{#CCJ*RM!eiF1wVkI0>n5)z|A#C;xxGi#M zk5xDkAia2PezF@mifEX89mW0)`{OP`NNX`n;C%^pNf`S*qUWbsHv3&;--gq*63KT$ zp^VS!tpaR)%coTx+G% zn@{8D8E)*AHH{rvM$u>Eeugvoe35O1@2_l0>RY{6YSERyvL(<@*%D3YDct18Y)Q;x zwuIH4vga{df;b%am@VO^NqEYZ1bVtDAa@)RLSiEuy*%#t83l7cISfN!=hKVxJqcV7 zsdLE;EFku|M@7g7>6W^$iduA=y%Zm@z`=KKFlq7ij@-|V&$&!@*VIuWU(WZ%*p3Y)OH$&@aA4?(f->Klm1VpJkN4WlI+H%rPSRMT?~OOJ4bg3bNFA z4~hYbO{FLfI+AocV+x1Y8D*2NiCtqk+`#Exj@I<$$X9{j@j-z(MQMU{P8-;3E=DHB z%iuz_S>-?V5_L*tKs5=o95ZiBNQSSti1XjgiV?Vhh1=NLdTXQ%E<&YM<7)5B!q{%u zH8c6-B)KDRN9Tnag-$i0dvX}GvSP!?&jtve*HP2(;BfnN#Ae( z)Brc4gGE(5ViEL6%(E+tFj4O=81D(@#b(#ji#(+Q|7-1DrIkLNeLK_3inF zrI9}`JJvL&pSdF1jtw44M%j~=_mW7lm{6S-*=i#osG@J3^s1Bk|ImM zfN8bGFL#?iEI$OD20GTyOkm%zS%9?dC1O)d+vUe>c&ZS0ddixoVShEzG5(>o4 z){ia(4M9bPTm&V>4!>7aJ$<3ty+p9;m9Oxz4*tPRwWics!ue1TE@9%u-VVzDfVUJ4 zOa(U-F2XLOrHJ$hU@SP=#j%7+dY(G56k$z4bt*i^!9;$MW6G-%3Xjh=$Dlzunz%sZ z;0+k>0P4bu05O#P2>1ZEpjDq+D@yrLktPpriV0RCVQ_{eKoVKZ3k&5&1R_i$1c{Zy z6KLbtM-aqw#PvyAZj*h)FM9(yKMe#mJ~M~ZeArs~dZ;jHj1lrE${EP{<-8DsK<>^@Oa|R>gMz53(*Jl_9VjDcx zN5HJk2`hv}Ziplxhv_pqf#^~q84hB6x#p|!6`xu`p^VpE?BUF}ertX*YiR^Q1ndC$ z#1=M$T$Zqu&l~4wfNruvl?i+TpIgNp0Hcw!u@!JX2HzZ>}XoZiUEvh13exGiS(~e zSvzHLGju3qM4yGyWHqTbQD>7Y2G-~4Uf?740s7#hXd89ViqO-+9{y+GU@uyU8U`VU z=EO==%i#m9&LVdEB?NHZWej8C$InAD`@G!~aT2|i zI~nL7Vd(~FuXX19^G?8dS0$q`XFI$PIPYqwhUF~N+%pd7Q|zg_;@NG-pex-4D03Ll zrZKF>zZ;?aKG%aH7Z)x4K`E0ywFl3Y%Y5>BO^M(x0B_;!MQc9jI!3rMVF>+-dV75x zxWk^|Eqy25GGK&qnU~SzB{a(26Kg)nfKhxONh7EPDDNa{**7Bc?!sRT)OX2DS4%8! zz_5FCB>~F2gldjs5y_R_p7KrRqQ9~wTSW0?K(?eG$d){v>j^i_6Fp^1zK=a+OF(~R zOEglWpd}Yx>I{lzskRu`R&2{C{Oz@c)Btar*SXVO#3{Z)}UTz<;nUTK_Ay zh2T%N#r^aDf3^jF;x;eMZbh5NC@}CF{#&#p_E)szO7tmOGWBP) zB;_$$BE~?3WjvytFVm5W`z};`yp0V%XL^ZotXDff9s)pnp`U2c$7l(=M6{oIOib`= z=I$K)6p93D_#q|WRFCC~QR?8B+WKc}is0oN+Xf*;o{&f79RRfih$&1*Xa4bEYW^%- zeq}!udHr&*Gz4sV)EH-h1XLSr>I{IJ=^L)Y$209Amc#Tn2nmrFLqD?M=pHCJj~qoEbW2 z&0VfT)%aP5*8MHW#)9D9Nf!Q;q343I#{$}I z1US<}bJO^7k0K^8&sZdNDA(8lDDTkxW^bFFFOj5H3Hi<}P}<3H^%+wmjf781>KpXj z2Sc`B+Zb6G$%e_1P8z@;Vc>YQx;x0ACER9AK4|JUKGH1<&HqWae1D`{cuNVUnkcSL zNZi6ZW7RDFpj%@9PPgw17fo_x0(Ez#rQPj>!^}1bT=h#^YiQrskL+$1Pk2vT+_9qE|^AO zg#5FfKymA=39j|q+sXDsfiE+Lu9hvQ*MO{((DJ%YIES*}g$Gsz_(! z*zykEKF2DzIS|h1(3Gg2)-JAf7FuV0PUQ9+K?cs0+MKcd8rKLy=;Ftg!E+mLWMbDC zz9x&DBkL1dRrYm1zul8D=*!{Osvny_taq3uUQ%k2clzTHe4S-KRH{#h`$9H*hozMo zys{ipv-hSHAY z7Db4wn+=Q8l9eM~U2#6@xy~ROB(-Pgs@l4w8r4mai`^v1@P~14+~=?Gu{hK}Ys7bV z%f7`(P7U_|@`>MQ?=}eh`Ds|#x9G+!q0!s@FV?Uwgfsr<<9t^q4R+3`=e)Uuyz8Xe z78JYK{)8~Lm#wb*gp`8~H2$m`VH$0OGdot0%TW4Z9&SszG@SO9bobgj985p?mCn-b zlDMPyu)nnVftfc9k$_b$I&!(x`%_lt5iIXDlC#woYld={Q{vZi7afq<3Zr4pasr;D zgUAb6xg|ng8-9dpv6&w?>7v`!d&)To{JqlM>|BDGEtbp9O}Uny4a#w9C&QLnu9^|% zH8pz>^PYrT4^89|d=j*$ENRZUzI7lI{QLH zC_$0p91i^~cNhgyMFz9Qo7kzwkO+6R2P9J_7Uuspy8aOrVP)pzc>MY!S^>+<@$b>~ zQ8o1cG`ea$dW94O>>Pf1h5UWxK*hMCIbL%;_in**3K1yrtYugO&*pC5zy@WB2fd|o zak1K2h;1rTd*J78idmm%x|=vY@KAklxH7xjQN0b;vXLq1nUT^I+Vv2>Ie*JGaSZE` ztE$}WadXi24TdnTG^;&3n4lfOrcG~9r_ZRb0S*DXh09>wzCVRGvX^9z$$tCNAzY!u^irPsAg zG#EBm2~x;mG<-)JDXxQ_!}gBYh4D<-ras#WTy<)z2z#bZ0l zI=`%?zX-9{;R z6vn;Q&lz2Oq9%1eY`sC7|4C=UUJT}T#R(mX_Ff}#<0zbHg>8Ud;?8n>%k9_?1LAW- zy458H@em;|D;y z>?-w|oh2ScmmT(x`nMKIVe5K2n7=Y3D!(!#;qP#TtjDvQ`WZAKW}eY9_y468a*KV` z3Z4F`6{-NVLTsJ$TYqYWg8!)%%Kv6$@VZVhgC4vn*qg)ef$WE;Ku6$*1Qb?{X++VBf9fuqH)9PAV6c#Zt zJHk#uW!C(HEP+G@Iewu40-m??B?&H~YL>W>BwVpqQ4Sqo6=ME}Rmen2SVp3*GeSu| z!|SO9NMv{^QZZYy<;$*D4P-{DWndn>iWb|{IR+^S6e0`GbSsH zzJ6L=4cQKkte0LBqGR}E88Y4Y1GbhCBFRi>7GDrS0e#BvS~U4%En4QEwdl7`wP@O3 zwP=46eI;0-KqE4zUh1dhCY|vUNNv6gqGvDJ(Rb=u=qB2lc$Qr3?MK^BSoa9K@N zf6cCMQcy${uoD5Af(c*rQ(ZV`Xu@!dNgB}N6ivuALJ=Op7KKGxS$vvZPwRow2(F#a zAHRMGJqU^2qP*yH=Cc%#rUaS92CS`0bxa6-RO9XMMM3He*h=Pq&aRl(>6SsH`An%9 z`zpPwQbP(KGScWuxgVuMymyZk&b#IOwSP&4?EfhhlJ#mBu2%tYihi!Wvo<_xNX}sx z@v!(FXCO7g-&o#jGq6yfO#iIv#Tk$qnfjF)>0Rf|?MwoAiWK)W{m0O60O~qe$UgSm zq=sl&nP`7kIl9oq_jlN~tW^8J*}x~eLqvmjNf{h`(a-3l5C)q&MSH|mzIYFQtbI*r zcxqSIM)EvV`?H%*+Kn!Yv|&GXri8I00*R5-YYUhVrXC=Wt;}UzuDdH{Lxhq&{!P;6 zR_v;JOGGs2#AukmJKO)<72oHzz_<%k>;DY4#}Z&3Co3}PVoZ&D$USwE@b z12NjZQ&eKPRn*S`6ikn<-9Kkn-GTp@UH6IN8-UsM9GG44|51xp*v`^U1Y#{u9Jz^`g}e@WsNwV*-GpS5TTA->z;WLcjQ8M&n6>J%_rru>9Lsqrx7 zc*#ecLfM@H7Tu-4H9+pE7Tps`TLT&8D7(V(s}>#kGp&Fmf_S?2ms7~)owmHk6&g$! zK@e@AMlXpLl!8}j-lZ9ylHL?ZXUcrg9sSbxM-Il{YtdpD(l(_%D-;w>|Jq&uszv{` zyN(C7g`jyZJ68SLT|+7Mfs>R`^Y#pDd4<)_Y$r%;z0gVAddp?2M{D1klufs(Dz&0C zFBM@=#xlC0P4*4>TcWp4EUC8>SW2%l6iP!7X_#m}tfA4i`v?-X=w{t(v2Kk%jV+8CKQ~73(!ABYH3JoewLrY;1z42W zSKtUr^)yb*h>4iE_xkiXw;Y>;8a^x;-8y_ts0|<$N`A^k|3fMiqboUb^IxPw6_$kz z)&ojL-#@H<+8m2vu`^iFI1#u0l0=osgNm+4CrDOsbtu1<^-C&rF5E%1d5aBt$7b^@ z7u|joWwL%L4VrzyTEi_yC%Dy@vUzyvn9-{2bR_H#;u{)DYyb{pB#c&akh`*{-dK={ z0kIKIz$z4U*Bclr(itXaJAE0+-7ef=vBC~p#Kt)^1UDaOw~Cfr*%c^j^9eNM)ljND-t2_DC&QfAyk!t;z*?f`->QrvG?2#YF_LEzqmI z<%dx1#!l-~ky%kAlPT!TVHa1$aqj1)Ycj(_M)0WQM7||ECXTGgVMUOh*#3}=nTyqs zu0LuJ%D`hYq&w&ytp#Tjozam7-jJfn?q*NDtt@hK-z6BsQV)_&t(R;PY<&FZfGCN6h?K_ej znWpHR#;0)WmHnv3YG!4C*x}C*3HoMMhLr}_%wK4E3h)$)w^!R$sZu{u`_Z8luTS_V zJgzNGG(7It2DI2OwwI7%qff&Ku9d6Y=2{AZwW?r{hE48j_0wS4#wHk25(5NX?uKs~ z8)}~)oOLW59y#p#^LQ)<9~7%h^Ofw)H7+;RB9zz+uHWupId(MMcMN!_%zMx`?VZZt zq64v!TF(P9JTRx$YWilvtIxPL?EV>zIR{VV;hW#JXr4r%7Tx-* zHWEwrP%lnMcDy!TC#Y^Ix@dH}Dn*ex%J~|C1FxkpW^b)h!29Ng<+|zqq_hy2UgzHf zVjfW7 z6-=eBFl8I^p;j5L5=ZdDqg+ovnR0;w;xr1YMb0sXRsU!}#t?c}`h z;jU7N=CY>bvNbEZl~OEc-;vq~XDWocBZ66$p4c{M&n0%xhfFU%?XJ&D=*I}*9EOeq zL|obA7Sj6R{7u#d&vjfKTUE^kK?o8?GfmTosWKj8@A^!_jpHT{4=Mfr`mOXnsZ&=? z=;>iL93-<#M@O~`)4)c;r=R(IHVP)WXWzp~mU&|}q`7+?50OyXs@uKo@Nb>>pn^&( zVvWUKceDiNmHZ^s80s@T7J=5*LLbWvsQ?dJU>|B(Yk@`N^VNg zqtIVhmK8rbH#28NxGspwK%O`Kq5g1OYrn-VO03gM&7CBTKcGCM&G!?0#shsyDhjvX z9mzEXaL^{5x~o;6m<~9f!gXRt0rrLNw#( z6E14&1jdNc;2=s!_*%51TE>M;I3_Z}7MIISZIopPXtZ<8Yi9tF%x%w9Vkj?_Qt#*= z@|Q$*p}H*tiW3J8NwhSII52r`uMj@%h7AiiMLs{R;E#L`K3|+reu>x|)_*-NGm@O~ zpnS_Mf4@Robgk~de!*`fo9AGZo?OSuCHDij-cV{UI!dmzn!(;F1Q&=K&hcMqsTdwjU+*nkg%uosy%@OS9wStlsGtIDi5ZR5n4hlcz@sF=7jrqmbWo?{<&Q%GI{<`yKdB{)!}Dd zd$F+{+21a1@^2KVgG2Gvb9o>=Vi87cW5Cadu0xq(=%Z$f3(w zHrQ6>Ce4O#*khLQ>}U_e7J)tlnN?599oS>cUkAQ`g zumeID8k>f_Y(3E`pZOalk4Cl2-Y@EoGdO-usDZYVEp`n>5L@%iWsI(v9_uJxhgzYV~DDCAjLng1GqS(yGc0JA(QcK+u9 zSSFZ^*Sc|{_-k4EOrFIHKfnDe#>>icI6myuX-%Y@?h==&CW|%)Dw+c0c@50oAJRP3 z`c&vaFure8${GNnj;sfl#fcok(X1%X!&Q^)lTe2j5bEUG1Q-7j>NGqGbr?VknomNV zrtFKdMgE5i>hfdNelwHeD_4z21Hnqgp2F9S;CiUj{p8fy_hKm?T3BRm2w)u;6?A=| z9hgt{2X{PoM})HJ7o2X}mKuY*jU)q($H857Z=n@KM+}8r>+=v_@HP*x| zAHL#9`ugUp?ZjhtuQsNH8d_2HnD_dKsFP2ME)2iC?<4N@Xm#}j59eAwPmpd4c&9|O zEV%rh!UaWOaA}w*KeNf+)k4~w#+X>zYlB5JX%;&f%ImJpQi!lSAWA=n2Z&AozyM;? zITpWS)A+y!tne6{PT+tsZkH9OOc}m?H0mrz8(^2bLwN>*6{1TDhXH8X3kfLCvGSETKVH!ZW!USRr+M2nR@j=;2SnED=z$Sfgv-^8ts040|HQrRYh)s`F+m_DlcW@`Y`UoY*_*Pa zFP~ych+Z)A&5qd{%A!BkrX%!K5sX+O+fV~5f!ege2&y@t)X^)frh8QCG$sN{or^fp zC#4Q<@@@Wd44P%4t>@e?rOpm|TW(g5oF7MW0rYX`lTzoVzErg2HBmD+4g-r8ZydwE zz=Bs^Q6ofdjkfSETZl`Vp8>tqJ}$r6#()hHtvW=cFr4(c)jbcjQ$#M={_5*<&+%hy zTOx^1FnS-4(Xx8sb52L=U|)<}oi37iehD@vE_nriHU-DlimQy2^Ksx=oYug%4H&(5 z5iUAPeH$-gaa`bl<6Vb(kCcD`bZnA9h}aW|@VMP-6kA3riW_vjZZwtE{^LP!gQh`W zJLXj7UG4w@L{UvyX@i%S)KlvwSrLfDnj!~8Dt>bjDOjWEuv#CxD7zwG2$&%l)PR2g zlseapbZ*1mNK8F^V>>@)-S>TdfEA>QtpYRfT4*N)FawWmxt01cb78Bse!MVwlfj#W zSN%b%9)gG{ECiv>MVo)aezL8ASd_!Fm?3TNSqBVKPAJEl-X>VwP8ef0n|`5`x9ZTX z+L6-!VBcuY+Rv~BG1rBYwzk^6zHh5HgMWI5fSw#e%4s~zH8JrubnjWt%L}jSZK`j8 zQ>P7Z>O^GYsa#Va@-0px?p8nWAjGeYbxv)?N#{^c@5_5^jZGz+`rzxQvr<*QR>Dty zO`{s$z5ecNuxF2iVC9krN}5obK_>wm1IgqH)jE&y^Dl-!tzpCQ!T|&fxft7HEW}89 zwk}Tr_|f)aF0zAzo8Ay4QGC_8GhSO6v&Cbx+VeYIyo&(M5`{Ew+Vroo9chO>H|#}B zhPN|9fy1lqaZT|zy&77V_uVZ=e{P$>!bWWf<{k^LHhyTUfedqv&3cZSh6aaiprbaH z+k(mZ0bJuWB!EIBbZy8z$ti&{bXS8wqd!bxbdnhf*nwN2$P##Dkn{NS!6tb+v0u|5 zs**`yOTsY-VNJxSB;3+$lEJw8ocR}Nm+jChjK+Ls&Ysdg|3_|mENSaB3Q5mVmDr-1 z9%k~JxXxZs31&8LfeXVQx#{#S|68iZ+;m=U4JgRO_MMWDl0tB1HUG=}UnSob;^Yv9 zp?ql|X#MJq zeg1Dr9)%heCA*0kC+b(7WGz}vUS$9976@~Xo~ zroq#YH#Z?wQU*UlF&=$1$MxoP4yavlCo!yeeESxPac+o-7YHg^2jq9ha2!VKKVRHr zdp`=iecN;Ol4OgfU%1jHZH-pfCO4*!Ck!+iPBKLL+!$Z`us)ctP*Pz)PAoA=cL*gT zig-;f5i|DEh;-dzkUYshORw-s|e5d7jQ%*E$cf69;#J{ad`9k`m;Y z+}Q-vddXO$)Ql0poBlnL5k>5-nP6&w3E17n`Gh2sKwW;$ZuyJWfuK+@-1MtAEm_Ic ze#q~tcunvxZ<_P3H~oWPWaF_a;X9!WvYt{qe@`{uVD})+X+oX4bLLvH`stz?;pRg7(CzcbF;2@K* z(ETWKiZiMP-y2f`V_>)mY_h4~+2fIZAga?YAfYrFc z2Hyowi3_>9eR2GwdHSpyCNie<^KmnCTc`s`9fFsn&gyGYhn(dAczSz;`GcbtNa|4I zU&9d)qCQTrbs{szOUs>`S)7vX8qvs%VX)&%@eU>_dh%id&gyN^Zi7fSQtJK=12N>` z#I@|ts~fg=qRe8^8ZX+k9bAPBIvdqcfRJ$JA)rlb{f9QaWywmrKX;zuID)X!kUr}k zz(Ux7t{py|I@yGYRu88k4mx)30o1#v7dTk?G5d!30iM`c z+!~kw^90Sk1fZxRCz2bxq4=c$ zDC*okS3H?<2{auvyxaLx)akYDS(_BVJR|@s&H13V1%sHYwX;Mf>o4nLnj!7}?h?G= z<70h#FmWgcL5eTbyH!aP=*u7!wD&4&QMn^#4v6^UG0yd8RAJ2`-Yu76xsw$OWDzBb zRZbp#i3`AQa#1P?mjjw4r1;tPBFf~MH{#qfY--x~k9z30r1@|kf{27{Z3z*dOQ!j<^d~F-eJt6UQ}1j*$&%BBy;?Eo zKA$GQU>jHdTC`@1O6bDvd`Wr}=RZC&>Ojy7#Ip*_N2#0GTs3?I?cX2cm|0sG!GBTU z*Xl$9jq;TeoUOjmRN&w4%L=Zs{_cPY)54AL0Hy>b$}*ZTVipfXmkKQKM!nL@F6=~= zfS?Y_Yfy(=ADROQ>I4)03F^$`qUV{U8G$iD=2HWhLvK+uFI{L=a$5=&pJ^7s=G zQ&riYY1-at2FEa(mZ$$_$|FV8KnsGO-EImV7VV&zYf9ROpG+XHDD0l=E>{$owgyjauA>15L?>GVvFhvOUbff-EaHalx` z6;WH1uhw)GU`-DfS8^r(wWg~AdHz__tbjFLz?vuXPiy*DYdzmEuUd6d&#mTpM%Jx| zfXk{h< z@fua*44|f60czShSHzC9OcT?NomaT+ETef=EZn$8M|cNWqo7IBDM-XlX=*<*1QB@n zA6ZS+|N7wr&7JuRg|F5vhEx{!NcIS>fcpw2K$O_AVUDC{=)wR8J#0ror~&A_aq$nC z;4~R0h#1Kb5&ZzBzqr!&%QcW_qN?f$^=gZlPPEkqLZ@^-+^|ljW!8+XACNe1k#b+A zzo|#mA-NR->Fl#Ht_pHVwhqGEHmgfoo197+Lb@s7I`SH0WA)!0OEES$uw{gtJ1Irg zfTXG;e`mOdGeqI+d>aDe%h>Tux6AI|* z`HtxMkEFcT74U(8p*<7FPZ}o-_ejjXF5RatIh_G_Ws8m<7EY*S=fAiy7jJaa;gR+B zF8q6_$BKp%kd(&;lJdeMdy{#h;>;;Tto1TLQXbw>q-#zHd~8yzh?y?bL{#!f{82X{hBhOoUUU$&e2Ea1yB=_T6}yAi?*;0x36^{fM>VUT(pG! zMfnXLPKj709|hAG26hd4yJ)H>1<(Qmc)y)MjXokuKIygSgJ_oE9lj0AtfKz6m=4P5 z5g<)hGp3UP&u%A8AU%Z`n1b={-tiCx}%!c;CBog<)e=q+Z24&!hNA4J=TRtx1DxNY}IZ3rz#FUjUk3`kd>6XZBBMn(`Hzt{)2eJibKUyN{2t zsQA9T#J>ij*5Bb&h+%fAMin&i?ZY&z$n)l(SGNxipKrz!Fusa;-v2)5eS+ThcsdMw ze$t1tM1F!5>I24FZgBH)v`u~w`U5BFjh7$P-V|uddAbHI2*P*I4;=~BL5v(@|)4LD?L{Kz$Jk}TzXlx}K6M^ZkPS-N=e(IxX z#IvRzV&v`mR1zOQtklZE!A4G`SF0aO&aqB?Rcvhk>2vGwHm;2Qa=9mu@6I z&3v?nQdW~*Kg2x|6E9=`E9&tVYx8W4SA==AkQ&d-t@NOJ^zx?6UC>?OeLEHH30Mm-(DCxCqnR&>uPGKN_-Qv*=yn zZ~57Vvi;^rXp!#b&IRXldHCLhVwVQ?5J*_Lji$4=w(?td)Z~sDB5S*LfZla#R#@8L zd6zLg1?sMCSrWbRSrdNeaTU&)DR`bJ9lQtZ=$WSpm4x6SYI#(trP=Spt*-FWM^-oVA`GU7%pCW=B!&Ee2_yjz0!~&hL~p@qD^iq4Qn;0jn|#*$Wz( zNx_9G82$AdY9X-rtxWvfJxz5DLLZ^F@Bk8Jo-3S^Pxyonsf~Sc>s6n%F;WD6s{;IK z8+b=7y0Vik6(e8Mi|{i-2|0prO5d%ok$3p=Gt)?|YZ5UoSgetf0GsACnuomxy?bFJ z3mKba-K9iZm~Q3V!q=0Jy;Lsu3{AP2NXyeAQE!Sndz#)X4OMdYL&*8t=8r3)nCE;F zLo0fhmj&HQ)tqfP7vFx(Dxu7W4 zV%vQaw%$X^&8UlXR!2FMiRs>BQZ0waL+6jZ8G1>-LEoydU;*2-O6Z7K3ST{Hq)!C0 z3qiaTM+>;vmJ4CI|({TTD%)&gak@ulVGBybq7$7XXrC> zqEE7xkoo5?eZJ7wTD#s+C_9n)I6K|e^sA`&uXyQHSBsPd2047})wjrV*-@VJw)2!0 zNAj_BA}IOnu~<5{l_T8OJF;ZoKt*gaN&uVtNjDzc=pC&J=@#a)yCp}=l5cquxoq8h zqz^;#cfn7=cO@YVxbr?nLKs@IL`U&mx})aI@<@z2NcfX$?VQc>f}Hb}UT+Ka%xb=1 z?VCAfhj4_jhEA}&!N3+4N9X$D_I?q<-1({V9uGXu;(`BeG!4lu*)s4w56dm4HNu5- z5KNVnl{(T`!(2Yk>eE$hTxPLOa|J6D_>?&ujKE)%0r9m>ztl*3C>Vv=w!1*|9QW0Q4ID8(N;BNu1c^s)mn~V|Q zWCUew$7v!yrJWh&oFPe$nHPE`s0le~^@Z7^=-2Wf7=JkTZ*?5guWJfPf@~UJCCV4C z$_`Ag9iM5Jk-&+^W7Ce^V@b`N39Z}^PiQ8sT&z&D1>Ht>VpWFRQ$o~YE7rFU0&MOR zWzyiA=`aS?9l*;;|;0i&{wp4)D9x zg(y16Rd;j;%O%BYl95VZi<8qq5V*O~U2s{0kGvx=sg7N)tgj@it`TOgz_K#q*!hxe zV!~QeU5dLxyqY-d+Y~Rt8DDjrd0ZJd%JS1_ff?~`9}2uQ*+*3^!sK$M7wRql^BCBL5=5}I#*?jfUw^4tb<`gKz|zSG*Oa71zB z7BpCA##1}iH^N!&dj6<(gQD$H&&y#&UiXGe)>2s@oAmcF7xNX)m#gbrY4lDa3^Y@X zI>F1skO~+FVW(-_M_o1Q%UrB(mCq`bXj?oQ)E){!14+xm*(MijL%M9|Gn<6zLsOx1 zm9>TMkz0O#ePWsr;+kdd%9~A|AMz?vicil~r325Vbs_I6@WAXJ6iMxt%R`nNm#Dqg z=LpSUNn##hFSTQTx_;jszHZJp_`65nf^-`y1sgNt5ZW;cy$DLs6GSbvFm@FWpKLSR zrFN!o2njXR(6G+;*>ku=^kI@rRC@?@ql~3LC1yjxQhKO9>i2KYB1r8#S(o~mYItwJ1z&p zHA!5Gbz*WupDBdwSgdfDX{)SZ9}k$0Nj=P><{~6kQgLZHQK^p0L07J8Il=2ZixxGe zZp6b*_eE5d%HqI_7jhr&tYZf$k4nVXSff^RxAYc|)a}|HW6tO7+lSxK;JqnUHQK6N zuu@rFanwW%38+=jHN3eOVq4lIR0DhJ)URdbS~3S))?4uHy>XmhwZithUsficf@6)O z3YSlmmt-Hk_N#=xak>rdulTVTx1+H&FQ%r73hRiIQ9+!M>?I%_$%8X5S8#Q+9K>2oQzb)SPM65KnCVN*t5e&Ct zw>Ydqrr|L{J?O%$Of57Y05j~ilV00ca_?%j7F$b(#q5-KJm(5TM%3tr#s}ccBJ_$F1}2-UTIf8pxUBEj4&wH+6`Y)@c*NxH3Jpl^~^S`JDCZ_+nT6$@`{I9De4Y4qqdTU^{)LZFg z@jh+?jEiZc5Oi4&Y2{nGoZ8tp8U0VTqsy$iNCx@}*FWsaAkWF0B^aRwvGix4!m7KpRN^}%~2x{uW0K9|81-k zXzSep3>OK)v#izg+%pYwh?LR@M6CjZqk+MiyG9*(iXm);Fw!Wj9H8g&h4`iCvRvaE z@sWt~WAj3ci@FgTvlNA(GvQiLVtpT&wosyc4T*x+z zMo6(=PhJG)60dZpAvAnUC-AEcMM{n<1%Utt@UIZqXMz~@nVpF3bG-K(Vg*ynO10OlZ&Jh5y*mC8J?^P^L0mR})Lm=p4kRxs56jx@} z(TMnCcbf%Ty=-obBrE^|yH*5I%p^cF?+Fb7jvPxwVEdwwUxzChk8M853H%e^5jB*< zdAmpGZkd>(K#0{#(B%kZ8XCzzq>ldwFAHKg0h5{kutut^MnJ1}B!2+tO^j+5uglw> zbyv>${+g?scE#7FG{uEc?SzaEYm1>Egd#@}d?cB(27hOhzS!jcfl(y$c> z&yrp+-mw`@3o}7)!`v$Yrh(#>X_)eQWg3!BU%}$0LP+2@w#^L8gZK~A;6)5D4NHUo z(-1RJBI=k5fW_F(^VUhAFR9CfY_ z%bZFrr{^=K<_I_HXX4X)$_M@G^5vr*3tnS{5WkYD6E?>$$Ap}|Wxn@(;kahJ5(wiZ z<$^NHdK1xA1Ia4rWDI&JlVUsqZKne!?3KIkEqkqM`Dd*XUcBOoIqX%H=o*?5t*`PC zC7;C$9faf%Z)Ha6q0kcYIGD+paS{tMf9`~2)p5Tm$fy)>4wGspqV0||VkXbbw}h?j z7sY(9lwqYD-QM~xk)Lm;>2X$L2wf^n)F`Z>Fy)8Q2ZzMB&GU7@MhTtCcQS6I%mne! zxGy&&UBK{~?ju$0$Q&UVuu+mU?(5^()JyBPv8}eQ@k<4~;sM{C>@}9}Sa4qa>BXo; zXTJUvAYI>b%%NjgOZtbPVIb2ymtMAc1LHM<`HFNW>GLx&Bs7c7Q4T@5D4xx zy7`IT`6Tw*AyyseOE|hzs&3JTV91g>bn+LI*iE^P=Lu1o-0m7hRZ9P58phU0coG9= zOCQKbaI;~dUQY{PxHPn0PYaAq1aklnjFzU9q9UA29_8y0oh^=CyA7_VOQM z{cH*h7%{m2ezitAcVV^4K=hR(t7w2G%&K7|w(D|zml%zQq5x5BVDAdazkOnihzd9@ z$T2Qg!ITcEmIx^Ly@-ZNm6WKizjN?9viG{k|BRmUnFpE7l_aXCOu|-nbX8R&x?P?) zu|Igk)w1lofCKo4aQ2{2kV7$ZevI^xnmmFnUfB^2EYYxA;KnBhMqzqA-bBK*)^RXx z#>dmpW9U+T_UO1|*4FO0=FhxF<}IIzUV|=_bb-N6lnrZyi+jJtE`t2`#_gDf%$7eX zFJvaSDCEImysnf))HIAo-|xyGUZ+FLhoH=Nt<~=L{c##x(w!4VoM%a9ftAvHJJQd2#h@s)!R&NCuqkUs!L^*BOtcNQapmBcC0Aek zy4&IgfsqGOU)ydHIwy}!of!6Oj|5OfR-9t13RcXxS@%=fy9qgji4K&}`fG9iACBpW){Bz}2^3TDV~# zpYrl<)C-w^pIX8)RW5U6I9q}gst7KsSOV%d-791K6LhnG4^3EQR~iVqkZ$v_13?#> z=l9RHCw4;>1HS3EKN6QKs51u-W-=89XvRLt?Q`d6Y~6DFQuq+L}jBF(S)Zt&Z-ID)vduWD&&% zO!`l;_SUw*XY3u$YK`uA*GlYzhhy-I)L?E21uT}z^vrF@@?k#wBuXk7a@I4kWLQmg zgo|R)j=VAT4Q?4a1a1p#)N5SI&1<&xRWHi-;fM(h;`X9uSQX z-@0THmWD^ugn50VwXfNeFZQSfs0Npky83hBoZolJ#9!|I+!iE_HLf}IZUBt{PM5iA zjGy;LGy%fv)bdxNxm&;=Zf*;f|7@13UzgFHv^T(Q0To*94=NU+-xtvb`cx=ghmGPN zx7A0L)4xYI2V#OoMFX3qrqkl@(Zf+9hVDJ$RY{^ZhsGbalpS0EG_{X$#tq&$V+}Nvvf^cdaYLbu0|r8A#+s3Ac8a77dM!sOX2RqpZG?c; zz~KqLIw}xDX&tDt`2rRzp|{M-2t}lj)6L_*g2l@AU3S37R6PI|Pu+|i^046rEUqiXkbD7)pOJH= z(gI8;N3tUpF+)_{9Gn2Km>d9$3GrUQ;*jH58bTnLwYYE{M82O|z-0KcToM*$nlIBN zx6?ez`nsP{Gba^p9I7K6k1Q$WT6hxq!{|u4w9ll9nzk`lp)m6x`xYeyLR*;0QEu*UNV4zyKrWhmnv_g9LQ^g23c3lj@}IU#me52{Co;=w-XK zRL8hsunkxZ9HxqBmc;Q{UbPswd7w*NMu63TCzp8V+AzfA-;e0Msi$ZmBw)UC;4@t8 zr{)^%TEZXPg@f6dUqd=wAL2-@xPkLVhR>Ol@)az;Ud`wevtBYDAR2uP3KbZ6u^JAJ z(8^1P4>IOY<#vu1Xr2 zgnezoo&|Vy)_y1=YVC@M4g1KVBuY+3Qr>3f;E(U70l$Kd5dC+kDi16g+~RW_H{ZTl zTfKhgM%1vFPMLO43*S0`FT&ZGMR6FKh5z@HGZHt*==!k2@&#*PfHZPc9KXd7n^w@9 z#wB%Ux zOb{?U;J$HW=Rh4}(Kc>hKfYKWYyu)geP(|A-KOu5F(W8U1o)DwL|f(uzNG55azRGF z@dGjo*?LpJDPG0xdU^k4@y%rqq$y0B#GYUT+JIwB21O9=>8Rqiv0(jU*$d8I*+}oWh1Imn}<R0TKIPqTK#@It(VC$*34%Jqkw<*N^vnXhqA5Qv#Q18&m zYCnd^TE`U$S=kt81(N~F=Ti}?WJT{ggyoR|B}5jAU$$|hYcZ%iKB(S5KT^n=EG1x8 zVKW#dDHny{YfSqE~eo_R&IPgw>o~D+W;Gs zDnh`!dWGhdb{QrXu~{ypSyTuZ4q~rG#%KBm**0utV#a*-1tu;+)`QqK?)5%g32peY zp}BJRdx~CUf;)2gJ|N)wVpfPM&7he?>j7(ENKPe|`7 zbNy9+<;cf!g~|IY9fO)!ORPjJWH1MV0oe3|h%O>R^Wi0AXHD@Du?MQfP7FMWf(IUn zIX%t6H{#GWt8}Og2^U0#+Q%H8`zOd&4m=3nG+OGg0e#Tal)EWDQC3&YhSEH|DhprK zwD3!!kCN~};bD#y8kM!5co<+|hh#I2vvCdt5Ka36 zRQ45YXJVq~U2>8QVI)eCsN~Ih;Hi_X%MmLu*p>rrmq?hjR-xYFUR@zJbiORIwK|G@;I^zB@ z>t35ZF6twR%6EHBYvS@zu#am*-U@qEJ&Xva;nn5h2`bnV1m>t(-Mo_cmckwM53TqE zWc8;WX6B=@od+cE%PE$bSwOZbA`RZ6#;~F$Eb3_h=hY{{*Gf#!puA;m;eyWb#q7T` z;7eKjjjl%Okp_Y9Bhf7@nK82*1w%T4GmFB^reN?xN&c}b+ZxH_=6$^7pdkj+P==^2 z6D-4pwz6=BpK{D_cnqA(#w}s)vaS_0(2g|&cyKqU-!u+wuZlQG72D*uI=_Zp3=J-i zd+TnW*w}W0W>Hk+`6J!j^5KxYpXRS%YyRQ>M$C!^kL%2hV#>2rd1qFEYuD*bUL~pY z@tE9pOq0K-^0mFMz?jBThYVc5m$yJ8%Qj7!Ue4&}MaZ2E2Q&2qILKsVbV8P2n}Q&@|$-Vm|3o68>2d_sjb zn(RWKHNI6$Ey?lQRu#yG_>n3Zm-6e*Fj#zJd#X{pqD^6E;BzZv4gb?*W7@oeSY5S5 zjgMoC$)N!(@8O$yL%cx)MYhdbd)kz(?E1MiH-XjF?;9=(G3M4P?Qvx4RKMl%!XL{P zg3~0LXE?ufbN*^2$__4yd%Qbx>Voe!7kZy1O|wqlbtN=n+;ZloYks4^E4gy3A%W?q>Y})25JpFl42I#mt2_a zNw;>qx`jtSPtFP~R5=JsQd-npD0@q$&c@ua@_v%q-prmadJrD!2E-}Z;0=QuQoHMq zlG3VKo4!#p&KC4%{>-V`Z%>(_d3JQ0W6rAUY5zSORlTMzQJ}dA`_7~`QlO3_C;n=q zfz(cD-vr&h+Lo&ElSB#CEWd*U@VXh>;-L5w&%Gb;*5-R2oOS>*GLv^5l3OWBSkqbi z#I;qmY|Wt3K=gj!xsk@;y|5uGdyT^s3~_~K#kWe-U$ZsdP?0y z?HRXLbe}ksk~~SSQ0j}lIl|KM3KK4+5W@4UAVto0_m5;`Qt3Ib^Gxk-$q)#eZwg>B zpV2YH6CpBQb%&l|u!0!)^xHve0ZSk9tMz)%$9M-MeRte$H^_6u2!Bf5E=RJERh_`& z>)C*J_X)>p;1AGC52BXO@P$9vL{IG>zD?CrTO4Re&2-{$>ORR8qnaiN9H6h+ek|Od zkJng&>R@={#Dh}}S)Cg(H^Ml9F&pn5H|H|Xeta8tNl2FCF5;D$C$UF>PowIivWFM2 zHw|v?qP<_cdq=k3*pG9>ibKzR|M8p7scQ(s*9$L z_!L|Qqi@(V#XA1xtLs!f?a~G)b(;4V69ERxS6X7f6S#~l$R=-H6^StgCwZ!TQIE z(hZOBuQS_X$q{=)eRH1np5D;6>+Xz2m0^fm*1hG|$Y0*3q<`ifETWDIY=BB&pLn$K z-_a-ZVAT~A)=|2cX<_Ccxc_{+3Ek7MGp|Gk^_7zP+x(*5&v3Gz4abs&3qt zL7}LJcY5s_IOawt7DlTW6Hcyc1NBa9y~X^S1htA@^#o%4K!?vu`p&7KZd*ib1GEV@ z%o3l=EP&(a2(JN=eevV#$<^~RSF?Q#M{C}u?m#4&rG2NV zlucx>22N_COeuZts!PG7AcS{SLwZYGrNiL540QOG;Kgv81_h z7q)4+KlMB?T$*!xdHh`eu!*$)Ow&^AsTS;cYFc7!@9f%V8u*9=+*|c;scNns%kNX& z96wjrMQVsf3?o?#&|dMDqDD4@18cDuTDzCESirRh z4X_qlGdbLo3)lw|B-kq5m9lpPg=|gNx+rTdRFRqLh!;V8NC02XV>^r2hQA0>6+$>(Hx(N z%avmVVdrmyMy$Qtv2x%qaDsk3#!eXsq`GAK$i(nf%hLO!dBy+}C~}V8x){V4^F6)Z zN_vWq8X%LMrto`=HvXNMESHgQjE^QOMhU&4m%#IqT!r&UXi4K8yJayhkKT)7-%l8Z zj`9b}Y2lUhTu}1j@Q}wGa}YV*V(gyO|7bH$6iW)B7EWkSmMIq{4w8wV18!T|CQye? zW5Hb7eM#G9?BWLSQz#}^RHqoluW`!q--nT*xEqsG8_R*w*`XS3yzu49=xFoiURzd| zJ5qC5f99;_CWId}4#vlQHKJ5qaCs|Q(@sV`ASeYD3a2xoby{2FYQ_lJ!UkyI_ zDA{QmHLH$jae29bEUI6E#5R9*I+#lNmEm`%sZ)&0OS`XM9O_5?DbgskZ*FQJbAwJ= zY+*PDA9QGwJ^xcAG=XT(#+&RP@C_FeoNzFE>NGQN%B)9eAPl}`aGSOpIIWxTVIE+E zTo*sqc_V{dq0hxy&uc@srpm6alW`dYEZ|D`P>zDOgSF3d23 zdO!db=TPu{jihI4xg`l0JG_n7|Ks3RJrdsgq6U`V>qLCr=BXNycdJF?_ZtY*kXWt) z>nGIwnY=WR2U%UqpyA>3-Ju%AWpT}Tia{p5$dD`hs1#7G?Cm}lB*SkX!#WYik{cwa z>-*&T_gB~?BKJRfIp-{~5f1fr(sU-IS|npt?!gkg%T|5&lf{3dNbEdWs}ZsWv~H*l ziBw)qXWi+Y2;E*DT0%cYj^)Y*xVL$$_kCDSQ0z3{mDIK#R&3@b;vuHykL5lFWf_db zZ%hW{rs;rQZa`kiNw!D)RST_?{(%z|641*Z=ub&~cx#w^L>Avw3e)6)%!1oEse!EJ zv}u`>U__nJ?M*1baa6+0_<4ccH@^{wQfbs`YHWhX{Uyo&>)oQ0yB-c^FW>Q9vZGB> zXPHol;~*q0xPlQfl37E)`V_f%Ga-i_5w&C&NC8ENWOss>2H7G8GdIwk_u&!t%YxWx z1#4(7AHtEdI8UVUmb&v7iOX!Q*kP069YPfer3(fc>t~6scWn?kv}}N0o(<^buJ&FT zQ0xMF9elxND6hSr#VVm#@@6PnpLZ-X9#}X6zxq*}&4cnOjWO9PV1cK6;rSA02pjM% z`LVbxO()*)($r`O(=eb(*kUCq$WxhBKo5#t_|0x+)kOg-Q&%|toA=kg#OG*PxxT_e za_CIx)mY!}qp}dIaM8kykP)@<-GUT#iO=RD>y-pKaO)ZBI||S^AV)V~`3Vnyk1I&7 zRR#Liij1rF;B_?FRH-$AG{}14ag3ozYVdt?7~gtj4nF)><^VXf;(s}` z;<^KSw+$Rx{o=}KgZpI7+CEi}yfeJ-;>tI?SFVh&jr6ra=c{T}QqBL$986S%^!~-m zgH%O~iX6xCR4DhH=`X@7C0Y2Z;9v1_6aX*hDqUF1fAe#2SR@g~M+Wc1G;3ArZ|@Qu z98Kdf3*T6kSG;^FhOQ`sFPPXpHNkY_ZJk6Qjr{M3xnL(~ZZoYBO*}y{;LZvLbR1h~ z(Llv_!0!sE7-`a}Z}H2}i@IRgdSLZRawB9ix$w)yZ#OW~8;G}Z;$LvoAZP^NzGVOL4(X&AohYjz(izk;$OohAsnBg;p&XGhh0%Sh1# z;X*mBGq^S4$_>f0YlCY;(uVYmxhgzK>Uqw$A?l;KMkMk!)cw+u`;PgwUQ@h=ee{!blX#BI^V?*}3>I&$xGUcT#a zH>Cb8w3J48nk%RUo#TxA}F_iQD;yVqDZ6hiA_L|$O zOn{L}fhf{d3~W_PQlJd9&ZWnsc27o5ZPg3ggXFv3hDKT<3egY@)U_PHH715@jB0=K zb}ZGa@ea*;071M;w-{;W5pIkBU1^*=))-;vD}&a(n(Qnl5rDi(rx%))TXh1s6y~F% z=V-J(MmQa!tJ-MIVwtPqV*9UpIW7|^Rg@bzdxxd6#f&`SUdE2~I?%sA$3mbl#4efp zW^5!}&Jqf2#a!Be_>^2j#i(`D%Bgi0A#5I7CeAtKUTT*_vl$1hI9ipEQ~)>PdhX=% zfUm;=rqW`G8q-aiExv|uXEy$x3{^D&Ar!<?)9mFK%4pYXZ zA9AzbW@jUZ6EMbA|7UJ%8pv%y{YP$V!U;=Ensi3L&Wh(f8SrXr{(eo%mk;py`$b#E_tQcjGRm^$E6kjsfgYCYkT^{JIi>15#Zs!RL zVLSmxmq`qvln=sOYzrZS-T+&{;`FmfsKbv(BUluft3(Ck&}Rxl)}~%jYXZqTk@_m5 z-_!II;Cf9;RtY1akAvQe#2axG1-cACH9H=hqasq_h|sD2bCGV&Oqh-OF`fwGI~8^) zy(JRY95Sd4+`=eap_~sK4AuWdIXL>?lmiT4DW=AojyfI(bNHQYU%3hz=~H_W>DxUY z6jBnE72wwDzyUI4Ji$2uxV7>S3_ZT{)t+Q>7bjL5GW!02W^Zeo^0v$+^kgQ&jxpYc z`Nm3o} zmN>_H3s{L^Ph$%5{GgkBUuJ$`7e1)c)k|i$6x|c_x)Rf}2+yVo_Uf2<&23#(0l6(z zC5haneBg~$ANc0t|5-UW{x{`d={`gKMMv@YhmL}RnXb+8ttZ%vPxgJLk*ZngALW2$DRWV%{a6&7w`USGQqqi^i8B}YIh_4Lg7J1E zHx+Uh{#QaOie7A?#)d37-!^uRF~dg3hs9kc==rL(=$=dX^kA7uJdFyE#{Md1kZ;J< z=ZrGxGaN`HB}|Ka=*Ek&dVOT^owhiegUP~UhKaSLkcZy|{f(}hqK0}qyJltm_#QVM z-_dZRsi6Fd7ixyh1k;y0ou^RHV>e!_SxjH2IDzw)bd-3JSYD2;dbT+}|DS7H|NLpT z@_VyC+ECb_5G!&G)V5$hS-Yur# zvo)8|0NtpW&_7~ZazbWF^uJ8A9ySswU-5Es$L)MFil*7`h+$#q_|5+~w_(TuutCOm4Mg zcr~ZQU3^Mwjmg~FAYLev7U{V1yupW0m_7hqevqb~o_BLT`FlCei#LT5G56x$v*`J3 zYpTKHdB4SdVWBX9S6z0D*JVd*@yZ&ml+I&;m`k+uay{0YYDQj**U17nM!pm{zTcf> zb}Hq4`VrRhm3QM7UF+d0G3O9rzIj&ZL8KPc0dX$b^AY5@ZrbztDQ|QBdb9Rhv+=i~ z_Mm3EmHU4v2O|Hj96-G)2c`d^9C-9Tq~lKNZ;fbS5-2zzQ-^vgbjsHZ^|&iM#m;^QU+@uYSu|mHzA=Od?Uv@z zI}=L*MDh-z1(R9L5;)R2Pl>GOeZn~NM-Z`-hP5{dNb;~x=ONfSncwabus=yEEoB*G z7XGX?$@C~eP%u{H@h(Zz>Zr%(Nhhkf({gSyg=RdF6VMZlb3}-^+1liT8hO0;Ok)qv zO4C^1WO5@aMbNrAs3|t%aa)qjV;D20KH66lm?=1a{IXX2;qi8U>pm?()tzsHV|hZ& z#b-B}#~!VQb#Haded$Q8c2$56f1x7*LNbNVzpZ`RHn+JB1S~aZ?H9q*dpNFg@UX)5ts^C5(sgS0o&PiCf_X@jmeDKl_po>R?~ z98v6RB?vimq}8srmhRFRjh^{tor%}k7W;ed!a0H&!+EYvx*v96>khd;r$QadEeEpW zyRR=g>(uO@XPjtB-{w$?skT@pdk?8Uw`4tCaEno|Egrba*>KWSr8;FOk)28B9PaEL zOV9tdgC8PXpsShr^mOv3TJ)$mU{48Fg+Xh1kw;HuvCTYHzjnCJ@SNw%iPlKrvJ_Lo z*`_Y&iR(fT2#kt6d{RhUM9DIde&o5?wXgjyBJ10_!ZN>;pDj=WQMJam<-Jb(x`}E@ zYpM4p&`)&^%nXDaVsTw9i%I@v=9k?uz3*#D;;!SDEkE3rr!}*BTe4wGGcE7YTQ|$a z@ffDntdZn><4jmqVq4|?{XoFWnymM9LwbIXf@pi(v|Qs=60=k);hFa?aZ!EA>KKSs#46aDro8LEXK3&iFO%C5U`}bHPKSMP$I|N@I;@p39 zLDNJLtU-^bxK+{gHRLhpWNA`l7?1vqn zT<*&E+~>q%9bx%Zr##a@&7iu{09rb%s~II2mQ<+|HtT(`6VCqe`9nRM#^r{+*2BO4yG}64+;;v zb5y{vGCv1?Q+7gmXy4JxRQ6JfI;EsyU??=4X2AfTIDw=5L$sP*uU)s8dCo1~l-`t0 z6I}5=_gs~>%s;!{KR)F(`Nx&T#X4#&h|lWccxEp)$#1*Pu0GdSYn-G#+nzJGY&138 zMPAMOl-wg<#<>VKA1FD)?R0SR))ikcJuP97y1xetr7oaD{5!fd^L$v`Qo{vCm-9Zt z*XSzUg)gJay2fi=(lL{(BFh|0X#Y`(3U+;4+*u7{!o zqi#uebn?9Mc+*0N^aX@L#Oi}}B34AAi4d2lmGjGs{uiNjY+k(M`fjBrbMNu3Q~qej zO1BXv#1rNNzB?5O)qsQw8DIqfov0BJvzJbkoAd4;D}d{rEFMJ4ixm)N{opCI&5-$- z1VJJMzV7JyQ~VX1o~l=%Z15>5SU!tA!^SKYT0D=B$r>|c2sXRG8k|&EwqSCr6 z|4Te$0frbU{daNPf-hk4E*b1gHiFX1uR`l*_w-jQK-d5q5Lyvlh1Oy{5_6MIKMT;5 zSE2QnkI65|5$+O#j-QXn5G%|gd398E8%}?P)`S#LZ3oyFD*y@*TK`x9wCNo$RzMNF z=!yR@+z=~VcQDil;@9{>{8ko>A6|?8wvJUJGvWtBr{fJ;S6eDCFZ#C<%-mbdKEGH2 zoOKr@>GfPt2%;!NAiD{TUeQ5q;i)c|M0_d1Zb4%c_FZ!Vz#P$LzrH-Rm4_=7Yl#WtZ zfM~_GN}*i^1&CIBPKU~N&2F0+(gGq8td~d>!3)vq4-lpm_?US*B|BfyT|BNoxHGN)3mrn4c@~#H!5bq4>a9&22so9nr z{}^2s2glZmg#x3??S*K4VlY2Q@pTYtIKS&_OVW z9LMnpbL1u?!~`?;G4%%;u@4{ZDfn3uzr)DO;3WO11o`#ZC60-E5d#=qio^h;%U-a% z@^V@nxurLfv7ZdxNz%n-zN*;a876N9k%+_zO+T{3Cc1V5qs!udj4q+uJIG`mjpne~e3rR%5L6B4!m7ma| zIFb(K7@bVF6HKxSyx$P7!a`r|*wI2?B|_gZTrUz>TQ zmzbdBfk-Ps^J{Wqju^8Te%4826vNR%-(A@KKjtwx=8z=^_`vGOrkJYW6HV&Ji7xUAKXF%}<%dp4r*||^Z zgkc$X8-9ypdrKv-gL_OxO|7-|BL)+JaCq~r(5{eQ$&G1H4nux0?WSO#hRKc`osAg& zm>ChsKwM^=TiEn_1wS3I5fz%1m+DdWI@_9fT|V@2BZ_Flbsa;VP6GXpq1Cmn3H)ei z9UFcD7+P8WGPJ60_hMsLQjKo<*O4Q7_xS*Ue%z-(|JXVDeuq$ORqcB%WJVpuQR{e6 zt+v^a!NTf#8zw!PD&PuW+YAi89es2KPynugq(XYNa5mYSuR{YUt28Oexfa=lLfb*r zJy306YE?(7I>L|&5Ju#?B$J%%70vm$HU;A3(a_

7|}RZnzql0bnDlT1FuShQxI! ze?~SN9k>5Q>nVId!If5b`;M=OHr`e3aYU$HXnank$Ley2d zf2jgi^#8C+cE$GiOvISYM|LUSd4}@HE=9)xb{Soa39w7>*xjhL5cme~nBoOX{yFUi z-(dR)(5S;E6@J#_lYcgU|)gMLcUuR$L zdhVm5wGf}f2L2iQ&L_0)*Lxk7`ck?buk<}Jk2Nf>p?LDyptowqB1jOcwdxukL;dY0axCkWY+px zpTobl2$}QKGNV{xrk$S~NWD~)!hXHYh1*p4MA3~jR~$17Gk^tUQt1W*OQ0IC44M^ykb z$f@^970@E6R^E9>!l0hyWQBGk8L{iT+W({qXmeZ3tX%tKZ|YMiMhaa+*G2LV|PTM0+ZybU{j+ zCL^k|A41QO;hIShZh0SEO+j4nAk4sU^rKS)%;a@kllulPwvx*_H!t!YZP+`6nKP^Q;jeq`WEg7ZlBiXp7 zF-Yr5?vd*%Z7{4F)%|&|$))T~Qtd~ruZ(7mx2P|qkyPV<5Shf4`s52bQF~^52_dGC zovX%i#D(!BT5{}i)Eaj33Q45dxEwVp@G+NjHeUF##$nd03hx+T!GEJthcgmqq6^%d zw3tWTL)e9C+kDQ<=2hph`@n7;JEkz1ANlDFWN<`}6GwmG9R~n${S@aSdiIC%g4tL9dSE{#Ks}-BU6FN(iUWPlz;%O9u~dwC=Oh zQNJDu32_8&PObqvMdp=Xji2KDjJuEYvSZHr>^Hqk0qAAbcrv814(y~H(FaaIQH z4JOWCXm}pa#}37I#wa8-IEtqMgbZ0t-AjWt-s`V{7`wh!Sw`eusUgglQw zj3$5b80H7$tSgGK?CWN}C9q#eX2>JW#E56y8}>BrUYSjILRed{rP)R~&V!u43yq$P zJMfvqY;qEE-&;8lUrMeilUmCD!cJ_espGcRW%wx4H<#ktbl9JQ?+d(In@R**eSB4a zFceicHf{Qq6(_x9HqB;-{wpMDaZAm2nqIP+AwP2dN12iVmFG)qfL1Q+D*UV?Hu zs^~bcl2K#-qL-;@-PJoYD+9QLkMvS|R_#CNrERm#YcFnPKAG*(ho*=2z{T17U4nEu>Mh|tT-!F^kDcG|p5OR3O}CmXi|P>^-T9Fa z+G0(bUMl0;8SXCo5!Jl^hJXJqxNR(NnXR?f2>fhA8715d|K}uwKfx>TbsO$AO)|^U z7<6@#hB&V2?&{ykm}H82sIpHoIRf*}Z7is!o`Ng?pNcx{XYkZ5Bjn+y~P9 z@Nqs5>w~YT#)R(r0Z~Ay0N5nAu;2oqmre2jy=?L+S=3#v!)wYU3c1$v@Gt}DWnKW~ zXL zl#`N6+={|`Iy7v`a8vs04IM0vUXK&K=NVi4KXvbKkoV@lU+pc-H4tR`{{nxxj=UT& z{soJK?BGgqd9-+={LX>lIs7Gu$vOKESC>U?p|W9WkxO>0&7o-nnC(*ixqxnusYZn2 zuLJ`kHCe`&8=7VrNLo$6XCkO6%emp@kFf8g0bKyyzurv`$lL`2sjI#=J|0<#Jd*dk4%kbD=u^@kQ}|%lJsad!tdw57Grgf zUT(#>j|w=n#SbSsvbkVhOYFF08;5{Ggt}&(YOz9lRpg`bgBPC7GY8o+gbL;tK^;5N z=4`97M#8W5XCz$VTUY!hr8ljtrEhL`a;F*nvl z`in!j%TsQbHb?xQW>1$9hgRuw?H%vsb%VAO%^qGZ!Ywa-dcav&oncbG)B7mDb@tiq zL9dZwX*0SR_1Bwdf{HT=hS>Lx9Ovn4n{8}ry~c0c2ALap0>{x;J-r7^zJL1`U1R9Aw>_Alu?RIB(vy-}HC}GpbEWvb-L?Xq|?< zphucH;J_Q|DA`{^X1%i<4M@OvVmSuY1@C^~{86L;1A?K0z z?XFC8Js)x}Zou)I$pR~vs9NrqaXS@;bVK{pCU-^8gWQ_PbQbZb-SNC%Xx-cGokhuI z$s1zdZ%3^DM8iADLcrHJi}AjmpEf-Z{SNoyqKA4mLY#O`xLxBR1q|b~9AJ(rE7Zwl z;{V)Gwe}LD@DfOa_my=6H$ocm9 zREItvviWvQC~cE^j=68wb<3U07N>kC@W;{`>FI)uk1P>LI&Ndo~7yp+ahDGGUqAE&V3khMVve-KfOZj_doh1PKX;$|0Rnp?W@DcE645RP5PnXQ#?UebohTK zi+u#Zb36ZA7K`u?0Q^5>u}=W_U$R(-zhtp{yL8C8bdE{ngxRrHyulD(Wz$}{vctmU z!e=Ib2p94Y8~l9PmaAJ%IPhJQ{TlEDxGgz43~f2)_(PuzzU|FkxPzuL%((7n(tKgJ z6WV^3$iFV$-j#Cf5~Fi;jcrVD0oL2LUzZXrEy@!!N8DP?w z{iqQ;2LRyNy2>X2j4pxF3bmaG0N^O0g!GT5PXM?9f}K9uzr~8N(o}Zpm8~}2mJc7) zk|$ev8sBGKP>HwfM8@+}i#JFEw7YhoLRv{6)#+nKkypcZ-=dayvcruni5J@uG!}1 zaFue!!wrLLqZ+E|v_ko*z>`jNeokdGPd^ErY+;9}0VDx_ z7SdL@NNe4oyV!roVmaSGlmW6>Za@~B`l?;2axUwx?LTC(Ga4iPM$UPnI?#JhvRK0Z zEsJ#%M6`t$Y-GJGwEkg$vH(iEwh%I9hipJb)?cjA-zE&bC`_nHcxPB6X@;4DQyM9= z`iyH!C*wrUCI+iI|0rTQ6VOx9t$53-C-u!3^<0Pq(i(j!!1^=k@~tpuHaj>zKAVLA zlP;d6h>WL%ra@MmW>K=j%90Yyu?GuZu2?fJq zqr^!zd8aO8PT05SV)B1pHuuk71_E>}Bt2CuZJM!<(aNrTLY>%n-LrsPta9+uTDpQ! zy1{ttaK71BpWJK=5j!vYac^hemDhA_L`A*~BNj5Ex?0Q^Arht}>f|nOFrd&dgUX=<;4{eh7t zE!--?xalhi79qxv)%ELupC??ysv_+)vNPes%%QX+MOniQqyB8HW{NpOEDqtg&l2FG z{CBvN++HJP1@6Pog!)pN+dY22+~E9K+R*oP!|BtFU48z2+LY9=l0ycANKkbJc|x&b z@@6l`c-3@@{=*gfJA4W7U&=Tqfd9S(1N_$}$>Nd!YW$P`(s08~!i59;ms?f=?>GOI z$wuG%H|3)k*RX3T)d4qA{yD!ma)|=^Po1KKmX5n(g3Sjx%Lmzi^4~_u`-MOJHzgiy zZhQmLwzl!*UM-A1(W+5>tueMbc{E#oSP8LN2tOYirn>KNF*okFDz-Ay_3>U7l{$>D zvO4GYtyseOtS3KC%z2+Ok}fzwsu(r-C*~Iyk3ro%YZ!Ipj6+&Y*soJ76YoYjsUb%< zM{0GAFbT!qn7tJwO)Nh%;$n83a%^@4?scBNb8v01zVcPLMxMNX-x$mQ`>#~xn{7Wa zftTeT`Q5JLq!6xSC5UIpnZso}-3w>d?XU#1jYvk>sG$n9&5ZBK>Y!^$=(uzNhFf-XjiFM-2 z9Ps4Y8oi{q0|>*jO~5 zSk`Bwh8yK-4n22W3GuE6S1C1PFiYH73wNK`Qvgpu^dxYgZlWbUdIGkeYr@(q%llHk zOCR2f7zrOUW~H!POO=ska>SGN|5rfRg%P}h)^U^tZKh%I2~mt)Qw+#g`@xRIU2%d- zd1x`1-oG;3!-1YB0Kel_HVh*#SY`{#r0Z!UV(p{__tNQZcaKDr5y%P=_v%(q4;&G! zujXRDp&A5BK2RoL>|b%i8hh4|1!n88I=O~*WD1nzxhx2SN}Ku z{o54l^kj;C!oR;wv3yVX_Zq;z@~871V~Av2f8k$)YvwGS*QR)(7|W0nA7Y?|brgJz zNa5W_(URu}Gaa~D7?gF_M3dDu3IY zUz<4bcAoJ<<7Eh8G$yM{dgSmW34v9!`u!oGH-J0m>P z+zsg&$BA1w<8sYxbc;A$E3zm1;@V|B{29nX;cab?CzJgGm%Z9avsK_H)<~{E8(AH2 z6NoM3Ao(yhgmVz@jLKmuzVa-#&jcr~3x#hC`0!McMh?e=HZp?<;c(Q_J0~ArGfM1; zqREEt$B{YFW9-j#YE?E!T;iE8ZPs!NmIn{`nRKxN=V6N7k7quQTI{rU9AnBp{q|L% z+7^UcykJ(@-)kx=Z7DBfIF zJKxmhJZBb+IAKr}w)F;qRU#56NB0lYp4C1>uhOY;MXP4=?}vG48-<`aq@Qy`o_wZu8*|J67of2cRYlfOUQj4uSdfJj zw9}rtB=OlY^*Vpv&(%c6AX4VMLK5b=fcXFr8L@?06mVpcM=HEw3)igdC#g*QjBMiZ z(Kn4ErJ)!RCK^Loqy&5b-At_-*k7x}H6 z+IsTDMEzjrcE4`zPt3Ya>dLo8_QIzY(#hNohb6A0by9M%iuiCZ%i{^7C)_{eD^W!} zx1J_TF5bd|P9q=*?=|@vWX)pYVjY{I&9ct&<%o2A?Etq5`U{5^u;o(r=!pgXVO4iL zH7Uh>V~#RYOC@S=UOkM{^V&z1+yk> z%`H>4ed*}i`?{xoDz{yQ2RApFONPzi6Zi1CU_)?91xXT?*#>#==wb4g$0?Wc?ZCWX zlb0fnaT;xv|yKvdq-f8D5X;DEC0G={=*Vm%_Nwj z`DBT8iITPbT*-QxDzE7|%Snh0&|gA;{)zzf*AhFiWTK3lPVSNZPNi`DO@H4$(O=;1 z)IGOtMWULFAV0P*$Kr%J0TCU)IlBO}9zAO+j7k7J9bssMAY}n}Cv7(APi7$0>CT0$ zo*~6l&2V-e420lb(nZ0emPlH5tDafB(u)cf?q0!`4JHff+)4EQ6t^+L<4b>(VG*V* zR5|gbftOXHU)C`hAYH>}R|Wfu-Lh~_uuXv}7m69(UxszHpeAC`$0-+MVIC=RJrI)F zVf&_TR{|5C{Yg!90Uizy9?2eF(#!e?JyA{V*;{fwhsM#$YPfReKuLlM)G0Mtt<V+09$HI4QI|)b+ZBA@J((1h!oC+`R@y&k<%9_G#`p z{>rXG1KHJw%X@~tn~U{}|6keF-v7$3(l~myUmPTpvtEJ99>n8Z34rXX7u5go#2R!6 z5bs9aNk@C><{+V5+3yYz(sPo$XZ1X$ijm*JO@hQlTvqElx7Q(Tz4O4n(|d58{we<% zx|Bxu^OfkAC9ei15gA7X0T!tI?OyS58ArA=HQDi@sx0b(Uen>TK1!^RYS>bP($#91U(yjyT3K=?wgWm=4 zyLl9EGCR(l;1OAc!~|#r?$eE;7q3>T>Fp5HAT5yFHV15N)4u%TUX%0M7FjghJM20r zXk}k%xl9jnOd&+S%oZrPL>J%1m|vLtNw+(k{zY2t#tTjbHsxHmdeeRn{*wsy&XN&9Gt6(M@nU$;|9swc& zS4xumBAVrnW%HK;0-lgw6I_y;?;C5qXJd<dH50bsVP$e#-g`8U zYuy-KG-r81+Bz>(-8TyajHtEaG)?5;n?SP0nriJXzZep5sh1w{?O5bsp+>QbknA@ti+e?0Sqe4392kY=AaQYpcr%Zta^XT=0}Ld=N9bW{%kv^&MF7Pk}hrT=6Cp` zo%r63Y7D}~Y7jqzaQQSA(${2>-ScJo>z+wlx8=kx zj>QbpmQT&>^#jjL_j>vve_|>afWzh~ppP$R#g&Y_&N+8oZ!xhBIv#>Oe=-Zi-0^y5 zUI#4*WC#}}5=aoIZMR+(kypkTS$j#fH{#X2MGCt((UkMikRur8`~e>GcyHpRD0Z?y zz+s$cat~@3@@BsMVU(FSRv(`(lj61lbC^c=ps4&@j+4Wdce2)RRdKJNGg`tkZeyB& zLqVYUsv_*7|D}0@WJy<;fYv()Q~4hJ$i8w|SuqcdQQ- z7>k-Vz84~v4EStjn0A(Z`}e)nrWY0HW~sXw^fs46*Ru8;v6JAUyZ-&=`Pr_3bR_QV zg*BuLvZyQmiKA9WwAw8UM;zFPTm;pKrY0piHbFZ|!MnT|P10R}o4ycu2gCR~H46u&CSPrJ)c7F*$j>4i>-=F*4f45;V?{|lS`wRp|O!ovP9 zY|8%M*z|D(;Qtw$0z241Y<9CW$N@?faUbPSL9iIs-Le6a;8jNNm?tAMLcjLLFD-2l zNX+P`8=tQogT}2e3Q+j3@?)M9uem)t-89~RFxgBPy**A4NV~sFSoe}|ruWhf@j8_* zF}HK|=$8(<6X~7oDzA^nyiBpsfqqzTmM_Was*J7T?ObQhIw=S3msv&i^=W8Aem6f! z>$4BNJ7Fd&;6Z+$s;D8NuH{BpX?}5cdc#1WZmFI@txY~&IMmIY9yjV-v@(8hL;Ay5 zofK4OwT0(v!;?$U@*%tmf5pi#DVSJ2 zY@7^)X3L*Kv#QK%x&&y6^q(F>vuCfTfzWK>#~wKIl7II78~D;B7=ML*q1~Bq`OJJ? z5Qz&$C6e>7tHmE{xXr&wRA~aHERWbm4;`*YGEzePjSdhGk31AYH$pzlAz1N8l=x|RVB z^H<+L8tD5|FTTm<#)Quahgf6thCKn?s*Egztu)*WXnM3;2ppLuUo#m6LqhDOwDpKa6A_NMgP6<4+sba ze;5939t;1+?gq?KT`oPNDN!KmoDb;VeT-h4h<{8UR-$zGA^JrsO%72!k+}X!{}h&@ ztn1q-1;Pi^nxgqe*wgJzEKa$%PUh)1B0gcWybYui?TUHlYY6cFD*UIu;*3P`f*>TS ziNkBqd?#?@_?GM`H9J6|!2Zd>4`yC0mFQaB;JLZneD3bt8r8bfdtCA!C#;rQC2QQs z4I_OypzvSvpN0R`RD$o1so8!`Sd_1HWp=!uNiffJLS7k%Dsj9&_HJR zI+wb6Ec|Z+g@63;#U56m@Q>}wD)w0T?+p=qEc|~ZUUFAL7QfK@lbZeE3#4X8UjV7u z{-@L|Lie&YWKaU^pVVx=GVnj!Pp(h#?AhK8Mk;sr%H7WTzTMPRG0F_gcIOGn7^e{8 zb^XR>S6*FUbIEYMM0kr6=}RAfiUMlnB!&YAKHxJ92$f$r>?P`2;xc z%o@dIN=WW+pGp|4Dmr7ezLQI5##H~Nrq(yxk3-l1HFd2EZ`??40*0{R5eY}o%ze6V zb@BAKga(nP-zyM@`aL#|x2$@JrBR!G@GLsI zk#TfZ;4=f*)bHmxB|T$~w3IZ!Ovz_s;|qJjE9g#TM6vbAMJdp`y1@((_7T-`-+EE8 z8zInKNUYLuybl@&Ycjeu_%P(fr=Su`uo5xSWHn|$8piOcA4YQ^p|7|4c3qLPPVAAQ zPT#OaZR46v_r01gFv5%KV%3z0ntF{|bw2#|SB`vzlFG^0u*e|$^otR5!gcu=41%K( z(f-w5vIwcqy?gFCNrYP+M~)sKAUC=7HETJJd|%8gNiyE-r@~gnBRAd3k;pLJz~+MH zrx3;XdLyw9;`PI?W-wzw%+3jfPk8G5>j0hqG5??axp?xJ^d~|<=idUO!VBp9vjLs| zdJ&-W&$PQzP?l@1ep;7gp#4sHOaZ}>oziB+{P5EurIhjG61Kl0ag2D44BO)pwnprq z;Oy+k5^&*p0c=G(XbU-EXL2Kk<)kTAC5h5ZrQkOfY$CWwKmMu57rrXE`8~I`&u^*n zf*&aTE5Fm}_z0)1y?9;r@T>Bt9$6G~xLRKQ8emry>q%MrHLx=z0Zd_AJWXNi2`0`p zrZ%I4;mL7+p>r{aYsmsr*jtK-HH1hi;m>A`FKx$Sev{Kv!IP&OTDb^EP>lm>TRHLc z1O-?Pd%6nD8&9e$2ekfwPhszMETlh8VT1C#spCI5C9*zEVY8NCPQ!F7!eV0}!{u7> zX+*rjQ`2G40q%HuL^ZyQz7_*kGj{lh5tv6EgazBrxe?ZKlVKIbX0k>ieP{`&?eR@f zJ~dJW2gs42;{5pnfg?5iwEIUZt%;8^1>|nx8{)%J6UCPXspkD1QnuoL&l#tS>xC5V z_}ju=Bn;7Cue_ag^i1x425ez_E&*HE)|u7}i{8HT`8bZcHemh!&1qISbKP#1Hp-WV z4ug%Px$QykF`2s*A75QKvKx;`IAEqhk1z&AwY75shSdNOay|z1-6OI2Od`dkHJt7@ zp6$SUi*iLIPz?@nbfnCh1!>5-OxVbXu!K~V#VKNM!i&X8r;f&jN1VW1M8e-GaCW?& zNR(H+pfx!(9#MRook>>CvuB5;&Ubg0I{aq01C+3ff#7+l?UsPgWFA-_Cso`v3n^qF zncWFbA7ANXEyT_Zb1rpa5*789XZPErxI+%|ngj_UpBVkFIep#3hcV_zzUC8WZpg>pycrn8=AuwmdZp8)@@{xK zvlf)sNAl2rocu!W?f&40sF zvOn;2z*{u7%0xAJRiL*|mVsF*RXpZik)E$|a~CTXvV4K&^6__0LTCVWGbpNb8C@sv zGd*`SA}iDuICPAA+a*;-VBE046@e>QZjadAD0VI-jo7WOM!^vx+9@CXt8Y~z1Zq~9lX%+K{JcgRBG!h67Ah5 zITZ4xh)cRxp=gFvq)ZeTEhl;hSb;A z$-HkmDiu$Iv`B?9ug&e-bfXRS2{{~Dk`8$ zB&mS`8CW(h*^#fgXERBdd8W;j^m`1OS7GLWWS*-~Thd(D4u|z|3>ya+!#3#w#;|=q zuG7TU0Atv+fm=sk=Uvu!WRVuePk_|@{Eva@^h=0d~4ji%lj6eQe{kPI7Zvv|StU&eOX~Q&Iuxyhz>@sH? zLN&)pBbqEhA7#iK*K~t5nt!a3lxeF-!YIgjo@Y8tMmv=c;HMn-&)UF&#LAESR14sz zMF2k)N7rypuC?MYn}v55(VsvcGZx-lCpRcbTy?+`|Ev37lS!mbH~c2VbzgbSMpQZ3 z_08X>^ztkCpI}#Yr$XAu67*0U3W$y)o7aXjgwb8Nvf4zZmj&}-p!Lk`?l;yO3|5Jl zoa#>ib->V8-D-!jS~o`XQuXD@&+J}!%Mw$)w%F~n_f$K{;}x!8#qw}O8YY^z>*%zd zzCwg;);ae&?LmP%)`IFMp4q+id6WaM-wju1;J`Z?oU> zMMVdwM~#JB)-b47WxyDG8?QBGBwkeTSLtu|Y}gcvc<1~`C7QH*B&Zc8pnK$2+3&EHz!%Bc#$XcWh0zL_K-PG1*nT<0t6(=m?xu;j;b4+;{eQ^B5VQ zYF$D4@!SEGlxlhPe59|e_p!+$YDFgV~^BVS}!az(H|Jxh%(y_S&| zO>s$}E69MP>%+<%(0GEV>VH907fnwcE<$WiYXG83t;v!){D!DZJZY)ArvcGr><;eB zNtk@F)^1mx1`*|3Ok0g}e+B?(KP1z;By+haA`qIpHtp*u(ARm8vmTW_JuDuPIiiR{ zsSltLYK{n2mpPjqJE7&Nfjc5VBH7G6913%XB%uge$M#*jcY9$G%*fyB!jnU`onQeE z0&5U&Qx^28g3Oj*`|A&7!eol(SDn&=x~u1$!}hznTb+%a3vtG4-qn*gZ|UiyYF@lH zud}@2%3_fsw*_%LQPi6Ret@D*{-LNv07d1F^a`outhrKM*!b|p+y>QXAJLazjN)5y zay%zXz-k9(59>ztH2kptQXcxb=i?yuBru5019Q70W5<}&d^dS4PheBfXWRVHRWrfo zdih>b(rY)%%YL_pjkoU7I{c83Z^G6R_N%_4$Hzl$0HThGl-}H~VOQ=(>Kz`@{1i#I zojSaulAeAZ|9zJHK1B@MJmh;zcf(yf? z(uYxzwPk1TTRx{OzC{vvOYC)0;1x2=Fiq)u6)Q@T9JszsbmD8Hl8_|gChYLh9lMns z9IBpw8?cWki<;~Xo_bI;Ug*Ly7$VT`KyMI7!B#1(r9=gFwSZl<)Od?7Ny=@e1<0>l zqZTCBfH~~6+NH3Tk;@(t@{DmNW<1WlHoExz&2?zFgHq*R57$F^POhIwKWH5K^h4pn zJj})c_5bke^vC*tQ}$#1e-a4LKGy$L(uF1y^1j&yK7S&p@__-2c#CYJ0gkR_K|eSc zIJiF@G~W%SLmf%)V3FCMjD8b(n=#q=lkL>&t5@?pFLW@v&4EY8ns1?{T|q^!rN(!L zI}Q6n8p|WQ0eaWXU)}3zl*D0Uicr`0oSql$>{~jO_sx2Ga}K4bKO;ZatJvzWx!lo0 zD`>3klVe5WCqwYaA;d$+!064VXhltEnVvN@71cdB6;jNeI}e$qV$W!L>>E#nOlO2< z4sbj?bE*%VM|-Ber4}@-y{9A4Fg(3^#z#KBRW(K_b}{E@{ajCb%fJ*P(?#B}gZCQw z+^fN#ID#UKDSn|$!MpE8MWjE*4Bny?S3lyRy9!>jY22a5RV3@7q!sL9M$4yPavRN8 z_%##nU<=+**aqE9W!$`U{MeSd)Z{118~(=BjA8RIS!_}PNA3DJWw>VCz?a*VgsFDGrhnVhzd)QPWNNO(5m z$RWB>8x-tR9o3$f@5*4-FNHInZ-D8JRlYyvp})^>9M7x~r9!I~Pk?@`e{O{IeusGn z(nST1)Jfl0xpZg+-DrFNh`VRvRJmP#A_>Al4AFuloNyXQ(Gtf_ATsb5!O7PyWR36dL!>k@^uxnvWT zD2;sV;wud*4m%@o1L=X6D~B+MUPHaIAbs~y{Xq3t_}5mFy8Vb0E{^##Fh*tC0lcXD z00W<#+bUM&25*yZhoavxqYwg*%q)|I((Xngl5DtqB))K5FZD)(=tH^XJzZSgKE!2+ zDGO6j?^6Aq`tb99%+87HjG(6LBO~QI$}~RLsV-BeZ%uchgPh_fiyz*2-dR_7W!bsF zeob=3xn+HsY!hyKZfmFyoSFrPj)udoHAjzi3Yp1w=5Pag zE8lnI%wX&=0|<6RRZTxqB$5J}g59hS1?|4duF}GFoThZ?+QmiGGQLhPwAKhWU=x-v zQxwVZbn|ISZm50R<0#xX?M;H7+dLclP8!x~Ot~<2Q^B_Sy()}pU|9m12ZQ`%bS9#I z%W1&4>ihmHDt?>!<=oOy32{Tc=Va}+9P~7~nCe36k?Q<}sLV{w*bsTNHi*r6$+*Gu zKiU=M-itejV{?40LG1pn=g)akf3TZhf$90dO|TPk5(`NE*(I^|rZWxY;)Bfw zE6JI2Sj&Tb;%Is={i}$(nhv+lC?y2305GxnKn36~#umo)rc+2=$jVXYu3t}~DUR`?unl(OIIM=Ks!NQKO2)Wh!yR>V z-_E_PZr-vq_;zP!M!p>^W1X&H!y~9sT63v4XTK+BZ(Q*s>6L=f2G5J=?^vz1O~oRo z>NimeM)Y579C6&~`p&SIAThD0<+k41Af_Ois{d-q6wApp`QpkIv$>KD4eg65HQ%+k zRrN|U2akE^W@fZkhy#UV5>u9Zgz35TblU1OOur+#1o399bcV)@0V@#%4N^rTtAsAA zsPOE;FxfP_+6oMWOB|+K8+q8g;X+DrE!TLB$=${S_Y}Lt?@J?f3XQi#wJimv?s2?$ zZL0+?1P+{6awQQJ)*0Ja^_$cVQf|#ik&`yL-~)!#%)re{41=Jf`R4>H4Q}DTAVjta z$T|sPA-$Y__9EYTydl1gF@z%wk0h8MyYa&Ra!40X5KELWP?&Ie1oMW!9=gtDdv#|2 zr?6A$Jci|ifFq9|@Wah-Im2NZd3r511=_TJU9H+OF0|S%l)4)?Rv`s4%yNrdo_&lI zSir}uAA-ijzdz1fztB5?TRCz$3M2H_V|0YNHr4wWNN_*Ve6}vSlQDE>ejq=OL>O@1|(vI?0{kVOOc6KOs zwTXu3b1Rx$tC`x$@Kr|#GidA8xAm>TGV&&Yku%?#gFB7=47ellyk+u^kc4Lo>PR>7 z5rw~S=cF-difjuVKEnW``2qdMkS>tgEiO0nH%yc6OR|Bwzp86L>>s_IYr>|%7xlDr zS|=qpxIkZY`>>Cu`$k`J;bv?nnr4t|kpne9H7G!xQNg{IrwpSpID6mbWe8?f0kEwo*fhY%c|&&I$jfl%|9?w^1L=$TOmV>8xDA03F_fu?yVNfW9+KK7WF}6 zd}(I5vpv{9x{}=;chZf6DwTy)oV2yi=^pCRFEY=^g+dXbPcY`=` z+GJDWi(>%~14J!eP`reYQ@D0sGGjmd`c-J6C0BGmeSev`m23H8VuXMv9H+$^L-4G9?HMCX*Ow;X?{S7Z)=9#=_j8 z?DJ5vRUMXt66;+M1+}@4O*s}Nm;b3WmVq*mj zLW|+-D3W-|kS}q2MY7VB!*u%ZD@V&)^jU`8Yv9B(C!l<|afL*69h?UXrKIIDjYlCR z;h|)wxR6cr^0~g~c)lQYqQ~FDg85+y2{q|zD64PW;^XpC*Q)6Q1Qb#x0YqXUK?@v4 zn8Z9`?Q@M6=O|i>>*llkHTa^n0i>ZAetU*Dyl-58=F!r>ezzP6+OtVhxV14Zxo+fmIt#gEg7-}5_6FRT_n#E2r zFF%Fr(%tG0cR~FkQpD669zwWjbD}LQ1z~4o=(S*Cdra4)8Y=^ipk6EcPl$e>H-VsOPSGmp2{!4h$V*h8688D;W|P1GPDg(hTwTa~Hk$ z{P%Ae-*BA=EQ($u4j;l)LVd1JT#~E?imir zqt+kJOD%U@=K1jnlEQhjM#=Fj>k)ei_&Rgj%u|vW=R!&81@T*r6$V2paCvPyXsPnB z$Eo)ekYvyr0jp&}s7(0cNj-+|6hI_V%H9W%WZ(G&k9yZ^s})1dKXSnDgg$Svg7hTP zCoKEb3MV+RRYOS-IoA1Za@iP^m>Are2nXEb8Mt==MkhgIB2&fQQ= zJGz!3L;*^~F%XanFVMjZ&aN^Vjjig7)(9s}Hj^61xFUZUp~v1Qo8sB)9VSPUijV+9 zl!9(vtn+#vq%pM92_qD~Wm0**qt3edIm18I&DY?BH7_?;j6#`>8NG&6>e?Yw&e55Y zU__ED$NJcKCQOo2Q#wvJX=`WgD=uP+A{v&A10|(LWpiy|L)-Ri`2CUhRm#X29dhv5 z)x_(l=Ea#rdrf`;^Y&X3mh9d>h-o@n$STdkHy_546Gzd(Y!qG5F@{uq^AnvD7|s;g zz6|gyDIukbId28go)M(IPsn2xgQUhcnF(M-ZQA(5B{M}?KpHbh^g4$DkJ-p3R6ouONAI^;Bb5o1lRN-0>! z(8vXed>Ins7#YrrA#&68w~R--)JE3IUlcQ8*vLAq^dNDQL_u%R2CmadC6u%5eI%On zMW#-xMs+V#=|hr5W-97V+C|@OZzCs+;IQVIrxnuAV{0WL4x~4bk+U+fHCSXK9BXM?XKyNNS@2%ZFQ zQw6VNm^#8HVCx#xH9z)l8RJ&wgq!h)8QDQOVdMTC{=52>;&1x~U~>9>+g08NDC;{H zx*Xw{i8_WZ7zafLkoqln_Kqu{MGg&aHbJ7vd-bQcVmvtiYhT%rqtwy}4^kKZ{)j6O1VsoePjsjH^Cm5B@c+wqN zYlY-VOz_aTb~fiVjyA}??PQBpF)!W>Qh7rWE{bo6{d4LW;EvmD%4 z^aC*suUFhLnRk@k6_t<1&ORjxjaFiq+s0p_ylOhE4Hq-nqHIJwG6*VE;46>ce6zUY zp`7snu~NDl&XTD=ZI4{YHO2Jz@@aDJ!DA?{OW%5t&3%5UL3c$N)Uf#QM#A1~R;0}~ zX$S6sS4ag?_z2**Nm0|u_%znV>=Omr+;O~QlqyhDu+J(7 z9f$ST=V#-4wRRfF<#my{iSx3Pcde`lc~gnvZ@}i?k;lJ~Va<1JRqA%%R*uNaO5rMt zT(ZIsZKRf_M3AG9S&obmt-V{=KfiDgGTlkwm@RQ*y;^oi(J{@*PPW1ba&4j%(oDe4iHQNW2dm%s7Z5pO^0#i|AclhEqT6F{5Z_(gm?aO+ zGnuH5Z?Oa!(RG9?B-^VgB*dFJ##`mh4IKy*@9I|I&|PJmt(&O4;To!-c_2;Dnd#fa z(uVx%p?+AG$#UlK+&MBxZ@Fl&W1!SQ2?1h_YW&Arw)hSR!(K8T zui%VEu3_58Yo&}P7YwF36Th6@!wGG$WxKQ*;)ZqFv3^5q8dZqTz-tqfbA35+|K<~w zZ2^LQ@(s^`EzHeP?Gr41y|60-?aUwbs3SA*hvNOJbmXl%09uE#fgE z_iSD(w1lxJJIx1qEOx4+Si|gaU@uIpP=L3wGedt$tt=V?J^jJi=PnmHR#JE1Q>F`7 z!6jFzCRK0Vi}bjWQC{+u0dG25+{YSlJzEfU;+4;X^!`vSP$hg zEhmprb8m`+;`fM)CjrAjiyPBOi?1A`pQMy;hk+kBdz|Et9;SeYIqOEu>c$B6h-1{_ zV81m+b*i$i&Nq3GI**zpU=wHhiU42v%`YcPE0O1=(824mk0%W37=Ig-{{vkfsh)VF z?CnEunmD))FG)i-^rI^8rMf3*jwVHxqkA9jyx*)6f5q1z5 zTw)<(bOByoFko2K5bpek^qiNLZg7dqR8J-^p2N>t&>8$xDiOF#5#%Mz(g%G5N|#sM zd;H_d!Qh{?pItteup6lx297|s98pfwIco-*G(KUZ8jr0E+r^U7{>V!LK4&`Twc5N% zRH#m?|;8)W(7>CZ-c#DTX& z)bSIpl`A9Bc?^d#(HPg$hGVf63&E#e&e=i<4`$}YJ32qs_`Nz?U<={%Nq>K=EWP=1 zPohHON32!V?J_lH>BR}x=;cJysEF%eW#PA{;iqY5!P=u4wwNpMO& zE|x=$6D{Wm5wKsL%hAnW(&C*zyYW0(t5wQK16TRJxY=E*5%hjvY}<0Pspmb@q0}ju zj!&@9|5481&R9;4{I0^(Q$F>Q(c@Ktf|8H>htW>d?lHJyFK-mMp0*V{_v_a;A0SWA zJbemgPlc`by(O-xcRq-;);vlhc`NODIkj~ASA*P&Qn%ZT7|x(66~PFvTx_<{|gZjV$!y`@Tuqxz+DtuW;6>6Cl?O*;%b21`;B9-)k9Go4?KP?C-< z?uMA#W{lt0ob~eM+&KBj485I|tlYnm+<*{!M_$+0^80->_gP9?36+um-s`YY)TWaY za9Wf4tVn@6m&?}<9(di5+Mzi54+i0?&jZM7a@>493Wj@ETCKOGTm*{4E8NxBvF_e; zE4L&@=uEfVlYEMZ*P4pn82lL1q`5y~tl&Nno_$_QC!EKr{SkW8HH-%DjWI;+%PwF) zVC#m2x%lo<0^z2XHl7Qj7JrRKDo)_H%+Dsl6u$ueFcAU+0yKQA^aMJrO7Yq zC3q7-R)^mSlYP%AqRjP-$dKWzqj0^JR%`#5`=I*G7Eb2{OVzqm(WJmadS%?dpb84?K#XsWb`||P? zld-AeT%RVho~Qe1;?(Vuv6x}J_9N~0vNIav_Y2{L83dYO*an8)yky9acrhZE2(< z?gUGA#2?EtZxBN4yitUmn;!ivD}C?uesZm9OaQH+-I-tt@Gwr*t0fIGydxt%XSDO} zn|mvpz%q=Bifa~)c&flgVM!_QK1?-MkPX$DKKLw>E$prTcb_(-1wutgO2K3Mn0

N*l#(#QE8m)1#?4S!;=L7-na?bR5% z9}c#W_2VS?8Uu@>ph)kCRAxuU$%1U+mDTx!M{TDI?eSV^o6HFCy?zIp$lpGQxXP(o ziK6i7$7Jvi#VYd!msfDb)G;#!ONoa5pmCJ#7aP|wVzzspJ(7q6Z(4>FPW+%S+S*2a zBelCK_yc&XC6AV>A-A(6;9Ml}8vG^LwY13{BCqg9F@arYZr+|>jF#Oh_^Y9ceStDT zA%-Cf(c=T<#IMWgwnjBMOuI1k&GK)`I1l?eJYxE!i*&Uai_>P*Xr^ax77rtvZkp*B zHRY^`6sE19{urG>sFlv9=%R`Lu&s5=g1Qlc&Rd^M1N-dRiZTJfveYob0rE*5)Twr6fK zsy{JovUybM;A#&Fo}51ueVxNw4DL`5kxxh%vWk&kT~&Ojjvy|gx7SQFgc-lWx$I;|3EP%{lg=WLQoC3I9v;3*y_+ao5^deM)sn3s*hLcz``7}wkY{~)Bg1i?Cy-=Y?A%S3>qCD+mF@h2Ka9l zbT$cMkL>GhG%n1U=BA7K>sivM3%qlaHmCHEI9uMb?AH(zC}Eo(nn#-Z6I9F=>Tqvu z7=;pg+J0`_)p*a%yCl{IS8gu@>=Eaix!Wba+pQ+$R=Gu+Jj%eUb9?}+mitSJ7HQOw-R(b%3*R76?S*vR&cF{8Ax zjVaJ13ky3p@N#!XB^d(;OEL}?=*0$^fB=evqrI_#HOk%e-FMKV*J6@lAQ%`JkOW8^ z1iG68iGbi>VWB@Dzym*o2M7r8@CYbKNQe(mQBYAIqC9+vhK}_J4ILBx;loF`k1!u& z}d_5n~z2o&6hKMO%Hu)qiq?`A=$a6rvRaF0MBm>YQ* zP5Qh~FyS6x4hc{uUJS~xwGv>vunO2UOXo248hIu-1f9NN4phQ_)6GYq5P>MY+#7{| zYhr}|raVyDs4WKnr?D6x0lfh4jQ{R-;7Z6 zdi;MS61t+uKeCwOO2_y3Kl=!j-$&HngPYj@(P1${wZ>QF#96>1^@<2R)-(t2RdCXKw}Zvk0 z?)k~fwwE&}YbX0bK||Sb&-0UGF?enRY+W_e-Y;6$HLu95L$Wafk4QuC4mW~0>$4afGiXa!V&_a`v64- z01SE}AYrM10{0xOEOW%e~vbuhvnC{HDMB~BK4iiSJdupik_)Uk+T8a{fAeVQ< z^@aB-ZjVq)`lz?>^&RMvVYL?ZmZ6^~je#db2qWz)g^(mB1vM2+KnfzFyM#pNh{i$R zwbiYRhd%pJ8sbAfebz21uT&;V14L9S1T_~RrO!mLTwFbik`^$a;^MXq6k$yrPoXS*c2vawL1hTvf7?MCO;eda%pY`^_WlDY=8b2Wy3=SL z`fL|ZVDiqU*GYJ>KOdb?YchzezYz=dV7Rpy^DYj(MCYDf6X4?e$Tv++i5bgGVDvj; zf;^WNQ|~nX_zzKANI(9^@(=y^4ly*8^oA_m{~kS;mKgBI`CDs$wfjF#QL><_{ullK z6HWgCQ;xqU@&7}VPDTSPSm;uP|MVHzR}%gcux3Als9sW02~*L)P*DkiXn=JpiTp?s zSlyyfGyowU*%yirO;ZWMf06{z!0KZO1B)8|6Rha(iZ7uF=)#9q0pR-3EEGYX238b6 z#`=X253~;w{qP9}i$Vx=|AUu+!2*FE08bHx5WEDC5cLHC0SW{H6b?qwswqqSSTpf_#^kls-$pESKSW@l zMP9fn7Jb--3CFP2#t6C$$jZ-LUK#?vjl>Gziq^02q z6r3+gs&rJsp#=G0DvLL3`!Wg?iA)9pQTa+sy#GM;zLo0z2Z`VZRK6f-&|^>}@B>N1 ze*m(eNEl|O$1oJgWRb|^6j)>c96$hp5S+WRdj#mK=P())h&KA}! zQugpFgr*eq%x%ATH^|eVo#a$I(x1~c@19dSdk0dg=(m6n6CuDb0i8pGxr?Tv+rG%! zjF~47Qg=>6k5j-49IcG0I1Ivr$Ry%q*`p>(o=?CGg5Z#Nqpw)Uz1(n?GKO#(1?c=T zKh;=y5qr3`c#Qv?{P7uVZNIlp!b8Wg-(=xXojV!ORMDEhW-^_)8?G<(YkC2;0#o%E zI&xTjX<(rMU?zBEfEp@aWHNXt`wC{iADl`)#(Jp_f`1QPsKOL9f2~riM-sulu)r$4 zM}V$0ePEeki6uE9M!JZ+UI?SI>5g>zcOY$B&BU;VBQJ_l^AaO>Is^(Y_hGG*79H!C+dqzU z3<_sG!J?fYX;=y12g8I#VJHEN1(Fs^DNu3Mv2y!vxGU2)-5A8i0|4;<4T_ z0V@d@F_tg<7nrBWK=$2JVAMcM`mX^dK;f-406u&x&=L*&7a$Gu6#BfuFagznaSZF- z?~2fbFVO6L6`*~f!Cx!|D1xq6pgRBpwD8CL0-U}Nz;pKB1lS6VXiK};+-W0zvB8Sz zi!SZ>%Qn0 zDu4h4EOFM&_Tbhq=fR^|m0rP@%RMw_o9gUcf+F&lC=N?f zIq|DYUX?!z)>w0Q2v%HccEg=idbZAi_cHjrjf!+$5LkIF$Gbx?-KfQx?YX7owg1?Z zudRN!(iQD0`)14dt?XH7Qs2pqzn&@iE;cy4x{p*-9KYx+xxtA@s>z*}YW7$=xo&WO zMWk`@=~O)UYfS1~kg<}+nAf&o)JckVoug&TsJHG74kS3q^0>Qqd=+>t9`|ifg=GCY zu^@`Bj^dt5V#(F<9q7TDdr1?-1VRQQ1TcXHHbR`&Kf;lHiSCNVAs(Nu$>JJqPUYBY z_8Ujo3xzUERt)D{P(}50Z@qbin*PK}Qg_-GM<3WL$t8%~vZCDcvEjjFQh=@Vn`)lX z;Ze_|$^66{Z$=fyt%4Da~sJLnCI;~jbK#N~u zBobIQ7984@7(*w#cqz7mBZsvlI885?uFHPPoMpp;ZE%Jn$HMySpH*D74NBVYUe3on zx0_0C0P|!W@mXwz*uK}*&ezf8-mBm#{G=f@@6c3|-Rx@J&$EG9kYP#ugf8YpmQ;e* z^TIb8zVj0ZBrOSwkEel^e+*1E)&puR(aul6>=^2UK$OD4gHv^NCTmG!35GIGLDXAk zf`on4EP^8WU#mUUej3+uL%JNz($$R0xMln5DMODtTnh~dI8vo*Lsic{@9)`G_Fl4T z;qi|5Xv$}lR)XKsZxsw;aF%UxznUz49pKZWx zw(^P0c%2hYSb2apsOByWl^M_g!vsX|Sbz`)alhhOnP^P&dB1l#4=f?UUb`!lMegcq z4F|4d=ib_*Qi%`=L6>!nu>yC8#;ZaViAdH2q)!y2(}jNReQknrX?be{nBLg=0WJlKF(2ljP9 zz6*VV>Eq+s>A%=p8&4c!`r;j4Y?Mt`q;KWYAE&~*!m|>0MX3QHn2L4kE#nnYirZ|E z;*1-TP2!@}UJ5r&7$$cMU;G&^88dDOW}Ie`>bb2y)Kx3oeaQW4v`aY-Hfq*lHu(1|C_JJs4E#dim3d=hb-q`N{bF{C zlJXA1wr8nPPQ^)ezBSdwjFNrvW}2WL)=|IU^WM76C(i{KoCZmbVom0@E|>WGU$_v| z8!kG!&*A3enyc0rDM)@D<#A}(bBlpIsYd~b066$NJb?H8BYFRq!cgeXJg{Z_bMSN* zbx67c)wjxnKxpU}&|$%elz~Ao!ZlXDzpC78EPtzwNp{Z>Dqj#;qyz|)ne1MfgJHrX z7o_rqE`8`;g(dVy4M`vYj|D>of&*S%Z?Fz40pHmQfT(lN3CQbUClblxhnk)%D#bz}ZlZ%z69hDC6 zGESLz1sS$9?TaTzLz4{8hmB{9XEw?n_gHGo_8(Q2YC65}G_7_Zq^ZN%HwfEVxt9FQJ@%~bW1%M&$0dqRbjjOE9=I1m^79B+y1VAjTPRM6$@k+5sQ z-&Ic@lQXr>R;?Ud>xe)8jtyNRn0z5Ts|Qm2DVROZg=2P3Dz3GA+_>G~_*|1%iNva! z;59GBL0o4yAt*Ai*k3gPF(RTX5W|#C12F~>+OJg!f=&5s7N2Q!jFVjYuq^hS=M_HtOa0R|-oj<>X6rpVH89WjOlvE@uy>;f7+c3-9D#e4$)<})^qX!78C&jtTsM=G z6}1r4n6@K2zog1Kg`AB({@{zBTR}qG+=w z>Q%K+IwjIXCk|VZszsbZ7I!S}+tLDhh--=fo|5VY{Q7y5L{;CA2GRC*dI-aYkTUd{ zf*Ek(An{I|svc}%w^ea#Ey$_OK^L(qhh)o9d{gyz*~H!s784LMvK$=P_WD>uIuqF) z|ILDBn;EkDrp!|&6N2Aw+v z;~?%>*YxSesTC|h(SI!~Kp-Ug^%O>rm8+BF zv?K4P*QxtpYGro`Ps*N?^yuPsi6!@$PU95u=t&s+U~ZhIv*(%K!4`H&SU6%x!_K80nA}sY7r7Y4_WE27!Lb!TU4}G6<%ZkN5HRO6Zj{O>(Ki z>`0Gy18BL0zr0R&epP^0MlkT&g755&c`fz0>6Tq=f}cOsuFajK zamqDSQ?HTDRb_-Uv0l`10>jogPO@Qj?FhZpl+TK2B~fitdXahNNLC?}H#MheV7q)b zzk!>BH{AAzt=!SUd0fA7YfX)F5NRvYjNhA9LMj)UFKq-R;AOR)tUQ>Yr0qr0jfc)1(QL_?x6=w1> z!WFyGV}~@(gMU|LKa@;`!LUhpLlnYm={s!OwThcm)rEwYS&&nMf+#a>czGFut}~$M zbc6qF3S04jaa)l6xH(cYaNFXkGx6+mt~2B4rp2|V@&GmeX1YT)CqOH|0F*mvWU_ep zR@vHN@JI5*c7h`ED) zo;P9)%H}^7}lg?2$QJ)4uSL^s-AGa~Q10Slajl&E7it)|W?UuE{prxJ^`nwz7c#7&3SBPp*2IRX}hT6r8&w!;g9rQ2m=GdI=p zUB@c37flXZbWC$Ejuv(rT2cat8lQUjeOtf49A*FCepz9M0*_zfN&7o?JjwHJX@D#&J5x2kW9i?tG&poMiPJI?1h1+QCdZV$9(KpuF}N0A4}MbMb$iujx@M6%f+r5DDhH{ zyG*XOkrOoL`+mskxAtE}N#)j2;<*)vawO)*Oc`IH%IRr@@n`Dc8o5F6knr9zHFLlr z?bFMeV2hzz;aVKpXFI$5sIy-s+XerqASGPL``H7IlB+oN-|ycsGPEWeEVZU;4fAb1 zoaqfZNQ1w*=shT%`6%-$1T9mY!&-ml`*~Y63=<7im|$aU2ZY0OsJlih|NOgW{f=Gs(vB{IzL~`q{xB3jV1fu^n#g`Q1w>Y3zI7 z(igob`WS-jHGR4U*ps-KSOvc4?H{eP5zhJbtq&PtP5vyAqI0{FRL|5E^WS!VzUVxz zzveEZZ*C1ga;`ycS!w96R#+8oJ2Gl$V7*%8HN85z_r{F>3{FF%QBr!*+OOQqujz*w zMY&l(r}3wIZRK8n2Q*|rJqFZPK)^wz9W0opVBC zw{%o%^0W&jm73KUI;|;<85*;3OsH^q;8iW6GYn)yZk^QK^Tfd<%0VmQiobM)H;$y3?bb4YL% zgHH6#I$Cvm300x>zVSdee+z%x^8ly?OXDfcV>Sb^w{6Mu>gNtRYq9H5psGP6ZW}b2 zkL^nK8AI&+8p9+6IGEtmfG)lFWnDajFASTq3uki;SrRf49jMw(KGK-An+p4LXCfyu zWpWv?iaq8*B^bn4NJ9i#W_{BJAUNVnkGu!_|3nlGC%W!LGdnS*%wS->S@?_m1wm zIJ>zY7Gl@3dpDTAOf~n>uC~c#l(%%&{Py}6695?v%rF&ja0=v+gE4{C8yrjqh-F|} z2zL?hK!$3pryq)3wPNzd=58sE5Uw)aE&28tGk(Y@HWzETE~l(K8nZXbb)oXjN zTHyp&(;lab$|$#!O=ag#hfx=|>e?Xx7L~!u$ z8x#tm-(V1k3=71*q{sVM;{^DW?h=|>_>KjueIO@T-Ea*t%9)w}1~CE)%w9+EGP`LS z%_Z==S?#|r?LQm(Bf-vVEeka${;vT}r+msv2t*+S6#&o&RG9VNiv6YYJcu-af5-IC zr#6JeHMv&5(0(7H0E>$3zC-A<3}}4+skQ*-G|mpAtf(^qB=H#!Nuk`Ct;+fG0t;Q7 zfRoj@wcG8_%kslPu#4O1x?**BC`5TmTz`F*=ahYdHd(Wlqd~yBE<7r%liqzW6stws zvR0vZ9#-}uN<60oM^p|-ns02~u@(eLFj+~_t~v+d-tzC_@t7s4O_-c-rmq;3JH zNju7%L9V>4=#!sRh)^1fOj;)p4iJ?1L-JNxZr_a@6j9dXao2;@gsv}~BLwO$d}`7N zwMcOzMl_N`)Epevag4WbV;C7s-JI5Wlb5tp#G31A^dP&dwmU>=yFAW)31WJ~L`SdI z9ZBhTIdb^#Kz`aQId3-3eD5y|K!~~4`EyX-074e}9Nz1dz~B4un`h88aB*>e1p(kt z=uf`+K8pUC&1>G)=@QLL@5Z9~+otA%$!xc7bE9pIvUY+ESM?1-3f^O_h!Ghncso1W~-`&TG8a*~^Xp0}x?P+_|grfK3+SIn| zln4fesd~K-M5+-(YKz(YQWdXzeY;`0Sy3^RcYgHo#_RE3>DJjh{Y2RldR;c{>^gmA zj*+*MEABHfN#bKtV{GnL#uc^}b#a0kP9BOo)y-9o<(EIy@V>Y!U1LGw-l=N|sN%eS z;qBhS>JrswHQ}O4zkveXdLDfW_E)JH-}QwKT=YKvBLUp&d;-z{6NI4geRu%xi=u{o zLwZKk|G4x#SqrJzu=G*YabI|4|L%h1i}08+rqT4U(HrCJquYMuL0gZZ#5ICAA2-*9 z%k2YGgs*xx*=s&Ja!5+=XFO=5rzlEp-^H3Y*ARz0^_25+<{W(U<|UzVx~PZD9u$7I zEjfukSb!M!3$K!9am(29GrHOzTJOJ{*(Ocn%@L!TLMw9?#Q)*y^99#linI8PXO&HF z)SD-{^l@Rk{T)c4a>vdKq73O*m~)bL%{)pSJ20j1+G{@2)8|W&;Xwoo z3TTuzj0JBCinzt}1?jeOuVZLR^_RO(=4G4%_Yl?BQ^S|uiG3|HrRwt7_oft_62P+e ztpH1;fd>uP#(|ryd;UNpCLeUB}8EQI<}_BT}L048^+hBvBnu~y)LSb zyND6%^%%7zQ!8E_$!0b>%ytupe2tcwkZrR>h-a$p=uwkXbHs}3t}RV7t#qON!{>`^ z6ZEb-nwr;BHQR7nxJ%w%A2m4U!9R68^JXr=)_!ra;0AtPxw7$@b5)16In6qOOZv;c zX7dR;PsXe*EjG=NUhjoT9$j1BZwJHMoaTjQ4$XzykOryL7U>0*hpGM%OEi_mjiIh_ zO)@64Hgtp$JexDgiV)+;>b_l;IlBwh_5Ofb|C8&5W*xma3&-7JhcP@;|E3jp?{^2^ z&qo()t9ETFC+V-JvVUFH{p+)LzX|%@?}-4DpaE*e=>Pk9FbHJn*;s%iay4NnwmliD zU%UiH^kdM|ZthScVi3sbuWe4F=0~Hc6!DJ~go;`^tTlPM@_(i|;_RuhyQFTHLbhYvo7k-EMQd zK>&<0VCcWrQYY}J{W8)35O9$I{Qd}k*>BJyiQsq4RM1kucmu%`%F@m|)6!&lhn|J2 z$lM?tz3?k_=$`c9KQ1ZVX-VQ(IQqVwBj?jo+8d)%hyt5x=v5g%HLTJ0d@p`BZemb5)QI+CLc+x+7e*YDG$>Evz< zddJkSbr1umZ0aEO&BevBweQAns=0@PWG=!V)@;|Y>ZP47WcER#R9Zw-m+Ll1GV%#! zT`Gz=HP@&h9-}7T29T^hhr&->8Z_=I5AB7tRokE)<=F1Tl2S74BU)=kNs8GFBwny04=wF#mKoNtS|O&6?^63MQ)B*lHEv z%36miWM|DSmAO>Q80ma%n;cxEb4lbM%!CbU87zOJVCFP+d(k}0pgt>&vhk$ZU@cDc zXqiJGVY4P&ZNkBT=?fMatOS)W@=1X1D4*t;#Z;`06K&OTq8_93w0^i)sZ)++x&v zTaU$yotqe?j`FT1()MbzLhnE&xYoep3I@R-KluDxP5#?%NFf9)C`@ud-vYv)_Y?pt zkwK3UD`T8|9AdX^T;dDtB1Y2)qf30|y&OshU0$>uILKu==L_<$xwIs>;ql&xA8F&k z9dkA&hd22&GeXd(^ffw5<5cW-O-+u%iL-8q4;wwwTneR=`ydVHwV%Z`Pr~7vc9cwU z>U6xQM-CSkAo<@c?m+3cm2PW#)iTMY#={wwN9#Rby)?d6*4s`b+d7P}u)1{zRdm^f zu2rsc(~PALSG6_S2pA=M9qVx|3-E7)Teu+Jz8bwwH>K^mGO{;h;S9MqNI&g7bvN0& zJR59*^SptLuIm~1Z4&M&wvK8Y_Ec_@=4}VdYyac4cKgI0uZy@NCrHtajXV#=(0tjS z9#sE>74|nTDnO>i1I|alibQ?{thsvy4F-!nT5F1_u5$NTi{dPsxALYtWQnaScBO6& z*V@$dP5SpKsj|0Mi|m$T;}$xsvljK5&bBs1W{qo&+HN{S>K)@7&2}Z9Ri`{{blIwT z_4pww^p`ftd-XhfLA(_!n~wE8y7LZl&ur>#9Lz0kkNWDzxEi1zn#oO3To?BqePbZ$ zQXqdRqKa}#1Mw{MSTwEek+Keowy?3SYb=>#2-49hn$k`6s^+;0-H|QFnZtq|0A$Z! z2JkP7v*NEJQEB90Kmh~9m^7eW5bn$~1c#ky6sEk= zD14PVq1sjGGxg=-{Dg$$`@xz2a+SGWeZTZhD{M%Ij z{_P#tE2LfnKy$(*12ib8S_RxKvH+4C+Vrj5Q3pq|ANEn12^(etLR=>l~0*H^s7sIB2lz5(a^6GoFp}{ ze%hSSyKs=2Mr;!5v8JRYEe*DbTex|cm$MY*RKiGr=S?uV{e&}FH+EAp*MquaGA&bg z%os99$FPeo-Jl{XrMy)h<@xJiCm1RT?v=k^wET+UCB}FE*q)#Yqng#|2oC$&8KY=KOezgicAAtx$kx&=#2hFGPU76hc5ZPzc3K?>A6$NgBGJ{-PX! z-*2(MWMaEMkp1(F{Lf`C>U)p$A4(kzGW-W=!rkzOH!nqL02jBHqJS$K71WnSA0UeA z-dz!J%7p%Y`(i>pI3EE{oIni71|SCf6rnzy_X#K(00hxM$6gCK8In@~a}9XaeUJd0 z68$8g@q4I`A`nXhJp%_}P)9_-DG_?he2))Qf&QT0iGWj^uMgnL&ie=i3j`P#B&Z)g zEFv5T9szKCM+9MG;vhZ3dW=h@PsT39#LB@e{}zv&jZ&0?nuSyN6OHc|z}Ni&3=9Yc z0rr+5Yq|MNAuG5md1nS1X@Ccz(S7Q#=-*&}WPjKA7rg&~{ZaZ?!Cxtjf9>d>3;xUA zfR_KG27r7IoB1`4zp{Ujao^=%)&9b}FSsB6@6x~ey-)p-{WlK%y{UVG{=oaI<=?5l zC;(9Y-p7C0JQOcnRWEHb(i&#Dc6&FLI@suv)(XbA=Xl8(Da+%#j9z-pdO0^rt%`Lp zO#IHx>fBH9h2#~|Ozuv*U_*u5tlSSqw-1`~jMOc8@RnIRS1$QqHkO?s+uqz=E)D zW@3BUVLTsH00|}En$C)Q9hZti7F z{mb^TLZf#9C#ddK&iU$8H6O(gn!fF-*6wR}<%rZzF35}88V4Hbr_7KV1cM@b;L6I^ zVs$}CXY>4w8_Thr;S%<)@`dMTcN%#es3%vC*~z!3O0$g zXAKq}n{W+n-GTJRB^(Jbg^BR5z7?+b^hCIP^bw;o#!Jh*1GO7pC|4fW!7<=Wk@{tB z81Ulde@lMd{5r-1oR?&dDM`S4)Q^xe<0#g%`PF^@Op)Jc#c%BA)f$m3U3Gwkq(NbU zg(~xhmH7o3nQlQ{cF%3}t2d$Yl^jOLLOgUW=aWiLxIZ0%lk3LfcoZSB+ME3;+zz=f z9M^ti{5mv3ELQW+tk7yqk? z7ysK0{;yN`KWwn>e~m4B|9|lLKS%N64s^{it=C~{ue~Rg((6$7!i5^VS~nlZ8wvRh z0pI4Wc%#smPK30hKDZ{j*W!b{%FDDGS6eL#S&k9Uab~==UuHuDA?J+B!==s6VipxRWhWT zyg9dm{D}x=iwGk2a}0tbf9ZTzzbK7No!hjixvMk$+wCDUtQdy{^%$E%JT9eD#F;>C z#mxbH5AlybvR`tgASc9!YI?3tOv-f7IXe~WRAvme_HG6>*o4&{cHe=>*3wozX9NdA z9Xp;F-W2=@D9csu@66tX5s5{`3a!#HWGQ@Je7gH7Dp1jCx_CiZviPLsWYAV91GaJ^ z?3)!9IW=y4d9$L2ptJ^p+=bp%!X4fqasGdONtWijboyqc44QKr>-^AlIp z+=kRsjto3mf5_APQmbX`67b2*)hVkNEQD91D{OAa?!{DQxZ(J$LJ++|q+-Qb`cvd( z&D%C?z#(rnhVTfkAYn5(b>?lrsBNnO_$uav?T9sv7NWUq(?a8ieYG7ftBhMWux8YXp zc3u4l=cyhI$V)Mv)-R6JemoGRXHzmvJ@I;nsaPQ$IaETK0Hti!pM=%-%qREc^qpC1 z?}tvEpS8!x3XGljAFN@e*mgR!-ZngV^G<2jL_VgwX&#ZxR8TG8Q_>Vh;d|40%B2d9 zW6|EI2@p+cxltjedSc3p{IUzHjP6X5kI4Olp_qag)1SSBa1^2~ub;oIz`LkTwT2|Q ztuMO$TOxkW#HY0Cv-r4Un9L)2i|+_8+B&_@L((f1U+L+{_rs34EzhnRKEGUJR$kxH z)8&t~a?3ltoGa3a@E*vW9L=2(Yjq)h*jl<=`C8i|Fo4-yia~$HEOq7%L`0fTXpkn( z3Kiv(q}#K!jF&`Eq_#_?ep15)(O+@7P1S7geUT{rB@~%YzmCoTrJK!x46dlm zMlu>HcuB|gOTFX}gPRU|Bu9UG9*bYL%E=N+$vd1f#xDrGVH1Xlsvc6EEuyb@&4kih0803V?NT7=yDa;~e7 zbA`kWs(1m|bMSiV)! z6q~VP`VEJ|t3DwqMKSXz(Za~DnT0Pd*?vPClfi&%)H`L@S}SF-prOC(^)gBScIKP= z^AfhHUASv@l)6xAGhZ&);-VNAl&>m@lUZMP75Y)lOEjtSsH#d)!X_wAup1nXJ}eC2 zu4yh>s)(KS6u`d`E}32`@-1-2y08*68FzQK_E6zSz()`cXhf5zwdTr&-+rsjk^)I` zA0@QbdRW9d;;Uk!SwS;s6`(Jyxf^xur3gp#)LuTfrYK=(W@|X+A-_vE*FNs&dRmbW zR3rIn?^SEC0{IqpD^hgg3q)J2Yw#(}2dQeO+)1?#6rzjfpVDNcXL@(3>mf#2x~t`t zd|S}tgf%}2(gO8%9`{ogi@9kAB@MDaCKP($HAPCQ=BSH`F?S%5*xsf3W83bzr0c2S zk2?@QnWl7Ulvs1SlrudI&qAbHaf8E=ZOzK3`U4 z&sAcAK*)W$Yibe)yIra~-tg%I6tj$Sb86wzsQ&JZLlgO&$c=>1#0r6 zrk-q=9C38tO#;~AZ?t;q1~f&OVH6CH2+8xZOT=jrQmr0%(0!}=mg;1_Gx^~7n<$-c za{wZTN54hb$%M9fQS=vF75xbLR$2tzH$~jem^0fruBmcQ01B!L7BX6h z-2*iD&oW;&KD}L*jVt_C?jcM#5hwJ$BJlzCp2^eWAD`;5IsD3d(cfXsGd-d78&Fkm zzUH1if6>MrXl5Pu{!G&)`hxbdK{IRioBh&ti{-==cd?x;ES4d`Eg% zY)!diG`xxx%>NgP$7J!^ZF*Dc^?I zD|S+_z8$DJ6Z$A@C59Af@&f*ITPjvbo_VJQ`K0#6+n*$tec5-Q9^DD0FC{!ZLZfP> zFk8%K^bx1QM|4x>HaP2v^X!dH@&5LKKd_kSyNttie`3lK{6t7(ecSIV<8QzR>3Q}R zlPdBjXs_`gFkZ&b$n@u_R8Cm;I8n3#8Yz2DekrI!!Ux9RIboODvR(;uUqdpa{L4qA zfw}4j-IdiD*q>AR<8@@{1YraNnD0QXr{=fV6?q!FFmH@f@b#@ZwI-%#b>@oy4|#7H z)Mm7X0pg`tvEWjQ6o*gwSpKs2|e3^4{&ig*ks|M`{Y>WS}3@X!j)}k9-h8slaEFA49wvBiaU@`uw;gI-jpnqxbjhg&(HUGRIe1rl_3 zRSGeLzW!xF@|jqryJUE1a4~vtBcjksWa7{AOu}K9?6a5vsOtjVKdc{|?|=Qn5_mRm zcra{B&Dd%z3Y9-0XvOO8IN2$G;srK^s$g8p{lzEx zg(=a>FXSI}=2N4+Zi)A3^0Ny|7B4$X%0$+pk7=+Y8VY)*=;R_RbttYSSl0X|bx~N@9He{HKA3Yw$}g3re;#m>xqRuv@unQtnlnLOkzywMFzt-X0Iwejg7ULn0l zWjIc90;C{nheghV0~S=b0TZtY02*eg35tAGYc^;hX(q;IE$z|H2t=FRlmclu9;1ax zwItMboG5h*4=382Qh`=Cvb9lD^)&5?IK#;tHsMasRX;!$I~nfrjR zYW&ns1uAWkZ2}1?nxn}T3a)`o6^R_RgzX3wY-(qTVsiiJ^d64wmZ|$ooX^b?DKIf| z9pYFlh^v65PO-S7eXXGmL2Z=}vvFiUwz$Zusl>a)L0mm*tV2Q^{1ZHtf*OZS6Cs$Q zq0}puszzgkfcmsLRqB?rRoFhfF^9%u<}9fq;pFAW&)zp5&x0>Uj@Hy}#9EYJWx-H; z^Ob*TEv8#jPQY!5R}n(3woB7f9+J1uKJgQ~T8(``jF0~6V5uEu)TWT^K1<{pSpFNG z`t_o3k+HR(@=j1^o&S>;Gw%-)_uyG~4x3yjm(Xp_Hve1x_fF*ns7~sNA9F>jUBB7! zQTDsF9(O^j0t{hdai@GwuQ>EyxpQtx*YTO-yj(C#a~41jcVGyO(?2Xf+e@>Azi`hC zu?DDgt9;X}3xzGa#5#dsqWP;^Vs`_Ve^?sVPy3|=hN=JJefzVq?&evRji4);`Nk9Q2k7RvT zQ97>)+>W)g_1v~@Ujix;u~t$PYUPI2cFSWcfiA*;<2r45gWodImEAoCC4ULRZ&dAU^Q{|R9!+zX%MlUZ zGJ6|+pCfjQ6iJM@`s5UfncS^WidQRI+;_9Mq zC+&RCq&ZjJg z4@Slq0xsgo6iRZjh1PC+Cbv@=bd2n@=Mn3Tv7KaN`(^%t`-xj_tIVy0Fr>n%D(5@v zT}9SgEDp8oa%tJvPkaeC=R2Gd<*LlxR;{RUflWoQ6H*r zq|u(MXhSGp|25RkVtfU<%xfim?Tz132CRS8U%Yl<=2>RnML6&VH00Zvn3q0I_C-S* z>2o4W^xFC6t~ES^{~_BhgXIsEV#u5-`i^K4T?EB+F*c9R@^iY5<`RT+X6L~Q zPzQcee#sZ;<4(eyY=zMOp zm5qJ$XQDC1$rdu_zG|?J!2g-rY*s)PShIC}vdqEo^J;=BtYO`OSzA*YSQ`RtqoAD+ z9Bld@RO-nz^#W?=12rbywwnJI0JE7gYX-TiP1`OH!)$u8k!2>v; z(A&YZz4EHv%<}T1_YL{4ms|mhaXBMum9!D!Yb?^%E&QC|?6QIAiCpXG z<_B(amOwgv-`>aLYh=^Mbnm;0FTRb+cwWXf+KxOdmwMhUO{o!6RU+&~eKpt8x<=3A zxQ8vnh$~9WBCNqz=gxtrnBE3|8hZ}LTQynMtvg^fjlbgF(99F#88|o5K&kRIsw0%5 zr&d?CZX;Or`FYB(P+JG_>b=kS2f`5$foY#*%=;Kz#0(tXEsg{+n zob}Ip30mr*HaffQ3}GZu^@n}F@UliawvqV7er7|sCDE|Qb$lB&GszE^xZEOfD?h`P z*F$Abn&8y!x0Wwl78yx12zuYLmpV+p9Juzf3G?(+Y_506+e<}i&>6KfwmEcziBMDG zm0qQu$ag}Op}TrPF^t@PtsZyQ7w0ag1}nsIcXDC^MaW6L{(bkZUn_xAt#t|1^qo&p z%SA2z`#)BU@vF@KVQJGF?U;RWK~IDp!lB}94x3<&R8!$~^i*?;#82-d_o7OiP*VX& zOPTg?zzh3E7*DYgxT#fx>cL}#iPIQu-ej`nNm5oIh@MX|DSuw%#rm>cb-G@ZG{;D* ztt?QEx~n8f8!EUR;EaZw@CLm`Bb5bLZxuYtx38UQx6hICHj)-tuYE&!yyv4p0sF;R zSQ3Z+g42u>ADgPH)(!il@OWNmlg0oq9#>JeWSw}G7H?!+g?&K}m9M5uwO2t04hCKI z=HM>H(Ay+&=|{JonNtcKH($c>tNMVRQT6X^HCM}Qcj|IQ+T_8HOP?&3{Txa#bNjpB zAr<^!`C&9>D#j!-cTWZ9{5D?DMFsJ(#bqv1)N@%tbq+dt%-*SLUufp{CiwEn!QN!k{Q<L5gQRaVhIt2_EQs1lJhmETd zs!`(;%>GP!jaT<_sR6rz{oYB4t}m)G0Qf9_Cf-o}(lSAtz1BW*uEeYKu@-k1>R5c9 z^Oa*L>8Wfr$w=fe39wAH4w}^&Aa#DZW+M99Q)}4TX!tv)5ue(=qD?6ofvQ4tVo-bc z4F|Z0X41GVe*K&$i^HaL<8gw}>O!#xNUT=dMXas6eR-Lff;K#G`8`kn9}0wc#T|fr z*2$n(WeyL%eS3-hSqZ7P@Lpkk-J*3q@`xPa>@Eh~+n6HhH{0z(;Y;2-;cw8r^0rd= z{o1oF&saA=76(axFt1059=7L@f-DiP5`TEO%)U-mvxlm#fVh?{Q19x<2It;3pIx$L zPQmK9icsyNkI??x4sv}RqHT`!J?;6YNN(Z|K13Y-MzM!Zm}^`9hytiG%Nu%;j0{2l*;=Q?SdtkZ-x ztX*s7_;~mHpx&>IR{7m_Mrvm%n-Oax(?-)k@(v@!bIKKOOys@HnhM!>QA_3RKitt9 znyZrt()Ok`F^{)Ia&4tZz`afCU23O;>EL=mJ2N&(IFJWd8kr_1Uw|-15}82GMn5c$ zO~9x+@W7&#X;zglr1;&C1*aFw>vY-Yq3a#i^-V6Hv&$2VRnpgrkMOWox2)iXjdU^C z(B#+FPvDdS+3F$C#+6J9yBie`@90#Ju-Kh_j91OXywSFm%bq4gjV%^N2^J7!g9P+m?$2O^XzrKE2|r|&?lgVDWRd-aO+oCL_-n>WrIq>^ z_&N;Oq3@NDD}!pLReo75c(1#}rBh=??EN|Pp@-#MH>0-z&z@c5*IQ1q{zVR+6$|5f z#W0UxwPNCcgZuIGqynTdKm=uxLl03UIFj}6^vH86<_EH&J&AJKt%l{0i%Q-ff4*RF zf2pSoej$|4Xa6e_Y>hi|6w_~L_eodlP8J7R@phw;rht??MFfI?C!<% zsLF?^xva@=$or!oCc5H>WQ8*$7Rl6&g0UVymE7(9I5JoqUt?rlAz=Qw04qPmu8?2;37d$ za-&JH1@!K5p~b1fT;t{(#z1NVfHKytw5s-I_G<*$bki=QyL>n(pZuUA#EyYsm&j%S zi8a*?{dw0{z{Gb8D2Y4g*K%g#yneEKM(z}fW9U=ScIwz4FVwNAQxnA>w1Br1np5{` zW5G!1o#VVCy^iebjpvODhvHU6bTzWGp-;6s{hD96St05%=A{%**4-c>Yf$UnVp@PA zWno8cY(v$G99vQda(>fRldk1sMF(L>>z~rQ51mhgbd|YiVbrk~H;C|61o0cV96FdpbOr@2-?Y=~l@KMOPv;m9+^+?akEnn#=)>3&HzHE{J9xoEXP}PntT}@ETwq94;lVk`ZzIUZ+ zK%m)PJFkrDRRb?i1@%x|KCJ2k6#a-wu8_}4E#V;tQ0cw&o$c^r6G zibrnCHs(luwT$Y}$;yDlX^+wz>j}-*DfYEx7hc2@ho z$=0Xw@tWYXE+9vduKB+Bz4W+1&e{;?^o(s+V5b2|+UhlzvT@EN@_nh97z2dlJP6e4 zU^hj5)X=O^n11{Dl(Y9sO=`U*o8c}MmR6;rP(fVFkOmBgw_sou5foH+2WV9Hor(}J zUw(87U>&AWdGY@5IXa-*ahmB$T_)!Phu{AfA3&Qg_s)oqu<)C$t86?A1nW+w;t65X zdnIk2yEdR83WGm+ZFGOuTxNmA%DNDDB0erS?85L$*zKwg&(uZsYt(LRAnCsA&V>BO z^TS7x9hpPG2lG00rHE_j*YV-R>MnT`3O=j-uTfGn0rHX5;!BX(_?PJ zPC+z9?%4!o^yzOOhy?RHeyjuv$lv4t!+Lew<|LIvBYVq-Aq$hJXR&ox?)TSk=`3an zzJ|s6YzEweX#U2-lM1s{wYwDe|2WL#2Sk=wtV4{fjClUu^{HyD^Z33f8JM>+DiR9A zg;@b;?NTGAnL-C8K!2ETMyA%uFn7i70lgV>Och3w`f#*yKO|ES$;9WX9W7t+#SS1d zSo1T+v}YJomDjDz>F_e2fOMwf0!0cTGrbx`> z`14&gw)O8p8R~p{kMEr7xd;7&{lgZ_p2V<*#gbu25IvjqZu~hv4(PP+rOKETX#70=#dP1sx@J3J(uyLY0wliE7V1Zw70@4O8 z;~Z=WxUa+={`=)!65xL5zLrfmry#Qo1)%MDZU*$di;M}UFpYb;$z2p;Ra6z%`TaoE zYng@|ZO#;Y`dd0+c)i;3K@y`Qw^yq0JW3sgEx6VQ5XPv&W=G9Acw;qzmM6Z^mRBvm zsUWl2Y3nJxIOw|j*j1bIJ*;Fr3q;So3ea}`zcq7!cXHrvO4*u5tIWiZveRW z&dP5Z!ZGGm!>Am~?#ecwkEW+X4Q;x`ykO44oQ?+d5aNe76)&mHXm!o~Ts~y@b{SYV z6jL8MWF&FM){RU04b>)xDIMhe!%8P7(L$rzSdV||fz(q+WhP2?>HC$>zWtHT(bdkF z)##n(d*IB#CCIE1<#9w{ExIvOXphjotV`K7WBe*)-84yiTD=xVYOO{@hN>7XFfU#v zrITo6HzC=7)`DwjTaVN4>yb)F`wbW4`Oj&dL-%|rs-tj$ymJ+;zK9!XTiFh6JSi%wDy<`2jllIFb zLjA{^NB%ppR68TG49Qt;hMk*`Unot15Sp8{@_jpJqQ$u5(_r5-de3PeK2@65Bpy8> z_K%In_x{5EhDz*j+PT(5+{kRjPQK3xj?ulLwjfntZaH%Zw<^mzxhzn#`r>fJ^E% zhQ3c{d$lC9ZWhAhSb3a<-(dz@W|UZkXwgcGf!A1!>!MHRh+VHvE$R-yd;(#lfkWn* ztv+J;6-6#htvi`YxD;r1e4U@RO-(zeO8D&e!4H3qHT^C`d5g$8%&bd(au5+uneo`+ zC3Eg3!1-;$U+WOL+0|im3D%DQ5VHi*$y!NifhqrrVJaGB)wy zz>>6YQKKx%YUHK7vpTs$8{tzEbl70azSU^_b=I|ieqq~WYOv3sWq37DC@9iK$Mept z9T}H`0?=8o8TDvGGEngVzIbU%tEpbYXsP|)OCtU^{e$C^75KG~Rg#v<0L&^D*~pM` zlwvNVoX>R37&Z=^a#~vW8I~Uz>xrrmHwhT=rYc!W9X(K&9zeIrLjx4-trnP@1)Ve- zuw_i{m-ZyLdzTLINd(vo|M2fF0JB)@095*N*Kb2U^dElq`zHCL?Ds;%;s5&wzH)uS zrOetQisvF7leD;Z* zC-Ygr#GpRSYc+nwFZHA{)Xvn5y9-b9{$!%CpyI{o%O<#yTEOi)`FedXj7L)mOIYr} zUC|GaY+hIRC+-%zp8na6aEvg0zC}1vjpY+(cvnL{ZVT{T)pY+$%LGw!9zy3wi{k?O zflwy_w&5N#{E$3SO@fbHQM*43^exHsC0e^SA|d$)sFn|Qu$Y&efxwcByx=={LjtP; z83Ey@|4+5*U=>bWL&54$m&m(DFlXaQ-(}3nukRhmkO^X6v>{BYj`_@w(GYqO?(8D3yx`5p#g4u9|b7!%2-c?hkbUQ!0nsFotKuQT% zg%Z~c|Ga9YBnHG&8~npcbo`-zOt^h5__!k>R4h~Z71McYtNZ4&{cd!-U~gKHq2gOG z$90>Raus((^s|^%hWVx^n*afh!y$o@Znk%bQn`7ejK|S4d3@o-Wr(N~X~FAF3f-Dj zZg?Q)dGjXd5-kXJYO(o=CBIIi|GU|DlQJo2Ie&k_OHRKJ>KjN>rTyY;XS5 zl|kvL-Ol}|Gg@>8!jYlw$?farZr^QFMod|XR`wfzlCmv=6g&s87@xadpWEBn)%n%4 z#t@VHxPMr>G#W?T84=5zc|_WU;{BMm?$c7EP3US#nEKgiQc*?o?A+^F!Ar#u@hUj~ zHEYU0tcVs%2jbrmFNb}8*WYAAhw8V9=JjysOs38?@AqMebs~3(KdfuwLsR_LE%@CA z=UE+KLsZM{&1{jCt%!k{f*r`$CR4lk#;nnvYX@slWO>mq$n5RNmDjOsn_f_sTT5&u z!Gbl2*xnMl~q;aIvNu#&WWAQuPaZru)(Ebw}lirJoDEyaL)mT9St#I zl6E>=LHOld+pOkfLje4mN=)BNpEy4e=x<}LfCT094`!F9l52@E6uxSe8+(UZn)-ym|Sp***|F&ZCnm2b%(z@E=Tf{5;_O&HaHD8VLA$F(JDwzC8{ergk(kd-3Xj&B z=#x50d3!zzcHk`*igQyq`UbrAeVjGOEOlQ*H9#kE|E8P%VBo#`R6y6JDs$V(L<94N z8Yc9_fORhY0%m;p*pLE1TAoDC$Rqd&{zsX$H&W%vogEg6#&?*0luu0>)N+)gO8Mi(G#F58{8n8^!mZm23SX zYGmBdwVN|C zF?6+`%5o!Te0OjIUcbd{HPfWYG5B@gSYG?G3-!^aePNXLjK5^pC4vJB?hIDVUIT0f zhm{AJm(Toyz;)c65+pJ;OT#ZsSy!J z5Ihr+T`iI8TpCyp3{m8M8Cqp!L8N*oO7z-W)#%+RY+1?-;N zR8ggiP#Vfx(lD|0oniQ|;_AYh&@Eo(skcN^yp*Y@&U9;G;ir7!rJ|-)8h^?$bo#=+G^1L6r4Ny*(!>a)h92`E7!S#{E(8-DaBiwwDdk;#-d@ZA8jT*Z5?mSzj05{*d|p$b z^LWnz5hwqv+ne)9+hWC_d4zh}GD+Z@7nh21FeR+Z8e+F(^{eilAD(I9I?rxLac#E& z(M+$j{SaXK1?EyQ*jgDr_-3v6pr%Q&*`?N0l(0cFju~O0$L{pz!|nc}rXl__??9 zfJ(59^65$q@IEZ&`LPRv>EV}$&&upiiHGH@r@JXxIo$KWsvfWnVEJv%%Y{Y-(JxXE zq*3PcR9FJwbp;i)*}&h>4rSv!g{FFChKZy6wF4*N$s;^eIRhw!p2(|EY7Uj}ky`pg zj`Y=MsN)5?7BPLn7ehxrK{$#=VD>6pt=jGY1BE^RuPN>dn08`hY3kGzF&Pa7UtDN2 zC?GT?ZpTk1Hh$4aDZ_6LxN&jQsBr_(8HT1r%-Bl2u`y%@dCFr_lUf*I%w($S@A#CI zJDnNZJewc~lx6y>y=Rl?V^iIS99ys6)Ttzne#=}StbHR9R=m<<_>Cuc;%bHuS*gTC zr(gwvX{qNJ$3vrGu>?-h!2St2CR1I<)pb?1WZu*W@%_oKnS(8q&7KC%fBTv3VmJOX z!7ybnuM$PY0O#hWn4e%vR|$xH>}+DLPK@Qa!#j-q6+ZFkE!X?DfXZhG@s;}#fYVD&J^i>KM10Uue@xD6C6L$sW~W#?|} z;7v^Y9dN-W$w|%G8F%h3z zJYdpAr0;K4^>HOpep>6zw1*fFCK{nJl}OA&GA+TM;A|WCo)K7TqPX!WikL2~O*OY$ zXQ$l8_1+`fR>;*pjIz~h7Rb&}il>m@O|&%aj};#I<8kichjcIR*fg@Hr#l}tQxyRz zrkqPEaH%vnI@9BXN1RFA*mjDVhOr~X=w)O2Bc84M;*d{{skmz?qlzG!^p?P*{O)+e zx6ittT50OfHZ=wZc#e z>U)>EVB7Z&ujy>s8QAVWcU+BZKrnGIU}$^L6C|1;fH_Qp^kn?7?BV{q(I^rS7XS6a zYF!!K4waHzhki=6H@id6+9cU~@S28}9OFbb|(`h1cQa8E979~@e_T@s# zGLQg6>zKE0%pXTS!IAHdi+Ow)SCOe)Yz**kw(yrjL8s#ac&F&hpia_v+;B0+A^O1O zE+p|2W?F^cvMOdDUKy~^R^V+=UN97drT@c<%i5BE_UN}Tp2yTUVB#20=C~p>u|->@ z7(dN$^mLj`lQ2z3=&6-9;wfoPqgoHdQPl_OGq$U=h#w8deFR#zBp*zjf#pHeyO(0m z7D~*sXdKI%}ttG zKqFl{EAqpvu@y(GptLK9ZOy55a(i|PhZbo|{Pv?Fcb9Ps$SHY5Ohkqezlq3iEDNg|GIAAW&TL-djDbNzFa_-OvN9y1X`tdVp?@wiQz1X*|6PzSTuNWh{|IgLkJvtSqZ*1yZ8_RR-&!_w z+;pp-20RBCBb~~t?E}{}#Xs#5-*z{D_G8rTSYzyOHKvqpz4B?}n|76PEgbn0u7uWi zI_W@~Y76qcf)y5ilZ+AAn)c9d@a9Vk^tEr|dp91h?;+EKb;)JWmfZygRjyJAB>rsc z`mSw)-&zQ^xR5ia{u=NsskPbBdLs!78Kko`F>%+Z)sVInSI{71?o!{Wd$qKZ$k>&-ls$?YjsmF}#d>#*nOTGf$na&?T3Z?(iH?s$|E{+^)+7MJ+R#r86i}xnHw@kY`@*vimKs>v zcO{UfJnG)&m&?)xm=)j6UXHi9SIh{U>nRBe21n3C+@?Beiu$|&@&>OFC&7D9^V8NBuA zZV{ZK!_6P)wvcOu;Bc=6`haj$_5FGSWP?5GNyB#R`s}vo(#+g@+aVw29fFUeR-I_I z20m>Q)OV1_b7|A;xI*%!w@XpZK^JW`n z*rWgGDY2W;s64K2yvUmwLpXtS&qFruO`^j`<$0oGUG>ZV;B`gEc{)8jzu;RchQe0}ry({5bwC*TeCp_+Hv{ar z!XqIeIxC`VSqGvd^tAHXU zD`(}sROgF}mnfSz$S)KiPvfnlHn%aTr!*khw?lzV14bHT6h9}NCh!Ir+W?FTBD^ZOp9& z*oxiKQaiGkLTYk6;9av2bHYH57uuBI1EZr%_Z3AG(?bgPk;(}-Y7+5L|CP(}EzxwJ z!uZI1i3UZ(rS=2lCDibse0UrOmGEZv#uDlv+$t_q>qfj0NQzrQZp`kSD71%?%!6Sj zr+4~h*4~oE74j?0z0@-f|J0cCU>vE*NGo{NJD!Co74_QcWiG#fbJ9$^J7n8D+ml@a znKSp#E;omprgxRY;!HY&N4js$5~%x58W>;LU?E=xK8|NdiYNadL_0QWdjqnNAXrS{ z%|5A_A?zSYn6f|9rpumnbgCz1wE^S3a#~oEv$0R;b#CtGKv>)EXzcnuqS@vGKSvXd!Gl3eAilgG{74XuguN)Jzmt|YeL#s07&rZlx3QG zCz&uQo;&!V)2HTZ-Oe=lWES0Z5Y&YqiLyymd3CiMKjb2M=wKcT%Bb2CJ)65Q>r}@o zkJvOU7#b+0XO=!CmbUPFerzU{lW~pQEYRI>_6KqKnKZ&B+0{~hG}fD)!-HAQ3lSAQ zg^K^M{sT``abSd4&^EC8CJ8+F$#{lgpJE_^;FrDofPRN_AN0c_213)+8J2|keV`ZsS2G6s}M#cU!!)LS@^fLL(Q!=_Zm^Ya-*1-l;Z zVyB*~jrU+1!TCxU#;AQ%;Ql(#q9&ruTMfRht(Ynl@yq^rrt7{1Rf_YG6AIM-u$*If zOomo-K8;V%lwJ=|>#7muxS|D7FiwM$kF358P1?yjfIC<}SL&T+m8}h!rpjyI91Cv+ z_Hrr>$jyunUN^3uZ+bq<$V7=V6)#LH7LgWd-D#aP4G?`lVGMN?vR%JJ-*PelglP4i zV#lFAuV$_i6liBCo3by}8pqHcd+qBQx!4_6NWLzml8x-A=t9KkRaSKnP0JbU{;vMb zL+d#a1}zdbb?G|iEXs$36~~C7nzA|1PA`Rrt$N0kPZd&b^*avJ8c=tmZSY>Htooae z--87_uf9Mwy?T(1L~M~W&R^NnlCfQ`D_so1f0+Km_EAdTn_x6(yUxubbB6C4DAKt! zofbI~zQn;Q54GgHkt0*0>(oj{9)`+az((Y1Wc6j0HfObymEY8|_4DQGujOK!yeA35 zLnsFT=I(wZ-#IW<^4sHSX&UK4(MOBrFRS{Suh#EjF7l>(!Wy#ZC8Ju)`cwU5_ZK=Z zpm9|};SJ$)S!O<~@LZP0jR)$rRf2a>EzZL9v#KT_i~KNhU<^;jPZ(W$z{H$O>ONG7 zMSR^vFhO)xHkd5^CGfO;J_2M~KW{Lf4FgO?Ckf?63t!Fy4rpR!@AMkLDaO`k*?9{g zEs_biE26^8bo+5A|CYLTzFN09%aTey0T}H_@2(Cj+b!^wHIH$F7B?&gM)QIJF7O}n z1WORxmXOF_F;nrZ>)Yn#D~}PZjFK~vgEqz=YOrTXqtkVZFy^VtHjFsNK!h0EA^SL! zFZ{%}ajAlZnY^KmV?{6gG|eBi^t5Ie8V8X=>@MG1s{BAHYK_Nj9=Y%c3povqTV2dD zLBj0Do3K|>g1x?YQh9G^3t{)C2l(V=d8YGZR9}z^=S?^?(-)w0i9Ywt^z^+;JtVWy z1*)A<)i!m*9pPJT*@{Zg9 zZQ}(!Uk}vgV@kQ^ll4>DGht?YX-ldV&dyoFz1uc{Z=2T{+R3bc+=^_YhGmf_x9d<6 zGh3j4VN&076$9H++QPHcak1H4HLslcbEo7wz?tH?<$I6E%QPdWnP90A(*6)Uup(Bz z5SkL3j6@`Fm+tGs@7)l&la_TX5^7IvXiZQS!h3j>Nj7iuM(j}c({$!g zmu^9SKA6mU2Fx5rG@B{8?dQ>L-v*0*OaI8^z0<})IwAERBo)o9izykwj;fsAXPw!< zWb*!hQd6sgA$+YP)xvI`Iq8>T9^bOub^EqkWNjBA@1XeM4(QnQR>jF{r8QQv0 zDr$X8NF6&gi5lreU&E7RcMQ0dn+;rMZxIK2j<}IBCO$Oi##;73>$4~ooTP0K255dy z_&|?c;OQx@vo;JMoATz<5zz-w3~Php%c;8{moB;%^x9H>m*g#rhfu*ZGpVv=?^))_ zOorCmdV$+Yo;#mh9_4q<49&%L2%l|Bx~iMj2r!|)ez!;h zb5P~=+IWKecJIVEJ}01mClji*PU;oO{KC#da0sZz!tSuI8CsH@rS^FsHm37H8D)9z zbV^s7W%ePsmG80h*;xYBW+!1ljKNv zq>o>~w(uWTX7``(CC4J46=~Ust0O<>$KLAv;1B1e+L?f%4-&bH&0|1YPSLlw45tRA z-9f&*2cKPmOvFcUBVp|0uRO=Ex{h(ip8a1GM*>FI0Z^t<39TlaB+p12@AV@~gVX>g z=amdqT3D*s(;ev&d=TVy00)2)Y}eZUNsjppvgBJ9h5<;r;e3%Bc*!MdPNvj@dWPzypVp@8+YdiH<1emw1tc0+fv#SYvuP%P(J;aLT0V`J$W!X}N9P zC=$fbJdku;Nv;8{d@%$~(++UVo)Aqo@KVqp{fdKd73^s+NF6JD^$YN)4~OMUt3j_< zy#b1OxlD>mBP?|?QymWa%!zjm7$r{~+Ac!V&A=da!YyL|!AWcE-=yQ&t$j?`Wy}db zh>aMP`*gf!Xxu=PO2nvF#ieei{OS1pb%@Jak13ZdFL#XGbcxaEKJv>wcC&t>koDU`V_ms^k?4dW7h ztQ!`wyaKkpDvjSP4rTAAvT;0b87E_wDx&2J)o&!&FKq<+Zh!&Ok-~}f=h)IOH@HyE zVb0fz{(nuMc`gX&=Od&UMyu)53C6mbj~Lg!JbpR0f(7N<*pr=Z0YJeG8rt;Zde~~) zyEM7sQ#+A0ELICmXGzZh?fiuEm8J2!^<6a;Tyss=e5rRB?gK){37{Y?K{O52u9z*0X_o6JAwImLt9^Ad z`HSeNo2{(wsaLs#e#wP@piK$QteQvaD)s z4>0``?^178>a{74RGuRx-!N%|3F{q~KIT!751L8F$HBF@TmVFGT7smBe6b3pT%I3YX8rpOJ)&$$|~^Yx{Lm%FHrlS zZ@naMiAd|D&9LQxwB$1C?7b6$kKA)%j4j3j*B#x(?$`bzdOnbR{8i?Bfuqy9dSw7Z zAFOb*Zv_6mN!*)jLIHIUy&Vy76{=t$(j&9rBd9e_!Gn3_ThRo-)40JEQWQIx5;YG>;o#$>cKxVf_v|5u&OgLB z!eh#MB;`zMVW_EU>kPDd13BwfOh`97cb_vMLI!9J7#Oy@)EqjHUbNB-O3NZt7}&1W z9tHsmaaN@o(h9W02S>HeV&D48Je{VgoJT$GEBq=QHkwR^-{lkjU1gQ%P-1x_$WZzt z10<0k|6f**`|ze&Vwc)k%CTt2;(#sPPt=_IkHq(qU4D(wvpK$u;BBM>qxp$ z^2yn(Nh!V#nZzCqo$n-$tX%Z*+%1D@m}w?gnGByKAd~uAL3t8mEot%DtkKKe3Eo6D z3Rt3#2~a+X#gEBV5=L3znBqA3P-()q2amrl+Lig~^W8xri<3#4B9SfKltiCm%d=L?H$=$j7nL4riqSCMm~!(sv}XFbT462_)T6TS}rXb%&!_ z@&v$Kv&=ECaJoq#i370iKP!}Da+Jtq|E~p=JTi1o(z~r-;Wsf`8?wYy^j+(Zkj;C* zct18tM1qe4-ukZ9u%A5`zb{gi-v5)0WaqwL^UOKIDrT9{xoDLi*QH-9__B|*>0w&&2xgauz=ZyUT4XjIX1 zEo7Bs8B(OS8VUuro{cou5OaF-tyz!nO9KPXq!~l%ZQ+hJ1HsjkL{%(IU_cgscnUa| zWACA5=nk~-tu|G?u;A72M2w10)(ppOcM}}D-e8PYSML!9v{WLtZjR@ls*O$mc7|#R z>o zoN;|>*c2i2j?B7jy7xfJw)VTwV2m4L9eBF4=@GLkY*cOabEhq}i;**A#Ne3;NVe^6 z91;=b;3<|u&vElWy%kSWw)uYiYI*VIA;Pt$5z^6kk6PyxUB}RnZ2Z{>KQSe z2*GG43-;lrY9?iR7(E6se{zvn;KPvoJ#?w;VqK4(LHe)O`q?}bil{BwL9*N%DVAj_ znGPhu0Od@j9&{RS!r+lPogXHTTS9GWMxxBw+BtayxWJ8I`sFkC*F^3~tUQKxzdfEd zeLOQ`AM~FTZ!Y=;NczB99o=p%|K@~8Vtb|&+jY?ha2oZ6*O22Td8TK58qMgKx=ZIs zH$j9GhpknEin{o(dnKx4e1RW$zUc!P?}N~?oZ8Q4b|l&sw}=4~-oM7U_NS_CJ#Exl zph9sJx95Y4=kMs7RoA}IR4{!@6voE7kMC27)cl`mRVEK8?{81%w>??5OF4NTsr|oU zdDwb*Z`W!V)sSE3rruuQT7=2UaVjS1pONXY!WqZMArRt|Nm$?=wB&awqdBHbiL)N4 zAPDkRx8c%YeR;;R_l2NhvB49w^=W^nH!q-$t7j-)(vQ1U2_c#+m~|k&$bC@{%TX4EDseci2zQGgZ7djup9y$=@n9Pt zQ=Dl4z)RA##m*l;ZJX%?C^2zF5&rKiyq)>}|LDfWefYnBj%2 zY+O8COu0=gY%B_Lpdt>Nq5b94N?bh3XTnMbF*(DF+xQ|1c0O&z)Fe%4AV!tg=jFHY4@+!%9yvwz)- zvK}Ok|9bw0e3RZyD4pV=k16t?%?tg=&8kDpb=PeCO+Xr&eplu>L)T3AAH~^=H2DkM zpAY#ir%#n8O#r$M4Pk%d(UE(4Cf8I z<2~ZVPhI_CV&deI&OOso97`^qybADtMJ~$>t|?b{Ax+Eg>7hijtb20w=zs(9ZB=+Vp?;Uip{qx^IoQZmAtUhr1 z4ARDK2fw9h7w~JkiebKxk21MU$X)P_&$oHOziQy2)>3MJk}&cltWhm};KvY z>S#)-WS-85?#HiDaQ>9xEw^QnqTy{_g7jk9qxn!)ZuOtCO0jnq)eP<2f5toh5BAO~ zx{V-M(@xCHEHg7RGutsUvmG;YY{$$TGc&~`nVB(Wwqs^y%#p2dE18;1R@)fj<6ZHcugx0Gv1+K2%=ulWP} zTS{F6S_@Z#zk`9GMp7HsvD~iJ00|W@;$zn?3u8?NDm;#gSNuhUVp&<<<*`5wH$qXh z=w?laF%?gku@hG+hwgo2JLam5f+?_KlLmkH@wv9C&pD;T+Z(Yv;?3SVCXZt=P{mIq zV^PyJrCfSm#2=;;TOfsWAF`6nM@$FM__fgpub9@a*oA*&zEK!laLoD17<7#N728{5 zpypT(zrCpLw@x)xq`R=@x1XsGSy>EW;E~-CBuZKafyEVfAxN4Y3=-SO2$|a$68RBn zlEvU)kXJWEP@Q7eKkE^kS{y3E94hyEX zJ1bcIo_U8Lw?{WhpyZ~R)r5DLT>^c;9@sye!E{31&{zE)gIWfDkKhd#$LkO06m`o) zJP(O&38{dSrLX2`#El43R2mp@wO_*q7qE-pAkdTRG`wNhmtVwgPlL3mpLglHFm6aE7r=3O6WiGQ-z*-w*hXC_diHvYsmvr2@JA663BVySXqU5#H~mx4uE!$Ixr^uL>UXyrK#Ev>W0 zr>2r|4JxX%+x@oi7_~rEJx9JpHAE;IMO7pWxk@J2MPDC9TivO#lOM&xJYwm`YbwI+ zVYQsd{=7)idPusCX$F4N(3Ebkst+k^(9nrf!aswE{YyvOK$0e-sV<>+BYu7C`P`-Y z3NJycPy#ph9Ubr9Qv6_VEP%IJC+GHcfEBUmO*lD2BxtEQz~hDpiZ7sK7+b-AdT%m-nLgi=^X zmB?OA)1<0qR6O#1ki~=PGjP13zMlpuK)aJZ1OwW<20eL@Ja%C}>^$#iQOM6XKI|N= zTVK;=*(|;qGC_eVl{)`izOJ6?>*NoU@z`=?N6Y%{DqLbUTzYn%4C%WX9GB`UPNOIB zW2^wLsv1-6@E)VcZFn*_i!4m_tg6!MV!OQDHv0p{SV)74I89v-L;T=MdipaiiK;5H zJ9fV`Q7xM=T#Z~sinIM%#iw4kOdUY6g;`BTBYK;H5!{qTdB?LLHL3mf8?6?>COnau zsggam`u2Mg*qn&`hdF_Q`T__46&eci%YT`ZuViduXkc?v2#G=J5}ed93q{V#F8a>w)zw1M6vtq+ zQIa!ZK7XKSzu-X8zs6t{a7oa6*oJ!F`70XlgKV>M8hQjQ*1?Hd7$EaH`e35N$vWfDJ(*HZE z@P+AkRMyM1EMiFL;SGv0VZ~Y1w=ZR;WnSRtQ{U%!e3(Qv_vteN8MSt=te3O6{vuMd zFg;1n3Yn#sD2LZX*X&}3J$FJnrNFd_|5@MycwSy+ch zPPV^0zo21n$*SZoAB4?lCr@||AN!C=(jK{KY*pQGpEjy~E7lCSY(;qVAyX8_3fPT! z6mpJ3OT4<#C2iEyLbl#$q?slKeK>&A$k z{5?@WCZT(&V<A-14cp?*I8bUvF`^NHvJwW(4 zJh_N{p!y4+hf6Q+&Jg?#R%k_uJ|cey_}paPLNQkrpE}zvPdU@LX$&7n0?vB#;LkR; z={X7D6HLUb;wEsv*Y;-|tEoOG43L%WCZOQk>%I)Hmb9vB(WB|VijTg!AdQutMMAn> zUcVa=$$Tvk$sBcqtwsyahsQtmDoS|vXC1=&vW0u`z0-*b_4-qpc95f<<{!j4UrW+G zFBzr?ywKo;m&_j-I)L(1z6MLXX*XRK^I{fR6k!!RTt%0*v~0L8!(VFA)7`>{@cX+L znc|?ms~hRl9ponlc zL)g?aGV@q|dTod6gCxz^mWx#^Y~q}Iq|d|O(tIITAIO9rUQBMOxPEWLirXkzhPPt$ z-Md>L7E_AjXlf5IPtz(ka=Kfh!#Q zsh?@=kG!A!sI{vW4$D5yna$L#?mh|rCD|5KVbi4LA+EXZ-uundn*sRn5}fAJ^uA(d z5oxwf$pN=`(}=NEmmM%p7n0|)h1jjG&&8q<#_u~Th?nf79etvJ7BwMx-%9;Ob5 zRZ*4tH@CVBjK8e(P7#iVc@7_KI7N>6|0{V1OecIDfjjE5cEa<~Lp0&1GKMyyx zwGQsTEEiX`^=c!lrnIv&h0C|jmr7d3wr&5U$oJdoF{aO zzmutU6jqISkcWLM+>+n()IeQ|ZWAAIH%`C^HoB| z6{ky*pXPb2U0N^y**i9yQB{3m%aUif^xRH9&Z0-|j4)QZB8V^elvS%~S2KPI+6l`f zpzx@gX!6G~%)yawl(xK{_+r7BB}u{VjPbVzz&as0XK}R+o|@ZVn69KUW|$`?CT{D- zXPpFDy0Bpd{Kmc|y1y0XogIWf)0XHOf_gZS@;#+REA}s{gm0&eC3(6Qb!Q8=Y~BVv zYM#<@5cV42LDuWHHH95#yW!Suikn*sQaxN2?lN0sfm_?{ZMqoYPeoW+>{aYXHd%hl z6Gs`}6?2Li8K1QgMWkB|(~_!wpC6yiHtqNmpPpC#$p0f=HJaH@UNPC;QDs8aW#}|8 zM!+6zcUb{(`u8WOUUZV7{Wp;TPSs@W&AYRfxHJ(yyt&ur`!(DYes{Iz{?8v@w-hTT z!9#(Lf{$_V6eN;|@Kg91!>SI{CsK9%HW~i5_*C@lRrFlA8Qr>>YIIh7MIo-C7Pw%i znyOfMt3~t+pFdhTp;I%Ya@!6|muOKvVK&75wLrnQ9YgO!6&s<@IN?j=wr_ibKtcc8 zmaKl$+kbc>I$)iJFOcBS77`8y{DS`q3yyOkpwOW)Fv-}k$l1kIOQUR&)&9MF>JDik!Uw=z1ptWASR zfRuD09Qvw6@l`zbwltZ0qx@AUPmb6=|B3sgD-6-nhv`y9)=}M@;Mcm`kWR@?6H4aG zHGh77{XM%f#2qIbAM9jM=>%HwLjK3#^+8)4AVAHIf{o0A7YQ0hJxvJiGYX83v%w6S z`Teo|$8U_n)>-_gF}t0>%AY|((qbR<4~V3@)|B#RnOfYmiMBiQI|!Ywwi_}qZIWyw zmL2t;W}eKGhs~PL=w!rz6yTs|yx{99{*Wy;S2%k0g#l$y$V-GwQHmq)6M^Ps3-cW0{l zE33WF0&$b^kSqU4o;))~`*R-V@tW7TcU=IP=`XgS`v#Ge|SD`R*FZ(V_A zlg`DNTwe6Hcb>RmzzqwxgJmZJtq9wJu~yKH^+1c8g8A?Lf#L0ZM>e&Mk#Z$U)(*x= zfS0pxf?o7q!^A7UIF@0u;44v=%SEv%QAq~ob!&A)gm6$scNr)hwz(q)y3j38rVw_z zFoeOYy)6}^p%QV_gEA}LKE^uQ+9Bq92?vKSg1&wSPh;*vvuO^iGyfg2`<0U^*H95g zE!Zn{S+;vw%626+VX@qS-rPBxxvds342zroeDoKPw$nNPZqbbf9HT@*m+(b;D0ZW2 zQh`fTEeJegxPr`YovUq$*}^>Dfq0v8(IntTQr!!z8mOp_0gCTZZGw2Gs0M+UGA1jZ zjXJI~nMSQ8Eg+EJM490`r%3@zC6}AcW3v7Pl(;lX5X-wQ3)$RJGLq$}%jUz#TE$Tq zNQ(SYU9C3lC#VwhyAR|~{5wb?8#^-mqAdzb!Aulqx65M6C62)>8WcEJ#HshHxw#{i ze(TQ+_FL}jpZ&;n2eo;9;jHj9w7LbKDmQ_+B7$V)GlP+AdY_F?*Kvl1($4qTa z5TM{K<+E=+Yh68Yt!0<`Y&&H?bmNcWrBd33O#=OrV9#Qenn>&c)xi~v4HI!INlp0< z0f6}YYal%{^4x|JzZY2GCqr;x`UZ8( zPtRB+YcECZvGqNq1mtFYE4VhxadY0%T+=kBH)8C4!;X#z-%>a;M?UlXs48&TY#^4< zhTAE=1yTzra)4FjnSxb(QVstD4 zI}Y1KS4SCLon^Ef6E#S-wV}`mo_>sPIiDV&JiBGO< zJ>A^Jui=%Jc<{$kBi@=iZ}<{1Zi1oN2_Q9CkaIhd%a=^vXkc7B0$V9+pp_q()O@ox zJ}en)3H&`Q`luEDXNdHN0?nLkn5(A` z-o_LtU7+pY10F<6lW6clK+&ME;%y+zvV5{koaWRZ{=zL3Xh|Y8_}7t5dM3dDA#h~yh?w!?~07rx}U6DXQt+LPwf4&d9#_(jjT9_0V#gWc53&CZ}7pW zqq^LcpG7)=^zj}f{y4og66ViNyk|mqv-~PJqH>>Y9nP0ACpF~&3gN|_;~KdaD*m9@ zzJVe5f->oLmh%rn9#L&qg4nOud`4uhtr>-ay>4^R8Y?R20z$1NZQmKmq@=--__ZzF zc4}yIq|BQ|}g)cZ!q!g3ilc@xr5W7~o$q|)>D zmJtPbZ9MF08oEY3u1ANw5C{(lG@}sxk-I|N!@akBL>e2qK){2OZVNSN?s`;;nB75p zl#REsT7x2Sv?DhLPOFy}C}Pfc;EP^M>>v?sZrX~g;EU{>>3L;gmmrw@r2G1mu>Dy- zQ(x<9cgj#vSJWQ;--rL*5Oj)nsl1j)2@~AV3>Z;9+Yja=d#CKwWB7CJs)TpST`&Ll zNB=z<|L^`cBEae*4i-9@j}OBPZvyWM?_iL}|MmMZOxPdH*!>`pD@ktPEgT}9XNsc_ zs>*QBeR0sOR_#vKUW<&dC>3`a#UUu(UZB!XBC^<9JW+psNcz=JZjFkt1pR_a==~pr zrHm_SI#i;gDmS}KJ$Yc@yo-YiQ@1D!oO(#$>)w`*(VG4Pd$VcC+haFnvI6VGP_FKhq8Fe4DoF%4g?jV5!RIM|Y1LSOT|tvGTbt4QRkll(s7rD zbmC5MwX;F%Q^M+h zl7kSvOVLiJ!JlKERPqlZF39PrX!{dPLTm|iVEN?v*v=NUlwd%XVvUK-lUZuv3ZUP` zX3cw(Lx;S!o5ez&Hz@g5=8JOZYX2Mb5aUzCM0Bd3y2G<-V)rE5nod@cTsAERJKGuf z-RDIkhT+BnLn>oE_9-Hb{`V+D2*Uw-Lzx@sg0`?rN6*LWI;N2!i5Lv zVcmUeSbLE^e6lpu9u45^8&In$`f=DCQ~6t3pe~-lZMC5po*AY>13ApynUxl@SF4ZjOW!t{MRqytbx1ojEaF za@+;0W*Kts1rI@JA}rSlo>r}&%+zutFadRy&G*&WxqOS>%x3^4ND)FO=HfEDtwUMj zH91@+q|mH<`P9CT#17EEaw|E2Iq@38uzSEIS#m%y<$I+r+b!0>;f}t-# zwHtmT=Vect`Cb1Y{Fld%K&t)0d&#_?6-gr^)3w$yI_(SP%tgCv3TEiRXP}PFAv>3{ zLawmd)Ep>%f6H}zM!Ao)vSY9gGA@Sn?S^4*=PK6iurH>zmKP6dkR#*PElmbMYJE|e ze_{E~PECn&ma=g@4M18F8g@Sv81MJee5OMxM|82rc*}M>jRNgo)Z}B)p+hFfP)SZ} zq1Nr+9;^8?$Z89$U*N75G~5IF5Ut*jtl8^77;6O`KEU+l^iT04g9w(~# za-E+^Zi^-RiA9t7nYb$(m6sjQA(;#Tn6?r8PJ}A0p7b#ky}Km_7)5wmrWdPU2E(Xt z*IyRYHzyPNrw5~)+5JBq7#dcZ&+OenC>v7WL~rrA-0babZdKffH%n8$Kiz>l%xJ&D zWhh`iGDMczSSQ#S=fZ_3TMK2fi$}FJm%jqdTm+oK>A~vwYec@w_UM-5Frufgb3d#w zhL686o~;clnb5zZ%SEO=^Tt5NQCX7r*u$rE>y2m zv2JClE2B)_f@IwHXB~XQzFOsO(+XCukH1+KHupxh81%D_l#|qM13CRHB%X*L?5@1b z{*3szT1)RznD{x{T@u=Rwr1I6aeeFcAok%hw|^BR%yw>=z)EIb#hihuyD|ZN5ZQ8y z`H@m&A7%e_B{}mVzImgKR$vH_?iJ4*;A+A-bUV{dSD$>sFv7Uo$Wxp;d(!OG)@yHR zX2knNLC4s7Yo5QVt?g^M!0Oq_Icp#d_L@P=$T|~XC7W-+?fX0C9p)=EQ*EBC)G-ei zPNDqoazM_6Nz?!$n)?#NNQjDI%prPy2Ect`h3&GOldBopcygi5K4iIac)j;i(dF$? zo~3%9vf)=>4SOidWGPL zoA2-rlh-&R^0>z9YxVmTIt=K%AE_lY3oKfr>OkLh$w_a|)cg9|6n^!ra2h@m7u7LO zaH6j#Q|oFY;}aLv{`EcxzQk̖Bq!QZu3=w|ivug8^EF;yoMezfr!Y*@%tbjX$E zh-KT>xq=T+dfj`(ap3ak12OwI4}UBvc=_r?RnEQW^im3y zaxQK#MK1>B9&=DQsx6F^WW4z)@vn35!J*q+SWXmE*8uart~5`ACH&*WDpHQ{9By0A z-uCjU>KbqA6nXl$%ADQeR>@?pplbRH)2ASJ0S1GvPQOrMJbX$(d~@NppAV2N|I(mD za+(kT4#Yn4RNi`~dz!!<@p@T)^bxrP_vmwm=41QFcy<3DL6vvvHvQ2GOoRWcYpaZ`u@-_e8qSA5|9Y`^m)Q>^)_NwuzbXq$0jT=~m%!?S@FL6@^1S@nxa}|UyreQN&>v92kpEu?kioy5 z1!SQxo0A=W5r%0;n%8afkL}a8blyzElAD`sb5{cXK}ZmVP;{0&Y|sm2USv)7_=S-j z!lv7ngnJ*v`8M*BY6IlM0gk(lmwU^c_;~DjCJFp)-8Pd&(3`&jRw)T3k2-kPF>7F8 z5dD=we_J34A8gG0w$!gM)rBnf0YTSc{&rqc4I5^17SfGqfMrBQ+0JPF?+b@=Ug1CW@FNqhS{NbTYvn*egbw}UrqXa7v0xAi=hJHoJ^T94( z(U*g|QEtqX2Og>wn3qpM=XTX(EYH(^Flq7}CsNapbDhphTyZI+;7va& zsf9^fDdTBjJT6UTIocGU6ot?nGW0Gm!D9`&vYi8GAA+~6O^1NNbz6MeXS~OrSUg8U z&^49UBp!vq-<2_Dp5B#K4zniGmmLt@+Q!f+K_~}W{#r}ZGgs2o)J~7FW2px6KM5U1#8{kfCo7`^jn8b?US|3G?rK7T^;4T3|5fC$``{T+dbKvG{(P< z;AeW`3@(nvcJJ=jv!@`jIl8^H`N4|6X-|vs0t_n~8zqFEJZKgk(=G=mQn?`&rz&ZN zx{`k;?6KhKC(x(mXaqkU`z$S)OMP+uM(`0D>YsnjDG-FB|MG+NGUF$Pi3acYV2y)9MfSo z_u+&@5R&%tXms8!4T!p5_gpYT<2IBwH+&Ck$$W~eS`%r`w2y~5THhF=oH*Uem1cjN zD)r{^0dsheL(S5t+rn`jqc6XRY(K1s2F}C4pXBZq^eoh4>?%0-;}yo3(Fv)jr|2!H zD<+K%wa0|3__>$|N52SRuhk?4CYTSHk0p53*V^ySnArvwkDxx7DRsREYTjmacOJz6 zUO(_^5j^6t+xVkl6TkEj5?0m{3#3EJrJvz4<((XCA_Z`$te63#A_<=%P>ghkQ22Ea z4er=FuE3%ui%#YVEdv%y^9q)q_YQ&|XA4^SF7}j8rY>$I*qf2D<@$ET8pCsRhp)By-J$_puD3;+ZG7A_ zos&j6OvNy5sM4-3eBTiAUFsnkYDvbs#7?r1BGfiHIWI;^TA7ToD_av1i&XB~?Tl9v zWLI%yv|LD(1-fDaSd)3E{lkMCY_3mc*N0D#HdGx80#sx74#VEeb?n&ac9f8Q@Dg9K z8Pl5R|Ln+{fMan8=c&ALzk{4>_KQ*Z1B?Ouh+;etI8bym$^lC}JleKrVHq*CoI%`} zxT_yLEoD-&OIeka+~{v66bBl?U{|bsCbTrQhT5jpjIs&)20e4RGNr?zt&k1sd{aTM z);BaXN!EFU!#Ki2yEtuoJmP}FH!lYQ8`jab&%Jy|lv~Wwov9k-%&8wDO}O!0@_)&E zU-g)O4u{;yfe+FOc;H$LH&bt+lGtQJ?&Z&MAF}1){s&Q5lLY@cK({IAeSLp)rZ=4l zOS2%GJ{S})(K52(v)ED+2xkt*pbie*Sf zgnF#UTh(Mt*<-#r>@DE^JoUoH;}c>~4cXT57ZM-!+&lPth>|tCASz})x@m!`QKVO*`dbo=(#x9II zOR5;j3mmRR*gCGZZIXQ(Al_>=`pZ>~%q#vo#wPeL67$7~2zMLwUJ1s=ufwns-d*Mm z6Tdj8aE&y#*kTK-o_`S3L7&CyTii8&DU*4Br&flICO)|=92R%?nA#E#vE)~&q%jmb zO5;QMyl>OMVzXy#US1z;awcO?ryHH46&^7J9Zk2Kc+YOwEzb%jM-q~HIivYi%XH5_ z=x1j~5#TLt9v~$jL6mJX2BBt4N4rHDeL#8vZwGwl^iQrw0ES`dm%K7w6|4D9ddA6w zQHe&*Gao4<`2!t#Shwr?VLVlhqsM%4KMr>4MmpHNQ%ZwxES%@*l2Csp>xMX?Rj9?qb{->}QQO*u|}k7l*P@%G^_Sa&Mr z`cn+vxqDDqIJtSk6LFnHT^oLtVWl-%eeKsN_%9`y=9=k>PR@Kles%rQPJ2iUJ*KYt zyv{0JMn=+Thw|P+FFy{Inp0aWFF|G`R!J}Cl*$R8lsiF=;l{x|q7!mXkIkh_BEFKaaIidG^y@O!9?j=IG}F_LBh)xdCVwW z0~Q<00Rby2l>B19#C?eIkc)#pO_yyF^3F4!;O6ms*F0}qKBt7X%q`Qoo8tmZ{EzFz z_y9Mg^_pIe#eHUlr@ub@Hm$N`{w{1CFNG4zI_^KjXj6zT{WXD1!9^$sW4epdyN_#i z32vxIq-cHf=)8rhs_?uyozwX6X(pXS1g9@ z_pBxAW~0Q^%Y=52m=l1;ae8;JO8N42H;$7#AM`R`0A#TBf{~ITc>im*t+q`aT>6Y#pi(!Xn*$^UI zh!=;?N7J5JbG`$#+8?GIwyiU33=s%jl8S}AbFMRu_x_xWNm66Zx5l!@M=w~xTO4kx zsFCwyG{Xv~Xq5zOEpaFz56W>WEm9gpb6@LAVZqke{Zg0K*QaIL7t!PGB3f4^{2$%M&;;*eG05De1{`l9W;u^!{s zA;+s$#eHy+DE4`NBVwNcxeK4zzc#N#GC0AkmIDF+Ip#OKLbJ+d>zN6E!C7xCX zfB&*9fL=~OuQq2kX^kQUknqb6NPZMhRRGTcyx7}5k}62EgiKlkhs2y?n6jP)R(=2|By%bU^%%w{&Qx;(B}4KhBEqq8^S5%{ZT;E5hSUGez8E@S9oV}j!Y zz3G$+UMf@xseO}3{w4rIO0XLsTm%n!D&W46yU-CmKb$aOy~|*v;PE!Zg&ip+0~cSM0D-NfmoB z07QFOL;1q#P}ClEH0%j;WI$IZiL`g&M!dF3IV0e50FWbe5&8#VoUH=H)wXxw>P#L( z*ciq7{dT4@Px*_f37+7u+bz+oxqi=!VkQ{hp%}4=TXq-7U>5-0OB?>5K&SVf_Lwr}kU2H578b z{iAaFbD=`$Egt928|B;W^&*OMGYdfWTygHDnNG>@2s7)}Y4RN5s6|`C5JoE_gVwfS z9Kz}lHBl7eR8#PiMx3=9QUAy;+ue|hgO%kIl2FgQJKB2oOF3?u1Ow4CQXm^V_@UHyiwt&eaVd^f3&_=M-;XB zkJ8Q$hTonQZ`N=5wMrJ$Mhn%gLr2lJ=2^0tmI)6Iu}{56D%L~`D(<07Xo1)DXFO~J z;5C{GZx9;|UNEtN*WEnU-H-=XV)1ut?S0fzK47aH5Wqb@6#y>s@KoCzJ&N`X9~a7PU(2=zot8hPjr_^!|If#2FMv=_gwl$O65#>z^(&#+(qQ8o6F@{ z&dbs-&}id^SV`#iQN+dQt>M@GrE2{F40t5%FH3!*0v{h;;l#P z--eOGT4h9CD+q2>kCNI6(EOOmz_xF@Yb&jjW-dD0#Zb8^M*+p!qjP!=S!E2rNvOa%V>`ix1o6hS1#v)yv z=xwFP5Iqt5q%rfxG^f8A`H=K?EA|P#6H0CpPGgxzH6f@RsTqyfE;;XMdn#mfBYeqVs3J%z{v2^w3(5NKUxWanJg< zT#RX`o8rvc_t<-o%vmq4z)p#b=yPS zP%)ZK`6bbX@m;7CugQP#8(H#C71e|_|VW;HA14aBv$6FH16 zzmu{ay(AX}KefF0v^@IM830VM6ZN`|@%3Pz7-Pd!YYJ!YrtbvEV#qV>#8~w zUSP1%32}FI=qgaNbTe1AY)6)OMN$Ls>PnL4U!Wf%VAB;y>ewk#`DB)vCA%BOOns;i zf&7p(sRh;$Fi&qLxuy9e;d;n1N3%1Jvw}_izz;I5PX>Zr2$|C1Wtzf(uDQV17a=AP z-3+=F#WbVO$HQ%TwxpK6QUE0#hdb>Y0`$c|#H6o^ZueG;NM*nlM%xReE}eD_ zSq*K%1v95Ln@FY3zY34}fm(JEB2TcwBGKb^+D*@~17-KSa|U6j3Z!?_<(W1?{KbUp zw$$gh>rcU%ZFMm2I0hGtJk}mF$Dj|OoY=%WXlywXnAigo-tzrbKwaq954S`9zd%6G zHlUImI%Vp9Qp(YZ9vRj5nmn&v*+^DOhE3|c7Z$zUTUqW_qz+G%pSwSkWE%^QM_uW+ zwW8dFvuX1)vfN#s1IJrl#5rF1U;Nm<@xKgi`^@a=sZXCLJ}&sR@jr}#7uvJ2tt$c( z?X&v`$)PLvFI|9(_*N4%(q{=d7-=fgR!3oOFckB~_lZku*9>B<(_qQj^%wef#e&Rj5*U z1yx@wZm|etlSc0>ryP>7muJK6-JOTyPOG3@cqSj%4hDQ&NKO zP#A5g`JD`wAbRgf&d`fTD{cYgDZBq5YS!?B*+AcFv_-<4zZd--dgMul-B42U0yu&= zkmN|yZntv{^h(?G{X#R%ce??fTu!jouL5qrq#q{(_wqC*5TG`^*iLm`Q;t-*Hl)?j zH*y~dRq830io3j5Hl?|1I<-cLbM5q3iWodt;*}|gwmv=9msNfk9tj$D2X?=vdx2hc z!zoP$oroir3X=YQm4#W^gclF}W7dHLOzNt08=#n3-d5cZvqadCAVHyq#3N1(lK0Q= zOwhDqqK(E~oBG7)Y%mNtMPX{7K~wh5#vQea)#7egCp+{+XIU^C*xUtq@QI2wqd^-_vUjMBvA0R z?b6NGWeR5G>3iApBuV)Fc$vr*tf!9~5^cCTzaYd_xhl^dbNun2qF|4+z?GDzlF6kuEf>>QPlq?6K{$y}d2~U3%4)jGWNY zu7mgq{MH$P<|S&DKc1|zhPPHtfKC{a@<&%^>Yfa`dbAnNpvZKQ+YtNvnsisa09*v@ z95Y1^%GaPBJsupIWVqr~*&P(L9EYO=mA(X9x3=s`^9x}Q=cT2FervuIn;Z3wH5~~j z0S|ZM)e|`{p&T`Xayhu8C-8R=A4j*Rn;6DTA#s3K4TFS0&_5xw>M%yy(BA02bkArU zoN~`eH)06szVxri!Rb9Y(pq*ZpRq=++wH1!9-3h`nzYJ7j7+xCui_o$R78h1)OycAPb1QHE$w z1bQ&yTswpt1HKQXb@>n^D-hDw=DsV2=E^}2n&}vrCbbiwBI!7HU}wf)8;j+IgxzQP zqk84sAiTUT+a{Bo5&o|pK(Tz!;YBe++*}FxRax6=EX8vsFv4;rq(le>Qnv!9>nhX< z@hv&*z^!{;QZ_)&=cgGcVL1UnB(*La2VmKhqNbQoLZWpq434J-9`(T)L6Pb}3go5x6?hT`2PJHb(rJwKNmtib5eNg1hksOAwPMN zT#8@?c+f=XLFqc12cQr2%zV1bBRQ^%SRRaW8JFq83sxsIw@6q^_)CacU|W=Ra5#e8 z)|7&iwKW!-+^**9)}0CxZ3D%qad;l~BZAHTx8nhOx;tzvC5&Htq(ys)Bl6y5ao{{5 ze1HW(;D9xDLlC;ye zq}k-*ac=v1Ws7!=iXG^3vRwX}FD$;h4OZ(Bxm^NLbpjRa%jMz$vp@rf&D|OL=7qWh z%XoJ!gpFyH#E0_pxhu9De)crWr_kvR`i-j$FQnACOh{ixNNgu3q9e0k3wJ|Ib@d4P zx=aqt=(ODZ*Mt-J@1;KzK63GORkoMXZye9fevY3Fa8D{@N1k=8YCm#g>PcYNxb(~q z>HyDQLeHyDEL)@&7!Pr7M>>xCcn6No@22!ujO46+LFk-C3am1y#Kkm84;2@?veUU( zNdxZtUTOQ&8-d1g@{in=bh3F`Sz7(nu;prYM0z_sZNVgFt{YRaU!Jn&cNeopNBrNp z;LbhfN@J#RHGk8u275LV|0aDOBqx3gLb-z}9d7IQP$BZUk1zw80H+45V?hm^R|vWNjNR#~2x z_0P_HDOyh)*oJ><;(fnNP?tm%OU{>oIM!XS8Y9+Q-_Ary{z2eAC%n$xZf&&riQ_0u z#9P09zt~Yt3C@bYU1$itYyLeVk#K*@8KO%b2ApA(Ycu@^5gl4No|I^}#5dv8mMTHK zIIZ&!qO=+4k=QjxhES$qVx4&l_A0q1gICGb2Fdq7u>sYIb%o(Op&tXYJv$=9-5T;_ zQ|De}wG-C%reb|Wa9p=u+QDT_pad`M;?PJFDwn^Hfavb71nmsfR=+@)N8k?aSpu_% zW$6YbFyjUVv)A-{`kiCW-7+WRb3}90PD(gh-sQEMp5-4Gru-8;FO2dspWAB0YP1;# zTcjenM{G5HJk`7|`u@P#d)DRo@UJq z_C|YBM;^7OeIT*2hAUouiXSFI0_|nIJg@t5M)qDy-l${~6k|uIHK58K7J$%!c}-zu|%AZExvRapk_mNIMhk{F(u`cIwF)-LZd z<5*lr#&SACm@Q>8H@h2R1&I$f(PXWA^38!mk(cI&>1*4NJ(K4JUOFDP8MngaD-Rt3b$R2kkn{>?WU6t@d=t6t0?8`(WYo!1*U0 z7V$wAL-qvs7vAr30j(6}wTMc5u^GVM;);H7S9K_SZ`CT%GtEZEErV`bTLyy?(v>r? z6dA%|QuaKayHgHMn+0DljDwK6fx{JXAzd8ICz#D-= zbq*eO(X)6>hhp0^s-cDJ5yU(~=%20|I$4X3=6-ZbI*N7{s9ofUV^TIeabKsGP_g`?&t}evGn=B_eygyZ6fd#`g4XtC?#2?vZ3)U>$)a5@@AQZj zjTjavkSHELM9skH#}QLp40AtoUhGn12{ZYv>EG-Erb#^s@(GIFz-TfTOa;gx>dRaS z&CN?NgBo3Qvf^j%yu%r=*&9>kAH*EQZPH^ST3a7>x#yXHf=!+EU)f#p4UPwuZ8_Vo zlE-B1V;!XN-jG+HSWk~xip=C*7!)&;7b4mj{4acNCTG}P7jrN&fV<;>OzaY!PW0bh zjJ5P2aTs6CgVM;@Y(;pB4Bo9k@Niv*6udH${DCA?A(32p~^C zb~(9IsyKP9c5{sNl$r7G1z?DT>8^_5K2+}PHU1Cc-ZH9I^UDMW@hi1 zJ#*i`>$*lpLUIEZ@vPZ4CabkLSH7ho9r@Q9U#Cd7zhdX4 zY9e-qdL1&6{@benJ5?edYm7mORz#8rEVcbiQYTz;Zbc&pIRGeu{bPJXwWkDYO7)VO zLsnLS6Fflv^d{&g;_-Fnr5-rCd-q%r^L5$pPjipD6f0V>~)p^}b;g21omZ-kb@K1AJM*i`SnzgOCWADpi&6BEtc|;~G*AyoQxmyE zbx~}3jYcF1+~zz>FT2!kkfXIGp@}HVg(`+ppAtLQnC=9CFwHXvH!9cvDw<@k^=yq2 zc48=xdma}xe^i}>oG==5qsh5Q)iE_?2tYZEkBD1|y(U z&~f_I)Y%Kke^LbMOb_41#D9`?0JZo6kqfpsgVp(=#^8(#1@OFO7!K!c6>0SX^LVgC z;tXNC{oO-F$;bD#!_)V(dQ)A0awM+p;$md&&q1jiu^&n9Yx%np3#r>jyV%KgGMyQP z2=TKPzbHpLSmHGPP-_|si00KyLGLMhQ|$%c&*L|~a?ofoG8}90Ks;A#O5mL=n4(pc zimj&1SXh^Q|LyTOy-1KX8J~3T*Dxo&i-ISAo43jR%9Y0Qhh#iUUAW#Y zP?jKgE|BpasmYnP7KxV0POl7H%VR}F8mDWyVwk)@Ai`-M<3e% zHWQxEN#_d199O)ncKrO`@M*7T(VGuxFK$lV89b6k*KsaP7zp(6n6Ro3(7jHUQ+ug) zpXDlNB@i7Qn#R#@qKsPG`jkAZoVm4s8nw^F{pvP3bhBL?rQ9-m!@eYq-LCL>n>8F` z?gjz~8XAk#jNKc|lwpyYeJ>>S5(2QZzI>1v+m0Hh_DIe-HP{j4bi5=Vb7%02liJhT zKPo~3zOO{lL+@)PF8XC9#}8LGtk=Sg2A*>bG*#hLs*}zI=SSGK_S$SEi4QE&H>OOF z{w|pkk+-r0R<>Rs3yamvUpEH`u~w1a^d6t<4^2l6FE5~QbnGTs)BK<*s2}8`e;3m92NZ*aXv|X>s_1L1JAQcLb!(< zL*OiKBc#o_)$8X*6cR2~1B)A931?7;#{5L**i`zZv`T)%U?{nid@Hd|BdPW{X~+?P z82pj=Z|X78#Wh-*ac!s{2U+4FUQ`2o9z;&w*kbdc%JZW-%d6gAo^DD-N*HH`m28>3 zg(F|f07`fi!$7OVPA(`&EDEPqn&yM*W7-nLGwJL@3C5N~Y>6H%;=ifC@_!fc#CYexey3T&a3*R_URjNMigMN!j!SSLuVrHjR-3r((SUsBi7(&? zd(azAB?#q_{lPEygOkCij;bd=Ifha%RlPOVm7$23Zy(f*Hz`}~aT9;}AqF1mnFW>G z&cSn}f7ILO(Y!yJt53jN_1xgzx%F(>ZS!%c8P73~(RzwsEfFjslnD>$KSbej1@*#MLAjs{+7-SoXA^q*yam8Oz?#)8{xTMril<&?MB7rCmr zK>(%D#=7B5&5yz7@s}OG)LBN6VMy1^<^WMrAr*GpX}(jF=Bv(Gu+{W>W5ax%k?piU z=i-_XYxh%uX1cpM^Hqw&bT8j}`Dy@%j&HXd>K4(6+N!Il@hyhv2Jf%-e<9{^D)`p$zwPUAQidM$ zHTSfQ0Kha@-anQlmSI4amyAKrqP{ zN9taaiakxz#$WuQDZkm*O5j2Z2)D19o_RFdgSWcHBQ_Q_MrVc!ZGsTvHJ2>ES@Hv8 z^_DK;Q?HL9o`^zwegBl+sl~!=kiUPF{xOS#3S3=ok3<6eldd?XSco_+Z4s23aw&AU zZoF~FK`cXPemLuAoI1P3ACVuOki!1t$zsMpJ8$@t2fxD zEL^QU$Wc?)8WM1I8HVZS^l#%9jucZR@p(A^Phts@aX*rr7kGQ50WZw=OTVqFGMTyC z&0#;Wqz;L-uUlnVnP64YO2bJ&ntrxqf9AB?t$F&4nl9=~S$FBKq7^6Wy?+7Y zyEfDeT6}|l-gOcz~sjSn5vWi!^&e9l!2XOx->ki`#g#;FJ7xj>sU}^?TK1!35r& z<`e#}+bF>!DolyIcuXU3!kMi1z07-u1$+?(#zj|cZ$ zp4I37koJr@E~ocr`;>Zy{X2$Ha+6XL#5!gztyjb3h#sP2PkdW;IWP2LW!rx@=Qz-b z_0khrR%>tRBgK)?WHTK!2A)nzdJGX~`ok)}B3UA>qaVM--`m_#78kQUyQu&?E9@eD zQMwI3(~&lJC{JGuebB-{>$LQy@1{U+u78RO-F00~ALf5rHV3Np9m%=xF~YK^jA75* z+liM7l0gJYOGF9mr)4Oe<>YpUhMs15oD20%zWqDW&djL%E_hU@rM#=rtDfEny3t1r zMfB&}=>S6CSrJQ!mJU(HQbp5pDg;SR%Vs#7x6Eg0OzmzV`i5aNut|y9xe->CeX$92 z0HU#B3j$f#TlsXa{tr3k2qC;mRNm}Vf&2dZ{YZDFSAgNknqEfurZvs8T~f@)p@qvX zm*q;0Nv|vE`2@FI21{2bG|2zo6iNf_(j7$wJv8;zT#O$tnA)pgYizeAJzG+5W}efK z)T?UGL7Al8QEeZwklS2sN8K=*J2r{Gm*WWoiUAzf5X9-FRUD09Tf+i|k>6I+{eCb* zm8B-G{0sCt6~+j3R5qu@Hd() zz&FFMfD^Ku%lZq?0u=XF-HhJ)LDZjE4wSevZkIT>MZ_5C6-sm4$CPNq9vTg$Za zM=ZZRO%iIOBR-1~|GRi`E*fYVf}jL?1`&Vq?-X+LCQX%QX~JT?KmMdUIiH@@KOXXR z)wocRE|Ll`3Ml0iugmsDqF4Vd${F&arag*1zFl8vQpd;KWzNc=t+Eu`i$(O zNn@ao;<(Lmc8~i}=7C`9GW_t*jm2{&-68|S9@KuWi{&^CV8M6XuQQfRs(T&^4e>L4 z2^3R)dEw1uU4@$b%hulH5r%tHI6(S+`l;lFUe@fVKM)j=*R|`UIKN>0$}z%Q?4t|m zvQO?iJ@DtL2ZinEh@=mhfn@P-SE%!hE8E_$!5;N|eCotzcUzMsF3?p7vi$UILTQc_`Zhgg*w7S@~GHTNo9 z5Ry!h372YbnyN5QhX9s={qVWfD_TYZ7_@lk^n@oo{y8;x#P*B&|Lt7>c*3nc$@{xW zKx0bEq#;-L$OC_RG-juN)>w-@^VN0&a6rO287VZmrcZ&tV^2wbwL-wjNui80*d2WN zRdg&nIP6l#qI*m8(Sw0SJ(EmTLzeoM=aFQSahzXcz$2A*O@9>`JBn>Msf>m%6cU44 z!|}!9NT5~xlM2jxTN6bvsVC7M?!iU|p_h~g{6_|nVmgw#w@_}`9`#@vQuNHx?Pt+I z>o0R-&k2Y~UD?|t$)?)t7M;{jgY=pU8L`6@<*#1c+g}aX&$ykOSJ33~)p;H-6-D3v z3e-*e5IS9bp$8+4x`)AN0{r)Wx9AUDREC%phztfb2sOEPsaFW=M|)Z^X2sJPOsIFt zwC!lZvLG2Rs2T3%e9_BE{d~V=nzF*mOpf;RqNjX+!~ObisuK%&1LXMTZgHN;?WRNa z+$YaT^@cc(M~`^|wmXw1C+SBVwrJGxVm*|9h-I2j@=FKIoysZ_AFVcKpFLGp(pF7H z>a{>Hp4=V@Y-@zlCNspYC3f{G`rQ-NHmYP_KIPATxBKbRG`Wl?A3W>jNrTU$kSong z^T1Leco_N72W3rfId`bdg|xY&g`~LFSZi)sOaSWZOGX%iN5Kc`1y zJO$u9(Vb}oOAz7rjm~OuDhu?j*ec&S0CJ#-QVn@G4S-}X z28Pv0K4}kPNoNoJtK1L;d*?t(dzadf)b#FswMkm>DwMW?ckhqnuEnGCEKc##|`kz5JdqD?(ebRtpiZ8NOzeH2i(k|=R}QDIdd%aMv) zvsrG%V~Awx&nNBE4hnN0J|`9Xzm~d1z&5<@J-vF<4|~4+?NR+ZfmdbSxIs3Iq4DG1 z&tiW$Sp{=Da_GywAbcO90WKn0ihDUR%9YAIxttXZdrSd2l1+_)J;OyhfAM+nEt(QO zk2)VF1$lR+DvYu&QB(D$flPe@$0a?P}+^HbFxfbxVN z!lF7eBt~^uCd@nVJuk-#UbAS*Y%5RmZxpJnlU0z=#=^V%C;%pjzeJS4vLyl;dlT?6 ztDYM2#i(CllC9g7y^df`WYXyn+%!t$vwmh> z7IV${a1~gbJos7tIW)F^O)mdZn_dyf_de(4pmV{MJ#ibFs=D@(c4FJnpR4T&LMh~r z!QnhQBgS>$1lSq(x@ZCO+cCCz?bu+xNLqbGsA%uooh19O(_i8^<30isnmlw*2hvVr zrsM|uC9f`Yn=IqrP>n>wV`EFVWjp^unXtD;ExP+mkG`lGqVCm3@+jwyAFHC-ObJ#3 zZ}D_auhdN&4gvgxle+>-9$Zh9DO1+YdBquZ(2v}^d@RD-A-1_FRto`8vdy>TLBI=x z2w|mlugN#}5lqvPj8pNa9(O_#CAd_@52?Tn-_1!~7p&qNa%^tyH@UohFxv43$g`NM z`n@RLJ4l1a@0xe#www+1hs|5YDQPs|_%_aPB}gR4jN!ZQ*f{~Tivlji*+i_7RC!!= zPPA!`F+gMvjk#6ys5m(pfv22^8z3+AsTyhH5%-((N|UWAr(ETBrR65tvgIM9?0+Qb=h)U^dWKkGP)y}}Rxx^fdTPY=>(HmnvT=N(Oz4hVZFjjx@A zhuysgx@>s2ja-P`HOcRSZI+ZOV*HkZ3ubQJK~s=*@FqxOM{KcDA2f43fU=5FVEA-w zFtxbuV9@%Or0{y#ZQF9-u>1|4tcT;;gnfEgYigQ;ZLiW5isi-{SuN2xzJL46m10%1 zQ?$U8u=rAilv@twH+bU) zc3n6@vX-q{zNJIUa8YFvV^;-Ud4uj_*2&W0s$>iLb;A>i(1h@i$Y67fXj1a*fF|g} z1ex+RW14!Pi)ib2`{Y40yZJ1)vuUl$HEjE;t*?6MmUQGP-7Q0z8d|RM;@Z@fJe#PMe}yWpG4^tGG9^%`5qwhWN(KZBW+xm}&Sz>CjBmrn>{~zPmx}yn(pT zjVnmweK2z1`SZ`d)i+TH`>;ts#GF?W%I5X0Vl9H2A#ve0AvT&iS60b8kSlgyang33 ze->ra%n{Hbxx(yji>xt$9kzSRS1Redy?)Salj@_}y`TQInRS>x@&k{h?EJN1-{u^=iJGYvOiDq$K(zj2N?XSV59 zn|>IHO1?FvSigtkMVuEETXVBf>3W;Ns~=t=j@~x%pvr>axUc8;jSDf$2Y%^+DfUnL zzAZ`a37ThcXakRNO`{Q@Wb99t&=4Vg%_hGMAGC_jmhf6+yBln&xg`j_)DjpZ?I4Ls@#r zxl8X<)uSKG!l18^63sxHl6s{rmze$~8}8jRou<^VZSJ7``B68n{#JwUi5pWn_9LpT z&@pi^UR>tkAp`!8oB|@n;m`yN>#HVPKzDdWwfYDiZ-Bh@6X6L;1CcC_o__U{zkFdW zFXbuPMT=aMY<9pof}oFL=S74ZIgMeygeqJX8k-Z8_3)?N=e|+nVSpDw_Dx}`>scaK z?%E_aCY-PIc6@5Yv*b)KHju}YqIiV-s@^7HTjhmJ^Gdbq41dFo?%v(-RJscqt@y`- z)k$t@fPUrX?`n@#wk2}|8#^?*$fmm&fFSYMOzDG=W6t#Q0N$CAIWwhhK$6GnWOA>8 z2Hm}K`cb@_(7@dx7OPK2wy&5JMrX2+*@cxOkXE(kneS!|9pTsy4^jS#_MX`-rn4l7 z$Yz^liv}{yli1!^kpu-EzzscjoL{>?>?lx3L!!+OpB*NUV|?L1<6C%W8HenDaYQ-X zTJN2@13F8Z)j-%$yjkrz9a@5dHG+tq8zL?2@i>iJ1Bn5I{&Y5#% zd&V1#Ql>c*oj8}&pmWP#;#t-}L9(j@l=qy-l2dG(-E59_c0i2yk>>1;U>7Cs5+?5Z1J}97s><#bR(W9jm#N0-D zxrwBDW8z2X24vgq=_YUXSMVyIo&OE;PpnK;~QJe#^1G}?BD`YdHTORA&;faw^&^^!BvXYk;FqP5C9*EVe@1JSs3~Q5mx~_|&_gAVLnH|o=`o5z0SKnYoV}?SMf1(o zV(3c{f&?J+KcWrA|A?ka1MzOR7yl7y&F*fX$AH^MX%LBj&zs$3a9~qEVkYQ?c6i3H6 zb8e`AL+i^Kr$IUZP4vZdrvh0`n0HDD(e5e+AqBCgH_|R5vU(~kPM61QBzxyfx3Vam zRET{n*Y4T4%40<7>ACKzzDs|aUh+?Xpcj3DBy+6EZ9-!l+Ob!m$8k^7EZy{I+-Nnn zS@Bt_{G%OE#s>ryiOY$HwoN2daAKp#hv31!(j4cYWgn#-GK`Lp*vM_knOySytSRCI zYS2p#b+g5(SlyFgo8MBaG#gC94lq9fM3_JIIo|fpXq(3G4;x__C*Sp~Yq-TOq`3GO zZ2QO2=coVjYPzL%aB?VBx3EZ%O!R3d(%2<0%9}y@eqxR3uK5AA*Q~A-8+97s#R`Ms zGD}8C&(5Jo*3?|@z{$w`uzdrE*4HjQ@gdY`MsZR5v*;3hO{Yz=4GCWb*85T~r^f69 z!ikowH_;QY6-OvmcQ$1=4teu4=G7RM{?!k?INpD1LcQ2@_*5gz#D2Ds>PK*QIlShQ zs4Av?{<_OjJ^!HGM0J>;`i~PPIb>U)drV+(M-#UJY5}hF;g^l~=*p$h7c6#;=gy;# z^gWa$H_mhx^G?Bb=F;g**gT4woK}hyfLhjT!dCBIipFxWkJ{J0|GUBN<91T1cTYAS zwj2K%5+jzjv!Qn>&?NqC64wYo6*HWkMgI~%f{n=D~zRjhQusXv1@!t#j%n9!& zc91HTC8-Av-V=$r#!*4z^y$2NyzAnW#=q9%G>ePta@5-2@jHp(<2M^WbYRG>LsNQd z#!G<8u_`j--qSCua7+@zRE*5K$$J}mvKa=fM&8JkEuHMqc4Dq*-Kl-Wu>787HOwMI zG@hC_1wWcR!a@!u{u;*kB%bSk=B54rnU@S~9F5Lvm9uG(34VjBtLeLl7G4l?kn0Z; zE0xiX21=CF6iw`}j$M~Ff;}W{3hj|Mc{4ee%4r_`do+YIMv2?OOli9M<}lqW3?17z z-oA1`VrbH1HjCzCw%j!{P98`B8?-1qLOC69QtpdBk6l1}K9u+o`q`&RUMg$Lr?$Qp z?#700cz5=E)~3+V#K2TE=eMm`!KnDYnZN?f{lU$OiKZJ}?5Zw`3cMW^hFo8RepID2 z)V4)Q>Aytcm`GkJHDy1hI~^>nGhCoca&u?w1=9mKWx|W=V$x7ii^g2ISFFqZvc-({ z`#?NRK)oQ|iiJ${cxGr*WZd3uif=(?rZ&nXo)+v%>gsJx$b^#3qgMu!I6}|HQ;HV{ zMDsiZ&|ph2yryeIL9aHOrOo!AHXyo1QW^gcMh8w6n|2DDXHV3a5d21TroTBZ+B%we z08Vy*pz%~K%yzKV`+ktvWrj;1HJle<)3K1%^5i8fX6V6+a(6nw?pLFY`-Y;pz z0&JOH?w=k9=H<_}CPj05!-tLHAz3-5FvlTx$dB+)08eb~4dLa&t+)X5#yS_~LM>g+ z;Wp$ishic_)>Vc|`it$)s`H8MNb!V}Zgb##BmNn!#IW|u1~sJS>L}%OtN*EZ@mVn5 z6efC`?$g-4!&pQIUZ@C|*ce2X)NHp&?pfRQ_CNKq%+-`?5{KiZrB_JGD|}EUK#T} z417NRdrBiu95q-Cc@>?6mo(`auM`Es9(aSl^{`e*5a)RN=#_d*fjS{9jStKlzJLFW z#;B7HTiPjnC~yNO-{#++P-Adb38L?VR=@ay={(-h^Q2j)bhquz!*FcQQ3e(0+>|Y9 zHu1oH0>m}jGqgWqJqo3jGPC%8k}(3pJ$ zkME{3HNLHmDIzIIo#3PLheCnv!LPxtA1AM-oC|>-*~MU+hpBHkqa=;GW0sy9)3$zR z|BuLHk|^*AMw1`Jd;jlfek%COOc$>BMa;puXYF3zkyL+hx!|9obb`KBzv6rU-}8w$ zdbGEtEG7H>nd!g(R$_nJVD*}wXHUW<<-G}#h+mD<*}tbO!{M&FFF)RZ)p>*m&zxvz z#FAZ05h?yWT||(=8joPS>;q29Ka0!v(w&@3LtOW5l`P-JHV5oAw1m@Nrf>8;n!8D% zuV1!2@M(hU1iiUqdu^{o=f5vUwd30mu4;eHZZcxeCNpA61vYQ{l)}meC}e#@lTWUc_fF{IX`bW z@xu(|@fkX4o!aXMWSR}uz5fw4Qr0rp<#BvGR9byf7)@dP#Gx?TiztQ9+ign|LbZr| z3Kf(}ar9Zb?tfkNJ5_7u*;|#XQa#_FU#t%z8Tf341l(nxeh`xswufol)LyyL zXxqPT0f}^!GCUCXXNJ|!Qa?apJ|Kr=*y={0)uWB#P*H27w8SKKfE=*-uH1q5{W|^N zKAWdf93L}T8XeQ$@ya9|j=L~tK~H;r##G?Z-rmlJmR;?lLXkC-NSaX5@$4NPy;70S zJ+d=DhF)TnegeO<`k556JT*16Vb4N1f;^l)d22m7*^z?WZx zbds(WLsJ#I(*{0skz>H(zQk00%h=tEiv74PKF}>zL1lhU{HxZQ76>iHelx$^ZITVb~uf={-@RtKIKnR`dfAY4N}if16EA?<$d%8 zR|Kn2_O)GSHAXlOAT6WhST5x#N++fZ?9!i#-U_M z>rRV4`n+e=>T8QMhkuA3A<}J(Ejqw+G!Gh^f1tdvxiy_Kdy_h4Jz|%hZ!$m5M(t3x zxS83D2IOja8nTc0`w?8jH25mbn;Ea?o=`vS4yL)L5_}UZtHr6Tzl(fxL!&H{i{Au{oj?WdPy+PL>@|_VjjQwl-fLU{Tnd z9C;Ub8ZMW@mkX9w`!YfI@go{emSYwx8&~XgFq)YUZ%Q(0mLzzpKX%6E%vb30#%vVJ zfjJR{4o>vM+Efx&o8CGJhuSfNuDcANcj&E4ReDky~=Rmrh8 zi@o3UG8z0T=4frQLL!OM(#gw{G-T;rpG^C-ymDa%kf7$CKieS06M-D;+wlxzuY-4a zuJvwg4vwlAMl24awdT`40XWkrUf#&2YVv-F2-&70#4U+xhV14S~-=6WRZ2wl(2JGHg(8b<+iHtto;vfyZ-6MuCxy;ldj>PwEMm zZ;1*u6rbsKS zvlQ>IY31pcq|R3ELc>@Ff3-q)rkCm7i=L-LLuCw&KNA=p913#)C$H;kH*w4D&%v1d zXt8bdNHJzybfCWfe0)}$m1s&_U#?Rq;`GrgSe#CVh=czqoquzQQaxE!z8h0OLeKZv zL0v*9^Z`q<(|sPVrE_PO{la*iX||+62{$Jv@^KFGw-&%PEqgx=pyQY2m6`esb30Z= z`5A9o=j%6nr`*+(wCtp6Kf4EB=KSJs3~@F9q2(#*y+Xc{CCS~USUG`R9%RRM$_-BJ z#UfIbi|eZK{QF-r<0)fbz7}&FBy2@=*zQs+EuIe7Hsx8s@EzBq|F zT=0AZ+^6@vtK>k`$iVC2s&ccnrV^;Lu4DR{H&olcMWGga)wcD#YT|*COl)`Xzn5>N z9x$K&nB-l^G3Pz8aQHMzJ7`0tN2aV9swwnrmbp7*-?vC)r66nqdhMdxB!21MeJ=~> zkh=^T0rex>Z1dH;3!OFD z<`06z5!}32>gADGOgqp3_Uy=6pf||>ey#OjFSjK@!OH2WLbFHzLyGD#=`#s&&C97C z#{Y=?m3v{4aPT9KfBp+8e<)vtzgWhvedOiMYa|!!D7bWpB3oQ33_8YqHkv9!c(KAXA-f#(+-MfIj+2n2l(XlloR33AEZbTP&5H9mc>%yfn* zp+>zTFJsJSRYbjGh(Af(hkl+nURJx9jgj;6ZQs7}Y8QEXh0n3ct(#j*>eV5S0+^OCpH`cUjxAEjCbq zqHr7xb`>SuD3~g@4W|VB zm7(ZK2eUo8P z3v54eX1Imo^(8WkGnC?6Y)=1TgfgtP=vQ;IbP;CI2uiTv5sv3-B~-_a15e4+T$oyU zUN+eYRHZvL;a8x7Ik})tg{~4cJ2F_^5YP6V)b|?1@_Z?!cC*PI#r5uJISj2H9o^Z? zhEtnS`!P*8No?fSv0sjZ?Pr{e^A$MpEEpr_UXGA0&=W4;4F8iBm}VMOX%X}YZcY{4 z;2Dpq{!z+f$13*gPkGEn3%8=0LFy8E+f&O35Z^%c#P2^M=I(}-KpX0O63NDhBAiXe z74eu@?!#Ya9zkOONEC^U%fUvW@t;`;dtXi=b(8I%hacE|Zu%RHz9v)%1FoiqY94Zb zYHONC{e=`aC%w*p7sfKQzfq~_F#;>9v3qo0XwVO^jRw71$kuN~!dfM(*4hjJ@eX6L zm?^pUuoo87fT@bztPc-bVvpo7Nx-8Gt%9V(Rjpu_7g#)DS6*_O2SL;CkAcYw8(c@R zfK1uDf#K6L_%!?Wx}b?yW3jb~*%1igh9zGvS@nOVys?O>dzA4F@5vvdd|V~3$|N9# ztou zR^EFuE4~w7WMVi7ZmbV?3QXg7u$c$R#qg~)WjJWNxVZka^J~o?DXr90%fVMm=w%nt zhZ9L`3%JY{+O;Iv`>Ca>pzEpca%vc2eD?b6&J)eX%gz(JA+2pP&k-Y{zN}aTl=b_N zN^PX%S9@Ttc5ADC6SJbEN%_dg-3oV|Y1N7+tq^KrvSbhG1@B4=BZmblJq~OVTOmE63=>AqjK)#^PLuFC{^l@aH%%Ey`jA#Chz z8{V+Xs9P(4;bUV{BYSZ%j@8%M=IF%%jeNozq?JF9v@txZ#ADqp&Ye&6u@kGsk@HJY z<5sur*N;TsEYBnwS!Xyl)j0kW(w8_}uM{Q!%aLC8=)KCsm*91s;Mr`oMj&T~4NhIA zmhnIaSkZ0hI&+_HAtgTyfI=)~7uA zl1AW$CI9TXajuKsGgXzp+kT7yT)2XB!C=usXE#zGH({mV9ZPVwk-g#^kW}-jCR;1> z$U1!YJju|aOK9W;1baM^tzMkYE~AfY?{X>-vXMUC(L<&5|910se^O`t@j(|;aG|EX zD0gD<=<@FGYR1M%#gxk`PM!Y4H_3j& z&QE&zjib~>DBimJ_8>;F<^FgUi=Ji4FxX` zF#Pt--(%PkF%>>YxqB!e?kZWS{B^v&DYTWy)5AyibkKF|>u@hK51;&P6A3E^CULGqa{;2wXAmy#@Qanz6xQ+5!`9eQPK7vr?IZ!@iUL$;&v0ayUG4}?h{D1vh;r~P9 z{+~MD|9xD#{~xZ||9%YruX+2l5ZNTLy13vQon81(u%6%qMU|0KRF>tf?bFSo{Zt-2 zyI*d{C#hDJCGemS zH<-A$DlR7cA^DrknBzk0VRrLI6pN7qfnn=Kg(At(<{|+`2Bp6I`M^kNZ8H|#RZ`)pc%^DoiKnvQ1cc|wTMu(F5ZUMH+*b1 z8R1Mk3;Y$4!rP%3pVoBgagd<)QN`F-{x?srrBY!nkVEi)OrJhvTG)9CXg7_ZZ-@h0 zmF(aAK@nh5d1-2sfkB_ik=lHOE;R4gx8M%PmA%`9^gB<03^(D-6B(F$Ew4zJ`P_S* zRd{IAN+t3g8ulm;#R=A3n^t7cl_+Z-UoI?eYC1FoKhDrPrG@wqhUzqMn2<&xYS!$;cT{BT?Tk;lhE}04W5(=n|oUkf&sCwOcr*Z-^fgh zJ42U-g<8WX5G8ZYjc4!Z7ISHqb2mr4yH^~!#5NcWC{~VTx)&UhI(L5=Hy6e6O5IX_ z9-c(J3?Xe-j;bO>Uw1m-J><2`L&hMEnR=G7H*70Okfn=#Fc&CTp7ZOJtDHCCO|KpH4;`VUwIn6z1 zg3f*Uc!=9eON~M2*@&IL6+}+LQ~c=-9YW(vR-i(I^FK3{L;ScOkMhAqy_N}jZ)s#1 zBS2_*{*IHpUym8NY<2j$$mTzT(pQ@{Y}ysOCRLGbL#QtI6mGw6Q+TchP^Em~j_|2s znA^UKeEjkaAN*B+f%~T0#pl6rSAjvcQNNp?%Cc(<;`F`-=QT{lgZ`&veaNc-{vcYj z0?u7LlRFt6?jB`o4|pLjdJ|9KWMzO3@H48v?kwi1yDgSV%4!NHzo%kt3cL#dQa&D>EQ_ZQ)t(V1Ia3I9MQ*NN>9 zY+GD;1W>8~X~uxqEU;~#>0v<#+O#jcM&%%#*^Ju#$S_5H+RgcSS{&_0=N?@-jli9` zxG(5I&J+0!rv=fHc)97*Qb$Pa{EvqxGTUgFf{UHp64`LaNy3%?sm~M&gT0^7pT+U# zqyLQq?VaFqYI=l_Oue=OZ`--R`{)Rq1f85sw($U~NH9HKZ1q{nzollmWn(YW0aC~W>UWE zDOX0_Rzmyo;Vr-aBl;FFY_+Q&{Y?YJr~CCU8e=3?((^IXCrdZ8AJN*N+{&YI>+U^OUcteMaf`bgV!g^49{KtV7q&E(dpOQ zG*Jtmf;0;n6An=CqNZ_*IrCSNU zBj1U8&V5@;JYNom*tj^+GuA~KwJ2Ac!h{zTq{VREx7gzb-?lPIIByBaIgBm#KD3)GmE3mw*NpuVShFGrMo^>aQnhfSN2$lWGrJj0H=^vp&A${P(@wRECyD z7>e#)Y-g7XLFSdR#7FwoIx)S)Rjk2yGS?`jpqyT!r80eswB!U~1H?!swte`R14jOo zo6g{0J-@*$vf=7AjdG)3szGMk%A)#Rf>PT`<9=$&vny>x+e-HeE{CPOs|BvGrr=8`${odMwK zs8j#^lf40#wlYGiXQ6OjPz;-JaCRhz`s=Qf<1y`N#3Zfi$MbeR?q^r|2=|5u4AvC8 z0wdQoZgd@B^ylLCRraDX?xqfYrr(J#se-JhEA^{|c=Dr!*Ij*P5JQPFbw&yE`64FpGrdB0t@lR)DbH(bw0C0rtG6bJWb{=Edy?)S1L`qtlGaoq#K;oQXjs>de3x} zyRd1N8Xx4w1B%(BV@eohz5Oo3|08+|zqy<_eaw+vWuChB3;KqEvC2=h(9F1(X?d+t zKOva_Y@k6uP#YuOe6t?iFlbbL%yc zYDovTjwEHBj`^k32#Ho;3-$EBH*c6@KdU?NL^=VCn6N)}Duj?sd9uYnQF*e+$k8OulxbnhX%SLdRAh>-11U&3HY5dblC)+)iIJ7n z(gJuOPy5Y4Dr2bGPm#>nclda6qnz0;gP#=T$!j3Xv90@G?7e4DQ(^Z#iXx~~LFrX` z@4bpjlio|{MF?w|99@EJNMI_ zxij}uX3oi+oO$w`efHXWueEUQGw_vod>E;81%xin^V{|Q2E{Lz^$5WsryFuf{n|Uyuk%CCQ-{4 zpH0Ip@O)DrrQq+F*HRlYV@BJSREw}ij!&4^*HDZ~P?9{t+ zAE9`}QU-$}6z;sfkP?>v<^Xi3KjEj8N^Io*PZJ5z+K?!7Vc)1O5TT~t2H(E`oF|XK zh|}0#Kmh9m4nH1G_yUL4h zZYQ^8bOrlK4JF34ARJ2+`BpG=>)7wHYx#!z$VnxWdqGt~QSCCO%jb{Aw68<20xjLM z1ewn3D+ay}jE3BPz{zw^=}Zs%0upO}i0$H?t|iL_|AuBytgFP@ESw!aL|&d&k2e=1 z;7XiPKLPncspNSUbY9ic7J1_$PKWRFcb`#;QHu6hIho94dkW>xuU#ZCeaV{}U~ks6 z4?MO(eHI-Mzhw*l>QLGsEY2t7l>b(&|3wk3BP&LwBhH~gc#QipRMG`3bbD55E!9RC z($@a#A6`~_;G`aD&rGdy@~0rlH+h>0OO-)nTE?#D;zJKyc!~3E27|sgWKTnHT}Y1H z%pI7TZsRG5L5VvV4R=oy{W?MJDqS&n%N(UzR@R(%S zK4lTtWYCzTI9)2gtV(aTu9IikIwYxF`~}{y6oltMKIQG^nL$eO)`H6icS(g)PRc<> z2#)F$0q}y+{>gFKj_3$7$?pu^t#j`?NcNUO} zkNIAV2>z1p=OPjlsLGt>?}${gdXAr%5jW>syM!YzkhhHI_)i`xwUwSJQR!{b%=4RH zZ#V;;Kb>3fsYkE7+Y8H5i}zmx?PL85PpIbEvbBIQ^CK)X%=0_fOO8sHdbw>^T2L;j z$2IBiMM@%*pU1~=n8@rMkErrM{$va6rpoOS0=Xb*j$pC?{p4g(_``s=V*&s0dKuv9 zQ$M@=R;TRW@(({5nxc5Q3b(%ypGo~wmBQCh(Y6=y^yt!tbFcDJlCO+0r z;jqUC(zvR~x62}gB=1q`-hpPg$5v%4Psi$UmUlP=RyoO@O?mSQl&`z3`z~V3OpPYf z)gMypefQ{PRb0hYj4gy*(1}Mu=F1`OIU_F+rupio@XDEUbCF z(}mf$igFlehR)OWL#0y9WuaEXaD?;<*R0d?Rv%IwMqaLg=vhkbeaLxsbno|(N_i>u zh9mScGy#=fvLM!!k$A^18ePTO5 zlH6689|)C-b<)>lESA5%3ebJ8A3ehvt<+#^xhn!VC?4?CMf<$ZYwT4VMl5OHNhPW2 z+})PusgN9aYABmT^BG~(+V@FeC>;+MLU)|Rx(-e+-4)9P8 z{)Tggf@4W^VAxFH2d2xb#!)_%-)7`v3~2oP;Fjz5fZ<=-w5SDtS)+@%m3dVTud&J_ zk&Ri1q+-fv>PfG~oMgpCz8#~NwU)b&yS-EmlWb`r^Eyiu5~*lhZ~q{PKi$@w z`+mKq@Voft#?sstBMZG6qFbx;Xj0%%#XmfY*7{Js8Xte=z>SS?RlQe(pSE#kIN{Cp zS_O+xt%ktwWNWf~#@CP5c|j*5a$2=>L^+rETf?ZL`n{}Ju{UNV*v(_&J(kn&EDvMT zmPf&c^O#b~$7-`yShkN$1PaHNgsFNn_F1p~;q~0>yxxRyMlsK20%MZQ%chMZ8g2at<|ib-X$-MW6#29DI` zZ^{R0aj{k37Y{F(tcu86j2Ge->{kA?O$4nZuKJ_71$*|I2^O}IG9!vTh;V3H&iPmV z>sc8|s`@7HKQSQHQEy%d$|U+x84Nc0nMA9eMz*60XK35xAXWF!8Kc}AIksQ&Q_Gkd zl-m_lEuN;PWu8Tw*t%))Q;|@QFPIQXIQ_Lzr>{rXH^0@5sxdOQ^A@oGeD=fa24r?_S7>%%D|L@o@)rcJ6{pFK03+`1g|Oq?Xm)T`M&s_62f+e zZC`mB6j}E*nRUNh!97c;MGnvL8s<;sbY%i-2yzhd!`GM~3PU&kM>MJ2q{Rd4ZTndS zYYksY!)r}4aobbWvaj1zKFPd>d(q9ni-kms{msq55OWFC*A)=6uCA6fD9&=QLB$yb zgBr!oMh8~cv$43NO%e9U776tOJV~TCg_VroTX@Msm%wZv_Ac5B^G~sNJqP{Lw z=5FFw5G0|C{l(K`$(~=#;-rea%( z(NeO~v0QgW0C%w&=45~KK1(PKx_Um>T=6VtTQ%Y=hMI0I3ejUFQdH=BiAeZ_RbIL` z(+Y92SWj|ARi2G&dWgovovVT?cb+3NX_s(~?q=Xmu!paIYoa_VvwcdCt0!Z8IA{irC9l z$CpIYuRnKFd)?dIp7?l=d3sf-Tgt0Zw7_yFF~k$8D5Iv*6w}ZcM_JKw$iRfbN^l{w zxMNNN(d_Hf^INYqU_#jtLnJowBCQb;ZVTXqixJNjorDt%QQL_Qv`2j#zow-WhSz_Tp&>P{nk;t%_k{ebPo zPvq-6sOJp9+~=GNb9Fu76(w!=ikr7h?Wq6%Qzj)Tc}BZpD*87nT^sV)F6sEPB9|$eFaE9TK(1SK-jU`q)5mj>PDl780@ovb`rT;PpN(#%y4Z)SGLzcxnhFen&Q9ESYvgQ;=+ z+CU)Epw)bPwilU$-)pUD66fhM9`3qH@6w&DSz0bwLU0_x=f|C!7pLEg4;s%r$9os< z1RPn!fe1@mPYCPNI{$DMHVqsHx2ZK(vDC>Slj4nh|6=}pa_DEp*2+AtR1=Ki=9<~z z{NHLng4_~rh|n|9wfr}33`0KJVpYqK(b5KXHV)xrZ|HP0dzJ;lUuWS@ceS$JhG~ZX z`vA|36?|pcok$~&eHVO^SnaKz;EsxzcO!zQ_dIT7 zoy98Mn}4~$G=sgPpEFvizYI#U=G|k)cM;Ha%%Ji3!j{nVHd*mBMP`>#H972t^|V5Z zUq>FHr=TN5(xv##@p5K+NYq&f+)WuP`+had7jOf)Uiy3b7-ZOqMKq=oM0FE}w6B!; zX%^IWbF)=XNr92`zPg~dE8e3_8hnEx-)5b5-6lPk^M1UEK3SNQIKW^keZD;?d8}~d zI0NI-Dt4`cF27!^-rOk@v_4c=j^i$4auY>Qwhqb2FdmLg?pL^ng4l=SxyNPaKM&ja zN=jlt-1k}NM1Cqqiv_9el%M3y?IKF&$wwSZ(Qf`{Ace}hu|}``aRyYTu>kHL%Iiiwu%F8KpbOf zeB~MM=}^_9Hec@j9yEq*iBFjpkzB0MzH@?qcq3`& zBf`LB9qKGuQBAI!5G)nT->F(>9NQx|l$L7IT;6~5V?OgfI?iiC)1k((dCq!ZY?0@T z=LG9ML>SqCXO*x(QIVYiHWl+^lq6Yn-m4H?S4mf@{QL2GFwz4taICzaEI!tUk0is?HyO80-{ z?@jnNSEql-8ID~DI$qp7@heneT_PFqDV-gKgy4Zo%l-((PyjtvTX4wW;_}|{L zFk=O*bOGpjo{`qQ-?r+(LC3Msqe+0#*bjiVM(<09(FGHALq4 zT#wgRDZ9lxiebioctjDSBnO37qzih8dbJZo+PS-as~B&+oUhocbxu*x+ZzH`^VW=R zIeSk54*b&~-*T96wdK{kuAX2|q;gCzu<6757;$8$vu9JU{a7L6VRw>*Cy4HPlOC zZOUgZK6BT-VdICJyM)STncj2PQDLUk>&N(CpfSfAlX;p~njoq=%uZ$BVSn}XW@~)x zY%KRvm*s?s&_saghx2A55!y35!?R@~%w@dKo6s-}P8NwH^!!TE;c;I6{>i6d#Q1ZU z&<{111j9Qs70)JhyoYFLK2G>DExBk604Hvuh_x7u?HA*ish? zLA^KVQianI+x~uH!7l*wq&%$IPYV=VUhaaL`t@Gp&5sQ$2$32az})1so~-h|&-D-N zo5-hb0gT2w<0TfkHJ!?%a0^b%wlf%iv|rlpUc|KImNh<*Cdq@TzVdaZ#)P#EO;phN ztiv%&l$%^=NtJMR(AT~$0nY$t)e!epzxtiv;%MH{nT?-+91mb&8Dbg#@P6XVJ==fu z1g4JkT!}7TDa#>uVws@iBAVP3p5`>WAS#JlSas13Ee+w)Cx-U5?ftU7;CCPHIoU6b zF`S=NG;=qYG-Zek(BzPIU+U**<juaz5w?>q|H!b(h{*VrG>uK<8&zckN^V({Ob z`1|lr_As4}DmgSB9DJg#}g_?-?)U}SPs}toH!6o8^ zwb(mlDgM$cvWUjyJ;Ak=E>9U!_OG2Nwd3p%Jw}{a`MApA#xmH4J<3exec8H7mpMpDK3+M=G0_o>u5mVQJT*j*H2*qMAGvUExpF z#gZ%%BMm0KoDtbl2x+2UJ^D#!qEj=M>l#M88fevrYGj{_c>9ZZpE^4=+n@M zbm;xZZ2Uf%$}!8r(>smZ{e8yqhC%s3XxOm3_N6SpCrD{?KFkAroP3CBkFu_)%Kwej z9hIbJ1zn*-@9Ha2#{exlf7h9Dq&j5=)A*ij#pA-yk%HxmwcN3_vU@n^F}D|+*|}r^ zBLrwNF}pxxTr5q}#3nkV3jR$CA8Ot$>&=Pu&(NvYKYo~JAyv?E`~2kXTu~qG2&BOC z{d(2>7F9u%Glf2uT~^`H@{4F8Ok`og2~}BWtX&_Rc|0P_;vDy+X3Q8zW8s?h zt2!MabVo4LmEfwmA6D~{O-&`e29Z$)`(?rs3kDug_(%Tv-IoC*q)=vu;vH!N%l5y2 z;S4q&B_#wIU>D2GDgy!Thh&{!)WOo6#Bj z_g0wHkG!(Y;(X?NIs0bj z)|Si+au~m4d>k;eV46ws+CIrVJwr?s?pS)R+Kw}Z+Pgb!zpM?tEEh_BG_$Vq`HOJS zXZSCzW>?RYca-1UcJi`?h9)C_dfX^^PMuMY_|C>TFtpPfx70^(K3f&&XLvT^;!IE> z(oO3~ob6t=^G7RVn-7K0(w6<_b%eh)j7z@fz0pCD`FV~1yl94^jxr%fd<=TY0Si7= zmN3+$RDj@2Y-G#NK6I@E7=nZzUYo{H-?(BPrRbX3r!noeWtFJw{|%zDPjOQsNNiD% zTFha`2cDK@hlou83v%SU9!q+bgD7F`TQBscuUmObaiJp9K8>;e1h!P@f%F@@=N{$f zMb%^LU`)a@Ukumu2%?Q3ZI2SItBaUI+B~!OwJvcd26`$lw!A=MZzsHt)c3;zmu}{i zabwTH4F5?C7p4EkXd$HkvJv>?L`WI@3^Dc>zyCG<960|cgr&nA2QIt?}AUIc|trsHOFn+&^4 z^^lw28&;kz{Hpz9*k@mIHoCX6FOsOZ_~GwX4H{w61A6e801!IC|I@OI+dSH{WFefU z@Y=GTIG9Q3aS=T8lZ_Va)6tktJrq5FxAcBE`SY#C;v1`2sI<~pDdCoGy*8>62f_O5m9;V)7L8Qg=skb78 z)=}8M{D#y`+5yyOVqf!`b!RYi0Y7jV2^#GJRH*g&@UgtIoOmwV+L50c<@1(_jes`i)Ts(BeZD?FP}}p zm>v9MdbXRDc4n%MJ3FWeY8J<+RM^?~X)Bmi1ZdzGOuWtLq#eH}|4LtN@$T6Z%fc$- zUU1LAg{tZg43IC|G2chkw{f;LVYj2mg};~TYwa$m|=o|I?Q7m~jwiY^GWjTHi`kr-MVuxfZ-r;`3 zg{eCRn@`tJ-f%+N?*QwX&ndhN68XK163w{T)^?RjZ){GY=H5X7uN8;IaSA2eq{t=1 zEec?=P%_2ys=#lucz=HCi5f`d*pr@+2N%acetsKB3Hsx^Hj___n}%?`0T)FK z?LQM-Z4MVA*T{ZBdpq?j_Q`OOuX^)W=B?&jj||u6;@;AKAX*`vE6#-s(vCeHVf532 zfmTYre0|OS0c*Ziu7&1tTMj*|dxLwO5}O3W;!S}wviMZz)6>^LzIW(EGdtQcM? z9Xc8NW_#HlVp&pLZ!_E4jkmVAnMOVejE%~J&xM*ihVDtnY_Ady>6#nPXOJC% zLc0Pm!*`-m0nBG=%X{B{cn730dUY+F)oh$kWzd5%JsYE5jkMX&tLH~5)$@DL&$}}A zDv0?dMv0-VUwIF$P-rkvh0a{P)N=>QclCOL*+D0U%84pvoBjg-P$v29{H<{|TeX2LJG)!{(>Ik3Hi_I|Mnc+=6bNL&2?g&#h zt=9P*b@7%?C(#|N^H#k#al+$@S!R0X7Y=^%>??uo2NkHs#>6)ZRw2xL*8yX!{HuwH zC!ze6Efy%TDzw|x)uRis`ka@hN?Q~--i20h*`bGwLBF8mCob?Xp_iPF(!9A^vCLpr zF5k;`PwDTX{{Fi*Ee|Ryt+k7fjt&|&V z8^I4@4lc@bm4a9+d@xO?_QMsDjDyB&GC1p6YkG_T)v71B^87nJ`)G>qTSB|VJZAL$GJA>W@J`JLz^6tK~w|tl8au**dUi}Ym zIDb#+&*STD95kI?o1Cpjf?Xa#K}=?&ZEv>TM+ia%L7a`CW(wMikh%NcGYB<7J1~x? z!({r@3Yp6OK+kuACe|eJiQ+Mwnqu#{v!}Fx_GnZd*@g{|POauXPJQ!cdyP6>j)4~h zXlA}eJEp9ug~&oIo%j${7fzSfb89dYD)c#<@IQ=f*~X)WKAUG6Z-j z)gR>pLW*?V`x7`nJXi~W?2G`L{Bp~Eea^vyf!qP4&sJ+rzL#qGJ+SnPe=PJmm0)Gy z)CeP&tvNEq_E6qb2MbiXx&-(US0dJ*C1|uvLFh)ff0YWSp=?4uLTk>BVUOo!st}uV z%T^jSNx{K`0EpWRr(#~PPJe-OGoeN&M7|LwuTz&UX4Fa(uB#@hX{;AFdfri0joezxYnOO3;cfu6wzpn+ zG9+ubz84&m^8~RQS4msbr<)GbB+R;c`HTDS0md(x*=u$_jBi}fkA&ZH%V6G`@Pni0 z^6+(yDOQWZLyMR44;t$_Duo{xc4fgeH(!mPq~#Im#AeQZ zFUZczz%*0p;1OrNsm8^J@Q1TA)r8;wlVZ1icj{wEOiT8B?@&nt*3r|Sz}Azlb75p} zJJM`<@{L#okTc0?1+g$x zS2iM%<^yk^?1)Ukw>@bS)<(yZEf)%Y0)`TR*Oj6fB1=$d9=C} zuzwmL!&E{0XZNb{Y(rAPjCutmjnFuAyX;6FVjit8U4lVFs!31ULfQBM(kQ8Ej*Mjv zb%tWWF)yK3QA@$AEz!+Ph-Ia_z*oLOW2Yw?Fo1Dz)vV`MN-=6A?%Fr?VX0F6`>rh} zm@{Q$598?BnyH-JNmD4tUB6M*jV=KY*{q4IZP6?t692SW&@2f(Q?#HUxb*exi!mK~$%>|L%JzVkck+(CFNtAAUdU)Jp2 zV6JBx+hn*@il$!Hlycl^Gl#wBA29rlk?`%AK>XT9K4jjy)F}gmIW;vWlSY1y^{+q* zSIodG(p$#$Uo}52T~&xN>)wNb?We9eE8L#)L%k#Z;rTKbL`nX97eV_+6vb3?>W2E= zpGt-*=c~ZgVdUap*U!@EQ;MmQ!olS!JoZ?-_jqzgWjK3Dd+LH#lO~tgS*mxSa1}5& zRoYhM4$GF#|DeLSZl5fU2P_wf0$jAiT8ZUwJI7MKAZkeqmYxn@uMpWJ$(Os0hyl`(DQVd(B5yzq&7Wn z*O_=-3H+Wk@gOQm+ntt3uc;^?mI=F_FqGQ11?2o$pP{z3Pn7B=T&P!gYx^!haq-LB zW$tHH6W77NPe!Pb@CZUBFp4??qw;J^?yFe zZr2fs*QYn;$ga?424M9_`f-H~0&^$Bxw9M#iT>mI*R<)MGqAa4)C@9gX}i!D^pFWj zv$UL_jOZmZQI+oK73)SwChFek%yF-|j$lS!2@G0jc=lm6jm7L+2Mkh(YKs%$={oz_ zqKfPd##H@SWs82Jcyt#jUW4)h^o(Ow&qB$@EEA&PdxkQW&ftGhw)Fz`CW-MK}y zqu{M15swu^U}DEVJolfTH$WLkWe(XIrm^$%KcMhGD^G8xBR9>Y`$~Z5(M_37w+#>TAPn^XEmZB$P!fULg6K#}oXq`;af$ZUWUo@VD8jnLYY7kmH29f#oK&6G&FBFu* z99Bo0s^)}7{gE30*e+{$t3!ws7B#7#>$ZO)EqjIliRL~Rk;Ugl2&%;j9 zGqg~}|8$;Omb;%cXFrV5Hg@^iXIWp@lqA~&W)rL3GkkG28S=n-?e{|GNQmNerz@mz z^JjIy!8ak+IB&VfPo(%=@r1PvQi;v&eW!~OcqK40Gm0bsecFBjassQKF^2OI_F;AA zcI_j>;-hG-?w$oJw&=T5KfZrAxUyp-B(>kC@ZRNC=YIfiK9KA;HVCJPjB%Sk+t8M} zvhMy-iPE)) z{%Ru|7^ksSnzCWm4)xsq!yC*&;boU)Fad+@{*gu^WtU$vxOQyyToO&OHB1ItCPEd9 zK5}Ae`?g?lAQN?Zr6;M95Bmxp-E4BTX7KC2@;~o*I4Ln}%Ie109FL!bQ?oY!&PS!d zvt5T%;68^`HB;{xw^sZo1?44JkrdUU3(TSPlQ=hD-;m&Ns#NAf2l3gtZ8Kk6V7ced zE@vYq)a~!1P1CEWvy7U}qbNs-r~9JO$M)eyn{}_cJZZBZOFL=jhef%G1LoidfOay< z>QR4Yfnafc;8o&Bch9yfjg-cL4A_?io1 zkTw~JVA-NziuG+ig>8iYRdlb-*#`UOdN)M+hfI+!Oi6W|tTb57x;;gKYMSF1nv+9p zYJxSNCt24>RyH5CubfE!5JY4$^~in5VLVH$!qoLUz^^L;>6iBhD=D5LIdCK5Cc!S? z(g*DkIHPOGNF#@>HWqSSaWZzz{E)>nBu_a?)z>>>A;Cdid&5Ow`mB1vl$T>>(5x`T z>Tap6^5Upa%bReTn;}V|!XRQyJ8oG3x?CeIZ_((I(yLy!_vb}-D@tZAGJGpaOS0Y3^FWin$dVjd(S=(9Y1181dLQzsgg9mfS{Y2TX~9$cW8tN-}L-B zDk4RF2ay#0Q20infm&y+<)+Z|tk~WwZA#jr6HM#nYvALrEyf7?CLBa2E=6hfwL~z} z5usP{37g-uHd^=Nk@oM|i5Ijr`c=fo!m@;ybLtpa=NyHn@t0;L>XtOAN}o6To~xXU z2zFt5eu)xskV&QOmt+8`d1i4MT~vI%eEs86vqT@be@(Xd6#bxtmj6{ZFuh8{%=bD= znOh13g|u1koK|cXfjTp$#J!OlJ_&y|(2=In0hv$c{L3;_Eu8uc3b1DLQMom?#Kr=q zvdRL}bz7D`o$m5{#4%he54cN~!z~l*dONcRJ?ZF1*H9*HS1p;f@Nl7PrdsxZDwerT z9HHiweYv?mo##CfIjtV`K9e*0mYw&YW>qimnQLehpRQt#yDk!0uN5DUa_%0gF(b}z zD0iB&iyr1y=#x5377HTMde;(O3T||yB<%_Qfz_L=G~EKcGfOYdi6-3p=p$Pu$yw_! zEF1o3VFa9qxjBT-6xcsgaNSeWUT&d#P%W(RX9}x1sk+u8{bp1$U@>nt&EF%e$)t=tgO3KgNLrPZy`xj8m9h5qjDUJ)c? z)Um!qN3rVkdH>%k7Q5F@4$V-YvTeZDTF8^u`eWl-zq#e&1_$RSNs)_ zYy>N_J{$wTEfrNWYlhTt z%lyM*>OQFOpH6U?t;I3OfdBAJITjYThx|p27NI`{zXS;#U_C?k<*W_2_U1h4Wc)L< z_%dS2t#J7F&cx+=wM_D9PWw^kYJ1RadZC-|xrhDAD|YM`=g({*`6lJ+?m?tI5i@H1 zPovimu#>-BN$Yo8V%a%bt>HuKhXMyxyV(Zb8=-t1Z$5l|og-grWg&n4gAiJbQQf z9iWAN!j?g>napK-kew*FC$Z}=p_RYm$W%t{b^W`n^341dTgTg7%jC~=sA-t>!fx-+ zR^KmsU4%3x?};v7KrkvNnf%=*;Ke<%^rKoW;QETXU;c3Qr(6)7(LRh>roq3-4_kPa zDhnWSa{P6Kayy%t**Jm0e?GR^M8_QFhZA4M{lh!S4-)#`+xHJ|D75bEr~)L!Y`8_~ z9m`^>R24>M8{*~~=_Xi#SJdx-*lOJ#z%oTIw-5@D7ul*Yht?k@*KUPG2u z^H=Z9r80;I6;HB}+`HafgAvA+p{OR>C}tJUek z@;|)K8GNg1n9>QyRGJgeYWa=3O}6=&M&M%smw~P)-G?xF2fi@FoG#JRjLLV1SMgrk znauz2&fG7KuYYJ&{A8j@{eHE(%IBWhSl=-189WgmVAO5PL3{M<>a74f)>e_mFWOtFS@it< z?4YJgge=r7_8vGFpLRrbwOoezj}T9#bc%L|i`yG=KCkp~K&-?zP(~g+s(~XAox9-T zU2wQ$;hY4Sea694@+a8IF(w@5SM@<=m@!=V(pG+;X!0GiDShUUZFpwca_BGFr)u#+ zIcCF*rvFo489L=z*mcyw9Xn1(IsLTB3a-@y`iHkq9&?A&L_L8gdXZRQ@8NVc4Ip&U z!CDC+87}jo>$mlVCBJRXRu*M;XFNa;?S?2nM7dK~VtRvkqw-e*e^c󅣚V%g5 z_H1}l(}hNSG|rIuOUSdu8sG(@XZbKNqRgCra)ZZ>XXdl$7cv+R&6E2AglC5G#dnhlh3Bq=>< z4@@tzE*ImI!8}C3oq;3WZBY5U_-<#_>nN!#uJS7egPI_jNIts88fKwy>oAx0=0vWB zy3tK@p)<7QJ0SR}g4A}8K9+a?q@tW)w=uEOQPq>D6SR@;HsMyQO8uK{XGHnB9fsU5 z`9L*^Hst~*HhhjBW1oOKPYw&zbc(!1;(MutL(F{7(0|+Vv5lmi#)k!bmt+~p`!f!y zpf4pi0XQYMii+qdVHf>mfjGQ*r83*+mcuk+02P_`x5k z_A7%D83=i@LuM6ft$mZd?KV-j?R0W}z$K0>2MAQ+piQ+j=C0uACqG9&;13GIw9Q1GF{` z(e*JUQET$AJ~qfG4bDpPwAWf|R}kN}Rz!5q75wkg<^ObmMkF@9C`T80@00fJmwZtx zG^G_zax&_gIh4@#8UMmyey#dwInhC7T;EQ=!QI>vJYht;a50sl9ifqHpB|;|=J_Y1 z>xl`K9s2pnz=*^)(c`c7P~t`95bupxuH>Em<|uzhFAC&8Jiniy8(yb)z4|!Szner6 zyu}n{kW2CK;c?S@Urq`0p4UfnhEYQ82+zl*W>NrYvr)9Ra{x|N2>CP^qQf{|S%WkN zrvU$Rfh5&+rsw*q3`u8gCnvU8x9+@u8+C|zOW~c#otm)v$A}|_i2-6tM_9D-is4|? z$Y%q1W>l+IHtMscCd~qR=12DV$IpI=nN1MUiv`}Ew+`m5Wy~wa z%~_8hv__IJD0M9rx+j{oBuB?RgvCh|vt0pjO*39wr-y#^5#Gympg5&Og^ zetH2`&~nrscJi6vNQ)YV#2bO@IMT8saT25K^xudtjM?jYW5UcZOk)AXfT0h+1QVex z=JxTNP%pN*&198h0dQd-{RytRk=TA;2{-5EjN1Wx64|4VGekdGusslNg2wUl2d<={ zVxQb=JqebCOI`jKN`KKI(tfsQy`9T~OR=aFRZ5da*9j)`9eHCqPa>7g{NEdSW6jT* zM&ORzGZ7fHsyEHIbbQCd3N(N}P|$LPOLye~9ZGfuRz!WkIoMOq0byl`VZ8ibxHvAn z#vqOIDN7{(^0}dxYRG4wJ-W`*V)uAg7w3a4cG5W2hWcnfy+;`$zf1pEbP^s$FQaGz z+QO}+eo+il+{g7S5{n~bEyceGeM>(#8Kz;Bl|fPtg%5+?j;MDbV1Hqn|Kfapr<%&xGb<-UjqwV( zK=UN`y^>TNr5R1ywXE-kI{u*#LURAJ_6_G|M6`xHZCyeH|2bAbyX?UbMwB|LPowm3 zo~(OSm8!J?`4#UzabTcbXxRU%STSHBE1K7+Dmc11X3tT}DbK>;cTf#;+n}6(mJ7O? z;?+=-4y1=%yTI025(Q5ICa}0(fd+3{5-oQd!-cu5&J4ILLek5$+>1NGAQ$;Abyqa5 zl|tJKoB$p$H0Ql|`$)@UEy+1Kg(}3WyaQq8Z*T~GbUj^k{bCxnwx0bHm?`k1ife(* z^B}`2j6Ml9IEz@4JCySJUDggvl&G64T1>vpU(}A=T$Cw0+0`8oe49s-0vG!a(q*;= zvNpCxJTB;FOvTd)vuKJV+YEzx_?+Hsxq@7xgP}S%taq*Anu4fI=g$yF6Rkpvueo*s zuCD~AL`NFbYYOsL#0YHNsFSJwAWZw!*C1>9tpD_kc_r^t8*;+_!)jh z|9e5s)7DD1!&pX|luxU_6%Ng$aPVX&#d4S}tNGP?m&||ycB59rm%8~5Y4HK2nJ{s9 zm>gotfa9xG)Ss@%ww(p);t;h7VxEtKJ2}B2Hx+Q;`!_oF`K!pM2lKXW3GdD)2dF+} zidAyG-H7=`*66itusCdr6a6;hI5J3>0C4V*dT%#6{1;yV1yA~2>Y@Uu-Seujj0d9E zZVa~={vdYBbzO7jd0`h{s=@M3Q7N$L%$46+fyAyidxq@WPV`1HNEIsa>NAH*!{y%% z8QbfUdUFTF1Is^M0e20)H?nbX__V~uZtpT19cxZ(1fe%3N~fZRS$mp1Db)_;;PNw4}XX7O8kY@xnfjz0WG@utcr7G4b-M}fDt|w28A_%@B0K} zQmW!2o2Mr=@E+E4M#B-#^h&8*^~5X}&ZAN$(QQ*xrU(t#o=lEQPLpouYFj#4fuo18 z=K#>0B(Vogg4CL`BApI{eHnn^Be;8oWW8h(ek~7d5P?=64;z&$ zeY`SMJnALEG0hx5RAY2h$`q$7P3xTERpSMbL#_Gke%?4+MOV&ia#lh(T4VZceM@ox z&~#PIyFC^LqWmr4{{-w9vIOhwyxA1~q%!1vopt@19BXE3Hi+nlfR}Ruc%KBe9U8hV zB%1jqJ<$D)iTY@`nCGi4Nvx&u96j*uYvb4=fu3*4rgfcec$PLysxOUMFank!UhW># zut}%5(zcbsoiCZnb5Yf}Ua_s|KPyV?f|?7!asG^e^UejHEvn?aKq>Vniee!lU(V$c zlZiHB*peP`F7-Mtcb-pC)5B6NhJ1>@1(vMvJN_sDS!vB77yOZMB;wVm>BE0`vSm(F zd#rGmwZ#uY`zl5Qpx_6aj~1RM;siW^!vEoMT%d*aHpkvPMOy;&+`niKh?-(XlD?iz zWj4Wq#C_9(=+F?n&EcuH8=5#L?we~}C%wR4fF&`QvvJA2N6o=_b!qe79(`JIT*}wnrCKx!7O)_*{ ze?IC7#7$$fw@*@Ey*qp*9wlpCG?@;}z_=0|m68_ruMje+$;~uDwtOrBQs2c|z-rCO zdayN1;(6U{zb|0LtVTb~^HI_BTtCUMxv!Yt#6ma+=&|N_cE1ijf%@+9b&al0 z`scj#DL#7&AF2GV3|%4?gUv6Lbsf~vdEKl@e&q|+RxQ~k@EyS_PWh~&^ULE^UO)K? zw9V8|H@r^s3tS^4tjFCV*<3_$-!&5sLrFJ`1uz%UqWD)a0poiRiA}Ueo3+%&UUk|H zCvp25e+Q)+47{(`8G6K==&k+_&-J$cs2r+4EKiUB_c2{{#$itdqg#2D&5MvH6~F?M zrbgW-S9DUK%^j*A!(P?jl%d=Vf_ra-ZQrcuJ@6eMfZs@`I8{qk$j1lE*k|odzKi+F zol>1vOksR>_$w^@2mkZmf*K!3=Iif4X1nT-VCgIGusV@MJ9>`}B7d1cQ?`w)#=2Oh z7taF^ZnGQX7Un?koB@|+gVQ3HRptAAdlkfU!qEjH`C4V3nvC&v?@#+-YU}*RVU(Nu zuE^*2pF>(QaW2d(F4GKJQv!l#iY3OPDI|6giuop_`+ry4k#SVimkkulG5a;N+iM!N z=ttj8LsB10d+z5R9aVp6Kf}qvY{E1PUxg5q3Rq)?SZ(MFel%|N9l;2`6?j5GK4p^t z%|F(~Dj3E3fYQI`dWv5VljjdhwVvuyJW%{$hUi5RSt|lMQ#dbEtOERN&xrCl)@5NZF z!nR8OrUTMIOtL?Ny_@gd@_^1448Lp{j zagU^E=+Jr7h1TDAOI7@MzvMdzv2O3s!KC4DGX^&s6nv$lpiwm0Ea9tqy1K5rWMwwc43g>D5&9NV zLymX6usK>CHB-cuO8_+&#T*3qdZE6@=``gv-8a-k#}|0IYqtVqRAJ3#7nWOKtxzxq2{sG3H$_aUWw9G-UhlcOaO8M98wi-~y!*i!lsxo)q z0M(PIFYRCW2f_-LOf#Rdmk!J}_?CJdaFh;TlLv#`5$Bnt~p^$TS1Hb#Gx^)X1Bs5)ICIjdR3sL1(= zl!wg-AC_%g@yBvM2c^f%@4RQc3U>2BBF+PZPiB3Ks>RRWF{guk`EX_Z;7looo5#FY zeK*|s^UI1on!^7Fac>zF*R#D1LLdeNg1ZC>4#6ElfW|dJ8+UiN-~_keZUF)fK^th? zy@NHb_H7@3uE^s+LeTiLtaSd{l+X^ zB7_4mWVcLR#oWClUoV}DCE_T*R5WiPNQR5z3ui8|xLG5TzRO;HGS+$%At+nKMA&4V zta;%v?wrME{n%~ziAqEccMzb{MVlrYA&}(D!$hxU8m;3xOtGgh5dF!4gz|YQvci;< z2D7*MT!pJ~3xpt%~-*OvEC+k`VgTX{URDyRz^Ko%XHQxY|w|Y zFQ>Md6EXoFcfcCoKMk>#C1bM|W{Ji4o9%ruNrn3@^iBEn9Xw9g^ z+Ek|*v|-E|^}~fLZhkkKo1UvAvhq8MGMBU_o9jHKvTy@#s$1G$4A{JBo4S62TY& zLlm#e_ec8vxV)aRaj#wGjLr`~VSM z3~%`8K0g&?Lk~eN+7#=0fC1aveH#bH2xe+CUGc}Y%d6RMr5w3dmFPP!eZ(D{#MQn+bO7KUHr_7RnW& zOrn0c_)#_B!y}+^xWBb_y6kl@WH7fA2?ly%%7qQT7@z5Hk^NOX`+e~#cvB{rVJy40 z`$MEh`~9Q8vG= zTA21sO;~en`QUHcP34Y8MZcl-&4>u)U!ys`T6s=24zR~{ zx85a!Jgbour5}ypOo)IryJ)F+6W0*gjFJ}hMQW%+^2~7JN&xICda8K37{Tc)SjI@f z6saXqzp9X~od}1x>r$X;;q4u~T5oICp<{oGpCNiCHY=VTV4HTG1b929;RMid*)vF7 z>EiH3LcSgh4d=4263lEeOSV^5p6kW0bF5p_JH*hqG=NJ*UA9SH!jH_b}zWo4?%Y_Jr3SCrW zQHm=DztHm0Ka4fstjR3j2?}=;l^?T85qwq>v3N$hozR!mOs}~-8=nUz^C;$SOF)XA zPBF%V=}iqs-8lBmGtYj#Zkhy>vLQE!t<%ReK)X8+Y%PJ6*s?J)aEEso`&++gw^$0T zG848B%6Gz+%#Fkc#tf@txh1uC2`o)aAs_k1oXx}p$dYxm14fewUS5?r zekf_p##bgojn9$&C4sN%fC zSP~@iwAo>vN!r3G6^(ldPGi<1rCWwzwLAO&LHRc_DiRa5B#Y(5%0vC8dCI?{B}mGu zLgLl5lZdISdkyGI(@0TVYI9&W-zi(a3WcH1hcXXxe@K8mI02-Mn~oZt{Sl3?FMlg_#-A-H6N zKE;M5ZJaPvDn#!JibSgQxP#xVnfm5cOw12gx>&SPYBlok5W_!Bd8e7Dy(6^9^kR%{aYc?84L&w`iA@k;iFqPvs zp}Q$Yj2?Ca3j}JTW^Qlx2#OKDR)kOcv)N!xTGe&>jC@OdUT)W)Bp!3xoTeOv!$TI= zhN=X-z#J~ImSI|dP~g?`KzPC_wFCsjADdsfcGCMf1`#N_KcE;4l@GP5(yu zOjg^zafoZMM2i2ge;S2$iUP|3<6n8F12gs1-;TGf9{6Z(`C5z`&5zo3YUah(eDg`uJApXybBRIxT%ULUpo*gAUK!MXb@shqs26Yh#=@vXk|KdI$pv7}JOI zRYL$Gye;&yM?y$0M&dmpb>F$?w(rK0WgF}{N7S2{YXOZC{`9M) z6AqH=m-=VWRU_s`N&$BA#TYvu?T6wZSM5`f@ZyT1dj?B9>fmc}p)HSb+is_7`zv_& zL*`eYDQK3{8*-@GneTxtdl_3nYjjf7;`yVl{S7qm}RV zZU3lV^ke|0F!~eh#~QoSp(b8NJLs${D5_$A>ac}Bm*=aMKoNDJvHzkfZZs+548$2u z)}PIs{(@_WuphYB+iqhLlbvs$e>nGhMm-eAp~aDc!u3f_CB+TKENxv|^yP0n(evU6 zj%}Zm=o@a6C_37mSul2sn9ocK|MynI3X(<3Xy=4KDDQ4(zqN1T((U5{-b(&xMeenH zE#rgTiA1tpGW1=EaUW_vgX}zc6k}ExraYalaz@S4%bGfrlmkLb%MKK=iaNS~fa^iF zgK}BSWv}0j*FMi%F<{-gY|1mUB3%x8*>dkb)rtG1E+bW4O}HB=0u~6goxTkI(X1as#TV@hB;0YMP~E$y+A5v`ozKU z^E^Y%Gn2(__idtM2foqjqi2T#Oa67XN4v^z?c@-G8U{qG17Dj|{h+Bj-3$*6ZrhQs zN>STnM?icz0a!oUt2*u-6V6FM92>iriOVux&Y$~$?00s`^)04`kNfP>&&~uL4z9gy z1#jUtQGHJK(nexGR7$sM?azW&jDt+v=VnU-cq>bKmGb);R|ML$Jf z&YTI-zqGoA3>M(!lM+KLKmF~9$rbTMjbBx2+wzo5v`jKo3S25Vyz}=9o@ac$afGh} zG)V}Q-pS&MdD4)USjt$czN9M~>&I2A9d#fX29*~QPXbuYkm^afa0M(YSQ8+IEFhJH zuzQ^m^Uz`Yw>G}%DHqsNXd@_zuuG^H>l{=^+qx@glC`3aRbZkYZ(3zvwm#0#e2O|M zUX=DB+MFWPETfP|iu9|yD^jv{;jg|&de7Y`q2TSy6F-hwRe!(>pbmu~0lT5eVz~|? z)-la=3v08(x>ISqvPlV!FpQXwtw0ga2!5I9VNqb){LP#Q>*q&}85j@K+EBI-4o+*6 z!K$nW2FK7W&HBS`E@_zDTL}bz+-e+8I4V5J-i=p)$(|xML0DITImzeQAeX)gx~Wmq zYsY)*l4wdCO_L-^TBKAts~)WHh~@8eoeel1NCw2|PWSY=5xy!N#I}rEID5`vFZa+u z&jJ~wncr0!`CdAq6AX)_da*O8Li?;t4zUqu)JKT&ELDMHc3?98D}C~d+(Cdj`cLe_ zAR$tMWNv1UlUj;?o{U5Y$5cN+?gA7psf5(1)fy`PN095|I(OJ@70TBGcuy_}Rai_g zm6X@Lxvl1A_1F4|H0rdWLz!w(Gw|gXie{#bl$zBsSCdxz@>iIZL;O~gu!;8)ae>%b zjey6U2x_L?23{5uI1eP{m48S1x0KCnVLe%5gqga-R9tQ$CP{$D_epXRd7`myxt)0`L* zV}D)!$;0&AXqjWD_2rrSfP;|XehdnEh-X>qsMfzHv3Ww6X%zJ5Fqcd81vc)w(s*h3ll1$-#z2q zErO#*+}7x-?UbDHlsT@OIf74GP96rT*+3hwC>to`cNu$jdpZXi`rA7~FH-v?W6gu) zueD0c6ko?7LPX7}VRSx^eB~L4)V0Reh#4U#d@k}%ELb+#0CnTi7i`tYB%%Atk9Az( zKou%#aiqa5ma81@j)>Xw1FA+|mi;;0!G5lrjY62!Gy<+-((;>!ik8DA2X_J@Gu!8R z@=!reh+S-M+Frj|p<_{Ay?9f|u)rfCo}5D_6?u z8(h}K{U>`Lh!qjfASSj2s~Bi{ZM3(q^uuu^?@03b&)Hl!6CjTvvHWZZ^r36u37p=M zTFlGp<`XgC4MYBG_THO;vV%`oO}}bv?DLgf@~eHB?kd5aVTTz|aW|#f#fjD*R}SP2o3{N(eL5q8oZ2sEZf3YY#E71cB=&@znGW8#l`6vL9hPDdp1U7* z<)ml4_-AjGD-rawJNf0n!KX{FuYybhhG{>pX20VMJ%P;#XaLrsk5nE`uT5DB-Y`1>j&*jpP+x}pJmebtAFZZwX+jEF|=&KN=fdtdnYahDLzS*Pp=20}jd%VO4U9LyJ?l%3wEp z_O}UU-yJ8+Oj2!UI1Ueu{a8t<1U6Nh0Pu~jL8RgeNA)gHy5;?F|FvZ`2jO8^`j>;3 z!PybAX|}s6hppae%Xk1s*0qR>?Zd)v^WFA{1&EYb?~mL0!8dYRtm1G;+c&`a=4$M; zJVWDGt;va#;U)n4^7d#dn^*b|_|P)pYObD6#tht`Yf47Yu}ZWP!+=|`mj!;hlOj&# zt$t^{z;N-(9a~WHW_JoX5J#<#7{k$1M9&*hwU9T)NSziQOq4|H6*{%$U|o z7L?l>V%c#z{#hAmWabF^U4(Rg#l5RI8O%M~k_*z{l^yxp>n{ zfRpY1o?U6-1ok$e1Xf|L-y?MxWgy72x~vUu^tz`|XKgZIGhOs2Q2`qioY4^woxr=6 zkX4?yYYNx_GC=t=r;i)*Y$KgT8!0j5AwJiEWgyG|t%D1T2BN!yOkmhl%Es}X7&C&y zB>HUN)>h}emYoOVA zd7d=8OMm?BCR(0%F#P0^u%Ne0pJB6f&N}erL?4DvzDna+XybCXLz^TxcHM2cCgnDP zR0Lz0VhQalDF9`s(Z|6k=JoWfcaRq_+x-$G(74YdZ>;TQs;T*L<(H}kt4i}s6DSC5 z9w9F~S+Z~+&vLsmrBfPVJXzmA?J04u88e=|s0_wd`h(KRXmg)_4x)P74%U6s2}r^U zW#Z54NM$nz^_TWpwMEk0Nmh;ydZumctmu}e-qvp9gbALi)0}t zK4Whni^#V(%~O$6sNq9OR4kV|EelYmp71{?EA~=pR1+ShdNFrqZe4NS`sxtDy=WN3 zV1^&E4u%gnw`|QM>7LY7^HCRom5#KbACCwnhKIjcp+KGZxduMY9Y2fDvKYTTiUV~W z7vi}Molz||=iN#=Ir!O;MEeMFZ11;#0uca&@IFCib8{rchAu=kE|1|B198HnD1o zXOjF{Sp|u5WaNqt;e5zfhk$dRCy!JKJkmWss`(oFamH{k#~ah#bV)EU&pl$x;U)Kr z`RcI&26CMQ4$Yp%4sdgN^-w96EnK~mB7jPyVvb7d%teKs4m!OcPkB|qHl=dLy>t@e zht$=lcNWT4_#ndGd+DFlnGf6D)oL}&Ma|7#gfm0C;Cw z2k%NsVmhV(zcFIA1d~D=LJBF>`iLHEeSs! zu$JDdMv1mZG-gBYkWgU^7pA2U_Hn5DXM})e4*1=dGVjzpQEwHY=-JP|QwNW=8j9YG+sij$p3S#x}L{-?*+F>brHfSE_eV~}unW1R5Jz~lz@gqHUf`sbKx ze*(PB3az*Lq%tjw-(H0 z7c1qX+CbOiP6dB1-_FzJHE9cj|2K(IgbHsy1& zgx?)K13#h#1Cj-Aa z2rbYtM49Lk{)%8llf4x7zNu=gcms7fvZPhmAAUp=_@YYFvV@KWG11a~4@eYJlTj-d zazIOc@!PJK`Xfc9{g*nTSUq=%&iiR^M)2BEokLIXrpne>E7E%dwovq5)nuz?9s+7}E~# z4u9TpdMVM1!UT<{T$&g<0v$NyT=!m;MxMGWR0U>J zb|s^K+~S4qdr_&ZvJXQK0oLLZFkZ?grsOv@{HBpf-Z)y5E^JG$6j)+eSvHYvB!9Kk z_gF6Cpx4;Y7^c6vjNcoVZ5t$9Ppy!mJd3pCIg}ZY4X>w&Lb^a_5s4F@LZ4Q2&Dx&0 zA)fu@ez$kAEKCl-g;#A?>qcq-g#5ny9mJTX^l~-51Hi$fIVP$NvsHTSv9G&5?*+HP z>4Af1T8|#(3#xcMKjnJxBo3)CgTtJ`E8y`e{d^!N422U?98vaK9aRq3Os&vId?Xvjq>Kai`P|tQHnd0hXzv%hfu#Ix zbMp|0fz@|h6Db;PT#FU#&1pTcTvUPk7WI&LA3`s}k5IyAH6B*B?hDi=uZNa2j~ym( z=(J$tY?j)YTAHSTaX7Gw?Wu1O+jFg$R*uIG20-Ym5E&az3^Q`^&1I<9X=Qh*o+K}k zD@hLY%|}-3LT3pcSzVMb-fs=csso{$Bi|5-?2U(b8QW2+Z+0Z;6z#+=xR$7|EL#4c ztZNge)#}PyVfhWEW`EvRxy@QAS|d0dTg|hpgRe^Q{y{Mz=c}kJDzkvtdBAs2DE^=b zPgi4cMYMGChq-MDyn}9QQ|9qKkm5{Ug~H@TukN0MRM{JZUEzZ+^mNfsNb7tt-_j|3 zK)Al?sSAPw&%4#}<5bq-$`z>kuZYN5&=oM6O_hSinRRY>!BF=YPyL$KBJYuf4Jjqtm*fXeuvv*Y?f(J}x;J?r6 zAfZ-IY*1*H8TVl34p#aqIF`og`xX%q-qv4^e)xtg*6ep7l0Mh+Y2&ipSC` zA>l9*xxTXYN!47vc>peAx6v+`Nqlj}{TFSFJJB$k{noizUdPCf#w@sUvSI~)SoqQp zqpFp4h4l0!AjA!0FqdzYP;co?%9k=a2Yt|T>*6@o;HQr;0n(4!)TNvS5h@F8ToFgt zQpTTe%GvWQbj#3@!aLG6kH7?^YI9?(_(+5_LZ&aS#ljJ6EW`2P~Z* zeXHkr(;kO5jC7;np}4TE8|G+c+My&I&7b&#sOiU1^Y$#fr!!Kbrv}Fg&j56=00$QC zGE+*NR; z*-&veAiKmuiETGug_wWoL?sLVdKT-4w7f9X(}7}5@>c9W@!!T&r;XDuWX&?Y17l9?M{&Guex zTd;`8+5580tDEz4&|9c-rW19etTTd`i;Ph;Usa)V*3@8H$F_dx!=?3bZ$fYWvJvBs z73S+1+!!#;bKLLi?3^?$7O}~+iTtd}2(N3r1;XX|fmv1J5ATNwnyyyiHRSd1gb#t> zC80UfCP4BFL4Ro@`~ecDN4|n@$&*W}ghMIrXqW27N6@m?#){IkJsn%_>NhRkgXxKU zXQsgX2g+AVZI*$yLLEJ;0S3diUVW{e6Eu`_$2Y#P1Q3{L=LI9XixYi#F=kuby6=;A zJJ~jgh4qejd3uVT8u7sWtPS#V!xc`7@5__du(l{4G~R1l(SFT$q=!?rSahYg%;9tC&)~gHLXkd;qRugU#Lh`oy zz5=YX)7uT?3bug@)yD(uq`>)6&uwPFt|I!Z>2yoZ*1x<=Xxr)ycP7KLI2ox2YTlB? z9a7Kj-ZGh^iU#gaIbLD~#>s7|9dRd(kD@=!RtA1aWlZcF%@Eq!ywOUc-dmP)(AE7ZmIp+Jki zVR;ip3-@})pP;$>(XcDLQyzZu35no3ci;?4qynYfcwOif&_?NuiNrn&cLZ}3`efZA zIayqiA+57DoDZ$5*ZtOD?OtJf<+oQRU*)-$EbsRLby>_kIXp5G9qONZo$eYJE-4l3 zg*gR_TbSg;zYEVcwYw-9tR4U>Q|{3eHr2ak+| zVHcpXi#04q&3HZSeexy$${)I&WRIsrxVFy&aPro-qvy12I0$;!XPgkDu7yavH6L*399IHyM#Z7!h&Q++vhXrz^l;UQM zA9jCgzlnx7I9&Aemr!~eBmz(F&mnwZYxrLDfRL|NSFzJKAvIchbf54dIN(^{t!m8* z7EG71Cm9{m3ndKU7I)ldxeI?XLK2@zz|8~vA>cdrCc(ovHo?K<~lN!w!1)gddiV6K%_Xmt_eXNzy&U2?W$a^E4ooFvsn($eG(W%lfVIq!8AKkYhJgB4Z6TYY_!=Pnw14`4GlQf=X%* z7V;_oW5*h=$`1cEIjV4)81yZ{!(@=0?G zcLNZ@SRzi|&W5ZV1ZK^SIQ#sgqYT!_JM#v2MHlSKG~vC!TFH96r&XqzhAEQyDH#H3 zL1WCksEjG+*i0jL$yCUHCF|u>w%BXM$g7x{p)h(dWQ+uPGG-XQOOLFbiv)u#ZD?N2 zJIb`OGzsjI44)ks&6(Eeyg+Vz>4=^m6Lz<>M>G3=Wz4v~)g~5FavZuScPwBi%=D_D zqo}OA`V}{T$d7)=5I(n~Fk z)%qa9uet0DO&i%AsiG{7+R54wr0*6195vq*{Xr=)zBR(}gGXC)RBK@3TJ;}4wEzB= zubf358^4La3`KGp9Q;Ob@p3Zxc{&1J4vtF{N1N9?cL)=BuGJwMB~_=HG)Bzgx2#s8 zuKFj}hr7YDO6xXl>Q0LS$0;NeT!6_^mHDK|WQH?neruyVXo0c0RvAiNxQ`0re+5{9 zN0z(BD_S}34furWwdw&E+JybqqRcI0MuQxpGOeCK%F3s|--e`HMmSqF|!V@c% zR^>cz5NFl&xKT$XNhT3*1+flo#Z-QQz6W0{?2)5|-b@XPR+5RJYxocUVmX^r1PAx$ z2~I5yX)2nD03;mPw`0|>LOe;n1@8Y46zx|m-G40&#>BDKWzYD^n&Wf9N12YQoai25 z7ke&GL0OFCo00mqcf!zr@x?+^YcZ*;q7o#2`xM;SgqrXQOjq#>>9I%$d_#BL+2+di zi#`!~%FI_VSf<30g_*(&dA>ixeCn&&pOfw)>%PSQy58%{2F{l41`rsAw2db_j;fQ; z>2P;v&3S4%rK|dQK1H=?AX0yt-pkf9G+4t4S8MDjb~CB`@Fh1GXy!OH#2O#y@m;xGf&C361fQVp zObeb9dkbsvD@TwSAQo7x3{{#j^F3`x;F2@+ozo?+7HL-d<5AA-l|?EgMVG1A+X?Q(Sk(?gqv@N>NF+D5)urs*QxuY(47F>o z?jiA_UZi!M+H6F7!^y^Y`-H?YShc&;!8TxBhH3^hc9o^FeN3{i(6aae(5D7as)gRM zjO^S#ZmPWt_clwhEu!$~+PB-LNI#Q8KNei*r`%O8?mf8H9v0{@vB6s&`Gcakyk3aY zK;5T>bf%kGbx4~Y&_xNe?83l7LXFyxMz9;?F&1b#RZTu#KRPE^-bZol=-KTkX3+L{ zgfzI)3w@&qP~S(yTOHS=yjxTp^niTnm>d=08Gqqzn&;B#nl;y)4r`{0eDZuKwXbahoNagsIgIbwIc-)&$qpm7JH|DUGB3l3s{5X|mDZ{$lSNf*G4XCa0W)eK*z{ z`D@zXJy5LJN|MT>>N8uWn$ToxRXTPlC3n3}5g}IV?Tr*4JF8qshW!NHM_e-aWXOq5 zr>(wcf$Fz75=Io3Rr$NE%cJg;+-OynFEWx%*I~-7x=8Yvr$k&_%_uGEyeGk1E#0vX zSn*)1wdrve?0rm0V>`Q}ODv7o5fRzC7DNa<>>y1TwFUk)4LBkFDzsTA7U0jJfh;y; z#j9FCA$%|Q;y=AqliN$0YAVMNduo#sPu6ce#RK@*-{SHfHAplZxdJ>?xm5{AP=#r| z7^!;-VH^NaNPNj?&WspX%h+ep z`~p~ijZ;JNKe_yCgMo}ekly_GPT=>{Yet~Wf6z7@s*l|WLGx0A!B8U$k&KDdbngk# zanz-QP?3(Z3d0Qb2U)N_IZ}Bex#ytu@tS|LPJ0n|Zfwu(V0|K@d`ZcQjpVX9#e$)9 zeG?&OA38gbV!>X?Y4u-udH^ZQ)z|YJ^>)7*fb}s(6OUO5R_f%54cluLqhGL2?>tC< zMyU!%xvPjPd+Jyl?vqY;RvDRWIPK$lue&=SKy7^XBx3tjycum%YXns+5AaD)rxisd zT4IF*y<}Ia0(XLxBE@171RTdNOB((u!RP!BN)_O@01E@9e{8$SLPf66_}oN~hq=rC#1$D-w^g=CAsDphj6hP{RnNivDK zjKqQ%Y~LAHJ+YH-)(sU=b*Gm2e4YA_B~#0L$S7|C2cqSeT7o4mJ_#?VYxkmWm)gS) zr(Ax)6e5>LYSaSbyu}cJgPi2M+1--yNKPX zs+3yb$>IpWVjT;=*{wWmEG=#8P@m)VXBL=KG1RgJvW%G&w?;#H-`NKG2ebZ%VFWt9 zf^zrh_zP`WcThsFdq<*e@V{Tgv?t~JaXlmaZ?X;o+&Mx5n-Zr;3h99ms3|&*Zh3TCp!LYVrpb%_@=~5X-V72P(S^=Y});?Cx)_aLT_6? zC5?_Ep{_c41NZ4{)xb+la@XBz$-74flWNmgzDlZz+TA^E&&lhfZ9U~am&MYD?KunQ z{Q*89C&xgL>f3UdV>BeajxH22p$uH@%JTQbcf;l3Q3S6DSuIE@Oee24oOmPHCq>>* z2%(O_5K=*JNtcW##sV%ywcib5aAU?8WRCX9lZvkxHoOWD6^N(s9b2>$`yA;5ua zvC%aWUlVh|6TNuNTn7B(B=#6DGSiFuAjGlsHt~qouVasDt zfr%pe9v&qS$k$^BngenzdYknhG-cL!Ncx96zXrZI3GgAaVQ&n!d(I}cpm}<|)1+r` zB~*XA@;c?L0(Nx`mUET*BJEAG7p&(*_KTx5fA%Vp60rnn>Gv-V$6jbAf?_^oKHDfe z1u0xv9Nxfae9!`v9G36x7X{1|06#Gq-^9JZxP?m}V!-PM*=Y{o|^EWOoA zK||`PoLM5KKl%_{DcWaj5AU`J;{?bOfw;RpNR}xw&E263CfZl`x{e~sP}3jHISxLA zZP49`21R&z)kXuDb{N9SB|@DzA*&RueXCOG!k^>!ah%{+zhL>GXhz`3B(-|-he)-A z82Y}5h4z-+8ifoS0a_dW>p{|z?dzi8R*%aWb3M4 zgDu^+fv=738as})iEGU+15(X)kH;PBXT!hh4C2&PuLY@9dtV`q9!n75 zjr){kT2!jl-n-=g5@sK-{%1<>_}m`%FVB#>ogGgz=MRx0N z!{&c$_)q=FUjD1Xe|7p_ssD7kN!3307}=|T5|JTfF+Wv@l@Z?tU%!~CVtS=MI>MuF6PAw+%h%itbc$xb6E zECa?6wR`SI6^5S>ev=cJ_kLiganW6(*Ucp!1#!;{?j;kO=TL8b@<&P#S8 z#;%^3yOqw)XUt}=y%$LhRBHWYuQ5Ru4Cg1N8Q?i}ewoqO;_-o`nabiCsb}+mtw3yg ze&*ujHo0jk>z}0BQe`|Mr6S@3&yU%C-XGn52(dZc4zghDr*#}?S$o%*6*6LTI?qMP zOTD7u=pV6o%R{YzMKQ;i{la)HE;L`2njUp6Ujtr1G~ukojeMAl2nhO; zrm#XlJ@Ghs6$vPB+>q%)$V95Xtr|$Qp1VaL*w51*(+s z8lU_e=LxsW6G(&&mY7q?hI|Q$v#=uc{$+?#O3l=(-e!YqGqLuKn%87sd3TQJGteU7 zHi)=AiSojqrCo{&?OFSt6|%o!uE_<4EZJfoX%~tOcy*DQ`%4|qwNHqvYrlxX(@sE1 zerDv>&H7W#6*?ma04{;qnz6EymG4%B5w6W4BpmP4-rUuw8ydzAsi#K|K5VQLI`OXD}Ikr^`Hlhw9hApRkY@Gj+EX7d&^3> zca8BYGTkaXg2+beC+@w4o4(t|13f};=SEcazA05czj9!E z%_uYt?-gjxmY_!?PcHitlH+*aO~I_*E&D2)#QpFrfYgRB5*$6tUI@(74c~ zmo|SDRP1hl^Ytu!XX6-8bnfX9x0qf^iia2lchJZ#O>)*Wz%sYpHf^{&m5gOzBC$rG zs-G1TL?_FaUh@5lfyqTauvW%7+$Hx}MaE4=P`o2ANP zB}7hB5#_JL55KUqwuj5NvALNfV>yjwHIt)^S)!E3|&)6d0G-g`L=MUme1!^et;T}LGCWkPr90j@k= zULKCztpdnwV96pE(NPOdv%DJha=6TjP%F<)fnm7jbznfWCoKCLrwDjnnK`NIRE}PT zWPKbVnf~}D{O!%x9^rbrFNeM_Lkik5Sq`NEAJKwRpS&!ze+t6|$QpJ$$D5 z5f?YgsU9eylq8edYD4NlyxyH_Uq-`otPk&0(AmFW-}QV(Yd}F!hp+WtDvB=W;}7PC z=09;eIp2gv=xcv4?7GRX_=EEKuZGdz>)$um$h#AX|3pImxq0|c`0pq5=YK-TynnBo zKPX65jMe|dJ|fk%{<&8E`FQ-V;>Z6<`-75yi7e82_dgNH?f>5k8Ph?v%S%kHdm^rh zEs7JKpB=Efv+8pLUI}!#{@)$A{y)*^|B)yC|Ji83|Guvz|Nr1P`2T)8*Q;GO_xJUe zOOG-6_Z$+cg9+4+B%(gQg-#eHaKuF?0@3z`aiobu9^u|F+bu{bmf*`~~{X%%(D#qHtX=(M-#=9H|qXvCQw<*{w1`HQ}F${V*6#Q*C(*g$k&SAnQ< zL8ko~$A{qe5N4~l>nmoVlNeNur*5}C^Bl3`$!Ac?J`;~6=0E|8JsBcBEYd|u9(i*^ zXgCcVu$dw~8$FO~c8TY*Ie0I>3GK>W_Pr-qV!|v?3((Pi;TAT+dhv#?s8pJkJ4lfB zRC<6)BgfoPedb_(V9y{uRD*KV1PdzoG@ic3@e0(qFd2l`C z#xFuL1U-I}LWg$O%}%N49{w+~zB#;-Z)tbOwyjAfwr!g`wryu(+qP{x*|BXq6HJ^; zW_~y4obP_mxzGJ)b@!^;Yp;Hu?q0R3>V50?Thtb4v_1!pnY*#n-2PC2U)OHV1~(4f z*@V*~5&>$e5S(_%-ZT=1<%h~(dDYH07YLEUws1$DJS=vKt7^7Apxz2_L82J*hBxl` zTg1c}335^V_>3O;doj$)uk-OJ^+_=;_0*~E^q7hg?hNLu?7-j zepq$?0{|3VtsDE+siSB21=SntR%wTr!F|+q0LODDFQHr{&%;!nnVe?D@Y$J&$IH%uZzcH*>DBX*!%SX(;@R8KaDo*IN)AlUb42^#@K%@3ztm}N|0R} zA_|u0yF?{YGzKiqcd9d@`xE5hxho?G;oE|dTW4A}z$i=AbO}Yq*w5{EF5MMr83Hgl z3afk5@!5<5xr3=Ebj5dmOCXAq<<3-U)ChN7&wep?8!|%sz=)km`*HqijLt;5wU+*n zUol!@95fXuJzF@1F7B@~f;v348(LFm4-S9wJ(ifE&hFHVNZIDm5uqkA!PcgN)s?O) zzpUI}p<&3}js(Z7(RJ1iiV4a{jxk_cdWDPjK`f2Ri@nLy9#9IJxtU9?BqN}gDDpul zB%N>`W$178t_uwCL-$0=%y=2&)_b|dxILSlkF%KO8Q++czPu*KvkkotT0 z`2J>9E2Ki7ZIG}eQ5d@DC-S(AYpe)pB`<9E#CEQ{EeS!jg6xkR zG>nA=Y6Ha@ABz!=Ny{7}38jL@4;6|7uh}QRLnIdg`2M@K?>s*sI5vEo@2Qb87cyRa zhE~HEB!CxpXoql%@>xvrpVJD4p2~wKJx>Ymv^p4yVXLUib{K4p{?nsG(d2K0-M>)& zjQp=1HFJKzuLLc`Rgf}1GCwjtGCnpJASHxA68Y=+)S3HUP>T6Yy+cQ=gqIWw;D*Q; zZ>m5ae@n*n$du=n@t*gvH~YuLqrA3Y2a$S2Bp9r=!I$gYC5gp$YZj5qef~Lr=_p`AEVl3GQRw8eOrT$8A^;JV$&Vf5bL1Fg78F=j0k# z?DP{|6qeK5gX^$b>07$Ln4a8;PhAVoU$wr0kf<9Td;OsN>E^F^Wq6ZUx9sw2W1U#?+PPA z6p-Y9-yq7OS&j6)FuBkJb1{WpaMzXu__y0Cg=9N9`zJg)%khs9xyLibPMbK(T`Wf> z(JpTo(`T1N+tdt|s+z zpds{;Uf~7z8MHP5J3YOen;e5;IRU7KyvG8jBR(GyWxGk|nCQT#W5G=9npe@Z5F!k( zOBX6nZ~dNWaDFu>t&Zpr4}mny(|EkrfpUbm5B?6#R|f&NZH%Og7_uGLM;qpvR!Oo= z$ezUqA(QJNp;-gAJK>|~}M&wYV6B=CjthtyMI3>$J$!{ri`Nqs*ns1|r`+JsJ zUgvqHJ37{09YXq1gY^R^a)mI4n>0-kfP@uxM{w`RLg}-wWKE7`g4akuYos zjwv@w6v2jW#Zg_g&sMM8LjJfyL&U!*Q5+-xkmY-kvBa6^Hz`T5{WH1uXX!Y?OQ(=I zB0I8-*1(I9GW!T}2!bNW+dccVD8%|HARkT$4)ee)-`I3`Kt1iOcrYESS(dTyiJQ?L z#+n$7@A6QS7`mj=S4*3)q?^z)E_9hgA>EZr5zzRDSlQ^D104>yaHX3d2!~@5phv)qFlx4m#v!q?=SmT zoN9c687Mo=;3J3>&lygG(-rCI2&a#nH2Dl^Yo;HYf?R^twgt8us-r>v(kU^EEwZSsrgZzZ%#26GiqJ_HW^I zhmWFje5M9nofn2pTS;My3Ov^`1>xMPpn?gFLzzr{O=k=;$kKMDt!d$XYDX;_e29aK zCCe`ZtAO7n2;_|Col*^Uv3Srlw!YH9n33i0CsN!{gGQm`(V<|XD-Z_Us=y~k5+2>i z!4-_P2P@2GZN^^%woOH1xAoy^+Gnu7S9?rJWuWlS3JLYmtpM|k86PNfL>CMm*$%n( zMEkRf&I6!dG}4q_7B09$epw-UR(aaHjC(i0$k?y- z)UocO`Xqp_-;s!-DP`LLZ?d@yxk{L*SJt>J*-Y?1MkPJrC7$&i{{aN=nvWaF__3RI z8mrRT&k}k|;G&5?x`lT`NM~rAj~VObhl#;UY=vw(KxAg8yjtDBD*5AId-Wb+Cw0Z?RGQdkU zKKY$#@Co}&?LSSxh#Tr@K$YU15UQX`X^{VQJVlLU-ojUMcsN`3m$2{h!K*CQEx?)? z5OkW?3ENeHWfQCaW1OUy>CT(4%)qMw_b1;DA+rfLcyXlE322nDWN*j0k zA5!ICWyQC8EuP*YP*H{Ch&Ga8GUYdcxBJ@My>6# zKSjcqq19T41~63u>K88-T9NB!U-Byy??u&D69~`(*boB8?*UT~~Nz%X$<9@S__mgf04xa<(~-dtXLr zUU&^`^l#^VXgdCk-0h-UJtdwESSu`_a;KS&Av?uK=svE$6YHVJ<&g820PPz^c{;S9 z(BCPBScYM`Z08isG*eS>)lP@0M6_k>W*%KJd#ldqU8y23@J7Ew{14Y~uca2XD$r!}H@oLr z#8WfbNSRVSZT}=zCQh_2{R7Ay)6?J*W>jPrK)+*mjx$s7%Wsrr_{Ac87i69kJ0L7t zcMWGLyUW(`I%iaP$lf?^nrXd0FMQsuw3!Jix6ug+K}*)=Z2~$f@T&`7d{+$8#CMx3 zo98#r0V0Zgu*cu?uWk{#!JziKhfuM=N7;gC19c@wPr6j+5S6)Di8{qqsg>O@D>)V9DF(sBk z>5#NmpVD+Cx=cpasc3jQM6^CFvStT2GCnU^bQ*J`6V|+#kJ;sNS7d$6L>oFE6VP^S z(&>Y&Auf8$Hb*(WDA!P~K1E>KKOwJiL{ zhUAAUE|UkpiKQDZ9F6(z*`a$mi>pk=oI9$<{8{OFq78#PnU3CEQ3SI&4@6vmS`ndy ziz#ViFkr*v;bX>~dj=EI%M=q^BZZlJE;e3t>M}&dh;*H^rLbq)sp0z|jI+k`G`B_o zB73L=D}{<8?TR-CUAT`9Ao`4N-ykX^LkSC&;?$;N>N?&0HzHiP=U|H-t>!a1V>RcG z-JT$a$<@GS_o@vd(^A+W$AT?jE? zp)m|Xgahn=;+oH-TQGJgy5`hJZeDi$_qlbqt3D&`rU!h7rpH2%qaipSHqCS3j0Bhn zPr{g2K1u{y0!Z;qUQ4X@jCp;0{Rt%qCG>4_K8hri*k5xlI=n}Yx_{)P6sB}M4NCvF z*X5|B3T24x{=9)DpFswe-nalmsz!t*t_S`#lni8_E@}Z3tH}=h5 zV>e*e#KFf!@OB@#NUsLUR!neV;63lj{_}fEUF#mV(P6}S0d;|ZbdZ8<@!w>eyo>K%qOxlp-@^g~G*5i51!#IyJjPO_$oI&0t`s-r-;2 zx!u~2nFa9hk50ppC$Gc&tHm6N!=V458{$+4aLbI;Ky{O((!&iZzr?sy+Df&Mkgx0w z5BD{cocmMMt&@w4uLf8RD=9rM6gH_ly3U)mZO@sXv)LzhgdKCo5QbRi*HNs!#2At3|T-Lx`A}X9>?SXH~Pmi)RZ@e zJ>yj|b=n9|+U`zJ!8{s}Fb&puLnp4b0A0q1s6cj+2bv#1yFdDVpu2TcEZ9ORjk%m4Z!i~}uY^}$4l(@oqD#SLq@N(`KE1b`hwJ*ock=+rFXkOH@n>tYWWLR!iWNLG?0K4fg-CLpSc&G6XTb~+}gi7_#Jj!64=QQ)5;E~=mCqMqAd~KCGLlr(qTh&e36LaPAiDB znh$GGd?Dgtz96NB?9KIZz5hk4HRvaQejteKXFC*oeV@7ofu|heLT|(p~3sJ zo|wwe$bN;UC9{esErXU7DlHPNWJ3HWIMzd`TbBL;CHToX3;GO}3NBWWMXJ>j_V9kG z0unET6GQS^A^lUEtYFC{kC)t9G=r`d7WTXn>6Ap8W+)STeLNq2mQ5XNg=Dscvrz`i z88Ti%1|Fgt1vpuniooDKKSWt{%8*d44)kZK3dFXP-yfyRK{Xh>FtpkcvnF5CDIYV* zWj;D;=5OfP{kTkYLrUyz$|K)zzS?d()Y2NmP-z05AgyZ1^3&>-=KT4N0h*X zpd)RMM{5l{7lB}9kQ;-gH^kH_SQzP6kGuG9yXFu$AY1Pc8rBj4QD!wb;i?CJ z?SM%1$e0IPZ|ietsZY&5(sO1&gMR8{uE>if&mA)><|U(RY9CYN^(=<#pk_ma>`Cj$ zE5eRkWuv1;$`J0_3~K`2TdKgo?s*MUT?jt=9ry|z6)9{rp*xR$KB<{1Twm@y>W>a* zn~GQdGYd(Rs#a$r?6&yAF_(;ufZ=ge!UTNLg;0x#CtX(LVscIESqjq%Ai|SsUs5(I z7*J2pd6?XREhxdbs`YMuZiy=gwqSopTc(p64y}^RumWB%THD!^5lNCJC5K#}?W!8- zuu?tAmVzRfSaF(HUaPur$OZ@vqNQiG+E(qW-l?sPzagB4f+JPkm$N@fD*{_H#++<| zP?lnLgr8p%;?WO5FwSK)AyGhpuNH%kBl;MRPz2#a^Z#beXC8kIz2*0M^LpF-pD+f$ zU;WqHF>ywW-9O;NFRETSTAPtPK=~Znz@yr9sFv{c9u2n~8ep9tczqA_3awHzAXYx1 zi~lu?o4#&{O!1L&MuKqQb+I0W3uN{T1Am(x^PT~jrEp1+#y?0Ei6ItczehF zy^=XQS_-;2m?IRmhTPW#R14@22EQ0nF>r%=zUY8f&7&vExD`gj${D^_tgY zAt-XNxx~Vt&Zly0yEhfpwd%pv)?RoU7DzArjGAAl^2&B1t1t7&I8fEZix*d9H=0V< z_#*ET><8V*JzioV6njr&ws3y?0b9FWu*INVF|7TxU=;p~?R~)?7&ieG9@D|F14O-m zRy>x6;}e&V*fVH@#bSY=`8I7LT0_YFeT5n#<)SF{z#oyzGg(|&i7xG+Fs-4lJPAr@2YpxIEFK_d^WpLV+n-8P@ zn|?HV^m(lr&aiSoRmsv1r%7t(S<{gS7pf10pB84lq#=o|q^ZeozXZ4$(xcX$QUY;* z_8GEa?9ZQt2(Q+DPj92MU1qCBKi+lchhtTfp^)8V^wawLQ{XgQbJ5~vb*>@ueuOVD zo98(yS=EneHn(doM2Q$yrp~HxkFw!iFgc(Ego3vTyt7s*5_l0G@54m zC95SI1s9OBV&)aLCHBtDY(sKi1GLpW^I7VYmL`N>V+j7EE(gHHh;dt!aZ{RQp?e!z z%-wyaVxzyUagL75UB0WJQV*$}EOgXSP7Zn#C9VJF4A3022hCWy0wJAA@@ht1HzEAq0CahXml^r<>6w-R2}+rg#JIcgcH^Yc*%? z;{rn=cmc37Qt?L>U2}Jo@FsDxp!X*%FZa3s5cQlv4}?%hXr+fHLb z9gB~zpoI~@e)cQZXk74z5d9xdq2e#p07AkNF*cF#pe~czz=y{(LU|TISy52AY0+4H zyYBqVpblXvH~2kv&|r>RkdU6m)#2Kv+rmbVz;8Wm|F8Gs`@7|J*B>0AH@$#@1Y)5h zrT_NeKYe=r`YM&XM$G?7_=Zt{Gg3foDFk-p#d0rbDD*ucq97t6BJw|GN&q%n!?4${ zUv6*Qxn3kFhQuc9xk*Ob$~bj-V5=5P)uDn37beWJ1G@9eEl2yrwC7zMwPA=E#3L?JZ~314gW*EC_GK5lTt9ArA_|6$zrl zK>(B?gKXh@LAE9~wYw%q9d8(Fjz#M)Q5aSkrirZv7*P_VEpUZHjQc2`jI8D}^&x?B zd`^Ix(ShWd)s2HFc+n>`8!fIlpAkt7`71sc*P@O>a!v3JUk!+&Qw|J=5wkm`+F}Gm zjpX+np*Atr|OnitasS|}24mhI= z(={C&g2o}4IPHV&obPDI?0v4Ch^M`dP?Ppnx5nRgndOwr>PoxZDLKagQBQhsMz|X1 zgEaGOu#=Voo^X&FP2*`I9^xotK>^w5yS5TWx%TNa}>?CJ^x~R|Ph>QobL7hG`Ok(W>xC;Ta-WNWut?SO~k1QaOn4 zE1Jdkt}wcUPv3!qx=ZE0>0$~il)Y1KTzH}9!mCMNw-MPHlM3ACq0o(l`v)K!t-0qX z9CqSyEwZcp9Iivrk4<}3+k6OVfJ9kWj#BF1l!~eAMg|y9JZMKLQ~WLm`Hk0z6as2w z({cjR!=z=YJhq3KJ8giA>cD%IX&45~*J}?Dlmu{G{h){=ci1d^komFElesl9;_A+8 zyg*%UHFZ6>9y=0=5RARn5nNd$cg*a>+%cD6lcU_jLu%@KU4qKsM%jrNTz0b`;LS^u zGcn5_uAv!x8lHh4MpIkxx{6{E*6xc;@!ew$W`fGF6-j}_Kr(LBj4<~U3eo|&5ZG+4 z(^~oAH%wf#%shREmx%LX@jelYO_*Iu)Cca9RtWx`H5z0;plNc8cwHf@Hq(_jn^JFS z#y`e~w&vPh%Rf8UK))t5qjgY3o{b&9sXrM_ZHoQ~gLFaI`ynn;U6k!xf$I)&AY^SJ z3~ek>I0$g%$%sZC=n=D!Ko@pn!SGhXk|}foWac^hD7SIa>KFn!n&=cLmMB_AC#tDL zG;PrgX2-aVPO_JJ-kgImtQR3e!xjeR7_bqFz>%LZw2k{GHMhg!x5~Q{y>!I%;?Nvx zDLvLuPmZR>FnEEh&3i4ITb721)|`>80;Ut^I%NKVM8FR$A=9Hi10-D_2dKov?kezG z_W_)l^UfymQ(6i08Q#xP-FgI6#?)sK)WSmUAZJyZCA{$HeQ`6yGvyzl-I+Y|S&-V` z$YUHA7Kap2|do%`VQ@N@{)#PQHPu0AjoevWd*t=Ea zb8vqx79VuuMY2Gmb;M6%B&r(;>m#ytwam?oY8a@L)ZTt#1Q!@0%)KM!MW_dOP*mp{ zq^=yTQ;9nfI_%DT64FGqiL|o~K)Z7hK&n)9o6e%TQw9x!yT4oY3OFRE6I#Ju^5eM> z_bvqEPT1B43~i*=BBHRz#W6U#WT-6?(89!o8yaTkUF206Ri7iaRTd$!RwSWx80xlY z-i_2?z%A|Whw$l^hz|0E&7B=-Xc5bQvwlNlg>jEYCPoknOkat==iCBcmuHsFb9K zd+7Rv)5n0?X^JS+=k!&MMxrc!dM&x|_Q(LR?Yt4C%`_tM)j}8zy8a zra{u4E@f%eLAh9xFlsiRNj7%H)kbbapeaIxBP|Ze7u*}v!uTj_OIsOV0ls$PP(7n# zE=E42Rq#%T%4xPP=bXlIx%?J_Mvh{r?tRqyK$kXUyo5DIp(yY@^lTy|Iln!fNGk>& z4*CM(i8uzaR$ZX@Gms-fnztC(3e_3M0j2gK`MRyfcX;xUYXH$+O)U|OZ}rp_4jElX z22%(m|3-TZVA5t;guS64>H%$6r{CWdzi;@iF?ljmCr9NOLvWO{Xr4GQ>%uI8r~U8vfeBQJ~)>8=AF zW}wU>T}D7zNrJTvX?dMGB&w9FjJ3f=CBN@X18p7;el%thfnA+cB~a8KZ7Ocd%1(=v;iuIA z)Vna5h;zj&jq!6J)`5Kk??k=A5a8xBWIfcX8L6RLx;U$FbQZBG=HpmcA-E!u@_LBp z7_eRsNs>*qnz1IjOSp6`16s(QjC0)=MWNJV^520ZYPqa?Z0l|&WoyVd0QmOVn#wnI zW{))aZ(6{Rze?m{_Sm(YtjQ5X#pVr&A}FGb>>X<`VEjmznmEf04qT{ZC{&Lne6=7b zI`@r?bk1&9wSkd|Xh?d%u4GEBnCMxu%LhqGjv7Ba4mAojF@NyMx)bzi@0Dy-@=A*4 z&yX|J)WsPHqpb+kc?s4l8g!5){}rlvi2Yd%jp~AswgseIc4zn_Pw$23{d152G!!MY z1h4CinB24xLNkzsTJIreU21sl&6kmJXZ(~c&DcC1+|O-rd@iy$$4pClGMuS%MMh>re(-Q?wRBG! z?B^(KfttK+#t4sVu`G?TuE<|}sTq?yJI0_)W2j(i7X8zemNVZ*^xP;M`ab-{U7hw@ zS|487O1Q}x4()4Gpd*y9nz9LeAByraCMZW}Fbr%#mi+w^~h~TDM-~Zp9WSoFrg{5?C3w^ zEzh@dYQ0>XV7do>OZC;(9VsX5iCr!M)G79}UW?rXEPgsTfe&<5QJAtzIM&o6CexA1 zA=Eg5=I-@had1k&nAvTOI5-n^+t+S-&-iAv?tF6ws(IG6OlW?`)g>AuaVRO&h<&hABFUds$pC>mNqfbPZ7 zl19d*=f(69=|-5-pC*CJfzr=#_c2$3;&I|U@fJ=F?wpi#Rs#AD z3p_HH5n)du$n8eVR6?yTL4<}*K}D3tEf~1mg7Kj39XZTQvjem)7L;~X=KCykJ>4ER zd;eZg^&QFWoGfnPrBi1*b`OQpb?wf|vcse2f`JFC-s3HCYq>2n%q zaouV}Rdb9xMj}lb^4aX0_8XMM(kbABU&C#lY{?2zsTpHIKfGXbGLYR-(bO_AmD}-( zF|UT|%B}cbsKD0nndo!4VjdyIh_ki{Jn{DINYNtbxEKYei}}h}p5}Lq3|msoJ!Bg$ zkXvtf(~zl-Z}pw)a5BWLMA;k=D7^S8Mqq^|m=t_#3nEVkzu-k*sBhi@*quRNb*A+z zqu`Lb~igkHx{R5bc-1W1PX!8=1 zGAsf^sZ0<@Q3uz6(&@PV2auxmkuup0?}8Tw6OZDMWjH879^{X34w_O3`6?e3!gMKp zZ3x{Z;U5Qeb6@$ZwHtF8elc`osrnVpcMEW1X94Bq^_qg#;18>hp9g{K0lJBe)scD5 zlCH0P-=PiIyd;J;sS`<9Ll*BbehwpNuCQ9moRdrz9NwmOXiM>%1r5U4IIAR52BXM} zOJY*%)}$%u1&*v{Jy0mIu5ylvKKCLP7L{sSpn9w|*T)zXyq`z!l+5EIhsViUsLF5M zUJ6By_7ZiI36>CGs!L7a`BRXgq3Y}V@Jh@Hpq8x`nF<(56cul1PaK(iTzLzB>%&XY zJg+FH^vh6)t0j>N%gtoR@N)NEgtK%p_iB!9Ev$3ZiLex$Y2A@;EhmV@6*T7cHbNoO zwjWV;!dIuqS&42@dd3G|Q{;&k@e@Xhee^02rIZX+>q8#bG|v--5BA z4y6;e*LExjTVQbK+~ws@AG(mV1Gy&%Ub4+AQW7>R(R??}L@O{<)o#hn(g@6Ur~V!M zvz03VPj92&*&NRV3bB{mBajVlrbSA16dYNr@Gjm*{>SDR!PH~WO0|DEW1JAhe|GK( zak-!I0oY%-s`05K=L5fZ<0GqsLGu+kGRa{$G+O*SWCWkVM#M$4Mb!pEHj>En2H@-m zvtC0xx<(1Aa1jg0xRn3~-Xm7avu<(^<}lA}So&EDZVMlslL)BGC@h#^JkKN@uB z^iyFgHc#Ng(@~KAQF0XoS0;dWoTHSd$ zIchh-!A@i_l0=qm_quxLuU%C?tF&=(XkW9e#$IH5^pQj5ty)Qc-{m#>n<0>=F|JfQ zX;N)HTzr?Sq!b5vAhZtWu^>3sq9=j8Zf7=^%m02pp$pC0;^qZX_c#7bJi-$ZHN=Y0 z0$Q>}W8+_a<#CrZ>bs!8kW>pA-w(j^A)MJTIqSKnVf46TqjUT#IA z@1CZOn_jRdYN^>^Eh77xXhAG&1djOp#fqrtMEy1DZcuiYVXA~2sr!#^Vx#~F-qlCjArvAR<=MI%ae9Xjz!=x z_>Rw^{uNHP^$;|PwpyY)WwcU?A(Y?0uxNhnAJOlt4@hunHtpDkygea3D!}3iCmVt3 zh)flwoGmVRFYz3La`>aANvWOI34GbcBX(BB=HKY+`KG^+3u1!fpf#y;Lqc&X59tqd zxqph+kn@jNlqZz}`=)1bg3sjZ-gf6gb|o{LAol3=)WT?U*+wyF{UI_!#$&UW@k!W))F)Y|+gaz?e$;&itlROC zObu&zrtj~>U#5lR2F3N}F}u3_QE3MaU0=J!+<(KN1RZFpPwlM}BzmROhKO97RrbpW zLJnQ3?Q0M{h)k#1iQK;DHtQXOBxJJNFJh2K6%~sVIrg7D^0T}&=z5x>4=deqUx-VgJt2}FfSSMN zqbF>MLMvElpwf~~VV$3bl?+2a9U@0p^N5v7m};^I%2#R1mF<`sf}zm-c!!xkKmA|4 z)noce^<(rni8TAN(oUQ{f0+$4BVpg)!w>^76yvmK)#b%HVf^4$G8c}NVe-q!vFauh zk3+^`5(5ORHsx7R0f8qSjniTjMw9h-!AEe2v-Rue73N z`9U7pdloBt;z+l~(f0Vy`eX<==#Xsc@u#4RbUwHSl7!CwiwUF>-X(O%R ziLq1(sN5~M4OufikGEQxJ~M4B5m8&I0T!Ihl5HDCPx+u#>WQ4P30soQG^yk7ZkLd} zEp)nRCM#jvQ!LjCn649o4G>Kg>NO%mYhCe0GuIMOR*M0cJ2ie$;EPy}$?64y%H`4A z4vna`>QCD>ssu=K^UxFa2y~p9?yT!8%m_Rr+%2;Q{=&yo9WdZx*y$Gn9Rz>*7CL3j z_|QvoR4ch#2NdmZFkeE4Ga{gDJO1+gmpj|<>KIj4y=WUPr7=054i|reM7=w_mtjH! z-Wr~<$xPaxWmPuy&Nl-EewBXF!m-_)B$6}Pg41>-6DNmfuo6N2kY(7Wy%C^{OL--8 z_7A{xgcHG4r%^M@$wM->7X21ys?g}cgTs}(#0Ov}21(?7Fl{sEt$PgHxxWjVyZ~#Op6Q05CUC!$>ai4s3NRYE%-|g19(s; z>*PhQN+1kM>_#r08^nQ2gI|uJH3UKO8+3^q;EMPnr?R+g;G;l;kT_t$R@LBqDTb1I zO*fzz-(zMnMUiD6d8g`p7h!P%ZA-<jTdl@KY**gf414=z%9<@_hUY4axJ~5JB?209i=gZ{*Mt==FFwA0Y^N4!S=d&zc_! zhodK?sBnDO&0y5)aygy;?*r)nx%z))r_<^G{}2AH(!Yh{a$2ANpF|G#xA$Mi;|a*7 z4+$_Mk)QFV|DC9Ck1l>9ADwZ!)l$D}k>jJ#=EPj}U~v$dtMw6D=TqBI?978l?Y-Ka z6}bM*xbK5%A(mqoVFz-ojT%-{O`Lz~k|7CG^KYaOBOEo^J;CW3e_;@+oKXb=<0-8O_QrP+_eHiM=KST~*0O zP2=B>$^D*xgc(eT7tVd$sgHwnNciau0isD0e-~hvSU+J*@x6LO}09 z-GTZBfX@oaD(Plcc$Xs{gsUI?AHtCech+9iiR5i8mP9dd_`jER<}s zXvwEPQtRz5tF2Lj%=<|}E17|+>`|f&WV=6uy!L)O2dc4&U!PtyjyTiLfrS`wJW= zZe2p6U|(iw1WXIs`^Y5DB%1yUsyI$fbe`gHoVZ_~+iku^ePyJ6AjLeIMM}D~o5Tl9 zDXdwe)msM;dmAYI41!(2Ms9x&lfcG2652UE@n`*>#f>!KCMiRYeLvTg<2B0Ka*j9! zVWJrvr{N6tRgeH+i&s#Dc^X2C7tgz z_WQRGz)%GbY0+B!EsUnz575vf(%jBpy8u`8Rw)YAj zDs!E6pVKR zlqcuF7$ZGv_~dZhW4E@32TzMInju zWD^VMBw+MD6q5(O>6_2(Ol^ivj-+O~UV^2O@(HQ@PK;#6ee(|~IUyBYRt%8WDYmCp zlZhzWqU|0mRenhg)1bs-%`G#mg|8WYr<0Rxijs*i4w!gD_OiLNkeHbgd9F#DDP`6K zrG!?;D~G~~ho`!sA7z@)rFQn4h;YB+>VdV-HLt#00!idzZU0b5b8~B|MEEjQP;me>`NIBbn5tl~~ z0KrNX5Abr!iCgHz!#qX+<+xSF%uWG*)foi5?8Idq$Z}2ku1FU9+MW|!qvgx$bPx+2 z8R_Q$8P{Om87MH1fl-MjC*8nTM>Yp3oS#V}D8Q?PC3?b)qNiBW8VaDd_Z3VlgGKMH z#4t;r8R6$WpBKJ0^?0HSM|1{LHg%0(tII80WiG>1Sg}fUa41J=aHKMVtE>Duc{rIOw!QZ{1Ey|2&KB=x;8hG_wb;Jv-xMI?>~P`+`E9y1d2GU;9J!G*-fj zI@(Rktx`pMR~jby=1lOdG>&7|mWWT*<2lKlUhXMX?nt!J+WMu^xDW#uR(WjCWs5o_U(b5l6j(4hFCVE65|=F<-i_xy3&JH(Gj=5rw4gAr*7GbwL|{^SZQ^+ zKyvP?3EyxT9sDEP_JsO~6iP0k;Y(Rt9NYQ zvJNlvqPfSl&ywKDedbbS7PAU+TTD6Uk&Uc z%ljGV&&U_@mgbS+bqFvf+|sA3E?-2+j^t3`==`^B-p-K2lfYPSjpKa*3b?S)>fFk1&+P3e?X?sX7dAJg+nd=vBe}ZG3+V1q zRp)D@Y&QL)tf~$L3EegY$5Hxgk>b)_P({$b;~8u0P{Ymu^^p1~Y85_)I6qETNdE z`$JT6J{dV#) z!NYKxPH{WFBzFcqRTE{K4#Uo*T5RuBxsz*IK=LbywZDfRH2@2sQ*dJX&0N z=$>)_n=m1Cv%Esj!*<&;3)Uk>F?9|fXIc-4$uV)P* zm59$lylu6&jk4a?qa1OC-2+1yAh%Lmg z*xBj`3=KXQv77AV0`Bj&$xXwPCOC&U{L<0aGS^SK6Mo180VEuH?l;*PMBzsv&j!4x z7^ycxL$K90^&H~*>bOb%xP$kB7}`uDGP}40XWu1NWTN7<@3VKRpgw?KenC-=!w--H z=+Pqhw&FO|NIgDC0{H&Ketl5+3sB(VcqQdj`g>y^xoV5SU>$|yVc+Ae~G3{$ctBz<@XY0s?Oi)FziMu<$39dT8r9K(rk3dlrlo5Ah{6~A%U#p@0x;Z%0@*pQnb9IrVV2I zj1hL9!OiUPY2?2unP;b}EzbqHRUoR#7IHuN1)DS{DsGa7B42?RQSb-@iW(h~mW01_ z5z%zAWl_~V{={J{5N!=Gu@PJdS2yf~)}c&agD$S*Vl#{)#WCEv2Goj6ZAAn7}eyLEoH zmO7d@s2|*NBR0Bf4SoIHZdO=3kXIxxI0dx?R^vH<@)yUT=e#Zhn}F_V_kLOaIsZB5 zho_LN;0_F|R@YXVvPFW}ldi)m%`|%a0+5r_m-xwv$01wN;#kvF#2e>?TddtO%LLz8 z`UsdFga1f(n@Z-2Y+Y{YnqttMtHCIp8)gy93H?*KmecMQQ&dtASvM}Y@UakvdXo)c zw+I8U4TjA4(@b!O$hyN9}-U|OE z{J(0hf7|@s(;2w+@;}x;uLC~}{^jZ)gMSMje*eSZZ{Z)mU;nG;AL0Lc{x7f(Z~x`s zpPqjLyZ#XVYtWC2`FF@4HdB9x)AixtAGLp7^T#+p|F-$J+W!gvMDSk@{w;j;{Nv!? z7w7t)4nBnc`Ukh(Lammpn@vI_4%|sBDISa%@N@^RWtCO_jG%MEt#u*1;f6ISe32F? zS|ylg`|Q;imwr?cU4h5(hI-xG0URmk*K9Lf84opgqSR*y=(EM9ws;sS!j(A^I{7*X zcSr9=|5jSB*9;^Q87{r~pywSVMVpBB&`Dc`Y1lO8v&7RoK>Yk|T4wdAcV;YCryCx( zti)w?4i&@o+^ogV?vi2Yf(_v~Qi+wFq=`7yCDs^g_2@evThs7 zWPZ1&zdTdD9Ud{&&)XB&#{M0vYJ&x?(_zH%DYF|dQnrp8rAD)1LY?0kSf`3SH^veiMyd#$s6TJ0eI9D1EWtvaul)iZBQ9n~8N% zkfl%o`mImq4iuE?1&mC^kn#RBSD%CoWK;LnX|;Xg4ue@WHztJNCkB`P@OaSw>T<%M zzFFSrMVIix%DxFWHuA2zY2TIK>8PsED<*}+fH_7nKew3pgpo<`s}YrVS2sJMC*t2#DHSL z@a$+ie2qB|QFAnf0D7I(JrwtL%sfHQ!baGe&#V1z^*PhMv1J{LDJC`{jYvp2uiR5;R1@21S zid9r1#*%{fMIdU?YLcJj2M_8H8&sbQ1KQ>uLtDp|LDBzUiJrAy_uW)DnH` zH)qg1t_vO~y76W0!GpiHZg&&ZC85D-dfCMnQVe(sn3&T(Ni@)%F3RM8tu(6@Cu?|Hv8A1}gW z*9+JsCN-8haL$=${nIZGwR;BF2uuo zs_YXmV=vGoS0<^U-KEP75r?3P5E&xMr1PM33LPvAfI`*!_F1K%*ih#H8v(B-iL=BRbyMXS^NFDbcWpK5?aSjTC;)1HIP3+~cFWkrR<}AE6YQgO`|xO^*FKgUwp$ zm^$+hxWf-1Ca>P=Nz_?UI{D)}mqWvY6B5 zKgs&7ovaaBatfzLLTY=HB*0ozF?!bP#J=Ce2a{k1ApUq%Slb(Yq}MSoN z#~Ep8j4#`R0Dzg;(Z^l+7oc+RWA=Wf`_qor>iub+6m2GaZbDe?-xyba&+I|7!hU}N zVucALNb1`#R@%&D9M&{s-35BQEqd1vOXE-pfwuN$u4g<4oh6AUMZMAT{D^|f7-s6G z=%jY;8(~uoktlh(#T|6=cIcy@&yR2LMQml$PU~-h?8fn*ANm`=S#GtCM$N3!XYTH8 zDOq2v0{+-ZXIPeWf3^YfB2|W1(a%XsS;LbUSX?rdp zBV{t%MPe(O)G4v3qFGv>!lV@FcSH=@yp^_F32@u6u{iiQyMG^+)*>FPT_aAP<7#0A zOI4x=(a-ePs^M3$A0U&+lB-5={~`gVB?-=bYY)zi{{nD%YVYI6nkJXgK^}a_5=hJZHPI!)X{#A#fQ0K9awru&wfn1 z4J!8Qjv~MI6X-ttH9`R>fPB>3^E>TmW4yJOTNG|83vYDC$WcM}%@e3ntVP*i^@Jx@ zXR}nci`aUD*m4Loa)Z!%Xlp_Jv{O`&UDHr%h6ey&zzd-+_DhcO1!I-m*O1e@9B15# zD>do*6J~iBIMypbXweNAVmmWY-a}U1ciCJ?B_EW&a4~+nW5jh^Fz_P9Vcu^Zie=`1 zktCRBNUi0+JiuORL}}77Ii>8wmZR2>s7n&1{Z;5_~=P%s{syy~T) zuOc-o0240rQ=SLH7VI#0p%g>wfAjsMKw6Ln(d2n7USQ4zOS z&X>+ac$Iu-5YMASWDllcK`x9ME(1U&u^W1!!}j$YEG_M6$qCKpp!O6(j7?E587?pdB2$o*Pq~hT0e9!=gemgU5bvCWJ>+ zCnNt9W{OwNo3&()I-BRpqNVk_6cHDlT^~B$kgQ&}Q1J8?k2&%f0rWGe6B9B)WK$0- zDJ3THB;K=qrU%q(LB$IyBO!xLNTbYbutM{aF0B&Of}hC|YZJ3zp*L-4*r?DP;*K*y z>VT-{q5fT)8Ms%8KN2mfAo9+A4ucYtK%QXj-4o*dn#U4%d1|&82;1(|J1ii+Umo zvv^PheJ9CdE&mx}nr_`BKOua1a2;Jeo<}XK1*x(?c&6SG=tBR5M{aM$t+SUMmR!Bw zeU-C$mN`&Xjjp!u5C8&scBFRV%NRVdbPA2#TRpW`19y#fVxnc!?o^QAIYYo|jLMK< zJ5qA+HEv;FrTa3-NOY2zSOWj>z&q}1EM^yuiJ+Z^((@8cow7l#i(A9a=dv^KwyMm) zQ#~k;*MaWwNI5P|RdRyY-pDalzIpRL7)=B!s5$^TiN5nTAVJB((6Ml<_?g>3$Xl=AYy+2abMVWZAm)wn~qE@Mc-|^5%@fZW}DtiZp;7Kq|2;q}T%<*Ju>O1<&eR5!q z>6@A=OTYKQK)>U$4lJu|wNG8qPfW3v@V?CLh1~+$X`g>q;##nJGZO}AOJ28y-eEkQ z3cR4Y=7iLkj?K7xhnF|P^^t^^NTdDI7cIfcY!LQoK_37Nz*cmy_N&t{d9>Sg@7OT2 zb7RPq5`I|#cvW4~h66P@FM0yv<#5|aAZe1Zp7|~gFeCZ5xQ$&}P=Y3*xP`=}$){v0 z6OImh5#-ZnP>4CC)qa{IwWV}PNLqAjzt8YCMr@tebhH@;PQt^3&ov$T8>(BU>B*MW zN`hHK-p+MyUr~iW770gWTz{8N!lL-%h3cZb3p!M})h?C~ODM)+ZtiA-GE)<(d9reJ zfIf!v428*hDJrYbydFQ?$!4QvoKIUs4#~?im#DwzQ+E(3uo#$}lCKiMDW!n-SA0;~ zWUA6_PbCZ=knTXIGZ$4nX!qVUnDHeCRpu<9MwL7nz=j>% zBGg$mYpDMjWbT`5uKs=5H=!sn^_yrp?m$yML$%EVpHd`v77Q_+SGwdfrf)vZXqsu= zzvMp{0J$IPJnFDDM1y^ng?2-gOWDNNVC?Sp^-Er+E&#aS38ZW*KZYgVDw8vg$?W3I7Y)Ah5D34KWHp) zh!sg%s3T@whz_{oE<~%vVYbJUorlyzh-5PvooF2np>U4SOVKpzSsv( z#XLI$3V}VSA*X9pxuH*Him62PkVBM9?wA+o{vel;w-o% z*3O}d-Xl9~q(gbw?3^pftm-aaz0BDcq?ksOZWVAQ^S!u;2Yts)k-r!7O1$?2^=YjT zUZ$o|&lvv?y1Q*^RcVJ(aLG*W1BAzziY4NnEXCdvw{H^fh~loBEo)cgbyAL+^E-Lm ze&!0u;$~fDvE&#Y^Ms94<8o6dFm5db??`o3Bqc4r=r8X;Q$EM&}jArC2?VD^+=S!*{7TnI*)dRm9}5&t6uHZu0J3Aq5n}J zPSWdF%f+v6$>R2e;UoBPW7GD7%x()wD&}qDOXWlE!5zMBhg$p9m|Y4vZ4KZka@ zPtR9>0T$V7;}yqNJQ(=m!F5HeY`EIdJqU@Wp^%wvjioZ z$B<#V>HAl)I@^ifB0b2=V@}oii~)Nwy88>mAzQC-d+D$}W>37cuilne3G%}F@W#{O zA&MrK&Gmr^a(!Bsh%KK;);Lf^rMo5n0j@kpS|0xD?vvaQURdM%qc7*pL|6{+c`%*Qid(aexxTUgG zy}UaI>>jyEqn;2t)MVZaZwFU{Xt9Q#tY**JGeq8!F(aeERsN7sU zJGmQMXx>)M?fK~ZK7^i~^cT&8wH#kV>6x8+#;99~) z!NagyOEg8cfRQAz8KTs*nb-TPw8OXi(0r>x*ii$|HVAwjP%ISaio_&}+3jMh3iOeDTPv!M#KqXfOqxCk|N2{96sKH#HXJqbCBR{2Ir^k~3-L!84kt;E0_nMi-*gD@aK9COUC z7^_Y&Ps{Cq5ZOTAsC9utdER$lCZYvZR~!&HJd}=v>5OqSS_DOhs9)U(1iCu3KgToG zw)vDzRzn-2kQ_AceJ>d>%Aa{#%N5d(InA8s1K(MedGj-ikG9TWOtn-MrWK zTEx>R3DoTPyEMccBVf}fW(Q8;7(3b!xqBRX@IPu#qc6iOoPJjq;7tmNqPy`g%y-a~ zLU~w#I<8liPKSZ?*xXYUler=>eSiyxj9X~)7IZoFukr|cI=j+n?}ks0@!mv%F>(8W zUNSF!)gOjKh|uktLrGkkZIS>;jVGBnI6N1r!Yn^Uw4h{|49eN_BHXUeJW~jSM@ek zSU{tL!g2zgO-rZaMQ8_5N-3&T|8$9%W2cZ7fX#%|)TC}=uM&5pk(0A`JEKcvGYLRq zx?zcA*BY0yR=vHXzJBp!c@X_@Om8X?5PTRGagxnbrXQxJw&b2yXd-@b{Fkx2|dTtq%rNGR- zq7f@qGuE=dm~zx6ZH8zQJS^Brp;;e;?W-sZbwpibAWYD4FAW+S$>-AH@I4mwNHgG| z%aD&DJ4UfIJlMm7Vx+@62X4@#KZm{U$*XPpE#l+NO!H@Z7S(~+*yOUZ0dOaARP&CM2>qH7#kq1Fz|Wp>cjbzd+Ay6{0WgQH!DhetlzfIp zgPRw~IGu77O*J6vdEdD_$jlJVa9W78FLp}l{C@c^_6XV-V)*JJ=nD!enL*BU#SPU= z;}=1cY9C>2LVd)YN@u-(=SlX z2>QPK_Ir~9{=E@LePdZjr6s{7LH^ymw~J%flprMLD8}tEQMQb-K83m7CRj}J{94iw zV%LLV%d(g$GzR3z{|yF`Joh!`y!Tq2oT(!<*tB-zdUTfj%uVx@ ztC2Qw=P7sba8}1>K`p=&Mi|4mH()>At&ye0HD60`WGb3%(reh>g=J2`573d}FMq|)W9D`GfZ;O0IT~)T(lA96^aU1 z^UoA@Hw216_cR-|9ZZV<*x{$OOI;r^nZe+)$k-;w?o;WhmD(K#)C;<}rlxyiFGWY| z9f_5F`X?Gd{>qOdzTM+2g~9Fk!Cl+0&@Wauggi-bRS<%-(zz0$f59J)2@5t%LB$5?hG89n9Y?02$M8f=2-uzLN{-M*bH40Rm~b-e5my1 zx_;R#{YD4AxA|}+NJ6i4Bi!FlHNxx1w$#GO$TY; zAOlaPUQgiCID=Qg8ZKDM0}ueO)15dUuy=uuX=fH6h`V#6OxEI>9$)^$EDiRz{cz^8 z?BbtKq@oKeud4srmyNkVgN2YlA+?z}7}Q$RYS!OV2u1dCd!YTyTKT(DE;N(3?*!f3 zE`a^4Nhc(hh~LTaA#5(M*7aL<{G&ocW`%Lhkz2%jgn3b;B`197hQ|*o=>XMeI{}Iq zX6L}saSw=b;0J7JF2gli6&>~H6$(ZJlh4frKI8!Eg_?WP7ab|5I%cc zKh&Ye@B-&QU)6MefE}5wG+#nM{1hxG8kmVUE#qZ}W_MT*GDvC4;r7*ghyPmhL{q6> zGTWHtNE3ZMUljq15v8)ketev_LR)tdB2Ft=BhIpgZn=pQ(3vetA^C+xnf@GfNAptc z8NVdp$!_CF;9oYRJdP#_OAD4u$x*N~j#q8IPPMng!f)qKC&akA@E$$sG#=W9b zp&{8rG*6#D4%9RY45y)HfSXaNDA)JX#QQ_^6F~KwTu@PTG8vv)_(wT_NNLUf#o@HD z;P0Sc9~t@494~U=-$z2^IP!ynKZ*ZBe~BKD8@RDRN0R?lQFIgx{vdy6={{R!RyT0) zhKp%jvPe@~HL=X&(_>ICTGWqCrLqK;n9!K5bAoSKlDH9TAAV&(Vt(~dIns-W<(LX$ zO5V=bRbxZyhF(si0&hiXeg39dT)S4wT=gqAaejC)*n5jld%Fe0>ikg1Iw|u9Ch9S% z2Kv}KN)pGD%2Y?RDz8cNi2?5RKoIUZ&x3z!aW;d3%vZr7kiy!upy<7(!~Nm9n{ePl~HPxkTfa5>%00-&FWL1kR9v*^-7$ zT1&Y>hu(AoI1JDT*XO2Qc4n?={>*#7{4r_uIKd@s6t8b?#0m$>l~afqEeZ%*U7Ug+ zsUnWHdfHH|v&A@$cezNbzv7;UQgjnuis@Ce>wv~6iehC(E)5a*a?l!|DMq2#jA}7}OEqjFw+X1wUaTc1_~!;JEWt z>ad<=y9ZstPJ3?R8Zu*h^6(U-$wpQl;n$L*L>Ad~@J&nwJpxjA1x`_I;vzxvfg`O)=Swbhr0hC~#YNGd zS1jfCpkV93t0Z9JS+;3$ghNVf!VABS7wXMFWH59e8~H)QNB19vC8Wf^*M^hR=A!>D zQSFBdCjosCHzisjk(KJLhCpzrH=V^dsT=B6@f)MK*18(1nO=#jZ_doetbm$p;j-vZK{or4PLoP_ z{3V>mfL)!nZ_=>j^R?Owa?1Kl{)IiER})-N7s)i~&F+QS50C*$^MdbEp0?G>b9UzI zsPfxgibj;3Q&so746B-(gWxcOWo=8Qfx6J_&O}xIpQdGdB_gkr&lAQ+QOtZ*?-mau z=M6|~pDZjRdMjLeyDPNi;d5E?+OHJde`Qt)<;xxUqIlv|<`a@aIs$YE1}HIm1}SZe zAM|^5+lN1(WoL$HeEo6>t>YrWWmEy~LtM@(kk<8q5DUa3$IDQpT{Z%U6H`oyTv8|H z=RqeOZO0SDIT^903tCS_a+jePaR&){T!V?S19c6&nBRF{IhcwB;aJA)uxeFbl?_W% zBy8EOURQrqvTX4lzlRybFUFsiM7}Cw1&>3_xT~%kM{$hqWCRG|ku`Ku@x(PbeQ1Cu;NtK z-Z+7YXTd^$5?gqQ`Z-fu&`cJBM!4&$pinb2n_VR~tf^}9@IJPO={Z?@;g3A)BNrVx ze^>oInKrI6#lZZ#?Gl+@?JP1}=&IQQ73Nex*f;fIY19hjsdA@M3=>R$=F!;G*sU5+ z-pdye_rs5mva*jG{#V*yI*DFd6}uk~0UCXCzwe&qB6RwCjd5d%wYc$0)omKnWP>-d zTMDBkYg;~W5zc5O1Y-aoTv5-{AehC9%baw$5=}o4mS{MAX3cqB=i*3^@WML5e6*>p z%F?iix2Hajln=0>^6VA(Q$L@?PhVW}rbeE;BcUI3Y)QZqteU1FNG<};O)bviQ^_uy zj4XoCrQ2sMZ4^<$aO|LG%zJ!x_9?>Y3x#Wd{I8nUll0dl`-dLy4wrmoOi5!#h-W`gAcZZ?EA&JpGY)nKGofv~V*SaVq zqr>Z#`D<-=+P6(QtBHlh3fai{SLwkOZ40la{#&I;4AH6THddHEe783MUzJki%wUVx zEjz|M*0kAXZjo@9?mWvp&JtVxfa-!vW*P&m@+*v7l}ZKEkqYkg7nTi3xs}F(2?kvd znj{=NH=gODx-#~`>k>hgPNE1wkaBTQR&0RO&u-oqfIE}^3|?w5xq&nz>RBGE9h-V+ zAwA-wJOCC-;{Mm|d)iA#+CTgFj{9;M7eWpg+@dw2&GEl7^>CK#))+PdUI}Z`7l?mc zqhe!D`xY1bRvZj(NamA>QD`JS15D|cX6ooOx7^?h5`U?K*@uG}xwe&M5}+yz zs?LZZ4CT7b@WE;&#j^1Z6@YDML8&$NBlZphg6r3VtLJyd+p6 zx{45pQw%rj54uX%)MPNMcFU@Kul_-9cPUP3EwDHWEe$qjt-+=U#ChO6S~N}yx_jqh zqr=h(O`@>WR=Vzd*I{rZl(^tRHd$D8$*auq%UUP{AdT~*)^-=WA?Xcdo?u+7x+~A$ zLOiw)9CCLyGs(*}DQtsIo~#E`++_(|-1Y%D*$UP4;@zalHr$C8JNQD8xjfDVDTh(U zs5_ALip8S7vslq|r5FVXoJh1LX=45+R8lGh-poCm^+FFw*8WnIYmNb07p(mLaeNzy zJ(k&xS~CicsDe~7RI&4Jh&U<*$5h&4pI1XtZQV+J^@Lcmy_IhbvF}+?#Uz#rCLXI0 z-I*7Rw~HM>NEtc>G}F4NwmMDqRC<{GH5B!)(@9e784{%eLUu!GxLQ8P&HX) zV{?!TO)FRUq{`EdIK_d=b|x3xH{Pc5FVFRK9~Hh!*j!FKN6%C?nhhOeX28)nv}ETh5cTPRD}`V=eY`E*&?q@y*h4y<^P*QePUI>}Qajt7R>r6^dna#3jd{-k2D7Fm^wT7qG-A4f z3iyTGf9jEMf_^||F|2f2e8C?8n#W3}D>a!GIeag?V+C9iN(h$-?e%`rtSA6&*^mg$nAqmjA#;fu90cJ@h$Ku(zF03W0+Z)xwY0L$m(-d zk7(+SCee~Cgh*r)s{gc7=Fn>u2U|A~a0pd{{7+1P<$&>4?Lqll`Cik5krghUI$7yY z{)yWM6zx%n%qvEJ;sXj_z}HeFfC|f=AmhU-6w>?5^5AJ%6id+coY${Rgfr&Ego;)l zBK}a~aeZZ08P;tF?LJ#3YR$1zA#r|QZ#MM&y?hU*Yekio(2O;`B2sE0PU~+;cNGF} zdE2ZA6Thu6D+lw44Knyds;cZ3Qa16B?m_F2Lx|tSF&K37hijfNgo>KsQaXJuxErJ? zuQP{t*+uOVHzIZ5@=!zi3;qI_8SG9hrwLiYVGoO&-5{CXB@>)XD{C9$nv$b!2GVJd z{tC(#9OaO%pfYn6zp`D#Y4?75cqt=_0V^TzVSYRpuJGOjV;%%1G@s3od?S?oM}D=% zPB=zp;b@RC(t$Wm1yIBv6Nom$t8&^80JQqd+(cx;z_-e6F;;!zpF6cvtvka*& z(EcW>g$$Gfj!%CO)C&9EexI8O;(rnT<^Edw0nmLbff5Bt&*MY}3$3wWA*4gz;p6FM z#seX)@{6Elh3?9=39|`Xizh~CfmaZZOdS-v1u3@*31ElA@+}x**>*?>hw&MXxq&B5 z>6D>|DpyT)sA#KIo{O(%`*st|U*A@6E@-^B7EusoZ@CnqxK|hPkr29styqDkFjkoI zszPyI^gweulGta`;=_e-p)NlP4K=9_&PEksWZu$JWhz&+j6~q6mFW%hI@5>>PE?~U zRY7~Z`8;%MA15S8vmI9a@n*xSJ&XKu%rrn!jHkme!4y<=g}yjH`h0;4y{(8; z3uES>#j9k@QlX4t04kUEaX_F(#KKuDDpMqZD?67RZu^NOl^(0Ics($-F~V@!@YyOl+9^1Blc(pv(F3_) z3!*6i$*Zs(cCF3KD8hB8Hm)pQNGbGIa*NA;@;IRfRfvYREGYir!4X0r0l5iDc%nm? zt+Z^FF~0iY!p4BtoRlToO(F-QGLbNGmB12bVzFzxk%Z9C5HLf<{C_ z(70eCetgE*P{_`lg~!Z$9)!9mygBq8V{42+%c$?gsmJ<@;EQTTcsKTOFdj*HJ|x~U zmGyk3%*y*>k^HD3um5Z_PPf;qlkb$$ zzV7NALulDsCGy=oR!;pKrvE<7F~S-jZL*YaCfZX0iE2*iTxp~V6O6jQc(YB)HB78< zI>S+=bRn9{*H(|NR55^P-+jS`gmdkL=wH~RTy&*$0EIG2xv0+T8ekr|E>eQNtF9XZ z#7@vuAVk42nWd4D=C@{(m`mrE7}#;F^dqT^DC)s#ZL4FyZzxDkFQ+_U#dt6EFK&kE zL#4qXYEYfJUWK1zU2dgkX&!56orwtEaDlth>3-n6Q+l-TVd5Km9V{II*}DoQS$s#v z(aFKDabe=ygVHzSiwjiRzGN^cjGUunp~-<4h6BU4#8i@BaU(?&^BV#?OZSy4;DAIMi`j6}>_;^|$NM$N>u`7cyFEMO#Zem%&hHtc58@_=k?pJiIm zYwV8Q#oTomPQux?L&*e#D3jVeohXd@HJS>+3By}7>-=3D-Y)LtfVvQSi?IbOon*<@ z&Ir~Ib*y-~5(@&YP&+7`I@Z)iMC3x(Z@xtl)!Vq0p>52M(=NQXQKdX?24+s*u*&fYMjUxk>@JgBIpcaFrFd>w z8(Pig;VwiP>jWni)Gp!sdV>=u`)+@3DtV3uyP?8W2kmu7!h`oj zEb6vsi=-C$k&$sQO0hoG$l5}0j`T>b(ull!Yb$#-MMNhyqMWm)|CTD}7EhUZ&MQKr zR&Flzd1Jhicgtr=`}^=iVz}$6%MX2t{(Kahu5IS1d?ntWbNYVlh%p-q#~An(LfoaJW?rwe?@*agmMGaabQq8 zBwoHg#(7@Iu2$~C3>q_|{?CCYOxkDs1@`r5%8|g53d;7nUHe!WrIwm(~%Vl!wy^K#)-C<%#bSVxJ}o&q^`i&-&9_onS8+ZOb6ns zpRKHgh;SGK-8JStO~wY00_kdHxXS8IgFQ`*I^^I01HC`fg!^^-6_87ktE=UZh&0aeIX>l!uBT5T94 zi7QjOaK{rsFYlCFv*v6Nx2rNGQbe6Wc{k2ODH&GPLa(Pa``d+9@oF(+tmeEgAgIbW zX@$|kbC*QHZ>|}Be@NHFsb{oKLi=S=Z+OLTmY89b)UBgL zFs&e>?l7xB1Bjb^^dlBgw37+w7SE2>jo%h=8q1As%13dXOP&7xk?=7Ok+FZQqW-nB z{hzdeY@z$JP{&h+DkHEujrHULH13uQ9n#FT7_iS8&LQUYgxs#7b(7hnZISv@PTgFD zUcKt7VPd#85p1;6iuF{G=QZXjmV#~smLWQb8!2Hu_)~mg5c+J6vJm$pem1xO@94Wk z_TJIOYuKAj#8m>2(H?JYf~mc&zSOKg{%_c0YO&1yey>e~9q;;iJt5HOs5*<74WiNQ z=v0ZhC-~y{bRs8owzb$%s;wUWxPoMSl=BnkYX3^37Dc$A^=eN24Jsp3R4ZIHq)-mRapU8lb*NURgE1q6rv@F&7X_=+xq|X38r{ zrg@LLqRU%5G!+qvc7@wc_^=Sx70NHUZ2L68I1iwc9`^r1_n{PnBO?-cA^y!ALN%V8 zF>*LixUh12kCyfi)xy0g>c=vgIHc+&dgwQ@kW6lT&i6EB$0*%Mfpo-rrMhUf{p2rV z+!I>)Q>dW=n7>O46Q*#}qEeqOoU&ybV-1oR-BY z#ESYcrCFUi^2!v^t0odUa2bz>yjF5UrwnH5$eP?q1{VS>RwL9D*>lTFyRek&XjGl7 zq)mEl$Ann9+*2{b5QfL~u$>@XE$B-qnAC6Sq#&Hx%xV3q=61ff$n+O7GL34`i?W#q z7f2XvPcwTVE9Suh-Zp^fKB`@rUKae5Qb}bb*)6yL;3F`86o(@Tn<&v|Y8`?k1r8JJ z7FZ;F%Hn)L18ZA{k9n>$(w!_aJFy^Ds>jwGG6&2;xisHH^n=dB-E>M_x^qc@u)CJ2 zdN5He7hwjuCT3E1P-o0#$?s6DucIiFUcsF4LvxHoC6cwq2lVoN3p|PHIBcNuu!T-s zM~prV|1}r)p?I~BgVG5Wf5~e9_|BkF*IL?#R|AqAQ(l5A61S#|%y%yh=61g7Po3qe5W*;E_Jc|2 zziN8O@P+uVozXW1bT_W?Vu+mT3l8?a3+0%X)bytipm-4oAhQ{NWR7vN6q+La2Q~Fa zEyX{3iGss}pe|)=e#b8yRp-(u?U!1|@bdaf3-)p`t_!GD{{Di?5HTzuHa&R(IVf*} zbzPIYQAKC&)&-*us^t!E<$!Aq0!u?hMoYfJF!c~KvN-dFl^i#Ev-Vm6H7eJJHn9U8suS?FU?ChM!J z_LLNu%xbemQM}gy)b6yAst5wfcnjUS97)t(+-m|vP#>GUxYCnS+^>;n3yH7LxZhaJ zwv2J>%Z6bqFpEO&bgiy=ToiwSlVrj)w-1&|2|MX_MC`2lJhYo}|3Av!101gIYa5?Y z2ZPZ|v>-8LFlq*)*XSe?B6>s@HCpuETY?}uA(7}MI-^7#Eu!~MqKpRg(N=8L{9Z{D{!e34Hw87zV5gc-eU?QLKWw=-HR+$c zZzz3o8Gdu$Ck4>pQ-1!@{;|+BvyfUWDp8MnVgkB}Hcq{7V=j?o^5(G*N0XI3DztP4 zH)-<)F~B1c*os)VpQL2#4SqB*_TfxM$(F#~p^P)sKvpEdKxKGqNfX*st|Re0B#E@X z3P3B4L$n}3A^^1@D|x$N@S5aOSGkvVf&a1EE z%WPb6UK)mlkHoXdr@KC-Dm`oPDz!#b>6F?(JPw>@aCaQ^8d}Z$N!lIfN_BU8~`o=0DuUhn1oPJS4B3=HWGjjefTp)o1Yf9 z2THLB$nTTVjfb9x0w&23`FpfcxgQN>p^W%|NqN|TEp6~eLHXMNM$V?nRnWEu(^!Z& zG72ehL64HZ6|X^ct<%d}bQC>|NTY9AK_kb0A~8c!7&PJnjWE=LuI!~4qMN3)kO$<* zhiD{bPfGU-PBB07Kn1y2UvIJtZV#u-L6-{>(R1Jmqeu{PrT}qG+C|Rta0T&XaP`U; z1d3M>1s3in6MYcFIR>Ltv#;C&3vQ~HtAXJtu(-JcPDClZm$?w0?M##bFhD2>fCFNa$73S|KxCM1%K`xSfbw<_6^aQ0 z0AY{9alqODfHpA*E=yg}1z;lvAL1i&$%W-fAur2|7MGbyPCVbE< zoCu~*9DuF_u#LqbE4x7`GGPlae5p_PP?J+e18$CnnP~{4;t(hTaMB<^D3ZxS9yZo5 z>>5bFPtJLuCVUVGOAbZ4bRdPoVQ^Jgz7}9kIf?@#XDT`-hssm_gx@7(}Ic zby$=&wr`jrm^_*A3YcxBUl^k)EISCt#%rnTZ{Ns}V}pRhP-?ax#$>#im7%b5a^!(B z^|R?sSoiGa-qnv2xLbrqMaClz0zEAwlNv#iUzVa6$c&nTAr->Dgr(_c-PcX z+z-iPBYC(IBaBi6<&k0ihV=~cp%(RWICK#$d@x9Th|Lf}1U9&bama&yWQ7(}#Sj$J z2E}0KjPSkrs!j_E!Kq`5CG#vlAg|em&U*>*Fh<(*a`Qcv*f0>%lMW&*)TxIQ?_I_* z9mG;@1~-}G)&FR0Jk;Xck3^Pe&{v@UO}O$T7j>3=<^O%c?GIfS6g;5)1?tb9(qnd4 z2%Cwp#BRk`{w5vPA$ORKAj6!z;cGChM1fqQkrfA*iE_Y9*`#0_nx(YNxgPLM7zUXH z`=O91q-z(TBi`fdS*smcrfO$@zNE-P2G!vofb669NF6X!M4mQlfIA2R2$~*tj?RBqI5K3<*vH`t zw9Y796>g6}bdbW^LGVB@B#@L11rSE5!vkGMq^&I5YjZSC9X#H;y_S5AqOFF+vWUX!s=P40W2zQ(g=Z=PjNL!xuH!v!aQDZf3IU`y6UtZ2Xk1ac1Fa~KZ5 zmTVErq-+CZNZp$#U}GwL<2N$6U@%czkbirc>6g2cDb{rg-sAhhu;g&0lRQ!o%W(ZL zEE>wuAm_FlhJ)v2<@Fc2g1=6mTylH}0;?gNP+%w7zYNy{F2_p~{9mN%ps6e4p;c&VOb_*8Jd<`j>_F?UH8eJ7keL2|tzlNS-=kpne=yW{@M8M2 z$L#hb(8!8^to0)?J%IgC&KxuoL>Vt3hK&kJI5-{=sQ4FJ5pau8@S&2|SzqB><;jE~yerh+9DUeF zp|m6ddPf`rs%~;*CHhTBJDzbHDhxIjy-J{Jl4%mJM;jMZ9bf#>KJ0{0WtQaO z{&r%YXu+wwICLuX3s2>^Di_6&V|VPgud2nWNzg-P9&GK@z!b-)CBVAxDEMS)EpU}H)@76vZw{V%?} zfdKSBSkV2y!2%Qu#=QQBc*!<@E$CkqL$%5OFE|Ybn+ruJ$rb_47Chx)@Lo=VV9sP* zdO>+kfv_8qASe%pchkcM=&>Y#`2#q6Da`6y*898f2I@Lm$Qy>c2`W@K>IV6Tp?vv< zW(*H$EqpK`tTY#Y0N5PCe&p0DyP^Txx*KO@j^li3}b9i2Vo1 z2>?K_!Yv5f#ACyrjDze5;6%xQD2Ie00Rj8ukpG9eg~GBgJ^(X_c!)-hfDj$AQ0;$^ zO7ff;~}qLC|+aIC3O?1gJ0 zG4Tjja%6HmBKg0u1?~v%e_IT?N6bE1vz>DEDl2(|hW$%4ACGCBk**_t&_$wM@{hlj z0otK~tZ zqUu^1eu_CSG(2!{LDdfuPF28cz4WH5{@dqJ8^H&F@P3 z`-Psyp`r4V@f-x-v*Kj%U7CJHAcL`NadGPk34BcbpT5EW?Hl-}Zx8?WE%|@+?J&H# z*lO03kdd7=YmeRKwTN#VAKVhy`T8`BMF+U*VF)kv`-hWsZ~VsguisQ}{HF8QZ~q5Q z3M5m#V7kIjynF~$v^&H$NPZ+|0F&mSbcqI#2WqwzN^a$_wXiuo^V ze^~^ZY*5_@_(~|C1AS|nzBpmL%u{SO44hx|EgOMzrsZX&z9eshN%gtqzRBzHSJ}Y+ z$q?+7K19R*$q=XiGna#fz{C%}+%HmFTqtOc>C5;oEBg<(+*CoK5KgbzrnpMXL}e{pMev4;Q|5tI~B@6*PJI;>+V`y zPu1&XqU8SoR>;{!lxJnPMcim21NYeEZ=ec6f!P8f?cYU48&UwnJz2cJNBXIax048j+_HgucT9oM}s_O1=Gg<3Ukbj_=Wx} ze*6B4UyZ-wSMk5aFDB6J(sHj_g-p20m?nZB_=Vn6PVJ>%pNDxnLBM~>E>tDHgBf1cBSl9yr*r4kES5Sw^kd$CHiht4#gk*R7CxqlTmfTG7XEuw z*kS;_qAt7=cjFHf_V!2}{HGJZO98+E0txW}I5@aK;0;LwDFC+xWOd9EbN8JCE80gO zOWFr;8B;c=0PNj22#7sP8iL&?k_lYDR&xZX3zYdqIMVh9ka^9$^ZMxzl|^qafNux9 z$K2TL`514TpSnlf!z{L$PB$-7gQG%Ht2~i|Qcjt*kn^w&HDA?_W1Hct5xaZa%m$Ja zWig+iV|(|7v5PIJUq$lD2eAhez54#1+kpfEsb;I@zfxO(V;9SQv;vp}o16s^1fggE z&LWjk7Fw18`qGy{z&pGFLG+gb*Y9$b54^(yuStmoZb>Mc^<0to1H?i1p5u@E^UKom zG*GoeG!;bLXX-p1csj_XEa#zsc~%8kOr6T$libgr3mH7QM?ZZxtBJW^R(KsqT$VdA zF{C{q6}?ao(6uia4Q>d_9%FuB+>;Yy#vM|)6Yt)Dp-IkzCbat31AW~HQ6xU@!A zNM{K5h<&|NDj%zu{hffrsjF$6NSH^8fk%@oy7V?guLu!vT-aTkME; zXqZb6c(-Y`lXodY(mL|lMZFEzYodx48SkIPzf0n&$H#wz$6x`(!;R@QBjrs^3_s;_ zeRw3*CJR>k;qP~E{@GfgOV9E%P1c2|{%(G?-I^nR5#a#AFvF=;)i&b|X(xyb`*|A? z(zvND!2X{531~nQOv8_Tho?0~PEFuvi~KzxWzc6I#%MOS4h^u%C_MX~Sc$PEx@2@J zp(e1{^|+aXdaqh|T|lT!Ww`CzDp^5%!tfW}dksJBY3|jcJKZ*Y^N<6G;%;*EH&9mL zJkIV8so2b{@&wwMCd3#xUL1)XMska&=?iDZ?%)Hkn;_a%txJ1e3sb-Kt`o3h22_|fANFMciUeCF3G@S9L3Y;+w! z5ZayPUrD*(5ERzvaC!!upbmJ^R!mQp6c^x~jjWb6yGxrheT^)U<=OjWX5iu9`CP*u7=%k@@UxDOk2pKIOD?*wuG;7;{p-z&z|$Q_V@=c_qk$m-iM#=_}uY+ zvoODef3V4m%X$Y7A8k%J`YIfl9k`n~%@a+1Xa?EQ*_XUXN$7X}1Ar12V~3-zo|;^L zzMTJUa_#ntJOYrQ$)SpgqkKT{2M_>$#AN*I*)!O=cEgw9Vf>Drx>Jw=%eJUdZ>q$3 zbb#G3i%{zA>_UDvQ_bieaV;RS{2O$e88J@?-OcR=FX5zKW3rG#{n#SedUiHL3STMU5@0|F2ayFB8PnDpE2 zVF`4>pZ#@+qkjZ%{L*_EoPn^#l`fA4Uye2zEkZ#N6$l^cVm&@+xSA3(H!m=8-;521 z#<=Hb^Fae!kH(JUu-?fA6AkbWU^h^&T`GilkFlnWYWVFy9tXkWVcM!U5C%t}l;+5n z;PNcc$A;aO4(-=9ayHFeW*3m@UdPl#A{K=ch(6O3?@M^b;cVb9NF+nzhnd2o*UcYx{hR<6c=>O+8Sl?g`oIu}WL>qe|i5ZkStRd0AyR-@R1 zc;%{fXFa#MOE|>9k%{fFn-6LCPL7CNG73J9z**@OCTH{DcnKMnas`zRe2)KCoEbQt zxJ__RVCoORmKaDkRX2%?@6GYmSV08T`T8>IQ_hcz004!j(`0IbDA%}VzGU*@?Y#Sb zv~bZf-v;PZ%`w<&;;OV$jLg03tP-GCEHZz{+lJDGk{s zBc8F}CBSc~FlPZ{7ahPII|7MIvM98D0>m0RV)h%=BM&7-XK-GR|b3?C^W>*^$anOuaR~ zll0RbpRP~V%m~N^;8UwQcaOk+1XMgs0DzQVDE6oF$R2U+c@{V9$@4os49y-FDOpLG z>Enk?%+`{0KF;)SOW$OV&LL<9?ZFYMAXyneL(>Fgt3N)M_j|u|AAK&N5KRn)$@NIH zwM9*^O7H$7kh&`uZg|j~?_`%6Zu#fS_Dlkzw!lwH`b^5-j_U(cEaf_Zr{=Xq2Aztd zpPX^EwTjo9Us4c4$O^sJDkjBjSeh(A%3PHtW7yYZ0Afy3sbE$igp+xuCrk6<363Yg z)4KijA~rTRj8Xl{E5z65B1Q7O$D}#UyxBF|e#edJeU=Z~@J|`l2#GjIr_QB|KQf!a zhUDAi=m#--foTDJOL&-Ug#fy-_M+mGH+R?rf*R?D-leq@eP-DYFkt>Dfdgwdun~b! zF+QTnXD)nTwKKrk|FHai;~zkcK~?FHcpH^~v-rC-_tdY?pZF=lf>Pv+$hAT0MJ{V+ zeHIyvtsl;UUXbPC1X2^XL568Lru_0!0?ccrZ|8E5e?l+5A!=iA>TFJ(B*BZ0u)(!m z3xZ@l6Aobn+OXLYg#bcB&o4+B5EyGH!5L8RtF1-;T8YaFzlu7GKJzja zWs;Hd(+G02blF~ll~f)5&emuC0|>T2kA%gif~?I7glGKs4!riNfr-&sOK`9#P2i-w zrkQ~!{dG%wFz?PSVbs10+LG*9!PbCB!8&?hgT**g*y@cx8#OKiQNJ!z)w})v$gnK- zk8x*T=afcB3C*@hf!GpB#z;eo8}cD}SUMr(@pBte@H+Yrz?}GTyzKq4^S26%+5RJ~ zUfOhJoZbN-FWeICkgD@s?#7m~COGJWQEo1nrIWNbHH`H(C_hk~5XSlW3U^nosr_Nj z!m2Poz@2OLlf%NdP3A@B2P~PlA?==ov%=uRPo}chh3h2WSXMZETUxhu5`Q@QYmZ>L ztp|wWe0e6dL4?!ksJvPSd30CazkCrKX6N@h%E3EKMxWHIkpHSodzfIa*mYJEKWiZb zxIIi>ufi^llB4$_pC#*2X3k|>;qxk!X3y#G`H;wnlarWhlEGG(wB|AMTHQ6Kj#9Vp zuy%(MySU`t z{=vqtQm%P7Jnig7h^=^u8BzLc{eJ+j}38JbKgToT^-TD6W; zC=j-U!w0TKa6hMpx$oga=+sih^l@}MmOj#}x6(B(6RFJ|z!gMl4S!Qt0)kj$*7_Jz zNgdEW?k$WnXCk$NHl&Y@vFvvC$RvP<5Yv{x?T}x*yhkbPGTGwMtsM>`2HLXyF4`v| zNeMQ(9}Y9gZZTsAD+XVO;8^p<1w>D5WU-ZSq#TaIlDLTBVA702}j4i z8eyZU{|6BBXa@al6D-V0-@d^gH5;5N_PFfLZFxC7Gej)SA3#}!HUT>ccE^C`YoG!X zo6I+?wCJ(?%C_w*s~w@Jp#QjyTsw~sb>JH_mon5CdmG5a1`_n)cU`k0Upoy4+lt8O?oV)c)FiU9@G;GvdNf?cS=z%YWJN0 z0K`HoAc=Kclfj!Zd14M|=cEVs{{TcCULCRnWGg;@-gJmc%dxWXC@6Q6sJ@yC4h$G9 zc6fPWH zM#ybw8IDr?kxv^VjBB{4U~2*%Vp+d_s_=Z0aBiv%I>72u7@)Ze^D|45w;?o@>e3nB zW#Y|S)QlZ8ue2u*PeR_|Eps|vu8bv1?$DpPG-4ESA;mlMQQD7&s59BQy<7lTv0vV|$&F}6Eh zsiN#j!n{;#I0_4hYY39t$3Ol&91|c8l%kwJV1DLg5->ZtIdQl8R}RSTq2{|{UMe%g z+-}`~Vm&1q+$rXU?oXY+ukEKyh8WtOi?_*=BzdIHkBUcnMJqT*~VZ zY}9D+r?{qd#_>4PPv6{l0rjRHBPccfqgS!nRs1kF<*WK z=WgH6P!)S2@rhTk_u=DMwcC5atWKzdX*SJ~zdd=U90w=LY1y2p3*8-0Z#%g53)iZe zp!6`nwY27)Jz&GYRFf^MhEcE7?BRW21=m8oB4{n=JS<1Rr?rT3st#h68q)gAi58f= z+v41ovt~wKdFXdCLD_3@+$A6Bb6F?$@JVy~EhCVdaTCDZZ~%{HL!h&Ro)@qkDYab1 z|6ydBa?1m?s?O1Voy$uSJoh>>;C^#|EZvwTW(XcioP$imr&YTd1UzNiRe(AB1soIK zt%Vr784}x(+Ia!IxOCm_GXAVPagUq*kqR&wOn2J)oUR&_{QQE=I^s$J#A!~@wO9G( z`|*XgP7~qVK|3Nh^QOyMu8noN^H|E$Mc1!kqqOO<(m8$i7;v|*r~%qXb4Yn#GG8%O zaXgRuJv_Y5`&P${K|eNqeB`(S%2}JK1!Xd{kBN(HR+*c3gAVFW2&ZgGbO^#%N zK`h$UEMPXmHd6F>`F1VWI9s`)Ui!sif2UPBi-rOoz+6~sL#cs89&)fd1*r;L{pBmK zOt&zC|DgnPIhAwQ1YgH$GaJxm`qXQiQetGRLR>mbU!|h~C97|(v&I^Qk{L3rS!{na zbHVW~AozJzr?A>|tQv@Ejq7-Uw6H&n09uPfMXRRpg-d%Om{dYnzeqd%%Twh*)vqq%UN<^pY;BYh;^kZQM z6moC=7cO&l&NO3!K5y?Su(^3=^Y^aNMfmyFO3|ty znOgtQmi68dfJLNK1m+Tb3Vb0bj)UaA+m23qLIn#9mjuaw|9wHszIWc8x{`R8(u8t~ z9B4;`N7R^!&?PQh9=h(2nei3n_(lu}k3$x&Eh7%80yk}6W1Iwop-UD)l4r^)O=NL-3D=A^9kuA@IcMI}8 z{2Py>epra>31I|KjfEwF#`iuupdwoBbh5*2&uCKIY@9*c?#JoQmjuF5Sg|CS!!-Ah z+FHYsq{qUjRU7aCu(Xo8#$)6Mn>`bVv?l9Jl2p3axBkg9MAJkvO^zvTMPjY3$MR*Y zla44sQLwDh!|g(z%5?`xhOx3mx<3G#IO9MmyvkXYLeeE+yrV<^alEJq0EoQ3Z1u-A zY#iz!cF8dnnjrhl+GNhG7~nFpcb$HGHm;f??iIed9UzLM4~q|`szlY`|4#8VgN^Y? zbf^Gg{5l}yP){6^_PW!s1vBW|8p*)@$AQc^g0JwIehDsHE)#$C_yfrI|2v%m1ORbx ziLehS-pr@`kLeWWz{FhaY|1`l=|J0*4KDNVbP9Iz+za_pCV%Teb3i5 zM|b=MK2^_in||_MEyrpFl3GvLE8>W%vb2jV8narltBZnq5ijKi{@x)qk7-3B7GL>6 zy0jM7hFTM%IMjI##Lls*zsT(cne%tf?Vs#l{Kn9*_@fw;7}no++fRhfx>F4Ng$xwA z@161bALU^+X~GL(ZW>YzAGdn(5GVuOj;g9sZ{-Th!w56 zHUZYu0hbfL{CHzn#zJkX$*!gKzLC9<>w`pmT;nz^`3Pu71o>l6+yBjTcQ4s>Pya<) zW*_<;8XFG9vHoNA2!VdW$KTqCz+Hk=SKJV42~MVbtl$`pD$tnNzaNl?}X_O zOA{1Osx)^{C+2bLj8nT}AFhAUmWxt&@%h>MDe>~5_Zlm3QmgE{J;dFJK=~+ z4Jh#_2l)#8#~@zL`PlLYp021{U}^f8Y@bqnsq_Jn;PHqZ&PaRZYev&O@s+UK2*uM@A}8c7Lf)WVH*W1olYLikoN~E4Nk|2I;p1_Lafy1HDMtK03rmrIuw9n^K&jQ=y%6EBbJC}47M#le2tttjJ$vHk z5&Sb(9QDtP8aigKO6?w@BR-(xW2A z#g+4mInFn0Ek1@HMBi-q>q=cc(@FN2{fN4o)vT?u;uzw7psrC~VsvywPD3PkVi?iW zFyN+~ED~`m47s%9G7itMs(GKXqsi$Dy9$L>`VVz%FUhR%wonV5^yZyC7Rh|PFeLg1@X;Wc+QN_P`TUzAFwv&@-qlE^_|++W-#a{Y zl3wxoAeoJnJ6~PYp{?9MN3Tjg04HDl0f6&%R|+nQ_N<)~4-`v34N2`NBvu&vj}`%^ zI%qkvRe8fFhYrug9;oQ9N#8n`eTyd@#=F+FO3#F}SPKf+-VHTSKh?h~-y zlVXE(_4`=;s%Dj>{aiy3{GVwXR_l2dtji7TO# z)a+RAlry7IztKDvUyC14ML%dJZdaHf7Srvg-WESMe&)P0pL%D)TT$Z6vjvIj2a;mS zGrW)GBf{e(cR<54ZUfFQJoP$XHyutyvJH4upvfj`AWy#!v9_Kk+qe+z7AOu_D2@u5 zV#A@K?;793b+MgDZ%3&yFVWkclLGxJZNa=FP*%U^a4c%XQF?BtQR=g5oIv?=EB-~o zJNm0rr9|4t%etM}PknURJF}9v3ZHi}6QZwkZ$G>3b^BNDcBY)qqp4R~ak1$NS&s@* zAjm!Mu!lPaB?9N2C!YqaZlj4a4?|bG{LcNYIgL0z)1h9f+n5am5AXpC(E#;>YE?f7w!z80)YfO*o)f9W>zkQC?d2{)NvUfK40edyem3 z4WHKEd{PXsUpMxdaR3SWdLOxGPi$Ml<~d4FBSv}F%mg~_N{l%RHrMq8iH#3^I)3+S zWPz*|Ih|HxmE&3PUV7Yc2=OSa&?|Cdt7x@NIYhGcSm|zLyHzvkhArlH5!gC&YENBz zFghK{-;4%&FIui-G~)9B03j9Otyg zeOuBf@#GzIv3^((u)wWt>tSF{CauqSeHN>0ftYFH__4<7gpYTTVg1sCs~BVwJ~*?1RS7{Wfb^;eMMqh-0f}jbMKhlSS;Bbbf|LyC-#t{Z+e+hJlai zQ4LRQ@`d1Y zmP-OY9hqDH3fjSM85OXd6dkSdIY$n8TF9u3UUGEv#`1Oq@P0_I-<$YClIc#@M99z) zG`dDR--7ElI-lMg6+C>N$q%(~o<~G}*$?sc!ph+p5H!s58+O(p_x_Opgc^4A2PoMOoiB-&U z*%{9SR)^ep>3q@}_uUt~+n;i|1a+WMS1)nJQ*_ESnB6~6#V;r#X09EdccppoHt3Cr z$a`wd*m`t$YW+&09*LhbraIIUEGl>ll99qeVyI^9rb{mwwyz3OK8du z3V$}a-08vXY`+k%-R9*RYBjEi)na>9!t-5>uzT7ue6MkWb4^le z!)V#ZC-2b6ZIzr~n2I7ijg^bB{uk*M@-b&dqYv~pM%iv8jUjh1zV^|yU){-@3vwl? zIhlo(U)|GT7XEU6Gm2--iW0)Kwpv3+@)jaLC0%Bo$R1tAs;lKns_HZ;dulx|<{a_p z$4RjkxS%8N zM@bHGr5?rj^I~TrX)kw&dnFpqhhjFY431^Ty>aL0G{Rq=L)2IKq1XFGqc)4JJSrAQ zu-+uID+spW@d4`=3Jx(W`2??j5wmoxq=;aA$PU+(Fm?^A~tGBD`R71F-1 zD-H@RpL9XJ1yD2=^my}zkJ!R`tBRP4>!w#uuAZJERfFzxguVH6S6CmHpZaNpQiLW6 z7Px#>-5mR~%F;U1-_y3XCA5_o(e!Z>xnZh7m*Qr98Hw5;QE!(*vJfvJebE96eJLAN z{Rv7|%jr;%s9VKc*^duAr$|3&Wy82d?fA!jgXP5O1PzvhoCmIvOPbt6R`L65x?d`&?- z=@Rn?@TOF=YmGRx4&=sCHBuP(f@(fm##<(~>8|NsWWXkLIdM0hMl1*M_@WSMy zaLd|7DW5I*yFY@wniKOOo5=MlQvaG3(0W|j_aOTn{zjf}cm2kCO!imkPCw*(tA1^i zE^E>Yfm1ATV&@+XPMfo=+efXcI)8uQW6H^vsQlu7QSan6!KvNklqo8^mD`FpEHm)r zGnb*lZeHKWT6CSqE#bV*h+CJvM^hy9CLc}SWO{sG92{w-lv*e+q7KcCbDByHrFz9Z zf%=G85{koB3D$t4St(dE{S?R7&omIQ6o7MS|OYu;Wl?_emf{Db0D=M^^HHIN?(tazP zr(+!O(*4QLF*N}(pRD6A(_@zAn(mngd420A7rVAXB}%W9NepxQqDd)+qcZEK z$KOF<$QJ{3i>u6HhKQQ_C897VpHim`Asly2}sVOLlM6uwa#p=l+jF>y}ex^iMaks_i7#;-Iyk8)1EPR?0b&qwP5w z^y*Cl>Qt4UkHR{K>1_|CE(8zP&ROr6%S+=mH(JWZ>~2d3?N5s(cggLI8EDoxx$pNx zIn=wpnDQVQ!S3I%%T?@EdM1uuUQ}P&@bA+|cM-XtK4yif`N&K2W!h05%XgI}FN~R$ z^9__Y#PYts(Ro>OshIDf)zL2!Eb>NgnY<-EdOvRdqrZT4$>;3&rqjGh-3Qc_{Ys9l zL7h6bX&3R{yx6Ys|`c>~w*X4+ETvmyVDSXyOusTIXi-}t%=Lt$|iNAv z3$AJJViLiue90fj219N+F~uCDiuwD&vG;GI$f)P7kT!R+n45JQ>?onm?w?yD*ab^o zxE5DiK6D<9HdB0ek2ps3VKntjdYsFV7AsGH52w6gKK4OcaUumlqdy zNL~Ck=;z+r8`B8W8eh69l1aun)U3-%{GM`m_Um05JMnPcH!UB`QvD2H4dBHN8HWy9 zcf2~kNIeV1d8%SI_bux?Wfxt<(D#I^7!RmI@=lMBZZP=>OJCQBN{nyFNweZ|fv_z< z^|Rzni`KK=aA(PQ5lEp%_}ga}yC0pVd!&EvAf|K`)}AmFv#(v|q}=1Sk$ak8;2$_- z2mK6Hu~YSk9*BbNChl@UiXqI+s&8>4CG{|}c;-R}DOB3;+`O;j#fgM$l3cF5#T3D6 z8$WH^mc}}|stca;3XEDbDRo2>wSH`|X?k2k8-F0+J|369oDB_6OVeM8#-h2d($CdkwZl_{((eyVqCI% zS=*K}}g;Q-LS#k0SP$dGWFM1K@n4K#RvAjutl!JY#KZByidN~Jn5M!NL3x46w zy}g2WT+}7Jtimk(30(c)TeiSNNbqB6FJEsWi}mhX0`76b8ALj+!~yIpOqMi&tec7uB7Oyr# zRdI1U>H_OYm?R&U<5o2tXEo^U8`TL*e6HU&IE1X{9mLVxm*6UKINf}c3yyAK!)Q~y zxo)!fq!3_^esxLGNKEl~2qDWnZ@5|iy1oTb5=uWeXCfCi(>wdk<<9#tl>tUcwA-wK zIpR9hKpv-YF=eavQMbu@f4TjYU-9!~5B*;{vDJsn(@AtY7N;K}4LmyxSBtqdweB6` z7B7o@MJU}@dwlFvA+3pyZ%kd6u1czhLm5o=^dCQKSQ<(pynS&raqF(M>*{c#r6jii z^p29J%WHlKbL~k+H}db#H@z-uOk?pNGv8ZHy7BhcXx^+j)?FQllrrkySKqo)fZ`)8OjC2N^kEJuY}j3XCX->n$NEDkZu(_OJI zCnSE)DDL{c)g)-S8gCazKgb#s{Wy<%8a&RX0o zx9Tgh`A=+PC$3vvxuG_{G<9x$cuKi$HL~YDx-Oo7^}X46EA~9`lm|PtOZHMz&-&Si zj}kRt-1wQCC6W6HZK#+tXx9phVA;o*t~KxWKC&9v-Kk9$9(G)=`j}JUSBkV`3Vs(9 zeeYmsyAMwi^HOO2zixJMHVvLNt-#!wop8M z>m}b<-Ccfd)8_RAlg;$(y=7NY=(+WkQ1UxB`5~)RRiU=|gH4Odx0CG_As=xb#2j~v zbq<3AGT$A`TY0X3nDnM}w0`B=7n)BcrL#!!@Jc#|MC+Gpj*+0sjL^G zSD5wP`!6GhtDEkusj*M+w?4lLRflx$ri0lg9cud#d+UMSj~SG>7RIvWK1NKNa2hxb)nP!3lJ%sQ|73Sn z?lR~%e93-aVVJ-JDI?yFbT99`&lHgdnRKRmE2wU8)o2)~0vcg;s)2=b9>3eJK&j>Q zh8$IA+vyHk&0o*oE>yE%7r)o@^qW+duhQ}t*}9Ld4)-A7LK4byuCV@qQ>rT@0>Np^h&pBMxLtHJNyfh7$hpG;Ju_kl*^1n z*neWMWTx0ra^GyQ#r4)Y;t9+3?*&tNCMGJ3w9w+Zx^=!wfx=BM! zi4yyGB2D0&)JPBbqhn>~)J0EU{)5}|mGNcx-1q^(y}ON@iQ!Kw)@=>bwH|onb~W*4 zLq&(pZISE`izKL%I>}Y^G0l?WVsi&f=@g@@q2xxk>|lO{+6!SJU@DNx;fj*Rx)<`;06D`4;$p?tSwIzw!5aSLKMZ_|#P ze3Z%{&tvv}DbqdOYDuaLQ1>)Nc{AEQN@Q1(Se$AcY9B2i!FeF~D;Fxk6?O77q0kcf zoTKIJ{TZk?>(v7O`-U;il2_s^w&ONZEVCB(Rvjh$Gx+g&KWr8#G5MR#aRUWEMXc#~ zPBZDBJm%2*`k3zzV8dUS?M6WTFTTDrtf?hxm)=37_bNyyA#{-5d+#0TQbSdwgLF`8 z5Tqj|AiW7n37`-uf+&JW(IB88B2CJ<6VLgc@6WyW*#u_K%v$SRYm%_unb~_=$@*{8 zuB;p8{lWeImY34&&g-?+D%?rp1YMi9qwl6}<@Y6Pj5%12gv8MI(%l*8`Kcsrq`3Q1 z_pG3uPdKGA7eA64Qzb4naJ^IM7)Aa;HqpV{pB=Zm72X)>FcigRY?PPf_?q*9y$2@5 z+zzjvOenldxa{dtfAHCwaLZ0cgH=JH91Vr$|X2I~MX!y2ozB-0>YF>}xu{`Ng4H`x++sw`|4!pyzetc5Af=xcZJ?eK;HZu(^-=%S+}#hBmVim z;i&D|^QshDuL39dXoSZiFfaJcm2r_j?VWg+vKTCV+urq@cU*& zrQ=Ll3689vE7m`xxcbWM7yU6@hiiK+o$hr^$C77nLQHhmZ5G^D*A9bq7rx4Do4YHM zDnH&?EPNed=tSAEnPubl{+^zv}@w;|4aIrK2u zS!^OXSzCQ|ukA(tBX@BDr|rnR)&1)|dQ?!csVB!ZnVYoplvkb$ctnifB#U$ve{J9Y z?Ln@6gM0k_M?PCB^NaP2jFrlHO|H-8*S-@J2p)ZuS?H)5i4 zwHbzcmyl`pX8E^0)1dbwrvj~h*WMJfbcKE*&T9T#*kMNF;)qc&2q@jCYonVIhHV!RygpH7}4*CRG){S9gIF`^;Oz9x9wztm>4vq>xb@MngJ0mIx5 zW=HH=t(@c28=^{5GtL&YF$}Ubhm42{{$(XWg$_ZKF#lssKd^T787#F5P=g!6;NcSB z5`yd2{#|Otx&HUcwcvQ_hm~NdwQZg20P^>uHLxhFOudV!+r%ij4^E&X`o^~uQcfuM z;Jy3N>RRp?*3Z;?In1Sd@V@DFO{?KQnJ!uLCmMbCIU82)bJib~Ywvh2f4fv06|X*m z`u~opUIZBIZLdT zA1`tiyg>o0zkXv16tY0gSkK%aL@6l90|AAc>LUm+RB==^_b0~|Yca6;h^pgX-C9@; zFwx&Jbx2Uymzn!hA~EB&LkU!2O{*jSD4X{JJoG?AB^K%`c$GARlgHx!I#A~i1n<5H zjd>dNA2KX{3M`-&=YJgu0NT`%pcd=-U#Q#wVFK{AE_Ucrn;&$$kNrEQPTE3q(Mi^N_P45%>p@1GP|K z<*@`%%nxk)0ucIypav`c*AyS9(Ut~6*n$RDAgugfz<;BU1%Vwh8Q>@x1pt8!>tFkg zKpi)bG1~lgX?(?dB=g^xRJ_N6!Ulc`6v`(4vxN^%5SgGh0C=Ga0@L6MG-clbHBA3` zTQ3G+cmtJK*Z;mrC~ZN(1zWQW1RjBi*Wm*o3U5G=|H0w@lVb|rF8KeWXHO|-ffks_ zr?US~A`OJDG6P76VZ)3a+}EIUp#o5r0ph~}#$SW-KTLlk=LQ00x&!p=gV!6-H<1+! zg%gbBkKZv>*iq2OT5tkLrF?!cg>LWN3(X{GE###PfcMQq4yj;NaCuMpmFOWZeLSjV zm^gof;TbO3?ri*m;m|(&UMPAiXt{VFj-0P?{ltQKhC3Is_m0fJKL@(9`FYrb=H!8T zaWu=RF;7rw-p}mM)N?<>1*9%r)1M2VJym0y*{ogr9=()uh^)mcZbS5)>SegTh+BWa)!WlVm#3&Uv6?d;( zsg@XT@14@?6N}b0LLED!#y*=ZDZ#IeRFm8_AHC&&)t9o_ki_d^9$EL|$cZ9`nZT;& z!6P5JtPR$RDOVjNljT#p2Rq&yL*NeEGF5D6SsVPfRO}u$4kyX4;y+6*Pj=FtdPX2g zoESum%k^Bw`wx_Zz=kk0LfFY|UeNjR8^7Y4(u^hj*^UmolBn7w1zc8@G(Q_Tm7kUM zaZ(ea%o_>0U=t&0djzOVN;- zb<~(jnaaE8-FxR245SDH6-Q!CmUbx27Ix!Z8)04xwHo1v?REl@A{TzbdI<$-xULIt zQht3zl})^5t+i=~t<(&X1}}0XuadY*^oNK)!>^Guu0i25Ky>!hqP`L@#nKNpo(7C&Lhcz zZd^b$1k_kR$)}_u@o@|vJ`PP66Xs1zZe3_1bkKiIh0tO#v0({RyAe2WUjt9jR%NX} zUngCtt1#$iDKB%h=;^O1$UAXHcA5ZEOFFgcQ1gdbnh-mVxk`0ZPmPCufu59@XmML- z5yqjWVS73Rnc zF(;nkB5?_zsolXgWNoYnJT3#PwJ7bjZB&uCSsf%Hr$Lptrv0TP{YTmJTSSv|5eMB; zsI6{^%wsl1f?kQQVMOze^d>T+k2a}OUzK}QC{6}Va5|A!$UO^oqfBxh5PJ%1S`;8; z#D6UzxRGWMXH%%a zQbfn={+|s=`Yq$X@u{|qq4460lwT60H37{*(i;k8!IBH}i!PK5mbtzbZ_7UPxy({C zI^}XDA*eThaJUZ|NuddKy>zTs_|m_J6_PL5v|K9~H9j-JZQM`@MoGFk+V6a#WSiwQ znJ6^*a9^Y-ko5y+@OG$)oBv0rBb})}ow+!Qr3EBvx;OK63TLMu#Dupy9_OoFf)2ON z{vZ8fk2^#=CoKQqxRRKZFp!<;#z>@-N_LRbbmQK!@m7!4b-^Jl60s|t9^$?Qv9m*t z9kHL1@hsEyFPUcPar@BNTC76NZzdm^&^PF@bkO4_ESJR+HsP9894Zad(MxiLC$Znn zl$^Dzi2quM;d@-^Zsx*99+|TH4Np`650UcrAdWMz?Hemy1udIEUmT7Np?7~#AK5I9 zXx&0^Ny_Mrt`oBHET_;hQ}(>Y!H_u|&qIp)UVmD`$JN*hQF7fv1T_<`q{W{ZRjY>S z3di|*?iJ8Rhtzv)$rTL=`(FgR<+5xziC1i=SiPx6+O~` zlkbJD{ubwj7OLgc@cm3n%ecpFP}`2kckW$ub&e#Q)U)o>%XjdDJ{uT&!N;jlHHdbo z{+6oeAT&c$%P5FQKN7qx{DZ6=m*tr`-C6##;3iLz;)G^_zEt%e)H7+iI)p;>&hpJ!&|^>d7@-DZ51aB)LJyIX7F7tHcTYSxHPnBQ zp@eC2s@#G#gq7TwvhLT4ahKE5JZy}fR7$mkP(;Q#;B#+zO%E!$E*q_`Ve9%fu_Pz}kNO&Az#`<`NDH@t>hm}J#Jc1NPanagAK}3Wo8^GZ}qjGsdi9dK73m%Vv5-e#F|l*RBzO4U8KwY2(O z2R)=@mnNtBo>pAlqTqPOR_Z7I=Fl|%dNtxF+-ICVP^ESDozMwrORhcTomZ%ecZwXm zgGSFw;GDrkSqKG*Pj$w*ZCQN zu6%4crJ%XsOC~`m`EJU}+-8cNg-L8mO{_O<$gc2)2%DpRl~+^O@Lb~}k5)6muW4_F z#>R2cBFr+)Q?}m-k?xZA6H-<7L~HU7>!T)3x;zB_6?gn?9XDbO`EbDH9xlT#6JlFW zX(3QyQ{^SQ2SYS3KQKKQ?vyS_>ooXNASA0YMLg1je|dU?LId@YeWu+kyt0$9gO7`8v6$LRNfg_yovk=``W>Nek%`y_JSe zq(r+0noRg)P^tiB>~vv;TckZ$A9Zhty|D(P&~r6M2q%1OxUbd z;~yMP<}jBT!Ju>=RIker83is1IfM?1C)^1lG1s%VrfHj0-kaT28BlRJ3 z=Pg>1LT?q%p;dVvvZrw>#Ym9cAg5$gB@(sluOJZ}iAqvj`%Q!+d(#j#0eLl$eJ`f^ zH5&43G3y<&1&vmFW&cNusQNK&&ebR(4jo=x_E|ymbX3Z09E&&a4iqN;hW9ix{BIUF zw6csi)ecPc&XkT!Qj98{8G(!Y6hmGfQ(8x)h{SA1Ts}R3$?PRhV6vS1l`k6}pBQlV zJI0o9UN&493_Jf|b1n(kjVMu;?6{g8J9~NrZ8}jY|HPsk8hdUwc`@gFT>LT=edQf{ z{PYOMxEF7Y$pKgWI)ZIV+LsvP&kV7lK!=d=8>OyQ-;G0XMOA0@)$BhwKa4kAt@j@M zgQFK~4s$+NdHI9vW$2sp>gShrfuEEc02IR567s9OKZuYkpQDyTnZ1nIj|36V$6o#r z`3GkJ9^-x9au|U@ybK*%-G{|&=bh;1d;-@@`&hrlxLktn*@17M;m;=+F<5vpK9>f* zmvar6dqX*&#Ck64)DI0gOI(bPf&8bl>VI%PK7J`_e>E3)uD1W_+EwXQ9caV)0W^AB z#Q0=%t-4&!O9AlqSM#Tci#sSRsGq_Y^Nd(Sz`i-y+xG^>St1kjjXuUl6@=|`2_b+p zj8&@NbZ9_-H3z&_2bZ!!IZJL_ZTDTxTVqlJ-zYbftL=j*MHeA149KtEZk`x??st23 z3_{~;2^46?_&h$*EB^$E*}k}A@-GN6Wl7ZE0Q^DZov7q|5}7#%JvguO|H0X*&O6lR zQg3a0bTdzP?E$SWIxzrIy)eb{LWF!&>FAwhM0<46()|a^a$6o3 z<(w}|VsD(?zVbPCh8VYB>HeCI`kZlcXpAXeQhr!IrW9TNGP*sM;QZQ4;+gW(m(gb@ zbY~^8*CzIN%HJr>DVN+YT2_jQxf0L$%y*G@dh;kc=Im$mRbbBNVWp*m^V1ix(PsxS zXBubXPU+ACR{AIj%c6R7CN(`OU-Vm@A))yszdM z@tksj^4Ch3^09;SFUr-MCm)|K#S&Z*-7lKDd1CyMalgy>dpX|;!Ikde#@S`w{_x?K zm%o*tTwVEGI&;2E+&nokUOPRznE(Dl|IZ8MSecpqa;3m>CG|bs<7YYLLgjaEu9$yO z?$`vrb{n?=|2YN9V*)?Fm^xKbj`f2QBAMS7^V#Q2*)- z@Sg0KGwyd9w`08({Ka_(YYO9YyfU*X>mh95SIzQm{2BJoAdJ4w?f1wt1EJqw#qQnq zf>0*3B~$444*hVJJH^;`@gR(`&aD*2uwML>Lbw`Q3S(#1pJ!M>T(VWM6=b9zm>AmzWy|d>tK#=WZkf==d6sD=D+t=EOzmI5h|Klk zapvqy;p)GL#)JOVbk|edK&W%1EyZ2d)ndJP5Q<#SvO<7vOrFpbx8LJU27XMy@L213 zTMGSMPgsi7T=6$hJ03LBk>ZvKkOQn%KzWvZiaV35BXf3kojhMgg*S#h&so`llwy_2O^nzjZwnzMUYfmOfdwDN>n`rg^9lKnsH9 zRJ;fQ4U0h|4WlgIK*?H5Y7St`bS<7{2ERZ=eHOrv5E{~mHA;sKl{};of(~_eWFPOx zdIVI?CA(7y0SiFxF9+-M-=B^u!oa~d zeIOzVqkv%x5C^3hX!I2J+$pLoLM}p_ZFHq);3ecUEZcogX>0KsA~0$m{>1Gp5p&;l zaTal&D02I_S9#B0$R5s7gwzE^rEiwRxnK6}sy(g2UatwjY4w#9z+zQ=CJ>d*I( z6Q%amUl%h-8MFgj4ik*F9vIx?*ji-8LP6YH`7?EREjSo}dtUU!;|vRs4K8k9ZsUiT zkvQpn7Ijo^J0AkXonhHtY-5L%hvN5g`i|01$|8u-+kG>TlWXvnEyo#T&%mFZ`yPW| zw-9$%Uc$10s=;Zwa@#13IPl@_%HW=p;nckuBqwZFsr7{Yc}BLE;;6%f=LP`&KICEw zBq;8CPEk3%e#I}m6sHau(P8MGf!)5NG8v_gUHJfxuY+5L*x<+l?YoTV!94{TM)a-W zzfON0{JI+yJ#`NR2bkFIi^OnjDb66f&r&{3L{E3%DW^_&AF@y1x}bd1Tb>ktnvy!| zm8w30KwsQkm-P}^KMgDIOJu)$cFm;BwF=ImI9e{zhLU~2aTEH!;Z)loLix+(H1m0q z%+IybkzmwU(g~LA%jx?wBVjohw#Xt%Zj`cV>3K?JUybV=J9G;rTY5KT{bejw$5X_4 z(%TqwBqn$dz6X~C3Y{Sz;T+N01|Uh?2rWI&uAV4=AaH>3N9}TWU1lQ|+0IHixf>Q0 zyl$o%zaN_!2`%r{=Gd~)7Ee3XqTWPB9k4&z;;5WK%)CrY{ZV4%S`)6F16f%w??XrI zDf*fJ%z=DVPD9IZqQZ6*jez}O*(2E_%G`y>QtBc~+7nK61h9TPf{H({_<$sMgY7H_ z@Uzh)c_ZeY`n}LYxs;_IniKl#ZewVhzM{0K#Nt4+Lq?^FwG3jVijf^B4~&z?dQqVh zQ|+FE#Td$_^?=A}ZLO%dKe2DTVt8R-3E<%&`OYeq)`q$_Mt4-AD(Z&Aa&qJ~Jm&4q!x ziI1rGcAQ8gE{2E2#LpSTHojyKn*@tX91&4f>^W6!h;X6?^+$=sJa(L1zGfc@OuMkV zvAad2m7(NO;vw1X87s&=q6mROlz0$@C-)-my#mlODISusQgtFQ?css0>cQC+00+K8 zK^BmapWMfu3)^D*4gGsI?!nkw4Ej^=QV&k96b_^nKbk4{Wty0=qcPSOwI7)#D7Jgo9yyngQI4rlp`-en>o|qfc|sv=plmXP3Ge zwJ#i%?*tUEdw2zrtyD7?tP;rx3{Jv|AJ}T!I(}tBS0k&D>PTdOl?*k2o9_jsYR_(? zYR|;rE}CXeiU(1(Donx<_UM*h0Ly{!Ks6HhI1cmyNVZyV0DB(<0@$8}BEV^fM0R_2 zD^>e*tT(8s;^Y9}i`51L2orG>Xx|0Kr#B+?eNxgUh&xj zgvp`2C%ktD-g}mPa4RR)Bt>I_B0WI;?lPqihDgf?@eQ;+Y*|0xJ#WBUm-QxUd&gDh?-JlVod7~h&OJv?|D+^c=>6gxA#7gnMLU2#Rd)aDRc@R&8; z{s)KFXJ;{bf#G&rz2S1E?b_#FCLh!Web|||rT53qel$`2Ps0%cCT$aS4G*#SoV(}V zZOnw-uzcs$R(xA;VnJdJCu@}vJv0W6{SHoQzVK()f+RJMYG4%A5h!jHM!pnUNLncm~@PAK6| zsgQqg4EFeBudn~kl$-JV6*OVnMvx|#QrWu$9j3jGVKcg=9<+i9D^nubfr0OIxzbVd z9P_q+aNdw}5-JSY<9((xzipvOvOK0Kktwk*o)na=<=+tMOVvgpMdct@qS{1GECa*4 zy-4%Q`?`EM!3*4AO67_NIJHdrHxKUKG={9~aweg6sk{g<)C;@p9W|tXP8-nMKecI* zyhsd$8x@uP+C0Z(>&u3MdjndE{ow{{sWRI{@CKa2wGLLSC12367+Ol31Ntmc>Mg7# z)q9`DLUW)?Ou>{!9=-&!4A}bx^jg>`JCxX>Eq*DC0D7;*clMeQRtd z+Zoy!-hb}yGXLs0q5Y;(0<2q9br9~;Uy_9E45aEG}??N>UBWK7;9g6 zeDS48t$xU^zWX(k5z3Yk&>^@d(W7c;LtwDtdUuvR)d4l!7OA&8m(4_0kuS^k*5lE% zaq3|FTvRaR)?1xV6|EIEvu@~T$pO~qqQUQ<<@VC_P|_Bc9OB1#`m(9KPqWP))H~;K z&BnyOcK(i(c=5Rc?(pqc8pCVa*2NaN9!u=eB1@Z@^r(Ii4z%Y7sgF=ARuDrT#ICsy z;N~T7`|?VeN4(h)5YAAeeR|`QMJJ3B*=}`z)MSMzYqW}=>G1*8O^(Xmz|SK+@=*m> zBNWDyUJ@O`9ACXwFce0&jCa15FYm-bC}mPb9zl=ea`|@%#F{lEPPp)%+Zr@2TFQ|S zl6as|mrFMme*~$sc1I4AlRt`kO_YZc%@nP+A$ZMD7N0hz7VbN5t?}$UlAM$YM^i(m zW-)~Jq9*UU*=%=-2zeJ8fe)>@HU9Ycj5{}8)`dMsUOMf zjY=P}Pe1YSWCi}Lwcm`K2<8j;2dCq<1W6@_k|H^&dLiMIihyWR+j=v#L5Llb#45gm z?MM9@#^lfso{SJf=E74^0?eZ~@913yQC0d6nW+{N)R+X19i`&p^2HXiP1n4?5>;ptlg^yXJ4FZ#R#(+wiWNs2*UAH%J)TNOKJDFR5-D4wv}y z>)P$cs&wMosaygyfzcY69Ia641OFZm`Q_7Ss1+txL2gNF8$U43rLySZ6}*7lOcb%q* zoBIm^3EUne)k1!$ER-8~ab1Lk@$*r{DPwh-Kdu$*g;05`kY)J3Q)y`D^z}u?6X@5i zh1CAmWnHm>s=KPm*l{ha^XE4XwlEufEB?*rEfm)U7a1Mtgpvga)~$G)&WaXM2!0TF zU0n7e;}HoPpJ-`?Lqt^<36qPrXozL?5mC$(UdHR$Oj)v_`rsxaPYHX`HJciWlkOgx*Oj7NOY~v}R zPByiu=x^^LYVtR(fLJmp=GHp6u0E#LaUWU`?y@Q1F(IreO3g)*?6&IFi>QYDRyXB4 zqij6INs(+-85<$Mxh664bX#gd0B^mfa8#pc>J4e=l7Hq)`-H55&^vYl-L)@^bnOl) zCs*C{(y}I3C^1%~wh8ME_Ss8sU3MlCYFxOA&}>4F$n#+-geQ3UyOzUN8l+k)5CglJ zBSjo?dM1jolVK9BgNoKAjcQBCO`593g_hKxUUTu?aGk<{$+$mUi$Vf)mhw3|hvgs2N|2h(``ZUy_M^ z7k#Sw;HCzJ%YX|GQ~tFyYL{NFiXj0{!G}&;Jg-z(lajNR=cjdvbt=hu!^@BJO3cfE3itDneKR%z>trn?N*B6o2AL8*B@}X@XBQ(GWqc zXU}3Or~W1-2dRxqL_wd449IPb4itv&4i)q=!Gsmk>RIy_K@1vf!LXnWG^W4a^3WR< zB95fovyu@eKn@k8GOHBOg0D)N9@@+J1`{a037;N#{}4scUgt1t_2lOXAnFii-5`np zId$3OO0%a0)d7@t;Hg{z!Uh0Yq0pOXNbQiDO$u6Ksf4S&`)Si#sh?`jIPAM|D&Sxs z#t{FD+&ywz*vUnv&pvI{I_YkQ5+Owp8k!l{g;;e*>Zt`pP3m22_ za7vtJIWR14$FS~*{gVF1^O$t#_v4vo{OVRW`s4|iU)v7|HZQs=(H|i{b`rI#$*7Xj zf!nGJOq%kgCB@^LDB?Te-4pc6>@DWAQxq~$q1$t!M)40E>}1DdiR>lgzCBmji8Z$VBMs zcH6ffyk%)^Y6;8O#-EK`U!boh*Zs8Iz1j*dzq{`$p_irm6>&`x?tCB0tlX#9|Ql5o{sbqNDbzs46qpl017hxcOjSFKVpq)&hXfNtgBipL z95h$h^(X4(5)n~FeRqq9#CWDw27t&EnoV_KaClT48o@}jw&Mge^XxeBePuL(iwAp* zp$3On251h6sQC88Z0{zDUlfV`U&ue0R)`RDVAq^t1b$o((Oh7g8WnSL!vHtL*46s)jw^%)Y56)xGrPHew?4jJj9=l{)8v6k(L187!mw`Q4`MLbn zm2%Iu?-S0)5z@_c;^5xRlrOUqeC$j(GyaW#@|JQJAz~4|{ z5w2gB=lmEwhw?ry!7DM6|3ss;~EyA`FX5j><6RR{fXoCnLU1wJ`~-C@LTALbxrq?=(gyf zk!zp-j_}=t&FfCN_6r!{xAu1nS8ID30)pi{y6VMs19by+TuU|YYTk_|e{26Xv~=vQ z>fd6fexT_>_YpnN5pDn0-mdU>!tc^)zFt)K5#hEh&@rgQK6O{$&usP4>Z27m`?utF z3BON!YOn{x5q+}}Q2$IfAeeAlbenL{$OCKgAW%nKr`Z>V{EKZ{E@82@cVf7~f5#pm z(7zjPpQ#W2Xx=rt3DBen~T%2@`XV1DYS64ni7}{G+TY> z^l$<6mObrZ0!_cmxJ9?+RRIds;52M(urAPd060#$b|4(U*tY06*C5{@Z$qGQ_M?vr zd_BOliG46T8pFt%HNGdq+J|_I=ygP|1guA9jqG`D!ewCK2l3d`mk|ad?<>g~$GE~_ zvWVUlF;7NV+T*N+H{+WTFc{1n()SqAP-+0`>jFGIW#BL=7%KwR&1lkByn;rHZHBP| zXna!$JXfPm6O{F`Zk$b;HI! zPD@uQ{_ZZvc^-~Lw)Q z-jlNr)|6WSANT5XVmM38tg;XxO=@v1o!u~d`(xO_tumNVfKBsPs;lKNbG@M^X|h=@ z*QVK3z_3%Ub8aF@f54^SeOg9K#U9UDYZ+5Q$J_|L1g@tJnm06UE2~=+`WbUGd)j2! zol=j!u6o?>UZH9l`VmbXYK3? z2s#+iDnz4`qCK8o@^UYcwBPg?q@{FWX(h?yd!C-_;p2N&hlG#QR>4FhYM&O&22W0} z4~}Bzi>FWH6QK%2)29zY4Lz~RHOOj55mN{oIQ~F0#yTqR-wb*bP4%m%_-_i099s2a zJy!wwIuIZK>J<#_MXa0%4LAFEAHuv(k*Y3DO~n z=R@Obeh>vPAFL3cH8j299=unO2!-}OMpJrP$)G5}d^Ugpcz{O)$n9ik2X;YD4Q7S0 zS%22hqDLSEg0YIAjRNWWJ{9cmO!oMOA1rIy7BG-|Abs8!9xw>7I>aqA#y%>g-st-`K5)Tv`3Lcar=xCc#CtB&2`scqT^A7_egMsARKA1+ zqQ#qB)$@ARbvBc(xWzBhX6lt8a%9VA?@eE@x}^U~d&F9>NB=``{w{ffy7iz5MYtGc z9|5{m;MT^QiyA3<2IfFhWA@E0Vq~%lp^)eR?#J<2u2Qp-h9dY2+o2DL>94M6fd^I% z&_tneBsqg749AXzaJ6wt8a44skAU6`sVCC`GYRF3YDh29PBnkTJ)+-FzlRnNE;Q1= z*P1nZqjycUndf~qenr0>GL`n^bCc|{ZpEG)G1c3wUJK+4R}H=QFq~es=J6)&)wTVVqeD!OUloTs&D0M}_SjS$dbm^@|58Q>?+jMwB5l*<&B~GrW9RGCbR? zpPxENVa%$qNn{`nmK>s`Qbadt54O1U*tJw%Z-1x(r=o9o#TFzr(2Tk%y%elcZnC&j2(%4Yi?oPPxzx>IqnFF1)$SxL)cF+ za&mgj16*;i=)*J-oV`U`9Kc#S5mQ+O`CPA#!oa~EI`z|f{m(x&dgWy{>p9?_mVCVC*?7SL`d=3y+REHyD*o|6qn}hkRbFZ)SRtYuON7#3dg=DEy z&Bn#q*;EYAJ`RXPf(No4J@}-aQ^9a+y|B+5N5F2DqmExg*AFc@@J{{7uC`dKXLHlL znFYbZ8cE6p0jCycx4B=FqIY_y1j255x81@0@X1YD_Ct4-ExBr(|7q>YbDwZXA$9d! zi~!C+aiTfK$G%~5kKD~rmW3LJs^I!$(pv%E1jKrx6CqP21h>j^Xky)|CP=WGr1)h) zLSv~hmA`_zc(|FCP|_Woes-#A-^w??W|xU7RQxI{$epD&(Hca}8TFq5#p@GzV z0~>`Y-CS>ivl;esO(ugV9;@vyvnc1-H{EEl%jR9oe zSDYc6c9!Herj0o`E8d2gdRaovxubZ`7MbG0dD5;Ge_+Cq#K9#Dc;NTTA^2__LVzvd z?Fgx@73upbhVRsL1B*{XC5VfgDSz!EDySn;y&do!d4?-ux@Q@VR(?G@_ST=d6@{o~ z5A}Ge@~+#6KS6=Y8J z#%YpQAAD`PAAHNs%KzS7LD*uA@IB7xT#!?XvXb&nZ0nq7c!MY+nz$V**f?xAR6R*4 ziVt5*P()eQj(sGzxri(3@)nSE*`{(B@o81(!rZ{uY?=JvWFCFN5h^d&NOIF0vPD~G z>BKPSTA9&A&)Z>o4j$x(-_khx+NHR}eY(;@uPtS7jWz#i%a9013SWxOT2EL(M?e5m z*-Z-GzPE7f8pAo3_H4>w?t3X-z<>T_F;^>Cek6yb9$U)CfH-*_|K%t%KW2W6u4CEL zPmuiwZa#6pEROZG_{(oTPy9!+VzBA|&wHnvhp|#24Shvsnq|_ii7zRY?1T(^v&y6=$rpT zw44FI0+7M7{ngB9=;HYp%bodV5AXL)B3ULEma4^UlFu_;a$iX#O(Ne?8fj&V&R$Nw z5VH|9Exk9HSXf_VrJ*{Psyc2UE-E2n>YNlscc#72NLTe~A{BY+<<`pn%F9KmQUx z;4Fw52Y+a52C3;x02m0-v|H~IY&m3Q2Db)WSfbC(4Cf3h?4{Y;AY~a>; z5HR}rFO@6k6-c|%$givGY>zYfv~+z$`lg9Ldwj5Kjua=oaOm|va({D+#04i(URtGJvjQnV@lP0G2^!A!;s z(kPKC7%wlFj)0u!VQZrnF@>@K5pwSNI3}u;G|J){nK{bke!PN}9IJqO9@40=iPlzU znNB98`j2&wcy6C|uB80r_`#?AbpFoLESE^L;y*=CTd4yD8135Ejx3?Wd1dL7Qp|L( z=3V>Q1YIUe9}v!qJsZo&nIA43o3-1OWb=glA~+@}k`s8y^tdKje5OObAXM#X;X*Q` zgWr>(rRfH)W#c!0b%>dU0O=zp$sQXxbk07~&wPn=)vbSX@3CSFMu+UhWd(go!iRn8 z9LwvZE@6sOmb?u9F4=&bAkBw6(=-LI&Le!;1<*-uf)KJkc5u-lRp^- zw58PZB~sFnYZ`~uzPaRPIa-Wr!{Nx`x)ilvg@M&nmSMN!xa;jr9fp!#ZJKpHudM1A zn?mo#*5`9wkF40v{-%+39MICuyK_;S?12Yq`+3R&BGuH_e zaa?K`;zbNJJXj`fw1nKOZ(=!!O2YNYsAVj?#%vh@30A|AN#T)bT23%X^xhzx=Y-hh z&^acCk>ugZ6Ycm2bWJg@<(BY0m!pK6vd;OW`AX6;Pp{>em5{gh*fx(@lQbBn-VXYG zr&tIQr$S%T75BQ6$DAj?@gtcdaas~W7WwEMbN7LXGZ&}&eQ~$xpZ5q{GtAcT3+XC9 zIT8pm;-L|VZ8BloBAlcQM{+97g(ZYfC99Dd=^0_Q!cIT!4G6Px_iYLi9QiWg&y1Vn zL+xAYZcz~SvpXe66c`!0Hp`G03$dvxz}#9Xc*$&B9!Sgv6!anFX|xk9?_|JH15nKG z-IJK>^l9Yy@dIHFy92UJ90sF8&5I|u8SZWV3=u#`eY7%4!O)9tmb{04>2a_1-Z56$ zCnkKejx$r-*e>t%sn5mFo%K#ryL%S@Prkc04#@F{FO0N|OD(>_x;lNIy$271-g-CG zQImWL^Rj6(s8M~}$w>DU$v@s&L1pE@h4=1LF|p_fHTkSU9Gl5hZ?JTR96_MAO~P1K zR3jDf17lmeg7RP}t&@kQ2d$G!oz+HwHAdbefaqd!Scnk2mlA!#+;CY%7HHPvbZ0SIOT5IL8aok;UDv z_~Nr7EVS+XKylIT1Jkqi8(e-U!_&09jkXttd z!^nbTjTMTj*hd}sP~}&}M;v?sRs)m6!W^~k3lzCf4nCLopGUX6Ma=2V#aJuNrs_OMPt z{ZIZSVqblyic)llAg;CQGLt~Bxt3P*rygVeC+;F+{x9PVAK7Lch|hnejO#O*Uf^o` zA|C4Deb2xV#v3xcXtCJzSf{D~I#dp?cV|-f-h7uJVQaEbuW%4qG*#oB;K+_bS3S+9 zZGGX6`_iZ;rXJiT2O$RO0g zSR*)k!-~Fs{iDRJH;&|2TBMYp556?oVa#k0rK=`RMlp-D5N=E&39Bcd@_n~5fR^vh zkuju5d~Fh*rhs1)#cl4flk}|B;nAA|dWfxV(2!6+!LGtn!ABI1Wnb^{^H)#e)-C0! z+ImP*zPsN%U$T>n_>j;nuCpEStwoZAqHlp1Je^Gwch=OiO_8&@;Mli*bxS!N#xe9;UBRxFDQfZ$ucWwk_l(G?^t}t!(5gL2LRiE%| zr)JU0BNC-jJ44x{isCxGX(6>%LKdU>zdI}a)L6DZFl3gx`adYX7-{?*DVG8HZNE{- zoD)ptcdxx#;-NZsvT{W>*2xDnR84{ z;W+SkBb(|;g#If_hEIXTd62<$iXb-X2(c%6k8EQNw@m-R5gh4FCCa9w6F*i}Oi6bw z;C*QI2J0+`Zf#+fUId`}uxwzyZ!uZLfsv|#BJ!0lpJxJ2G zs*fgbleJf@QlQE8>wP=IEr@!&coJ|zY(*dvTiS`zB^o|7gyQAd35tnq@06b8iV7~p zXAv16+wfD95ZdtI;(2A#*If6UK291wG z!PG+TM7#_&AtXh zbP##M$m$n-`Nfenz=3jHJe7R^u(py$WuS5h0)v6p5&q1o9gt%MHE*lE;X~R@a zI@Sqsi0P^Af>OwuR7C7ZbMMdSv*4%CBLxdh54{`m2yG{qY~DbV2`1u&D;b&!R3p6f zde|Rlz*N$4-EsA-ugeoI>?{T|u?)XeG?~E-;TF*yEC{ge__hvVXDFTE4?&|(3zuRB ziYNwJZN49T=<%Yncd>vmaxZH*T0m@D_@37M)K^IjN(jrgbXYa{xNOM>>{^p_R zY65vMWpaG&P9_+YcS%iFMU4n4Y9_QQ?tPhj#Ld==f_6)VDL7uBhsdT+?^)vri|sDJ;_NOO~XXWUYO zafo5K%`dKORQsJrJEQ%cU2N1Ilk?s_z6M2c z-e9z7?i-Fz?Gw!-seGO4(H=C^xQL(WJRFu-Y9go=EPh|Vh&+>@2AIP$oDB(I8CByTq<80?5et1DbG5ys)C*-eX33hfBo z`Gnac@!W;eSC}CrWwV|#Sthz`I%%Tm6S6vqc?8Z1=Pb$7*&KvxwH-$7pX2fsly%sA zKvddwv0az!ZP(BUcJdn1pa@xdJmwc zw(kuz1VTvwLknH$LPA2XB8HA3A~irL(tAgW*yw~_q$DUx3x+DaiAo6|5RfJ+f>Hz# zg{vYq#QP5S|C{$_-VDQ>?Ci42IUM%d-}=@Iev2&fX4CC9FFrm25&8(;E(mS`GSGJdbiYZy08gx)C2;Y$$L$RQ!5f z;V61Uo_%M{FZ`sWLdSWLoX3+OZ-4B|NDZz89L%{+U3n1h_+}VOpcu~VBm8IT{jXz7 zIc*j1U!Id!rd1a-8mv>D&I`q8F-kp@%Yoh{oi zJ&~8etO0V;C)OT%;{5jl~v$;4qFGw;tdE1W`k8uz_URLX3 zad(D#nO5q2>ilS&ECUa3v{mk$bGnrAf&sjfhFIMpNlTO3(vg8?Auxr(zhgGk@}$C10M^GUwsX z@QJ~#5O4tN*@;}glkfF6eFM1laKl@y*2hQzwZ8)|hVMlz#O))QflLL?X`%gdpDzFT z4=8krbzdPpu&P)WARc z7c=}rmEb?^%p8^~xY5^K`reaUu-UJ zb!_vtbz`hN)RWPdRSWO?@@rDAd>xgG=tf5GG4a8)Vuj!Jed7rC|A%dG>%=*^6~Ggn6{B>5ksWCE>CD-ac{0z)l<*2>Y3Y|BK3gc?nTXD>*J*nRTu4u&@= zHQE=}DMWZv(;m=pT=1aVpz)cc%7x*g7L|DaaJ@}RO1-n=3yalc&ynYt$ z!N=cSZp(H8uUYhfQy2KGqqz%MP(f7y{`py}u@$}>YTcRu(n~ayM1U$+HYmGQ{a>f`AM(s zRA*ke9ndw*$dTG*XR76WkQJ32#?L)w75R>HXMZOIf+32?`fJU(?l}+?ESexpfjinJ zC1nnZhFsn_VUfHU?PY2HXejnO^ckVZIi-tDC6R9hf>w)^2+hocLN!v}wK)oj7QJig zITPq8Z_TNEqS)%W;Cc6ozMhZc_e>9RZu881{D?^~WMc{}JW{j!J_cc(mKVFg^ByzC zG&ARPqsnjj{qmpFE@S)LdKYi{8_-YCuT3B0n&)J6rSJbQ-D%bD?Qmn$m3uuGBmf*t zXq5I3ogXMQ^N4lApMiJ3sB^`0Gy>y&#uqYQp!mE5Fq zXZ%X>AkK(>_9Yqy{)HfVEHyG_eQPe<^dPt$mdE6%!uUb{0nX_qWe{qj1|lg!V0wl7r;G+zp4bNCop|3gvp$jQxz^=%NJwT67m zVQ6H?@6qMQWr-n=_jR`51w`b~c9DpsMEEN#R#6#sF9LYb9!`7oy#K&=vU=3diMX$Q z`sDqS72b)YFBC_~vqzOxH#Ux+HPWZtHTqoCNwpKo8+4uhlWIW!Ew**SeNN#6@rf6d z>9sD-$z{h62z|Mmp?8zenhl6=<2cx9Spny^=1hygxyw5r0-JJdz&_;syQ=VPJBjo- z->~bMvJ&cTh{uZ(gRiVJ2^LNq>HDSUcScDc2PV2W`+_UZgM8UkYifA4z#9zdaG|0&W&)V7Gl)d}rAP`MZC?enr?z+JM+KhV?nkdey2F zsz1V&KWUwIQMtYeqW{smg!A1c*2U&=zwtNLhC9WEiAxJS8s|N^YspQDR!FW(cIo-@ z9q-@~@9aET*gZ9HE)`Gr2q18d?@U*7l{>WjbmcdZU?ICxh0ZlN=ROMuYeG0ru;D}} zd3B_=u^3bh+Y*`2tGF1DjAY}MjBb@6zX6FtlrCFojlX;TW(m=p4$rrGE6Oyp+CPKw zA-vy;%C9ub?X3>QEYoPvVHCuUcoRoT@n(!=DsxC1ujHvkgvJ>DW&kmrjoKnk<&=BJxX z(k+kR(k>-G%*qJg;5|@Mi4e5Sv2@I$h1vW-xVTs>i%$YbJtJb)_A`X@MYG-FF9G@b z;Z>!a%V-uWA+$OX4FXxVns~%$ady65ubVq?);yJfpv8c9?mU%X;8Zx1neRiM9F1<*s%xQETyoh3cNaAYo z7&S*Gt@?Ya2uXTZqV3wMdl%JeLxgW7c1=sH(WjxVIq3Eac4&>uL-&;>JLo7;aVeD~ zb`^D+V&pz|XdZ|iI*`p~ZtQQ2ZBIeYfa)SY1tJP>%UCtHFz`}!QHBDJHb6!*vjnKP zrM_cGSx?bfr)2LAx76iqT5CVDq8k3o=qOOX(u$oucUGdjLL(02!ljUtNapjsk|NIg zL)X)dBkn-yWMw;ik-8J^$@%1Ca+1rX?~1M?;|T5w!2dg(;s(o)%!pYh#82ZbhEMQB z0b`C66j9+SyfS!t2F0cw!8#|EX;;G8FfE(%6{(@1|t6OzI{qX}pHhuSVq zBRDxmf$eB&C>|+XB9Z`LgWH)STe%Rf=q#JMd~`tD#L0OLS;s2*fxBMkQ_$vPo{P|o z45thdr5H&Nwvxcn8+qHo1X&XtuxKmt^dZWo!jrYaxEKXjJ0{8CQ9*@kpiWl!5`26K zo47Cg675=1n&Z&pXDD?9Ct;h4Z*3l>#~@H+vPn6N0j_=^b#JdkFx`Geax z+oug8AAL(s6p)$lcP>`s$nY&uY}(>7X-rpb+T)qY2x*8(r6jY0(=-T*JA)&N&qJZi zqRWw4pF)M~#>Si2poA8u~MUy@Q6OGRalLPfX|A6t0xVq z{u+$N_#)ks`52GD2G3u4ZxiFOnQAAX#MMVF$^s^Vtj3As{RTcAiZIrM`i1D{X`eE) z(n>C!H@wn-4MD2JeH2@mR~h8UGUJTr9TNptw+RKSAfiuZ?$E?a7CJA*8-sK_ZW6mS zzsCxf$UU{L0AeRLb!5p}L3VFfb5?tG>(CO8LY|AkDwbaWfIa=J^C{+dcHTjopW&zu zk=FTq+qTl@;p);Y+3mTl(69=z1+?f6L}J`M-Hkci^rLL1w`V_#p`Otl`fRl8kJ;A4C!XP{>UD2-b92?GmsPJ1oBJj%-TBhx-@&IzASY& zTI>=!dZr56P*dkz3?TU9i}P$c!FG*sS?nNiKkyRPy)%Fm1C(k7Zh>negOm?M=_QOA zbxw&T0D^PjLWIDsK<2VT2jOSQ3*Oi3u<(Z^Z+V4culk&Zx=i%Ap>qk(SLfIJ2oyMC6uw^yG z6Y0s;cH0H>+{Cy+r<#+@Cl;Hlw-?ylM> z{d`K_G$`YfW8w(Eh2rXLKym$6Nt<-)OHj&n+1>?AZIsTgxY2?V@A8hGR1CsWRWZt* z{`=yB4uz7st`!_jpBmaZBW1@K37*!|2@R;8xV`t#0ol+SqI>T=BXq4BZW^B9MlM`nFpU*PU}L{FA-|#xbQns(RE7xNEwq zD-g8=%K@YYTr&!owr4>Q7-xO#64(+jAYei8*r6LXfI~y8W6_KYCSDN_Ge<(5ZCY`5o>&p3TAUAHsS)VjkjYSI{8ZbLd)xA)PqUV_V2x}MM8U2FpdE;?;#HSmQ2`G^f>KlQsa(1J3?g)Bgs6CV_ z7&>Vdoq4q0>M|0XIT!({3z>|7BmsJdN=FN%GS;2(7*v#Y$ui>Q%5?AH1+DLS_d2c} zRX;kae!naJ&#v~{rKl$zTL1mLzv=(awaaPQ$6s;%lbgSHXqJ6+|IDFf?DsoBQr zdJiqdjw;{p>b~DSdsO@S(9HSJ?Aen3jhX%L>GwK5-s@2J+tqoyr02KG4fGD%J#o%I z;$80d|IWVoJO6g+>hU!9pLFOQRX#epFM4RndAy9#v!#e99h>)nW}wXs z=me}AcD&Xpy>IElhrn(k=;rZ!ddC6+%ZR*P5`DX*`*!K<+knA)9nnuZt~^^3^8<7e zmwfc!)PU@O$du!uSNG1k zZuj>*;9BeZo%Z7kBS5O&W1X)aPX}BY-8s6?dgFK|z-IpmEB@b#fHGG%YJPmbd%Vhh z{IRxY9?$0--FG>vT=`xOSm&SJQ|ADwi~w^_-PV#s#FBef^&> zfb{^iKRr9PD%XE*_;1c*4+4^xACEp3{@VXcsDA@6^L*{GPRGBK&jpPB{BUfM_H)2I z0rTgMO$Au^$+54_0+zg60MMiB9Gdywm<7BDs0ip4`@LN4*rVEjJppg~?TUx}pR~tD z`R@(@ZXKW*aDr&m_uL=f$(eRRyKoXwgZ!M~&`ScZV!XCVd$0;2)2A%Y9+DE|~4O`be*9CTf;kF{ZX1`SK zsqr%aqBy3=OuV&9c%6x16ST;ImU>8j5_QTL1u(>+PRi*T)+vzKeu)75ZuO}yRAb3{ zX}i((bz44x9f5Gz4;7(WYcopruT-2JKFlfYv9KY zL3Fz3(P+I!o+=4E+ju3RH`B`rK*xC5F$@6VSm+!GsraPD)RI($NxJoEA5+i{-QLjJ z0umV17&D>x1zL2SioZ<$EhkSNBlC>)W_nngJeJeXz@-9OY24#!03=nNq!UdCWM{J& zD19GayILv4gx$!nO^Ipi7E{!*sv~rzWuudF`lQ>5IF0Y*-sFE+y0wP_YRshKNe;9{ zIjKxNhP8@YEo$L}i-|waHPR~*#Ozvv!;sscX;Cee->})MhEs^l2>M5)XYrb8QH~Ro zPQ|;RY{Ofq(^#TfngDbRVBs5Wg+H*SvHg-CtIKp(S_s_aze4V{aL4$m4vJ>*sr0Nc z7N!OmP~T9k8;Tpi>bn)Ciyztu5Sv(@0tA@$@PN@ja;a&FGD2(J1O524L}_niJqgBPaD`*= zzLu>{F~GWcd#I($Q#6W$si);EYE;O?hO73U{*LGS{LkdSM)*Ah_pr1s-r$2ms}lKT zb0B`dD>x7B3ELK zKAh|gmLKp&xKx_vcojpnNRBQz{d6mkEArOYSK0+_m}H9XO~hMPBBPtyU9mS}?j`K?DO;Ge;#uTxrZv!As>{I3*7z!ZP>aj5ynlc? zi)SjxJ}yHqCemIxO)x>YRA%?HETL?+;9(of;a5ohb7w+CbY#23PW%i2p)Ips0*$7m7a5n;3`=H z2{CtGL>Kr#y1KL?^866y!aOYa!KYO&?!y-!huZaSR#`XjBZec^Un4%~@*WQ4`O~kc zkIrQp+*S@nNK0y&m%tjGO^A@TngD$jF5XJf`?Z!|KMlN`C={_aq}P_H6*et@P&1a= zuM%=@&0S}Y5+rUi6O14XL^(fLl%2mb-H`Z4sER#lX|5jB_;@Wk*KX3TrT!nWI1~H; z#9_iascWFf@bDV@7<9pC+UN;)f{*v3p$8R}-8NXK^=?w3alerB%WmtQH-2tge;`^( zHJ91%@mG4*4d^uF?&%dU>vqXOkVI#jR@Zy{#bPM&rc0SB`plYGB*hBm0;g7Xfoeo6 z=7!c^^ltO_Tos#au1}9SLLGouq=9ms3QGcKpo!~zV9@ty>Pm2 zNA!;AIkt?Q%Xh};dKM`kGN!BRrmNSZzU)NQ?eJ0PA9NN@^HDyoEgxtv9DJGQd+|mj zeXQ=|>T+})V_pBWi_z*b@bGPHEJ!z*M&H?qzk6SK@jm{V$ern)yu7=&UJS2CXy=ha zqv;V8OLd#C`DP+nM>Z*J_$;0(ch;Y#r40vW1QVq1E4 zghQD^Wjh6WgDgH01x200x>Zbv62l)MB@#6plwx@_LxZ4b=TNHPrj-@Cd(XneDq=v+ zsc28c>vc$Y{TT@jLOm^$E>i-^Pk22*U#WJTZ}d~#wewz=m+`Ow;{40}DK}W%pXa>6 zuyy?Okq^)+7-vKq8iOw?c6OTWr3O|q_g zGVvkinjsIBgU%vuVLQY4bi(TqpQZieC$nFaaR`KSlfH<-EG^|~$fu>*f;ul)L#$*p z?d{@{xgSRSvEp2L>;K31&nZs0g$5o#}qwK8V45?BD+4dc<(GIXERG1g6R)K)eq>viAtl9X)R^fl;9%Qn!@PI#sIE;%(zI#$PU zxv~Vr1&|BK4n`1&k0_bzHxirK3xcy_C5e3`5DEe&z02l6r7g-3D=P(4bwxe~+llOD zZnq9ezH!{{d_JHie5=Qi+LJ?_Wh(Qs{A(c!JS@lLQ)kDz&0yOloeJ)cp`VSsovR1A z{vm}$Y^aqV(+BBx>q^WK5B&eBo1~1cZC$;)o@wyaCk~R4^BXz96=(h{k8;#=`8q0M+70r2sZ9(hYO!^II8L1_y|oYvRXkxyx<8H|9Hb;yRbak6@c<*boI~nfE5L8e{PDq z8!Ts7pUhJMvas~`l1~O$#ecO$s@HloP4}h?-~E~PL-%6+oU3&@0kWF4?#Z4nQsN|_8v~hqEGxDXgOQYG?D*It$f%y4XMQ>B%+S? zE!&>V``uwqvbi&xImo4xnt8~rGmLrrHR}q%lhhH4Fu6=CjA_j=t`S01d|%n4sSK&) z#zH4rQ8uX$wak+Ad?R{CH%2|49O`cA`}KT`YWA4+JGKM)N_iBDLp>+^QDtq}^xJGA zOU#Ri&_+MoT0fU*{IjT>FWgZ8FVu$0Yx2h^K#N?)SoSbujqyWg*|-{c<7 zS3Y)U*wSk&3NX4?)3c~%_YzyIgb+=BWD#(Y=z7HC)A(V=4{bGo6-wRrYOzdWrMqaP z@F23cJW8CBM~)x|MU_7b|Iqg{Ukn$MvX(2zjatG;7Hx#TR|6QO04l0^wVYuf&jhGx z5yAk}@Cjux&;RlQq2Ek;hbPGd?mtk97*1=1O9%Qx?PNic6+!By(G_q+fGI;1M4!N? z>4~W&SPA&Bg#R=$vcXieZR@0)&;|-i2mC7AQQAyNYDR>uimzSl4@SF}v_F;%wAey` z0;?z03T4?VNRmdvhSJy0!&oW#iXOrjXFgY#*|oD*nD2@wW@j75X1wyWgPkg1K5rmu zx@nBbvpAs&6=;S_-CudHUZ%eZij5|%E5{bT1Xu>4MRKe_hU`JVi@<$ zoBsj1Agq35oBj(L=PVKqFF8|8d+cl}6$}52B=(f<^L!*eby@;(*yO%vrKY9oEsXTEaAu}# zS0+eDG#wi#-?DY*DX@ymOew8!-diF)94oD z-NHCO^Av4K=p&EB^_6Dx0Xca(bJgc610e$tNbPdS)2UabkcW+7mc@7Vkt78yB-K;> z1zdp-_DYff&vkrn3=I^P!C1?wFq#dqfFpg^XhE*xW7-$ zW48vQDjIrcAi>}41(7od1$S9i%r}7+`+7L0viZOK7XZlz4AV0r7?;JIFF4;sHTGgMU z1a3+U!FYw+%PT;{Y85kG;iW!SDQyjvGlGC2%1@Fr(9P2(*A(v5`8i)1pGjr zA7#Fl`rNpQ|4eYVasjI>ho-^AWS=}TTIk*HeF(QtN$~nrX=j#U0ot_!S-7;MW*f>d3e&QTA^bUVwE6(4U zdGLB{8iy>lYKvMF&^M`Q-d0uBGIUt9mJp!e#q4ODx%CfrVx}5aF z^)v7Vc&EJEB2-635<11r?Ti#!>zHRJhj^q7hSRe3yR&%TIGNzj>;9 zqaFyT8z)knGmxs?U?3dN!hU;8QK_V%Qf5~@yug772uULvg@b+9Dmip$w` z=zU+vOwk#}hNw}H3su24ArmcyDA}DF^7}{*zk$O*q0lUU8Bj;0P=`Gil|+@8|144I zN0=P%^1cm~S2n7Pn2F|OZM zfdhE39mzoSKBG{E0|@u3w(}A^vGns!#k_L*s7Pv{T^%v;3o%i@MFVMf-Wlk{E>wK4 zY~e)8*a&W+5nD{LB@27{dZ{LgRvKCi0(a`ex#RTL0hn!>*=%_=rD)XL)y)(m_9sKZN24*Gq z^q86pcj&1vQLdxTjT1emQwviaIu|#-XwNv@m|Nw9*=PI<8U#57F1b4j_--*V$3%EA zoHYA2;Nm9-T#3E*&ZZBbzeZaj=SBSO+dAZH-&=K9!kHH&xfQ|h)0lVyJ9Z>KzkMOW zZPX5tnaGkSl_j(xL+Zf=6fZG8^{)Bsv5<5$Yv9|q-AAj_vAQ4BBs`S7@ahE}v>J6^ zQ_y1%(pXUf#+0+ZAzlSV96^A>p?x3UMo&d1^LV0h^0z|{&BsA@%dV@EbM10XkDTJz zb!w}vG@4wi13Iq|tnT`-OH2ra%-n`F8ud-(Ip*wf4q8fB-6!@n*{mfG6_*P)hFgfv z!V*uX^1s5itWE|`#F9VrW_e^XTT_d?r*|->X@p&s`%M8st6A2jOhNKX67y@y6`z;S z1Q?3)1q7$dt|?ARTA3EU4(_Y7JR8e3gZA=SePojCrzMtUB098GKgO9Z0)d#KAWID^`;L)z9bD=bj{cNpnoSK7!Q>pL@ggP!re)C0i9qb|# z5a?sK(K^zlf|W|(F{Q|w;ePfJVYB{B*M_842KZP5-9?DY;ZjfRyBp9I$z_3#F;{Be z^5agUL>j72xExAO$b`&zRo&gW4TXugvPiSG-nX_HfkQ@~_%4_DhdUc-kp+WrvTkUo zGpM7}cmB0+W!K;`>iV$9MHbfl=asGYtO*WGg0c`4@-w`gI{&2{-7+|Dty;4@(}+xP zZXixA$Mk(I&*<*=p(|Th#K%I@NsCe^v=Aw)EhzIyr}A65x0-yd^m##%j_!N)d-L+& zuIBm>@mtk()x;X%GL&`vn`-|*;V^b_RJM$VV}8y_b=Id1+A=f6kjbhJ2$!$=-Xno; z?`^u%4A-u@#fxM|0CBQD$}L~)nZlhdk->NthI4_a&o+TpUa$2 zVSt@J!!kX$VHKR&Zs2Gkqk92!r~Zy$y>4eYv-ioseb-lE=dPcak7JlWH>@k-PS{>*yjG(M$>wTT{jfWX;PQ`w-d!Z_03_cT?D>6YzmO8TH>Q-4_QOnCG$*=^>YG_gemu(ppYZXw()Wu78Ne-(X2@C60Py20FG z*L|2OkQ3V~Jff3rci^d&P7|V&mHry$O`-pg(q5%xe?~4f)-Z6;s3@xZKVi`u!YO4I zP^H2!R5Q}Hqb&~n+;i6z#3v{MgaAbtf#cpI@c_otlix1z-IFxPwS?)%tEaylyW{Qb7H9p4fYKylPKN0RAWZ-Tx;Eq zLjaL}z$}uuWOsn-Xr57{l>`!eysW>V;u4n}{Dl{QJZNedFEu7{NwzE_vKx?e$sxcg z(Ucm*BQ3kNkK%2wbEaRz?IH=S!1&oS$1k{DFvXc}Irq?v-n7mJ%-^^Ji2z>`_%*}j z93Cd>(?&$zm&5N=UXY78i~AQOCq-1&RBYzREo`UB*A8%q5_y!`&*Da@G06ovDK-ZS z4I?`Q4J09&&7gj6(r}ttx%pPxq9eVWTO@+b@siNYd)v&0p7n^h5l56#O?(UQ3zKQF z_k2$b*g;EIl^3jK=Nm@KIfpL}oL#k(dUzP$fC&*>vB+t)hjcYyd$jZ5!O}BM!IdT{ zH!6mVi)H1zBdV*(7NZACoMsiKm0rS5P{jC{YL$M4LQG%%)WnyjttH|K|JRQrxo$hN zX;_^;%6?=AhPoM5cEFoI^^R3;6IJ{LMoFUtN1>Yca#c_G+Xe#?D{1*Ed>xHD4*um; zp7F)~xZ*~@?Hx_nyVO9ofF0KV8SjmhH{EjP47S>)y>2JIxDmU1)|h?(9Nc?Z0R})u z(S##-UpXf|z4y+XXysq*rftDH)o&j}*Y}hZa1%-ZpoolkF>6$FWETA4jn{ z0SwBuRHKoLW+g&VO3|QAY~GK+*oM$=qTqcI)1TeoG%L&V@}~{>?P48Sck6pwf6IX+ z9x_&3mLE#6&d(UJPQtL>WZA?UUI52#Qf5|3DyGt=Rq+*Q-rjYU0h7lx&PMdx{V>fU za)j&#OvZp87Odu=TNd>=|)F zcs{E>;ro~dx$^SU0X*#CGG=O%>rJ@2uvbSB*lie~X{r{JbH#FNmRs}nz}1uu!+u&RA@;%u@eLS0AtCN zap(x$4%8+=14<-44`z5$QP4MDeQ@51MyiE3tS+~=86=$Qnd_V<=kms__o{_Om}sGg^)}6+eyGd&zDH5pt~teuO5_tn zu-){+^Y3SI&+6>A4LtB^;JMd!;5Qxl4>RU_b*QwS=eWhUDihh{jvwL*?o$0G+w#KB z;Y@zj6kmjvx2Snyn`Iz~gr8v&S0BjYyf&k=;YCyojw;%i+MX%bgnEm$2DJGGx@pTY zJ7t>f3-acnH4Xs$;on>fS3=>Ud@9%7d2_Ccw;+!XZ146%LIn$)+)g5wb@9d@SPaPW3ZO9>FKvPDNXc%Of%^}Km!wMF4I*C{j&1QqH_ z8cGd;v%jQ8_ncx^;1`VMXr9%6o?40e#I&aZ;0Eu#1FF4T{3>_W82I=21?B%p76FW| zR3L$!x5B;nFa2MTr?1=}<8eM^4OUrSxr+ai75S`Hc4PpcE^e6hx-p~a3c#M{&S)CQ z;ME~G_A$-vH8&xmj4NgPoM7rD+x8RN{r2J7!u4bN(~b+m7k2%*sW-F5EQgtUN$<^h z7Uu}BQKy}*tifGh1ab@Z8IdoQKw-D6_0%0Uh z_Ufma*DYHrYTfT?vILatWZi>{y2PfKWw}^%_tgd7KGV=2xaaUTt1L@Q!&326>a%Qf z=m~b+POFo(>BxH5gG9+)tVugqk+?h5)7sWugb(c1OZlmqBx*cSIPhZbqnkR)Q5 zhJa&czc6Nj94-`D7FEyY*d{T|w8~Ab$Sy8<8F(4R^;xIarBu0Lxsq02G{Yhe3fP~< zh6(|ham6!dGvvNE2-XC55M*li--%+{<%>Xzk}lRMFWXs9ato;Oo$9egAUq{8F|eF>=g$hFj^rMN2l=u9F(1!iNFi&GmTP=I>l1_ zAi^!gSoCG|{m28cnK7X^xwVD4w_@Xmcw!;cPOsL7Vg zh0Vm5C284YGK8wXL)6x7eIAl)@AT3xMRLw3sqs0X3&RX;_B+)t+$Np{kBc) z=K1!ZekQXZd-Ce*$HHdZUm<=Y2?$8lSbY_T`|lEbvJ(e=|b zIx$Z{8h?3=qRJ>u>TX_Yow^e8*2y!l!nrl_aRm9QNo#&(GHBDprEzeMKf5u&+m1h+ z+V;;MOU2-A4SlgFV7a-3&<9m9--)#l6#4CT6Rf{#}is?%|aVzOU z$-tu&S~rfVqHSst4?Pi4MD!z>w=jhASv1#Iqr$cDNjcn>`Fk82nuy!1jMvI$;mvyq z3RjxUjy}NLI;hT@Wd7{?ju4n5v$)jNV!!f^)c$_Pvn#rvvYaQoDP<|+N$i(F^KYzi z4kd8{9;}J9U@`Ok?!>3}vjWfFj8SA>2_txZI;*wI4iW36W>RXavHRvhgE`*#AMXha+ZLiqfA9^xAd)ky<0Q!`6hjTl&G<8T-0)?!R9r9*$AsbvzGqu3=#f z0q>H8H@RyCs25iHEOz1AjZNw*8hbOyeWvQ$Lhi(+eR15bb%Q@4kHteSqr>Tb2e|2h zqE+)Jv2>?lc*q0Av8L#;I>iqt|A~`ei-EUs`EALiRkK6PuSV1vky&!dEJg)%NSMB# zU+~25z~3DPXMcc*LZB_Tntws2713=J?|#b{_-MKrzN7sA5xGo9D~g#Onr_63?utG>J?Fa?3()YbYh4QzG_Af~89Q1T z{zgMd5C4`=i$0}G>GCZ%JhXUId)0z7v?u3#&iB+I;A7?GK;NG^8&>^0zLnQ2;})jA zh&IcGk$Qk>@Qm-2`?hC+=2$fs{A}Hob-^Xy+7Oz)Tp;k}TRsi?qaCf+;r)S^NUjmE z(aP&pKPitTqv@ERIWKs6rbM!GrLQa~iBOs~V2>qZ=~G|S%JCb=^HoRF!#bvY!!pX& zegAI=&}+K#@(v)$d+P}LGk-U^h&n(M7t=3wWt5IEk<{hsXwhA@C5$%E@5;iI2(Zxg z%4quLf}(b{FV%22#AuQ(PCl+@0zk=k z|D@0L*5VGbX40f;5xEaxZJDVctvKRS#R(?k(Y5a%pATb|xO{_@zy1D$xcjGDt=tS- zPGK@-&8WbtNu!R% zs7&uRhOsr3mgQyPcqIy=vUm5IUMF|LmcToVkAzUYB(o3uB}I!6s9K-#(_=V7( zEZ{!#6QSI}jI2nU9WO zN>xB`C>cDan9mOaC8)@^>)!eu_4|WTls0p=p%Ws4aY-aVDghJ~-)PYuIx^sfscMli zUO&UhqAnCROon#NQf^qpEK*~Yn56{}pQr@2bJp@2W$+fMVEkRFlMT;hU6{!rXo8R| z$g34+avu#Mgc)xQmB3dNBAbTX1_-`sqPtvD0ueNuWC!cF*9=5iGIK(k<=b!z&fysq z5A)(84OL6HI@tXErxa6K4~mbr&C+q47)&8qDJWQeLV>lcS_7fb<;l88s@_4G;VWGu%G`Y~v`(?-Ntid?jDa0%*a0hSzIUcRC zf-;V}$r)FEO6+j|734_<7>Eb6DDig&Cj}nie8E*xJTMZe_q;`s3wRSFb%eF%VY*Qv z$dl1Qop7P5X89nQ*UTXkcE-k4%xid@i>ZW~JdFdmFu}QmlX{J7s5mSRV?&j{jm05t z*7%KGYN*$EeiV%j2r!Y@M`V%Ub);luv6!qHQwHvUDY8@{l2TNZK%!-s`e1BqY*vxB zy!reSF121MHPyW2q9R&04ry&Il;Be9DJz{)>#n9?OdY`Dd~H?pGp|!mK^cw0H$Zjg z@dI`>RJx%;27bcnGc`VeQB%Vzg`nF}2kcA=ByhG03XxfPlnx_hemc&j#@OVV0_8kT z7PUZ)FQT&zWlHFSs%)hH;ZY!GNlB6cA#m1w@wGl$$}&F@#n6#ji5> zs!%x}uVosLn0v_^|5(C3gZVTGUbc?{5^*ni14TS1hFO|``V;O9e0&l+TsD-I!wF!S z(b^(tFk1opYEQ3)2W@gfl;WSoeKt_D3t3TU;sr?UI7IB5gO|bulT}M zGyVc(I>1&F;J~?nTL$)%NrbbwF`BT1rySKi5y{GN>C?sU$2B(a1!~Mzo&?W87OuF& zCn_3zC#$f3fMXdTUlb4QUjalu=R_hYeF?C#Fv&z<&yLldQN5i}O6P zJM5S51);wjEk9qii^=uiKc|f6s+}8G4G#P1i@*8H7k^vTD@6`Sk^+W4#pguid?9ZL z-?}CVv?~3S10G|U@q*hN1-F4V-(ZoZurEF$k7B2W zHIOcCyl^F1HPaKILXyPOnDu?!i@~h2hCao&=wOFmNNb>$Fh5RZi^bY)lYby{a^3nH z)(*^+$HV!PZX;Pq4f z)`Ml8~(MKHm|^#YkUb9NweBWUU6L11rEee~~1~`HD;#+;=D|bzy|WDqQCw4uN2O`9EQ{u6$Lr&fNN%IT z;8siw4_y30^R$mp*2uWi3b~I4k@64xk!%|7hL*XnkD+p~r5bIT~y2Mef zu{mYeb~bzYLzl=utN>wlkoiC~S=s!)b%D!!9(Q@>o+eh8*4`j$P`JE&h~`(bKRa9y zQw?l%yhm;1#Mo%v&M8s;%$bq)PC*iLjGflAIqh@S6$4tnQmjg9SdDSuYFUxN$4vi1y+SQ?Jh`w-QiXE8IlpD4`FwSyy0Nlu&h; zdtzbh6!)nYqvOy18QCc1iTXwdbFpSxLINlJvf_;f8X_HZA`B$mAp2;77w~&7pc&C{PdG zDld;6fi5ny_59$u@+xA%X;JiFP~l%QksAfkCdI~UJGMIXCtKV)zfD=HTMDeWimexb z4M}0Uxbecq+6$mYQ`6X*itgmEZ`xSo0Js4%>6KvQL{OiND}4sPdd^%6VBT}wO}7dA znF)RQ#J1x4d&`-|mEh(6{pNz82UTuLUzGHYWLIzU{yCDQ7}%AHQ^)59+ku?rYj(ts z-%2~|UY?EP&=w8-SxjztP`w)Vx4`wOG@7vI3ph27jzT#YTP- ziCW_JPe?>miOPC~+JGs8Xgj)ucn-R@cW4Zo&g8Pr|KSL#ZB-d4srN}7PMa)#< zlfIc9H97Av5UM0aBJNUB%EVLBYwJFVxogN{%h8*VH;AMduJ=B6m0-X46G%c$jFq3W zK}_cf^!YR0t3yZ8(>~4Gc_FJXf20UP6)D%+LxxLRZ{_n`$j!8G5E_rn?L5oj>-7lw zP>#;PDm;Yduy!qKGg8-3dP8R&>@b5WT3dqEGu!cTArd`V2?7L)q^AQqxz0^7U0aqH z5gEL)p7$)(%nNfcmqN=6x?J{-yPI9FRIF+9SQ_k*`o{bHM*QV-UeOYTfP6Ts=Qg^C)@8dt<^)7ZI> znz)%E3nDBRx^!iTOD}9^(}JMQf{!vGq&u^u*3H=!I}qQnf+?jnY1Bz#kTMTfX_n*V zTH;#{KN;M~)=1o_CKuOubEU7frN({NGfC|>MJvN3nnX^BOyNCBeLm5hHnaDq&0+2H zg0^pGz?>+dyPkn>8g)5NbsX)7!C!c$T68?@Lc9uNJfeiz$L$B0xiw5{#WD%=2>Q}6 z)W_BQ$y2mjc{6EX2X?A~UcGD{l5JhDa0R=ByPG}tw0x{M_O~u9^yKJ*dEvodja8a0 zs3L3S6ZS~pP4oM44i=)Q?0$;e`VJ=LRU0SLQ!i@D*dB$ByG5|24QydBsZLOlJ4pj3 zSF!>AY1z?NXfL;&!AG^8DChy-QQxDkG3{iXF~aQ+6F&&cr}4ZM+LDg8J>P|Ms%Y%( zgsB)C#tKkGxpZxK!*}Prv{ybTCZbxin3`v-M}~@fI_*Ro{z>H_htBeGe2vr1^0Uil zBq|_S*{m+)9yzNOBgekfyK-*DQ#kVswfv|A-`f<*eJ8`V#s;S6cJsPc#AlsWlGK+n zYX4OEzR-P6c)`IEW#^}r+@7LGyw6|CmLQr6=1Ub*FWaP#wjlTjJ!H>UPOY05ZCO{6 zMtrw7Z5<2VQpjK;EfRnp__LOmGsW3f269o?f!AOLjJ0HOjm%{Ml7;1#*-s8(LIzL} zB}IY(&rIq4)-O?}9of@6Vab~kNS>yzY`H$ZMV5NB^oxq-+F_LS9m1D4V~1m`JnTr5 zel>p0AmG)sM4dBnl1C7N6e-0>HA*O6h40y|&bd+Xk@O}6)iIG6G1iNnw5?ezyGdVS z3)fDUlPkN*UzciV(!XqnahuvT60|N04lq-Ov$;LhlnKa_W%{Lk4^bRitJ7$^B7To= z$zSnxV9=~)FXeF6NcjzObR|^{iLmp$lgI0>9MksH`OnYpTzxHcB57^k@TMr_|MLJu zlQLN6w~ZH+9G=j!t3$AOK{@Q>+So_U7KF}`U!*8HBsE_Tdf<;sK;5J~#;o%T#zM>U zy}55Az7m!r0gR5e??q*R#Q<*2P95V)}Qru$d6;ncH zdmPn5%<>6PmDc{eL7~YbXIv2K_UeHAhs+$EFUsB^^^WXl>^SuW zLDngL+3#(xE>!6h;&c&(rF*{WUQ5Hy3PsYI(%OGKbMjJ{b2~>#+?faZheeffVI!0V zr7o?!xu2~vnj)%HY-e5%n@ufj?TUs|gfUVmH-w&3I1`?i_N-M}gVovHX{(yF60DQc zyOr_^d=-dI4Y?R)ImL2)zm8}&&&v=c?$R-|KTr0jL5mjTg;8s(zMn2RGXElfx4&sQ zuS-fgpO~UfE|NcJ7u@Ts;i7kjhbA$_Qqc1MOS-n%I87iZ)+ADj?8mZ5ike|%P#d$Ck6aKpkVka} zGlZcHVhPGkWeR_in7hG*Dat)^B z7zwj2i)ZEaU1Bmh#+F89ji=O<@ps2L*z<2%!_eo<#14{`x4rrZnfSEIe55!<`u*Vw z4hdq@yq_wQNGd^KQ%Y~kM~qpW)<_T))`|1ojO*v{IETVmZ;Eyk-ljCw+z1LN!@%^6 znvUF3w;Y7;tiiSZN{;dXJ*1u}e22-KFhh?zprM=AZ0Cz|k@EBz@u10S%?%=hTdE?t z#(UVYhl!yXTkg7~#v&b+efYD-)T|^Ryzb2@D`yg3t#i%wamp0-)?FgWpJTDo63jLQ zI(+RTSD+#3xwR4^vTgt|o?322=@~-Z) zAihBY(m=0nmSe1 z3tu=;<%wG=t(y`sL_6Qr^{1p2B_)PU%Fn~KX%)3+&(Fz6^G;#@4}U16ia46nRT+sW zG1JMQ63PS#)E?Y~_ z{JHfWyh16u%4}8B*+rMtl;_WI9C0g%S%X9;rl8gEevU`6(Sh_cmu}lbnIC@V9FK&E zg2?N~;9G3ctVk@2R@VAd*~>K5rtM&tEmckJT14ILw9uOSFJulSv6cN>wPg*oiux5? zG0j@y?U3Nw2U8MVr2$Jtvz&?V=c%^+jhL+ohe>sbqhCY_v<2vQD``C zix+3{78D%!Zh9tnrl@;G(4_!Z|nC<_A4@|MXB2ws`kR9JI$fX6*OIB#AX)N)rrf zgOYde;$^C0!z;VBbW!)X!(t;jVgpx{6wNz1AKvpI_qB5<>=xo?_i*nfeVSaNa#x(7 zD!aEox&F0#=R3~sD_tX-)h#A@YZB)e0$I7XA1-hXk3ngSvk0F z5uv^b3T{dI@KHO1$k%t6J0}q_1$p#Cnj9}U$zxm@h|H0=TF8A2s-8&HlvV&|v%nV_yk>`q0$n)SPu z5;V`rh#6J!^tGS)275~AqNjTA5RiNRbq9N=1E{{bv-?y3=bg`Y7J#>4;Mj}r|IFXq z{dMo;zb1AiGe=K^zn4t?Bl!Nu<7YqaU|;`!ayJu@ZdSVZBmCtFY6EEgDcKSK{lq8f z`#;$wyT7ynZ%@3w1HjzOkFq5bM^E&>CtW@H@XzZD$dj9kKD*yK~+<69c zYT5mIr{lNrlZh{xK%fa=q>mi^MnIrxxTkmGf%R|IVi(+2ZZTbAdDQ~Ch;qrwS*J{y zVWl_FCMxC*&|fauH~a& zXWY^*d4|FS>6@c{)%eGGl^?4B>Y)38IH;FQT9~S7N9F&-cteW-Qn^QW0NC>h)&;Ae zQp`)si~Go>$5^?Y@IcknrCSYyld3=fd%|-?QwHLfl4Sxk1l}10l*Y{0_t787)${MiCdpFUVsGk1_0V$cEGU$O!}XF zK+mhzkrx59km~?p1O(QH!AUbJ9I*hf2m+U5cOnt@ zp{4lLkm3#3^gM-=dhMH(alqh9L?#vKTPkr62u2KVPsYcq4l$?H>E0g_Gg{$WW+KsX zXAW})*XZ(UX=O6iF7W5X%RWcS-VOk{v=^ix0I4^#riJ?H6< z!L&dJ0P(U5j&3D$C92wurvqC1J{U|dKyKl=8;M-vzyN}0fz_TN5Qxrf6sE;o8HvL! zP+^b@5RPBtz?j;VsIXFiMj8tQ<>=`a#sQE*c$OjhudhU#U4Bm+Si*iR6;NM9U&|_{ zmOz7a<4d3}Vb>d1a_2KM($s7Z^TDn=5;j2|XS5WNskLhPD48&TFY1~yN^TDjNu=fk zG#CMWML=ktDgKGwQFU_VeHHCdJTWGimsY+F5%{!ZVE4(G{vRHZ46sb zPxsA*g>Ul^#W21vx~+$ArJF~sI5hLbVckOf1kWn;7r9p#qVCUbN{yH!kz3PY{EsE) z83yK^TzT3|<889LXV&>FD`Qx6W4|OhM#+mDRXuLM1XFYAuG?qt?c%v+^2uPqV_1M! z%l>H?8E{eZ(Y>j4k*Ph(t~0ovHiVSp-qC+Kmr6gxCkOxkMIqzK0BK1nzTy1329OLC*zDw-7LALzi)r%@q`N#kBz`pih#ODobj9&BU|P^r?ED4huHV82#~>!0_?8{ zeQ<|Lv4`JQM!DfSphBOE_T@BOr-q;}*;`WZA5}6cu#JY(>Kd;hjgQ&uRygMt$78$2+={0LkU1nHI@Qv?jxxDSs_rO24MKwZHjoV(|)A zj@=fzB?7RLokja6=qkUbhBcJ7UgKlfuS0q-EoNGNT(~hnmW^>DqnDfb`yPa)p1YX= zl*GMIN$z2FQ~B=d>Kc|?H>~_s`74nCwXxwa1?vB(*n9E&Wb$*5$lT{1UTC&`IM4_qBHf9M1^%dGSN6OxHo(E$q~P{5xJvB4 z6~@uo3uC=6j0XB#H*MD&FB$D(UrtZRs80jtX!Ny@3|B9VBj7aS+6d^L;o%I}5#bs` z#MOr`#c{^K5AZ+ko?33x>qhDjBD>gqVW5W_kb;m3kdNE7pKnBVxfwtj)34<^a7|~| zv9Dc6=Dq}u3`}1Fz9!_l0FE^mz`6LtWFT5@6OaTD&($xu4Tu0__T0<9?ef-yU2zC) zh%!WFU40bzmtOY00AW27tEywCM+TH+*_m*i^w6j$An$;N%-}II`)uE(pGn>}6^@Sm zv+e3KGTqD&QP!d7m#Gz7JIq?_J{sOxWoE2ziQv;sj2|Exs*q4f2=J zW|b7TZw%|%L67=!h}765nw93y{Dc|iz_}~)|C}v;P^`PJkm57XYucQo6z0%KwqLy0HEW0Ismx%jTXYyoAE+rU7_a$7lBji9mN3n#ZT9`*?-}ZJ&~CJ ztnwOai78?$x}QA$JrM_t5b{5uWae|Xef51c$W57D82}Vpd`-J3a{vKAsS`MLppQxt z`V-JyEpdI~VR4B3y6L3}?n{pVKQRdr-d(ID6+Y_(7O)X4u*pp`!&N%070PEjftw1d zI*bCdaZ|4DnFY%Yw%9yTfy(Uf^n3uEu3`s|G4PRK&}pi-lkc#|^AUmv{$LhcElD*K zlvuPDY`aO=Xt*lSAv{|L4$PaCOx;;736o9T*+{8O%)U(ppOs9p_Oz)tl3(GwTl~U^ zAy0(wBj2IKqTOJCE#2Z>23%F2krn3mz@QBx!wa zz?p+fsk=!*b^&B}$G3GmWO7Ko3D-u-+CufZx{H(w>hsDF_fw6krL&Ku+{yd`G({{^ zT1m$^*Gt^3?=FXu2ho7*pBH}^v%VZ9aSZ2z*IP><^P zfT`;X2BgfOdZpFM5}gj3n-4o*fLentYsolT7ZjexENt;%1U?@Pt+ItE%`e$1W`{A7vfCTfPV5N#-8ZL?RABD>H8Au&{_5&swt^+ zkBqcpg%?)D^ZD)(GIZOlBT@tM?@~v$X$!T87#X8z>_xOZJ~O5K$fR$@YOc&OI2OE+ zd+Fa3@YEMd=5IMexYae%0aoyjOhQSxi#z9uS;)HJx`{=XIZmZ1Nx~hb=naZ3=YSd7Wv36(XbQwq)p%$F1( z==Yl}0MTwAa);<2z5PHIXn#81V3xiweV--yny7^aw?5~gd_Ak;7r!QUQ4;NO(7F)C zkzxwdfq9jT!e6P@`wVU3BAYy3TSg(W*Yh!myzzP`X>~wi#*=|~U2hh<4Z8PPapcY# zGEy2b2hG&hb=8K_sB>NoUd25s;JsK;h@m^%qQU#Qt&yW-R{e*j;fzGSJR}hxhIA{3 zeXI)Jj))rw}F9J1$&>T`$=XZY<6{F0`18)#=lpnrBhHeo1a8H&bl02mj zyr6emVDaXIag4+i*Q&HwDHdR+hM=!qC;JVUqp1V;00CTwHVB|ym#%vXX5B&yRB#3DbU!e8!!YY{ z8Lsf9v2~|n_yzNY{NNwE@(ZFXnx8VJvsHmrl*>um>xK=6J(g2{nlHrK9NfSm&LdW) zv6e8BaC4?}$M9m7~8BZ^6MLVSxWh^$ixb~PoMja!pwsVVY#Hd}LT&iT9e+jNNs z7js#nR~n|t!jv%W4{qXosdi4aV;GgH1Dpc`mQFm@EVsGdfeQ*!nJa4)z*JRetB&&7 zB2jCWU04?nXI9lJKw(IrAu#66k*XO%D@2&B(mKQXRn&rXNh)7CemYs^Y7KnULIR+_ zlU!vZBz^Jy@ir_CkKG&tIfGRQ%3_0N&tyhTUq0z0ZLSho^FKQ9-hf;8>U?E7yHgn+ zVw2h8n{JXG&`(%Vk?sSYW1;GJAg!9w#iE)o-3gQqdfx(QQx&91g;nF%90d=c7gADT z*C(P<-(jM#U&+|x8#PaFGW;?cF9k{iYkTw4^=tiZIK)1L22CeQn^<`sgbtMEMIMFhRdfBGcbp_k6+*-;PMr6CxF6Tk-Pl4@Invg@vc+@5}Lg^VuR4@1GV&CPT`k;COSnh6+v1 z#)srm$!;aSMAg4^h7r4e3EJA!&z@su=bzqKH zH(KHO#E7@|z0Gr#-v~TNSEa^V`!TD`Z(_Gs86KXb&Ke!sb=nEK3~U}{ zYORd;DRif{k6>_g{--hchwk2 z(%|)MV%&ta<}f6yP+%xxW%9EyZI(|L*H1q4&am}&;1>^iaZX2zhs$e#H&W3U{V0jlNQQ7_^T{l|z zkqAKwF@4Q5Y#W`OxeX79@STm9EQm!{PQyhaD2<%AwL-7Y_*-Gq6X?!MIH?)tkkCHv zt#?C)b7%EzF|P(;eEimqko8drjlO$CEU-M0i!La_u2ahv{g#!z6@6f19)~zW9KlQP zIYk0o+|k<=+rP)dGA2h+z9B$s_miqN=J*pM{l&LfadQ;?dfnXM`8!4cId5SsYcv#< zTk6QrktCy+?MvEAykxr9>^_)a!RyD-q&r4Z(AmJr0eLiC4ARH5a~l|(n9^bgD=Ksg z49+FkKHjG<{jBSd9MmmZ(B16h8T74RKAPW$a1GyVP3N#=UhesxFv0YLj$9A@#(svr zTnD}K<`TghO>BFON@X30hy0_s{DU5mwJKfP9Ox#QP*zmD47(knh7r^v?H5(4`_!37 zk;o)h+q@(x#O))~SQ*JI2|U(~;p5J!Bw1&b7_TEQ(!Yg%TP9q*e7<+%89R!}^c$_F zXldYrIQIPX0gm#IMi~(~n9tvUp~^6sXd6H{Vit8!K|}2IFI*jP4Ey&N#r0VR zxQDAnEnp4URcRzM0A#!XZlw+?3-mDqaQn5{z|(_An+<3L5(7{bvA+fub=RmCLBrf+ zvkr!9Lx3dMf&vD_Fvtd6i3v1fW0QfSfYG%-zyhEM0RF%PH2}lwJb)H}q!F_q&n_Cm z>+wT%c-UE^!A{T>ye=nN+RKnX^J&P5lz2=Sd-73i$hN;KfhANy-D0&~t(}}B*XSl) z0k*q`))VwYq5@T0VKFxti2tX3ZG8LY1LiqzYt>?MiO5}S9)T;Zi5V`8E%=zHlbS_N z(uea-ovHsKo>We(ptzwQRwZ)5obSWIBS%HrWzPD7GQ_ojaN~eJM@$)QKrq`K9^X4? z%}dWp7~J9Q%f4u%Kvu^jw)K2y=~l*rhQmDgS1VjEl&Z`P8H>B2PMyZET+YTw`04cx zn(5RH2itO~(ebwr3Z%X!+EnvKH6#|f7ur509E&hJpNMg($qivyvqmIN&yllUU8REhv!$Ff zr;%XSs)OzJ|Mbm-iW`#NHq@~J05aa3{ z6%@XjDA`m{iM}>NP(id)pAJGqqi0TEXX>nyvmn|-O$xYwCyFICzsi~RP!h#f6EWdy zWLRtD3QlKgtYC>y>F;DYee7M#t8Sj3%26JBlaH@;9hAe$eC%7GN0<$tTu+wdv zb6p~&wDqXFJ8D*K#wr;R;P;6%p-IF@Z!qzFFZNKVG>@QMe0S5hgOem|xq#IHJyt1}0fvRmTKF?Og&Uvkf%C1VZlZyB8@ z9215XjW9MIU+DaK1Y3i9_*(2(G|k->mlb5_5)W=SRC`1=#nmROk_ePj3EP-;sH8QH zvnQ+MGN|U5zT&zar3E`TRMSp&q7X;CWuTK)$uSi4B`#OZc@&z9GJP!46OgfYM(ubJ zGzPMX%-?kM7{(2pNwB`$o52ABg)?(|2f^Q@gD-mIe$9LWmJG-8$p!{L@9j%R+}fJ~ z%pb5YT=u-&+qWP5e9;@dHIttlmA^?nV1yg|ytD5V8LfK%&xW`J49KpZA7SSvc~g>BCqC zfR#}oS!r311BCOAbY$?au}>@vzh>5Zqw=Nf*`oJ`fvo?A+mtH*7EcEBy7n~uNqWHE z=#!NFKp^!1Fap}0{jkIe`NxE^?M zJG2!PiwN>hyXb&qj9ol^JT;vTFx3D6ucQaEkRwv^q1Ux^7b-<_9xl0gLBp!Qsj*mt zELPK28ABW}k12?y6_%A%$td@1}rlC=B*?rYqpq^SK8FeAf(4I-h5yy~S zQD>JV2NZA9$%-T7rtyMLvIkX)ZxbpPJL?99uxg_&xk{Kbq5BrK?8$imT>`*aqYfl; zhZBp_XG9mqCdze?W3eB_gS-CAS`L-d09wR1VusI4PTX+DPh)F+;a&#Xs1Q{h?6tUP z&`>hQwrFUEz85Ii&8y~`#okxWFrv!%aWQ0kDG6+wpwrcwkCyEV$II@d(eXc7odWSRv_!_%L@h7Cu>B4fls|{GJT$T`s+C~-){REqj+9ik2sSZ;1JUt5 zIw>iUm;^szW{xYEE6?vZgtc)Q!-adjRy_(t>>Q`eY2+#j)rZD*$Fl_GkcF90dsu&W zxxvsS&w$;D1NbxR5Dce8b$L5FU(gwODc|2Mi6coD&tMI~kF;cugS)Ocm@CVWw@;R_ zF0iEMuA;3(%zEDUosU4KHTBkaT&Kh)EtsuL&Jx>$6I~BhL@T?xodXe~`{Kq~o-@&3 z%@PLL3sNf+EVbz`uwUg;&wc- zr$Eys<*EDInApj1Ap)Kr`8Ulq9rKL?wAji#C(o{cE`NYsy~Hmg%EX}EoLU`e!5M)QCB?U9DWm-8 z4k2&kLqfH#8aj@99l{+d8gdYOW-WRiVcyiS^#RwNkJW20Wn_uWRgg=-4gvbRG-GAs z1WW;-Wlyek_)YPck+G2m*x{IFF>effTcm;cWjuWbh)5VFzy$;8i>7e~bP9|JIm5HL zTN>-Hhp~aH=%P{BTSjPqkzAFh5@Ns*cVDK@)zn!h9p7Zyp4aG4&0?%DWp+>bwk#?OK)|n_gN3P zz0asT25RKJ%LA4Rp&YM&TcYqzt5S0arVvKBrsMPMpPe19nGTE}z-O^4}wMnibubuZ}&3V;(B-NvvQ8dm+({k0)2v^m^ zBh+I!ilnLL5^G+HwLiB!X&SLuJ#;(GW#UB8G@U91kFEv!*QZ?i_VWD!0XJENUp0t$ z1xaHlH4N{QEzZ;BNZ2M2ZzujkRSNR1L4W=xIBlcpZR1kdmWALKhp_SJ1WQwb^Q4cKz&STz_@17bS~ zJ#d1fA;yG9_OC}KrRtSyVF3~WlW!wb<~Daxw=G(2`Zarc$P7eXvIs&bG$qz_(pX$* zXHICdKbDKh5s56wsjM??D2TGTYjnL0Z=->YDT%Nojv6GP`RbxEzX^ zgQe$mOjhmN-@8lVka@&#L^BfYp2nw`(dk;cuK(asGy6&f zd3CNZXA_Ao9hl);?w3OiVCMlM!}>h8+>F_|oGM-TB-7Vr2=c6v?0zhc%&0%1ctNZh zKAq0v%#!Tjk`vx8=oi>V=RXp=?(;H*CdS%6bl3tMYP@aiE*SiWu|C!XF+cgFNHom3s{&?0pgbf- zrP0*`K~V{uO{d6&*;wvZsIAc{mR4EzV>m*GY;{X*Ohj=HpO8N_U-hcotiElaLC64HJet|X8z_{nzBThind}mYp|5?VB$o z!~EZPEBmIN?b@tAKK!n6YYMu*A@6-$%^Nu-VOw@5nv*u>g}B-WPKM%*HwfoqbV?=T zsZ_geZe^ERN3xnj$KEM9Jz5lMJoDtCK2Lc; zRAwz=joz@xF_=(&`MY(TUDn2`n4=H&edGtp-B%Gm)`s6dbu51Xzg7B{og8Mb&jJ7N z0Oa~9SSf(7#WGejyx6kMq`vPR1)UBeXI|u;hq)~2EvNbafJW@XgtX4py%o#Zv0Q2T zB$ZlqD@?|1K51tp(*@k);DF6Nj{OOE;}SO?b0O37&eY6F#iQ;wkd<8%-HAiD4jv5} zXW2=K{9%^Bwgt!r{eM6*Qfhk>O|69K&2K^&;^e;C8G`!dUjJ!vut5IIyS;QUANqW! zu?JXDkSx2qA{a!cqYLJ9VU-y04v1k=f9kg!I71?m{kfqCoXK4&7?XizP|JDW>Y`v; z(%1$%d|_oQp(wFF(jVPrL1W!7+s%k}n19HM*7y6=)KX3ZEsMXK>`?z;{{W>S9T|1g z7@1b(IaN42TyZO?+Z_^ zEy%W+rjfUMK8v^`RdRx!b=8eaZ*EV7zU#SZy25<@m@lQv^9ENiJ?SKybUSUkj%A))HCXT{qzbCHj`JPX8TY@$ zUiI84k$39p2|N12bJX523*1lqOT%FQn-jRlJyJIn7P+7SKBBoo{=OW)vlqK{hbHy@ z{Qh&!>t394u?v@%Y*G(`+pRs?i@WUg6gK?dk^rUuPgzo6Sh4Wm*QBDhdG!IY@Cy6w zn>aVz-#Zh`QqZ^S%A}s7+uJ|?Wh=lbPK2}^`TPgO|0lWPXF+c2%$pczh7?WFhdsnp zg51b7q@FIf*=Yf7*emy`QfB;}qIs7+n#IJ#)=YX%-J#(Cu&7dNTviliDJgu4mJ8x$ zL_()B?l&UvJ>InP6HHh=r>QhOQIe|mwwSJ@WKh1?)=ftDwLinH!}U=4iM45ZDbvXh zdkr4#m$pU{>@kWu`L|rF(!F`S$hspI;JY!OI+_Y7?NVjH)da0!i_ZeUGwL4ebYlXi zpe<9j{x(IU-yD$Y$<9{;zX}_XV9SjiK96P3H|n%#@A9orJ^Usdm`J_HA5%HX!M(Ld za5IE3Vc~r`mh;Z5`tt7~X;gaVA_RnmDjbHr+MfpdY&9gsEhvW&mcB?ISNFH5T3Ybv z{9x)MqqoWo$f^d{g=#Xqwx1fhyl;L7rt+F|^DM8^yRhrIxR0b2h38i3oo9&Z^z4s~ zf#EW5H15`Lj?@ItQ$KE?-KpOuq>NHNciv$}Giy4O$`f{Ve@iy$sU=S-Y%=K=;dYz5 z<1m!t1eQNuVHa(cmc@9T?+nY^vaILw9K0rSTj%c_&)GHLny<0;-2PZty-fW=A^_zf z^>Mh^mz>*7yC}tgOm8oEjKLYCQJ%K)BQBUI9J#Yej?%5={#paISfgTl08(XLm6!A- zenO7gZs6hQE;ZxX7NK;W=H9axXWt`=WsmUOdlkU^a!i=IGo$jERkbFL{#Elni)Q7j z**6glL91a|WJMZ_sM352s0&g}r8ohjQil;3tsArSwIYZ3ryKmM)UY5BNZc$Yqn;>u zDM1iFOizj~v=ePJh@-aUea=9TwUY(h=r!NLQikxp8^uG$0J`HR#j(X|t=q2hx*5?OPFl@}zPVA)qeM_REf^_1fx(s%9K z9@^B1_YgMP>z~O>8Bx8b>pgg)#~$WIuXaQ*9CAzjjW@z~Og$8S)aV2u^;!F#+v}1L z7&f;(q*)f1rHn6VxbPiv3T;&-7}zo+k3`TZ8@(U)wY3{%N~mJ#+%zk?#dfdoD?KQm zlX;EU<&A27+xlBe90xa<^b7mX2hi2eoNw^;ih@TpUk!#|AShkgpz#y75|oo5W&KVC z0FF6v6!u5^-Vwmi%K!RE$?5YGU(Uxh_wWb*=sSH@e_V6(bMPPiOgsREyiNRSwPY>* z&F|tT(1Wkacg#zE+&Iy8`W*I0|Nc?v9{?kq{PW|TF39_jD!`Pw2B1Z_IbHN*>dn_1 zd#11IUjNR#;(dZu{-a-l4}VyAzu|;$03NQh zdi8_*Iu`d6=+e*3E8#nzZ?0xu@wfbdWa5v17T+MQ-*Gsj=PVb7$)fS)~tpLn>k-?<9S6C#d92`2xU+ zZcZlnG59EyEVA|!Gl)ZS?KI3(uRQ7Z(@!?nstrGeh6m|aF5IV*~cpH?T9n=Y=b0=mpj8*nW`ko!CHhX<7|t9CKN&R zl6iU@4a-iq+fbZ|%|c!aFQ_%vvpj$5Tb-{rAc9Xnth~)6%&p7`?GoSN&=z#0J~SVQ z8+?~QFa)9lkb2~^+ZYx@+cv3QdOyLXMs6QpA_8h_4ca9X8d1jjM3cJoOANxtI<5F| z{VxPK|663=(Y?hGiaC2eVj-;(_w)uAtXf&{^Bn5*{wbHOu+-a2A}dX?fh5hO+&6M+ z9V}Ye?_0SKY_saJw#W_H`g*MRP)04x(!@40)D3iF<_YH2Op-;cDCcbgQNP6$aQTLW4exmZTZ73@;>22KxGyPQkdv2D zL_+KmF-d8d7P#C|NKFb&{>x6^2|qWikxeoGH};u4$rWRO3+{0hgbVgC*=<;1)stXXNo$piF?n@vidy4?F^3Gq59jp1n_{A*rRX$q6}A25 z+>PT|vKC2I#dwPv8+G0aP)Q4=v6mIMkZzFB$|y|1gDeR~Q0S}mLJ&jZjEw?>r*c@y zSZd4)QWE)Kpzjmu8c@16Z%_*1s?+B7;OOiUv1aES=gSRlD0|7x?iTetHLpFVIyfwC zmao2Lx|ws;i~hTRYk=n6aj{X{G^;HcVXY**20DL*^9izmzJ_mls_%nTX(z37_wWJ9JpL&v_ZV!jHIonV& ze%*NEGLcSom?EBJtV)TjR%H@NLJm&oG1U`8h_th7jR{T+3!93AXIqraUQ;`;lDy$}~@KH0_7{4Ub>HxveL1a$Di)O9vR6UjE2GD{30Vgg}eVc-8&Ll^Uk1^sU= z0RDF^z!Zx-ShBq+HZlj)f!i)~cV0$=9#_oFMI@-IgBgCdZm!v&Iu6(Rookyj$ z5MboT-Add(1+#*jkhirHs!@aW>lZ%8O--wq(n~8xcs$<`4TxmO>hCQmifBNUmLtoB z-*kB|7erUfY5LU8A40?05l(qkt_@OpjwgAkaO)1OowZb)?&fL+V<*XN8ip(o-^S)v zGduLwe9wrFECHP^sF==qC5DD{$lwEKk?Cl3jV?S~uDI)`kN+Fe`>2G7k99nqmF)#) zgdE>Io1zpC#Cp9#afv6Czo+S{A$==nI)BI#3G8b$U4}j~{uJY@pS6_2#721d_K=oJ zc2~<&?2UDGRUvY1-aM!IS}8?Mnb7sJ;VZMm)T97Iigh?Ig0tGXgq%E6k7YEBuqj=S zG?{XI5>3bg1;5kKAF3et*JSJ$G zNM@aX#h&mGtR%8Wh4*y`GL#30XkDRZAP8L|S=SGqUo}WtK`-?9cBIs%poT1u6@f(NiQC&oMR*P%^f+Rr7g?85cDYgDiV2 z$OxH|T}>yvZQ?*D^g7LMG3DLN7L83f=nonsN}gGp%z&bjMJr~Zy45vYg62qi9Ykle zC|D7jty0Be=c=qsg#{}qj&~GiniOr+^rTbos7KORUh1(N5Vrkr0GT<7f`~P#&2kmkrBajM3RssC zm^DnlxFM*eSz6Xj3w90Kfp6SULmWDTJY1(LZoqOKT_irE=!sh?7D$B{1KOrp;Oq@b zj3Nc!{4Bm&H!ltqDAaD%^R{;q7RRzhlst9+1V34}7~Q@dLE}PHl}b$nYGu-Tm&jyJ zhp2XJow+2V-8(RTxt*FW_e<_;Z`7!ChcvtEG4()*H0Rg~tIENS;g!dg>n>mtKOlGR zl3y(IQ0CFhCfmdHS27RfejhnuqA`(6($*eV&b!8gIKV7j?)S_b`X%}n2JjZ)@!_w_ zFtP}bANg?=458L=N2X!tt>NhGInw%?df z^C#*-oP7vO2N~{VAW*7y$)XB`FO~`3PJQkPsWaSBSo1z2%MqN!zL6PAyE2Z~c+U~j z<`?3hV_|ON_CQX)BF{jOw3IscFxNyG?awk;)SnfQ8dZP#>0Q#nn>vNT-GZ zh@nc2H#XW5fm+Kp72^HXH#xH&Nor&0sz|UitUb7V5=BNg8;@&^0|#8hjq?#ebM$m^NxBeY>*U$OXQ!@~VAsJ7yd#M?gc zYN@UuiKQ3^-JXZO&T`9aI1cSmwZuISg6!amasjcgf9`P7DR-AjCfo1}VcLeCQMeIP zkK0R3=nWh1>`_MLi+D+`kvk*(_O|?>K2twu-n?aPZzA$<+f>KQUlptdpP;zxxF*-27{u+oqEHDh~Uq*nwDv>K1tRJxjbkQQ48VTR{T?O`&K(| z&ZVg24)vjQN@|v;J!Z<3H{AhZV0@jO^cRWIeOnfzMTwYFsR$Q=PO*AqxGUuw)2J`^xV%R`inOWDs7K~l6s2YEj(B$9{#}F8 zDq0Z653sNu6MeL(t*M3E7Lo2Gxw={rh!S*GN&SrD&^;?fk|&h=7Npx&=YJ^pQgh$9 zb@L9t3K?aZS7*7%k#+C1#-=sQXP(N^uT)6J=p%U>adt?2EFDr7tfK;|pN-WEv}vS( zwzl0g8<(B&cJ_+&$~sCv}Mo-qAp?kH{;8#aqXNmZwj;)M#~@Ym-_& z@D=5m4&Akb6-uhCe29_}gbz8tzso~vZQmN+1EtqhlN(w$OOp$rNo+$Q$Uw2WtBSOS z2=efZ)9NKyopF?YQw^4R-ZNjsUe42?jNIp5^t`&KvAHzh!ZKO##sWH~YRV{0H#Pi( zk&Q6XT<)DBG6zcBMEUfg_GB7KH%!EKF>cSQuq^f9@@uhM3Rw(qH(%a`yH;r08(A1- z9&=mwD~^k$pG;!wSo>+Jlp#BY#Dyu!W?pOjajg%2?1Fu+!V){-&5j>ekbR`rfLc)y z=QNywHTshNKf2xns);Uo_YS@HUZqPX^p5l{(mP1+AfbbzbP_s92?9!&-b+GJN+1Xk z5CRAyLXglDMMSXQ;eFrxzxRG?eQUW`narGh_RN|&X3p8q^NTCqE?NuBd)0#TR!jG{ zVGi=TOpnPxz~}1*Z5nIbo-SLDn8(1MiO4qREq1`Nu8xYb7=k|&bgOZzal{6z901*Kr65cM~WL)UF62( zA>h-E^3BUveIl?^kfso#r{f zv`1Ik*O%e<&EJu#>|stzKtc4B>uuAW8&%0~MY$-uS;LH8KjI?-1#KKA#@A?Z)MSSw zDar-#EhTp_C-=(NnAEInIOAiU57DE+s>ogGmr!+s5>a~T zu(#mFE7iU3y3#LaALdP(#3OkDmcRz;9D zNsY<8d6Rr2%fRKeP@I6Z5aYhwPb;ZmIks|}ff#6tvay+@70W@m(+rQ@o)c7#%TBl+ zN;pxV@+U7EqzxYG3JhK3Ja6H*Z){y)vg6YD*)}p*m?;SAB3@Znc^?1R+aGOd-5N)N z@LvsX4J5knfj9gDwGK`@ANCq7Vvg6j?hwS#Z9C3p4Cb^GECip@FTuvft=FXW2a=d) zDs@*rei{_n-b|Ne(}LUQs2K5qX#mui2!r%zj_N=!#*z0I$$B)9#O-2@u5^o|=Y$C8 zobd-=szEv?Il-it)(S;y&9LY7mAd|5r@@|p?P){9U~U1O*~;Y5;e>`WTd zin7mL!x%E#q!fShMO%n3ne`6!T}n&n&G|+J?T%A71UCVv<#lMVnnctOM?HV*p{DZS zq$bM7y)RA*FpkCnCykf+H$$#fn2kf~N{~Q^_Gqm0` zU6ah7NGT)cdXb#R7i>M)#2zi7p}$q@4RhxUX6$cv!ilKB+5rZEFZ20@toxgIh2yXtOCzQWKr45?7*jOkU=vT#AQ0g?l$S5qO1Y_A zQ3BNlY2w0mGLC4k*7~B%ArczeXa>0;k$xf#)5&IcVSi{jPNe%P13pjeEyi9H9fO8G z8i?qEZ4a`iF-3EhHB zNA~?p-1G>qW5ICaMIBVbP@O0|Z$?V{pontnDVv|9t!J{BPj~iLynFJYNZE|}HLOG;s&m!0> zF@Ad#BDyhQ-N0<2@`nC1l#-yDAD7Jr&FOHEluUFjtTpEfX?w%cC8n9ny zi4NtUaU<7GWQ!0DJTd&D6uQXTGDf{ccst;X)<)Zm`GUz6SK9BH&m9VVm#b0>*heyZ zkqA7^u4cdfCZmkz`YH${ddSWz>g!@jB;E~saEziyNthWc#JYN~q zgu1t9Q>2c+;uh*A@SXiwEiJTe-X+j_Gr4bA@FQ;-UeYR+%y@{$Fju;(qy3#@@>lji zeMwH~K}&BBp_F9ZWGG8fUhoiz!+~*QSSIBF)NdE>t$$qZYj`x$RjxuopaZE6rpG3N zGzpVR+!1W~Z4&NI89F*joKgxdd7rUM6f2f|QVy;tsTAE0%+Wc4ww^xSw@vCubP@DT z9{a6>;xY_YS)E+LYw>;^9UdFcK=ijm&^CB&cTUwv#b57o;r4=3h%`1hPV!FBlv zxmA;N{cLgibJ%;Hy4{p~z)S{3D0p$qYYe=`G~t^lY_n@xv4lB{^fkY7lBzvYLRZq+ z2@j)GQi)R20*DAm`GQe9XEe3{IXKeFivR22xIi8XeRL+4kiz&6e8HCV*X+1Bv7$In z??V*DkH-zBKZQL?I>7?nC-&?NbAT-)DIZ|Ox2Nv&{IMQQX$qR-}HfTu0QP!E#H>m8`Zdp5V{dA|aPCNR@9_}0`C8OBo z<6Sdp|1G@B>ZPK*Y)Pu_q}O2UvLNHPz4GCfod(jqs9kTbW-@svDshJP*>qbo04c*i zPJ1A85SaXC2_*DQg(F9Eth-u#;m7bvOvzu+jL4%Y)++OQl!|R>S#tk`(nrIWj?AYVXUjgr-5i04A#3te;u@Nrj>UH0?l2q)i?SEmGi0)I z43oa)OevMXQT!I^Io9||r@scH#AsvJP|BNZ=m*tbS*cw*P004trhnZAj6W#xuh{`D zmLu-94k<76yqly-sM60l_zxbv>8SE}&+gemNwPWo0$lZO#`CkDQ9M~ef^2rCJrtPg~R5~>KsAvUjx>Ed}`4aq&V z0jAO&BjI_kI!l`#eB-G{+9IFVL7y^sXg?uBN=#4J1IxMW6B$O4VO5{^wYJ(xHu!+O z%gvRwsI_au=9WLWq~y+5nsBhYIC5JUd>9BW`xeI^7a5vzke;EX#o@00b)%(wE=+K$8jOfrAt5;gb z-XE_%ocs1C%n0L-4r+92PUbpP#^k|!T);*o^1e9H(O6tJB_Jy_4p_!sp0`3Ki2AgTbKwiY!q1%b*KtDTbF_d=jt6SBUh zUIJ=%uLVH%)G7A{%iZnge#)xI*5?Qzpv`g?zRSC9gId#nZQtx#!f9vgs=Zt%MQd5% zJ^OP;_l4;3)EapL3OEk{M zI5lCjrwfy;wX98FWe~sq`ErAYn2*%x0*dWG0 zB}q01x=baWNS9Wb4Xw-Un76p8Ar#-E7{80gJ&u%^QekzZbTGBi!!Q1`lrLW0VNXKj zZIFHjjgm-7raQc_vDh%)d*ryrU|hoakc9r_hoLq<4!bS$Z`^>XRsLMZ>&M8F$_Y<} zglBIcbOFybGL9Y%FGVUm0h?&MP{W>`9x%yYD+}mSni^9T&~tVI5mvJEQ}oBE-;*;e z#mRjb1@Y04C#SaZ`~|tP5XTtoCc~GWv1mVj3aV~*^0s$8`JTE`F5;~~RNXU_Bt?ao ze<{)>iWB0YL=pc`S&GgPwQ3!mOy40I02khtplWLSAs(*z`;EkwOWkZg<(A-$M`DY_ z<|Ld;W0d2^1!2a9tOM2^C6-YpEOUg(&Ox9LyN(&f4R#Z9$m^s6v?ADkrjLwKmbMKw z!J*5NK{he7Awk`CgWJ;l`1&M;k`W5W65Uwcactt$!FGB)t0I)K{zYd9l!iUD+^R zNM%d6h=X4!>pY~bcFB!po{YgWoh)IAc$C%P(GcVW~BkQ80qish&ur1$Gc=w1X3|^8OSC(LxCtr>XktG_rjj6mk&+$R@}rl-bRI|yfZ;Q8vvF{ zwO#`M3veb8kjLA*{o<1N_&J+cn%tnL3Qz0gr^G>K-1>5i*;ITYVlrcgy&j|^p)KDZ zMsR@&)2CYLjvDxurwB}4kLXOo;<0WxX+@bn9xp&gsFs~;0O${`zo6W_Xrq~h@0tPP zL*TG2;ce8&5nX@^b`&S=3JBxAmA!!_HeAWsGpci&PsXuH|svL9Xv z8xg4^fMyYhE$wOmi0Ui>m7^@6QLHkX1X}M~MK%oqVWm&WXa#^!fY7neH3-Ne4v^c8 z!{XK$PdoVDqqwiWA_aQfprr=V8I-+iuqE&w@J-b1+_x#LidU3ea)WS0Q)_evJ8pHj~;$ks!L4SbntGGUXJx_t!E4IB=^ zW$>RNVFyWr!wl>$Fy^fQ+!1}tHdH#UtpIjYKGL%QMb4$OOT+L& zv)tHQ97=mRN1kT6`5w+LL>+v5S~1l}(xe}@;l(>64I*8~{xykun`u*Jjg7=bMOP(z~?t)wuI!fE|T%JbBe9fl7FYTjN7JkDM z9W$4x!M6U(rQx@r#Ofjtsm2I+uj-CG6M<24)!w5a1U$%+6%?S#Q_$+c(Z9%u>RzW} zUQU8G(7b2IWV7^{DkZ08N}9_D{wgRi4?w(bTS>lj+Wpj1hL8&(wdwHw8lSr94ZZ@+$b z(jR_TAVZVhX!9p|LIEhbGk{V3eWJJa3i9`s+prLEs-^FE7io;3RdvIPypG2!4}3L; zr)^SAP}0B#A0ijeInpwuxMZcCH*3nr+;|5v-EO~cCrx38x??IH-=dr7Nxm7}MjXfu zdk9VB206M&Z!Wo-MmY+Uu-y_FHoHtAvG2397jL0Z(YA_NVx!?NXKCG|D)c#4UwNF( z;1JOupU+NHO1`{7zNVXEO<<-z@gk`kL_bUrJ%mv|)pJiW+H8GB&zl4~rDH<*;k$J+ zOJ6&Fspf0;S#^!|=Cq@15I68}t2BHYqp<;%iIa{dK*v7O5fIP`t4z7>XVsSpG>zk@ zeyu|T#Vcc|?FId98Rywsefd%ZQas5lz2ZiTDzdwWjDJV1!u6ejH$VcAoVc={pZc6) zbaHIV?gpt_&f2w+!CpaU_jD0LD>ENfY2l;)$L}VgEEVi~nVRBy`^Wntbcm%1tvRhAESlY|IW9Nl z^Um}or7t_%VsC{X%{3ct+?{RSB`( zq+Lvy>!G+k;Poump-Z?;&tUW_3Q4{4>l4BDb}nO~EHmfB1l^SMm8qbgY&S_rSS-Tm z#R@g`8GbmM(a2`}1v!H)ZLB`&h0N(#cKJ;HSv;V?*$wfrEZGXCoAY-uB@y;O=$)~0 zl2nEK9f!sezIPmyVDy%pzR8L-`T{Bu0-yE8ysGyq_#%W*=@G2L_;!y2^Gb9b&FVBpf z6_j=4_%<6TS(WtHD>;%LaUEK z%+h8JJl+|e0&%R$rEQnT8EX`pnyo)_Mj*FZG5(Wj6c+?~4sJ zO3UGNM5~w0Vx>TGk^$!J#ZlSUzR`|Emp#|?*!x-bs&%zItj=!LYzaS0ZK=;3(@Ywyfk!#2Y(=x}Y`9Fb27x^IK zOWZNthq=EXwYfjY-^d64P6@w(t%UJEa;Kl#M*nOB2!{B3(PiJFvww&G!SKW#1Km!& z`1#~bS-zXcrv<0@i`Cob<7+3KRDBIX(J8ng2=`{4zU$@s$Wvdjya-^VgHzDWb= zb@KTBuJZbHK_;_#`>bsQcpU+%zPcaGcSDZb;(pJ)J8>U5FH60U;T@VocXUPE-`@R$ z&fgrlhPbhIV~~vOc7FOtVJFrwns~ zqogcdIG{-tk6uheCyJS)<$r2M02d*LKY#pws z!usLFyqEh;plxE!Zer4o60;E+_Oe<#%9`LP|4PJP&=Xjhc zp4b>*bqkuId}~)Zqqf&-K29hzr)A2rA*mB&$Izl-vuP`1AeoFdwj$gYc^I8M$v zc!|aARi!q~wef&YK_7+E>3LTjl`JRQ#1~y9X33j9Q;wPpkEeOT`EYy!K-rS}DBHou?_6y59vz=N$UB z-bg6DtJN$LO6rcz$`TgGBK=G^k&U&I*qK0P{?!$QN@-ewB_d|!)`3#uCtUR(lE`15 zvsa3VPxY8m#iVoyJKZEaRTXGCA7dhqBw;O`y6J3qN-OafbiB$3sVSj^xuF!_r+g%+ z-H|KQGjOMi#ZJt~e3x40$o>jf>E> zTdE;REgl!?4WdsQ>Xbw9UJmp;0kki0TRH_IhJ6|^zc({D<0Qee9~;n2?< zw=$6{IIPdz#kEksOAc{X&__kJC9B4SymriXSs}{Fh|=vMAy%sQVIzDm46!5MCM3{F z`*Y2aQtKwOJ6j3p9oSjVzi&g=jTy|O3PMHNbC7U^D&+Am34K6;Ls|~hO!EWbyax@j zg*60V@xu}G?naqY%B3w;l2s-TWMS%bNc^mxnZesBHo@o@3dSBp$(GWUR0KZsLejW; zdxeRu?txLW*mSy!4|!W~)4>JmgFl2@?%jtW7I<}qwpK-?O@mnIpiEW6BfWg4PI#zl zzLsF)gVzu>i$t{5?!sho+?mquwiyO^%$L6~Z&u|N2Y z5-vK!n~iQv&sAh2oi&pXN2gmP(zL-%#nvU7``&u*E}pfFmwb#sXTyH#N8BEjL>9ZX zD3aZqxL^By0<+|Y$&-@zl~gCOWIw>5RFauwOBw>y_2{Jz7E8O9&X}+#r^O(W`1qu9 z%Y(N`Ag=p8BRlpfN!1@!@~9m%N@@$tJw@mx=;t{Z=et@g)XYe5cbawX#E=h?bb0it zq;5TF^QK)9*B~K@PHyOL^pxS0{Q;_F{8U5smV830*kc&P(5ADqqCFTZtD#t}IBVA7 z?-^BJ4dQ|BRdq3KaW-x`$U1Vp8VxqE^Qs=*HVoh}faK`I+}aM?S?sb({d}J^Io>l6 z&`~GNreP3bWZNbpD`-uT)e#UMkHHTTpEyp{*yX*PeX8V;*29O*rx3@`HkOKbJ_Yl& z7U)NeImCFhDF5<^z=f(J612$IH5tc;RMWeUri@ci>y1<*g)~9MEp4`~1{wF0L^Vu_ z!+H|>Rx2XbOM?|X=XV*h#nfB$?Z|sq0l_*hAW=TbqIl2!AXB6IvM; zwGw)peJxx*>a7y4rkv*mlg{G9x<85tXJC*MgZG}ObV@3noKuDywsZjmcO(-^Q+$Sq zf?CeNB)lCR!m7%CcfgV~rIc^&-wd^iZ&!R~`bwZfjY~lVuvy4hQfLEZbW*KB=N#uE zG-8&+?7`vTmi%iB$#LcnSz6C5OA~yXRPB}RTYFWljtu&gq;$*FNGeG^xaX)$tpZ&1 zS~G>iT78d3dYzFdEy;kEMe5eUkfAb?jwXf6Ty`R6F$OUSnB5opL=Y%0d6ACx$?|VK z^UnbR1TrIBVU$VreIlaSbsti(1e*Huvc2r*zh_#qNcc_76&flfJ+qHDQZ@%r1GO=n z9i?)ia~xP!ef?Q-Dd0!O?dEuUR#ICMBuY{39%tozcV~8$mQ!3AbbMi~Y^Qk@pk&fl z`QOgDg+;gUr#nAQs{hXcBrDN>Zvo7-Uw=9z;3wKyjTf) zsb^vbpCoV*m0bS7?U59d8_PDVjht#*(`>TU`JrFM$5=40ofVkPP)-)mpGq4`O8OU+ zmF}3F^iBFUyA6E^#3B6CwZ6pC`RdUOu<0T${jrNq_8a{Ne?gBv_Y-$X_r}2<+!G&a zYA-Z`sIN;Mh?$D-(n12$#!RWq8hNO~$cent(Qq>DSj$PqmlC$FDl~^FB~f4TR010= z-=+8o)47CdT$p@ahchm{p5dq?%`Cz!Kl21S^I6%sov;NXC58;?!!Wwx=0+bqB}l=h zgPHv!-&UHZnj!Ckv$E4i+-(Rv1fw)aa(xD_)wg%SNnY=%R`(xD=A2D9i;6PTgEuiX z?@YZaw<=M!2GqFm7;g=HlhxAzycgl}9CResF7$bCv6 zJ_#ah2~&<9GX`lmQr>h05wjB!G54F+bd|CxsbWK8%pM^Z#0*(brLEjK0Hokjnb0NINV!n$V2UZ{C)`BA>9q z8F$1_y3topEKh}3mSk9~eJyMX!PT~SbxL{6oBN5NsSS=c@E0^mm|O^9gpA}EKQXre z7s;#`LfqfRp*7iz!UMd|z@!+YG$qWV-xqI25t`CS66Er!YJFyVD1a@bhOlae#ZjVW z=%p=@7DZwgC4tW%JJhi;5^6j;VDDnopRVnEn?ywdR${KcDm?IrnmqL{2tMKoA#p?# zu~CGk)LGLQ~LV>izXiI$TjU(%B z9~Y-*vgxBholKJQTlmP_^`K>?N}35STPbXUGwg?2I-i0vsOsmWPgpTNlK|&#R@1ZV`dFvRx?tlvmtwySf;Th@21MUGgI$emCxVih+L_!FI z&Pgm~Z_dO=^TR_7JwB`6clYTEc2t^Q?3ehF(CCR-n4s}5YxtqrGvkzrq=5R;uWLFV z(v)|93GD==ChUvSquVCYC{z zGdD9bl~oC&*}F6nw}Vo;2!(qe>j=Wd}N=6B5*k@ zq?{D4-HhVTl`i_7@s&rHt<7|r+{cRQwMrkA;BpZlF zh*A`b^iYMoU@_({apb6V$r<46x&2C*ypi=|gw(9x=}gf%G+Ft3%Jpb^p1`74 z-BH$i9!auZ5gR9a_Y9(kUxWr)(U^H{pQ?ojrnl&pd5XKD|AKCoc^)2<)jo9ejxMav zUh$nPJ4pFWi8Q^SaM2Xw&@P^y0>Mwn^kSHE1uGj22ZU)hYEwQeGf#RFF2IN*d}s2R zWOpTE<_5xiavwUCAur}MmCXW&AE+ZP8iE%?+sS3E_V0l_K4poOccf6c?P}+-N zkrAo3^DV2oZlJNxaJ0xcR~Mpmq;+ovYsXOA^fcJ?eLGMw5}r|B~~hLl82_=Z)l4@K&KfZl~Ozf12X>jcnIhO&TP0 z`)FJ!ik?zgawxBq67}~SV~MiTKQVX7eC=hP(pJoyjCeuRQvp7NTdxyr_0X8ggqyc) zY_`5QHP63W-%VruwZ_9T*_7$!P_6-(XSeZI7w_cMD`OS0bGfge6_3Dp=-udt2w%sS zX3W$HJxbJFi+$n?nvU6_F|OUTn)JGwUCe5ug^8YTTS`K=nx$(}@&$kR zB%6tXef)Mf=fBGMx5-}bP9JWd+;bf1qIpwo2J(<{R_l_Lu&(y9_YD(jw(b|VHE}F~ z7Raknh=~jRhlRJ_3$ty${l3|{7hsip*|yK3nw? z-nhFDtAh&@Gn+Bmg?EV`DMA@iAExguSQPp*@!Vq2$RW^4!io6kr^JlfCl(>TnQGpu ztv|2}8aB;VlasJjK@B~&m;O?CxtG@IOkvK^KcMdXhKg)4DTZ7ztx+=8uOgX16#SXq zqk|^3kuUznluv<6&3ITjPE8I zGo)`3=xcl|%fy8fk=?j?9)Q{0YU%E8AKl9*G|b*|hhA!3qPJQGA;!d_)NYl6VRi-J z75f%yUj2IYrP`&1`U!S8m2s!A6x80^fXw5hmf{VAvvoexhv5Zb$+YDIk64~LVpi*% z>(Ha=2kuRnaHc@Irbc0;f$LYsuNSHBLmpM7cIA)?fgB|A9GS$^^bjumPw4!2mXoV{AG;oRCj5-H#zAA_^WbI0_dSp=| z&1n=6D03^WP_0<%aUP##4G3*Ul~u!Q)JjP8#)}hNU8r859qD2AO7yx8VXn(dJsR;! zmUd}50!saE!ALXhPFsq;UB_O}96FQSdTYhQbiE7)IyTBYdr46Kl1f1r(|Ys~NIOTy z!<%Zsk@be1!c}K!H!YsNf{4&B+jYfSvQg4+2Do8qYM>f#qo1U zeB;h^Tva4S38**R*D$j1f7Z1t54bkt)i&c6HPo_oK1ynIii zrhOinw>fWqN+B>15^)NT&*Z>y?*l(LkM9{_G`<2R z)saf?7`FD!&r~;+@S(`nz-y>izbztBE-6DVT>;{++LB`%vsKtV;Z}I;(lnEU;R`ki z;;IQ29g=GFm~FOc6mTpQBOlJG%F z3D7N(fm{iv2jla!p4Ta}bSAN~CwEXfa=pzor$H}RDv!}HiLj@Fa)SbRAn+2CI4%pF z4|7HbHxyYaFK16U#N^+pDlx#BKnlGWJ^0 zeC5-hql6b`sYaxj>!uvYjO0jhB0X(iENw`8xFrg%89HPw!`5vN71+4Dw>b_EnaMsj zOz7103}aLtO7W4?qT6H*%);4N>lH(F6_eK=z9qA>-i=AlO%CFVZN(T>Q{L2{EXrBA z8Aa9jtfl)tPeJ-JkyS*X&cxA=*_C?@uQZBNUYUp4+jg~t&_|K1EL+2vWFLtw0S3)p z9=W%})1M@!651M2Aslo>4@zKEf{UM=C*t5i0W4k2(59d-X*DgHsoC@;XzObqVQ?x# zQT-4&hk7_y{m<`~0cu%f?~LHZiYpemM==9lCCpl*x`y>_6crQQ?0nQCD=dpk|(ujY8vAErIiU%YcTErs@KY8Ta zRL@kjuJpHg@38Mrmzd6%9t0)&@2K6{6wHro6D&iUTpH5vqT)|^9v-Wl)83m;{CcSZ z9J>@rBiN%653ESM-+2N6V?Nc#oi5#H*gvOvZuQH;6Y)o|(@hX{tQLRx@1#ucIiSit zRk>mL#4+Fr;*U4t45u!LfGAX=p?dlB`gMN$SwedZ_j~G#zDMW?g7w!MwU5{56sPsBJrd3B>urCnV(8$myO+ssmtH?U_FNj^os^nuKxPwO<>a_@P$#mEm~q{r9GU2b}W|Q(B+uR!RS37gOKi=g%_!pBy9q$ zqY%v&MJtk;{?L((j6r{b_5sOUj7*z)sBCDZ(9QH!X}Le$AJu1QXl1Dw+9O120s^?Z z7r*=k&DMDINjqvYbg}4oq?xl=jtGap7vWM?k#TfiBBj%v5CuyK*Z3(lua4Ce_;px9 z>W_l;Q^bd2SsocuF1CeIvxEuHzJiF8QiC-cC^1nrjY?b6ZVt2n)IBU6PV43 z^^b6S&u*ePM`HO0pd&dplf?Q`CeSSQ6ZunqH!%W6y5c0i(n#K;sL!I&Mi=Z@>o`er97{{y<$1;a@RFy5f5!( z2uJz#C+qVu)R~B}4u5&hvY2wKm5xQtQoU@RAQ-E?udQCi~ z@6>{-QMuJ9QoW?pGNMWUs5PQ%R}-YfnXMcWpo8Mk$=+}s(ZRSHU`Bw#hZEX{T`cz; zW(2VI3kOgrqjMN!#2FdmxiqloT82Pi0mHxMh*LJ}Q@|FGOjg(46{v&wcgdC1eecAT zcM0GJMf?QFC)V2l;$$3!jL!xt9n3aIihjzS9?|a2r8Xh|XUSED8W~>(A1Z?nr)Efw z%w+?Xf@Yh@IH0r(DAH<@`)M{#dfV?G9(>Qme?0iI4Z6UDRAgc;P9^|Yai#adyN(>u zIwJqUyWAjZ(v%igN|lKr6JqB`=;|-M5ixS^Im8mf@saaup1AmuXNO6>UWe~C*f6Jt zRZx$wt?s_B)HW!Jh`5i2h^WS_GyJzg9b(zIY>SStepbx}dcM-5x0-bGr2YmnWZ@oui5+X+2mJz2YKvd;O*Cho+@$0ov}rf%pAe2<3m3zcBy5=5W8`neiNm1 zx}-Ww2(xD_BS+Ll22A1WK|{~@DEF^>qE8SWAi!hOfNtPLtnlNyp9%E+zMQEwV`B%T zax>}xU)oO9OZ7Ro^ftIqZm@cu7#>Ge>xVCzJeF&c zT-R+Lgx)c)1zD02dstQRRWqwvwW%h3TB$9cw*-|NU><1lqsMTx)qe!$Fx*%7WA->3 zLoAs!aMO4Ipq&%}x)S*_RI=JViSM;`2KWIo%QCu>5Zm=@xRN5Hm_Ag2flSl=fXBR*JmUO+;o2+^)gR zpVRP}x2@i(W#pnamFH{rc$HQ0k(mARN#q=I5^=XGR;xG6yTkiLYv+V_-)+)xUjv;x zSv9W;c*Y$13RDjuO|A_?yvIhJoD$CrM55(OcTOOfSRfKwzGL@O_-^De zO(d-{9ppk4&xz;4tKqe5QXy-y`@o*OXqq#cGgW-_<{|Pt6LAdxSrw~_hX8FCz-!>$ z$c~+-k&nIScRT!7xx=D1_udDQ&6TT_!Ai0<2 zFD;Q}*Ke4D`v@o9;_~Gx5iv8E!_ks=lU;{`hX4-LpBE2&M&!QCO)~S$y@U6%@z!S1 z3ZQt#$7OE3^*Y7?rL0i3)K11THr|Hch2c|}=cv)|Wf|_j#(}yNvvC=)FOJsIcNgml ztZ+yCnNiRFGrk5356`xIz~H;T2|O>3*;Fag?8B$5SL65i0umDEyL~2e-(w2eed6lw zySq68v^?qdq8%}t#M4?uvfUThDf^z<42i#BV~EDP(pp91C8ucI=6+30N|W99-7ce~ z6`t5Ddx+uyN^v9pyoeJ%#;}jv1#WWp+l+r^x=H^l#Jzfs&SbRqrhsuB07p$o7DnT* z9;N4UXKY%yW7P8=sqtBv?`+^mpxQp)Dq32Gto+{*KDCHe;K-d^ZhO1zx$J}2$n56~ zKH2boRspa z<2GFkOYU81@3wU&7S(V+^6X5#UYJ2oNd!2SYZ?Li!`lq!5~zLH0#gSdEJV`-8$Wc1 z%^eudui5a_967-9mf28=dRTPe*C!?m3@x}w)GemRBI>v5cVS;MuVjpBQHed zsRSUGTshTxm?s?f#N=xU4uaA&k14?=USHy^>kyHFp&2x8)oTL(%x^P2zV2oo^TaqI z50M)KpMMJM08*h}V>*=GU~vUD^no}$Pj3RBi~yaZtg8`L{IaU83=8Z~JK}wM(;_aj z$susfhNn^8^i=kZ4NpT{C7@_byv}{A{mljnYL{?Sbc4TBx(g+>!Pi0Up4uG) z2AauOLRQRl5o+^IkJ}S;ZbNfhvYdwY2k&8(Od)#43$7hX8W@53NY#;6COwe~%Qk_W zrn{ry8sQU4t8H!rH1R7|^4B(x-#K63M(aGL6sve9a9hu+rK#3+V2+e~U+2-mUhN`@ z^ILthewPBXZE*=ZgxVzJCaG>aVV55%M0945L|eFzdV^|I6vW*8BCu-8RvEqm++iKBB%Eez??GX zf+mdHkJlRye6cf%c7c^o@3sRJr<{3ZlrnN2U^7K(E`*=)glYK#*9&MiztcWn{&?r< z73&G@@^~)@=r%GJoimGSGs+pm90@)1M;u3Xc+UHi`m1Nc%FDKQOy(Gn>_6Hb$4@|PXd7eo{3TuE1G%7rb-@?L)~MXN6Rj_<^EL(!5A|>Kl z=HT-Z$^`V?rmP=1dQBxpd~9`Cyg0etWjKp(GFJ+7*jEI#L{*}lE74Y)=cj<BA`H%mtR7)JM;3-O($0(uF$fixDG9hDMt#ZD1ZJfslbqrfrP|J8~ za>NNyt@7^7ga6}wook`U%OBhMf84Ke(Nz#l-2`01C9npfc)H5@_~}0e*tY-#X8G|p zP95@}1NJFkHdlG1oMYiV&;OJGz)Y+@Q(O3#G7*K+xEJnqjr9NP0qLBhVF9nyL&a(W z98Bee5`-+%2)jqBkooNN9snQlv$+c^LmRUTC?YsCw9_EvPMeJvVxzN@5|V9T{=RlR zsfd8SF*V&$$;jBagsdXK^TH9+_}RxYG4>+ho9446TlUYEW~a@YW0OoHZC8XZbJJDdF#86NlKd+-Z)5h7w%Kt)hd6fOSlA!bC#HB<(e*ga zCWtHa;qgx9-$ zI=b=%0t|Iv;9!5pz{(R1U;^_(&ElUiG!BD{$mht|w-Ww;aeX!&R|bgXKQ5oW-v>x_ zh*%3?1m;<8+lQP1EIWXowqBn2V)`;u_410A*9}1KG6s3duOiX<11F3CW-H?};NL4x z?&iaf0LGn~1vN0@?%vb$QPi9#k1yNI$XS4#VeSEgte-cY8$hY;M*@^U;0i22u=jvf zLDjTa zlWcT)0yeh8SUc(WY(Hcn?ql>CHSFB%`8}rv74do!C!%4-R}2+r`C}klc0yrk1~tZt z>084a@9DEhc3PUH-$wd4nNRWhmY)$rP4q8hSzUWZ=VUekfm1Y;Ttvg%2G0`EFeQ%@ zGw=PK?&ZXK8_{4Oi}#}Jv*Gn66<}=iee%J&+=t?c+^ldx3XAnj(0aCpj)>MW;|u>+ zlC^-tlQ9raEX7djRPu*_I0Z2p+IY`EveZlh%cSKev)RMfw9-u>i4YcG&ho~H?-kF< z9#gZ%sRparoc5|{y8Nr z_Jo1bK$@>9Da+M{-dIFKM;r&;YQ2Vz#{)|Y5;`i*Xd^qf2I_7PYEWtT;20LVf2}r zSw>A(+U-1k#QVH`2Edh*<$rSnxC=4Is^9VK*Keho zJ4UKp2cxchbN!ET`~O1@z;G-@R~GGGnRI65y?zfkXwUxVo2#gr7sd%-JH4AD|F>^0 zMI=y<^)Hsk8a$;(jCbW&;-1T^1@1pRhIdnVcE{5BuFF^7VGHOR#QS@fcmP50;PbsF z)c5Irf&YTmZg2zBjF-FbFZY4M)d#!BDw%)EF}v^og3vcE1v%FKg08>l{2le(p9wno z7bKT3xeLD+4K!PgJVP&B;|5keZ`@9Oe|cXe=fT%`Z<+_6IsunKt>-`PlRp4rtgC(( z1URi%XogK(B+X?9l)lzj(?)c=O*jNB!r{1Y&I zP6Dh+cKo&a-Ne?|$=T7wz~=9fouTFT?`%v23TBj7)EzVq>Y|Bq+to_*N|1PfSqvp@e?&IXP>A8`1;U;og`d_jBuSjP58_EAeBLDZOozj+xBk8i~e*Sgh zdoeBRzmeT304FMo%pH}_?eBBD9rq%mqV^oErw2T6e^;TXfFhzuQsvol zZ2!4_N`Gwg`76}jmN@t8PuYUs`@*ZAoFB*6Az+NkpOkLqLo>J)FS5A28P_L&78gQ$c%uyg z%UT(>q+fKY`cWFFRfq>3Zig#EaWtOm)t$nF&8Yl?94E7SuBjKF2^k~1R`v7%CS zFln$_`iaOtf1p}WSqh1rl}WA0A~I(L!*nHlap)gvIEbcsibv*KJhXiEyb*gI?8x-a~Kb;8Ss>Qm}A} zYAz`v|A|t;Sf0!v9A*;rO!XKcC$ZT0mHtvy#~+zuF=xNy1VHm*nU}f>2Qp+y)L~?m z@TPVl#4$&h++yb<5W>2xOGh3E`7`;@Q?AUn@+(KHK|0!0Zlsp5?#DHn~IsW_!JE^^2|^?ahYNs{@e7Pk>PyNMRmIn4!^6`7tGAV-0ax|Q z=XLGaxbL0yppgt`MncAo z2Z{?5ImQQ;aVLz{*1*$PuxjUQusL~-Is!)&AC!=WoTNeanQVQ}I4>TC@T<@*o@U@w zd>PvEdkB5)VUqC}Xnr$zgEr7bt^<-!dMcm!Kv=p--kFO&9{;o8j{njO@twDLyrYAM5EtXmr5d_cC48ncYBP*op!RiRdMV4d{ z8Oyz>=jrN7KB6zCVGbX8DXk(_HW}$!TF;4!MYQ9n7;p239@rUj5oXnBR|eDzXDC~2 zD*rB0T^1-2q~6Qx+aBuvuXe((JUL zn=OdyK*v}DEQL2?2u!A+#$say@_>M_* zN?juy>y%%TTGzCYGsP2Uu^3M@M+|P6V{p?RrCTjIHwrJ7m2EVKSeQh3C>Ms-@^V6O zqkvwLUAI7pT*R}BX?c?F zrjB4A$yiibZBh!NggoM8he0-qC{-RQUImgbVsY@4m^URv zrkY$;zw1Ppf2aR(?H0uT>y%6z-PlK4&}TK@7M9p!n%1RNfSRKnvk)5{*G(=gMC*oG zgPUQnobalh;N;0SwpXWs`lp69%E-_=o8||<1#XW7feBWVtkD=p(G~$X`+&xEILHA!0&M`x@RqD<;<(iU6B}&-ArS~GIQMzW-vE4z`;nX~FvY}jC z5ta-?lB5Ejyxa>D*1*OTq0%5keMr^lQwfC&rLXfYf=(~6-ytB0%m21t>;R=b(l$& zJ7|uVADab$9w;g6lc0i}d?cKU=&4Y@m+cWDM}B`3PxUq@uj!82-s-g~aZkwwRcIrP z)}O@MEkVRQTKJ(jhlhR!mmzGEFe7jOF6~sRM7gN6;JDvTpns2%k-jOj>|>A_sO!mDp6(RG$~R8(iDoCQ59T6kThrHj8K^+#f= z=#Mqm8cX)H$?dJipI$T9ok4itmcgcWxf@?+t099r0d3rtKloDd_VC`@ zue`zHe)Uat^l@y&5U6*ADbFSrDMZfRk)NKV~>dJ|Rq+V>yVIz%QEq^;Z!74XHr0_dguXwC|Q3L`~H zH{VD)C4dX~f?QzxO(KRO3;S_~Mdw&Bs~yyYWk1pFF=SHD z9+j33yp49VyF%nrr}Tv9#XVR8e3#U6k~+I4F5psIj<(_>+9fL862X%Y-)=#qdLCf7 z)U)KH)HUy>bA;J7HJY03@&}P$Nnqm*BjVI%DOD6xm@PtNJ>HMaMQN2yk{ekGYrt26wKk#nG?LQiLh3eJuYVIlv9 zoO9TKBt205c$to|VyOO22>2=(-8Q>m-6&9m*Ksfn^r&ABVtW~S@u|RZK>KWc4 zHy*ZsX9+#hePelLGo+a6#QD#z+>eabD0W;^Q{BLmN!_fE>yOr|DV*mTe&A3YfsKO0 zzm&C5&O(*>U{3v|KhV|NCOFNn)x;im-*zMsTh)2|Nn>U01;RLt6;~81!F1M7$D_H2wqg2e9TKyMv zdp3TN{;T}U2a;;WS%2WZgZ)&8Ek8<08P=-(*}JS)X*IVSouhlJy zQ~~Q|@eHC7i}-l^hLtv3 zs)4`~xog5Us;{9tQ*|2(-O>9n!8%!2T2Xh>AadRz78pxTJ>;HKM3q(vXS1`%yDBTD zSha}U@hDHWx%%x;ZJ;QtnZGFd(6fh zW|p(F=`+}m6mg?OUoYj7_C-Jw&Ad_Q4BTDZe4t*AT) zh}HsTwnmNlg*vf7<6xFvT(r)mCPj6F%{4rLf1L%CKf*iw;3uXKE_1YP*#hNB*p~f> zV?!@KkJJ4AtZ%9w`4NRgoKV`m(Lwhq4jPqCKQqfFX3cdWwSPY9tJQU=)i%9;S#jqP&96eK9O%9mjU$$G3~fP(#QS z9#Ns8XwN{A=S`My>mGUFH8e8kzDx1!pR+kX8{hXx3F+TFam-)ObWi#^f4Z7rdK7&e z`_Q0oC$vCfTD<;#0;F}a^j73m{O!QG!f_fWv13$AVg()qV06IA$&mDn^$TxwZyu7_ zIub59wMIU8gv+w+NK#i5x(00td)kXKu5Yku0%jq6DMO9@90O~Q5&x1-B$NAHqCE`1P!9m}G?T$#m(E)zHIeQC*Hx z|9pIt;`%*+OjTI<(UjH^X^-qz8UB6uu7>ElpGTV($j^_KFHRe=}aMZ z;ML>tf#wgGYw@5>+h4W6B82AQ2?+Hkdq7a(YBYE280iOUD>}HrCwpQeWOoqc{dopf zTR1={%enocl#)eVwbq4|Qh)-NzUh_mj@6O^8R@MXA8cT^rhn%Xm_v78DkcW!Wr0xP z57QB&hMRai%{?e;I(NZ{OsW%RFgPPZgYfMPnFw4}kNhoQ(*8Y{nFB)sI|`1B`bZe5 zYhI*m|-=_(*5~ zzm_H}v2$#6MpL5nVE`|xGpkK7%<&N(B?b-aE||~zQfTo?_R#D=J+52~{or-LBm)Uf zbkd&a{Mm{))0K;!u(;`(F@?#hbxxq_xiy>^so7NqE%6DlJ*G>xu8Ufd6S6C~d-=9j zrp7XkmD;(~@0YuNXAtC3j6NFlZF0+_l+tGMH<) zikSClobm|b3HQ2Z4`NiWc|v7LDZ(eIsVhkwRp2K`$2tLSHvTq=(=>8+#h9;xhZ)-(QkSyv_c< zX^)Yh#icq;oXE!dPKb}0cE>swy3mH=oop?IUOTFpz0wdw`CdecbAkh){Y%mLBc`ITu7{RQ5{Kq(OUc2w z?|V(al8&vO zV8@ufyUtheB#ietlhWpNFnqC(9K%e72J$zD-+ZvtzAkvE-t}_L_XMU}Su+fmm_=CI#A zz+Ny3s0bnwIuKyie&Ljj!BQQ9B?hkz!G8E<>Rt6C+XVtC6ahW4E^u_OoI;fV=G{o5-WUuLwyE3>c+M4liD+BQF>BkEb?6G3N1?_6B^--;1j^tdL@fJM-lw^mXFd z6h~e9m3NCB+G<|9R%lJ!$k~gPP8+{}3RS^OAC`)8PJCQp4&m!=lvkN%z!a68>i0geOb4>QldQ@ZjT0_S(98SC6jXLy2BcJRTf<9^pc6 zwVON@)DM4|UZT|j5qgmrfyf+Mht5M}uJX{CA&JKIOy7>;huzx6v2gE!JD0K$LEA4I zq7&oa-PtcxDu!OuJry&JoQt?77msP{xwCi>e_Pp|T73_WVzBKOs8D$%C>CfK!{3yc z6LTyO$6p?8qo*rb@oieHtIM(vaVu&lO|zq=2hC8#5v@}cU;uYoJCdaEt>N8ETu~ zz9=<^4(vRO#8IzYkna?UMRk+<##DR$s|cM zdWm5RS`P7g<=MyJX$ABhIrD``Cq|WWw^A)$JX#YCsn5xSo5#;h3b9I9DW{9AQz!*- zuL&$78U6`sJbw2!!Bi7^Es|IWFQD2aYkZQIlpngl$AabNEGw+29>uN;*HEcvS3_}~ zHZNY**2|}@s~L-tU2kdnH#xKfcY2eXb*cN(Ku)i2DzLEqclSC~o6h{cvy(4Q#XSv; zt<^LXHE5fRa*5hE)4YSA`-;N1pVJzJi}X^L6P@7fhZd#H*U)F4&lStI5rT5DS^-A$J+Z{1xsyuWL0NR3;WQndD) z`_fxzK`|afi4COl1Pel1Tn-jTbB>5Vhk5o|GIgWn_tRne(T=yDtF2v_eDpG_M-BP> zVqc=dfWLZ0{2f)Zs$1@zFGtuj$!!=1Tha|TeIZe=prrB&ILU}EW=5(8^x!|PmQp^O znwDg`18SQ}+6uA!CYu-^SJ$G)(3ew3n0UI5pBL}6VhbQq2h5}ulWHRBB<=wl3$2#+)fga4vuA&v2noRiu8j+6Dr zjRp47VB%An8)DUDQKWj+WRfamhHk$S#ELRRMNidudAlbwtdAqvL2Gm4>BrZW^rjDj zb8>|fb4@d`PCI;R=QPg5NY~mrd>&syx~0q8yy-{iX%fBX!&IA3J(9FloL89aXGzYD z$}`g(T9sGlZrjEpTBVun2|nt5T*Co4zpm_*k8fjwM4y+^pA8#2Rs~#hd_J-bAXf(W zH#HAXSh@$KwC>r%)bHN8FU~JMh2XzkNubCyZgF3VpVP?n_E5V7p09emBM?UZovK`{5PsP}8=qDQbjYVlPKCXN^tktC>G`-~F`B z$I1UEMf;0me-(|5gM!Y?iikG)Y=Pl9Apdyz{g9fcC(wJ3iD|g`ax~wO+<@G-l?df>I z?{oLPr;I=M%hUFjGuMj#Sia@hQ`X}%{_e8P#$b{8ovten?CY{et{~;u(N@cA`uIGM z?wA*A#wP9uuU;|gYzG^E>(5voKV5VZ7g(SX)F#>~11tDo*Gu2*&$}?C6Cb!dDs6O@ zs$Zkbx)3Fo?%`4$_)!SULJ25K%|-Ai?fd=%>CEUqf+8vll+(-Gn{q7*rLWFU-BH5o zFaGeP52^&(JkaLsy1^NI!rcRX7dQ)FcVa>%R#d4D=Z?_IxDfd!7^W0d9{agbxA`wa zGx&Eyg8&$sIG#n=|7mEIZ9**nG&DGXp?QgnFzv;gV$>pX+H-CL8*t4hTL2MBR!t{D z?$lN!636`^7=eKbB~#s>%}yXDX|AnE$&NqLENZ_cM(8Wsmv;GeQd@=$g%-4sEY|P` zNO8DsGQ-H3Xt01j>y*)FG_HL{qy#2R zp19nzV0Bv(Pz@Rnih+M+*}+WqowYS}YLuxOoCRylFhW>Mb4<3#0t&qy45nUH8x1lW zl|^r=7qZn;x(Ln-At3Eh)>p-0460R{tJk(5pOG7)P$hCtN%0Uu2xoc;#De&n2d#cD z*RP+5KViggVuzuJ)Zk4Aa8I}ymX_RhSkR-xmr5Pr7iTx5vfqZ~)?fEGK%kfXN#=l) ze6smvC3O!dBe>h5dGp(Nz;VTq2!S!v-@j2Z2T}4a)%@tU=i_OG)ITiLg#7tk$mc0= zX!d_1G>`s@;kADf8vef%8r{DW8cV^d++RXFMm_&eLgNAuS_7ssGK$k3cdplJ7~&vBO2HjC@BUD7MT$F~=EG zNIGic6LYbKu+MV953h>tACC~wq{%Ep$rw*4vEADNiM{NNeT!R&SI~{gPKg~e&MZ8H zdrZsC*&Jh9Q9#QKGGta-nzJwyVOCnr{;q;(&q+D@`$O(ugeLKygcc4Uw0a2R=cjLj z)Wdo%#8}ABww8-(@MH~OFCqTl*1I9fpeogSG+*7>aKmJ@I|zB*eT=ct#f#|wWV<&!TN-h zj|`1*G~8S%7eZ@U3)*fT6;37+dpOsf=aESsd!d7;GaaX}xWWuiMqx7mMUu%QgHXX= z3ADm7iorw;Cuy9-kc_4qN>@YE!18J~D}nF=ehv?)zFO8OEGNYjlPsFJ(10anGDd0= z;S=h+ov7qoIEBC;y=nZhWv_!!tC29chH5}3X{EYM$6zVWUQ(jkQ!p0hP0!H=fl^V{ zW)NxRtgIrWq7YHk%7Z%;xz_f@g!Bb(gwH5G}7PqCG0%3sX%ux9}%a%I?D&1b# z_;R2QP&9+Kj+NH4A5KK`074u87oj;j2kPX`>Vq-d=-Xlka(afhZ}}3KHK|X=)`Br? z&N1?~x7Is`SB|H0+$5WT?wtHqTl7W%&tP-G+_XtS+cqLGN7bp!YN?z z=8wr#Rkx?J{${|<S8~bmBW)?*L z>y!jQXdVDU%gDEdBDOdV<!XfeaWT4#V}k%aMM9B_Tm@YsfkDZ zt@D@AK5QEAzlxha$pVrs7P*#4I|%5Qq~^fBPF($D3*nU))l-X1Ox~b^`)DOUtJ~`I zYaU1Z4!%S;BwUO`)=Yx-21k>*E#-KI{`KDeD&5;V6&q;|r2YZgg{#fJ~L}X2uQ@Xddy)#*uQ!gwgb>zzS zO=q9_^rbloe7w_W`KxH|HCXOnIHTU6H^pSiFsz|p9*v`YxgcNk>6CVQN91Z;*Ee!;sdqODkp~zsXPo2vb#i= znmqS5DxP84?!3cRK2A*-0u4@Z<*k2Hv_>;330rW|^{Bh_FZ%nLVdlk&8tA|?>a)+$ ze<|AhUqx$QWsKG=S0EFa89MhHaJXOZ>#<#YJ&bb#NTZXi?_ArGouI|8NhR z7=MUpUt29}VOu_x=ZXugc^^4+h@H}X;#4nS;T8RG@Y4~s#AD<#evH0l%k{z0vKr}G zK?81ToW1-ifo4i2@#M916aEnE-%^7E2(@xuR7I;$&C}tj9W>%hc8hi8U}F{|zcRQx z933brSXOv70kPyA z8w_TYa+ecVuP0K~fd;wLrcVDH3glbpBy~6`6gM9A-R?MvR^AAdQ{iC2{sQe^6iOm> zh+I9WCV&E%hsRswLeQ|6Le5|)E2oD`B0_Pn{>PsXAFH4nfK z7BlAuQ#%w)3#8CZ6rwg3&6Aje=)A>45TpT|sGc!d1ZCoo<~Rz8Kh@Nc4o4}_Sw zT>wUl&IT}=F@Vu7{xTZpKN&6iKN-#JpNzKE1zS-ll(JLx`P*EW#?c8Z4<-9%MchnGhNCJm#oYSOVC^Ug4J z{EYDX;6R?>%Ma%sp(Os*7MR|Nk|Nwa-DKBO^M57gfhW;gR|k&BC5-v%@V84x)*!nC zm`xG5E5+a@yVl9Ty0+dbFhrdz`doCYX#5Pe)tBl+yQm4(QyV zOAF{|xj9kTC2pv9ERwQSbMhSXAb-?`WG{ z76_}|07e4`Fxshjr$#~I&qnXt#Q3yLJP1wOO=#Zqv>Y7`(Oh%CuDHWJB#)^0gw&2^ zeCYOk<2zO7uxNa~xV4@K%ml5@6zNBfl@knu%Sq*Vmv^D!p(a|}J2rAE8LKRUUvBBn zSviC4Sei&1IBQY#iDSQ;m%h&i@5oW(e2js4M&|wM{&1CiIhBTHDCzlFe%0#^bK?Jc zO55(S-X-milTVJ0!y8Vk^;w;l8r5rtfghLps#nR!LVHXr8xiKo~FtX`B0iG2SbQ>Cc z$^7KsS+Fg?Bi1z%(-ejry0Itg^%6uH37p1?Fq4OrKvc2j4mnDDQmxiVa{g{|EGHMC7)DA;!VRv5Ag4CI+3BMnB4+nLdJ zvoGy~nW#xwCOzA(Q4b9vee~UnRbOp6gq_dshtKOT&$Vee1khh* zodoy76+2(83PNh4OUJH!xE@yCI5 z`O8FTWBH(;6@0$^l!#HtPgVxKh=xVb@NI|Y;gKu84);ssMDzN9{m1mhszjNtz`#oo;hZ*OoILLdY?^-_yv5rB87%2NLhZAWgqNG+r~ApOHA;bN4#eu#j)ZwXM~7*krz+XC)!R zT4y1K?SjV+>KD$J^EFgZ)I)CLGv`-H5G#be+y&>{(!AI`{vvRalE`Cw({^A0r)p)%t}U>7YYwu<+S3U%|JBi>Vy&z`@Ii zhp-%yP%MN7grY!7SI+5++k4om=8Feauv1hY8}fVLDm~cf<%t3-pp`&~rS42TII>;4 zQbAt)^#}~I?^HE?e{Lp*+gw&_(*yF6wndOK1r>w@Tue3+d~U}vt(keIh*Q0&*&ekS zuBQ+)y>ho87+Dg`!ZVKt*ckSfOtVHRdVZwDUo~2c*D48=@VjiN@-&G8BdeVdltF0a zh3n~Y?n={cD`RdCMx#x5IhH~kF{_{wohq2-a`|Nt0523S2jMoiiozQ9WN5}K{$+8Ok{c!M+Z<0SS*TN+Zbiwq zuKY>V5Yc~!5C-M#hCSUJLhs_%{P@JwI-)O4iP5Q0oSt(mh?k3U*wxGg9$q4G!PNW0 z_61a^kg+q`f6E&5sHqR)OLZ%rc_{@q3PUbUZDXsuP~|Qxj&sr`+ujpIXRqkW#hlcF z0BzOBuEW^9R?m7waLq9N^0+l;>@VFF7(Mips=I`wIXmnOEym33C8{W^-WB}N)InZb z6?)V%Aupr?$%dG+)Y&a?jQWneVci_!n-hhxBcCCU1zdxhvqi;e zSB~}FG27ubXn%Q+aoFLQv4~$23tKzZp=dq==9lw|dn6x=v{jIfKTT8*+Z+@w=;y*dh|eR5`;Bp;UNUc7Bd+^QE?QI5AM1^dUmqo*5rFIwAo0f_=V$*JDbdK$TLESex(hj43H{8S_-PCC@=cxD96YWoGJa zhirrOjdE>_8)n=kv2|*J(+KzKUNE}u*~ahbC)KvI`FtIS=|Mg$KLKt?1`=}=^(T`Y z4;1b(EbFMY<~pb`ri%8QHgsx3VH4vh)SFzmM80kBc{2;(Yb?7*2!s7rFbkgNuI}ZK zR2gE?+ZY#xCfopKi&-XFH5K;ATLvD7pmND<%gGjAD{uAncs=9S04PTr;j3UP`Q`hr zr~nz>h~ZLjMsm~J`prl~-ghHk?0qw<_G>K^)F~mQ*40ICBtyf4gf7LDFuHWBhUlJP zb3aq_GgYf>aD^cb;cr`7bF$r@X4-6;ujFvz>*NK*WrSgq`Hnpie_qJ(bO%h&`#R`$ z1*;7CAn#JMS;XDg5jL28*FU1n&ew}v-oML4QjH|pbs}ewN2lj+@x1dK>RpkJ1M$(c zVehe?%rz$W#c=>NJC+m{M?}t2&>?~tWWHvGhn4TlCFYMCzp} z;F=|*O)LHD$ePz$orRKQAVw*b@{TP6_LOoe*|^F z>mSxbPGqIM__85U_rQAwa<6IZW$iS3Rg0J)>&Q!e`!SVeuY%8XL7DvqZ@6GLK$d; ze9(o*qA13&`>FP&N~B#C26dLu?8@gzN6N8v#?G{>AfoN#Z-3*DRvHC!wFX292dq0+$cm<{FNef}UqT13y?(r_gDx0f=76MPqMM~$?ECufb!je35 zhjD4<#?C2>0pH2Fq*THUHR$5Ignv~MePf3y+WDwOnV^l2 zP8J@H0QL%b&jjyOzr#n$=RUBzPo^+SwI>KT&;DFS!sTJ(m7rS&+ENcmH?<(|WE=IE zIALF4fBZnzyx|*3*EcEqTT?cVA9CXTU{-SU>X|zppxd}&bfM@oNkZCroo7>6#u6y1 z{tK-4B@^Jk-uc%46c0S2SV}tDC-t%fKSPe^c!BPF^NPJQyFkX$A?+mZrO}=zZ#7|M z&!_tN{BX1JHQ~CI1(TD@Ot_EHLCAbgE0)Y^KzU;JVy=RkcV9FdE~$<1=~U>@uyCb2 zusK$rmXX)ZUJ3hIAa1GE&|2%maD%;*DO}3Nq@xG zeM0Qn`BEH-hjQqeYs8*K{J}9BPkz`730; z&`EO(_wdWuTLu33fx0f5{!fba7pMNASnRBv|EXB)e=BPL{uWT;`yaJn?0>6%|KDoC zHg%-zNH`t4mw%1k11BcgAt8K^*GvT3{%zYE79w}3!yZiq!kzZ>XnwYzw`1=kgZ6bJj0bL50ZSVDo_SfYf5ETE( z-Q{Bj>1c5oR^qF{Ulk4LK%kd!u!S3EPD8HMPFV^LHP9PN=G{(4jgY`!_g9fyDTpa1 zr9Trz)^?-AtL=E3O*04Y==j-DqY}~sECKs@!3DyZkrzjX&HBxl>xn8?lm!$d039D< zK`x-ROCuvFNV4S$e_JY*4Ba>n0$u=Yo4SRT}}(4c5wL#o*MoY}nXN*%N}y;cvh4k-@f4jeLAy#@vO4BQ~^JE5BAWrqD`m4@iOsZ3e==;)j!I?1ZUTTO%K+ zMUinc@42ylmo4p!te?dwW@OR;$x&5hVanK~R6qqf4hrOG|03%37nq3WC&LrI8A%nr zDaSVc9e#*HU?l)&2QARa@=|3pXo$2WlJmz<(2Na;8xcW&yJcrq5baux-fm`K*fwRB zPMkd#KVulman{Udnz~KJaHVjV+B66bM1=wo-kNJ7JC#hS8=uRVkQ#RATP4M#%y5Q( z4(TQqE3Xb2XyBGuND=5sFK~Nz?G%=h?PDfQfb3d-k(7eIM&o7K^-%<|SenT3A>Uo5 z*Pmg~5?T&_VWnayqI)kF{{je3A>#qT2pXi!`F^YX2FfTJnfLEpkbx`uZwBTtmsC;* zO(cb-#X1M0R1|XpLWN9Y?D5R+g_^c24};iD8`bhG+GL>CrX+2yqV8xVtPK{&7^uZj z^NLlvb0|X1=r|j=k&{Z%nMhcuGAgsm%7zp*aqtNE=W5W5JeeQD;bWJJG6Gpt04 z8xp9KxM?H{j1XjM2p)ca@@OxS$VQ2qM`e!XM4QvQrX!@1$^xpuz+G&cC>N`-gtRmZ zE2zz9SCctKU(qzz8(Mqg=_qL#S4-2al{9O}*r%IknGr3#GZ1o=H$?G#fa0ART>@2d zXLrEzTd@t!Hz1vlUAlP*%^uZxa1G$~+YR+Ko!Lw*&`nZk?e`>-z!6T0=zkpx0CEYU?6Z^4{U#86CnaZSjmD~WGPQei5oAS~Oa9Fxy;7{x8o8vHOu zWmsVgS=xn^(vKL=_bTd2Ez};`G7Pm1losS+o!KaC=L~NAZzv>9awKKL`zaE}inL0x zDo*UHX(SCO5M@q9PA<)Fc2IGHCxVALYx22Z<#8cI=cmipqzh3mWZ<_J??XFEHV3Cx zbB7)B?{$?nOn%s}yUG8ZTz@ziA16KS zgW#R*ls@USPPmwb-MicfuKg+Q`Z!jeBI}Ma3F0JrGm)`uI3L#1QTJA*&`XC1a^{z1q-8t;5o37TFw|e{Y>t}yi5)Z zQ5idn61`lep^%-88p(keW>`*j^XrJaK+>*Nwg}38(f0ee^XekO9KYFe^2q9YsVRTr zyFW^rVw=oQGbh~z=w!(T*Xzp^@KsA_ZEub2#tXJ1!3*cB* zX1Gs(tYc9EaV$WKM@CI}r%0di?KF?-j@`Co$^HLMEMPTl&QyaXbgfJmrYV`sc%q9- z@lP1yvn;WMp`5}*-J)$T=!#Y~h>wjWBMZ*csbILUQCdzI+=ESS;7ZkS3ORI>ztJke z&i0LpE{Fr#c~-xj3E%9&C2NcbJk}uECn*1q4~w+fG)9qxr8_KV96l1}ep9&M*0qLKIJ^Zer_VNc$;K}-U_y}-(#a_VwdYqf&kkwjdi zOZ`rfodm>G>&G8KzIoZ>NWifKV(Cv3wZO`oM4Uutn`vI9 z4?^TCkEEbViZ9RlnhIZw=-sZVYK_)L$;1mx{6042&; zld*7@3YrDgpNi2C{0+Q$L|0~B(oq_l%UucM0z9?(R--Cjo*x1b26Lhv4pR!QI{6-Ti&YIj3*; zcl)dR3n-|~Uc2U4b4-7Mwo7ybTppBUq?RO+HK?3VhRT=A?8O7s(>;bQ0?RrZ(B8_b z(ut7ii7i1*-y_Byu$AdY2WcZylU95J0Pb`n^1V8_=oUm7lRZPg5hX%2DrAq~$3(3b zxu-o_R?Xe4LT#A_gwo$45@zBnj%&wkbZ3Cs7p#1ntTE4N+QpK-xP29Fm0;aDdUuw1!Z zStu+#N;w613GLugZcFE)@c>$3(&C?Mce}Xwt1}Ya73eV&ZudhvR19sR`AAD3X`+u zvfP=tNm4dW0T&Xg`lA)r>Qrd^6`O6TT8h~)K8P@8sq3gJ{<*DH*3r7gtq;Th6o!$E1m@T!kzlP5L3TbL?^a9#i^{ zHH9jNNpE}mPs^r_X&jCfGLB2cu~}v4QP6cJOtbl?)2Ni1#Mj?bSrsj6l1+aw&5nSZ z3MImxl3I@48GO%5P9>HUVv-sbN&aG}2=9nIiVZWV{9|#I*_lDg&>5X$>)SoP8$t70 z7DYzi2hhS6!|G`xw}{Av{rk-cI*mNJw`wSLWW+zr2ySerGW~!iF|BMcjYUiY%d?-J zpsNZO6p(2F2bw9oCc-#ho9}(7fm1Wxbtqy*{>6-`A3ei)Qh%a85f5UIJQUY=Y}no4 z%)UOFa@42b(6%7i4t*9VCSiYh4Qw}N`J)&XI+jmejiM_EIHs&;rGax$VGXd%0!cG- z+3PTAeo|v1#Y?n%Zw26~n=iy9a_O8K8QI5qdyTr!C`nf^C9&P-3+!C_BTWb~WFy0g zZS+FL3+L^ICVI8@o!VsW&b3X1JBPPX4G(}=RNPl-X%Si>5>DC9-!W%1Ns?NLuo+); z@9R7#^77bT&&L$uU~%CPmEt5raYkkeYosl|P+HlwPBAw?R{snXz{^EmP?3>J`_g?0 zD28F$EuVlL2woJR-o5R7;^`e%U2n(xKj-@l3JqF1{2;6}0C93#C9G&EM- zT6adJuB*X&RtmqJDSC!Y&@GbtKE??Xr3CIi#61eI6%UVO<4mUEW{Osh9&BMLdG!Be zlR-{#Q#kP~VZ_sisoIyT+zR=?S;fj)altwI8Q|lMjQ6q?t1ej5zEkziARq4{g0b?;DElJ>UAfo4Ey$TB)4`_JSjP-gk#!7$!yC z$6>PasdN>XCTC~NSQPl?1B#g`E3%H48BUfrAz`Cu--j;q38eesVWSDO*O-O3QWLRo z`0vl(i;C~zc06aoWOpv6fXRF_s0AF}*I@VgHu}j(Y6_mV+*L{J*?zuy2TETH@_pOD zd5nwfj|lD8=$d5Om?lCtox0Atb#=RevZB|43@B*_m5$3UE7H_SWe+Y{BZC`&s5ux- zV)><_D$`rHfh-Yo;b%HUbdrMO@H3i<%RfZ3?^_{%fQ!w!>AGdhTg5zlZ7@8&812Jh zC!MFxlOJf<{L1@r2gpl9XM`-Lcni)8B=)Ef6lfDx(NEQx#xpygXohkG3LGd?JuRsxygjN5LVTN|C$D%&Kcf%yU z9#=g@x}gLi=%6CdGczRc=zRG1J_U+A_vK%o53C!#lQf=8`%YMst;=)zlDX{GT8PFj zu85?=XLDwxoHqy_ej9BQux84>h2ma^eC79XBt_FBmLS#_C-dZO?_S-rd zA#ISGwSL1Qx@K@OfwoB^ST1z6{i++x3}v~2*cQx_fum8w&LtKJ(FXRzY7SCUszfV{ z)SbdzrQ{l%dfOsJhWM#Em{Jg=;|glbj~ggn^* zG?~W`IEDsMDSerV39;^muR$E~7PuS+VMr!o4=>FxV?JT65EV042?pn4$wWTS?3O<0*+fl}yxjCwg~T{cZVM(F8&|>l2rTKFkIWSI(%glu5nJY)NM>=2blLl4h~ReG1WOfGk&`mS-;GBBM3F4v3& z?H{Ph#ZvG1PwOSWozsVV`BqC3C_0-FpygtWwMRrd<=%oS2Q*cb`mkT+;XJOCNP@9I zk<4*3Y<8s~(UhV}-YFhKT9PIE5&jPp>3r2=ZRi+7P0tS3)D{#UG{acsakMC9HTNklA#nJx#G4OeFTLu_Ay6U zi0jw;qR-a%SGX2u}TS1R?CXv7xw1(Efl%7?oi|U!z{ZG%-j$!X$?&pw(z%AmjtEq$2iKjgs zZSC%-rn$4M$-vuX4bH1qqqD)*#{0Ju)QrY^9li>@w$eNN^Icu5&97`azNcOFmiu*< znN5+r-1j;veyy@0otxFi?q%s}(Pty3p4PWBj^OSCmh}B}Y(k}syx+;`n2DfWS4q1uN-R@;sD0F{f_h9?sX3F1%xip=Ji+ey#6abt^1fQ zD4}eWovt!4B`CJ z=Ry@J2ws+PcAd{VX-xXlrhVLd!T=K98Y4pj$pdv5lO)3vv2J9`4)Ese2fTo|I!Fi>@@!Q-m#fe5utE z$b&h~DZg~RKaMx5Mm;it25&<#g$=9a3wBmY`#YU3W0%o=fMIRm}Fm&G7pv&dSY5pmu{p ztaQWMGd|+hyTIUiLKw7`-sj%dPIVJ~@WdXyWpuq^j0-)Au;U1C9rCGV4kz!JCU9k0 zv36e$|F*_eDVcg*us7< zjqwe?C-*m$^Kv;^wC2KnIlH6T-`QlEG3$0HIme=PRs%nGMs6N?;&pl2zFIFxZX@_F z80!z6`U_*R(*F;}V*cM4>%(&Re_^ayEh#H%F3Yv~io#o`gReA3yK_wg;F0x9`HH#a}LoJ*3jxKI0!)n;`6}$f5Svjai8H zHqlzE=01*vPf~t<8E?UQk{4Aek$Ps^l#85)xiakX z<4^|#?RKY1IEQZ3fW$(wGu-l1cq?iH*ryVo?=7$s*k`z_MXR_@8!SHx8iyKp*;hzm zH!9`jlhT1b?5~g%r*_GNl=e-%!w|h%NhkC&Rp&nc04H`5+4tWo0dwDgo54BQE9R=a zf$i3BI9q|GnHfhiTYWH5A2)NL)&h`}VS%4ubN3-wZ1=;XmsZQsK(h({5mYL0j&@w%t z;U4o{xqNFv$fTt=KmwsX20=(FZA4VECMPvR|24d=zB6<+;Un5I5o|G?X>_t2#1H4& zN-Zs#{GeEU^UWX{ib6-E0$<&4H9CW=76mF(Z;)#+29n>53 zLS5>-SNrP_7=y9PrBW8LatS z4)r8|_UY+xWPKIwE)YK@XyVzvs5BOn^y@)0JuI(&fXGm=j)XM=!geReLn=DYT;T~^ zmKR|G{G{<+E5+Cu$Kc#vI^Y|{(%FQ^rooGB{RhLs{8jbAuw+$g|1d0c;6xDt>}gL# zJ^n1i0X$?n!UugRBBvQxMzbDUs3<1gU9n6=V> zp;b?Pg~v*|LSV4oxLUKwdrXmmw{#P=QwuwG#+YOjRjoP&E&)MW8&|@MRtYiAE z5qCH8BTZi^idIsp!bM0CW>MYR2A-Tzj=@yYSczF#Kv5wyyOEFMh#%c|3zz0ML8&j@ zq^Y#9jwa)Mh`14vDygGdykI|mik84Z+pBX^u|yhL^aL79EY}x+-6a{J{vU)@Los84 z2@o0nL0G-D0EC6Rv?QUWC!QFW0N_{B^%OL!u~98DKRcNoIaz7qfJ5iVn5p5r>4E=9TJ#&Q{0B*h}o0RQ?{Yhn`| z$@*PK)zW6hN9o5t(I{vabwtB4md5!$zbY(j1+xj8;IMhMa7}=qZX9iCwm>MMdq%R^ z4g$Me5VcZd^irtPXC8Ci2_0-hK(Lnm0e@g@D|A}B>_QA;p3o*fn4SC# za0N`BEDGuC1&1orQj;ZAcguPV)rFZ_B@k_x5Z785Tm)Q^qEgMlFA5km)z0?AN<^rr z^Fzfb0Z5Z^I(};v;B-2ZB8{@fGd5teCf-Nn7=!G&rcA*qm26B-)8klY2|tn9jEpdM z`S;uM8;||6mYz9$to@5CGd=)ThSh5$0AM{^{ROaeKLA$A2f*690RXJr?4?>98Lqzo z)@{Rg`!0j+Hp2b9+SxcXcb^1XCs5}sQJmB8GUjSCF=uRvRwdK)iQ0~j64puYnhKzV1v{Q&m=!|v!LLgGfB2QmxYRu4 z?HStu4uD@RF{Rpk@GBtzzjArpwy8j$|$Qim)xMPpjh6LD=dws51-ebCyZe>J-QOq+UZgdWpBYn~(m5Vk}qUojeik^wADx2uQtyid_z{ zNk8JhO1P6qUaZe}J)D*V!dV@oe1_-LB3Y`Rw-9NoeU2>#2k2oz81NFg=8-_`V3ovT ziR6uQGSz|B__BmrJz8fkJB5aURShb%#BM1W64D;4E_+N$3 zwYk&fW0+_FHbd-JFInkKGJwrcy+2392?%M8*jwHx4*$#Gr*&rk9}P?gNn<0!ajMRD zJhm@oau_Ny(=Ei+vtjuIatiQlfHwf3ho!?6gA1-$dB3_dd+q&m$rFWpJcQnmZ0-OKrex>WI4tf<`vXMc2x&C7H+~V zp?>Qb;2serAjGK)(#AifeQCiBnIhHrqf%Wke^H(MaFL8s=RGA%#Qe-TPA(JrQN&7> z^{tell67{=0Jdi+PAQR^OH@sc0N10>p?#4?A+I0n4x*BAlo!#6BvH48B)v=%<@k$U z5d{l;2n}oZ|DspsMZdFn0YXD5c#--Z+8@ykK85^?N-wOEsOpv}PUdXJe9$ieo%v+> z$9}ZOLOogx{rjAfsM2=T!`o8QxB^n;8d*#z*GmNh4S&(A-dX^?DlkU$;{wpDyFc{G z1wgNqfI_yH3HxdVh$AUvRsjFgMXO;VdGZRsL{lHpSx2DLune|pb}sj-BB@v%P?jqs z=w6inrdMbGL$8?s3%%0+PkPn#7rpYx0MIKfwF>0s(#UA6{p{xO)PLxel56NiOi*Ed zsp>BC5`dvk7bz<+Pq~Gl31A@3#(h3wuZR&o>Q)|dmo4jO_=X^1V5#bA&dGy z_$`P?eaUGjsrh74)kT8Jw38v0k`jmX@ag0l>oT&(F=gW_wOzl1*@RmAy)Er)aohMb z@?35t6ayLo;u7ae`Mj^#jvw$!bCTgRC!Z*0{HPM*@{f_TC33!|A45ix+cJfN4R$j~ zackxxf&2X-aGpbT*;nV&_ip| zWLxGe2^ps&d|ko1PC`VC??SeeNY#Fc6g7RX*2MwMq$q!SN2Xjg#f)>bHTU~*4#?pV zX#K1;ha!MoS$(jpwhwl7$T*vSJPk|fO8opil~&QhG1+vFadrgER4ftagI$e%uq!%= zxPWg73GjwL;$-+*WtbH)a^#YCe@^f8QrGPY?F0q3`CdRw-onXTGJ7NfJ0;uJ3IL>r z`Pdc{y;+T7!yAYr(!!~Zi8Mu-z%>0BSu$n$m#V}va?vs!_$DR?9P70&^)~#>FLk5d z8>)nOgo|bx)1CHZ5vwLPPuXm>VKvFy@EMO2`T(n8CbV6gP~^uM#kl?lUU?TB+7u)= zhnfOO3}4TGz^jUnIu@F?w59>TYKSIKYdvcYfLAmISVn=Q9T8hIruGX}e_gT&;qox3 z`XrX@=ix(M4I$ z59+^q+eWRfSo^7DTvPGQ9Mx{BIK3@qYkQMfu<6>x^Q#(0b-ZXnJvBBDS?yPs@>hZM0(%a7(ecUI**v@!A z?dPL8=Sx^WzmdVhMuWR?0PYt{19t9irR|Dzi^S4|M~7*8OuxN=klMlHy&Xr~Bf&DH z&x|n^zOLlvGxV4UKVq~q9ygYalp|XBA$^I%*|FK!k`F24k-P9-H`E%*(v!^B8G3cunXYGl18yCcWju^hs=+OfK2&>->Q9hBZ`! zM*aTrC&)9p>67=D$l-ck0Kh7L@E$>q2LP--0KgJ?9ry=e6%;j?=6ICDDw`qej|OGLHIJYt1U$Qc4b=ta`3j@5rG|~`?a4uI&~f##Lb3o`4~;h z0k2%Die%o?y!?C>_n_-uu6<7>ygtKuZxZ$Eq+62&%dT)-uri*)j` z0W)~Ccc>D6J_7XbpL%+~ujr3>?@c-QDx86!LoRi%qVO}3wVG~@2>b}pS_uaU^FD$; z!dD_PAcF|S?trF@In&x6`${|U_1yeP?MRKp-m|VjfA~&2(|vIMa+(e+ zfoDZ`HMB%?fwz8XmFcO{{T%Uq5~RJ~U0l<~>U9yC+s3NRb8XF4Gq3gH7LnFryY8%$ z&7G^l;(es;e%CpU9?4_DLfPhx)!pKjzQ_ShQ}pGG3#eCs8PDzHI|>SieYS4>68gP@ ztjq(JxJuZDoA-P3J}-77hXhwON}-2bKknY?JNkJzBK8?^I@qf0ce95*NROI3(EZiA zOrQPW13^7fO6qTN^_q~24e~CsfioHP^YUHn?cVo-84%+Kq89`$j`v7{y5|}1=LaaZ zDFrbs5}T);I1}~RE$Pq)(!i?Qn>o3YgbC>Rki4u>rS{IxxU(#U?kV$cOjYv^3GPO| zhfK7tnZ>D#`dlHCVr`BxRj-#jVCB;tgLhwQe$-W1WHS6-&K{&+#v{U>=g6aFvS-LdarJVo zy0+;R#D)FH`_Cm1rknUj}%A_YAufvSl>q@K@s&(*` zyu3|bb!3qw+|6xGIgymJKG;eTIyad6#X7^!hBy^@wnemG*LybU)FO}g;&VgQWDe3t zYed5g4A6sd3Hs4#1d||j8=FxDDp@nI2eN#ds}um+f)4%LhG?DLuXVa1{l9W9WR3O9 zXzlTQ!z`Oj_Bm5Ue_)umnCLVH8HG!6s+5ziQ^f~{SuqtGcy#;@l^3VAg2(aW1xmvC zMdd4{ybDp>OBi)g;S}7E5(VK+X+Gnc@Kb)fITzf+L6sTx0d?)1_iIk4)H)-#8y79H zEX$0KXSO5mHN?agg;y(>{~i82GPU`_Q?8d4(*c=^#B;IyJ=wVOJbL*MsO7ONXgtaR z7<|M0Wj$d;5hMC*p$b*{>m0|CdFP40+HWZ|m-4Hx^5BI}g?>RyvySy_8~%y`;$UyS zPvsb3W-W)Z77b;p))<75k}Y7eP1$L8eGcoHhwkARAQCh^j#uI9g4~;$0WYH(a416E z0tPl?KDLk3-`ce7>^NdTkCWa&$}WMSFVab(A!g?A);Eu*vm@?H<{4HPpv<`5so#xo z*N2(m+V8pK17YufI%WmJ6I;Q~mwA{s?hyFnI4iD=3wKY*IJ;fmsIp(`GZ9{vh!+BXQUxL{kN?8pP?NVHu`_7T(JG`top+x_J3v7qkycMxW#e}Fu&sf z#Ff_o3Insiv<9NDQd|CJ8eVtxUd%wOZxb{rfbc@(u8s?ZeZOTy0;Is8~wbaD8g?Ud{ z8~1sCUjOgrupNpl$MKgfSBITPSM8`;7Eo-}nR@2gIe>>Q9^9qd9BQ zO(f&8IF7fU@;~Nx^Z@faO8OC6pJBm^1HOLCI+}CI_hxLWDA1>YGhDoNrVlCsT|Us{ z?C#+3d$dYImj_}LTgiw`#)wWa6z^qCVIQ`q5VKVm$5&_aa9kK#f}zh^Lf zQXSzz7l!R7JFJkJ$uORK3Qkqnd^@SCZi-k1=GM7TEvyG-#x_vg24N;GJ&H18>ctUY z4$F~bf=v>I(;92wPl{kR)bI+LD!wNERLII=yQ6@Il0@Kby2S!FipU|j1)b_L2x(%; zQap|4{h1fUD8*GIkSATd5+f~-J7p9;iZQ}40y`I(K-PUxEAmjtW5%79a@|4T;(})C z%&cb2J%u7Ql1eoGcbdYrIAO4Y##uHLi%$`H%61v?4Pbo7=kgFRzQd_d+|^|MBjJ!m zZ&Dmriuh?t^5;}ON!kG#{eY&82EMh*gc}nG(Z&fwI_HT1sLmW$uW~O1*#`3=P@un0 z-wAfm9J!>lM6521LV5|rRT$7tofq(RYqe-4BYqbbC*4ZB3q9V7cRR?mmOF&3-S40U zbIyBy=+U~KCM&nPbiOg3N^4kgBpUj~{>SZKJ0j&Vjj_WEAeh7Y6W+v#gi+pufM1j; zX-e^!lDP1Cvr7aB3w=~jj|F3?2E7$lPKzhW#~r-$)#V457=CWZ3UaEcjvV{Uf`*eD zM$`7|v9McyXOskXV;Y`Uk3oNMmah=QVgbHl#sHz?NA2R-o7Ozlx$XP10H`hfmF;&% zss79u3tmyQ!>BFg8@L$5B%DJR0jcZ@umHCh>SUnWIlTlbuSq7^@9;HK5U>vj4JXsB za3hENyr0u5pPYry;2{~$f=*&);Kb51$gJ4)y{gz?;5tZ&pSlOVLstRjFk*l?O#j0i zmImmV0wQaOi%YOtoDJ;Fu3AK+phv|80a5veWKQ^|e?`{x9wbTsphy8k)`yFa>C(P9hS?0{tc=Qk)h^;!i{z1k6JveMSO1Buq2UQ1w#m`B zkHF(uzH@*LU`BN>gCJC3c-DohN&jvsQq<*18bRA2`}FDL88?lzaO?GGcYDzsn-%gj z;AZ17+9VA>y#2sIXV3zv8y8lGfyu*|^#&{Ux;W6XL|u&6!OK%2_K~p(N5y*NR`+EJfi2pWJ~GJU<=pp4HyE3G%x$ zZd@4*y8B)Lw%PXk5ZQPzi@==MKR`y`SWb#r1`G!-njxvc3$?p>zC>DGjlX&>0E!5U>pVo zGkD)yT9-OX5gI;h3)_fZ(IDA?I6fH-t-o3q=b+8LN`@bqwE&%W0U)!!-{*IP4KHLi zG0NU0RnJiu`qa z+P@yK9g_hNhY142VH&Iro&a$eAZ7oPS(l79tFg>6~DoPuhn_~V;9Om~S4g*{s zBVWWx=FT^4jtvPh1B{#eomoeM!|O~7G|~|5@ydbNEFk?4yIBb0$K)fIZ|(vWp8Q1 zc*ccQ(qh9ScVK>lG?K4n9NP4YJ%!}L6c(^~BALJPuswXZNSZ66M{_o1gGoW%o z?NM@u!2FKA*~f*dDe}wQEOk&0S$!)W1@L9+LQ?Z(>HcGVC%pM%mH~Z>tutmZ$5cw}{~0(Uo2P

afU#U94__kM{&r=b{vLqmJ+fGr*7IdJpnpY##!xeM_T7--|5}8Kwb@W&9baHUD@q&{CDlq?WTFxJ=ksok_xd{-a;^e6UBfLGq z5fC0#`Z<4vGasWskwHiIiD-1V-10Nb|4*qAZy64EYjmIhrpZ(es1k~+{?WDlf2fjp z;~kDLgT+9)k0H!}So*i1zNzNcD|S!mpBdei%%6c?3HaC5GR^jwnHnbYKD@5=-3PhgZs~` zGFWygvB5H!Ks23&kq+S;JOhA%<=?0gIq=wlTJc5{{6H2YB|t_+$H1}~XypP2i=AB) zJpw2UmXJE@C;b!7WQe60z+`kGl}3iy10O7YXzg#oiZ@x|A3p=&Ohr1G2Eb_)aP#asqc{w!X(@I z)shZi#dCd_)xrZyceIp5Nc3>R8U{wGUmN7Qaiuq)`3*< z925=~u4^Gr0ji7!CpcTkr?&H}j2*y=7d-R9g2x6=0U`z9;H(6mqVp@Q9l(kg6!XE- z!3U#9;SiI-Sqan_&jcqhS-}zU^T7*$X;=70*Fo)Yg zuOR;mQZbke3R=9OK=8|eFj(LvI?or-=k7nc3G8t9 zzaL`h3>4(xr+^t?shod41?*zu0167e;%SM$*XJm zXP9|)G5zUU@iYDePgl~PF6N)by#e`O`DZMxaTk)8xHlpHGyZfj|BPiw?@IFOV*VLh z_3KLf>0Q>{)$#HBU@}OnaZZ3)ok< zW#BBtzDVGoQW*f=17MThW3!HO3v z(qP{Uwr!bcPlg755+yFdPS;^NB?`C`FD2$JK^m0?5Yd4obh7{@jfZE!+qb_&;dY`` z*fyjX76g_H2ST7jU^CDT`$8OnPsTIF;JaU#bUR_Qn3w;MdxU*HIJk)R$jORGp#?`i zM8S5(Wbxb-4U84k7zREd7B+@pFo1ziu<<4ew-Y8~au8;+796gHQ(@Rk_3+?2p65rJ zWCW+Z@JuuKTL_966J6o>q9XPW8FCC6d3#|;x8ZgUa`q~ShSR4urLO2`D|u`gSOZc>B41@CY*(y5A0aRq@kEmxD49T39@7` zY3LfNa6M2u(729e&=zu}bu2^mP=2kBZ8`bTC%ha&Z$EggkF9ow>)=)IB-WgI$Kc*inm%R~o3 zMC*yt0k8DXkZ%&M2W{D+`i$zK2Rnu9K?*P?y7nks#sCS4@(XDS@C?1&4hN1%gB2XEG~9^lMGS8O}Lg?a>D(I7jsXgw%H$D@VY z0;8Csb_8Y#M?yQ+1GsFO2+pV;dN8F!e@q6P=IvMpCPPNoUq$PQ+8`uX;}C5DqGOT% zXfRla+9i#}W}~cg!Y}|X9X(DXT!!iq%Gh+KsJ=j3CdxS1p)J&7iSU%hfp^D5bQju! za~Ej~^+ai-ao99b+8{;+B^PZAtQUa+N5(j4BSRQJXbX<0V;QO^YSRb;!M8K%4D{Nf zaDS+tsBed}c^pw)1Gp?v-lKZx9kLGnQR!@=Ucvbx5qiOqutoKXPJTtFhyhuWuP6R z^}tw(W!MXt!t^p=geUk!7E$k^9(ZU148ph%^+0f<_2Bd=v5X>WM+_K!i7@EE210*~ zPGA7mgn9&9g@fK?A`A%Q2yGcK_Y&<71VStWvTp$z5= zB4umTyKJRR)_5iIGL?!H7wa zImC4YTwtUj@DvUli;j(KI^@hJz~B&KQJ8_D2U9!p04Bu*7z_v+2=(abz_LhNrszBX zW_c`h&qSmiOkzdLm=K^6%CG|@9os@+N8l9`f(AlcCc)>hnJkoSSfoF~T%5sXfnkc) zgTRvjg9Vd1LOnWqTf8F-7Uaezlo95{0GC6QIXDCY445JkV6b7yLlg!QFrf^XMJNNn zgfb3M<{UCn=DNNIL@#+o%lo!QHNj+h~U@Iupmk=2VNc( zwS5kmM$jP+tQHX4!fZ%{SKv7beiv9J8WTdS2gcg5Es7IG#}t^jzy^p&J&3Q+VGm)w zf_en`LNrbholipxL+(n8w1J+xWLQD1RI2_bA<5-=F^0E87xZ?#y1!$ zMAxMtXd?DUgQ>WP++Z0I9E=EUNDoBy3d#t4fj5f?whFU10#6yRIwHzvaK!|@hcaS+ z5MUATV`C50caR$ldITMZ0ge!>FyT(As4ST<4Iq@k@FAj;utY%|rZ7CeWn8E_15#<4g%t04MI`E1E8Fz$YJ;=-91euDY z;R5>tr&V0EW==A3bA#84Q51{z1W;NX_y+x8-?SAi6sK#^G_`fuIuMbt;GsDVhph=u zIde2&5eP8Tpu?K|KUYDo96**CEk`b-rSNu9Bx&mC=rZZL+DvU4N1Lq0p=f9^G<4w$ gN0X&XXVTD)gr^szSHhO}v2}Eg^!V{QM!M4f2OJTh`v3p{ From 710f96198446ecba70dc21fdacc0995d77b5bd47 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 12:46:31 +0100 Subject: [PATCH 0218/1450] Rework key modification API. Fixes #225 --- .../org/pgpainless/key/info/KeyRingInfo.java | 125 +++++++-- .../secretkeyring/SecretKeyRingEditor.java | 237 ++++++++++-------- .../SecretKeyRingEditorInterface.java | 14 -- .../SubkeyBindingSignatureBuilder.java | 15 ++ .../signature/consumer/SignaturePicker.java | 4 - .../subpackets/SignatureSubpacketsUtil.java | 7 +- .../org/pgpainless/example/ModifyKeys.java | 29 --- .../pgpainless/key/info/KeyRingInfoTest.java | 7 +- .../modification/ChangeExpirationTest.java | 18 +- ...gePrimaryUserIdAndExpirationDatesTest.java | 224 +++++++++++++++++ ...gnatureSubpacketsArePreservedOnNewSig.java | 16 +- ...ithoutPreferredAlgorithmsOnPrimaryKey.java | 15 +- .../SignatureSubpacketsUtilTest.java | 3 +- 13 files changed, 510 insertions(+), 204 deletions(-) create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index a75b5741..a0cf76c3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -22,6 +22,7 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.bouncycastle.bcpg.sig.PrimaryUserID; +import org.bouncycastle.bcpg.sig.RevocationReason; import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKeyRing; @@ -38,9 +39,10 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.KeyValidationError; import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.SubkeyIdentifier; +import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.policy.Policy; -import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.SignatureUtils; +import org.pgpainless.signature.consumer.SignaturePicker; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; /** @@ -52,6 +54,8 @@ public class KeyRingInfo { private final PGPKeyRing keys; private Signatures signatures; + private final Date evaluationDate; + private final String primaryUserId; /** * Evaluate the key ring at creation time of the given signature. @@ -82,6 +86,8 @@ public class KeyRingInfo { public KeyRingInfo(PGPKeyRing keys, Date validationDate) { this.keys = keys; this.signatures = new Signatures(keys, validationDate, PGPainless.getPolicy()); + this.evaluationDate = validationDate; + this.primaryUserId = findPrimaryUserId(); } /** @@ -251,45 +257,67 @@ public class KeyRingInfo { return OpenPgpFingerprint.of(getPublicKey()); } + public @Nullable String getPrimaryUserId() { + return primaryUserId; + } + /** * Return the primary user-id of the key ring. * * Note: If no user-id is marked as primary key using a {@link PrimaryUserID} packet, - * this method returns the first valid user-id, otherwise null. + * this method returns the latest added user-id, otherwise null. * * @return primary user-id or null */ - public @Nullable String getPrimaryUserId() { + private String findPrimaryUserId() { + String nonPrimaryUserId = null; String primaryUserId = null; Date modificationDate = null; - List validUserIds = getValidUserIds(); - if (validUserIds.isEmpty()) { + List userIds = getUserIds(); + if (userIds.isEmpty()) { return null; } - for (String userId : validUserIds) { + if (userIds.size() == 1) { + return userIds.get(0); + } - PGPSignature signature = signatures.userIdCertifications.get(userId); - if (signature == null) { + for (String userId : userIds) { + PGPSignature certification = signatures.userIdCertifications.get(userId); + if (certification == null) { continue; } + Date creationTime = certification.getCreationTime(); - PrimaryUserID subpacket = SignatureSubpacketsUtil.getPrimaryUserId(signature); - if (subpacket != null && subpacket.isPrimaryUserID()) { - // if there are multiple primary userIDs, return most recently signed - if (modificationDate == null || !signature.getCreationTime().before(modificationDate)) { + if (certification.getHashedSubPackets().isPrimaryUserID()) { + if (nonPrimaryUserId != null) { + nonPrimaryUserId = null; + modificationDate = null; + } + + if (modificationDate == null || creationTime.after(modificationDate)) { primaryUserId = userId; - modificationDate = signature.getCreationTime(); + modificationDate = creationTime; + } + + } else { + if (primaryUserId != null) { + continue; + } + + if (modificationDate == null || creationTime.after(modificationDate)) { + nonPrimaryUserId = userId; + modificationDate = creationTime; } } } - // Workaround for keys with only one user-id but no primary user-id packet. - if (primaryUserId == null) { - return validUserIds.get(0); + + if (primaryUserId != null) { + return primaryUserId; } - return primaryUserId; + return nonPrimaryUserId; } /** @@ -314,7 +342,7 @@ public class KeyRingInfo { List valid = new ArrayList<>(); List userIds = getUserIds(); for (String userId : userIds) { - if (isUserIdValid(userId)) { + if (isUserIdBound(userId)) { valid.add(userId); } } @@ -328,6 +356,18 @@ public class KeyRingInfo { * @return true if user-id is valid */ public boolean isUserIdValid(String userId) { + if (!userId.equals(primaryUserId)) { + if (!isUserIdBound(primaryUserId)) { + // primary user-id not valid + return false; + } + } + return isUserIdBound(userId); + } + + + private boolean isUserIdBound(String userId) { + PGPSignature certification = signatures.userIdCertifications.get(userId); PGPSignature revocation = signatures.userIdRevocations.get(userId); @@ -338,6 +378,12 @@ public class KeyRingInfo { if (SignatureUtils.isSignatureExpired(certification)) { return false; } + if (certification.getHashedSubPackets().isPrimaryUserID()) { + Date keyExpiration = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(certification, keys.getPublicKey()); + if (keyExpiration != null && evaluationDate.after(keyExpiration)) { + return false; + } + } // Not revoked -> valid if (revocation == null) { return true; @@ -588,7 +634,7 @@ public class KeyRingInfo { } } - PGPSignature primaryUserIdCertification = getLatestUserIdCertification(getPrimaryUserId()); + PGPSignature primaryUserIdCertification = getLatestUserIdCertification(getPossiblyExpiredUserId()); if (primaryUserIdCertification != null) { return SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(primaryUserIdCertification, getPublicKey()); } @@ -596,6 +642,38 @@ public class KeyRingInfo { throw new NoSuchElementException("No suitable signatures found on the key."); } + public String getPossiblyExpiredUserId() { + String validPrimaryUserId = getPrimaryUserId(); + if (validPrimaryUserId != null) { + return validPrimaryUserId; + } + + Date latestCreationTime = null; + String primaryUserId = null; + boolean foundPrimary = false; + for (String userId : getUserIds()) { + PGPSignature signature = getLatestUserIdCertification(userId); + if (signature == null) { + continue; + } + + boolean isPrimary = signature.getHashedSubPackets().isPrimaryUserID(); + if (foundPrimary && !isPrimary) { + continue; + } + + Date creationTime = signature.getCreationTime(); + if (latestCreationTime == null || creationTime.after(latestCreationTime) || isPrimary && !foundPrimary) { + latestCreationTime = creationTime; + primaryUserId = userId; + } + + foundPrimary |= isPrimary; + } + + return primaryUserId; + } + /** * Return the expiration date of the subkey with the provided fingerprint. * @@ -668,6 +746,15 @@ public class KeyRingInfo { return primaryExpiration; } + public boolean isHardRevoked(String userId) { + PGPSignature revocation = signatures.userIdRevocations.get(userId); + if (revocation == null) { + return false; + } + RevocationReason revocationReason = revocation.getHashedSubPackets().getRevocationReason(); + return revocationReason == null || RevocationAttributes.Reason.isHardRevocation(revocationReason.getRevocationReason()); + } + /** * Return true if the key ring is a {@link PGPSecretKeyRing}. * If it is a {@link PGPPublicKeyRing} return false and if it is neither, throw an {@link AssertionError}. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index db657a31..8b703600 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -22,17 +22,14 @@ import javax.annotation.Nullable; import org.bouncycastle.bcpg.S2K; import org.bouncycastle.bcpg.SecretKeyPacket; +import org.bouncycastle.bcpg.sig.KeyExpirationTime; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyRingGenerator; -import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; -import org.bouncycastle.openpgp.PGPSignatureGenerator; -import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; -import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder; @@ -47,7 +44,6 @@ import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator; import org.pgpainless.implementation.ImplementationFactory; -import org.pgpainless.key.OpenPgpFingerprint; import org.pgpainless.key.generation.KeyRingBuilder; import org.pgpainless.key.generation.KeySpec; import org.pgpainless.key.info.KeyRingInfo; @@ -55,18 +51,16 @@ import org.pgpainless.key.protection.CachingSecretKeyRingProtector; import org.pgpainless.key.protection.KeyRingProtectionSettings; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; -import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.protection.fixes.S2KUsageFix; import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider; import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.RevocationAttributes; -import org.pgpainless.signature.SignatureUtils; +import org.pgpainless.signature.builder.DirectKeySignatureBuilder; import org.pgpainless.signature.builder.RevocationSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; -import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil; import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; @@ -107,6 +101,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { // retain key flags from previous signature KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + if (info.isHardRevoked(userId.toString())) { + throw new IllegalArgumentException("User-ID " + userId + " is hard revoked and cannot be re-certified."); + } List keyFlags = info.getKeyFlagsOf(info.getKeyId()); Set hashAlgorithmPreferences; @@ -146,15 +143,54 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { public SecretKeyRingEditorInterface addPrimaryUserId( @Nonnull CharSequence userId, @Nonnull SecretKeyRingProtector protector) throws PGPException { - return addUserId( + + // Determine previous key expiration date + PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey(); + /* + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + String primaryUserId = info.getPrimaryUserId(); + PGPSignature signature = primaryUserId == null ? + info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId); + final Date previousKeyExpiration = signature == null ? null : + SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(signature, primaryKey); + */ + final Date previousKeyExpiration = null; + + // Add new primary user-id signature + addUserId( userId, new SelfSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { hashedSubpackets.setPrimaryUserId(); + if (previousKeyExpiration != null) { + hashedSubpackets.setKeyExpirationTime(primaryKey, previousKeyExpiration); + } else { + hashedSubpackets.setKeyExpirationTime(null); + } } }, protector); + + // unmark previous primary user-ids to be non-primary + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + for (String otherUserId : info.getValidUserIds()) { + if (userId.toString().equals(otherUserId)) { + continue; + } + + // We need to unmark this user-id as primary + if (info.getLatestUserIdCertification(otherUserId).getHashedSubPackets().isPrimaryUserID()) { + addUserId(otherUserId, new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + hashedSubpackets.setPrimaryUserId(null); + hashedSubpackets.setKeyExpirationTime(null); // non-primary + } + }, protector); + } + } + return this; } // TODO: Move to utility class? @@ -468,118 +504,119 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { @Nullable Date expiration, @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException { - return setExpirationDate(OpenPgpFingerprint.of(secretKeyRing), expiration, secretKeyRingProtector); - } - @Override - public SecretKeyRingEditorInterface setExpirationDate( - @Nonnull OpenPgpFingerprint fingerprint, - @Nullable Date expiration, - @Nonnull SecretKeyRingProtector secretKeyRingProtector) - throws PGPException { - - List secretKeyList = new ArrayList<>(); PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); if (!primaryKey.isMasterKey()) { throw new IllegalArgumentException("Key Ring does not appear to contain a primary secret key."); } - boolean found = false; - for (PGPSecretKey secretKey : secretKeyRing) { - // Skip over unaffected subkeys - if (secretKey.getKeyID() != fingerprint.getKeyId()) { - secretKeyList.add(secretKey); + // reissue direct key sig + PGPSignature prevDirectKeySig = getPreviousDirectKeySignature(); + if (prevDirectKeySig != null) { + PGPSignature directKeySig = reissueDirectKeySignature(expiration, secretKeyRingProtector, prevDirectKeySig); + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryKey.getPublicKey(), directKeySig); + } + + // reissue primary user-id sig + String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing).getPossiblyExpiredUserId(); + if (primaryUserId != null) { + PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId); + PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig); + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig); + } + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + for (String userId : info.getValidUserIds()) { + if (userId.equals(primaryUserId)) { continue; } - // We found the target subkey - found = true; - secretKey = setExpirationDate(primaryKey, secretKey, expiration, secretKeyRingProtector); - secretKeyList.add(secretKey); - } - if (!found) { - throw new IllegalArgumentException("Key Ring does not contain secret key with fingerprint " + fingerprint); - } + PGPSignature prevUserIdSig = info.getLatestUserIdCertification(userId); + if (prevUserIdSig == null) { + throw new AssertionError("A valid user-id shall never have no user-id signature."); + } - secretKeyRing = new PGPSecretKeyRing(secretKeyList); + if (prevUserIdSig.getHashedSubPackets().isPrimaryUserID()) { + PGPSignature userIdSig = reissueNonPrimaryUserId(secretKeyRingProtector, userId, prevUserIdSig); + secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig); + } + } return this; } - private PGPSecretKey setExpirationDate(PGPSecretKey primaryKey, - PGPSecretKey subjectKey, - Date expiration, - SecretKeyRingProtector secretKeyRingProtector) + private PGPSignature reissueNonPrimaryUserId( + SecretKeyRingProtector secretKeyRingProtector, + String userId, + PGPSignature prevUserIdSig) throws PGPException { - - if (expiration != null && expiration.before(subjectKey.getPublicKey().getCreationTime())) { - throw new IllegalArgumentException("Expiration date cannot be before creation date."); - } - - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(primaryKey, secretKeyRingProtector); - PGPPublicKey subjectPubKey = subjectKey.getPublicKey(); - - PGPSignature oldSignature = getPreviousSignature(primaryKey, subjectPubKey); - - PGPSignatureSubpacketVector oldSubpackets = oldSignature.getHashedSubPackets(); - PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator(oldSubpackets); - SignatureSubpacketGeneratorUtil.setSignatureCreationTimeInSubpacketGenerator(new Date(), subpacketGenerator); - SignatureSubpacketGeneratorUtil.setKeyExpirationDateInSubpacketGenerator( - expiration, subjectPubKey.getCreationTime(), subpacketGenerator); - - PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey); - signatureGenerator.setHashedSubpackets(subpacketGenerator.generate()); - - if (primaryKey.getKeyID() == subjectKey.getKeyID()) { - signatureGenerator.init(PGPSignature.POSITIVE_CERTIFICATION, privateKey); - - for (Iterator it = subjectKey.getUserIDs(); it.hasNext(); ) { - String userId = it.next(); - PGPSignature signature = signatureGenerator.generateCertification(userId, subjectPubKey); - subjectPubKey = PGPPublicKey.addCertification(subjectPubKey, userId, signature); + SelfSignatureBuilder builder = new SelfSignatureBuilder(secretKeyRing.getSecretKey(), secretKeyRingProtector, prevUserIdSig); + builder.applyCallback(new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + // unmark as primary + hashedSubpackets.setPrimaryUserId(null); } - } else { - signatureGenerator.init(PGPSignature.SUBKEY_BINDING, privateKey); - - PGPSignature signature = signatureGenerator.generateCertification( - primaryKey.getPublicKey(), subjectPubKey); - subjectPubKey = PGPPublicKey.addCertification(subjectPubKey, signature); - } - - subjectKey = PGPSecretKey.replacePublicKey(subjectKey, subjectPubKey); - return subjectKey; + }); + return builder.build(secretKeyRing.getPublicKey(), userId); } - private PGPSignature getPreviousSignature(PGPSecretKey primaryKey, PGPPublicKey subjectPubKey) { - PGPSignature oldSignature = null; - if (primaryKey.getKeyID() == subjectPubKey.getKeyID()) { - Iterator keySignatures = subjectPubKey.getSignaturesForKeyID(primaryKey.getKeyID()); - while (keySignatures.hasNext()) { - PGPSignature next = keySignatures.next(); - SignatureType type = SignatureType.valueOf(next.getSignatureType()); - if (type == SignatureType.POSITIVE_CERTIFICATION || - type == SignatureType.CASUAL_CERTIFICATION || - type == SignatureType.GENERIC_CERTIFICATION) { - oldSignature = next; + private PGPSignature reissuePrimaryUserIdSig( + @Nullable Date expiration, + @Nonnull SecretKeyRingProtector secretKeyRingProtector, + @Nonnull String primaryUserId, + @Nonnull PGPSignature prevUserIdSig) + throws PGPException { + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); + PGPPublicKey publicKey = primaryKey.getPublicKey(); + + SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevUserIdSig); + builder.applyCallback(new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + if (expiration != null) { + hashedSubpackets.setKeyExpirationTime(true, publicKey.getCreationTime(), expiration); + } else { + hashedSubpackets.setKeyExpirationTime(new KeyExpirationTime(true, 0)); + } + hashedSubpackets.setPrimaryUserId(); + } + }); + return builder.build(publicKey, primaryUserId); + } + + private PGPSignature reissueDirectKeySignature( + Date expiration, + SecretKeyRingProtector secretKeyRingProtector, + PGPSignature prevDirectKeySig) + throws PGPException { + PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); + PGPPublicKey publicKey = primaryKey.getPublicKey(); + final Date keyCreationTime = publicKey.getCreationTime(); + + DirectKeySignatureBuilder builder = new DirectKeySignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig); + builder.applyCallback(new SelfSignatureSubpackets.Callback() { + @Override + public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { + if (expiration != null) { + hashedSubpackets.setKeyExpirationTime(keyCreationTime, expiration); + } else { + hashedSubpackets.setKeyExpirationTime(null); } } - if (oldSignature == null) { - throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + - " does not have a previous positive/casual/generic certification signature."); - } - } else { - Iterator bindingSignatures = subjectPubKey.getSignaturesOfType( - SignatureType.SUBKEY_BINDING.getCode()); - while (bindingSignatures.hasNext()) { - oldSignature = bindingSignatures.next(); - } - } + }); - if (oldSignature == null) { - throw new IllegalStateException("Key " + OpenPgpFingerprint.of(subjectPubKey) + - " does not have a previous subkey binding signature."); - } - return oldSignature; + return builder.build(publicKey); + } + + private PGPSignature getPreviousDirectKeySignature() { + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + return info.getLatestDirectKeySelfSignature(); + } + + private PGPSignature getPreviousUserIdSignatures(String userId) { + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); + return info.getLatestUserIdCertification(userId); } @Override diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 66fa58b5..b61dbbc1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -366,20 +366,6 @@ public interface SecretKeyRingEditorInterface { @Nonnull SecretKeyRingProtector secretKeyRingProtector) throws PGPException; - /** - * Set key expiration time. - * - * @param fingerprint key that will have its expiration date adjusted - * @param expiration target expiration time or @{code null} for no expiration - * @param secretKeyRingProtector protector to unlock the priary key - * @return the builder - */ - SecretKeyRingEditorInterface setExpirationDate( - @Nonnull OpenPgpFingerprint fingerprint, - @Nullable Date expiration, - @Nonnull SecretKeyRingProtector secretKeyRingProtector) - throws PGPException; - /** * Create a detached revocation certificate, which can be used to revoke the whole key. * diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java index 6c84bab9..9c51955d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java @@ -21,6 +21,21 @@ public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder, 2021 Flowcrypt a.s. +// +// SPDX-License-Identifier: Apache-2.0 + +package org.pgpainless.key.modification; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.util.Date; + +import org.bouncycastle.openpgp.PGPException; +import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; +import org.junit.jupiter.api.Test; +import org.pgpainless.PGPainless; +import org.pgpainless.key.info.KeyRingInfo; +import org.pgpainless.key.protection.SecretKeyRingProtector; + +public class ChangePrimaryUserIdAndExpirationDatesTest { + + @Test + public void generateA_primaryB_revokeA_cantSecondaryA() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("A", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertFalse(info.isHardRevoked("A")); + assertFalse(info.isHardRevoked("B")); + assertIsPrimaryUserId("A", info); + assertIsNotValid("B", info); + assertIsNotPrimaryUserId("B", info); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addPrimaryUserId("B", protector) + .done(); + info = PGPainless.inspectKeyRing(secretKeys); + + assertIsPrimaryUserId("B", info); + assertIsNotPrimaryUserId("A", info); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .revokeUserId("A", protector) // hard revoke A + .done(); + info = PGPainless.inspectKeyRing(secretKeys); + + assertTrue(info.isHardRevoked("A")); + assertFalse(info.isHardRevoked("B")); + assertIsPrimaryUserId("B", info); + assertIsNotValid("A", info); + + Thread.sleep(1000); + + PGPSecretKeyRing finalSecretKeys = secretKeys; + assertThrows(IllegalArgumentException.class, () -> + PGPainless.modifyKeyRing(finalSecretKeys).addUserId("A", protector)); + } + + @Test + public void generateA_primaryExpire_isExpired() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("A", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertIsPrimaryUserId("A", info); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(), protector) // expire the whole key + .done(); + + Thread.sleep(1000); + + info = PGPainless.inspectKeyRing(secretKeys); + assertFalse(info.isUserIdValid("A")); // is expired by now + } + + @Test + public void generateA_primaryB_primaryExpire_bIsStillPrimary() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("A", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertIsPrimaryUserId("A", info); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addPrimaryUserId("B", protector) + .done(); + info = PGPainless.inspectKeyRing(secretKeys); + + assertIsPrimaryUserId("B", info); + assertIsNotPrimaryUserId("A", info); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(new Date().getTime() + 1000), protector) // expire the whole key in 1 sec + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + assertIsValid("A", info); + assertIsValid("B", info); + assertIsPrimaryUserId("B", info); + assertIsNotPrimaryUserId("A", info); + + Thread.sleep(2000); + + info = PGPainless.inspectKeyRing(secretKeys); + assertIsPrimaryUserId("B", info); // B is still primary, even though + assertFalse(info.isUserIdValid("A")); // key is expired by now + assertFalse(info.isUserIdValid("B")); + } + + @Test + public void generateA_expire_certify() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(new Date().getTime() + 1000), protector) + .done(); + + Thread.sleep(2000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(new Date().getTime() + 2000), protector) + .done(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertIsValid("A", info); + assertIsPrimaryUserId("A", info); + } + + @Test + public void generateA_expire_primaryB_expire_isPrimaryB() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException, IOException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(), protector) + .done(); + + Thread.sleep(2000); + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + + assertIsPrimaryUserId("A", info); + assertIsNotValid("A", info); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addPrimaryUserId("B", protector) + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + + assertIsPrimaryUserId("B", info); + assertIsValid("B", info); + assertIsNotValid("A", info); // A is still expired + + Thread.sleep(1000); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .setExpirationDate(new Date(new Date().getTime() + 10000), protector) + .done(); + + Thread.sleep(1000); + info = PGPainless.inspectKeyRing(secretKeys); + + assertIsValid("B", info); + assertIsNotValid("A", info); // A was expired when the expiration date was changed, so it was not re-certified + assertIsPrimaryUserId("B", info); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("A", protector) // re-certify A as non-primary user-id + .done(); + info = PGPainless.inspectKeyRing(secretKeys); + + assertIsValid("B", info); + assertIsValid("A", info); + assertIsPrimaryUserId("B", info); + + } + + private static void assertIsPrimaryUserId(String userId, KeyRingInfo info) { + assertEquals(userId, info.getPrimaryUserId()); + } + + private static void assertIsNotPrimaryUserId(String userId, KeyRingInfo info) { + PGPSignature signature = info.getLatestUserIdCertification(userId); + if (signature == null) { + return; + } + + assertFalse(signature.getHashedSubPackets().isPrimaryUserID()); + } + + private static void assertIsValid(String userId, KeyRingInfo info) { + assertTrue(info.isUserIdValid(userId)); + } + + private static void assertIsNotValid(String userId, KeyRingInfo info) { + assertFalse(info.isUserIdValid(userId)); + } +} diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java index dbca56d4..f7d4d181 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java @@ -10,6 +10,7 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.util.Calendar; import java.util.Date; import org.bouncycastle.openpgp.PGPException; @@ -19,7 +20,6 @@ import org.bouncycastle.openpgp.PGPSignatureSubpacketVector; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.util.TestAllImplementations; @@ -32,18 +32,22 @@ public class OldSignatureSubpacketsArePreservedOnNewSig { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .simpleEcKeyRing("Alice "); - OpenPgpV4Fingerprint subkeyFingerprint = new OpenPgpV4Fingerprint(PGPainless.inspectKeyRing(secretKeys).getPublicKeys().get(1)); - - PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getCurrentSubkeyBindingSignature(subkeyFingerprint.getKeyId()); + PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice "); PGPSignatureSubpacketVector oldPackets = oldSignature.getHashedSubPackets(); assertEquals(0, oldPackets.getKeyExpirationTime()); Thread.sleep(1000); + Date now = new Date(); + Calendar calendar = Calendar.getInstance(); + calendar.setTime(now); + calendar.add(Calendar.DATE, 5); + Date expiration = calendar.getTime(); // in 5 days + secretKeys = PGPainless.modifyKeyRing(secretKeys) - .setExpirationDate(subkeyFingerprint, new Date(), new UnprotectedKeysProtector()) + .setExpirationDate(expiration, new UnprotectedKeysProtector()) .done(); - PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getCurrentSubkeyBindingSignature(subkeyFingerprint.getKeyId()); + PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice "); PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets(); assertNotEquals(0, newPackets.getKeyExpirationTime()); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index 98d79556..7c6e0b10 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -5,18 +5,14 @@ package org.pgpainless.key.modification; import java.io.IOException; -import java.util.ArrayList; import java.util.Date; -import java.util.List; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.JUtils; import org.junit.jupiter.api.TestTemplate; import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; -import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface; import org.pgpainless.key.protection.SecretKeyRingProtector; @@ -106,24 +102,15 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { throws IOException, PGPException { Date expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(new Date())); PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); - List fingerprintList = new ArrayList<>(); - for (PGPSecretKey secretKey : secretKeys) { - fingerprintList.add(new OpenPgpV4Fingerprint(secretKey)); - } + SecretKeyRingProtector protector = new UnprotectedKeysProtector(); SecretKeyRingEditorInterface modify = PGPainless.modifyKeyRing(secretKeys) .setExpirationDate(expirationDate, protector); - for (int i = 1; i < fingerprintList.size(); i++) { - modify.setExpirationDate(fingerprintList.get(i), expirationDate, protector); - } secretKeys = modify.done(); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); JUtils.assertDateEquals(expirationDate, info.getPrimaryKeyExpirationDate()); - for (OpenPgpV4Fingerprint fingerprint : fingerprintList) { - JUtils.assertDateEquals(expirationDate, info.getSubkeyExpirationDate(fingerprint)); - } } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java index ce5b1690..d990c4b1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java @@ -60,7 +60,8 @@ public class SignatureSubpacketsUtilTest { .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys()) .done(); - PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature(secretKeys, "Expire", Policy.getInstance(), new Date()); + PGPSignature expirationSig = SignaturePicker.pickCurrentUserIdCertificationSignature( + secretKeys, "Expire", Policy.getInstance(), new Date()); PGPPublicKey notTheRightKey = PGPainless.inspectKeyRing(secretKeys).getSigningSubkeys().get(0); assertThrows(IllegalArgumentException.class, () -> From 3aa9e2915ab94db4368edf211bb0cecb2d2ef1cb Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 13:28:16 +0100 Subject: [PATCH 0219/1450] Re-certify expired user-ids when changing key expiration date --- .../org/pgpainless/key/info/KeyRingInfo.java | 33 ++++++++++++++++++- .../secretkeyring/SecretKeyRingEditor.java | 7 ++-- ...gePrimaryUserIdAndExpirationDatesTest.java | 11 +++---- 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index a0cf76c3..19e73220 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -349,6 +349,38 @@ public class KeyRingInfo { return valid; } + /** + * Return a list of all user-ids that were valid at some point, but might be expired by now. + * + * @return bound user-ids + */ + public List getBoundButPossiblyExpiredUserIds() { + List probablyExpired = new ArrayList<>(); + List userIds = getUserIds(); + + for (String userId : userIds) { + PGPSignature certification = signatures.userIdCertifications.get(userId); + PGPSignature revocation = signatures.userIdRevocations.get(userId); + + // Not revoked -> valid + if (revocation == null) { + probablyExpired.add(userId); + continue; + } + + // Hard revocation -> invalid + if (SignatureUtils.isHardRevocation(revocation)) { + continue; + } + + // Soft revocation -> valid if certification is newer than revocation (revalidation) + if (certification.getCreationTime().after(revocation.getCreationTime())) { + probablyExpired.add(userId); + } + } + return probablyExpired; + } + /** * Return true if the provided user-id is valid. * @@ -371,7 +403,6 @@ public class KeyRingInfo { PGPSignature certification = signatures.userIdCertifications.get(userId); PGPSignature revocation = signatures.userIdRevocations.get(userId); - // If user-id is expired, certification will be null. if (certification == null) { return false; } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 8b703600..51ca0a3a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -146,15 +146,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { // Determine previous key expiration date PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey(); - /* KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); String primaryUserId = info.getPrimaryUserId(); PGPSignature signature = primaryUserId == null ? info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId); final Date previousKeyExpiration = signature == null ? null : SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(signature, primaryKey); - */ - final Date previousKeyExpiration = null; // Add new primary user-id signature addUserId( @@ -173,8 +170,8 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { protector); // unmark previous primary user-ids to be non-primary - KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); - for (String otherUserId : info.getValidUserIds()) { + info = PGPainless.inspectKeyRing(secretKeyRing); + for (String otherUserId : info.getBoundButPossiblyExpiredUserIds()) { if (userId.toString().equals(otherUserId)) { continue; } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java index 51c60383..26618b7a 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java @@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Date; @@ -151,7 +150,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { @Test public void generateA_expire_primaryB_expire_isPrimaryB() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException, IOException { + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); @@ -165,7 +164,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); assertIsPrimaryUserId("A", info); - assertIsNotValid("A", info); + assertIsNotValid("A", info); // A is expired secretKeys = PGPainless.modifyKeyRing(secretKeys) .addPrimaryUserId("B", protector) @@ -174,8 +173,8 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { info = PGPainless.inspectKeyRing(secretKeys); assertIsPrimaryUserId("B", info); - assertIsValid("B", info); - assertIsNotValid("A", info); // A is still expired + assertIsNotValid("B", info); // A and B are still expired + assertIsNotValid("A", info); Thread.sleep(1000); @@ -187,7 +186,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest { info = PGPainless.inspectKeyRing(secretKeys); assertIsValid("B", info); - assertIsNotValid("A", info); // A was expired when the expiration date was changed, so it was not re-certified + assertIsValid("A", info); // A got re-validated when changing exp date assertIsPrimaryUserId("B", info); secretKeys = PGPainless.modifyKeyRing(secretKeys) From 447755200b971ab478896b98cfbbc9b7f430ea3f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 13:28:21 +0100 Subject: [PATCH 0220/1450] Update changelog --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e0c72507..1dc05b44 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,13 @@ SPDX-License-Identifier: CC0-1.0 - `EncryptionOptions`: replace method argument type `PGPPublicKeyRingCollection` with `Iterable` to allow for `Collection` as argument - `SigningOptions`: replace method argument type `PGPSecretKeyRingCollection` with `Iterable` to allow for `Collection` as argument - Prevent message decryption with non-encryption subkey +- Rework key modification API to fix inconsistency problems with expiration and primary user-ids. + - Remove methods to change expiration dates of subkeys and specific user-ids + - Rework primary user-id marking logic to unmark non-primary ids +- Added [Cure53 Security Audit Report](https://gh.pgpainless.org/assets/Audit-PGPainless.pdf) to the website +- Reworked tests for cryptographic backend to use custom `InvocationContextProvider` implementation +- Source `PGPObjectFactory` objects from `ImplementationProvider` +- Fix typo `getCommendHeader() -> getCommentHeader()` ## 1.0.0-rc6 - Restructure method arguments in `SecretKeyRingEditor` From 310e8372ad442beeceb86f50b62c935ddb24173e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 13:30:08 +0100 Subject: [PATCH 0221/1450] PGPainless 1.0.0-rc7 --- README.md | 2 +- version.gradle | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e4732090..77ca26db 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.0.0-rc6' + implementation 'org.pgpainless:pgpainless-core:1.0.0-rc7' } ``` diff --git a/version.gradle b/version.gradle index 171e7946..2f6ec04b 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc7' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From 9ad13e844be54cb02cb08482a472bc3327510896 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 20 Dec 2021 13:37:59 +0100 Subject: [PATCH 0222/1450] PGPainless-1.0.0-rc8-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 2f6ec04b..2b85bb72 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc7' - isSnapshot = false + shortVersion = '1.0.0-rc8' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From 09e65969119f5f3d926c8ff55861aead743e504c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 21 Dec 2021 13:34:00 +0100 Subject: [PATCH 0223/1450] Add audit challenge secret key --- audit/audit_key.asc | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 audit/audit_key.asc diff --git a/audit/audit_key.asc b/audit/audit_key.asc new file mode 100644 index 00000000..478a5c3f --- /dev/null +++ b/audit/audit_key.asc @@ -0,0 +1,23 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: PGPainless +Comment: A16D 7A3E A645 F32B FFD2 9B30 DCDE B25E D526 4E4C +Comment: Audit + +lFgEYUhIQhYJKwYBBAHaRw8BAQdAz7UK1857JYHm+09xETHXsMYAyJWYir4SCVZc +FLfA/EsAAQDmVE2Xe6wd/pTQ0t3mBxfYC0pUAQwu7SYtJCgUONvcGQ3ctBxBdWRp +dCA8YXVkaXRAcGdwYWlubGVzcy5vcmc+iHgEExYKACAFAmFISEICGwEFFgIDAQAE +CwkIBwUVCgkICwIeAQIZAQAKCRDc3rJe1SZOTKgAAQCbo04CbWJr8rhoHmOqogDs ++SU8PB9kkoRbQ20jbyjbdgEA0A0mrqkx8TYeQ85B8Wb//q/99CYcI+3KVvirXfN6 +7wycXQRhSEhCEgorBgEEAZdVAQUBAQdALQgXzvFtuwJnvmZmq5zXicV3yV3lY3yz +Id+x478zGl4DAQgHAAD/Xjz/qhlcoSF/FNFEzM2NMjOg2KKJUxnStLn+RuQ4wHgR +koh1BBgWCgAdBQJhSEhCAhsMBRYCAwEABAsJCAcFFQoJCAsCHgEACgkQ3N6yXtUm +TkxtyQEAxwO3+lFKW1p7RfpMLiePjccEtc0YSe/y844rOvAtt2IBAImUOlYILwYt ++6MSxoOY8Knn2FCIa/iDaljbPMSCJy8CnFgEYUhIQhYJKwYBBAHaRw8BAQdAednV +2MFcpleGezP3TmReiazJY1s2SV9I2nS0lHlr+g0AAQDh2QeJnrDnwT/rLJ1Kkdwl +Oe+WqUHJ9pHIA1fGCkemqxGSiNUEGBYKAH0FAmFISEICGwIFFgIDAQAECwkIBwUV +CgkICwIeAV8gBBkWCgAGBQJhSEhCAAoJEBPUPQ7ll5OWutIBAO1P/SIsaisKjmda +EPDn8x6hLikzPzjOJlZmQYHBOCNXAP9wMQMInGDYAj1Sz67Z7Rjl6f4sOB/P6Tv9 +V4rbZwyNDAAKCRDc3rJe1SZOTMgWAP9EBlU8v/Nj8rDo6ZT4RFAdVwV/YqOj1UgE +e/paTFhPSgD/ezgwk4xFUTvWjgYsHwtm94hgQfpu5P7ZdWhNMEBwHgg= +=OXTo +-----END PGP PRIVATE KEY BLOCK----- From 31c7ae245a6482a6784cd6f4d49e3d341ab5eb4d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 21 Dec 2021 13:34:29 +0100 Subject: [PATCH 0224/1450] Remove audit boobytraps --- audit/audit_cert.asc | 21 ------------------ audit/audit_key.asc | 23 ------------------- audit/booby-traps/trap01.asc | 43 ------------------------------------ 3 files changed, 87 deletions(-) delete mode 100644 audit/audit_cert.asc delete mode 100644 audit/audit_key.asc delete mode 100644 audit/booby-traps/trap01.asc diff --git a/audit/audit_cert.asc b/audit/audit_cert.asc deleted file mode 100644 index 6d02434f..00000000 --- a/audit/audit_cert.asc +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: PGPainless -Comment: A16D 7A3E A645 F32B FFD2 9B30 DCDE B25E D526 4E4C -Comment: Audit - -mDMEYUhIQhYJKwYBBAHaRw8BAQdAz7UK1857JYHm+09xETHXsMYAyJWYir4SCVZc -FLfA/Eu0HEF1ZGl0IDxhdWRpdEBwZ3BhaW5sZXNzLm9yZz6IeAQTFgoAIAUCYUhI -QgIbAQUWAgMBAAQLCQgHBRUKCQgLAh4BAhkBAAoJENzesl7VJk5MqAABAJujTgJt -YmvyuGgeY6qiAOz5JTw8H2SShFtDbSNvKNt2AQDQDSauqTHxNh5DzkHxZv/+r/30 -Jhwj7cpW+Ktd83rvDLg4BGFISEISCisGAQQBl1UBBQEBB0AtCBfO8W27Ame+Zmar -nNeJxXfJXeVjfLMh37HjvzMaXgMBCAeIdQQYFgoAHQUCYUhIQgIbDAUWAgMBAAQL -CQgHBRUKCQgLAh4BAAoJENzesl7VJk5MbckBAMcDt/pRSltae0X6TC4nj43HBLXN -GEnv8vOOKzrwLbdiAQCJlDpWCC8GLfujEsaDmPCp59hQiGv4g2pY2zzEgicvArgz -BGFISEIWCSsGAQQB2kcPAQEHQHnZ1djBXKZXhnsz905kXomsyWNbNklfSNp0tJR5 -a/oNiNUEGBYKAH0FAmFISEICGwIFFgIDAQAECwkIBwUVCgkICwIeAV8gBBkWCgAG -BQJhSEhCAAoJEBPUPQ7ll5OWutIBAO1P/SIsaisKjmdaEPDn8x6hLikzPzjOJlZm -QYHBOCNXAP9wMQMInGDYAj1Sz67Z7Rjl6f4sOB/P6Tv9V4rbZwyNDAAKCRDc3rJe -1SZOTMgWAP9EBlU8v/Nj8rDo6ZT4RFAdVwV/YqOj1UgEe/paTFhPSgD/ezgwk4xF -UTvWjgYsHwtm94hgQfpu5P7ZdWhNMEBwHgg= -=/5mN ------END PGP PUBLIC KEY BLOCK----- diff --git a/audit/audit_key.asc b/audit/audit_key.asc deleted file mode 100644 index 478a5c3f..00000000 --- a/audit/audit_key.asc +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN PGP PRIVATE KEY BLOCK----- -Version: PGPainless -Comment: A16D 7A3E A645 F32B FFD2 9B30 DCDE B25E D526 4E4C -Comment: Audit - -lFgEYUhIQhYJKwYBBAHaRw8BAQdAz7UK1857JYHm+09xETHXsMYAyJWYir4SCVZc -FLfA/EsAAQDmVE2Xe6wd/pTQ0t3mBxfYC0pUAQwu7SYtJCgUONvcGQ3ctBxBdWRp -dCA8YXVkaXRAcGdwYWlubGVzcy5vcmc+iHgEExYKACAFAmFISEICGwEFFgIDAQAE -CwkIBwUVCgkICwIeAQIZAQAKCRDc3rJe1SZOTKgAAQCbo04CbWJr8rhoHmOqogDs -+SU8PB9kkoRbQ20jbyjbdgEA0A0mrqkx8TYeQ85B8Wb//q/99CYcI+3KVvirXfN6 -7wycXQRhSEhCEgorBgEEAZdVAQUBAQdALQgXzvFtuwJnvmZmq5zXicV3yV3lY3yz -Id+x478zGl4DAQgHAAD/Xjz/qhlcoSF/FNFEzM2NMjOg2KKJUxnStLn+RuQ4wHgR -koh1BBgWCgAdBQJhSEhCAhsMBRYCAwEABAsJCAcFFQoJCAsCHgEACgkQ3N6yXtUm -TkxtyQEAxwO3+lFKW1p7RfpMLiePjccEtc0YSe/y844rOvAtt2IBAImUOlYILwYt -+6MSxoOY8Knn2FCIa/iDaljbPMSCJy8CnFgEYUhIQhYJKwYBBAHaRw8BAQdAednV -2MFcpleGezP3TmReiazJY1s2SV9I2nS0lHlr+g0AAQDh2QeJnrDnwT/rLJ1Kkdwl -Oe+WqUHJ9pHIA1fGCkemqxGSiNUEGBYKAH0FAmFISEICGwIFFgIDAQAECwkIBwUV -CgkICwIeAV8gBBkWCgAGBQJhSEhCAAoJEBPUPQ7ll5OWutIBAO1P/SIsaisKjmda -EPDn8x6hLikzPzjOJlZmQYHBOCNXAP9wMQMInGDYAj1Sz67Z7Rjl6f4sOB/P6Tv9 -V4rbZwyNDAAKCRDc3rJe1SZOTMgWAP9EBlU8v/Nj8rDo6ZT4RFAdVwV/YqOj1UgE -e/paTFhPSgD/ezgwk4xFUTvWjgYsHwtm94hgQfpu5P7ZdWhNMEBwHgg= -=OXTo ------END PGP PRIVATE KEY BLOCK----- diff --git a/audit/booby-traps/trap01.asc b/audit/booby-traps/trap01.asc deleted file mode 100644 index a57b55de..00000000 --- a/audit/booby-traps/trap01.asc +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN PGP MESSAGE----- -Version: PGPainless - -hF4DEr34KT0hCm4SAQdA1t9dOL8VcV8jGyd/P//stxC/ykhbnNrIX9Nl6d/0Lgkw -BuLTZ42dBR9IV0yy3MmeP+WLRX5riCcianAdkKbJZ980DdGQY6SRchbh7I8EbdVB -0ukBPauvl6C36FDfJO05ABM1jUAkxQih8qMQRsonCi/8l1EtdaHjU2VVv3NFkx9X -3+zY7sChquM9EZKjJH3ZeJ5kyxLLfPHFU9+EUz1aZBdQ5tHqFru9ifZNZ4mkVR+A -sp8RuQIkbpFLtf1G+DA3fnGf3QdtwYkCjwAoRWxo5Lkjjgi1vIMo4+a1NyJaSjec -LI8Ypz3S8zqvCmr9ZjMjMFLZ24VwLzo+NoYli19i08o9WY3r/8wD5JVBuR7fRB+f -sns9V9NSMMgesW2AXV0HJJ8zbZvudMfjtfEmaEdf3d7i1ykqD+uiudQ7JxPg7wUU -ejABmE0gYJAyqG78Wiw90wHHUlu26O+VPalDcPjL4opeweDzco/Ukm6TLotf+vIi -AmRlt5ZvTjEcBV2NEsZxEBPIOsd8mXdCWVulIvXD1l8HwtgoZIOL/qFs9nZBTM9/ -JcL0hyAn1EIxahZ6+lkGGwUe7EiJ/ynrXIAHzv/Oq5VVmSv0eqk/SCsi75EdsFB0 -FjRt/oiYtBV+QA9VU4RmttV5bT/K7vcLLNHLBkjbSUHUajZoZxFh4Bsh21kOE9V2 -oGZTkb3ogjogGCHUywBKpPikeMWnOskdBlHAAT+ScBciv+xJLbH+l1KERcLwFtx9 -ybLnKcRfJazrJgb9kQ8tBcttKixd6bKjWPRl0esIwjaCtela4k/O0dCGc0UxcraH -JmsnYU19DP+DERhgsJZhAZxKExbN4LmScbe2FvcxQPELrisDuNiiaed5/w7QaeBr -QfumdN+R+3wAtutbU/EiT1GEpRQEzPvSAb53bO2r/3s/pIAnAOaaKalDBo85OY8X -Sor7OE/X6ys5xAkQt5lnKG3lOeKzlhzhokEBvwdSlITwOt9PgIvQul5UNn6xvtMV -MQbdkzTdAePibggl2GV6CPo4MH9Y67Mv/1D30u0N2kxmtEZe1YS4hE9jvBybqoYN -ksmU7yuKq7hQmdB50Qi1uEEYUT72Nw5QGDo4JHQRnSeB4jVie9c4+LT4nDlM2yOL -osu4VOQTUrEF8ydlP06+yOD85X2isRY4OU/mwxaDmNyC+7uOywbkju5FpXPrI5J1 -P3siIR0TAr8zS+1lZbsZseGGaSPDmz+U5RJrPphnk5VIVXuTHzgH1kmC5vwZ0Eoe -xZnWhByBaGU34kyGGJcQrehB7twicuEdGnppDg5nULV8OB+7Su54Om3uqiznQNJl -hiOA5TT8jzz3k7V9wWjM/oFe5KU7yb33pvm615nHzxe/8balk552h6bIXgnkmj9D -hR5byVdmNw5/n+OpkvyziPrcUsW3h/Mk+tmsQsKcvpO/RrFPXWp39BZlgOdb7hB/ -u7YR3gs/KXObohQSsGjZWZJqSOlaSc5rzFieMYclPJWH/+XJQ7BD8s7FJtI+dvu0 -Q989W9qIHVFZyihT//sXD/jnKNSnbiYPQWBJSPQGfyCw0GJSB5AWCT0bFuuq1pzl -IRh93OHGhAPZ/NstkcMjJZk+xWDRtCrwR2tu16p8d38UloIlMxFQxiu8qwR7RHFI -Ow+ydVkdIcrVR8PgGO3MdNfN9ONhriiLIVTs7k8QDY4YTPc0qzwAX+taidE7rqcr -aSANnMF2t/+I9pYFysesn9b7l+82bpc9KbUss8BkV9qrCeowNNJ+pQOdOMdhvmNs -xd7RXT7SulqDPMfcv4KhledrxmvcRHHUhyoIUGZ+mv0VLi+isi67Yz6mPFtfnj6H -Tvn2oZaI7QX71oYiUHqDiA5en46Yzt9Di4t/yGm8Wr8QCj/ubZcgfT6M0WvuGPpC -47E2JHiB2hMaB3/ACBruwR5WaZsDPWewHXtb2QQmGQT1fkSdDYT/pDTTfB5S6DBg -pmNOhoH7sl262wvZQ3UOztLcbpWu25j6nBZJXWnt3VaNm20pf5uwXl/PSX0xIEfQ -aZLKFk+cFmmUUf7PnRcXfMFfLrUr1W6KeFQOVtZTEjq5SRzzI7BZHaHylpQMWUNK -V7rjRRiQ23sI7bE5+/+SUKDMrLe452Jn5BTEVnJ6igwL/PBVFLRCt8OLJoZNJdfJ -9R5Ugrhe+xuotUsQWd4df+by0hxpMXl/qV8M6zRVXkLyvl1gJIpwusCTVZkbo0T0 -l1zGqkDnhAJrRTQ9ejBmEa2b9zCAmakME3xEc7wF7iU5Dut3MifuJKe2RbnmSk60 -C2rsAikjAGfIJpDu/QQ55DR7JAKdCCzvZ54S9nveAkXOgQzlWNHdk+6B24VMtyX6 -MjH2xlLl7MmGGQ0e42N/KUbPgVQdcCN1ctlCt/QuntP52Ah87nMKEIlQ0JY0 -=LTKS ------END PGP MESSAGE----- From 56e60e88f468379985dbce1a307942aa7463810d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 22 Dec 2021 12:40:40 +0100 Subject: [PATCH 0225/1450] When no user-id is marked as primary: return first user-id --- .../org/pgpainless/key/info/KeyRingInfo.java | 30 +++++-------------- 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 19e73220..f30c36da 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -262,25 +262,25 @@ public class KeyRingInfo { } /** - * Return the primary user-id of the key ring. + * Return the current primary user-id of the key ring. * * Note: If no user-id is marked as primary key using a {@link PrimaryUserID} packet, - * this method returns the latest added user-id, otherwise null. + * this method returns the first user-id on the key, otherwise null. * * @return primary user-id or null */ private String findPrimaryUserId() { - String nonPrimaryUserId = null; String primaryUserId = null; - Date modificationDate = null; + Date currentModificationDate = null; List userIds = getUserIds(); if (userIds.isEmpty()) { return null; } + String firstUserId = userIds.get(0); if (userIds.size() == 1) { - return userIds.get(0); + return firstUserId; } for (String userId : userIds) { @@ -291,25 +291,11 @@ public class KeyRingInfo { Date creationTime = certification.getCreationTime(); if (certification.getHashedSubPackets().isPrimaryUserID()) { - if (nonPrimaryUserId != null) { - nonPrimaryUserId = null; - modificationDate = null; - } - - if (modificationDate == null || creationTime.after(modificationDate)) { + if (currentModificationDate == null || creationTime.after(currentModificationDate)) { primaryUserId = userId; - modificationDate = creationTime; + currentModificationDate = creationTime; } - } else { - if (primaryUserId != null) { - continue; - } - - if (modificationDate == null || creationTime.after(modificationDate)) { - nonPrimaryUserId = userId; - modificationDate = creationTime; - } } } @@ -317,7 +303,7 @@ public class KeyRingInfo { return primaryUserId; } - return nonPrimaryUserId; + return firstUserId; } /** From 6c9c683c8599ecac9a909dc1181b3937d2045681 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 22 Dec 2021 12:42:31 +0100 Subject: [PATCH 0226/1450] Rename method to getValidAndExpiredUserIds() --- .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java | 2 +- .../key/modification/secretkeyring/SecretKeyRingEditor.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index f30c36da..76046aef 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -340,7 +340,7 @@ public class KeyRingInfo { * * @return bound user-ids */ - public List getBoundButPossiblyExpiredUserIds() { + public List getValidAndExpiredUserIds() { List probablyExpired = new ArrayList<>(); List userIds = getUserIds(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 51ca0a3a..eab2d8c5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -171,7 +171,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { // unmark previous primary user-ids to be non-primary info = PGPainless.inspectKeyRing(secretKeyRing); - for (String otherUserId : info.getBoundButPossiblyExpiredUserIds()) { + for (String otherUserId : info.getValidAndExpiredUserIds()) { if (userId.toString().equals(otherUserId)) { continue; } From 047cf1996d8d8c259c6406e8e80ca47078d8055d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 23 Dec 2021 16:22:08 +0100 Subject: [PATCH 0227/1450] PGPainless 1.0.0-rc8 --- CHANGELOG.md | 7 ++++++- version.gradle | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1dc05b44..93036c79 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,12 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog -## 1.0.0-rc7-SNAPSHOT +## 1.0.0-rc8 +- `KeyRingInfo.getPrimaryUserId()`: return first user-id when no primary user-id is found +- Rename method `getBoundButPossiblyExpiredUserIds` to `getValidAndExpiredUserIds()` +- Remove audit resource material + +## 1.0.0-rc7 - Make `Passphrase` comparison constant time - Bump Bouncycastle to 1.70 - Use new `PGPCanonicalizedDataGenerator` where applicable diff --git a/version.gradle b/version.gradle index 2b85bb72..3c1906ba 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc8' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From ad5399e0837b41c792d18a04fd77100486cd4124 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 23 Dec 2021 16:28:14 +0100 Subject: [PATCH 0228/1450] PGPainless-1.0.0-rc9-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 3c1906ba..ee368537 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc8' - isSnapshot = false + shortVersion = '1.0.0-rc9' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From 31b7d181838cb2840d31986e055c8897fcfc929d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 23 Dec 2021 17:10:44 +0100 Subject: [PATCH 0229/1450] Properly resolve earliest expiration date when primary user-id + direct-key sig have expiraiton Rename getPossiblyExpiredPrimaryUserId() method --- .../org/pgpainless/key/info/KeyRingInfo.java | 35 ++++++++++++++----- .../secretkeyring/SecretKeyRingEditor.java | 2 +- 2 files changed, 28 insertions(+), 9 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index 76046aef..efff9115 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -644,22 +644,41 @@ public class KeyRingInfo { */ public @Nullable Date getPrimaryKeyExpirationDate() { PGPSignature directKeySig = getLatestDirectKeySelfSignature(); + Date directKeyExpirationDate = null; if (directKeySig != null) { - Date directKeyExpirationDate = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(directKeySig, getPublicKey()); - if (directKeyExpirationDate != null) { - return directKeyExpirationDate; + directKeyExpirationDate = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(directKeySig, getPublicKey()); + } + + PGPSignature primaryUserIdCertification = null; + Date userIdExpirationDate = null; + String possiblyExpiredPrimaryUserId = getPossiblyExpiredPrimaryUserId(); + if (possiblyExpiredPrimaryUserId != null) { + primaryUserIdCertification = getLatestUserIdCertification(possiblyExpiredPrimaryUserId); + if (primaryUserIdCertification != null) { + userIdExpirationDate = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(primaryUserIdCertification, getPublicKey()); } } - PGPSignature primaryUserIdCertification = getLatestUserIdCertification(getPossiblyExpiredUserId()); - if (primaryUserIdCertification != null) { - return SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(primaryUserIdCertification, getPublicKey()); + if (directKeySig == null && primaryUserIdCertification == null) { + throw new NoSuchElementException("No direct-key signature and no user-id signature found."); } - throw new NoSuchElementException("No suitable signatures found on the key."); + if (directKeyExpirationDate != null && userIdExpirationDate == null) { + return directKeyExpirationDate; + } + + if (directKeyExpirationDate == null) { + return userIdExpirationDate; + } + + if (directKeyExpirationDate.before(userIdExpirationDate)) { + return directKeyExpirationDate; + } + + return userIdExpirationDate; } - public String getPossiblyExpiredUserId() { + public String getPossiblyExpiredPrimaryUserId() { String validPrimaryUserId = getPrimaryUserId(); if (validPrimaryUserId != null) { return validPrimaryUserId; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index eab2d8c5..9c88e6c5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -515,7 +515,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { } // reissue primary user-id sig - String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing).getPossiblyExpiredUserId(); + String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing).getPossiblyExpiredPrimaryUserId(); if (primaryUserId != null) { PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId); PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig); From 3a69f9040195d3bc8dc5191d3c8bb587b4c3ad89 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 23 Dec 2021 17:34:38 +0100 Subject: [PATCH 0230/1450] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93036c79..b7ac003d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +## 1.0.0-rc9-SNAPSHOT +- When key has both direct-key sig + primary user-id sig: resolve expiration date to earliest expiration + ## 1.0.0-rc8 - `KeyRingInfo.getPrimaryUserId()`: return first user-id when no primary user-id is found - Rename method `getBoundButPossiblyExpiredUserIds` to `getValidAndExpiredUserIds()` From 245376d7d03d841092f172c1a42616e304fbf05f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Dec 2021 13:35:58 +0100 Subject: [PATCH 0231/1450] Remove KeyRingUtils.deleteUserId() in favor of revoking SecretKeyRingEditor.removeUserId() methods --- .../secretkeyring/SecretKeyRingEditor.java | 22 +++++++++ .../SecretKeyRingEditorInterface.java | 8 ++++ .../org/pgpainless/key/util/KeyRingUtils.java | 46 ------------------- .../pgpainless/key/util/KeyRingUtilTest.java | 46 ------------------- 4 files changed, 30 insertions(+), 92 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java index 9c88e6c5..66336c6f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java @@ -190,6 +190,28 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { return this; } + @Override + public SecretKeyRingEditorInterface removeUserId( + SelectUserId userIdSelector, + SecretKeyRingProtector protector) + throws PGPException { + RevocationAttributes revocationAttributes = RevocationAttributes.createCertificateRevocation() + .withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) + .withoutDescription(); + return revokeUserIds(userIdSelector, + protector, + revocationAttributes); + } + + @Override + public SecretKeyRingEditorInterface removeUserId( + CharSequence userId, + SecretKeyRingProtector protector) throws PGPException { + return removeUserId( + SelectUserId.exactMatch(userId.toString()), + protector); + } + // TODO: Move to utility class? private String sanitizeUserId(@Nonnull CharSequence userId) { // TODO: Further research how to sanitize user IDs. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index b61dbbc1..65d92330 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -69,6 +69,14 @@ public interface SecretKeyRingEditorInterface { @Nonnull SecretKeyRingProtector protector) throws PGPException; + SecretKeyRingEditorInterface removeUserId(SelectUserId userIdSelector, + SecretKeyRingProtector protector) + throws PGPException; + + SecretKeyRingEditorInterface removeUserId(CharSequence userId, + SecretKeyRingProtector protector) + throws PGPException; + /** * Add a subkey to the key ring. * The subkey will be generated from the provided {@link KeySpec}. diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java index 9848ced9..400414c2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java @@ -159,52 +159,6 @@ public final class KeyRingUtils { return ring.getPublicKey(keyId) != null; } - /** - * Delete the given user-id and its certification signatures from the given key. - * - * @deprecated Deleting user-ids is highly discouraged, since it might lead to all sorts of problems - * (e.g. lost key properties). - * Instead, user-ids should only be revoked. - * - * @param secretKeys secret keys - * @param userId user-id - * @return modified secret keys - */ - @Deprecated - public static PGPSecretKeyRing deleteUserId(PGPSecretKeyRing secretKeys, String userId) { - PGPSecretKey secretKey = secretKeys.getSecretKey(); // user-ids are located on primary key only - PGPPublicKey publicKey = secretKey.getPublicKey(); // user-ids are placed on the public key part - publicKey = PGPPublicKey.removeCertification(publicKey, userId); - if (publicKey == null) { - throw new NoSuchElementException("User-ID " + userId + " not found on the key."); - } - secretKey = PGPSecretKey.replacePublicKey(secretKey, publicKey); - secretKeys = PGPSecretKeyRing.insertSecretKey(secretKeys, secretKey); - return secretKeys; - } - - /** - * Delete the given user-id and its certification signatures from the given certificate. - * - * @deprecated Deleting user-ids is highly discouraged, since it might lead to all sorts of problems - * (e.g. lost key properties). - * Instead, user-ids should only be revoked. - * - * @param publicKeys certificate - * @param userId user-id - * @return modified secret keys - */ - @Deprecated - public static PGPPublicKeyRing deleteUserId(PGPPublicKeyRing publicKeys, String userId) { - PGPPublicKey publicKey = publicKeys.getPublicKey(); // user-ids are located on primary key only - publicKey = PGPPublicKey.removeCertification(publicKey, userId); - if (publicKey == null) { - throw new NoSuchElementException("User-ID " + userId + " not found on the key."); - } - publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey); - return publicKeys; - } - public static T injectCertification(T keyRing, PGPPublicKey certifiedKey, PGPSignature certification) { PGPSecretKeyRing secretKeys = null; PGPPublicKeyRing publicKeys; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java index 9f2546ae..45552664 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java @@ -6,17 +6,14 @@ package org.pgpainless.key.util; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; -import java.util.NoSuchElementException; import java.util.Random; import org.bouncycastle.bcpg.attr.ImageAttribute; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignatureGenerator; @@ -33,49 +30,6 @@ import org.pgpainless.util.CollectionUtils; public class KeyRingUtilTest { - @Test - public void testDeleteUserIdFromSecretKeyRing() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice", null); - - secretKeys = PGPainless.modifyKeyRing(secretKeys) - .addUserId("Bob", SecretKeyRingProtector.unprotectedKeys()) - .done(); - assertEquals(2, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); - - secretKeys = KeyRingUtils.deleteUserId(secretKeys, "Bob"); - - assertEquals(1, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getUserIDs()).size()); - } - - @Test - public void testDeleteUserIdFromPublicKeyRing() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice", null); - - secretKeys = PGPainless.modifyKeyRing(secretKeys) - .addUserId("Bob", SecretKeyRingProtector.unprotectedKeys()) - .done(); - PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys); - assertEquals(2, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); - - publicKeys = KeyRingUtils.deleteUserId(publicKeys, "Alice"); - - assertEquals(1, CollectionUtils.iteratorToList(publicKeys.getPublicKey().getUserIDs()).size()); - } - - @Test - public void testDeleteNonexistentUserIdFromKeyRingThrows() - throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { - PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() - .modernKeyRing("Alice", null); - - assertThrows(NoSuchElementException.class, - () -> KeyRingUtils.deleteUserId(secretKeys, "Charlie")); - } - @Test public void testInjectCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() From a0e9c1f5553d823f5dec5696fd532a738aa79f96 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Dec 2021 13:36:13 +0100 Subject: [PATCH 0232/1450] Add SelectUserId.byEmail() --- .../util/selection/userid/SelectUserId.java | 27 +++++++++++++------ .../selection/userid/SelectUserIdTest.java | 13 +++++++++ 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java index 3f5cc98b..25ee5a33 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java @@ -10,6 +10,8 @@ import java.util.List; import org.bouncycastle.openpgp.PGPKeyRing; import org.pgpainless.PGPainless; +import javax.annotation.Nonnull; + public abstract class SelectUserId { protected abstract boolean accept(String userId); @@ -42,35 +44,37 @@ public abstract class SelectUserId { return null; } - public static SelectUserId containsSubstring(String query) { + public static SelectUserId containsSubstring(@Nonnull CharSequence query) { return new SelectUserId() { @Override protected boolean accept(String userId) { - return userId.contains(query); + return userId.contains(query.toString()); } }; } - public static SelectUserId exactMatch(String query) { + public static SelectUserId exactMatch(@Nonnull CharSequence query) { return new SelectUserId() { @Override protected boolean accept(String userId) { - return userId.equals(query); + return userId.equals(query.toString()); } }; } - public static SelectUserId startsWith(String substring) { + public static SelectUserId startsWith(@Nonnull CharSequence substring) { + String string = substring.toString(); return new SelectUserId() { @Override protected boolean accept(String userId) { - return userId.startsWith(substring); + return userId.startsWith(string); } }; } - public static SelectUserId containsEmailAddress(String email) { - return containsSubstring(email.matches("^<.+>$") ? email : '<' + email + '>'); + public static SelectUserId containsEmailAddress(@Nonnull CharSequence email) { + String string = email.toString(); + return containsSubstring(string.matches("^<.+>$") ? string : '<' + string + '>'); } public static SelectUserId validUserId(PGPKeyRing keyRing) { @@ -116,4 +120,11 @@ public abstract class SelectUserId { } }; } + + public static SelectUserId byEmail(CharSequence email) { + return SelectUserId.or( + SelectUserId.exactMatch(email), + SelectUserId.containsEmailAddress(email) + ); + } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java index 6e7ea39c..3a49247c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/userid/SelectUserIdTest.java @@ -19,6 +19,7 @@ import java.util.List; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertTrue; public class SelectUserIdTest { @@ -111,4 +112,16 @@ public class SelectUserIdTest { PGPainless.inspectKeyRing(secretKeys).getUserIds() )); } + + @Test + public void testByEmail() { + SelectUserId containsEmailAddress = SelectUserId.containsEmailAddress("alice@pgpainless.org"); + assertTrue(containsEmailAddress.accept("")); + assertTrue(containsEmailAddress.accept("Alice ")); + + SelectUserId byEmail = SelectUserId.byEmail("alice@pgpainless.org"); + assertTrue(byEmail.accept("alice@pgpainless.org")); + assertTrue(byEmail.accept("")); + assertTrue(byEmail.accept("Alice ")); + } } From d0ef8581e8ab338dc9301d68da1ad2c1f6a10865 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Dec 2021 13:49:31 +0100 Subject: [PATCH 0233/1450] Add RevokeUserIdsTest --- CHANGELOG.md | 2 ++ .../key/modification/RevokeUserIdsTest.java | 32 +++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7ac003d..4d0b5547 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ SPDX-License-Identifier: CC0-1.0 ## 1.0.0-rc9-SNAPSHOT - When key has both direct-key sig + primary user-id sig: resolve expiration date to earliest expiration +- Add `SecretKeyRingEditor.removeUserId()` convenience methods that do soft-revoke the user-id. +- Add `SelectUserId.byEmail()` which also matches the plain email address ## 1.0.0-rc8 - `KeyRingInfo.getPrimaryUserId()`: return first user-id when no primary user-id is found diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java index e416bf04..a8c732b4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java @@ -14,6 +14,7 @@ import java.util.NoSuchElementException; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; +import org.bouncycastle.openpgp.PGPSignature; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; @@ -54,6 +55,37 @@ public class RevokeUserIdsTest { assertFalse(info.isUserIdValid("Alice ")); } + @Test + public void removeUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() + .modernKeyRing("Alice ", null); + SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .addUserId("Allice ", protector) + .addUserId("Alice ", protector) + .done(); + + KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); + assertTrue(info.isUserIdValid("Alice ")); + assertTrue(info.isUserIdValid("Allice ")); + assertTrue(info.isUserIdValid("Alice ")); + + secretKeys = PGPainless.modifyKeyRing(secretKeys) + .removeUserId("Allice ", protector) + .done(); + + info = PGPainless.inspectKeyRing(secretKeys); + assertTrue(info.isUserIdValid("Alice ")); + assertFalse(info.isUserIdValid("Allice ")); + assertTrue(info.isUserIdValid("Alice ")); + + PGPSignature revocation = info.getUserIdRevocation("Allice "); + + assertFalse(RevocationAttributes.Reason.isHardRevocation( + revocation.getHashedSubPackets().getRevocationReason().getRevocationReason())); + } + @Test public void emptySelectionYieldsNoSuchElementException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() From a86de0591bf4ec3c3518aa3196a05723d378c7a0 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Dec 2021 14:04:09 +0100 Subject: [PATCH 0234/1450] PGPainless 1.0.0-rc9 --- CHANGELOG.md | 2 +- version.gradle | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d0b5547..91abf04b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog -## 1.0.0-rc9-SNAPSHOT +## 1.0.0-rc9 - When key has both direct-key sig + primary user-id sig: resolve expiration date to earliest expiration - Add `SecretKeyRingEditor.removeUserId()` convenience methods that do soft-revoke the user-id. - Add `SelectUserId.byEmail()` which also matches the plain email address diff --git a/version.gradle b/version.gradle index ee368537..49bf67b2 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.0.0-rc9' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From e2707258fb3d813521bf622a5600a4fbdcdf0e6a Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 27 Dec 2021 14:10:53 +0100 Subject: [PATCH 0235/1450] PGPainless-1.0.0-rc10-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 49bf67b2..016f35f5 100644 --- a/version.gradle +++ b/version.gradle @@ -4,8 +4,8 @@ allprojects { ext { - shortVersion = '1.0.0-rc9' - isSnapshot = false + shortVersion = '1.0.0-rc10' + isSnapshot = true pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.70' From 2d319051d44126b639d837bf5fbf52622783935f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 01:19:43 +0100 Subject: [PATCH 0236/1450] Add quote to README --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 77ca26db..d7b5a61a 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,11 @@ PGPainless currently [*scores second place* on Sequoia-PGPs Interoperability Tes > > -Tom @ FlowCrypt.com +> Finally, testing irrefutably confirmed that the library removes many associated difficulties with PGP use in its provision of an approachable and uncomplicated API. +> In this regard, Paul Schaub deserves the utmost praise. +> +> -Mario @ Cure53.de + ## Features Most of PGPainless' features can be accessed directly from the `PGPainless` class. From 376e234baf463b7a9c28d010f4b5e78f9fa55a00 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 01:23:47 +0100 Subject: [PATCH 0237/1450] Add documentation to SecretKeyRingEditor --- .../SecretKeyRingEditorInterface.java | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index 65d92330..c7655134 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -69,10 +69,28 @@ public interface SecretKeyRingEditorInterface { @Nonnull SecretKeyRingProtector protector) throws PGPException; + /** + * Convenience method to revoke selected user-ids using soft revocation signatures. + * The revocation will use {@link RevocationAttributes.Reason#USER_ID_NO_LONGER_VALID}, so that the user-id + * can be re-certified at a later point. + * + * @param userIdSelector selector to select user-ids + * @param protector protector to unlock the primary key + * @return the builder + */ SecretKeyRingEditorInterface removeUserId(SelectUserId userIdSelector, SecretKeyRingProtector protector) throws PGPException; + /** + * Convenience method to revoke a single user-id using a soft revocation signature. + * The revocation will use {@link RevocationAttributes.Reason#USER_ID_NO_LONGER_VALID}. so that the user-id + * can be re-certified at a later point. + * + * @param userId user-id to revoke + * @param protector protector to unlock the primary key + * @return the builder + */ SecretKeyRingEditorInterface removeUserId(CharSequence userId, SecretKeyRingProtector protector) throws PGPException; From 2f446216578cd81b14d96d6f7d21473ca282354c Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 01:34:50 +0100 Subject: [PATCH 0238/1450] Add documentation to CollectionUtils methods --- .../org/pgpainless/util/CollectionUtils.java | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java index 91b48ba2..e4414b31 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java @@ -15,6 +15,13 @@ public final class CollectionUtils { } + /** + * Return all items returned by the {@link Iterator} as a {@link List}. + * + * @param iterator iterator + * @param type + * @return list + */ public static List iteratorToList(Iterator iterator) { List items = new ArrayList<>(); while (iterator.hasNext()) { @@ -24,6 +31,13 @@ public final class CollectionUtils { return items; } + /** + * Return a new array which contains 

t
as first element, followed by the elements of 
ts
. + * @param t head + * @param ts tail + * @param type + * @return t and ts as array + */ public static T[] concat(T t, T[] ts) { T[] concat = (T[]) Array.newInstance(t.getClass(), ts.length + 1); concat[0] = t; @@ -31,6 +45,13 @@ public final class CollectionUtils { return concat; } + /** + * Return true, if the given array 
ts
contains the element 
t
. + * @param ts elements + * @param t searched element + * @param type + * @return true if ts contains t, false otherwise + */ public static boolean contains(T[] ts, T t) { for (T i : ts) { if (i.equals(t)) { From f3b7286eafd219e8364c74b15224bfdbbc874359 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 01:35:12 +0100 Subject: [PATCH 0239/1450] Introduce and use DateUtil.toSecondsPrecision --- .../src/main/java/org/pgpainless/util/DateUtil.java | 10 ++++++++++ ...ExpirationOnKeyWithDifferentSignatureTypesTest.java | 2 +- ...evokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java index 3f00ddb3..890d4703 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java @@ -45,6 +45,16 @@ public final class DateUtil { return getParser().format(date); } + /** + * "Round" a date down to seconds precision. + * @param date + * @return + */ + public static Date toSecondsPrecision(Date date) { + long seconds = date.getTime() / 1000; + return new Date(seconds * 1000); + } + /** * Return the current date "rounded" to UTC precision. * diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java index a12b8b6b..9acb08f6 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationOnKeyWithDifferentSignatureTypesTest.java @@ -157,7 +157,7 @@ public class ChangeExpirationOnKeyWithDifferentSignatureTypesTest { throws PGPException { Date expirationDate = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * 14); // round date for test stability - expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(expirationDate)); + expirationDate = DateUtil.toSecondsPrecision(expirationDate); PGPSecretKeyRing modded = PGPainless.modifyKeyRing(keys) .setExpirationDate(expirationDate, protector) diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java index 7c6e0b10..606b69f4 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java @@ -100,7 +100,7 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey { @ExtendWith(TestAllImplementations.class) public void testChangingExpirationTimeWithKeyWithoutPrefAlgos() throws IOException, PGPException { - Date expirationDate = DateUtil.parseUTCDate(DateUtil.formatUTCDate(new Date())); + Date expirationDate = DateUtil.toSecondsPrecision(new Date()); PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY); SecretKeyRingProtector protector = new UnprotectedKeysProtector(); From 6eac50c5b54bd1cb475ec96bdd2a76d6bf39602d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 01:40:30 +0100 Subject: [PATCH 0240/1450] Add documentation to SessionKey --- .../java/org/pgpainless/util/SessionKey.java | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java index cea8639d..72bab826 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java @@ -9,24 +9,49 @@ import javax.annotation.Nonnull; import org.bouncycastle.openpgp.PGPSessionKey; import org.pgpainless.algorithm.SymmetricKeyAlgorithm; +/** + * A {@link SessionKey} is the symmetric key that is used to encrypt/decrypt an OpenPGP message. + * The OpenPGP message header contains a copy of the session key, encrypted for the public key of each recipient. + */ public class SessionKey { - private SymmetricKeyAlgorithm algorithm; - private byte[] key; + private final SymmetricKeyAlgorithm algorithm; + private final byte[] key; + /** + * Constructor to create a session key from a BC {@link PGPSessionKey} object. + * + * @param sessionKey BC session key + */ public SessionKey(@Nonnull PGPSessionKey sessionKey) { this(SymmetricKeyAlgorithm.fromId(sessionKey.getAlgorithm()), sessionKey.getKey()); } + /** + * Create a session key object from an algorithm and a key. + * + * @param algorithm algorithm + * @param key key + */ public SessionKey(@Nonnull SymmetricKeyAlgorithm algorithm, @Nonnull byte[] key) { this.algorithm = algorithm; this.key = key; } + /** + * Return the symmetric key algorithm. + * + * @return algorithm + */ public SymmetricKeyAlgorithm getAlgorithm() { return algorithm; } + /** + * Return the bytes of the key. + * + * @return key + */ public byte[] getKey() { byte[] copy = new byte[key.length]; System.arraycopy(key, 0, copy, 0, copy.length); From e96d668ee2aee0b0a88c30de43e1345d6c072a78 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 12:18:17 +0100 Subject: [PATCH 0241/1450] Clean up code --- .../cli/commands/GenerateCertTest.java | 14 +------------- .../cli/commands/SignVerifyTest.java | 3 +-- .../misc/SignUsingPublicKeyBehaviorTest.java | 11 +++++------ .../java/org/pgpainless/policy/Policy.java | 2 +- .../consumer/SignatureValidator.java | 19 ++----------------- .../cli/picocli/commands/VersionCmdTest.java | 3 +-- 6 files changed, 11 insertions(+), 41 deletions(-) diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java index 87ce74a4..4c0e5fa1 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java @@ -10,34 +10,22 @@ import static org.junit.jupiter.api.Assertions.assertTrue; import static org.pgpainless.cli.TestUtils.ARMOR_PRIVATE_KEY_HEADER_BYTES; import java.io.ByteArrayOutputStream; -import java.io.File; import java.io.IOException; import java.io.PrintStream; import java.util.Arrays; import com.ginsberg.junit.exit.FailOnSystemExit; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; -import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.cli.PGPainlessCLI; -import org.pgpainless.cli.TestUtils; import org.pgpainless.key.info.KeyRingInfo; public class GenerateCertTest { - private static File tempDir; - - - @BeforeAll - public static void setup() throws IOException { - tempDir = TestUtils.createTempDirectory(); - } - @Test @FailOnSystemExit - public void testKeyGeneration() throws IOException, PGPException { + public void testKeyGeneration() throws IOException { ByteArrayOutputStream out = new ByteArrayOutputStream(); System.setOut(new PrintStream(out)); PGPainlessCLI.execute("generate-key", "--armor", "Juliet Capulet "); diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java index cd2adc89..4c31f7ca 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java @@ -41,8 +41,6 @@ public class SignVerifyTest { private static File tempDir; private static PrintStream originalSout; - private final String data = "If privacy is outlawed, only outlaws will have privacy.\n"; - @BeforeAll public static void prepare() throws IOException { tempDir = TestUtils.createTempDirectory(); @@ -72,6 +70,7 @@ public class SignVerifyTest { aliceCertOut.close(); // Write test data to disc + String data = "If privacy is outlawed, only outlaws will have privacy.\n"; File dataFile = new File(tempDir, "data"); assertTrue(dataFile.createNewFile()); FileOutputStream dataOut = new FileOutputStream(dataFile); diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java index ae1148bb..0c6eac2b 100644 --- a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java +++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java @@ -15,11 +15,8 @@ import java.io.InputStream; import java.io.OutputStream; import java.io.PrintStream; import java.nio.charset.StandardCharsets; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import com.ginsberg.junit.exit.ExpectSystemExitWithStatus; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.util.io.Streams; import org.junit.jupiter.api.AfterAll; import org.junit.jupiter.api.BeforeAll; @@ -96,8 +93,6 @@ public class SignUsingPublicKeyBehaviorTest { private static File tempDir; private static PrintStream originalSout; - private final String data = "If privacy is outlawed, only outlaws will have privacy.\n"; - @BeforeAll public static void prepare() throws IOException { tempDir = TestUtils.createTempDirectory(); @@ -105,7 +100,7 @@ public class SignUsingPublicKeyBehaviorTest { @Test @ExpectSystemExitWithStatus(SOPGPException.BadData.EXIT_CODE) - public void testSignatureCreationAndVerification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testSignatureCreationAndVerification() throws IOException { originalSout = System.out; InputStream originalIn = System.in; @@ -124,6 +119,8 @@ public class SignUsingPublicKeyBehaviorTest { aliceCertOut.close(); // Write test data to disc + String data = "If privacy is outlawed, only outlaws will have privacy.\n"; + File dataFile = new File(tempDir, "data"); assertTrue(dataFile.createNewFile()); FileOutputStream dataOut = new FileOutputStream(dataFile); @@ -138,6 +135,8 @@ public class SignUsingPublicKeyBehaviorTest { FileOutputStream sigOut = new FileOutputStream(sigFile); System.setOut(new PrintStream(sigOut)); PGPainlessCLI.execute("sign", "--armor", aliceKeyFile.getAbsolutePath()); + + System.setIn(originalIn); } @AfterAll diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java index f89b811c..7bbb131a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java @@ -294,7 +294,7 @@ public final class Policy { } /** - * Return true if the the given hash algorithm is acceptable by this policy. + * Return true if the given hash algorithm is acceptable by this policy. * * @param hashAlgorithm hash algorithm * @return true if the hash algorithm is acceptable, false otherwise diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java index 8d4f682e..3bd059a2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java @@ -213,8 +213,8 @@ public abstract class SignatureValidator { * @return policy */ private static Policy.HashAlgorithmPolicy getHashAlgorithmPolicyForSignature(PGPSignature signature, Policy policy) { - Policy.HashAlgorithmPolicy hashAlgorithmPolicy = null; SignatureType type = SignatureType.valueOf(signature.getSignatureType()); + Policy.HashAlgorithmPolicy hashAlgorithmPolicy; if (type == SignatureType.CERTIFICATION_REVOCATION || type == SignatureType.KEY_REVOCATION || type == SignatureType.SUBKEY_REVOCATION) { hashAlgorithmPolicy = policy.getRevocationSignatureHashAlgorithmPolicy(); } else { @@ -385,21 +385,6 @@ public abstract class SignatureValidator { return new SignatureValidator() { @Override public void verify(PGPSignature signature) throws SignatureValidationException { - // TODO: Uncommenting the code below would mean that fake issuers would become a problem for sig verification - /* - long keyId = signature.getKeyID(); - if (keyId == 0) { - OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature); - if (fingerprint == null) { - throw new SignatureValidationException("Signature does not contain an issuer-id, neither an issuer-fingerprint subpacket."); - } - keyId = fingerprint.getKeyId(); - } - if (keyId != key.getKeyID()) { - throw new IllegalArgumentException("Signature was not created using key " + Long.toHexString(key.getKeyID())); - } - */ - Date keyCreationTime = key.getCreationTime(); Date signatureCreationTime = signature.getCreationTime(); @@ -505,7 +490,7 @@ public abstract class SignatureValidator { public void verify(PGPSignature signature) throws SignatureValidationException { try { signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signer); - boolean valid = false; + boolean valid; if (signer.getKeyID() != signee.getKeyID()) { valid = signature.verifyCertification(signer, signee); } else { diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java index 6a4d628b..98ea58e2 100644 --- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java +++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java @@ -18,12 +18,11 @@ import sop.operation.Version; public class VersionCmdTest { - private SOP sop; private Version version; @BeforeEach public void mockComponents() { - sop = mock(SOP.class); + SOP sop = mock(SOP.class); version = mock(Version.class); when(version.getName()).thenReturn("MockSop"); when(version.getVersion()).thenReturn("1.0"); From 59f1a8588783c3eef065fb9cffb2118b50d3bbcd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 12:30:52 +0100 Subject: [PATCH 0242/1450] Fix more code issues --- .../pgpainless/algorithm/AlgorithmSuite.java | 2 +- .../DecryptionBuilder.java | 2 +- .../encryption_signing/EncryptionResult.java | 2 +- .../org/pgpainless/key/info/KeyRingInfo.java | 2 +- .../MissingPassphraseForDecryptionTest.java | 6 +--- .../provider/ProviderFactoryTest.java | 35 +++++++++++-------- .../DetachInbandSignatureAndMessageImpl.java | 10 +++--- 7 files changed, 31 insertions(+), 28 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java index cc416ea2..e155e367 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AlgorithmSuite.java @@ -16,7 +16,7 @@ import java.util.Set; */ public class AlgorithmSuite { - private static AlgorithmSuite defaultAlgorithmSuite = new AlgorithmSuite( + private static final AlgorithmSuite defaultAlgorithmSuite = new AlgorithmSuite( Arrays.asList( SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java index 0611ae99..239e47c8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java @@ -24,7 +24,7 @@ public class DecryptionBuilder implements DecryptionBuilderInterface { class DecryptWithImpl implements DecryptWith { - private BufferedInputStream inputStream; + private final BufferedInputStream inputStream; DecryptWithImpl(InputStream inputStream) { this.inputStream = new BufferedInputStream(inputStream, BUFFER_SIZE); diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java index 21d42254..566238d3 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java @@ -145,7 +145,7 @@ public final class EncryptionResult { private CompressionAlgorithm compressionAlgorithm; private final MultiMap detachedSignatures = new MultiMap<>(); - private Set recipients = new HashSet<>(); + private final Set recipients = new HashSet<>(); private String fileName = ""; private Date modificationDate = new Date(0L); // NOW private StreamEncoding encoding = StreamEncoding.BINARY; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index efff9115..fd399eec 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -53,7 +53,7 @@ public class KeyRingInfo { private static final Pattern PATTERN_EMAIL = Pattern.compile("[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,6}"); private final PGPKeyRing keys; - private Signatures signatures; + private final Signatures signatures; private final Date evaluationDate; private final String primaryUserId; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java index 87ae2fed..f7d36aba 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MissingPassphraseForDecryptionTest.java @@ -18,7 +18,6 @@ import java.nio.charset.StandardCharsets; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.List; -import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPPublicKey; @@ -41,7 +40,7 @@ import org.pgpainless.util.Passphrase; public class MissingPassphraseForDecryptionTest { - private String passphrase = "dragon123"; + private final String passphrase = "dragon123"; private PGPSecretKeyRing secretKeys; private byte[] message; @@ -63,7 +62,6 @@ public class MissingPassphraseForDecryptionTest { @Test public void invalidPostponedKeysStrategyTest() { SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { fail("MUST NOT get called in if postponed key strategy is invalid."); @@ -88,7 +86,6 @@ public class MissingPassphraseForDecryptionTest { public void interactiveStrategy() throws PGPException, IOException { // interactive callback SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { // is called in interactive mode @@ -121,7 +118,6 @@ public class MissingPassphraseForDecryptionTest { List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY); SecretKeyPassphraseProvider callback = new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { fail("MUST NOT get called in non-interactive mode."); diff --git a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java index a7da6ca9..60c0bc19 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/provider/ProviderFactoryTest.java @@ -8,27 +8,15 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import java.security.Provider; +import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.Test; public class ProviderFactoryTest { - @Test - public void providerFactoryDefaultIsBouncyCastleTest() { - assertEquals("BC", ProviderFactory.getProviderName()); - } - - @Test - public void setCustomProviderTest() { - ProviderFactory.setFactory(customProviderFactory); - assertEquals("PL", ProviderFactory.getProviderName()); - // Reset back to BouncyCastle - ProviderFactory.setFactory(new BouncyCastleProviderFactory()); - } - - private ProviderFactory customProviderFactory = new ProviderFactory() { + private final ProviderFactory customProviderFactory = new ProviderFactory() { @SuppressWarnings("deprecation") - Provider provider = new Provider("PL", 1L, "PGPainlessTestProvider") { + final Provider provider = new Provider("PL", 1L, "PGPainlessTestProvider") { }; @@ -42,4 +30,21 @@ public class ProviderFactoryTest { return provider.getName(); } }; + + @Test + public void providerFactoryDefaultIsBouncyCastleTest() { + assertEquals("BC", ProviderFactory.getProviderName()); + } + + @Test + public void setCustomProviderTest() { + ProviderFactory.setFactory(customProviderFactory); + assertEquals("PL", ProviderFactory.getProviderName()); + } + + @AfterEach + public void resetToDefault() { + // Reset back to BouncyCastle + ProviderFactory.setFactory(new BouncyCastleProviderFactory()); + } } diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java index b1558a90..34d2f618 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java @@ -37,11 +37,13 @@ public class DetachInbandSignatureAndMessageImpl implements DetachInbandSignatur return new ReadyWithResult() { - private ByteArrayOutputStream sigOut = new ByteArrayOutputStream(); - @Override - public Signatures writeTo(OutputStream messageOutputStream) throws SOPGPException.NoSignature, IOException { + private final ByteArrayOutputStream sigOut = new ByteArrayOutputStream(); - PGPSignatureList signatures = null; + @Override + public Signatures writeTo(OutputStream messageOutputStream) + throws SOPGPException.NoSignature, IOException { + + PGPSignatureList signatures; try { signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(messageInputStream, messageOutputStream); } catch (WrongConsumingMethodException e) { From 39686949d21ae7c4a5c20d775f6ce82086f02274 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 13:32:33 +0100 Subject: [PATCH 0243/1450] Bump dependencies --- build.gradle | 6 +++--- pgpainless-cli/build.gradle | 2 +- sop-java-picocli/build.gradle | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index 15ee13a1..277f1a8b 100644 --- a/build.gradle +++ b/build.gradle @@ -65,9 +65,9 @@ allprojects { project.ext { slf4jVersion = '1.7.32' - logbackVersion = '1.2.6' - junitVersion = '5.7.2' - picocliVersion = '4.6.1' + logbackVersion = '1.2.9' + junitVersion = '5.8.2' + picocliVersion = '4.6.2' rootConfigDir = new File(rootDir, 'config') gitCommit = getGitCommit() isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI')) diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle index 1b807c46..eeacf5fa 100644 --- a/pgpainless-cli/build.gradle +++ b/pgpainless-cli/build.gradle @@ -32,7 +32,7 @@ dependencies { testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion" // https://todd.ginsberg.com/post/testing-system-exit/ - testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' + testImplementation 'com.ginsberg:junit5-system-exit:1.1.2' // implementation "ch.qos.logback:logback-core:1.2.6" // We want logback logging in tests and in the app diff --git a/sop-java-picocli/build.gradle b/sop-java-picocli/build.gradle index e5d208fc..81183a09 100644 --- a/sop-java-picocli/build.gradle +++ b/sop-java-picocli/build.gradle @@ -12,7 +12,7 @@ dependencies { // https://todd.ginsberg.com/post/testing-system-exit/ testImplementation 'com.ginsberg:junit5-system-exit:1.1.1' - testImplementation "org.mockito:mockito-core:3.11.2" + testImplementation 'org.mockito:mockito-core:4.2.0' implementation(project(":sop-java")) implementation "info.picocli:picocli:$picocliVersion" From ce7b69269bd6ffef4d27b1cb93a8feaf72fc5880 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 13:32:50 +0100 Subject: [PATCH 0244/1450] Various code cleanup --- .../main/java/org/pgpainless/PGPainless.java | 1 - .../DecryptionBuilder.java | 2 +- .../DecryptionStreamFactory.java | 67 +++++++++++++------ .../MessageInspector.java | 9 ++- .../SignatureInputStream.java | 26 ++++--- .../encryption_signing/EncryptionStream.java | 5 +- .../pgpainless/key/OpenPgpFingerprint.java | 1 + .../key/generation/KeyRingBuilder.java | 1 + .../key/generation/type/KeyType.java | 2 +- .../org/pgpainless/key/info/KeyRingInfo.java | 8 +-- .../SecretKeyRingEditorInterface.java | 1 - .../pgpainless/key/parsing/KeyRingReader.java | 2 +- .../java/org/pgpainless/key/util/UserId.java | 2 +- .../pgpainless/signature/SignatureUtils.java | 4 +- .../builder/AbstractSignatureBuilder.java | 1 - ...irdPartyCertificationSignatureBuilder.java | 2 - .../main/java/org/pgpainless/util/BCUtil.java | 2 +- .../util/CRCingArmoredInputStreamWrapper.java | 4 +- .../util/StreamGeneratorWrapper.java | 3 - .../org/bouncycastle/AsciiArmorCRCTests.java | 5 +- .../CleartextSignatureVerificationTest.java | 21 ++++-- .../DecryptAndVerifyMessageTest.java | 1 + ...tionUsingKeyWithMissingPassphraseTest.java | 4 -- .../EncryptDecryptTest.java | 1 + .../org/pgpainless/example/ConvertKeys.java | 7 +- .../java/org/pgpainless/example/Encrypt.java | 3 - .../org/pgpainless/example/GenerateKeys.java | 33 +++------ .../org/pgpainless/example/ModifyKeys.java | 14 ---- .../java/org/pgpainless/example/ReadKeys.java | 12 +--- .../java/org/pgpainless/example/Sign.java | 9 --- .../pgpainless/example/UnlockSecretKeys.java | 9 --- .../java/org/pgpainless/key/WeirdKeys.java | 5 +- .../KeyGenerationSubpacketsTest.java | 10 ++- .../pgpainless/key/info/KeyRingInfoTest.java | 3 +- .../key/modification/AddSubKeyTest.java | 5 +- ...ithModifiedBindingSignatureSubpackets.java | 2 +- .../ChangeSecretKeyRingPassphraseTest.java | 10 +-- .../RefuseToAddWeakSubkeyTest.java | 6 +- .../key/parsing/KeyRingReaderTest.java | 15 ++++- .../CachingSecretKeyRingProtectorTest.java | 2 - .../SecretKeyRingProtectorTest.java | 4 +- .../UnprotectedKeysProtectorTest.java | 2 +- .../OnePassSignatureBracketingTest.java | 2 +- .../signature/builder/ProofUtilTest.java | 10 +-- .../util/GuessPreferredHashAlgorithmTest.java | 4 +- .../WildcardKeyRingSelectionStrategyTest.java | 6 +- .../XmppKeyRingSelectionStrategyTest.java | 6 +- ...ncryptCommsStorageFlagsDifferentiated.java | 4 +- .../org/pgpainless/sop/GenerateKeyImpl.java | 2 +- .../java/org/pgpainless/sop/VerifyImpl.java | 2 +- .../picocli/SOPExecutionExceptionHandler.java | 2 +- sop-java/src/main/java/sop/util/HexUtil.java | 4 +- .../main/java/sop/util/ProxyOutputStream.java | 2 +- sop-java/src/main/java/sop/util/UTCUtil.java | 5 +- .../src/test/java/sop/util/HexUtilTest.java | 1 + 55 files changed, 182 insertions(+), 194 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java index 6813434c..57dd29d5 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java +++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java @@ -71,7 +71,6 @@ public final class PGPainless { * * @param key key or certificate * @return ascii armored string - * @throws IOException */ public static String asciiArmor(@Nonnull PGPKeyRing key) throws IOException { if (key instanceof PGPSecretKeyRing) { diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java index 239e47c8..6cc28a7f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java @@ -22,7 +22,7 @@ public class DecryptionBuilder implements DecryptionBuilderInterface { return new DecryptWithImpl(inputStream); } - class DecryptWithImpl implements DecryptWith { + static class DecryptWithImpl implements DecryptWith { private final BufferedInputStream inputStream; diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java index aa6d409f..6d7cb069 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java @@ -104,7 +104,8 @@ public final class DecryptionStreamFactory { long issuerKeyId = SignatureUtils.determineIssuerKeyId(signature); PGPPublicKeyRing signingKeyRing = findSignatureVerificationKeyRing(issuerKeyId); if (signingKeyRing == null) { - SignatureValidationException ex = new SignatureValidationException("Missing verification certificate " + Long.toHexString(issuerKeyId)); + SignatureValidationException ex = new SignatureValidationException( + "Missing verification certificate " + Long.toHexString(issuerKeyId)); resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, null), ex); continue; } @@ -112,16 +113,19 @@ public final class DecryptionStreamFactory { SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID()); try { signature.init(verifierBuilderProvider, signingKey); - DetachedSignatureCheck detachedSignature = new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier); + DetachedSignatureCheck detachedSignature = + new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier); detachedSignatureChecks.add(detachedSignature); } catch (PGPException e) { - SignatureValidationException ex = new SignatureValidationException("Cannot verify detached signature made by " + signingKeyIdentifier + ".", e); + SignatureValidationException ex = new SignatureValidationException( + "Cannot verify detached signature made by " + signingKeyIdentifier + ".", e); resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, signingKeyIdentifier), ex); } } } - private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) throws IOException, PGPException { + private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream) + throws IOException, PGPException { // Make sure we handle armored and non-armored data properly BufferedInputStream bufferedIn = new BufferedInputStream(inputStream, 512); bufferedIn.mark(512); @@ -185,7 +189,8 @@ public final class DecryptionStreamFactory { resultBuilder); } - private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth) throws IOException, PGPException { + private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth) + throws IOException, PGPException { if (depth >= MAX_PACKET_NESTING_DEPTH) { throw new PGPException("Maximum depth of nested packages exceeded."); } @@ -226,9 +231,13 @@ public final class DecryptionStreamFactory { return processPGPPackets(factory, ++depth); } - private IntegrityProtectedInputStream decryptWithProvidedSessionKey(PGPEncryptedDataList pgpEncryptedDataList, SessionKey sessionKey) throws PGPException { + private IntegrityProtectedInputStream decryptWithProvidedSessionKey( + PGPEncryptedDataList pgpEncryptedDataList, + SessionKey sessionKey) + throws PGPException { PGPSessionKey pgpSessionKey = new PGPSessionKey(sessionKey.getAlgorithm().getAlgorithmId(), sessionKey.getKey()); - SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance().provideSessionKeyDataDecryptorFactory(pgpSessionKey); + SessionKeyDataDecryptorFactory decryptorFactory = + ImplementationFactory.getInstance().provideSessionKeyDataDecryptorFactory(pgpSessionKey); InputStream decryptedDataStream = null; PGPEncryptedData encryptedData = null; for (PGPEncryptedData pgpEncryptedData : pgpEncryptedDataList) { @@ -254,7 +263,8 @@ public final class DecryptionStreamFactory { resultBuilder.setSessionKey(sessionKey); throwIfAlgorithmIsRejected(sessionKey.getAlgorithm()); - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, encryptedData, options); + integrityProtectedEncryptedInputStream = + new IntegrityProtectedInputStream(decryptedDataStream, encryptedData, options); return integrityProtectedEncryptedInputStream; } @@ -271,14 +281,20 @@ public final class DecryptionStreamFactory { return processPGPPackets(objectFactory, ++depth); } - private InputStream processOnePassSignatureList(@Nonnull PGPObjectFactory objectFactory, PGPOnePassSignatureList onePassSignatures, int depth) + private InputStream processOnePassSignatureList( + @Nonnull PGPObjectFactory objectFactory, + PGPOnePassSignatureList onePassSignatures, + int depth) throws PGPException, IOException { LOGGER.debug("Depth {}: Encountered PGPOnePassSignatureList of size {}", depth, onePassSignatures.size()); initOnePassSignatures(onePassSignatures); return processPGPPackets(objectFactory, depth); } - private InputStream processPGPLiteralData(@Nonnull PGPObjectFactory objectFactory, PGPLiteralData pgpLiteralData, int depth) throws IOException { + private InputStream processPGPLiteralData( + @Nonnull PGPObjectFactory objectFactory, + PGPLiteralData pgpLiteralData, + int depth) { LOGGER.debug("Depth {}: Found PGPLiteralData", depth); InputStream literalDataInputStream = pgpLiteralData.getInputStream(); @@ -342,7 +358,8 @@ public final class DecryptionStreamFactory { throwIfAlgorithmIsRejected(sessionKey.getAlgorithm()); - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData, options); + integrityProtectedEncryptedInputStream = + new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData, options); return integrityProtectedEncryptedInputStream; } catch (PGPException e) { @@ -375,7 +392,8 @@ public final class DecryptionStreamFactory { continue; } - privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, + postponedDueToMissingPassphrase, true); } } } @@ -405,7 +423,8 @@ public final class DecryptionStreamFactory { if (secretKey == null) { LOGGER.debug("Key " + Long.toHexString(keyId) + " is not valid or not capable for decryption."); } else { - privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, true); + privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, + postponedDueToMissingPassphrase, true); } } if (privateKey == null) { @@ -437,7 +456,8 @@ public final class DecryptionStreamFactory { PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId.getKeyId()); PGPSecretKey secretKey = secretKeys.getSecretKey(keyId.getSubkeyId()); - PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, postponedDueToMissingPassphrase, false); + PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData, + postponedDueToMissingPassphrase, false); if (privateKey == null) { continue; } @@ -524,19 +544,24 @@ public final class DecryptionStreamFactory { } throwIfAlgorithmIsRejected(symmetricKeyAlgorithm); - integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey, options); + integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream( + encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey, options); return integrityProtectedEncryptedInputStream; } - private void throwIfAlgorithmIsRejected(SymmetricKeyAlgorithm algorithm) throws UnacceptableAlgorithmException { + private void throwIfAlgorithmIsRejected(SymmetricKeyAlgorithm algorithm) + throws UnacceptableAlgorithmException { if (!PGPainless.getPolicy().getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) { throw new UnacceptableAlgorithmException("Data is " - + (algorithm == SymmetricKeyAlgorithm.NULL ? "unencrypted" : "encrypted with symmetric algorithm " + algorithm) + " which is not acceptable as per PGPainless' policy.\n" + + + (algorithm == SymmetricKeyAlgorithm.NULL ? + "unencrypted" : + "encrypted with symmetric algorithm " + algorithm) + " which is not acceptable as per PGPainless' policy.\n" + "To mark this algorithm as acceptable, use PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy()."); } } - private void initOnePassSignatures(@Nonnull PGPOnePassSignatureList onePassSignatureList) throws PGPException { + private void initOnePassSignatures(@Nonnull PGPOnePassSignatureList onePassSignatureList) + throws PGPException { Iterator iterator = onePassSignatureList.iterator(); if (!iterator.hasNext()) { throw new PGPException("Verification failed - No OnePassSignatures found"); @@ -545,14 +570,16 @@ public final class DecryptionStreamFactory { processOnePassSignatures(iterator); } - private void processOnePassSignatures(Iterator signatures) throws PGPException { + private void processOnePassSignatures(Iterator signatures) + throws PGPException { while (signatures.hasNext()) { PGPOnePassSignature signature = signatures.next(); processOnePassSignature(signature); } } - private void processOnePassSignature(PGPOnePassSignature signature) throws PGPException { + private void processOnePassSignature(PGPOnePassSignature signature) + throws PGPException { final long keyId = signature.getKeyID(); LOGGER.debug("Encountered OnePassSignature from {}", Long.toHexString(keyId)); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java index 6ded10bb..a9948f1d 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java @@ -7,6 +7,7 @@ package org.pgpainless.decryption_verification; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; +import java.nio.charset.Charset; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -74,11 +75,11 @@ public final class MessageInspector { * * @param message OpenPGP message * @return encryption info - * @throws PGPException - * @throws IOException */ public static EncryptionInfo determineEncryptionInfoForMessage(String message) throws PGPException, IOException { - return determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes("UTF-8"))); + @SuppressWarnings("CharsetObjectCanBeUsed") + Charset charset = Charset.forName("UTF-8"); + return determineEncryptionInfoForMessage(new ByteArrayInputStream(message.getBytes(charset))); } /** @@ -87,8 +88,6 @@ public final class MessageInspector { * * @param dataIn openpgp message * @return encryption information - * @throws IOException - * @throws PGPException */ public static EncryptionInfo determineEncryptionInfoForMessage(InputStream dataIn) throws IOException, PGPException { InputStream decoded = ArmorUtils.getDecoderStream(dataIn); diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java index 44a4a468..33e6139b 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java @@ -93,7 +93,7 @@ public abstract class SignatureInputStream extends FilterInputStream { return read; } - public void parseAndCombineSignatures() throws IOException { + public void parseAndCombineSignatures() { if (objectFactory == null) { return; } @@ -117,7 +117,8 @@ public abstract class SignatureInputStream extends FilterInputStream { check.setSignature(signature); resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null), - new SignatureValidationException("Missing verification certificate " + Long.toHexString(signature.getKeyID()))); + new SignatureValidationException( + "Missing verification certificate " + Long.toHexString(signature.getKeyID()))); } } } @@ -150,13 +151,16 @@ public abstract class SignatureInputStream extends FilterInputStream { } try { - signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(opSignature.getSignature()); + signatureWasCreatedInBounds(options.getVerifyNotBefore(), + options.getVerifyNotAfter()).verify(opSignature.getSignature()); CertificateValidator.validateCertificateAndVerifyOnePassSignature(opSignature, policy); - resultBuilder.addVerifiedInbandSignature(new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey())); + resultBuilder.addVerifiedInbandSignature( + new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey())); } catch (SignatureValidationException e) { LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}", opSignature.getSigningKey(), e.getMessage(), e); - resultBuilder.addInvalidInbandSignature(new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()), e); + resultBuilder.addInvalidInbandSignature( + new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()), e); } } } @@ -165,13 +169,17 @@ public abstract class SignatureInputStream extends FilterInputStream { Policy policy = PGPainless.getPolicy(); for (DetachedSignatureCheck s : detachedSignatures) { try { - signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(s.getSignature()); - CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), policy); - resultBuilder.addVerifiedDetachedSignature(new SignatureVerification(s.getSignature(), s.getSigningKeyIdentifier())); + signatureWasCreatedInBounds(options.getVerifyNotBefore(), + options.getVerifyNotAfter()).verify(s.getSignature()); + CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(), + (PGPPublicKeyRing) s.getSigningKeyRing(), policy); + resultBuilder.addVerifiedDetachedSignature(new SignatureVerification(s.getSignature(), + s.getSigningKeyIdentifier())); } catch (SignatureValidationException e) { LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}", s.getSigningKeyIdentifier(), e.getMessage(), e); - resultBuilder.addInvalidDetachedSignature(new SignatureVerification(s.getSignature(), s.getSigningKeyIdentifier()), e); + resultBuilder.addInvalidDetachedSignature(new SignatureVerification(s.getSignature(), + s.getSigningKeyIdentifier()), e); } } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java index e7b0cb23..317b8cb2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java @@ -254,10 +254,7 @@ public final class EncryptionStream extends OutputStream { // One-Pass-Signatures are bracketed. That means we have to append the signatures in reverse order // compared to the one-pass-signature packets. - List signingKeys = new ArrayList<>(); - for (SubkeyIdentifier signingKey : signingOptions.getSigningMethods().keySet()) { - signingKeys.add(signingKey); - } + List signingKeys = new ArrayList<>(signingOptions.getSigningMethods().keySet()); for (int i = signingKeys.size() - 1; i >= 0; i--) { SubkeyIdentifier signingKey = signingKeys.get(i); SigningOptions.SigningMethod signingMethod = signingOptions.getSigningMethods().get(signingKey); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java index 318f7a05..af0051c8 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java @@ -18,6 +18,7 @@ import org.bouncycastle.util.encoders.Hex; * */ public abstract class OpenPgpFingerprint implements CharSequence, Comparable { + @SuppressWarnings("CharsetObjectCanBeUsed") protected static final Charset utf8 = Charset.forName("UTF-8"); protected final String fingerprint; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java index 3e1cadca..537bc255 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java @@ -54,6 +54,7 @@ import org.pgpainless.util.Passphrase; public class KeyRingBuilder implements KeyRingBuilderInterface { + @SuppressWarnings("CharsetObjectCanBeUsed") private final Charset UTF8 = Charset.forName("UTF-8"); private KeySpec primaryKeySpec; diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java index b62fa190..48efe25f 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java @@ -35,7 +35,7 @@ public interface KeyType { /** * Return the strength of the key in bits. - * @return + * @return strength of the key in bits */ int getBitStrength(); diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java index fd399eec..2d146f63 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java @@ -163,11 +163,9 @@ public class KeyRingInfo { // Subkey is hard revoked return false; } else { - if (!SignatureUtils.isSignatureExpired(revocation) - && revocation.getCreationTime().after(binding.getCreationTime())) { - // Key is soft-revoked, not yet re-bound - return false; - } + // Key is soft-revoked, not yet re-bound + return SignatureUtils.isSignatureExpired(revocation) + || !revocation.getCreationTime().after(binding.getCreationTime()); } } diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java index c7655134..435c9b90 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java @@ -48,7 +48,6 @@ public interface SecretKeyRingEditorInterface { * certification signature. * @param protector protector to unlock the primary secret key * @return the builder - * @throws PGPException */ SecretKeyRingEditorInterface addUserId( @Nonnull CharSequence userId, diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java index 6e900a95..5c347f75 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java @@ -29,6 +29,7 @@ public class KeyRingReader { public static final int MAX_ITERATIONS = 10000; + @SuppressWarnings("CharsetObjectCanBeUsed") public static final Charset UTF8 = Charset.forName("UTF-8"); public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream) throws IOException { @@ -141,7 +142,6 @@ public class KeyRingReader { * @param inputStream input stream * @param maxIterations max iterations before abort * @return public key ring collection - * @throws IOException */ public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations) throws IOException, PGPException { diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java index 3cd0a444..ca233759 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java @@ -112,7 +112,7 @@ public final class UserId implements CharSequence { } @Override - public CharSequence subSequence(int i, int i1) { + public @Nonnull CharSequence subSequence(int i, int i1) { return toString().subSequence(i, i1); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java index d31233e5..33bedfa2 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java @@ -195,7 +195,9 @@ public final class SignatureUtils { * @throws IOException if the signatures cannot be read */ public static List readSignatures(String encodedSignatures) throws IOException, PGPException { - byte[] bytes = encodedSignatures.getBytes(Charset.forName("UTF8")); + @SuppressWarnings("CharsetObjectCanBeUsed") + Charset utf8 = Charset.forName("UTF-8"); + byte[] bytes = encodedSignatures.getBytes(utf8); return readSignatures(bytes); } diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java index 9eaa70b4..08e496ac 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java @@ -114,7 +114,6 @@ public abstract class AbstractSignatureBuilderSequoia Test Suite - * @throws PGPException - * @throws IOException */ @Test - public void missingCRCInArmoredKeyDoesNotCauseException() throws PGPException, IOException { + public void missingCRCInArmoredKeyDoesNotCauseException() throws IOException { String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Bob's OpenPGP Transferable Secret Key\n" + "\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java index 7ca8592f..2bb20eb1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java @@ -79,7 +79,8 @@ public class CleartextSignatureVerificationTest { public static final Random random = new Random(); @Test - public void cleartextSignVerification_InMemoryMultiPassStrategy() throws IOException, PGPException { + public void cleartextSignVerification_InMemoryMultiPassStrategy() + throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); ConsumerOptions options = new ConsumerOptions() .addVerificationCert(signingKeys); @@ -104,7 +105,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void cleartextSignVerification_FileBasedMultiPassStrategy() throws IOException, PGPException { + public void cleartextSignVerification_FileBasedMultiPassStrategy() + throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); ConsumerOptions options = new ConsumerOptions() .addVerificationCert(signingKeys); @@ -135,7 +137,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void verifySignatureDetached() throws IOException, PGPException { + public void verifySignatureDetached() + throws IOException, PGPException { PGPPublicKeyRing signingKeys = TestKeys.getEmilPublicKeyRing(); PGPSignature signature = SignatureUtils.readSignatures(SIGNATURE).get(0); @@ -157,7 +160,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void testOutputOfSigVerification() throws IOException, PGPException { + public void testOutputOfSigVerification() + throws IOException, PGPException { PGPSignature signature = SignatureUtils.readSignatures(SIGNATURE).get(0); ConsumerOptions options = new ConsumerOptions() @@ -177,7 +181,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void consumingInlineSignedMessageWithCleartextSignedVerificationApiThrowsWrongConsumingMethodException() throws PGPException, IOException { + public void consumingInlineSignedMessageWithCleartextSignedVerificationApiThrowsWrongConsumingMethodException() + throws IOException { String inlineSignedMessage = "-----BEGIN PGP MESSAGE-----\n" + "Version: PGPainless\n" + "\n" + @@ -205,7 +210,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void getDecoderStreamMistakensPlaintextForBase64RegressionTest() throws PGPException, IOException { + public void getDecoderStreamMistakensPlaintextForBase64RegressionTest() + throws PGPException, IOException { String message = "Foo\nBar"; // PGPUtil.getDecoderStream() would mistaken this for base64 data ByteArrayInputStream msgIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)); @@ -236,7 +242,8 @@ public class CleartextSignatureVerificationTest { } @Test - public void testDecryptionOfVeryLongClearsignedMessage() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testDecryptionOfVeryLongClearsignedMessage() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { String message = randomString(28, 4000); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java index da00f7a0..7c44f307 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java @@ -30,6 +30,7 @@ import org.pgpainless.util.TestAllImplementations; public class DecryptAndVerifyMessageTest { // Don't use StandardCharsets.UTF8 because of Android API level. + @SuppressWarnings("CharsetObjectCanBeUsed") private static final Charset UTF8 = Charset.forName("UTF-8"); private PGPSecretKeyRing juliet; diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java index fc3f7163..c86a823c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PostponeDecryptionUsingKeyWithMissingPassphraseTest.java @@ -11,7 +11,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; -import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -120,7 +119,6 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { @Test public void missingPassphraseFirst() throws PGPException, IOException { SecretKeyRingProtector protector1 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { fail("Although the first PKESK is for k1, we should have skipped it and tried k2 first, which has passphrase available."); @@ -151,7 +149,6 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { public void missingPassphraseSecond() throws PGPException, IOException { SecretKeyRingProtector protector1 = SecretKeyRingProtector.unlockEachKeyWith(p1, k1); SecretKeyRingProtector protector2 = new CachingSecretKeyRingProtector(new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { fail("This callback should not get called, since the first PKESK is for k1, which has a passphrase available."); @@ -180,7 +177,6 @@ public class PostponeDecryptionUsingKeyWithMissingPassphraseTest { @Test public void messagePassphraseFirst() throws PGPException, IOException { SecretKeyPassphraseProvider provider = new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { fail("Since we provide a decryption passphrase, we should not try to decrypt any key."); diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java index 32592207..966e273f 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java @@ -51,6 +51,7 @@ import org.pgpainless.util.TestAllImplementations; public class EncryptDecryptTest { // Don't use StandardCharsets.UTF_8 because of Android API level. + @SuppressWarnings("CharsetObjectCanBeUsed") private static final Charset UTF8 = Charset.forName("UTF-8"); private static final String testMessage = diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java index 7a9aad29..2c96112c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java @@ -16,16 +16,11 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.junit.jupiter.api.Test; import org.pgpainless.PGPainless; import org.pgpainless.key.info.KeyRingInfo; -import org.pgpainless.key.util.KeyRingUtils; public class ConvertKeys { /** * This example demonstrates how to extract a public key certificate from a secret key. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test public void secretKeyToCertificate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { @@ -33,7 +28,7 @@ public class ConvertKeys { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId, null); // Extract certificate (public key) from secret key - PGPPublicKeyRing certificate = KeyRingUtils.publicKeyRingFrom(secretKey); + PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey); KeyRingInfo secretKeyInfo = PGPainless.inspectKeyRing(secretKey); diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java index 85266a31..d2f1113c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java @@ -98,9 +98,6 @@ public class Encrypt { /** * This example demonstrates how to encrypt and decrypt a message using a passphrase. * This method can be combined with public key based encryption and signing. - * - * @throws PGPException - * @throws IOException */ @Test public void encryptUsingPassphrase() throws PGPException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java index 4046ede6..f1211e9d 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java @@ -30,7 +30,6 @@ import org.pgpainless.key.generation.type.ecc.EllipticCurve; import org.pgpainless.key.generation.type.eddsa.EdDSACurve; import org.pgpainless.key.generation.type.rsa.RsaLength; import org.pgpainless.key.info.KeyRingInfo; -import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.UserId; import org.pgpainless.util.Passphrase; @@ -55,13 +54,10 @@ public class GenerateKeys { * encryption subkey. * * This is the recommended way to generate OpenPGP keys with PGPainless. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test - public void generateModernEcKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void generateModernEcKey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { // Define a primary user-id String userId = "gbaker@pgpainless.org"; // Set a password to protect the secret key @@ -70,10 +66,10 @@ public class GenerateKeys { PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId, password); // Extract public key - PGPPublicKeyRing publicKey = KeyRingUtils.publicKeyRingFrom(secretKey); + PGPPublicKeyRing publicKey = PGPainless.extractCertificate(secretKey); // Encode the public key to an ASCII armored string ready for sharing String asciiArmoredPublicKey = PGPainless.asciiArmor(publicKey); - + assertTrue(asciiArmoredPublicKey.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")); KeyRingInfo keyInfo = new KeyRingInfo(secretKey); assertEquals(3, keyInfo.getSecretKeys().size()); @@ -91,13 +87,10 @@ public class GenerateKeys { * The RSA key is used for both signing and certifying, as well as encryption. * * This method is recommended if the application has to deal with legacy clients with poor algorithm support. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test - public void generateSimpleRSAKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void generateSimpleRSAKey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { // Define a primary user-id String userId = "mpage@pgpainless.org"; // Set a password to protect the secret key @@ -118,13 +111,10 @@ public class GenerateKeys { * and a single ECDH encryption subkey. * * This method is recommended if small keys and high performance are desired. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test - public void generateSimpleECKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateSimpleECKey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { // Define a primary user-id String userId = "mhelms@pgpainless.org"; // Set a password to protect the secret key @@ -173,13 +163,10 @@ public class GenerateKeys { * {@link org.pgpainless.key.generation.KeyRingBuilder#setExpirationDate(Date)}. * Lastly you can decide whether to set a passphrase to protect the secret key using * {@link org.pgpainless.key.generation.KeyRingBuilder#setPassphrase(Passphrase)}. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test - public void generateCustomOpenPGPKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void generateCustomOpenPGPKey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { // Instead of providing a string, we can assemble a user-id by using the user-id builder. // The example below corresponds to "Morgan Carpenter (Pride!) " UserId userId = UserId.newBuilder() diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java index 821bf4ac..c9d16f65 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java @@ -90,8 +90,6 @@ public class ModifyKeys { /** * This example demonstrates how to change the passphrase of a secret key and all its subkeys. - * - * @throws PGPException */ @Test public void changePassphrase() throws PGPException { @@ -112,8 +110,6 @@ public class ModifyKeys { /** * This example demonstrates how to change the passphrase of a single subkey in a key to a new passphrase. * Only the passphrase of the targeted key will be changed. All other keys remain untouched. - * - * @throws PGPException */ @Test public void changeSingleSubkeyPassphrase() throws PGPException { @@ -138,8 +134,6 @@ public class ModifyKeys { /** * This example demonstrates how to add an additional user-id to a key. - * - * @throws PGPException */ @Test public void addUserId() throws PGPException { @@ -167,10 +161,6 @@ public class ModifyKeys { * manually. * * Once the subkey is added, it can be decrypted using the provided subkey passphrase. - * - * @throws PGPException - * @throws InvalidAlgorithmParameterException - * @throws NoSuchAlgorithmException */ @Test public void addSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { @@ -198,8 +188,6 @@ public class ModifyKeys { /** * This example demonstrates how to set a key expiration date. * The provided expiration date will be set on each user-id certification signature. - * - * @throws PGPException */ @Test public void setKeyExpirationDate() throws PGPException { @@ -223,8 +211,6 @@ public class ModifyKeys { /** * This example demonstrates how to revoke a user-id on a key. - * - * @throws PGPException */ @Test public void revokeUserId() throws PGPException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java index cc23725b..60256c06 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java @@ -22,8 +22,6 @@ public class ReadKeys { /** * This example demonstrates how to parse a public key (certificate) from an ASCII armored string. - * - * @throws IOException */ @Test public void readCertificate() throws IOException { @@ -55,12 +53,9 @@ public class ReadKeys { /** * This example demonstrates how to parse an ASCII armored secret key. - * - * @throws PGPException - * @throws IOException */ @Test - public void readSecretKey() throws PGPException, IOException { + public void readSecretKey() throws IOException { String key = "\n" + "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Comment: Alice's OpenPGP Transferable Secret Key\n" + @@ -93,10 +88,7 @@ public class ReadKeys { * This example demonstrates how to read a collection of multiple OpenPGP public keys (certificates) at once. * * Note, that a public key collection can both be a concatenation of public key blocks (like below), - * as well as a single public key block containing multiple public key packets. - * - * @throws PGPException - * @throws IOException + * and a single public key block containing multiple public key packets. */ @Test public void readKeyRingCollection() throws PGPException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java index ad3fc0d4..13185e37 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java @@ -46,9 +46,6 @@ public class Sign { /** * Demonstration of how to use the PGPainless API to sign some message using inband signatures. * The result is not human-readable, however the resulting text contains both the signed data and the signatures. - * - * @throws PGPException - * @throws IOException */ @Test public void inbandSignedMessage() throws PGPException, IOException { @@ -75,9 +72,6 @@ public class Sign { * A detached signature can be distributed alongside the message/file itself. * * The message/file doesn't need to be altered for detached signature creation. - * - * @throws PGPException - * @throws IOException */ @Test public void detachedSignedMessage() throws PGPException, IOException { @@ -113,9 +107,6 @@ public class Sign { * Demonstration of how to sign a text message in a way that keeps the message content * human-readable by utilizing the OpenPGP Cleartext Signature Framework. * The resulting message contains the original (dash-escaped) message and the signatures. - * - * @throws PGPException - * @throws IOException */ @Test public void cleartextSignedMessage() throws PGPException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java index f4716211..c6f227f3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java @@ -33,9 +33,6 @@ public class UnlockSecretKeys { /** * This example demonstrates how to create a {@link SecretKeyRingProtector} for unprotected secret keys. - * - * @throws PGPException - * @throws IOException */ @Test public void unlockUnprotectedKeys() throws PGPException, IOException { @@ -50,9 +47,6 @@ public class UnlockSecretKeys { /** * This example demonstrates how to create a {@link SecretKeyRingProtector} using a single passphrase to unlock * all secret subkeys of a key. - * - * @throws PGPException - * @throws IOException */ @Test public void unlockWholeKeyWithSamePassphrase() throws PGPException, IOException { @@ -68,9 +62,6 @@ public class UnlockSecretKeys { /** * This example demonstrates how to create a {@link SecretKeyRingProtector} that uses different * passphrases per subkey to unlock the secret keys. - * - * @throws PGPException - * @throws IOException */ @Test public void unlockWithPerSubkeyPassphrases() throws PGPException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java index 87cea724..b02b07c5 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java @@ -6,7 +6,6 @@ package org.pgpainless.key; import java.io.IOException; -import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.pgpainless.PGPainless; @@ -48,7 +47,7 @@ public class WeirdKeys { "=BlPm\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - public static PGPSecretKeyRing getTwoCryptSubkeysKey() throws IOException, PGPException { + public static PGPSecretKeyRing getTwoCryptSubkeysKey() throws IOException { return PGPainless.readKeyRing().secretKeyRing(TWO_CRYPT_SUBKEYS); } @@ -77,7 +76,7 @@ public class WeirdKeys { "=h6sT\n" + "-----END PGP PRIVATE KEY BLOCK-----\n"; - public static PGPSecretKeyRing getArchiveCommsSubkeysKey() throws IOException, PGPException { + public static PGPSecretKeyRing getArchiveCommsSubkeysKey() throws IOException { return PGPainless.readKeyRing().secretKeyRing(ARCHIVE_COMMS_SUBKEYS); } } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java index 4d6458ef..9a866d34 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java @@ -34,6 +34,7 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec; import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; +import org.pgpainless.util.Passphrase; public class KeyGenerationSubpacketsTest { @@ -105,13 +106,15 @@ public class KeyGenerationSubpacketsTest { } @Test - public void verifyDefaultSubpacketsForSubkeyBindingSignatures() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void verifyDefaultSubpacketsForSubkeyBindingSignatures() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); List keysBefore = info.getPublicKeys(); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .addSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build(), null, SecretKeyRingProtector.unprotectedKeys()) + .addSubKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).build(), + Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()) .done(); @@ -127,7 +130,8 @@ public class KeyGenerationSubpacketsTest { assertNotNull(bindingSig.getHashedSubPackets().getEmbeddedSignatures().get(0)); secretKeys = PGPainless.modifyKeyRing(secretKeys) - .addSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), null, + .addSubKey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS).build(), + Passphrase.emptyPassphrase(), new SelfSignatureSubpackets.Callback() { @Override public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java index 911427ca..16b338e7 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java @@ -213,7 +213,8 @@ public class KeyRingInfoTest { @TestTemplate @ExtendWith(TestAllImplementations.class) - public void testGetKeysWithFlagsAndExpiry() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { + public void testGetKeysWithFlagsAndExpiry() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java index 47e5f43f..afcf9c98 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubKeyTest.java @@ -16,7 +16,6 @@ import java.util.Iterator; import java.util.List; import org.bouncycastle.openpgp.PGPException; -import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKeyRing; @@ -32,8 +31,8 @@ import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.UnlockSecretKey; -import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestAllImplementations; public class AddSubKeyTest { @@ -67,7 +66,7 @@ public class AddSubKeyTest { PGPSecretKey subKey = secretKeys.getSecretKey(subKeyId); SecretKeyRingProtector protector = SecretKeyRingProtector.unlockEachKeyWith( Passphrase.fromPassword("subKeyPassphrase"), secretKeys); - PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(subKey, protector); + UnlockSecretKey.unlockSecretKey(subKey, protector); KeyRingInfo info = new KeyRingInfo(secretKeys); assertEquals(Collections.singletonList(KeyFlag.SIGN_DATA), info.getKeyFlagsOf(subKeyId)); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java index 4e1e5c18..e0fa2a01 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java @@ -36,7 +36,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; public class AddSubkeyWithModifiedBindingSignatureSubpackets { - public static long MILLIS_IN_SEC = 1000; + public static final long MILLIS_IN_SEC = 1000; @Test public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java index 0199bbc4..a0ea6984 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.java @@ -131,7 +131,7 @@ public class ChangeSecretKeyRingPassphraseTest { PGPSecretKey subKey = keys.next(); PGPSecretKeyRing secretKeys = PGPainless.modifyKeyRing(keyRing) - .changeSubKeyPassphraseFromOldPassphrase(primaryKey.getKeyID(), Passphrase.fromPassword("weakPassphrase")) + .changeSubKeyPassphraseFromOldPassphrase(subKey.getKeyID(), Passphrase.fromPassword("weakPassphrase")) .withSecureDefaultSettings() .toNoPassphrase() .done(); @@ -140,17 +140,17 @@ public class ChangeSecretKeyRingPassphraseTest { primaryKey = keys.next(); subKey = keys.next(); - extractPrivateKey(primaryKey, Passphrase.emptyPassphrase()); - extractPrivateKey(subKey, Passphrase.fromPassword("weakPassphrase")); + extractPrivateKey(primaryKey, Passphrase.fromPassword("weakPassphrase")); + extractPrivateKey(subKey, Passphrase.emptyPassphrase()); final PGPSecretKey finalPrimaryKey = primaryKey; assertThrows(PGPException.class, - () -> extractPrivateKey(finalPrimaryKey, Passphrase.fromPassword("weakPassphrase")), + () -> extractPrivateKey(finalPrimaryKey, Passphrase.emptyPassphrase()), "Unlocking the unprotected primary key with the old passphrase must fail."); final PGPSecretKey finalSubKey = subKey; assertThrows(PGPException.class, - () -> extractPrivateKey(finalSubKey, Passphrase.emptyPassphrase()), + () -> extractPrivateKey(finalSubKey, Passphrase.fromPassword("weakPassphrase")), "Unlocking the still protected subkey with an empty passphrase must fail."); } diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java index 8d459c33..72dfac71 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java @@ -31,7 +31,8 @@ import org.pgpainless.util.Passphrase; public class RefuseToAddWeakSubkeyTest { @Test - public void testEditorRefusesToAddWeakSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testEditorRefusesToAddWeakSubkey() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException { // ensure default policy is set PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy()); @@ -45,7 +46,8 @@ public class RefuseToAddWeakSubkeyTest { } @Test - public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { + public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException { PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() .modernKeyRing("Alice", null); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java index e281091d..68233c9b 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java @@ -35,6 +35,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection; import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPUtil; import org.junit.jupiter.api.Test; +import org.opentest4j.TestAbortedException; import org.pgpainless.PGPainless; import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.key.OpenPgpV4Fingerprint; @@ -46,9 +47,17 @@ import org.pgpainless.util.TestUtils; class KeyRingReaderTest { + private InputStream requireResource(String resourceName) { + InputStream inputStream = getClass().getClassLoader().getResourceAsStream(resourceName); + if (inputStream == null) { + throw new TestAbortedException("Cannot read resource " + resourceName); + } + return inputStream; + } + @Test public void assertThatPGPUtilsDetectAsciiArmoredData() throws IOException, PGPException { - InputStream inputStream = getClass().getClassLoader().getResourceAsStream("pub_keys_10_pieces.asc"); + InputStream inputStream = requireResource("pub_keys_10_pieces.asc"); InputStream possiblyArmored = PGPUtil.getDecoderStream(PGPUtil.getDecoderStream(inputStream)); @@ -59,7 +68,7 @@ class KeyRingReaderTest { @Test void publicKeyRingCollectionFromStream() throws IOException, PGPException { - InputStream inputStream = getClass().getClassLoader().getResourceAsStream("pub_keys_10_pieces.asc"); + InputStream inputStream = requireResource("pub_keys_10_pieces.asc"); PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(inputStream); assertEquals(10, rings.size()); } @@ -247,7 +256,7 @@ class KeyRingReaderTest { } @Test - public void testReadSecretKeyIgnoresMarkerPacket() throws PGPException, IOException { + public void testReadSecretKeyIgnoresMarkerPacket() throws IOException { String markerAndKey = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + "Version: PGPainless\n" + "Comment: Secret Key with prepended Marker Packet\n" + diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java index d843b9c2..6c103ea3 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java @@ -14,7 +14,6 @@ import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Iterator; import java.util.Random; -import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPKeyRing; @@ -32,7 +31,6 @@ public class CachingSecretKeyRingProtectorTest { // Dummy passphrase callback that returns the doubled key-id as passphrase private final SecretKeyPassphraseProvider dummyCallback = new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { long doubled = keyId * 2; diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java index 7a547740..a5030f74 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/SecretKeyRingProtectorTest.java @@ -16,7 +16,6 @@ import java.util.Iterator; import java.util.Map; import java.util.Random; import java.util.concurrent.ConcurrentHashMap; -import javax.annotation.Nullable; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPSecretKey; @@ -28,8 +27,8 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.pgpainless.PGPainless; import org.pgpainless.key.TestKeys; import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProvider; -import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.Passphrase; +import org.pgpainless.util.TestAllImplementations; public class SecretKeyRingProtectorTest { @@ -108,7 +107,6 @@ public class SecretKeyRingProtectorTest { passphraseMap.put(1L, Passphrase.emptyPassphrase()); CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector(passphraseMap, KeyRingProtectionSettings.secureDefaultSettings(), new SecretKeyPassphraseProvider() { - @Nullable @Override public Passphrase getPassphraseFor(Long keyId) { return Passphrase.fromPassword("missingP455w0rd"); diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java index 76a90915..07f65a59 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/UnprotectedKeysProtectorTest.java @@ -10,7 +10,7 @@ import org.junit.jupiter.api.Test; public class UnprotectedKeysProtectorTest { - private UnprotectedKeysProtector protector = new UnprotectedKeysProtector(); + private final UnprotectedKeysProtector protector = new UnprotectedKeysProtector(); @Test public void testKeyProtectorReturnsNullDecryptor() { diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java index 65351e64..19f8c5ac 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java @@ -86,7 +86,7 @@ public class OnePassSignatureBracketingTest { outerloop: while (true) { Object next = objectFactory.nextObject(); if (next == null) { - break outerloop; + break; } if (next instanceof PGPEncryptedDataList) { PGPEncryptedDataList encryptedDataList = (PGPEncryptedDataList) next; diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java index 881b804d..0b5d8f0c 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java @@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; @@ -59,13 +58,16 @@ public class ProofUtilTest { } @Test - public void testAddProof() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException, InterruptedException { + public void testAddProof() + throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { String userId = "Alice "; PGPSecretKeyRing secretKey = PGPainless.generateKeyRing() .modernKeyRing(userId, null); Thread.sleep(1000L); - secretKey = new ProofUtil() - .addProof(secretKey, SecretKeyRingProtector.unprotectedKeys(), new ProofUtil.Proof("xmpp:alice@pgpainless.org")); + secretKey = new ProofUtil().addProof( + secretKey, + SecretKeyRingProtector.unprotectedKeys(), + new ProofUtil.Proof("xmpp:alice@pgpainless.org")); KeyRingInfo info = PGPainless.inspectKeyRing(secretKey); PGPSignature signature = info.getLatestUserIdCertification(userId); diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java index fdb10672..ca7a06d1 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/GuessPreferredHashAlgorithmTest.java @@ -6,7 +6,6 @@ package org.pgpainless.util; import static org.junit.jupiter.api.Assertions.assertEquals; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.util.Collections; @@ -28,7 +27,8 @@ import org.pgpainless.key.util.OpenPgpKeyAttributeUtil; public class GuessPreferredHashAlgorithmTest { @Test - public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { + public void guessPreferredHashAlgorithmsAssumesHashAlgoUsedBySelfSig() + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA) diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java index 4346bd75..10907eca 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/WildcardKeyRingSelectionStrategyTest.java @@ -18,8 +18,10 @@ import org.pgpainless.util.selection.keyring.impl.Wildcard; public class WildcardKeyRingSelectionStrategyTest { - Wildcard.PubRingSelectionStrategy pubKeySelectionStrategy = new Wildcard.PubRingSelectionStrategy<>(); - Wildcard.SecRingSelectionStrategy secKeySelectionStrategy = new Wildcard.SecRingSelectionStrategy<>(); + private static final Wildcard.PubRingSelectionStrategy pubKeySelectionStrategy + = new Wildcard.PubRingSelectionStrategy<>(); + private static final Wildcard.SecRingSelectionStrategy secKeySelectionStrategy + = new Wildcard.SecRingSelectionStrategy<>(); @Test public void testStratAcceptsMatchingUIDsOnPubKey() throws IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java index 4de56a8a..2b5f8ebb 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java +++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/XmppKeyRingSelectionStrategyTest.java @@ -18,8 +18,10 @@ import org.pgpainless.util.selection.keyring.impl.XMPP; public class XmppKeyRingSelectionStrategyTest { - XMPP.PubRingSelectionStrategy pubKeySelectionStrategy = new XMPP.PubRingSelectionStrategy(); - XMPP.SecRingSelectionStrategy secKeySelectionStrategy = new XMPP.SecRingSelectionStrategy(); + private static final XMPP.PubRingSelectionStrategy pubKeySelectionStrategy = + new XMPP.PubRingSelectionStrategy(); + private static final XMPP.SecRingSelectionStrategy secKeySelectionStrategy = + new XMPP.SecRingSelectionStrategy(); @Test public void testMatchingXmppUIDAcceptedOnPubKey() throws IOException { diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java index 17ae436e..079f1062 100644 --- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java +++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java @@ -6,7 +6,6 @@ package org.pgpainless.weird_keys; import static org.junit.jupiter.api.Assertions.assertThrows; -import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; @@ -25,7 +24,8 @@ import org.pgpainless.key.util.KeyRingUtils; public class TestEncryptCommsStorageFlagsDifferentiated { @Test - public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException { + public void testThatEncryptionDifferentiatesBetweenPurposeKeyFlags() + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException { PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing() .setPrimaryKey(KeySpec.getBuilder( KeyType.RSA(RsaLength._3072), diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java index e79475ce..6a2c09f9 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java @@ -41,7 +41,7 @@ public class GenerateKeyImpl implements GenerateKey { } @Override - public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo, IOException { + public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo { Iterator userIdIterator = userIds.iterator(); if (!userIdIterator.hasNext()) { throw new SOPGPException.MissingArg("Missing user-id."); diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java index cdfa465c..c874b452 100644 --- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java +++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java @@ -25,7 +25,7 @@ import sop.operation.Verify; public class VerifyImpl implements Verify { - ConsumerOptions options = new ConsumerOptions(); + private final ConsumerOptions options = new ConsumerOptions(); @Override public Verify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption { diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java index dc2a047b..bbd8b976 100644 --- a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java +++ b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java @@ -9,7 +9,7 @@ import picocli.CommandLine; public class SOPExecutionExceptionHandler implements CommandLine.IExecutionExceptionHandler { @Override - public int handleExecutionException(Exception ex, CommandLine commandLine, CommandLine.ParseResult parseResult) throws Exception { + public int handleExecutionException(Exception ex, CommandLine commandLine, CommandLine.ParseResult parseResult) { int exitCode = commandLine.getExitCodeExceptionMapper() != null ? commandLine.getExitCodeExceptionMapper().getExitCode(ex) : commandLine.getCommandSpec().exitCodeOnExecutionException(); diff --git a/sop-java/src/main/java/sop/util/HexUtil.java b/sop-java/src/main/java/sop/util/HexUtil.java index a70346e2..9b88f53d 100644 --- a/sop-java/src/main/java/sop/util/HexUtil.java +++ b/sop-java/src/main/java/sop/util/HexUtil.java @@ -14,8 +14,8 @@ public class HexUtil { * * @see * How to convert a byte array to a hex string in Java? - * @param bytes - * @return + * @param bytes bytes + * @return hex encoding */ public static String bytesToHex(byte[] bytes) { char[] hexChars = new char[bytes.length * 2]; diff --git a/sop-java/src/main/java/sop/util/ProxyOutputStream.java b/sop-java/src/main/java/sop/util/ProxyOutputStream.java index 516d7c92..0559e8f4 100644 --- a/sop-java/src/main/java/sop/util/ProxyOutputStream.java +++ b/sop-java/src/main/java/sop/util/ProxyOutputStream.java @@ -13,7 +13,7 @@ import java.io.OutputStream; * At that point, first all the buffered data is being written to the underlying stream, followed by any successive * data that may get written to the {@link ProxyOutputStream}. * - * This class is useful if we need to provide an {@link OutputStream} at one point in time where the final + * This class is useful if we need to provide an {@link OutputStream} at one point in time when the final * target output stream is not yet known. */ public class ProxyOutputStream extends OutputStream { diff --git a/sop-java/src/main/java/sop/util/UTCUtil.java b/sop-java/src/main/java/sop/util/UTCUtil.java index 646ef25b..8ef7e773 100644 --- a/sop-java/src/main/java/sop/util/UTCUtil.java +++ b/sop-java/src/main/java/sop/util/UTCUtil.java @@ -14,8 +14,8 @@ import java.util.TimeZone; */ public class UTCUtil { - public static SimpleDateFormat UTC_FORMATTER = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); - public static SimpleDateFormat[] UTC_PARSERS = new SimpleDateFormat[] { + public static final SimpleDateFormat UTC_FORMATTER = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); + public static final SimpleDateFormat[] UTC_PARSERS = new SimpleDateFormat[] { UTC_FORMATTER, new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssX"), new SimpleDateFormat("yyyyMMdd'T'HHmmss'Z'"), @@ -38,6 +38,7 @@ public class UTCUtil { try { return parser.parse(dateString); } catch (ParseException e) { + // Try next parser } } return null; diff --git a/sop-java/src/test/java/sop/util/HexUtilTest.java b/sop-java/src/test/java/sop/util/HexUtilTest.java index c8f32ee9..54fc21de 100644 --- a/sop-java/src/test/java/sop/util/HexUtilTest.java +++ b/sop-java/src/test/java/sop/util/HexUtilTest.java @@ -18,6 +18,7 @@ import org.junit.jupiter.api.Test; */ public class HexUtilTest { + @SuppressWarnings("CharsetObjectCanBeUsed") private static final Charset ASCII = Charset.forName("US-ASCII"); @Test From b1bde161b4c365d7c088b61864e0b717d8c9f843 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 28 Dec 2021 13:53:25 +0100 Subject: [PATCH 0245/1450] Fix typos and wording --- CHANGELOG.md | 4 +-- README.md | 2 +- SECURITY.md | 2 +- pgpainless-core/README.md | 4 +-- .../algorithm/EncryptionPurpose.java | 4 +-- .../org/pgpainless/algorithm/Feature.java | 2 +- .../algorithm/PublicKeyAlgorithm.java | 4 +-- .../algorithm/SignatureSubpacket.java | 26 +++++++++---------- .../algorithm/SymmetricKeyAlgorithm.java | 4 +-- .../OpenPgpMetadata.java | 2 +- .../SignatureVerification.java | 2 +- .../MultiPassStrategy.java | 4 +-- .../encryption_signing/EncryptionOptions.java | 2 +- .../encryption_signing/ProducerOptions.java | 2 +- .../encryption_signing/SigningOptions.java | 12 ++++----- .../key/generation/type/KeyType.java | 2 +- .../org/pgpainless/key/info/KeyAccessor.java | 2 +- .../org/pgpainless/key/info/KeyRingInfo.java | 6 ++--- .../SecretKeyRingEditorInterface.java | 4 +-- .../CachingSecretKeyRingProtector.java | 2 +- .../protection/SecretKeyRingProtector.java | 4 +-- .../org/pgpainless/key/util/KeyRingUtils.java | 2 +- .../key/util/RevocationAttributes.java | 2 +- .../java/org/pgpainless/policy/Policy.java | 2 +- .../pgpainless/signature/SignatureUtils.java | 6 ++--- .../consumer/DetachedSignatureCheck.java | 2 +- .../pgpainless/signature/consumer/README.md | 2 +- .../signature/consumer/SignaturePicker.java | 22 ++++++++-------- .../consumer/SignatureValidityComparator.java | 2 +- .../SignatureSubpacketGeneratorUtil.java | 2 +- .../subpackets/SignatureSubpacketsUtil.java | 4 +-- .../java/org/pgpainless/util/DateUtil.java | 4 +-- ...artialLengthLiteralDataRegressionTest.java | 2 +- .../CleartextSignatureVerificationTest.java | 2 +- .../org/pgpainless/example/GenerateKeys.java | 12 ++++----- .../org/pgpainless/example/ManagePolicy.java | 2 +- .../org/pgpainless/example/ModifyKeys.java | 2 +- .../cli/picocli/commands/DecryptCmdTest.java | 4 +-- .../src/main/java/sop/ReadyWithResult.java | 2 +- sop-java/src/main/java/sop/Verification.java | 2 +- 40 files changed, 87 insertions(+), 87 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91abf04b..2937a90c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog ## 1.0.0-rc9 -- When key has both direct-key sig + primary user-id sig: resolve expiration date to earliest expiration +- When key has both direct-key sig + primary user-id sig: resolve expiration date to the earliest expiration - Add `SecretKeyRingEditor.removeUserId()` convenience methods that do soft-revoke the user-id. - Add `SelectUserId.byEmail()` which also matches the plain email address @@ -110,7 +110,7 @@ SPDX-License-Identifier: CC0-1.0 ## 0.2.16 - Fix handling of subkey revocation signatures -- SOP: improve API use with byte arrays +- SOP: improve API usage with byte arrays - Fix `AssertionError` when determining encryption subkeys from set containing unbound key - Add `ConsumerOptions.setMissingKeyPassphraseStrategy(strategy)` to modify behavior when missing key passphrases are encountered during decryption diff --git a/README.md b/README.md index d7b5a61a..6687caa3 100644 --- a/README.md +++ b/README.md @@ -185,7 +185,7 @@ dependencies { ## About PGPainless is a by-product of my [Summer of Code 2018 project](https://blog.jabberhead.tk/summer-of-code-2018/) implementing OpenPGP support for the XMPP client library [Smack](https://github.com/igniterealtime/Smack). -For that project I was in need of a simple to use OpenPGP library. +For that project I was in need of a simple-to-use OpenPGP library. Originally I was going to use [Bouncy-GPG](https://github.com/neuhalje/bouncy-gpg) for my project, but ultimately I decided to create my own OpenPGP library which better fits my needs. diff --git a/SECURITY.md b/SECURITY.md index cefcc181..2448191a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -19,7 +19,7 @@ currently being supported with security updates. ## Reporting a Vulnerability -If you find a security relevant vulnerability inside of PGPainless, please let me know! +If you find a security relevant vulnerability inside PGPainless, please let me know! [Here](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A) you can find my OpenPGP key to email me confidentially. Valid security issues will be fixed ASAP. diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md index 82a7fcf0..091722b8 100644 --- a/pgpainless-core/README.md +++ b/pgpainless-core/README.md @@ -19,7 +19,7 @@ In short: Communication protected using PGPainless is intended to be private, users can verify that messages they receive were really send by their communication peer and users can verify that messages have not been tampered with. -This is being achieved by preventing a number of typical attacks on the users communication, +This is being achieved by preventing a number of typical attacks on the user's communication, like the attacker introducing an evil subkey to the victims public key, or the attacker creating counterfeit signatures to fool the victim. @@ -33,7 +33,7 @@ through a benign client application (like an email app) on a trustworthy device. The attacker can try to feed the application malicious input (like manipulated public key updates, specially crafted PGP message objects etc.) but they cannot access the victims decrypted secret key material as -it is protected by the device (eg. stored in a secure key store). +it is protected by the device (e.g. stored in a secure key store). ### What doesn't PGPainless Protect Against? diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java index 30aa9a0f..5eda30c0 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/EncryptionPurpose.java @@ -7,12 +7,12 @@ package org.pgpainless.algorithm; public enum EncryptionPurpose { /** * The stream will encrypt communication that goes over the wire. - * Eg. EMail, Chat... + * E.g. EMail, Chat... */ COMMUNICATIONS, /** * The stream will encrypt data at rest. - * Eg. Encrypted backup... + * E.g. Encrypted backup... */ STORAGE, /** diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java index 27837b09..9ec7e362 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java @@ -40,7 +40,7 @@ public enum Feature { /** * If a key announces this feature, it is a version 5 public key. * The version 5 format is similar to the version 4 format except for the addition of a count for the key material. - * This count helps parsing secret key packets (which are an extension of the public key packet format) in the case + * This count helps to parse secret key packets (which are an extension of the public key packet format) in the case * of an unknown algorithm. * In addition, fingerprints of version 5 keys are calculated differently from version 4 keys. * diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java index 2069b2c9..fcb1801c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java @@ -124,7 +124,7 @@ public enum PublicKeyAlgorithm { /** * Return true if this public key algorithm is able to create signatures. * - * @return true if can sign + * @return true if the algorithm can sign */ public boolean isSigningCapable() { return signingCapable; @@ -133,7 +133,7 @@ public enum PublicKeyAlgorithm { /** * Return true if this public key algorithm can be used as an encryption algorithm. * - * @return true if can encrypt + * @return true if the algorithm can encrypt */ public boolean isEncryptionCapable() { return encryptionCapable; diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java index 96c2e76f..e3a754ae 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java @@ -63,7 +63,7 @@ public enum SignatureSubpacket { signatureExpirationTime(EXPIRE_TIME), /** - * Denotes whether or not the signature is exportable for other users. + * Denotes whether the signature is exportable for other users. * * @see Exportable Certification */ @@ -73,7 +73,7 @@ public enum SignatureSubpacket { * Signer asserts that the key is not only valid but also trustworthy at * the specified level. Level 0 has the same meaning as an ordinary * validity signature. Level 1 means that the signed key is asserted to - * be a valid trusted introducer, with the 2nd octet of the body + * be a valid, trusted introducer, with the 2nd octet of the body * specifying the degree of trust. Level 2 means that the signed key is * asserted to be trusted to issue level 1 trust signatures, i.e., that * it is a "meta introducer". Generally, a level n trust signature @@ -128,8 +128,8 @@ public enum SignatureSubpacket { placeholder(PLACEHOLDER), /** - * Symmetric algorithm numbers that indicate which algorithms the key - * holder prefers to use. The subpacket body is an ordered list of + * Symmetric algorithm numbers that indicate which algorithms the keyholder + * prefers to use. The subpackets body is an ordered list of * octets with the most preferred listed first. It is assumed that only * algorithms listed are supported by the recipient's software. * This is only found on a self-signature. @@ -180,7 +180,7 @@ public enum SignatureSubpacket { /** * Message digest algorithm numbers that indicate which algorithms the - * key holder prefers to receive. Like the preferred symmetric + * keyholder prefers to receive. Like the preferred symmetric * algorithms, the list is ordered. * This is only found on a self-signature. * @@ -189,10 +189,10 @@ public enum SignatureSubpacket { preferredHashAlgorithms(PREFERRED_HASH_ALGS), /** - * Compression algorithm numbers that indicate which algorithms the key - * holder prefers to use. Like the preferred symmetric algorithms, the + * Compression algorithm numbers that indicate which algorithms the + * keyholder prefers to use. Like the preferred symmetric algorithms, the * list is ordered. If this subpacket is not included, ZIP is preferred. - * A zero denotes that uncompressed data is preferred; the key holder's + * A zero denotes that uncompressed data is preferred; the keyholder's * software might have no compression software in that implementation. * This is only found on a self-signature. * @@ -202,7 +202,7 @@ public enum SignatureSubpacket { /** * This is a list of one-bit flags that indicate preferences that the - * key holder has about how the key is handled on a key server. All + * keyholder has about how the key is handled on a key server. All * undefined flags MUST be zero. * This is found only on a self-signature. * @@ -211,7 +211,7 @@ public enum SignatureSubpacket { keyServerPreferences(KEY_SERVER_PREFS), /** - * This is a URI of a key server that the key holder prefers be used for + * This is a URI of a key server that the keyholder prefers be used for * updates. Note that keys with multiple User IDs can have a preferred * key server for each User ID. Note also that since this is a URI, the * key server can actually be a copy of the key retrieved by ftp, http, @@ -345,8 +345,8 @@ public enum SignatureSubpacket { issuerFingerprint(ISSUER_FINGERPRINT), /** - * AEAD algorithm numbers that indicate which AEAD algorithms the key - * holder prefers to use. The subpacket body is an ordered list of + * AEAD algorithm numbers that indicate which AEAD algorithms the + * keyholder prefers to use. The subpackets body is an ordered list of * octets with the most preferred listed first. It is assumed that only * algorithms listed are supported by the recipient's software. * This is only found on a self-signature. @@ -363,7 +363,7 @@ public enum SignatureSubpacket { * it SHOULD be considered valid only in an encrypted context, where the * key it was encrypted to is one of the indicated primary keys, or one * of their subkeys. This can be used to prevent forwarding a signature - * outside of its intended, encrypted context. + * outside its intended, encrypted context. * * Note that the length N of the fingerprint for a version 4 key is 20 * octets; for a version 5 key N is 32. diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java index 43c327cc..dcbf34cf 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java +++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java @@ -34,12 +34,12 @@ public enum SymmetricKeyAlgorithm { TRIPLE_DES (SymmetricKeyAlgorithmTags.TRIPLE_DES), /** - * CAST5 (128 bit key, as per RFC2144). + * CAST5 (128-bit key, as per RFC2144). */ CAST5 (SymmetricKeyAlgorithmTags.CAST5), /** - * Blowfish (128 bit key, 16 rounds). + * Blowfish (128-bit key, 16 rounds). */ BLOWFISH (SymmetricKeyAlgorithmTags.BLOWFISH), diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java index c0d8284f..7c589c2c 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java @@ -87,7 +87,7 @@ public class OpenPgpMetadata { /** * Return the {@link SubkeyIdentifier} of the key that was used to decrypt the message. * This can be null if the message was decrypted using a {@link org.pgpainless.util.Passphrase}, or if it was not - * encrypted at all (eg. signed only). + * encrypted at all (e.g. signed only). * * @return subkey identifier of decryption key */ diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java index 7ccd6129..4a810eb9 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureVerification.java @@ -80,7 +80,7 @@ public class SignatureVerification { } /** - * Return the verification (tuple of {@link PGPSignature} and corresponding {@link SubkeyIdentifier} + * Return the verification (tuple of {@link PGPSignature} and corresponding {@link SubkeyIdentifier}) * of the signing/verification key. * * @return verification diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java index ab5781ca..688105a1 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java +++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java @@ -13,7 +13,7 @@ import java.io.OutputStream; /** * Since the {@link CleartextSignatureProcessor} needs to read the whole data twice in order to verify signatures, * a strategy for how to cache the read data is required. - * Otherwise large data kept in memory could cause {@link OutOfMemoryError OutOfMemoryErrors} or other issues. + * Otherwise, large data kept in memory could cause {@link OutOfMemoryError OutOfMemoryErrors} or other issues. * * This is an Interface that describes a strategy to deal with the fact that detached signatures require multiple passes * to do verification. @@ -46,7 +46,7 @@ public interface MultiPassStrategy { /** * Write the message content out to a file and re-read it to verify signatures. - * This strategy is best suited for larger messages (eg. plaintext signed files) which might not fit into memory. + * This strategy is best suited for larger messages (e.g. plaintext signed files) which might not fit into memory. * After the message has been processed completely, the messages content are available at the provided file. * * @param file target file diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java index 705389d1..ed748e3e 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java @@ -47,7 +47,7 @@ import org.pgpainless.util.Passphrase; * by inspecting the provided recipient keys. * * By default, PGPainless will only encrypt to a single encryption capable subkey per recipient key. - * This behavior can be changed, eg. by calling + * This behavior can be changed, e.g. by calling * 
  * {@code
  * opt.addRecipient(aliceKey, EncryptionOptions.encryptToAllCapableSubkeys());
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 91e976a1..94b7f0ce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -84,7 +84,7 @@ public final class ProducerOptions {
     }
 
     /**
-     * Specify, whether or not the result of the encryption/signing operation shall be ascii armored.
+     * Specify, whether the result of the encryption/signing operation shall be ascii armored.
      * The default value is true.
      *
      * @param asciiArmor ascii armor
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 1ef1bc4c..45b9f521 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -224,8 +224,8 @@ public final class SigningOptions {
     /**
      * Create a detached signature.
      * Detached signatures are not being added into the PGP message itself.
-     * Instead they can be distributed separately to the message.
-     * Detached signatures are useful if the data that is being signed shall not be modified (eg. when signing a file).
+     * Instead, they can be distributed separately to the message.
+     * Detached signatures are useful if the data that is being signed shall not be modified (e.g. when signing a file).
      *
      * @param secretKeyDecryptor decryptor to unlock the secret signing key
      * @param secretKey signing key
@@ -243,8 +243,8 @@ public final class SigningOptions {
     /**
      * Create a detached signature.
      * Detached signatures are not being added into the PGP message itself.
-     * Instead they can be distributed separately to the message.
-     * Detached signatures are useful if the data that is being signed shall not be modified (eg. when signing a file).
+     * Instead, they can be distributed separately to the message.
+     * Detached signatures are useful if the data that is being signed shall not be modified (e.g. when signing a file).
      *
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
@@ -266,8 +266,8 @@ public final class SigningOptions {
     /**
      * Create a detached signature.
      * Detached signatures are not being added into the PGP message itself.
-     * Instead they can be distributed separately to the message.
-     * Detached signatures are useful if the data that is being signed shall not be modified (eg. when signing a file).
+     * Instead, they can be distributed separately to the message.
+     * Detached signatures are useful if the data that is being signed shall not be modified (e.g. when signing a file).
      *
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java
index 48efe25f..191a22f7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/type/KeyType.java
@@ -70,7 +70,7 @@ public interface KeyType {
      * Return true if the key that is generated from this type is able to carry the AUTHENTICATION key flag.
      * See {@link org.pgpainless.algorithm.KeyFlag#AUTHENTICATION}.
      *
-     * @return true if the key is able to be used for authentication purposes.
+     * @return true if the key can be used for authentication purposes.
      */
     default boolean canAuthenticate() {
         return canSign();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
index c27d3531..bcdac8b6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
@@ -64,7 +64,7 @@ public abstract class KeyAccessor {
     }
 
     /**
-     * Address the key via a user-id (eg "Alice <alice@wonderland.lit>).
+     * Address the key via a user-id (e.g. "Alice <alice@wonderland.lit>").
      * In this case we are sourcing preferred algorithms from the user-id certification first.
      */
     public static class ViaUserId extends KeyAccessor {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 2d146f63..56737b39 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -490,7 +490,7 @@ public class KeyRingInfo {
     }
 
     /**
-     * Return the a list of {@link KeyFlag KeyFlags} that apply to the subkey with the provided key id.
+     * Return a list of {@link KeyFlag KeyFlags} that apply to the subkey with the provided key id.
      * @param keyId key-id
      * @return list of key flags
      */
@@ -734,11 +734,11 @@ public class KeyRingInfo {
 
     /**
      * Return the latest date on which  the key ring is still usable for the given key flag.
-     * If a only a subkey is carrying the required flag and the primary key expires earlier than the subkey,
+     * If only a subkey is carrying the required flag and the primary key expires earlier than the subkey,
      * the expiry date of the primary key is returned.
      *
      * This method might return null, if the primary key and a subkey with the required flag does not expire.
-     * @param use key flag representing the use case, eg. {@link KeyFlag#SIGN_DATA} or
+     * @param use key flag representing the use case, e.g. {@link KeyFlag#SIGN_DATA} or
      * {@link KeyFlag#ENCRYPT_COMMS}/{@link KeyFlag#ENCRYPT_STORAGE}.
      * @return latest date on which the key ring can be used for the given use case, or null if it can be used indefinitely.
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
index 435c9b90..e999a163 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
@@ -175,7 +175,7 @@ public interface SecretKeyRingEditorInterface {
     /**
      * Revoke the key ring.
      * You can use the {@link RevocationSignatureSubpackets.Callback} to modify the revocation signatures
-     * subpackets, eg. in order to define whether this is a hard or soft revocation.
+     * subpackets, e.g. in order to define whether this is a hard or soft revocation.
      *
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param subpacketsCallback callback to modify the revocations subpackets
@@ -192,7 +192,7 @@ public interface SecretKeyRingEditorInterface {
      *
      * Note: This method will hard-revoke the provided subkey, meaning it cannot be re-certified at a later point.
      * If you instead want to temporarily "deactivate" the subkey, provide a soft revocation reason,
-     * eg. by calling {@link #revokeSubKey(OpenPgpFingerprint, SecretKeyRingProtector, RevocationAttributes)}
+     * e.g. by calling {@link #revokeSubKey(OpenPgpFingerprint, SecretKeyRingProtector, RevocationAttributes)}
      * and provide a suitable {@link RevocationAttributes} object.
      *
      * @param fingerprint fingerprint of the subkey to be revoked
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java
index d5b05613..8cdb3efb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/CachingSecretKeyRingProtector.java
@@ -90,7 +90,7 @@ public class CachingSecretKeyRingProtector implements SecretKeyRingProtector, Se
      * This is to prevent accidental passphrase override when dealing with multiple key rings containing
      * keys with conflicting key-ids.
      *
-     * If you can ensure that there will be no key-id clashes and you want to replace the passphrases for the key ring,
+     * If you can ensure that there will be no key-id clashes, and you want to replace the passphrases for the key ring,
      * use {@link #replacePassphrase(PGPKeyRing, Passphrase)} instead.
      *
      * If you need to unlock multiple {@link PGPKeyRing PGPKeyRings}, it is advised to use a separate
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
index a77e4486..2709b143 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
@@ -116,7 +116,7 @@ public interface SecretKeyRingProtector {
      * This protector will only return a non-null encryptor/decryptor based on the provided passphrase if
      * {@link #getEncryptor(Long)}/{@link #getDecryptor(Long)} is getting called with the key-id of the provided key.
      *
-     * Otherwise this protector will always return null.
+     * Otherwise, this protector will always return null.
      *
      * @param passphrase passphrase
      * @param key key to lock/unlock
@@ -137,7 +137,7 @@ public interface SecretKeyRingProtector {
      *
      * As a consequence, this protector can only "unlock" keys which are not protected using a passphrase, and it will
      * leave keys unprotected, should it be used to "protect" a key
-     * (eg. in {@link org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor#changePassphraseFromOldPassphrase(Passphrase)}).
+     * (e.g. in {@link org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor#changePassphraseFromOldPassphrase(Passphrase)}).
      *
      * @return protector
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 400414c2..af06928e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -135,7 +135,7 @@ public final class KeyRingUtils {
      * @param protector protector to unlock the secret key
      * @return private key
      *
-     * @throws PGPException if something goes wrong (eg. wrong passphrase)
+     * @throws PGPException if something goes wrong (e.g. wrong passphrase)
      */
     public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, SecretKeyRingProtector protector) throws PGPException {
         return UnlockSecretKey.unlockSecretKey(secretKey, protector);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java
index d545e5e4..60a02fea 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/RevocationAttributes.java
@@ -157,7 +157,7 @@ public final class RevocationAttributes {
     }
 
     /**
-     * Build a {@link RevocationAttributes} object suitable for certification (eg. user-id) revocations.
+     * Build a {@link RevocationAttributes} object suitable for certification (e.g. user-id) revocations.
      *
      * @return builder
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 7bbb131a..85948546 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -304,7 +304,7 @@ public final class Policy {
         }
 
         /**
-         * Return true if the the given hash algorithm is acceptable by this policy.
+         * Return true if the given hash algorithm is acceptable by this policy.
          *
          * @param algorithmId hash algorithm
          * @return true if the hash algorithm is acceptable, false otherwise
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 33bedfa2..96429da1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -76,7 +76,7 @@ public final class SignatureUtils {
     /**
      * Return a content signer builder for the passed public key.
      *
-     * The content signer will use a hash algorithm derived from the keys algorithm preferences.
+     * The content signer will use a hash algorithm derived from the keys' algorithm preferences.
      * If no preferences can be derived, the key will fall back to the default hash algorithm as set in
      * the {@link org.pgpainless.policy.Policy}.
      *
@@ -123,7 +123,7 @@ public final class SignatureUtils {
     /**
      * Return a new date which represents the given date plus the given amount of seconds added.
      *
-     * Since '0' is a special value in the OpenPGP specification when it comes to dates
+     * Since '0' is a special date value in the OpenPGP specification
      * (e.g. '0' means no expiration for expiration dates), this method will return 'null' if seconds is 0.
      *
      * @param date date
@@ -271,7 +271,7 @@ public final class SignatureUtils {
      * This method first inspects the {@link IssuerKeyID} subpacket of the signature and returns the key-id if present.
      * If not, it inspects the {@link org.bouncycastle.bcpg.sig.IssuerFingerprint} packet and retrieves the key-id from the fingerprint.
      *
-     * Otherwise it returns 0.
+     * Otherwise, it returns 0.
      * @param signature signature
      * @return signatures issuing key id
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
index c667e3e8..1f6114bb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
@@ -11,7 +11,7 @@ import org.pgpainless.key.SubkeyIdentifier;
 
 /**
  * Tuple-class which bundles together a signature, the signing key that created the signature,
- * an identifier of the signing key and a record of whether or not the signature was verified.
+ * an identifier of the signing key and a record of whether the signature was verified.
  */
 public class DetachedSignatureCheck {
     private final PGPSignature signature;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md
index 5af3ccd9..b39097ec 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/README.md
@@ -14,7 +14,7 @@ therefore let me quickly outline some of its challenges for you:
 
 A signature is either valid or it is not.
 However, signature validity goes beyond merely checking the cryptographic correctness like BouncyCastle does.
-A signature that is correct can still be invalid, eg. if it is past its expiry date
+A signature that is correct can still be invalid, e.g. if it is past its expiry date
 or the key that issued the signature got revoked or is simply not a signing key in the first place.
 
 All the little criteria like "is not expired", "has a hashed signature creation time subpacket",
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index 511261fa..ee6dfc89 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -38,7 +38,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validation date most recent valid key revocation signature.
+     * Pick the at validation date most recent valid key revocation signature.
      * If there are hard revocation signatures, the latest hard revocation sig is picked, even if it was created after
      * validationDate or if it is already expired.
      *
@@ -65,7 +65,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate most recent, valid direct key signature.
+     * Pick the at validationDate most recent, valid direct key signature.
      * This method might return null, if there is no direct key self-signature which is valid at validationDate.
      *
      * @param keyRing key ring
@@ -78,7 +78,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate, latest, valid direct key signature made by signingKey on signedKey.
+     * Pick the at validationDate, latest, valid direct key signature made by signingKey on signedKey.
      * This method might return null, if there is no direct key self signature which is valid at validationDate.
      *
      * @param signingKey key that created the signature
@@ -104,7 +104,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate, latest direct key signature.
+     * Pick the at validationDate latest direct key signature.
      * This method might return an expired signature.
      * If there are more than one direct-key signature, and some of those are not expired, the latest non-expired
      * yet already effective direct-key signature will be returned.
@@ -119,7 +119,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate, latest direct key signature made by signingKey on signedKey.
+     * Pick the at validationDate latest direct key signature made by signingKey on signedKey.
      * This method might return an expired signature.
      * If a non-expired direct-key signature exists, the latest non-expired yet already effective direct-key
      * signature will be returned.
@@ -154,7 +154,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate most recent, valid user-id revocation signature.
+     * Pick the at validationDate most recent, valid user-id revocation signature.
      * If there are hard revocation signatures, the latest hard revocation sig is picked, even if it was created after
      * validationDate or if it is already expired.
      *
@@ -182,7 +182,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate latest, valid certification self-signature for the given user-id.
+     * Pick the at validationDate latest, valid certification self-signature for the given user-id.
      * This method might return null, if there is no certification self signature for that user-id which is valid
      * at validationDate.
      *
@@ -213,7 +213,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate latest certification self-signature for the given user-id.
+     * Pick the at validationDate latest certification self-signature for the given user-id.
      * This method might return an expired signature.
      * If a non-expired user-id certification signature exists, the latest non-expired yet already effective
      * user-id certification signature for the given user-id will be returned.
@@ -250,7 +250,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate most recent, valid subkey revocation signature.
+     * Pick the at validationDate most recent, valid subkey revocation signature.
      * If there are hard revocation signatures, the latest hard revocation sig is picked, even if it was created after
      * validationDate or if it is already expired.
      *
@@ -282,7 +282,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate latest, valid subkey binding signature for the given subkey.
+     * Pick the at validationDate latest, valid subkey binding signature for the given subkey.
      * This method might return null, if there is no subkey binding signature which is valid
      * at validationDate.
      *
@@ -314,7 +314,7 @@ public final class SignaturePicker {
     }
 
     /**
-     * Pick the, at validationDate latest subkey binding signature for the given subkey.
+     * Pick the at validationDate latest subkey binding signature for the given subkey.
      * This method might return an expired signature.
      * If a non-expired subkey binding signature exists, the latest non-expired yet already effective
      * subkey binding signature for the given subkey will be returned.
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java
index 02558339..4b93cf2b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidityComparator.java
@@ -21,7 +21,7 @@ public class SignatureValidityComparator implements Comparator {
     private final SignatureCreationDateComparator creationDateComparator;
 
     /**
-     * Create a new {@link SignatureValidityComparator} which orders signatures oldest first.
+     * Create a new {@link SignatureValidityComparator} which orders signatures the oldest first.
      * Still, hard revocations will come first.
      */
     public SignatureValidityComparator() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
index 137e5508..8fc02e7f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
@@ -12,7 +12,7 @@ import org.bouncycastle.bcpg.SignatureSubpacketTags;
 import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
 
 /**
- * Utility class that helps dealing with BCs SignatureSubpacketGenerator class.
+ * Utility class that helps to deal with BCs SignatureSubpacketGenerator class.
  */
 public final class SignatureSubpacketGeneratorUtil {
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 53ea375e..b73ddde7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -158,7 +158,7 @@ public final class SignatureSubpacketsUtil {
     }
 
     /**
-     * Return the signatures expiration time as a date.
+     * Return the signatures' expiration time as a date.
      * The expiration date is computed by adding the expiration time to the signature creation date.
      * If the signature has no expiration time subpacket, or the expiration time is set to '0', this message returns null.
      *
@@ -211,7 +211,7 @@ public final class SignatureSubpacketsUtil {
      *
      * @param expirationDate new expiration date
      * @param creationDate key creation time
-     * @return life time of the key in seconds
+     * @return lifetime of the key in seconds
      */
     public static long getKeyLifetimeInSeconds(@Nullable Date expirationDate, @Nonnull Date creationDate) {
         long secondsToExpire = 0; // 0 means "no expiration"
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
index 890d4703..8a1b610e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
@@ -47,8 +47,8 @@ public final class DateUtil {
 
     /**
      * "Round" a date down to seconds precision.
-     * @param date
-     * @return
+     * @param date date
+     * @return rounded date
      */
     public static Date toSecondsPrecision(Date date) {
         long seconds = date.getTime() / 1000;
diff --git a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java
index 4b76cb8f..a9b20e9e 100644
--- a/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java
+++ b/pgpainless-core/src/test/java/investigations/OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionTest.java
@@ -26,7 +26,7 @@ public class OnePassSignatureVerificationWithPartialLengthLiteralDataRegressionT
      * PGPainless versions 0.2.10 - 0.2.18 fail to decrypt this message, due to it failing to parse the signatures trailing
      * the literal data. The cause for this was not draining the literal data first before trying to parse the sigs.
      * This is likely caused by the literal data using a partial length encoding scheme, so the PGPObjectFactory did not yet
-     * reach the signatures packet.
+     * reach the signatures packets.
      *
      * As a fix, PGPainless now only tries to parse signatures from after the literal data packet, once the literal data
      * stream gets closed.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
index 2bb20eb1..4a2a99f5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
@@ -212,7 +212,7 @@ public class CleartextSignatureVerificationTest {
     @Test
     public void getDecoderStreamMistakensPlaintextForBase64RegressionTest()
             throws PGPException, IOException {
-        String message = "Foo\nBar"; // PGPUtil.getDecoderStream() would mistaken this for base64 data
+        String message = "Foo\nBar"; // PGPUtil.getDecoderStream() would have mistaken this for base64 data
         ByteArrayInputStream msgIn = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));
 
         PGPSecretKeyRing secretKey = TestKeys.getEmilSecretKeyRing();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java
index f1211e9d..1e743fa1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/GenerateKeys.java
@@ -83,7 +83,7 @@ public class GenerateKeys {
     }
 
     /**
-     * This example demonstrates how to generate a simple OpenPGP key consisting of a 4096 bit RSA key.
+     * This example demonstrates how to generate a simple OpenPGP key consisting of a 4096-bit RSA key.
      * The RSA key is used for both signing and certifying, as well as encryption.
      *
      * This method is recommended if the application has to deal with legacy clients with poor algorithm support.
@@ -107,7 +107,7 @@ public class GenerateKeys {
 
     /**
      * This example demonstrates how to generate a simple OpenPGP key based on elliptic curves.
-     * The key consists of an ECDSA primary key that is used both for certification of subkeys, as well as signing of data,
+     * The key consists of an ECDSA primary key that is used both for certification of subkeys, and signing of data,
      * and a single ECDH encryption subkey.
      *
      * This method is recommended if small keys and high performance are desired.
@@ -141,7 +141,7 @@ public class GenerateKeys {
      * {@link KeySpec} objects can best be obtained by using the {@link KeySpec#getBuilder(KeyType, KeyFlag, KeyFlag...)}
      * method and providing a {@link KeyType}.
      * There are a bunch of factory methods for different {@link KeyType} implementations present in {@link KeyType} itself
-     * (such as {@link KeyType#ECDH(EllipticCurve)}. {@link KeyFlag KeyFlags} determine
+     * (such as {@link KeyType#ECDH(EllipticCurve)}). {@link KeyFlag KeyFlags} determine
      * the use of the key, like encryption, signing data or certifying subkeys.
      *
      * If you so desire, you can now specify your own algorithm preferences.
@@ -155,7 +155,7 @@ public class GenerateKeys {
      * make sure that the primary key spec has the {@link KeyFlag} {@link KeyFlag#CERTIFY_OTHER} set, as this is a requirement
      * for primary keys.
      *
-     * Furthermore you have to set at least the primary user-id via
+     * Furthermore, you have to set at least the primary user-id via
      * {@link org.pgpainless.key.generation.KeyRingBuilder#addUserId(String)},
      * but you can also add additional user-ids.
      *
@@ -187,11 +187,11 @@ public class GenerateKeys {
                 .addSubkey(KeySpec.getBuilder(
                                 // We choose an ECDH key over the brainpoolp256r1 curve
                                 KeyType.ECDH(EllipticCurve._BRAINPOOLP256R1),
-                                // Our key can encrypt both communication data, as well as data at rest
+                                // Our key can encrypt both communication data, and data at rest
                                 KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS
                         )
                         // Optionally: Configure the subkey with custom algorithm preferences
-                        //  Is is recommended though to go with PGPainless' defaults which can be found in the
+                        //  It is recommended though to go with PGPainless' defaults which can be found in the
                         //  AlgorithmSuite class.
                         .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128)
                         .overridePreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256)
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
index c762feca..fa2759dc 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
@@ -26,7 +26,7 @@ import org.pgpainless.util.NotationRegistry;
  * Note, that PGPainless distinguishes between hash algorithms used in revocation and non-revocation signatures,
  * and has different policies for those.
  *
- * Furthermore PGPainless has policies for symmetric encryption algorithms (both for encrypting and decrypting),
+ * Furthermore, PGPainless has policies for symmetric encryption algorithms (both for encrypting and decrypting),
  * for public key algorithms and key lengths, as well as compression algorithms.
  *
  * The following examples show how these policies can be modified.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
index c9d16f65..a0785993 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
@@ -154,7 +154,7 @@ public class ModifyKeys {
      * Prerequisites are a {@link SecretKeyRingProtector} that is capable of unlocking the primary key of the existing key,
      * and a {@link Passphrase} for the new subkey.
      *
-     * There are two way to add a subkey into an existing key;
+     * There are two ways to add a subkey into an existing key;
      * Either the subkey gets generated on the fly (see below),
      * or the subkey already exists. In the latter case, the user has to provide
      * {@link org.bouncycastle.openpgp.PGPSignatureSubpacketVector PGPSignatureSubpacketVectors} for the binding signature
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
index 507b6723..9e1c35ba 100644
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
+++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
@@ -115,7 +115,7 @@ public class DecryptCmdTest {
         verify(decrypt, times(1)).verifyNotBefore(DateParser.BEGINNING_OF_TIME);
         verify(decrypt, times(1)).verifyNotAfter(
                 ArgumentMatchers.argThat(argument -> {
-                    // allow 1 second difference
+                    // allow 1-second difference
                     return Math.abs(now.getTime() - argument.getTime()) <= 1000;
                 }));
     }
@@ -131,7 +131,7 @@ public class DecryptCmdTest {
     public void assertVerifyNotAfterAndBeforeNowResultsInMinTimeRange() throws SOPGPException.UnsupportedOption {
         Date now = new Date();
         ArgumentMatcher isMaxOneSecOff = argument -> {
-            // Allow less than 1 second difference
+            // Allow less than 1-second difference
             return Math.abs(now.getTime() - argument.getTime()) <= 1000;
         };
 
diff --git a/sop-java/src/main/java/sop/ReadyWithResult.java b/sop-java/src/main/java/sop/ReadyWithResult.java
index 753d41d1..9feeddae 100644
--- a/sop-java/src/main/java/sop/ReadyWithResult.java
+++ b/sop-java/src/main/java/sop/ReadyWithResult.java
@@ -13,7 +13,7 @@ import sop.exception.SOPGPException;
 public abstract class ReadyWithResult {
 
     /**
-     * Write the data eg. decrypted plaintext to the provided output stream and return the result of the
+     * Write the data e.g. decrypted plaintext to the provided output stream and return the result of the
      * processing operation.
      *
      * @param outputStream output stream
diff --git a/sop-java/src/main/java/sop/Verification.java b/sop-java/src/main/java/sop/Verification.java
index e8a07555..2047c3d4 100644
--- a/sop-java/src/main/java/sop/Verification.java
+++ b/sop-java/src/main/java/sop/Verification.java
@@ -21,7 +21,7 @@ public class Verification {
     }
 
     /**
-     * Return the signatures creation time.
+     * Return the signatures' creation time.
      *
      * @return signature creation time
      */

From 760905540477745b603ecf158e90abe87838c493 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 28 Dec 2021 13:59:34 +0100
Subject: [PATCH 0246/1450] PGPainless 1.0.0

---
 CHANGELOG.md   | 4 ++++
 README.md      | 2 +-
 version.gradle | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2937a90c..386b1a20 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.0.0
+- Introduce `DateUtil.toSecondsPrecision()`
+- Clean JUnit tests, fix code style issues and fix typos in documentation
+
 ## 1.0.0-rc9
 - When key has both direct-key sig + primary user-id sig: resolve expiration date to the earliest expiration
 - Add `SecretKeyRingEditor.removeUserId()` convenience methods that do soft-revoke the user-id.
diff --git a/README.md b/README.md
index 6687caa3..2a59ffc2 100644
--- a/README.md
+++ b/README.md
@@ -178,7 +178,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.0-rc7'
+	implementation 'org.pgpainless:pgpainless-core:1.0.0'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index 016f35f5..cf20b587 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.0-rc10'
-        isSnapshot = true
+        shortVersion = '1.0.0'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From e177dafd60382cd3e2695dab3b3fcff2e0cefcc4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 28 Dec 2021 14:07:27 +0100
Subject: [PATCH 0247/1450] PGPainless-1.0.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index cf20b587..0f1f88dc 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.0'
-        isSnapshot = false
+        shortVersion = '1.0.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From b58bdf8ff15d50d26bb552afdd65e54d3f260114 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 00:59:01 +0100
Subject: [PATCH 0248/1450] Fix KeyAccessor.ViaKeyId sourcing primary user-id
 signature

---
 .../java/org/pgpainless/key/info/KeyAccessor.java | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
index bcdac8b6..6c299580 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
@@ -110,18 +110,13 @@ public abstract class KeyAccessor {
 
         @Override
         public @Nonnull PGPSignature getSignatureWithPreferences() {
-            PGPSignature signature;
-            if (key.getPrimaryKeyId() != key.getSubkeyId()) {
-                signature = info.getCurrentSubkeyBindingSignature(key.getSubkeyId());
-            } else {
+            String primaryUserId = info.getPrimaryUserId();
+            // If the key is located by Key ID, the algorithm of the primary User ID of the key provides the
+            // preferred symmetric algorithm.
+            PGPSignature signature = info.getLatestUserIdCertification(primaryUserId);
+            if (signature == null) {
                 signature = info.getLatestDirectKeySelfSignature();
             }
-
-            if (signature != null) {
-                return signature;
-            }
-
-            signature = info.getLatestUserIdCertification(info.getPrimaryUserId());
             if (signature == null) {
                 throw new IllegalStateException("No valid signature found.");
             }

From d264982388803f4ccf35a5610b73d629e47c6f62 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 01:02:59 +0100
Subject: [PATCH 0249/1450] PGPainless 1.0.1

---
 CHANGELOG.md   | 3 +++
 README.md      | 2 +-
 version.gradle | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 386b1a20..43aa5ddb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.0.1
+- Fix sourcing of preferred algorithms by primary user-id when key is located via key-id
+
 ## 1.0.0
 - Introduce `DateUtil.toSecondsPrecision()`
 - Clean JUnit tests, fix code style issues and fix typos in documentation
diff --git a/README.md b/README.md
index 2a59ffc2..d2c01e3f 100644
--- a/README.md
+++ b/README.md
@@ -178,7 +178,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.0'
+	implementation 'org.pgpainless:pgpainless-core:1.0.1'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index 0f1f88dc..480322d8 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.0.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 1cbeafb3adf9b910ee613658c6100e698f4d57a1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 01:06:18 +0100
Subject: [PATCH 0250/1450] PGPainless-1.0.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 480322d8..7c12e305 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.1'
-        isSnapshot = false
+        shortVersion = '1.0.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 9de196d6c5672ce20bff852005c1a34a992fbf90 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 02:29:39 +0100
Subject: [PATCH 0251/1450] Fix test for algorithm preference extraction

---
 ...ymmetricAlgorithmDuringEncryptionTest.java | 121 ++++++++----------
 1 file changed, 53 insertions(+), 68 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java
index be80c4e2..55564d84 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/RespectPreferredSymmetricAlgorithmDuringEncryptionTest.java
@@ -19,80 +19,41 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest {
 
     @Test
     public void algorithmPreferencesAreRespectedDependingOnEncryptionTarget() throws IOException, PGPException {
-        // Key has [AES128] as preferred symm. algo on latest user-id cert
-        String key = "-----BEGIN PGP ARMORED FILE-----\n" +
-                "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" +
+        // Key has AES256, AES192, AES128 as primary user-ids sym algo prefs,
+        // and AES128 as secondary user-id prefs
+        String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: 7E13 2E9C EAE8 7E7B AD6C  5329 94CE B847 EEFB 044B\n" +
+                "Comment: Bob Babbage \n" +
                 "\n" +
-                "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
-                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
-                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
-                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
-                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
-                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
-                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
-                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
-                "vLIwa3T4CyshfT0AEQEAAc0hQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" +
-                "bGU+wsFTBBMBCgCHBYJgq9xiAgsHCRD7/MgqAV5zMEcUAAAAAAAeACBzYWx0QG5v\n" +
-                "dGF0aW9ucy5zZXF1b2lhLXBncC5vcmdNgMRYEX46LCBpUimr3zIek/oZSVT+EcdR\n" +
-                "Y4Rno2QSzQYVCgkICwIEFgIDAQIXgAIbAwIeARYhBNGmbhojsYLJmA94jPv8yCoB\n" +
-                "XnMwAADsbAv/bpWiiT47IuGxe11aReA2ThLy8jwafKEOrHxiUvyJdG/s7Bn0QtqM\n" +
-                "9G/16QDOWbSiXMD2vJYB7ml7oYlSxDS6oVd1bfGRsRbRr6N/wCTMXBaB4TsYqbcl\n" +
-                "NOznt+RSRIWYKCHJDDEdBvuJmf+Mmi09NVHOupjOt51WiVWmm5GpVUl5789yBvN8\n" +
-                "iei7I85KB/bXV0CfUgw9jx8BwAANPri+l4Br5fKMoheguHBm8BLPzWCfvCxZORq5\n" +
-                "Nd9wLhEe+/7M2Y8AGzfn88XgGUXNOh7y8ZSD9AjK14UQilUg8IrYm7oJik29bVyh\n" +
-                "UyY7sAJB5B7TxjE374krsOkl+lXe6bWDguJhrjIR0S0OWXmFpt06uDIOuI+f6ach\n" +
-                "m0kbUELUiQOQ+4i17mph11WiQczT2iS7preLpI5cjQd1cIQczOjxDaRvNPvtxYne\n" +
-                "ijUCkQzPwGAAcuXRe94wW3VtimwswLM5wmhzCgjv7uZMvEg6lHpVRWrJA6oXj6f1\n" +
-                "MnufQ5Li2/zMwsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE\n" +
-                "0aZuGiOxgsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6h\n" +
-                "G8Od9xTzXxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOh\n" +
-                "Q5Esm6DOZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad\n" +
-                "75BrZ+3g9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42b\n" +
-                "g8lpmdXFDcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQ\n" +
-                "NZ5Jix7cZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEP\n" +
-                "c0fHp5G16rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+eg\n" +
-                "LjsIbPJZZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiAC\n" +
-                "szNU+RRozAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGzsDNBF2l\n" +
-                "nPIBDADWML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamX\n" +
-                "nn9sSXvIDEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMX\n" +
-                "SO4uImA+Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6\n" +
-                "rrd5y2AObaifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA\n" +
-                "0YwIMgIT86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/\n" +
-                "wGlQ01rh827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+pa\n" +
-                "LNDdVPL6vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV\n" +
-                "8rUnR76UqVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwz\n" +
-                "j8sxH48AEQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzy\n" +
-                "AhsMAAoJEPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+4\n" +
-                "1IL4rVcSKhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZ\n" +
-                "QanYmtSxcVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zp\n" +
-                "f3u0k14itcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn\n" +
-                "3OWjCPHVdTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK\n" +
-                "2b0vk/+wqMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFA\n" +
-                "ExaEK6VyjP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWi\n" +
-                "f9RSK4xjzRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj\n" +
-                "5KjhX2PVNEJd3XZRzaXZE2aAMQ==\n" +
-                "=d5ke\n" +
-                "-----END PGP ARMORED FILE-----\n";
+                "mDMEYeIhnhYJKwYBBAHaRw8BAQdAfs9SkOSEyAQmvwLwwUPCp3Qiw2t4rm+e7n8t\n" +
+                "oVjAmle0IUJvYiBCYWJiYWdlIDxib2JAb3BlbnBncC5leGFtcGxlPoiPBBMWCgBB\n" +
+                "BQJh4iGeCZCUzrhH7vsESxahBH4TLpzq6H57rWxTKZTOuEfu+wRLAp4BApsBBZYC\n" +
+                "AwEABIsJCAcFlQoJCAsCmQEAAKK/AP4lCifuXpZIUR4PrenGBZFtoZpB5s1i/YrB\n" +
+                "cnCuodQX9wEAyENhlXNYopWdgBZ9g4E1Y0cJfpwCwWhx0DeATmrSzAO0H0JvYmJ5\n" +
+                "MTI4IDxib2JieUBhZXMxMjguZXhhbXBsZT6IigQTFgoAPAUCYeIhngmQlM64R+77\n" +
+                "BEsWoQR+Ey6c6uh+e61sUymUzrhH7vsESwKeAQKbAQWWAgMBAAKLBwWVCgkICwAA\n" +
+                "y0wBAIhAEpQgJRizHitPx3WUpIYbKq3R5jAO34NnlmTzNVj6AP9aWHPsW5r7HuQh\n" +
+                "xJz+8zdCOuAxKv6tvHthSWJ64VWDDrg4BGHiIZ4SCisGAQQBl1UBBQEBB0CEIv13\n" +
+                "/qTXR0wiUG5DVZCWh/KLKrF5TemUfYXA/kBTOAMBCAeIdQQYFgoAHQUCYeIhngKe\n" +
+                "AQKbDAWWAgMBAASLCQgHBZUKCQgLAAoJEJTOuEfu+wRLwC4A/0/VDPPDE6kT/8C3\n" +
+                "9d8ekZkQE38o2nC58E62AjM5O2x6AQDMd0gcoKIxPi9uRi3nVsNS233a3MxFEjpe\n" +
+                "qqgyBnqxBLgzBGHiIZ4WCSsGAQQB2kcPAQEHQP7IGdT9moutwtys4A/ndkWJVWn/\n" +
+                "zkoOn3cSad1bP8y8iNUEGBYKAH0FAmHiIZ4CngECmwIFlgIDAQAEiwkIBwWVCgkI\n" +
+                "C18gBBkWCgAGBQJh4iGeAAoJENcuZc0+RPVgrucBAI+IzpplBIpySOIyzHJdjeFt\n" +
+                "ikwTBOY3OTriY2Z62Ec6AQDhVxO7LZuH3mTCklj4HelfMrhlqUlnYr7qCIjzI5BY\n" +
+                "BwAKCRCUzrhH7vsES4snAP4qzlEbaHpN7ZPomCOHD7J2+CHlyTtsRP45XWVCqNH1\n" +
+                "jAEAmzz5Lu67k97AzArpoGHgYh492w5BfdApV8BCaTW4AgI=\n" +
+                "=XwJQ\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\n";
 
         PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
 
-        // Encrypt to the user-id
-        // PGPainless should extract algorithm preferences from the latest user-id sig in this case (AES-128)
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out)
-                .withOptions(
-                        ProducerOptions.encrypt(new EncryptionOptions()
-                                .addRecipient(publicKeys, "Bob Babbage ")
-                        ));
-
-        encryptionStream.close();
-        assertEquals(SymmetricKeyAlgorithm.AES_128, encryptionStream.getResult().getEncryptionAlgorithm());
-
 
         // Encrypt without specifying user-id
-        // PGPainless should now inspect the subkey binding sig for algorithm preferences (AES256, AES192, AES128)
-        out = new ByteArrayOutputStream();
-        encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out)
+        // PGPainless now inspects the primary user-ids signature to get sym alg prefs (AES256, AES192, AES128)
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out)
                 .withOptions(
                         ProducerOptions.encrypt(new EncryptionOptions()
                                 .addRecipient(publicKeys) // no user-id passed
@@ -100,5 +61,29 @@ public class RespectPreferredSymmetricAlgorithmDuringEncryptionTest {
 
         encryptionStream.close();
         assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionStream.getResult().getEncryptionAlgorithm());
+
+        // Encrypt to the primary user-id
+        // PGPainless should extract algorithm preferences from the latest user-id sig in this case (AES-256, AES-192, AES-128)
+        out = new ByteArrayOutputStream();
+        encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out)
+                .withOptions(
+                        ProducerOptions.encrypt(new EncryptionOptions()
+                                .addRecipient(publicKeys, "Bob Babbage ")
+                        ));
+
+        encryptionStream.close();
+        assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionStream.getResult().getEncryptionAlgorithm());
+
+        // Encrypt to the secondary user-id
+        // PGPainless extracts algorithm preferences from secondary user-id sig, in this case AES-128
+        out = new ByteArrayOutputStream();
+        encryptionStream = PGPainless.encryptAndOrSign().onOutputStream(out)
+                .withOptions(
+                        ProducerOptions.encrypt(new EncryptionOptions()
+                                .addRecipient(publicKeys, "Bobby128 ")
+                        ));
+
+        encryptionStream.close();
+        assertEquals(SymmetricKeyAlgorithm.AES_128, encryptionStream.getResult().getEncryptionAlgorithm());
     }
 }

From e7f583c1af3da277db2099191714de19bb27aedf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 02:43:59 +0100
Subject: [PATCH 0252/1450] Fix KeyRingInfo.get*Algorithm(keyId)

---
 .../org/pgpainless/key/info/KeyAccessor.java  | 22 +++++++++++++++++++
 .../org/pgpainless/key/info/KeyRingInfo.java  | 11 +++++-----
 .../pgpainless/key/info/KeyRingInfoTest.java  | 12 +++++-----
 3 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
index 6c299580..5fa71d46 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
@@ -123,4 +123,26 @@ public abstract class KeyAccessor {
             return signature;
         }
     }
+
+    public static class SubKey extends KeyAccessor {
+
+        public SubKey(KeyRingInfo info, SubkeyIdentifier key) {
+            super(info, key);
+        }
+
+        @Override
+        public @Nonnull PGPSignature getSignatureWithPreferences() {
+            PGPSignature signature;
+            if (key.getPrimaryKeyId() == key.getSubkeyId()) {
+                signature = info.getLatestDirectKeySelfSignature();
+                if (signature == null) {
+                    signature = info.getLatestUserIdCertification(info.getPrimaryUserId());
+                }
+            } else {
+                signature = info.getCurrentSubkeyBindingSignature(key.getSubkeyId());
+            }
+
+            return signature;
+        }
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 56737b39..74b72e61 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -975,7 +975,8 @@ public class KeyRingInfo {
     }
 
     public Set getPreferredHashAlgorithms(long keyId) {
-        return getKeyAccessor(null, keyId).getPreferredHashAlgorithms();
+        return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId))
+                .getPreferredHashAlgorithms();
     }
 
     public Set getPreferredSymmetricKeyAlgorithms() {
@@ -987,7 +988,7 @@ public class KeyRingInfo {
     }
 
     public Set getPreferredSymmetricKeyAlgorithms(long keyId) {
-        return getKeyAccessor(null, keyId).getPreferredSymmetricKeyAlgorithms();
+        return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredSymmetricKeyAlgorithms();
     }
 
     public Set getPreferredCompressionAlgorithms() {
@@ -999,15 +1000,15 @@ public class KeyRingInfo {
     }
 
     public Set getPreferredCompressionAlgorithms(long keyId) {
-        return getKeyAccessor(null, keyId).getPreferredCompressionAlgorithms();
+        return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
     }
 
     private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) {
         if (getPublicKey(keyID) == null) {
-            throw new IllegalArgumentException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
+            throw new NoSuchElementException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
         }
         if (userId != null && !getUserIds().contains(userId)) {
-            throw new IllegalArgumentException("No user-id '" + userId + "' found on this key.");
+            throw new NoSuchElementException("No user-id '" + userId + "' found on this key.");
         }
         return userId == null ? new KeyAccessor.ViaKeyId(this, new SubkeyIdentifier(keys, keyID))
                 : new KeyAccessor.ViaUserId(this, new SubkeyIdentifier(keys, keyID), userId);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index 16b338e7..0cb351b7 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -598,9 +598,9 @@ public class KeyRingInfoTest {
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
 
         // Bob is an invalid userId
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob"));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob"));
         // 123 is an invalid keyid
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L));
 
         assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms("Alice"));
         assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(pkid));
@@ -608,9 +608,9 @@ public class KeyRingInfoTest {
         assertEquals(preferredHashAlgorithms, info.getPreferredHashAlgorithms(skid2));
 
         // Bob is an invalid userId
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms("Bob"));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredCompressionAlgorithms("Bob"));
         // 123 is an invalid keyid
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredCompressionAlgorithms(123L));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredCompressionAlgorithms(123L));
 
         assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms("Alice"));
         assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(pkid));
@@ -618,9 +618,9 @@ public class KeyRingInfoTest {
         assertEquals(preferredCompressionAlgorithms, info.getPreferredCompressionAlgorithms(skid2));
 
         // Bob is an invalid userId
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob"));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms("Bob"));
         // 123 is an invalid keyid
-        assertThrows(IllegalArgumentException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L));
+        assertThrows(NoSuchElementException.class, () -> info.getPreferredSymmetricKeyAlgorithms(123L));
 
         assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms("Alice"));
         assertEquals(preferredSymmetricAlgorithms, info.getPreferredSymmetricKeyAlgorithms(pkid));

From d9e3c6ed91503f066c77e54d9c85cf531eec9a7e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 1 Jan 2022 18:11:00 +0100
Subject: [PATCH 0253/1450] Remove investigative test with expired key

---
 .../InvestigateThunderbirdDecryption.java     | 257 ------------------
 1 file changed, 257 deletions(-)
 delete mode 100644 pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java

diff --git a/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java b/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java
deleted file mode 100644
index d96f7f48..00000000
--- a/pgpainless-core/src/test/java/investigations/InvestigateThunderbirdDecryption.java
+++ /dev/null
@@ -1,257 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package investigations;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.Date;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.DocumentSignatureType;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.encryption_signing.EncryptionOptions;
-import org.pgpainless.encryption_signing.EncryptionStream;
-import org.pgpainless.encryption_signing.ProducerOptions;
-import org.pgpainless.encryption_signing.SigningOptions;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.util.ArmorUtils;
-
-public class InvestigateThunderbirdDecryption {
-
-    String OUR_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-            "Version: PGPainless\n" +
-            "Comment: 47D2 3A5E 1455 1FD2 0599  C1FC B57B 5451 9E2D 8FE4\n" +
-            "Comment: Alice \n" +
-            "\n" +
-            "lFgEYP8FlBYJKwYBBAHaRw8BAQdAeJ7fL4TbpSLUJsxGUFnN5MzDZr3lKoKWEO+z\n" +
-            "hQEFPqcAAP0T8ED8kcch++7UpcN7qZMP4ihbE9Fu9kp/IKOCZDVwGhF+tBxBbGlj\n" +
-            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iHgEExYKACAFAmD/BZQCGwEFFgIDAQAE\n" +
-            "CwkIBwUVCgkICwIeAQIZAQAKCRC1e1RRni2P5PYqAQC/r4R4RFfVIOPAc16PiffO\n" +
-            "GDMzRUYAjIyflvOBIEE//QEAsZGQzIstdIp8gY5CF27pbnnSAA/OGPXbDsNArzPN\n" +
-            "tQicXQRg/wWUEgorBgEEAZdVAQUBAQdAFHEP5NzgON0usvHOsTsROojwVTAqgayc\n" +
-            "fdPdb597u3UDAQgHAAD/ShtbTmAyZJDjcEDfUNblOogyWntCEgb18Cs5rRm1+agP\n" +
-            "mIh1BBgWCgAdBQJg/wWUAhsMBRYCAwEABAsJCAcFFQoJCAsCHgEACgkQtXtUUZ4t\n" +
-            "j+SWdwD/cCXm/ufcaIMMOqRw10Lwefc4euOrpFScWA0rUjnK6yEBAMOH1kGHlLbz\n" +
-            "mk6D7RbBDdC3aW4xGRjSYBkyhbuxevsDnFgEYP8FlBYJKwYBBAHaRw8BAQdAmuvN\n" +
-            "FF+pklSxw3+VVqVu2g2ulpJE7HldtU/Jud/jiEgAAP0RPh7QWqm2hhY6vBNr8fhz\n" +
-            "3GBAfZ4A9HxVymuu1M6qMxEdiNUEGBYKAH0FAmD/BZQCGwIFFgIDAQAECwkIBwUV\n" +
-            "CgkICwIeAV8gBBkWCgAGBQJg/wWUAAoJEIYvdZaRbR0mBesA/2dxyf9vfRnyrNcm\n" +
-            "dguMzYe9oLfD2SU2Sa0jXcURQ+A6AP9uYaehPZvEH0kwdeSi60uCOVznCePrY1mK\n" +
-            "M6UEDMPGBwAKCRC1e1RRni2P5J1FAQDhI3tN5C/klh2j8ptQ7ht0LPlbgVU/WmT8\n" +
-            "kqejd80WVgEA4dg7MZTk+uzwOWEGIHyxWXRzma9a5k1kM+uxX3RflQU=\n" +
-            "=IEzi\n" +
-            "-----END PGP PRIVATE KEY BLOCK-----";
-
-    String THEIR_CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-            "Version: FlowCrypt [BUILD_REPLACEABLE_VERSION] Gmail Encryption\n" +
-            "Comment: Seamlessly send and receive encrypted email\n" +
-            "\n" +
-            "xjMEYL/CRRYJKwYBBAHaRw8BAQdAxaJrnD/gWRGqaAVtQ8R9PI0ZGu/YESJ4\n" +
-            "HsJeeCxUZOvNF0RlbiA8ZGVuQGZsb3djcnlwdC5jb20+wn4EExYKACYFAmC/\n" +
-            "wkUCGwMFFgIDAQAECwkIBwUVCgkICwIeAQIZAQWJAQ/XOQAKCRCGwF2G4DXc\n" +
-            "cttHAP9Axna+jmFhZEajILW7BZ8UJpgz7mCC48RMtRj/pre4nQD/bKJXB+sD\n" +
-            "zti+tRbi7KNncgkSQeau+Vy/ZnpBUUHBWwjOOARgv8JFEgorBgEEAZdVAQUB\n" +
-            "AQdA3dN8Hh18Pqd6OevXWl36y7cM58ZRmUVEEZukXRIholYDAQgHwnUEGBYK\n" +
-            "AB0FAmC/wkUCGwwFFgIDAQAECwkIBwUVCgkICwIeAQAKCRCGwF2G4DXcclpK\n" +
-            "AQC0uUHWUFNao1Fl85+4c8WecGKsGCihNU9H3q+I1gz22gEAtVo1dWnc0t1f\n" +
-            "h1MUYq5FmME+KeFCBZZ9lrMAxRhvigI=\n" +
-            "=+XVJ\n" +
-            "-----END PGP PUBLIC KEY BLOCK-----\n";
-
-    @Test
-    public void generateMessage() throws PGPException, IOException {
-        // CHECKSTYLE:OFF
-        System.out.println("Decryption Key");
-        System.out.println(OUR_KEY);
-        // CHECKSTYLE:ON
-
-        PGPSecretKeyRing ourKey = PGPainless.readKeyRing().secretKeyRing(OUR_KEY);
-        PGPPublicKeyRing ourCert = PGPainless.extractCertificate(ourKey);
-        PGPPublicKeyRing theirCert = PGPainless.readKeyRing().publicKeyRing(THEIR_CERT);
-
-        // CHECKSTYLE:OFF
-        System.out.println("Certificate:");
-        System.out.println(ArmorUtils.toAsciiArmoredString(ourCert));
-
-        System.out.println("Crypt-Only:");
-        // CHECKSTYLE:ON
-        ProducerOptions producerOptions = ProducerOptions
-                .encrypt(new EncryptionOptions().addRecipient(ourCert).addRecipient(theirCert))
-                .setFileName("msg.txt")
-                .setModificationDate(new Date());
-
-        generateMessage(producerOptions);
-
-        // CHECKSTYLE:OFF
-        System.out.println("Sign-Crypt:");
-        // CHECKSTYLE:ON
-
-        producerOptions = ProducerOptions
-                .signAndEncrypt(new EncryptionOptions().addRecipient(ourCert).addRecipient(theirCert),
-                        new SigningOptions().addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), ourKey, DocumentSignatureType.BINARY_DOCUMENT))
-                .setFileName("msg.txt")
-                .setModificationDate(new Date());
-
-        generateMessage(producerOptions);
-    }
-
-    private void generateMessage(ProducerOptions producerOptions) throws PGPException, IOException {
-        String data = "Hello World\n";
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
-                .withOptions(producerOptions);
-
-        Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), encryptionStream);
-        encryptionStream.close();
-
-        // CHECKSTYLE:OFF
-        System.out.println(out);
-        // CHECKSTYLE:ON
-    }
-
-    @Test
-    public void testWithSuspiciousKey() throws PGPException, IOException {
-        String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-                "Comment: 4409 A346 1359 96C9 4595  510E 5A18 53D1 5656 CB7A\n" +
-                "Comment: Alice (Created with pgpkeygen.com) 
Date: Tue, 4 Jan 2022 17:20:38 +0100
Subject: [PATCH 0254/1450] Hex decode data in OpenPgpV4Fingerprint constructor

---
 .../src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java  | 2 +-
 .../signature/subpackets/SignatureSubpacketsUtil.java           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java
index b5b3d4a7..2605eb0c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV4Fingerprint.java
@@ -72,7 +72,7 @@ public class OpenPgpV4Fingerprint extends OpenPgpFingerprint {
     }
 
     public OpenPgpV4Fingerprint(@Nonnull byte[] bytes) {
-        super(bytes);
+        super(Hex.encode(bytes));
     }
 
     public OpenPgpV4Fingerprint(@Nonnull PGPPublicKey key) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index b73ddde7..960d5256 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -89,7 +89,7 @@ public final class SignatureSubpacketsUtil {
 
         OpenPgpFingerprint fingerprint = null;
         if (subpacket.getKeyVersion() == 4) {
-            fingerprint = new OpenPgpV4Fingerprint(Hex.encode(subpacket.getFingerprint()));
+            fingerprint = new OpenPgpV4Fingerprint(subpacket.getFingerprint());
         }
 
         return fingerprint;

From 1447dfc6427ffcb842c7a0634a4f71b99d07f2ad Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 4 Jan 2022 17:21:16 +0100
Subject: [PATCH 0255/1450] Add SignatureUtils.wasIssuedBy

---
 .../org/pgpainless/signature/SignatureUtils.java  | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 96429da1..420efc26 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -33,6 +33,7 @@ import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.util.OpenPgpKeyAttributeUtil;
 import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
@@ -310,4 +311,18 @@ public final class SignatureUtils {
         }
         return list;
     }
+
+    public static boolean wasIssuedBy(byte[] fingerprint, PGPSignature signature) {
+        if (fingerprint.length != 20) {
+            // Unknown fingerprint length
+            return false;
+        }
+        OpenPgpV4Fingerprint fp = new OpenPgpV4Fingerprint(fingerprint);
+        OpenPgpFingerprint issuerFp = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
+        if (issuerFp == null) {
+            return fp.getKeyId() == signature.getKeyID();
+        }
+
+        return fp.equals(issuerFp);
+    }
 }

From 5884c4afcd38c080097e7393921f5c0c78cf3c8a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 4 Jan 2022 17:22:02 +0100
Subject: [PATCH 0256/1450] ArmorUtils: Add method to print single public keys

---
 .../java/org/pgpainless/util/ArmorUtils.java  | 31 ++++++++++++++-----
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 38527997..9d73635e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -18,8 +18,10 @@ import java.util.regex.Pattern;
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPUtil;
@@ -43,13 +45,23 @@ public final class ArmorUtils {
 
     }
 
+    public static String toAsciiArmoredString(PGPSecretKey secretKey) throws IOException {
+        MultiMap header = keyToHeader(secretKey.getPublicKey());
+        return toAsciiArmoredString(secretKey.getEncoded(), header);
+    }
+
+    public static String toAsciiArmoredString(PGPPublicKey publicKey) throws IOException {
+        MultiMap header = keyToHeader(publicKey);
+        return toAsciiArmoredString(publicKey.getEncoded(), header);
+    }
+
     public static String toAsciiArmoredString(PGPSecretKeyRing secretKeys) throws IOException {
-        MultiMap header = keyToHeader(secretKeys);
+        MultiMap header = keysToHeader(secretKeys);
         return toAsciiArmoredString(secretKeys.getEncoded(), header);
     }
 
     public static String toAsciiArmoredString(PGPPublicKeyRing publicKeys) throws IOException {
-        MultiMap header = keyToHeader(publicKeys);
+        MultiMap header = keysToHeader(publicKeys);
         return toAsciiArmoredString(publicKeys.getEncoded(), header);
     }
 
@@ -66,7 +78,7 @@ public final class ArmorUtils {
     }
 
     public static ArmoredOutputStream toAsciiArmoredStream(PGPKeyRing keyRing, OutputStream outputStream) {
-        MultiMap header = keyToHeader(keyRing);
+        MultiMap header = keysToHeader(keyRing);
         return toAsciiArmoredStream(outputStream, header);
     }
 
@@ -94,10 +106,10 @@ public final class ArmorUtils {
         return sb.toString();
     }
 
-    private static MultiMap keyToHeader(PGPKeyRing keyRing) {
+    private static MultiMap keyToHeader(PGPPublicKey publicKey) {
         MultiMap header = new MultiMap<>();
-        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(keyRing);
-        Iterator userIds = keyRing.getPublicKey().getUserIDs();
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
+        Iterator userIds = publicKey.getUserIDs();
 
         header.put(HEADER_COMMENT, fingerprint.prettyPrint());
         if (userIds.hasNext()) {
@@ -106,6 +118,11 @@ public final class ArmorUtils {
         return header;
     }
 
+    private static MultiMap keysToHeader(PGPKeyRing keyRing) {
+        PGPPublicKey publicKey = keyRing.getPublicKey();
+        return keyToHeader(publicKey);
+    }
+
     public static String toAsciiArmoredString(byte[] bytes) throws IOException {
         return toAsciiArmoredString(bytes, null);
     }
@@ -147,7 +164,7 @@ public final class ArmorUtils {
 
     public static ArmoredOutputStream createArmoredOutputStreamFor(PGPKeyRing keyRing, OutputStream outputStream) {
         ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(outputStream);
-        MultiMap headerMap = keyToHeader(keyRing);
+        MultiMap headerMap = keysToHeader(keyRing);
         for (String header : headerMap.keySet()) {
             for (String value : headerMap.get(header)) {
                 armor.addHeader(header, value);

From 88e3c61b206f325c31e1fbb54b0d204497e90c60 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 4 Jan 2022 17:22:45 +0100
Subject: [PATCH 0257/1450] RevocationSignatureBuilder: Allow for generation of
 external revocation signatures

---
 .../signature/builder/RevocationSignatureBuilder.java         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
index ebae151d..e2e9c0c0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
@@ -52,8 +52,8 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder
Date: Tue, 4 Jan 2022 17:23:13 +0100
Subject: [PATCH 0258/1450] Workaround for BC not correctly parsing
 RevocationKey packets

---
 .../subpackets/SignatureSubpacketsUtil.java         | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 960d5256..986fcb7c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -10,7 +10,6 @@ import java.util.Date;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
-
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
@@ -37,7 +36,6 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
-import org.bouncycastle.util.encoders.Hex;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.Feature;
 import org.pgpainless.algorithm.HashAlgorithm;
@@ -581,7 +579,16 @@ public final class SignatureSubpacketsUtil {
         if (allPackets.length == 0) {
             return null;
         }
-        return (P) allPackets[allPackets.length - 1]; // return last
+
+        org.bouncycastle.bcpg.SignatureSubpacket last = allPackets[allPackets.length - 1];
+
+        if (type == SignatureSubpacket.revocationKey) {
+            // RevocationKey subpackets are not castable for some reason
+            // We need to manually construct the new object
+            return (P) new RevocationKey(last.isCritical(), last.isLongLength(), last.getData());
+        }
+
+        return (P) last;
     }
 
     /**

From 5e0ca369bfb905183cc5e2612a581d891f98f1ed Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 4 Jan 2022 17:53:37 +0100
Subject: [PATCH 0259/1450] Document workaround for
 https://github.com/bcgit/bc-java/pull/1085

---
 .../signature/subpackets/SignatureSubpacketsUtil.java         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 986fcb7c..396311c6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -584,7 +584,9 @@ public final class SignatureSubpacketsUtil {
 
         if (type == SignatureSubpacket.revocationKey) {
             // RevocationKey subpackets are not castable for some reason
-            // We need to manually construct the new object
+            // See https://github.com/bcgit/bc-java/pull/1085 for an upstreamed fix
+            // We need to manually construct the new object for now.
+            // TODO: Remove workaround when BC 1.71 is released (and has our fix)
             return (P) new RevocationKey(last.isCritical(), last.isLongLength(), last.getData());
         }
 

From 1cb49f4b121b9f411d3e5d80557c6c590cf574e6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 7 Jan 2022 14:28:36 +0100
Subject: [PATCH 0260/1450] Update SOP implementation to the latest spec
 version

See https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03
---
 .../cli/commands/SignVerifyTest.java          | 17 +++-
 .../java/org/pgpainless/sop/DecryptImpl.java  |  4 -
 .../java/org/pgpainless/sop/EncryptImpl.java  |  4 +-
 .../org/pgpainless/sop/ExtractCertImpl.java   | 33 +++++---
 .../java/org/pgpainless/sop/SignImpl.java     | 38 ++++++---
 .../java/org/pgpainless/sop/VersionImpl.java  | 17 ++++
 .../sop/EncryptDecryptRoundTripTest.java      | 14 +---
 .../java/org/pgpainless/sop/SignTest.java     | 22 ++---
 .../java/org/pgpainless/sop/VersionTest.java  | 33 +++++++-
 .../sop/cli/picocli/commands/EncryptCmd.java  |  4 +-
 .../sop/cli/picocli/commands/SignCmd.java     | 28 +++++--
 .../cli/picocli/commands/EncryptCmdTest.java  | 14 ++--
 .../sop/cli/picocli/commands/SignCmdTest.java | 13 +--
 sop-java/src/main/java/sop/MicAlg.java        | 55 +++++++++++++
 .../java/sop/exception/SOPGPException.java    | 80 +++++++++++++++++--
 .../src/main/java/sop/operation/Decrypt.java  | 16 ++--
 .../src/main/java/sop/operation/Encrypt.java  |  4 +-
 .../main/java/sop/operation/ExtractCert.java  | 12 +--
 .../src/main/java/sop/operation/Sign.java     | 15 ++--
 .../src/main/java/sop/operation/Verify.java   |  8 +-
 .../src/main/java/sop/operation/Version.java  | 29 ++++++-
 21 files changed, 348 insertions(+), 112 deletions(-)
 create mode 100644 sop-java/src/main/java/sop/MicAlg.java

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
index 4c31f7ca..525e3e1d 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
@@ -5,13 +5,16 @@
 package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
+import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -77,6 +80,9 @@ public class SignVerifyTest {
         Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), dataOut);
         dataOut.close();
 
+        // Define micalg output file
+        File micalgOut = new File(tempDir, "micalg");
+
         // Sign test data
         FileInputStream dataIn = new FileInputStream(dataFile);
         System.setIn(dataIn);
@@ -84,7 +90,7 @@ public class SignVerifyTest {
         assertTrue(sigFile.createNewFile());
         FileOutputStream sigOut = new FileOutputStream(sigFile);
         System.setOut(new PrintStream(sigOut));
-        PGPainlessCLI.execute("sign", "--armor", aliceKeyFile.getAbsolutePath());
+        PGPainlessCLI.execute("sign", "--armor", "--micalg-out", micalgOut.getAbsolutePath(), aliceKeyFile.getAbsolutePath());
         sigOut.close();
 
         // verify test data signature
@@ -105,6 +111,15 @@ public class SignVerifyTest {
         assertEquals(signingKeyFingerprint.toString(), split[1].trim());
         assertEquals(primaryKeyFingerprint.toString(), split[2].trim());
 
+        // Test micalg output
+        assertTrue(micalgOut.exists());
+        FileReader fileReader = new FileReader(micalgOut);
+        BufferedReader bufferedReader = new BufferedReader(fileReader);
+        String line = bufferedReader.readLine();
+        assertNull(bufferedReader.readLine());
+        bufferedReader.close();
+        assertEquals("pgp-sha512", line);
+
         System.setIn(originalIn);
     }
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 606f8673..bef260c4 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -100,10 +100,6 @@ public class DecryptImpl implements Decrypt {
             PGPSecretKeyRingCollection secretKeys = PGPainless.readKeyRing()
                     .secretKeyRingCollection(keyIn);
 
-            if (secretKeys.size() != 1) {
-                throw new SOPGPException.BadData(new AssertionError("Exactly one single secret key expected. Got " + secretKeys.size()));
-            }
-
             for (PGPSecretKeyRing secretKey : secretKeys) {
                 KeyRingInfo info = new KeyRingInfo(secretKey);
                 if (!info.isFullyDecrypted()) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index b869d6ba..bb0af660 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -49,7 +49,7 @@ public class EncryptImpl implements Encrypt {
     }
 
     @Override
-    public Encrypt signWith(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.CertCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
+    public Encrypt signWith(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
             if (keys.size() != 1) {
@@ -62,7 +62,7 @@ public class EncryptImpl implements Encrypt {
             try {
                 signingOptions.addInlineSignatures(SecretKeyRingProtector.unprotectedKeys(), keys, DocumentSignatureType.BINARY_DOCUMENT);
             } catch (IllegalArgumentException e) {
-                throw new SOPGPException.CertCannotSign();
+                throw new SOPGPException.KeyCannotSign();
             } catch (WrongPassphraseException e) {
                 throw new SOPGPException.KeyIsProtected();
             }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
index d22c71c3..6c3c825f 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
@@ -7,16 +7,18 @@ package org.pgpainless.sop;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.pgpainless.PGPainless;
-import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.util.ArmorUtils;
-import sop.operation.ExtractCert;
 import sop.Ready;
 import sop.exception.SOPGPException;
+import sop.operation.ExtractCert;
 
 public class ExtractCertImpl implements ExtractCert {
 
@@ -30,21 +32,34 @@ public class ExtractCertImpl implements ExtractCert {
 
     @Override
     public Ready key(InputStream keyInputStream) throws IOException, SOPGPException.BadData {
-        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(keyInputStream);
-        if (key == null) {
+        PGPSecretKeyRingCollection keys;
+        try {
+            keys = PGPainless.readKeyRing().secretKeyRingCollection(keyInputStream);
+        } catch (PGPException e) {
+            throw new IOException("Cannot read keys.", e);
+        }
+
+        if (keys == null || keys.size() == 0) {
             throw new SOPGPException.BadData(new PGPException("No key data found."));
         }
 
-        PGPPublicKeyRing cert = KeyRingUtils.publicKeyRingFrom(key);
+        List certs = new ArrayList<>();
+        for (PGPSecretKeyRing key : keys) {
+            PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
+            certs.add(cert);
+        }
 
         return new Ready() {
             @Override
             public void writeTo(OutputStream outputStream) throws IOException {
-                OutputStream out = armor ? ArmorUtils.createArmoredOutputStreamFor(cert, outputStream) : outputStream;
-                cert.encode(out);
 
-                if (armor) {
-                    out.close();
+                for (PGPPublicKeyRing cert : certs) {
+                    OutputStream out = armor ? ArmorUtils.createArmoredOutputStreamFor(cert, outputStream) : outputStream;
+                    cert.encode(out);
+
+                    if (armor) {
+                        out.close();
+                    }
                 }
             }
         };
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
index 22b6ed32..068903d7 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
@@ -26,7 +26,8 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
-import sop.Ready;
+import sop.MicAlg;
+import sop.ReadyWithResult;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 import sop.operation.Sign;
@@ -53,16 +54,14 @@ public class SignImpl implements Sign {
     public Sign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
-            if (keys.size() != 1) {
-                throw new SOPGPException.BadData(new AssertionError("Exactly one secret key at a time expected. Got " + keys.size()));
-            }
 
-            PGPSecretKeyRing key = keys.iterator().next();
-            KeyRingInfo info = new KeyRingInfo(key);
-            if (!info.isFullyDecrypted()) {
-                throw new SOPGPException.KeyIsProtected();
+            for (PGPSecretKeyRing key : keys) {
+                KeyRingInfo info = new KeyRingInfo(key);
+                if (!info.isFullyDecrypted()) {
+                    throw new SOPGPException.KeyIsProtected();
+                }
+                signingOptions.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key, modeToSigType(mode));
             }
-            signingOptions.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key, modeToSigType(mode));
         } catch (PGPException e) {
             throw new SOPGPException.BadData(e);
         }
@@ -70,7 +69,7 @@ public class SignImpl implements Sign {
     }
 
     @Override
-    public Ready data(InputStream data) throws IOException {
+    public ReadyWithResult data(InputStream data) throws IOException {
         ByteArrayOutputStream buffer = new ByteArrayOutputStream();
         try {
             EncryptionStream signingStream = PGPainless.encryptAndOrSign()
@@ -78,9 +77,9 @@ public class SignImpl implements Sign {
                     .withOptions(ProducerOptions.sign(signingOptions)
                             .setAsciiArmor(armor));
 
-            return new Ready() {
+            return new ReadyWithResult() {
                 @Override
-                public void writeTo(OutputStream outputStream) throws IOException {
+                public MicAlg writeTo(OutputStream outputStream) throws IOException {
 
                     if (signingStream.isClosed()) {
                         throw new IllegalStateException("EncryptionStream is already closed.");
@@ -106,6 +105,8 @@ public class SignImpl implements Sign {
                     }
                     out.close();
                     outputStream.close(); // armor out does not close underlying stream
+
+                    return micAlgFromSignatures(signatures);
                 }
             };
 
@@ -115,6 +116,19 @@ public class SignImpl implements Sign {
 
     }
 
+    private MicAlg micAlgFromSignatures(Iterable signatures) {
+        int algorithmId = 0;
+        for (PGPSignature signature : signatures) {
+            int sigAlg = signature.getHashAlgorithm();
+            if (algorithmId == 0 || algorithmId == sigAlg) {
+                algorithmId = sigAlg;
+            } else {
+                return MicAlg.empty();
+            }
+        }
+        return algorithmId == 0 ? MicAlg.empty() : MicAlg.fromHashAlgorithmId(algorithmId);
+    }
+
     private static DocumentSignatureType modeToSigType(SignAs mode) {
         return mode == SignAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT
                 : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index b08b2466..41fbd838 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -8,6 +8,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
 
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import sop.operation.Version;
 
 public class VersionImpl implements Version {
@@ -33,4 +34,20 @@ public class VersionImpl implements Version {
         }
         return version;
     }
+
+    @Override
+    public String getBackendVersion() {
+        double bcVersion = new BouncyCastleProvider().getVersion();
+        return String.format("Bouncycastle %,.2f", bcVersion);
+    }
+
+    @Override
+    public String getExtendedVersion() {
+        return getName() + " " + getVersion() + "\n" +
+                "Based on PGPainless " + getVersion() + "\n" +
+                "Using " + getBackendVersion() + "\n" +
+                "See https://pgpainless.org\n" +
+                "Implementing Stateless OpenPGP Protocol Version 3\n" +
+                "See https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03";
+    }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 807c9dd3..d0699ae7 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -51,7 +51,7 @@ public class EncryptDecryptRoundTripTest {
     }
 
     @Test
-    public void basicRoundTripWithKey() throws IOException, SOPGPException.CertCannotSign {
+    public void basicRoundTripWithKey() throws IOException, SOPGPException.KeyCannotSign {
         byte[] encrypted = sop.encrypt()
                 .signWith(aliceKey)
                 .withCert(aliceCert)
@@ -74,7 +74,7 @@ public class EncryptDecryptRoundTripTest {
     }
 
     @Test
-    public void basicRoundTripWithoutArmorUsingKey() throws IOException, SOPGPException.CertCannotSign {
+    public void basicRoundTripWithoutArmorUsingKey() throws IOException, SOPGPException.KeyCannotSign {
         byte[] aliceKeyNoArmor = sop.generateKey()
                 .userId("Alice ")
                 .noArmor()
@@ -189,16 +189,6 @@ public class EncryptDecryptRoundTripTest {
                 .toByteArrayAndResult());
     }
 
-    @Test
-    public void decrypt_withKeyWithMultipleKeysFails() {
-        byte[] keys = new byte[aliceKey.length + bobKey.length];
-        System.arraycopy(aliceKey, 0, keys, 0 , aliceKey.length);
-        System.arraycopy(bobKey, 0, keys, aliceKey.length, bobKey.length);
-
-        assertThrows(SOPGPException.BadData.class, () -> sop.decrypt()
-                .withKey(keys));
-    }
-
     @Test
     public void decrypt_withKeyWithPasswordProtectionFails() {
         String passwordProtectedKey = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
index 3167618c..4736002f 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
@@ -13,13 +13,11 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -56,7 +54,7 @@ public class SignTest {
         byte[] signature = sop.sign()
                 .key(key)
                 .data(data)
-                .getBytes();
+                .toByteArrayAndResult().getBytes();
 
         assertTrue(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----"));
 
@@ -76,7 +74,7 @@ public class SignTest {
                 .key(key)
                 .noArmor()
                 .data(data)
-                .getBytes();
+                .toByteArrayAndResult().getBytes();
 
         assertFalse(new String(signature).startsWith("-----BEGIN PGP SIGNATURE-----"));
 
@@ -95,7 +93,7 @@ public class SignTest {
         byte[] signature = sop.sign()
                 .key(key)
                 .data(data)
-                .getBytes();
+                .toByteArrayAndResult().getBytes();
 
         assertThrows(SOPGPException.NoSignature.class, () -> sop.verify()
                 .cert(cert)
@@ -109,7 +107,7 @@ public class SignTest {
         byte[] signature = sop.sign()
                 .key(key)
                 .data(data)
-                .getBytes();
+                .toByteArrayAndResult().getBytes();
 
         assertThrows(SOPGPException.NoSignature.class, () -> sop.verify()
                 .cert(cert)
@@ -124,22 +122,12 @@ public class SignTest {
                 .mode(SignAs.Text)
                 .key(key)
                 .data(data)
-                .getBytes();
+                .toByteArrayAndResult().getBytes();
 
         PGPSignature sig = SignatureUtils.readSignatures(signature).get(0);
         assertEquals(SignatureType.CANONICAL_TEXT_DOCUMENT.getCode(), sig.getSignatureType());
     }
 
-    @Test
-    public void rejectKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
-        PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob", null);
-        PGPSecretKeyRingCollection collection = new PGPSecretKeyRingCollection(Arrays.asList(key1, key2));
-        byte[] keys = collection.getEncoded();
-
-        assertThrows(SOPGPException.BadData.class, () -> sop.sign().key(keys));
-    }
-
     @Test
     public void rejectEncryptedKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing key = PGPainless.generateKeyRing()
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
index 712df550..c9739471 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
@@ -5,19 +5,48 @@
 package org.pgpainless.sop;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import sop.SOP;
 
 public class VersionTest {
 
+    private static SOP sop;
+
+    @BeforeAll
+    public static void setup() {
+        sop = new SOPImpl();
+    }
+
     @Test
     public void testGetVersion() {
-        assertNotNull(new SOPImpl().version().getVersion());
+        String version = sop.version().getVersion();
+        assertNotNull(version);
+        assertFalse(version.isEmpty());
     }
 
     @Test
     public void assertNameEqualsPGPainless() {
-        assertEquals("PGPainless-SOP", new SOPImpl().version().getName());
+        assertEquals("PGPainless-SOP", sop.version().getName());
+    }
+
+    @Test
+    public void testGetBackendVersion() {
+        String backendVersion = sop.version().getBackendVersion();
+        assertNotNull(backendVersion);
+        assertFalse(backendVersion.isEmpty());
+    }
+
+    @Test
+    public void testGetExtendedVersion() {
+        String extendedVersion = sop.version().getExtendedVersion();
+        assertNotNull(extendedVersion);
+        assertFalse(extendedVersion.isEmpty());
+
+        String firstLine = extendedVersion.split("\n")[0];
+        assertEquals(sop.version().getName() + " " + sop.version().getVersion(), firstLine);
     }
 }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
index d1ee253c..2ccf0477 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
@@ -82,8 +82,8 @@ public class EncryptCmd implements Runnable {
                 throw new SOPGPException.KeyIsProtected("Key from " + keyFile.getAbsolutePath() + " is password protected.", keyIsProtected);
             } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
                 throw new SOPGPException.UnsupportedAsymmetricAlgo("Key from " + keyFile.getAbsolutePath() + " has unsupported asymmetric algorithm.", unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.CertCannotSign certCannotSign) {
-                throw new RuntimeException("Key from " + keyFile.getAbsolutePath() + " cannot sign.", certCannotSign);
+            } catch (SOPGPException.KeyCannotSign keyCannotSign) {
+                throw new SOPGPException.KeyCannotSign("Key from " + keyFile.getAbsolutePath() + " cannot sign.", keyCannotSign);
             } catch (SOPGPException.BadData badData) {
                 throw new SOPGPException.BadData("Key file " + keyFile.getAbsolutePath() + " does not contain a valid OpenPGP private key.", badData);
             }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
index 961869ce..735e9664 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
@@ -7,12 +7,14 @@ package sop.cli.picocli.commands;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
 import picocli.CommandLine;
-import sop.Ready;
+import sop.MicAlg;
+import sop.ReadyWithResult;
 import sop.cli.picocli.Print;
 import sop.cli.picocli.SopCLI;
 import sop.enums.SignAs;
@@ -34,9 +36,13 @@ public class SignCmd implements Runnable {
     SignAs type;
 
     @CommandLine.Parameters(description = "Secret keys used for signing",
-            paramLabel = "KEY")
+            paramLabel = "KEYS")
     List secretKeyFile = new ArrayList<>();
 
+    @CommandLine.Option(names = "--micalg-out", description = "Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content-Type (RFC3156)",
+            paramLabel = "MICALG")
+    File micAlgOut;
+
     @Override
     public void run() {
         Sign sign = SopCLI.getSop().sign();
@@ -51,8 +57,12 @@ public class SignCmd implements Runnable {
             }
         }
 
+        if (micAlgOut != null && micAlgOut.exists()) {
+            throw new SOPGPException.OutputExists(String.format("Target %s of option %s already exists.", micAlgOut.getAbsolutePath(), "--micalg-out"));
+        }
+
         if (secretKeyFile.isEmpty()) {
-            Print.errln("Missing required parameter 'KEY'.");
+            Print.errln("Missing required parameter 'KEYS'.");
             System.exit(19);
         }
 
@@ -83,8 +93,16 @@ public class SignCmd implements Runnable {
         }
 
         try {
-            Ready ready = sign.data(System.in);
-            ready.writeTo(System.out);
+            ReadyWithResult ready = sign.data(System.in);
+            MicAlg micAlg = ready.writeTo(System.out);
+
+            if (micAlgOut != null) {
+                // Write micalg out
+                micAlgOut.createNewFile();
+                FileOutputStream micAlgOutStream = new FileOutputStream(micAlgOut);
+                micAlg.writeTo(micAlgOutStream);
+                micAlgOutStream.close();
+            }
         } catch (IOException e) {
             Print.errln("IO Error.");
             Print.trace(e);
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
index cfa8a3f6..91f0a1e7 100644
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
+++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
@@ -91,7 +91,7 @@ public class EncryptCmdTest {
     }
 
     @Test
-    public void signWith_multipleTimesGetPassedDown() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData {
+    public void signWith_multipleTimesGetPassedDown() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData {
         File keyFile1 = File.createTempFile("sign-with-1-", ".asc");
         File keyFile2 = File.createTempFile("sign-with-2-", ".asc");
 
@@ -107,7 +107,7 @@ public class EncryptCmdTest {
 
     @Test
     @ExpectSystemExitWithStatus(67)
-    public void signWith_keyIsProtectedCausesExit67() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException {
+    public void signWith_keyIsProtectedCausesExit67() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
         when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected());
         File keyFile = File.createTempFile("sign-with", ".asc");
         SopCLI.main(new String[] {"encrypt", "--sign-with", keyFile.getAbsolutePath(), "--with-password", "starship"});
@@ -115,23 +115,23 @@ public class EncryptCmdTest {
 
     @Test
     @ExpectSystemExitWithStatus(13)
-    public void signWith_unsupportedAsymmetricAlgoCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException {
+    public void signWith_unsupportedAsymmetricAlgoCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
         when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception()));
         File keyFile = File.createTempFile("sign-with", ".asc");
         SopCLI.main(new String[] {"encrypt", "--with-password", "123456", "--sign-with", keyFile.getAbsolutePath()});
     }
 
     @Test
-    @ExpectSystemExitWithStatus(1)
-    public void signWith_certCannotSignCausesExit1() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData {
-        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.CertCannotSign());
+    @ExpectSystemExitWithStatus(79)
+    public void signWith_certCannotSignCausesExit1() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData {
+        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.KeyCannotSign());
         File keyFile = File.createTempFile("sign-with", ".asc");
         SopCLI.main(new String[] {"encrypt", "--with-password", "dragon", "--sign-with", keyFile.getAbsolutePath()});
     }
 
     @Test
     @ExpectSystemExitWithStatus(41)
-    public void signWith_badDataCausesExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotSign, SOPGPException.BadData, IOException {
+    public void signWith_badDataCausesExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
         when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
         File keyFile = File.createTempFile("sign-with", ".asc");
         SopCLI.main(new String[] {"encrypt", "--with-password", "orange", "--sign-with", keyFile.getAbsolutePath()});
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
index 8de61409..c5c6e201 100644
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
+++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
@@ -19,7 +19,8 @@ import java.io.OutputStream;
 import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import sop.Ready;
+import sop.MicAlg;
+import sop.ReadyWithResult;
 import sop.SOP;
 import sop.cli.picocli.SopCLI;
 import sop.exception.SOPGPException;
@@ -33,10 +34,10 @@ public class SignCmdTest {
     @BeforeEach
     public void mockComponents() throws IOException, SOPGPException.ExpectedText {
         sign = mock(Sign.class);
-        when(sign.data((InputStream) any())).thenReturn(new Ready() {
+        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
             @Override
-            public void writeTo(OutputStream outputStream) {
-
+            public MicAlg writeTo(OutputStream outputStream) {
+                return MicAlg.fromHashAlgorithmId(10);
             }
         });
 
@@ -109,9 +110,9 @@ public class SignCmdTest {
     @Test
     @ExpectSystemExitWithStatus(1)
     public void data_ioExceptionCausesExit1() throws IOException, SOPGPException.ExpectedText {
-        when(sign.data((InputStream) any())).thenReturn(new Ready() {
+        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
             @Override
-            public void writeTo(OutputStream outputStream) throws IOException {
+            public MicAlg writeTo(OutputStream outputStream) throws IOException {
                 throw new IOException();
             }
         });
diff --git a/sop-java/src/main/java/sop/MicAlg.java b/sop-java/src/main/java/sop/MicAlg.java
new file mode 100644
index 00000000..5bee7875
--- /dev/null
+++ b/sop-java/src/main/java/sop/MicAlg.java
@@ -0,0 +1,55 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop;
+
+import java.io.OutputStream;
+import java.io.PrintWriter;
+
+public class MicAlg {
+
+    private final String micAlg;
+
+    public MicAlg(String micAlg) {
+        if (micAlg == null) {
+            throw new IllegalArgumentException("MicAlg String cannot be null.");
+        }
+        this.micAlg = micAlg;
+    }
+
+    public static MicAlg empty() {
+        return new MicAlg("");
+    }
+
+    public static MicAlg fromHashAlgorithmId(int id) {
+        switch (id) {
+            case 1:
+                return new MicAlg("pgp-md5");
+            case 2:
+                return new MicAlg("pgp-sha1");
+            case 3:
+                return new MicAlg("pgp-ripemd160");
+            case 8:
+                return new MicAlg("pgp-sha256");
+            case 9:
+                return new MicAlg("pgp-sha384");
+            case 10:
+                return new MicAlg("pgp-sha512");
+            case 11:
+                return new MicAlg("pgp-sha224");
+            default:
+                throw new IllegalArgumentException("Unsupported hash algorithm ID: " + id);
+        }
+    }
+
+    public String getMicAlg() {
+        return micAlg;
+    }
+
+    public void writeTo(OutputStream outputStream) {
+        PrintWriter pw = new PrintWriter(outputStream);
+        pw.write(getMicAlg());
+        pw.close();
+    }
+}
diff --git a/sop-java/src/main/java/sop/exception/SOPGPException.java b/sop-java/src/main/java/sop/exception/SOPGPException.java
index a8c98c9c..dfd09540 100644
--- a/sop-java/src/main/java/sop/exception/SOPGPException.java
+++ b/sop-java/src/main/java/sop/exception/SOPGPException.java
@@ -24,6 +24,9 @@ public abstract class SOPGPException extends RuntimeException {
 
     public abstract int getExitCode();
 
+    /**
+     * No acceptable signatures found (sop verify).
+     */
     public static class NoSignature extends SOPGPException {
 
         public static final int EXIT_CODE = 3;
@@ -38,6 +41,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Asymmetric algorithm unsupported (sop encrypt).
+     */
     public static class UnsupportedAsymmetricAlgo extends SOPGPException {
 
         public static final int EXIT_CODE = 13;
@@ -56,6 +62,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Certificate not encryption capable (e,g, expired, revoked, unacceptable usage).
+     */
     public static class CertCannotEncrypt extends SOPGPException {
         public static final int EXIT_CODE = 17;
 
@@ -69,10 +78,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
-    public static class CertCannotSign extends Exception {
-
-    }
-
+    /**
+     * Missing required argument.
+     */
     public static class MissingArg extends SOPGPException {
 
         public static final int EXIT_CODE = 19;
@@ -87,6 +95,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Incomplete verification instructions (sop decrypt).
+     */
     public static class IncompleteVerification extends SOPGPException {
 
         public static final int EXIT_CODE = 23;
@@ -101,6 +112,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Unable to decrypt (sop decrypt).
+     */
     public static class CannotDecrypt extends SOPGPException {
 
         public static final int EXIT_CODE = 29;
@@ -111,6 +125,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Non-UTF-8 or otherwise unreliable password (sop encrypt).
+     */
     public static class PasswordNotHumanReadable extends SOPGPException {
 
         public static final int EXIT_CODE = 31;
@@ -121,6 +138,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Unsupported option.
+     */
     public static class UnsupportedOption extends SOPGPException {
 
         public static final int EXIT_CODE = 37;
@@ -139,6 +159,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Invalid data type (no secret key where KEYS expected, etc.).
+     */
     public static class BadData extends SOPGPException {
 
         public static final int EXIT_CODE = 41;
@@ -157,6 +180,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Non-Text input where text expected.
+     */
     public static class ExpectedText extends SOPGPException {
 
         public static final int EXIT_CODE = 53;
@@ -167,6 +193,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Output file already exists.
+     */
     public static class OutputExists extends SOPGPException {
 
         public static final int EXIT_CODE = 59;
@@ -181,6 +210,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Input file does not exist.
+     */
     public static class MissingInput extends SOPGPException {
 
         public static final int EXIT_CODE = 61;
@@ -195,6 +227,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * A KEYS input is protected (locked) with a password, and sop cannot unlock it.
+     */
     public static class KeyIsProtected extends SOPGPException {
 
         public static final int EXIT_CODE = 67;
@@ -213,6 +248,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * Unsupported subcommand.
+     */
     public static class UnsupportedSubcommand extends SOPGPException {
 
         public static final int EXIT_CODE = 69;
@@ -227,6 +265,9 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
+    /**
+     * An indirect parameter is a special designator (it starts with @), but sop does not know how to handle the prefix.
+     */
     public static class UnsupportedSpecialPrefix extends SOPGPException {
 
         public static final int EXIT_CODE = 71;
@@ -237,7 +278,10 @@ public abstract class SOPGPException extends RuntimeException {
         }
     }
 
-
+    /**
+     * A indirect input parameter is a special designator (it starts with @),
+     * and a filename matching the designator is actually present.
+     */
     public static class AmbiguousInput extends SOPGPException {
 
         public static final int EXIT_CODE = 73;
@@ -251,4 +295,30 @@ public abstract class SOPGPException extends RuntimeException {
             return EXIT_CODE;
         }
     }
+
+    /**
+     * Key not signature-capable (e.g. expired, revoked, unacceptable usage flags)
+     * (sop sign and sop encrypt with --sign-with).
+     */
+    public static class KeyCannotSign extends SOPGPException {
+
+        public static final int EXIT_CODE = 79;
+
+        public KeyCannotSign() {
+            super();
+        }
+
+        public KeyCannotSign(String message) {
+            super(message);
+        }
+
+        public KeyCannotSign(String s, KeyCannotSign keyCannotSign) {
+            super(s, keyCannotSign);
+        }
+
+        @Override
+        public int getExitCode() {
+            return EXIT_CODE;
+        }
+    }
 }
diff --git a/sop-java/src/main/java/sop/operation/Decrypt.java b/sop-java/src/main/java/sop/operation/Decrypt.java
index 4cbd6f35..0811ac2d 100644
--- a/sop-java/src/main/java/sop/operation/Decrypt.java
+++ b/sop-java/src/main/java/sop/operation/Decrypt.java
@@ -35,9 +35,9 @@ public interface Decrypt {
             throws SOPGPException.UnsupportedOption;
 
     /**
-     * Adds the verification cert.
+     * Adds one or more verification cert.
      *
-     * @param cert input stream containing the cert
+     * @param cert input stream containing the cert(s)
      * @return builder instance
      */
     Decrypt verifyWithCert(InputStream cert)
@@ -45,9 +45,9 @@ public interface Decrypt {
             IOException;
 
     /**
-     * Adds the verification cert.
+     * Adds one or more verification cert.
      *
-     * @param cert byte array containing the cert
+     * @param cert byte array containing the cert(s)
      * @return builder instance
      */
     default Decrypt verifyWithCert(byte[] cert)
@@ -75,9 +75,9 @@ public interface Decrypt {
             SOPGPException.UnsupportedOption;
 
     /**
-     * Adds the decryption key.
+     * Adds one or more decryption key.
      *
-     * @param key input stream containing the key
+     * @param key input stream containing the key(s)
      * @return builder instance
      */
     Decrypt withKey(InputStream key)
@@ -86,9 +86,9 @@ public interface Decrypt {
             SOPGPException.UnsupportedAsymmetricAlgo;
 
     /**
-     * Adds the decryption key.
+     * Adds one or more decryption key.
      *
-     * @param key byte array containing the key
+     * @param key byte array containing the key(s)
      * @return builder instance
      */
     default Decrypt withKey(byte[] key)
diff --git a/sop-java/src/main/java/sop/operation/Encrypt.java b/sop-java/src/main/java/sop/operation/Encrypt.java
index b5a92b25..784c07a0 100644
--- a/sop-java/src/main/java/sop/operation/Encrypt.java
+++ b/sop-java/src/main/java/sop/operation/Encrypt.java
@@ -38,7 +38,7 @@ public interface Encrypt {
      */
     Encrypt signWith(InputStream key)
             throws SOPGPException.KeyIsProtected,
-            SOPGPException.CertCannotSign,
+            SOPGPException.KeyCannotSign,
             SOPGPException.UnsupportedAsymmetricAlgo,
             SOPGPException.BadData;
 
@@ -50,7 +50,7 @@ public interface Encrypt {
      */
     default Encrypt signWith(byte[] key)
             throws SOPGPException.KeyIsProtected,
-            SOPGPException.CertCannotSign,
+            SOPGPException.KeyCannotSign,
             SOPGPException.UnsupportedAsymmetricAlgo,
             SOPGPException.BadData {
         return signWith(new ByteArrayInputStream(key));
diff --git a/sop-java/src/main/java/sop/operation/ExtractCert.java b/sop-java/src/main/java/sop/operation/ExtractCert.java
index 7a0de5c6..32491111 100644
--- a/sop-java/src/main/java/sop/operation/ExtractCert.java
+++ b/sop-java/src/main/java/sop/operation/ExtractCert.java
@@ -21,18 +21,18 @@ public interface ExtractCert {
     ExtractCert noArmor();
 
     /**
-     * Extract the cert from the provided key.
+     * Extract the cert(s) from the provided key(s).
      *
-     * @param keyInputStream input stream containing the encoding of an OpenPGP key
-     * @return result containing the encoding of the keys cert
+     * @param keyInputStream input stream containing the encoding of one or more OpenPGP keys
+     * @return result containing the encoding of the keys certs
      */
     Ready key(InputStream keyInputStream) throws IOException, SOPGPException.BadData;
 
     /**
-     * Extract the cert from the provided key.
+     * Extract the cert(s) from the provided key(s).
      *
-     * @param key byte array containing the encoding of an OpenPGP key
-     * @return result containing the encoding of the keys cert
+     * @param key byte array containing the encoding of one or more OpenPGP key
+     * @return result containing the encoding of the keys certs
      */
     default Ready key(byte[] key) throws IOException, SOPGPException.BadData {
         return key(new ByteArrayInputStream(key));
diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java
index 9b9c3a6f..75f4e5a8 100644
--- a/sop-java/src/main/java/sop/operation/Sign.java
+++ b/sop-java/src/main/java/sop/operation/Sign.java
@@ -8,7 +8,8 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
-import sop.Ready;
+import sop.MicAlg;
+import sop.ReadyWithResult;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 
@@ -31,17 +32,17 @@ public interface Sign {
     Sign mode(SignAs mode) throws SOPGPException.UnsupportedOption;
 
     /**
-     * Adds the signer key.
+     * Add one or more signing keys.
      *
-     * @param key input stream containing encoded key
+     * @param key input stream containing encoded keys
      * @return builder instance
      */
     Sign key(InputStream key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException;
 
     /**
-     * Adds the signer key.
+     * Add one or more signing keys.
      *
-     * @param key byte array containing encoded key
+     * @param key byte array containing encoded keys
      * @return builder instance
      */
     default Sign key(byte[] key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
@@ -54,7 +55,7 @@ public interface Sign {
      * @param data input stream containing data
      * @return ready
      */
-    Ready data(InputStream data) throws IOException, SOPGPException.ExpectedText;
+    ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText;
 
     /**
      * Signs data.
@@ -62,7 +63,7 @@ public interface Sign {
      * @param data byte array containing data
      * @return ready
      */
-    default Ready data(byte[] data) throws IOException, SOPGPException.ExpectedText {
+    default ReadyWithResult data(byte[] data) throws IOException, SOPGPException.ExpectedText {
         return data(new ByteArrayInputStream(data));
     }
 }
diff --git a/sop-java/src/main/java/sop/operation/Verify.java b/sop-java/src/main/java/sop/operation/Verify.java
index 30905de2..1bf9fe09 100644
--- a/sop-java/src/main/java/sop/operation/Verify.java
+++ b/sop-java/src/main/java/sop/operation/Verify.java
@@ -29,17 +29,17 @@ public interface Verify extends VerifySignatures {
     Verify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption;
 
     /**
-     * Adds the verification cert.
+     * Add one or more verification cert.
      *
-     * @param cert input stream containing the encoded cert
+     * @param cert input stream containing the encoded certs
      * @return builder instance
      */
     Verify cert(InputStream cert) throws SOPGPException.BadData;
 
     /**
-     * Adds the verification cert.
+     * Add one or more verification cert.
      *
-     * @param cert byte array containing the encoded cert
+     * @param cert byte array containing the encoded certs
      * @return builder instance
      */
     default Verify cert(byte[] cert) throws SOPGPException.BadData {
diff --git a/sop-java/src/main/java/sop/operation/Version.java b/sop-java/src/main/java/sop/operation/Version.java
index ab32099a..0b50993f 100644
--- a/sop-java/src/main/java/sop/operation/Version.java
+++ b/sop-java/src/main/java/sop/operation/Version.java
@@ -8,15 +8,42 @@ public interface Version {
 
     /**
      * Return the implementations name.
+     * e.g. "SOP",
      *
      * @return implementation name
      */
     String getName();
 
     /**
-     * Return the implementations version string.
+     * Return the implementations short version string.
+     * e.g. "1.0"
      *
      * @return version string
      */
     String getVersion();
+
+    /**
+     * Return version information about the used OpenPGP backend.
+     * e.g. "Bouncycastle 1.70"
+     *
+     * @return backend version string
+     */
+    String getBackendVersion();
+
+    /**
+     * Return an extended version string containing multiple lines of version information.
+     * The first line MUST match the information produced by {@link #getName()} and {@link #getVersion()}, but the rest of the text
+     * has no defined structure.
+     * Example:
+     * 
+     *     "SOP 1.0
+     *     Awesome PGP!
+     *     Using Bouncycastle 1.70
+     *     LibFoo 1.2.2
+     *     See https://pgp.example.org/sop/ for more information"
+     * 

+     *
+     * @return extended version string
+     */
+    String getExtendedVersion();
 }

From 987c328ad889b034ed13851fa57cdca869d4905c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 8 Jan 2022 01:07:45 +0100
Subject: [PATCH 0261/1450] Add MicAlgTest

---
 .../src/test/java/sop/util/MicAlgTest.java    | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 sop-java/src/test/java/sop/util/MicAlgTest.java

diff --git a/sop-java/src/test/java/sop/util/MicAlgTest.java b/sop-java/src/test/java/sop/util/MicAlgTest.java
new file mode 100644
index 00000000..f720c85b
--- /dev/null
+++ b/sop-java/src/test/java/sop/util/MicAlgTest.java
@@ -0,0 +1,53 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.util;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+import sop.MicAlg;
+
+public class MicAlgTest {
+
+    @Test
+    public void constructorNullArgThrows() {
+        assertThrows(IllegalArgumentException.class, () -> new MicAlg(null));
+    }
+
+    @Test
+    public void emptyMicAlgIsEmptyString() {
+        MicAlg empty = MicAlg.empty();
+        assertNotNull(empty.getMicAlg());
+        assertTrue(empty.getMicAlg().isEmpty());
+    }
+
+    @Test
+    public void fromInvalidAlgorithmIdThrows() {
+        assertThrows(IllegalArgumentException.class, () -> MicAlg.fromHashAlgorithmId(-1));
+    }
+
+    @Test
+    public void fromHashAlgorithmIdsKnownAlgsMatch() {
+        Map knownAlgorithmMicalgs = new HashMap<>();
+        knownAlgorithmMicalgs.put(1, "pgp-md5");
+        knownAlgorithmMicalgs.put(2, "pgp-sha1");
+        knownAlgorithmMicalgs.put(3, "pgp-ripemd160");
+        knownAlgorithmMicalgs.put(8, "pgp-sha256");
+        knownAlgorithmMicalgs.put(9, "pgp-sha384");
+        knownAlgorithmMicalgs.put(10, "pgp-sha512");
+        knownAlgorithmMicalgs.put(11, "pgp-sha224");
+
+        for (Integer id : knownAlgorithmMicalgs.keySet()) {
+            MicAlg micAlg = MicAlg.fromHashAlgorithmId(id);
+            assertEquals(knownAlgorithmMicalgs.get(id), micAlg.getMicAlg());
+        }
+    }
+}

From f2d88d8a86c7d94aaf80a2a26a48684ad5a4d508 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 8 Jan 2022 17:28:19 +0100
Subject: [PATCH 0262/1450] Introduce SigningResult class to allow for
 additional signing information to be returned

---
 .../java/org/pgpainless/sop/SignImpl.java     | 11 ++--
 .../sop/cli/picocli/commands/SignCmd.java     |  6 ++-
 .../sop/cli/picocli/commands/SignCmdTest.java | 12 ++---
 sop-java/src/main/java/sop/SigningResult.java | 50 +++++++++++++++++++
 .../src/main/java/sop/operation/Sign.java     |  6 +--
 5 files changed, 70 insertions(+), 15 deletions(-)
 create mode 100644 sop-java/src/main/java/sop/SigningResult.java

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
index 068903d7..b3d18043 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
@@ -28,6 +28,7 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.MicAlg;
 import sop.ReadyWithResult;
+import sop.SigningResult;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 import sop.operation.Sign;
@@ -69,7 +70,7 @@ public class SignImpl implements Sign {
     }
 
     @Override
-    public ReadyWithResult data(InputStream data) throws IOException {
+    public ReadyWithResult data(InputStream data) throws IOException {
         ByteArrayOutputStream buffer = new ByteArrayOutputStream();
         try {
             EncryptionStream signingStream = PGPainless.encryptAndOrSign()
@@ -77,9 +78,9 @@ public class SignImpl implements Sign {
                     .withOptions(ProducerOptions.sign(signingOptions)
                             .setAsciiArmor(armor));
 
-            return new ReadyWithResult() {
+            return new ReadyWithResult() {
                 @Override
-                public MicAlg writeTo(OutputStream outputStream) throws IOException {
+                public SigningResult writeTo(OutputStream outputStream) throws IOException {
 
                     if (signingStream.isClosed()) {
                         throw new IllegalStateException("EncryptionStream is already closed.");
@@ -106,7 +107,9 @@ public class SignImpl implements Sign {
                     out.close();
                     outputStream.close(); // armor out does not close underlying stream
 
-                    return micAlgFromSignatures(signatures);
+                    return SigningResult.builder()
+                            .setMicAlg(micAlgFromSignatures(signatures))
+                            .build();
                 }
             };
 
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
index 735e9664..250679fd 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
@@ -15,6 +15,7 @@ import java.util.List;
 import picocli.CommandLine;
 import sop.MicAlg;
 import sop.ReadyWithResult;
+import sop.SigningResult;
 import sop.cli.picocli.Print;
 import sop.cli.picocli.SopCLI;
 import sop.enums.SignAs;
@@ -93,9 +94,10 @@ public class SignCmd implements Runnable {
         }
 
         try {
-            ReadyWithResult ready = sign.data(System.in);
-            MicAlg micAlg = ready.writeTo(System.out);
+            ReadyWithResult ready = sign.data(System.in);
+            SigningResult result = ready.writeTo(System.out);
 
+            MicAlg micAlg = result.getMicAlg();
             if (micAlgOut != null) {
                 // Write micalg out
                 micAlgOut.createNewFile();
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
index c5c6e201..ce0ce54a 100644
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
+++ b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
@@ -19,9 +19,9 @@ import java.io.OutputStream;
 import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import sop.MicAlg;
 import sop.ReadyWithResult;
 import sop.SOP;
+import sop.SigningResult;
 import sop.cli.picocli.SopCLI;
 import sop.exception.SOPGPException;
 import sop.operation.Sign;
@@ -34,10 +34,10 @@ public class SignCmdTest {
     @BeforeEach
     public void mockComponents() throws IOException, SOPGPException.ExpectedText {
         sign = mock(Sign.class);
-        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
+        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
             @Override
-            public MicAlg writeTo(OutputStream outputStream) {
-                return MicAlg.fromHashAlgorithmId(10);
+            public SigningResult writeTo(OutputStream outputStream) {
+                return SigningResult.builder().build();
             }
         });
 
@@ -110,9 +110,9 @@ public class SignCmdTest {
     @Test
     @ExpectSystemExitWithStatus(1)
     public void data_ioExceptionCausesExit1() throws IOException, SOPGPException.ExpectedText {
-        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
+        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
             @Override
-            public MicAlg writeTo(OutputStream outputStream) throws IOException {
+            public SigningResult writeTo(OutputStream outputStream) throws IOException {
                 throw new IOException();
             }
         });
diff --git a/sop-java/src/main/java/sop/SigningResult.java b/sop-java/src/main/java/sop/SigningResult.java
new file mode 100644
index 00000000..2cb142dc
--- /dev/null
+++ b/sop-java/src/main/java/sop/SigningResult.java
@@ -0,0 +1,50 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop;
+
+/**
+ * This class contains various information about a signed message.
+ */
+public final class SigningResult {
+
+    private final MicAlg micAlg;
+
+    private SigningResult(MicAlg micAlg) {
+        this.micAlg = micAlg;
+    }
+
+    /**
+     * Return a string identifying the digest mechanism used to create the signed message.
+     * This is useful for setting the micalg= parameter for the multipart/signed
+     * content type of a PGP/MIME object as described in section 5 of [RFC3156].
+     *
+     * If more than one signature was generated and different digest mechanisms were used,
+     * the value of the micalg object is an empty string.
+     *
+     * @return micalg
+     */
+    public MicAlg getMicAlg() {
+        return micAlg;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private MicAlg micAlg;
+
+        public Builder setMicAlg(MicAlg micAlg) {
+            this.micAlg = micAlg;
+            return this;
+        }
+
+        public SigningResult build() {
+            SigningResult signingResult = new SigningResult(micAlg);
+            return signingResult;
+        }
+    }
+}
diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java
index 75f4e5a8..be518cde 100644
--- a/sop-java/src/main/java/sop/operation/Sign.java
+++ b/sop-java/src/main/java/sop/operation/Sign.java
@@ -8,8 +8,8 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
-import sop.MicAlg;
 import sop.ReadyWithResult;
+import sop.SigningResult;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 
@@ -55,7 +55,7 @@ public interface Sign {
      * @param data input stream containing data
      * @return ready
      */
-    ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText;
+    ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText;
 
     /**
      * Signs data.
@@ -63,7 +63,7 @@ public interface Sign {
      * @param data byte array containing data
      * @return ready
      */
-    default ReadyWithResult data(byte[] data) throws IOException, SOPGPException.ExpectedText {
+    default ReadyWithResult data(byte[] data) throws IOException, SOPGPException.ExpectedText {
         return data(new ByteArrayInputStream(data));
     }
 }

From 1b1a13e7d0eb74abc094465dea50e22911c3a97b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Jan 2022 01:24:56 +0100
Subject: [PATCH 0263/1450] Fix spelling of Bouncy Castle

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java     | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 41fbd838..d1c15455 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -12,6 +12,10 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import sop.operation.Version;
 
 public class VersionImpl implements Version {
+
+    // draft version
+    private static final String SOP_VERSION = "3";
+
     @Override
     public String getName() {
         return "PGPainless-SOP";
@@ -38,7 +42,7 @@ public class VersionImpl implements Version {
     @Override
     public String getBackendVersion() {
         double bcVersion = new BouncyCastleProvider().getVersion();
-        return String.format("Bouncycastle %,.2f", bcVersion);
+        return String.format("Bouncy Castle %,.2f", bcVersion);
     }
 
     @Override
@@ -47,7 +51,7 @@ public class VersionImpl implements Version {
                 "Based on PGPainless " + getVersion() + "\n" +
                 "Using " + getBackendVersion() + "\n" +
                 "See https://pgpainless.org\n" +
-                "Implementing Stateless OpenPGP Protocol Version 3\n" +
+                "Implementation of the Stateless OpenPGP Protocol Version " + SOP_VERSION + "\n" +
                 "See https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03";
     }
 }

From 824b8de40412da3693eef5cb3c4a250523989aec Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Jan 2022 01:25:18 +0100
Subject: [PATCH 0264/1450] Add sessionKey fromString test

---
 sop-java/src/test/java/sop/util/SessionKeyTest.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sop-java/src/test/java/sop/util/SessionKeyTest.java b/sop-java/src/test/java/sop/util/SessionKeyTest.java
index 2d03279d..2891d0d4 100644
--- a/sop-java/src/test/java/sop/util/SessionKeyTest.java
+++ b/sop-java/src/test/java/sop/util/SessionKeyTest.java
@@ -6,6 +6,7 @@ package sop.util;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import org.junit.jupiter.api.Test;
 import sop.SessionKey;
@@ -45,4 +46,16 @@ public class SessionKeyTest {
         assertNotEquals(s1, null);
         assertNotEquals(s1, "FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD");
     }
+
+    @Test
+    public void fromString_missingAlgorithmIdThrows() {
+        String missingAlgorithId = "FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD";
+        assertThrows(IllegalArgumentException.class, () -> SessionKey.fromString(missingAlgorithId));
+    }
+
+    @Test
+    public void fromString_wrongDivider() {
+        String semicolonDivider = "9;FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD";
+        assertThrows(IllegalArgumentException.class, () -> SessionKey.fromString(semicolonDivider));
+    }
 }

From 1c2cbf0e75abd7d8f278bfbefffa7cac951bd2d1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Jan 2022 02:02:04 +0100
Subject: [PATCH 0265/1450] Add SigningResultTest

---
 .../test/java/sop/util/SigningResultTest.java | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 sop-java/src/test/java/sop/util/SigningResultTest.java

diff --git a/sop-java/src/test/java/sop/util/SigningResultTest.java b/sop-java/src/test/java/sop/util/SigningResultTest.java
new file mode 100644
index 00000000..0d35cdc1
--- /dev/null
+++ b/sop-java/src/test/java/sop/util/SigningResultTest.java
@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.util;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+import sop.MicAlg;
+import sop.SigningResult;
+
+public class SigningResultTest {
+
+    @Test
+    public void basicBuilderTest() {
+        SigningResult result = SigningResult.builder()
+                .setMicAlg(MicAlg.fromHashAlgorithmId(10))
+                .build();
+
+        assertEquals("pgp-sha512", result.getMicAlg().getMicAlg());
+    }
+}

From 1aca7112d2a72bb36be50859d2e21bb3b726e741 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Jan 2022 02:04:12 +0100
Subject: [PATCH 0266/1450] SOP commands: Throw UnsupportedSubcommand error
 when sop.command() returns null

---
 .../sop/cli/picocli/commands/ArmorCmd.java    |  4 +
 .../sop/cli/picocli/commands/DearmorCmd.java  |  6 ++
 .../sop/cli/picocli/commands/DecryptCmd.java  |  2 +-
 .../DetachInbandSignatureAndMessageCmd.java   |  6 +-
 .../sop/cli/picocli/commands/EncryptCmd.java  |  4 +
 .../cli/picocli/commands/ExtractCertCmd.java  |  4 +
 .../cli/picocli/commands/GenerateKeyCmd.java  |  4 +
 .../sop/cli/picocli/commands/SignCmd.java     |  3 +
 .../sop/cli/picocli/commands/VerifyCmd.java   |  4 +
 .../sop/cli/picocli/commands/VersionCmd.java  |  4 +
 .../test/java/sop/cli/picocli/SOPTest.java    | 88 +++++++++++++++++++
 .../java/sop/exception/SOPGPException.java    |  8 --
 12 files changed, 127 insertions(+), 10 deletions(-)

diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
index 139cfcdb..a015a688 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
@@ -25,6 +25,10 @@ public class ArmorCmd implements Runnable {
     @Override
     public void run() {
         Armor armor = SopCLI.getSop().armor();
+        if (armor == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'armor' not implemented.");
+        }
+
         if (label != null) {
             try {
                 armor.label(label);
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
index f3c62908..343b1135 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
@@ -10,6 +10,7 @@ import picocli.CommandLine;
 import sop.cli.picocli.Print;
 import sop.cli.picocli.SopCLI;
 import sop.exception.SOPGPException;
+import sop.operation.Dearmor;
 
 @CommandLine.Command(name = "dearmor",
         description = "Remove ASCII Armor from standard input",
@@ -18,6 +19,11 @@ public class DearmorCmd implements Runnable {
 
     @Override
     public void run() {
+        Dearmor dearmor = SopCLI.getSop().dearmor();
+        if (dearmor == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'dearmor' not implemented.");
+        }
+
         try {
             SopCLI.getSop()
                     .dearmor()
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
index 58f49db9..8fc4650b 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
@@ -94,7 +94,7 @@ public class DecryptCmd implements Runnable {
 
         Decrypt decrypt = SopCLI.getSop().decrypt();
         if (decrypt == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Subcommand 'decrypt' not implemented.");
+            throw new SOPGPException.UnsupportedSubcommand("Command 'decrypt' not implemented.");
         }
 
         setNotAfter(notAfter, decrypt);
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
index 77471681..f5c71a2a 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
@@ -32,11 +32,15 @@ public class DetachInbandSignatureAndMessageCmd implements Runnable {
 
     @Override
     public void run() {
+        DetachInbandSignatureAndMessage detach = SopCLI.getSop().detachInbandSignatureAndMessage();
+        if (detach == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'detach-inband-signature-and-message' not implemented.");
+        }
+
         if (signaturesOut == null) {
             throw new SOPGPException.MissingArg("--signatures-out is required.");
         }
 
-        DetachInbandSignatureAndMessage detach = SopCLI.getSop().detachInbandSignatureAndMessage();
         if (!armor) {
             detach.noArmor();
         }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
index 2ccf0477..0634240b 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
@@ -51,6 +51,10 @@ public class EncryptCmd implements Runnable {
     @Override
     public void run() {
         Encrypt encrypt = SopCLI.getSop().encrypt();
+        if (encrypt == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'encrypt' not implemented.");
+        }
+
         if (type != null) {
             try {
                 encrypt.mode(type);
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
index 59656e65..f4559339 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
@@ -25,6 +25,10 @@ public class ExtractCertCmd implements Runnable {
     @Override
     public void run() {
         ExtractCert extractCert = SopCLI.getSop().extractCert();
+        if (extractCert == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'extract-cert' not implemented.");
+        }
+
         if (!armor) {
             extractCert.noArmor();
         }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
index f97fcfa0..28bde279 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
@@ -31,6 +31,10 @@ public class GenerateKeyCmd implements Runnable {
     @Override
     public void run() {
         GenerateKey generateKey = SopCLI.getSop().generateKey();
+        if (generateKey == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'generate-key' not implemented.");
+        }
+
         for (String userId : userId) {
             generateKey.userId(userId);
         }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
index 250679fd..7574923e 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
@@ -47,6 +47,9 @@ public class SignCmd implements Runnable {
     @Override
     public void run() {
         Sign sign = SopCLI.getSop().sign();
+        if (sign == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'sign' not implemented.");
+        }
 
         if (type != null) {
             try {
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
index d731b25a..2702b4b9 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
@@ -53,6 +53,10 @@ public class VerifyCmd implements Runnable {
     @Override
     public void run() {
         Verify verify = SopCLI.getSop().verify();
+        if (verify == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'verify' not implemented.");
+        }
+
         if (notAfter != null) {
             try {
                 verify.notAfter(DateParser.parseNotAfter(notAfter));
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
index 0d5da1a6..6926c5c9 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
@@ -7,6 +7,7 @@ package sop.cli.picocli.commands;
 import picocli.CommandLine;
 import sop.cli.picocli.Print;
 import sop.cli.picocli.SopCLI;
+import sop.exception.SOPGPException;
 import sop.operation.Version;
 
 @CommandLine.Command(name = "version", description = "Display version information about the tool",
@@ -16,6 +17,9 @@ public class VersionCmd implements Runnable {
     @Override
     public void run() {
         Version version = SopCLI.getSop().version();
+        if (version == null) {
+            throw new SOPGPException.UnsupportedSubcommand("Command 'version' not implemented.");
+        }
 
         Print.outln(version.getName() + " " + version.getVersion());
     }
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
index fbf4cfa7..6360a779 100644
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
+++ b/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
@@ -4,11 +4,26 @@
 
 package sop.cli.picocli;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.mock;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
 import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
 import org.junit.jupiter.api.Test;
 import sop.SOP;
+import sop.operation.Armor;
+import sop.operation.Dearmor;
+import sop.operation.Decrypt;
+import sop.operation.DetachInbandSignatureAndMessage;
+import sop.operation.Encrypt;
+import sop.operation.ExtractCert;
+import sop.operation.GenerateKey;
+import sop.operation.Sign;
+import sop.operation.Verify;
+import sop.operation.Version;
 
 public class SOPTest {
 
@@ -28,4 +43,77 @@ public class SOPTest {
         // At this point, no SOP backend is set, so an InvalidStateException triggers exit(1)
         SopCLI.main(new String[] {"armor"});
     }
+
+    @Test
+    public void UnsupportedSubcommandsTest() {
+        SOP nullCommandSOP = new SOP() {
+            @Override
+            public Version version() {
+                return null;
+            }
+
+            @Override
+            public GenerateKey generateKey() {
+                return null;
+            }
+
+            @Override
+            public ExtractCert extractCert() {
+                return null;
+            }
+
+            @Override
+            public Sign sign() {
+                return null;
+            }
+
+            @Override
+            public Verify verify() {
+                return null;
+            }
+
+            @Override
+            public Encrypt encrypt() {
+                return null;
+            }
+
+            @Override
+            public Decrypt decrypt() {
+                return null;
+            }
+
+            @Override
+            public Armor armor() {
+                return null;
+            }
+
+            @Override
+            public Dearmor dearmor() {
+                return null;
+            }
+
+            @Override
+            public DetachInbandSignatureAndMessage detachInbandSignatureAndMessage() {
+                return null;
+            }
+        };
+        SopCLI.setSopInstance(nullCommandSOP);
+
+        List commands = new ArrayList<>();
+        commands.add(new String[] {"armor"});
+        commands.add(new String[] {"dearmor"});
+        commands.add(new String[] {"decrypt"});
+        commands.add(new String[] {"detach-inband-signature-and-message"});
+        commands.add(new String[] {"encrypt"});
+        commands.add(new String[] {"extract-cert"});
+        commands.add(new String[] {"generate-key"});
+        commands.add(new String[] {"sign"});
+        commands.add(new String[] {"verify", "signature.asc", "cert.asc"});
+        commands.add(new String[] {"version"});
+
+        for (String[] command : commands) {
+            int exit = SopCLI.execute(command);
+            assertEquals(69, exit, "Unexpected exit code for non-implemented command " + Arrays.toString(command) + ": " + exit);
+        }
+    }
 }
diff --git a/sop-java/src/main/java/sop/exception/SOPGPException.java b/sop-java/src/main/java/sop/exception/SOPGPException.java
index dfd09540..6b844f59 100644
--- a/sop-java/src/main/java/sop/exception/SOPGPException.java
+++ b/sop-java/src/main/java/sop/exception/SOPGPException.java
@@ -52,10 +52,6 @@ public abstract class SOPGPException extends RuntimeException {
             super(message, e);
         }
 
-        public UnsupportedAsymmetricAlgo(Throwable e) {
-            super(e);
-        }
-
         @Override
         public int getExitCode() {
             return EXIT_CODE;
@@ -308,10 +304,6 @@ public abstract class SOPGPException extends RuntimeException {
             super();
         }
 
-        public KeyCannotSign(String message) {
-            super(message);
-        }
-
         public KeyCannotSign(String s, KeyCannotSign keyCannotSign) {
             super(s, keyCannotSign);
         }

From e374951ed00ccea3032bde77a2783a952642b646 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Jan 2022 02:31:04 +0100
Subject: [PATCH 0267/1450] Remove ProofUtil.

This does not belong here.
---
 .../signature/consumer/ProofUtil.java         | 141 ------------------
 .../signature/builder/ProofUtilTest.java      |  77 ----------
 2 files changed, 218 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java
deleted file mode 100644
index e22886ca..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/ProofUtil.java
+++ /dev/null
@@ -1,141 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.signature.consumer;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.NoSuchElementException;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import javax.annotation.Nullable;
-
-import org.bouncycastle.bcpg.sig.NotationData;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
-import org.pgpainless.PGPainless;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.builder.DirectKeySignatureBuilder;
-import org.pgpainless.signature.builder.SelfSignatureBuilder;
-
-public class ProofUtil {
-
-    public PGPSecretKeyRing addProof(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, Proof proof)
-            throws PGPException {
-        return addProofs(secretKey, protector, Collections.singletonList(proof));
-    }
-
-    public PGPSecretKeyRing addProofs(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, List proofs)
-            throws PGPException {
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
-        return addProofs(secretKey, protector, info.getPrimaryUserId(), proofs);
-    }
-
-    public PGPSecretKeyRing addProof(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector, String userId, Proof proof)
-            throws PGPException {
-        return addProofs(secretKey, protector, userId, Collections.singletonList(proof));
-    }
-
-    public PGPSecretKeyRing addProofs(PGPSecretKeyRing secretKey, SecretKeyRingProtector protector,
-                          @Nullable String userId, List proofs)
-            throws PGPException {
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
-        PGPSecretKey certificationKey = secretKey.getSecretKey();
-        PGPPublicKey certificationPubKey = certificationKey.getPublicKey();
-        PGPSignature certification = null;
-
-        // null userid -> make direct key sig
-        if (userId == null) {
-            PGPSignature previousCertification = info.getLatestDirectKeySelfSignature();
-            if (previousCertification == null) {
-                throw new NoSuchElementException("No previous valid direct key signature found.");
-            }
-
-            DirectKeySignatureBuilder sigBuilder = new DirectKeySignatureBuilder(certificationKey, protector, previousCertification);
-            for (Proof proof : proofs) {
-                sigBuilder.getHashedSubpackets().addNotationData(false, proof.getNotationName(), proof.getNotationValue());
-            }
-            certification = sigBuilder.build(certificationPubKey);
-            certificationPubKey = PGPPublicKey.addCertification(certificationPubKey, certification);
-        } else {
-            if (!info.isUserIdValid(userId)) {
-                throw new IllegalArgumentException("User ID " + userId + " seems to not be valid for this key.");
-            }
-            PGPSignature previousCertification = info.getLatestUserIdCertification(userId);
-            if (previousCertification == null) {
-                throw new NoSuchElementException("No previous valid user-id certification found.");
-            }
-
-            SelfSignatureBuilder sigBuilder = new SelfSignatureBuilder(certificationKey, protector, previousCertification);
-            for (Proof proof : proofs) {
-                sigBuilder.getHashedSubpackets().addNotationData(false, proof.getNotationName(), proof.getNotationValue());
-            }
-            certification = sigBuilder.build(certificationPubKey, userId);
-            certificationPubKey = PGPPublicKey.addCertification(certificationPubKey, userId, certification);
-        }
-        certificationKey = PGPSecretKey.replacePublicKey(certificationKey, certificationPubKey);
-        secretKey = PGPSecretKeyRing.insertSecretKey(secretKey, certificationKey);
-
-        return secretKey;
-    }
-
-    public static class Proof {
-        public static final String NOTATION_NAME = "proof@metacode.biz";
-        private final String notationValue;
-
-        public Proof(String notationValue) {
-            if (notationValue == null) {
-                throw new IllegalArgumentException("Notation value cannot be null.");
-            }
-            String trimmed = notationValue.trim();
-            if (trimmed.isEmpty()) {
-                throw new IllegalArgumentException("Notation value cannot be empty.");
-            }
-            this.notationValue = trimmed;
-        }
-
-        public String getNotationName() {
-            return NOTATION_NAME;
-        }
-
-        public String getNotationValue() {
-            return notationValue;
-        }
-
-        public static Proof fromMatrixPermalink(String username, String eventPermalink) {
-            Pattern pattern = Pattern.compile("^https:\\/\\/matrix\\.to\\/#\\/(![a-zA-Z]{18}:matrix\\.org)\\/(\\$[a-zA-Z0-9\\-_]{43})\\?via=.*$");
-            Matcher matcher = pattern.matcher(eventPermalink);
-            if (!matcher.matches()) {
-                throw new IllegalArgumentException("Invalid matrix event permalink.");
-            }
-            String roomId = matcher.group(1);
-            String eventId = matcher.group(2);
-            return new Proof(String.format("matrix:u/%s?org.keyoxide.r=%s&org.keyoxide.e=%s", username, roomId, eventId));
-        }
-
-        @Override
-        public String toString() {
-            return getNotationName() + "=" + getNotationValue();
-        }
-    }
-
-    public static List getProofs(PGPSignature signature) {
-        PGPSignatureSubpacketVector hashedSubpackets = signature.getHashedSubPackets();
-        NotationData[] notations = hashedSubpackets.getNotationDataOccurrences();
-
-        List proofs = new ArrayList<>();
-        for (NotationData notation : notations) {
-            if (notation.getNotationName().equals(Proof.NOTATION_NAME)) {
-                proofs.add(new Proof(notation.getNotationValue()));
-            }
-        }
-        return proofs;
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java
deleted file mode 100644
index 0b5d8f0c..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ProofUtilTest.java
+++ /dev/null
@@ -1,77 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.signature.builder;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.consumer.ProofUtil;
-
-public class ProofUtilTest {
-
-    @Test
-    public void testEmptyProofThrows() {
-        assertThrows(IllegalArgumentException.class, () -> new ProofUtil.Proof(""));
-    }
-
-    @Test
-    public void testNullProofThrows() {
-        assertThrows(IllegalArgumentException.class, () -> new ProofUtil.Proof(null));
-    }
-
-    @Test
-    public void proofIsTrimmed() {
-        ProofUtil.Proof proof = new ProofUtil.Proof("    foo:bar ");
-        assertEquals("proof@metacode.biz=foo:bar", proof.toString());
-    }
-
-    @Test
-    public void testMatrixProof() {
-        String matrixUser = "@foo:matrix.org";
-        String permalink = "https://matrix.to/#/!dBfQZxCoGVmSTujfiv:matrix.org/$3dVX1nv3lmwnKxc0mgto_Sf-REVr45Z6G7LWLWal10w?via=chat.matrix.org";
-        ProofUtil.Proof proof = ProofUtil.Proof.fromMatrixPermalink(matrixUser, permalink);
-
-        assertEquals("proof@metacode.biz=matrix:u/@foo:matrix.org?org.keyoxide.r=!dBfQZxCoGVmSTujfiv:matrix.org&org.keyoxide.e=$3dVX1nv3lmwnKxc0mgto_Sf-REVr45Z6G7LWLWal10w",
-                proof.toString());
-    }
-
-    @Test
-    public void testXmppBasicProof() {
-        String jid = "alice@pgpainless.org";
-        ProofUtil.Proof proof = new ProofUtil.Proof("xmpp:" + jid);
-
-        assertEquals("proof@metacode.biz=xmpp:alice@pgpainless.org", proof.toString());
-    }
-
-    @Test
-    public void testAddProof()
-            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
-        String userId = "Alice ";
-        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing(userId, null);
-        Thread.sleep(1000L);
-        secretKey = new ProofUtil().addProof(
-                secretKey,
-                SecretKeyRingProtector.unprotectedKeys(),
-                new ProofUtil.Proof("xmpp:alice@pgpainless.org"));
-
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
-        PGPSignature signature = info.getLatestUserIdCertification(userId);
-        assertNotNull(signature);
-        assertFalse(ProofUtil.getProofs(signature).isEmpty());
-    }
-}

From 01839728f0cca74bac981a3814f37aa72aa1c88d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 14:38:58 +0100
Subject: [PATCH 0268/1450] Remove workaround for publicKey.getBitStrength() ==
 -1 in BC

see https://github.com/bcgit/bc-java/issues/972
---
 .../secretkeyring/SecretKeyRingEditor.java    |  3 +-
 .../consumer/SignatureValidator.java          | 11 ++----
 .../main/java/org/pgpainless/util/BCUtil.java | 38 -------------------
 .../BrainpoolKeyGenerationTest.java           | 11 +++---
 4 files changed, 10 insertions(+), 53 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 66336c6f..7eb5a92f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -64,7 +64,6 @@ import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
-import org.pgpainless.util.BCUtil;
 import org.pgpainless.util.CollectionUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.selection.userid.SelectUserId;
@@ -278,7 +277,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
 
         // check key against public key algorithm policy
         PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
-        int bitStrength = BCUtil.getBitStrength(subkey.getPublicKey());
+        int bitStrength = subkey.getPublicKey().getBitStrength();
         if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
             throw new IllegalArgumentException("Public key algorithm policy violation: " +
                     publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 3bd059a2..d0de0d46 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -4,7 +4,6 @@
 
 package org.pgpainless.signature.consumer;
 
-import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.Iterator;
@@ -32,7 +31,6 @@ import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
-import org.pgpainless.util.BCUtil;
 import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.NotationRegistry;
 
@@ -171,15 +169,14 @@ public abstract class SignatureValidator {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.fromId(signingKey.getAlgorithm());
-                try {
-                    int bitStrength = BCUtil.getBitStrength(signingKey);
+                    int bitStrength = signingKey.getBitStrength();
+                    if (bitStrength == -1) {
+                        throw new SignatureValidationException("Cannot determine bit strength of signing key.");
+                    }
                     if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
                         throw new SignatureValidationException("Signature was made using unacceptable key. " +
                                 algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
                     }
-                } catch (NoSuchAlgorithmException e) {
-                    throw new SignatureValidationException("Cannot determine bit strength of signing key.", e);
-                }
             }
         };
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
index 25bd72e9..78e604c8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
@@ -4,50 +4,12 @@
 
 package org.pgpainless.util;
 
-import java.security.NoSuchAlgorithmException;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.bcpg.ECPublicBCPGKey;
-import org.bouncycastle.openpgp.PGPPublicKey;
-
 public final class BCUtil {
 
     private BCUtil() {
 
     }
 
-    /**
-     * Utility method to get the bit strength of OpenPGP keys.
-     * Bouncycastle is lacking support for some keys (eg. EdDSA, X25519), so this method
-     * manually derives the bit strength from the keys curves OID.
-     *
-     * @param key key
-     * @return bit strength
-     */
-    public static int getBitStrength(PGPPublicKey key) throws NoSuchAlgorithmException {
-        int bitStrength = key.getBitStrength();
-
-        if (bitStrength == -1) {
-            // BC's PGPPublicKey.getBitStrength() does fail for some keys (EdDSA, X25519)
-            // therefore we manually set the bit strength.
-            // see https://github.com/bcgit/bc-java/issues/972
-
-            ASN1ObjectIdentifier oid = ((ECPublicBCPGKey) key.getPublicKeyPacket().getKey()).getCurveOID();
-            if (oid.getId().equals("1.3.6.1.4.1.11591.15.1")) {
-                // ed25519 is 256 bits
-                bitStrength = 256;
-            } else if (oid.getId().equals("1.3.6.1.4.1.3029.1.5.1")) {
-                // curvey25519 is 256 bits
-                bitStrength = 256;
-            } else {
-                throw new NoSuchAlgorithmException("Unknown curve: " + oid.getId());
-            }
-
-        }
-        return bitStrength;
-    }
-
-
     /**
      * A constant time equals comparison - does not terminate early if
      * test will fail. For best results always pass the expected value
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java
index 8a8afe0e..969a0587 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/BrainpoolKeyGenerationTest.java
@@ -29,9 +29,8 @@ import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.generation.type.xdh.XDHSpec;
 import org.pgpainless.key.info.KeyInfo;
 import org.pgpainless.key.util.UserId;
-import org.pgpainless.util.BCUtil;
-import org.pgpainless.util.TestAllImplementations;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.TestAllImplementations;
 
 public class BrainpoolKeyGenerationTest {
 
@@ -96,22 +95,22 @@ public class BrainpoolKeyGenerationTest {
         PGPSecretKey ecdsaPrim = iterator.next();
         KeyInfo ecdsaInfo = new KeyInfo(ecdsaPrim);
         assertEquals(EllipticCurve._BRAINPOOLP384R1.getName(), ecdsaInfo.getCurveName());
-        assertEquals(384, BCUtil.getBitStrength(ecdsaPrim.getPublicKey()));
+        assertEquals(384, ecdsaPrim.getPublicKey().getBitStrength());
 
         PGPSecretKey eddsaSub = iterator.next();
         KeyInfo eddsaInfo = new KeyInfo(eddsaSub);
         assertEquals(EdDSACurve._Ed25519.getName(), eddsaInfo.getCurveName());
-        assertEquals(256, BCUtil.getBitStrength(eddsaSub.getPublicKey()));
+        assertEquals(256, eddsaSub.getPublicKey().getBitStrength());
 
         PGPSecretKey xdhSub = iterator.next();
         KeyInfo xdhInfo = new KeyInfo(xdhSub);
         assertEquals(XDHSpec._X25519.getCurveName(), xdhInfo.getCurveName());
-        assertEquals(256, BCUtil.getBitStrength(xdhSub.getPublicKey()));
+        assertEquals(256, xdhSub.getPublicKey().getBitStrength());
 
         PGPSecretKey rsaSub = iterator.next();
         KeyInfo rsaInfo = new KeyInfo(rsaSub);
         assertThrows(IllegalArgumentException.class, rsaInfo::getCurveName, "RSA is not a curve-based encryption system");
-        assertEquals(3072, BCUtil.getBitStrength(rsaSub.getPublicKey()));
+        assertEquals(3072, rsaSub.getPublicKey().getBitStrength());
     }
 
     public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {

From bbc42fd8e4eb9c6fba1da2e13e2e80c2e6969957 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 14:51:17 +0100
Subject: [PATCH 0269/1450] Document workaround for BCs ECUtil.getCurveName()
 returning null for ed25519 keys

See https://github.com/bcgit/bc-java/issues/1087
---
 .../src/main/java/org/pgpainless/key/info/KeyInfo.java   | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
index 1cc4b6c8..a37eda24 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
@@ -89,12 +89,19 @@ public class KeyInfo {
     public static String getCurveName(ECPublicBCPGKey key) {
         ASN1ObjectIdentifier identifier = key.getCurveOID();
 
+        String curveName = ECUtil.getCurveName(identifier);
+        if (curveName != null) {
+            return curveName;
+        }
+
         // Workaround for ECUtil not recognizing ed25519
+        // see https://github.com/bcgit/bc-java/issues/1087
+        // TODO: Remove once BC 1.71 gets released and contains a fix
         if (identifier.equals(GNUObjectIdentifiers.Ed25519)) {
             return EdDSACurve._Ed25519.getName();
         }
 
-        return ECUtil.getCurveName(identifier);
+        return null;
     }
 
     /**

From 2e7a21b5b70720def9987626e5f40c48b84e1f9e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 16:16:49 +0100
Subject: [PATCH 0270/1450] Add javadoc description to
 DetachInbandSignatureAndMessage

---
 .../java/sop/operation/DetachInbandSignatureAndMessage.java    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
index 46bd3f77..9e22258c 100644
--- a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
+++ b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
@@ -11,6 +11,9 @@ import java.io.InputStream;
 import sop.ReadyWithResult;
 import sop.Signatures;
 
+/**
+ * Split cleartext signed messages up into data and signatures.
+ */
 public interface DetachInbandSignatureAndMessage {
 
     /**

From fc432901ed8cfcb9076374d6238b226e9eea4d06 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 16:44:18 +0100
Subject: [PATCH 0271/1450] Add information to SOP READMEs

---
 pgpainless-sop/README.md | 42 ++++++++++++++++++++++++++++++++-
 sop-java/README.md       | 51 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 90 insertions(+), 3 deletions(-)

diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 15aa483c..067f85c8 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -6,7 +6,47 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-SOP
 
+[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03)
+[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-sop)](https://search.maven.org/artifact/org.pgpainless/pgpainless-sop)
+[![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/org/pgpainless/sop/package-summary.html)
+[![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
+
 Implementation of the Stateless OpenPGP Protocol using PGPainless.
 
 This module implements `sop-java` using `pgpainless-core`.
-If your code depends on `sop-java`, this module can be used as a realization of those interfaces.
\ No newline at end of file
+If your code depends on `sop-java`, this module can be used as a realization of those interfaces.
+
+## Usage Examples
+```java
+SOP sop = new SOPImpl();
+        
+// Generate an OpenPGP key
+byte[] key = sop.generateKey()
+        .userId("Alice ")
+        .generate()
+        .getBytes();
+
+// Extract the certificate (public key)
+byte[] cert = sop.extractCert()
+        .key(key)
+        .getBytes();
+
+// Encrypt a message
+byte[] message = ...
+byte[] encrypted = sop.encrypt()
+        .withCert(cert)
+        .signWith(key)
+        .plaintext(message)
+        .getBytes();
+
+// Decrypt a message
+ByteArrayAndResult messageAndVerifications = sop.decrypt()
+        .verifyWith(cert)
+        .withKey(key)
+        .ciphertext(encrypted)
+        .toByteArrayAndResult();
+byte[] decrypted = messageAndVerifications.getBytes();
+// Signature Verifications
+DecryptionResult messageInfo = messageAndVerifications.getResult();
+List signatureVerifications = messageInfo.getVerifications();
+```
\ No newline at end of file
diff --git a/sop-java/README.md b/sop-java/README.md
index 86d02008..452576c6 100644
--- a/sop-java/README.md
+++ b/sop-java/README.md
@@ -6,13 +6,60 @@ SPDX-License-Identifier: Apache-2.0
 
 # SOP-Java
 
+[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03)
+[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/sop-java)](https://search.maven.org/artifact/org.pgpainless/sop-java)
+[![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/sop/SOP.html)
+[![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
+
 Stateless OpenPGP Protocol for Java.
 
 This module contains interfaces that model the API described by the 
-[Stateless OpenPGP Command Line Interface](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/) specification.
+[Stateless OpenPGP Command Line Interface](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03) specification.
 
 This module is not a command line application! For that, see `sop-java-picocli`.
 
+## Usage Examples
+
+The API defined by `sop-java` is super straight forward:
+```java
+SOP sop = ... // e.g. new org.pgpainless.sop.SOPImpl();
+        
+// Generate an OpenPGP key
+byte[] key = sop.generateKey()
+        .userId("Alice ")
+        .generate()
+        .getBytes();
+
+// Extract the certificate (public key)
+byte[] cert = sop.extractCert()
+        .key(key)
+        .getBytes();
+
+// Encrypt a message
+byte[] message = ...
+byte[] encrypted = sop.encrypt()
+        .withCert(cert)
+        .signWith(key)
+        .plaintext(message)
+        .getBytes();
+
+// Decrypt a message
+ByteArrayAndResult messageAndVerifications = sop.decrypt()
+        .verifyWith(cert)
+        .withKey(key)
+        .ciphertext(encrypted)
+        .toByteArrayAndResult();
+byte[] decrypted = messageAndVerifications.getBytes();
+// Signature Verifications
+DecryptionResult messageInfo = messageAndVerifications.getResult();
+List signatureVerifications = messageInfo.getVerifications();
+```
+
+Furthermore, the API is capable of signing messages and verifying unencrypted signed data, as well as adding and removing ASCII armor.
+
+### Limitations
+As per the spec, sop-java does not (yet) deal with encrypted OpenPGP keys.
+
 ## Why should I use this?
 
 If you need to use OpenPGP functionality like encrypting/decrypting messages, or creating/verifying
@@ -30,4 +77,4 @@ by swapping out the dependency with minimal changes to your code.
 Did you create an [OpenPGP](https://datatracker.ietf.org/doc/html/rfc4880) implementation that can be used in the Java ecosystem?
 By implementing the `sop-java` interface, you can turn your library into a command line interface (see `sop-java-picocli`).
 This allows you to plug your library into the [OpenPGP interoperability test suite](https://tests.sequoia-pgp.org/)
-of the [Sequoia-PGP](https://sequoia-pgp.org/) project.
\ No newline at end of file
+of the [Sequoia-PGP](https://sequoia-pgp.org/) project.

From 19b6c8b1e3c918f940baed871c80d8b368bd6e2c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 17:11:28 +0100
Subject: [PATCH 0272/1450] SOP-CLI: Implement additional version flags

---
 .../java/org/pgpainless/sop/VersionImpl.java  | 18 ++++++++----
 .../sop/cli/picocli/commands/VersionCmd.java  | 28 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index d1c15455..7675fcb9 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -6,6 +6,7 @@ package org.pgpainless.sop;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Locale;
 import java.util.Properties;
 
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -14,7 +15,7 @@ import sop.operation.Version;
 public class VersionImpl implements Version {
 
     // draft version
-    private static final String SOP_VERSION = "3";
+    private static final String SOP_VERSION = "03";
 
     @Override
     public String getName() {
@@ -42,16 +43,21 @@ public class VersionImpl implements Version {
     @Override
     public String getBackendVersion() {
         double bcVersion = new BouncyCastleProvider().getVersion();
-        return String.format("Bouncy Castle %,.2f", bcVersion);
+        return String.format(Locale.US, "Bouncy Castle %.2f", bcVersion);
     }
 
     @Override
     public String getExtendedVersion() {
         return getName() + " " + getVersion() + "\n" +
-                "Based on PGPainless " + getVersion() + "\n" +
-                "Using " + getBackendVersion() + "\n" +
-                "See https://pgpainless.org\n" +
+                "https://codeberg.org/PGPainless/pgpainless/src/branch/master/pgpainless-sop\n" +
+                "\n" +
                 "Implementation of the Stateless OpenPGP Protocol Version " + SOP_VERSION + "\n" +
-                "See https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03";
+                "https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-" + SOP_VERSION + "\n" +
+                "\n" +
+                "Based on pgpainless-core " + getVersion() + "\n" +
+                "https://pgpainless.org\n" +
+                "\n" +
+                "Using " + getBackendVersion() + "\n" +
+                "https://www.bouncycastle.org/java.html";
     }
 }
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
index 6926c5c9..4a319192 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
@@ -14,6 +14,19 @@ import sop.operation.Version;
         exitCodeOnInvalidInput = 37)
 public class VersionCmd implements Runnable {
 
+    @CommandLine.ArgGroup()
+    Exclusive exclusive;
+
+    static class Exclusive {
+        @CommandLine.Option(names = "--extended", description = "Print an extended version string.")
+        boolean extended;
+
+        @CommandLine.Option(names = "--backend", description = "Print information about the cryptographic backend.")
+        boolean backend;
+    }
+
+
+
     @Override
     public void run() {
         Version version = SopCLI.getSop().version();
@@ -21,6 +34,19 @@ public class VersionCmd implements Runnable {
             throw new SOPGPException.UnsupportedSubcommand("Command 'version' not implemented.");
         }
 
-        Print.outln(version.getName() + " " + version.getVersion());
+        if (exclusive == null) {
+            Print.outln(version.getName() + " " + version.getVersion());
+            return;
+        }
+
+        if (exclusive.extended) {
+            Print.outln(version.getExtendedVersion());
+            return;
+        }
+
+        if (exclusive.backend) {
+            Print.outln(version.getBackendVersion());
+            return;
+        }
     }
 }

From 9800ca8bd4ed4db76ab84706f8ffb4316c1cd20a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Jan 2022 17:20:15 +0100
Subject: [PATCH 0273/1450] Update CHANGELOG

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43aa5ddb..cf32f122 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.0.2-SNAPSHOT
+- Update SOP implementation to specification revision 03
+- `OpenPGPV4Fingerprint`: Hex decode bytes in constructor
+- Add `ArmorUtils.toAsciiArmoredString()` for single key
+- Fix `ClassCastException` when retrieving `RevocationKey` subpackets from signatures
+
 ## 1.0.1
 - Fix sourcing of preferred algorithms by primary user-id when key is located via key-id
 

From c6bc8f9774ed37e5575155f90922315b30ea8ead Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 11 Jan 2022 15:18:34 +0100
Subject: [PATCH 0274/1450] Moved sop-java and sop-java-picocli to its own
 repositories

See https://github.com/pgpainless/sop-java
See https://codeberg.org/PGPainless/sop-java
---
 build.gradle                                  |   7 +
 pgpainless-cli/build.gradle                   |   2 +-
 pgpainless-sop/build.gradle                   |   2 +-
 settings.gradle                               |   2 -
 sop-java-picocli/README.md                    |  35 +-
 sop-java-picocli/build.gradle                 |  39 --
 .../main/java/sop/cli/picocli/DateParser.java |  33 --
 .../main/java/sop/cli/picocli/FileUtil.java   |  98 -----
 .../src/main/java/sop/cli/picocli/Print.java  |  26 --
 .../picocli/SOPExceptionExitCodeMapper.java   |  34 --
 .../picocli/SOPExecutionExceptionHandler.java |  26 --
 .../src/main/java/sop/cli/picocli/SopCLI.java |  68 ----
 .../sop/cli/picocli/commands/ArmorCmd.java    |  54 ---
 .../sop/cli/picocli/commands/DearmorCmd.java  |  42 ---
 .../sop/cli/picocli/commands/DecryptCmd.java  | 240 ------------
 .../DetachInbandSignatureAndMessageCmd.java   |  59 ---
 .../sop/cli/picocli/commands/EncryptCmd.java  | 123 -------
 .../cli/picocli/commands/ExtractCertCmd.java  |  45 ---
 .../cli/picocli/commands/GenerateKeyCmd.java  |  63 ----
 .../sop/cli/picocli/commands/SignCmd.java     | 121 ------
 .../sop/cli/picocli/commands/VerifyCmd.java   | 136 -------
 .../sop/cli/picocli/commands/VersionCmd.java  |  52 ---
 .../cli/picocli/commands/package-info.java    |   8 -
 .../java/sop/cli/picocli/package-info.java    |   8 -
 .../java/sop/cli/picocli/DateParserTest.java  |  49 ---
 .../java/sop/cli/picocli/FileUtilTest.java    | 123 -------
 .../test/java/sop/cli/picocli/SOPTest.java    | 119 ------
 .../cli/picocli/commands/ArmorCmdTest.java    | 101 -----
 .../cli/picocli/commands/DearmorCmdTest.java  |  61 ----
 .../cli/picocli/commands/DecryptCmdTest.java  | 344 ------------------
 .../cli/picocli/commands/EncryptCmdTest.java  | 194 ----------
 .../picocli/commands/ExtractCertCmdTest.java  |  76 ----
 .../picocli/commands/GenerateKeyCmdTest.java  |  98 -----
 .../sop/cli/picocli/commands/SignCmdTest.java | 128 -------
 .../cli/picocli/commands/VerifyCmdTest.java   | 204 -----------
 .../cli/picocli/commands/VersionCmdTest.java  |  46 ---
 sop-java/README.md                            |  81 +----
 sop-java/build.gradle                         |  22 --
 .../src/main/java/sop/ByteArrayAndResult.java |  50 ---
 .../src/main/java/sop/DecryptionResult.java   |  29 --
 sop-java/src/main/java/sop/MicAlg.java        |  55 ---
 sop-java/src/main/java/sop/Ready.java         |  45 ---
 .../src/main/java/sop/ReadyWithResult.java    |  41 ---
 sop-java/src/main/java/sop/SOP.java           |  95 -----
 sop-java/src/main/java/sop/SessionKey.java    |  79 ----
 sop-java/src/main/java/sop/Signatures.java    |  21 --
 sop-java/src/main/java/sop/SigningResult.java |  50 ---
 sop-java/src/main/java/sop/Verification.java  |  58 ---
 .../src/main/java/sop/enums/ArmorLabel.java   |  13 -
 .../src/main/java/sop/enums/EncryptAs.java    |  11 -
 sop-java/src/main/java/sop/enums/SignAs.java  |  10 -
 .../src/main/java/sop/enums/package-info.java |   9 -
 .../java/sop/exception/SOPGPException.java    | 316 ----------------
 .../main/java/sop/exception/package-info.java |   9 -
 .../src/main/java/sop/operation/Armor.java    |  41 ---
 .../src/main/java/sop/operation/Dearmor.java  |  33 --
 .../src/main/java/sop/operation/Decrypt.java  | 118 ------
 .../DetachInbandSignatureAndMessage.java      |  44 ---
 .../src/main/java/sop/operation/Encrypt.java  | 109 ------
 .../main/java/sop/operation/ExtractCert.java  |  40 --
 .../main/java/sop/operation/GenerateKey.java  |  36 --
 .../src/main/java/sop/operation/Sign.java     |  69 ----
 .../src/main/java/sop/operation/Verify.java   |  67 ----
 .../java/sop/operation/VerifySignatures.java  |  40 --
 .../src/main/java/sop/operation/Version.java  |  49 ---
 .../main/java/sop/operation/package-info.java |   9 -
 sop-java/src/main/java/sop/package-info.java  |   8 -
 sop-java/src/main/java/sop/util/HexUtil.java  |  47 ---
 sop-java/src/main/java/sop/util/Optional.java |  50 ---
 .../main/java/sop/util/ProxyOutputStream.java |  80 ----
 sop-java/src/main/java/sop/util/UTCUtil.java  |  56 ---
 .../src/main/java/sop/util/package-info.java  |   8 -
 .../java/sop/util/ByteArrayAndResultTest.java |  33 --
 .../src/test/java/sop/util/HexUtilTest.java   |  63 ----
 .../src/test/java/sop/util/MicAlgTest.java    |  53 ---
 .../src/test/java/sop/util/OptionalTest.java  |  78 ----
 .../java/sop/util/ProxyOutputStreamTest.java  |  40 --
 .../src/test/java/sop/util/ReadyTest.java     |  30 --
 .../java/sop/util/ReadyWithResultTest.java    |  44 ---
 .../test/java/sop/util/SessionKeyTest.java    |  61 ----
 .../test/java/sop/util/SigningResultTest.java |  23 --
 .../src/test/java/sop/util/UTCUtilTest.java   |  48 ---
 82 files changed, 11 insertions(+), 5226 deletions(-)
 delete mode 100644 sop-java-picocli/build.gradle
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/Print.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java
 delete mode 100644 sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java
 delete mode 100644 sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java
 delete mode 100644 sop-java/build.gradle
 delete mode 100644 sop-java/src/main/java/sop/ByteArrayAndResult.java
 delete mode 100644 sop-java/src/main/java/sop/DecryptionResult.java
 delete mode 100644 sop-java/src/main/java/sop/MicAlg.java
 delete mode 100644 sop-java/src/main/java/sop/Ready.java
 delete mode 100644 sop-java/src/main/java/sop/ReadyWithResult.java
 delete mode 100644 sop-java/src/main/java/sop/SOP.java
 delete mode 100644 sop-java/src/main/java/sop/SessionKey.java
 delete mode 100644 sop-java/src/main/java/sop/Signatures.java
 delete mode 100644 sop-java/src/main/java/sop/SigningResult.java
 delete mode 100644 sop-java/src/main/java/sop/Verification.java
 delete mode 100644 sop-java/src/main/java/sop/enums/ArmorLabel.java
 delete mode 100644 sop-java/src/main/java/sop/enums/EncryptAs.java
 delete mode 100644 sop-java/src/main/java/sop/enums/SignAs.java
 delete mode 100644 sop-java/src/main/java/sop/enums/package-info.java
 delete mode 100644 sop-java/src/main/java/sop/exception/SOPGPException.java
 delete mode 100644 sop-java/src/main/java/sop/exception/package-info.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Armor.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Dearmor.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Decrypt.java
 delete mode 100644 sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Encrypt.java
 delete mode 100644 sop-java/src/main/java/sop/operation/ExtractCert.java
 delete mode 100644 sop-java/src/main/java/sop/operation/GenerateKey.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Sign.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Verify.java
 delete mode 100644 sop-java/src/main/java/sop/operation/VerifySignatures.java
 delete mode 100644 sop-java/src/main/java/sop/operation/Version.java
 delete mode 100644 sop-java/src/main/java/sop/operation/package-info.java
 delete mode 100644 sop-java/src/main/java/sop/package-info.java
 delete mode 100644 sop-java/src/main/java/sop/util/HexUtil.java
 delete mode 100644 sop-java/src/main/java/sop/util/Optional.java
 delete mode 100644 sop-java/src/main/java/sop/util/ProxyOutputStream.java
 delete mode 100644 sop-java/src/main/java/sop/util/UTCUtil.java
 delete mode 100644 sop-java/src/main/java/sop/util/package-info.java
 delete mode 100644 sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/HexUtilTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/MicAlgTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/OptionalTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/ReadyTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/ReadyWithResultTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/SessionKeyTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/SigningResultTest.java
 delete mode 100644 sop-java/src/test/java/sop/util/UTCUtilTest.java

diff --git a/build.gradle b/build.gradle
index 277f1a8b..af0936e1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -30,6 +30,12 @@ allprojects {
     apply plugin: 'jacoco'
     apply plugin: 'checkstyle'
 
+    // Only generate jar for submodules
+    // https://stackoverflow.com/a/25445035
+    jar {
+        onlyIf { !sourceSets.main.allSource.files.isEmpty() }
+    }
+
     // For non-sop modules, enable android api compatibility check
     if (it.name.equals('pgpainless-core') || it.name.equals('sop-java') || it.name.equals('pgpainless-sop')) {
         // animalsniffer
@@ -68,6 +74,7 @@ allprojects {
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
         picocliVersion = '4.6.2'
+        sopJavaVersion = '1.1.0'
         rootConfigDir = new File(rootDir, 'config')
         gitCommit = getGitCommit()
         isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI'))
diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle
index eeacf5fa..9db15a5b 100644
--- a/pgpainless-cli/build.gradle
+++ b/pgpainless-cli/build.gradle
@@ -40,7 +40,7 @@ dependencies {
     implementation "ch.qos.logback:logback-classic:$logbackVersion"
 
     implementation(project(":pgpainless-sop"))
-    implementation(project(":sop-java-picocli"))
+    implementation "org.pgpainless:sop-java-picocli:$sopJavaVersion"
 
     implementation "info.picocli:picocli:$picocliVersion"
 
diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle
index 5ce6a7c6..87e893b2 100644
--- a/pgpainless-sop/build.gradle
+++ b/pgpainless-sop/build.gradle
@@ -20,7 +20,7 @@ dependencies {
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
 
     implementation(project(":pgpainless-core"))
-    implementation(project(":sop-java"))
+    implementation "org.pgpainless:sop-java:$sopJavaVersion"
 }
 
 test {
diff --git a/settings.gradle b/settings.gradle
index 7ebc7ad4..aea19392 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -5,8 +5,6 @@
 rootProject.name = 'PGPainless'
 
 include 'pgpainless-core',
-        'sop-java',
         'pgpainless-sop',
-        'sop-java-picocli',
         'pgpainless-cli'
 
diff --git a/sop-java-picocli/README.md b/sop-java-picocli/README.md
index f76c9295..3c9234af 100644
--- a/sop-java-picocli/README.md
+++ b/sop-java-picocli/README.md
@@ -1,34 +1 @@
-
-# SOP-Java-Picocli
-
-Implementation of the [Stateless OpenPGP Command Line Interface](https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli-01) specification.
-This terminal application allows generation of OpenPGP keys, extraction of public key certificates,
-armoring and de-armoring of data, as well as - of course - encryption/decryption of messages and creation/verification of signatures.
-
-## Install a SOP backend
-
-This module comes without a SOP backend, so in order to function you need to extend it with an implementation of the interfaces defined in `sop-java`.
-An implementation using PGPainless can be found in the module `pgpainless-sop`, but it is of course possible to provide your
-own implementation.
-
-Just install your SOP backend by calling 
-```java
-// static method call prior to execution of the main method
-SopCLI.setSopInstance(yourSopImpl);
-```
-
-## Usage
-
-To get an overview of available commands of the application, execute
-```shell
-java -jar sop-java-picocli-XXX.jar help
-```
-
-If you just want to get started encrypting messages, see the module `pgpainless-cli` which initializes
-`sop-java-picocli` with `pgpainless-sop`, so you can get started right away without the need to manually wire stuff up.
-
-Enjoy!
\ No newline at end of file
+# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java-picocli)
\ No newline at end of file
diff --git a/sop-java-picocli/build.gradle b/sop-java-picocli/build.gradle
deleted file mode 100644
index 81183a09..00000000
--- a/sop-java-picocli/build.gradle
+++ /dev/null
@@ -1,39 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-plugins {
-    id 'application'
-}
-
-dependencies {
-    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
-
-    // https://todd.ginsberg.com/post/testing-system-exit/
-    testImplementation 'com.ginsberg:junit5-system-exit:1.1.1'
-    testImplementation 'org.mockito:mockito-core:4.2.0'
-
-    implementation(project(":sop-java"))
-    implementation "info.picocli:picocli:$picocliVersion"
-
-    // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
-    implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2'
-}
-
-mainClassName = 'sop.cli.picocli.SopCLI'
-
-jar {
-    manifest {
-        attributes 'Main-Class': "$mainClassName"
-    }
-
-    from {
-        configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
-    } {
-        exclude "META-INF/*.SF"
-        exclude "META-INF/*.DSA"
-        exclude "META-INF/*.RSA"
-    }
-}
-
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java b/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java
deleted file mode 100644
index d2e2188e..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/DateParser.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import java.util.Date;
-
-import sop.util.UTCUtil;
-
-public class DateParser {
-
-    public static final Date BEGINNING_OF_TIME = new Date(0);
-    public static final Date END_OF_TIME = new Date(8640000000000000L);
-
-    public static Date parseNotAfter(String notAfter) {
-        Date date = notAfter.equals("now") ? new Date() : notAfter.equals("-") ? END_OF_TIME : UTCUtil.parseUTCDate(notAfter);
-        if (date == null) {
-            Print.errln("Invalid date string supplied as value of --not-after.");
-            System.exit(1);
-        }
-        return date;
-    }
-
-    public static Date parseNotBefore(String notBefore) {
-        Date date = notBefore.equals("now") ? new Date() : notBefore.equals("-") ? BEGINNING_OF_TIME : UTCUtil.parseUTCDate(notBefore);
-        if (date == null) {
-            Print.errln("Invalid date string supplied as value of --not-before.");
-            System.exit(1);
-        }
-        return date;
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java b/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java
deleted file mode 100644
index cd92e6db..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/FileUtil.java
+++ /dev/null
@@ -1,98 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-
-import sop.exception.SOPGPException;
-
-public class FileUtil {
-
-    private static final String ERROR_AMBIGUOUS = "File name '%s' is ambiguous. File with the same name exists on the filesystem.";
-    private static final String ERROR_ENV_FOUND = "Environment variable '%s' not set.";
-    private static final String ERROR_OUTPUT_EXISTS = "Output file '%s' already exists.";
-    private static final String ERROR_INPUT_NOT_EXIST = "File '%s' does not exist.";
-    private static final String ERROR_CANNOT_CREATE_FILE = "Output file '%s' cannot be created: %s";
-
-    public static final String PRFX_ENV = "@ENV:";
-    public static final String PRFX_FD = "@FD:";
-
-    private static EnvironmentVariableResolver envResolver = System::getenv;
-
-    public static void setEnvironmentVariableResolver(EnvironmentVariableResolver envResolver) {
-        if (envResolver == null) {
-            throw new NullPointerException("Variable envResolver cannot be null.");
-        }
-        FileUtil.envResolver = envResolver;
-    }
-
-    public interface EnvironmentVariableResolver {
-        /**
-         * Resolve the value of the given environment variable.
-         * Return null if the variable is not present.
-         *
-         * @param name name of the variable
-         * @return variable value or null
-         */
-        String resolveEnvironmentVariable(String name);
-    }
-
-    public static File getFile(String fileName) {
-        if (fileName == null) {
-            throw new NullPointerException("File name cannot be null.");
-        }
-
-        if (fileName.startsWith(PRFX_ENV)) {
-
-            if (new File(fileName).exists()) {
-                throw new SOPGPException.AmbiguousInput(String.format(ERROR_AMBIGUOUS, fileName));
-            }
-
-            String envName = fileName.substring(PRFX_ENV.length());
-            String envValue = envResolver.resolveEnvironmentVariable(envName);
-            if (envValue == null) {
-                throw new IllegalArgumentException(String.format(ERROR_ENV_FOUND, envName));
-            }
-            return new File(envValue);
-        } else if (fileName.startsWith(PRFX_FD)) {
-
-            if (new File(fileName).exists()) {
-                throw new SOPGPException.AmbiguousInput(String.format(ERROR_AMBIGUOUS, fileName));
-            }
-
-            throw new IllegalArgumentException("File descriptors not supported.");
-        }
-
-        return new File(fileName);
-    }
-
-    public static FileInputStream getFileInputStream(String fileName) {
-        File file = getFile(fileName);
-        try {
-            FileInputStream inputStream = new FileInputStream(file);
-            return inputStream;
-        } catch (FileNotFoundException e) {
-            throw new SOPGPException.MissingInput(String.format(ERROR_INPUT_NOT_EXIST, fileName), e);
-        }
-    }
-
-    public static File createNewFileOrThrow(File file) throws IOException {
-        if (file == null) {
-            throw new NullPointerException("File cannot be null.");
-        }
-
-        try {
-            if (!file.createNewFile()) {
-                throw new SOPGPException.OutputExists(String.format(ERROR_OUTPUT_EXISTS, file.getAbsolutePath()));
-            }
-        } catch (IOException e) {
-            throw new IOException(String.format(ERROR_CANNOT_CREATE_FILE, file.getAbsolutePath(), e.getMessage()));
-        }
-        return file;
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java b/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java
deleted file mode 100644
index d6474e1d..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/Print.java
+++ /dev/null
@@ -1,26 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-public class Print {
-
-    public static void errln(String string) {
-        // CHECKSTYLE:OFF
-        System.err.println(string);
-        // CHECKSTYLE:ON
-    }
-
-    public static void trace(Throwable e) {
-        // CHECKSTYLE:OFF
-        e.printStackTrace();
-        // CHECKSTYLE:ON
-    }
-
-    public static void outln(String string) {
-        // CHECKSTYLE:OFF
-        System.out.println(string);
-        // CHECKSTYLE:ON
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java
deleted file mode 100644
index 8b38af32..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.CommandLine;
-import sop.exception.SOPGPException;
-
-public class SOPExceptionExitCodeMapper implements CommandLine.IExitCodeExceptionMapper {
-
-    @Override
-    public int getExitCode(Throwable exception) {
-        if (exception instanceof SOPGPException) {
-            return ((SOPGPException) exception).getExitCode();
-        }
-        if (exception instanceof CommandLine.UnmatchedArgumentException) {
-            CommandLine.UnmatchedArgumentException ex = (CommandLine.UnmatchedArgumentException) exception;
-            // Unmatched option of subcommand (eg. `generate-key -k`)
-            if (ex.isUnknownOption()) {
-                return SOPGPException.UnsupportedOption.EXIT_CODE;
-            }
-            // Unmatched subcommand
-            return SOPGPException.UnsupportedSubcommand.EXIT_CODE;
-        }
-        // Invalid option (eg. `--label Invalid`)
-        if (exception instanceof CommandLine.ParameterException) {
-            return SOPGPException.UnsupportedOption.EXIT_CODE;
-        }
-
-        // Others, like IOException etc.
-        return 1;
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java
deleted file mode 100644
index bbd8b976..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java
+++ /dev/null
@@ -1,26 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.CommandLine;
-
-public class SOPExecutionExceptionHandler implements CommandLine.IExecutionExceptionHandler {
-
-    @Override
-    public int handleExecutionException(Exception ex, CommandLine commandLine, CommandLine.ParseResult parseResult) {
-        int exitCode = commandLine.getExitCodeExceptionMapper() != null ?
-                commandLine.getExitCodeExceptionMapper().getExitCode(ex) :
-                commandLine.getCommandSpec().exitCodeOnExecutionException();
-        CommandLine.Help.ColorScheme colorScheme = commandLine.getColorScheme();
-        // CHECKSTYLE:OFF
-        if (ex.getMessage() != null) {
-            commandLine.getErr().println(colorScheme.errorText(ex.getMessage()));
-        }
-        ex.printStackTrace(commandLine.getErr());
-        // CHECKSTYLE:ON
-
-        return exitCode;
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java b/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java
deleted file mode 100644
index bc0ae3dd..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java
+++ /dev/null
@@ -1,68 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.CommandLine;
-import sop.SOP;
-import sop.cli.picocli.commands.ArmorCmd;
-import sop.cli.picocli.commands.DearmorCmd;
-import sop.cli.picocli.commands.DecryptCmd;
-import sop.cli.picocli.commands.DetachInbandSignatureAndMessageCmd;
-import sop.cli.picocli.commands.EncryptCmd;
-import sop.cli.picocli.commands.ExtractCertCmd;
-import sop.cli.picocli.commands.GenerateKeyCmd;
-import sop.cli.picocli.commands.SignCmd;
-import sop.cli.picocli.commands.VerifyCmd;
-import sop.cli.picocli.commands.VersionCmd;
-
-@CommandLine.Command(
-        exitCodeOnInvalidInput = 69,
-        subcommands = {
-                CommandLine.HelpCommand.class,
-                ArmorCmd.class,
-                DearmorCmd.class,
-                DecryptCmd.class,
-                DetachInbandSignatureAndMessageCmd.class,
-                EncryptCmd.class,
-                ExtractCertCmd.class,
-                GenerateKeyCmd.class,
-                SignCmd.class,
-                VerifyCmd.class,
-                VersionCmd.class
-        }
-)
-public class SopCLI {
-    // Singleton
-    static SOP SOP_INSTANCE;
-
-    public static String EXECUTABLE_NAME = "sop";
-
-    public static void main(String[] args) {
-        int exitCode = execute(args);
-        if (exitCode != 0) {
-            System.exit(exitCode);
-        }
-    }
-
-    public static int execute(String[] args) {
-        return new CommandLine(SopCLI.class)
-                .setCommandName(EXECUTABLE_NAME)
-                .setExecutionExceptionHandler(new SOPExecutionExceptionHandler())
-                .setExitCodeExceptionMapper(new SOPExceptionExitCodeMapper())
-                .setCaseInsensitiveEnumValuesAllowed(true)
-                .execute(args);
-    }
-
-    public static SOP getSop() {
-        if (SOP_INSTANCE == null) {
-            throw new IllegalStateException("No SOP backend set.");
-        }
-        return SOP_INSTANCE;
-    }
-
-    public static void setSopInstance(SOP instance) {
-        SOP_INSTANCE = instance;
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
deleted file mode 100644
index a015a688..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java
+++ /dev/null
@@ -1,54 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.IOException;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.enums.ArmorLabel;
-import sop.exception.SOPGPException;
-import sop.operation.Armor;
-
-@CommandLine.Command(name = "armor",
-        description = "Add ASCII Armor to standard input",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class ArmorCmd implements Runnable {
-
-    @CommandLine.Option(names = {"--label"}, description = "Label to be used in the header and tail of the armoring.", paramLabel = "{auto|sig|key|cert|message}")
-    ArmorLabel label;
-
-    @Override
-    public void run() {
-        Armor armor = SopCLI.getSop().armor();
-        if (armor == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'armor' not implemented.");
-        }
-
-        if (label != null) {
-            try {
-                armor.label(label);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                Print.errln("Armor labels not supported.");
-                System.exit(unsupportedOption.getExitCode());
-            }
-        }
-
-        try {
-            Ready ready = armor.data(System.in);
-            ready.writeTo(System.out);
-        } catch (SOPGPException.BadData badData) {
-            Print.errln("Bad data.");
-            Print.trace(badData);
-            System.exit(badData.getExitCode());
-        } catch (IOException e) {
-            Print.errln("IO Error.");
-            Print.trace(e);
-            System.exit(1);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
deleted file mode 100644
index 343b1135..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java
+++ /dev/null
@@ -1,42 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.IOException;
-
-import picocli.CommandLine;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Dearmor;
-
-@CommandLine.Command(name = "dearmor",
-        description = "Remove ASCII Armor from standard input",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class DearmorCmd implements Runnable {
-
-    @Override
-    public void run() {
-        Dearmor dearmor = SopCLI.getSop().dearmor();
-        if (dearmor == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'dearmor' not implemented.");
-        }
-
-        try {
-            SopCLI.getSop()
-                    .dearmor()
-                    .data(System.in)
-                    .writeTo(System.out);
-        } catch (SOPGPException.BadData e) {
-            Print.errln("Bad data.");
-            Print.trace(e);
-            System.exit(e.getExitCode());
-        } catch (IOException e) {
-            Print.errln("IO Error.");
-            Print.trace(e);
-            System.exit(1);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
deleted file mode 100644
index 8fc4650b..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java
+++ /dev/null
@@ -1,240 +0,0 @@
-// SPDX-FileCopyrightText: 2020 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.regex.Pattern;
-
-import picocli.CommandLine;
-import sop.DecryptionResult;
-import sop.ReadyWithResult;
-import sop.SessionKey;
-import sop.Verification;
-import sop.cli.picocli.DateParser;
-import sop.cli.picocli.FileUtil;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Decrypt;
-import sop.util.HexUtil;
-
-@CommandLine.Command(name = "decrypt",
-        description = "Decrypt a message from standard input",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class DecryptCmd implements Runnable {
-
-    private static final String SESSION_KEY_OUT = "--session-key-out";
-    private static final String VERIFY_OUT = "--verify-out";
-
-    private static final String ERROR_UNSUPPORTED_OPTION = "Option '%s' is not supported.";
-    private static final String ERROR_FILE_NOT_EXIST = "File '%s' does not exist.";
-    private static final String ERROR_OUTPUT_OF_OPTION_EXISTS = "Target %s of option %s already exists.";
-
-    @CommandLine.Option(
-            names = {SESSION_KEY_OUT},
-            description = "Can be used to learn the session key on successful decryption",
-            paramLabel = "SESSIONKEY")
-    File sessionKeyOut;
-
-    @CommandLine.Option(
-            names = {"--with-session-key"},
-            description = "Enables decryption of the \"CIPHERTEXT\" using the session key directly against the \"SEIPD\" packet",
-            paramLabel = "SESSIONKEY")
-    List withSessionKey = new ArrayList<>();
-
-    @CommandLine.Option(
-            names = {"--with-password"},
-            description = "Enables decryption based on any \"SKESK\" packets in the \"CIPHERTEXT\"",
-            paramLabel = "PASSWORD")
-    List withPassword = new ArrayList<>();
-
-    @CommandLine.Option(names = {VERIFY_OUT},
-            description = "Produces signature verification status to the designated file",
-            paramLabel = "VERIFICATIONS")
-    File verifyOut;
-
-    @CommandLine.Option(names = {"--verify-with"},
-            description = "Certificates whose signatures would be acceptable for signatures over this message",
-            paramLabel = "CERT")
-    List certs = new ArrayList<>();
-
-    @CommandLine.Option(names = {"--not-before"},
-            description = "ISO-8601 formatted UTC date (eg. '2020-11-23T16:35Z)\n" +
-                    "Reject signatures with a creation date not in range.\n" +
-                    "Defaults to beginning of time (\"-\").",
-            paramLabel = "DATE")
-    String notBefore = "-";
-
-    @CommandLine.Option(names = {"--not-after"},
-            description = "ISO-8601 formatted UTC date (eg. '2020-11-23T16:35Z)\n" +
-                    "Reject signatures with a creation date not in range.\n" +
-                    "Defaults to current system time (\"now\").\n" +
-                    "Accepts special value \"-\" for end of time.",
-            paramLabel = "DATE")
-    String notAfter = "now";
-
-    @CommandLine.Parameters(index = "0..*",
-            description = "Secret keys to attempt decryption with",
-            paramLabel = "KEY")
-    List keys = new ArrayList<>();
-
-    @Override
-    public void run() {
-        throwIfOutputExists(verifyOut, VERIFY_OUT);
-        throwIfOutputExists(sessionKeyOut, SESSION_KEY_OUT);
-
-        Decrypt decrypt = SopCLI.getSop().decrypt();
-        if (decrypt == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'decrypt' not implemented.");
-        }
-
-        setNotAfter(notAfter, decrypt);
-        setNotBefore(notBefore, decrypt);
-        setWithPasswords(withPassword, decrypt);
-        setWithSessionKeys(withSessionKey, decrypt);
-        setVerifyWith(certs, decrypt);
-        setDecryptWith(keys, decrypt);
-
-        if (verifyOut != null && certs.isEmpty()) {
-            String errorMessage = "Option %s is requested, but no option %s was provided.";
-            throw new SOPGPException.IncompleteVerification(String.format(errorMessage, VERIFY_OUT, "--verify-with"));
-        }
-
-        try {
-            ReadyWithResult ready = decrypt.ciphertext(System.in);
-            DecryptionResult result = ready.writeTo(System.out);
-            writeSessionKeyOut(result);
-            writeVerifyOut(result);
-        } catch (SOPGPException.BadData badData) {
-            throw new SOPGPException.BadData("No valid OpenPGP message found on Standard Input.", badData);
-        } catch (IOException ioException) {
-            throw new RuntimeException(ioException);
-        }
-    }
-
-    private void throwIfOutputExists(File outputFile, String optionName) {
-        if (outputFile == null) {
-            return;
-        }
-
-        if (outputFile.exists()) {
-            throw new SOPGPException.OutputExists(String.format(ERROR_OUTPUT_OF_OPTION_EXISTS, outputFile.getAbsolutePath(), optionName));
-        }
-    }
-
-    private void writeVerifyOut(DecryptionResult result) throws IOException {
-        if (verifyOut != null) {
-            FileUtil.createNewFileOrThrow(verifyOut);
-            try (FileOutputStream outputStream = new FileOutputStream(verifyOut)) {
-                PrintWriter writer = new PrintWriter(outputStream);
-                for (Verification verification : result.getVerifications()) {
-                    // CHECKSTYLE:OFF
-                    writer.println(verification.toString());
-                    // CHECKSTYLE:ON
-                }
-                writer.flush();
-            }
-        }
-    }
-
-    private void writeSessionKeyOut(DecryptionResult result) throws IOException {
-        if (sessionKeyOut != null) {
-            FileUtil.createNewFileOrThrow(sessionKeyOut);
-
-            try (FileOutputStream outputStream = new FileOutputStream(sessionKeyOut)) {
-                if (!result.getSessionKey().isPresent()) {
-                    throw new SOPGPException.UnsupportedOption("Session key not extracted. Possibly the feature --session-key-out is not supported.");
-                } else {
-                    SessionKey sessionKey = result.getSessionKey().get();
-                    outputStream.write(sessionKey.getAlgorithm());
-                    outputStream.write(sessionKey.getKey());
-                }
-            }
-        }
-    }
-
-    private void setDecryptWith(List keys, Decrypt decrypt) {
-        for (File key : keys) {
-            try (FileInputStream keyIn = new FileInputStream(key)) {
-                decrypt.withKey(keyIn);
-            } catch (SOPGPException.KeyIsProtected keyIsProtected) {
-                throw new SOPGPException.KeyIsProtected("Key in file " + key.getAbsolutePath() + " is password protected.", keyIsProtected);
-            } catch (SOPGPException.BadData badData) {
-                throw new SOPGPException.BadData("File " + key.getAbsolutePath() + " does not contain a private key.", badData);
-            } catch (FileNotFoundException e) {
-                throw new SOPGPException.MissingInput(String.format(ERROR_FILE_NOT_EXIST, key.getAbsolutePath()), e);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-    }
-
-    private void setVerifyWith(List certs, Decrypt decrypt) {
-        for (File cert : certs) {
-            try (FileInputStream certIn = new FileInputStream(cert)) {
-                decrypt.verifyWithCert(certIn);
-            } catch (FileNotFoundException e) {
-                throw new SOPGPException.MissingInput(String.format(ERROR_FILE_NOT_EXIST, cert.getAbsolutePath()), e);
-            } catch (SOPGPException.BadData badData) {
-                throw new SOPGPException.BadData("File " + cert.getAbsolutePath() + " does not contain a valid certificate.", badData);
-            } catch (IOException ioException) {
-                throw new RuntimeException(ioException);
-            }
-        }
-    }
-
-    private void setWithSessionKeys(List withSessionKey, Decrypt decrypt) {
-        Pattern sessionKeyPattern = Pattern.compile("^\\d+:[0-9A-F]+$");
-        for (String sessionKey : withSessionKey) {
-            if (!sessionKeyPattern.matcher(sessionKey).matches()) {
-                throw new IllegalArgumentException("Session keys are expected in the format 'ALGONUM:HEXKEY'.");
-            }
-            String[] split = sessionKey.split(":");
-            byte algorithm = (byte) Integer.parseInt(split[0]);
-            byte[] key = HexUtil.hexToBytes(split[1]);
-
-            try {
-                decrypt.withSessionKey(new SessionKey(algorithm, key));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                throw new SOPGPException.UnsupportedOption(String.format(ERROR_UNSUPPORTED_OPTION, "--with-session-key"), unsupportedOption);
-            }
-        }
-    }
-
-    private void setWithPasswords(List withPassword, Decrypt decrypt) {
-        for (String password : withPassword) {
-            try {
-                decrypt.withPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                throw new SOPGPException.UnsupportedOption(String.format(ERROR_UNSUPPORTED_OPTION, "--with-password"), unsupportedOption);
-            }
-        }
-    }
-
-    private void setNotAfter(String notAfter, Decrypt decrypt) {
-        Date notAfterDate = DateParser.parseNotAfter(notAfter);
-        try {
-            decrypt.verifyNotAfter(notAfterDate);
-        } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-            throw new SOPGPException.UnsupportedOption(String.format(ERROR_UNSUPPORTED_OPTION, "--not-after"), unsupportedOption);
-        }
-    }
-
-    private void setNotBefore(String notBefore, Decrypt decrypt) {
-        Date notBeforeDate = DateParser.parseNotBefore(notBefore);
-        try {
-            decrypt.verifyNotBefore(notBeforeDate);
-        } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-            throw new SOPGPException.UnsupportedOption(String.format(ERROR_UNSUPPORTED_OPTION, "--not-before"), unsupportedOption);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
deleted file mode 100644
index f5c71a2a..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/DetachInbandSignatureAndMessageCmd.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-
-import picocli.CommandLine;
-import sop.Signatures;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.DetachInbandSignatureAndMessage;
-
-@CommandLine.Command(name = "detach-inband-signature-and-message",
-        description = "Split a clearsigned message",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class DetachInbandSignatureAndMessageCmd implements Runnable {
-
-    @CommandLine.Option(
-            names = {"--signatures-out"},
-            description = "Destination to which a detached signatures block will be written",
-            paramLabel = "SIGNATURES")
-    File signaturesOut;
-
-    @CommandLine.Option(names = "--no-armor",
-            description = "ASCII armor the output",
-            negatable = true)
-    boolean armor = true;
-
-    @Override
-    public void run() {
-        DetachInbandSignatureAndMessage detach = SopCLI.getSop().detachInbandSignatureAndMessage();
-        if (detach == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'detach-inband-signature-and-message' not implemented.");
-        }
-
-        if (signaturesOut == null) {
-            throw new SOPGPException.MissingArg("--signatures-out is required.");
-        }
-
-        if (!armor) {
-            detach.noArmor();
-        }
-
-        try {
-            Signatures signatures = detach
-                    .message(System.in).writeTo(System.out);
-            if (!signaturesOut.createNewFile()) {
-                throw new SOPGPException.OutputExists("Destination of --signatures-out already exists.");
-            }
-            signatures.writeTo(new FileOutputStream(signaturesOut));
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
deleted file mode 100644
index 0634240b..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java
+++ /dev/null
@@ -1,123 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.enums.EncryptAs;
-import sop.exception.SOPGPException;
-import sop.operation.Encrypt;
-
-@CommandLine.Command(name = "encrypt",
-        description = "Encrypt a message from standard input",
-        exitCodeOnInvalidInput = 37)
-public class EncryptCmd implements Runnable {
-
-    @CommandLine.Option(names = "--no-armor",
-            description = "ASCII armor the output",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Option(names = {"--as"},
-            description = "Type of the input data. Defaults to 'binary'",
-            paramLabel = "{binary|text|mime}")
-    EncryptAs type;
-
-    @CommandLine.Option(names = "--with-password",
-            description = "Encrypt the message with a password",
-            paramLabel = "PASSWORD")
-    List withPassword = new ArrayList<>();
-
-    @CommandLine.Option(names = "--sign-with",
-            description = "Sign the output with a private key",
-            paramLabel = "KEY")
-    List signWith = new ArrayList<>();
-
-    @CommandLine.Parameters(description = "Certificates the message gets encrypted to",
-            index = "0..*",
-            paramLabel = "CERTS")
-    List certs = new ArrayList<>();
-
-    @Override
-    public void run() {
-        Encrypt encrypt = SopCLI.getSop().encrypt();
-        if (encrypt == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'encrypt' not implemented.");
-        }
-
-        if (type != null) {
-            try {
-                encrypt.mode(type);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                throw new SOPGPException.UnsupportedOption("Unsupported option '--as'.", unsupportedOption);
-            }
-        }
-
-        if (withPassword.isEmpty() && certs.isEmpty()) {
-            throw new SOPGPException.MissingArg("At least one password or cert file required for encryption.");
-        }
-
-        for (String password : withPassword) {
-            try {
-                encrypt.withPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                throw new SOPGPException.UnsupportedOption("Unsupported option '--with-password'.", unsupportedOption);
-            }
-        }
-
-        for (File keyFile : signWith) {
-            try (FileInputStream keyIn = new FileInputStream(keyFile)) {
-                encrypt.signWith(keyIn);
-            } catch (FileNotFoundException e) {
-                throw new SOPGPException.MissingInput("Key file " + keyFile.getAbsolutePath() + " not found.", e);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.KeyIsProtected keyIsProtected) {
-                throw new SOPGPException.KeyIsProtected("Key from " + keyFile.getAbsolutePath() + " is password protected.", keyIsProtected);
-            } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-                throw new SOPGPException.UnsupportedAsymmetricAlgo("Key from " + keyFile.getAbsolutePath() + " has unsupported asymmetric algorithm.", unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.KeyCannotSign keyCannotSign) {
-                throw new SOPGPException.KeyCannotSign("Key from " + keyFile.getAbsolutePath() + " cannot sign.", keyCannotSign);
-            } catch (SOPGPException.BadData badData) {
-                throw new SOPGPException.BadData("Key file " + keyFile.getAbsolutePath() + " does not contain a valid OpenPGP private key.", badData);
-            }
-        }
-
-        for (File certFile : certs) {
-            try (FileInputStream certIn = new FileInputStream(certFile)) {
-                encrypt.withCert(certIn);
-            } catch (FileNotFoundException e) {
-                throw new SOPGPException.MissingInput("Certificate file " + certFile.getAbsolutePath() + " not found.", e);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-                throw new SOPGPException.UnsupportedAsymmetricAlgo("Certificate from " + certFile.getAbsolutePath() + " has unsupported asymmetric algorithm.", unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.CertCannotEncrypt certCannotEncrypt) {
-                throw new SOPGPException.CertCannotEncrypt("Certificate from " + certFile.getAbsolutePath() + " is not capable of encryption.", certCannotEncrypt);
-            } catch (SOPGPException.BadData badData) {
-                throw new SOPGPException.BadData("Certificate file " + certFile.getAbsolutePath() + " does not contain a valid OpenPGP certificate.", badData);
-            }
-        }
-
-        if (!armor) {
-            encrypt.noArmor();
-        }
-
-        try {
-            Ready ready = encrypt.plaintext(System.in);
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
deleted file mode 100644
index f4559339..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java
+++ /dev/null
@@ -1,45 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.IOException;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.ExtractCert;
-
-@CommandLine.Command(name = "extract-cert",
-        description = "Extract a public key certificate from a secret key from standard input",
-        exitCodeOnInvalidInput = 37)
-public class ExtractCertCmd implements Runnable {
-
-    @CommandLine.Option(names = "--no-armor",
-            description = "ASCII armor the output",
-            negatable = true)
-    boolean armor = true;
-
-    @Override
-    public void run() {
-        ExtractCert extractCert = SopCLI.getSop().extractCert();
-        if (extractCert == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'extract-cert' not implemented.");
-        }
-
-        if (!armor) {
-            extractCert.noArmor();
-        }
-
-        try {
-            Ready ready = extractCert.key(System.in);
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        } catch (SOPGPException.BadData badData) {
-            throw new SOPGPException.BadData("Standard Input does not contain valid OpenPGP private key material.", badData);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
deleted file mode 100644
index 28bde279..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
+++ /dev/null
@@ -1,63 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.GenerateKey;
-
-@CommandLine.Command(name = "generate-key",
-        description = "Generate a secret key",
-        exitCodeOnInvalidInput = 37)
-public class GenerateKeyCmd implements Runnable {
-
-    @CommandLine.Option(names = "--no-armor",
-            description = "ASCII armor the output",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Parameters(description = "User-ID, eg. \"Alice \"")
-    List userId = new ArrayList<>();
-
-    @Override
-    public void run() {
-        GenerateKey generateKey = SopCLI.getSop().generateKey();
-        if (generateKey == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'generate-key' not implemented.");
-        }
-
-        for (String userId : userId) {
-            generateKey.userId(userId);
-        }
-
-        if (!armor) {
-            generateKey.noArmor();
-        }
-
-        try {
-            Ready ready = generateKey.generate();
-            ready.writeTo(System.out);
-        } catch (SOPGPException.MissingArg missingArg) {
-            Print.errln("Missing argument.");
-            Print.trace(missingArg);
-            System.exit(missingArg.getExitCode());
-        } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-            Print.errln("Unsupported asymmetric algorithm.");
-            Print.trace(unsupportedAsymmetricAlgo);
-            System.exit(unsupportedAsymmetricAlgo.getExitCode());
-        } catch (IOException e) {
-            Print.errln("IO Error.");
-            Print.trace(e);
-            System.exit(1);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
deleted file mode 100644
index 7574923e..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java
+++ /dev/null
@@ -1,121 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import picocli.CommandLine;
-import sop.MicAlg;
-import sop.ReadyWithResult;
-import sop.SigningResult;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.enums.SignAs;
-import sop.exception.SOPGPException;
-import sop.operation.Sign;
-
-@CommandLine.Command(name = "sign",
-        description = "Create a detached signature on the data from standard input",
-        exitCodeOnInvalidInput = 37)
-public class SignCmd implements Runnable {
-
-    @CommandLine.Option(names = "--no-armor",
-            description = "ASCII armor the output",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Option(names = "--as", description = "Defaults to 'binary'. If '--as=text' and the input data is not valid UTF-8, sign fails with return code 53.",
-            paramLabel = "{binary|text}")
-    SignAs type;
-
-    @CommandLine.Parameters(description = "Secret keys used for signing",
-            paramLabel = "KEYS")
-    List secretKeyFile = new ArrayList<>();
-
-    @CommandLine.Option(names = "--micalg-out", description = "Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content-Type (RFC3156)",
-            paramLabel = "MICALG")
-    File micAlgOut;
-
-    @Override
-    public void run() {
-        Sign sign = SopCLI.getSop().sign();
-        if (sign == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'sign' not implemented.");
-        }
-
-        if (type != null) {
-            try {
-                sign.mode(type);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                Print.errln("Unsupported option '--as'");
-                Print.trace(unsupportedOption);
-                System.exit(unsupportedOption.getExitCode());
-            }
-        }
-
-        if (micAlgOut != null && micAlgOut.exists()) {
-            throw new SOPGPException.OutputExists(String.format("Target %s of option %s already exists.", micAlgOut.getAbsolutePath(), "--micalg-out"));
-        }
-
-        if (secretKeyFile.isEmpty()) {
-            Print.errln("Missing required parameter 'KEYS'.");
-            System.exit(19);
-        }
-
-        for (File keyFile : secretKeyFile) {
-            try (FileInputStream keyIn = new FileInputStream(keyFile)) {
-                sign.key(keyIn);
-            } catch (FileNotFoundException e) {
-                Print.errln("File " + keyFile.getAbsolutePath() + " does not exist.");
-                Print.trace(e);
-                System.exit(1);
-            } catch (IOException e) {
-                Print.errln("Cannot access file " + keyFile.getAbsolutePath());
-                Print.trace(e);
-                System.exit(1);
-            } catch (SOPGPException.KeyIsProtected e) {
-                Print.errln("Key " + keyFile.getName() + " is password protected.");
-                Print.trace(e);
-                System.exit(1);
-            } catch (SOPGPException.BadData badData) {
-                Print.errln("Bad data in key file " + keyFile.getAbsolutePath() + ":");
-                Print.trace(badData);
-                System.exit(badData.getExitCode());
-            }
-        }
-
-        if (!armor) {
-            sign.noArmor();
-        }
-
-        try {
-            ReadyWithResult ready = sign.data(System.in);
-            SigningResult result = ready.writeTo(System.out);
-
-            MicAlg micAlg = result.getMicAlg();
-            if (micAlgOut != null) {
-                // Write micalg out
-                micAlgOut.createNewFile();
-                FileOutputStream micAlgOutStream = new FileOutputStream(micAlgOut);
-                micAlg.writeTo(micAlgOutStream);
-                micAlgOutStream.close();
-            }
-        } catch (IOException e) {
-            Print.errln("IO Error.");
-            Print.trace(e);
-            System.exit(1);
-        } catch (SOPGPException.ExpectedText expectedText) {
-            Print.errln("Expected text input, but got binary data.");
-            Print.trace(expectedText);
-            System.exit(expectedText.getExitCode());
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
deleted file mode 100644
index 2702b4b9..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java
+++ /dev/null
@@ -1,136 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import picocli.CommandLine;
-import sop.Verification;
-import sop.cli.picocli.DateParser;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Verify;
-
-@CommandLine.Command(name = "verify",
-        description = "Verify a detached signature over the data from standard input",
-        exitCodeOnInvalidInput = 37)
-public class VerifyCmd implements Runnable {
-
-    @CommandLine.Parameters(index = "0",
-            description = "Detached signature",
-            paramLabel = "SIGNATURE")
-    File signature;
-
-    @CommandLine.Parameters(index = "1..*",
-            arity = "1..*",
-            description = "Public key certificates",
-            paramLabel = "CERT")
-    List certificates = new ArrayList<>();
-
-    @CommandLine.Option(names = {"--not-before"},
-            description = "ISO-8601 formatted UTC date (eg. '2020-11-23T16:35Z)\n" +
-                    "Reject signatures with a creation date not in range.\n" +
-                    "Defaults to beginning of time (\"-\").",
-            paramLabel = "DATE")
-    String notBefore = "-";
-
-    @CommandLine.Option(names = {"--not-after"},
-            description = "ISO-8601 formatted UTC date (eg. '2020-11-23T16:35Z)\n" +
-                    "Reject signatures with a creation date not in range.\n" +
-                    "Defaults to current system time (\"now\").\n" +
-                    "Accepts special value \"-\" for end of time.",
-            paramLabel = "DATE")
-    String notAfter = "now";
-
-    @Override
-    public void run() {
-        Verify verify = SopCLI.getSop().verify();
-        if (verify == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'verify' not implemented.");
-        }
-
-        if (notAfter != null) {
-            try {
-                verify.notAfter(DateParser.parseNotAfter(notAfter));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                Print.errln("Unsupported option '--not-after'.");
-                Print.trace(unsupportedOption);
-                System.exit(unsupportedOption.getExitCode());
-            }
-        }
-        if (notBefore != null) {
-            try {
-                verify.notBefore(DateParser.parseNotBefore(notBefore));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                Print.errln("Unsupported option '--not-before'.");
-                Print.trace(unsupportedOption);
-                System.exit(unsupportedOption.getExitCode());
-            }
-        }
-
-        for (File certFile : certificates) {
-            try (FileInputStream certIn = new FileInputStream(certFile)) {
-                verify.cert(certIn);
-            } catch (FileNotFoundException fileNotFoundException) {
-                Print.errln("Certificate file " + certFile.getAbsolutePath() + " not found.");
-
-                Print.trace(fileNotFoundException);
-                System.exit(1);
-            } catch (IOException ioException) {
-                Print.errln("IO Error.");
-                Print.trace(ioException);
-                System.exit(1);
-            } catch (SOPGPException.BadData badData) {
-                Print.errln("Certificate file " + certFile.getAbsolutePath() + " appears to not contain a valid OpenPGP certificate.");
-                Print.trace(badData);
-                System.exit(badData.getExitCode());
-            }
-        }
-
-        if (signature != null) {
-            try (FileInputStream sigIn = new FileInputStream(signature)) {
-                verify.signatures(sigIn);
-            } catch (FileNotFoundException e) {
-                Print.errln("Signature file " + signature.getAbsolutePath() + " does not exist.");
-                Print.trace(e);
-                System.exit(1);
-            } catch (IOException e) {
-                Print.errln("IO Error.");
-                Print.trace(e);
-                System.exit(1);
-            } catch (SOPGPException.BadData badData) {
-                Print.errln("File " + signature.getAbsolutePath() + " does not contain a valid OpenPGP signature.");
-                Print.trace(badData);
-                System.exit(badData.getExitCode());
-            }
-        }
-
-        List verifications = null;
-        try {
-            verifications = verify.data(System.in);
-        } catch (SOPGPException.NoSignature e) {
-            Print.errln("No verifiable signature found.");
-            Print.trace(e);
-            System.exit(e.getExitCode());
-        } catch (IOException ioException) {
-            Print.errln("IO Error.");
-            Print.trace(ioException);
-            System.exit(1);
-        } catch (SOPGPException.BadData badData) {
-            Print.errln("Standard Input appears not to contain a valid OpenPGP message.");
-            Print.trace(badData);
-            System.exit(badData.getExitCode());
-        }
-        for (Verification verification : verifications) {
-            Print.outln(verification.toString());
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
deleted file mode 100644
index 4a319192..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java
+++ /dev/null
@@ -1,52 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Version;
-
-@CommandLine.Command(name = "version", description = "Display version information about the tool",
-        exitCodeOnInvalidInput = 37)
-public class VersionCmd implements Runnable {
-
-    @CommandLine.ArgGroup()
-    Exclusive exclusive;
-
-    static class Exclusive {
-        @CommandLine.Option(names = "--extended", description = "Print an extended version string.")
-        boolean extended;
-
-        @CommandLine.Option(names = "--backend", description = "Print information about the cryptographic backend.")
-        boolean backend;
-    }
-
-
-
-    @Override
-    public void run() {
-        Version version = SopCLI.getSop().version();
-        if (version == null) {
-            throw new SOPGPException.UnsupportedSubcommand("Command 'version' not implemented.");
-        }
-
-        if (exclusive == null) {
-            Print.outln(version.getName() + " " + version.getVersion());
-            return;
-        }
-
-        if (exclusive.extended) {
-            Print.outln(version.getExtendedVersion());
-            return;
-        }
-
-        if (exclusive.backend) {
-            Print.outln(version.getBackendVersion());
-            return;
-        }
-    }
-}
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java
deleted file mode 100644
index fc6aefda..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Subcommands of the PGPainless SOP.
- */
-package sop.cli.picocli.commands;
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java b/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java
deleted file mode 100644
index 83f426d6..00000000
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Implementation of the Stateless OpenPGP Command Line Interface using Picocli.
- */
-package sop.cli.picocli;
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java
deleted file mode 100644
index 5c7def50..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/DateParserTest.java
+++ /dev/null
@@ -1,49 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.util.Date;
-
-import org.junit.jupiter.api.Test;
-import sop.util.UTCUtil;
-
-public class DateParserTest {
-
-    @Test
-    public void parseNotAfterDashReturnsEndOfTime() {
-        assertEquals(DateParser.END_OF_TIME, DateParser.parseNotAfter("-"));
-    }
-
-    @Test
-    public void parseNotBeforeDashReturnsBeginningOfTime() {
-        assertEquals(DateParser.BEGINNING_OF_TIME, DateParser.parseNotBefore("-"));
-    }
-
-    @Test
-    public void parseNotAfterNowReturnsNow() {
-        assertEquals(new Date().getTime(), DateParser.parseNotAfter("now").getTime(), 1000);
-    }
-
-    @Test
-    public void parseNotBeforeNowReturnsNow() {
-        assertEquals(new Date().getTime(), DateParser.parseNotBefore("now").getTime(), 1000);
-    }
-
-    @Test
-    public void parseNotAfterTimestamp() {
-        String timestamp = "2019-10-24T23:48:29Z";
-        Date date = DateParser.parseNotAfter(timestamp);
-        assertEquals(timestamp, UTCUtil.formatUTCDate(date));
-    }
-
-    @Test
-    public void parseNotBeforeTimestamp() {
-        String timestamp = "2019-10-29T18:36:45Z";
-        Date date = DateParser.parseNotBefore(timestamp);
-        assertEquals(timestamp, UTCUtil.formatUTCDate(date));
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java
deleted file mode 100644
index eeb4589d..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/FileUtilTest.java
+++ /dev/null
@@ -1,123 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.nio.file.Files;
-
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-import sop.exception.SOPGPException;
-
-public class FileUtilTest {
-
-    @BeforeAll
-    public static void setup() {
-        FileUtil.setEnvironmentVariableResolver(new FileUtil.EnvironmentVariableResolver() {
-            @Override
-            public String resolveEnvironmentVariable(String name) {
-                if (name.equals("test123")) {
-                    return "test321";
-                }
-                return null;
-            }
-        });
-    }
-
-    @Test
-    public void getFile_ThrowsForNull() {
-        assertThrows(NullPointerException.class, () -> FileUtil.getFile(null));
-    }
-
-    @Test
-    public void getFile_prfxEnvAlreadyExists() throws IOException {
-        File tempFile = new File("@ENV:test");
-        tempFile.createNewFile();
-        tempFile.deleteOnExit();
-
-        assertThrows(SOPGPException.AmbiguousInput.class, () -> FileUtil.getFile("@ENV:test"));
-    }
-
-    @Test
-    public void getFile_EnvironmentVariable() {
-        File file = FileUtil.getFile("@ENV:test123");
-        assertEquals("test321", file.getName());
-    }
-
-    @Test
-    public void getFile_nonExistentEnvVariable() {
-        assertThrows(IllegalArgumentException.class, () -> FileUtil.getFile("@ENV:INVALID"));
-    }
-
-    @Test
-    public void getFile_prfxFdAlreadyExists() throws IOException {
-        File tempFile = new File("@FD:1");
-        tempFile.createNewFile();
-        tempFile.deleteOnExit();
-
-        assertThrows(SOPGPException.AmbiguousInput.class, () -> FileUtil.getFile("@FD:1"));
-    }
-
-    @Test
-    public void getFile_prfxFdNotSupported() {
-        assertThrows(IllegalArgumentException.class, () -> FileUtil.getFile("@FD:2"));
-    }
-
-    @Test
-    public void createNewFileOrThrow_throwsForNull() {
-        assertThrows(NullPointerException.class, () -> FileUtil.createNewFileOrThrow(null));
-    }
-
-    @Test
-    public void createNewFileOrThrow_success() throws IOException {
-        File dir = Files.createTempDirectory("test").toFile();
-        dir.deleteOnExit();
-        File file = new File(dir, "file");
-
-        assertFalse(file.exists());
-        FileUtil.createNewFileOrThrow(file);
-        assertTrue(file.exists());
-    }
-
-    @Test
-    public void createNewFileOrThrow_alreadyExists() throws IOException {
-        File dir = Files.createTempDirectory("test").toFile();
-        dir.deleteOnExit();
-        File file = new File(dir, "file");
-
-        FileUtil.createNewFileOrThrow(file);
-        assertTrue(file.exists());
-        assertThrows(SOPGPException.OutputExists.class, () -> FileUtil.createNewFileOrThrow(file));
-    }
-
-    @Test
-    public void getFileInputStream_success() throws IOException {
-        File dir = Files.createTempDirectory("test").toFile();
-        dir.deleteOnExit();
-        File file = new File(dir, "file");
-
-        FileUtil.createNewFileOrThrow(file);
-        FileInputStream inputStream = FileUtil.getFileInputStream(file.getAbsolutePath());
-        assertNotNull(inputStream);
-    }
-
-    @Test
-    public void getFileInputStream_fileNotFound() throws IOException {
-        File dir = Files.createTempDirectory("test").toFile();
-        dir.deleteOnExit();
-        File file = new File(dir, "file");
-
-        assertThrows(SOPGPException.MissingInput.class,
-                () -> FileUtil.getFileInputStream(file.getAbsolutePath()));
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
deleted file mode 100644
index 6360a779..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/SOPTest.java
+++ /dev/null
@@ -1,119 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.mockito.Mockito.mock;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.Test;
-import sop.SOP;
-import sop.operation.Armor;
-import sop.operation.Dearmor;
-import sop.operation.Decrypt;
-import sop.operation.DetachInbandSignatureAndMessage;
-import sop.operation.Encrypt;
-import sop.operation.ExtractCert;
-import sop.operation.GenerateKey;
-import sop.operation.Sign;
-import sop.operation.Verify;
-import sop.operation.Version;
-
-public class SOPTest {
-
-    @Test
-    @ExpectSystemExitWithStatus(69)
-    public void assertExitOnInvalidSubcommand() {
-        SOP sop = mock(SOP.class);
-        SopCLI.setSopInstance(sop);
-
-        SopCLI.main(new String[] {"invalid"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void assertThrowsIfNoSOPBackendSet() {
-        SopCLI.SOP_INSTANCE = null;
-        // At this point, no SOP backend is set, so an InvalidStateException triggers exit(1)
-        SopCLI.main(new String[] {"armor"});
-    }
-
-    @Test
-    public void UnsupportedSubcommandsTest() {
-        SOP nullCommandSOP = new SOP() {
-            @Override
-            public Version version() {
-                return null;
-            }
-
-            @Override
-            public GenerateKey generateKey() {
-                return null;
-            }
-
-            @Override
-            public ExtractCert extractCert() {
-                return null;
-            }
-
-            @Override
-            public Sign sign() {
-                return null;
-            }
-
-            @Override
-            public Verify verify() {
-                return null;
-            }
-
-            @Override
-            public Encrypt encrypt() {
-                return null;
-            }
-
-            @Override
-            public Decrypt decrypt() {
-                return null;
-            }
-
-            @Override
-            public Armor armor() {
-                return null;
-            }
-
-            @Override
-            public Dearmor dearmor() {
-                return null;
-            }
-
-            @Override
-            public DetachInbandSignatureAndMessage detachInbandSignatureAndMessage() {
-                return null;
-            }
-        };
-        SopCLI.setSopInstance(nullCommandSOP);
-
-        List commands = new ArrayList<>();
-        commands.add(new String[] {"armor"});
-        commands.add(new String[] {"dearmor"});
-        commands.add(new String[] {"decrypt"});
-        commands.add(new String[] {"detach-inband-signature-and-message"});
-        commands.add(new String[] {"encrypt"});
-        commands.add(new String[] {"extract-cert"});
-        commands.add(new String[] {"generate-key"});
-        commands.add(new String[] {"sign"});
-        commands.add(new String[] {"verify", "signature.asc", "cert.asc"});
-        commands.add(new String[] {"version"});
-
-        for (String[] command : commands) {
-            int exit = SopCLI.execute(command);
-            assertEquals(69, exit, "Unexpected exit code for non-implemented command " + Arrays.toString(command) + ": " + exit);
-        }
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java
deleted file mode 100644
index 01aaa9a5..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ArmorCmdTest.java
+++ /dev/null
@@ -1,101 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.Ready;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.enums.ArmorLabel;
-import sop.exception.SOPGPException;
-import sop.operation.Armor;
-
-public class ArmorCmdTest {
-
-    private Armor armor;
-    private SOP sop;
-
-    @BeforeEach
-    public void mockComponents() throws SOPGPException.BadData {
-        armor = mock(Armor.class);
-        sop = mock(SOP.class);
-        when(sop.armor()).thenReturn(armor);
-        when(armor.data((InputStream) any())).thenReturn(nopReady());
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    @Test
-    public void assertLabelIsNotCalledByDefault() throws SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"armor"});
-        verify(armor, never()).label(any());
-    }
-
-    @Test
-    public void assertLabelIsCalledWhenFlaggedWithArgument() throws SOPGPException.UnsupportedOption {
-        for (ArmorLabel label : ArmorLabel.values()) {
-            SopCLI.main(new String[] {"armor", "--label", label.name()});
-            verify(armor, times(1)).label(label);
-        }
-    }
-
-    @Test
-    public void assertDataIsAlwaysCalled() throws SOPGPException.BadData {
-        SopCLI.main(new String[] {"armor"});
-        verify(armor, times(1)).data((InputStream) any());
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertThrowsForInvalidLabel() {
-        SopCLI.main(new String[] {"armor", "--label", "Invalid"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void ifLabelsUnsupportedExit37() throws SOPGPException.UnsupportedOption {
-        when(armor.label(any())).thenThrow(new SOPGPException.UnsupportedOption("Custom Armor labels are not supported."));
-
-        SopCLI.main(new String[] {"armor", "--label", "Sig"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void ifBadDataExit41() throws SOPGPException.BadData {
-        when(armor.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-
-        SopCLI.main(new String[] {"armor"});
-    }
-
-    @Test
-    @FailOnSystemExit
-    public void ifNoErrorsNoExit() {
-        when(sop.armor()).thenReturn(armor);
-
-        SopCLI.main(new String[] {"armor"});
-    }
-
-    private static Ready nopReady() {
-        return new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) {
-            }
-        };
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java
deleted file mode 100644
index aaad201b..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DearmorCmdTest.java
+++ /dev/null
@@ -1,61 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.Ready;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Dearmor;
-
-public class DearmorCmdTest {
-
-    private SOP sop;
-    private Dearmor dearmor;
-
-    @BeforeEach
-    public void mockComponents() throws IOException, SOPGPException.BadData {
-        sop = mock(SOP.class);
-        dearmor = mock(Dearmor.class);
-        when(dearmor.data((InputStream) any())).thenReturn(nopReady());
-        when(sop.dearmor()).thenReturn(dearmor);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    private static Ready nopReady() {
-        return new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) {
-            }
-        };
-    }
-
-    @Test
-    public void assertDataIsCalled() throws IOException, SOPGPException.BadData {
-        SopCLI.main(new String[] {"dearmor"});
-        verify(dearmor, times(1)).data((InputStream) any());
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void assertBadDataCausesExit41() throws IOException, SOPGPException.BadData {
-        when(dearmor.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException("invalid armor")));
-        SopCLI.main(new String[] {"dearmor"});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
deleted file mode 100644
index 9e1c35ba..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/DecryptCmdTest.java
+++ /dev/null
@@ -1,344 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.util.Collections;
-import java.util.Date;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatcher;
-import org.mockito.ArgumentMatchers;
-import sop.DecryptionResult;
-import sop.ReadyWithResult;
-import sop.SOP;
-import sop.SessionKey;
-import sop.Verification;
-import sop.cli.picocli.DateParser;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Decrypt;
-import sop.util.HexUtil;
-import sop.util.UTCUtil;
-
-public class DecryptCmdTest {
-
-    private Decrypt decrypt;
-
-    @BeforeEach
-    public void mockComponents() throws SOPGPException.UnsupportedOption, SOPGPException.MissingArg, SOPGPException.BadData, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.PasswordNotHumanReadable, SOPGPException.CannotDecrypt {
-        SOP sop = mock(SOP.class);
-        decrypt = mock(Decrypt.class);
-
-        when(decrypt.verifyNotAfter(any())).thenReturn(decrypt);
-        when(decrypt.verifyNotBefore(any())).thenReturn(decrypt);
-        when(decrypt.withPassword(any())).thenReturn(decrypt);
-        when(decrypt.withSessionKey(any())).thenReturn(decrypt);
-        when(decrypt.withKey((InputStream) any())).thenReturn(decrypt);
-        when(decrypt.ciphertext((InputStream) any())).thenReturn(nopReadyWithResult());
-
-        when(sop.decrypt()).thenReturn(decrypt);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    private static ReadyWithResult nopReadyWithResult() {
-        return new ReadyWithResult() {
-            @Override
-            public DecryptionResult writeTo(OutputStream outputStream) {
-                return new DecryptionResult(null, Collections.emptyList());
-            }
-        };
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(19)
-    public void missingArgumentsExceptionCausesExit19() throws SOPGPException.MissingArg, SOPGPException.BadData, SOPGPException.CannotDecrypt {
-        when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.MissingArg("Missing arguments."));
-        SopCLI.main(new String[] {"decrypt"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void badDataExceptionCausesExit41() throws SOPGPException.MissingArg, SOPGPException.BadData, SOPGPException.CannotDecrypt {
-        when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"decrypt"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(31)
-    public void assertNotHumanReadablePasswordCausesExit31() throws SOPGPException.PasswordNotHumanReadable,
-            SOPGPException.UnsupportedOption {
-        when(decrypt.withPassword(any())).thenThrow(new SOPGPException.PasswordNotHumanReadable());
-        SopCLI.main(new String[] {"decrypt", "--with-password", "pretendThisIsNotReadable"});
-    }
-
-    @Test
-    public void assertWithPasswordPassesPasswordDown() throws SOPGPException.PasswordNotHumanReadable, SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"decrypt", "--with-password", "orange"});
-        verify(decrypt, times(1)).withPassword("orange");
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertUnsupportedWithPasswordCausesExit37() throws SOPGPException.PasswordNotHumanReadable, SOPGPException.UnsupportedOption {
-        when(decrypt.withPassword(any())).thenThrow(new SOPGPException.UnsupportedOption("Decrypting with password not supported."));
-        SopCLI.main(new String[] {"decrypt", "--with-password", "swordfish"});
-    }
-
-    @Test
-    public void assertDefaultTimeRangesAreUsedIfNotOverwritten() throws SOPGPException.UnsupportedOption {
-        Date now = new Date();
-        SopCLI.main(new String[] {"decrypt"});
-        verify(decrypt, times(1)).verifyNotBefore(DateParser.BEGINNING_OF_TIME);
-        verify(decrypt, times(1)).verifyNotAfter(
-                ArgumentMatchers.argThat(argument -> {
-                    // allow 1-second difference
-                    return Math.abs(now.getTime() - argument.getTime()) <= 1000;
-                }));
-    }
-
-    @Test
-    public void assertVerifyNotAfterAndBeforeDashResultsInMaxTimeRange() throws SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"decrypt", "--not-before", "-", "--not-after", "-"});
-        verify(decrypt, times(1)).verifyNotBefore(DateParser.BEGINNING_OF_TIME);
-        verify(decrypt, times(1)).verifyNotAfter(DateParser.END_OF_TIME);
-    }
-
-    @Test
-    public void assertVerifyNotAfterAndBeforeNowResultsInMinTimeRange() throws SOPGPException.UnsupportedOption {
-        Date now = new Date();
-        ArgumentMatcher isMaxOneSecOff = argument -> {
-            // Allow less than 1-second difference
-            return Math.abs(now.getTime() - argument.getTime()) <= 1000;
-        };
-
-        SopCLI.main(new String[] {"decrypt", "--not-before", "now", "--not-after", "now"});
-        verify(decrypt, times(1)).verifyNotAfter(ArgumentMatchers.argThat(isMaxOneSecOff));
-        verify(decrypt, times(1)).verifyNotBefore(ArgumentMatchers.argThat(isMaxOneSecOff));
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void assertMalformedDateInNotBeforeCausesExit1() {
-        // ParserException causes exit(1)
-        SopCLI.main(new String[] {"decrypt", "--not-before", "invalid"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void assertMalformedDateInNotAfterCausesExit1() {
-        // ParserException causes exit(1)
-        SopCLI.main(new String[] {"decrypt", "--not-after", "invalid"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertUnsupportedNotAfterCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(decrypt.verifyNotAfter(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting upper signature date boundary not supported."));
-        SopCLI.main(new String[] {"decrypt", "--not-after", "now"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertUnsupportedNotBeforeCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(decrypt.verifyNotBefore(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting lower signature date boundary not supported."));
-        SopCLI.main(new String[] {"decrypt", "--not-before", "now"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(59)
-    public void assertExistingSessionKeyOutFileCausesExit59() throws IOException {
-        File tempFile = File.createTempFile("existing-session-key-", ".tmp");
-        tempFile.deleteOnExit();
-        SopCLI.main(new String[] {"decrypt", "--session-key-out", tempFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertWhenSessionKeyCannotBeExtractedExit37() throws IOException {
-        Path tempDir = Files.createTempDirectory("session-key-out-dir");
-        File tempFile = new File(tempDir.toFile(), "session-key");
-        tempFile.deleteOnExit();
-        SopCLI.main(new String[] {"decrypt", "--session-key-out", tempFile.getAbsolutePath()});
-    }
-
-    @Test
-    public void assertSessionKeyIsProperlyWrittenToSessionKeyFile() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData, IOException {
-        byte[] key = "C7CBDAF42537776F12509B5168793C26B93294E5ABDFA73224FB0177123E9137".getBytes(StandardCharsets.UTF_8);
-        when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() {
-            @Override
-            public DecryptionResult writeTo(OutputStream outputStream) {
-                return new DecryptionResult(
-                        new SessionKey((byte) 9, key),
-                        Collections.emptyList()
-                );
-            }
-        });
-        Path tempDir = Files.createTempDirectory("session-key-out-dir");
-        File tempFile = new File(tempDir.toFile(), "session-key");
-        tempFile.deleteOnExit();
-        SopCLI.main(new String[] {"decrypt", "--session-key-out", tempFile.getAbsolutePath()});
-
-        ByteArrayOutputStream bytesInFile = new ByteArrayOutputStream();
-        try (FileInputStream fileIn = new FileInputStream(tempFile)) {
-            byte[] buf = new byte[32];
-            int read = fileIn.read(buf);
-            while (read != -1) {
-                bytesInFile.write(buf, 0, read);
-                read = fileIn.read(buf);
-            }
-        }
-
-        byte[] algAndKey = new byte[key.length + 1];
-        algAndKey[0] = (byte) 9;
-        System.arraycopy(key, 0, algAndKey, 1, key.length);
-        assertArrayEquals(algAndKey, bytesInFile.toByteArray());
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(29)
-    public void assertUnableToDecryptExceptionResultsInExit29() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData {
-        when(decrypt.ciphertext((InputStream) any())).thenThrow(new SOPGPException.CannotDecrypt());
-        SopCLI.main(new String[] {"decrypt"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(3)
-    public void assertNoSignatureExceptionCausesExit3() throws SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData {
-        when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() {
-            @Override
-            public DecryptionResult writeTo(OutputStream outputStream) throws SOPGPException.NoSignature {
-                throw new SOPGPException.NoSignature();
-            }
-        });
-        SopCLI.main(new String[] {"decrypt"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void badDataInVerifyWithCausesExit41() throws IOException, SOPGPException.BadData {
-        when(decrypt.verifyWithCert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        File tempFile = File.createTempFile("verify-with-", ".tmp");
-        SopCLI.main(new String[] {"decrypt", "--verify-with", tempFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(61)
-    public void unexistentCertFileCausesExit61() {
-        SopCLI.main(new String[] {"decrypt", "--verify-with", "invalid"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(59)
-    public void existingVerifyOutCausesExit59() throws IOException {
-        File certFile = File.createTempFile("existing-verify-out-cert", ".asc");
-        File existingVerifyOut = File.createTempFile("existing-verify-out", ".tmp");
-
-        SopCLI.main(new String[] {"decrypt", "--verify-out", existingVerifyOut.getAbsolutePath(), "--verify-with", certFile.getAbsolutePath()});
-    }
-
-    @Test
-    public void verifyOutIsProperlyWritten() throws IOException, SOPGPException.CannotDecrypt, SOPGPException.MissingArg, SOPGPException.BadData {
-        File certFile = File.createTempFile("verify-out-cert", ".asc");
-        File verifyOut = new File(certFile.getParent(), "verify-out.txt");
-        if (verifyOut.exists()) {
-            verifyOut.delete();
-        }
-        verifyOut.deleteOnExit();
-        Date date = UTCUtil.parseUTCDate("2021-07-11T20:58:23Z");
-        when(decrypt.ciphertext((InputStream) any())).thenReturn(new ReadyWithResult() {
-            @Override
-            public DecryptionResult writeTo(OutputStream outputStream) {
-                return new DecryptionResult(null, Collections.singletonList(
-                        new Verification(
-                                date,
-                                "1B66A707819A920925BC6777C3E0AFC0B2DFF862",
-                                "C8CD564EBF8D7BBA90611D8D071773658BF6BF86"))
-                );
-            }
-        });
-
-        SopCLI.main(new String[] {"decrypt", "--verify-out", verifyOut.getAbsolutePath(), "--verify-with", certFile.getAbsolutePath()});
-        try (BufferedReader reader = new BufferedReader(new FileReader(verifyOut))) {
-            String line = reader.readLine();
-            assertEquals("2021-07-11T20:58:23Z 1B66A707819A920925BC6777C3E0AFC0B2DFF862 C8CD564EBF8D7BBA90611D8D071773658BF6BF86", line);
-        }
-    }
-
-    @Test
-    public void assertWithSessionKeyIsPassedDown() throws SOPGPException.UnsupportedOption {
-        SessionKey key1 = new SessionKey((byte) 9, HexUtil.hexToBytes("C7CBDAF42537776F12509B5168793C26B93294E5ABDFA73224FB0177123E9137"));
-        SessionKey key2 = new SessionKey((byte) 9, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"));
-        SopCLI.main(new String[] {"decrypt",
-                "--with-session-key", "9:C7CBDAF42537776F12509B5168793C26B93294E5ABDFA73224FB0177123E9137",
-                "--with-session-key", "9:FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"});
-        verify(decrypt).withSessionKey(key1);
-        verify(decrypt).withSessionKey(key2);
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void assertMalformedSessionKeysResultInExit1() {
-        SopCLI.main(new String[] {"decrypt",
-                "--with-session-key", "C7CBDAF42537776F12509B5168793C26B93294E5ABDFA73224FB0177123E9137"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void assertBadDataInKeysResultsInExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData, IOException {
-        when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        File tempKeyFile = File.createTempFile("key-", ".tmp");
-        SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(61)
-    public void assertKeyFileNotFoundCausesExit61() {
-        SopCLI.main(new String[] {"decrypt", "nonexistent-key"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(67)
-    public void assertProtectedKeyCausesExit67() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
-        when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected());
-        File tempKeyFile = File.createTempFile("key-", ".tmp");
-        SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(13)
-    public void assertUnsupportedAlgorithmExceptionCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData, IOException {
-        when(decrypt.withKey((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new IOException()));
-        File tempKeyFile = File.createTempFile("key-", ".tmp");
-        SopCLI.main(new String[] {"decrypt", tempKeyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(23)
-    public void verifyOutWithoutVerifyWithCausesExit23() {
-        SopCLI.main(new String[] {"decrypt", "--verify-out", "out.file"});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
deleted file mode 100644
index 91f0a1e7..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/EncryptCmdTest.java
+++ /dev/null
@@ -1,194 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.Ready;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.enums.EncryptAs;
-import sop.exception.SOPGPException;
-import sop.operation.Encrypt;
-
-public class EncryptCmdTest {
-
-    Encrypt encrypt;
-
-    @BeforeEach
-    public void mockComponents() throws IOException {
-        encrypt = mock(Encrypt.class);
-        when(encrypt.plaintext((InputStream) any())).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) {
-
-            }
-        });
-
-        SOP sop = mock(SOP.class);
-        when(sop.encrypt()).thenReturn(encrypt);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(19)
-    public void missingBothPasswordAndCertFileCauseExit19() {
-        SopCLI.main(new String[] {"encrypt", "--no-armor"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void as_unsupportedEncryptAsCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(encrypt.mode(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting encryption mode not supported."));
-
-        SopCLI.main(new String[] {"encrypt", "--as", "Binary"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void as_invalidModeOptionCausesExit37() {
-        SopCLI.main(new String[] {"encrypt", "--as", "invalid"});
-    }
-
-    @Test
-    public void as_modeIsPassedDown() throws SOPGPException.UnsupportedOption {
-        for (EncryptAs mode : EncryptAs.values()) {
-            SopCLI.main(new String[] {"encrypt", "--as", mode.name(), "--with-password", "0rbit"});
-            verify(encrypt, times(1)).mode(mode);
-        }
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(31)
-    public void withPassword_notHumanReadablePasswordCausesExit31() throws SOPGPException.PasswordNotHumanReadable, SOPGPException.UnsupportedOption {
-        when(encrypt.withPassword("pretendThisIsNotReadable")).thenThrow(new SOPGPException.PasswordNotHumanReadable());
-
-        SopCLI.main(new String[] {"encrypt", "--with-password", "pretendThisIsNotReadable"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void withPassword_unsupportedWithPasswordCausesExit37() throws SOPGPException.PasswordNotHumanReadable, SOPGPException.UnsupportedOption {
-        when(encrypt.withPassword(any())).thenThrow(new SOPGPException.UnsupportedOption("Encrypting with password not supported."));
-
-        SopCLI.main(new String[] {"encrypt", "--with-password", "orange"});
-    }
-
-    @Test
-    public void signWith_multipleTimesGetPassedDown() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData {
-        File keyFile1 = File.createTempFile("sign-with-1-", ".asc");
-        File keyFile2 = File.createTempFile("sign-with-2-", ".asc");
-
-        SopCLI.main(new String[] {"encrypt", "--with-password", "password", "--sign-with", keyFile1.getAbsolutePath(), "--sign-with", keyFile2.getAbsolutePath()});
-        verify(encrypt, times(2)).signWith((InputStream) any());
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(61)
-    public void signWith_nonExistentKeyFileCausesExit61() {
-        SopCLI.main(new String[] {"encrypt", "--with-password", "admin", "--sign-with", "nonExistent.asc"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(67)
-    public void signWith_keyIsProtectedCausesExit67() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
-        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected());
-        File keyFile = File.createTempFile("sign-with", ".asc");
-        SopCLI.main(new String[] {"encrypt", "--sign-with", keyFile.getAbsolutePath(), "--with-password", "starship"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(13)
-    public void signWith_unsupportedAsymmetricAlgoCausesExit13() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
-        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception()));
-        File keyFile = File.createTempFile("sign-with", ".asc");
-        SopCLI.main(new String[] {"encrypt", "--with-password", "123456", "--sign-with", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(79)
-    public void signWith_certCannotSignCausesExit1() throws IOException, SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData {
-        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.KeyCannotSign());
-        File keyFile = File.createTempFile("sign-with", ".asc");
-        SopCLI.main(new String[] {"encrypt", "--with-password", "dragon", "--sign-with", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void signWith_badDataCausesExit41() throws SOPGPException.KeyIsProtected, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
-        when(encrypt.signWith((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        File keyFile = File.createTempFile("sign-with", ".asc");
-        SopCLI.main(new String[] {"encrypt", "--with-password", "orange", "--sign-with", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(61)
-    public void cert_nonExistentCertFileCausesExit61() {
-        SopCLI.main(new String[] {"encrypt", "invalid.asc"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(13)
-    public void cert_unsupportedAsymmetricAlgorithmCausesExit13() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData {
-        when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception()));
-        File certFile = File.createTempFile("cert", ".asc");
-        SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(17)
-    public void cert_certCannotEncryptCausesExit17() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData {
-        when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.CertCannotEncrypt("Certificate cannot encrypt.", new Exception()));
-        File certFile = File.createTempFile("cert", ".asc");
-        SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void cert_badDataCausesExit41() throws IOException, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.CertCannotEncrypt, SOPGPException.BadData {
-        when(encrypt.withCert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        File certFile = File.createTempFile("cert", ".asc");
-        SopCLI.main(new String[] {"encrypt", certFile.getAbsolutePath()});
-    }
-
-    @Test
-    public void noArmor_notCalledByDefault() {
-        SopCLI.main(new String[] {"encrypt", "--with-password", "clownfish"});
-        verify(encrypt, never()).noArmor();
-    }
-
-    @Test
-    public void noArmor_callGetsPassedDown() {
-        SopCLI.main(new String[] {"encrypt", "--with-password", "monkey", "--no-armor"});
-        verify(encrypt, times(1)).noArmor();
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void writeTo_ioExceptionCausesExit1() throws IOException {
-        when(encrypt.plaintext((InputStream) any())).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) throws IOException {
-                throw new IOException();
-            }
-        });
-
-        SopCLI.main(new String[] {"encrypt", "--with-password", "wildcat"});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java
deleted file mode 100644
index 382fe300..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/ExtractCertCmdTest.java
+++ /dev/null
@@ -1,76 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.Ready;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.ExtractCert;
-
-public class ExtractCertCmdTest {
-
-    ExtractCert extractCert;
-
-    @BeforeEach
-    public void mockComponents() throws IOException, SOPGPException.BadData {
-        extractCert = mock(ExtractCert.class);
-        when(extractCert.key((InputStream) any())).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) {
-            }
-        });
-
-        SOP sop = mock(SOP.class);
-        when(sop.extractCert()).thenReturn(extractCert);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    @Test
-    public void noArmor_notCalledByDefault() {
-        SopCLI.main(new String[] {"extract-cert"});
-        verify(extractCert, never()).noArmor();
-    }
-
-    @Test
-    public void noArmor_passedDown() {
-        SopCLI.main(new String[] {"extract-cert", "--no-armor"});
-        verify(extractCert, times(1)).noArmor();
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void key_ioExceptionCausesExit1() throws IOException, SOPGPException.BadData {
-        when(extractCert.key((InputStream) any())).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) throws IOException {
-                throw new IOException();
-            }
-        });
-        SopCLI.main(new String[] {"extract-cert"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void key_badDataCausesExit41() throws IOException, SOPGPException.BadData {
-        when(extractCert.key((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"extract-cert"});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java
deleted file mode 100644
index 643cf363..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/GenerateKeyCmdTest.java
+++ /dev/null
@@ -1,98 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.InOrder;
-import org.mockito.Mockito;
-import sop.Ready;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.GenerateKey;
-
-public class GenerateKeyCmdTest {
-
-    GenerateKey generateKey;
-
-    @BeforeEach
-    public void mockComponents() throws SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.MissingArg, IOException {
-        generateKey = mock(GenerateKey.class);
-        when(generateKey.generate()).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) {
-
-            }
-        });
-
-        SOP sop = mock(SOP.class);
-        when(sop.generateKey()).thenReturn(generateKey);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    @Test
-    public void noArmor_notCalledByDefault() {
-        SopCLI.main(new String[] {"generate-key", "Alice"});
-        verify(generateKey, never()).noArmor();
-    }
-
-    @Test
-    public void noArmor_passedDown() {
-        SopCLI.main(new String[] {"generate-key", "--no-armor", "Alice"});
-        verify(generateKey, times(1)).noArmor();
-    }
-
-    @Test
-    public void userId_multipleUserIdsPassedDownInProperOrder() {
-        SopCLI.main(new String[] {"generate-key", "Alice ", "Bob "});
-
-        InOrder inOrder = Mockito.inOrder(generateKey);
-        inOrder.verify(generateKey).userId("Alice ");
-        inOrder.verify(generateKey).userId("Bob ");
-
-        verify(generateKey, times(2)).userId(any());
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(19)
-    public void missingArgumentCausesExit19() throws SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.MissingArg, IOException {
-        // TODO: RFC4880-bis and the current Stateless OpenPGP CLI spec allow keys to have no user-ids,
-        //  so we might want to change this test in the future.
-        when(generateKey.generate()).thenThrow(new SOPGPException.MissingArg("Missing user-id."));
-        SopCLI.main(new String[] {"generate-key"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(13)
-    public void unsupportedAsymmetricAlgorithmCausesExit13() throws SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.MissingArg, IOException {
-        when(generateKey.generate()).thenThrow(new SOPGPException.UnsupportedAsymmetricAlgo("Unsupported asymmetric algorithm.", new Exception()));
-        SopCLI.main(new String[] {"generate-key", "Alice"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void ioExceptionCausesExit1() throws SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.MissingArg, IOException {
-        when(generateKey.generate()).thenReturn(new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) throws IOException {
-                throw new IOException();
-            }
-        });
-        SopCLI.main(new String[] {"generate-key", "Alice"});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
deleted file mode 100644
index ce0ce54a..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/SignCmdTest.java
+++ /dev/null
@@ -1,128 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.ReadyWithResult;
-import sop.SOP;
-import sop.SigningResult;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Sign;
-
-public class SignCmdTest {
-
-    Sign sign;
-    File keyFile;
-
-    @BeforeEach
-    public void mockComponents() throws IOException, SOPGPException.ExpectedText {
-        sign = mock(Sign.class);
-        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
-            @Override
-            public SigningResult writeTo(OutputStream outputStream) {
-                return SigningResult.builder().build();
-            }
-        });
-
-        SOP sop = mock(SOP.class);
-        when(sop.sign()).thenReturn(sign);
-
-        SopCLI.setSopInstance(sop);
-
-        keyFile = File.createTempFile("sign-", ".asc");
-    }
-
-    @Test
-    public void as_optionsAreCaseInsensitive() {
-        SopCLI.main(new String[] {"sign", "--as", "Binary", keyFile.getAbsolutePath()});
-        SopCLI.main(new String[] {"sign", "--as", "binary", keyFile.getAbsolutePath()});
-        SopCLI.main(new String[] {"sign", "--as", "BINARY", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void as_invalidOptionCausesExit37() {
-        SopCLI.main(new String[] {"sign", "--as", "Invalid", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void as_unsupportedOptionCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(sign.mode(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting signing mode not supported."));
-        SopCLI.main(new String[] {"sign", "--as", "binary", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void key_nonExistentKeyFileCausesExit1() {
-        SopCLI.main(new String[] {"sign", "invalid.asc"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void key_keyIsProtectedCausesExit1() throws SOPGPException.KeyIsProtected, IOException, SOPGPException.BadData {
-        when(sign.key((InputStream) any())).thenThrow(new SOPGPException.KeyIsProtected());
-        SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void key_badDataCausesExit41() throws SOPGPException.KeyIsProtected, IOException, SOPGPException.BadData {
-        when(sign.key((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(19)
-    public void key_missingKeyFileCausesExit19() {
-        SopCLI.main(new String[] {"sign"});
-    }
-
-    @Test
-    public void noArmor_notCalledByDefault() {
-        SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()});
-        verify(sign, never()).noArmor();
-    }
-
-    @Test
-    public void noArmor_passedDown() {
-        SopCLI.main(new String[] {"sign", "--no-armor", keyFile.getAbsolutePath()});
-        verify(sign, times(1)).noArmor();
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void data_ioExceptionCausesExit1() throws IOException, SOPGPException.ExpectedText {
-        when(sign.data((InputStream) any())).thenReturn(new ReadyWithResult() {
-            @Override
-            public SigningResult writeTo(OutputStream outputStream) throws IOException {
-                throw new IOException();
-            }
-        });
-        SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(53)
-    public void data_expectedTextExceptionCausesExit53() throws IOException, SOPGPException.ExpectedText {
-        when(sign.data((InputStream) any())).thenThrow(new SOPGPException.ExpectedText());
-        SopCLI.main(new String[] {"sign", keyFile.getAbsolutePath()});
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java
deleted file mode 100644
index 028d2451..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VerifyCmdTest.java
+++ /dev/null
@@ -1,204 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.PrintStream;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Date;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatchers;
-import sop.SOP;
-import sop.Verification;
-import sop.cli.picocli.DateParser;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Verify;
-import sop.util.UTCUtil;
-
-public class VerifyCmdTest {
-
-    Verify verify;
-    File signature;
-    File cert;
-
-    PrintStream originalSout;
-
-    @BeforeEach
-    public void prepare() throws SOPGPException.UnsupportedOption, SOPGPException.BadData, SOPGPException.NoSignature, IOException {
-        originalSout = System.out;
-
-        verify = mock(Verify.class);
-        when(verify.notBefore(any())).thenReturn(verify);
-        when(verify.notAfter(any())).thenReturn(verify);
-        when(verify.cert((InputStream) any())).thenReturn(verify);
-        when(verify.signatures((InputStream) any())).thenReturn(verify);
-        when(verify.data((InputStream) any())).thenReturn(
-                Collections.singletonList(
-                        new Verification(
-                                UTCUtil.parseUTCDate("2019-10-29T18:36:45Z"),
-                                "EB85BB5FA33A75E15E944E63F231550C4F47E38E",
-                                "EB85BB5FA33A75E15E944E63F231550C4F47E38E")
-                )
-        );
-
-        SOP sop = mock(SOP.class);
-        when(sop.verify()).thenReturn(verify);
-
-        SopCLI.setSopInstance(sop);
-
-        signature = File.createTempFile("signature-", ".asc");
-        cert = File.createTempFile("cert-", ".asc");
-    }
-
-    @AfterEach
-    public void restoreSout() {
-        System.setOut(originalSout);
-    }
-
-    @Test
-    public void notAfter_passedDown() throws SOPGPException.UnsupportedOption {
-        Date date = UTCUtil.parseUTCDate("2019-10-29T18:36:45Z");
-        SopCLI.main(new String[] {"verify", "--not-after", "2019-10-29T18:36:45Z", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notAfter(date);
-    }
-
-    @Test
-    public void notAfter_now() throws SOPGPException.UnsupportedOption {
-        Date now = new Date();
-        SopCLI.main(new String[] {"verify", "--not-after", "now", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notAfter(dateMatcher(now));
-    }
-
-    @Test
-    public void notAfter_dashCountsAsEndOfTime() throws SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"verify", "--not-after", "-", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notAfter(DateParser.END_OF_TIME);
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void notAfter_unsupportedOptionCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(verify.notAfter(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting upper signature date boundary not supported."));
-        SopCLI.main(new String[] {"verify", "--not-after", "2019-10-29T18:36:45Z", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    public void notBefore_passedDown() throws SOPGPException.UnsupportedOption {
-        Date date = UTCUtil.parseUTCDate("2019-10-29T18:36:45Z");
-        SopCLI.main(new String[] {"verify", "--not-before", "2019-10-29T18:36:45Z", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notBefore(date);
-    }
-
-    @Test
-    public void notBefore_now() throws SOPGPException.UnsupportedOption {
-        Date now = new Date();
-        SopCLI.main(new String[] {"verify", "--not-before", "now", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notBefore(dateMatcher(now));
-    }
-
-    @Test
-    public void notBefore_dashCountsAsBeginningOfTime() throws SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"verify", "--not-before", "-", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notBefore(DateParser.BEGINNING_OF_TIME);
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void notBefore_unsupportedOptionCausesExit37() throws SOPGPException.UnsupportedOption {
-        when(verify.notBefore(any())).thenThrow(new SOPGPException.UnsupportedOption("Setting lower signature date boundary not supported."));
-        SopCLI.main(new String[] {"verify", "--not-before", "2019-10-29T18:36:45Z", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    public void notBeforeAndNotAfterAreCalledWithDefaultValues() throws SOPGPException.UnsupportedOption {
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-        verify(verify, times(1)).notAfter(dateMatcher(new Date()));
-        verify(verify, times(1)).notBefore(DateParser.BEGINNING_OF_TIME);
-    }
-
-    private static Date dateMatcher(Date date) {
-        return ArgumentMatchers.argThat(argument -> Math.abs(argument.getTime() - date.getTime()) < 1000);
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void cert_fileNotFoundCausesExit1() {
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), "invalid.asc"});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void cert_badDataCausesExit41() throws SOPGPException.BadData {
-        when(verify.cert((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(1)
-    public void signature_fileNotFoundCausesExit1() {
-        SopCLI.main(new String[] {"verify", "invalid.sig", cert.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void signature_badDataCausesExit41() throws SOPGPException.BadData {
-        when(verify.signatures((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(3)
-    public void data_noSignaturesCausesExit3() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData {
-        when(verify.data((InputStream) any())).thenThrow(new SOPGPException.NoSignature());
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(41)
-    public void data_badDataCausesExit41() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData {
-        when(verify.data((InputStream) any())).thenThrow(new SOPGPException.BadData(new IOException()));
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-    }
-
-    @Test
-    public void resultIsPrintedProperly() throws SOPGPException.NoSignature, IOException, SOPGPException.BadData {
-        when(verify.data((InputStream) any())).thenReturn(Arrays.asList(
-                new Verification(UTCUtil.parseUTCDate("2019-10-29T18:36:45Z"),
-                        "EB85BB5FA33A75E15E944E63F231550C4F47E38E",
-                        "EB85BB5FA33A75E15E944E63F231550C4F47E38E"),
-                new Verification(UTCUtil.parseUTCDate("2019-10-24T23:48:29Z"),
-                        "C90E6D36200A1B922A1509E77618196529AE5FF8",
-                        "C4BC2DDB38CCE96485EBE9C2F20691179038E5C6")
-        ));
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-
-        SopCLI.main(new String[] {"verify", signature.getAbsolutePath(), cert.getAbsolutePath()});
-
-        System.setOut(originalSout);
-
-        String expected = "2019-10-29T18:36:45Z EB85BB5FA33A75E15E944E63F231550C4F47E38E EB85BB5FA33A75E15E944E63F231550C4F47E38E\n" +
-                "2019-10-24T23:48:29Z C90E6D36200A1B922A1509E77618196529AE5FF8 C4BC2DDB38CCE96485EBE9C2F20691179038E5C6\n";
-
-        assertEquals(expected, out.toString());
-    }
-}
diff --git a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java b/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java
deleted file mode 100644
index 98ea58e2..00000000
--- a/sop-java-picocli/src/test/java/sop/cli/picocli/commands/VersionCmdTest.java
+++ /dev/null
@@ -1,46 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import sop.SOP;
-import sop.cli.picocli.SopCLI;
-import sop.operation.Version;
-
-public class VersionCmdTest {
-
-    private Version version;
-
-    @BeforeEach
-    public void mockComponents() {
-        SOP sop = mock(SOP.class);
-        version = mock(Version.class);
-        when(version.getName()).thenReturn("MockSop");
-        when(version.getVersion()).thenReturn("1.0");
-        when(sop.version()).thenReturn(version);
-
-        SopCLI.setSopInstance(sop);
-    }
-
-    @Test
-    public void assertVersionCommandWorks() {
-        SopCLI.main(new String[] {"version"});
-        verify(version, times(1)).getVersion();
-        verify(version, times(1)).getName();
-    }
-
-    @Test
-    @ExpectSystemExitWithStatus(37)
-    public void assertInvalidOptionResultsInExit37() {
-        SopCLI.main(new String[] {"version", "--invalid"});
-    }
-}
diff --git a/sop-java/README.md b/sop-java/README.md
index 452576c6..e10261b6 100644
--- a/sop-java/README.md
+++ b/sop-java/README.md
@@ -1,80 +1 @@
-
-
-# SOP-Java
-
-[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03)
-[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/sop-java)](https://search.maven.org/artifact/org.pgpainless/sop-java)
-[![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/sop/SOP.html)
-[![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
-
-Stateless OpenPGP Protocol for Java.
-
-This module contains interfaces that model the API described by the 
-[Stateless OpenPGP Command Line Interface](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03) specification.
-
-This module is not a command line application! For that, see `sop-java-picocli`.
-
-## Usage Examples
-
-The API defined by `sop-java` is super straight forward:
-```java
-SOP sop = ... // e.g. new org.pgpainless.sop.SOPImpl();
-        
-// Generate an OpenPGP key
-byte[] key = sop.generateKey()
-        .userId("Alice ")
-        .generate()
-        .getBytes();
-
-// Extract the certificate (public key)
-byte[] cert = sop.extractCert()
-        .key(key)
-        .getBytes();
-
-// Encrypt a message
-byte[] message = ...
-byte[] encrypted = sop.encrypt()
-        .withCert(cert)
-        .signWith(key)
-        .plaintext(message)
-        .getBytes();
-
-// Decrypt a message
-ByteArrayAndResult messageAndVerifications = sop.decrypt()
-        .verifyWith(cert)
-        .withKey(key)
-        .ciphertext(encrypted)
-        .toByteArrayAndResult();
-byte[] decrypted = messageAndVerifications.getBytes();
-// Signature Verifications
-DecryptionResult messageInfo = messageAndVerifications.getResult();
-List signatureVerifications = messageInfo.getVerifications();
-```
-
-Furthermore, the API is capable of signing messages and verifying unencrypted signed data, as well as adding and removing ASCII armor.
-
-### Limitations
-As per the spec, sop-java does not (yet) deal with encrypted OpenPGP keys.
-
-## Why should I use this?
-
-If you need to use OpenPGP functionality like encrypting/decrypting messages, or creating/verifying
-signatures inside your application, you probably don't want to start from scratch and instead reuse some library.
-
-Instead of locking yourselves in by depending hard on that one library, you can simply depend on the interfaces from
-`sop-java` and plug in a library (such as `pgpainless-sop`) that implements said interfaces.
-
-That way you don't make yourself dependent from a single OpenPGP library and stay flexible.
-Should another library emerge, that better suits your needs (and implements `sop-java`), you can easily switch
-by swapping out the dependency with minimal changes to your code.
-
-## Why should I *implement* this?
-
-Did you create an [OpenPGP](https://datatracker.ietf.org/doc/html/rfc4880) implementation that can be used in the Java ecosystem?
-By implementing the `sop-java` interface, you can turn your library into a command line interface (see `sop-java-picocli`).
-This allows you to plug your library into the [OpenPGP interoperability test suite](https://tests.sequoia-pgp.org/)
-of the [Sequoia-PGP](https://sequoia-pgp.org/) project.
+# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java)
\ No newline at end of file
diff --git a/sop-java/build.gradle b/sop-java/build.gradle
deleted file mode 100644
index c2e2f1fb..00000000
--- a/sop-java/build.gradle
+++ /dev/null
@@ -1,22 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-plugins {
-    id 'java'
-}
-
-group 'org.pgpainless'
-
-repositories {
-    mavenCentral()
-}
-
-dependencies {
-    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
-}
-
-test {
-    useJUnitPlatform()
-}
\ No newline at end of file
diff --git a/sop-java/src/main/java/sop/ByteArrayAndResult.java b/sop-java/src/main/java/sop/ByteArrayAndResult.java
deleted file mode 100644
index fd2b39a7..00000000
--- a/sop-java/src/main/java/sop/ByteArrayAndResult.java
+++ /dev/null
@@ -1,50 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-
-/**
- * Tuple of a byte array and associated result object.
- * @param  type of result
- */
-public class ByteArrayAndResult {
-
-    private final byte[] bytes;
-    private final T result;
-
-    public ByteArrayAndResult(byte[] bytes, T result) {
-        this.bytes = bytes;
-        this.result = result;
-    }
-
-    /**
-     * Return the byte array part.
-     *
-     * @return bytes
-     */
-    public byte[] getBytes() {
-        return bytes;
-    }
-
-    /**
-     * Return the result part.
-     *
-     * @return result
-     */
-    public T getResult() {
-        return result;
-    }
-
-    /**
-     * Return the byte array part as an {@link InputStream}.
-     *
-     * @return input stream
-     */
-    public InputStream getInputStream() {
-        return new ByteArrayInputStream(getBytes());
-    }
-}
diff --git a/sop-java/src/main/java/sop/DecryptionResult.java b/sop-java/src/main/java/sop/DecryptionResult.java
deleted file mode 100644
index 4f0e1ab2..00000000
--- a/sop-java/src/main/java/sop/DecryptionResult.java
+++ /dev/null
@@ -1,29 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import sop.util.Optional;
-
-public class DecryptionResult {
-
-    private final Optional sessionKey;
-    private final List verifications;
-
-    public DecryptionResult(SessionKey sessionKey, List verifications) {
-        this.sessionKey = Optional.ofNullable(sessionKey);
-        this.verifications = Collections.unmodifiableList(verifications);
-    }
-
-    public Optional getSessionKey() {
-        return sessionKey;
-    }
-
-    public List getVerifications() {
-        return new ArrayList<>(verifications);
-    }
-}
diff --git a/sop-java/src/main/java/sop/MicAlg.java b/sop-java/src/main/java/sop/MicAlg.java
deleted file mode 100644
index 5bee7875..00000000
--- a/sop-java/src/main/java/sop/MicAlg.java
+++ /dev/null
@@ -1,55 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.io.OutputStream;
-import java.io.PrintWriter;
-
-public class MicAlg {
-
-    private final String micAlg;
-
-    public MicAlg(String micAlg) {
-        if (micAlg == null) {
-            throw new IllegalArgumentException("MicAlg String cannot be null.");
-        }
-        this.micAlg = micAlg;
-    }
-
-    public static MicAlg empty() {
-        return new MicAlg("");
-    }
-
-    public static MicAlg fromHashAlgorithmId(int id) {
-        switch (id) {
-            case 1:
-                return new MicAlg("pgp-md5");
-            case 2:
-                return new MicAlg("pgp-sha1");
-            case 3:
-                return new MicAlg("pgp-ripemd160");
-            case 8:
-                return new MicAlg("pgp-sha256");
-            case 9:
-                return new MicAlg("pgp-sha384");
-            case 10:
-                return new MicAlg("pgp-sha512");
-            case 11:
-                return new MicAlg("pgp-sha224");
-            default:
-                throw new IllegalArgumentException("Unsupported hash algorithm ID: " + id);
-        }
-    }
-
-    public String getMicAlg() {
-        return micAlg;
-    }
-
-    public void writeTo(OutputStream outputStream) {
-        PrintWriter pw = new PrintWriter(outputStream);
-        pw.write(getMicAlg());
-        pw.close();
-    }
-}
diff --git a/sop-java/src/main/java/sop/Ready.java b/sop-java/src/main/java/sop/Ready.java
deleted file mode 100644
index 71ab26ec..00000000
--- a/sop-java/src/main/java/sop/Ready.java
+++ /dev/null
@@ -1,45 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public abstract class Ready {
-
-    /**
-     * Write the data to the provided output stream.
-     *
-     * @param outputStream output stream
-     * @throws IOException in case of an IO error
-     */
-    public abstract void writeTo(OutputStream outputStream) throws IOException;
-
-    /**
-     * Return the data as a byte array by writing it to a {@link ByteArrayOutputStream} first and then returning
-     * the array.
-     *
-     * @return data as byte array
-     * @throws IOException in case of an IO error
-     */
-    public byte[] getBytes() throws IOException {
-        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-        writeTo(bytes);
-        return bytes.toByteArray();
-    }
-
-    /**
-     * Return an input stream containing the data.
-     *
-     * @return input stream
-     * @throws IOException in case of an IO error
-     */
-    public InputStream getInputStream() throws IOException {
-        return new ByteArrayInputStream(getBytes());
-    }
-}
diff --git a/sop-java/src/main/java/sop/ReadyWithResult.java b/sop-java/src/main/java/sop/ReadyWithResult.java
deleted file mode 100644
index 9feeddae..00000000
--- a/sop-java/src/main/java/sop/ReadyWithResult.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-
-import sop.exception.SOPGPException;
-
-public abstract class ReadyWithResult {
-
-    /**
-     * Write the data e.g. decrypted plaintext to the provided output stream and return the result of the
-     * processing operation.
-     *
-     * @param outputStream output stream
-     * @return result, eg. signatures
-     *
-     * @throws IOException in case of an IO error
-     * @throws SOPGPException.NoSignature if there are no valid signatures found
-     */
-    public abstract T writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature;
-
-    /**
-     * Return the data as a {@link ByteArrayAndResult}.
-     * Calling {@link ByteArrayAndResult#getBytes()} will give you access to the data as byte array, while
-     * {@link ByteArrayAndResult#getResult()} will grant access to the appended result.
-     *
-     * @return byte array and result
-     * @throws IOException in case of an IO error
-     * @throws SOPGPException.NoSignature if there are no valid signatures found
-     */
-    public ByteArrayAndResult toByteArrayAndResult() throws IOException, SOPGPException.NoSignature {
-        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-        T result = writeTo(bytes);
-        return new ByteArrayAndResult<>(bytes.toByteArray(), result);
-    }
-}
diff --git a/sop-java/src/main/java/sop/SOP.java b/sop-java/src/main/java/sop/SOP.java
deleted file mode 100644
index 2c2ccf16..00000000
--- a/sop-java/src/main/java/sop/SOP.java
+++ /dev/null
@@ -1,95 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import sop.operation.Armor;
-import sop.operation.Dearmor;
-import sop.operation.Decrypt;
-import sop.operation.DetachInbandSignatureAndMessage;
-import sop.operation.Encrypt;
-import sop.operation.ExtractCert;
-import sop.operation.GenerateKey;
-import sop.operation.Sign;
-import sop.operation.Verify;
-import sop.operation.Version;
-
-/**
- * Stateless OpenPGP Interface.
- */
-public interface SOP {
-
-    /**
-     * Get information about the implementations name and version.
-     *
-     * @return version
-     */
-    Version version();
-
-    /**
-     * Generate a secret key.
-     * Customize the operation using the builder {@link GenerateKey}.
-     *
-     * @return builder instance
-     */
-    GenerateKey generateKey();
-
-    /**
-     * Extract a certificate (public key) from a secret key.
-     * Customize the operation using the builder {@link ExtractCert}.
-     *
-     * @return builder instance
-     */
-    ExtractCert extractCert();
-
-    /**
-     * Create detached signatures.
-     * Customize the operation using the builder {@link Sign}.
-     *
-     * @return builder instance
-     */
-    Sign sign();
-
-    /**
-     * Verify detached signatures.
-     * Customize the operation using the builder {@link Verify}.
-     *
-     * @return builder instance
-     */
-    Verify verify();
-
-    /**
-     * Encrypt a message.
-     * Customize the operation using the builder {@link Encrypt}.
-     *
-     * @return builder instance
-     */
-    Encrypt encrypt();
-
-    /**
-     * Decrypt a message.
-     * Customize the operation using the builder {@link Decrypt}.
-     *
-     * @return builder instance
-     */
-    Decrypt decrypt();
-
-    /**
-     * Convert binary OpenPGP data to ASCII.
-     * Customize the operation using the builder {@link Armor}.
-     *
-     * @return builder instance
-     */
-    Armor armor();
-
-    /**
-     * Converts ASCII armored OpenPGP data to binary.
-     * Customize the operation using the builder {@link Dearmor}.
-     *
-     * @return builder instance
-     */
-    Dearmor dearmor();
-
-    DetachInbandSignatureAndMessage detachInbandSignatureAndMessage();
-}
diff --git a/sop-java/src/main/java/sop/SessionKey.java b/sop-java/src/main/java/sop/SessionKey.java
deleted file mode 100644
index 2adcec4d..00000000
--- a/sop-java/src/main/java/sop/SessionKey.java
+++ /dev/null
@@ -1,79 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.util.Arrays;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import sop.util.HexUtil;
-
-public class SessionKey {
-
-    private static final Pattern PATTERN = Pattern.compile("^(\\d):([0-9a-fA-F]+)$");
-
-    private final byte algorithm;
-    private final byte[] sessionKey;
-
-    public SessionKey(byte algorithm, byte[] sessionKey) {
-        this.algorithm = algorithm;
-        this.sessionKey = sessionKey;
-    }
-
-    /**
-     * Return the symmetric algorithm octet.
-     *
-     * @return algorithm id
-     */
-    public byte getAlgorithm() {
-        return algorithm;
-    }
-
-    /**
-     * Return the session key.
-     *
-     * @return session key
-     */
-    public byte[] getKey() {
-        return sessionKey;
-    }
-
-    @Override
-    public int hashCode() {
-        return getAlgorithm() * 17 + Arrays.hashCode(getKey());
-    }
-
-    @Override
-    public boolean equals(Object other) {
-        if (other == null) {
-            return false;
-        }
-        if (this == other) {
-            return true;
-        }
-        if (!(other instanceof SessionKey)) {
-            return false;
-        }
-
-        SessionKey otherKey = (SessionKey) other;
-        return getAlgorithm() == otherKey.getAlgorithm() && Arrays.equals(getKey(), otherKey.getKey());
-    }
-
-    public static SessionKey fromString(String string) {
-        Matcher matcher = PATTERN.matcher(string);
-        if (!matcher.matches()) {
-            throw new IllegalArgumentException("Provided session key does not match expected format.");
-        }
-        byte algorithm = Byte.parseByte(matcher.group(1));
-        String key = matcher.group(2);
-
-        return new SessionKey(algorithm, HexUtil.hexToBytes(key));
-    }
-
-    @Override
-    public String toString() {
-        return "" + (int) getAlgorithm() + ':' + HexUtil.bytesToHex(sessionKey);
-    }
-}
diff --git a/sop-java/src/main/java/sop/Signatures.java b/sop-java/src/main/java/sop/Signatures.java
deleted file mode 100644
index dd3f000d..00000000
--- a/sop-java/src/main/java/sop/Signatures.java
+++ /dev/null
@@ -1,21 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-public abstract class Signatures extends Ready {
-
-    /**
-     * Write OpenPGP signatures to the provided output stream.
-     *
-     * @param signatureOutputStream output stream
-     * @throws IOException in case of an IO error
-     */
-    @Override
-    public abstract void writeTo(OutputStream signatureOutputStream) throws IOException;
-
-}
diff --git a/sop-java/src/main/java/sop/SigningResult.java b/sop-java/src/main/java/sop/SigningResult.java
deleted file mode 100644
index 2cb142dc..00000000
--- a/sop-java/src/main/java/sop/SigningResult.java
+++ /dev/null
@@ -1,50 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-/**
- * This class contains various information about a signed message.
- */
-public final class SigningResult {
-
-    private final MicAlg micAlg;
-
-    private SigningResult(MicAlg micAlg) {
-        this.micAlg = micAlg;
-    }
-
-    /**
-     * Return a string identifying the digest mechanism used to create the signed message.
-     * This is useful for setting the micalg= parameter for the multipart/signed
-     * content type of a PGP/MIME object as described in section 5 of [RFC3156].
-     *
-     * If more than one signature was generated and different digest mechanisms were used,
-     * the value of the micalg object is an empty string.
-     *
-     * @return micalg
-     */
-    public MicAlg getMicAlg() {
-        return micAlg;
-    }
-
-    public static Builder builder() {
-        return new Builder();
-    }
-
-    public static class Builder {
-
-        private MicAlg micAlg;
-
-        public Builder setMicAlg(MicAlg micAlg) {
-            this.micAlg = micAlg;
-            return this;
-        }
-
-        public SigningResult build() {
-            SigningResult signingResult = new SigningResult(micAlg);
-            return signingResult;
-        }
-    }
-}
diff --git a/sop-java/src/main/java/sop/Verification.java b/sop-java/src/main/java/sop/Verification.java
deleted file mode 100644
index 2047c3d4..00000000
--- a/sop-java/src/main/java/sop/Verification.java
+++ /dev/null
@@ -1,58 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop;
-
-import java.util.Date;
-
-import sop.util.UTCUtil;
-
-public class Verification {
-
-    private final Date creationTime;
-    private final String signingKeyFingerprint;
-    private final String signingCertFingerprint;
-
-    public Verification(Date creationTime, String signingKeyFingerprint, String signingCertFingerprint) {
-        this.creationTime = creationTime;
-        this.signingKeyFingerprint = signingKeyFingerprint;
-        this.signingCertFingerprint = signingCertFingerprint;
-    }
-
-    /**
-     * Return the signatures' creation time.
-     *
-     * @return signature creation time
-     */
-    public Date getCreationTime() {
-        return creationTime;
-    }
-
-    /**
-     * Return the fingerprint of the signing (sub)key.
-     *
-     * @return signing key fingerprint
-     */
-    public String getSigningKeyFingerprint() {
-        return signingKeyFingerprint;
-    }
-
-    /**
-     * Return the fingerprint fo the signing certificate.
-     *
-     * @return signing certificate fingerprint
-     */
-    public String getSigningCertFingerprint() {
-        return signingCertFingerprint;
-    }
-
-    @Override
-    public String toString() {
-        return UTCUtil.formatUTCDate(getCreationTime()) +
-                ' ' +
-                getSigningKeyFingerprint() +
-                ' ' +
-                getSigningCertFingerprint();
-    }
-}
diff --git a/sop-java/src/main/java/sop/enums/ArmorLabel.java b/sop-java/src/main/java/sop/enums/ArmorLabel.java
deleted file mode 100644
index aeaa6f9b..00000000
--- a/sop-java/src/main/java/sop/enums/ArmorLabel.java
+++ /dev/null
@@ -1,13 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.enums;
-
-public enum ArmorLabel {
-    Auto,
-    Sig,
-    Key,
-    Cert,
-    Message
-}
diff --git a/sop-java/src/main/java/sop/enums/EncryptAs.java b/sop-java/src/main/java/sop/enums/EncryptAs.java
deleted file mode 100644
index 2de6792b..00000000
--- a/sop-java/src/main/java/sop/enums/EncryptAs.java
+++ /dev/null
@@ -1,11 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.enums;
-
-public enum EncryptAs {
-    Binary,
-    Text,
-    MIME
-}
diff --git a/sop-java/src/main/java/sop/enums/SignAs.java b/sop-java/src/main/java/sop/enums/SignAs.java
deleted file mode 100644
index fcd79f4d..00000000
--- a/sop-java/src/main/java/sop/enums/SignAs.java
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.enums;
-
-public enum SignAs {
-    Binary,
-    Text
-}
diff --git a/sop-java/src/main/java/sop/enums/package-info.java b/sop-java/src/main/java/sop/enums/package-info.java
deleted file mode 100644
index 67148d3e..00000000
--- a/sop-java/src/main/java/sop/enums/package-info.java
+++ /dev/null
@@ -1,9 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Stateless OpenPGP Interface for Java.
- * Enumerations.
- */
-package sop.enums;
diff --git a/sop-java/src/main/java/sop/exception/SOPGPException.java b/sop-java/src/main/java/sop/exception/SOPGPException.java
deleted file mode 100644
index 6b844f59..00000000
--- a/sop-java/src/main/java/sop/exception/SOPGPException.java
+++ /dev/null
@@ -1,316 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.exception;
-
-public abstract class SOPGPException extends RuntimeException {
-
-    public SOPGPException() {
-        super();
-    }
-
-    public SOPGPException(String message) {
-        super(message);
-    }
-
-    public SOPGPException(Throwable e) {
-        super(e);
-    }
-
-    public SOPGPException(String message, Throwable cause) {
-        super(message, cause);
-    }
-
-    public abstract int getExitCode();
-
-    /**
-     * No acceptable signatures found (sop verify).
-     */
-    public static class NoSignature extends SOPGPException {
-
-        public static final int EXIT_CODE = 3;
-
-        public NoSignature() {
-            super("No verifiable signature found.");
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Asymmetric algorithm unsupported (sop encrypt).
-     */
-    public static class UnsupportedAsymmetricAlgo extends SOPGPException {
-
-        public static final int EXIT_CODE = 13;
-
-        public UnsupportedAsymmetricAlgo(String message, Throwable e) {
-            super(message, e);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Certificate not encryption capable (e,g, expired, revoked, unacceptable usage).
-     */
-    public static class CertCannotEncrypt extends SOPGPException {
-        public static final int EXIT_CODE = 17;
-
-        public CertCannotEncrypt(String message, Throwable cause) {
-            super(message, cause);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Missing required argument.
-     */
-    public static class MissingArg extends SOPGPException {
-
-        public static final int EXIT_CODE = 19;
-
-        public MissingArg(String s) {
-            super(s);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Incomplete verification instructions (sop decrypt).
-     */
-    public static class IncompleteVerification extends SOPGPException {
-
-        public static final int EXIT_CODE = 23;
-
-        public IncompleteVerification(String message) {
-            super(message);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Unable to decrypt (sop decrypt).
-     */
-    public static class CannotDecrypt extends SOPGPException {
-
-        public static final int EXIT_CODE = 29;
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Non-UTF-8 or otherwise unreliable password (sop encrypt).
-     */
-    public static class PasswordNotHumanReadable extends SOPGPException {
-
-        public static final int EXIT_CODE = 31;
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Unsupported option.
-     */
-    public static class UnsupportedOption extends SOPGPException {
-
-        public static final int EXIT_CODE = 37;
-
-        public UnsupportedOption(String message) {
-            super(message);
-        }
-
-        public UnsupportedOption(String message, Throwable cause) {
-            super(message, cause);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Invalid data type (no secret key where KEYS expected, etc.).
-     */
-    public static class BadData extends SOPGPException {
-
-        public static final int EXIT_CODE = 41;
-
-        public BadData(Throwable e) {
-            super(e);
-        }
-
-        public BadData(String message, BadData badData) {
-            super(message, badData);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Non-Text input where text expected.
-     */
-    public static class ExpectedText extends SOPGPException {
-
-        public static final int EXIT_CODE = 53;
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Output file already exists.
-     */
-    public static class OutputExists extends SOPGPException {
-
-        public static final int EXIT_CODE = 59;
-
-        public OutputExists(String message) {
-            super(message);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Input file does not exist.
-     */
-    public static class MissingInput extends SOPGPException {
-
-        public static final int EXIT_CODE = 61;
-
-        public MissingInput(String message, Throwable cause) {
-            super(message, cause);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * A KEYS input is protected (locked) with a password, and sop cannot unlock it.
-     */
-    public static class KeyIsProtected extends SOPGPException {
-
-        public static final int EXIT_CODE = 67;
-
-        public KeyIsProtected() {
-            super();
-        }
-
-        public KeyIsProtected(String message, Throwable cause) {
-            super(message, cause);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Unsupported subcommand.
-     */
-    public static class UnsupportedSubcommand extends SOPGPException {
-
-        public static final int EXIT_CODE = 69;
-
-        public UnsupportedSubcommand(String message) {
-            super(message);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * An indirect parameter is a special designator (it starts with @), but sop does not know how to handle the prefix.
-     */
-    public static class UnsupportedSpecialPrefix extends SOPGPException {
-
-        public static final int EXIT_CODE = 71;
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * A indirect input parameter is a special designator (it starts with @),
-     * and a filename matching the designator is actually present.
-     */
-    public static class AmbiguousInput extends SOPGPException {
-
-        public static final int EXIT_CODE = 73;
-
-        public AmbiguousInput(String message) {
-            super(message);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-
-    /**
-     * Key not signature-capable (e.g. expired, revoked, unacceptable usage flags)
-     * (sop sign and sop encrypt with --sign-with).
-     */
-    public static class KeyCannotSign extends SOPGPException {
-
-        public static final int EXIT_CODE = 79;
-
-        public KeyCannotSign() {
-            super();
-        }
-
-        public KeyCannotSign(String s, KeyCannotSign keyCannotSign) {
-            super(s, keyCannotSign);
-        }
-
-        @Override
-        public int getExitCode() {
-            return EXIT_CODE;
-        }
-    }
-}
diff --git a/sop-java/src/main/java/sop/exception/package-info.java b/sop-java/src/main/java/sop/exception/package-info.java
deleted file mode 100644
index 4abc562b..00000000
--- a/sop-java/src/main/java/sop/exception/package-info.java
+++ /dev/null
@@ -1,9 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Stateless OpenPGP Interface for Java.
- * Exception classes.
- */
-package sop.exception;
diff --git a/sop-java/src/main/java/sop/operation/Armor.java b/sop-java/src/main/java/sop/operation/Armor.java
deleted file mode 100644
index dea3257a..00000000
--- a/sop-java/src/main/java/sop/operation/Armor.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-
-import sop.Ready;
-import sop.enums.ArmorLabel;
-import sop.exception.SOPGPException;
-
-public interface Armor {
-
-    /**
-     * Overrides automatic detection of label.
-     *
-     * @param label armor label
-     * @return builder instance
-     */
-    Armor label(ArmorLabel label) throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Armor the provided data.
-     *
-     * @param data input stream of unarmored OpenPGP data
-     * @return armored data
-     */
-    Ready data(InputStream data) throws SOPGPException.BadData;
-
-    /**
-     * Armor the provided data.
-     *
-     * @param data unarmored OpenPGP data
-     * @return armored data
-     */
-    default Ready data(byte[] data) throws SOPGPException.BadData {
-        return data(new ByteArrayInputStream(data));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/Dearmor.java b/sop-java/src/main/java/sop/operation/Dearmor.java
deleted file mode 100644
index 35eceb56..00000000
--- a/sop-java/src/main/java/sop/operation/Dearmor.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.Ready;
-import sop.exception.SOPGPException;
-
-public interface Dearmor {
-
-    /**
-     * Dearmor armored OpenPGP data.
-     *
-     * @param data armored OpenPGP data
-     * @return input stream of unarmored data
-     */
-    Ready data(InputStream data) throws SOPGPException.BadData, IOException;
-
-    /**
-     * Dearmor armored OpenPGP data.
-     *
-     * @param data armored OpenPGP data
-     * @return input stream of unarmored data
-     */
-    default Ready data(byte[] data) throws SOPGPException.BadData, IOException {
-        return data(new ByteArrayInputStream(data));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/Decrypt.java b/sop-java/src/main/java/sop/operation/Decrypt.java
deleted file mode 100644
index 0811ac2d..00000000
--- a/sop-java/src/main/java/sop/operation/Decrypt.java
+++ /dev/null
@@ -1,118 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Date;
-
-import sop.DecryptionResult;
-import sop.ReadyWithResult;
-import sop.SessionKey;
-import sop.exception.SOPGPException;
-
-public interface Decrypt {
-
-    /**
-     * Makes the SOP consider signatures before this date invalid.
-     *
-     * @param timestamp timestamp
-     * @return builder instance
-     */
-    Decrypt verifyNotBefore(Date timestamp)
-            throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Makes the SOP consider signatures after this date invalid.
-     *
-     * @param timestamp timestamp
-     * @return builder instance
-     */
-    Decrypt verifyNotAfter(Date timestamp)
-            throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Adds one or more verification cert.
-     *
-     * @param cert input stream containing the cert(s)
-     * @return builder instance
-     */
-    Decrypt verifyWithCert(InputStream cert)
-            throws SOPGPException.BadData,
-            IOException;
-
-    /**
-     * Adds one or more verification cert.
-     *
-     * @param cert byte array containing the cert(s)
-     * @return builder instance
-     */
-    default Decrypt verifyWithCert(byte[] cert)
-            throws SOPGPException.BadData, IOException {
-        return verifyWithCert(new ByteArrayInputStream(cert));
-    }
-
-    /**
-     * Tries to decrypt with the given session key.
-     *
-     * @param sessionKey session key
-     * @return builder instance
-     */
-    Decrypt withSessionKey(SessionKey sessionKey)
-            throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Tries to decrypt with the given password.
-     *
-     * @param password password
-     * @return builder instance
-     */
-    Decrypt withPassword(String password)
-            throws SOPGPException.PasswordNotHumanReadable,
-            SOPGPException.UnsupportedOption;
-
-    /**
-     * Adds one or more decryption key.
-     *
-     * @param key input stream containing the key(s)
-     * @return builder instance
-     */
-    Decrypt withKey(InputStream key)
-            throws SOPGPException.KeyIsProtected,
-            SOPGPException.BadData,
-            SOPGPException.UnsupportedAsymmetricAlgo;
-
-    /**
-     * Adds one or more decryption key.
-     *
-     * @param key byte array containing the key(s)
-     * @return builder instance
-     */
-    default Decrypt withKey(byte[] key)
-            throws SOPGPException.KeyIsProtected,
-            SOPGPException.BadData,
-            SOPGPException.UnsupportedAsymmetricAlgo {
-        return withKey(new ByteArrayInputStream(key));
-    }
-
-    /**
-     * Decrypts the given ciphertext, returning verification results and plaintext.
-     * @param ciphertext ciphertext
-     * @return ready with result
-     */
-    ReadyWithResult ciphertext(InputStream ciphertext)
-            throws SOPGPException.BadData, SOPGPException.MissingArg, SOPGPException.CannotDecrypt;
-
-    /**
-     * Decrypts the given ciphertext, returning verification results and plaintext.
-     * @param ciphertext ciphertext
-     * @return ready with result
-     */
-    default ReadyWithResult ciphertext(byte[] ciphertext)
-        throws SOPGPException.BadData, SOPGPException.MissingArg, SOPGPException.CannotDecrypt {
-        return ciphertext(new ByteArrayInputStream(ciphertext));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java b/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
deleted file mode 100644
index 9e22258c..00000000
--- a/sop-java/src/main/java/sop/operation/DetachInbandSignatureAndMessage.java
+++ /dev/null
@@ -1,44 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.ReadyWithResult;
-import sop.Signatures;
-
-/**
- * Split cleartext signed messages up into data and signatures.
- */
-public interface DetachInbandSignatureAndMessage {
-
-    /**
-     * Do not wrap the signatures in ASCII armor.
-     * @return builder
-     */
-    DetachInbandSignatureAndMessage noArmor();
-
-    /**
-     * Detach the provided cleartext signed message from its signatures.
-     *
-     * @param messageInputStream input stream containing the signed message
-     * @return result containing the detached message
-     * @throws IOException in case of an IO error
-     */
-    ReadyWithResult message(InputStream messageInputStream) throws IOException;
-
-    /**
-     * Detach the provided cleartext signed message from its signatures.
-     *
-     * @param message byte array containing the signed message
-     * @return result containing the detached message
-     * @throws IOException in case of an IO error
-     */
-    default ReadyWithResult message(byte[] message) throws IOException {
-        return message(new ByteArrayInputStream(message));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/Encrypt.java b/sop-java/src/main/java/sop/operation/Encrypt.java
deleted file mode 100644
index 784c07a0..00000000
--- a/sop-java/src/main/java/sop/operation/Encrypt.java
+++ /dev/null
@@ -1,109 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.Ready;
-import sop.enums.EncryptAs;
-import sop.exception.SOPGPException;
-
-public interface Encrypt {
-
-    /**
-     * Disable ASCII armor encoding.
-     *
-     * @return builder instance
-     */
-    Encrypt noArmor();
-
-    /**
-     * Sets encryption mode.
-     *
-     * @param mode mode
-     * @return builder instance
-     */
-    Encrypt mode(EncryptAs mode)
-            throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Adds the signer key.
-     *
-     * @param key input stream containing the encoded signer key
-     * @return builder instance
-     */
-    Encrypt signWith(InputStream key)
-            throws SOPGPException.KeyIsProtected,
-            SOPGPException.KeyCannotSign,
-            SOPGPException.UnsupportedAsymmetricAlgo,
-            SOPGPException.BadData;
-
-    /**
-     * Adds the signer key.
-     *
-     * @param key byte array containing the encoded signer key
-     * @return builder instance
-     */
-    default Encrypt signWith(byte[] key)
-            throws SOPGPException.KeyIsProtected,
-            SOPGPException.KeyCannotSign,
-            SOPGPException.UnsupportedAsymmetricAlgo,
-            SOPGPException.BadData {
-        return signWith(new ByteArrayInputStream(key));
-    }
-
-    /**
-     * Encrypt with the given password.
-     *
-     * @param password password
-     * @return builder instance
-     */
-    Encrypt withPassword(String password)
-            throws SOPGPException.PasswordNotHumanReadable,
-            SOPGPException.UnsupportedOption;
-
-    /**
-     * Encrypt with the given cert.
-     *
-     * @param cert input stream containing the encoded cert.
-     * @return builder instance
-     */
-    Encrypt withCert(InputStream cert)
-            throws SOPGPException.CertCannotEncrypt,
-            SOPGPException.UnsupportedAsymmetricAlgo,
-            SOPGPException.BadData;
-
-    /**
-     * Encrypt with the given cert.
-     *
-     * @param cert byte array containing the encoded cert.
-     * @return builder instance
-     */
-    default Encrypt withCert(byte[] cert)
-            throws SOPGPException.CertCannotEncrypt,
-            SOPGPException.UnsupportedAsymmetricAlgo,
-            SOPGPException.BadData {
-        return withCert(new ByteArrayInputStream(cert));
-    }
-
-    /**
-     * Encrypt the given data yielding the ciphertext.
-     * @param plaintext plaintext
-     * @return input stream containing the ciphertext
-     */
-    Ready plaintext(InputStream plaintext)
-        throws IOException;
-
-    /**
-     * Encrypt the given data yielding the ciphertext.
-     * @param plaintext plaintext
-     * @return input stream containing the ciphertext
-     */
-    default Ready plaintext(byte[] plaintext) throws IOException {
-        return plaintext(new ByteArrayInputStream(plaintext));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/ExtractCert.java b/sop-java/src/main/java/sop/operation/ExtractCert.java
deleted file mode 100644
index 32491111..00000000
--- a/sop-java/src/main/java/sop/operation/ExtractCert.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.Ready;
-import sop.exception.SOPGPException;
-
-public interface ExtractCert {
-
-    /**
-     * Disable ASCII armor encoding.
-     *
-     * @return builder instance
-     */
-    ExtractCert noArmor();
-
-    /**
-     * Extract the cert(s) from the provided key(s).
-     *
-     * @param keyInputStream input stream containing the encoding of one or more OpenPGP keys
-     * @return result containing the encoding of the keys certs
-     */
-    Ready key(InputStream keyInputStream) throws IOException, SOPGPException.BadData;
-
-    /**
-     * Extract the cert(s) from the provided key(s).
-     *
-     * @param key byte array containing the encoding of one or more OpenPGP key
-     * @return result containing the encoding of the keys certs
-     */
-    default Ready key(byte[] key) throws IOException, SOPGPException.BadData {
-        return key(new ByteArrayInputStream(key));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/GenerateKey.java b/sop-java/src/main/java/sop/operation/GenerateKey.java
deleted file mode 100644
index c652e84a..00000000
--- a/sop-java/src/main/java/sop/operation/GenerateKey.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.Ready;
-import sop.exception.SOPGPException;
-
-public interface GenerateKey {
-
-    /**
-     * Disable ASCII armor encoding.
-     *
-     * @return builder instance
-     */
-    GenerateKey noArmor();
-
-    /**
-     * Adds a user-id.
-     *
-     * @param userId user-id
-     * @return builder instance
-     */
-    GenerateKey userId(String userId);
-
-    /**
-     * Generate the OpenPGP key and return it encoded as an {@link InputStream}.
-     *
-     * @return key
-     */
-    Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo, IOException;
-}
diff --git a/sop-java/src/main/java/sop/operation/Sign.java b/sop-java/src/main/java/sop/operation/Sign.java
deleted file mode 100644
index be518cde..00000000
--- a/sop-java/src/main/java/sop/operation/Sign.java
+++ /dev/null
@@ -1,69 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import sop.ReadyWithResult;
-import sop.SigningResult;
-import sop.enums.SignAs;
-import sop.exception.SOPGPException;
-
-public interface Sign {
-
-    /**
-     * Disable ASCII armor encoding.
-     *
-     * @return builder instance
-     */
-    Sign noArmor();
-
-    /**
-     * Sets the signature mode.
-     * Note: This method has to be called before {@link #key(InputStream)} is called.
-     *
-     * @param mode signature mode
-     * @return builder instance
-     */
-    Sign mode(SignAs mode) throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Add one or more signing keys.
-     *
-     * @param key input stream containing encoded keys
-     * @return builder instance
-     */
-    Sign key(InputStream key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException;
-
-    /**
-     * Add one or more signing keys.
-     *
-     * @param key byte array containing encoded keys
-     * @return builder instance
-     */
-    default Sign key(byte[] key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
-        return key(new ByteArrayInputStream(key));
-    }
-
-    /**
-     * Signs data.
-     *
-     * @param data input stream containing data
-     * @return ready
-     */
-    ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText;
-
-    /**
-     * Signs data.
-     *
-     * @param data byte array containing data
-     * @return ready
-     */
-    default ReadyWithResult data(byte[] data) throws IOException, SOPGPException.ExpectedText {
-        return data(new ByteArrayInputStream(data));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/Verify.java b/sop-java/src/main/java/sop/operation/Verify.java
deleted file mode 100644
index 1bf9fe09..00000000
--- a/sop-java/src/main/java/sop/operation/Verify.java
+++ /dev/null
@@ -1,67 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.util.Date;
-
-import sop.exception.SOPGPException;
-
-public interface Verify extends VerifySignatures {
-
-    /**
-     * Makes the SOP implementation consider signatures before this date invalid.
-     *
-     * @param timestamp timestamp
-     * @return builder instance
-     */
-    Verify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Makes the SOP implementation consider signatures after this date invalid.
-     *
-     * @param timestamp timestamp
-     * @return builder instance
-     */
-    Verify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption;
-
-    /**
-     * Add one or more verification cert.
-     *
-     * @param cert input stream containing the encoded certs
-     * @return builder instance
-     */
-    Verify cert(InputStream cert) throws SOPGPException.BadData;
-
-    /**
-     * Add one or more verification cert.
-     *
-     * @param cert byte array containing the encoded certs
-     * @return builder instance
-     */
-    default Verify cert(byte[] cert) throws SOPGPException.BadData {
-        return cert(new ByteArrayInputStream(cert));
-    }
-
-    /**
-     * Provides the signatures.
-     * @param signatures input stream containing encoded, detached signatures.
-     *
-     * @return builder instance
-     */
-    VerifySignatures signatures(InputStream signatures) throws SOPGPException.BadData;
-
-    /**
-     * Provides the signatures.
-     * @param signatures byte array containing encoded, detached signatures.
-     *
-     * @return builder instance
-     */
-    default VerifySignatures signatures(byte[] signatures) throws SOPGPException.BadData {
-        return signatures(new ByteArrayInputStream(signatures));
-    }
-
-}
diff --git a/sop-java/src/main/java/sop/operation/VerifySignatures.java b/sop-java/src/main/java/sop/operation/VerifySignatures.java
deleted file mode 100644
index d41a8edd..00000000
--- a/sop-java/src/main/java/sop/operation/VerifySignatures.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-
-import sop.Verification;
-import sop.exception.SOPGPException;
-
-public interface VerifySignatures {
-
-    /**
-     * Provide the signed data (without signatures).
-     *
-     * @param data signed data
-     * @return list of signature verifications
-     * @throws IOException in case of an IO error
-     * @throws SOPGPException.NoSignature when no signature is found
-     * @throws SOPGPException.BadData when the data is invalid OpenPGP data
-     */
-    List data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData;
-
-    /**
-     * Provide the signed data (without signatures).
-     *
-     * @param data signed data
-     * @return list of signature verifications
-     * @throws IOException in case of an IO error
-     * @throws SOPGPException.NoSignature when no signature is found
-     * @throws SOPGPException.BadData when the data is invalid OpenPGP data
-     */
-    default List data(byte[] data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
-        return data(new ByteArrayInputStream(data));
-    }
-}
diff --git a/sop-java/src/main/java/sop/operation/Version.java b/sop-java/src/main/java/sop/operation/Version.java
deleted file mode 100644
index 0b50993f..00000000
--- a/sop-java/src/main/java/sop/operation/Version.java
+++ /dev/null
@@ -1,49 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.operation;
-
-public interface Version {
-
-    /**
-     * Return the implementations name.
-     * e.g. "SOP",
-     *
-     * @return implementation name
-     */
-    String getName();
-
-    /**
-     * Return the implementations short version string.
-     * e.g. "1.0"
-     *
-     * @return version string
-     */
-    String getVersion();
-
-    /**
-     * Return version information about the used OpenPGP backend.
-     * e.g. "Bouncycastle 1.70"
-     *
-     * @return backend version string
-     */
-    String getBackendVersion();
-
-    /**
-     * Return an extended version string containing multiple lines of version information.
-     * The first line MUST match the information produced by {@link #getName()} and {@link #getVersion()}, but the rest of the text
-     * has no defined structure.
-     * Example:
-     * 
-     *     "SOP 1.0
-     *     Awesome PGP!
-     *     Using Bouncycastle 1.70
-     *     LibFoo 1.2.2
-     *     See https://pgp.example.org/sop/ for more information"
-     * 

-     *
-     * @return extended version string
-     */
-    String getExtendedVersion();
-}
diff --git a/sop-java/src/main/java/sop/operation/package-info.java b/sop-java/src/main/java/sop/operation/package-info.java
deleted file mode 100644
index dde4d5bb..00000000
--- a/sop-java/src/main/java/sop/operation/package-info.java
+++ /dev/null
@@ -1,9 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Stateless OpenPGP Interface for Java.
- * Different cryptographic operations.
- */
-package sop.operation;
diff --git a/sop-java/src/main/java/sop/package-info.java b/sop-java/src/main/java/sop/package-info.java
deleted file mode 100644
index 5ad4f528..00000000
--- a/sop-java/src/main/java/sop/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Stateless OpenPGP Interface for Java.
- */
-package sop;
diff --git a/sop-java/src/main/java/sop/util/HexUtil.java b/sop-java/src/main/java/sop/util/HexUtil.java
deleted file mode 100644
index 9b88f53d..00000000
--- a/sop-java/src/main/java/sop/util/HexUtil.java
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2021 Paul Schaub, @maybeWeCouldStealAVan, @Dave L.
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-public class HexUtil {
-
-    private static final char[] HEX_ARRAY = "0123456789ABCDEF".toCharArray();
-
-    /**
-     * Encode a byte array to a hex string.
-     *
-     * @see 
-     *     How to convert a byte array to a hex string in Java?
-     * @param bytes bytes
-     * @return hex encoding
-     */
-    public static String bytesToHex(byte[] bytes) {
-        char[] hexChars = new char[bytes.length * 2];
-        for (int j = 0; j < bytes.length; j++) {
-            int v = bytes[j] & 0xFF;
-            hexChars[j * 2] = HEX_ARRAY[v >>> 4];
-            hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
-        }
-        return new String(hexChars);
-    }
-
-    /**
-     * Decode a hex string into a byte array.
-     *
-     * @see 
-     *     Convert a string representation of a hex dump to a byte array using Java?
-     * @param s hex string
-     * @return decoded byte array
-     */
-    public static byte[] hexToBytes(String s) {
-        int len = s.length();
-        byte[] data = new byte[len / 2];
-        for (int i = 0; i < len; i += 2) {
-            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
-                    + Character.digit(s.charAt(i + 1), 16));
-        }
-        return data;
-    }
-}
diff --git a/sop-java/src/main/java/sop/util/Optional.java b/sop-java/src/main/java/sop/util/Optional.java
deleted file mode 100644
index 00eb2012..00000000
--- a/sop-java/src/main/java/sop/util/Optional.java
+++ /dev/null
@@ -1,50 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-/**
- * Backport of java.util.Optional for older Android versions.
- *
- * @param  item type
- */
-public class Optional {
-
-    private final T item;
-
-    public Optional() {
-        this(null);
-    }
-
-    public Optional(T item) {
-        this.item = item;
-    }
-
-    public static  Optional of(T item) {
-        if (item == null) {
-            throw new NullPointerException("Item cannot be null.");
-        }
-        return new Optional<>(item);
-    }
-
-    public static  Optional ofNullable(T item) {
-        return new Optional<>(item);
-    }
-
-    public static  Optional ofEmpty() {
-        return new Optional<>(null);
-    }
-
-    public T get() {
-        return item;
-    }
-
-    public boolean isPresent() {
-        return item != null;
-    }
-
-    public boolean isEmpty() {
-        return item == null;
-    }
-}
diff --git a/sop-java/src/main/java/sop/util/ProxyOutputStream.java b/sop-java/src/main/java/sop/util/ProxyOutputStream.java
deleted file mode 100644
index 0559e8f4..00000000
--- a/sop-java/src/main/java/sop/util/ProxyOutputStream.java
+++ /dev/null
@@ -1,80 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-
-/**
- * {@link OutputStream} that buffers data being written into it, until its underlying output stream is being replaced.
- * At that point, first all the buffered data is being written to the underlying stream, followed by any successive
- * data that may get written to the {@link ProxyOutputStream}.
- *
- * This class is useful if we need to provide an {@link OutputStream} at one point in time when the final
- * target output stream is not yet known.
- */
-public class ProxyOutputStream extends OutputStream {
-
-    private final ByteArrayOutputStream buffer;
-    private OutputStream swapped;
-
-    public ProxyOutputStream() {
-        this.buffer = new ByteArrayOutputStream();
-    }
-
-    public synchronized void replaceOutputStream(OutputStream underlying) throws IOException {
-        if (underlying == null) {
-            throw new NullPointerException("Underlying OutputStream cannot be null.");
-        }
-        this.swapped = underlying;
-
-        byte[] bufferBytes = buffer.toByteArray();
-        swapped.write(bufferBytes);
-    }
-
-    @Override
-    public synchronized void write(byte[] b) throws IOException {
-        if (swapped == null) {
-            buffer.write(b);
-        } else {
-            swapped.write(b);
-        }
-    }
-
-    @Override
-    public synchronized void write(byte[] b, int off, int len) throws IOException {
-        if (swapped == null) {
-            buffer.write(b, off, len);
-        } else {
-            swapped.write(b, off, len);
-        }
-    }
-
-    @Override
-    public synchronized void flush() throws IOException {
-        buffer.flush();
-        if (swapped != null) {
-            swapped.flush();
-        }
-    }
-
-    @Override
-    public synchronized void close() throws IOException {
-        buffer.close();
-        if (swapped != null) {
-            swapped.close();
-        }
-    }
-
-    @Override
-    public synchronized void write(int i) throws IOException {
-        if (swapped == null) {
-            buffer.write(i);
-        } else {
-            swapped.write(i);
-        }
-    }
-}
diff --git a/sop-java/src/main/java/sop/util/UTCUtil.java b/sop-java/src/main/java/sop/util/UTCUtil.java
deleted file mode 100644
index 8ef7e773..00000000
--- a/sop-java/src/main/java/sop/util/UTCUtil.java
+++ /dev/null
@@ -1,56 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.TimeZone;
-
-/**
- * Utility class to parse and format dates as ISO-8601 UTC timestamps.
- */
-public class UTCUtil {
-
-    public static final SimpleDateFormat UTC_FORMATTER = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
-    public static final SimpleDateFormat[] UTC_PARSERS = new SimpleDateFormat[] {
-            UTC_FORMATTER,
-            new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssX"),
-            new SimpleDateFormat("yyyyMMdd'T'HHmmss'Z'"),
-            new SimpleDateFormat("yyyy-MM-dd'T'HH:mm'Z'")
-    };
-
-    static {
-        for (SimpleDateFormat f : UTC_PARSERS) {
-            f.setTimeZone(TimeZone.getTimeZone("UTC"));
-        }
-    }
-    /**
-     * Parse an ISO-8601 UTC timestamp from a string.
-     *
-     * @param dateString string
-     * @return date
-     */
-    public static Date parseUTCDate(String dateString) {
-        for (SimpleDateFormat parser : UTC_PARSERS) {
-            try {
-                return parser.parse(dateString);
-            } catch (ParseException e) {
-                // Try next parser
-            }
-        }
-        return null;
-    }
-
-    /**
-     * Format a date as ISO-8601 UTC timestamp.
-     *
-     * @param date date
-     * @return timestamp string
-     */
-    public static String formatUTCDate(Date date) {
-        return UTC_FORMATTER.format(date);
-    }
-}
diff --git a/sop-java/src/main/java/sop/util/package-info.java b/sop-java/src/main/java/sop/util/package-info.java
deleted file mode 100644
index 3dd9fc19..00000000
--- a/sop-java/src/main/java/sop/util/package-info.java
+++ /dev/null
@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Utility classes.
- */
-package sop.util;
diff --git a/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java b/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java
deleted file mode 100644
index 8ae1859f..00000000
--- a/sop-java/src/test/java/sop/util/ByteArrayAndResultTest.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.nio.charset.StandardCharsets;
-import java.util.Collections;
-import java.util.List;
-
-import org.junit.jupiter.api.Test;
-import sop.ByteArrayAndResult;
-import sop.Verification;
-
-public class ByteArrayAndResultTest {
-
-    @Test
-    public void testCreationAndGetters() {
-        byte[] bytes = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
-        List result = Collections.singletonList(
-                new Verification(UTCUtil.parseUTCDate("2019-10-24T23:48:29Z"),
-                        "C90E6D36200A1B922A1509E77618196529AE5FF8",
-                        "C4BC2DDB38CCE96485EBE9C2F20691179038E5C6")
-        );
-        ByteArrayAndResult> bytesAndResult = new ByteArrayAndResult<>(bytes, result);
-
-        assertArrayEquals(bytes, bytesAndResult.getBytes());
-        assertEquals(result, bytesAndResult.getResult());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/HexUtilTest.java b/sop-java/src/test/java/sop/util/HexUtilTest.java
deleted file mode 100644
index 54fc21de..00000000
--- a/sop-java/src/test/java/sop/util/HexUtilTest.java
+++ /dev/null
@@ -1,63 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.nio.charset.Charset;
-
-import org.junit.jupiter.api.Test;
-
-/**
- * Test using some test vectors from RFC4648.
- *
- * @see RFC-4648 §10: Test Vectors
- */
-public class HexUtilTest {
-
-    @SuppressWarnings("CharsetObjectCanBeUsed")
-    private static final Charset ASCII = Charset.forName("US-ASCII");
-
-    @Test
-    public void emptyHexEncodeTest() {
-        assertHexEquals("", "");
-    }
-
-    @Test
-    public void encodeF() {
-        assertHexEquals("66", "f");
-    }
-
-    @Test
-    public void encodeFo() {
-        assertHexEquals("666F", "fo");
-    }
-
-    @Test
-    public void encodeFoo() {
-        assertHexEquals("666F6F", "foo");
-    }
-
-    @Test
-    public void encodeFoob() {
-        assertHexEquals("666F6F62", "foob");
-    }
-
-    @Test
-    public void encodeFooba() {
-        assertHexEquals("666F6F6261", "fooba");
-    }
-
-    @Test
-    public void encodeFoobar() {
-        assertHexEquals("666F6F626172", "foobar");
-    }
-
-    private void assertHexEquals(String hex, String ascii) {
-        assertEquals(hex, HexUtil.bytesToHex(ascii.getBytes(ASCII)));
-        assertArrayEquals(ascii.getBytes(ASCII), HexUtil.hexToBytes(hex));
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/MicAlgTest.java b/sop-java/src/test/java/sop/util/MicAlgTest.java
deleted file mode 100644
index f720c85b..00000000
--- a/sop-java/src/test/java/sop/util/MicAlgTest.java
+++ /dev/null
@@ -1,53 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.jupiter.api.Test;
-import sop.MicAlg;
-
-public class MicAlgTest {
-
-    @Test
-    public void constructorNullArgThrows() {
-        assertThrows(IllegalArgumentException.class, () -> new MicAlg(null));
-    }
-
-    @Test
-    public void emptyMicAlgIsEmptyString() {
-        MicAlg empty = MicAlg.empty();
-        assertNotNull(empty.getMicAlg());
-        assertTrue(empty.getMicAlg().isEmpty());
-    }
-
-    @Test
-    public void fromInvalidAlgorithmIdThrows() {
-        assertThrows(IllegalArgumentException.class, () -> MicAlg.fromHashAlgorithmId(-1));
-    }
-
-    @Test
-    public void fromHashAlgorithmIdsKnownAlgsMatch() {
-        Map knownAlgorithmMicalgs = new HashMap<>();
-        knownAlgorithmMicalgs.put(1, "pgp-md5");
-        knownAlgorithmMicalgs.put(2, "pgp-sha1");
-        knownAlgorithmMicalgs.put(3, "pgp-ripemd160");
-        knownAlgorithmMicalgs.put(8, "pgp-sha256");
-        knownAlgorithmMicalgs.put(9, "pgp-sha384");
-        knownAlgorithmMicalgs.put(10, "pgp-sha512");
-        knownAlgorithmMicalgs.put(11, "pgp-sha224");
-
-        for (Integer id : knownAlgorithmMicalgs.keySet()) {
-            MicAlg micAlg = MicAlg.fromHashAlgorithmId(id);
-            assertEquals(knownAlgorithmMicalgs.get(id), micAlg.getMicAlg());
-        }
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/OptionalTest.java b/sop-java/src/test/java/sop/util/OptionalTest.java
deleted file mode 100644
index 45900b73..00000000
--- a/sop-java/src/test/java/sop/util/OptionalTest.java
+++ /dev/null
@@ -1,78 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import org.junit.jupiter.api.Test;
-
-public class OptionalTest {
-
-    @Test
-    public void testEmpty() {
-        Optional optional = new Optional<>();
-        assertEmpty(optional);
-    }
-
-    @Test
-    public void testArg() {
-        String string = "foo";
-        Optional optional = new Optional<>(string);
-        assertFalse(optional.isEmpty());
-        assertTrue(optional.isPresent());
-        assertEquals(string, optional.get());
-    }
-
-    @Test
-    public void testOfEmpty() {
-        Optional optional = Optional.ofEmpty();
-        assertEmpty(optional);
-    }
-
-    @Test
-    public void testNullArg() {
-        Optional optional = new Optional<>(null);
-        assertEmpty(optional);
-    }
-
-    @Test
-    public void testOfWithNullArgThrows() {
-        assertThrows(NullPointerException.class, () -> Optional.of(null));
-    }
-
-    @Test
-    public void testOf() {
-        String string = "Hello, World!";
-        Optional optional = Optional.of(string);
-        assertFalse(optional.isEmpty());
-        assertTrue(optional.isPresent());
-        assertEquals(string, optional.get());
-    }
-
-    @Test
-    public void testOfNullableWithNull() {
-        Optional optional = Optional.ofNullable(null);
-        assertEmpty(optional);
-    }
-
-    @Test
-    public void testOfNullableWithArg() {
-        Optional optional = Optional.ofNullable("bar");
-        assertEquals("bar", optional.get());
-        assertFalse(optional.isEmpty());
-        assertTrue(optional.isPresent());
-    }
-
-    private  void assertEmpty(Optional optional) {
-        assertTrue(optional.isEmpty());
-        assertFalse(optional.isPresent());
-
-        assertNull(optional.get());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java b/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java
deleted file mode 100644
index 9d99fd4f..00000000
--- a/sop-java/src/test/java/sop/util/ProxyOutputStreamTest.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-
-import org.junit.jupiter.api.Test;
-
-public class ProxyOutputStreamTest {
-
-    @Test
-    public void replaceOutputStreamThrowsNPEForNull() {
-        ProxyOutputStream proxy = new ProxyOutputStream();
-        assertThrows(NullPointerException.class, () -> proxy.replaceOutputStream(null));
-    }
-
-    @Test
-    public void testSwappingStreamPreservesWrittenBytes() throws IOException {
-        byte[] firstSection = "Foo\nBar\n".getBytes(StandardCharsets.UTF_8);
-        byte[] secondSection = "Baz\n".getBytes(StandardCharsets.UTF_8);
-
-        ProxyOutputStream proxy = new ProxyOutputStream();
-        proxy.write(firstSection);
-
-        ByteArrayOutputStream swappedStream = new ByteArrayOutputStream();
-        proxy.replaceOutputStream(swappedStream);
-
-        proxy.write(secondSection);
-        proxy.close();
-
-        assertEquals("Foo\nBar\nBaz\n", swappedStream.toString());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/ReadyTest.java b/sop-java/src/test/java/sop/util/ReadyTest.java
deleted file mode 100644
index 07fa0903..00000000
--- a/sop-java/src/test/java/sop/util/ReadyTest.java
+++ /dev/null
@@ -1,30 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-
-import org.junit.jupiter.api.Test;
-import sop.Ready;
-
-public class ReadyTest {
-
-    @Test
-    public void readyTest() throws IOException {
-        byte[] data = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
-        Ready ready = new Ready() {
-            @Override
-            public void writeTo(OutputStream outputStream) throws IOException {
-                outputStream.write(data);
-            }
-        };
-
-        assertArrayEquals(data, ready.getBytes());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java b/sop-java/src/test/java/sop/util/ReadyWithResultTest.java
deleted file mode 100644
index 97841fa8..00000000
--- a/sop-java/src/test/java/sop/util/ReadyWithResultTest.java
+++ /dev/null
@@ -1,44 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.Collections;
-import java.util.List;
-
-import org.junit.jupiter.api.Test;
-import sop.ByteArrayAndResult;
-import sop.ReadyWithResult;
-import sop.Verification;
-import sop.exception.SOPGPException;
-
-public class ReadyWithResultTest {
-
-    @Test
-    public void testReadyWithResult() throws SOPGPException.NoSignature, IOException {
-        byte[] data = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
-        List result = Collections.singletonList(
-                new Verification(UTCUtil.parseUTCDate("2019-10-24T23:48:29Z"),
-                        "C90E6D36200A1B922A1509E77618196529AE5FF8",
-                        "C4BC2DDB38CCE96485EBE9C2F20691179038E5C6")
-        );
-        ReadyWithResult> readyWithResult = new ReadyWithResult>() {
-            @Override
-            public List writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
-                outputStream.write(data);
-                return result;
-            }
-        };
-
-        ByteArrayAndResult> bytesAndResult = readyWithResult.toByteArrayAndResult();
-        assertArrayEquals(data, bytesAndResult.getBytes());
-        assertEquals(result, bytesAndResult.getResult());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/SessionKeyTest.java b/sop-java/src/test/java/sop/util/SessionKeyTest.java
deleted file mode 100644
index 2891d0d4..00000000
--- a/sop-java/src/test/java/sop/util/SessionKeyTest.java
+++ /dev/null
@@ -1,61 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import org.junit.jupiter.api.Test;
-import sop.SessionKey;
-
-public class SessionKeyTest {
-
-    @Test
-    public void fromStringTest() {
-        String string = "9:FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD";
-        SessionKey sessionKey = SessionKey.fromString(string);
-        assertEquals(string, sessionKey.toString());
-    }
-
-    @Test
-    public void toStringTest() {
-        SessionKey sessionKey = new SessionKey((byte) 9, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"));
-        assertEquals("9:FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD", sessionKey.toString());
-    }
-
-    @Test
-    public void equalsTest() {
-        SessionKey s1 = new SessionKey((byte) 9, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"));
-        SessionKey s2 = new SessionKey((byte) 9, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"));
-        SessionKey s3 = new SessionKey((byte) 4, HexUtil.hexToBytes("FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD"));
-        SessionKey s4 = new SessionKey((byte) 9, HexUtil.hexToBytes("19125CD57392BAB7037C7078359FCA4BEAF687F4025CBF9F7BCD8059CACC14FB"));
-        SessionKey s5 = new SessionKey((byte) 4, HexUtil.hexToBytes("19125CD57392BAB7037C7078359FCA4BEAF687F4025CBF9F7BCD8059CACC14FB"));
-
-        assertEquals(s1, s1);
-        assertEquals(s1, s2);
-        assertEquals(s1.hashCode(), s2.hashCode());
-        assertNotEquals(s1, s3);
-        assertNotEquals(s1.hashCode(), s3.hashCode());
-        assertNotEquals(s1, s4);
-        assertNotEquals(s1.hashCode(), s4.hashCode());
-        assertNotEquals(s4, s5);
-        assertNotEquals(s4.hashCode(), s5.hashCode());
-        assertNotEquals(s1, null);
-        assertNotEquals(s1, "FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD");
-    }
-
-    @Test
-    public void fromString_missingAlgorithmIdThrows() {
-        String missingAlgorithId = "FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD";
-        assertThrows(IllegalArgumentException.class, () -> SessionKey.fromString(missingAlgorithId));
-    }
-
-    @Test
-    public void fromString_wrongDivider() {
-        String semicolonDivider = "9;FCA4BEAF687F48059CACC14FB019125CD57392BAB7037C707835925CBF9F7BCD";
-        assertThrows(IllegalArgumentException.class, () -> SessionKey.fromString(semicolonDivider));
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/SigningResultTest.java b/sop-java/src/test/java/sop/util/SigningResultTest.java
deleted file mode 100644
index 0d35cdc1..00000000
--- a/sop-java/src/test/java/sop/util/SigningResultTest.java
+++ /dev/null
@@ -1,23 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import org.junit.jupiter.api.Test;
-import sop.MicAlg;
-import sop.SigningResult;
-
-public class SigningResultTest {
-
-    @Test
-    public void basicBuilderTest() {
-        SigningResult result = SigningResult.builder()
-                .setMicAlg(MicAlg.fromHashAlgorithmId(10))
-                .build();
-
-        assertEquals("pgp-sha512", result.getMicAlg().getMicAlg());
-    }
-}
diff --git a/sop-java/src/test/java/sop/util/UTCUtilTest.java b/sop-java/src/test/java/sop/util/UTCUtilTest.java
deleted file mode 100644
index 18de8176..00000000
--- a/sop-java/src/test/java/sop/util/UTCUtilTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNull;
-
-import java.util.Date;
-
-import org.junit.jupiter.api.Test;
-
-/**
- * Test parsing some date examples from the stateless OpenPGP CLI spec.
- *
- * @see OpenPGP Stateless CLI §4.1. Date
- */
-public class UTCUtilTest {
-
-    @Test
-    public void parseExample1() {
-        String timestamp = "2019-10-29T12:11:04+00:00";
-        Date date = UTCUtil.parseUTCDate(timestamp);
-        assertEquals("2019-10-29T12:11:04Z", UTCUtil.formatUTCDate(date));
-    }
-
-    @Test
-    public void parseExample2() {
-        String timestamp = "2019-10-24T23:48:29Z";
-        Date date = UTCUtil.parseUTCDate(timestamp);
-        assertEquals("2019-10-24T23:48:29Z", UTCUtil.formatUTCDate(date));
-    }
-
-    @Test
-    public void parseExample3() {
-        String timestamp = "20191029T121104Z";
-        Date date = UTCUtil.parseUTCDate(timestamp);
-        assertEquals("2019-10-29T12:11:04Z", UTCUtil.formatUTCDate(date));
-    }
-
-    @Test
-    public void invalidDateReturnsNull() {
-        String invalidTimestamp = "foobar";
-        Date expectNull = UTCUtil.parseUTCDate(invalidTimestamp);
-        assertNull(expectNull);
-    }
-}

From 09c2a84ec1aaea0b1880671634ec9cf874f5c939 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 11 Jan 2022 15:21:58 +0100
Subject: [PATCH 0275/1450] Add reuse header to sop-java*/readme files

---
 sop-java-picocli/README.md | 7 ++++++-
 sop-java/README.md         | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/sop-java-picocli/README.md b/sop-java-picocli/README.md
index 3c9234af..433bd576 100644
--- a/sop-java-picocli/README.md
+++ b/sop-java-picocli/README.md
@@ -1 +1,6 @@
-# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java-picocli)
\ No newline at end of file
+
+# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java-picocli)
diff --git a/sop-java/README.md b/sop-java/README.md
index e10261b6..3e30ada9 100644
--- a/sop-java/README.md
+++ b/sop-java/README.md
@@ -1 +1,6 @@
-# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java)
\ No newline at end of file
+
+# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java)

From a7208e6c42be54d04daff6423d45f6d53e3ff12c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 11 Jan 2022 15:23:49 +0100
Subject: [PATCH 0276/1450] Update CHANGELOG

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf32f122..798539e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.0.2-SNAPSHOT
 - Update SOP implementation to specification revision 03
+- Move `sop-java` and `sop-java-picocli` modules to [its own repository](https://github.com/pgpainless/sop-java)
 - `OpenPGPV4Fingerprint`: Hex decode bytes in constructor
 - Add `ArmorUtils.toAsciiArmoredString()` for single key
 - Fix `ClassCastException` when retrieving `RevocationKey` subpackets from signatures

From f4e574011ba9ae761157f28489f8457ce0319fce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 00:26:52 +0100
Subject: [PATCH 0277/1450] Add info about sop modules to root readme

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index d2c01e3f..697745cd 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,14 @@ PGPainless currently [*scores second place* on Sequoia-PGPs Interoperability Tes
 >
 > -Mario @ Cure53.de
 
+## Get Started
+
+The very easiest way to start using OpenPGP on Java/Kotlin based systems is to use an implementation of [sop-java](https://github.com/pgpainless/sop-java).
+`sop-java` defines a very stripped down API and is super easy to get started with.
+Luckily PGPainless provides an implementation for the `sop-java` interface definitions in the form of [pgpainless-sop](pgpainless-sop/README.md).
+
+If you need more flexibility, directly using `pgpainless-core` is the way to go.
+
 ## Features
 
 Most of PGPainless' features can be accessed directly from the `PGPainless` class.

From ef02163d97bbb89ee314475d33df14ba34a95ec0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 00:53:11 +0100
Subject: [PATCH 0278/1450] Remove dependency on picocli

---
 build.gradle                | 1 -
 pgpainless-cli/build.gradle | 2 --
 2 files changed, 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index af0936e1..07cb53d4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -73,7 +73,6 @@ allprojects {
         slf4jVersion = '1.7.32'
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
-        picocliVersion = '4.6.2'
         sopJavaVersion = '1.1.0'
         rootConfigDir = new File(rootDir, 'config')
         gitCommit = getGitCommit()
diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle
index 9db15a5b..3c8ab8f1 100644
--- a/pgpainless-cli/build.gradle
+++ b/pgpainless-cli/build.gradle
@@ -42,8 +42,6 @@ dependencies {
     implementation(project(":pgpainless-sop"))
     implementation "org.pgpainless:sop-java-picocli:$sopJavaVersion"
 
-    implementation "info.picocli:picocli:$picocliVersion"
-
     // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
     implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2'
 }

From 020c0be8fb3f66d06f52237896a0e41837b5146c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 01:00:00 +0100
Subject: [PATCH 0279/1450] Remove further traces of sop-java from the build
 script

---
 build.gradle | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 07cb53d4..9a1c6a8b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -31,13 +31,14 @@ allprojects {
     apply plugin: 'checkstyle'
 
     // Only generate jar for submodules
+    // without this we would generate an empty pgpainless.jar for the project root
     // https://stackoverflow.com/a/25445035
     jar {
         onlyIf { !sourceSets.main.allSource.files.isEmpty() }
     }
 
-    // For non-sop modules, enable android api compatibility check
-    if (it.name.equals('pgpainless-core') || it.name.equals('sop-java') || it.name.equals('pgpainless-sop')) {
+    // For library modules, enable android api compatibility check
+    if (it.name != 'pgpainless-cli') {
         // animalsniffer
         apply plugin: 'ru.vyarus.animalsniffer'
         dependencies {

From 9b270197c2457cff8b5bea46629e5e33eab593e3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 01:12:22 +0100
Subject: [PATCH 0280/1450] Add MIME StreamEncoding enum val

---
 .../java/org/pgpainless/algorithm/StreamEncoding.java | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
index 3ea9507b..d47304f6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
@@ -32,6 +32,17 @@ public enum StreamEncoding {
      */
     UTF8(PGPLiteralData.UTF8),
 
+    /**
+     * The literal data packet contains a MIME message body part (RFC2045).
+     * Introduced in rfc4880-bis10.
+     *
+     * TODO: Replace 'm' with 'PGPLiteralData.MIME' once BC 1.71 gets released and contains our fix:
+     *  https://github.com/bcgit/bc-java/pull/1088
+     *
+     * @see RFC4880-bis10
+     */
+    MIME('m'),
+
     /**
      * Early versions of PGP also defined a value of 'l' as a 'local' mode for machine-local conversions.
      * RFC 1991 [RFC1991] incorrectly stated this local mode flag as '1' (ASCII numeral one).

From e55fad6078cf0e7a4c0ccfb1dd89253cf4ceedf9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 01:28:15 +0100
Subject: [PATCH 0281/1450] Switch pgpainless-sop over to java-library plugin
 and api-depend on sop-java

---
 pgpainless-sop/build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle
index 87e893b2..d6b97e64 100644
--- a/pgpainless-sop/build.gradle
+++ b/pgpainless-sop/build.gradle
@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 plugins {
-    id 'java'
+    id 'java-library'
 }
 
 group 'org.pgpainless'
@@ -20,7 +20,7 @@ dependencies {
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
 
     implementation(project(":pgpainless-core"))
-    implementation "org.pgpainless:sop-java:$sopJavaVersion"
+    api "org.pgpainless:sop-java:$sopJavaVersion"
 }
 
 test {

From 7aa48f458b4782b5b003ba47fad11c0f41f6406b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 12 Jan 2022 01:48:15 +0100
Subject: [PATCH 0282/1450] Fix pgpainless-cli:jar resolution of
 pgpainless-sop.jar

---
 pgpainless-cli/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle
index 3c8ab8f1..869eedf7 100644
--- a/pgpainless-cli/build.gradle
+++ b/pgpainless-cli/build.gradle
@@ -72,4 +72,4 @@ run {
     }
 }
 
-tasks."jar".dependsOn(":pgpainless-core:assemble")
+tasks."jar".dependsOn(":pgpainless-core:assemble", ":pgpainless-sop:assemble")

From 593a6cdb6595b1c6383d28ea2c0999244cc5b4c8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 15 Jan 2022 14:38:36 +0100
Subject: [PATCH 0283/1450] Document how to include pgpainless-sop in build
 scripts

---
 pgpainless-sop/README.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 067f85c8..3de168c3 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -16,6 +16,33 @@ Implementation of the Stateless OpenPGP Protocol using PGPainless.
 This module implements `sop-java` using `pgpainless-core`.
 If your code depends on `sop-java`, this module can be used as a realization of those interfaces.
 
+## Get started
+
+To start using pgpainless-sop in your code, include the following lines in your build script:
+```
+// If you use Gradle
+...
+dependencies {
+    ...
+    implementation "org.pgpainless:pgpainless-sop:1.1.0"
+    ...
+}
+
+// If you use Maven
+...
+
+    ...
+    
+        org.pgpainless
+        pgpainless-sop
+        1.1.0
+    
+    ...
+
+```
+
+`pgpainless-sop` will transitively pull in its dependencies, such as `sop-java` and `pgpainless-core`.
+
 ## Usage Examples
 ```java
 SOP sop = new SOPImpl();

From 059a38a0a20b8e93527584f49cd4239e18553008 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 5 Feb 2022 14:41:43 +0100
Subject: [PATCH 0284/1450] sop-java, sop-java-picocli placeholder readme: add
 links to codeberg

---
 sop-java-picocli/README.md | 4 +++-
 sop-java/README.md         | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/sop-java-picocli/README.md b/sop-java-picocli/README.md
index 433bd576..d67967b9 100644
--- a/sop-java-picocli/README.md
+++ b/sop-java-picocli/README.md
@@ -3,4 +3,6 @@ SPDX-FileCopyrightText: 2022 Paul Schaub 
 
 SPDX-License-Identifier: Apache-2.0
 -->
-# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java-picocli)
+# MOVED
+* [Github](https://github.com/pgpainless/sop-java/tree/master/sop-java-picocli)
+* [Codeberg](https://codeberg.org/PGPainless/sop-java/src/branch/master/sop-java-picocli)
diff --git a/sop-java/README.md b/sop-java/README.md
index 3e30ada9..dd59c615 100644
--- a/sop-java/README.md
+++ b/sop-java/README.md
@@ -3,4 +3,6 @@ SPDX-FileCopyrightText: 2022 Paul Schaub 
 
 SPDX-License-Identifier: Apache-2.0
 -->
-# [MOVED](https://github.com/pgpainless/sop-java/tree/master/sop-java)
+# MOVED
+* [Github](https://github.com/pgpainless/sop-java/tree/master/sop-java)
+* [Codeberg](https://codeberg.org/PGPainless/sop-java/src/branch/master/sop-java)

From 94a9c84434a0f46002038ccf6d400d6f7dab8257 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 5 Feb 2022 14:48:40 +0100
Subject: [PATCH 0285/1450] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 798539e1..577c4743 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ SPDX-License-Identifier: CC0-1.0
 - `OpenPGPV4Fingerprint`: Hex decode bytes in constructor
 - Add `ArmorUtils.toAsciiArmoredString()` for single key
 - Fix `ClassCastException` when retrieving `RevocationKey` subpackets from signatures
+- Fix `pgpainless-sop` gradle script
+  - it now automatically pulls in transitive dependencies
 
 ## 1.0.1
 - Fix sourcing of preferred algorithms by primary user-id when key is located via key-id

From 132981abfa290cc6c5dffaf4b3bef094b47ff00d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 5 Feb 2022 14:55:38 +0100
Subject: [PATCH 0286/1450] PGPainless 1.0.2

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 577c4743..cb711aa2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.0.2-SNAPSHOT
+## 1.0.2
 - Update SOP implementation to specification revision 03
 - Move `sop-java` and `sop-java-picocli` modules to [its own repository](https://github.com/pgpainless/sop-java)
 - `OpenPGPV4Fingerprint`: Hex decode bytes in constructor
diff --git a/README.md b/README.md
index 697745cd..cf732a2b 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.1'
+	implementation 'org.pgpainless:pgpainless-core:1.0.2'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 3de168c3..d4acd83c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -24,7 +24,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.1.0"
+    implementation "org.pgpainless:pgpainless-sop:1.0.2"
     ...
 }
 
@@ -35,7 +35,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.1.0
+        1.0.2
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 7c12e305..b07a09f3 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.0.2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 9b5cc2da5ad6b52202229dfcd3587d2e7066b96c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 5 Feb 2022 15:05:07 +0100
Subject: [PATCH 0287/1450] PGPainless-1.0.3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index b07a09f3..9ae75440 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.2'
-        isSnapshot = false
+        shortVersion = '1.0.3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 458b4f1f783522e7548f26405f6bed535bcfb812 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Feb 2022 13:58:50 +0100
Subject: [PATCH 0288/1450] Fix detection of unarmored data in detached
 signature verification

---
 .../DecryptionStreamFactory.java              | 37 ++++++----
 .../exception/FinalIOException.java           | 17 +++++
 .../VerifyDetachedSignatureTest.java          | 71 +++++++++++++++++++
 3 files changed, 112 insertions(+), 13 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 6d7cb069..bcc9099e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -46,6 +46,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.exception.FinalIOException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.exception.MissingLiteralDataException;
@@ -154,7 +155,7 @@ public final class DecryptionStreamFactory {
             objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
             // Parse OpenPGP message
             inputStream = processPGPPackets(objectFactory, 1);
-        } catch (EOFException e) {
+        } catch (EOFException | FinalIOException e) {
             throw e;
         } catch (MissingLiteralDataException e) {
             // Not an OpenPGP message.
@@ -174,7 +175,7 @@ public final class DecryptionStreamFactory {
                 objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
                 inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory);
             } else {
-                throw e;
+                throw new FinalIOException(e);
             }
         }
 
@@ -195,18 +196,28 @@ public final class DecryptionStreamFactory {
             throw new PGPException("Maximum depth of nested packages exceeded.");
         }
         Object nextPgpObject;
-        while ((nextPgpObject = objectFactory.nextObject()) != null) {
-            if (nextPgpObject instanceof PGPEncryptedDataList) {
-                return processPGPEncryptedDataList((PGPEncryptedDataList) nextPgpObject, depth);
+        try {
+            while ((nextPgpObject = objectFactory.nextObject()) != null) {
+                if (nextPgpObject instanceof PGPEncryptedDataList) {
+                    return processPGPEncryptedDataList((PGPEncryptedDataList) nextPgpObject, depth);
+                }
+                if (nextPgpObject instanceof PGPCompressedData) {
+                    return processPGPCompressedData((PGPCompressedData) nextPgpObject, depth);
+                }
+                if (nextPgpObject instanceof PGPOnePassSignatureList) {
+                    return processOnePassSignatureList(objectFactory, (PGPOnePassSignatureList) nextPgpObject, depth);
+                }
+                if (nextPgpObject instanceof PGPLiteralData) {
+                    return processPGPLiteralData(objectFactory, (PGPLiteralData) nextPgpObject, depth);
+                }
             }
-            if (nextPgpObject instanceof PGPCompressedData) {
-                return processPGPCompressedData((PGPCompressedData) nextPgpObject, depth);
-            }
-            if (nextPgpObject instanceof PGPOnePassSignatureList) {
-                return processOnePassSignatureList(objectFactory, (PGPOnePassSignatureList) nextPgpObject, depth);
-            }
-            if (nextPgpObject instanceof PGPLiteralData) {
-                return processPGPLiteralData(objectFactory, (PGPLiteralData) nextPgpObject, depth);
+        } catch (FinalIOException e) {
+            throw e;
+        } catch (IOException e) {
+            if (depth == 1 && e.getMessage().contains("unknown object in stream:")) {
+                throw new MissingLiteralDataException("No Literal Data Packet found.");
+            } else {
+                throw new FinalIOException(e);
             }
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
new file mode 100644
index 00000000..6b6f86de
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.exception;
+
+import java.io.IOException;
+
+/**
+ * Wrapper for {@link IOException} indicating that we need to throw this exception up.
+ */
+public class FinalIOException extends IOException {
+
+    public FinalIOException(IOException e) {
+        super(e);
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java
new file mode 100644
index 00000000..01bc547d
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java
@@ -0,0 +1,71 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
+
+public class VerifyDetachedSignatureTest {
+
+    @Test
+    public void verify() throws PGPException, IOException {
+        String signedContent = "Content-Type: multipart/mixed; boundary=\"OSR6TONWKJD9dgyc2XH5AQPNnAs7pdg1t\"\n" +
+                "\n" +
+                "--OSR6TONWKJD9dgyc2XH5AQPNnAs7pdg1t\n" +
+                "Content-Type: text/plain; charset=utf-8\n" +
+                "Content-Transfer-Encoding: quoted-printable\n" +
+                "Content-Language: en-US\n" +
+                "\n" +
+                "NOT encrypted + signed(detached)\n" +
+                "\n" +
+                "\n" +
+                "\n" +
+                "--OSR6TONWKJD9dgyc2XH5AQPNnAs7pdg1t--\n";
+        String signature = "-----BEGIN PGP SIGNATURE-----\n" +
+                "\n" +
+                "iHUEARYIAB0WIQTBZCjWAcs5N4nPYdTDIInNavjWzgUCYgKPzAAKCRDDIInNavjW\n" +
+                "zmdoAP0TdFt1OWqosHhXxt2hNYqZQMc6bgQRpJNL029nRyzkPAD/SoYJ4T+aYEhw\n" +
+                "11qrbXloqkr0G3QaA6/zk31RPMI/bgI=\n" +
+                "=o5Ze\n" +
+                "-----END PGP SIGNATURE-----\n";
+        String pubkey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "mDMEYIucWBYJKwYBBAHaRw8BAQdAew+8mzMWyf3+Pfy49qa60uKV6e5os7de4TdZ\n" +
+                "ceAWUq+0F2RlbmJvbmQ3QGZsb3djcnlwdC50ZXN0iHgEExYKACAFAmCLnFgCGwMF\n" +
+                "FgIDAQAECwkIBwUVCgkICwIeAQIZAQAKCRDDIInNavjWzm3JAQCgFgCEyD58iEa/\n" +
+                "Rw/DYNoQNoZC1lhw1bxBiOcIbtkdBgEAsDFZu3TBavOMKI7KW+vfMBHtRVbkMNpv\n" +
+                "unaAldoabgO4OARgi5xYEgorBgEEAZdVAQUBAQdAB1/Mrq5JGYim4KqGTSK4OESQ\n" +
+                "UwPgK56q0yrkiU9WgyYDAQgHiHUEGBYKAB0FAmCLnFgCGwwFFgIDAQAECwkIBwUV\n" +
+                "CgkICwIeAQAKCRDDIInNavjWzjMgAQCU+R1fItqdY6lt9jXUqipmXuqVaEFPwNA8\n" +
+                "YJ1rIwDwVQEAyUc8162KWzA2iQB5akwLwNr/pLDDtOWwhLUkrBb3mAc=\n" +
+                "=pXF6\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+
+        DecryptionStream verifier = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8)))
+                .withOptions(
+                        new ConsumerOptions()
+                                .addVerificationOfDetachedSignatures(new ByteArrayInputStream(signature.getBytes(StandardCharsets.UTF_8)))
+                                .addVerificationCerts(PGPainless.readKeyRing().keyRingCollection(pubkey, true).getPgpPublicKeyRingCollection())
+                                .setMultiPassStrategy(new InMemoryMultiPassStrategy())
+                );
+
+        Streams.drain(verifier);
+        verifier.close();
+        OpenPgpMetadata metadata = verifier.getResult();
+        assertTrue(metadata.isVerified());
+    }
+}

From 09c091bfeaadda7c2859f1bdd4c8ba4b3b874657 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Feb 2022 14:09:12 +0100
Subject: [PATCH 0289/1450] PGPainless 1.0.3

---
 CHANGELOG.md   | 3 +++
 README.md      | 2 +-
 version.gradle | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb711aa2..c502e989 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.0.3
+- Fix detection of unarmored data in signature verification
+
 ## 1.0.2
 - Update SOP implementation to specification revision 03
 - Move `sop-java` and `sop-java-picocli` modules to [its own repository](https://github.com/pgpainless/sop-java)
diff --git a/README.md b/README.md
index cf732a2b..dd4f1374 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.2'
+	implementation 'org.pgpainless:pgpainless-core:1.0.3'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index 9ae75440..73daad1d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.0.3'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From e276507b653daad0673de1007a327a66261019bc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Feb 2022 14:11:11 +0100
Subject: [PATCH 0290/1450] PGPainless-1.0.4-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 73daad1d..bf9c1eee 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.3'
-        isSnapshot = false
+        shortVersion = '1.0.4'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From b33885c268b9b255abf0fb3c6e549e16b8182832 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 14:19:46 +0100
Subject: [PATCH 0291/1450] Remove accidental marking of buffered stream in
 PGPUtilWrapper

---
 .../src/main/java/org/pgpainless/util/PGPUtilWrapper.java        | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
index c01dd03d..dd95a3bc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
@@ -27,7 +27,6 @@ public final class PGPUtilWrapper {
      * @throws IOException in case of an io error which is unrelated to base64 encoding
      */
     public static InputStream getDecoderStream(BufferedInputStream buf) throws IOException {
-        buf.mark(512);
         try {
             return PGPUtil.getDecoderStream(buf);
         } catch (IOException e) {

From f3cf3456abd1ad57a33018eaffaa06bec9802265 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 14:21:12 +0100
Subject: [PATCH 0292/1450] ConsumerOptions.setIsCleartextSigned -> return this

---
 .../pgpainless/decryption_verification/ConsumerOptions.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 436d9356..66b5c4c8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -351,8 +351,9 @@ public class ConsumerOptions {
      * INTERNAL method to mark cleartext signed messages.
      * Do not call this manually.
      */
-    public void setIsCleartextSigned() {
+    public ConsumerOptions setIsCleartextSigned() {
         this.cleartextSigned = true;
+        return this;
     }
 
     /**

From e8da3b30d84b5ea60133d3d41196b0b31994489b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 14:21:28 +0100
Subject: [PATCH 0293/1450] Yet another patch for ASCII armor detection -.-

---
 .../DecryptionStreamFactory.java              |  6 +-
 .../VerifyDetachedSignatureTest.java          | 77 ++++++++++++++++++-
 2 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index bcc9099e..daf94a9a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -172,8 +172,7 @@ public final class DecryptionStreamFactory {
                 LOGGER.debug("The message is apparently not armored.");
                 bufferedIn.reset();
                 decoderStream = bufferedIn;
-                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
-                inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory);
+                inputStream = wrapInVerifySignatureStream(bufferedIn, null);
             } else {
                 throw new FinalIOException(e);
             }
@@ -214,6 +213,9 @@ public final class DecryptionStreamFactory {
         } catch (FinalIOException e) {
             throw e;
         } catch (IOException e) {
+            if (depth == 1 && e.getMessage().contains("invalid armor")) {
+                throw e;
+            }
             if (depth == 1 && e.getMessage().contains("unknown object in stream:")) {
                 throw new MissingLiteralDataException("No Literal Data Packet found.");
             } else {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java
index 01bc547d..fa1427d3 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyDetachedSignatureTest.java
@@ -19,7 +19,7 @@ import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMulti
 public class VerifyDetachedSignatureTest {
 
     @Test
-    public void verify() throws PGPException, IOException {
+    public void test1() throws PGPException, IOException {
         String signedContent = "Content-Type: multipart/mixed; boundary=\"OSR6TONWKJD9dgyc2XH5AQPNnAs7pdg1t\"\n" +
                 "\n" +
                 "--OSR6TONWKJD9dgyc2XH5AQPNnAs7pdg1t\n" +
@@ -68,4 +68,79 @@ public class VerifyDetachedSignatureTest {
         OpenPgpMetadata metadata = verifier.getResult();
         assertTrue(metadata.isVerified());
     }
+
+    @Test
+    public void test2() throws PGPException, IOException {
+        String signedContent = "Content-Type: multipart/mixed; boundary=\"------------26m0wPaTDf7nRDIftnMj4qjE\";\r\n" +
+                " protected-headers=\"v1\"\r\n" +
+                "From: Denys \r\n" +
+                "To: default@flowcrypt.test\r\n" +
+                "Message-ID: \r\n" +
+                "Subject: Signed + pub key\r\n" +
+                "\r\n" +
+                "--------------26m0wPaTDf7nRDIftnMj4qjE\r\n" +
+                "Content-Type: multipart/mixed; boundary=\"------------RQxi6oNuQI1n8MnuNglORR5s\"\r\n" +
+                "\r\n" +
+                "--------------RQxi6oNuQI1n8MnuNglORR5s\r\n" +
+                "Content-Type: text/plain; charset=UTF-8; format=flowed\r\n" +
+                "Content-Transfer-Encoding: base64\r\n" +
+                "\r\n" +
+                "U29tZSBpbXBvcnRhbnQgdGV4dA0KDQo=\r\n" +
+                "--------------RQxi6oNuQI1n8MnuNglORR5s\r\n" +
+                "Content-Type: application/pgp-keys; name=\"OpenPGP_0xC32089CD6AF8D6CE.asc\"\r\n" +
+                "Content-Disposition: attachment; filename=\"OpenPGP_0xC32089CD6AF8D6CE.asc\"\r\n" +
+                "Content-Description: OpenPGP public key\r\n" +
+                "Content-Transfer-Encoding: quoted-printable\r\n" +
+                "\r\n" +
+                "-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n" +
+                "\r\n" +
+                "xjMEYIucWBYJKwYBBAHaRw8BAQdAew+8mzMWyf3+Pfy49qa60uKV6e5os7de4TdZ\r\n" +
+                "ceAWUq/NF2RlbmJvbmQ3QGZsb3djcnlwdC50ZXN0wngEExYKACAFAmCLnFgCGwMF\r\n" +
+                "FgIDAQAECwkIBwUVCgkICwIeAQIZAQAKCRDDIInNavjWzm3JAQCgFgCEyD58iEa/\r\n" +
+                "Rw/DYNoQNoZC1lhw1bxBiOcIbtkdBgEAsDFZu3TBavOMKI7KW+vfMBHtRVbkMNpv\r\n" +
+                "unaAldoabgPOOARgi5xYEgorBgEEAZdVAQUBAQdAB1/Mrq5JGYim4KqGTSK4OESQ\r\n" +
+                "UwPgK56q0yrkiU9WgyYDAQgHwnUEGBYKAB0FAmCLnFgCGwwFFgIDAQAECwkIBwUV\r\n" +
+                "CgkICwIeAQAKCRDDIInNavjWzjMgAQCU+R1fItqdY6lt9jXUqipmXuqVaEFPwNA8\r\n" +
+                "YJ1rIwDwVQEAyUc8162KWzA2iQB5akwLwNr/pLDDtOWwhLUkrBb3mAc=3D\r\n" +
+                "=3DyJxA\r\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\r\n" +
+                "\r\n" +
+                "--------------RQxi6oNuQI1n8MnuNglORR5s--\r\n" +
+                "\r\n" +
+                "--------------26m0wPaTDf7nRDIftnMj4qjE--\r\n";
+        String signature = "-----BEGIN PGP SIGNATURE-----\n" +
+                "\n" +
+                "wnsEABYIACMWIQTBZCjWAcs5N4nPYdTDIInNavjWzgUCYguNRQUDAAAAAAAKCRDDIInNavjWzoxf\n" +
+                "AQCOCu6bityLBbY1MPF+smwYLjkJvzEHf+ErXC7KkI4mnAEAn7FPPOzJAwWENv8a//0zg4P9Ymdr\n" +
+                "uyp1EJ1tsavXRQA=\n" +
+                "=K5yW\n" +
+                "-----END PGP SIGNATURE-----\n";
+        String pubkey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "mDMEYIucWBYJKwYBBAHaRw8BAQdAew+8mzMWyf3+Pfy49qa60uKV6e5os7de4TdZ\n" +
+                "ceAWUq+0F2RlbmJvbmQ3QGZsb3djcnlwdC50ZXN0iHgEExYKACAFAmCLnFgCGwMF\n" +
+                "FgIDAQAECwkIBwUVCgkICwIeAQIZAQAKCRDDIInNavjWzm3JAQCgFgCEyD58iEa/\n" +
+                "Rw/DYNoQNoZC1lhw1bxBiOcIbtkdBgEAsDFZu3TBavOMKI7KW+vfMBHtRVbkMNpv\n" +
+                "unaAldoabgO4OARgi5xYEgorBgEEAZdVAQUBAQdAB1/Mrq5JGYim4KqGTSK4OESQ\n" +
+                "UwPgK56q0yrkiU9WgyYDAQgHiHUEGBYKAB0FAmCLnFgCGwwFFgIDAQAECwkIBwUV\n" +
+                "CgkICwIeAQAKCRDDIInNavjWzjMgAQCU+R1fItqdY6lt9jXUqipmXuqVaEFPwNA8\n" +
+                "YJ1rIwDwVQEAyUc8162KWzA2iQB5akwLwNr/pLDDtOWwhLUkrBb3mAc=\n" +
+                "=pXF6\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+        DecryptionStream verifier = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(signedContent.getBytes(StandardCharsets.UTF_8)))
+                .withOptions(
+                        new ConsumerOptions()
+                                .addVerificationOfDetachedSignatures(new ByteArrayInputStream(signature.getBytes(StandardCharsets.UTF_8)))
+                                .addVerificationCerts(PGPainless.readKeyRing().keyRingCollection(pubkey, true).getPgpPublicKeyRingCollection())
+                                .setMultiPassStrategy(new InMemoryMultiPassStrategy())
+                );
+
+        Streams.drain(verifier);
+        verifier.close();
+        OpenPgpMetadata metadata = verifier.getResult();
+        assertTrue(metadata.isVerified());
+    }
 }

From bb9e3e89b16aac97b9455b4b39b7cdfd01bf431e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 14:25:45 +0100
Subject: [PATCH 0294/1450] PGPainless 1.0.4

---
 CHANGELOG.md   | 3 +++
 README.md      | 2 +-
 version.gradle | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c502e989..fb76a07a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.0.4
+- Yet another patch for faulty ASCII armor detection 😒
+
 ## 1.0.3
 - Fix detection of unarmored data in signature verification
 
diff --git a/README.md b/README.md
index dd4f1374..3e726b82 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.3'
+	implementation 'org.pgpainless:pgpainless-core:1.0.4'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index bf9c1eee..80cba090 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.0.4'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 5b4018d2f095687308b60c797bce9caefbdeed20 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 14:27:38 +0100
Subject: [PATCH 0295/1450] PGPainless-1.0.5-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 80cba090..1dfd0e29 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.4'
-        isSnapshot = false
+        shortVersion = '1.0.5'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From c405a9999432329dd0a2229950db37f834768fc0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 10 Feb 2022 00:13:35 +0100
Subject: [PATCH 0296/1450] Bump sop-java to 1.2.0

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 9a1c6a8b..b0881e63 100644
--- a/build.gradle
+++ b/build.gradle
@@ -74,7 +74,7 @@ allprojects {
         slf4jVersion = '1.7.32'
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.1.0'
+        sopJavaVersion = '1.2.0'
         rootConfigDir = new File(rootDir, 'config')
         gitCommit = getGitCommit()
         isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI'))

From 2b9d92ed8996bac13720e4015f7ff16d892a73ba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 10 Feb 2022 10:50:36 +0100
Subject: [PATCH 0297/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb76a07a..aabeb14c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.1.0-SNAPSHOT
+- `pgpainless-sop`: Update `sop-java` to version 1.2.0
+    - Treat passwords and session keys as indirect parameters
+
 ## 1.0.4
 - Yet another patch for faulty ASCII armor detection 😒
 

From 36c5ec8a283471d1cd20aef77f581cd1819879ae Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Feb 2022 14:23:19 +0100
Subject: [PATCH 0298/1450] Host javadoc on javadoc.io

---
 README.md                 | 2 +-
 pgpainless-cli/README.md  | 2 ++
 pgpainless-core/README.md | 5 ++++-
 pgpainless-sop/README.md  | 3 +--
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 3e726b82..b55ee7f8 100644
--- a/README.md
+++ b/README.md
@@ -9,10 +9,10 @@ SPDX-License-Identifier: Apache-2.0
 [![Travis (.com)](https://travis-ci.com/pgpainless/pgpainless.svg?branch=master)](https://travis-ci.com/pgpainless/pgpainless)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
 [![Coverage Status](https://coveralls.io/repos/github/pgpainless/pgpainless/badge.svg?branch=master)](https://coveralls.io/github/pgpainless/pgpainless?branch=master)
-[![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/)
 [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/)
 [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A)
 [![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
+
 ## About
 
 PGPainless aims to make using OpenPGP in Java projects as simple as possible.
diff --git a/pgpainless-cli/README.md b/pgpainless-cli/README.md
index 4f691f56..d1d72afc 100644
--- a/pgpainless-cli/README.md
+++ b/pgpainless-cli/README.md
@@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-CLI
 
+[![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-cli/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-cli)
+
 PGPainless-CLI is an implementation of the [Stateless OpenPGP Command Line Interface](https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli-01) specification based on PGPainless.
 
 It plugs `pgpainless-sop` into `sop-java-picocli`.
diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md
index 091722b8..d7b0a036 100644
--- a/pgpainless-core/README.md
+++ b/pgpainless-core/README.md
@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-Core
 
+[![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-core/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-core)
+[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
+
 Wrapper around Bouncycastle's OpenPGP implementation.
 
 ## Protection Against Attacks
@@ -50,4 +53,4 @@ It is therefore responsibility of the consumer to ensure that an attacker on the
 It is highly advised to store both secret and public keys in a secure key storage which protects against modifications.
 
 Furthermore, PGPainless cannot verify key authenticity, so it is up to the application that uses PGPainless to check,
-if a key really belongs to a certain user.
\ No newline at end of file
+if a key really belongs to a certain user.
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index d4acd83c..c20b58c4 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -8,8 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 
 [![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-sop)](https://search.maven.org/artifact/org.pgpainless/pgpainless-sop)
-[![JavaDoc](https://badgen.net/badge/javadoc/yes/green)](https://pgpainless.org/releases/latest/javadoc/org/pgpainless/sop/package-summary.html)
-[![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
+[![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-sop/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-sop)
 
 Implementation of the Stateless OpenPGP Protocol using PGPainless.
 

From 66d81067b51746a4ca0ee6bd7ed65be0d66abc71 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Feb 2022 14:39:11 +0100
Subject: [PATCH 0299/1450] Update README javadoc link

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b55ee7f8..4e505ce6 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ If you need more flexibility, directly using `pgpainless-core` is the way to go.
 Most of PGPainless' features can be accessed directly from the `PGPainless` class.
 If you want to get started, this class is your friend :)
 
-For further details you should check out the [javadoc](https://pgpainless.org/releases/latest/javadoc/)!
+For further details you should check out the [javadoc](https://javadoc.io/doc/org.pgpainless/pgpainless-core)!
 
 ### Handle Keys
 Reading keys from ASCII armored strings or from binary files is easy:

From b31742f215d363dac3225ab8daa4ae34eb355841 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 15:00:42 +0100
Subject: [PATCH 0300/1450] PGPainless 1.1.0

---
 CHANGELOG.md   | 3 ++-
 README.md      | 2 +-
 version.gradle | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aabeb14c..5e3c57bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,9 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.0-SNAPSHOT
+## 1.1.0
 - `pgpainless-sop`: Update `sop-java` to version 1.2.0
     - Treat passwords and session keys as indirect parameters
+      This means they are no longer treated as string input, but pointers to files or env variables
 
 ## 1.0.4
 - Yet another patch for faulty ASCII armor detection 😒
diff --git a/README.md b/README.md
index 4e505ce6..d3713423 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.0.4'
+	implementation 'org.pgpainless:pgpainless-core:1.1.0'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index 1dfd0e29..3377af2c 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.0.5'
-        isSnapshot = true
+        shortVersion = '1.1.0'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 8edd0c6a148fc4041df7bbfec696db59e691328b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 15:03:50 +0100
Subject: [PATCH 0301/1450] PGPainless-1.1.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 3377af2c..e88ae14d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.0'
-        isSnapshot = false
+        shortVersion = '1.1.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 5e48a5a786eee433ee51a6c9a664b335b288ec84 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Feb 2022 18:44:58 +0100
Subject: [PATCH 0302/1450] Update SECURITY.md

---
 SECURITY.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 2448191a..59e9adbf 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -13,9 +13,10 @@ Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
 | Version | Supported          |
-| ------- | ------------------ |
-| 0.2.x   | :white_check_mark: |
-| < 0.2.0 | :x:                |
+|---------| ------------------ |
+| 1.1.X   | :white_check_mark: |
+| 1.0.X   | :white_check_mark: |
+| < 1.0.0 | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -23,3 +24,11 @@ If you find a security relevant vulnerability inside PGPainless, please let me k
 [Here](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A) you can find my OpenPGP key to email me confidentially.
 
 Valid security issues will be fixed ASAP.
+
+## Audits
+
+### Cure53 - FLO-04
+PGPainless has received a security audit by [cure53.de](https://cure53.de) in late 2021.
+The [penetrationj test and audit](https://cure53.de/pentest-report_pgpainless.pdf) covered PGPainless
+release candidate 1.0.0-rc6.
+Security fixes for discovered flaws were deployed before the final 1.0.0 release.
\ No newline at end of file

From 08a3f3e8b041f173d7da7234b9c2228151b9a6dc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Feb 2022 13:50:45 +0100
Subject: [PATCH 0303/1450] s/Bouncycastle/Bouncy Castle

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d3713423..872d1549 100644
--- a/README.md
+++ b/README.md
@@ -19,10 +19,10 @@ PGPainless aims to make using OpenPGP in Java projects as simple as possible.
 It does so by introducing an intuitive Builder structure, which allows easy 
 setup of encryption/decryption operations, as well as straight forward key generation.
 
-PGPainless is based around the Bouncycastle java library and can be used on Android down to API level 10.
-It can be configured to either use the Java Cryptographic Engine (JCE), or Bouncycastles lightweight reimplementation.
+PGPainless is based around the Bouncy Castle java library and can be used on Android down to API level 10.
+It can be configured to either use the Java Cryptographic Engine (JCE), or Bouncy Castles lightweight reimplementation.
 
-While signature verification in Bouncycastle is limited to signature correctness, PGPainless goes much further.
+While signature verification in Bouncy Castle is limited to signature correctness, PGPainless goes much further.
 It also checks if signing subkeys are properly bound to their primary key, if keys are expired or revoked, as well as
 if keys are allowed to create signatures in the first place.
 

From a3f9311d9a9bb080c506af6d08f28d93072c9bfe Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 19 Feb 2022 14:48:17 +0100
Subject: [PATCH 0304/1450] Add some comments to messy DecryptionStreamFactory
 code

---
 .../decryption_verification/DecryptionStreamFactory.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index daf94a9a..575a5e5f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -133,6 +133,11 @@ public final class DecryptionStreamFactory {
         InputStream decoderStream;
         PGPObjectFactory objectFactory;
 
+        // Workaround for cleartext signed data
+        // If we below threw a WrongConsumingMethodException, the CleartextSignatureProcessor will prepare the
+        // message for us and will set options.isCleartextSigned() to true.
+        // That way we can process long messages without running the issue of resetting the bufferedInputStream
+        // to invalid marks.
         if (options.isCleartextSigned()) {
             inputStream = wrapInVerifySignatureStream(bufferedIn, null);
             return new DecryptionStream(inputStream, resultBuilder, integrityProtectedEncryptedInputStream,
@@ -146,6 +151,9 @@ public final class DecryptionStreamFactory {
             if (decoderStream instanceof ArmoredInputStream) {
                 ArmoredInputStream armor = (ArmoredInputStream) decoderStream;
 
+                // Cleartext Signed Message
+                // Throw a WrongConsumingMethodException to delegate preparation (extraction of signatures)
+                // to the CleartextSignatureProcessor which will call us again (see comment above)
                 if (armor.isClearText()) {
                     throw new WrongConsumingMethodException("Message appears to be using the Cleartext Signature Framework. " +
                             "Use PGPainless.verifyCleartextSignedMessage() to verify this message instead.");
@@ -156,6 +164,7 @@ public final class DecryptionStreamFactory {
             // Parse OpenPGP message
             inputStream = processPGPPackets(objectFactory, 1);
         } catch (EOFException | FinalIOException e) {
+            // Broken message or invalid decryption session key
             throw e;
         } catch (MissingLiteralDataException e) {
             // Not an OpenPGP message.

From 41ed056165f8648fc2d1a0866985dc500a41b036 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 19 Feb 2022 16:05:02 +0100
Subject: [PATCH 0305/1450] By default emit IssuerFingerprint signature
 subpackets as non-critical

---
 .../pgpainless/signature/subpackets/SignatureSubpackets.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index 7076873f..73730fd3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -136,7 +136,7 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setIssuerFingerprint(@Nonnull PGPPublicKey key) {
-        return setIssuerFingerprint(true, key);
+        return setIssuerFingerprint(false, key);
     }
 
     @Override

From db58280db65b28e8b05fd01ee78026320a1c8c69 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 19 Feb 2022 17:07:56 +0100
Subject: [PATCH 0306/1450] Change default criticality of signature subpackets
 to mirror those of sequoia

---
 .../builder/RevocationSignatureBuilder.java   |  2 +-
 .../subpackets/BaseSignatureSubpackets.java   |  4 ++++
 .../subpackets/SignatureSubpackets.java       | 20 ++++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
index e2e9c0c0..3c2dcab9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/RevocationSignatureBuilder.java
@@ -19,7 +19,7 @@ public class RevocationSignatureBuilder extends AbstractSignatureBuilder algorithms) {
-        return setPreferredCompressionAlgorithms(true, algorithms);
+        return setPreferredCompressionAlgorithms(false, algorithms);
     }
 
     @Override
@@ -342,7 +342,7 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setPreferredSymmetricKeyAlgorithms(Set algorithms) {
-        return setPreferredSymmetricKeyAlgorithms(true, algorithms);
+        return setPreferredSymmetricKeyAlgorithms(false, algorithms);
     }
 
     @Override
@@ -381,7 +381,7 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setPreferredHashAlgorithms(Set algorithms) {
-        return setPreferredHashAlgorithms(true, algorithms);
+        return setPreferredHashAlgorithms(false, algorithms);
     }
 
     @Override
@@ -465,6 +465,11 @@ public class SignatureSubpackets
         return new ArrayList<>(intendedRecipientFingerprintList);
     }
 
+    @Override
+    public SignatureSubpackets setExportable(boolean exportable) {
+        return setExportable(true, exportable);
+    }
+
     @Override
     public SignatureSubpackets setExportable(boolean isCritical, boolean isExportable) {
         return setExportable(new Exportable(isCritical, isExportable));
@@ -480,6 +485,11 @@ public class SignatureSubpackets
         return exportable;
     }
 
+    @Override
+    public SignatureSubpackets setRevocable(boolean revocable) {
+        return setRevocable(true, revocable);
+    }
+
     @Override
     public SignatureSubpackets setRevocable(boolean isCritical, boolean isRevocable) {
         return setRevocable(new Revocable(isCritical, isRevocable));
@@ -530,7 +540,7 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setRevocationReason(RevocationAttributes revocationAttributes) {
-        return setRevocationReason(true, revocationAttributes);
+        return setRevocationReason(false, revocationAttributes);
     }
 
     @Override

From 1753cef10eaa79f370bf81de2d55d6792b4f46e3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 19 Feb 2022 15:41:43 +0100
Subject: [PATCH 0307/1450] Simplify handling of cleartext-signed data

---
 .../ConsumerOptions.java                      | 18 ----
 .../DecryptionBuilder.java                    | 20 +----
 .../DecryptionStreamFactory.java              | 84 +++++++++++--------
 .../CleartextSignatureProcessor.java          | 75 -----------------
 .../MultiPassStrategy.java                    |  2 +-
 .../VerifyCleartextSignatures.java            | 36 --------
 .../VerifyCleartextSignaturesImpl.java        | 30 -------
 .../CleartextSignatureVerificationTest.java   | 32 -------
 8 files changed, 55 insertions(+), 242 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 66b5c4c8..c23ede3d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -53,7 +53,6 @@ public class ConsumerOptions {
     private MissingKeyPassphraseStrategy missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE;
 
     private MultiPassStrategy multiPassStrategy = new InMemoryMultiPassStrategy();
-    private boolean cleartextSigned;
 
     /**
      * Consider signatures on the message made before the given timestamp invalid.
@@ -346,21 +345,4 @@ public class ConsumerOptions {
     public MultiPassStrategy getMultiPassStrategy() {
         return multiPassStrategy;
     }
-
-    /**
-     * INTERNAL method to mark cleartext signed messages.
-     * Do not call this manually.
-     */
-    public ConsumerOptions setIsCleartextSigned() {
-        this.cleartextSigned = true;
-        return this;
-    }
-
-    /**
-     * Return true if the message is cleartext signed.
-     * @return cleartext signed
-     */
-    public boolean isCleartextSigned() {
-        return this.cleartextSigned;
-    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
index 6cc28a7f..68a68847 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
@@ -4,19 +4,14 @@
 
 package org.pgpainless.decryption_verification;
 
-import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPException;
-import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl;
-import org.pgpainless.exception.WrongConsumingMethodException;
 
 public class DecryptionBuilder implements DecryptionBuilderInterface {
 
-    public static int BUFFER_SIZE = 4096;
-
     @Override
     public DecryptWith onInputStream(@Nonnull InputStream inputStream) {
         return new DecryptWithImpl(inputStream);
@@ -24,11 +19,10 @@ public class DecryptionBuilder implements DecryptionBuilderInterface {
 
     static class DecryptWithImpl implements DecryptWith {
 
-        private final BufferedInputStream inputStream;
+        private final InputStream inputStream;
 
         DecryptWithImpl(InputStream inputStream) {
-            this.inputStream = new BufferedInputStream(inputStream, BUFFER_SIZE);
-            this.inputStream.mark(BUFFER_SIZE);
+            this.inputStream = inputStream;
         }
 
         @Override
@@ -37,15 +31,7 @@ public class DecryptionBuilder implements DecryptionBuilderInterface {
                 throw new IllegalArgumentException("Consumer options cannot be null.");
             }
 
-            try {
-                return DecryptionStreamFactory.create(inputStream, consumerOptions);
-            } catch (WrongConsumingMethodException e) {
-                inputStream.reset();
-                return new VerifyCleartextSignaturesImpl()
-                        .onInputStream(inputStream)
-                        .withOptions(consumerOptions)
-                        .getVerificationStream();
-            }
+            return DecryptionStreamFactory.create(inputStream, consumerOptions);
         }
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 575a5e5f..fbdd6229 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -36,6 +36,7 @@ import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
@@ -46,6 +47,8 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
+import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.exception.FinalIOException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -53,7 +56,6 @@ import org.pgpainless.exception.MissingLiteralDataException;
 import org.pgpainless.exception.MissingPassphraseException;
 import org.pgpainless.exception.SignatureValidationException;
 import org.pgpainless.exception.UnacceptableAlgorithmException;
-import org.pgpainless.exception.WrongConsumingMethodException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
@@ -62,6 +64,7 @@ import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.DetachedSignatureCheck;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
+import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.CRCingArmoredInputStreamWrapper;
 import org.pgpainless.util.PGPUtilWrapper;
 import org.pgpainless.util.Passphrase;
@@ -77,6 +80,9 @@ public final class DecryptionStreamFactory {
     // Maximum nesting depth of packets (e.g. compression, encryption...)
     private static final int MAX_PACKET_NESTING_DEPTH = 16;
 
+    // Buffer Size for BufferedInputStreams
+    public static int BUFFER_SIZE = 4096;
+
     private final ConsumerOptions options;
     private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
     private final List onePassSignatureChecks = new ArrayList<>();
@@ -92,7 +98,8 @@ public final class DecryptionStreamFactory {
                                           @Nonnull ConsumerOptions options)
             throws PGPException, IOException {
         DecryptionStreamFactory factory = new DecryptionStreamFactory(options);
-        return factory.parseOpenPGPDataAndCreateDecryptionStream(inputStream);
+        BufferedInputStream bufferedIn = new BufferedInputStream(inputStream, BUFFER_SIZE);
+        return factory.parseOpenPGPDataAndCreateDecryptionStream(bufferedIn);
     }
 
     public DecryptionStreamFactory(ConsumerOptions options) {
@@ -125,44 +132,34 @@ public final class DecryptionStreamFactory {
         }
     }
 
-    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(InputStream inputStream)
+    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(BufferedInputStream bufferedIn)
             throws IOException, PGPException {
-        // Make sure we handle armored and non-armored data properly
-        BufferedInputStream bufferedIn = new BufferedInputStream(inputStream, 512);
-        bufferedIn.mark(512);
-        InputStream decoderStream;
+        InputStream pgpInStream;
+        InputStream outerDecodingStream;
         PGPObjectFactory objectFactory;
 
-        // Workaround for cleartext signed data
-        // If we below threw a WrongConsumingMethodException, the CleartextSignatureProcessor will prepare the
-        // message for us and will set options.isCleartextSigned() to true.
-        // That way we can process long messages without running the issue of resetting the bufferedInputStream
-        // to invalid marks.
-        if (options.isCleartextSigned()) {
-            inputStream = wrapInVerifySignatureStream(bufferedIn, null);
-            return new DecryptionStream(inputStream, resultBuilder, integrityProtectedEncryptedInputStream,
-                    null);
-        }
-
         try {
-            decoderStream = PGPUtilWrapper.getDecoderStream(bufferedIn);
-            decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream);
+            outerDecodingStream = PGPUtilWrapper.getDecoderStream(bufferedIn);
+            outerDecodingStream = CRCingArmoredInputStreamWrapper.possiblyWrap(outerDecodingStream);
 
-            if (decoderStream instanceof ArmoredInputStream) {
-                ArmoredInputStream armor = (ArmoredInputStream) decoderStream;
+            if (outerDecodingStream instanceof ArmoredInputStream) {
+                ArmoredInputStream armor = (ArmoredInputStream) outerDecodingStream;
 
                 // Cleartext Signed Message
                 // Throw a WrongConsumingMethodException to delegate preparation (extraction of signatures)
                 // to the CleartextSignatureProcessor which will call us again (see comment above)
                 if (armor.isClearText()) {
-                    throw new WrongConsumingMethodException("Message appears to be using the Cleartext Signature Framework. " +
-                            "Use PGPainless.verifyCleartextSignedMessage() to verify this message instead.");
+                    bufferedIn.reset();
+                    return parseCleartextSignedMessage(bufferedIn);
                 }
             }
 
-            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
+            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
             // Parse OpenPGP message
-            inputStream = processPGPPackets(objectFactory, 1);
+            pgpInStream = processPGPPackets(objectFactory, 1);
+            return new DecryptionStream(pgpInStream,
+                    resultBuilder, integrityProtectedEncryptedInputStream,
+                    (outerDecodingStream instanceof ArmoredInputStream) ? outerDecodingStream : null);
         } catch (EOFException | FinalIOException e) {
             // Broken message or invalid decryption session key
             throw e;
@@ -172,23 +169,44 @@ public final class DecryptionStreamFactory {
             //  to allow for detached signature verification.
             LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?");
             bufferedIn.reset();
-            decoderStream = bufferedIn;
-            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
-            inputStream = wrapInVerifySignatureStream(bufferedIn, objectFactory);
+            outerDecodingStream = bufferedIn;
+            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
+            pgpInStream = wrapInVerifySignatureStream(bufferedIn, objectFactory);
         } catch (IOException e) {
             if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) {
                 // We falsely assumed the data to be armored.
                 LOGGER.debug("The message is apparently not armored.");
                 bufferedIn.reset();
-                decoderStream = bufferedIn;
-                inputStream = wrapInVerifySignatureStream(bufferedIn, null);
+                outerDecodingStream = CRCingArmoredInputStreamWrapper.possiblyWrap(bufferedIn);
+                pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
             } else {
                 throw new FinalIOException(e);
             }
         }
 
-        return new DecryptionStream(inputStream, resultBuilder, integrityProtectedEncryptedInputStream,
-                (decoderStream instanceof ArmoredInputStream) ? decoderStream : null);
+        return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream,
+                (outerDecodingStream instanceof ArmoredInputStream) ? outerDecodingStream : null);
+    }
+
+    private DecryptionStream parseCleartextSignedMessage(BufferedInputStream in)
+            throws IOException, PGPException {
+        resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
+                .setFileEncoding(StreamEncoding.TEXT);
+
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(in);
+
+        MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
+        PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
+
+        for (PGPSignature signature : signatures) {
+            options.addVerificationOfDetachedSignature(signature);
+        }
+
+        initializeDetachedSignatures(options.getDetachedSignatures());
+
+        InputStream verifyIn = wrapInVerifySignatureStream(multiPassStrategy.getMessageInputStream(), null);
+        return new DecryptionStream(verifyIn, resultBuilder, integrityProtectedEncryptedInputStream,
+                null);
     }
 
     private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java
deleted file mode 100644
index 26e33a96..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/CleartextSignatureProcessor.java
+++ /dev/null
@@ -1,75 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification.cleartext_signatures;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import org.bouncycastle.bcpg.ArmoredInputStream;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.CompressionAlgorithm;
-import org.pgpainless.algorithm.StreamEncoding;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
-import org.pgpainless.exception.SignatureValidationException;
-import org.pgpainless.util.ArmoredInputStreamFactory;
-
-/**
- * Processor for cleartext-signed messages.
- */
-public class CleartextSignatureProcessor {
-
-    private final ArmoredInputStream in;
-    private final ConsumerOptions options;
-
-    public CleartextSignatureProcessor(InputStream inputStream,
-                                       ConsumerOptions options)
-            throws IOException {
-        if (inputStream instanceof ArmoredInputStream) {
-            this.in = (ArmoredInputStream) inputStream;
-        } else {
-            this.in = ArmoredInputStreamFactory.get(inputStream);
-        }
-        this.options = options;
-    }
-
-    /**
-     * Perform the first pass of cleartext signed message processing:
-     * Unpack the message from the ascii armor and detach signatures.
-     * The plaintext message is being written to cache/disk according to the used {@link MultiPassStrategy}.
-     *
-     * The result of this method is a {@link DecryptionStream} which will perform the second pass.
-     * It again outputs the plaintext message and performs signature verification.
-     *
-     * The result of {@link DecryptionStream#getResult()} contains information about the messages signatures.
-     *
-     * @return validated signature
-     * @throws IOException if the signature cannot be read.
-     * @throws PGPException if the signature cannot be initialized.
-     * @throws SignatureValidationException if the signature is invalid.
-     */
-    public DecryptionStream getVerificationStream() throws IOException, PGPException {
-        OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
-        resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
-                .setFileEncoding(StreamEncoding.TEXT);
-
-        MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
-        PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(in, multiPassStrategy.getMessageOutputStream());
-
-        for (PGPSignature signature : signatures) {
-            options.addVerificationOfDetachedSignature(signature);
-        }
-
-        options.setIsCleartextSigned();
-        return PGPainless.decryptAndOrVerify()
-                .onInputStream(multiPassStrategy.getMessageInputStream())
-                .withOptions(options);
-    }
-
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java
index 688105a1..5aa9f548 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/MultiPassStrategy.java
@@ -11,7 +11,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 
 /**
- * Since the {@link CleartextSignatureProcessor} needs to read the whole data twice in order to verify signatures,
+ * Since for verification of cleartext signed messages, we need to read the whole data twice in order to verify signatures,
  * a strategy for how to cache the read data is required.
  * Otherwise, large data kept in memory could cause {@link OutOfMemoryError OutOfMemoryErrors} or other issues.
  *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java
deleted file mode 100644
index 52360869..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignatures.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification.cleartext_signatures;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import org.pgpainless.decryption_verification.ConsumerOptions;
-
-/**
- * Interface defining the API for verification of cleartext signed documents.
- */
-public interface VerifyCleartextSignatures {
-
-    /**
-     * Provide the {@link InputStream} which contains the cleartext-signed message.
-     * @param inputStream inputstream
-     * @return api handle
-     */
-    VerifyWith onInputStream(InputStream inputStream);
-
-    interface VerifyWith {
-
-        /**
-         * Pass in consumer options like verification certificates, acceptable date ranges etc.
-         *
-         * @param options options
-         * @return processor
-         * @throws IOException in case of an IO error
-         */
-        CleartextSignatureProcessor withOptions(ConsumerOptions options) throws IOException;
-
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java
deleted file mode 100644
index fde90874..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/VerifyCleartextSignaturesImpl.java
+++ /dev/null
@@ -1,30 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification.cleartext_signatures;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import org.pgpainless.decryption_verification.ConsumerOptions;
-
-public class VerifyCleartextSignaturesImpl implements VerifyCleartextSignatures {
-
-    private InputStream inputStream;
-
-    @Override
-    public VerifyWithImpl onInputStream(InputStream inputStream) {
-        VerifyCleartextSignaturesImpl.this.inputStream = inputStream;
-        return new VerifyWithImpl();
-    }
-
-    public class VerifyWithImpl implements VerifyWith {
-
-        @Override
-        public CleartextSignatureProcessor withOptions(ConsumerOptions options) throws IOException {
-            return new CleartextSignatureProcessor(inputStream, options);
-        }
-
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
index 4a2a99f5..bcf1321e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
@@ -6,7 +6,6 @@ package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
@@ -30,11 +29,9 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
-import org.pgpainless.decryption_verification.cleartext_signatures.VerifyCleartextSignaturesImpl;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
-import org.pgpainless.exception.WrongConsumingMethodException;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.consumer.CertificateValidator;
@@ -180,35 +177,6 @@ public class CleartextSignatureVerificationTest {
         assertEquals(1, metadata.getVerifiedSignatures().size());
     }
 
-    @Test
-    public void consumingInlineSignedMessageWithCleartextSignedVerificationApiThrowsWrongConsumingMethodException()
-            throws IOException {
-        String inlineSignedMessage = "-----BEGIN PGP MESSAGE-----\n" +
-                "Version: PGPainless\n" +
-                "\n" +
-                "kA0DAQoTVzbmkxrPNwwBy8BJYgAAAAAAQWgsIEp1bGlldCwgaWYgdGhlIG1lYXN1\n" +
-                "cmUgb2YgdGh5IGpveQpCZSBoZWFwZWQgbGlrZSBtaW5lLCBhbmQgdGhhdCB0aHkg\n" +
-                "c2tpbGwgYmUgbW9yZQpUbyBibGF6b24gaXQsIHRoZW4gc3dlZXRlbiB3aXRoIHRo\n" +
-                "eSBicmVhdGgKVGhpcyBuZWlnaGJvciBhaXIsIGFuZCBsZXQgcmljaCBtdXNpY+KA\n" +
-                "mXMgdG9uZ3VlClVuZm9sZCB0aGUgaW1hZ2luZWQgaGFwcGluZXNzIHRoYXQgYm90\n" +
-                "aApSZWNlaXZlIGluIGVpdGhlciBieSB0aGlzIGRlYXIgZW5jb3VudGVyLoh1BAET\n" +
-                "CgAGBQJhK2q9ACEJEFc25pMazzcMFiEET2ZcTcLEZgvGQl5BVzbmkxrPNwxr8gD+\n" +
-                "MDfg+qccpsoJVgHIW8mRPBQowXDyw+oNHsf28ii+/pEBAO/RXhFkZBPzlfDJMJVT\n" +
-                "UwJJeuna1R4yOoWjq0zqRvrg\n" +
-                "=dBiV\n" +
-                "-----END PGP MESSAGE-----\n";
-
-        PGPPublicKeyRing certificate = TestKeys.getEmilPublicKeyRing();
-        ConsumerOptions options = new ConsumerOptions()
-                .addVerificationCert(certificate);
-
-        assertThrows(WrongConsumingMethodException.class, () ->
-                new VerifyCleartextSignaturesImpl()
-                        .onInputStream(new ByteArrayInputStream(inlineSignedMessage.getBytes(StandardCharsets.UTF_8)))
-                        .withOptions(options)
-                        .getVerificationStream());
-    }
-
     @Test
     public void getDecoderStreamMistakensPlaintextForBase64RegressionTest()
             throws PGPException, IOException {

From 928fa12b514f28d729ac1443e90b9906eef7ede4 Mon Sep 17 00:00:00 2001
From: feri 
Date: Thu, 24 Feb 2022 00:51:16 +0100
Subject: [PATCH 0308/1450] Add new ProducerOption setComment() for Ascii
 armored EncryptionStreams. (#254)

* Add new ProducerOption setComment() for Ascii armored EncryptionStreams.
---
 .../encryption_signing/EncryptionStream.java  |  4 ++
 .../encryption_signing/ProducerOptions.java   | 35 ++++++++++
 .../java/org/pgpainless/example/Encrypt.java  | 67 +++++++++++++++++++
 3 files changed, 106 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 317b8cb2..37b7288e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -23,6 +23,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import org.pgpainless.util.StreamGeneratorWrapper;
 import org.slf4j.Logger;
@@ -74,6 +75,9 @@ public final class EncryptionStream extends OutputStream {
 
         LOGGER.debug("Wrap encryption output in ASCII armor");
         armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream);
+        if (options.hasComment()) {
+        	ArmorUtils.addCommentHeader(armorOutputStream, options.getComment());
+        }
         outermostStream = armorOutputStream;
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 94b7f0ce..890acc6c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -25,6 +25,7 @@ public final class ProducerOptions {
     private CompressionAlgorithm compressionAlgorithmOverride = PGPainless.getPolicy().getCompressionAlgorithmPolicy()
             .defaultCompressionAlgorithm();
     private boolean asciiArmor = true;
+    private String comment = null;
 
     private ProducerOptions(EncryptionOptions encryptionOptions, SigningOptions signingOptions) {
         this.encryptionOptions = encryptionOptions;
@@ -107,6 +108,40 @@ public final class ProducerOptions {
         return asciiArmor;
     }
 
+    /**
+     * set the comment for header in ascii armored output.
+     * The default value is null, which means no comment header is added.
+     * Multiline comments are possible using '\\n'.
+     *
+     * @param comment comment header text
+     * @return builder
+     */
+    public ProducerOptions setComment(String comment) {
+        if (!asciiArmor) {
+            throw new IllegalArgumentException("Comment can only be set when ASCII armoring is enabled.");
+        }
+        this.comment = comment;
+        return this;
+    }
+
+    /**
+     * Return comment set for header in ascii armored output.
+     *
+     * @return comment
+     */
+    public String getComment() {
+        return comment;
+    }
+
+    /**
+     * Return whether a comment was set (!= null).
+     *
+     * @return comment
+     */
+    public boolean hasComment() {
+        return comment != null;
+    }
+
     public ProducerOptions setCleartextSigned() {
         if (signingOptions == null) {
             throw new IllegalArgumentException("Signing Options cannot be null if cleartext signing is enabled.");
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
index d2f1113c..3a3888a1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
@@ -129,4 +129,71 @@ public class Encrypt {
 
         assertEquals(message, plaintext.toString());
     }
+
+    /**
+     * In this example, Alice is sending a signed and encrypted message to Bob.
+     * She encrypts the message to both bobs certificate and her own.
+     * A comment header with the text "This comment was added using options." is added
+     * using the fluent ProducerOption syntax.
+     *
+     * Bob subsequently decrypts the message using his key.
+     */
+    @Test
+    public void encryptWithCommentHeader() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        // Prepare keys
+        PGPSecretKeyRing keyAlice = PGPainless.generateKeyRing()
+                .modernKeyRing("alice@pgpainless.org", null);
+        PGPPublicKeyRing certificateAlice = KeyRingUtils.publicKeyRingFrom(keyAlice);
+
+        PGPSecretKeyRing keyBob = PGPainless.generateKeyRing()
+                .modernKeyRing("bob@pgpainless.org", null);
+        PGPPublicKeyRing certificateBob = KeyRingUtils.publicKeyRingFrom(keyBob);
+        SecretKeyRingProtector protectorBob = SecretKeyRingProtector.unprotectedKeys();
+
+        // plaintext message to encrypt
+        String message = "Hello, World!\n";
+        String comment = "This comment was added using options.";
+        ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
+        // Encrypt and sign
+        EncryptionStream encryptor = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertext)
+                .withOptions(ProducerOptions.encrypt(
+                        // we want to encrypt communication (affects key selection based on key flags)
+                        EncryptionOptions.encryptCommunications()
+                                .addRecipient(certificateBob)
+                                .addRecipient(certificateAlice)
+                        ).setAsciiArmor(true)
+                		.setComment(comment)
+                );
+
+        // Pipe data trough and CLOSE the stream (important)
+        Streams.pipeAll(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)), encryptor);
+        encryptor.close();
+        String encryptedMessage = ciphertext.toString();
+
+        // check that comment header was added after "BEGIN PGP" and "Version:"
+        assertEquals(encryptedMessage.split("\n")[2].trim(), "Comment: " + comment);
+
+        // also test, that decryption still works...
+
+        // Decrypt and verify signatures
+        DecryptionStream decryptor = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes(StandardCharsets.UTF_8)))
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(keyBob, protectorBob)
+                        .addVerificationCert(certificateAlice)
+                );
+
+        ByteArrayOutputStream plaintext = new ByteArrayOutputStream();
+
+        Streams.pipeAll(decryptor, plaintext);
+        decryptor.close();
+
+        // Check the metadata to see how the message was encrypted/signed
+        OpenPgpMetadata metadata = decryptor.getResult();
+        assertTrue(metadata.isEncrypted());
+        assertEquals(message, plaintext.toString());
+    }
+
+
 }

From 367a07411d2fd078a77dc13afd47267dee5a567d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Feb 2022 01:01:13 +0100
Subject: [PATCH 0309/1450] Update CHANGELOG

---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e3c57bf..8e6cdda9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,16 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.1.1-SNAPSHOT
+- Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)
+- Simplify consumption of cleartext-signed data
+- Change default criticality of signature subpackets
+  - Issuer Fingerprint: critical -> non-critical
+  - Revocable: non-critical -> critical
+  - Issuer KeyID: critical -> non-critical
+  - Preferred Algorithms: critical -> non-critical
+  - Revocation Reason: critical -> non-critical
+
 ## 1.1.0
 - `pgpainless-sop`: Update `sop-java` to version 1.2.0
     - Treat passwords and session keys as indirect parameters

From fc33e56ad86d4d5356b093749d30c4df19679c73 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Feb 2022 01:08:23 +0100
Subject: [PATCH 0310/1450] Some clarifications in javadoc

---
 .../org/pgpainless/encryption_signing/ProducerOptions.java   | 5 ++++-
 .../java/org/pgpainless/util/ArmoredOutputStreamFactory.java | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 890acc6c..ac4f0e6e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -109,10 +109,13 @@ public final class ProducerOptions {
     }
 
     /**
-     * set the comment for header in ascii armored output.
+     * Set the comment header in ASCII armored output.
      * The default value is null, which means no comment header is added.
      * Multiline comments are possible using '\\n'.
      *
+     * Note: If a default header comment is set using {@link org.pgpainless.util.ArmoredOutputStreamFactory#setComment(String)},
+     * then both comments will be written to the produced ASCII armor.
+     *
      * @param comment comment header text
      * @return builder
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
index 2ccf7536..2e1377a0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
@@ -61,6 +61,9 @@ public final class ArmoredOutputStreamFactory {
      * Set a comment header value in the ASCII armor header.
      * If the comment contains newlines, it will be split into multiple header entries.
      *
+     * @see org.pgpainless.encryption_signing.ProducerOptions#setComment(String)  for how to set comments for
+     * individual messages.
+     *
      * @param commentString comment
      */
     public static void setComment(String commentString) {

From 53f7815778399efef929251add96c1968eb54196 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Feb 2022 13:05:06 +0100
Subject: [PATCH 0311/1450] =?UTF-8?q?=D1=81=D0=BE=D0=BB=D1=96=D0=B4=D0=B0?=
 =?UTF-8?q?=D1=80=D0=BD=D1=96=D1=81=D1=82=D1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 assets/repository-open-graph.png | Bin 58325 -> 51210 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/assets/repository-open-graph.png b/assets/repository-open-graph.png
index 93ef34a16e94719fe96960ebcbbc500c32e804f5..4df928e51aefa2b360b980f2d20b3dd0d0359713 100644
GIT binary patch
literal 51210
zcmeFZbyQVd+c&yF1(a4%x{>Z~>8?$KfUxOJcY{bMf;32p#0Kf^lJ4&A7LacE*5$IN{PXNF7_7b4oY%bOHGfwx_^hlbh5iix83+VImys3+gFsJ!OGG~uB;Z%;
z@pu{tgiYq5rsV`SbS1TOur;-?G9h(xw=*F%akDT5f!t;a5-j2Ny!q$2z*>O*vuzbTy9=yC>+&>n+iOJultXuqnL2zP>p**)ENrWFEzo;@dhns~yUCy2JNF-_ryVzk=*+2R
z6{$#9i8P%dMo+Jyr1$tVyPN2j`0u?cV-t1nk6&$E3LG4S&1{~37OwHFJQwU5ypLBr
zaalLg5Y%>9u^li#?K;d;B0l)iY`ZME98~?>7kX9{ixpwez8y}o?`gwOadVWFT1M5>
zGvVr=np&oQvKx1!8Zk>U*i?Tfee0~TFm!LRVPsHr(z#o>?W1v`da`=HV0}K%UWW_A
z-Z`ttIbduosxrrE9q8}~-gZ+h#OY8ee5
zn{Nj0jNIs#&y72;cNu&Rez!M$JRqq*ndBn78(z`HUyyxTUxvqSyR3nO6#c9HKv$*}ESu$Bw-PRr5Z3S46(Xd-MhOCl_J)
z-I^08{c3Yl_g(m!p7+F}{)(1sp#j^f0ioy82!0b?+HABE6poSXJxRGgd&r?{R&vIn
zXmJ!eMP8fx!%C7Aj`u1H-}QaElJ3U)1S4w~`{sl<_cXO<$;5X1r?Q_>{G?U&&RhtZ
zsUF4sRM9C+=5=r!?Nj?lGxa|DLwSInU!+vq&&kT(DYHDM1l^*io|e=JBSps$Uo@hl?0oUp$tz$s@P2yE={eEb%AU7BT~SYRTfU)94^r}y3C
zo8C`<&WcA%jjqST2R$w6noK_Io@yhQL8dv{Q?+>-@v`U~_Msh7ozirs&@ugqezOAn
z5(bMf2Y-r30`Jr86*P_LdQdIvsIE2FhzKp*m6sOi)nzDqRFVkX^T2deaZ4RI74o5|
zLP4VRvlytk%G&%Z-mkU!G3f_+M@&PMf<9mN4xUbPS3nkyzF~cSmC7*RV?$|qJ(peG
zMQe2xlZjU=lDmtG!6(_sm6;I`tdsPFFmjl)S=nK9v~*7WNnHg6NoEFT(`IsA_wd;Q
zS-a{^JsWOLIj^p-q)miL74JZoqoUM#cG+GgG)m`>xu}hgtU|^naIGL0IaRk5TYwtbRehSaDr5
zX=#9JcfDPfv6cHm_c66fHsvo}hu@p}tF%9E8J@f>iyh5adqZgH`N&4RCWK$B2SuDd
zX=FZQLWETEw-5VZP>ZQ2lT7z%-1lJO+*hEJSl4j6w761{@%LVXE>8>8Q#_xKR8|yp
zfR_%p-ySd5KH>V7)Z5SgPDrU?wll4Au({i0#4T8FVx_LRGp5lH$5aWg1#9JfzBC45
zQb+Bv=${HuCzlj`Z;2&avy7g3R`Xncq3HD&s>?IJYm;n({x3bo5l@8EeiDKNvF{hA{F>P5cmm}RWUA|s@TRDT73;Il|CXa$qkNl62a?QR9P7P
zOdc=tLOjq)%=PiD2uEvCq97_;hMyrJJ!DK-?2KbFKiJE1S53`h*?Zrdpv#jNnUzX@
zZ22*#XjCV~N>|2&v{&V5hxqwbplFh&v8=nhhZ+>$*+`2~GY)EuV7}*%??S$TnP#*U
zqDA#SVnTvp6iGdLZ>;8%hlJs{S^CZ8@4Tl&e^5ksV`wU(4?HHy=^mBl#|K1Th&_#~
z?18Pl(|LJ-kinw^9vN-93$uz(H@PPb6u>n(yzsjPWYrGZdrMLcvP*sHfLpwmm!`_
ze3S<726uR%ed^bwQ6TTZllXEuFwKKPK
z__`;3#d@vG{~ndvbc@)Syb$A0il{l~(4iPNXLMmi67Pz1PO+jmK2rV}S^SR1ywpgthXO?D_vXe9
zoxtuBa(&$m$B02b(L9bG?Ocjt0m4^%F3CuZ{OoD_cr4nRKCGvOJo5PVx&$Av{SMa2
zvL3rIC7aowAt-+Qsk#T!r
zvuBrt&r^)pB6B%E#br;FU#wzO_&y<+`31kAu_1?#>@CC;IU_m2)wHxASCz}Kt^5d=
zZ}={Y#cc>U1jk4T&1{)Ojd{|g>U>bE>5kA5QBuqJYW@!8YFm*{)aXORiZ;}bUo(w-
zIfqcmh-|c^<5GS72&u}t9sB;B#_#%yAx#mbDF{?-qapizrK5BZmpehO_NiPi1CcRt
zz=tZzJ>CKPwzpU75}*dN4&P}<21b$mq{k3^PC-^egSFuQ>3#O)jmgJH
zhIN6m;;gT4*!1ZXIXMWCFz$n-dnnSlE{gFzSf2-KObKyeQkobL5vu27Q~Xl+hT=5P
zg6l`}8&g6cw{KPmWjA^4peZT@;kOi^#}{C>EfXm=Gt{stCLv
z{B`Pf@^6?we>{366HY<@6tN6vzu1h2e-v*GxwqZsPY90JsD*WRg~DW21}_gWKAlWC
zTfj#VP9a9rMZqM@hqNh5Y`n{|D+#J
ze+4vW+T|dAx+sZ~9(vL-|CZj}ocEBaAReuXSQf7XUDvOqK^g;p8i@;o9hIVq=3_o_
z7Zw?^749QGw2~eBw_dNpa1_z9Hkb$=1yh}Xp7}H6`VM`9cKMguryQXbESC02`Cjw*
z+f3L;|H1AV!ijoTujcls>U`!^Cu5))xv&$6`dN2ia*%e}pHH8TV)E-hw3nPlSY1eA
zybNJYbId?792bXFa_pHaZ>3C|r$;9E`6A1SOa)2$1z<0bgL3Tm(|&sAF$WEkH?IVs
zqBLxO(YFcyL}w`pdHRPSqeW^6R{%RjGg(1ctKBF?Th$5G-Vb>I%yQma&8WKO<~g(+
z^D?w|ua@y*aMjI5O1RmF_~nPA!UGH8x!@3)>WP5w7-*Q6l1QzY9Z!+N_Cj4AhZMZ_
z9}wA)X4kp@&6q>M{rItUyE{21i-XhDUL$hp+^2hS8(j=cD)|yrFU8Ted9tF917{+X
z%gAeQk}*sjmTH@+O#(cIG?v?0Wls)N{YO2#^x7#|UM(BHmmMJ+x)Xn!W6yuW$X;Wp
z_Z1i6G1{2;7>Od;j8C#qx!3SD3_Db!43Snrp7hDd9Os}(8{x_`FkUFQU!dqn$2XZ?
z{ITz4ug0t)i4GMHDr#eEWaI%8rZ>+s*(X=?k1_I)6O@dH{Zrp>ObhbxQttQrg*wP3
z`x%%zUWETj{uq)RnEnX#?rdrf!;w_`JySa&F7_{PS}-5?XCKX+6-vpbUh$W!(ih*q
zoQQcz8+*AC&)s}8-m3`UvQrdlOvlnUs0A1
zIcMBKl-mqL1PJkKusVOQlnrMJnb%U+hdD0=2O$zR6IA!h^JG|@iN%AHMoraT;vuzV
zy&3u6?eyPTiX)Rya}sbP3hj7%IOXKKSYhGNbbNSOxNNO`5$cG=
zz&dL5<0G@GSe9^%Lhp5W(CTFqKX%KPSd$r^ixA6tSJ-&-#~8gfCy8AuAEEGL=8dZjD6rs+i{y@=K6UhRjEjBv5H
zwTALCsf!Xjb`;N2Q6M6$_#uM&YxPSNN@>mP7X0W117ZCUfE?e>nNjEkKm$97+-$U`WYLDG=wGpCE7|n_0#(@()TtH
z=%GaIx8S!yN=Jv^Bb^}#FZI#|v%PYbKg#H5M!oX=efCu&T|K*@`tZr6Si-1Rs+{_Y
z;BbY)vhs;vfPU%H`}nk9!blB!*a}ZMzQ}|X;qG|&qa9%sp&!QuesCNL;FT@9T-xgYkM7DPdztJ_Um+g`Dib_CT%>)zks?IIt(R4^GIOGXrRs3XAq%TM5IaPH}vxxYor{tWOasZWcHJr*NuBJ
z_Z1(Qw%qStE6PnsilF+_fItWzEyTo>WyHk(Q7i#UB+1^9g3_&T3EK@+VdOZ-{4edh
zl-ryAe}2l)NJGI9Ef~uE*bOrn$|RGqw}1H#6~l)?gXmqdv$Gw}<7P}ODQaqo*R+Se
zGHDW_$ep)tt_Sw#7+Cl?S=xH5ep$1odpDZ3ahl30b
zRs?$Q=TbA2`gPGzKDCwgu~@I5uWT#KF4Zd$8d7Of2~iWXZ~M1}zta@(S$*fEy_A5>
z9{rvAE7q5G3=O_-vGQSVAv{@@eCw#%;pzjr$rZ9;75m)=xC6WNz3;Ml11MjWJbp_4
za!gtB3D-*bPNtUhs836$@YWTT1MM2!$4Cf*x_N}2@CC`u{sf)8qMOX}=UWq{=usrnZ2`o^zD+eVPV2Z>g_$3o&EeojNp<3@+Tp@QrbFjM3yoQ
z=)mkmf%pB=t1Z1_59r?N2||~$W)8v95*98k_^fuY&Xdpc`dmJ*iG=NiLzwuTIwerk
z+OYs?S6T}4d=Oh}CPQOeBNHY!YdfH}1p)~OyV)5+pe9bFMkZz!HiF~_bxq`?7RG|)
znw$zO3U*>9<`&W(4koG|ifRxKD1_ITTv+ItfEyn`z}m#gkkrlE%Epn;O_2P7E+23W
zzs*ce`Y^-^DoC!SpiC-e>tI64!NkGD!YJWp;lf5P^o&%%!Pt}!EH3#s3E-O`xw(^*
z9Un8ZtE(%MD?5{|gBdd`FE1}M3mY>V8zV4+(b3(;$S*7C;>8qO&o2V9UvwWE+#fk6#q`b81m2gcFqn~58E+@Fq>GJSOY^HfmK=m
zV@W9)1?7LvfQ!J)!rJa(79i~Z80lnT`Y&Pq2XF8v58L^7Mu6%6r28ME|FQRn!N4d5
z1wL_Gh%=l$8F4{!`1*Xtwh#+rzK2UrUUoJX9*7Ae8>_JiBL|l;J0p)V2M?nuyD^s$
z#FUqp#f0nMNXghZIvLtPOyHyd;!G9*9WHKePELq1gprM#g@uvBh?Ses(1^#Bk%xU)p7Is!f4t7omBQLM1F(Zc|
zumn3R7aKb-?*l1g2%n^_gS8=WoEFxGW+u#bHf9eG-~#6pQI-)TXJcad*BxamLnl*U
zf*`rPg^jb@zaFSrSevLi8N#K>%EiIS&B6h!!NtbG&C33-K^i6wjsOzjG+9}g*#Dvn
zKNdbJ(bR;6iydNQ%4KT$*Ear1-O<+6$<@%oM8pi(
zDX<#=Ko7eirFjq~?SJy(YHk8Zf}VwqkA;Pt`G0>u9IVDh>_&hkF=R0T@XNu<1t11u
z%4o#S#c9OK#li-F`9C@Qf3qJp7GMPyHbyoMHCA>$7Ir>PUV0YRf7_w}Gu%r3;{*km
z{~u@k*MNUBYk+9}x(Ap`!1^-()BOG|GdL{%7e9Yv>wj?tfb@SC`5(#mzvB9@xc)~H
z_#X}aFS`CKuK$q){zrrVi?09A#P#f737m-y5Y@Q?>6unyV+oMjAsNX@i9aNHpi8kj
zU*PJgowT+i2!#3q{(}HYOvVLnB0I?_NFZ+@;-Wp`xBDiT4+4>bWW+_(+-82yyL+jP
zH{Tx~7{BopeU3=>cIw<)T?9cyJWs-20(-18OiBVF&)goSq4q=l3**I>k_dge+7}HK
z8XP+jEb$3aq)(+!P~^HAantgblvM5cZ$T_uc#!Z
zVL#1j`9wlw*c#JUsXWoFQQ*^9(1BTxdsZWJLo!D)z{3bRH`Qv@nlr~~w(FTr(TQh~
z&j|<&WE5ZlPKYA#32)y5TmQvO3=ualiFC5cF8BGmCh%MWcPR?3SJI6d{52bB`69>6{
z0PIe^x;h=vtp?v8Sj@G)-9A}u$=Izh)&o*#@6^cT~lA=rMB&uLckM!Kr|50+z`^e-;IpC~jtXgil(9W#|^^3sRW&
z?niJ-9*F#+1r}OTBd&51y=Xse8a{aWnL#yD70kD(*%k|dP@mD6vFH%SWbg+5Kr7*=-Hc;(dyDptq
z+@^v>Yhy;D1_=QgAo2)>NruxQG!Xg7XTg!ud-VL!Z}K_UoE<22nevWO)4aWzt93BJ
zRN2J_5-n{#n}}LHs%gl@++Si~LBx7%oXbO2kn}~T9y7H^UZu%
zq^HGRW>M;KQ@*W!G`_1L-Cr9gT|h(-Cw8qUw=GaBp1xh);iU0iqTu$6n!~q2k_S!!jq~eL)n?ecoV!2voTqhe=$V?IG|kJ-t`M^v>qbF<
zBwcGtj+5os6_sp1fQ8fuILJ>709Yt>`Oac}H@SJGEZO^}ma7`4A)&O*X7lU5c)E)m
zS;BC6g2<8JD}c2bti5}i9P1V+Q#eIJ6flgQSV^MroG9I;=%0i+aY!8%-vglr2qgXt
z5ja2C@1JU=qvyv_{4$J#aVrEtzoPkdEXPE49IJdc4=&Xl__tBvqp`>U;EH3!tM+KG
zEY>u1$f73(E9(6&0e>l@(hWV>B-SFs*&Ke@DXA!&Z9*z!m>|iOtIcX*6k{84!lA{;
zlEqz0-Mt(I)&oejh~exm*~@jhUc2rW3(K*7PSY+r`3lb7^%Az7Y=ZTWUp)*I2f-O_
zR;R+*KfbNE;g&<6l_?E0Z7_<;)cEKvTy*58rt-E4&ZHm8TM!Bw=do-4t%y@pfU^cnNMGZ^({1}YI=;JNW#$p
zij#!Xin(T;udooN<)S*-H7x_I0l?dVB^M%m$is5Kt^{myPCgxMRtQKrv;|2KMJHbP
zDBj_BYfIk4$$-89angHl;wrU>-D~%5h1Tq^tTJF(?#018rfgsM0Kax@5Mr@VxNeU-
za1g&smQ|&6W5&vh4mQ;_M}*-ceyso;Yo&IsFS=KtA#~fqansD(z4~FT902_tHK8Z9%1gu~E|ud-xqt6CgN{#`2_^
z8RA>`_hLTa_rzw-*>OEf67ep>@oMt3D`fZ+EkXoR(C(KQ5t~rZgE_i^!g;-ChQ8PJ3}{ytnoP;QO8;y2$jFEmm#4{Y75&_9&}t-d}H~tt9!UGN3#da8|H#
z0f7ai<{E9c32k36vnIQ15TR%V*J?=7<=whFs0s
zSDo%camO`@l?t9LfUq3k0Xo@km&mOCXx#Z-=RKlP7VYLBzk(R?@FjK?u
zJ8!rIBIUd_B$AMjAS*AgW@VM1o}Rwu#HX&JlD66zzI%Ppr0L>P8S>>z>&5X5Bhd_v
z33^2O#l(YeN(-ps0HtNuf@iJ+W2)G!YFMtuzqvdh{35
z=nHeBmi0`zO7t6rmqbKF<({+*3}YW2A(wk!yUcqX_or34EV&QLhSd$lBLoP+u@)nX
zA#*tkD`396Ik;Y=hgHNzB}%i(l*bDTB^eGx5l=F}7!d%yg#z$kjBO{wxuc?{hTh#=
z;&WMj1FNciUVQ2-O8hjJS&K7
zygJ?v=RG|@5+pM@i}+nqP6Ps>@b^JMSVqjoFfvE_gU0JZ2S-Qe%k_AAMn*=;mL^qR
zLW~OAMg7q%1yx1GuWyvT6XJ7gs8H4?i7Df`X%NOv0i5FQgN{$G!-!TqTqC_*icN*
z>#%)iG&_91c9*H)e8IE%8coo-ygt8^k?}Hh2znFO6j_QSErTanjFZGL4QV-FG<2>}
z^Jvqm_g%Ge>|yAOYwWwbyq`Rk%+VI6&B=M0lts##lcx;83xE_?ELr<;dvaP898&RJP8QrFPv0pMF(tHTs8H#|HX5)u+M
zZ=-2sl>Yq13qTbS7gVNfs^|f=J>DFg1Z3*e%UET8e|PKk%h~z>yt=DqCP>3+MNefK
zpcJ91&OkKF=zVp4RkLuW8OAKL!>(dEF=<{TJ?B17=S?#fOMJU7Npg2_gS~xJHH{1C
zSO7Wze(ZzK)Zd4y?N`Tg)#;mh|F{XzF*C=HZjVJ$NR_)D=oe_0NtT%nYWVo&2Kd~7I%;X5DPV4n7-790Jv`&QtzX=(8OT4)g&HRmvK>GI?
zlF!I7H)QS>)+s)H`qU@oz@f(J&ytAsT(wFPm-WcbcwU9oG+Sz~cD-B4D`tHLnVzn$
zq4w7X`GBV8Y8L75jO9cFs^!hZ{^pHjYY@8XY^60^uW(+M*?A9n9r+z@Mr3D7retmf
z3{^9S%hAm-7o=Fr52HWP)n{o$x>d0pQFSO@wUjb0IzUkUMg?epv)4rh}A|E+i_ve1hT`O?UXWFlJY#;dE*L@}8-x#gg
zo2eKLc=}=t@N;}3G+NwZR~xBd6G5eZrh(`?=M?P1z>h6f+qb)6L(kKOgIly)F*agx
zX8q0p@EU#uETVXVuy3Pe82#F%I
zF6$Zd)17eu+vitv8~sVp?GYH?LH+R-TH5>Typh*~V~aXQK*ES=i!oTKb6u~dEuQ++
zh2)uQ4r4z(eH!-OQxK>H9<_h6KWI3=;@GPK)V9v`U_uO2FthHUk$-JR_1(LCk&j5*
zdsT}QpI=bd^L3h*<*4Urc$^GN#YRSoWTQN}gl3*Hk9k+CmmBDK=(<&n4un%`;&{K&
z^6q-}9AAz|5?OyhTXi}T4^U1VxN;f-?k9Hk=4J-63|VfAU-Mx3=X*fr)bb3__TD65hXXvTXc7|RcU|<%
z%#*q5c^pn#LqCd6H}ewM%`AUUmB3e=-77r37#mXyBNo&#OSVT!p;YraH3Oo?W`-&t@+E%)S|7e
zEuHYZ!omsR`%9%T0&XU&-CCDD9k`d!DK-8)Q)O$gd#I4aH6E=bl!HwnIiw=m-Wi?Q
z`zoQV)x7z9WO8tP@75G8W(F-b{Y4mUBv6%Tf4Y6G6iVc^+p_N(3e9r;(KO~vQd)Wu
z1TL}%2cyFL4>EsO`A(bZhR5i9hdd5CL{B&a(zcdYa6!N=*a%FnLFc@vv=qEMQ7}s6
zI){CBI?&xcJXhn$X}=;~VL6`L0kP&v8sOa|Y&hznuf5zzqR9JLPGlng`WBs7IeA`
z5L+)c>H!|MM1DTieFF~&7IzOjNi=0;Wy3l5FrMf~yi2P5XmnfSk3vpHi1mb;nu-ET4WD8$-(}
zEOuoBD?gQR+=sEuPEA)E@?R@g?pz|-=mhHCY90%1G8@;y$8Xel?
z`mbbL&60HYZ>4>@EDNK1X)a1;L4~zU|0cVy5S00Cg=4AVe)rMketZ$_o=d
zIy!P{Mdxo@MjR?M7*yDXWn5o=>m?s
zNkJPVh^)BsodwHIw4lo
z_6`tq&rnwM8Ek0SAk$d#4MQ${=8h}`^1`*^5Ko*p)TOFZX85q^ei_Hk0oSX
zK0KJ%Iei2oIV2+STc2|pRR{^mb@y{rSC8egnp!%|dX4&;Nv+A}b}V0;o$AdS`~yv<
z_&18lKj-UQq0RnJJeC7r%NO;+!x?yRBJt&w<P$Jqh&J*?Bj)YNjhB@mz86pg5x0z+(k1A?d7h9N@bqSeh(cnPn-#zVqW3+#&|GXFf|e=iZY*Nm
z&TDCqB*n8MIb+juR+niVens{LKs`||bqv5K-wogQFv
z)lE&a5;-i=pP;__SzSFB-j6wm1pY4>T5Z6w1R~{wBZvNc%3OP
znW(?gr3Rt7kmQEt^`ImimBG*l6IC~I4AnbX!FeJbilfdriB{U?inIEw>rI^Tsyb&)
zAM~JY21+C#4IDWs7wOdNn&yFS^pAteKNkH-gN3?wXK=X<-#yEta}3PapYV0d?hHV5Y{46&=?*
zM!+GCz!q-p?l+QbcS?JiRIRLjTZETPTftK+p}Px6iu*=F)))kc6>9IUcA;pyl(az7
zFeq>wnyi=&gvReyONyHAYTqa%W&-*->Glqg8t408paQ+RIE?jhn&7d^=f^EcI}S4X
zLENT==Uh&4CA<=Pvep)gye3jGr2cIHO=*ex#Y$eb0cMxbox*)yR9}1pzlY=5zEb`2}Kv$~mHN6P6}
zrp>XqmB)7B4fCzqHTdI8nOr60IdoCh>6WuT-NDSZ!$(u*aSQtOn}pQ@5u_0r8w*oR
z;Tx|Vm@k2JmfJ0h7WM2dHu;7vFXnihY^Av$ZzO=@flz^tlXE-|k^}%}I77(NLyL^p^4mX>((JZFSfJ(dMDFyFr5Md`z74qGHLLFj@MGuR_L>Bz$^J
zKpI?-L~(0oG#})9zZZ?1>8o#(581MpIAdRL5^n7wx9Ggy2=vYF(WYq-*5GUGP0krf
z>(OH*x|H;Abpj@3Uu|%1w%CZCJbqXUaupbu~|l^Mp3Sw`AYI8VG8ExOn+=gS^QUz^;%%
zm7&-Hx8+o+$rqg}8%AC9(eOlWTVmjC(Zqy0%i3i9#-T)>#7v9StJ!8Ys2^)TyRuEZ
zan)!r;D4J;B`T->TMb8hn+iJG>epN?+>DdOj3oer<~F`6_*2VBkBc=U(L0
z{EoID%z38t_otKfkCgzo&3rSy{21Z@(Bh@?Hk2
z01xj1G);S>2m!&!oA_RJ=sdOjx3}3x*L8WHMbw;OuAK?IIJ719w-xG^^b~ezC%wdC
zB+tq*Q`A&wybtBK0(_~x??0S$zv#e7jeO%9#(H!B6xHr$?i*YAREgw{!$6!tci!H4@}@L~P0`XH`&iBa{>S-bYgi|IceaW-g)ZVX&S;~mC*I>&
zLbij%;m=+{kyF8x5X$Wi_cWY{_@&=#Z;<8f)o=y&=@HY@YaRW*b
zx7$j-&#IXK{|yiIa&vR*`5H4b#q%@@j<)erz0b4@*0VD+he~eNcVl`JdFrPEXZARl
z3C&r5+)dnzZJm&HPhnRSa>udsUTFg@+AA4vzD9n5gV|L!#8qX?N~-N$_l^zzMmt^@
z(fza3LCEx8_#%tCur)b4LOyLp-h-s;F0V|P*8PJE{w1h(eg
zQB+xDW_{mS^}}}fYw`{=!i9EJFX=T4)l^jap?okH3~&-(2G+wvM2~xpO!*3DEf!9n
zk6hl6mtd;Dl1-f>(YG#l%&GAv;k>>v>{iF|IoJEsP_k>o)1_;X@3`5^G1Ag7G9a;h
znn1W9dkZ2(naV}+qZ)gq2BZZ<0&YW_4hCL_65bcf!SGxP$gAjrTMxfDC?)fx1){#T
z?1`bxn%D;N*m3_SsPL4%z2nZ|v66~PWE_KbI*{WIY?caN|7MSki_2BXkj%bETDCL4
zxi}OG{(?QY$|?y?pqly8Z~pF05b3bY0~(K-Seu9oq-4=&37}Z7yqNcVI_HjDn<$*G
z3S#C$g;WjbP+C={G5kTYlZ_J@z}z`K{&l#4orqz>NREfZDmb3nj<$THr_n
z$)~~5OggOY?	?e)$qRo(@(Xk$B3@tjs7x19ScK8xAmdE9~j#&zws3Kz@8?Ar@}H
z?r~x+10MV?7z>pB7XHW9yz8c;7k0jeK#!otE!4svo({frKv
zK%mX8pYOfmBD?5osqaoCDTl#~_|~<;ee%Sm6-6r>GnRyVQwQ%6tn47tNU4l0nnKYs
z!sPJ>8HLP#N5rNLP2VUT^pL(V=#^p|TP^;cbvWn5{z-M1keWJO$`n+;*mI;r4`@a&
z4-3TxZcGS6evF+u0F~L{#orhZh_O<|T7E=NINs<;zZTSP^%#824r|kCnMl9=U;y2c
zr_GSsgEq~iX9n$M9-GPCC*WQ7d8o|P-*Wgo}F@q>xc
zU|-?uZFWVVF`Nuij>?rKrw9EOn7}1^mFjaf$i>x;i|2mHFNsy+Qp-EJaH5&BDiOtq
z*2qmbZK$vPF=g&kEGn=Zq32fWQtlHW{NtQ2V
z?`Do`PNu~+;*#d(>Q+%e+hRWFWZ^OAvAmPAmMga#?FVYn|A>TM&sUi4PtxXdHgnL<^pT4|
zRa0?yjiau`dnA{3BYx36|7HBjdP8+zU13vdOu-?v7q=@2)B#ptjI>Px=R%
z!a43{ejKfyzfviYP3@&
z4Jed=^KPok?Oo;<43Z3mLOYHhHwmVgj5HOZE}Syo2fuuwKyp-pnZW76!8CsEnEs-_
z#>JwMTr^%~VQ=dOYNVRE;EJc}_GsND$b}#9WDDaPG2@oS_oFGJGmm|4{SOpLK#7O8
zliQoj)_pS!xmgi|KtAe63cTZkbrup*PjHL%^6Iny0Ov4a=*<
z^Yy^jCuF`?5rUGnI|gqAly5Gce9>l}Hnlc-euTLPnw*DD4J2Q)I8GkcE-}QqFrd^Y
z3%!6LE!SCtS42e!6mjK4eP`U1J>(KGG60q(3l1n2o+D=vz6C@1ti
z;hUeecNK^)LI!6EO3?dgJNr1Lc13G=34C%a4t|Nz7)-Pa5Sd+C_!P4)d%77`#++9i
z^h!@zNsYw}c~qFF|NE|Juo2RpAIg^4
zo3O96eHzm8A2FS?6rfIlE`nb$zNspbX59PSNJ3jU&PNLhEV(T-T3`D{H0qM6;{hA6y=6hhrg95sj^YZfQKX9|D0$P}&V&mBWdhq7Gg~R)Gu*^yPPp9Sa
z)d_)rjv+`4R00v1vpcPU2DW**`?`fo4d7TF$3eW^)p|0W*ldwzkY++1aDY**~q%jjLu0&~8=UrE7ly#1eEXLS7*GX;vC
zjcfLkL)lx#}pOds+olC)TLuXcBpFI8!vRE*Nx{*=8YBZ2R0)eX}WIWhK
zQ&zC>)HhfuDPi}?^B!?ylB3|fo~heuZBu#Gd>*n`qG$|jR_Xu*FLgb@VBt_BGG~<1
z{9$``j&C?#l#`cp$Nw77fVzT+3g}V;Z=XSBB&olZNg7x`MAl{k(;%&uQj=Z|tEpmq
zS0HbzWJEvxNG29ER!b`@BJyFPP)`mrUctmIog($5QX?jZ0yOXS1_(mycLc
zoM?g0+B>pR$~>o#BRg4%7$t?zWDrQmZ+8dXrShE?*hfMZ$M*!+8qK^?c9J_`F|WX0
ziLCyGiVJFt@aWzQUZ61C=u7bUUD6p7VRtpmjE9G}GgXoSG^p$8j_ovUZZ}=uDq4={$(ma&n6gKL0cND&%w%L{
zW_EyBxVSWczu-4;8kTtNuC5OVgU@w8A9xf|bPWi~i?0!A_f!xc0}=gj&W`L~1$Myj
zNghZfT!^mZt{i`E6FPzB(!>1corSNEmM+!V!>>=|1g9XGHX`z!BkbOOf
zdguMhlwdH_6;OnH?g=E$j}L$hfM)~7W@eKf@;W*?1<=J5%gI7LhdMD&g>s;23RHT!
zc2}8e)}Bj@m$Dnm$b9||1loMD2|)r>dS{q9mv~^O`WllYJW$;0KiU#TBv-8Fc5+gc
za&k5?jrV?BQf~Hj8?>v563@rmfDVb_;8*cONCBWe8`Rs%*4!S(xRETCSkCZC2N
zOp?Nji_s=rYAUMj^>~Act>KIYx?=zX@EY!Tz58)Qep&DONR~oUxl#MGqOXHMvAfD<
z-g1sXA_{|8;3vQ^pZbq0`Iy8L7MEA~y%KHx$%tNF*<(h22b&Vq((w#`_L4(hj2t~Z
ziB{eci^9GmnxpYP!`l1$XU$&1<@N;uf!w3D6vl!SV*K-y?nmI=Nbor{^g6=_gv9{|
z$m+CN>Nvc63-n$`g--}E&W#Ccm*l>V@vQ
zsZ-T7G&I6G)qrw+UQuJZ*k#7xd`Ed-TL;+cS%i
z4cv4}+S`|umX(cHTI){lWiR4z3JU6R&pSnDDW>eG*QjR65C2rjuta=
zebe)+Wc>z@@!D%!L&G#;p9{lX*Kh3m@%S9ahnX~xPCeZi>{?!vb~p
z*}v?YhPRQRJA$M2?b|*l`b?FjG71=|>^{hb$Im$PaNJd1PUBoPr?)c|YCYb})#oRd@{ku4
z>=UdN@G_Y3O(L2ftS^~YH5h>8?R>eJ((O94?_up+_ID3i0&W|$1auML{ectU?U!q(
z0ibK70`=Q=sXOiGUL1;SQIRioHzDdz6Qq!7wxP9!@tUB!N!MCMj;*uhs8B;<6pezg
zmG5U>zu!qhhYdDPrtjnnK>aAS`qi&x=_}l{h*I_cP<;KmTJ#pi+Gi>S`;i0
zuZmgWXUhmXPW|rCDR{a)qJAGm_a(D5qeHQB`go^^FIAXM@9t~OVih_3NVlqF5NZ%;Z?{||fT{ncdfw)u#?fL#-x-KsmjP2
zM>K
z{hyNhh)_&{g|MQd+mVV5bR9OrJ12SKDYM0z$(M$tQkY>y!FF)k>l1=OucK{_h70db
zgszwYPDhE`2s?lQcoR?9>eG_O9hcnhdLWnsQe%mfeE!_IzwaZ5_DL6^D
zC&^aUJp+T64v>ga@fbTzkVn+P^8y+V_TxqW
z_jfr=s*y>mID<%A$&Cak2hg?(z{3qgVu6Pf!=nlV8K$`U)aQzdzEZHt^K%ED?Az~>
z{l&)23>~MkbN!|)Ud(a6Hxl98q_!
zJFK=ucL8WqubJ6sJeZITi*qK8R2EJ|?7HWcdIR(IFB%EM12I~^2?1)fu1q=C?=Ozl
z&81q0DO7{vr4A4mF5?^Ki3Np)z_S$|pqIaS>oK2VmgcVi(zo8(T;!&!pRSFtd(`iq
zceV0!z=z<9W1(EUY`PVep(WgPa0m@&cAd`a`ltmj>47I)=9gbn$DbC+N99f1F$1oG&OU3P8A?T!0rI0u)PT5^4J0blJ1vo?^hFF(7)d$F82_y!8%%hQ0ShH?ozj
z7Q(T$4iO4w?Ykp;2Db|?`g53am%|Ll=@XFLeVv5Y$nFdmLrVZ4Mat@NS4T0H$M8K|
znp=W8dUUOV>y-D9%s#2F{EBb(+f4R5%H`2BdoG+d2j%&UD+^Fi7nU2yhVH{(S_*H7
z10xh*MZK=2*!jUq7=q@{%B^IF^P$1xRgUo
zLpK+D+ISE}NV^Ej=E#%gKvR(ksX&m}9UL6sKo?_HoF6{8AR3UVsZ9G1lv*;`KU_d@
zW)&x0-HGE#ZM40X!hQgj+9AX>a!rg2=XBmwpm@}LnjrmaMoERGFXnB@e98v#c`Ld7
z?dfu$bFR1$XMd?O7}ZU@X2?)GL#xrR%l6IXjkcgDSUdirH-@_kQ-
z)>+8wb0A#S01@&%sk8}JR#w@xHL?`ozcOJ9ChA@(3@h!>o*ZA;yR$*+FLyF(`4Pmh
zo(CY`U*IXB)Gg=-hr}y6A2*l|r0mJeyURYivUkpTrh_Qhggm73$nC<}BuYn9pgj5w
z3!I?<@3reHjn>NRa(<=3=cw(Za-}%);kw*}r7A6O^d7W%6Y93#{y-5hQ{!Y+R_ulg
zd6HhKn(zLU(aMtk8;2*v9k`FAw&}8C-QKED0+R9z&cF#;Ppj=$>J1rsNB%YS8y|TL
zAXgH{K!5QjCZ=Cz&}P=m*|B_>$sB?OwUDSM-ec{FMYnN>ihlC{+1`$478d|*D+Gv{
z%F?X{CtMDXobc@fuMJYg(|Bo_U)h_!bMtQ0w^>MZoN%Q(?+ugKgeof~&yR!c3Uik-
zh5Gp8>OBHnG`7ABqa10ZO^(_Xomv6p_S$3O2Zo@`&w}k5O6euYX15wQg3qv3E?`Z0hUNH*s;)g{-u+i~b9J
zI!S^?0|1Pp05jZmd8~FLWD=N^8A`!ln2-fv)wZM;08{uEw3s2}F1Za*5A+JR&l<*~w?UY8g@kc>UG5BRI>sA>k2gYR>mDW>?M|*0ou^J)tZQe)+
z)d5}asohGS9Sfj@-m1Md+`D>FL}tKUhWDJJ8MHTpG4bDGQUbH(0rLF98XDqR%450OJ`dG3oyoNL$URY%`RZpf9;&b_NsLx~F&OR{Vz7Y7
zJZ+k72#}AqKq0lL^mC!|{AF?jwDKRWP#Gfqq*(5h5~ecNb9&
zqRSzja6#)*59L<9@zT`A2Dj~&(;}=4y{*A!vlgeQ-tb=8JQiyDMHrQ9^xYj0Y7kBVC1eFzBA^B{l%U1ei=+?qLx
z0IR9+B^ZKKp$CiuX6AJj<>lp7=hccejpJ7C!aeMxCovl$JP-1_F(^1oZwLc$}vv&GDtV5$z+CIFLJ0Vp1W
ztXub#Lny|k$%yA4&z?Dx93TI#s7Q2UWzr7NmWieyH#0G2GqYby0Ucma0hR&a4R3F6
zaM|DDE(hP$(AciPv=Ps-vy%X1+80h8&j)4+`RZ&Wa_Sr}wNfac@GRk`
zs!Mm+`>dIUvk@?yuT%^@BU^;brI_~t)>jPHU;*|9JXN(p9NAh7s0VWaEa&&&CICAO
zEw-wJMqdzPLOU{UL&j{8vu*bKSs6Cs$biM6_lLQI)COUp?q1(jt&Pn)BllP;WP2py`>%Lw0n1ODAB=bZ7atgZmEnC*R-^`o{V9TBy-D}VQJbMM_ZN*XmN{pC7F15UJrhi
zHs7*S4;#G)yde(6p@nF8VtoegRHg3^oh6C*SFeWhwAFKDzyC_(Q_UsagF1S`w-$dF
zm`C>DKUK4wZ2Kq19d3BP?}(VpQh>P;6C-1y`%Hw%5BS0Ho?jLgT$m3b$oh$g*f>7{
z#PuNc)uY5`+<(67d1G4paL4U#3}hYCz^)`}HVRbMf4zu)RhNQ?a%=~ZHRt;&_%Yui
zu=B9;)@atvLfx&sskzJX>Mr=+pejG^%VVKLrGc8bJS+=i0$#2Yqrma8r}N0bewm=U
zKG&iZUJl+$Fw<=o`%kGkN9iQGNhS)`C@Rd)&%4b0U;>-DCAIS$l^)|(7!2mi=+f0*
zQ{ZodD$E3IlxdCSDg^HQ@0zlC8o#8Bl-tlEV4H}0MCddO-f>3=VX(SF>O2hg6QZ~L
zG?NFaf3)JC)T0~9(UrYj5>1oJ(88-w%1K`Nq?=tr)F0eJQYpBTDwK^An6`_&FJN+7
z!ks0Pq+CXWB!^=AAM-CL0cdU}`T{{a-*8a=f3g6%V|I+C5vLEy{;A2oKYK)Qe+Gru
zyI8PU;D{J#Rnn?@U=eCQ_OC0j9fnTIZ3x^l!$MRdi0=4u!;Onr8Rh1E_aSgmf|b|t{@py3-IZLo!p
zH|J(fc&G}pF}QfSWH2DPk1hxGk+L`6R0z#$(@j@KcT6T6^FhauNh(vEtMPp`(QBS{
zB?xbOrkZA}qyUhKtAbedpX2y9=S7%8ng8O@J$6{o`x5M?)yCqmNmNu+-r|V$WkA0G
z;TaD4bY`(%`Kaa1?@Mce1%~G3`(ZWZZ5MmhOssU>U+Fk##Uz;dpKhJS4RWiYCBg!byAN=U
z+=IH=n!4z1ApPO*pOtNcE4E+U$msiF5puPF+wR+=Gcl~vno43RJYX}7w)Mmf3DL`2
zpVy+BwkWxp8v}yO)!Vt(WB8w4t#{s(+w3@ckJArL9AGk-QaB}MQUn`t41WFk1(Ls<
zLxz`w1G>Gv-PG9l9q0tY>DvU5KJWZR1Q1ju(ADfFk3@eiC1yD!miKLyfBA9buu-Ge
zlI>21Z{5Uoe(9T<@j$)C+&m1<M=rR@D_ts@0BTIZMr45a&fFUCky!SI4z-%=<47L!4yNPDBGr#_dluMirKmD?(sOU)4i(~iN
zh2577NsGP_h=%&cLAp(77A|w}HpE
zKC*?SY}lR;Aan7vNC8+0ND_-~CSqbhzyvnEu#nI_AjJdKEg69FS!N;6Q-+Nfc5n3~
z_Cdg6KYAK+Aim)Z+2GV_JtFDCuOgTerr8V{d`!ymfmEx$>WP5A6T{NB;k@
zg#2Iq5a|ioVSEz*>%splsQbV3Ax||t1J)TrNNXo|bNe_RldZ!G7RuKW=E{2T{++Q^
zrIl6PogKOprdJXg8Gt`sj9L`MAKo;v;G1LD-hK(yi88$}jz;TVB0>$TwmYVdo;h!0
znO@sSVAp=xB2bF#__INg76OO$&idAL?}xZOYmTx2oztEcLcWOY=F;!7HMSNA*(
zQ%AUjW!$fub@9_`oJ`+_YCcS$-~x!Hm3WZ3g-Q?5yNBLGb4#EddC=!|Jx3#a83!SJ
ze_*gi=p5gE$m&gY_vbr0%@Rm9Poe%#_a%G();r*%kXyO*r9voS^E@NS6gZTC)lr>NMyu?w2y!v5nIUC0+Ns**o3CO!g
z@6VossOfiR@%lGf6b$QFeI7EcEO1s~$bKQJeG$H%*tlg_Fv`$69|vkjv!>nZu3EJkC2#~vEj9aqK`=eX
zjDz0ZI8&1m=VsOOPMM)O7a#2CaGINnT36`}zD;U1jO|)4Z8Qm4wd~Ei68|Yw(>sc?
z?1YD#w+38}Q_{04fBNq(L9B9QT)Vvm)+H;c!Z#~guZlk
z#EVBi89Isq-pnaeRoJ)hNqflt&(1HxHW4Tjg#*=DiO}BiM-wpOZZ6t&g>5hUXft}W
zG}Y%zqH6ZBV+Jy%{7u@&Q?DQFE8aBd`+O)&#
z^;k(dWt(HN(7wdNSvdxNRWm@(ccIf`GcljxFef6YqO>JHQIh0mFNqtmxUH{
zObo8$Z^9=d&WdJ|U;1_MksQY5?r`{5CMSHOu|wj2P<=oi`r46|ug!8tF;I`(gxr~Y
ztUS5Lj$Y2b#de++#Jio6qEm|Cvkl4I2a+$bffr+?cdGFvw$SJc*S6#x!
zO^J*5L-zDWu#ps&M@u;Wfp1ORTxf8fK|tgo_Pr!jkv{RyENW8aOHL_i&Q$(x*zzR@
z2YjTRmBj40Ao@1p5D)mJ3Ta=DJ^8_q#>{0Ye)n1i3ncM8NWE$lPjL)%Fcx1FSxng7
zkiZ{%jed5G*qC2L2qr!>nUmv;VRyI{_+dE&oU5-)E(P~tA6CB7a5
z)s#+f>Az2gme)~wq#3y@fX>l-MPc7C?AGH%B17B~1<
zdnydRdXX`iNlrE`4fr#POcA1y!Wg}tVDEZm{-b<;$k)cdNLI)x6D=M`nHM!9%|-Mudlsh9WhE$v4ip`BN1AL7is!h!E0vhyeY^#zGwC;#iu+eboBVK
zuC<>M(%*wJ2|v(5`_&mBPmV_
zG8TK$(t9eTZ7tS>oy~Z#iuwy33N&8MM6aN7%q`q-x{ThUkl?W!lh_f5+X-+*mv4`V
zBlR?dXZx*Q#mA)isH4}neXiJ9)$8ocYY`U|iwWWDhP|?8AntDzBotSF)*e}nqjap`
z5isc`PfPHCn}nB|NntcAe^M2DNGDtENJaT_t{2BQD&6gsX}RtKE3bUJYYv_4=s=4p
zqUM_Ps795ByC-ucmCI!d*mt&b|AyIFmR#+raSGc_Vr;K)2=ten#x4~mx{jRXl>J7f
z7>uISPnJ!BHEO)ZtPg*fzC(8IJ)24`_m7mOx{_RAIox3rd-AX_iCg0bSQ0fX(uR>w+vKy4h@TRnXSZrs
zgy5SEQ%!;Ww+Mvl+#9#!y;!`XV2JC%q$MMo5n}1y*`KfTLMqX8>|TCH2J65+H4%*#
z0Z5Hgt~6DI_`&+wE^N}Zi@`3SOAFEDKB8;dSUoGlXGMLx$3lAN)Rfc1O4r3-%1_&r
z3im*0wixI^o?v?pU4dN5!?TRRb#+;c7#`_;Q^~)dAsS&}mjja;tr9s|bJ@@9@q`I+
z^~lw*2bxO}w2O`8&~ayaruI^~@IUg^k3S1qP#HSVQ?+!0t_YH?L}zMj{gsNT%zUzE
za(6waQkwXe&kCf!cA(8l-?s4M
zBafrbN<>X;`d#J=ue(up`|JK~Jc&n_V8b))Q+Facf+p2CN+(!hriJjzCcJh7Kj3%`
zxpaK?)5Q^9+Af@!vDPyjx2=cb#U-Ye9PyyvEmbuQ-G4xX#fwmDY09=g}=Cx>~qxoTIeTngQ^#PKX8mZZ#qeEXT_-|7$+{gRVI$~SrP
z96np!=WGMaFzJ?;UDTd!3BioCT{Yqsv1Q+
zrF@m@UKs1~`~KwXzIbpwoKHip#RNEUvOQ&qzTYPQTmG_`IvwX15x@9vwOWix1tk6eD*)VtvW-~I4|
z^5k!6@3VXA`dY_!$!Hw=LAx%$ei!14kM{Ll)>Vgj4qWOpS{S$|EPT{MHLu}XcE9>U
zZ$FjtQuP2&SmrIL%gFBoK@&TCUIfm>zLMOE&@$7HEL
z5r6~?`+Fq+M0@x
zYyFRiizeX>YJx$u>5;|`Mumyd+lc%lY?t;Goa6o(7siE~5ZU<4CsX3dk{;U-Fna22
z5Y0WtZ(WV#U~>yS^NWt`Cvvrq^CoYoq
zjCf@37A$}4>#ge==m@9kz<)gGJyq}InIR-JuhBp|jURZK_aa`EF!2Dkes-?e3Dq;0
zhL6ta?}M5cNR(yANj^O$Vgfrl#&-X%M1lx<%|vuS)i8uU35u`GS)ye@flG;BkRI`=
zwZYUtZd}v)@;Un@O_DoEX@0}<0vG=b=a^X)m=?b3!zNMM+6Fp^f!GypNwB!R+$ZJ{
zR-$^?L&vVnv1?ZCy)4ycC`?iWvXYi^2B9YC5gBw+Y?3U3pOx#>)KK`t@uPaz$k_3c
zt7Q#N76&0BzDKLQR+=D?-D}L^FzVSIP*N2UYCn~(Jo%PO+C$`PXbPJ;Lk^Y9w1+{hvx7xtERxr3-}L~17x?g9wGG)gFNDeYyt(XpG{ty7I)IAj
zncm7Pf3)I$zj(<#6^0q#+3b}iKh~%XW&7Uy46^yaCgU2j%vp>U{t9{WX*AslrlP6x
zKzVXnEIe+qp(WXH6-|iB`(yOkO8V#?e)Lv%|BqK}@!huoCw`o+=xz;CD*H#xJ%*K&
zGOhLY`-8~~eTgdJ-H6JO$w6Jgx@2Q(dL+XEyAk9pv9-ijnX_ET`vOD)8xhee#njsg
zYQc4%_!{O6F9~LQ={rxtM~rve>ikAhE^LQlg=Es)wkHe+<1HqoxHC_KE%D4gK%cpq
zu0ih$q@-pPRMfAd&La*D+7s|{v?evX@OzXh3FFVaBiUyT%qBLzKPbtMv3ioIxw~%f
z>o!^WNnz`^J7~b(OHi*zs|{u03{o_-{M)TAxSPJrcxC3Jj}byZ!~KpV{N0G`C?H2B
z_x*rLeDA4>Nj}|bLRxb#&PP;yttUr6{z(m}ef5Ksb6PBvs+BJsK~q5SL#}L}0?9Rq
z7_8xjWPHEd>v3P{z{27K#?u3QUKgL{sC|pmF1Wu_?v(3)+1V-Jc&Str$A#OKQN1X|
zk|ZDBPOrjwI)V0}(QhQ`sbY>-*KxweF?Z{;*oeD%j{d&b+DAnz#Myl9YP&gZeZ5y<
zc0DCm18SWP^ah*WXg5zxg*^GA-f@He!qmz)wYH*{&E@dFcTstl#+?&y-I*yF;D6--XJZ
zU@LJiiT3d3i6Gu4{%uAHu)7;m{)jcfeEs|%%4&+=H&_slb|jJyrJGugOil7+30kXK&_GChJV
z5%{*Fey{gK+wd?MwfB9f;^2i(A>JNm4ndAbCn-+);y&Lme8qtGPQ-Ixz8u!*in!~g
zycMx#yBI<;c=g|TG_29s(yZ`JW%yxKeeUNRr@s(lMl{Ni6kFt*U6bNu!Q_6TZ!ZA0B+!n6>=efWXaYG*GC}Xt6|mb{RYp7TayV7T4`qJ$1BDRj6>EBMVkW+vdZ_6wxZ~y>ZM{_UhK<8eF|~K@
z<}kO|j`?DG{>I<5G~usLNBBFt3vO+5Pq-X#p7e0yh97`DxqB2$cj9ol(SlSTgK{!A
zA;j<65c|oCh<`<_9bd5d{dVU;tMjA|ef2CepwxuLl`K=n4jcDv`
z*kQ=KYcp#HA@QcN?v*(cb3w4i*|~TDdVW_9VLa63%g=6Ues#r)q*fad_cRFuZhKmG
zz8$L#wCF>T-A%&JZ7j`*M_O~FUbT+c7>@kKPOpIHr0so{P^*8D!w(U0X)Gr$9{R
zOG!cOEBAzwcaIrRGxEr_)HaSFAIMlB+8IOMM0Na>UKnuQ9pXf?UD6ng*Q?9Si
zjb}S|*U46qjOs0+sM2D7<(22$wV-_5@WaLGoXK7}T_?a=l+QCcDJ=oclyYDOp?K4X
z%Ig}YFz%i8@7ru|6=aI@a|6)H?9IppYEwK%zy?i@vHKfoF7i6ZI|)up&^1bWMWL#O
zZz}a(cz|l}K$jw|aK8Ams9(+CYh7D+b5$I&j&=)}G;00*QjR((RZQ6Sk)-a2sLlQ7
z>qe?JRhLF{QD07t>R30WOS78a&!Z512gssZDir&fg_RgQu4y|$(z9oXK~ZseaJ);$sAB8>gr}w@DET*;^2pHJ!K*OI?noFk-
z-W+g?x7th`$rTi{oyMLh6rSvzID%!Z=c+Hx53M@*?-~N~q?dOf1RDu>v+A@M16=Xx
z@M3~|Q{W#i>KOeqr7Q0JT=_;O8m3-EfKS}oURVBZf-RtoyAF^!eM>54;(p>A-Wl(>
ziV;~MpMsdhLE;;;lUa$@zpq7Kx(TN-FPZ0Le7Z;aELliL|>+R=1P@!M*y)AGeB;Tv@E#K&%ETo#RR;1
zwI$BCPadB?slBUSG5ou8oLJ1k2g$l`lw7ldi33rPzGYp9DDZ2>(vkg5$i8>6
zyEPyQx||HfK$~*#pCIVz*m|{)zw+>Y7vB@g&!K1sC{P~LV^G#hzO%LG6$DY1rCurZOwRKYpb(LLLS-}by*xC=GaRy{L
zm5W}8L?&m<);T_>j6_0vx$#2~bo>4}aGKW{{%k&A`6XHPqotDs!+|~c?_7XtZlw6d
zX+%y>T$-v*h+lMW`mjfV*P)LU
zrn&~+Y&_v<(hqB-Bi=ApvSy(z8;z&)tehUcuLugBx)R@9Lqfkjv9bn=kP6dZ2_E&j
zJFeLq-kgfVm!|&q+~e@dGsV6kQXXxEe=A*?|Av1@ZcrS0eF(RdrZ9n`{yhB5u9aOP
zgQWRoKJ-Ot04u!pIh33;K<=`;mhF@78`O7-xO!gzH&4(*6s2&70SH1hLa+@2iO>4?
z$m;68>HFxrN}jwa^kt)XPfsE4%;kNR9^zu*QeGGd^Y;fH^PSyV3V8NwKU?}GJS$Si
zF3c4+wEq${=y#b)`Q%__xn*tc~P(Ybr29WpATR|&lO@{fp{@p
zTA^d1rziOg#cA=+5T(&YtF1C6wL7-!3qeIBJG>xydN%);f($zSWQ!x#XhO&qZ?0=Z
zRy6_*i2>_^HUn#y;pgg>sv7*(Z?a3E>jNBL+*4>3Ogbebr?^d4zSdimP_cB`L|AUX
zQCU>^=Bp_l$d%fEp#`04fL0}FR=oux_pp(6c%2ol+EbOt^)~q&ajObHg3}i&b+)AE
z^pW^TSG0Ry^&rv_ByVCn9hx%sl`IfK>oF~?^Xq*8r$_hLE)PoRG#_fslbbyoo0?N=
z&Y>v1=K#t#cdIM?r6%6%%GXS)Q;%+S=bp}-qptANb{a9lb}~rHAqbxwQwTxz*VR^#
ztxYs;n&vh=7*Q&;mGZK-8x2etc<(%65#p6hSt?8rBVYy5*^@d;Y%*MC2go-O9jA!(
zgDi6Eo^y?-@fpE+3xS6Boxi=fTcVorVgH
zm7EJZfs<*X2DKtzxTDUdtej3?6vgZw6^M)2()UXpZbD)>RAz4ze-1!7+D=1^_pN5~
zLat!?3$EG*KlO8z11cTy8)L^4>9%OxJ4&36Ok0ufD|wh_KskHMf|AsicM#6?CQB6K
z8%q2dhi@&$uTP@Mo+tLOyP9eC!yj~l`tSOF(cg9FQ4uK~cMf?T?iVsuwIFZ;X}I*S
z+N}=Ql2~Lel>TA|mV|ot%$!Pu#Z_BL*;Ohm!q^4z0^?|jb=j+`2Hm)(Ih=HdNR`1a
z8ll?ul9w02T9WE>a{}HJ++O0|Hg`gyNeAb1tR9+`k+x|kape8ol|PdBs5YH0jtu*Y
z(QFGo7Wyr?^#)VhcX>OeEkzSbB2sebs5M^@E8g0_!YYpA?QQvxzBX<(q=87
zk7DgZGPXP9Yb4696OleB1{};Z%cmUO4*m1=@6QLH<8LO-%MS}!T#Q?&jB2O8?k?+)
zxPfTl@7{dS+nYu33P|0KHdoAsKzYA
zkueMNv^Mbi{QnqX@XsQKeDydMjoQ0|X|QS6NBa1plF#A6sqLnQ$pBRGYj5v7Zhd`|
zD}H_RB^~>Cvxh}!PMa(jbZ(nvqP=4&g&<-zf=o$Z`{g{yO{7Vn7B`{AhR~&MXg?c1
zb{xfe#%UT#P*$GP##AIrYo|)TZk6I|V^`Bq16BV~b7MaDEiKST?}T9daHdib_+sGA
zLOTSYvxlG|87nIi3|oaA8*=b+IdmmSXl`GqumlqLB=iYBF>9f&kjb|^UU_|VFN}i}
z=Ao@nChKNaXKaXC^J6!nq!CemgExG$
zUHbK1dWJ+*6Gkr;(YEpUx$bFMF;wfu*`xu*06h`97aLEHZh@U(18v7C(~l@NKNM8(
zm!L5LOQLdG$sseOr|K+*HGIUMJ845wm~HD(R>!?c!#aWve4cZK_>spuA_q9!a|fZ=
zkqNT$S|XWz$y{$YRoBc%XVRHl@G$qAvrae_V(&}*OI~b#?IFdyNr?>-{F!*luM#E9
z?$qx_DXJx=!~1C|JHst$V#|Us?jzN444SE$Vy16=5O9bwzfM
z@OAHghX)s`vU=veiAJ}hOm-$n@Lo*ekO-N;5#s%RV|;MIpB{fynp
z-I@-q^fQi8`Xp^;H^0^3y9Ij8=hb?IjYM%J^#WLm(#cSrAGL0B%q!EszVFDDtFoR+
zh8L$exq&-lpN8p9PPv+*rw}heE4#nom*Csjb5aL4HVf-2F_JS`$g8>QGHj|#Xg_p$
z7@?MNLnCATjqlhZLpwV*p};H!`glabs!Deuv^ZS_5!F`_SwU9B+}~(V_YhHCW!p+l
z%}7knMUYPXRhCsRxUa$CTb!IUr^1M}g_3&5+r-k~x?5(yB+Yb>zd^+?v;%2c8OpfM
zUg9-)^WIc}lcv3*dZm3eFpO8$TxGS}xYN@rVh`bD=?dH}G|1+KCEwbcGndY&Ieh15
zQ@ayZ-5I|1bhKf#=vQaF;jNJd8}8uLOLD%k((88kwWTbwgOjfNXnfx1+;tz5x@MUz
zYO{47R&{W*v%oxsqu*E6oUhk#{5-ohJmqr(;$sLj#-%ZzYeH9na*Ejb-f=4jlQ-hm
z_A!f`46NwzKXj}rAtPWA$XL2EBicr>frlXc#Em#q=ApwLf#Ue36KyMqU2aBe8@?w}
z2M%8|AUO+N_v4Axh(E0@(4&GB;mx_a&s4y4-=R~1KnmNIQ-~BiQSI@0=l2Et>eKFN
zDnZNB`dGBSPVaF<3eSZfwfAExE?8Y_Kq)
zvoP5qzuZ!7pyD<3MZInsMp$hiV4ovOIQmj9U>7(W9iV@(-G|Dvr%^=v-t6Y+Nw0{U
zTLvR_Qgk?1S7`LEPC^>VOef0k-Id^weg0!j>&MRy`uZzXUCki9{xf1?6|l;2ah4Lh
zQJbX?KeZ@-K8_F@#AOG0eGtGp+S;F6`X5GG;Br$1Z2j^u>sw8cw~>d&*~L@t7fa?!
zNuh2N>Y7d&B0A*5Ms%R%ukZ`3c=k!%!HK1;&GqNdxbE%;k99DVU5?(h?>`Uk;RxF-
z3w4buwgzqdh4=MVI+I$BybX6L@|fm(J(v%*?)ey&5QZuB&?-U6L09k92=7$>akPIX
z+9%F_W5A}@KId_4TTf)Ik%WXCmw@PQm*q^`bfuO7CijBDcaa2;^Rbj1-z}6qjp4%B
z%*S^tk!u~!VhB2ogwaO59XOgo5vAg-&uV43+>WeH_9>surL&1Je0Y|9Y^Gu@Vm(PJ
zd(FqF8*RdIuaXY&qk*&F6~c~zt0z$#twdQlX0v2z5tzYWjv>;29_tL+E+{RVz!K=;
zh2_;FW`*MfRq@vge(p*vFRTN%mTRtOj9w}*upTGx+>6v%Q4z`xeSQhH7Ae%jZqPGv
z*gQBCEk{tO9`C0Ncb_rN4@}6Ac{8!mPF7loc-GfYR`G`&)8XJawriy4;f>_^+j#xD%`FuGgC@NIVTk-OOoO>*;Qh3J>6w<0AJdQDei{Vvax
z<(AcLF5-|8JNYr7trrdVjj8#GJvwSicF5dsLDY!*R+S)&FwXJRbDs@gi??8$w
z;68xJOM{T=8iB{sM89e)HNo&12w$c>;&5)V8LSSf^_yuKfLA=o>ze~@_-QT}O|6b1
zOA2m8jGOiZgr}!5vio+0Nh{bJJq@Dsk0S%JK;X&R6n|P=y?5AwJM`PIIR0{y!C^>F
zYH?z$@?=PM^I_fDSLt|LI?Uox0zDR);hkil!}jX{f7=Px62bZO72W5yu!%QF#r^X=
zogWkOZhJ>16B8p-vG&g#?*}^%D*}HhG>-A`W#9B2!s_x0&0NplqVCSZ-*qmn%%~hV
zg8YCu-SafgZunawiVY6W3$ZM!lH&C2PC3NcK<^44XrM5#_gsk3J1bw~1_(|S)Q7Vd
zdL7Zt3q}UkHs6LSwF<`NSHlqD*D75uU`Z*2;0otd9j!sqd?c79rS&A*i)-+0-_t<
zQx|8xG)8(P72HpFW#E;YA8Z7tKEh~TR5pzue*_0jQN7E#Wl!RfF+Q;**`GV##!YA=
z__v4k{WC;XykdD2`?kLmt!|by*kn*+sHH1X-0?T@=#x!;D!1$;2mGwOyENtpH}6_t
zCzQ7W2X7GHmIzps2PFA@d;L84&v}!XwQ)>ioNp1{?q+{B=f3MY3dEWzyF}&ZEW4X}
zGKFmdahg)BBe{ez!~V0KYl&P^#cmGkG%)#ZnmCOtnsk(ZazefvY#
zWWXzzl?W<(UsZ7z0tdZwxhgG>J<*#d488sKIe!I`u{?2nm9m>HF;zl}ZrNBs>0#Sm
zp6z?nSCtJdHyLjWU#$>|stZR-{l2QhwNroCx?Bn!m#-7fme&!Qt0TxcmrbSecrm<-
zT(zj-F^`#xu%~g8^ZE@gnczc_d9iX_({Cew>>N&gERReQV`a%USqoX#{;_uOiN$+X
zP*eeDN}70|u=?{b>QH`~UB#fsx<{vS#)Z!0bwr{^jXq$rDpn5nR%J9V2II|UJ0)7{
zo8+)(CvR!D+X;kkB(^ngs6HK(qgs~7j+P{r)c+{jB@>s)qC1ilnnlyF^6GkzboruQ
zcjBQd}Y3l$90gj0|1L<>;!4m&APkX${96!
zDvtJczS4>4LygU7%zD@uI?g|T$$kY�q{4&9e6w7qsWtQp}&(7)y9PdmK`B2O#lx
z9y?`h2E$gj{DZ%06XSbPS@!6YjmZP1f`856$W7U8SAx50uTu(
zg%6#g*@OBaB$GC&H>=${@WItA^Q|97U6C63M;!U`!l~%gy*t1W>Yh%Dql%yY{RMOM
zghI`-T?4*ph}W527xVH&TyV7Bhg>cDghM86dQKZ&o@`eXO%}q6cEcEM(MnfjJl}^#
z#a?As(2Gt9L7Crwrdx0b%mA3*6~r`WW9W;}9EC5HWO9F?ZatN6QiX4K!(|pZZ{yP6
zd4RLoeOGF+LL6``CID93v-N);XtoASbx>xpP0~LTe}8=+!A1Q#JYPIP+76E)lRFQO
z;Rc=E)Ri`+tOj$QT{Ed0o(6!TIM-Mq-MmZY_AkMex82^c{k2(d;ZrMFZw7s}uEk0~
zew;CTvX4){-^S$5N1$)~LXIOIrl878r5IYQlKrw)vd2rwN6f`Ic1zj`!xw3zMq3_9
zH>8>mXuO(qdbNLJJ$UPCch%sScq2T|>V08$J$mel;;o@_9Jc)z__Hr|bmcimy<8=c
z?1;)sbT}G*T`41AE*&Wn>1#x`#Y*tEV7t_QRkU6FbT-YIT$Ebvo*z2;fQ@}4MSL--
zhC*Gmy^*}R-$Z${NBA|j2X~AH2j}2G;KZ+P>HZ|HZ8!5%5)~qJib|xOUYAP4YE`J3
z%c3#yBGO%0q`F&*t?+)P;gLOz8LwA=t9F&txzRu!dqKrWWnBG^zkb`%*w!V6m4tuM
z>9H@fl_!6NVR!xvZynxi=uQ#^uIE!iA?aR5&8NHV{_$J4~hgmVym$x+{S8h1fY=wERAh`?Q;}v#}~6x}a3;)pOTTxm|Lz
zUA~jGvLgA}%5+~(^AZE*=MsGQEvJp*=Zn&sb${F@_vLECG;L(ch7RMn?+tpqML=!{
zc1RB`9f4&BMPV*P+!ZuX_buJ>|l6#Mt1ZfrC1I_c!#@>8Gig2sC
z%DsCj#uX%1Stpd&1|u#=}%&HSRlWyNU6JwkL_iTc9<5^
z+!D%B*^glr`CyMJtK-nr!rZ0DC(y@|oiMzEIai+t-+SW-`CYDHP^GadEoP9R)LOB9
zU5CVoLe%A>(iX;}k$SysRVV*gwGaTk+H9?Bz!8Kz5#zMu6x3;A!?~xRRJiB(_^xW4
zfC=}Bw%_~kzoQL^0yrg7t^3QCU$xoaghdmV12CHr4v0zO%82FHWOMz}UIPxkHWkwW
zlG!bwZYcW^j}iASt1}|TNAhfywJ>|didlnq2Bp(zJdEs#yLGHiQp-B^u`3%9q*|^%cXw`OF_2fhjIJ{EP_SPAGi=#uRQT*T#}9iRVe*FXxtALF!(=pFPGi+4-cjL+
z&jAR6)+?Q43=)@rTxw;?9)Pl)1ZN``zH6Sa3)=V+we7li39$END^WVHu
z(Ed_X!>~IE*$%qJ^181h)+_y5g(l3NDfmgiQ>4kjOwIoRJCk?gG_*U&zkyfXhset+htJcsulmZ3mh_jX`sVp4(gAc+<<<&+50rnb<~%Y)Dpm~
zOHLE=JAbd6e97%Nf0cD6m|O7CB;-me@Gf50dm?M82SOq|NndX-Wh}c_#iU)g4TQIp
z9$MT!9`14EYB){EEo#Kc0TWM#(tp@;!}0@8a++^`h{0g)yM#6qtky+);NY9s*ygd|D~
zk(LlT2}%CN{=R>VbH=$ix98$pH|ru}B$;!r`L5@EpXZtHX|IB_>2?Iptq$+1{ez`j
z0wR{i4THgH*lk&d{;Ss21nOXUH6k>E2;04nia_s0O?e!vBg@BD7%OxP}OwJW~E~y6(T9_;c<+#bXQ{6{a^pl)s5o}j
zc8NkPIimQv1+YE&6#hHL$M`yS{5CjY0AACKVoAGUtF2nR`|eTJ0jy0Swo@7of7uf~6{$7Y
z&8~fTR@tbNp&+dPyBW2S7$4((1ttYl`SxVW6?Y=`?A%{b2pC?k09Uf1bVWK4A1
z2msmT%-6iwnJd&OThXa1Z=FXbN^5xOZgwW#uBmmZ6%{o&L|
z*kaFA6a(VZOYomp7N1Psy;TB~ZV=3E6~1ND+)nY4hTG;#Ppm{^OPE0;Zs;F3%9;or
zW7M^SJ^UC?DG%Cw*oD4)cX=w8z2~6Slo9GeNgd+=>AI7e>Sye+
z)b7M_V2EqH=Bqm#MjkV$@p84vH2C7)r5h7x^bQJDR_@Y@E9I&VcSyL4b0{seP}*B$
zHUD5@Vo{4ZT20kU*rr|GUS5bduX4t@@EM97{JB=MQquV}U$(#hYT2ou9-uBP)OMA_
zAa35F(e2j$){hlF+njC{1|DYZg|}ICM1KhL^%mF)_TT8MqlAEgKT8R2+VNisS(+Cf
zr96viiA(waS^!K*8dS!UI!t+c$vsM{i!5aZHu
z@2^YVf*LMbxX8;2Zopzhyk@gUySm!TDv>YKM~J6;%2$mx9)dBK@6I({SMs&&dE_=H
z5&)m!M7qHz!>$Qb^yWIqUdy%!mD%4Qp8O2;1|QJ_RQs=6ufmnuKBpW;@u@1KjORE0
z5XFKcfO>lLAa729&?6H{w9X{3O~*l>B?g;6Zzr8eQgX|-2$wPM_C}mkVW1}^zp7Lq
zY>_SfsrqMHuJEs%&<{x8`uY$v^io>1Bum(5qI&T{9F!1m?X=q-Hj)1pl4X9pwxHl_7_|F`TaMjJ
zw^-Y`j_V(vl0nL5NrEfL>wKS!W5Tk}_sFlY2}d)(OjHz~)WxfRAst`1%lKW+rsGZP
z7FHU4TA(`*v}CtLi7a(aGE%L28jUegWp*CuY@Y6_288{AFIcD(E?N?x-YyNmq}64%
z50ocDVdlgt!uKur&|i*N}^SYeO_EkTQMai
znF5?fQL89(|2qi%bYF^3N_kH@U+scx(OGxz>&29>FUdO{oIX;FU`kB0`P3YOsQUR7
zl(L%E|p?|w>ZQ=Hm6
z|9Z4lDkQr%v$xn70`^J0+slBi`Rt1=o9!YaDn?t;B5Cm}GvoV(%xO|K`^bxn|1PT<
z9ryIKzMpApE0L3zpZ9!K-Wydd=qZk#(@a9bjF&?`3>ybOTl)QN%{;hi@qs>^1=whK
zOij&S$bmpHOZIkNRh`+{1v~2@jpjGU5ec^{Kg={uS8EauOu60z5sX
zxpHenVNJIB+cNqQOpn6Kw}U|1tYdCKlCFMkI~MnFnzY;Ma;Doxe&WlQQtRQ&aU|LrebgvB#ZgO{?4>RS?%I$ZZoc<(G{!(Z_EVD*RU_x)h+upTu(S
zpZYGN02p_(?CSG?61;(#3P~C-8?I%bRRXY!e`b$6-*{~D*i_W&!&UPJSX>tN-QGNZVkkUAKp`=cyl;K0%Btv*)Jwck!qaV^1?2
zsIwiJ?d|!}vMsVt7y227%?p2B!f=h_=78}ai0|Z7$CfPD%r95D{xo?=<}PET-3AWk
z7xtd81S+V7ByFfXYqNRs4X=+u@f8$Tazd88fK74X1$BEwjt?E<>ts3H|y(Iskt2>SRT+?fZh=Js^kocQ%!F
zT^8BJ`6g&y2EIFE)vVHA82#tJCp62A^LPAw2ddO7ZGMpaAYbhohjGU@zT=X5Y;hP~
z8K9d=B)MV_rCXF^S0Gv~wahlp>I7!M{mih-&|xK&?t4!+KjlIn=H7KU_c;+-nGLRtS7hizzDvgBZW)=})at;#e)o)S8VYCS4;
zVW=q!V)bgq|8cCCl5E|p{To6Q2MLso_PqAHaB~@%Ox|-xu^2x`$JP2PnQk0`cz-tF
zv~DH_LN|HY?EnoOvv!vfM5`Wc>5~*U*vtoAq6Txl6bB?TZA0VP20WR77x4^--O7pP
z`(cV?DFE4b_YE=|Xl%=EGAMEdkQ{aQtaX+k>`W|C%E&G)GZCMvRT09*z3?=y7NA`W
z->zlOqEc`=0`UCAX;%ivuh3|Rv=$_0^%y1Mxu`79PXWC35i)u4d)RCsI{!AlynCl&
zl76jHUqEJT@E_ow8mOIQNs|C<_O&?q_+|$ol>tqE25a%cY8g+K9O}+T4p1#HrD-Nv
zYE5$*qM0@}$BbS&sb$6#pTmX8E99^V59b;H&Wf@Jc#!X6Ux9x*e)J?m(dv3yNvP%T
z$X_<eN-;HCDvQ(u
z`4?-B#!vs)pHp?uBEHXW(cT=55gDhg#dhY^zRZK$jfDwA;}`t|H(1#7Png3SGxHFqR^$HX!M?pA{Ip{;Wf+`%aPQa<1
z@Psu5k72}hJ+$QLg^}Oo(DiU5?DJiu1r*|vh_4T-=X`gAx<~sfDNEuE<{7gchN
zH2y{-uYsbmZ^J+QyYmT9Xdjat-IJ+*1${{@S|+?`>s8k?aaD>G
zS6{imc`qz~LlvDoIKOb9y+@}YT$^qLC4nj
zym9|F_ZpwySp|UX;u!qje4nkV{h>yvxU0VhqgWg*b)G4%kXhnkTp79U512@rvP#CB
zOEdX21`%P;wlFwrrsQZ)tq_ocjYoTR`6XN}=G)hf0BSD}FBBavs0*@Xh`Y3u%DfR#
z5q3vzQ?n3ll<6k?j(i|ogpfXyCxp#%D<;9ln^v!`F)XSabvjnkz2?fwU!zOX*VwU%
zkzCgU5g-70o=q%D4~El$py3uIgAbdzLZ8hGNGwE1<9+8i8(p|Zrmb?#p49A*T3Lk{U2z4F@$iN8x9J5?rJR6P6V
zwaZE;9B!UVjk@iwU|TutdAI9L_Pc)5yH$&6Uyo-(9xB{|%Glm(xS4qG)QMk@o%`(z
z>*a5khvqlf^q?80i`UaQnZ%#ja_RPpMy`*2iNA>l
z-|X|&J=?I7sYJtqFzRcuROP)D_F$yVj7{f#9cm&!vPZ$4V3Q1Pf}S6$t6^{G$MOscquo2`vP{zZ?GZ8+
zEa?a@7eO^stGapAGn1&o4NT{x-DtbufC_X!<&H?3WpF5aqE~|2rRSd4n@X8)`+ebC
zB&3s2wY$dad_fNyrr!q(UFq!5*?GX)Lo3TCx!
zUS@F32U_y(^xAFDNP2B$=epJN9|wAc9v|_P#p0(8dsU}CRLdqorZlzJgt(uJ3mxgz
zdbrsw>D5&m_2{~^`_4RLcyBDPB;|p}ld!4foIJ@5@
zOZ}JXh>K64rmolh1RIiV9kqgJ$(ubI2P`}m%3-6lZagt3Q?F!6m*%?WA?yzVs1r-h
zKmLs4jQGsAh4|(8*hoYK{tVgOv+;2Dnrmi3E>U5tYpD)VKJm$Wx$5V>JFhL0KCo6e
zM9GW`dV%fHp`|?yg;1FPlGJ{eI}*~sw$LoDw(W0!YvNt_LN_sFq;M!pG6H7981?1d
zubzx4&C2QRI9+da-)&YQQiX#s6u$L&&f!Tjs!X(Y&B<}EIZRQB$YuHZEIr-zI2>7I
zC04C5FtDsK_8lkyhYq7xBnjPyeTXjIaH8nLnilb*{9^ml90_#C?wsmEZ21MGb`Z?>
zeoIT01}Ac^y**eteMnFxys}Ef4nkRN@)H629SyXDEQ~(?QBAmpDKm&;l`J%Da(P($
zD>uU0J8fnBRu?xW8*8DYBi#BmT?#tm3>Ox$82+~Bb>CfD+AFQnebwpL=YzMuxbL@g
znySC!ah2O8G;ejbQdR3X7=Mss-BxKM$V^)+(+OUDGIc=?+?x_KqT{)s9e0
zo^99u?L6go+@^mYi5VYb`5jl<^>9q8t{R{9!D`%#g@`&zC#EfDH^a$|l|COgW@QRsA4jfk%qqTsk@-7Kj>Wn{?)Rfes~SJs4B
z`DJvN1oWEENePz*>O1QUAITRF^=(KW5bnkX00vrCSg$$jeB$Ue+>9voEkNi|3`%D;
zp-!qTo?h}TNZG`-!GRB6A1;MtL|OI?<1p`ot^d*?+8xBrMM~t>Ufh#vamlTAf=i2_
zAXN+V*PYb-_eKpQYs8<`)iD&GlBY|^H+||g^-W)qdR&?k92?7CvDDv%=b;*|SDy>2
zahZxHH>7wxs!7L){4+(isv{eVuX)*SNxl^nj)k^*Wb^j}D~M)I)wpJHUGPoHjpLVV
z5(y2VD~|iTQQm!nyctoOpMCacFgDoi=uTC=R-|6@4~LCT#vfGdj?~8bZprM(`L6jV
z4f6^M-jveMZ8zCUHvW2s+d+p?t8B3u2od3*(hIwj17ALs~3Pg|a$uaii~
z(H|dJwKWfC>M9e@Xz4|V^xcHR@Lt;^89I((y|R&&T`~7rJ=MOfq9Cw+WlCu8L!Z@z
z{RPtr`Y%l11%FTA}8HlYNm90iQ{axyY{kdx_{NV
zS||K(16{-RO3s0I55Ut3->R;G+5_N`k)i!?4KK5L@zVix|NgOC(f79X@O3&Xw7*F0
zCXhm515?b!YCJH)w|K|X)|zWeX?slZ5~6FIg^;jcqhtRjm3^BL=~(%MbPR5<_tdVg
zN;U%`;!zYwhXx
z<;N1v1^0QUB8eeB3_VP_px}FMv1c>v$DgsA1(*1lD05JjLcGL654U7bH0%b>JGfHabUYbbjT{@O`6)YGJQGnOe)*7V&kbHGlwzNI*%6;IHmj-uLMKs^4LvQ)`%n#2+
z!GS2GVCIJi^>^vLv{HKVYPzQC!Z+k|hw#`wfl|73^z(V^5gn9k7h2>K4I%9&}vMLefPI#U57zR@^o#WKd)spyEWJvx{I1`I-L(XGB
z2bZ{^xa;W{lBMB1$Ex8V2N^){hSVT!(kZf#;DCz?X|)>I*SfmtyCG4#KW(;20XZWZ
zh3Ln7DEZVqe0+ZhX~whN*D$(f;iB*gDGcnYt+ii>#)A$*jkL!(9^K;QW)@k$#s8RW
zI{1t#HP&`hxE#AYo2)<)96=&GPH_F}r9OyJ<^2in;pQrkdxBE8uQ<-Y1sxBD_DJwl
z9c+b;B}!NpygGhY_gm36UV=}jhy9v5Fl-U+g=wDJ6FM@MqG8=AbesWqf3Z8K(YC4P
z{G6j~Gqq#+@FKo5@HuxQA!_j(t$X#Yp(M3KPe%+^vrog6-8tCJNFfWu1%kgFxbO4e
zTD)0BAz*t(yKN9K>Jj@h2L$cfuDl%XdgRh{GN
!8R+Qtj2Mh6a`&J0UegdA^D`U=_VuoE_T`F{O}I355HI9(p!4xO>5p7wkY8N=e_v=TZ*o<#
ze%=(P4*WQhG&Q1@^5l>rC%0{I0?NI>e&BkWhziU4p4PpaclNr~~!hwGo~
z^K|*?alK{{X-B?t7(3IAxa}SN`C#Ju?ov&Dr8Z=&Ih9*1iJZ=lUj{A+BD(4!pZRsg8G*~>FRSIq5`Fhi@ZY8l3%sP
z7Cd_AmAGwl?PBJ@t7^^tw#9~yr`7eXji?Mr_MmKfLxgBK34k6a5#No#2T?0)ZjEIZ
zK|49ST7NwY2QUU7`ISg5t8M!{zu~IAJT$ET+e$QbKRH@lAr~Iz6+3(%5qEF>z^d~i5-_0geezLtPEP&jYMC!Mz_#oWpSZ6oNzExhd)+C
zb=|ygy7b1~p53hEPFi4{S@`aq`2!q!)1sb6(D1SD8_cMH7a?2)8W#E&*GW`jd7UT`
zjARSbd~77^ptkbxpQrg-2@t4^Tf5dm0aQPZ@%%fDW-K6?9t~|csI0#;ALcw~PiBRp
z#L+XRs`g5cbYd5xQ2^u#<7rXM5{I
z{j@rluk&Mom9UVL6k?V>4J%Z;y0Ds+0<^wTT1Y^Y<;IeC3Ant06(;q`Hiz>jei`}q
zzXE@auU=1^^1_CnBzp%}`K0CKt$X-;XKp%hckdMW?RH@n4Of}z45I(XVBd-0g;}5d
zZulj7sionnsx(B6&CJ`re|vx6omZo|1e?f*=A83wqmU~*@cXZsf=!rP{jO|1@WF2w~CXKMR|>A6oo*uKT(3%sU#5c
zVCa*Aij-x_-sD|<#~PnUnKopG_EHpeIc0BtFm>pJZoEO?5x#Qct7=3QcLaW#9a_0C
zAJpH>UygVUgY9)>hC9|a!*_XVnyk~<)M~dMb2v7Kxs&4&v%(+?uqE6VpVo_=
zGH42z=xCX1P*_t#Z#eYdu$v0ja;q2hU|mX|)J`|S#jkg%ER8QXr*2~8P_xkw>mB>|
z;T3~F98c?n6i{U$9m9Ay9Mdhq;7!
z2m5RJ{n3YB8AP>VfIh4hGyRm3Vfa37FF6l+lC_!K34*=U3tfS85H2x{SzdKFZH+%IPoe(bpWA`%ttl_S@iQn9`^^tWBjOo)W
zd^wfhaH1c|4UXH
z{;nNom9s)CA!)vYp_7x}g@1*dPTFa=1ybhWvAjF;A%=6(;$m;i2(g|k4V_i;G{_n*
zB+6>%ZK5;kdi%r(e#&=6oAehW_}8TO%lU6VYwk?lVg=JG%=Uq>MHZNlZ;Mw&5(z|zYC5*KTaL&c=Kxq5D8i?K>U;4
zAyqv!u87f&(>V6#-AcYI*QBg`UYs1THu~WGkz_uRS58$;AL&o|iD1=*g3|?@9ZaZX
zv16gE5?S#|BmpPlBGM7q$FkQyApX*!<4wCz8C=2t6%m>Yr^-5bDd$vc`
z=N}2MXcTSvI9roE!j@UkgMU4M2kr&;LE#$iI0eI=jB<--8gU$z&Urn=)WL2&To-av
zkMqoZryX!KLU4NbZ!x-PUEp{>!o^%X%(0K3`%V{Za{|X#pPxzCT+1tsM=vi%ENxdl
z!S>m=F9&?Q%bL+O6uWpM*gY0YG#=bsd~E=ZGVjYr`0ULmO`P&6p*$T#D0WYu=uwQv
zuL3E)crXSzonb1-AN+lmKLdX~C~rn~1lSO25>KMYSfOk31=p`EtRG1s?~aN_SAVQ(
z^;CJ@beOI|!VA*}0jL`Hw0B$Dx$Jy|`av5TEW%H(Cz>#W+V1-ciZUFPxwwv38sGWD
zmcn@}mi4|_T-wY?fm+N8pNrhgcmx~w*_4EBXC+et(xXO%k0a=9RUrG=p!N$JLLTt{QRVx{Hnuzf!FQ$=dw&%K?o`=@2}Bb*GJKuCV|{y*x{bmlfU-
zi(c8P
zy1V(aOck7RiONwo8(LywCEc6^Cy-L^%Rk;W+gAA^!WM!-E~IE@*>=0M^#aGK@W?Iz
z;gLZiH7=I(4Gul@LHN@qZ`Z;8mFopx7H}->#lylvIxvlKGVbqrBwGj)?mGhs(vQQZfaHcxQ6bmc
zEaR2V2<(@8KY$+vt`|2XafkPt14kbp-e27K3@9U@qO3WAD&G=g+XNTW1LH%KVmDBb6o
zxc1&_pWk=B-}$cV{LWu{t&3~D%y-N&#~kB{`@Wxt^-M`o3imw8c@zqTDH$5{`r87k;1<}8xg
z1b@@iwQHGa`(|jkzg{u5wRTf4L-*dmcICE(~J1iKK_TrIfDJYh7Lcz=V=}nbnR}w
z`KcLGqrbI!WcV!JV?&8?e(PpFz?T#~qEp<}
z%#!sBd;42Td$*uD;f+eu0Qs{EHMlc7)0_Btkw-n7s~A1E>T9CQhPQ9;E^praa8MaX
zDYCjNzdD*Xy3BKSerK#Vl=;D!)1-0w-tORp?(Tf$K*#n^pPQKj(q$H3105K%&RThW
zxWZad=`50`5lqWdc2`!sURq5rCdKkuU#zg#&k8~1!r3Xg%vWQr>bq#>Y0lL>c?&d0
z!L=2$n#RiTyUz`e8@ChiHVncAG2#C?8Y!6R>+&uzz^{P*8Rm9iDw%=e$$w
zlm%yJ`0!NNqwWg6tZD@6S}Iz*CPackK`uS#pt&<80&JeyxttRNdIkJ)q;mId4AI
zmd4Awt_s$~DEOOrm--S*P)&yAx=!B
zb&jyGQcy`@agK=WyrQp#4xRFR7X0e7`-=_D2Q8z==oMZsxtznA-#0}#BCoq0OU|gI
ztlZ<+-mg5o(=RyK=&X={BS9*u@`kqgJ8yDodKU?2`pOv3UGY(wZbwY4V3oX4ZS;!z
z>if8*>D%oU)5?a+@lUThV}`{mYqht_?z2gq@@~hl6OF7x%@!W2#xl~`v6`fN4>a8p
z-5bU0d~q}BfF9?0QY(jsmtdKsOA+t%{?qs^$MpD{7jJ{L-LYsJwb=t}wGESUs(wSd*#`x(Vm(jEp&3X!l!Ai9LLPpQK5G&QpGJS#+zj1Z|}38
z=K5*NibeffRX1Vd83j+w>J8cI%XYOdM6axmVyldi){4Jvx%1+#052yej@RtaAaGiJ3-0PbejT-gOdDO_tSI9JVVhJn2W-H(}fP6u9dD9V8*}|A7hlp
z6Ib!76p_3Uj1|p=>yKk~b#`@---kj)H`2=YV~@wT(9`A5;%PfS<;##8%=EZazSm{b
zEs751@Tc^zel$z$TGS%pNKm%T;iu|Wt6XAOrjd%GWNipd5mTlgZWxj|SB*Jb#EqoijFw
z+6>*;Y9ru&%MsZ^>@8Kh=K2lSCG>Lsec=Q%rU=Zvnsky&?9v%nDHjjAjPV7Y32@v9
z-*33V{w;}WBu9}v}f~(b|gKuzhuS5W4%%gstLHu^y6t*)1{wd*V9Wee~3HY5k4Q&lJn*T
zfsW-FFUMOA9K*@-KfHo4B>2DBPsglb;|uXvpw`l8LyC5ZQA}s$X=mrVr6gDiFX~Ti
zeBQ;@^R*Dqy%X~OoX-8!z2{5*ssgEX9s~XFDRqe6R$D${raC(@@092`NF8^^Q}sbT
z>sco98Xx8*%53FmTfLi8jBftZtPFy5PsfJBsba3VH__sxwqIPtj`&PD#V&YbggH+`
z?D3PVY_&_cb9Bp5`$>s|8aHoK#nO|>*4RssQW{~`rrHxOBBtjRp=g*SV
z)hw@urHx@sf^xL<)gZiYe!kfc*g9+-b4V%lyGR!*vO|9)vc6)PVyoj;_IoZVfA-k8
z*n^I%S)X^1U0AwDIkI=Ug3ebfjys2S?wZ;K=IIM#j;M>z6NHp`(IdElofn-qq5_s~
zv}-+i^_67!$#cQROyU6FbB?up1nr&=iKbMgzBT3gKfNWFA;jR%B|37qu-%T1hOpS;
z772z5zBa+E9<|eh!{`UqYdws^xK39E&U!vJ&6mahl9|<0fNL3O_$qmyrYQ5tFiI}}
z`rKaeeAHK>CpgO+&QwEKw=>S=aRv)~5*!Yk=3(G3(j=oIINY0++sn$EPk6A#WR!VY
z$1OWQB!jy92M)E|T80q^K|6mpt8|{vt6F0r{P)A(ZeMva@g#hymLXdHamFltO2=}#aqlFW7d}Q??mI0GBj~>
z9&X&_j88P!iwQW@XUWIpC^>rNjoX#4+H=8V95fO%N-EXY0_Yc3YIUYa7n*RG$f}4g
z1*e?HeS|)*)e(l{`(gs4f|Fp-e)#l;HdShZl1+q^DA`7}r%zmC_QtH#UF-COxQlgV
zl%4q3oll1cT)lmkS?`qjgNGE~c+N=0&8M8tR%OgKwsJhjh_iwrLdZ3-2O8b
zIwD@0z_&b7_JWl|AL{RX;G5siotpijOYqR2_PoD5*%y=~^&mz*0b7vwaL-{9>J_0t
z=lw*2##35UGpBRT)jfKrBp*Aw;^^dB9QXK=d_CSJZykY*yY%|0)DO<;l>{#Smhz%v
zeaF-LOZ?QE?MECpM7IbM2W=0GNs`Xb3`Wh`Zl$A4p37l{%Lb}{CfAcR_ub*XTQr$&
z-e-Av&2C-hIYqpTbksw%l!wQ8cbWkDDQ_yLS0Rsd%WH%AM9ZJENQ~XxOmdS9U}l>%
zmSjJFZZ*aV6;j`I&U
z9SQ1^uncxuvTovln_IadOr}+d>!OZCKXARP*lMN5K7TInt__Vm*WOfz+j#DnB)dM_
z(mDbk-}vlmJ#B~MN)S_Yw6{d{a5FDo%bjK~rx#qguBX2^`QitD&VNb5GNsw1cVS7?
z>J=8*m5p*{tlf=*Myo!I`>zR?xT@JP_3%G-DGPpV|2*LzVNy7%jC~3FtSGzDg%;N}
z6uH=Cr80M_pErmLkLZ{M2=_ZUP6wXNFTOIw+&eoG#%zWAR?6po5smNDyr%unZJRF%
z(=hqug4r13917ANObTM%HQO`q6dEQM@M)&hi>%Z~li)VD@lx32zc99P=>N5J{gK#{
z)3GU@6`a3t)xK0bv9|b0QO*^n{!;J#)kpYiVuuC6k>(OklAR?Kjp8;vjrm#?{&=qw
ztlt+~rW|D~${q+3ViyWski(83xxjpmDD_e>LE?*v=|_!CGxYaSF;9Exe#v7Q*Cq_{
zX4spUGd*(~S1!UMCE}fN*Tl8}J^w^`aK25P!
zK0U4T+frICfgazD)*BL4o!d^q>uY3MDDNbiY+XV6WS{jmB0+{eGEHGe748Mg?Y^5j
zk!nhvUZyWQVv|JaC0lnIS}xLx;dhSL>OGSgVc9Ud?EOOcDK=-S@uN`2;9I(wgNiYi
zaox-ZwFR(~u=JT1!!hiG&f=;)S57UlupqKx?B&v~EW#u|72CyqZWEX9BF%k5st-Zs
z-PS>9BZ5l@1cWraDSMKrNpot|&PO5QhV%aU2Z_{Ht-JipV)<5s*v(fN>sMu^cs9rz
z7c0YZI~lvfwobE#$xba|C=m#TM5eD^K1+J_8Iw05=TC=jya77@$F!y7iVp*%qDq-`
z{QbY4(urjas1y)genRh@6lo%0eD5W9oonHWF-1pT&=ssRBBQlWlxAH_?^~+zZQOZ}
z_iI9eOOgNinN|H$e)HY}mBG#D8nOl%>25V)U~^)8^!dEX#t_}%GRUcYu|&K9^{}ko
zD{b_kwpND7`cC(2v3l3+v|_&OJ9f!!kr-P+RQ&5tztlQ)&OF1oXhEfthJCftc|*Mj
z)meYjA-2X(;HF=At=W|u==yiHK?~@MbGmeb`Wsga48x;TNbi$zwh7+86G3y~gKuw|~yJKWU!0hMy-nFF}cMIZHL8mhQ4qk^;FY
zex@?3RT2){tA{pgJ~m?1XIcXu1Wn>He7;L2AzemJLzHGC{&4Uj-ZegN)2G%dO$sYX
zS~N*kUtXR~lp{30bzW+6LqOnS3|7!9^*~ielj5e!3QqTZUW$z~5H)zFaESTWyJ#t0
zEw_^moV1DkOds<(myH_l(_`C;>&t?#v4;KE)STZhDbuO0g@}qd#_2uxbr59M51M=`
zN$@d@ACt;yDoBw7N1d!|$ao;9WAC-`Stm5rMV+e>B*7DE?%GAS+VTC{e~iv#*%I8`
zO(ZyY8q;v+RQ}wiGPU$aciHL$u^2uBJO{6zT|=U#NryiN-Nn~^m`;!921}hoHHzX%
zdXPF@w|Nrc>*F6LwK5>drhjrnu{TPK
z6OX0azMp=pd(L^AumAk$ka@E((XZ#VAwDP;Fs;(g^!Q|L@(v4u2ny?9{2K|eb
zx_y?Pp-m!A#M4B|jx;;OOsu#&iZFO+HjMT(y(^Lb%r8Q0H;j(Uw%CWSUYn@cuL`N+
zT!^A~s?^dpdcwxV+0yf*F7e=ElW~Q?VE<)P^(SJFnZpL`352tIB)wiHhO8xFc%Mxe
z!~CrlevcvPm(@3o+aysXlin!_r%I&x3QZ`Je*Fw*zl!ff;CSSmaW!OV%)mxLuHmZ5
zwF?&C>-#M?JN#>}YRxcCzR2ep;(Z?HU&{9^#7x=Nd3pVwnGP9c?isXZGub&z3=?hM
zlF155QTHem?!$oK-_!~X&&0_NcTa1(i(FEF78KNk`~8wsvpC^3m!FpJs{>e{7YN(^
zqBQI=tomh079{D<+H-u0Q$0(gO})zug~E7hB_^gMBPR9_wG1?}Sl?Gd(siO_4Th>8
z7_MO7CUk06YWVypJt$ct>FkxeIh~o0TRu?UeG_n_p+VV^nQx~+%gxcLzwfg;0j7xP
z_wTWU`YH9tv`??HQ;=;>j#f2|-WE-dd}r?^cSFN@B;n7ogJk))rf>=L_b+GG`r`fM>F>#)n{X0-QaLr3lfIfm~@ZG)Sf>X!dk
za;iPE=F}zGJJENOP?ZT?ywmapdEy*Rb#9{%g~ESf1@fhqg1msKgB^>pnS%+M#na9aaD0|>TP4nZ+2Zo_`IN}08C(qb~UE*
zw6nE$5%3hcelo8Bd`2#_UZ*-4;%XywT}wfUO3c9-O~u8+#lprc;c4a0ab5U4m7uek
zxqyne>9ninM
z5Ax0bvJiOOKj;6q(f`=5leL`etAMzJsT=Z88F8WO$a)3L989gu1WrD3^K){r@tLBT
zIoQq6%v?NXoXmV?Tzt&toMt>Grsn+oY-papO(kRR;%aPfibke_$yuym9xh`pem)Zu
z6J|CZQ+{SH6K*zUV;(kMW;Ro9b3S%{w7CiU->10eYz3ZRZ2R|BAyb*bRNNe#X574H
z9L(lyob1e8oZP0&{QTx-%v{F2+}xb(JRF?-{3okH&OzXgl8n%G4i>h5T~V?%b~Sf!
zwiCK8Z)NZ1`L8e3tnARLuExlwvGZ`Uv$6AYv%!>H{9IiB8l-`Cb^#+t=45AM;ovy=
z#>`Ye5@s|8W3#d|wm`Ew+FP7_fgFnfybNrtG2$CA^T~C17XdM6w6Uv$vzmj0tiXZ$^Ir}A=S(UP>s(x&y=4A3FZF*LC-}!)rQu!&XRp6K
zUlr~2=eIur$=2#*tEi|>f`EXr>7VU)F?L6rog4w|hy2-=zvUfR^Pg*w&mcXr{xd)RWfq9%{2%=1FLV1p_ym~xKM(mI
z?eBlK>p$D|KiYx+(cu4B*MGL_f3yStqrv~NuK&-r>-@hMHrgJ5o(J&ffPIhCz`e0d
z2lRcUYF$~i}AZ5I^k!e!(K0~H-h1Q)SgWfUZ^r_W*I2#{9Fho_@ZR45to
zJ8GW8OQRmHYJESqe%*@0JoN-GNm^5lFpNZ0Jf-=Jxah?@VFrYR;i+8nRCE#<-4%|^
zXU})v#=LV16Eo$eBQ5m}%u6aa*N>e1b_}k(e%B(y!M}c(-Jr7_?XorGlMvVPjdOo#
z*}PaM=M<~~{xOnWamD!SqXDM>pHKeJE~5VW{-z}A?4OHKL>N?mJ{g%{`v3X#pMn3`
z9;!d4@E@c2|J`Te!E?=+vidT^!wI#Su4?CK$h?k;iTVEh`_zvg)E*wyFHSt$jO>&s
zicQPJnZ~gDK~vk#qK^K8wPjietL^qCH+HYhuEPT)<$=@F(K#a^V!N$Azc(x0L;*pb)QI?kvZja?p
z-dr58>Ce`dRaE3T5V&*a&cbkU774d?%BeHwn>#u}+p&>52cMz{P)n|x3+ledhub=(
z_HkRwBWd3}iJ3LBqjZWalS=GHG9Mi7{odM|kwk7l+1`cV#Z&G&|2l$6`#n5_k&BB<
zZee16J|luzH`BD~rS(`P{~ao1ER_PLKPoKX(!~*et|Ni|m;AHcU
z9>St2zE~G8j5yTvMX{T@{;WTjmYWqC8d~nYocW4IDpUH^_3whn#I=S5s8hA$^-WDS
zUn7_oMk`8>b|yn@RafJMe5~g>lf0J-nx@?>N%l
zylGysH;}8Zd*K?3+6URUpWY$kP%@bQ&=6B!FYf!R;Tj2-Wmw_5oT-sfqWjAC4Cm=q
z_R9pwD5?^eR%Ux;v?rF|W#dO6B}0WD>m>?`++6*N1$fV&w<(ZeC{7fHX!m=G7rn_+
z_+U0ssS3q51N{NGq-sT$%JwH4^oi}1D2k=cq+l+P@QiB7rxGq1UuXVr=b3LAkp|u}A*8$-n+tvFxqAH5EpKl174KZSeA#WX5%=kn
zCzh*YRl`MAZ;Xv63ejKHQss$pNqOYK&c8b%FXMRU8wzux@H!1m-v_yCcEd$2VZQ@#
zh~Kxz-Odt!cB%CpXPOwP6|6bP#>pBNryGOQk~Q
zns@|e@#zM*V_waX4*YnRxBmM5yBpsBJ&S(%+=obm*O8Ht#%`6))6e^J^|KmYTw7ck
z`Z&+PNJl3o_aKoQR%ig{F
z=qjs0c6vHpU^}bcr+neV4b{FJUEUtv-m_=Vc4AZBPyA6Acw4XWdzp(H_yyL<&7TNP
zf%#0sHE`-zVza`>2kXcgwnnlhxUmketayX_bGt351-94tZ0EvOGQMc|VgzrDLS4H9
z8~1@shu@Yp%eeV^}1
z%aVV`p*V1pmzURVX;7Klx;KCS`)O>vIj{(vlk;=Lz=Y%b0!wvW=%ugd@cHrdT5pmV
zc3H*k*{|rKLUdn^pI=3X90UNEju^p|sEJd^qMrC{ugt^txhD*Kax%Tbpw?_PGCebs
zs#9#80aopv-~-M9*#hgt)}qKTs8ErPyT8#AQc@#sFVoV}Ad{}*nm3zXwDLthf0|T1iUPb$r%(^9mt?YQn33QuV263_{v%{=xY!s
z;1+xIYaClPl7-n1dCUFDP!S?3cteztGp0XEo|T&Vj#MZ`@qVShzrSsdBqb%K(BVdp
zd&0FVR~k?!k@pP^3e(8@+_`gjakJCYZ*zvV^NsFQbd>pQv)slw2`DX)vDvC1{ROsv
zg+N?lokoLUWMXpt^htb`e~BXSpN9~~=Ng}v=YV`m8UX9)URM|^TDmjYp#9RNON3Xhpts#1!rh{zOt9@?y?F5=
zWc!juGFDdB>5c?LdwYBQ!!oeF`@X*FkR;TzwUn84ij?XCaHnTyn?#W#@wa`1A`mSJ
zi;d0xXwhLk+a50Ltis$0E)$TILdn
z=X42-vp1NSb7RmnwCfKfsfQEbD-H@es}Rj4^WrMAimNLZ`A@TjzN|C|kLlVU&9m`O
z!lL4HWXk8ypLbg%_@+8dHg*v!W`mRHRJi9ndi02*EP@Kz6RJh96GxrNrqF>VNkP-fGenB$hOBV9kvRwIIHdIY+U|@i3Ed278Mhef%%d2H{RKKOA
zMHc*fw8G=c<;%%CJD%v-RZ}=PZr?pug;+l2GUsU%)QK%$HpZetrCq*wF$r>wB}AT~
z)OI*4YY5x%UNgjy7^NWJX#V)}^zE&C6uWzS3?3`rk^JU7)l7|#j}K-rcXYT9xu&bi
zXPXdUVRN(e)2C1AuV23l2e~(&mOyyv((9a+(Q>!N-V!@qiZjSx(x7f3adRGGrWkAW
zj!8+n4Se5M=3>#8XL#IE+i~{l3yD(u(Qb%P#a`>?ZBguEGBPrX3`!xk#UT&Lyc_Hr&C3s7<>ib?^K0X$6!KDCpN2`5xXFC!G
zs(tr28m<}6!TBl;YGvi
z6=%rucP&n#!s0s$G5t}oEdUPH-;19^++DpY-giseZLaeUAR7%p!Qq@1?Mzu;KgdP8
zZp0a*C(YRz$OSF)5%!}BXV93J#po55(Ahwe+xNgjp
z+?%N`2X?0cTQM~|JGxAj4m>(@fy-e`5Ejn*b>U5Tc*>I}PjDC^$&G4v
zv+(kk)?n)KJ5TM%)lUETVO%~g1rRJtGj9RXvcQ9bPdv7Ri2%v@)go$YYKBW4^1yX9
zt}tq-!Hz+cDUin>AQt0;fdGvsI?FzP{_MTp#=AM{F`i-B_1^U+3f0WxiAm(I`i|Qs
zVsCpj0X;w|=$Q|n@_^r!<|rz6$V6v-iCi|F?59_+5`d^8UMwDWF$z`iFn
z1R+Y^n+q*XO}FZD>xi7~Zo4mazF@7k99)$HFP`h=LK5f%8M2>WFPuN$4d}I}csHoQ
zMA^(N<>$|zt~1|=$%VYtz|i_WKgPBj?)qf(`H?pQee#XPgx0@tp2xvaix>0?2P7A`
zpbCKAcjrf-vxmn3gml8om+L~>&0J>N`vCsX%0K|t1dEDwAI)D|b42J*G@p}6M4vHa
zmEnBj$I;w2sYrk~sPa}U+q!8==QC1l6KRZw1Qram4P{1(&;vCNA1tGh61zNqA5R~jEaha$Venho
z2&NW=4wGc5(Ec~~gfkH83%S7aIy`
zFkxppc#{I?t~&z~;RqFM;A=36523<)(r3;S=I_QL0sNDb7^7yc+G8wSF2@N`{W51-
z)rI{!d=Uh5FN{@HJbL_i**j$bQXr)DzDlq4jirwr&g&nwzJy{@(T@E#e5g7xAkRR2myxoAZnZ0=MJS0RNV(Jx$(TPs4*~8<`oH;|Rp^>5T
zVNMB!3bR9^K0PQWohdSJY{&FyXlW&G-HTVt(#Y8WoV_^Lm8@Nj*A;i$qv*k*x6o#<
zYP7I#IgnI4fewIR2;YX(Nj9d3**IL`k+(3Amj^t|ymhnsa7!1GCX?<~U(L}bYn+fz
z#GN+{U_hMK*hVs$I>ij+@CUJlxR4iECNt9FyK5hwwi{EMfJ})bcnHFbc4L)8^TVda
zI^33>R7ff*_x$zVj&*Nk#kw=`VE`Wa!tdMJ0x#fv7p5Z(OKc?5XsVBod>}3f=x(bf
z2>ZGMro>XX8bZyPuA26e`m=sVypVcdvB$QwAYqc~93F$aIXw
zYe0s4mw9d6_n%y-?KN+U{s0F}sxt#{!EUei>a}Z#8(D*#F;tFURav>w#ygJqpB04-
zoQeCARtPa?WBwvG7S_Vrk2;9ET$Of^b5(Qo%H)rI93fH*fj%|QVgX!q0pe{yf3Z^1
zUF7J_UuB{LOerBQPA4d+2N77s*48#a-vg2iIQMN+y2njnLm-;XgZ&|~=PHZdPAI!>
z(%mzN8CVY&Wn^mPFaW#|Xj7z>4Oi0A(klP@gXRJXHD6ajgi4)WS;+-mXqfP*p}yV{
zxJYUgKY|M&mV;b)50`{1EGA}zCUkRcO{wO=q3hO?c8-2U|A$5?06t52^c}JMrp?$x
zMe=b1>KCpuNe@UeUt`g0&R@&B^B8Mkyru>opIKX58yIjM_#>pv0eD)G>%0nLZk+-+
zWPEEK6R+6A*-e|T?CkDlK+pt@^HpOgWgbXbbSx~2fZPxz6}U(eB?`rM256llgJe6(
zcC4~YBhLUx?Xg39K`#?;reXLLl;67JY#>(^9(;B;Eisqa7V+W8p*%
zAZZivYf`in15cN5W6d`vHL>fNG
zfGL_sMn-1VA?GW`@+E=Vf=G)2eHJaRY25>3gQ=-p*iRBk?Z6k*x80vJE4ct@dE3_R
zz1GOp%fL8|6_tyRNWH-8=33t}T2YV^5~ffHd9yj%PAo2F0W`~0j1xdy6d84qMv~}3
z9Bh`r{S}bnaPf~prp*CaBOPL`JCZLfqBU}K)FB7)Y+O7BRf@v(S?k3e@HEM1g97NduSnhGkpa
z?SW2b2;qyJ*~9<=`CVp+bRuETtRSQ_D8CmkZ#@U1(R1?8Nw!CWztFn01;EpipW;WBc-fuO=$?1s`}MPibElF6jff4
z1t1h4#rvdb3PI1#6&Du0PeztuYQ@&-ZPDCv2y#mi1pUGnqH92(12|7G_2VW)KKd4@
z9)c022)dM=&h|p{E1GC7tJnIJopRxHNq`OM0fv`*Z)V;V6MGvK74^f8L8mC4K`lKI
zpf&Jx1w?y>71;^!GBC)}NWBC?HZnCi`DUR2_);gx`^4gSYhe7q=8L>HtsyHBsmy?U
zw`^c)4@f4U#0H#(0Tj6;bOfMM!~4IU?rknct`wSg#OEM~ZnBm6F_>CPD@Ox7jP4Hy
z1a7Dd=@-ORSQA}V9|MRkyE{8{_u>VS8UaWwKr{>+9#>Y2{w)sqf#vN5~}5
zqOZUc;NbkWd_j8#?N%o6!%vXQ5i$+0a)p>U12&VMn)*k_H1_@b_rrk&Pq)YE0%lMW
z74?Tm9?r}YDkCea0!R^ZAwq~joM>oj0%W2LL>cljqOTqt9E1aRKyHQoSABTuOku-n
z&d>-pY6}E&BLSdfZzCf$Gn?ug8?6C2@i=&Q0Um$^rUR#;+Vx(7_Ru4;2Y{9(WG+PF
zeQx|D3@SWU`vC;H0XE?JI#lYAz~e9$JChs@1mPUuXEv}ic&rb*VOZ79&lldmTW)REU%p2NT0;>&DmLy4Dz+K6D(5xXktSec
z8#6Pr=mG6Y&w@6z`+Ro;$(1Xc&4sVuyvZTuwJ$0!EBlbO;&(idtT};wnS^`kWq&yE;>3gXNzm@O&i}}WN-M%3(MmLg4+a%=KvzGqD<#f=dbS%C_
z88br$|1nt(2GP}8hew?aO2kUi%;DA(2%$rwpZY+ZH=RoEzxOwwtw=l{v#S_~c
zfb&T&fC?r^omWr*u=e|b^Qz@Jt{I!~EZgxB7NRaQa*C5Dl}wekd8B
zWtGggwlMs=1~D=Htvo$F(;))`A64A^H2z>;0ZJ|<8I_ubzUqKW6xOvsEeFtLfE-Z@
zbAsPd83<~2J#JZQ8Sk$$>kO)`0M7yv_-26}5fdL>e9#E7Vufy24BH^96FU+BUTZbKzsYLwR>h3u`w~zVH@Y|r6Ab#6}=Xn(xf
z=2ni>$uteTo?^Vk3l-XmGDZU~8+85Nm!%0B7qwU}G4zwr+bn>GA;?MEgJ0xmCwczV
z`)ndHzirSjEhlOpdQZRAbOn!RT6_We&*F0Fc>h~QO}#Dd>Fy75en+byupqHxxDYKD
zVDJ%`Y&5%R0KHf(pp-0-!T?kGMd_QkC_Mp
zss|KFR;T)Y8N>i9N)#Uk4+e%22_jLwx-J263#cCwkrk$e_Ln{)^&ow>biJ}dVBU6P
zdQ-;HJa(CoAuHPHbxX3_nvT}$@Db?%s^PzyO%a5);{J()=Gq0MY^2bnUwwZl-v(l%
zu&R5$tBZ^3c(pI?IgH7lKjn*UOf`a&j@`h?ksmn`qvJdvR&yX%Ac9AxTE<4B=I9V%lt
z@5N`sk@G9~)ok|b3V?PFn&j&h^0c-wVN|mv;`+%TR9I2C01Aq!$!L4a7&+<&SzX%0
zF@jN(rJ@c>3Y0OSqfi>VDIY~8B2ptop$dEt*E-t
zZHvK_ZnCNKG{QEMB|{1Ysdg(sEt%h)O&EaKit8&baQhQvZLnv~>8^vCMX<+A^(^y2
zntg36fG+{}e;B0*`|dTH6r@9-oj;H9=FJ;!2pGN)=@kdykDgwtySf$u>
zM44exU|<=Mlw|jn!bZn@y$$aEIdPvG`9iCwm
zcbErp1-(!Fqv<8NOZnRBLys{pDMpQKX-#6NiMzHsEEE=PC_xIDh$RYrewJSG^(@&yYEnmULLC&Npiu5AOV}rcjy}h=&(P}@E$Dq
z1+w6$NUuSe!8l;-<-J-XW0&O#AIzuUhteX`dK`2A~q>XaR{`;pSkSO|dZGd`c
zLoSfnjH;~_#fo?g7z&q>5x^TyhF);&MRT=p9>E;HX+)^Icg*avXy-7~0_
z&~t$t(WdW0uH9h|NP;I0tVRfzQdmz}SvjC+HY=|hsRDEhvOql#3NPJ2)|VNM0U`h?
z(#dQJXVh#DlW5WJddF#j!pSAa3H$1RnD}BPOM2-
zg%_-`?x+!+3em(00?yF;Tu==lGDPd&X7$@&E)8J8cts32R{=Kj!pUYLHSIoBC-f_T
zWb7X4^XsRC5Y(KJI0TX;h0aQu%j`xYse>h0RX|Aw)F-0(T~gsxkA89f(V8>wB?u#p
zBBSW>Dj(i9?rNYWNzlN;_G!tiKnuqgGaW#K6~%f!`%gOEFV~|SaF`7$2iM#|vAcsv
zX#(y`>5!U84IW5K2SIMA^=}cE#OitX11=)ex+HTQqypQcFC08P8b~34dLTzF<2B^G
z6reEbKYsi`dM5yyBHbkj)$QE8oOUn4zNb;$+yR`BC;k_P(RnMOpFsL&*S?*3(eS=>
z%v%n`2vuO`NLvKt4SL|MB8MAqKsrIXghyrkz9y3#2WF;KNKJs7!Q1nyUokn)zH`pDF;`(
zT6AyK`!S-?0szi~PLkHq!(+dJ1IRQWYKxKZJEwsE;gpR*;OPZ{jLX8mj_8(RY%|Yd
zolcHMTP#1P?iR8gNCe~JT|0+|r-29rdAtt}JU5p|wv%EquCN;DL4MKzMGfIURZzYT
zC~^XB$N-5!t`r}|L5e|zQl-<%H_8+VeevR>P1^UscOrh(GaU)65LLary%}IPG_tts
z0Hb`pYBy9UffVR|{ZiJ`i>0n$A1ilb>`U9tQv`8S2L*8U`nP?nPHKF3nk#
zz5@=q$b;`;Hc)_DLYxk69cJ>HFI$g%2>us%v0KM4pR89uuE^t=@$>htH%
zs{rgn$}oTnfgLT19Pft0hH^p4P^_QiU?#@Fb!W{OX~XE71a|y(#RieiDDSV`iI#h?
zv$K;f7s&#WwHk28Zr@SZ#Y~%lT)*AdwSB|j)FGNTP^n@4fi++obrf&pVQCP-IcN{|
z4I!JCLt>@=kr3`~34KZtGfSrribX(Cvz}|j1i3TcO6(JnX)>W6khi(&=iG5~THexx1v)0tDE
zsG<14K&fa-N9Lex*_KIeB4VFFWg2|^b^U-
z$grE;jK2ZZ(eW8mMj-Tn0EnISrTRVEa-(@2av@Y}K;fr=zL!qFya*8fygwW2VRh2qvgC((6#;;P-TKB
z4Miy8s|;yZ!`@Z-qQb6tM&eVAtOJ_hOfS^Q321-Kaaz~>(j}DeFyuK`fE&Ipm*k@$)B
zjv;i|6#A@3KqDVW@N$u?h6vT-D0%=DxyaJeQiUcRrU<6h4v?VC=X1LtCVbsMb>f&d
zrw=6~@OX4KoJqSo%*LWL&WfDdbxtYpaVZ#F281+(9dzr5LOnBWB@OH!DJTVm13ae#
zkygOf9ztn1{9k3jguOTWG%5EuX{viGohAdsW{Ed-Vus%kpTy!nw$orD<02#se1^jA
zfK>NtYWtEK9%m1LX#E5Z4UvcZH$W0GKO|-a}p(YKh(Yim(xg5*66N3O<8{PmxWpn#!lwh*VR(
zeoqAoH(J;GL?aShoX40l=p;)5dGMmoU%Zez#_m!ZHUeHIsxhH{PPD|LKr1{pHg
z>Hb(>PyV=cP^*|9&JD1$)>9%i7-=A=7-;5ru1wl~u(z1^-H{YD^~NygU_BQunpi=v
z?l5O)8!#W3xro31-KFD01qI|}{6li?pAO=HjuGJ$^p6pBaH+sLP8vJ($+L~1Gck27
z;rQUzNvI{}8L4OL_U5!L)`>fM98U}pR2GO@GL6w5yIF4`PC-FI!17CbbMOJK6f&9t
zvbM93;5bua!6DKrf;?%WZb3Nu#4Qk!{;p1F
zJ`_S}zM7ZuWkKx;pdp-gq_*C;Hq@c@PGjNZ-zF-UcCu#+m>3R@?wa~WYE66V7Sj4K
z&oT>rekveI!U4P_%ULN^rn$j)byYx^xL#~O=WG&>^V
z7zSE-g_JZ4bO1)s=zy^vG}S;Gi@lC{^*ry~i&GW`Bv2*03!4oKdwR`)?S?q-PxkHJ
z>L8o%p9+!=c}?oiLZZU)bn9EB1{CPAQ{+}^q)UJ*pCNJ<2ki+Mc`Bd@Mra7C
zIXs-vBfO&)w&{LgQW(k%GwNJ8M4_yHY`H
zg+9yqB+jY}P)Z`^G`EC!N~{wIO{gIhLVK*oc54%#Pg*>nXX*;Q$_=qxo0F|Wn$ONt
zQ&WT4M}T&@(QL|~nac#tPB8|6JQ@
z1V=j%bdg3aQS_nfThm_q%-5~}o$Z5x0`)$5`qTD1-Y^8#J-e|x}pl+Bp@A*m!XSxCj
zu@8gQ1;YPYq!aQh=lw0*+C|L;=<1^=dnR{uuv_f-<1VBvny(9`(CGjmNET)xx$T~f
z@ODTgBq}9{PW$eef+#9V643^mxNHYIXMQ6(C>V`^Zv~X*0F4B~VfOdj6N#H~0@Jrp
zLi`8UJBL|yD(&dbI1w+9THk5XjxDEnl+%-?$GM~p_s=80>LIs
zf%XzIH8tIYj+^;kO_T$m=xsn^B2~#fSqXHU`&$kEp2>%1P50%cQt*!$O5%0~Nba**CM*g~XWRq{b>9FRS40Z^0Q6t2{Qic>0XTxEaB8^_Ew;J2
zS#978z?mrTjkzR5y;Yk5ujqpc0M5uWmMZAAD*{K1q4a^K2+cP)6;wuONiR|(N(qpk
zTIjRT&;jVQsPlIgUF^?6ni7X5DMPE!yufa3Q1*?6D!YLRH@xcT+#6<`slRS-g108$JC@NlT_gu#`<
zY$2#O^V~p%A5|=7RbeDDa`X@lm)OM!?@XMwXDBQ#GB2(8hAnvS9@6&!%5fK9O>VPh
zf;6phC{UCPSNm4zFS1vd04l0G67D>M`ep{5%jKYjLtS>K+4T2pM;^q0Au^O~H-N|u
z5a>Zfb5`t9gcpDuH3!vRo&+fK^2dyY#{P2v^cKLdmi$6UVHp}}lwRli#q;S;wRvj`HHf*WsAq2!?}Q5>`?`As4~O8=-0w@p((e>dPa
z_h_RfL=l7noc?Sug^)lSiW6F_p#*D2g%UnMZ
zK!33f+mLOFP?4#bMl{G6%8=5ifl`zP(xB3?w@0BAX`Yix^E{6v(MY3811XwGlg9J8
zdY(VeJzO3Gbxn*)
z;;g#^#<%camtVvM-W#Y`uwVhP9W%q_d&KWdBx%YyZ{)}Djm;g2b+O2oX=#x;c=#9$
zX42+w-jTv{5>Sb8^MQ%K1$EyLD+XbPw)a8(budw^IyiBtaAqu^@|%c3&Fe@D1C-Hc
zSZ+f1Q^L^nZB}l;K|y62C;dY=(QH6bn7oS~r@V1vizNj^OG|*;aqqW)Jhye>OB}-v
zxZ!WfIvNc2Z%fSia3?a^U_X+h0BC|Q(4s^fUV7@bgfqfG5`z-v7E$`yYJ*#3sDJR<@-NYsl|Xtz#rfQs7-vp
zihqHZ7mE>;xLmR(p>llx`tE6S*3EE81;4GxpT&VFEV5M?4SvyTs(_yJ1h7D%y}dm=
zDNoD1`LC-q;m54U78q#0Q@j))V*{4&0P}5e^Y5YGLL3fO1|5S~EfFV%(Cw6D{5?Et
zY-BpF#OuHI`z;Fchct<+Uaj$v{$3siP2zHK_olurIbvl+FakdNdy-0_Qjn+_2W>rQ
zcj2%80A4I2?LJ?_aqn1}=nOBGFebQQdz1$ecV2KmKtZoG#(Ba001R0T3*Mtd=bh&m
z3TbiJk0H!!Dj1b&@7&?SvO>8xk6tCIf92~NHjE^-m_vImtaW+xs2*)!jb@eHp8V%L
zN-^)l-kO1o^C~QK$SDUEK)9Gj21o0sPwSvLBr^#wEi^|OG__@@j*>e9D>)V1C9jl1mnE8+1LA|Ma?ZP#0*G0
zy4b+64Nx`pORuH*6vvp6sx``A#rvO+;w(VX94)iP=+o8nE=K6B4b^&-<(1sj8JmBf
z0UO*
z0)plWribM$8%4H-9}E<))&KJljwliQz~(-}kp6%OdHJJoU=@@%gh3f3s7zZyxs35a
zt}z|BWbgZ-cyKCo;%+%$_B}qcP1cIzQ-NJe7cdbu0y?AfXD9obQ?I&{{-yUOM)ewC
zS3BMf{&fSL8quyJA5L)ej5caF;-`Q)uXML+d#=^FCCpn$f0RZho3aTEnDd&T#u>S@
zXB#j)6MD7S=*r{#Pq|jrkIm2?AHVv_01~pw
zq!by~jbUJOHWw5`;N(JMRR=-#4ER2xKq|k1SB(bC){`>}TUTxRyHliX#Bv1KuiFz-
zipEnj0VU3hM4HhMpcsIW0{4IF*GCNaB#UF_UmE1$@hn-lGzM@xY14>E#*p8Vcm5>C
zIUFt#=wS?TlpA8qIQm%|s^@ui5ft-c_Z~xvNYe%@*DepB7iR**D&Gr%7>S3A!F3T06753m!j?)*Yg-v
zMlsUTVq;E}?)>~Y3}f~Sa9(2ZrK6Z#PoO}H7_s~nSXu~4UNJ{`Ae7J~Lx#2_YU<`s
zfahm|CDou>?9|r_OA}j?LS9NX@oMi!{)`hFe@=8S#JBl?pVtBejJeNxoF?OKw&%bC
zPnA0i)kL_Ubeh~cfRA-fMGEbWZsREXn-3jx4pN5t5!A)1Q5V|-lg6Vh2NX)(IWl`D
zAlxMd$RyT8ZFq(6J?czJ!S3f+Thh`?UMKw^Nu=PYIZsLofj}Nf(dBs
zODr_0ttbR4R2d?z4fsRH(N`W{R}@HWarq1yY9#;=c0XP&p-Q6Zz7HMPcg$uqInYpt
zZs}%titl-jvxV55fRLIksvt=lDdSDNu@<4CD0$cD6zLZ@voii$$|h
z2i%w%m+$ZkO_x@?L$!m4Qr)dadVn)l0aX8-t3f^2z$3cy_rbcWjXGd%WY(0G-OfcNRN65XJOUtpD*0q_mip
zfrUrVf1p;8p2UN-yGgo?gHIL$a;gIbzq>aRD;A@bpFFkSm%(uz)((`~cq6q#8;z_WV~10MR%`X+tbG=+S&ibgaK8
zV|#!m@wY?^O6povK4tV^3MV{{zTuL?Bq^1M8UCi8l}-Bd>9=qXrp@PX?gk}h5m?-M?U^XO_mI!H~sJc~Z%
z>!=9AacBQ8qKjZO=)yBYwN0s4gUmkZzb?ddE$Gy5-q*l?bm%aglkxCuWI{DF-Kmaq
zIs>qIZ8Jdr71?t*Ys4~hNvWYxs|<0I$XA
zVuf96GzgG%?7D_k($nuJvDPlOo8#xdxLWJ_I(CSrjgg*E%tSX2a3QtK%+dx39C14iUHPewEWJuAgc>7
zsF2;bzLT08EV;-jo4Lux!a8gXay3><{&FR(!F_x^VewcRG%%tmY?*mGS4`Yo^uhFb
zSkHUfn7p+9gh&AkBhN{tdl6}-XdpuGM|%RlJx#L6Ivd-6>oRP{TdnF*2|#tW+%b`r
zeTYdi5{d@69y|_r9HF8{szeCJ!-RjV!YCrj$GCH;Hu4OnPQ}QK?I4cOxP6kJK8~|2
z4Fn&ZnN2ZmM2FnCkrZq@n0ss#A^*p#<;@q
z1gH#5G8R^(uxQ(eo&P60A1xKRQb(JvhUmrGVE^^e7{+efpL~M7Hc?xeq#Nk#g!^+?
z1!I2>VLL?u35>7~oQD}60r1F*Lt_^W?uDHBn%`j1{vy@+r+b?=_^L!qZ{IoZ)VO*zl1U=oKMUd~u;qGt)#9wXant7^FBg8eWFE
zM214y7ciVNg|79U`vVas$G#>MNw0u_Sac9QZW4oBqd^u}OQf+ylQ#PG={X*#0P!iQ
z5RAfV-;>#HUyF*!=Y2jxc0E4cX%g!L>5j(SL&j1A>X`9>BChFC7R#fNAZ#9BbQZIU)_DwgZ?U-t~2z50_)N?$SlTp3Ar=;
zfZcB7{4V<>#X?d&nKx=$DK#5&4FrA4niV07g^z#|syG1WzLY*z%p2%2`x-8qrd#_(
z1>49*M@JLrAvbiFNGvcI5n5HPnB;kuxx;|Qt+%qks}aS5jF>Zh+H*YPx%!fll3#mz
zxPgjd4QP^S20es%yWKc(>^2>LFEPiSBIFqF?mYH2NweTM^OBhGdHOUQEhao5N63pO
z`-7+p%RhBq3Bv0qdh^RMJ2;iR%w|rY6}Foi>p``UcquJGhIuR`-n=%F33)2|4QU-K
zF=&YMqv^oMZp(fwTslCYZ_8k%hKXtYN&nTWvM}BvOsewTW?9Y3^>YXsJ#{2On*K{@h>6Hbc%>1yTa6s4})Kx5m-@JUoOhP%itk)8@beX8Kv!
z?I$je_BScc;oD(t$z`f3D|^o~ju->?w_L^(Zr7Fj%hG7Y|
zNN%<~jt3P0DGVv`WAKb4?9c5s`iA}&>hSNFm{VJVti1*NRq!uhH&U~k97&e*tD1IR
zbwL21wg$ap0_r$C;1$t*Ygkw!@jnblzJKUqmx#r4NA+$q`FnI2`gT_&6R7q|Y)Wh#
zSjafB9W_28?b?S|I|Y9H8XhKx%zsP(q-cdV;fsQ?S8#9w`X5688pOq73v{pP8+CV>
zhH!On-USxe6=B&@Mj}dgh2M4vw0%_PU4c0D>ws_2s{55?x`@KcLd
zknkurXJF2u?hxa})p6G5Ry!aYVJjFn1fh`^*^ymG8vi#Sr60lT*NHCu?Dc?u{#mdc
zUC&3zyjHJY-(@xcIosuFbneV8v)GbN#+m>b%U&wGj*OV=!aE~_9*`$*4jch1PUC%$
zYd^x5n0)*clI2Yph5@WU*K96tY;2r>r^>aW;&iGFYO^WoRda+J)|px>9dEgHda)p&
za_ja%G-NhV4KVtHKwmOAdWHIn9|knrZfS#1*kTh5xt0)ZpY5We=||i;As#HgJ(NG*
zZ|SNwxnh&Z+mGmvo;-c3c=;Q*Rr^6k((YBo^&!R!Z?rbyCxQq`)2vleN~#{pLBx8<
zV=Py|66gJDk_m$t>5!?Wf}HX6_U`s@-{lPI0~H@)Z?luX!F6V|*mC0Mj{(AER^&Ck
z>R;3!0Ewb1^>|!h(UK*7I1yCvPb~W4Gh=WCKosa!q}7e`GKQ(H0Hp3JA6SJ&sbcGvi~E
z?UW>=mbRL20W*z4!Pp1snE6EP!h~;F{|0TCiBXst+V1>1Lq?^2
zt>#ZnvOX_{c`NkO+DjXq!tia07?Fi;-q0|{8&3+SMAmcxG(Ev|xU(}^9`*C{Bgjxe
zL4gE4G@}6nnS?sW3r>4LBAn&sh^PR5FAqlEym;k4lB$wf9Y-5YhQELR{-DC+M`Rif
zVbTUc66yK)aVUT!{~9|xJ2Hf~T7L_o@DdCe=)Be88V-1KGy-om5&G~=H4>&TbUd-37|39N*d97;G1V$XD;&pJgfmse(lR3@HPxc4Y(2JEFLp0F;Sl0s
zP@B+HsQ3>I0pTQB6~4-c2Z{8+@bAc(4ne~+95XdsjUNt3?Adb;1bbfW>Jhtrk9~Zi
zux;^OO8DIkXyb7GNuTvPT4QQtd58XNC@vns82Yg1>~8SytWMjC_g;{fzckifR)#Dm
z^g@w7lW>4B7#d6FzA_c*k#~)-MIeeiU6a}?hfg`QvUMe35)rW-Gr|O1V?aq3MT>rZ
zVPgpJZryswH1DTV@a->uZYn-bc4Bn$we54WR&8C2>B|Z{g!4EnZ+iL;nJMY-Lj8E{
zuMMkVtf5{O1Axfz9>`+@81Fs*Qoxd~@f0(w20{-7_d
zu?0V?mn^oA{qL>~#1z8mdtO&FYWUy9@c-IkD6%LjE)IWPEisgLbRm@vL;5=aS$DG0APN;3eoYUw~a
zK#afc6`Gs=CQWA{9sTI_ML2b3A~p)seE*+}4;Z^5(6Ge|AX4HP8qQYuvT{1zB>LA(
z>rXFY?APPlx1uATrTeQsAflcm=1R;JN6P#v5
zd;1@ZL}@y3AaaQVCHgVG0=-VOX?uYrdxh_3Azc}J`vS@f!bjyrhilTe0b>9JX-Mhw
z{JDW4Z?N~zrHrD_L}#2}w?2jwO=NM$6@-lSV)D?u>rkWZz6gTlT0s9h9<7LSXGJ4J
zWbo`*W?_@)#O_nJWBngAty&{66bsHSVDPL&ad%v{8pda`h2m%O(hss7?bQ>^2e99-
zdVvQ$12z365*N#L$<>VS)4EXLQU%u|oF{$o8c^ICTaFt@U+PIWIxsQ37U0-9bT4P9
zV2YDaZA9Muopjx2Kx}>563(QxyV)eEeUB1AA?`my!l71si94IOWHXg5>?
z5LySK;P&pVx-$3NXxwOo|MXE4uh>&ngL15q(kj)yzcEK_A0wCx`J_<^t
z6b^jll8NPv8=8w59XUIqUswO@&$VS5gIE=h@S~~mX?qA_ptt;IbH8a8eW6Zxx{_^9
z3t&sVEh|fjuE6)*4E^%o^+Lo?STepnUba~n{a2iKEfm(BXlBI{wb7&{Lv#|`We;Jc
zYaxT-^JaSygOQul<$V$8h6v)6KIjynvF(9OJM<-E$;CqZe8|DIVfjl;gb$!D*UA)~
zV9N!4p!_3=4l{B9Z_`We0503)zUA4GH?E&PX@JUU(qY99R*wR;e&fb#za|OVz^YKk
zmn*r0kfdjz$L4=twLch449jl_ql8$izE@WjB89MI#uBiqfrLl7SW_h5+*IKluSF9Y
zLwZkSCRM9|U}y(Yu~LOQ-V1i(c_w|_kc)K%n8)Y$lM&i07@GD7N^ReM6qBbeDn}L{
z^)=3#|8j*UQ70G_6&EkB%bNvTu3*ez+1=?2Lj&fRV6*xUcw{a^d>27{A!w?J^~Oiv
z^YZec#Laz40o>q&EVS%~WDp9=n3)9x?JxnAm6y+dj~(;h!vF+mi3`L|>!69Om3Lft
zMNiM*)xZAS8A(Y34|WH0SxI3-*5kGCcPCr=Y?Tid#DGh=TRbj07paPin+)#vxQS^j>D#(kYUymT6BnFM99?ulWN$fHuef>xwVPS#_fkwRm
zsz~w<{PsE8Y~`3Saoe#tGOJ?E@b2Dy0!RQ!gy_FRC9EDORnvsS#|x+)O*0Y_7a{&8
zr4A}VEdGMHQNvfXvEN@mSX=h?tvtS0N=gc$QXm}_Aq0Mmh#`!Vok;_hmNPp~K^%`x
zRrYiUX8+c)QyBbccjGl}2snr(M?M(96d8SD`g(dj_?kGYgj*|-iN!B1EiDQm;1T_;
zmdb@zrMFJ1mAWG7sZGa^@_kw}rV6G8Q+;Ov-}zXdjy>JEhY>ow4gKnk7br{Wr=>xL
zR_d)^w~ms3F!NJbDsmF93pxcGtj7r&0}rW-`HHNY^O#2bbs<`8Vxq5
z%YjTw?3scjVuyl;q5>X_5yF-2G%E7n>Bqt7Lt|*_{x9yf(o5BkW?|Krc_2D
zhtNu}LGWWJS%b0A$n1xMn6G=NKGp{f|0uAL?~wr}JmZ!Ux%L;0+6!8BY^*tE`1t^h
zy=H{&fYI|Ds;8c~KGa4A%h=HBGN!?}3p2Ae2b@3Z
zRwSiW;*SgwNz~dvo-n+>ix1XzkT{vLWm_Jh0PHI|_LgzO&f~(Dt5}|vvAczZYjrfK
zkeuo2Z^^9wj-jn2h0hMkEuCpddm_}w|6IFEl`l1JAQyon#d}w5-?y((HQmr_^qn71KLxE$2qc!97i~&$sCx|!v`s{lmd|WYG3yojB
z+F%-svbLRz>&0t}jlio~`|^;4Qew#p3dC>fJ9H2$i}$)hg4_v~evd^!>Fd`UAtt(*
zotexzm7g1Ov|m&oL){ylS;Cd`6HSq0iVdxw90J2_Rx8!kr+w1?46G0F;RQRSrQ3TK
zCGP}yBBo#Ad%k=5;HwZKPv2HlnAJ
zj{{YF^7!$kTlo&tKb;FnZ9!gn;HKe+`5z^H9Pb`nvfnWNS~r&>B
zPRj%W!2=B$B3rrycmXC6mJUcZzI$e7ynPfem2%T8o7`MoS5Vdu*wW~d6WN*(vo#bq
zQ8EGr?EdEtsx~32KuzfS9aKVP-IYWE&etzkS>vs7#LR<^=
zs5KaLMnhQ?hW_r7U_R*7l3A&J`&6jyf@`I};4HK{6dVxLu#2DvgrHpWNr9`ZjBQEb+qRd3EhDd%?@?XpxIcF`Wk0Bt67v&_jw7{5
zUvLITxE>E6g7)+laln_F^rFh~kR_e>>r_kt*5U6qMao#GDR-$h!_k(L$_Cf<4b3R1
z++#!3|53bPK<`q7DFK{D$D%(P@l7Qk#w79EKSC9opFcmf91c-RV8CvNOrX7c7{Y_j
z9~N$Sg$I_d0Yrn(`7w_Ty&8p<+d{wk<=K1r^-!W-vBDoFUkTilOQUjoBg!pXaX}@Ox9ef7H2X8aq
ztn{bpWZCqFB+ckXotpZ%3wE
z7Hl}hV^-*x)H21&EG}4
zsq?=jpm)Jnh+~pf&)v9jBY8s*DtpSNEZ!|f++>I_0t~Fq$15e(YQR*4%Ci{_d}=8BwUwdzNe>~zU<%wKsX5o(a8V8
zGtx6*!9M5#eW?h3ps79XOwJFS8Z9H7Q#k#;gF8<1{f6hqJ-m;8DzIKVBM%JcYnQN9
zH}X_}l>mS~AHEgPoC{Kf!~}fZYM@Sm1NVE(v;|ddb7L3g%U4Ok2;y28v4!e{3)P81
z(iy?-dkymz%P)+(4!mPS;PI)=8WV=T7pP%Vo&Y-U!jci_1uxv5qUnq@Na(SRwIZKq
zq;zp+Nyb(BP9na$*J-m!Qg$BP52Tyj83{7Esoxe><&xzeYx2JJ17gke)%ukCI#AO=
zP0jz0*G~?wzRq+nE-p^Us|CF~Iber>{7AC)!{;J;oaGm-uANi)5?EbQ`djwj2(6fT
zf;sJmRJ062l*_gQzieu1A}2c;<&b1}7!@uf=My?JxjaWL2qRh>s+(6l#*&KtA!dtE
z962fBi1a3<0jca)^>z~If7jG*=j22Ii&F5JLiqz?ce5nY4%>6yV-ZoNJtt$(V8QJ;;ay8CpDUu(J!Wb5F0ns@UxkTZ|g>!Qvic%_65
zTDM;sP+XFzqHJd+!SI!!2S;OeCS&9Mo;YLtT5b1O#4eRRYAXP$f
zTg#W89s@xsDXIKdEtw)#f|`2#6XzQwV)+iB0z+$|s51$oHZH^Trb$jue{I1+tkEH1^oKw)t4}Uk^vY(LYQJ#`lyD$ttI=x
zq=8-U)@w@$QaM;^@7}#zejy?KggoBsx!O65>B+C}pgvCmfMr`VZSFN$URD$SPA`9X
zHA}++4!69iq#fYslYF%%L>US1hg!R~eCZbqm;8G_KmfeIr`WhlzU5RX9Sq^r5Ll_47*tK$Db-e2X4tgIF)Ie-&nAG2rudh
z+M);UX>P2-GUTHp!7GF>bP^==ed(Vpj{&5-GvOD=#x2T;>03QAGp+7r5(mj2$pM=!
z--~a{X4*8XwyhV`|6|c2uL<@djKYFHnr~ukxL`t~)_Uy40urQ_Pb-W`&rK^*I3WkdRdxi~<ox>UPOp2{*Kx<3%)YI#UJ}P9LIH
zfCG5Eq4(#rT7TpPZf+jhg){cAF`8h$0X6V%rcX~YYhE`PE(*2AFZsd@u`OgXe#}mPbRLD
z$P#-v)qe;|lA9k-=O+*v^Jy(XK&wF-)w5ZB`kXd-4g>_yI~QxjyG1u@J5YusJrqnK
zyywnU>+Bf=G5j&w$_?b-dD3||iq9l_QQRtH&1o5LF`?yF~)u8?!j)n+?qw2~o2pNSO+5hE)Q!oas*
zTqYplmaMrg1^(8o$>JBR?J$*++B+gDstQkQ
z3C;kd6j{Sy%=ejs;J@q9^2nX$fF>KkvC%|{sWMvvrSkFZhL;B*3aiuQ@oETe5`f$ft?1JSS(j1Eo8{ELV?4`@SkW-nvl{Wr&3Hh@f>z5W=Jf~)
zl)9ZpW*Q~@)Ya9ksWtx7N&FRpI`|_SqZLc}Cuc@+WT{haJZ$Tt1AL%unIJ2$rD=d02sqm^*+9L2+E?85hT`r
zOfLW*rh3|{!L||@GJoX0>kSnH_;%fdHTo7nx4G$0#*NlamSqe_xd$#Tyn+K6Ehf50
z+?QS9{|mAQmeyO_l578T17?0bma4zHR5B1VidkuQJZP19X0Y90_Aws*V%yxFf(7MK!uCbzIl2@hL_i^}JX)
z52A1}4+}M}hIA7zn#J~V8;oIVeBcTR0um&vi`(LSl>r4c(&{Y!Cnlu^<$OD*Llq)Rgx9aYqg
zXgrJvm4n6rPCe6GYFN^IV+%Mk`XCQ186k5K
zdZX}jCFvH}9qCFI7i-z((yIP(t^kM`E)Mk3I@I|Irj0e>Ex{&6&Q
z!#DzPgADS{a0#VrVnOGDMUlF{34w~h~1bU
z5I|!ds^R3wA(x6^`$g0I2*OfR%Po-4EWJg}r-9
zAM~&^)O1^ad9a&2v+6-?IaxQms45Zx?&9vX@V`Ii!}Jr2AV|l{wIN{&V8Oj|5=69Y
z`SM!KhAy5zhs*c$<&U=sOD*gB_ALs|c2Cu-KqBB1If%`EnqYj=?sx}7j)}>`0B0fv
zDgp?Q<%4#x@a-R4suJ3@Ag~!l-@vth|3{qy$`o^#9KKHhpMXzUtY3=)2_>=$MS!d#
zblB=x19#hmeXY5BkQI;%C3{0T!X+wN9~Xi!eNuX0Wn93I?B(fsC7E0lxmOBLG~p=d
zg|W{Ypn1uiwYyHsL&;7@8TM}C+hp5;Sqb#Y8AeUdm=-Snj^ieMQvFZc(=iJfj@$Px
z-^(b9_;lx2A|_Fsd%X?kYHVtV3cK)bLHa9{wx{sj;oTqJ%11Gub)J}_D`Pd_hY@5$?l
z4Dj^wiomd@wsL{yC>|}<=i{@3{gVR`fT$=R1WPE6iuo@D@fWY__%S+42@C`ZLxMti
zJKd8AF{7{wpw^{>Eg0_9Q!RQxAAy}rzu74hP<|T%ZgWVGa*XhhAQ+QD5vT_UWjgvv
z8tbHX9JZpVX0@rf;{
z$y5Ac!veYnaIJcNU!Qu!pKnh(v_2Vy&C7q$5tQqA7(Dv$gJp255^@>9QJxCs#Ga7;jyEjr`md}UI=09wvw{wH=BxSkg@4(b$OqJH0zF@5cY!g0F62cIJnIa#@0a3$!_1kG}H
zD=@W?);--QzHtCnU!bv6{w1DkZ;KC1o`MKSIGfWy;TyM;q}U|yr;KypDtsY*3mq0Y
z_({p|>OHCHLgh0A^+*XUT?5dFEeZwT4ZQbgC*TqEU~Uh6$;3#Qxfr|)hf)lR8&J!W
zKu!5ZQ?Q}lqoIt4=J+_8+tiXg0KuCdX)XgNRRgYB6o;dk*Dop?ut8F9nQqw7E^CH`
z*Ng7D;RJ`>mC>DZ-sWhKNdyWdRV3u^o;z;p_`iXA_$$v3~
zxyH`%w*UjB>sM}q6gQ@>93754Mzs|2caM3;Y(1$l7Db-K4A2r94m8UE`%)9>1tl2Z
zz_;b)E>4RXS(3yO`LIAg3>-(6C|Z0{{>57V$ta?q6;(-0s=E=RmWvfLdCHwGzyBEV
zKJ@TH(lDV7{Q!8>n3)qj;9<-gl)y*cS&7wL8bs4WQ_5}_)lIBvGg3y@1YJp}TCO9&FfSb%mUp8+R!#@<^
zV}#cH*qil*iE)8bO-+sPW(vo^)EbRF9z*x$Vdp}LIr!q{aKS0`;5c9fvC91n2DrFC^k464F3_-kP81M!MdQWMwbu0+ff`A6t)lP=x1-?YK4?Et_Zk_-2|Mefnd?4A`4YA_A*XTD(2;G?fRrH8@
z!uemHHe$+~|MmaxKU5V3Q^a5lc7q5a@eD*7VCZ)O4{5#RMUJ8ZoQiH*!4-4Gpa;UDn??hIJ$IujP}(yx?e}NDh2q
zuLTPiQgA7}ho&OTf%>@PE>f@+E-Q?ZVJkJBuk8Q1*<)sTs89#q$ysQT576z8q@kvZ
zT`>EfQosR#^T487YWzD6Id33C$>q4gL=`tycsz&jg#5Z+1Xg85fHfc+>?C;8QFOb8
z=$0dOBe2PP--q3W%4iRU^S%UQ>Q3f|L3Y|bprL`Y>|J!v$P4-kd_#mYUc}MYi0K7K
zWf)K@sUJlPbC7^opR9WVP2cRw;6g(T^&M_9I>gjnxWm(6kR&X5rly(L)F;byaq*0j6
zHFm?;CpP=L+Cg1P8KBQ2jL#ZY1Hx8=8nMQT6KJ(J22^bTTqA?vo-=y0-=yaR@sdaYy+Va>~!Z
zN*S5EFcE9%eYpEU!%23y;m|d|&$9GD$3}hKLCDetAAR`)j;s0M0{w5fVH>4uV9FdXoZ0gkZ9J0QbVfWtTGTAJpMdgF5*)YH==#|vT{7Oz~9
zc@rXRA|o+sM;5}Qa}w(~2fhsy?=bu==qr>+0lf1RD=RB4TvC{W-q!XR$bb!;(>sL}JOk$~@VamrlCeEJpCy434yRsTPVgpoti#5n5h<3=)Z0-gLxbyo#Ku
zP0*Ae0or=Jev2O+hbfuuZ9ANs3DBFp<2E*41$IKeeQLC?^fn_?e@OSY&1=(>jK;M%
z-~)9Kq^{rY!+$Xn8l=?1dfZAnuYN=L!zk{J^zej%obJiQrVZrQCOi`y*QWI*QK6xS
z(B$l0K1-HjH07eUA!!Da;
za^262u37`Z*1o9|4{%sM+9>$SC>vcUHxEx)zbOURV8DHWjx8ErUw?xaI?eRSgKvft
zuBxruu=g>=Jbi~wMINvZZ(9677aYs_?QE;B{Gst6-@U7Eb>TK9jdO6vAG%jwSy_*}
zZ_czAzk0=2kd%YNn__?L=8yq5Fnl}c^2Yy!qigmr?@Z+3;!5HU5hYRLxpR$JA(%V5
z9%tl(Pb6xWFvvK!nm9R}p|oJ&%nTRN-34;^=A`q47PonRA%6D%o@Gk;yy)
zx8!;Wzr(O>*5Lw5#n9uEyh$iq+F^Ee!Nxa`j97ax8CULc(6orOrN}}Mrk2b1~nqQK8~`M?nsr_M5+v}^LkFwpOHBz0QBA8D_^+SBKMh9
z68L4HSwUGv#RW{Gauo|~2KM_v%8#d=sjLXR#6UzBkZ-Ab`5ZC^eA5RoTgz5RfW}iSAf1-)5OvlB
zN}!;iqMw5hh>$iMH@nG7G;;Fl@yt0T@EgKY2QL*dl%nDIwuhg*vH-b8c}FI%sWorq
zOiGHsjVDx(7-TgTU#juUNkCQS%1IO!CRyiX?`}A=DF6KlMzZ>8}{ZK-^;J
zhX4)z_VUe)G(9P~>!3#TXL8WR(cIrNg-5G9eyboq^RqhoX~EGDzz@C=2+(Qt9K(Uu
zGiReA?+dH9jjW*r
zg>6~nJ?s3h7Qo04(t^!SKN~9=8#C-6F*`H02ePF7P=NJ34Gtc}+2(@z$iK4U`bMXp
zsF40%4sg9GR4&kHGv=!1E5fo6t2~07N}1f?#AO^OC;{UqoMHYm#*~5Qw+QjlK{7Dn
z)Ekp&=t)S3_Ll>e_!2u4%G06eahEnxK5N|&CQ_#8ELAP#ba^8=3i%S`kVReLCe?J=
z`{OWsc|yZty#tZ`KXZ${+tsT+7BV`P0?*iAg6yjbdoIY)HlZHvLwfC&O^m#;S`g6N
zB_;FTw&S{hN7(Lu1)y|Z-hcRzC&LxfNVA4ElpG%*5Z9^2?55Dm5rO{Z4RuV<9SP+U@{097lOI;KGLMMEc{KLiB
zsN!!h00yxzKtG48se!$DgS(0^RiHoE2xLml9~#IfGyUJkpvI;L-84Lu_sgxa+#Xb`
ze)%lQ40BI-m+{?K8$uiHVXadAa?>X;(8wpW4(6arZycL~D~k6jC@NOY!YQ8EGVtkY
z^(bFFILX?$K*SAf!b8ME7oMVf$au^*m#t+;A_$=;5Z4SEDW8QXhkKxTYlc*ninm*M
zYzR6=<=c#;8^N(N<9Honn-vr6p{u@lwJzG+eH}
zRgE*{5mGTZtsx#&?l)aw`^Wu$v^46QJ;!`g8i$y#7p4a$J1{w7Aj|X!4%X^l6@`^F
z?;*qFYO}pE&v1u^BI=a!@i0Iyga?lTszo_*lp?
z_F`qjoOYKxA1drHw5|>vn3HwdR7Yjbuq)pAm@?N5&En~10q?$n6
zS>pWxWJ~IaL%caNxaHV1qaXdbk(MQ9Ed6pwO3MfB>e!9tCl;iEEGZcadNpN_-PN^B
z7Ifog@>(XF;#$r3e8#}P&;H3!zgS&^pFt42=Nivd#Bb>L+`D@Nj?rkq4`xR
zC5w3b*?#aEGxqZHS1x5{7PFJ>&Ai9aB#m2ZxCf|d`#bfEmc`8h&41A6rB8{g>bi^f
zTMTjswxRrY0-iZuMl2y+|C5WQZ!y30yM0r>4Kd68d+8TFiTTNLj8O%_p5i^v$#nXQ%qK-^uX^8pd+w>#rPdE8RX`J0*(Jnw5D
z&ODxDA*#j=CFBm0lHp0At*tFx|0C?R{S-89;kDMP$xzXp}?!)SbzBS7XY=*
zrg>q=Hn`|P?n1iK$FkKO|3Vpo7HTc%JW@{<;K9><^`vBNlB?iA2*t7it9!dY>_-9&
z24$D80Z@CR3FuB6+au|scT;%I`}qwmIpN*j>F(msReZKfuL9yt
zX=`uq$DNQhj*m=;;+j3@;xsK}vvSD*45eDMM@#m&zj|Jou8aU+N|pbGXQcl##jK86hD$xZF)!NL=Fgv#bpCij+fBX-oY^PI{f$*aNl2-ZFq_yQu}c)`
zV-$-7Q%~xY%>_hHVxEp%UQZ35Zzc|=$hke$6{ZN)(QkJLhzPCJ$FzP7rI*K~_U=tO
zS@b;y=Aot$Y69yZN_)6+!c*yUkukKi53G@sV3|4udT$bU$blG-?5Kad?Wm`pUo?1QGodL_`GS@Ga(d*hy@2?z5v64yZG5m7>4KtVwtF
zac?yn_=!82ZJpze9yf}Ts**z1oPIlk)4%<&>wP;v0MrO7oiCK2Q>Ew$(7hXfqApTk
zC-4SRq2o?K1JoXUD~`%wsrf6O(H}gV@o6iI{NdgL{-!0*=yR?ccAT6=*p+HVM}6*!
z1iCo&fi;V6E0U#(PO=^yahtDk6
zj>Dnj9piRgZP_)SboU$u4n7x1dMQzEvQ&EZGE1G$g)6PHx2zP7Cq%{5j0~9HzhD)c
zc-qHHhtP#IEgFN6#~haToY!I+iQi&V0DIN~dZ3Ux#6{)TmD7YpbKxR2Le^`u_X-G9
zd71(YppoThLl|d9Ejtb){$SyO%BIp3-n7HV*-NWFiZO1Gr9$H@wZXUqOKR++?tH!p
zwi9MnO^@dQI$j_-wije~M0?e%!+vO8n(~YchFO$rG}ZN#CQKODUpAo^@U_3salq^~
zx3NPxf95ric7%NNe5i{>8PK;G8K=n^(lv6wFEgEcHE^w5H&F%naK?qH=X`c`UXzz@
z0-aI0Qiz5r8sardk^`e5o3}mkhvkNXr{7~R&S=8-B5HR|PA>JgfR=4sR6JZW6>f^f
zd($v;bN*hoM4URq=5-=3?i*(XSF1$a1PD!WJ=iZd{mOrU`6AgDrdv4=8bk3qF*nSg
z#a*^&t=KZ=H@W-OhG1Fg9#q!SA~FxTFe@2qk@$c4ip`{-6DIghdun~G%auH^IK2AyFiH$`mu
z`d)Q)lE{S}uU;x1`g_?Q3y&OPD%NBU4bxb0f=eZO>u~|I^$#6)F8i#%;2-BdJPsWh
zYM3n&ZS4sFUX*wXsmOmHcWApjj<{s0>F9cb?r
z?s_eI+Gi8iS(!$~(hUi%BVdIFYlh&Kx`N~Q?9lM=*Mpz>2E2Ho*wTZjJ16uby2dWl
z6fe?&j^4tMSOe1skIyJDj_VH90sGEDkWCCmPVzT)yvR(GySv9~*}C3A1oX0@%jxlw
z;JDJ!WK%{*L*MljhGP`nDmz^5Fsm2<;hepfyOQ}pv(i5O7R;*=z=~f=FE*Ov==Yc0
zbagJP9CGNdQPML8`Tfo_x3zFf$=TBC)Fz{x!zp+F`KNbgzd52c!Orr5trpUKvmzUs
zxj5KHalZ>cCnruW5442uAo9aQ1B&|?Inib4vUYQFVwUm7COUBEz!^Q@A@jK%Hbst1
z>Gnp^F+#m(^xltDov)2t!^XxB=!28f43~&zBRy=8WA)18Xn#TY=QI?~fnn-`d?Bgg
zcWFyA1+kZ-Jf!u&<8=zEt}T)24u0--Tct!rl`t`dpV_^0=P9)B#lxCGKu~3YTyH_#
z`LSb^y8^D>A#ee8)yhYPf>y9294UVbB43mLQk3|g0
zcr4-+9E8R;aIe%a<|2+dAmQEe)p_+8Ud?Mov+uq+IDp^w@=wgW>?0AJ8MHXMzqHL7
zID)41zI5qC3MRpxNptsPT(TOfHPB)v}to;QU~NzF{73g
zX+-|dMGQ&^)U=lbAkOS?wOed|=L3tnF^xNTD^a?o>gfWuLaQV--TQRg8AU-jS$^!F
z%3O?OL@m^yKucL+VPQSsrp@NKV(xDC)E-zQjl=@B-Bwao*1zo;Wwtd&9AGnc!855|
z*3FxF$z@f$ZwCjiA}5)Kt!w@Iv6pTh9&3*J(|bdYOb|ux+wU+k6_?(GE>~So?S(9k
z>DP^oD!IG^Kn0m=0bp%zlfOv%$+WHNuwFshu+K@tz+cRmBE;1h@?TAgk~taQqo-Fb
zU;Y&Jj;@cqf1d;@M~)s1auc?iowjb>tcJDz91VgAcX)8w-ASb7>_T@|vmge{qo?-t
zmkl-0`$QEcHyLTAuR{Dq%9VF(jC0VI3E59i7%pUB<-h-DG1ihNj!=n}vZ5lvhKU-K
zsMs1lOKD7cDEv+*R>{fA?tl|-JZL7|6_Sejj7CmQ9P_sfT6o-9_d#@Lycum+P{GRj
ze&ZL37FlJpA?zqjPqmRk=Om6>c&;t&P>T?-Se3LMC>YA{hI?2YIApXm;2MbDuo_U5@+Mu53Yz~
z$G!rXPth%9wuZUVyyda4uWDDz>OKV-DX%4?5s*IQoQOVt%zmn+y$qPoN-LcvBeCBg
z!t^i$;#H!5%E`x?ePCCn}EdR5Z%FAsS+tN=E|?0W0C{Y0;OC%7Vfqzq@o
z75E35t>|{kPpqcW1ud9{E%x+rb8$V!que;iX~~jBSC^#=j_|mf;suzB=U;FC_xq$6
zr{){0Ijx4WF2dGkGF^wx&kw@_DgQkzniQ?&IYvKL*vXwc=Y!F*jFN0=%4nP^URoq|
zgz1nJZW72r`yR4pb!!xQ5km~?hESR#tmD<*LclIOcy^g_cyYb<+G?jxJs2DZe{Yd<
z2Ii0tHDtjx$boQ{zZJbmjD~i}Zd}d)ORXC2F^WY;wYfVgGICRcV!gdm+;xOIIq4z#
z=>Z9-QYWV^k_W<
zG}rU^(Lss!o8n-r2Ry^(y?ga}1pL(ThsVX8J_GjKCld6DA($n^*BDdG9PIl&-T3Rd
zZNu8!5!m~^H`*cpxquB`Yz=+pdFZ2)Egzy3kn;h3gga@_ca(!FTHtzL~(zCENogWe`~>fqkJ@|tgjKsoFE#!r1V6Zo-((+G-;g?}4cONX0
z=vIPVZ{I8f>
zP;WVxyMR!OfQu#rnv^T)Eo3(I^7dAa6;f1C&{^7cfM+)vPK!;93$oE59%wrB8K&Fg
zV_;%w8!mhW`}${*k5}i^Kz-F3i>10Yh_2dngdxuz0jn0>oS|tFONUE>R(|gdwcuq8
zvf(z=7COvr@+yQpw9g*DwJ-mJQF$$~Vg-XI;sS1nlGEb@uQvk|pm|Op7Vm)-Csk(i
zepN~2^Zxe^q^<&C*zbgA`I2#@J`
zUfvQ8Bo)^&djKg_naWUx2h=uw8+@-hr_t4zzkYRg6
zzscN0skC`5Ahm?^Z7TK`w2qO3-CKO__Otw$2O)qRQ?6FC{|=e^&Eec>>2&YjJD?$7
zLBv~$&j!D36)b0FmwaLS_nCVjJ@M%ux>8zbBaqiyQRTL1uDi%B7UVuqy4!qQtgcbq
z@CzidKCsi5V~#htwt*UD6xbZW_3^4ct@y;6?v)=irKdlyQkS;EDSCD)kI`}Vk>{kt
z!lkH(XjRP+pZ~7B{Ao&xkOA2FG~8cn`}4?Ad3E&|+pyQrN9n;_#c5{6mj=R*o0oSj
z-a-#B&Yr&N%1YQowg6{&f)Vb1NJt0_Uo~m-<@d`M9h8VCkf;^AZ09Mjs`ADbK$4;l
z4jdP#$)Zg;`1tv~U>*hQ=>Z(&6wc3LrXtOoh~vcySshTh3vIz)4i0nbUJ_Q_4tgkB
zX83Oq5xRN$_{c%F`5ecA68oxiUgyts9kzoA+8Yj^Q|He=p)^P&r9MY|nUl}E(9bul
zY?ao^a=)vn@C1!+Y>UazFi#4jqKBU!H@&)rDh%*5mN*9m}cUj9fIi`~XWUbPA4JNK|Ql<1RoU@_-k6(QM
zBNV!HnWT~Pzn1?`Xp^d{VhZkAug$ut+mvscDaQ8KUxy+cg_hy3g=+m|x%BV9U-Sw*
z?!SMVL@8DCzZ~!VkLc(B?wkCdnxI$zBUWOO`ERh)|Kl%t<0Wv9=UAf6QCV5Or>c6|nlU~lt7bPqR+48J?fjXQLqQBeS-+oy+T*XLG@|2gz-cxhvqmy-K7
zz1kP3hi8qK+nr^sRKr6_Du9;oEgT6!RWJo+!|*AKjoAg4fJeym*WEQh8id@0j`}fm
zoTugv%
z1{eOfqxwuqQ2Z51bx<>fGsmYEx(iLf4!ba?)?^9pTc)VbCH%t`fqnx+4<$Hm41JAP
zkVV&?)iQmzs~Mmf^W+H0XQq`-b)PDm)UpC?x|B9q0Xy70y-ol
zZ5|!h1fISFEf)Lj4yK;g+|2v;fdL#v#^*M4)7!T*sjh+N_C4)(IPRZK(S;uMvuC;S
z1`c>Ud9n>Nzk<5DdMxurB!}XDRTJAh;XPjr%)PfRL@
zP`Tcfm3g4T%ffgIDghGhu8>S0R;&I(wO)UB5P4>}NrH;WvuB*{rVg5oLuW>t`X`lr
zGG4BLRK_DHh@TYqnZ}Lyw0$YR}ff#KT#qQ3{$tkzVfIwRoJ5&!)WeQ~7c)vF%T3)?60w+W0
z7@41;FL{S1XxsnM-gU<{eXjdZ=|pI0wTObW)K*1^WebS5N=2cF$SNbCMJOu_CB~=$
zt>*woDQ*xVqD5u^m0=`IivVdsXC+M
zsefThrc+X~5vZJUJtDRfqEFb#ykkt_Ro%oA0}pr1a7gK}CRyp1gHbcVW1lBK=xU?N
z=KRg^!L@orMIC!;RqZctuvXp9sY&5(1(0_RWzq>TB-oMV96FJt_6XlxC541hqY|6L
z=TGKrzQHp9qA?g?nr41zOqsjomk{FE;lH)d9lh`60S?@AB#(^I4X(CUOI)w|=FRc`
zW*Mc*601|ye`SN*O-Rww)U-p(<=jsAx&3?q&_r+5A2ZaS3lM~053krPRsrHntny1g
z#2#BvsUiGgOz^(gT--#3(%A?J2#viu*k{n8F`XQ?Fz<^-jz0>_-1oQ&=<-IFhw(69
zudd%^_N^V7Os=RI7dCg5VZe&eL}W->#$xMOSEy71zzz#YSXOcAL-RlV^wW?q%e6o_
zU;vGirKKT;3SOTF^an=~OOhcX^5-GJKD0*x^LQ+()U6oXVgn!tNXhJW85~DDpD`!G
ztQk@ohrBI=TX<3deye!rggEn%TgF5{g~EHG#lso0N{ixR3M6~5!Hf`
zP?HgJ2WN~HkMRj6v$wE(goFzvb4WG?NgaOiBU}*oZzp{tXd<(T)7U(^QyWi@WJ@062k?FJ`{83(DU84&7)eA
zEPN3SXdZ5>LBN22amM^fQdFDze{GJsdq0!1PizeUlK5e%{WdQPz_kyEiw#&qzSsSL
zKZMT!W2w(ti}(~ceC${!fr%WBjiy^oCuba8t*F?WcMZC|rU}Y*W%1*vLn+Et-jUB0
zbl*C`Fb%iQms_6L+S=;dfT@o-7$U}z&*EF;&hT0AYbd!_NH2ltZDg8+l;#b2UEZEM
zdv%f(y#%cGH%sIwp)kN};K@l{5xSp%Ap)Wo^H^Mw`cY(Bcs?C3-sm
zj-Qdz3NTa|nB?1E6SCjf0vngJ?|#CBZgKl_qYWD@nKGuhx@hqvir2cA_OFi`fBG^
zU&&t>SxRX(P$OFyRvNdVbhW=GNpXW`BGUja`;50_xukN4_Tz_2s1$Bl+RoJe%+K!T
z3?4$2qSlbj1gb&WN%XIEDJu}CQn(3AGoqaf4klA;FqMn;cKOBg?Ax$PfZB~|m@$qc
zv9EO+KQ=8MXU<;vvy72eK7V8M;0)PmCEkjkrsj(F_E<0Y5mMfz3^}i^N%Qb(Y6w3v
z^7R*#A6h*6HPhgex&nnTuK5aMrwHqlZbzZ8iuiz@L8x2;RlI=xJC`yt@NSkm|1@>Np0hw<;r#U&rtwbH9
z(#3Me1D8@#-~o;yDzJgRj(0h#Vn4Cm0B(TtBp)0}1?)ywQeno_VG>Juhf=fdtXHFU
z?x4^1&CEu9ig$%}$g)Q6d#~(U!chu~gv
z`rCS6%AGi74Sa*RsHSNsnu?Xm;+WYN6rm*}9WT0BNF$aj
zp2rn*-zT*iOBaaMh_Me#L$z>qfL2pu5oGpE9=rr~1ICi>Pgkg@WM*}AS%;2&A{hmA
zGJ}?iXj%_qK{t&Lv3#S}49%!VU7auIeQfK(Or3m!xs=yX@ax#iV$^}+n7G;2uw1*#
zXQu+)0PAoY#HhME`)U)8O+Rp1-}4x9Y!*s>UfCnmtTkF%R;%IARa7kRI0o5>wrvZ_
zNZa>bdGgoBauesiH)O*PXgrsDUqk`~!d{iDJ;Q2tq2M`TeiRi&F5BE$;^pXF&%qz}
z5FD%+N_!y`tpFxkif`m*+%3BZY#^@`!Tm+qo8xUN2f5drdpmoh4Su&NOECZ>$7sM|
z6(Xv@dE>1VNhvSC#!L2fXH$eOx32A6Z7`+iLm3QTWY;LG|3<{p?n<=Z-Sbn1ETlSq
zw}=Ie;q?+=U6#BL%ItC2>~nzH1J(-urMVkm0D-fQBRT9se7uG_bK#T`q&td=END;G
z;7!34c@q){h1m1B(l`q5zn^aNE)UNeGlwKbp`aLjRey@ANZ#%S8W15$a2wL?BahUn
ze#=;|>(CnJ80}}TR14fK*tl-~$0umWoGCA`5a)48qK@b3kteO0lgGBR4K6CvPoWQSmr8)YlzBLz?$_xu=;
z#l(Zyz(VG$<2bGS+U9@Z=NH1BdQPu+iUyJ^xn!TV;?VCU3-8
zMugX-(JG;l!U?4*%ZG1KriRs&s$qVZ#~pqdx^V9Xd`!MfcLHNih7hW+fzEg+x;)lIuQI<}srLuRbXlch*T4?e1?
zVa(o3sqwl98rF`3z23erJS#G!fm^dlDnr(iO;b-dk+zTsAgn4YDpm?olo#vySGw)*
zSf{&MtK{$M8ibq`c55Vc;!Jwu;?twFj>Vjs0@0K`10J{y`*Gl=lb_C4B+lc^t%RBX=I+s_dU{
zpl?mtBbMo>d6q^An5kFNf85Ob03UsKL;G15J62IvxU*Mvdzkdhx!KT5zt7i1PHhyY
z4I|I!9DD-;tVa-I?g^iPvhX5^hC%8BVpFo(Djm)Za4O|B{-hiC*x<-%_Pk?>%YzQV
zG0)4RI}n^~o&T9Tcq}n=PInAO0avxmy8+ujY%>C{_PSCB&mH9Huv|XqSH~7nfj%t@e#VnctC;1ph%1PRd@-GUjN-%9l
zE;9XyMS4%gpTep*ZEFPJ3b0c3$
zeyP2iY>X1p8Pi~k%E6ADipqcEk$;RlE
z#$JGMCB6BndtC9x5wFEZ8E0?3>PbQQs_6YRWPh#*m;0zdYS4AsBv>{7^Cs=2xm&vu
zChWFg3~l%rjGq+<(_+D-D?en{^jI7|Sgef|u-Nw^-&9ooZ|;u)}|!Tb^dOG#CgcFVIObI#Es
zoj5jy!?<`IsTdmVKs!=vAO{!4oF(#rkSd}i&1v&*e?2_xKMAsYNQh^-$<@)#?Hb8S
zx{-;z+WLX1CdOQsU1F6$a0yWqF<)tDSUB#`-~g_O$;RjuK7&6}HTJ}L3*a>v4F=(M
zrM6(L>Brkci=hJ3K+a%nMM)7}zjiHgaSCfF1JOU_q1TYJdal-H2KQ@3gV=%TPZKFg
zkCyni>G1MnN2q^J0H#bk<{wA}2$kkEdBUqfQq>?_rliD0LQ8$q6J(LF;Sb*oSGq300E>O;9DkZ99b#y18{eJGS76(iT4=cu4GK>#Sc*
zx&0M^*jG?OCO^S|L%cPj9DqZ1INXc@^fZkqs7;^{$c}Cm>JUate(e)r8%q;%AqpV5
zUqsT3;UtAq3RO=;!U3t=0Yw`a50S9pM3!`ipAdjs52@N|ZEbjy1Y2M~UuN%be5y}`EQ2*nP>^HAm<)7)x
zSzkjXJXzR1w_7PM^Ht^#cYdR@H|a{RdOb^G&qLo8CHECP6eo`9FV6S`EDB6DlY1@jRtWZ+-+uB5vQEK5
z4lX0SH=t22v40dM0KyD9a&lNAQ_0^%wHgr7s;IYLgt&~OZ=mg8Q3Uj
zo-fshsUkw=V`+|en4&$+i90k~oW6zR==BDIdhu0Rli}B~&w&yIgnRcX#_~i0cLJZ)
zuW@n2`7K!13AEV;s%K~Zix)v6T1Ni+6n@Ueu4NRxB+`*pXQax%?6hg2?4zCCPkZYG
z1~r8xp_jK3e?(I#=ka_?9$P!9yYDnQ+)22v?zt*J&*~zk1$kZCjwi>csYG*1i^rC<
zL-%FD0S4WYr5pn;M(BEkC^W&k!euY(!TnFf9JjB6DoY0{av5vkhI)#iW)Alx2Mzda
z2I78AI#Y0X$=2RjV;02nhg-GB5#a(c6!TT$O98OjCc^H%qN7vd-WW+8d!
znq|sh|JV!2#F8XnAc||S51AYfdY?kBJRRSc#RUK!;AAf{C2B7%5%MbrRlYyu>0YD-
z=%GLmW$fi(O80()$Qgw*-lyP=auk8zfuniFTjs=6fChu1!Fhx9RQK}=$R(%&6m$P|
zU2?Y|_L~i(almMKK~kMl?D6l>iH^*w>igOyMEspn|Fzy;i}gFU$?kFaH>Q`J6?5oc
zdFC);T>d5YB8P)y4I>C1)iEY1q7Z=<_x$DVQ^*iV`FshFL-F}~f4Iai;Fl8i7*@gRuEsCK!eCdp(4z*zd*$YAO$sG#EuQ!o
zQV7WpOhg}WudY*92YoR{v=;~Vm~KKaS2fa9&CJ3TR5eQHCvQDkhTpDtgs|^vYYFT_
zG+HI@SWo^-MZ_r0qVUtEgTEv!y)L2j%g$6o;1BzP*^b7G017Oj(@#db
zvw2nyzoZHfBjp>@0YpV3+2A2`H8-KO8H3mP5hQ^YJ&)vqmQorWJBR|6Zv5G2C%%`V
zT=|)YeBi~uKCLL_{ktCE|A?wz{ElV+QTG3@FZoC8%YQ&g@z=Bb>skJ<
Date: Thu, 24 Feb 2022 17:04:30 +0100
Subject: [PATCH 0312/1450] Support multiline comments in
 ProducerOption.setComment().

---
 .../encryption_signing/EncryptionStream.java      |  7 ++++++-
 .../test/java/org/pgpainless/example/Encrypt.java | 15 +++++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 37b7288e..d3f0cd54 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -76,7 +76,12 @@ public final class EncryptionStream extends OutputStream {
         LOGGER.debug("Wrap encryption output in ASCII armor");
         armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream);
         if (options.hasComment()) {
-        	ArmorUtils.addCommentHeader(armorOutputStream, options.getComment());
+            String[] commentLines = options.getComment().split("\n");
+            for (String commentLine : commentLines) {
+            	if (!commentLine.trim().isEmpty()) {
+            		ArmorUtils.addCommentHeader(armorOutputStream, commentLine);
+            	}
+            }
         }
         outermostStream = armorOutputStream;
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
index 3a3888a1..385198e9 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
@@ -133,8 +133,7 @@ public class Encrypt {
     /**
      * In this example, Alice is sending a signed and encrypted message to Bob.
      * She encrypts the message to both bobs certificate and her own.
-     * A comment header with the text "This comment was added using options." is added
-     * using the fluent ProducerOption syntax.
+     * A multiline comment header is added using the fluent ProducerOption syntax.
      *
      * Bob subsequently decrypts the message using his key.
      */
@@ -152,7 +151,13 @@ public class Encrypt {
 
         // plaintext message to encrypt
         String message = "Hello, World!\n";
-        String comment = "This comment was added using options.";
+        String[] comments = {
+        		"This comment was added using options.",
+        		"And it has three lines.",
+        		" ",
+        		"Empty lines are skipped."
+        };
+        String comment = comments[0] + "\n" + comments[1] + "\n" + comments[2] + "\n" + comments[3];
         ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
         // Encrypt and sign
         EncryptionStream encryptor = PGPainless.encryptAndOrSign()
@@ -172,7 +177,9 @@ public class Encrypt {
         String encryptedMessage = ciphertext.toString();
 
         // check that comment header was added after "BEGIN PGP" and "Version:"
-        assertEquals(encryptedMessage.split("\n")[2].trim(), "Comment: " + comment);
+        assertEquals(encryptedMessage.split("\n")[2].trim(), "Comment: " + comments[0]);
+        assertEquals(encryptedMessage.split("\n")[3].trim(), "Comment: " + comments[1]);
+        assertEquals(encryptedMessage.split("\n")[4].trim(), "Comment: " + comments[3]);
 
         // also test, that decryption still works...
 

From a1deb531a496ec694b8e105aa5c5bf427ba00f10 Mon Sep 17 00:00:00 2001
From: feri 
Date: Thu, 24 Feb 2022 17:20:57 +0100
Subject: [PATCH 0313/1450] trim comment lines.

---
 .../org/pgpainless/encryption_signing/EncryptionStream.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index d3f0cd54..27b8958a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -79,7 +79,7 @@ public final class EncryptionStream extends OutputStream {
             String[] commentLines = options.getComment().split("\n");
             for (String commentLine : commentLines) {
             	if (!commentLine.trim().isEmpty()) {
-            		ArmorUtils.addCommentHeader(armorOutputStream, commentLine);
+            		ArmorUtils.addCommentHeader(armorOutputStream, commentLine.trim());
             	}
             }
         }

From a681a27bb71bc510a5c61a1c674225164b8f5ed3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Feb 2022 15:56:56 +0100
Subject: [PATCH 0314/1450] Add logo svg

---
 assets/pgpainless.svg | 110 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 assets/pgpainless.svg

diff --git a/assets/pgpainless.svg b/assets/pgpainless.svg
new file mode 100644
index 00000000..47588bd8
--- /dev/null
+++ b/assets/pgpainless.svg
@@ -0,0 +1,110 @@
+
+
+  
+    
+      
+        image/svg+xml
+        
+        
+      
+    
+  
+  
+  
+    
+  
+  
+    
+    
+  
+  
+  
+    
+      
+    
+    
+      
+      
+        
+        
+        
+        
+      
+    
+  
+

From 69c0a1bfa43c8ffe6ad6fa051811ff7b4963fa99 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Feb 2022 16:06:01 +0100
Subject: [PATCH 0315/1450] PGPainless 1.1.1

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 2 +-
 version.gradle           | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e6cdda9..a91a90c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.1-SNAPSHOT
+## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)
 - Simplify consumption of cleartext-signed data
 - Change default criticality of signature subpackets
diff --git a/README.md b/README.md
index 872d1549..4dc5d2f2 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.0'
+	implementation 'org.pgpainless:pgpainless-core:1.1.1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index c20b58c4..f7f3856d 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.0.2"
+    implementation "org.pgpainless:pgpainless-sop:1.1.1"
     ...
 }
 
diff --git a/version.gradle b/version.gradle
index e88ae14d..0e0f97a3 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.1.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 37be70e0f36ba080b04fcc2cb4a15eaeda01d5f2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Feb 2022 16:11:00 +0100
Subject: [PATCH 0316/1450] PGPainless-1.1.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 0e0f97a3..03d66410 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.1'
-        isSnapshot = false
+        shortVersion = '1.1.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From d876f770a61ee1d1c6a590b55e69b61bf3f9a025 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Feb 2022 16:12:56 +0100
Subject: [PATCH 0317/1450] Bump version in sop readme

---
 pgpainless-sop/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index f7f3856d..00196f93 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.0.2
+        1.1.1
     
     ...
 
@@ -75,4 +75,4 @@ byte[] decrypted = messageAndVerifications.getBytes();
 // Signature Verifications
 DecryptionResult messageInfo = messageAndVerifications.getResult();
 List signatureVerifications = messageInfo.getVerifications();
-```
\ No newline at end of file
+```

From 1088b6c8ae0fae7bc20202982bfb6daeb8a9d88e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Feb 2022 16:23:27 +0100
Subject: [PATCH 0318/1450] Add dep5 license info for pgpainless.svg

---
 .reuse/dep5 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.reuse/dep5 b/.reuse/dep5
index 99b0abe2..f820f003 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -19,6 +19,10 @@ Files: assets/repository-open-graph.png
 Copyright: 2021 Paul Schaub 
 License: CC-BY-3.0
 
+Files: assets/pgpainless.svg
+Copyright: 2021 Paul Schaub 
+License: CC-BY-3.0
+
 Files: assets/test_vectors/*
 Copyright: 2018 Paul Schaub 
 License: CC0-1.0

From d55d6a16866e7984fa81a43d6082f1a100bb3018 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 1 Mar 2022 12:14:09 +0100
Subject: [PATCH 0319/1450] Improve RegExs for extracting email addresses from
 keys

Based on https://github.com/pgpainless/pgpainless/pull/257/
Thanks @bratkartoffel for the initial proposed changes
---
 .../org/pgpainless/key/info/KeyRingInfo.java  | 12 +++-
 .../pgpainless/key/info/KeyRingInfoTest.java  | 58 +++++++++++++++++++
 2 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 74b72e61..8b47e2a2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -50,7 +50,8 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
  */
 public class KeyRingInfo {
 
-    private static final Pattern PATTERN_EMAIL = Pattern.compile("[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,6}");
+    private static final Pattern PATTERN_EMAIL_FROM_USERID = Pattern.compile("<([a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+@[a-zA-Z0-9.-]+)>");
+    private static final Pattern PATTERN_EMAIL_EXPLICIT = Pattern.compile("^([a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+@[a-zA-Z0-9.-]+)$");
 
     private final PGPKeyRing keys;
     private final Signatures signatures;
@@ -421,9 +422,14 @@ public class KeyRingInfo {
         List userIds = getUserIds();
         List emails = new ArrayList<>();
         for (String userId : userIds) {
-            Matcher matcher = PATTERN_EMAIL.matcher(userId);
+            Matcher matcher = PATTERN_EMAIL_FROM_USERID.matcher(userId);
             if (matcher.find()) {
-                emails.add(matcher.group());
+                emails.add(matcher.group(1));
+            } else {
+                matcher = PATTERN_EMAIL_EXPLICIT.matcher(userId);
+                if (matcher.find()) {
+                    emails.add(matcher.group(1));
+                }
             }
         }
         return emails;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index 0cb351b7..8bd053f2 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -50,6 +50,7 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnprotectedKeysProtector;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.UserId;
+import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.TestAllImplementations;
 import org.pgpainless.util.Passphrase;
@@ -701,4 +702,61 @@ public class KeyRingInfoTest {
         assertTrue(unboundKeyCreation.after(latestModification));
         assertTrue(unboundKeyCreation.after(latestKeyCreation));
     }
+
+    @Test
+    public void getEmailsTest() throws IOException {
+        String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: B4A8 9FE8 9D59 31E6 BCF7  DC2F 6BA1 2CC7 9A08 8D73\n" +
+                "Comment: Alice Anderson  [Primary Mail Address]\n" +
+                "Comment: Alice A. \n" +
+                "Comment: \n" +
+                "Comment: alice@rfc4880.spec\n" +
+                "Comment: alice anderson@invalid.mail\n" +
+                "Comment: Alice Anderson \n" +
+                "\n" +
+                "lFgEYh39eBYJKwYBBAHaRw8BAQdAegaKui2AnIZ7D4fRozwqEvbHePpU/agSN6Kr\n" +
+                "11uVHKoAAP4xCyRezCJ04di6+NICghNDPqWBJLtk3MI1ndlBLwcgjw9LtDdBbGlj\n" +
+                "ZSBBbmRlcnNvbiA8YWxpY2VAZW1haWwudGxkPiBbUHJpbWFyeSBNYWlsIEFkZHJl\n" +
+                "c3NdiI8EExYKAEEFAmId/XgJEGuhLMeaCI1zFiEEtKif6J1ZMea899wva6Esx5oI\n" +
+                "jXMCngECmwEFFgIDAQAECwkIBwUVCgkICwKZAQAA1MoBALzi4qecj+tnLdQEWbTI\n" +
+                "uHIc6NVoUb7p4B8Jro/ehJ1fAQDjt3+VfLUZ8QaX+TtTDGnWHyEOoJ0VxiIKdMmv\n" +
+                "2dYtCrQfQWxpY2UgQS4gPGFsaWNlQHBncGFpbmxlc3Mub3JnPoiMBBMWCgA+BQJi\n" +
+                "Hf14CRBroSzHmgiNcxYhBLSon+idWTHmvPfcL2uhLMeaCI1zAp4BApsBBRYCAwEA\n" +
+                "BAsJCAcFFQoJCAsAAABCAP9jSCveW6JxpszuxOiGJyQSCDp39lql6BU35UgOb2fJ\n" +
+                "5QD+K00v724rDpqjKphMMr9B8CYXuU+jTDoUHquSCRhJrge0EzxhbGljZUBvcGVu\n" +
+                "cGdwLm9yZz6IjAQTFgoAPgUCYh39eAkQa6Esx5oIjXMWIQS0qJ/onVkx5rz33C9r\n" +
+                "oSzHmgiNcwKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLAAD50AEAv/MkwkK9wojSH+uV\n" +
+                "0Y3Dnm4bZsA5bIWGAgAxmKsh/IMA/11NwGhx+YwRmerO9zVxWcEnnbSQP4Re4ALe\n" +
+                "AZTcx88GtBJhbGljZUByZmM0ODgwLnNwZWOIjAQTFgoAPgUCYh39eAkQa6Esx5oI\n" +
+                "jXMWIQS0qJ/onVkx5rz33C9roSzHmgiNcwKeAQKbAQUWAgMBAAQLCQgHBRUKCQgL\n" +
+                "AAC26wD+NDz1j3PB2v2QAKadzyYgod5IcSGAgzBUwf16edvsWCoBAL3nkb2ahPW/\n" +
+                "vk946LzejWPQToGSrRxmY7VjNutTNRQGtBthbGljZSBhbmRlcnNvbkBpbnZhbGlk\n" +
+                "Lm1haWyIjAQTFgoAPgUCYh39eAkQa6Esx5oIjXMWIQS0qJ/onVkx5rz33C9roSzH\n" +
+                "mgiNcwKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLAAAxIwEAs/rtMrGAXfDO/yssC3B/\n" +
+                "8ZSVoExPi8B5jzJqMVb4kuQBAJVqpSSUNVPwNJsH7EP74iXPCyWn9oy1p4G53BxV\n" +
+                "8eQEtCxBbGljZSBBbmRlcnNvbiA8YWxpY2UgYW5kZXJzb25AaW52YWxpZC5tYWls\n" +
+                "PoiMBBMWCgA+BQJiHf14CRBroSzHmgiNcxYhBLSon+idWTHmvPfcL2uhLMeaCI1z\n" +
+                "Ap4BApsBBRYCAwEABAsJCAcFFQoJCAsAAA2cAP9ygQbt8oQtRc4oPm/LLPDjH89u\n" +
+                "LBMVywN0yBdEWO/ASgEAmgl1kgyMRyf28SjISAWAHiTGs0mRAn9kdwJGU4+27AGc\n" +
+                "XQRiHf14EgorBgEEAZdVAQUBAQdAIvJYcrgjLhPGjJ9YCaPKZcZrgpf93v3zlE/v\n" +
+                "GGUQrT8DAQgHAAD/WWQiuS/2UBFt97J4htg14ICcjoMnOrI4mimeZwYTtoAPrYh1\n" +
+                "BBgWCgAdBQJiHf14Ap4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQa6Esx5oIjXOo\n" +
+                "qQEAlmUF0RIpnqWqWmtKtbbTSYj6+UgV0L5n2RWtlOVdfMIA/34+rQ45pUqelgCc\n" +
+                "yzfUm8wDlJjT9ogVGsvtDnLokv4BnFgEYh39eBYJKwYBBAHaRw8BAQdAnQCPdWgk\n" +
+                "X02oa5RBIRNCAEkdf1FooxlzlDCXBUUMaMoAAP9EhqmoCsUBplDMfnMUtu1g6BLq\n" +
+                "qGIAOtm/HXtQ4UUo2xCFiNUEGBYKAH0FAmId/XgCngECmwIFFgIDAQAECwkIBwUV\n" +
+                "CgkIC18gBBkWCgAGBQJiHf14AAoJEIEZZ8Ab4jMdYsUA/ilgaT94y0hEEkEFF2Dm\n" +
+                "vle6KXtHHPo/G0fkcGras8W9AQDo+IQSzTJylS+AJQfTSTuGUEP8hWPG/1f7SWVo\n" +
+                "z6/eBgAKCRBroSzHmgiNc7A7AQDEGMAPe4guEgkCfZRFRZoWb8ahpKB3y6cYQ7t1\n" +
+                "qDzPRwEAhdVBeryRUcwjgwHX0xmMFK7vLkdonn8BR2++nXBO2g8=\n" +
+                "=ZRAy\n" +
+                "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+
+        List emails = info.getEmailAddresses();
+        assertEquals(emails, Arrays.asList("alice@email.tld", "alice@pgpainless.org", "alice@openpgp.org", "alice@rfc4880.spec"));
+    }
 }

From 63b39c56bda22567688b373b9a1618a8363a9209 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 1 Mar 2022 17:18:20 +0100
Subject: [PATCH 0320/1450] Fix README

---
 pgpainless-core/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/README.md b/pgpainless-core/README.md
index d7b0a036..82afdfb5 100644
--- a/pgpainless-core/README.md
+++ b/pgpainless-core/README.md
@@ -9,7 +9,7 @@ SPDX-License-Identifier: Apache-2.0
 [![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-core/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-core)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
 
-Wrapper around Bouncycastle's OpenPGP implementation.
+Wrapper around Bouncy Castle's OpenPGP implementation.
 
 ## Protection Against Attacks
 

From 35dd4f9a67e14d5869dffe579e489966ede9ccec Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 1 Mar 2022 17:37:24 +0100
Subject: [PATCH 0321/1450] Fix unused import

---
 .../src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index 8bd053f2..8379e0cc 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -50,10 +50,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnprotectedKeysProtector;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.UserId;
-import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.DateUtil;
-import org.pgpainless.util.TestAllImplementations;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.TestAllImplementations;
 
 public class KeyRingInfoTest {
 

From 1949cc5eeae94a99be103e3c25b0e0d788e7af0c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 2 Mar 2022 11:15:07 +0100
Subject: [PATCH 0322/1450] Fix generics of CertificationSubpackets callback

---
 .../signature/subpackets/CertificationSubpackets.java          | 2 +-
 .../builder/ThirdPartyCertificationSignatureBuilderTest.java   | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java
index 59356bba..24614882 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/CertificationSubpackets.java
@@ -6,7 +6,7 @@ package org.pgpainless.signature.subpackets;
 
 public interface CertificationSubpackets extends BaseSignatureSubpackets {
 
-    interface Callback extends SignatureSubpacketCallback {
+    interface Callback extends SignatureSubpacketCallback {
 
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
index 89732991..bfc83df4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
@@ -13,7 +13,6 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.subpackets.BaseSignatureSubpackets;
 import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 
@@ -53,7 +52,7 @@ public class ThirdPartyCertificationSignatureBuilderTest {
 
         signatureBuilder.applyCallback(new CertificationSubpackets.Callback() {
             @Override
-            public void modifyHashedSubpackets(BaseSignatureSubpackets hashedSubpackets) {
+            public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
                 hashedSubpackets.setExportable(true, false);
             }
         });

From 2e6ae5c117cc00e854846768bee155ad3031b00d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 1 Mar 2022 12:26:29 +0100
Subject: [PATCH 0323/1450] Update README

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a91a90c8..0e200863 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.1.2-SNAPSHOT
+- Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
+
 ## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)
 - Simplify consumption of cleartext-signed data

From 54b443f18302e239ac99358213e905767c0d3cb2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 2 Mar 2022 11:36:55 +0100
Subject: [PATCH 0324/1450] Document generics fix in CHANGELOG

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e200863..3cf07aa2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.1.2-SNAPSHOT
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
+- Fix generic type of `CertificationSubpackets.Callback`5
 
 ## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)

From afad3fc7470faa0796ddc23ba17536ba5c1fd44e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Mar 2022 14:35:52 +0100
Subject: [PATCH 0325/1450] Fix changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cf07aa2..8c8cbdca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.1.2-SNAPSHOT
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
-- Fix generic type of `CertificationSubpackets.Callback`5
+- Fix generic type of `CertificationSubpackets.Callback`
 
 ## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)

From 5b9e72d42c761de781852232c3921c0c1cac63bf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Mar 2022 14:58:36 +0100
Subject: [PATCH 0326/1450] Add KeyRingInfo.isUsableForEncryption()

---
 .../org/pgpainless/key/info/KeyRingInfo.java  |  19 ++++
 .../pgpainless/key/info/KeyRingInfoTest.java  | 100 +++++++++++++++++-
 2 files changed, 118 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 8b47e2a2..a1818902 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -1009,6 +1009,25 @@ public class KeyRingInfo {
         return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
     }
 
+    /**
+     * Returns true, if the certificate has at least one usable encryption subkey.
+     *
+     * @return true if usable for encryption
+     */
+    public boolean isUsableForEncryption() {
+        return isUsableForEncryption(EncryptionPurpose.ANY);
+    }
+
+    /**
+     * Returns true, if the certificate has at least one usable encryption subkey for the given purpose.
+     *
+     * @param purpose purpose of encryption
+     * @return true if usable for encryption
+     */
+    public boolean isUsableForEncryption(@Nonnull EncryptionPurpose purpose) {
+        return !getEncryptionSubkeys(purpose).isEmpty();
+    }
+
     private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) {
         if (getPublicKey(keyID) == null) {
             throw new NoSuchElementException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index 8379e0cc..bfececee 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -218,7 +218,7 @@ public class KeyRingInfoTest {
 
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(
-                KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                        KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
                 .addSubkey(KeySpec.getBuilder(
                         KeyType.ECDH(EllipticCurve._BRAINPOOLP384R1),
                         KeyFlag.ENCRYPT_STORAGE))
@@ -758,4 +758,102 @@ public class KeyRingInfoTest {
         List emails = info.getEmailAddresses();
         assertEquals(emails, Arrays.asList("alice@email.tld", "alice@pgpainless.org", "alice@openpgp.org", "alice@rfc4880.spec"));
     }
+
+    @Test
+    public void isUsableForEncryptionTest_base() throws IOException {
+        String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: 9B6A C43E A67C 11BB C023  4CC3 69D5 9A7C 29C0 F858\n" +
+                "Comment: Usable \n" +
+                "\n" +
+                "mDMEYiS54BYJKwYBBAHaRw8BAQdAr0FXsDQtIpF54UwfjQb+8XJ3jxt3LkpCh0e7\n" +
+                "lH59Vzy0HlVzYWJsZSA8dXNhYmxlQHBncGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJi\n" +
+                "JLngCRBp1Zp8KcD4WBYhBJtqxD6mfBG7wCNMw2nVmnwpwPhYAp4BApsBBRYCAwEA\n" +
+                "BAsJCAcFFQoJCAsCmQEAACuNAQDX+7/ffM2B9qaW+F9MkeUJeq9u8MLk+BcaotQZ\n" +
+                "/c+8pQD/RhaVmKTLjm+RmpG2O1lrkta4L5CQQBXYdNMnebhlLAu4OARiJLngEgor\n" +
+                "BgEEAZdVAQUBAQdA8Et257jQXR0oJOimAWU9Z5Erq5OcfguBI28ixgw5z2IDAQgH\n" +
+                "iHUEGBYKAB0FAmIkueACngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRBp1Zp8KcD4\n" +
+                "WDQYAQDtJG06gAiFk7D1EqdtoTgBeIXi6pdKJ8VQA17/Sel1PgEAjO7Gy+RishFG\n" +
+                "eT0WwimGAGWOFgyIB8GCmuk1sEN+9wO4MwRiJLngFgkrBgEEAdpHDwEBB0BNGWZx\n" +
+                "IiCzs6Acu/e7Di9E+uUZmEA7geObWgwPleedLYjVBBgWCgB9BQJiJLngAp4BApsC\n" +
+                "BRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCYiS54AAKCRBsyz3UPPzzw6bTAQCZ\n" +
+                "4NnXfhuyw2itPKNnVSvPl72GgHzfVb2MZi2QBPFJyQD+K7Xl6qNcaI9VyMos8zSy\n" +
+                "VT74iE7Sraqu2Fck27y1wgMACgkQadWafCnA+FjLFwEAxb/GFdAoUgmY6DGIbatO\n" +
+                "LOIorswrgSQVZ8B1yLh1gxcA/2K3XO1Tl68O961SW60CijoBY/16EFC+mkQIzxTT\n" +
+                "J5wP\n" +
+                "=nFoO\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----";
+
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(CERT);
+        KeyRingInfo info = PGPainless.inspectKeyRing(cert);
+        assertTrue(info.isUsableForEncryption());
+    }
+
+    @Test
+    public void isUsableForEncryptionTest_commsOnly() throws IOException {
+        String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: B2EE 493D 1DAC 943A 1CBD  B151 5F15 42D1 ACB7 D26F\n" +
+                "Comment: Comms Only \n" +
+                "\n" +
+                "mG8EYiS7mhMFK4EEACIDAwTENCF226L9l1i24ZpHuTK9P9kEc7neMZ1cQbJFSX9p\n" +
+                "ZP89dp4dnjZcAop5jzdvqjU98BgX9STZB6q2qYEG46luZoanDA0dpwzm0TENAvcr\n" +
+                "KoeIMqjv6dkKs5k11qtFx/K0JkNvbW1zIE9ubHkgPGNvbW1zLW9ubHlAcGdwYWlu\n" +
+                "bGVzcy5vcmc+iK8EExMKAEEFAmIku5sJEF8VQtGst9JvFiEEsu5JPR2slDocvbFR\n" +
+                "XxVC0ay30m8CngECmwMFFgIDAQAECwkIBwUVCgkICwKZAQAA3u4BgOl888SnxXys\n" +
+                "Ft/sPRh/hT8n0ObrxDHUgaAR5J7Sc3097u1r3ecCYaY045FYKKb23QGAjGSEEFG1\n" +
+                "TLbM1JMsE5H7xjjjJ5tTM6l45vkkrk3uMhsCL+QLv9pp251ctTF/JSCvuHMEYiS7\n" +
+                "mxIFK4EEACIDAwToE6c42GWSI0zmalisYewWvV/2Sfdo9KKgxfzX3rfldrOWFkN1\n" +
+                "fkLy6b01AUt3RqfwEBIJK6OrSXOlmdCiRV1Oqf20f2MGsDNXAttDApSSDJIHwV24\n" +
+                "3i6qylin0ujQ9KIDAQgHiJUEGBMKAB0FAmIku5sCngECmwQFFgIDAQAECwkIBwUV\n" +
+                "CgkICwAKCRBfFULRrLfSbwoYAYCzcZ29xIRUEHzZvAXWeHselBLdLGztZSBZKd9T\n" +
+                "m045mewePa780jk5o2z5Nt4Bj0EBfRxoiWt/czpy0nWpyfEeTHOx32jHHoTStjIF\n" +
+                "2XO/hpB2T8VXFfFKwj7U9LGkX+ciLg==\n" +
+                "=etPP\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----";
+
+        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(CERT);
+        KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys);
+
+        assertTrue(info.isUsableForEncryption(EncryptionPurpose.COMMUNICATIONS));
+        assertTrue(info.isUsableForEncryption(EncryptionPurpose.ANY));
+
+        assertFalse(info.isUsableForEncryption(EncryptionPurpose.STORAGE));
+    }
+
+    @Test
+    public void isUsableForEncryptionTest_encryptionKeyRevoked() throws IOException {
+        // encryption subkey is revoked
+        String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: CE65 608D 8639 E20C 61BF  077B F010 3226 1C64 5EA7\n" +
+                "Comment: Revoked \n" +
+                "\n" +
+                "mDMEYiS8+hYJKwYBBAHaRw8BAQdATvSKAaY5yvyOdJtZXBEXbyiWSsExOwnP2L35\n" +
+                "AyMPe7u0IFJldm9rZWQgPHJldm9rZWRAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEF\n" +
+                "AmIkvPoJEPAQMiYcZF6nFiEEzmVgjYY54gxhvwd78BAyJhxkXqcCngECmwEFFgID\n" +
+                "AQAECwkIBwUVCgkICwKZAQAAYFQA/02fMgRnneYK17Vsxc8DJEj0pVmTDHIOQH8K\n" +
+                "O8BuTkvhAP9zXtnJ7BsWO3Kg/ajIlaZEzMl6/lK2FTnAzBhs1UtrD7g4BGIkvPoS\n" +
+                "CisGAQQBl1UBBQEBB0AO8Bzm66ydlFhKtesh9EX66k4yyODeO0X3y3JUbrAnFQMB\n" +
+                "CAeIdQQYFgoAHQUCYiS8+gKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEPAQMiYc\n" +
+                "ZF6nTB0BAPjF6pUUrS3wv8CvrIM3S4BCtCOp+oQyPsie72As+47SAP41KfnvzYF3\n" +
+                "Y0WBp94Dqiy1MkvMZ9Q2x8BQt/L1UsoTBIh7BCgWCgAtBQJiJLz8CRDwEDImHGRe\n" +
+                "pxYhBM5lYI2GOeIMYb8He/AQMiYcZF6nAocAAh0DAAABqgD/TJpSDZ5fX3zNHqmN\n" +
+                "4TOuJ1GEkiYpPjBhem2C+U9jHjoBAJxQqzDB2VMiUDfe2+LLVIYa4EwhT2rT12qg\n" +
+                "aJ+TXWAJuDMEYiS8+hYJKwYBBAHaRw8BAQdAR0y6K6GPt4ddNyaRX16duqDFZwQi\n" +
+                "jeflFZ+UGLQ5GgSI1QQYFgoAfQUCYiS8+gKeAQKbAgUWAgMBAAQLCQgHBRUKCQgL\n" +
+                "XyAEGRYKAAYFAmIkvPoACgkQCX8koK2POrbPywEA3mbeGX8vWwnENtiFeMBjXNox\n" +
+                "oHAIuULBsvOdc1xrH0QBALezsulAJoziQ/t+EUrNHgTELDq3F8Y8tmLAJykb/nQB\n" +
+                "AAoJEPAQMiYcZF6n6CAA/0HadYoqOUbMjgu3Tle0HSXiTCJfBrTox5trTOKUsQ8z\n" +
+                "AQCjeV+3VT+u1movwIYv4XkzB6gB+B2C+DK9nvG5sXZhBg==\n" +
+                "=uqmO\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----";
+        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(CERT);
+        KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys);
+
+        assertFalse(info.isUsableForEncryption());
+        assertFalse(info.isUsableForEncryption(EncryptionPurpose.ANY));
+        assertFalse(info.isUsableForEncryption(EncryptionPurpose.COMMUNICATIONS));
+        assertFalse(info.isUsableForEncryption(EncryptionPurpose.STORAGE));
+    }
 }

From 126cc9df70b522e157a02e5dfd0e2630f46badaa Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 10:24:08 +0100
Subject: [PATCH 0327/1450] Make toSecondsPrecision() more readable and improv
 performance

---
 .../main/java/org/pgpainless/util/DateUtil.java    | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
index 8a1b610e..0cec35d9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
@@ -46,21 +46,23 @@ public final class DateUtil {
     }
 
     /**
-     * "Round" a date down to seconds precision.
+     * Floor a date down to seconds precision.
      * @param date date
-     * @return rounded date
+     * @return floored date
      */
     public static Date toSecondsPrecision(Date date) {
-        long seconds = date.getTime() / 1000;
-        return new Date(seconds * 1000);
+        long millis = date.getTime();
+        long seconds = millis / 1000;
+        long floored = seconds * 1000;
+        return new Date(floored);
     }
 
     /**
-     * Return the current date "rounded" to UTC precision.
+     * Return the current date "floored" to UTC precision.
      *
      * @return now
      */
     public static Date now() {
-        return parseUTCDate(formatUTCDate(new Date()));
+        return toSecondsPrecision(new Date());
     }
 }

From a7d1f09b5ce469037cd13916aae9378d3b4c756e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 10:26:24 +0100
Subject: [PATCH 0328/1450] Document SimpleDateFormat not thread-safe

---
 pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
index 0cec35d9..ad1fce09 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
@@ -15,6 +15,7 @@ public final class DateUtil {
 
     }
 
+    // Java's SimpleDateFormat is not thread-safe, therefore we return a new instance on every invocation.
     public static SimpleDateFormat getParser() {
         SimpleDateFormat parser = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
         parser.setTimeZone(TimeZone.getTimeZone("UTC"));

From a6dcf027c02055161cdc05286442252019189f5f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 10:36:20 +0100
Subject: [PATCH 0329/1450] Add and document PGPainless.inspectKeyRing(key,
 date)

---
 .../src/main/java/org/pgpainless/PGPainless.java   | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 57dd29d5..bd353f24 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -116,7 +116,7 @@ public final class PGPainless {
      * This method can be used to determine expiration dates, key flags and other information about a key.
      *
      * To evaluate a key at a given date (e.g. to determine if the key was allowed to create a certain signature)
-     * use {@link KeyRingInfo#KeyRingInfo(PGPKeyRing, Date)} instead.
+     * use {@link #inspectKeyRing(PGPKeyRing, Date)} instead.
      *
      * @param keyRing key ring
      * @return access object
@@ -125,6 +125,18 @@ public final class PGPainless {
         return new KeyRingInfo(keyRing);
     }
 
+    /**
+     * Quickly access information about a {@link org.bouncycastle.openpgp.PGPPublicKeyRing} / {@link PGPSecretKeyRing}.
+     * This method can be used to determine expiration dates, key flags and other information about a key at a specific time.
+     *
+     * @param keyRing key ring
+     * @param inspectionDate date of inspection
+     * @return access object
+     */
+    public static KeyRingInfo inspectKeyRing(PGPKeyRing keyRing, Date inspectionDate) {
+        return new KeyRingInfo(keyRing, inspectionDate);
+    }
+
     /**
      * Access, and make changes to PGPainless policy on acceptable/default algorithms etc.
      *

From 10e72f6773a75a56a6bb9fdaea63b0f0e576e772 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 11:08:59 +0100
Subject: [PATCH 0330/1450] Allow custom key creation dates during generation

---
 .../key/generation/KeyRingBuilder.java        |  4 +-
 .../pgpainless/key/generation/KeySpec.java    | 13 +++++-
 .../key/generation/KeySpecBuilder.java        |  9 +++-
 .../generation/KeySpecBuilderInterface.java   |  4 ++
 ...GenerateKeyWithCustomCreationDateTest.java | 46 +++++++++++++++++++
 5 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
index 537bc255..88ed6ecd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
@@ -305,9 +305,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
         // Create raw Key Pair
         KeyPair keyPair = certKeyGenerator.generateKeyPair();
 
+        Date keyCreationDate = spec.getKeyCreationDate() != null ? spec.getKeyCreationDate() : new Date();
+
         // Form PGP key pair
         PGPKeyPair pgpKeyPair = ImplementationFactory.getInstance()
-                .getPGPKeyPair(type.getAlgorithm(), keyPair, new Date());
+                .getPGPKeyPair(type.getAlgorithm(), keyPair, keyCreationDate);
         return pgpKeyPair;
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
index bd5a5063..63645edd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
@@ -5,6 +5,7 @@
 package org.pgpainless.key.generation;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
 import org.pgpainless.algorithm.KeyFlag;
@@ -12,18 +13,23 @@ import org.pgpainless.key.generation.type.KeyType;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
 
+import java.util.Date;
+
 public class KeySpec {
 
     private final KeyType keyType;
     private final SignatureSubpackets subpacketGenerator;
     private final boolean inheritedSubPackets;
+    private final Date keyCreationDate;
 
     KeySpec(@Nonnull KeyType type,
             @Nonnull SignatureSubpackets subpacketGenerator,
-            boolean inheritedSubPackets) {
+            boolean inheritedSubPackets,
+            @Nullable Date keyCreationDate) {
         this.keyType = type;
         this.subpacketGenerator = subpacketGenerator;
         this.inheritedSubPackets = inheritedSubPackets;
+        this.keyCreationDate = keyCreationDate;
     }
 
     @Nonnull
@@ -45,6 +51,11 @@ public class KeySpec {
         return inheritedSubPackets;
     }
 
+    @Nullable
+    public Date getKeyCreationDate() {
+        return keyCreationDate;
+    }
+
     public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) {
         return new KeySpecBuilder(type, flag, flags);
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
index 07b53383..2d7010d8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
@@ -5,6 +5,7 @@
 package org.pgpainless.key.generation;
 
 import java.util.Arrays;
+import java.util.Date;
 import java.util.LinkedHashSet;
 import java.util.Set;
 import javax.annotation.Nonnull;
@@ -31,6 +32,7 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
     private Set preferredCompressionAlgorithms = algorithmSuite.getCompressionAlgorithms();
     private Set preferredHashAlgorithms = algorithmSuite.getHashAlgorithms();
     private Set preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
+    private Date keyCreationDate;
 
     KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) {
         if (flag == null) {
@@ -66,6 +68,11 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
         return this;
     }
 
+    @Override
+    public KeySpecBuilder setKeyCreationDate(@Nonnull Date creationDate) {
+        this.keyCreationDate = creationDate;
+        return this;
+    }
 
     @Override
     public KeySpec build() {
@@ -75,6 +82,6 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
         this.hashedSubpackets.setPreferredSymmetricKeyAlgorithms(preferredSymmetricAlgorithms);
         this.hashedSubpackets.setFeatures(Feature.MODIFICATION_DETECTION);
 
-        return new KeySpec(type, (SignatureSubpackets) hashedSubpackets, false);
+        return new KeySpec(type, (SignatureSubpackets) hashedSubpackets, false, keyCreationDate);
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java
index cd68e8b4..4a99bc8d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilderInterface.java
@@ -10,6 +10,8 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 
+import java.util.Date;
+
 public interface KeySpecBuilderInterface {
 
     KeySpecBuilder overridePreferredCompressionAlgorithms(@Nonnull CompressionAlgorithm... compressionAlgorithms);
@@ -18,5 +20,7 @@ public interface KeySpecBuilderInterface {
 
     KeySpecBuilder overridePreferredSymmetricKeyAlgorithms(@Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms);
 
+    KeySpecBuilder setKeyCreationDate(@Nonnull Date creationDate);
+
     KeySpec build();
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java
new file mode 100644
index 00000000..e77602dd
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java
@@ -0,0 +1,46 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.generation;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.JUtils;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import org.pgpainless.key.generation.type.xdh.XDHSpec;
+import org.pgpainless.util.DateUtil;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.Iterator;
+
+public class GenerateKeyWithCustomCreationDateTest {
+
+    @Test
+    public void generateKeyWithCustomCreationDateTest()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        Date creationDate = DateUtil.parseUTCDate("2018-06-11 14:12:09 UTC");
+        PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
+                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA)
+                        .setKeyCreationDate(creationDate)) // primary key with custom creation time
+                .addUserId("Alice")
+                .build();
+
+        Iterator iterator = secretKeys.iterator();
+        PGPPublicKey primaryKey = iterator.next().getPublicKey();
+        PGPPublicKey subkey = iterator.next().getPublicKey();
+
+        JUtils.assertDateEquals(creationDate, primaryKey.getCreationTime());
+        // subkey has no creation date override, so it was generated "just now"
+        JUtils.assertDateNotEquals(creationDate, subkey.getCreationTime());
+    }
+}

From c3f5b997ab72bdd01ea9a25ecacebdb892ed7185 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 11:11:04 +0100
Subject: [PATCH 0331/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c8cbdca..cac498d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.1.2-SNAPSHOT
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
 - Fix generic type of `CertificationSubpackets.Callback`
+- Add `KeyRingInfo.isUsableForEncryption()`
+- Add `PGPainless.inspectKeyRing(key, date)`
+- Allow custom key creation dates during key generation
 
 ## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)

From 5d3646cd3626de1125a51106dc5661adfa0291a5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 11:27:21 +0100
Subject: [PATCH 0332/1450] Add missing @throws documentation

---
 .../secretkeyring/SecretKeyRingEditorInterface.java           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
index e999a163..ec579c9e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
@@ -348,7 +348,7 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param revocationAttributes revocation attributes
      * @return builder
-     * @throws PGPException
+     * @throws PGPException if the revocation signatures cannot be generated
      */
     SecretKeyRingEditorInterface revokeUserIds(
             @Nonnull SelectUserId userIdSelector,
@@ -370,7 +370,7 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param subpacketsCallback callback to modify the revocations subpackets
      * @return builder
-     * @throws PGPException
+     * @throws PGPException if the revocation signatures cannot be generated
      */
     SecretKeyRingEditorInterface revokeUserIds(
             @Nonnull SelectUserId userIdSelector,

From 9d160ef0476f7d6a0dc3c6830c26ab7d52e7d5a1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 12:17:45 +0100
Subject: [PATCH 0333/1450] Reject subkeys with predating binding signatures

---
 .../signature/consumer/SignaturePicker.java   |  1 +
 .../consumer/SignatureValidator.java          | 16 +++++++++-
 .../signature/consumer/SignatureVerifier.java |  3 ++
 ...GenerateKeyWithCustomCreationDateTest.java | 31 ++++++++++++++++---
 4 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index ee6dfc89..5ab81099 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -337,6 +337,7 @@ public final class SignaturePicker {
             try {
                 SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
                 SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
+                SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
                 SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature);
                 // if the currently latest signature is not yet expired, check if the next candidate is not yet expired
                 if (latestSubkeyBinding != null && !SignatureUtils.isSignatureExpired(latestSubkeyBinding, validationDate)) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index d0de0d46..a8f1ec5b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -355,6 +355,10 @@ public abstract class SignatureValidator {
         };
     }
 
+    public static SignatureValidator signatureDoesNotPredateSignee(PGPPublicKey signee) {
+        return signatureDoesNotPredateKeyCreation(signee);
+    }
+
     /**
      * Verify that a signature has a hashed creation time subpacket.
      *
@@ -379,6 +383,16 @@ public abstract class SignatureValidator {
      * @return validator
      */
     public static SignatureValidator signatureDoesNotPredateSigningKey(PGPPublicKey key) {
+        return signatureDoesNotPredateKeyCreation(key);
+    }
+
+    /**
+     * Verify that a signature does not predate the creation time of the given key.
+     *
+     * @param key key
+     * @return validator
+     */
+    public static SignatureValidator signatureDoesNotPredateKeyCreation(PGPPublicKey key) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -386,7 +400,7 @@ public abstract class SignatureValidator {
                 Date signatureCreationTime = signature.getCreationTime();
 
                 if (keyCreationTime.after(signatureCreationTime)) {
-                    throw new SignatureValidationException("Signature predates its signing key (key creation: " + keyCreationTime + ", signature creation: " + signatureCreationTime + ")");
+                    throw new SignatureValidationException("Signature predates key (key creation: " + keyCreationTime + ", signature creation: " + signatureCreationTime + ")");
                 }
             }
         };
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
index b0db7c9b..1cfff7db 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
@@ -243,6 +243,7 @@ public final class SignatureVerifier {
             throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
+        SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
         SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
         SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
@@ -265,6 +266,7 @@ public final class SignatureVerifier {
     public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
+        SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
         SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
 
@@ -303,6 +305,7 @@ public final class SignatureVerifier {
             throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
+        SignatureValidator.signatureDoesNotPredateSignee(signedKey).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
         SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java
index e77602dd..d2697b82 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithCustomCreationDateTest.java
@@ -4,6 +4,14 @@
 
 package org.pgpainless.key.generation;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Iterator;
+
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
@@ -13,15 +21,11 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.ecc.EllipticCurve;
 import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
 import org.pgpainless.key.generation.type.xdh.XDHSpec;
 import org.pgpainless.util.DateUtil;
 
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.Iterator;
-
 public class GenerateKeyWithCustomCreationDateTest {
 
     @Test
@@ -43,4 +47,21 @@ public class GenerateKeyWithCustomCreationDateTest {
         // subkey has no creation date override, so it was generated "just now"
         JUtils.assertDateNotEquals(creationDate, subkey.getCreationTime());
     }
+
+    @Test
+    public void generateSubkeyWithFutureKeyCreationDate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        Calendar calendar = Calendar.getInstance();
+        calendar.add(Calendar.YEAR, 20);
+        Date future = calendar.getTime();
+
+        PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
+                .addSubkey(KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._P384), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).setKeyCreationDate(future))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.ECDSA(EllipticCurve._P384), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
+                .addUserId("Captain Future ")
+                .build();
+
+        // Subkey has future key creation date, so its binding will predate the key -> no usable encryption key left
+        assertFalse(PGPainless.inspectKeyRing(secretKeys)
+                .isUsableForEncryption());
+    }
 }

From fc65bb449672fd6558abcb9c6fb54ce75ebfce78 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 14:55:45 +0100
Subject: [PATCH 0334/1450] Raise readable error message when trying to encrypt
 for key without acceptable self-sigs

---
 .../encryption_signing/EncryptionOptions.java  | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index ed748e3e..48107b23 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -11,6 +11,7 @@ import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.Set;
 
 import javax.annotation.Nonnull;
@@ -184,15 +185,24 @@ public class EncryptionOptions {
      * @return this
      */
     public EncryptionOptions addRecipient(PGPPublicKeyRing key, EncryptionKeySelector encryptionKeySelectionStrategy) {
-        KeyRingInfo info = new KeyRingInfo(key, new Date());
-        Date primaryKeyExpiration = info.getPrimaryKeyExpirationDate();
-        if (primaryKeyExpiration != null && primaryKeyExpiration.before(new Date())) {
+        Date evaluationDate = new Date();
+        KeyRingInfo info;
+        info = new KeyRingInfo(key, evaluationDate);
+
+        Date primaryKeyExpiration;
+        try {
+            primaryKeyExpiration = info.getPrimaryKeyExpirationDate();
+        } catch (NoSuchElementException e) {
+            throw new IllegalArgumentException("Provided key " + OpenPgpFingerprint.of(key) + " does not have a valid/acceptable signature carrying a primary key expiration date.");
+        }
+        if (primaryKeyExpiration != null && primaryKeyExpiration.before(evaluationDate)) {
             throw new IllegalArgumentException("Provided key " + OpenPgpFingerprint.of(key) + " is expired: " + primaryKeyExpiration);
         }
+
         List encryptionSubkeys = encryptionKeySelectionStrategy
                 .selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose));
         if (encryptionSubkeys.isEmpty()) {
-            throw new IllegalArgumentException("Key has no suitable encryption subkeys.");
+            throw new IllegalArgumentException("Key " + OpenPgpFingerprint.of(key) + " has no suitable encryption subkeys.");
         }
 
         for (PGPPublicKey encryptionSubkey : encryptionSubkeys) {

From f1f7dec8b6b5cae50c8ffea596418e241fe709ab Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 14:56:37 +0100
Subject: [PATCH 0335/1450] Fix accidental verification of thirdparty user-id
 revocations using primary key

---
 .../org/pgpainless/signature/consumer/SignaturePicker.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index 5ab81099..be0c87b7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -169,6 +169,11 @@ public final class SignaturePicker {
 
         PGPSignature latestUserIdRevocation = null;
         for (PGPSignature signature : signatures) {
+            PGPPublicKey signer = keyRing.getPublicKey(signature.getKeyID());
+            if (signer == null) {
+                // Signature made by external key. Skip.
+                continue;
+            }
             try {
                 SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
             } catch (SignatureValidationException e) {

From 3fe78ab12a05a2474b4e4aaba60aef5e4bd56b18 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 14:56:56 +0100
Subject: [PATCH 0336/1450] Fix NPE when validating broken signature

---
 .../signature/subpackets/SignatureSubpacketsUtil.java         | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 396311c6..17add09a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -575,6 +575,10 @@ public final class SignatureSubpacketsUtil {
      * @return last occurrence of the subpacket in the vector
      */
     public static 
 P getSignatureSubpacket(PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
+        if (vector == null) {
+            // Almost never happens, but may be caused by broken signatures.
+            return null;
+        }
         org.bouncycastle.bcpg.SignatureSubpacket[] allPackets = vector.getSubpackets(type.getCode());
         if (allPackets.length == 0) {
             return null;

From db02106518c1ad586b89e9fa84fb002b676420f1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 14:57:00 +0100
Subject: [PATCH 0337/1450] Fix typo

---
 .../signature/subpackets/SignatureSubpacketsUtil.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 17add09a..bbf8972b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -567,7 +567,7 @@ public final class SignatureSubpacketsUtil {
     }
 
     /**
-     * Return the last occurence of a subpacket type in the given signature subpacket vector.
+     * Return the last occurrence of a subpacket type in the given signature subpacket vector.
      *
      * @param vector subpacket vector (hashed/unhashed)
      * @param type subpacket type

From 8563cf0969a7afe729f691dc4bd011c62a9896c7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 15:00:33 +0100
Subject: [PATCH 0338/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cac498d7..8f23ab77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ SPDX-License-Identifier: CC0-1.0
 - Add `KeyRingInfo.isUsableForEncryption()`
 - Add `PGPainless.inspectKeyRing(key, date)`
 - Allow custom key creation dates during key generation
+- Reject subkeys with bindings that predate key generation
+- `EncryptionOptions.addRecipient()`: Transform `NoSuchElementException` into `IllegalArgumentException` with proper error message
+- Fix `ClassCastException` by preventing accidental verification of 3rd-party-issued user-id revocation with primary key.
+- Fix `NullPointerException` when trying to verify malformed signature
 
 ## 1.1.1
 - Add `producerOptions.setComment(string)` to allow adding ASCII armor comments when creating OpenPGP messages (thanks @ferenc-hechler)

From 95aed9bf2222d89503887a3d321d1b0993ba87d4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 15:02:24 +0100
Subject: [PATCH 0339/1450] PGPainless 1.1.2

---
 CHANGELOG.md   | 2 +-
 README.md      | 2 +-
 version.gradle | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f23ab77..2f39e50c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.2-SNAPSHOT
+## 1.1.2
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
 - Fix generic type of `CertificationSubpackets.Callback`
 - Add `KeyRingInfo.isUsableForEncryption()`
diff --git a/README.md b/README.md
index 4dc5d2f2..29454fd0 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.1'
+	implementation 'org.pgpainless:pgpainless-core:1.1.2'
 }
 ```
 
diff --git a/version.gradle b/version.gradle
index 03d66410..3bf96de1 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.1.2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 5b43cfaf8c49c6b1f12acc5d34eb10d6105d2345 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Mar 2022 15:05:02 +0100
Subject: [PATCH 0340/1450] PGPainless-1.1.3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 3bf96de1..34931747 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.2'
-        isSnapshot = false
+        shortVersion = '1.1.3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From b34866b012d45eca06ea1b81da275a51ea8999f6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Mar 2022 21:03:31 +0100
Subject: [PATCH 0341/1450] Make SigningOptions.getSigningMethods package
 visible

---
 .../java/org/pgpainless/encryption_signing/SigningOptions.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 45b9f521..ab3898dc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -385,7 +385,7 @@ public final class SigningOptions {
      *
      * @return signing methods
      */
-    public Map getSigningMethods() {
+    Map getSigningMethods() {
         return Collections.unmodifiableMap(signingMethods);
     }
 

From 26d79679f0be855b54ad644eeb88d926cd86afba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Mar 2022 21:05:00 +0100
Subject: [PATCH 0342/1450] Fix crash when validating unmatched signer's
 user-id subpacket

TODO: We might want to deprecate Signer's UserID subpackets completely and ignore them.
See results of sequoias test suite once PR below gets merged.
https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/merge_requests/28
---
 .../signature/consumer/CertificateValidator.java          | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 7080e368..93d12fc5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -144,7 +144,13 @@ public final class CertificateValidator {
         // Specific signer user-id
         SignerUserID signerUserID = SignatureSubpacketsUtil.getSignerUserID(signature);
         if (signerUserID != null) {
-            PGPSignature userIdSig = userIdSignatures.get(signerUserID.getID()).get(0);
+            List signerUserIdSigs = userIdSignatures.get(signerUserID.getID());
+            if (signerUserIdSigs == null || signerUserIdSigs.isEmpty()) {
+                throw new SignatureValidationException("Signature was allegedly made by user-id '" + signerUserID.getID() +
+                        "' but we have no valid signatures for that on the certificate.");
+            }
+
+            PGPSignature userIdSig = signerUserIdSigs.get(0);
             if (userIdSig.getSignatureType() == SignatureType.CERTIFICATION_REVOCATION.getCode()) {
                 throw new SignatureValidationException("Signature was made with user-id '" + signerUserID.getID() + "' which is revoked.");
             }

From 0824bbd37c31cd9b7af8413fc84d548f01205fa0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Mar 2022 21:05:17 +0100
Subject: [PATCH 0343/1450] Add investigative test for signers user-ids

---
 .../investigations/WrongSignerUserIdTest.java | 144 ++++++++++++++++++
 1 file changed, 144 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java

diff --git a/pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java b/pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java
new file mode 100644
index 00000000..ccccdb2d
--- /dev/null
+++ b/pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java
@@ -0,0 +1,144 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package investigations;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+import java.util.Iterator;
+
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.bcpg.CompressionAlgorithmTags;
+import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
+import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
+import org.bouncycastle.util.io.Streams;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.exception.SignatureValidationException;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+
+public class WrongSignerUserIdTest {
+
+    private static final String CERT = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "   Comment: Alice's OpenPGP Transferable Secret Key\n" +
+            "   Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html\n" +
+            "\n" +
+            "   lFgEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U\n" +
+            "   b7O1u10AAP9XBeW6lzGOLx7zHH9AsUDUTb2pggYGMzd0P3ulJ2AfvQ4RtCZBbGlj\n" +
+            "   ZSBMb3ZlbGFjZSA8YWxpY2VAb3BlbnBncC5leGFtcGxlPoiQBBMWCAA4AhsDBQsJ\n" +
+            "   CAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE64W7X6M6deFelE5j8jFVDE9H444FAl2l\n" +
+            "   nzoACgkQ8jFVDE9H447pKwD6A5xwUqIDprBzrHfahrImaYEZzncqb25vkLV2arYf\n" +
+            "   a78A/R3AwtLQvjxwLDuzk4dUtUwvUYibL2sAHwj2kGaHnfICnF0EXEcE6RIKKwYB\n" +
+            "   BAGXVQEFAQEHQEL/BiGtq0k84Km1wqQw2DIikVYrQrMttN8d7BPfnr4iAwEIBwAA\n" +
+            "   /3/xFPG6U17rhTuq+07gmEvaFYKfxRB6sgAYiW6TMTpQEK6IeAQYFggAIBYhBOuF\n" +
+            "   u1+jOnXhXpROY/IxVQxPR+OOBQJcRwTpAhsMAAoJEPIxVQxPR+OOWdABAMUdSzpM\n" +
+            "   hzGs1O0RkWNQWbUzQ8nUOeD9wNbjE3zR+yfRAQDbYqvtWQKN4AQLTxVJN5X5AWyb\n" +
+            "   Pnn+We1aTBhaGa86AQ==\n" +
+            "   =n8OM\n" +
+            "   -----END PGP PRIVATE KEY BLOCK-----";
+    private static final String USER_ID = "Alice Lovelace ";
+
+    public static void main(String[] args) throws Exception {
+        WrongSignerUserIdTest test = new WrongSignerUserIdTest();
+        test.execute();
+    }
+
+    public void execute() throws PGPException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(CERT);
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        assertEquals(USER_ID, certificate.getPublicKey().getUserIDs().next());
+
+        Iterator keys = secretKeys.getSecretKeys();
+        PGPSecretKey signingKey = keys.next();
+        PGPSecretKey encryptionKey = keys.next();
+
+        PGPPrivateKey signingPrivKey = UnlockSecretKey.unlockSecretKey(signingKey, Passphrase.emptyPassphrase());
+
+        // ARMOR
+        ByteArrayOutputStream cipherText = new ByteArrayOutputStream();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(cipherText);
+
+        // ENCRYPTION
+        PGPDataEncryptorBuilder dataEncryptorBuilder = new BcPGPDataEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256);
+        dataEncryptorBuilder.setWithIntegrityPacket(true);
+
+        PGPEncryptedDataGenerator encDataGenerator = new PGPEncryptedDataGenerator(dataEncryptorBuilder);
+        encDataGenerator.addMethod(new BcPublicKeyKeyEncryptionMethodGenerator(encryptionKey.getPublicKey()));
+        OutputStream encStream = encDataGenerator.open(armorOut, new byte[4096]);
+
+        // COMPRESSION
+        PGPCompressedDataGenerator compressedDataGenerator = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZLIB);
+        BCPGOutputStream bOut = new BCPGOutputStream(compressedDataGenerator.open(encStream));
+
+        // SIGNING
+        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
+                new BcPGPContentSignerBuilder(signingKey.getPublicKey().getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId()));
+        sigGen.init(PGPSignature.BINARY_DOCUMENT, signingPrivKey);
+
+        PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator();
+        subpacketGenerator.addSignerUserID(false, "Albert Lovelace ");
+        sigGen.setHashedSubpackets(subpacketGenerator.generate());
+
+        sigGen.generateOnePassVersion(false).encode(bOut);
+
+        // LITERAL DATA
+        PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator();
+        OutputStream lOut = literalDataGenerator.open(bOut, PGPLiteralDataGenerator.BINARY,
+                PGPLiteralDataGenerator.CONSOLE, new Date(), new byte[4096]);
+
+        // write msg
+        ByteArrayInputStream msgIn = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8));
+        int ch;
+        while ((ch = msgIn.read()) >= 0) {
+            lOut.write(ch);
+            sigGen.update((byte) ch);
+        }
+
+        lOut.close();
+        sigGen.generate().encode(bOut);
+        compressedDataGenerator.close();
+        encStream.close();
+        armorOut.close();
+
+        try {
+            DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(
+                            new ByteArrayInputStream(cipherText.toByteArray()))
+                    .withOptions(new ConsumerOptions()
+                            .addDecryptionKey(secretKeys)
+                            .addVerificationCert(certificate));
+
+            ByteArrayOutputStream out = new ByteArrayOutputStream();
+            Streams.pipeAll(decryptionStream, out);
+
+            decryptionStream.close();
+        } catch (SignatureValidationException e) {
+            // expected
+        }
+    }
+}

From 8f473b513f9ede165f6f0c81dff311492b7d35a5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 10 Mar 2022 12:01:12 +0100
Subject: [PATCH 0344/1450] Add support for OpenPGP v5 fingerprints.

Obviously we need support for key.getFingerprint() in BC, but once
that is there, this should magically start working.
---
 .../pgpainless/key/OpenPgpFingerprint.java    |   3 +
 .../pgpainless/key/OpenPgpV4Fingerprint.java  |  80 ++++++------
 .../pgpainless/key/OpenPgpV5Fingerprint.java  | 117 ++++++++++++++++++
 .../key/OpenPgpV5FingerprintTest.java         |  25 ++++
 4 files changed, 185 insertions(+), 40 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV5Fingerprint.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index af0051c8..b00e4d6f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -33,6 +33,9 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable
-     *     XEP-0373 §4.1: The OpenPGP Public-Key Data Node about how to obtain the fingerprint
-     * @param fingerprint hexadecimal representation of the fingerprint.
+     *
+     * @param fingerprint uppercase hexadecimal fingerprint of length 40
      */
     public OpenPgpV4Fingerprint(@Nonnull String fingerprint) {
         super(fingerprint);
     }
 
-    @Override
-    public int getVersion() {
-        return 4;
-    }
-
-    @Override
-    protected boolean isValid(@Nonnull String fp) {
-        return fp.matches("[0-9A-F]{40}");
-    }
-
-    @Override
-    public long getKeyId() {
-        byte[] bytes = Hex.decode(toString().getBytes(utf8));
-        ByteBuffer buf = ByteBuffer.wrap(bytes);
-
-        // We have to cast here in order to be compatible with java 8
-        // https://github.com/eclipse/jetty.project/issues/3244
-        ((Buffer) buf).position(12);
-
-        return buf.getLong();
-    }
-
-    @Override
-    public String prettyPrint() {
-        String fp = toString();
-        StringBuilder pretty = new StringBuilder();
-        for (int i = 0; i < 5; i++) {
-            pretty.append(fp, i * 4, (i + 1) * 4).append(' ');
-        }
-        pretty.append(' ');
-        for (int i = 5; i < 9; i++) {
-            pretty.append(fp, i * 4, (i + 1) * 4).append(' ');
-        }
-        pretty.append(fp, 36, 40);
-        return pretty.toString();
-    }
-
     public OpenPgpV4Fingerprint(@Nonnull byte[] bytes) {
         super(Hex.encode(bytes));
     }
@@ -95,6 +57,44 @@ public class OpenPgpV4Fingerprint extends OpenPgpFingerprint {
         super(ring);
     }
 
+    @Override
+    public int getVersion() {
+        return 4;
+    }
+
+    @Override
+    protected boolean isValid(@Nonnull String fp) {
+        return fp.matches("^[0-9A-F]{40}$");
+    }
+
+    @Override
+    public long getKeyId() {
+        byte[] bytes = Hex.decode(toString().getBytes(utf8));
+        ByteBuffer buf = ByteBuffer.wrap(bytes);
+
+        // The key id is the right-most 8 bytes (conveniently a long)
+        // We have to cast here in order to be compatible with java 8
+        // https://github.com/eclipse/jetty.project/issues/3244
+        ((Buffer) buf).position(12); // 20 - 8 bytes = offset 12
+
+        return buf.getLong();
+    }
+
+    @Override
+    public String prettyPrint() {
+        String fp = toString();
+        StringBuilder pretty = new StringBuilder();
+        for (int i = 0; i < 5; i++) {
+            pretty.append(fp, i * 4, (i + 1) * 4).append(' ');
+        }
+        pretty.append(' ');
+        for (int i = 5; i < 9; i++) {
+            pretty.append(fp, i * 4, (i + 1) * 4).append(' ');
+        }
+        pretty.append(fp, 36, 40);
+        return pretty.toString();
+    }
+
     @Override
     public boolean equals(Object other) {
         if (other == null) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV5Fingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV5Fingerprint.java
new file mode 100644
index 00000000..fafbc34c
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV5Fingerprint.java
@@ -0,0 +1,117 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.encoders.Hex;
+
+import javax.annotation.Nonnull;
+import java.nio.Buffer;
+import java.nio.ByteBuffer;
+
+/**
+ * This class represents a hex encoded, upper case OpenPGP v5 fingerprint.
+ */
+public class OpenPgpV5Fingerprint extends OpenPgpFingerprint {
+
+    /**
+     * Create an {@link OpenPgpV5Fingerprint}.
+     *
+     * @param fingerprint uppercase hexadecimal fingerprint of length 64
+     */
+    public OpenPgpV5Fingerprint(@Nonnull String fingerprint) {
+        super(fingerprint);
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull byte[] bytes) {
+        super(Hex.encode(bytes));
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull PGPPublicKey key) {
+        super(key);
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull PGPSecretKey key) {
+        this(key.getPublicKey());
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull PGPPublicKeyRing ring) {
+        super(ring);
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull PGPSecretKeyRing ring) {
+        super(ring);
+    }
+
+    public OpenPgpV5Fingerprint(@Nonnull PGPKeyRing ring) {
+        super(ring);
+    }
+
+    @Override
+    public int getVersion() {
+        return 5;
+    }
+
+    @Override
+    protected boolean isValid(@Nonnull String fp) {
+        return fp.matches("^[0-9A-F]{64}$");
+    }
+
+    @Override
+    public long getKeyId() {
+        byte[] bytes = Hex.decode(toString().getBytes(utf8));
+        ByteBuffer buf = ByteBuffer.wrap(bytes);
+
+        // The key id is the left-most 8 bytes (conveniently a long).
+        // We have to cast here in order to be compatible with java 8
+        // https://github.com/eclipse/jetty.project/issues/3244
+        ((Buffer) buf).position(0);
+
+        return buf.getLong();
+    }
+
+    @Override
+    public String prettyPrint() {
+        String fp = toString();
+        StringBuilder pretty = new StringBuilder();
+
+        for (int i = 0; i < 4; i++) {
+            pretty.append(fp, i * 8, (i + 1) * 8).append(' ');
+        }
+        pretty.append(' ');
+        for (int i = 4; i < 7; i++) {
+            pretty.append(fp, i * 8, (i + 1) * 8).append(' ');
+        }
+        pretty.append(fp, 56, 64);
+        return pretty.toString();
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (other == null) {
+            return false;
+        }
+
+        if (!(other instanceof CharSequence)) {
+            return false;
+        }
+
+        return this.toString().equals(other.toString());
+    }
+
+    @Override
+    public int hashCode() {
+        return toString().hashCode();
+    }
+
+    @Override
+    public int compareTo(OpenPgpFingerprint openPgpFingerprint) {
+        return toString().compareTo(openPgpFingerprint.toString());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
new file mode 100644
index 00000000..f3c10cf7
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
@@ -0,0 +1,25 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class OpenPgpV5FingerprintTest {
+
+    @Test
+    public void testFingerprintFormatting() {
+        String pretty = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        String fp = pretty.replace(" ", "");
+
+        OpenPgpV5Fingerprint fingerprint = new OpenPgpV5Fingerprint(fp);
+        assertEquals(fp, fingerprint.toString());
+        assertEquals(pretty, fingerprint.prettyPrint());
+
+        long id = fingerprint.getKeyId();
+        assertEquals("76543210abcdefab", Long.toHexString(id));
+    }
+}

From 6b9b956c2cd40615c251bc367d101300de425a02 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 10 Mar 2022 12:22:02 +0100
Subject: [PATCH 0345/1450] Add OpenPgpFingerprint.parse(String)

---
 .../org/pgpainless/key/OpenPgpFingerprint.java  | 17 +++++++++++++++++
 .../key/OpenPgpV4FingerprintTest.java           | 11 +++++++++++
 .../key/OpenPgpV5FingerprintTest.java           | 11 +++++++++++
 3 files changed, 39 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index b00e4d6f..d5a1daad 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -50,6 +50,23 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable
Date: Sun, 13 Mar 2022 15:12:38 +0100
Subject: [PATCH 0346/1450] Add comment about hash algorithm header

---
 .../java/org/pgpainless/encryption_signing/EncryptionStream.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 27b8958a..6fc112ba 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -152,6 +152,7 @@ public final class EncryptionStream extends OutputStream {
 
     private void prepareLiteralDataProcessing() throws IOException {
         if (options.isCleartextSigned()) {
+            // Begin cleartext with hash algorithm of first signing method
             SigningOptions.SigningMethod firstMethod = options.getSigningOptions().getSigningMethods().values().iterator().next();
             armorOutputStream.beginClearText(firstMethod.getHashAlgorithm().getAlgorithmId());
             return;

From 661c043cdc489f8b7728b00535ae4e2e52f0e006 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 13 Mar 2022 16:52:57 +0100
Subject: [PATCH 0347/1450] DFix KeyRingInfo.getValidAndExpiredUserIds
 considering unbound user-ids as valid

---
 .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index a1818902..971d5a8e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -347,6 +347,11 @@ public class KeyRingInfo {
             PGPSignature certification = signatures.userIdCertifications.get(userId);
             PGPSignature revocation = signatures.userIdRevocations.get(userId);
 
+            // Unbound user-id
+            if (certification == null) {
+                continue;
+            }
+
             // Not revoked -> valid
             if (revocation == null) {
                 probablyExpired.add(userId);

From ffdbd2149162f8d1f1877f623a1a0e47ad62ec90 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Mar 2022 18:23:40 +0100
Subject: [PATCH 0348/1450] Implement configuration option for SignerUserId
 subpacket verification level.

By default we ignore SignerUserId subpackets on signatures.
This behavior can be changed by calling Policy.setSignerUserIdValidationLevel().
Right now, STRICT and DISABLED are available as options, but it may make sense to implement
another option PARTIALLY, which will accept signatures made by key with user-id 'A '
but where the sig contains a signer user id of value 'foo@bar' for example.
---
 .../java/org/pgpainless/policy/Policy.java    | 44 +++++++++++
 .../consumer/CertificateValidator.java        |  2 +-
 .../WrongSignerUserIdTest.java                | 78 +++++++++++++------
 3 files changed, 99 insertions(+), 25 deletions(-)
 rename pgpainless-core/src/test/java/{investigations => org/pgpainless/decryption_verification}/WrongSignerUserIdTest.java (69%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 85948546..58d6f6a2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -42,6 +42,25 @@ public final class Policy {
 
     private AlgorithmSuite keyGenerationAlgorithmSuite = AlgorithmSuite.getDefaultAlgorithmSuite();
 
+    // Signers User-ID is soon to be deprecated.
+    private SignerUserIdValidationLevel signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED;
+
+    public enum SignerUserIdValidationLevel {
+        /**
+         * PGPainless will verify {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets in signatures strictly.
+         * This means, that signatures with Signer's User-ID subpackets containing a value that does not match the signer key's
+         * user-id exactly, will be rejected.
+         * E.g. Signer's user-id "alice@pgpainless.org", User-ID: "Alice <alice@pgpainless.org>" does not
+         * match exactly and is therefore rejected.
+         */
+        STRICT,
+
+        /**
+         * PGPainless will ignore {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets on signature.
+         */
+        DISABLED
+    }
+
     Policy() {
     }
 
@@ -468,4 +487,29 @@ public final class Policy {
     public void setKeyGenerationAlgorithmSuite(@Nonnull AlgorithmSuite algorithmSuite) {
         this.keyGenerationAlgorithmSuite = algorithmSuite;
     }
+
+    /**
+     * Return the level of validation PGPainless shall do on {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets.
+     * By default, this value is {@link SignerUserIdValidationLevel#DISABLED}.
+     *
+     * @return the level of validation
+     */
+    public SignerUserIdValidationLevel getSignerUserIdValidationLevel() {
+        return signerUserIdValidationLevel;
+    }
+
+    /**
+     * Specify, how {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets on signatures shall be validated.
+     *
+     * @param signerUserIdValidationLevel level of verification PGPainless shall do on
+     * {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets.
+     * @return policy instance
+     */
+    public Policy setSignerUserIdValidationLevel(SignerUserIdValidationLevel signerUserIdValidationLevel) {
+        if (signerUserIdValidationLevel == null) {
+            throw new NullPointerException("SignerUserIdValidationLevel cannot be null.");
+        }
+        this.signerUserIdValidationLevel = signerUserIdValidationLevel;
+        return this;
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 93d12fc5..65a1a41d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -143,7 +143,7 @@ public final class CertificateValidator {
 
         // Specific signer user-id
         SignerUserID signerUserID = SignatureSubpacketsUtil.getSignerUserID(signature);
-        if (signerUserID != null) {
+        if (signerUserID != null && policy.getSignerUserIdValidationLevel() == Policy.SignerUserIdValidationLevel.STRICT) {
             List signerUserIdSigs = userIdSignatures.get(signerUserID.getID());
             if (signerUserIdSigs == null || signerUserIdSigs.isEmpty()) {
                 throw new SignatureValidationException("Signature was allegedly made by user-id '" + signerUserID.getID() +
diff --git a/pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java
similarity index 69%
rename from pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java
index ccccdb2d..b3ecabc8 100644
--- a/pgpainless-core/src/test/java/investigations/WrongSignerUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/WrongSignerUserIdTest.java
@@ -2,9 +2,11 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package investigations;
+package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -34,17 +36,17 @@ import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
 import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.exception.SignatureValidationException;
 import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.policy.Policy;
 import org.pgpainless.util.Passphrase;
 
 public class WrongSignerUserIdTest {
 
-    private static final String CERT = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "   Comment: Alice's OpenPGP Transferable Secret Key\n" +
             "   Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html\n" +
             "\n" +
@@ -63,13 +65,54 @@ public class WrongSignerUserIdTest {
             "   -----END PGP PRIVATE KEY BLOCK-----";
     private static final String USER_ID = "Alice Lovelace ";
 
-    public static void main(String[] args) throws Exception {
-        WrongSignerUserIdTest test = new WrongSignerUserIdTest();
-        test.execute();
+    @Test
+    public void verificationSucceedsWithDisabledCheck() throws PGPException, IOException {
+        executeTest(false, true);
     }
 
-    public void execute() throws PGPException, IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(CERT);
+    @Test
+    public void verificationFailsWithEnabledCheck() throws PGPException, IOException {
+        executeTest(true, false);
+    }
+
+    @AfterAll
+    public static void resetDefault() {
+        PGPainless.getPolicy().setSignerUserIdValidationLevel(Policy.SignerUserIdValidationLevel.DISABLED);
+    }
+
+    public void executeTest(boolean enableCheck, boolean expectSucessfulVerification) throws IOException, PGPException {
+        PGPainless.getPolicy().setSignerUserIdValidationLevel(enableCheck ? Policy.SignerUserIdValidationLevel.STRICT : Policy.SignerUserIdValidationLevel.DISABLED);
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        assertEquals(USER_ID, secretKeys.getPublicKey().getUserIDs().next());
+
+        String messageWithWrongUserId = generateTestMessage(secretKeys);
+        verifyTestMessage(messageWithWrongUserId, secretKeys, expectSucessfulVerification);
+    }
+
+    private void verifyTestMessage(String messageWithWrongUserId, PGPSecretKeyRing secretKeys, boolean expectSuccessfulVerification) throws IOException, PGPException {
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(
+                        new ByteArrayInputStream(messageWithWrongUserId.getBytes(StandardCharsets.UTF_8)))
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(secretKeys)
+                        .addVerificationCert(certificate));
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+
+        decryptionStream.close();
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+
+        if (expectSuccessfulVerification) {
+            assertTrue(metadata.isVerified());
+        } else {
+            assertFalse(metadata.isVerified());
+        }
+
+    }
+
+    private String generateTestMessage(PGPSecretKeyRing secretKeys) throws PGPException, IOException {
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
 
         assertEquals(USER_ID, certificate.getPublicKey().getUserIDs().next());
@@ -126,19 +169,6 @@ public class WrongSignerUserIdTest {
         encStream.close();
         armorOut.close();
 
-        try {
-            DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify().onInputStream(
-                            new ByteArrayInputStream(cipherText.toByteArray()))
-                    .withOptions(new ConsumerOptions()
-                            .addDecryptionKey(secretKeys)
-                            .addVerificationCert(certificate));
-
-            ByteArrayOutputStream out = new ByteArrayOutputStream();
-            Streams.pipeAll(decryptionStream, out);
-
-            decryptionStream.close();
-        } catch (SignatureValidationException e) {
-            // expected
-        }
+        return cipherText.toString();
     }
 }

From 0819592b3aeb78157548f20c9ecf7c4ed2d9ef5e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 14 Mar 2022 11:12:21 +0100
Subject: [PATCH 0349/1450] Update changelog

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f39e50c..484671e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,13 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.1.3-SNAPSHOT
+- Make `SigningOptions.getSigningMethods()` part of internal API
+- Fix crash when trying to do verification of unmatched `SignersUserId` signature subpacket
+  - For now, verification of `SignersUserId` is disabled but can be enabled via `Policy.setSignerUserIdValidationLevel()`
+- Initial support for `OpenPgpV5Fingerprint`
+- Security: Fix `KeyRingInfo.getValidAndExpiredUserIds()` accidentally including unbound user-ids
+
 ## 1.1.2
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
 - Fix generic type of `CertificationSubpackets.Callback`

From d4d29553ec273185f0f6f854dce8d99399a28abe Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 15:10:23 +0100
Subject: [PATCH 0350/1450] Add decryption example

---
 .../pgpainless/example/DecryptOrVerify.java   | 77 ++++++++++++++++++-
 1 file changed, 76 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
index d0f3461c..d85d667e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
@@ -5,6 +5,8 @@
 package org.pgpainless.example;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
@@ -54,6 +56,11 @@ public class DecryptOrVerify {
             "=JHMt\n" +
             "-----END PGP PRIVATE KEY BLOCK-----\n";
 
+    // The key above is not password protected.
+    private static final SecretKeyRingProtector keyProtector = SecretKeyRingProtector.unprotectedKeys();
+
+    private static final String PLAINTEXT = "Hello, World!\n";
+
     private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -76,6 +83,27 @@ public class DecryptOrVerify {
             "QUibivG5Slahz8l7PWnGkxbB2naQxgw=\n" +
             "=oNIK\n" +
             "-----END PGP SIGNATURE-----";
+    private static final String ENCRYPTED = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "hF4DwqNy0B3ItTkSAQdArkuJHqPTVX+UaqQtHzppwOZDK0TfH1f/fAjrZaso/DUw\n" +
+            "ne6Xc1HYG+gTBWEQUw09m5b/f0E7DSeIg/ai/HKnF8mBSIQhphPR4yVAWypOOUmh\n" +
+            "0kABCiGjaJQyAzF/VtzC+ZVU67DfBl24CEPaRMumxieVUqo/VYWy3zyzE6H1zMqq\n" +
+            "/lWeVnK7NwtfArlhpRcph0S8\n" +
+            "=1cyl\n" +
+            "-----END PGP MESSAGE-----\n";
+    private static final String ENCRYPTED_AND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "hF4DwqNy0B3ItTkSAQdAGqwFJ6SRW6It9w+RBudeGbdUj8OZqwApqyvwbKUzJiYw\n" +
+            "WAcJOrGIbrK9bKzJdCLbVYkegILb6vqTuamU8iYDCccstV4Y2w0kT5ynHHPVFKfg\n" +
+            "0r8BUe/Mi8zL0Af6K2r6A9gq/Q8vmscoOB5mI5Yxrk48+rPcp0rZbSu9rC9pHZfs\n" +
+            "hhvxwGwG8EZm14pseHUZdoKldUD8tCbhkS7wDMOHzA1Fo1m1Yyjhe4kBaCrn9zhP\n" +
+            "YSeOzHtMxk5JBcrZW+LMMuRGNBzxc0R1yirqk8yymF1qzTTuYqziO0QxbW1gU00F\n" +
+            "ewdovd7Cx1Il8ONgRzGS3Wyb+iORNuhLpw+w2SV74Kg8XWLD7pDFgOuFZw39b+0X\n" +
+            "Nw==\n" +
+            "=9PiO\n" +
+            "-----END PGP MESSAGE-----";
 
     private static PGPSecretKeyRing secretKey;
     private static PGPPublicKeyRing certificate;
@@ -86,6 +114,53 @@ public class DecryptOrVerify {
         certificate = PGPainless.extractCertificate(secretKey);
     }
 
+    @Test
+    public void decryptMessage() throws PGPException, IOException {
+        ConsumerOptions consumerOptions = new ConsumerOptions()
+                .addDecryptionKey(secretKey, keyProtector);
+
+        ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED.getBytes(StandardCharsets.UTF_8));
+
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(consumerOptions);
+
+        Streams.pipeAll(decryptionStream, plaintextOut);
+        decryptionStream.close();
+
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+        assertTrue(metadata.isEncrypted()); // message was encrypted
+        assertFalse(metadata.isVerified()); // We did not do any signature verification
+
+        assertEquals(PLAINTEXT, plaintextOut.toString());
+    }
+
+    @Test
+    public void decryptMessageAndVerifySignatures() throws PGPException, IOException {
+        ConsumerOptions consumerOptions = new ConsumerOptions()
+                .addDecryptionKey(secretKey, keyProtector)
+                .addVerificationCert(certificate);
+
+        ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED_AND_SIGNED.getBytes(StandardCharsets.UTF_8));
+
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(consumerOptions);
+
+        Streams.pipeAll(decryptionStream, plaintextOut);
+        decryptionStream.close();
+
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+        assertTrue(metadata.isEncrypted());
+        assertTrue(metadata.isSigned());
+        assertTrue(metadata.isVerified());
+        assertTrue(metadata.containsVerifiedSignatureFrom(certificate));
+
+        assertEquals(PLAINTEXT, plaintextOut.toString());
+    }
+
     @Test
     public void verifySignatures() throws PGPException, IOException {
         ConsumerOptions options = new ConsumerOptions()
@@ -104,7 +179,7 @@ public class DecryptOrVerify {
 
             OpenPgpMetadata metadata = verificationStream.getResult();
             assertTrue(metadata.isVerified());
-            assertArrayEquals("Hello, World!\n".getBytes(StandardCharsets.UTF_8), out.toByteArray());
+            assertEquals(PLAINTEXT, out.toString());
         }
     }
 

From bfe140294ca46e06f6cf1d04a99fe4a280f5baeb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 15:38:07 +0100
Subject: [PATCH 0351/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 484671e6..e0c0352d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,9 @@ SPDX-License-Identifier: CC0-1.0
 - Initial support for `OpenPgpV5Fingerprint`
 - Security: Fix `KeyRingInfo.getValidAndExpiredUserIds()` accidentally including unbound user-ids
 
+## 1.0.5
+- Security: Fix `KeyRingInfo.getValidAndExpiredUserIds()` accidentally including unbound user-ids
+
 ## 1.1.2
 - Fix `keyRingInfo.getEmailAddresses()` incorrectly matching some mail addresses (thanks @bratkartoffel for reporting and initial patch proposal)
 - Fix generic type of `CertificationSubpackets.Callback`

From 655f4ae09ae185a0f1d2e5b5c0287b874eeb79c9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 15:41:30 +0100
Subject: [PATCH 0352/1450] PGPainless 1.1.3

---
 CHANGELOG.md             | 1 +
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0c0352d..28d2483f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ SPDX-License-Identifier: CC0-1.0
 - Fix crash when trying to do verification of unmatched `SignersUserId` signature subpacket
   - For now, verification of `SignersUserId` is disabled but can be enabled via `Policy.setSignerUserIdValidationLevel()`
 - Initial support for `OpenPgpV5Fingerprint`
+- Add `OpenPgpFingerprint.parse(string)`
 - Security: Fix `KeyRingInfo.getValidAndExpiredUserIds()` accidentally including unbound user-ids
 
 ## 1.0.5
diff --git a/README.md b/README.md
index 29454fd0..933ba781 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.2'
+	implementation 'org.pgpainless:pgpainless-core:1.1.3'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 00196f93..af3c5e52 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.1.1"
+    implementation "org.pgpainless:pgpainless-sop:1.1.3"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.1.1
+        1.1.3
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 34931747..b91ac185 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.1.3'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From f155768539077c461152945e8e4174d48792fc3c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 15:43:50 +0100
Subject: [PATCH 0353/1450] PGPainless-1.1.4-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index b91ac185..57acae3f 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.3'
-        isSnapshot = false
+        shortVersion = '1.1.4'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From ecfa3823fb3c1f47a6ea8d46d176ab0324cca041 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 16:51:56 +0100
Subject: [PATCH 0354/1450] Add utility method to remove secret subkey from key
 ring

This might be useful for offline primary keys
---
 .../org/pgpainless/key/util/KeyRingUtils.java | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index af06928e..1648d5d8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.key.util;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -25,6 +26,7 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
 import org.pgpainless.PGPainless;
 import org.pgpainless.exception.NotYetImplementedException;
+import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 
@@ -290,4 +292,24 @@ public final class KeyRingUtils {
         return newSecretKey;
     }
 
+    public static PGPSecretKeyRing removeSecretKey(PGPSecretKeyRing secretKeys, long secretKeyId)
+            throws IOException, PGPException {
+        if (secretKeys.getSecretKey(secretKeyId) == null) {
+            throw new NoSuchElementException("PGPSecretKeyRing does not contain secret key " + Long.toHexString(secretKeyId));
+        }
+
+        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
+        for (PGPSecretKey secretKey : secretKeys) {
+            if (secretKey.getKeyID() == secretKeyId) {
+                secretKey.getPublicKey().encode(encoded);
+            } else {
+                secretKey.encode(encoded);
+            }
+        }
+        for (Iterator it = secretKeys.getExtraPublicKeys(); it.hasNext(); ) {
+            PGPPublicKey extra = it.next();
+            extra.encode(encoded);
+        }
+        return new PGPSecretKeyRing(encoded.toByteArray(), ImplementationFactory.getInstance().getKeyFingerprintCalculator());
+    }
 }

From 29dc20d0bc330afa27e0e0f6b4335b88771736e3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 16:52:29 +0100
Subject: [PATCH 0355/1450] Add EncryptionResult.isEncryptedFor(certificate)

---
 .../encryption_signing/EncryptionResult.java  | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
index 566238d3..d1bc3d7f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
@@ -11,6 +11,7 @@ import java.util.Set;
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
@@ -130,6 +131,25 @@ public final class EncryptionResult {
         return PGPLiteralData.CONSOLE.equals(getFileName());
     }
 
+    /**
+     * Returns true, if the message was encrypted for at least one subkey of the given certificate.
+     *
+     * @param certificate certificate
+     * @return true if encrypted for 1+ subkeys, false otherwise.
+     */
+    public boolean isEncryptedFor(PGPPublicKeyRing certificate) {
+        for (SubkeyIdentifier recipient : recipients) {
+            if (certificate.getPublicKey().getKeyID() != recipient.getPrimaryKeyId()) {
+                continue;
+            }
+
+            if (certificate.getPublicKey(recipient.getSubkeyId()) != null) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     /**
      * Create a builder for the encryption result class.
      *

From 2dba981e075c79085c1d58856d85c2d18222f8b7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 17:20:55 +0100
Subject: [PATCH 0356/1450] Update README

---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 933ba781..a4157c6d 100644
--- a/README.md
+++ b/README.md
@@ -208,6 +208,23 @@ PGPainless is developed in - and accepts contributions from - the following plac
 * [Github](https://github.com/pgpainless/pgpainless)
 * [Codeberg](https://codeberg.org/PGPainless/pgpainless)
 
+We are using SemVer (MAJOR.MINOR.PATCH) versioning, although MINOR releases could contain breaking changes from time to time.
+
+If you want to contribute a bug fix, please check the `release/X.Y` branches first to see, what the oldest release is
+which contains the bug you are fixing. That way we can update older revisions of the library easily.
+
+### Branches
+* `release/X.Y` contains the state of the latest `X.Y.Z` PATCH release + next PATCH snapshot definition.
+* `master` contains the state of the latest MINOR release + some smaller changes that will make it into the next PATCH release.
+* `development` contains new features that will make it into the next MINOR release.
+
+#### Example:
+Latest release: 1.1.3
+* `release/1.0` contains the state of `1.0.5-SNAPSHOT`
+* `release/1.1` contains the state of `1.1.4-SNAPSHOT`
+* `master` contains the state `release/1.1` plus patch level changes that will make it into `1.1.4`.
+* `development` contains the state which will at some point become `1.2.0`.
+
 Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part of the project.
 
 ## Acknowledgements

From 9e0aa95a5a1138b1d7266831def013341737e97f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Mar 2022 21:29:34 +0100
Subject: [PATCH 0357/1450] Add documentation for the DecryptOrVerify examples

---
 .../pgpainless/example/DecryptOrVerify.java   | 133 ++++++++++++++----
 1 file changed, 106 insertions(+), 27 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
index d85d667e..074fc206 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
@@ -30,8 +30,14 @@ import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 
+/**
+ * This class contains examples on how to decrypt encrypted, and verify signed messages.
+ */
 public class DecryptOrVerify {
 
+    /**
+     * The secret key.
+     */
     private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +
             "Comment: AA21 9149 3B35 E679 8876  DE43 B0D7 8185 F639 B6C9\n" +
@@ -56,11 +62,22 @@ public class DecryptOrVerify {
             "=JHMt\n" +
             "-----END PGP PRIVATE KEY BLOCK-----\n";
 
-    // The key above is not password protected.
+    /**
+     * Protector to unlock the secret key.
+     * Since the key is not protected, it is enough to use an unprotectedKeys implementation.
+     *
+     * For more info on how to use the {@link SecretKeyRingProtector}, see {@link UnlockSecretKeys}.
+     */
     private static final SecretKeyRingProtector keyProtector = SecretKeyRingProtector.unprotectedKeys();
 
+    /**
+     * The plaintext message.
+     */
     private static final String PLAINTEXT = "Hello, World!\n";
 
+    /**
+     * The {@link #PLAINTEXT} message, but signed using inband signatures.
+     */
     private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -70,6 +87,10 @@ public class DecryptOrVerify {
             "M8e7ufwA\n" +
             "=RDiy\n" +
             "-----END PGP MESSAGE-----";
+
+    /**
+     * The {@link #PLAINTEXT} message, but signed using the cleartext signature framework.
+     */
     private static final String CLEARTEXT_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----\n" +
             "Hash: SHA512\n" +
             "\n" +
@@ -83,6 +104,10 @@ public class DecryptOrVerify {
             "QUibivG5Slahz8l7PWnGkxbB2naQxgw=\n" +
             "=oNIK\n" +
             "-----END PGP SIGNATURE-----";
+
+    /**
+     * The {@link #PLAINTEXT} message, but encrypted for the {@link #certificate}.
+     */
     private static final String ENCRYPTED = "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -92,6 +117,10 @@ public class DecryptOrVerify {
             "/lWeVnK7NwtfArlhpRcph0S8\n" +
             "=1cyl\n" +
             "-----END PGP MESSAGE-----\n";
+
+    /**
+     * The {@link #PLAINTEXT} message signed by the {@link #secretKey} and encrypted for the {@link #certificate}.
+     */
     private static final String ENCRYPTED_AND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -110,37 +139,55 @@ public class DecryptOrVerify {
 
     @BeforeAll
     public static void prepare() throws IOException {
+        // read the secret key
         secretKey = PGPainless.readKeyRing().secretKeyRing(KEY);
+        // certificate is the public part of the key
         certificate = PGPainless.extractCertificate(secretKey);
     }
 
+    /**
+     * This example demonstrates how to decrypt an encrypted message using a secret key.
+     *
+     * @throws PGPException
+     * @throws IOException
+     */
     @Test
     public void decryptMessage() throws PGPException, IOException {
         ConsumerOptions consumerOptions = new ConsumerOptions()
-                .addDecryptionKey(secretKey, keyProtector);
+                .addDecryptionKey(secretKey, keyProtector); // add the decryption key ring
 
         ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
         ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED.getBytes(StandardCharsets.UTF_8));
 
+        // The decryption stream is an input stream from which we read the decrypted data
         DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
                 .onInputStream(ciphertextIn)
                 .withOptions(consumerOptions);
 
         Streams.pipeAll(decryptionStream, plaintextOut);
-        decryptionStream.close();
+        decryptionStream.close(); // remember to close the stream!
 
+        // The metadata object contains information about the message
         OpenPgpMetadata metadata = decryptionStream.getResult();
         assertTrue(metadata.isEncrypted()); // message was encrypted
         assertFalse(metadata.isVerified()); // We did not do any signature verification
 
+        // The output stream now contains the decrypted message
         assertEquals(PLAINTEXT, plaintextOut.toString());
     }
 
+    /**
+     * In this example, an encrypted and signed message is processed.
+     * The message gets decrypted using the secret key and the signatures are verified using the certificate.
+     *
+     * @throws PGPException
+     * @throws IOException
+     */
     @Test
     public void decryptMessageAndVerifySignatures() throws PGPException, IOException {
         ConsumerOptions consumerOptions = new ConsumerOptions()
-                .addDecryptionKey(secretKey, keyProtector)
-                .addVerificationCert(certificate);
+                .addDecryptionKey(secretKey, keyProtector) // provide the secret key of the recipient for decryption
+                .addVerificationCert(certificate); // provide the signers public key for signature verification
 
         ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
         ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ENCRYPTED_AND_SIGNED.getBytes(StandardCharsets.UTF_8));
@@ -150,66 +197,98 @@ public class DecryptOrVerify {
                 .withOptions(consumerOptions);
 
         Streams.pipeAll(decryptionStream, plaintextOut);
-        decryptionStream.close();
+        decryptionStream.close(); // remember to close the stream to finish signature verification
 
+        // metadata with information on the message, like signatures
         OpenPgpMetadata metadata = decryptionStream.getResult();
-        assertTrue(metadata.isEncrypted());
-        assertTrue(metadata.isSigned());
-        assertTrue(metadata.isVerified());
-        assertTrue(metadata.containsVerifiedSignatureFrom(certificate));
+        assertTrue(metadata.isEncrypted()); // messages was in fact encrypted
+        assertTrue(metadata.isSigned()); // message contained some signatures
+        assertTrue(metadata.isVerified()); // the signatures were actually correct
+        assertTrue(metadata.containsVerifiedSignatureFrom(certificate)); // the signatures could be verified using the certificate
 
         assertEquals(PLAINTEXT, plaintextOut.toString());
     }
 
+    /**
+     * In this example, signed messages are verified.
+     * The example shows that verification of inband signed, and cleartext signed messages works the same.
+     * @throws PGPException
+     * @throws IOException
+     */
     @Test
     public void verifySignatures() throws PGPException, IOException {
         ConsumerOptions options = new ConsumerOptions()
-                .addVerificationCert(certificate);
+                .addVerificationCert(certificate); // provide the signers certificate for verification of signatures
 
         for (String signed : new String[] {INBAND_SIGNED, CLEARTEXT_SIGNED}) {
             ByteArrayOutputStream out = new ByteArrayOutputStream();
             ByteArrayInputStream in = new ByteArrayInputStream(signed.getBytes(StandardCharsets.UTF_8));
-            DecryptionStream verificationStream;
-                verificationStream = PGPainless.decryptAndOrVerify()
-                        .onInputStream(in)
-                        .withOptions(options);
+
+            DecryptionStream verificationStream = PGPainless.decryptAndOrVerify()
+                    .onInputStream(in)
+                    .withOptions(options);
 
             Streams.pipeAll(verificationStream, out);
-            verificationStream.close();
+            verificationStream.close(); // remember to close the stream to finish sig verification
 
+            // Get the metadata object for information about the message
             OpenPgpMetadata metadata = verificationStream.getResult();
-            assertTrue(metadata.isVerified());
+            assertTrue(metadata.isVerified()); // signatures were verified successfully
+            // The output stream we piped to now contains the message
             assertEquals(PLAINTEXT, out.toString());
         }
     }
 
-
+    /**
+     * This example shows how to create - and verify - cleartext signed messages.
+     * @throws PGPException
+     * @throws IOException
+     */
     @Test
-    public void createVerifyCleartextSignedMessage() throws PGPException, IOException {
+    public void createAndVerifyCleartextSignedMessage() throws PGPException, IOException {
+        // In this example we sign and verify a number of different messages one after the other
         for (String msg : new String[] {"Hello World!", "- Hello - World -", "Hello, World!\n", "Hello\nWorld!"}) {
+            // we need to read the plaintext message from somewhere
             ByteArrayInputStream in = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8));
+            // and write the signed message to an output stream
             ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+            SigningOptions signingOptions = SigningOptions.get();
+            // for cleartext signed messages, we need to add a detached signature...
+            signingOptions.addDetachedSignature(keyProtector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT);
+            ProducerOptions producerOptions = ProducerOptions.sign(signingOptions)
+                    .setCleartextSigned(); // and declare that the message will be cleartext signed
+
+            // Create the signing stream
             EncryptionStream signingStream = PGPainless.encryptAndOrSign()
-                    .onOutputStream(out)
-                    .withOptions(ProducerOptions.sign(SigningOptions.get()
-                            .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
-                    ).setCleartextSigned());
+                    .onOutputStream(out) // on the output stream
+                    .withOptions(producerOptions); // with the options
 
-            Streams.pipeAll(in, signingStream);
-            signingStream.close();
+            Streams.pipeAll(in, signingStream); // pipe the plaintext message into the signing stream
+            signingStream.close(); // remember to close the stream to finish the signatures
 
-            ByteArrayInputStream signedIn = new ByteArrayInputStream(out.toByteArray());
+            // Now the output stream contains the signed message
+            byte[] signedMessage = out.toByteArray();
 
+            // Verification
+            // we need to read the signed message
+            ByteArrayInputStream signedIn = new ByteArrayInputStream(signedMessage);
+
+            // and pass it to the decryption stream
             DecryptionStream verificationStream = PGPainless.decryptAndOrVerify()
                     .onInputStream(signedIn)
                     .withOptions(new ConsumerOptions().addVerificationCert(certificate));
 
+            // plain will receive the plaintext message
             ByteArrayOutputStream plain = new ByteArrayOutputStream();
             Streams.pipeAll(verificationStream, plain);
-            verificationStream.close();
 
+            verificationStream.close(); // as always, remember to close the stream
+
+            // Metadata will confirm that the message was in fact signed
             OpenPgpMetadata metadata = verificationStream.getResult();
             assertTrue(metadata.isVerified());
+            // compare the plaintext to what we originally signed
             assertArrayEquals(msg.getBytes(StandardCharsets.UTF_8), plain.toByteArray());
         }
     }

From d6cf1c6609de195f67fb2549dc15140b45150dc4 Mon Sep 17 00:00:00 2001
From: Simon Frankenberger 
Date: Thu, 3 Mar 2022 11:55:34 +0100
Subject: [PATCH 0358/1450] fix "Easily Generate Keys" example code missing
 passphrase wrapper class

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a4157c6d..2627b1f9 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ There are some predefined key archetypes, but it is possible to fully customize
                                         KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)
                 ).addUserId("Juliet ")
                 .addUserId("xmpp:juliet@capulet.lit")
-                .setPassphrase("romeo_oh_Romeo<3")
+                .setPassphrase(Passphrase.fromPassword("romeo_oh_Romeo<3"))
                 .build();
 ```
 

From e569c2c99152a202d2019a2bd3a2b240f033924e Mon Sep 17 00:00:00 2001
From: Simon Frankenberger 
Date: Thu, 3 Mar 2022 11:56:28 +0100
Subject: [PATCH 0359/1450] ArmorUtils now prints out the primary user-id and
 brief information about other user-ids

---
 .../java/org/pgpainless/util/ArmorUtils.java  | 31 ++++++++++-
 .../org/pgpainless/util/ArmorUtilsTest.java   | 55 +++++++++++++++++++
 2 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 9d73635e..122dd961 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -24,6 +24,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
 import org.bouncycastle.util.io.Streams;
@@ -106,14 +107,38 @@ public final class ArmorUtils {
         return sb.toString();
     }
 
+    private static Tuple getPrimaryUserIdAndUserIdCount(PGPPublicKey publicKey) {
+        Iterator userIds = publicKey.getUserIDs();
+        int countIdentities = 0;
+        String primary = null;
+        while (userIds.hasNext()) {
+            countIdentities++;
+            String userId = userIds.next();
+            if (primary == null) {
+                Iterator signatures = publicKey.getSignaturesForID(userId);
+                while (signatures.hasNext()) {
+                    PGPSignature signature = signatures.next();
+                    if (signature.getHashedSubPackets().isPrimaryUserID()) {
+                        primary = userId;
+                        break;
+                    }
+                }
+            }
+        }
+        return new Tuple<>(primary, countIdentities);
+    }
+
     private static MultiMap keyToHeader(PGPPublicKey publicKey) {
         MultiMap header = new MultiMap<>();
         OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
-        Iterator userIds = publicKey.getUserIDs();
 
         header.put(HEADER_COMMENT, fingerprint.prettyPrint());
-        if (userIds.hasNext()) {
-            header.put(HEADER_COMMENT, userIds.next());
+        Tuple idCount = getPrimaryUserIdAndUserIdCount(publicKey);
+        if (idCount.getA() != null) {
+            header.put(HEADER_COMMENT, idCount.getA() + " (Primary)");
+        }
+        if (idCount.getB() != 1) {
+            header.put(HEADER_COMMENT, String.format("Public key contains %d identities", idCount.getB()));
         }
         return header;
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
index f421277b..d9ac2ca5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
@@ -21,16 +21,24 @@ import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestTemplate;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.TestKeys;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.ecc.EllipticCurve;
+import org.pgpainless.key.generation.type.ecc.ecdsa.ECDSA;
 
 public class ArmorUtilsTest {
 
@@ -144,6 +152,53 @@ public class ArmorUtilsTest {
                 "-----END PGP MESSAGE-----\n", out.toString());
     }
 
+    @Test
+    public void testMultipleIdentitiesInHeader() throws Exception {
+        PGPSecretKeyRing secretKeyRing = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER))
+                .addUserId("Juliet ")
+                .addUserId("xmpp:juliet@capulet.lit")
+                .setPassphrase(Passphrase.fromPassword("test"))
+                .build();
+        PGPPublicKey publicKey = secretKeyRing.getPublicKey();
+        PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
+        String armored = PGPainless.asciiArmor(publicKeyRing);
+        Assertions.assertTrue(armored.contains("Comment: Juliet  (Primary)"));
+        Assertions.assertTrue(armored.contains("Comment: Public key contains 2 identities"));
+    }
+
+    @Test
+    public void testSingleIdentityInHeader() throws Exception {
+        PGPSecretKeyRing secretKeyRing = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER))
+                .addUserId("Juliet ")
+                .setPassphrase(Passphrase.fromPassword("test"))
+                .build();
+        PGPPublicKey publicKey = secretKeyRing.getPublicKey();
+        PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
+        String armored = PGPainless.asciiArmor(publicKeyRing);
+        Assertions.assertTrue(armored.contains("Comment: Juliet  (Primary)"));
+        Assertions.assertFalse(armored.contains("Comment: Public key contains 1 identities"));
+    }
+
+    @Test
+    public void testWithoutIdentityInHeader() throws Exception {
+        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "\n" +
+                "xsBNBGIgzE0BCACwxaYg6bpmp0POq1T6yalGE9XaL2IG9d9khDBweZ63s3Pu1pHB\n" +
+                "JtmjgN7Tx3ts6hLzQm3YKYA6zu1MXQ8k2vqtdtGUpZPp18Pbars7yUDqh8QIdFjO\n" +
+                "GeE+c8So0MQgTgoBuyZiSmslwp1WO78ozf/0rCayFdy73dPUntuLE6c2ZKO8nw/g\n" +
+                "uyk2ozsqLN/TBpgbuJUyMedJtXV10DdT9QxH/66LmdjFKXTkc74qI8YAm/pmJeOh\n" +
+                "36qZ5ehAgz9MthPQINnZKpnqidqkGFvjwVFlCMlVSmNCNJmpgGDH3gvkklZHzGsf\n" +
+                "dfzQswd/BQjPsFH9cK+QFYMG6q2zrvM0X9mdABEBAAE=\n" +
+                "=njg8\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\n");
+        PGPPublicKey publicKey = publicKeys.getPublicKey();
+        PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
+        String armored = PGPainless.asciiArmor(publicKeyRing);
+        Assertions.assertTrue(armored.contains("Comment: Public key contains 0 identities"));
+    }
+
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
     public void decodeExampleTest() throws IOException, PGPException {

From 3585203557066a22ac40c2fd5cefbc01974c628f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 21 Mar 2022 16:44:59 +0100
Subject: [PATCH 0360/1450] Prettify user-id info on armor

---
 .../java/org/pgpainless/util/ArmorUtils.java  | 36 ++++++++++++++-----
 .../org/pgpainless/util/ArmorUtilsTest.java   | 33 +++++++++++++----
 2 files changed, 54 insertions(+), 15 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 122dd961..a46dd211 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -108,12 +108,21 @@ public final class ArmorUtils {
     }
 
     private static Tuple getPrimaryUserIdAndUserIdCount(PGPPublicKey publicKey) {
+        // Quickly determine the primary user-id + number of total user-ids
+        // NOTE: THIS METHOD DOES NOT CRYPTOGRAPHICALLY VERIFY THE SIGNATURES
+        // DO NOT RELY ON IT!
         Iterator userIds = publicKey.getUserIDs();
         int countIdentities = 0;
+        String first = null;
         String primary = null;
         while (userIds.hasNext()) {
             countIdentities++;
             String userId = userIds.next();
+            // remember the first user-id
+            if (first == null) {
+                first = userId;
+            }
+
             if (primary == null) {
                 Iterator signatures = publicKey.getSignaturesForID(userId);
                 while (signatures.hasNext()) {
@@ -125,7 +134,10 @@ public final class ArmorUtils {
                 }
             }
         }
-        return new Tuple<>(primary, countIdentities);
+        // It may happen that no user-id is marked as primary
+        // in that case print the first one
+        String printed = primary != null ? primary : first;
+        return new Tuple<>(printed, countIdentities);
     }
 
     private static MultiMap keyToHeader(PGPPublicKey publicKey) {
@@ -133,16 +145,24 @@ public final class ArmorUtils {
         OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
 
         header.put(HEADER_COMMENT, fingerprint.prettyPrint());
-        Tuple idCount = getPrimaryUserIdAndUserIdCount(publicKey);
-        if (idCount.getA() != null) {
-            header.put(HEADER_COMMENT, idCount.getA() + " (Primary)");
-        }
-        if (idCount.getB() != 1) {
-            header.put(HEADER_COMMENT, String.format("Public key contains %d identities", idCount.getB()));
-        }
+        setUserIdInfoOnHeader(header, publicKey);
         return header;
     }
 
+    private static void setUserIdInfoOnHeader(MultiMap header, PGPPublicKey publicKey) {
+        Tuple idCount = getPrimaryUserIdAndUserIdCount(publicKey);
+        String primary = idCount.getA();
+        int totalCount = idCount.getB();
+        if (primary != null) {
+            header.put(HEADER_COMMENT, primary);
+        }
+        if (totalCount == 2) {
+            header.put(HEADER_COMMENT, "1 further identity");
+        } else if (totalCount > 2) {
+            header.put(HEADER_COMMENT, String.format("%d further identities", totalCount - 1));
+        }
+    }
+
     private static MultiMap keysToHeader(PGPKeyRing keyRing) {
         PGPPublicKey publicKey = keyRing.getPublicKey();
         return keyToHeader(publicKey);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
index d9ac2ca5..c320c649 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
@@ -163,10 +163,27 @@ public class ArmorUtilsTest {
         PGPPublicKey publicKey = secretKeyRing.getPublicKey();
         PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
         String armored = PGPainless.asciiArmor(publicKeyRing);
-        Assertions.assertTrue(armored.contains("Comment: Juliet  (Primary)"));
-        Assertions.assertTrue(armored.contains("Comment: Public key contains 2 identities"));
+        Assertions.assertTrue(armored.contains("Comment: Juliet "));
+        Assertions.assertTrue(armored.contains("Comment: 1 further identity"));
     }
 
+    @Test
+    public void testEvenMoreIdentitiesInHeader() throws Exception {
+        PGPSecretKeyRing secretKeyRing = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER))
+                .addUserId("Juliet ")
+                .addUserId("xmpp:juliet@capulet.lit")
+                .addUserId("Juliet Montague ")
+                .setPassphrase(Passphrase.fromPassword("test"))
+                .build();
+        PGPPublicKey publicKey = secretKeyRing.getPublicKey();
+        PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
+        String armored = PGPainless.asciiArmor(publicKeyRing);
+        Assertions.assertTrue(armored.contains("Comment: Juliet "));
+        Assertions.assertTrue(armored.contains("Comment: 2 further identities"));
+    }
+
+
     @Test
     public void testSingleIdentityInHeader() throws Exception {
         PGPSecretKeyRing secretKeyRing = PGPainless.buildKeyRing()
@@ -177,13 +194,13 @@ public class ArmorUtilsTest {
         PGPPublicKey publicKey = secretKeyRing.getPublicKey();
         PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
         String armored = PGPainless.asciiArmor(publicKeyRing);
-        Assertions.assertTrue(armored.contains("Comment: Juliet  (Primary)"));
-        Assertions.assertFalse(armored.contains("Comment: Public key contains 1 identities"));
+        Assertions.assertTrue(armored.contains("Comment: Juliet "));
+        Assertions.assertFalse(armored.contains("Comment: 1 total identities"));
     }
 
     @Test
     public void testWithoutIdentityInHeader() throws Exception {
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing("-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+        final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
                 "\n" +
                 "xsBNBGIgzE0BCACwxaYg6bpmp0POq1T6yalGE9XaL2IG9d9khDBweZ63s3Pu1pHB\n" +
                 "JtmjgN7Tx3ts6hLzQm3YKYA6zu1MXQ8k2vqtdtGUpZPp18Pbars7yUDqh8QIdFjO\n" +
@@ -192,11 +209,13 @@ public class ArmorUtilsTest {
                 "36qZ5ehAgz9MthPQINnZKpnqidqkGFvjwVFlCMlVSmNCNJmpgGDH3gvkklZHzGsf\n" +
                 "dfzQswd/BQjPsFH9cK+QFYMG6q2zrvM0X9mdABEBAAE=\n" +
                 "=njg8\n" +
-                "-----END PGP PUBLIC KEY BLOCK-----\n");
+                "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(CERT);
         PGPPublicKey publicKey = publicKeys.getPublicKey();
         PGPPublicKeyRing publicKeyRing = PGPainless.readKeyRing().publicKeyRing(publicKey.getEncoded());
         String armored = PGPainless.asciiArmor(publicKeyRing);
-        Assertions.assertTrue(armored.contains("Comment: Public key contains 0 identities"));
+        Assertions.assertFalse(armored.contains("Comment: 0 total identities"));
     }
 
     @TestTemplate

From b1eb33eb2c0f6daf036d56ca10c35b8054dc867b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 12:44:36 +0100
Subject: [PATCH 0361/1450] Update CHANGELOG

---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28d2483f..9d644157 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,13 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.3-SNAPSHOT
+## 1.1.4-SNAPSHOT
+- Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring
+  - This can come in handy when using primary keys stored offline
+- Add `EncryptionResult.isEncryptedFor(certificate)`
+- `ArmorUtils.toAsciiArmoredString()` methods now print out primary user-id and brief information about further user-ids (thanks @bratkartoffel for the patch)
+
+## 1.1.3
 - Make `SigningOptions.getSigningMethods()` part of internal API
 - Fix crash when trying to do verification of unmatched `SignersUserId` signature subpacket
   - For now, verification of `SignersUserId` is disabled but can be enabled via `Policy.setSignerUserIdValidationLevel()`

From b5ccb23a62680f1af63c557792210275a0102db5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 12:49:30 +0100
Subject: [PATCH 0362/1450] Add documentation for
 KeyRingUtils.removeSecretKey()

---
 .../org/pgpainless/key/util/KeyRingUtils.java  | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 1648d5d8..6be05289 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -292,17 +292,34 @@ public final class KeyRingUtils {
         return newSecretKey;
     }
 
+    /**
+     * Remove the secret key of the subkey identified by the given secret key id from the key ring.
+     * The public part stays attached to the key ring, so that it can still be used for encryption / verification of signatures.
+     *
+     * This method is intended to be used to remove secret primary keys from live keys when those are kept in offline storage.
+     *
+     * @param secretKeys secret key ring
+     * @param secretKeyId id of the secret key to remove
+     * @return secret key ring with removed secret key
+     *
+     * @throws IOException
+     * @throws PGPException
+     */
     public static PGPSecretKeyRing removeSecretKey(PGPSecretKeyRing secretKeys, long secretKeyId)
             throws IOException, PGPException {
         if (secretKeys.getSecretKey(secretKeyId) == null) {
             throw new NoSuchElementException("PGPSecretKeyRing does not contain secret key " + Long.toHexString(secretKeyId));
         }
 
+        // Since BCs constructors for secret key rings are mostly private, we need to encode the key ring how we want it
+        //  and then parse it again.
         ByteArrayOutputStream encoded = new ByteArrayOutputStream();
         for (PGPSecretKey secretKey : secretKeys) {
             if (secretKey.getKeyID() == secretKeyId) {
+                // only encode the public part of the target key
                 secretKey.getPublicKey().encode(encoded);
             } else {
+                // otherwise, encode secret + public key
                 secretKey.encode(encoded);
             }
         }
@@ -310,6 +327,7 @@ public final class KeyRingUtils {
             PGPPublicKey extra = it.next();
             extra.encode(encoded);
         }
+        // Parse the key back into an object
         return new PGPSecretKeyRing(encoded.toByteArray(), ImplementationFactory.getInstance().getKeyFingerprintCalculator());
     }
 }

From 4bae2e74c4d77c295e4073f7dc7fd487aa2e9c1a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 13:05:27 +0100
Subject: [PATCH 0363/1450] Add documentation for further KeyRingUtils methods

---
 .../org/pgpainless/key/util/KeyRingUtils.java | 81 ++++++++++++++++++-
 1 file changed, 78 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 6be05289..327701ad 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -143,24 +143,57 @@ public final class KeyRingUtils {
         return UnlockSecretKey.unlockSecretKey(secretKey, protector);
     }
 
-    /*
-        PGPXxxKeyRing -> PGPXxxKeyRingCollection
-         */
+    /**
+     * Create a new {@link PGPPublicKeyRingCollection} from an array of {@link PGPPublicKeyRing PGPPublicKeyRings}.
+     *
+     * @param rings array of public key rings
+     * @return key ring collection
+     *
+     * @throws IOException in case of an io error
+     * @throws PGPException in case of a broken key
+     */
     public static PGPPublicKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPPublicKeyRing... rings)
             throws IOException, PGPException {
         return new PGPPublicKeyRingCollection(Arrays.asList(rings));
     }
 
+    /**
+     * Create a new {@link PGPSecretKeyRingCollection} from an array of {@link PGPSecretKeyRing PGPSecretKeyRings}.
+     *
+     * @param rings array of secret key rings
+     * @return secret key ring collection
+     *
+     * @throws IOException in case of an io error
+     * @throws PGPException in case of a broken key
+     */
     public static PGPSecretKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPSecretKeyRing... rings)
             throws IOException, PGPException {
         return new PGPSecretKeyRingCollection(Arrays.asList(rings));
     }
 
+    /**
+     * Return true, if the given {@link PGPPublicKeyRing} contains a {@link PGPPublicKey} for the given key id.
+     *
+     * @param ring public key ring
+     * @param keyId id of the key in question
+     * @return true if ring contains said key, false otherwise
+     */
     public static boolean keyRingContainsKeyWithId(@Nonnull PGPPublicKeyRing ring,
                                                    long keyId) {
         return ring.getPublicKey(keyId) != null;
     }
 
+    /**
+     * Inject a key certification into the given key ring.
+     *
+     * @param keyRing key ring
+     * @param certifiedKey signed public key
+     * @param certification key signature
+     * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
+     * @return key ring with injected signature
+     *
+     * @throws NoSuchElementException in case that the signed key is not part of the key ring
+     */
     public static  T injectCertification(T keyRing, PGPPublicKey certifiedKey, PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
@@ -197,6 +230,15 @@ public final class KeyRingUtils {
         }
     }
 
+    /**
+     * Inject a user-id certification into the given key ring.
+     *
+     * @param keyRing key ring
+     * @param userId signed user-id
+     * @param certification signature
+     * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
+     * @return key ring with injected certification
+     */
     public static  T injectCertification(T keyRing, String userId, PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
@@ -226,6 +268,15 @@ public final class KeyRingUtils {
         }
     }
 
+    /**
+     * Inject a user-attribute vector certification into the given key ring.
+     *
+     * @param keyRing key ring
+     * @param userAttributes certified user attributes
+     * @param certification certification signature
+     * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
+     * @return key ring with injected user-attribute certification
+     */
     public static  T injectCertification(T keyRing, PGPUserAttributeSubpacketVector userAttributes, PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
@@ -255,6 +306,17 @@ public final class KeyRingUtils {
         }
     }
 
+    /**
+     * Inject a {@link PGPPublicKey} into the given key ring.
+     *
+     * Note: Right now this method is broken and will throw a {@link NotYetImplementedException}.
+     * TODO: Fix with BC 171
+     *
+     * @param keyRing key ring
+     * @param publicKey public key
+     * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
+     * @return key ring with injected public key
+     */
     public static  T keysPlusPublicKey(T keyRing, PGPPublicKey publicKey) {
         if (true)
             // Is currently broken beyond repair
@@ -281,10 +343,23 @@ public final class KeyRingUtils {
         }
     }
 
+    /**
+     * Inject a {@link PGPSecretKey} into a {@link PGPSecretKeyRing}.
+     *
+     * @param secretKeys secret key ring
+     * @param secretKey secret key
+     * @return secret key ring with injected secret key
+     */
     public static PGPSecretKeyRing keysPlusSecretKey(PGPSecretKeyRing secretKeys, PGPSecretKey secretKey) {
         return PGPSecretKeyRing.insertSecretKey(secretKeys, secretKey);
     }
 
+    /**
+     * Inject the given signature into the public part of the given secret key.
+     * @param secretKey secret key
+     * @param signature signature
+     * @return secret key with the signature injected in its public key
+     */
     public static PGPSecretKey secretKeyPlusSignature(PGPSecretKey secretKey, PGPSignature signature) {
         PGPPublicKey publicKey = secretKey.getPublicKey();
         publicKey = PGPPublicKey.addCertification(publicKey, signature);

From e89e0f216c3cc37826fada4dfe35df756f27ecf7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 13:20:36 +0100
Subject: [PATCH 0364/1450] Annotate KeyRingUtils methods with Nullable and
 Nonnull

---
 .../org/pgpainless/key/util/KeyRingUtils.java | 85 +++++++++++++++----
 1 file changed, 69 insertions(+), 16 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 327701ad..502dbff8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -12,6 +12,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.NoSuchElementException;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyRing;
@@ -43,7 +44,8 @@ public final class KeyRingUtils {
      * @param secretKeys secret keys
      * @return primary secret key
      */
-    public static PGPSecretKey requirePrimarySecretKeyFrom(PGPSecretKeyRing secretKeys) {
+    @Nonnull
+    public static PGPSecretKey requirePrimarySecretKeyFrom(@Nonnull PGPSecretKeyRing secretKeys) {
         PGPSecretKey primarySecretKey = getPrimarySecretKeyFrom(secretKeys);
         if (primarySecretKey == null) {
             throw new NoSuchElementException("Provided PGPSecretKeyRing has no primary secret key.");
@@ -57,7 +59,8 @@ public final class KeyRingUtils {
      * @param secretKeys secret key ring
      * @return primary secret key
      */
-    public static PGPSecretKey getPrimarySecretKeyFrom(PGPSecretKeyRing secretKeys) {
+    @Nullable
+    public static PGPSecretKey getPrimarySecretKeyFrom(@Nonnull PGPSecretKeyRing secretKeys) {
         PGPSecretKey secretKey = secretKeys.getSecretKey();
         if (secretKey.isMasterKey()) {
             return secretKey;
@@ -72,7 +75,8 @@ public final class KeyRingUtils {
      * @param keyRing key ring
      * @return primary public key
      */
-    public static PGPPublicKey requirePrimaryPublicKeyFrom(PGPKeyRing keyRing) {
+    @Nonnull
+    public static PGPPublicKey requirePrimaryPublicKeyFrom(@Nonnull PGPKeyRing keyRing) {
         PGPPublicKey primaryPublicKey = getPrimaryPublicKeyFrom(keyRing);
         if (primaryPublicKey == null) {
             throw new NoSuchElementException("Provided PGPKeyRing has no primary public key.");
@@ -86,7 +90,8 @@ public final class KeyRingUtils {
      * @param keyRing key ring
      * @return primary public key
      */
-    public static PGPPublicKey getPrimaryPublicKeyFrom(PGPKeyRing keyRing) {
+    @Nullable
+    public static PGPPublicKey getPrimaryPublicKeyFrom(@Nonnull PGPKeyRing keyRing) {
         PGPPublicKey primaryPublicKey = keyRing.getPublicKey();
         if (primaryPublicKey.isMasterKey()) {
             return primaryPublicKey;
@@ -94,11 +99,28 @@ public final class KeyRingUtils {
         return null;
     }
 
-    public static PGPPublicKey getPublicKeyFrom(PGPKeyRing keyRing, long subKeyId) {
+    /**
+     * Return the public key with the given subKeyId from the keyRing.
+     * If no such subkey exists, return null.
+     * @param keyRing key ring
+     * @param subKeyId subkey id
+     * @return subkey or null
+     */
+    @Nullable
+    public static PGPPublicKey getPublicKeyFrom(@Nonnull PGPKeyRing keyRing, long subKeyId) {
         return keyRing.getPublicKey(subKeyId);
     }
 
-    public static PGPPublicKey requirePublicKeyFrom(PGPKeyRing keyRing, long subKeyId) {
+    /**
+     * Require the public key with the given subKeyId from the keyRing.
+     * If no such subkey exists, throw an {@link NoSuchElementException}.
+     *
+     * @param keyRing key ring
+     * @param subKeyId subkey id
+     * @return subkey
+     */
+    @Nonnull
+    public static PGPPublicKey requirePublicKeyFrom(@Nonnull PGPKeyRing keyRing, long subKeyId) {
         PGPPublicKey publicKey = getPublicKeyFrom(keyRing, subKeyId);
         if (publicKey == null) {
             throw new NoSuchElementException("KeyRing does not contain public key with keyID " + Long.toHexString(subKeyId));
@@ -106,7 +128,16 @@ public final class KeyRingUtils {
         return publicKey;
     }
 
-    public static PGPSecretKey requireSecretKeyFrom(PGPSecretKeyRing keyRing, long subKeyId) {
+    /**
+     * Require the secret key with the given secret subKeyId from the secret keyRing.
+     * If no such subkey exists, throw an {@link NoSuchElementException}.
+     *
+     * @param keyRing secret key ring
+     * @param subKeyId subkey id
+     * @return secret subkey
+     */
+    @Nonnull
+    public static PGPSecretKey requireSecretKeyFrom(@Nonnull PGPSecretKeyRing keyRing, long subKeyId) {
         PGPSecretKey secretKey = keyRing.getSecretKey(subKeyId);
         if (secretKey == null) {
             throw new NoSuchElementException("KeyRing does not contain secret key with keyID " + Long.toHexString(subKeyId));
@@ -120,7 +151,8 @@ public final class KeyRingUtils {
      * @param secretKeys secret key ring
      * @return public key ring
      */
-    public static PGPPublicKeyRing publicKeyRingFrom(PGPSecretKeyRing secretKeys) {
+    @Nonnull
+    public static PGPPublicKeyRing publicKeyRingFrom(@Nonnull PGPSecretKeyRing secretKeys) {
         List publicKeyList = new ArrayList<>();
         Iterator publicKeyIterator = secretKeys.getPublicKeys();
         while (publicKeyIterator.hasNext()) {
@@ -139,7 +171,9 @@ public final class KeyRingUtils {
      *
      * @throws PGPException if something goes wrong (e.g. wrong passphrase)
      */
-    public static PGPPrivateKey unlockSecretKey(PGPSecretKey secretKey, SecretKeyRingProtector protector) throws PGPException {
+    @Nonnull
+    public static PGPPrivateKey unlockSecretKey(@Nonnull PGPSecretKey secretKey, @Nonnull SecretKeyRingProtector protector)
+            throws PGPException {
         return UnlockSecretKey.unlockSecretKey(secretKey, protector);
     }
 
@@ -152,6 +186,7 @@ public final class KeyRingUtils {
      * @throws IOException in case of an io error
      * @throws PGPException in case of a broken key
      */
+    @Nonnull
     public static PGPPublicKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPPublicKeyRing... rings)
             throws IOException, PGPException {
         return new PGPPublicKeyRingCollection(Arrays.asList(rings));
@@ -166,6 +201,7 @@ public final class KeyRingUtils {
      * @throws IOException in case of an io error
      * @throws PGPException in case of a broken key
      */
+    @Nonnull
     public static PGPSecretKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPSecretKeyRing... rings)
             throws IOException, PGPException {
         return new PGPSecretKeyRingCollection(Arrays.asList(rings));
@@ -194,7 +230,10 @@ public final class KeyRingUtils {
      *
      * @throws NoSuchElementException in case that the signed key is not part of the key ring
      */
-    public static  T injectCertification(T keyRing, PGPPublicKey certifiedKey, PGPSignature certification) {
+    @Nonnull
+    public static  T injectCertification(@Nonnull T keyRing,
+                                                               @Nonnull PGPPublicKey certifiedKey,
+                                                               @Nonnull PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
         if (keyRing instanceof PGPSecretKeyRing) {
@@ -239,7 +278,10 @@ public final class KeyRingUtils {
      * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
      * @return key ring with injected certification
      */
-    public static  T injectCertification(T keyRing, String userId, PGPSignature certification) {
+    @Nonnull
+    public static  T injectCertification(@Nonnull T keyRing,
+                                                               @Nonnull String userId,
+                                                               @Nonnull PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
         if (keyRing instanceof PGPSecretKeyRing) {
@@ -277,7 +319,10 @@ public final class KeyRingUtils {
      * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
      * @return key ring with injected user-attribute certification
      */
-    public static  T injectCertification(T keyRing, PGPUserAttributeSubpacketVector userAttributes, PGPSignature certification) {
+    @Nonnull
+    public static  T injectCertification(@Nonnull T keyRing,
+                                                               @Nonnull PGPUserAttributeSubpacketVector userAttributes,
+                                                               @Nonnull PGPSignature certification) {
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
         if (keyRing instanceof PGPSecretKeyRing) {
@@ -317,7 +362,9 @@ public final class KeyRingUtils {
      * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
      * @return key ring with injected public key
      */
-    public static  T keysPlusPublicKey(T keyRing, PGPPublicKey publicKey) {
+    @Nonnull
+    public static  T keysPlusPublicKey(@Nonnull T keyRing,
+                                                             @Nonnull PGPPublicKey publicKey) {
         if (true)
             // Is currently broken beyond repair
             throw new NotYetImplementedException();
@@ -350,7 +397,9 @@ public final class KeyRingUtils {
      * @param secretKey secret key
      * @return secret key ring with injected secret key
      */
-    public static PGPSecretKeyRing keysPlusSecretKey(PGPSecretKeyRing secretKeys, PGPSecretKey secretKey) {
+    @Nonnull
+    public static PGPSecretKeyRing keysPlusSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
+                                                     @Nonnull PGPSecretKey secretKey) {
         return PGPSecretKeyRing.insertSecretKey(secretKeys, secretKey);
     }
 
@@ -360,7 +409,9 @@ public final class KeyRingUtils {
      * @param signature signature
      * @return secret key with the signature injected in its public key
      */
-    public static PGPSecretKey secretKeyPlusSignature(PGPSecretKey secretKey, PGPSignature signature) {
+    @Nonnull
+    public static PGPSecretKey secretKeyPlusSignature(@Nonnull PGPSecretKey secretKey,
+                                                      @Nonnull PGPSignature signature) {
         PGPPublicKey publicKey = secretKey.getPublicKey();
         publicKey = PGPPublicKey.addCertification(publicKey, signature);
         PGPSecretKey newSecretKey = PGPSecretKey.replacePublicKey(secretKey, publicKey);
@@ -380,7 +431,9 @@ public final class KeyRingUtils {
      * @throws IOException
      * @throws PGPException
      */
-    public static PGPSecretKeyRing removeSecretKey(PGPSecretKeyRing secretKeys, long secretKeyId)
+    @Nonnull
+    public static PGPSecretKeyRing removeSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
+                                                   long secretKeyId)
             throws IOException, PGPException {
         if (secretKeys.getSecretKey(secretKeyId) == null) {
             throw new NoSuchElementException("PGPSecretKeyRing does not contain secret key " + Long.toHexString(secretKeyId));

From 16b0d0730ef726915c6935c9ee84b1c7db7ccf9d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 14:17:35 +0100
Subject: [PATCH 0365/1450] Annotate and document ArmorUtils class

---
 .../java/org/pgpainless/util/ArmorUtils.java  | 465 ++++++++++++++----
 .../org/pgpainless/sop/ExtractCertImpl.java   |   2 +-
 2 files changed, 367 insertions(+), 100 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index a46dd211..8e93ce6d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -31,6 +31,9 @@ import org.bouncycastle.util.io.Streams;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.key.OpenPgpFingerprint;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 public final class ArmorUtils {
 
     // MessageIDs are 32 printable characters
@@ -46,27 +49,79 @@ public final class ArmorUtils {
 
     }
 
-    public static String toAsciiArmoredString(PGPSecretKey secretKey) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPSecretKey}.
+     *
+     * @param secretKey secret key
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPSecretKey secretKey)
+            throws IOException {
         MultiMap header = keyToHeader(secretKey.getPublicKey());
         return toAsciiArmoredString(secretKey.getEncoded(), header);
     }
 
-    public static String toAsciiArmoredString(PGPPublicKey publicKey) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPPublicKey}.
+     *
+     * @param publicKey public key
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPPublicKey publicKey)
+            throws IOException {
         MultiMap header = keyToHeader(publicKey);
         return toAsciiArmoredString(publicKey.getEncoded(), header);
     }
 
-    public static String toAsciiArmoredString(PGPSecretKeyRing secretKeys) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPSecretKeyRing}.
+     *
+     * @param secretKeys secret key ring
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPSecretKeyRing secretKeys)
+            throws IOException {
         MultiMap header = keysToHeader(secretKeys);
         return toAsciiArmoredString(secretKeys.getEncoded(), header);
     }
 
-    public static String toAsciiArmoredString(PGPPublicKeyRing publicKeys) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPPublicKeyRing}.
+     *
+     * @param publicKeys public key ring
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPPublicKeyRing publicKeys)
+            throws IOException {
         MultiMap header = keysToHeader(publicKeys);
         return toAsciiArmoredString(publicKeys.getEncoded(), header);
     }
 
-    public static String toAsciiArmoredString(PGPSecretKeyRingCollection secretKeyRings) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPSecretKeyRingCollection}.
+     * The encoding will use per-key ASCII armors protecting each {@link PGPSecretKeyRing} individually.
+     * Those armors are then concatenated with newlines in between.
+     *
+     * @param secretKeyRings secret key ring collection
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPSecretKeyRingCollection secretKeyRings)
+            throws IOException {
         StringBuilder sb = new StringBuilder();
         for (Iterator iterator = secretKeyRings.iterator(); iterator.hasNext(); ) {
             PGPSecretKeyRing secretKeyRing = iterator.next();
@@ -78,24 +133,19 @@ public final class ArmorUtils {
         return sb.toString();
     }
 
-    public static ArmoredOutputStream toAsciiArmoredStream(PGPKeyRing keyRing, OutputStream outputStream) {
-        MultiMap header = keysToHeader(keyRing);
-        return toAsciiArmoredStream(outputStream, header);
-    }
-
-    public static ArmoredOutputStream toAsciiArmoredStream(OutputStream outputStream, MultiMap header) {
-        ArmoredOutputStream armoredOutputStream = ArmoredOutputStreamFactory.get(outputStream);
-        if (header != null) {
-            for (String headerKey : header.keySet()) {
-                for (String headerValue : header.get(headerKey)) {
-                    armoredOutputStream.addHeader(headerKey, headerValue);
-                }
-            }
-        }
-        return armoredOutputStream;
-    }
-
-    public static String toAsciiArmoredString(PGPPublicKeyRingCollection publicKeyRings) throws IOException {
+    /**
+     * Return the ASCII armored encoding of the given {@link PGPPublicKeyRingCollection}.
+     * The encoding will use per-key ASCII armors protecting each {@link PGPPublicKeyRing} individually.
+     * Those armors are then concatenated with newlines in between.
+     *
+     * @param publicKeyRings public key ring collection
+     * @return ascii armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPPublicKeyRingCollection publicKeyRings)
+            throws IOException {
         StringBuilder sb = new StringBuilder();
         for (Iterator iterator = publicKeyRings.iterator(); iterator.hasNext(); ) {
             PGPPublicKeyRing publicKeyRing = iterator.next();
@@ -107,7 +157,204 @@ public final class ArmorUtils {
         return sb.toString();
     }
 
-    private static Tuple getPrimaryUserIdAndUserIdCount(PGPPublicKey publicKey) {
+    /**
+     * Return the ASCII armored encoding of the given OpenPGP data bytes.
+     *
+     * @param bytes openpgp data
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull byte[] bytes)
+            throws IOException {
+        return toAsciiArmoredString(bytes, null);
+    }
+
+    /**
+     * Return the ASCII armored encoding of the given OpenPGP data bytes.
+     * The ASCII armor will include headers from the header map.
+     *
+     * @param bytes OpenPGP data
+     * @param additionalHeaderValues header map
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull byte[] bytes,
+                                              @Nullable MultiMap additionalHeaderValues)
+            throws IOException {
+        return toAsciiArmoredString(new ByteArrayInputStream(bytes), additionalHeaderValues);
+    }
+
+    /**
+     * Return the ASCII armored encoding of the {@link InputStream} containing OpenPGP data.
+     *
+     * @param inputStream input stream of OpenPGP data
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull InputStream inputStream)
+            throws IOException {
+        return toAsciiArmoredString(inputStream, null);
+    }
+
+    /**
+     * Return the ASCII armored encoding of the OpenPGP data from the given {@link InputStream}.
+     * The ASCII armor will include armor headers from the given header map.
+     *
+     * @param inputStream input stream of OpenPGP data
+     * @param additionalHeaderValues ASCII armor header map
+     * @return ASCII armored encoding
+     *
+     * @throws IOException in case of an io error
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull InputStream inputStream,
+                                              @Nullable MultiMap additionalHeaderValues)
+            throws IOException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        ArmoredOutputStream armor = toAsciiArmoredStream(out, additionalHeaderValues);
+        Streams.pipeAll(inputStream, armor);
+        armor.close();
+
+        return out.toString();
+    }
+
+    /**
+     * Return an {@link ArmoredOutputStream} prepared with headers for the given key ring, which wraps the given
+     * {@link OutputStream}.
+     *
+     * The armored output stream can be used to encode the key ring by calling {@link PGPKeyRing#encode(OutputStream)}
+     * with the armored output stream as an argument.
+     *
+     * @param keyRing key ring
+     * @param outputStream wrapped output stream
+     * @return armored output stream
+     */
+    @Nonnull
+    public static ArmoredOutputStream toAsciiArmoredStream(@Nonnull PGPKeyRing keyRing,
+                                                           @Nonnull OutputStream outputStream) {
+        MultiMap header = keysToHeader(keyRing);
+        return toAsciiArmoredStream(outputStream, header);
+    }
+
+    /**
+     * Create an {@link ArmoredOutputStream} wrapping the given {@link OutputStream}.
+     * The armored output stream will be prepared with armor headers given by header.
+     *
+     * Note: Since the armored output stream is retrieved from {@link ArmoredOutputStreamFactory#get(OutputStream)},
+     * it may already come with custom headers. Hence, the header entries given by header are appended below those
+     * already populated headers.
+     *
+     * @param outputStream output stream to wrap
+     * @param header map of header entries
+     * @return armored output stream
+     */
+    @Nonnull
+    public static ArmoredOutputStream toAsciiArmoredStream(@Nonnull OutputStream outputStream,
+                                                           @Nullable MultiMap header) {
+        ArmoredOutputStream armoredOutputStream = ArmoredOutputStreamFactory.get(outputStream);
+        if (header != null) {
+            for (String headerKey : header.keySet()) {
+                for (String headerValue : header.get(headerKey)) {
+                    armoredOutputStream.addHeader(headerKey, headerValue);
+                }
+            }
+        }
+        return armoredOutputStream;
+    }
+
+    /**
+     * Return an {@link ArmoredOutputStream} prepared with headers for the given key ring, which wraps the given
+     * {@link OutputStream}.
+     *
+     * The armored output stream can be used to encode the key ring by calling {@link PGPKeyRing#encode(OutputStream)}
+     * with the armored output stream as an argument.
+     *
+     * @param keyRing key ring
+     * @param outputStream wrapped output stream
+     * @return armored output stream
+     *
+     * @deprecated use {@link #toAsciiArmoredStream(PGPKeyRing, OutputStream)} instead
+     */
+    @Deprecated
+    @Nonnull
+    public static ArmoredOutputStream createArmoredOutputStreamFor(@Nonnull PGPKeyRing keyRing,
+                                                                   @Nonnull OutputStream outputStream) {
+        return toAsciiArmoredStream(keyRing, outputStream);
+    }
+
+    /**
+     * Generate a header map for ASCII armor from the given {@link PGPKeyRing}.
+     *
+     * @param keyRing key ring
+     * @return header map
+     */
+    @Nonnull
+    private static MultiMap keysToHeader(@Nonnull PGPKeyRing keyRing) {
+        PGPPublicKey publicKey = keyRing.getPublicKey();
+        return keyToHeader(publicKey);
+    }
+
+    /**
+     * Generate a header map for ASCII armor from the given {@link PGPPublicKey}.
+     * The header map consists of a comment field of the keys pretty-printed fingerprint,
+     * as well as some optional user-id information (see {@link #setUserIdInfoOnHeader(MultiMap, PGPPublicKey)}.
+     *
+     * @param publicKey public key
+     * @return header map
+     */
+    @Nonnull
+    private static MultiMap keyToHeader(@Nonnull PGPPublicKey publicKey) {
+        MultiMap header = new MultiMap<>();
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
+
+        header.put(HEADER_COMMENT, fingerprint.prettyPrint());
+        setUserIdInfoOnHeader(header, publicKey);
+        return header;
+    }
+
+    /**
+     * Add user-id information to the header map.
+     * If the key is carrying at least one user-id, we add a comment for the probable primary user-id.
+     * If the key carries more than one user-id, we further add a comment stating how many further identities
+     * the key has.
+     *
+     * @param header header map
+     * @param publicKey public key
+     */
+    private static void setUserIdInfoOnHeader(@Nonnull MultiMap header,
+                                              @Nonnull PGPPublicKey publicKey) {
+        Tuple idCount = getPrimaryUserIdAndUserIdCount(publicKey);
+        String primary = idCount.getA();
+        int totalCount = idCount.getB();
+        if (primary != null) {
+            header.put(HEADER_COMMENT, primary);
+        }
+        if (totalCount == 2) {
+            header.put(HEADER_COMMENT, "1 further identity");
+        } else if (totalCount > 2) {
+            header.put(HEADER_COMMENT, String.format("%d further identities", totalCount - 1));
+        }
+    }
+
+    /**
+     * Determine a probable primary user-id, as well as the total number of user-ids on the given {@link PGPPublicKey}.
+     * This method is trimmed for efficiency and does not do any cryptographic validation of signatures.
+     *
+     * The key might not have any user-id at all, in which case {@link Tuple#getA()} will return null.
+     * The key might have some user-ids, but none of it marked as primary, in which case {@link Tuple#getA()}
+     * will return the first user-id of the key.
+     *
+     * @param publicKey public key
+     * @return tuple consisting of a primary user-id candidate, and the total number of user-ids on the key.
+     */
+    @Nonnull
+    private static Tuple getPrimaryUserIdAndUserIdCount(@Nonnull PGPPublicKey publicKey) {
         // Quickly determine the primary user-id + number of total user-ids
         // NOTE: THIS METHOD DOES NOT CRYPTOGRAPHICALLY VERIFY THE SIGNATURES
         // DO NOT RELY ON IT!
@@ -140,98 +387,93 @@ public final class ArmorUtils {
         return new Tuple<>(printed, countIdentities);
     }
 
-    private static MultiMap keyToHeader(PGPPublicKey publicKey) {
-        MultiMap header = new MultiMap<>();
-        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
-
-        header.put(HEADER_COMMENT, fingerprint.prettyPrint());
-        setUserIdInfoOnHeader(header, publicKey);
-        return header;
-    }
-
-    private static void setUserIdInfoOnHeader(MultiMap header, PGPPublicKey publicKey) {
-        Tuple idCount = getPrimaryUserIdAndUserIdCount(publicKey);
-        String primary = idCount.getA();
-        int totalCount = idCount.getB();
-        if (primary != null) {
-            header.put(HEADER_COMMENT, primary);
-        }
-        if (totalCount == 2) {
-            header.put(HEADER_COMMENT, "1 further identity");
-        } else if (totalCount > 2) {
-            header.put(HEADER_COMMENT, String.format("%d further identities", totalCount - 1));
-        }
-    }
-
-    private static MultiMap keysToHeader(PGPKeyRing keyRing) {
-        PGPPublicKey publicKey = keyRing.getPublicKey();
-        return keyToHeader(publicKey);
-    }
-
-    public static String toAsciiArmoredString(byte[] bytes) throws IOException {
-        return toAsciiArmoredString(bytes, null);
-    }
-
-    public static String toAsciiArmoredString(byte[] bytes, MultiMap additionalHeaderValues) throws IOException {
-        return toAsciiArmoredString(new ByteArrayInputStream(bytes), additionalHeaderValues);
-    }
-
-    public static String toAsciiArmoredString(InputStream inputStream) throws IOException {
-        return toAsciiArmoredString(inputStream, null);
-    }
-
-    public static void addHashAlgorithmHeader(ArmoredOutputStream armor, HashAlgorithm hashAlgorithm) {
+    /**
+     * Add an ASCII armor header entry about the used hash algorithm into the {@link ArmoredOutputStream}.
+     *
+     * @param armor armored output stream
+     * @param hashAlgorithm hash algorithm
+     *
+     * @see 
+     *     RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor
+     */
+    public static void addHashAlgorithmHeader(@Nonnull ArmoredOutputStream armor,
+                                              @Nonnull HashAlgorithm hashAlgorithm) {
         armor.addHeader(HEADER_HASH, hashAlgorithm.getAlgorithmName());
     }
 
-    public static void addCommentHeader(ArmoredOutputStream armor, String comment) {
+    /**
+     * Add an ASCII armor comment header entry into the {@link ArmoredOutputStream}.
+     *
+     * @param armor armored output stream
+     * @param comment free-text comment
+     *
+     * @see 
+     *     RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor
+     */
+    public static void addCommentHeader(@Nonnull ArmoredOutputStream armor,
+                                        @Nonnull String comment) {
         armor.addHeader(HEADER_COMMENT, comment);
     }
 
-    public static void addMessageIdHeader(ArmoredOutputStream armor, String messageId) {
-        if (messageId == null) {
-            throw new NullPointerException("MessageID cannot be null.");
-        }
+    /**
+     * Add an ASCII armor message-id header entry into the {@link ArmoredOutputStream}.
+     *
+     * @param armor armored output stream
+     * @param messageId message id
+     *
+     * @see 
+     *     RFC 4880 - OpenPGP Message Format §6.2. Forming ASCII Armor
+     */
+    public static void addMessageIdHeader(@Nonnull ArmoredOutputStream armor,
+                                          @Nonnull String messageId) {
         if (!PATTERN_MESSAGE_ID.matcher(messageId).matches()) {
             throw new IllegalArgumentException("MessageIDs MUST consist of 32 printable characters.");
         }
         armor.addHeader(HEADER_MESSAGEID, messageId);
     }
 
-    public static String toAsciiArmoredString(InputStream inputStream, MultiMap additionalHeaderValues) throws IOException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        ArmoredOutputStream armor = toAsciiArmoredStream(out, additionalHeaderValues);
-        Streams.pipeAll(inputStream, armor);
-        armor.close();
-
-        return out.toString();
-    }
-
-    public static ArmoredOutputStream createArmoredOutputStreamFor(PGPKeyRing keyRing, OutputStream outputStream) {
-        ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(outputStream);
-        MultiMap headerMap = keysToHeader(keyRing);
-        for (String header : headerMap.keySet()) {
-            for (String value : headerMap.get(header)) {
-                armor.addHeader(header, value);
-            }
-        }
-
-        return armor;
-    }
-
-    public static List getCommentHeaderValues(ArmoredInputStream armor) {
+    /**
+     * Extract all ASCII armor header values of type comment from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of comment headers
+     */
+    @Nonnull
+    public static List getCommentHeaderValues(@Nonnull ArmoredInputStream armor) {
         return getArmorHeaderValues(armor, HEADER_COMMENT);
     }
 
-    public static List getMessageIdHeaderValues(ArmoredInputStream armor) {
+    /**
+     * Extract all ASCII armor header values of type message id from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of message-id headers
+     */
+    @Nonnull
+    public static List getMessageIdHeaderValues(@Nonnull ArmoredInputStream armor) {
         return getArmorHeaderValues(armor, HEADER_MESSAGEID);
     }
 
-    public static List getHashHeaderValues(ArmoredInputStream armor) {
+    /**
+     * Return all ASCII armor header values of type hash-algorithm from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of hash headers
+     */
+    @Nonnull
+    public static List getHashHeaderValues(@Nonnull ArmoredInputStream armor) {
         return getArmorHeaderValues(armor, HEADER_HASH);
     }
 
-    public static List getHashAlgorithms(ArmoredInputStream armor) {
+    /**
+     * Return a list of {@link HashAlgorithm} enums extracted from the hash header entries of the given
+     * {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of hash algorithms from the ASCII header
+     */
+    @Nonnull
+    public static List getHashAlgorithms(@Nonnull ArmoredInputStream armor) {
         List algorithmNames = getHashHeaderValues(armor);
         List algorithms = new ArrayList<>();
         for (String name : algorithmNames) {
@@ -243,15 +485,38 @@ public final class ArmorUtils {
         return algorithms;
     }
 
-    public static List getVersionHeaderValues(ArmoredInputStream armor) {
+    /**
+     * Return all ASCII armor header values of type version from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of version headers
+     */
+    @Nonnull
+    public static List getVersionHeaderValues(@Nonnull ArmoredInputStream armor) {
         return getArmorHeaderValues(armor, HEADER_VERSION);
     }
 
-    public static List getCharsetHeaderValues(ArmoredInputStream armor) {
+    /**
+     * Return all ASCII armor header values of type charset from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @return list of charset headers
+     */
+    @Nonnull
+    public static List getCharsetHeaderValues(@Nonnull ArmoredInputStream armor) {
         return getArmorHeaderValues(armor, HEADER_CHARSET);
     }
 
-    public static List getArmorHeaderValues(ArmoredInputStream armor, String headerKey) {
+    /**
+     * Return all ASCII armor header values of the given headerKey from the given {@link ArmoredInputStream}.
+     *
+     * @param armor armored input stream
+     * @param headerKey ASCII armor header key
+     * @return list of values for the header key
+     */
+    @Nonnull
+    public static List getArmorHeaderValues(@Nonnull ArmoredInputStream armor,
+                                                    @Nonnull String headerKey) {
         String[] header = armor.getArmorHeaders();
         String key = headerKey + ": ";
         List values = new ArrayList<>();
@@ -278,7 +543,9 @@ public final class ArmorUtils {
      * @param inputStream input stream
      * @return BufferedInputStreamExt
      */
-    public static InputStream getDecoderStream(InputStream inputStream) throws IOException {
+    @Nonnull
+    public static InputStream getDecoderStream(@Nonnull InputStream inputStream)
+            throws IOException {
         BufferedInputStream buf = new BufferedInputStream(inputStream, 512);
         InputStream decoderStream = PGPUtilWrapper.getDecoderStream(buf);
         // Data is not armored -> return
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
index 6c3c825f..5f694208 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
@@ -54,7 +54,7 @@ public class ExtractCertImpl implements ExtractCert {
             public void writeTo(OutputStream outputStream) throws IOException {
 
                 for (PGPPublicKeyRing cert : certs) {
-                    OutputStream out = armor ? ArmorUtils.createArmoredOutputStreamFor(cert, outputStream) : outputStream;
+                    OutputStream out = armor ? ArmorUtils.toAsciiArmoredStream(cert, outputStream) : outputStream;
                     cert.encode(out);
 
                     if (armor) {

From e8b03834cb325fe30013cdaea7c4edda9b0b8342 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Mar 2022 15:09:09 +0100
Subject: [PATCH 0366/1450] Annotate fromId(code) methods with Nullable and add
 Nonnull requireFromId(code) methods

---
 .../algorithm/CompressionAlgorithm.java       | 22 ++++++++++++
 .../org/pgpainless/algorithm/Feature.java     | 35 +++++++++++++++++++
 .../pgpainless/algorithm/HashAlgorithm.java   | 23 ++++++++++++
 .../algorithm/PublicKeyAlgorithm.java         | 24 ++++++++++++-
 .../algorithm/SignatureSubpacket.java         | 28 +++++++++++++--
 .../pgpainless/algorithm/SignatureType.java   |  3 ++
 .../pgpainless/algorithm/StreamEncoding.java  | 24 +++++++++++++
 .../algorithm/SymmetricKeyAlgorithm.java      | 23 ++++++++++++
 .../DecryptionStreamFactory.java              | 13 ++++---
 .../encryption_signing/SigningOptions.java    |  2 +-
 .../BcImplementationFactory.java              |  2 +-
 .../java/org/pgpainless/key/info/KeyInfo.java |  2 +-
 .../org/pgpainless/key/info/KeyRingInfo.java  |  3 +-
 .../secretkeyring/SecretKeyRingEditor.java    |  6 ++--
 .../key/util/OpenPgpKeyAttributeUtil.java     |  5 ++-
 .../PublicKeyParameterValidationUtil.java     |  4 +--
 .../java/org/pgpainless/policy/Policy.java    | 35 +++++++++++++++----
 .../consumer/SignatureValidator.java          | 22 +++++++-----
 .../subpackets/SignatureSubpacketsHelper.java |  6 ++--
 .../subpackets/SignatureSubpacketsUtil.java   | 15 ++++++--
 .../java/org/pgpainless/util/SessionKey.java  |  2 +-
 .../org/pgpainless/algorithm/FeatureTest.java | 17 +++++++++
 .../signature/SignatureStructureTest.java     |  2 +-
 .../java/org/pgpainless/sop/DecryptImpl.java  |  2 +-
 24 files changed, 278 insertions(+), 42 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java
index b1f11185..a2e78c5f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CompressionAlgorithm.java
@@ -5,10 +5,14 @@
 package org.pgpainless.algorithm;
 
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.bcpg.CompressionAlgorithmTags;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * Enumeration of possible compression algorithms.
  *
@@ -37,10 +41,28 @@ public enum CompressionAlgorithm {
      * @param id id
      * @return compression algorithm
      */
+    @Nullable
     public static CompressionAlgorithm fromId(int id) {
         return MAP.get(id);
     }
 
+    /**
+     * Return the {@link CompressionAlgorithm} value that corresponds to the provided numerical id.
+     * If an invalid id is provided, thrown an {@link NoSuchElementException}.
+     *
+     * @param id id
+     * @return compression algorithm
+     * @throws NoSuchElementException in case of an unmapped id
+     */
+    @Nonnull
+    public static CompressionAlgorithm requireFromId(int id) {
+        CompressionAlgorithm algorithm = fromId(id);
+        if (algorithm == null) {
+            throw new NoSuchElementException("No CompressionAlgorithm found for id " + id);
+        }
+        return algorithm;
+    }
+
     private final int algorithmId;
 
     CompressionAlgorithm(int id) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
index 9ec7e362..52de27bf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
@@ -7,10 +7,14 @@ package org.pgpainless.algorithm;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.bcpg.sig.Features;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * An enumeration of features that may be set in the {@link Features} subpacket.
  *
@@ -60,16 +64,46 @@ public enum Feature {
         }
     }
 
+    /**
+     * Return the {@link Feature} encoded by the given id.
+     * If the id does not match any known features, return null.
+     *
+     * @param id feature id
+     * @return feature
+     */
+    @Nullable
     public static Feature fromId(byte id) {
         return MAP.get(id);
     }
 
+    /**
+     * Return the {@link Feature} encoded by the given id.
+     * If the id does not match any known features, throw an {@link NoSuchElementException}.
+     *
+     * @param id feature id
+     * @return feature
+     * @throws NoSuchElementException if an unmatched feature id is encountered
+     */
+    @Nonnull
+    public static Feature requireFromId(byte id) {
+        Feature feature = fromId(id);
+        if (feature == null) {
+            throw new NoSuchElementException("Unknown feature id encountered: " + id);
+        }
+        return feature;
+    }
+
     private final byte featureId;
 
     Feature(byte featureId) {
         this.featureId = featureId;
     }
 
+    /**
+     * Return the id of the feature.
+     *
+     * @return feature id
+     */
     public byte getFeatureId() {
         return featureId;
     }
@@ -80,6 +114,7 @@ public enum Feature {
      * @param bitmask bitmask
      * @return list of key flags encoded by the bitmask
      */
+    @Nonnull
     public static List fromBitmask(int bitmask) {
         List features = new ArrayList<>();
         for (Feature f : Feature.values()) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
index b8c97d7e..bcd69cc0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
@@ -6,9 +6,13 @@ package org.pgpainless.algorithm;
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.NoSuchElementException;
 
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * An enumeration of different hashing algorithms.
  *
@@ -42,10 +46,28 @@ public enum HashAlgorithm {
      * @param id numeric id
      * @return enum value
      */
+    @Nullable
     public static HashAlgorithm fromId(int id) {
         return ID_MAP.get(id);
     }
 
+    /**
+     * Return the  {@link HashAlgorithm} value that corresponds to the provided algorithm id.
+     * If an invalid algorithm id was provided, throw a {@link NoSuchElementException}.
+     *
+     * @param id algorithm id
+     * @return enum value
+     * @throws NoSuchElementException in case of an unknown algorithm id
+     */
+    @Nonnull
+    public static HashAlgorithm requireFromId(int id) {
+        HashAlgorithm algorithm = fromId(id);
+        if (algorithm == null) {
+            throw new NoSuchElementException("No HashAlgorithm found for id " + id);
+        }
+        return algorithm;
+    }
+
     /**
      * Return the {@link HashAlgorithm} value that corresponds to the provided name.
      * If an invalid algorithm name was provided, null is returned.
@@ -56,6 +78,7 @@ public enum HashAlgorithm {
      * @param name text name
      * @return enum value
      */
+    @Nullable
     public static HashAlgorithm fromName(String name) {
         return NAME_MAP.get(name);
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
index fcb1801c..baa8f92e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
@@ -5,10 +5,14 @@
 package org.pgpainless.algorithm;
 
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * Enumeration of public key algorithms as defined in RFC4880.
  *
@@ -96,12 +100,30 @@ public enum PublicKeyAlgorithm {
      * If an invalid id is provided, null is returned.
      *
      * @param id numeric algorithm id
-     * @return algorithm
+     * @return algorithm or null
      */
+    @Nullable
     public static PublicKeyAlgorithm fromId(int id) {
         return MAP.get(id);
     }
 
+    /**
+     * Return the {@link PublicKeyAlgorithm} that corresponds to the provided algorithm id.
+     * If an invalid id is provided, throw a {@link NoSuchElementException}.
+     *
+     * @param id numeric algorithm id
+     * @return algorithm
+     * @throws NoSuchElementException in case of an unmatched algorithm id
+     */
+    @Nonnull
+    public static PublicKeyAlgorithm requireFromId(int id) {
+        PublicKeyAlgorithm algorithm = fromId(id);
+        if (algorithm == null) {
+            throw new NoSuchElementException("No PublicKeyAlgorithm found for id " + id);
+        }
+        return algorithm;
+    }
+
     private final int algorithmId;
     private final boolean signingCapable;
     private final boolean encryptionCapable;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java
index e3a754ae..9429f0c6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureSubpacket.java
@@ -4,6 +4,9 @@
 
 package org.pgpainless.algorithm;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 import static org.bouncycastle.bcpg.SignatureSubpacketTags.ATTESTED_CERTIFICATIONS;
 import static org.bouncycastle.bcpg.SignatureSubpacketTags.CREATION_TIME;
 import static org.bouncycastle.bcpg.SignatureSubpacketTags.EMBEDDED_SIGNATURE;
@@ -36,6 +39,7 @@ import static org.bouncycastle.bcpg.SignatureSubpacketTags.TRUST_SIG;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 /**
@@ -412,14 +416,28 @@ public enum SignatureSubpacket {
 
     /**
      * Return the {@link SignatureSubpacket} that corresponds to the provided id.
+     * If an unmatched code is presented, return null.
      *
      * @param code id
      * @return signature subpacket
      */
+    @Nullable
     public static SignatureSubpacket fromCode(int code) {
-        SignatureSubpacket tag = MAP.get(code);
+        return MAP.get(code);
+    }
+
+    /**
+     * Return the {@link SignatureSubpacket} that corresponds to the provided code.
+     *
+     * @param code code
+     * @return signature subpacket
+     * @throws NoSuchElementException in case of an unmatched subpacket tag
+     */
+    @Nonnull
+    public static SignatureSubpacket requireFromCode(int code) {
+        SignatureSubpacket tag = fromCode(code);
         if (tag == null) {
-            throw new IllegalArgumentException("No SignatureSubpacket tag found with code " + code);
+            throw new NoSuchElementException("No SignatureSubpacket tag found with code " + code);
         }
         return tag;
     }
@@ -433,7 +451,11 @@ public enum SignatureSubpacket {
     public static List fromCodes(int[] codes) {
         List tags = new ArrayList<>();
         for (int code : codes) {
-            tags.add(fromCode(code));
+            try {
+                tags.add(requireFromCode(code));
+            } catch (NoSuchElementException e) {
+                // skip
+            }
         }
         return tags;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java
index a31dd31a..c2f02989 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SignatureType.java
@@ -6,6 +6,7 @@ package org.pgpainless.algorithm;
 
 import org.bouncycastle.openpgp.PGPSignature;
 
+import javax.annotation.Nonnull;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -167,7 +168,9 @@ public enum SignatureType {
      *
      * @param code numeric id
      * @return signature type enum
+     * @throws IllegalArgumentException in case of an unmatched signature type code
      */
+    @Nonnull
     public static SignatureType valueOf(int code) {
         SignatureType type = map.get(code);
         if (type != null) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
index d47304f6..ad3de600 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
@@ -5,10 +5,14 @@
 package org.pgpainless.algorithm;
 
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.openpgp.PGPLiteralData;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * Enumeration of possible encoding formats of the content of the literal data packet.
  *
@@ -78,11 +82,31 @@ public enum StreamEncoding {
 
     /**
      * Return the {@link StreamEncoding} corresponding to the provided code identifier.
+     * If no matching encoding is found, return null.
      *
      * @param code identifier
      * @return encoding enum
      */
+    @Nullable
     public static StreamEncoding fromCode(int code) {
         return MAP.get((char) code);
     }
+
+    /**
+     * Return the {@link StreamEncoding} corresponding to the provided code identifier.
+     * If no matching encoding is found, throw a {@link NoSuchElementException}.
+     *
+     * @param code identifier
+     * @return encoding enum
+     *
+     * @throws NoSuchElementException in case of an unmatched identifier
+     */
+    @Nonnull
+    public static StreamEncoding requireFromCode(int code) {
+        StreamEncoding encoding = fromCode(code);
+        if (encoding == null) {
+            throw new NoSuchElementException("No StreamEncoding found for code " + code);
+        }
+        return encoding;
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java
index dcbf34cf..e04f21a5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/SymmetricKeyAlgorithm.java
@@ -5,10 +5,14 @@
 package org.pgpainless.algorithm;
 
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * Enumeration of possible symmetric encryption algorithms.
  *
@@ -106,10 +110,29 @@ public enum SymmetricKeyAlgorithm {
      * @param id numeric algorithm id
      * @return symmetric key algorithm enum
      */
+    @Nullable
     public static SymmetricKeyAlgorithm fromId(int id) {
         return MAP.get(id);
     }
 
+    /**
+     * Return the {@link SymmetricKeyAlgorithm} enum that corresponds to the provided numeric id.
+     * If an invalid id is provided, throw a {@link NoSuchElementException}.
+     *
+     * @param id numeric algorithm id
+     * @return symmetric key algorithm enum
+     *
+     * @throws NoSuchElementException if an unmatched id is provided
+     */
+    @Nonnull
+    public static SymmetricKeyAlgorithm requireFromId(int id) {
+        SymmetricKeyAlgorithm algorithm = fromId(id);
+        if (algorithm == null) {
+            throw new NoSuchElementException("No SymmetricKeyAlgorithm found for id " + id);
+        }
+        return algorithm;
+    }
+
     private final int algorithmId;
 
     SymmetricKeyAlgorithm(int algorithmId) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index fbdd6229..d552ead8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -14,6 +14,7 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -310,9 +311,13 @@ public final class DecryptionStreamFactory {
 
     private InputStream processPGPCompressedData(PGPCompressedData pgpCompressedData, int depth)
             throws PGPException, IOException {
-        CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.fromId(pgpCompressedData.getAlgorithm());
-        LOGGER.debug("Depth {}: Encountered PGPCompressedData: {}", depth, compressionAlgorithm);
-        resultBuilder.setCompressionAlgorithm(compressionAlgorithm);
+        try {
+            CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.requireFromId(pgpCompressedData.getAlgorithm());
+            LOGGER.debug("Depth {}: Encountered PGPCompressedData: {}", depth, compressionAlgorithm);
+            resultBuilder.setCompressionAlgorithm(compressionAlgorithm);
+        } catch (NoSuchElementException e) {
+            throw new PGPException("Unknown compression algorithm encountered.", e);
+        }
 
         InputStream inflatedDataStream = pgpCompressedData.getDataStream();
         InputStream decodedDataStream = PGPUtil.getDecoderStream(inflatedDataStream);
@@ -340,7 +345,7 @@ public final class DecryptionStreamFactory {
 
         resultBuilder.setFileName(pgpLiteralData.getFileName())
                 .setModificationDate(pgpLiteralData.getModificationTime())
-                .setFileEncoding(StreamEncoding.fromCode(pgpLiteralData.getFormat()));
+                .setFileEncoding(StreamEncoding.requireFromCode(pgpLiteralData.getFormat()));
 
         if (onePassSignatureChecks.isEmpty() && onePassSignaturesWithMissingCert.isEmpty()) {
             LOGGER.debug("No OnePassSignatures found -> We are done");
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index ab3898dc..0db93407 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -320,7 +320,7 @@ public final class SigningOptions {
             throws PGPException {
         SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID());
         PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID());
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(signingSecretKey.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(signingSecretKey.getPublicKey().getAlgorithm());
         int bitStrength = secretKey.getPublicKey().getBitStrength();
         if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
             throw new IllegalArgumentException("Public key algorithm policy violation: " +
diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
index 67cc6881..c8e20521 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
@@ -58,7 +58,7 @@ public class BcImplementationFactory extends ImplementationFactory {
         int keyEncryptionAlgorithm = secretKey.getKeyEncryptionAlgorithm();
 
         if (secretKey.getS2K() == null) {
-            return getPBESecretKeyEncryptor(SymmetricKeyAlgorithm.fromId(keyEncryptionAlgorithm), passphrase);
+            return getPBESecretKeyEncryptor(SymmetricKeyAlgorithm.requireFromId(keyEncryptionAlgorithm), passphrase);
         }
 
         int hashAlgorithm = secretKey.getS2K().getHashAlgorithm();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
index a37eda24..d1a5f748 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
@@ -65,7 +65,7 @@ public class KeyInfo {
     }
 
     public static String getCurveName(PGPPublicKey publicKey) {
-        PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm());
+        PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(publicKey.getAlgorithm());
         ECPublicBCPGKey key;
         switch (algorithm) {
             case ECDSA: {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 971d5a8e..f1611aff 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -567,8 +567,9 @@ public class KeyRingInfo {
      *
      * @return public key algorithm
      */
+    @Nonnull
     public PublicKeyAlgorithm getAlgorithm() {
-        return PublicKeyAlgorithm.fromId(getPublicKey().getAlgorithm());
+        return PublicKeyAlgorithm.requireFromId(getPublicKey().getAlgorithm());
     }
 
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 7eb5a92f..f5a5292c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -272,11 +272,11 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             KeyFlag... additionalKeyFlags)
             throws PGPException, IOException, NoSuchAlgorithmException {
         KeyFlag[] flags = concat(keyFlag, additionalKeyFlags);
-        PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.requireFromId(subkey.getPublicKey().getAlgorithm());
         SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm);
 
         // check key against public key algorithm policy
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(subkey.getPublicKey().getAlgorithm());
         int bitStrength = subkey.getPublicKey().getBitStrength();
         if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
             throw new IllegalArgumentException("Public key algorithm policy violation: " +
@@ -285,7 +285,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
 
         PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
-        PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.fromId(primaryKey.getPublicKey().getAlgorithm());
+        PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.requireFromId(primaryKey.getPublicKey().getAlgorithm());
         HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator
                 .negotiateSignatureHashAlgorithm(PGPainless.getPolicy())
                 .negotiateHashAlgorithm(info.getPreferredHashAlgorithms());
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java
index a775bc08..e97a2d7a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/OpenPgpKeyAttributeUtil.java
@@ -42,7 +42,10 @@ public final class OpenPgpKeyAttributeUtil {
                     continue;
                 }
                 for (int h : hashAlgos) {
-                    hashAlgorithms.add(HashAlgorithm.fromId(h));
+                    HashAlgorithm algorithm = HashAlgorithm.fromId(h);
+                    if (algorithm != null) {
+                        hashAlgorithms.add(algorithm);
+                    }
                 }
                 // Exit the loop after the first key signature with hash algorithms.
                 break;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index 5ee8135b..fbddb080 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -42,7 +42,7 @@ public class PublicKeyParameterValidationUtil {
 
     public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey)
             throws KeyIntegrityException {
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(publicKey.getAlgorithm());
         boolean valid = true;
 
         // Algorithm specific validations
@@ -97,7 +97,7 @@ public class PublicKeyParameterValidationUtil {
      */
     private static boolean verifyCanSign(PGPPrivateKey privateKey, PGPPublicKey publicKey) {
         SecureRandom random = new SecureRandom();
-        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(publicKey.getAlgorithm());
+        PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(publicKey.getAlgorithm());
         PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(
                 ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKeyAlgorithm, HashAlgorithm.SHA256)
         );
diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 58d6f6a2..e64899c0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -9,6 +9,7 @@ import java.util.Collections;
 import java.util.EnumMap;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 
 import javax.annotation.Nonnull;
 
@@ -232,8 +233,13 @@ public final class Policy {
          * @return true if algorithm is acceptable, false otherwise
          */
         public boolean isAcceptable(int algorithmId) {
-            SymmetricKeyAlgorithm algorithm = SymmetricKeyAlgorithm.fromId(algorithmId);
-            return isAcceptable(algorithm);
+            try {
+                SymmetricKeyAlgorithm algorithm = SymmetricKeyAlgorithm.requireFromId(algorithmId);
+                return isAcceptable(algorithm);
+            } catch (NoSuchElementException e) {
+                // Unknown algorithm is not acceptable
+                return false;
+            }
         }
 
         /**
@@ -329,8 +335,13 @@ public final class Policy {
          * @return true if the hash algorithm is acceptable, false otherwise
          */
         public boolean isAcceptable(int algorithmId) {
-            HashAlgorithm algorithm = HashAlgorithm.fromId(algorithmId);
-            return isAcceptable(algorithm);
+            try {
+                HashAlgorithm algorithm = HashAlgorithm.requireFromId(algorithmId);
+                return isAcceptable(algorithm);
+            } catch (NoSuchElementException e) {
+                // Unknown algorithm is not acceptable
+                return false;
+            }
         }
 
         /**
@@ -382,7 +393,13 @@ public final class Policy {
         }
 
         public boolean isAcceptable(int compressionAlgorithmTag) {
-            return isAcceptable(CompressionAlgorithm.fromId(compressionAlgorithmTag));
+            try {
+                CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.requireFromId(compressionAlgorithmTag);
+                return isAcceptable(compressionAlgorithm);
+            } catch (NoSuchElementException e) {
+                // Unknown algorithm is not acceptable
+                return false;
+            }
         }
 
         public boolean isAcceptable(CompressionAlgorithm compressionAlgorithm) {
@@ -408,7 +425,13 @@ public final class Policy {
         }
 
         public boolean isAcceptable(int algorithmId, int bitStrength) {
-            return isAcceptable(PublicKeyAlgorithm.fromId(algorithmId), bitStrength);
+            try {
+                PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(algorithmId);
+                return isAcceptable(algorithm, bitStrength);
+            } catch (NoSuchElementException e) {
+                // Unknown algorithm is not acceptable
+                return false;
+            }
         }
 
         public boolean isAcceptable(PublicKeyAlgorithm algorithm, int bitStrength) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index a8f1ec5b..3572fff0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -9,6 +9,7 @@ import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.bcpg.sig.KeyFlags;
@@ -92,7 +93,7 @@ public abstract class SignatureValidator {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
-                if (!PublicKeyAlgorithm.fromId(signature.getKeyAlgorithm()).isSigningCapable()) {
+                if (!PublicKeyAlgorithm.requireFromId(signature.getKeyAlgorithm()).isSigningCapable()) {
                     // subkey is not signing capable -> No need to process embedded sigs
                     return;
                 }
@@ -168,7 +169,7 @@ public abstract class SignatureValidator {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
-                PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.fromId(signingKey.getAlgorithm());
+                PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(signingKey.getAlgorithm());
                     int bitStrength = signingKey.getBitStrength();
                     if (bitStrength == -1) {
                         throw new SignatureValidationException("Cannot determine bit strength of signing key.");
@@ -191,11 +192,14 @@ public abstract class SignatureValidator {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
-                HashAlgorithm hashAlgorithm = HashAlgorithm.fromId(signature.getHashAlgorithm());
-                Policy.HashAlgorithmPolicy hashAlgorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy);
-
-                if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm())) {
-                    throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm);
+                try {
+                    HashAlgorithm hashAlgorithm = HashAlgorithm.requireFromId(signature.getHashAlgorithm());
+                    Policy.HashAlgorithmPolicy hashAlgorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy);
+                    if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm())) {
+                        throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm);
+                    }
+                } catch (NoSuchElementException e) {
+                    throw new SignatureValidationException("Signature uses unknown hash algorithm " + signature.getHashAlgorithm());
                 }
             }
         };
@@ -255,8 +259,8 @@ public abstract class SignatureValidator {
                 PGPSignatureSubpacketVector hashedSubpackets = signature.getHashedSubPackets();
                 for (int criticalTag : hashedSubpackets.getCriticalTags()) {
                     try {
-                        SignatureSubpacket.fromCode(criticalTag);
-                    } catch (IllegalArgumentException e) {
+                        SignatureSubpacket.requireFromCode(criticalTag);
+                    } catch (NoSuchElementException e) {
                         throw new SignatureValidationException("Signature contains unknown critical subpacket of type " + Long.toHexString(criticalTag));
                     }
                 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
index ee34a6fc..2118c49c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
@@ -33,7 +33,7 @@ public class SignatureSubpacketsHelper {
 
     public static SignatureSubpackets applyFrom(PGPSignatureSubpacketVector vector, SignatureSubpackets subpackets) {
         for (SignatureSubpacket subpacket : vector.toArray()) {
-            org.pgpainless.algorithm.SignatureSubpacket type = org.pgpainless.algorithm.SignatureSubpacket.fromCode(subpacket.getType());
+            org.pgpainless.algorithm.SignatureSubpacket type = org.pgpainless.algorithm.SignatureSubpacket.requireFromCode(subpacket.getType());
             switch (type) {
                 case signatureCreationTime:
                 case issuerKeyId:
@@ -102,8 +102,8 @@ public class SignatureSubpacketsHelper {
                 case signatureTarget:
                     SignatureTarget target = (SignatureTarget) subpacket;
                     subpackets.setSignatureTarget(target.isCritical(),
-                            PublicKeyAlgorithm.fromId(target.getPublicKeyAlgorithm()),
-                            HashAlgorithm.fromId(target.getHashAlgorithm()),
+                            PublicKeyAlgorithm.requireFromId(target.getPublicKeyAlgorithm()),
+                            HashAlgorithm.requireFromId(target.getHashAlgorithm()),
                             target.getHashData());
                     break;
                 case embeddedSignature:
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index bbf8972b..12c6f1de 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -257,7 +257,10 @@ public final class SignatureSubpacketsUtil {
         PreferredAlgorithms preferences = getPreferredSymmetricAlgorithms(signature);
         if (preferences != null) {
             for (int code : preferences.getPreferences()) {
-                algorithms.add(SymmetricKeyAlgorithm.fromId(code));
+                SymmetricKeyAlgorithm algorithm = SymmetricKeyAlgorithm.fromId(code);
+                if (algorithm != null) {
+                    algorithms.add(algorithm);
+                }
             }
         }
         return algorithms;
@@ -286,7 +289,10 @@ public final class SignatureSubpacketsUtil {
         PreferredAlgorithms preferences = getPreferredHashAlgorithms(signature);
         if (preferences != null) {
             for (int code : preferences.getPreferences()) {
-                algorithms.add(HashAlgorithm.fromId(code));
+                HashAlgorithm algorithm = HashAlgorithm.fromId(code);
+                if (algorithm != null) {
+                    algorithms.add(algorithm);
+                }
             }
         }
         return algorithms;
@@ -315,7 +321,10 @@ public final class SignatureSubpacketsUtil {
         PreferredAlgorithms preferences = getPreferredCompressionAlgorithms(signature);
         if (preferences != null) {
             for (int code : preferences.getPreferences()) {
-                algorithms.add(CompressionAlgorithm.fromId(code));
+                CompressionAlgorithm algorithm = CompressionAlgorithm.fromId(code);
+                if (algorithm != null) {
+                    algorithms.add(algorithm);
+                }
             }
         }
         return algorithms;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
index 72bab826..397e1f0a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
@@ -24,7 +24,7 @@ public class SessionKey {
      * @param sessionKey BC session key
      */
     public SessionKey(@Nonnull PGPSessionKey sessionKey) {
-        this(SymmetricKeyAlgorithm.fromId(sessionKey.getAlgorithm()), sessionKey.getKey());
+        this(SymmetricKeyAlgorithm.requireFromId(sessionKey.getAlgorithm()), sessionKey.getKey());
     }
 
     /**
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java
index 347322f8..e9d0b86e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/FeatureTest.java
@@ -6,20 +6,37 @@ package org.pgpainless.algorithm;
 
 import org.junit.jupiter.api.Test;
 
+import java.util.NoSuchElementException;
+
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class FeatureTest {
 
+    @Test
+    public void testAll() {
+        for (Feature feature : Feature.values()) {
+            assertEquals(feature, Feature.fromId(feature.getFeatureId()));
+            assertEquals(feature, Feature.requireFromId(feature.getFeatureId()));
+        }
+    }
+
     @Test
     public void testModificationDetection() {
         Feature modificationDetection = Feature.MODIFICATION_DETECTION;
         assertEquals(0x01, modificationDetection.getFeatureId());
         assertEquals(modificationDetection, Feature.fromId((byte) 0x01));
+        assertEquals(modificationDetection, Feature.requireFromId((byte) 0x01));
     }
 
     @Test
     public void testFromInvalidIdIsNull() {
         assertNull(Feature.fromId((byte) 0x99));
     }
+
+    @Test
+    public void testRequireFromInvalidThrows() {
+        assertThrows(NoSuchElementException.class, () -> Feature.requireFromId((byte) 0x99));
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java
index 84eecdb5..cf118822 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureStructureTest.java
@@ -64,7 +64,7 @@ public class SignatureStructureTest {
 
     @Test
     public void testGetHashAlgorithm() {
-        assertEquals(HashAlgorithm.SHA256, HashAlgorithm.fromId(signature.getHashAlgorithm()));
+        assertEquals(HashAlgorithm.SHA256, HashAlgorithm.requireFromId(signature.getHashAlgorithm()));
     }
 
     @Test
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index bef260c4..38656c9b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -70,7 +70,7 @@ public class DecryptImpl implements Decrypt {
     public DecryptImpl withSessionKey(SessionKey sessionKey) throws SOPGPException.UnsupportedOption {
         consumerOptions.setSessionKey(
                 new org.pgpainless.util.SessionKey(
-                        SymmetricKeyAlgorithm.fromId(sessionKey.getAlgorithm()),
+                        SymmetricKeyAlgorithm.requireFromId(sessionKey.getAlgorithm()),
                         sessionKey.getKey()));
         return this;
     }

From aeb321b576e3fb4cbb3f5c15c6d60bf0ec3da3b5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Mar 2022 13:40:14 +0100
Subject: [PATCH 0367/1450] Add short project description to README

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 2627b1f9..b4cc1089 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,8 @@ SPDX-License-Identifier: Apache-2.0
 [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A)
 [![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
 
+**PGPainless is an easy-to-use OpenPGP library for Java and Android applications**
+
 ## About
 
 PGPainless aims to make using OpenPGP in Java projects as simple as possible.

From 405c7225f67f5937d4cabceb2770ef7aed79ab82 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Mar 2022 15:17:29 +0100
Subject: [PATCH 0368/1450] Deprecate ProducerOptions.setForYourEyesOnly()

Use of this special file name is deprecated since at least crypto-refresh-05
---
 .../org/pgpainless/encryption_signing/ProducerOptions.java     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index ac4f0e6e..3fe284c8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -193,7 +193,10 @@ public final class ProducerOptions {
      * Note: Therefore this method cannot be used simultaneously with {@link #setFileName(String)}.
      *
      * @return this
+     * @deprecated deprecated since at least crypto-refresh-05. It is not recommended using this special filename in
+     * newly generated literal data packets
      */
+    @Deprecated
     public ProducerOptions setForYourEyesOnly() {
         this.fileName = PGPLiteralData.CONSOLE;
         return this;

From 8ff405d6ad7ff72c2ad4ccb2edf38bd8b7794467 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Mar 2022 14:16:13 +0100
Subject: [PATCH 0369/1450] Add toString() to SessionKey

---
 .../src/main/java/org/pgpainless/util/SessionKey.java       | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
index 397e1f0a..1e71bb03 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/SessionKey.java
@@ -7,6 +7,7 @@ package org.pgpainless.util;
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPSessionKey;
+import org.bouncycastle.util.encoders.Hex;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 
 /**
@@ -57,4 +58,9 @@ public class SessionKey {
         System.arraycopy(key, 0, copy, 0, copy.length);
         return copy;
     }
+
+    @Override
+    public String toString() {
+        return "" + getAlgorithm().getAlgorithmId() + ":" + Hex.toHexString(getKey());
+    }
 }

From 80d97b1bc02497c9dd723a497932065b7975a191 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 27 Mar 2022 16:35:20 +0200
Subject: [PATCH 0370/1450] Fix malformed signature packets

---
 .../org/pgpainless/encryption_signing/EncryptionStream.java  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 6fc112ba..68aef2ce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -47,6 +47,8 @@ public final class EncryptionStream extends OutputStream {
     private static final int BUFFER_SIZE = 1 << 9;
 
     OutputStream outermostStream;
+    OutputStream signatureLayerStream;
+
     private ArmoredOutputStream armorOutputStream = null;
     private OutputStream publicKeyEncryptedStream = null;
     private PGPCompressedDataGenerator compressedDataGenerator;
@@ -130,6 +132,7 @@ public final class EncryptionStream extends OutputStream {
     }
 
     private void prepareOnePassSignatures() throws IOException, PGPException {
+        signatureLayerStream = outermostStream;
         SigningOptions signingOptions = options.getSigningOptions();
         if (signingOptions == null || signingOptions.getSigningMethods().isEmpty()) {
             // No singing options/methods -> no signing
@@ -274,7 +277,7 @@ public final class EncryptionStream extends OutputStream {
                 resultBuilder.addDetachedSignature(signingKey, signature);
             }
             if (!signingMethod.isDetached() || options.isCleartextSigned()) {
-                signature.encode(outermostStream);
+                signature.encode(signatureLayerStream);
             }
         }
     }

From 82936c5499bce2f86177ba596d244cfa3d205930 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Mar 2022 14:16:46 +0100
Subject: [PATCH 0371/1450] Add investigative test for broken messages when
 using different data/sig encodings

---
 .../CanonicalizedDataEncryptionTest.java      | 219 ++++++++++++++++++
 1 file changed, 219 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java

diff --git a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
new file mode 100644
index 00000000..4f6dd15c
--- /dev/null
+++ b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
@@ -0,0 +1,219 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package investigations;
+
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.DocumentSignatureType;
+import org.pgpainless.algorithm.StreamEncoding;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+
+public class CanonicalizedDataEncryptionTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9AF4 29C4 C389 CC11 1739  98E9 9F8E E9C5 3AE5 C1A4\n" +
+            "Comment: Test \n" +
+            "\n" +
+            "lQcYBGI8Y/cBEACHIx1hfYeTHZ39UGM5kuJBuvJOZXR60DppIkgjPWyc+p2mxXY5\n" +
+            "tOl+xVSzWHudogtxM1kbpYghPXWOj7ssh7V+4OI1JIi3ODEuWozRN1HjqyY11ORg\n" +
+            "ky6lmbZ0/YupTFbZ6H4yMoHbLPugN2fAdZLcpeVL0taQ04ImaNQnnGIiaCd9TxWN\n" +
+            "UiQRouFFI2YSrE97x8+32VycxtCX11/DN7xU6v4SISL4NoIlhsBT+WhFCl/6ntwB\n" +
+            "JXStwjN4Mp/gmmtu5EBDh+OYLq09z2jOzBTofhSRYz5wH0oNh1gj4CwwrkThvBMH\n" +
+            "fl9pTKhwp3vL/76UkWJHu9OjCP6T2sPFeCuRPCBI9gDTpK1vkfQa0pj7X9hF+8we\n" +
+            "TY6E1prcYbx/1sxO5EEVYDCqtmd5VDQd69uaC8/NWH0769bxbNZUc5EJ/PkFZXKJ\n" +
+            "nCsjr8i29j6r7NbK6YlFxNj/CkbYfufzQ7moo9miGh1u3Pe0kbZpdYuPUnh3oVi3\n" +
+            "px6L/IJxIR+owJLs9X+W/3bvP7OmYwHT3czwQ8/PrI+CuybFv+BDOKX1142zh1Qj\n" +
+            "IEsc6Zx7wUMRH2qImRP7amuxP7npMaANp0GWNNWTgKHV+iLxbYDHnIX2qcPpWn4W\n" +
+            "CRWshgulAzt9IP0AGErHw4FDXSzk4s9btRDL6MFYP/2+gG+L4cLlxEOarwARAQAB\n" +
+            "AA/9HMu5vgVut0WPXeQcUK9g8Rqx+UybJnRqje6VKpUzKLwqjdfz2lYXj0DjTJgl\n" +
+            "NzDJeWS0rzR1roeXHjq4asO8Q/4Nlb9kNo6NxE/dQ9Oi6n2U1dG4nG+gd/8qJwHE\n" +
+            "Gd4/f42QHogurZKHR9umixdCpSvgkWiq+g9n42FhG9OyAZzqFUSd1hBTyUJI+F+T\n" +
+            "p5T6Fuk79PQnTOz8k+575HBi/EFaxGg1OGj9EJwHLZ2uv093pkLlpITjuQbxysIW\n" +
+            "2VhuXiHbI8i4EbyYg9xHfBF2vxfmsBhSvLeeIwXdHT/uiq0H1oYqE+W01Q5VsjOu\n" +
+            "KIklhij4pUp7zXjkLoNmRhTWS3wXCLS/cwIpf37aZh5HJaP2BMorDoeJFlEVgBVT\n" +
+            "VpiljD1IIQ3FvvZEK6p9GPMIzrW2EWa25Koi+ouFNoSxycAuuA1JdvsBZFTWaNG5\n" +
+            "CyNvNp7ZhFTdL6rFmLo94M/326cF3DW5pW8BxQOj1VnE9jRWs6pqypEZ8k+L3eVi\n" +
+            "WFS6ZECWy5nkew8QYtuuHb01XiJdKljO0Rrhni7cEbtGtgPwkfoELoo+yNC+AVuf\n" +
+            "uqYDtY1PTcx9ndlV5gLabZpO7gCH8qvDrgDEHGwJogxNeHnXLI8Zz+ClWhS99C8Z\n" +
+            "6gV5KZstg87ZK331LumY3TMt/FVROOzLtPrg3IubWfNGbfEIALWcuDBjYBs8XNqV\n" +
+            "WizXB99ssslKwm79pggca5pM5wEryAwRN2Lsqcncd/sN3g0GhyqxKBnKkBvoayRP\n" +
+            "zdQE5F0+ylL5FEDSaAyroDPUww0E7QYh7zm1WVDPZZLknn0r6Yq6yn0E+7R/fHe7\n" +
+            "8NJu6C2veH+wYgh6cqVKXCAQccBj+K2r7dUExuldxGyuB5lbVcKTf8dgXqxGh3uw\n" +
+            "CNA6tSL1OqqYxn2MME3xrFoBBxjttX2XQuQKdHD2CL9wySRkvFwgJb3KDZjh7K1B\n" +
+            "yEbLLkMWUA2H6QF7Lnqq65rcjgfLvq64MSTfNiW0EL4hIBvAPpnK7LHCHkt6i3jC\n" +
+            "3beoHfcIAL59K+pwtV9hPa3SQpZfYkumYxw3ixSh9UJ2bTUkecypCN+MrHDi6ALe\n" +
+            "Thcfn6/fEbJXeKFC4OGqNW6aw2ArcJ5q1SFeV1bnTz0REdgaOZj/o71O5hdBjgEV\n" +
+            "RjuK36PNmimJQKk3HZfBtb0FnfL6Cx5Q2gIG+wJDd0MyoSTpWNuUlav9TnxCEyeC\n" +
+            "MQGxgEb0BrPX7xGLIVBcfkV3i5w77wbIk1vgZlNFyc4ecZbdBwFd1X140G7aVFik\n" +
+            "LNaPY87WUbnzBN+P31KkQxgEOZNLt091XmDFbsbMGj7s7N0DPMMV9Vk8qy5VmlSg\n" +
+            "Bh59FvQNaZfR/a0OE3cCLJlS7076mwkH/0Bc6Y7GKsYVdqhCLtw/IlNBAlGGUCM0\n" +
+            "7h7glI40ET1X5ar1ABBC6FGwZO/QV0ynaVQuO0oCbn5uIZXIRdZ8AiBwf4E3LeaI\n" +
+            "kSCOu81c/HXmNw78cx13uCkW18ReS+12ScXflSzvTGTsmdP8wuORBWxSHgJYv5qC\n" +
+            "RXt3/hWb5dOm7nbhydqNdHvLSQ1d6Uky2OWVMQJuLlj1ZQ7wYShEOGRi3oJxUVT5\n" +
+            "tO08dshzBaPdPKsz02ZDSKOnC1JR63jfONydwW3VoRFgtjV6kJ40XRJvP0uVbyye\n" +
+            "E0RUBNao18tA2vT1iXkEiSHcU1ImewuXiOzcVeWIRU/b6j4Z+Of1iN52UbQZVGVz\n" +
+            "dCA8dGVzdEB2YW5pdGFzdmkudGFlPokCTQQTAQoAQQUCYjxj9wkQn47pxTrlwaQW\n" +
+            "IQSa9CnEw4nMERc5mOmfjunFOuXBpAKeAQKbBwUWAgMBAAQLCQgHBRUKCQgLApkB\n" +
+            "AABFhA/+IULfY31WpA3y0EgpYQTDpg3jSKPGPRaDYlMAAkIlCjoAA0N3gTKtktmG\n" +
+            "3tEQfwI0zYzVP+8FHlJ/5ovu6+qSIdAVA7YUewNLG2p6DlMW8Eysa/ARmbIrlN+R\n" +
+            "bH+KgFNz3dS9zS6mvRu2m6a8qRFpW4iHAJctaV29Ff5sKppLjetdOH8wL/b7fE+O\n" +
+            "mg/mrBRVVhqwSvAULoHAIix8vpdAr2iiHhGzvwDpqVirca15XoCaKKNlJfTaRH+J\n" +
+            "5nqsABTKTrsOZyLW8OuQ8VaWGi4XZB2ansTMnH4m7RzWwXM+P2BjB9KEtClVgGxw\n" +
+            "jHlEqbqtquaJW5hh7xjXRNZ45joTxQkepLZ8TM3hB6Ben4st893kffwur39mRWFe\n" +
+            "u/KvvFdkQZuvWj+8Ng4uvWap+9KbGpam8ohZLY4OoR2d7/9ueikGmLyJFKjLDVWQ\n" +
+            "Ya+inSUIDdyYvq7flHo0dXB7yftpvpOCQ9E/p2FmVDvvKsaRvAItQV8cX1RpYtGG\n" +
+            "wdLQnmsIuRhV5j7OXv5zyQJvbvLgisl11VFWR7RNhJ9xNPbUTknCw1Ftp0nSXEnS\n" +
+            "gl/0Z7KWoiY8sAn3o45KZRnq8uiF19kYXdrRWIFo1LtG68hjOYYRG5ejmCt6zx53\n" +
+            "Zd+AyZA+lkh8uI921Nnio2g70zVVSKEVaJcWTlkVyKge2iV/YkQ=\n" +
+            "=EyDf\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    String message = "Hello, World!\n";
+
+    private static PGPSecretKeyRing secretKeys;
+    private static PGPPublicKeyRing publicKeys;
+
+    @BeforeAll
+    public static void readKeys() throws IOException {
+        secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        publicKeys = PGPainless.extractCertificate(secretKeys);
+        System.out.println(PGPainless.asciiArmor(secretKeys));
+    }
+
+    @Test
+    public void binaryDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.BINARY);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    @Test
+    public void binaryDataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.BINARY);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    @Test
+    @Disabled("Fails")
+    public void textDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    @Test
+    public void textDataTextSig() throws PGPException, IOException {
+        System.out.println("SignatureType: Text, LiteralData: Text");
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.TEXT);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    @Test
+    @Disabled("Fails")
+    public void utf8DataBinarySig() throws PGPException, IOException {
+        System.out.println("SignatureType: Binary, LiteralData: UTF8");
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    @Test
+    public void utf8DataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.UTF8);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            fail();
+        }
+    }
+
+    private String encryptAndSign(String message, DocumentSignatureType sigType, StreamEncoding dataFormat)
+            throws PGPException, IOException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions
+                        .signAndEncrypt(
+                                EncryptionOptions.encryptCommunications()
+                                        .addRecipient(publicKeys),
+                                SigningOptions.get()
+                                        .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, sigType)
+                        )
+                        .setEncoding(dataFormat)
+                );
+
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));
+        Streams.pipeAll(inputStream, encryptionStream);
+        encryptionStream.close();
+
+        String msg = out.toString();
+        return msg;
+    }
+
+    private OpenPgpMetadata decryptAndVerify(String msg) throws PGPException, IOException {
+        ByteArrayInputStream in = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys())
+                        .addVerificationCert(publicKeys));
+
+        Streams.drain(decryptionStream);
+        decryptionStream.close();
+
+        return decryptionStream.getResult();
+    }
+}

From 1cb3e559b528ac944148feaa390bb2b10c97355c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 27 Mar 2022 17:29:42 +0200
Subject: [PATCH 0372/1450] Eliminate removed 'm' StreamEncoding

---
 .../java/org/pgpainless/algorithm/StreamEncoding.java | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
index ad3de600..b0617bbb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/StreamEncoding.java
@@ -36,17 +36,6 @@ public enum StreamEncoding {
      */
     UTF8(PGPLiteralData.UTF8),
 
-    /**
-     * The literal data packet contains a MIME message body part (RFC2045).
-     * Introduced in rfc4880-bis10.
-     *
-     * TODO: Replace 'm' with 'PGPLiteralData.MIME' once BC 1.71 gets released and contains our fix:
-     *  https://github.com/bcgit/bc-java/pull/1088
-     *
-     * @see RFC4880-bis10
-     */
-    MIME('m'),
-
     /**
      * Early versions of PGP also defined a value of 'l' as a 'local' mode for machine-local conversions.
      * RFC 1991 [RFC1991] incorrectly stated this local mode flag as '1' (ASCII numeral one).

From 620deaa1f9f63918c8de8a674f203b51da21af51 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 27 Mar 2022 17:34:24 +0200
Subject: [PATCH 0373/1450] Deprecate ProducerOptions.setEncoding()

The reason is that values other than BINARY oftentimes cause issues
(see https://github.com/pgpainless/pgpainless/issues/264), and further
experts recommended to ignore the metadata of the LiteralData packet
and only produce with ('b'/0/) as metadata values.
---
 .../org/pgpainless/encryption_signing/ProducerOptions.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 3fe284c8..77901e34 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -230,7 +230,11 @@ public final class ProducerOptions {
      *
      * @param encoding encoding
      * @return this
+     *
+     * @deprecated this option will be removed in the near future, as values other than {@link StreamEncoding#BINARY}
+     * are causing issues. See https://github.com/pgpainless/pgpainless/issues/264 for details
      */
+    @Deprecated
     public ProducerOptions setEncoding(@Nonnull StreamEncoding encoding) {
         this.streamEncoding = encoding;
         return this;
@@ -239,6 +243,7 @@ public final class ProducerOptions {
     public StreamEncoding getEncoding() {
         return streamEncoding;
     }
+
     /**
      * Override which compression algorithm shall be used.
      *

From a8fa501a7a2673d20d9deef281dd523745eead1d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:08:29 +0200
Subject: [PATCH 0374/1450] Update CHANGELOG

---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d644157..48dafad2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,16 @@ SPDX-License-Identifier: CC0-1.0
   - This can come in handy when using primary keys stored offline
 - Add `EncryptionResult.isEncryptedFor(certificate)`
 - `ArmorUtils.toAsciiArmoredString()` methods now print out primary user-id and brief information about further user-ids (thanks @bratkartoffel for the patch)
+- Methods of `KeyRingUtils` and `ArmorUtils` classes are now annotated with `@Nonnull/@Nullable`
+- Enums `fromId(code)` methods are now annotated with `@Nullable` and there are now `requireFromId(code)` counterparts which are `@Nonnull`.
+- `ProducerOptions.setForYourEyesOnly()` is now deprecated (reason is deprecation in the 
+- [crypto-refresh-05](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-05.html#name-special-filename-_console-d) document)
+- Add `SessionKey.toString()`
+- Partially fix generation of malformed signature packets when using different combinations of `StreamEncoding` and `DocumentSignatureType` values
+  - Unfortunately PGPainless still produces broken signatures when using either `StreamEncoding.TEXT` or `StreamEncoding.UTF8` in combination with `DocumentSignatureType.BINARY_DOCUMENT`.
+- Deprecate `ProducerOptions.setEncoding(StreamEncoding)`
+  - Will be removed in a future release
+- Remove `StreamEncoding.MIME` (was removed from the standard)
 
 ## 1.1.3
 - Make `SigningOptions.getSigningMethods()` part of internal API

From 87e6b044d9fd4c28a25dfe0c117e7a34ba2ae74f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:18:03 +0200
Subject: [PATCH 0375/1450] Add EncryptionStream class description

---
 .../org/pgpainless/encryption_signing/EncryptionStream.java    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 68aef2ce..34fd05ca 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -30,6 +30,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
+ * OutputStream that produces an OpenPGP message. The message can be encrypted, signed, or both,
+ * depending on its configuration.
+ *
  * This class is based upon Jens Neuhalfen's Bouncy-GPG PGPEncryptingStream.
  * @see Source
  */

From b0eb32d550456bb2e9cf1980f84c7e76d3d773c5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:21:53 +0200
Subject: [PATCH 0376/1450] Fix checkstyle

---
 .../CanonicalizedDataEncryptionTest.java         | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
index 4f6dd15c..9be3569e 100644
--- a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
+++ b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
@@ -100,7 +100,9 @@ public class CanonicalizedDataEncryptionTest {
     public static void readKeys() throws IOException {
         secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
         publicKeys = PGPainless.extractCertificate(secretKeys);
+        // CHECKSTYLE:OFF
         System.out.println(PGPainless.asciiArmor(secretKeys));
+        // CHECKSTYLE:ON
     }
 
     @Test
@@ -109,8 +111,10 @@ public class CanonicalizedDataEncryptionTest {
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }
@@ -121,8 +125,10 @@ public class CanonicalizedDataEncryptionTest {
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }
@@ -134,21 +140,24 @@ public class CanonicalizedDataEncryptionTest {
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }
 
     @Test
     public void textDataTextSig() throws PGPException, IOException {
-        System.out.println("SignatureType: Text, LiteralData: Text");
         String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.TEXT);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }
@@ -156,13 +165,14 @@ public class CanonicalizedDataEncryptionTest {
     @Test
     @Disabled("Fails")
     public void utf8DataBinarySig() throws PGPException, IOException {
-        System.out.println("SignatureType: Binary, LiteralData: UTF8");
         String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }
@@ -173,8 +183,10 @@ public class CanonicalizedDataEncryptionTest {
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
             System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
             System.out.println(msg);
+            // CHECKSTYLE:ON
             fail();
         }
     }

From ccee24dd9370193caf517aca24a42f656979d298 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:26:50 +0200
Subject: [PATCH 0377/1450] PGPainless 1.1.4

---
 CHANGELOG.md             | 2 +-
 README.md                | 8 ++++----
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48dafad2..b17b071e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.4-SNAPSHOT
+## 1.1.4
 - Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring
   - This can come in handy when using primary keys stored offline
 - Add `EncryptionResult.isEncryptedFor(certificate)`
diff --git a/README.md b/README.md
index b4cc1089..514dbd84 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.3'
+	implementation 'org.pgpainless:pgpainless-core:1.1.4'
 }
 ```
 
@@ -221,10 +221,10 @@ which contains the bug you are fixing. That way we can update older revisions of
 * `development` contains new features that will make it into the next MINOR release.
 
 #### Example:
-Latest release: 1.1.3
+Latest release: 1.1.4
 * `release/1.0` contains the state of `1.0.5-SNAPSHOT`
-* `release/1.1` contains the state of `1.1.4-SNAPSHOT`
-* `master` contains the state `release/1.1` plus patch level changes that will make it into `1.1.4`.
+* `release/1.1` contains the state of `1.1.5-SNAPSHOT`
+* `master` contains the state `release/1.1` plus patch level changes that will make it into `1.1.5`.
 * `development` contains the state which will at some point become `1.2.0`.
 
 Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part of the project.
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index af3c5e52..9ec6c8cd 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.1.3"
+    implementation "org.pgpainless:pgpainless-sop:1.1.4"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.1.3
+        1.1.4
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 57acae3f..99bdb588 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.1.4'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 30a62daec9462b1fb85cb449a2b65d1aa9cf2dc0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:28:37 +0200
Subject: [PATCH 0378/1450] PGPainless-1.1.5-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 99bdb588..3b94fb87 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.4'
-        isSnapshot = false
+        shortVersion = '1.1.5'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 4782868bc125a57f6aa9ade8aadc2a962754ec27 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:49:26 +0200
Subject: [PATCH 0379/1450] SOP encrypt: match signature type when using --as=
 option

---
 .../src/main/java/org/pgpainless/sop/EncryptImpl.java       | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index bb0af660..51624214 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -60,7 +60,11 @@ public class EncryptImpl implements Encrypt {
                 signingOptions = SigningOptions.get();
             }
             try {
-                signingOptions.addInlineSignatures(SecretKeyRingProtector.unprotectedKeys(), keys, DocumentSignatureType.BINARY_DOCUMENT);
+                signingOptions.addInlineSignatures(
+                        SecretKeyRingProtector.unprotectedKeys(),
+                        keys,
+                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
+                );
             } catch (IllegalArgumentException e) {
                 throw new SOPGPException.KeyCannotSign();
             } catch (WrongPassphraseException e) {

From 9497cbaeb15803ac2f3005f4c17db9dbb3cd2da0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 12:50:29 +0200
Subject: [PATCH 0380/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b17b071e..7f609c7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.1.5-SNAPSHOT
+- SOP encrypt: match signature type when using `encrypt --as=` option
+
 ## 1.1.4
 - Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring
   - This can come in handy when using primary keys stored offline

From c31fd7d5e0f224ff010f8fa6c000eb4d8b209696 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 13:14:36 +0200
Subject: [PATCH 0381/1450] SOP: Fix mapping of encryption format

---
 .../src/main/java/org/pgpainless/sop/EncryptImpl.java          | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 51624214..d6bd7709 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -125,10 +125,9 @@ public class EncryptImpl implements Encrypt {
     private static StreamEncoding encryptAsToStreamEncoding(EncryptAs encryptAs) {
         switch (encryptAs) {
             case Binary:
+            case MIME:
                 return StreamEncoding.BINARY;
             case Text:
-                return StreamEncoding.TEXT;
-            case MIME:
                 return StreamEncoding.UTF8;
         }
         throw new IllegalArgumentException("Invalid value encountered: " + encryptAs);

From 6bef376992817ba9cc7bf065b8842dbbd05a8b85 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 16:13:08 +0200
Subject: [PATCH 0382/1450] Fix signature generation with all format and
 signature type combinations

This comes at the cost of that we no longer CR/LF encode literal data before encryption/signing.
That means that applications that rely on PGPainless to do the CR/LF encoding must manually
do the encoding before feeding the message to PGPainless.
The newly introduced CRLFGeneratorStream has documentation on how to do that.
Fixes #264
---
 .../CRLFGeneratorStream.java                  | 64 +++++++++++++
 .../encryption_signing/EncryptionStream.java  | 12 +--
 .../encryption_signing/ProducerOptions.java   |  3 +-
 .../util/StreamGeneratorWrapper.java          | 91 -------------------
 .../CanonicalizedDataEncryptionTest.java      | 90 +++++++++++++++++-
 5 files changed, 158 insertions(+), 102 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
new file mode 100644
index 00000000..f5b13f2a
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
@@ -0,0 +1,64 @@
+// SPDX-FileCopyrightText: 2021 David Hook 
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import org.pgpainless.algorithm.StreamEncoding;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+/**
+ * {@link OutputStream} which applies CR-LF encoding of its input data, based on the desired {@link StreamEncoding}.
+ *
+ *
+ * If you need PGPainless to CRLF encode signed data for you, you could do the following:
+ * {@code
+ * 
+ *     InputStream plaintext = ...
+ *     EncryptionStream signerOrEncryptor = PGPainless.signAndOrEncrypt(...);
+ *     CRLFGeneratorStream crlfOut = new CRLFGeneratorStream(signerOrEncryptor, streamEncoding);
+ *
+ *     Streams.pipeAll(plaintext, crlfOut);
+ *     crlfOut.close;
+ *
+ *     EncryptionResult result = signerOrEncryptor.getResult();
+ * 

+ * }
+ * This implementation originates from the Bouncy Castle library.
+ */
+public class CRLFGeneratorStream extends OutputStream {
+
+    protected final OutputStream crlfOut;
+    private final boolean isBinary;
+    private int lastB = 0;
+
+    public CRLFGeneratorStream(OutputStream crlfOut, StreamEncoding encoding) {
+        this.crlfOut = crlfOut;
+        this.isBinary = encoding == StreamEncoding.BINARY;
+    }
+
+    public void write(int b) throws IOException {
+        if (!isBinary) {
+            if (b == '\n' && lastB != '\r') {   // Unix
+                crlfOut.write('\r');
+            } else if (lastB == '\r') {         // MAC
+                if (b != '\n') {
+                    crlfOut.write('\n');
+                }
+            }
+            lastB = b;
+        }
+
+        crlfOut.write(b);
+    }
+
+    public void close() throws IOException {
+        if (!isBinary && lastB == '\r') {       // MAC
+            crlfOut.write('\n');
+        }
+        crlfOut.close();
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 34fd05ca..66fd1d24 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -15,6 +15,7 @@ import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
@@ -25,7 +26,6 @@ import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
-import org.pgpainless.util.StreamGeneratorWrapper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -56,7 +56,7 @@ public final class EncryptionStream extends OutputStream {
     private OutputStream publicKeyEncryptedStream = null;
     private PGPCompressedDataGenerator compressedDataGenerator;
     private BCPGOutputStream basicCompressionStream;
-    private StreamGeneratorWrapper streamGeneratorWrapper;
+    private PGPLiteralDataGenerator literalDataGenerator;
     private OutputStream literalDataStream;
 
     EncryptionStream(@Nonnull OutputStream targetOutputStream,
@@ -164,8 +164,8 @@ public final class EncryptionStream extends OutputStream {
             return;
         }
 
-        streamGeneratorWrapper = StreamGeneratorWrapper.forStreamEncoding(options.getEncoding());
-        literalDataStream = streamGeneratorWrapper.open(outermostStream,
+        literalDataGenerator = new PGPLiteralDataGenerator();
+        literalDataStream = literalDataGenerator.open(outermostStream, options.getEncoding().getCode(),
                 options.getFileName(), options.getModificationDate(), new byte[BUFFER_SIZE]);
         outermostStream = literalDataStream;
 
@@ -226,8 +226,8 @@ public final class EncryptionStream extends OutputStream {
             literalDataStream.flush();
             literalDataStream.close();
         }
-        if (streamGeneratorWrapper != null) {
-            streamGeneratorWrapper.close();
+        if (literalDataGenerator != null) {
+            literalDataGenerator.close();
         }
 
         if (options.isCleartextSigned()) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 77901e34..9ee3c03e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -231,8 +231,7 @@ public final class ProducerOptions {
      * @param encoding encoding
      * @return this
      *
-     * @deprecated this option will be removed in the near future, as values other than {@link StreamEncoding#BINARY}
-     * are causing issues. See https://github.com/pgpainless/pgpainless/issues/264 for details
+     * @deprecated options other than the default value of {@link StreamEncoding#BINARY} are discouraged.
      */
     @Deprecated
     public ProducerOptions setEncoding(@Nonnull StreamEncoding encoding) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java
deleted file mode 100644
index eded853b..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/util/StreamGeneratorWrapper.java
+++ /dev/null
@@ -1,91 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.util;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.util.Date;
-
-import javax.annotation.Nonnull;
-
-import org.bouncycastle.openpgp.PGPCanonicalizedDataGenerator;
-import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
-import org.pgpainless.algorithm.StreamEncoding;
-
-/**
- * Literal Data can be encoded in different ways.
- * BINARY encoding leaves the data as is and is generated through the {@link PGPLiteralDataGenerator}.
- * However, if the data is encoded in TEXT or UTF8 encoding, we need to use the {@link PGPCanonicalizedDataGenerator}
- * instead.
- *
- * This wrapper class acts as a handle for both options and provides a unified interface for them.
- */
-public final class StreamGeneratorWrapper {
-
-    private final StreamEncoding encoding;
-    private final PGPLiteralDataGenerator literalDataGenerator;
-    private final PGPCanonicalizedDataGenerator canonicalizedDataGenerator;
-
-    /**
-     * Create a new instance for the given encoding.
-     *
-     * @param encoding stream encoding
-     * @return wrapper
-     */
-    public static StreamGeneratorWrapper forStreamEncoding(@Nonnull StreamEncoding encoding) {
-        if (encoding == StreamEncoding.BINARY) {
-            return new StreamGeneratorWrapper(encoding, new PGPLiteralDataGenerator());
-        } else {
-            return new StreamGeneratorWrapper(encoding, new PGPCanonicalizedDataGenerator());
-        }
-    }
-
-    private StreamGeneratorWrapper(@Nonnull StreamEncoding encoding, @Nonnull PGPLiteralDataGenerator literalDataGenerator) {
-        if (encoding != StreamEncoding.BINARY) {
-            throw new IllegalArgumentException("PGPLiteralDataGenerator can only be used with BINARY encoding.");
-        }
-        this.encoding = encoding;
-        this.literalDataGenerator = literalDataGenerator;
-        this.canonicalizedDataGenerator = null;
-    }
-
-    private StreamGeneratorWrapper(@Nonnull StreamEncoding encoding, @Nonnull PGPCanonicalizedDataGenerator canonicalizedDataGenerator) {
-        if (encoding != StreamEncoding.TEXT && encoding != StreamEncoding.UTF8) {
-            throw new IllegalArgumentException("PGPCanonicalizedDataGenerator can only be used with TEXT or UTF8 encoding.");
-        }
-        this.encoding = encoding;
-        this.canonicalizedDataGenerator = canonicalizedDataGenerator;
-        this.literalDataGenerator = null;
-    }
-
-    /**
-     * Open a new encoding stream.
-     *
-     * @param outputStream wrapped output stream
-     * @param filename file name
-     * @param modificationDate modification date
-     * @param buffer buffer
-     * @return encoding stream
-     */
-    public OutputStream open(OutputStream outputStream, String filename, Date modificationDate, byte[] buffer) throws IOException {
-        if (literalDataGenerator != null) {
-            return literalDataGenerator.open(outputStream, encoding.getCode(), filename, modificationDate, buffer);
-        } else {
-            return canonicalizedDataGenerator.open(outputStream, encoding.getCode(), filename, modificationDate, buffer);
-        }
-    }
-
-    /**
-     * Close all encoding streams opened by this generator wrapper.
-     */
-    public void close() throws IOException {
-        if (literalDataGenerator != null) {
-            literalDataGenerator.close();
-        }
-        if (canonicalizedDataGenerator != null) {
-            canonicalizedDataGenerator.close();
-        }
-    }
-}
diff --git a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
index 9be3569e..7cae970e 100644
--- a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
+++ b/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
@@ -4,31 +4,46 @@
 
 package investigations;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
 
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.CompressionAlgorithmTags;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
+import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.encryption_signing.CRLFGeneratorStream;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.protection.UnlockSecretKey;
 
 public class CanonicalizedDataEncryptionTest {
 
@@ -134,7 +149,6 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    @Disabled("Fails")
     public void textDataBinarySig() throws PGPException, IOException {
         String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
@@ -163,7 +177,6 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    @Disabled("Fails")
     public void utf8DataBinarySig() throws PGPException, IOException {
         String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
@@ -228,4 +241,75 @@ public class CanonicalizedDataEncryptionTest {
 
         return decryptionStream.getResult();
     }
+
+    @Test
+    public void testManualSignWithAllCombinations() throws PGPException, IOException {
+        for (StreamEncoding streamEncoding : StreamEncoding.values()) {
+            for (DocumentSignatureType sigType : DocumentSignatureType.values()) {
+                manualSignAndVerify(sigType, streamEncoding);
+            }
+        }
+    }
+
+    public void manualSignAndVerify(DocumentSignatureType sigType, StreamEncoding streamEncoding)
+            throws IOException, PGPException {
+        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), SecretKeyRingProtector.unprotectedKeys());
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
+
+        PGPCompressedDataGenerator compressor = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZLIB);
+        OutputStream compressedOut = compressor.open(armorOut);
+
+        PGPSignatureGenerator signer = new PGPSignatureGenerator(
+                new BcPGPContentSignerBuilder(
+                        secretKeys.getPublicKey().getAlgorithm(),
+                        HashAlgorithm.SHA256.getAlgorithmId()));
+        signer.init(sigType.getSignatureType().getCode(), privateKey);
+
+        PGPOnePassSignature ops = signer.generateOnePassVersion(false);
+        ops.encode(compressedOut);
+
+        PGPLiteralDataGenerator author = new PGPLiteralDataGenerator();
+        OutputStream literalOut = author.open(compressedOut, streamEncoding.getCode(), "", PGPLiteralData.NOW, new byte[4096]);
+
+        byte[] msg = message.getBytes(StandardCharsets.UTF_8);
+
+        ByteArrayOutputStream crlfed = new ByteArrayOutputStream();
+        CRLFGeneratorStream crlfOut = new CRLFGeneratorStream(crlfed, streamEncoding);
+        crlfOut.write(msg);
+        msg = crlfed.toByteArray();
+
+        for (byte b : msg) {
+            literalOut.write(b);
+            signer.update(b);
+        }
+
+        literalOut.close();
+        PGPSignature signature = signer.generate();
+
+        signature.encode(compressedOut);
+        compressor.close();
+
+        armorOut.close();
+
+        String ciphertext = out.toString();
+        // CHECKSTYLE:OFF
+        System.out.println(sigType + " " + streamEncoding);
+        System.out.println(ciphertext);
+        // CHECKSTYLE:ON
+
+        ByteArrayInputStream cipherIn = new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8));
+        ByteArrayOutputStream decrypted = new ByteArrayOutputStream();
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                        .onInputStream(cipherIn)
+                                .withOptions(new ConsumerOptions()
+                                        .addVerificationCert(publicKeys));
+
+        Streams.pipeAll(decryptionStream, decrypted);
+        decryptionStream.close();
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+        assertTrue(metadata.isVerified(), "Not verified! Sig Type: " + sigType + " StreamEncoding: " + streamEncoding);
+
+        assertArrayEquals(msg, decrypted.toByteArray());
+    }
 }

From ade07bde85385791cb918f96446dac2770404605 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Mar 2022 16:43:23 +0200
Subject: [PATCH 0383/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f609c7e..797d7d64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.1.5-SNAPSHOT
 - SOP encrypt: match signature type when using `encrypt --as=` option
+- `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding
+  - This fixes broken signature generation for mismatching (`StreamEncoding`,`DocumentSignatureType`) tuples.
+  - Applications that rely on CRLF-encoding must now apply that encoding themselves (see [#264](https://github.com/pgpainless/pgpainless/issues/264#issuecomment-1083206738) for details).
 
 ## 1.1.4
 - Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring

From f8e66f4d611c523ecc508d087a2125bcba7c3b96 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 31 Mar 2022 15:03:50 +0200
Subject: [PATCH 0384/1450] Add ProducerOptions.applyCRLFEncoding()

Enabling it will automatically apply CRLF encoding to input data.
Further, disentangle signing from the encryption stream
---
 .../encryption_signing/EncryptionStream.java  |  35 +++--
 .../encryption_signing/ProducerOptions.java   |  37 +++++-
 .../SignatureGenerationStream.java            |  61 +++++++++
 .../CanonicalizedDataEncryptionTest.java      | 122 +++++++++++++++---
 4 files changed, 214 insertions(+), 41 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
 rename pgpainless-core/src/test/java/{investigations => org/pgpainless/decryption_verification}/CanonicalizedDataEncryptionTest.java (75%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 66fd1d24..3b737702 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -21,6 +21,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
 import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.SubkeyIdentifier;
@@ -70,6 +71,8 @@ public final class EncryptionStream extends OutputStream {
         prepareCompression();
         prepareOnePassSignatures();
         prepareLiteralDataProcessing();
+        prepareSigningStream();
+        prepareInputEncoding();
     }
 
     private void prepareArmor() {
@@ -174,20 +177,19 @@ public final class EncryptionStream extends OutputStream {
                 .setFileEncoding(options.getEncoding());
     }
 
+    public void prepareSigningStream() {
+        outermostStream = new SignatureGenerationStream(outermostStream, options.getSigningOptions());
+    }
+
+    public void prepareInputEncoding() {
+        CRLFGeneratorStream crlfGeneratorStream = new CRLFGeneratorStream(outermostStream,
+                options.isApplyCRLFEncoding() ? StreamEncoding.UTF8 : StreamEncoding.BINARY);
+        outermostStream = crlfGeneratorStream;
+    }
+
     @Override
     public void write(int data) throws IOException {
         outermostStream.write(data);
-        SigningOptions signingOptions = options.getSigningOptions();
-        if (signingOptions == null || signingOptions.getSigningMethods().isEmpty()) {
-            return;
-        }
-
-        for (SubkeyIdentifier signingKey : signingOptions.getSigningMethods().keySet()) {
-            SigningOptions.SigningMethod signingMethod = signingOptions.getSigningMethods().get(signingKey);
-            PGPSignatureGenerator signatureGenerator = signingMethod.getSignatureGenerator();
-            byte asByte = (byte) (data & 0xff);
-            signatureGenerator.update(asByte);
-        }
     }
 
     @Override
@@ -199,15 +201,6 @@ public final class EncryptionStream extends OutputStream {
     @Override
     public void write(@Nonnull byte[] buffer, int off, int len) throws IOException {
         outermostStream.write(buffer, 0, len);
-        SigningOptions signingOptions = options.getSigningOptions();
-        if (signingOptions == null || signingOptions.getSigningMethods().isEmpty()) {
-            return;
-        }
-        for (SubkeyIdentifier signingKey : signingOptions.getSigningMethods().keySet()) {
-            SigningOptions.SigningMethod signingMethod = signingOptions.getSigningMethods().get(signingKey);
-            PGPSignatureGenerator signatureGenerator = signingMethod.getSignatureGenerator();
-            signatureGenerator.update(buffer, 0, len);
-        }
     }
 
     @Override
@@ -221,6 +214,8 @@ public final class EncryptionStream extends OutputStream {
             return;
         }
 
+        outermostStream.close();
+
         // Literal Data
         if (literalDataStream != null) {
             literalDataStream.flush();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 9ee3c03e..41d9ca85 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -19,7 +19,8 @@ public final class ProducerOptions {
     private final SigningOptions signingOptions;
     private String fileName = "";
     private Date modificationDate = PGPLiteralData.NOW;
-    private StreamEncoding streamEncoding = StreamEncoding.BINARY;
+    private StreamEncoding encodingField = StreamEncoding.BINARY;
+    private boolean applyCRLFEncoding = false;
     private boolean cleartextSigned = false;
 
     private CompressionAlgorithm compressionAlgorithmOverride = PGPainless.getPolicy().getCompressionAlgorithmPolicy()
@@ -223,9 +224,12 @@ public final class ProducerOptions {
     }
 
     /**
-     * Set the format of the literal data packet.
+     * Set format metadata field of the literal data packet.
      * Defaults to {@link StreamEncoding#BINARY}.
      *
+     * This does not change the encoding of the wrapped data itself.
+     * To apply CR/LF encoding to your input data before processing, use {@link #applyCRLFEncoding(boolean)} instead.
+     *
      * @see RFC4880 §5.9. Literal Data Packet
      *
      * @param encoding encoding
@@ -235,12 +239,37 @@ public final class ProducerOptions {
      */
     @Deprecated
     public ProducerOptions setEncoding(@Nonnull StreamEncoding encoding) {
-        this.streamEncoding = encoding;
+        this.encodingField = encoding;
         return this;
     }
 
     public StreamEncoding getEncoding() {
-        return streamEncoding;
+        return encodingField;
+    }
+
+    /**
+     * Apply special encoding of line endings to the input data.
+     * By default, this is set to 
false
, which means that the data is not altered.
+     *
+     * Setting it to 
true
 will change the line endings to CR/LF.
+     * Note: The encoding will not be reversed when decrypting, so applying CR/LF encoding will result in
+     * the identity "decrypt(encrypt(data)) == data == verify(sign(data))".
+     *
+     * @param applyCRLFEncoding apply crlf encoding
+     * @return this
+     */
+    public ProducerOptions applyCRLFEncoding(boolean applyCRLFEncoding) {
+        this.applyCRLFEncoding = applyCRLFEncoding;
+        return this;
+    }
+
+    /**
+     * Return the input encoding that will be applied before signing / encryption.
+     *
+     * @return input encoding
+     */
+    public boolean isApplyCRLFEncoding() {
+        return applyCRLFEncoding;
     }
 
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
new file mode 100644
index 00000000..69ae1346
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
@@ -0,0 +1,61 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.pgpainless.key.SubkeyIdentifier;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.io.OutputStream;
+
+class SignatureGenerationStream extends OutputStream {
+
+    private final OutputStream wrapped;
+    private final SigningOptions options;
+
+    SignatureGenerationStream(OutputStream wrapped, SigningOptions signingOptions) {
+        this.wrapped = wrapped;
+        this.options = signingOptions;
+    }
+
+    @Override
+    public void write(int b) throws IOException {
+        wrapped.write(b);
+        if (options == null || options.getSigningMethods().isEmpty()) {
+            return;
+        }
+
+        for (SubkeyIdentifier signingKey : options.getSigningMethods().keySet()) {
+            SigningOptions.SigningMethod signingMethod = options.getSigningMethods().get(signingKey);
+            PGPSignatureGenerator signatureGenerator = signingMethod.getSignatureGenerator();
+            byte asByte = (byte) (b & 0xff);
+            signatureGenerator.update(asByte);
+        }
+    }
+
+    @Override
+    public void write(@Nonnull byte[] buffer) throws IOException {
+        write(buffer, 0, buffer.length);
+    }
+
+    @Override
+    public void write(@Nonnull byte[] buffer, int off, int len) throws IOException {
+        wrapped.write(buffer, 0, len);
+        if (options == null || options.getSigningMethods().isEmpty()) {
+            return;
+        }
+        for (SubkeyIdentifier signingKey : options.getSigningMethods().keySet()) {
+            SigningOptions.SigningMethod signingMethod = options.getSigningMethods().get(signingKey);
+            PGPSignatureGenerator signatureGenerator = signingMethod.getSignatureGenerator();
+            signatureGenerator.update(buffer, 0, len);
+        }
+    }
+
+    @Override
+    public void close() throws IOException {
+        wrapped.close();
+    }
+}
diff --git a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
similarity index 75%
rename from pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
index 7cae970e..e1722343 100644
--- a/pgpainless-core/src/test/java/investigations/CanonicalizedDataEncryptionTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package investigations;
+package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -34,9 +34,6 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.encryption_signing.CRLFGeneratorStream;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
@@ -120,9 +117,11 @@ public class CanonicalizedDataEncryptionTest {
         // CHECKSTYLE:ON
     }
 
+    // NO CR/LF ENCODING PRIOR TO PROCESSING
+
     @Test
-    public void binaryDataBinarySig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.BINARY);
+    public void noInputEncodingBinaryDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.BINARY, false);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -135,8 +134,8 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    public void binaryDataTextSig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.BINARY);
+    public void noInputEncodingBinaryDataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.BINARY, false);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -149,8 +148,8 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    public void textDataBinarySig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT);
+    public void noInputEncodingTextDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, false);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -163,8 +162,8 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    public void textDataTextSig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.TEXT);
+    public void noInputEncodingTextDataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.TEXT, false);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -177,8 +176,8 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    public void utf8DataBinarySig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8);
+    public void noInputEncodingUtf8DataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8, false);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -191,8 +190,23 @@ public class CanonicalizedDataEncryptionTest {
     }
 
     @Test
-    public void utf8DataTextSig() throws PGPException, IOException {
-        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.UTF8);
+    public void noInputEncodingUtf8DataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.UTF8, false);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+    // APPLY CR/LF ENCODING PRIOR TO PROCESSING
+
+    @Test
+    public void inputEncodingBinaryDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.BINARY, true);
         OpenPgpMetadata metadata = decryptAndVerify(msg);
 
         if (!metadata.isVerified()) {
@@ -204,7 +218,80 @@ public class CanonicalizedDataEncryptionTest {
         }
     }
 
-    private String encryptAndSign(String message, DocumentSignatureType sigType, StreamEncoding dataFormat)
+    @Test
+    public void inputEncodingBinaryDataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.BINARY, true);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+
+    @Test
+    public void inputEncodingTextDataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, true);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+
+    @Test
+    public void inputEncodingTextDataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.TEXT, true);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+
+    @Test
+    public void inputEncodingUtf8DataBinarySig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.UTF8, true);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+
+    @Test
+    public void inputEncodingUtf8DataTextSig() throws PGPException, IOException {
+        String msg = encryptAndSign(message, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT, StreamEncoding.UTF8, true);
+        OpenPgpMetadata metadata = decryptAndVerify(msg);
+
+        if (!metadata.isVerified()) {
+            // CHECKSTYLE:OFF
+            System.out.println("Not verified. Session-Key: " + metadata.getSessionKey());
+            System.out.println(msg);
+            // CHECKSTYLE:ON
+            fail();
+        }
+    }
+
+    private String encryptAndSign(String message,
+                                  DocumentSignatureType sigType,
+                                  StreamEncoding dataFormat,
+                                  boolean applyCRLFEncoding)
             throws PGPException, IOException {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
 
@@ -218,6 +305,7 @@ public class CanonicalizedDataEncryptionTest {
                                         .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, sigType)
                         )
                         .setEncoding(dataFormat)
+                        .applyCRLFEncoding(applyCRLFEncoding)
                 );
 
         ByteArrayInputStream inputStream = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));

From 131c0c6d036c19d4d3f7eed3ddc44cfb93e92676 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 31 Mar 2022 15:10:50 +0200
Subject: [PATCH 0385/1450] Add javadoc header to SignatureGenerationStream

---
 .../encryption_signing/SignatureGenerationStream.java          | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
index 69ae1346..55ee943f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
@@ -11,6 +11,9 @@ import javax.annotation.Nonnull;
 import java.io.IOException;
 import java.io.OutputStream;
 
+/**
+ * OutputStream which has the task of updating signature generators for written data.
+ */
 class SignatureGenerationStream extends OutputStream {
 
     private final OutputStream wrapped;

From 39382c7de6d28c3c63ff58cae8aa1a71505ac1a2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 31 Mar 2022 15:29:06 +0200
Subject: [PATCH 0386/1450] Add annotations to SignatureGenerationStream
 constructor

---
 .../encryption_signing/SignatureGenerationStream.java          | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
index 55ee943f..7a96f2e1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SignatureGenerationStream.java
@@ -8,6 +8,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.pgpainless.key.SubkeyIdentifier;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import java.io.IOException;
 import java.io.OutputStream;
 
@@ -19,7 +20,7 @@ class SignatureGenerationStream extends OutputStream {
     private final OutputStream wrapped;
     private final SigningOptions options;
 
-    SignatureGenerationStream(OutputStream wrapped, SigningOptions signingOptions) {
+    SignatureGenerationStream(@Nonnull OutputStream wrapped, @Nullable SigningOptions signingOptions) {
         this.wrapped = wrapped;
         this.options = signingOptions;
     }

From 50bcb6a1357d9390a81595bce7acfe96c68986cc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 31 Mar 2022 21:56:24 +0200
Subject: [PATCH 0387/1450] Fix changelog and change method signature

---
 CHANGELOG.md                                  |  4 +-
 .../CRLFGeneratorStream.java                  | 15 -----
 .../encryption_signing/ProducerOptions.java   |  9 ++-
 .../CanonicalizedDataEncryptionTest.java      | 64 ++++++++++++++++---
 4 files changed, 60 insertions(+), 32 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 797d7d64..44686127 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,9 +7,9 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.1.5-SNAPSHOT
 - SOP encrypt: match signature type when using `encrypt --as=` option
-- `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding
+- `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding.
   - This fixes broken signature generation for mismatching (`StreamEncoding`,`DocumentSignatureType`) tuples.
-  - Applications that rely on CRLF-encoding must now apply that encoding themselves (see [#264](https://github.com/pgpainless/pgpainless/issues/264#issuecomment-1083206738) for details).
+  - Applications that rely on CRLF-encoding can request PGPainless to apply this encoding by calling `ProducerOptions.applyCRLFEncoding(true)`.
 
 ## 1.1.4
 - Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
index f5b13f2a..9743f6f9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
@@ -12,21 +12,6 @@ import java.io.OutputStream;
 
 /**
  * {@link OutputStream} which applies CR-LF encoding of its input data, based on the desired {@link StreamEncoding}.
- *
- *
- * If you need PGPainless to CRLF encode signed data for you, you could do the following:
- * {@code
- * 
- *     InputStream plaintext = ...
- *     EncryptionStream signerOrEncryptor = PGPainless.signAndOrEncrypt(...);
- *     CRLFGeneratorStream crlfOut = new CRLFGeneratorStream(signerOrEncryptor, streamEncoding);
- *
- *     Streams.pipeAll(plaintext, crlfOut);
- *     crlfOut.close;
- *
- *     EncryptionResult result = signerOrEncryptor.getResult();
- * 

- * }
  * This implementation originates from the Bouncy Castle library.
  */
 public class CRLFGeneratorStream extends OutputStream {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index 41d9ca85..ae335db4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -249,17 +249,16 @@ public final class ProducerOptions {
 
     /**
      * Apply special encoding of line endings to the input data.
-     * By default, this is set to 
false
, which means that the data is not altered.
+     * By default, this is disabled, which means that the data is not altered.
      *
-     * Setting it to 
true
 will change the line endings to CR/LF.
+     * Enabling it will change the line endings to CR/LF.
      * Note: The encoding will not be reversed when decrypting, so applying CR/LF encoding will result in
      * the identity "decrypt(encrypt(data)) == data == verify(sign(data))".
      *
-     * @param applyCRLFEncoding apply crlf encoding
      * @return this
      */
-    public ProducerOptions applyCRLFEncoding(boolean applyCRLFEncoding) {
-        this.applyCRLFEncoding = applyCRLFEncoding;
+    public ProducerOptions applyCRLFEncoding() {
+        this.applyCRLFEncoding = true;
         return this;
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
index e1722343..c427af99 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CanonicalizedDataEncryptionTest.java
@@ -288,6 +288,47 @@ public class CanonicalizedDataEncryptionTest {
         }
     }
 
+    @Test
+    public void resultOfDecryptionIsCRLFEncoded() throws PGPException, IOException {
+        String before = "Foo\nBar!\n";
+        String after = "Foo\r\nBar!\r\n";
+
+        String encrypted = encryptAndSign(before, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, true);
+
+        ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys())
+                        .addVerificationCert(publicKeys));
+
+        ByteArrayOutputStream decrypted = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, decrypted);
+        decryptionStream.close();
+
+        assertArrayEquals(after.getBytes(StandardCharsets.UTF_8), decrypted.toByteArray());
+    }
+
+    @Test
+    public void resultOfDecryptionIsNotCRLFEncoded() throws PGPException, IOException {
+        String beforeAndAfter = "Foo\nBar!\n";
+
+        String encrypted = encryptAndSign(beforeAndAfter, DocumentSignatureType.BINARY_DOCUMENT, StreamEncoding.TEXT, false);
+
+        ByteArrayInputStream in = new ByteArrayInputStream(encrypted.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(secretKeys, SecretKeyRingProtector.unprotectedKeys())
+                        .addVerificationCert(publicKeys));
+
+        ByteArrayOutputStream decrypted = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, decrypted);
+        decryptionStream.close();
+
+        assertArrayEquals(beforeAndAfter.getBytes(StandardCharsets.UTF_8), decrypted.toByteArray());
+    }
+
     private String encryptAndSign(String message,
                                   DocumentSignatureType sigType,
                                   StreamEncoding dataFormat,
@@ -295,18 +336,21 @@ public class CanonicalizedDataEncryptionTest {
             throws PGPException, IOException {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
 
+        ProducerOptions options = ProducerOptions
+                .signAndEncrypt(
+                        EncryptionOptions.encryptCommunications()
+                                .addRecipient(publicKeys),
+                        SigningOptions.get()
+                                .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, sigType)
+                )
+                .setEncoding(dataFormat);
+        if (applyCRLFEncoding) {
+            options.applyCRLFEncoding();
+        }
+
         EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
                 .onOutputStream(out)
-                .withOptions(ProducerOptions
-                        .signAndEncrypt(
-                                EncryptionOptions.encryptCommunications()
-                                        .addRecipient(publicKeys),
-                                SigningOptions.get()
-                                        .addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, sigType)
-                        )
-                        .setEncoding(dataFormat)
-                        .applyCRLFEncoding(applyCRLFEncoding)
-                );
+                .withOptions(options);
 
         ByteArrayInputStream inputStream = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));
         Streams.pipeAll(inputStream, encryptionStream);

From 8ec86e6464e647fc986a962c208f5a17fc112449 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 2 Apr 2022 17:03:38 +0200
Subject: [PATCH 0388/1450] Rename KeyRingUtil.removeSecretKey() to
 stripSecretKey()

---
 .../org/pgpainless/key/util/KeyRingUtils.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 502dbff8..0fe6df89 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -430,11 +430,35 @@ public final class KeyRingUtils {
      *
      * @throws IOException
      * @throws PGPException
+     *
+     * @deprecated use {@link #stripSecretKey(PGPSecretKeyRing, long)} instead.
+     * TODO: Remove in 1.2.X
      */
     @Nonnull
+    @Deprecated
     public static PGPSecretKeyRing removeSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
                                                    long secretKeyId)
             throws IOException, PGPException {
+        return stripSecretKey(secretKeys, secretKeyId);
+    }
+
+    /**
+     * Remove the secret key of the subkey identified by the given secret key id from the key ring.
+     * The public part stays attached to the key ring, so that it can still be used for encryption / verification of signatures.
+     *
+     * This method is intended to be used to remove secret primary keys from live keys when those are kept in offline storage.
+     *
+     * @param secretKeys secret key ring
+     * @param secretKeyId id of the secret key to remove
+     * @return secret key ring with removed secret key
+     *
+     * @throws IOException
+     * @throws PGPException
+     */
+    @Nonnull
+    public static PGPSecretKeyRing stripSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
+                                                   long secretKeyId)
+            throws IOException, PGPException {
         if (secretKeys.getSecretKey(secretKeyId) == null) {
             throw new NoSuchElementException("PGPSecretKeyRing does not contain secret key " + Long.toHexString(secretKeyId));
         }

From 6869c669378a4f6c244474b174e47eb701745d1c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 2 Apr 2022 17:12:12 +0200
Subject: [PATCH 0389/1450] Add TODOs to remove deprecated methods in 1.2.X

---
 .../org/pgpainless/encryption_signing/EncryptionResult.java     | 2 ++
 .../org/pgpainless/key/protection/SecretKeyRingProtector.java   | 2 ++
 .../src/main/java/org/pgpainless/key/util/KeyRingUtils.java     | 1 +
 .../pgpainless/signature/consumer/DetachedSignatureCheck.java   | 2 ++
 .../src/main/java/org/pgpainless/util/ArmorUtils.java           | 2 ++
 5 files changed, 9 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
index d1bc3d7f..10342a3c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
@@ -51,6 +51,8 @@ public final class EncryptionResult {
      * @return symmetric encryption algorithm
      *
      * @deprecated use {@link #getEncryptionAlgorithm()} instead.
+     *
+     * TODO: Remove in 1.2.X
      */
     @Deprecated
     public SymmetricKeyAlgorithm getSymmetricKeyAlgorithm() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
index 2709b143..84f47155 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
@@ -77,6 +77,8 @@ public interface SecretKeyRingProtector {
      * @param keys key ring
      * @return protector
      * @deprecated use {@link #unlockEachKeyWith(Passphrase, PGPSecretKeyRing)} instead.
+     *
+     * TODO: Remove in 1.2.X
      */
     @Deprecated
     static SecretKeyRingProtector unlockAllKeysWith(@Nonnull Passphrase passphrase, @Nonnull PGPSecretKeyRing keys) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 0fe6df89..f64133b0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -385,6 +385,7 @@ public final class KeyRingUtils {
             // TODO: Replace with PGPSecretKeyRing.insertOrReplacePublicKey() once available
             //  Right now replacePublicKeys looses extra public keys.
             //  See https://github.com/bcgit/bc-java/pull/1068 for a possible fix
+            //  Fix once BC 171 gets released.
             secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys);
             return (T) secretKeys;
         }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
index 1f6114bb..a431c5de 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
@@ -63,6 +63,8 @@ public class DetachedSignatureCheck {
      *
      * @return fingerprint of the signing key
      * @deprecated use {@link #getSigningKeyIdentifier()} instead.
+     *
+     * TODO: Remove in 1.2.X
      */
     @Deprecated
     public OpenPgpFingerprint getFingerprint() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 8e93ce6d..1d3c17cc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -280,6 +280,8 @@ public final class ArmorUtils {
      * @return armored output stream
      *
      * @deprecated use {@link #toAsciiArmoredStream(PGPKeyRing, OutputStream)} instead
+     *
+     * TODO: Remove in 1.2.X
      */
     @Deprecated
     @Nonnull

From 7eb2f5fb4d84768b4424470794b5f9a9fd015d85 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 2 Apr 2022 17:16:37 +0200
Subject: [PATCH 0390/1450] Document how PGPainlessCLI works

---
 .../src/main/java/org/pgpainless/cli/PGPainlessCLI.java       | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
index b199ec72..35791a3e 100644
--- a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
+++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
@@ -7,6 +7,10 @@ package org.pgpainless.cli;
 import org.pgpainless.sop.SOPImpl;
 import sop.cli.picocli.SopCLI;
 
+/**
+ * This class merely binds PGPainless to {@link SopCLI} by injecting a {@link SOPImpl} instance.
+ * CLI command calls are then simply forwarded to {@link SopCLI#execute(String[])}.
+ */
 public class PGPainlessCLI {
 
     static {

From 4bd01578fbecf02d39e49b8e7157cb9103986a2f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 2 Apr 2022 18:14:17 +0200
Subject: [PATCH 0391/1450] Fix javadoc generation

---
 .../java/org/pgpainless/encryption_signing/ProducerOptions.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index ae335db4..c0e60181 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -228,7 +228,7 @@ public final class ProducerOptions {
      * Defaults to {@link StreamEncoding#BINARY}.
      *
      * This does not change the encoding of the wrapped data itself.
-     * To apply CR/LF encoding to your input data before processing, use {@link #applyCRLFEncoding(boolean)} instead.
+     * To apply CR/LF encoding to your input data before processing, use {@link #applyCRLFEncoding()} instead.
      *
      * @see RFC4880 §5.9. Literal Data Packet
      *

From 58dee0d970b055e4304f3d1ffd885dff1cc00b83 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 2 Apr 2022 18:56:05 +0200
Subject: [PATCH 0392/1450] Fix javadoc warnings

---
 .../main/java/org/pgpainless/PGPainless.java  |  2 +
 .../MessageInspector.java                     |  6 ++
 .../ClearsignedMessageUtil.java               |  2 +
 .../EncryptionBuilderInterface.java           |  5 +-
 .../encryption_signing/EncryptionOptions.java |  1 +
 .../encryption_signing/SigningOptions.java    |  2 +
 .../key/generation/KeyRingTemplates.java      | 36 ++++++++++
 .../SecretKeyRingEditorInterface.java         | 66 ++++++++++++++++++-
 .../pgpainless/key/parsing/KeyRingReader.java | 10 +++
 .../protection/SecretKeyRingProtector.java    |  3 +
 .../org/pgpainless/key/util/KeyRingUtils.java |  8 +--
 .../pgpainless/signature/SignatureUtils.java  |  2 +
 .../builder/AbstractSignatureBuilder.java     |  2 +
 ...irdPartyCertificationSignatureBuilder.java |  4 ++
 .../signature/consumer/SignaturePicker.java   | 12 ++++
 .../consumer/SignatureValidityComparator.java |  2 +
 .../subpackets/SignatureSubpacketsUtil.java   |  2 +
 .../java/org/pgpainless/util/ArmorUtils.java  |  2 +
 18 files changed, 160 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index bd353f24..46dd35c2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -71,6 +71,8 @@ public final class PGPainless {
      *
      * @param key key or certificate
      * @return ascii armored string
+     *
+     * @throws IOException in case of an error in the {@link org.bouncycastle.bcpg.ArmoredOutputStream}
      */
     public static String asciiArmor(@Nonnull PGPKeyRing key) throws IOException {
         if (key instanceof PGPSecretKeyRing) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java
index a9948f1d..3dda0f5d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageInspector.java
@@ -75,6 +75,9 @@ public final class MessageInspector {
      *
      * @param message OpenPGP message
      * @return encryption info
+     *
+     * @throws PGPException in case the message is broken
+     * @throws IOException in case of an IO error
      */
     public static EncryptionInfo determineEncryptionInfoForMessage(String message) throws PGPException, IOException {
         @SuppressWarnings("CharsetObjectCanBeUsed")
@@ -88,6 +91,9 @@ public final class MessageInspector {
      *
      * @param dataIn openpgp message
      * @return encryption information
+     *
+     * @throws IOException in case of an IO error
+     * @throws PGPException if the message is broken
      */
     public static EncryptionInfo determineEncryptionInfoForMessage(InputStream dataIn) throws IOException, PGPException {
         InputStream decoded = ArmorUtils.getDecoderStream(dataIn);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
index d2b514bb..ee166c99 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
@@ -35,7 +35,9 @@ public final class ClearsignedMessageUtil {
      * @param clearsignedInputStream input stream containing a clearsigned message
      * @param messageOutputStream output stream to which the dearmored message shall be written
      * @return signatures
+     *
      * @throws IOException if the message is not clearsigned or some other IO error happens
+     * @throws WrongConsumingMethodException in case the armored message is not cleartext signed
      */
     public static PGPSignatureList detachSignaturesFromInbandClearsignedMessage(InputStream clearsignedInputStream,
                                                                                 OutputStream messageOutputStream)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java
index 9ba0bb78..c705c0b1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionBuilderInterface.java
@@ -27,7 +27,10 @@ public interface EncryptionBuilderInterface {
          * Create an {@link EncryptionStream} with the given options (recipients, signers, algorithms...).
          *
          * @param options options
-         * @return encryption strea
+         * @return encryption stream
+         *
+         * @throws PGPException if something goes wrong during encryption stream preparation
+         * @throws IOException if something goes wrong during encryption stream preparation (writing headers)
          */
         EncryptionStream withOptions(ProducerOptions options) throws PGPException, IOException;
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 48107b23..af557703 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -282,6 +282,7 @@ public class EncryptionOptions {
      * If the algorithm is not overridden, a suitable algorithm will be negotiated.
      *
      * @param encryptionAlgorithm encryption algorithm override
+     * @return this
      */
     public EncryptionOptions overrideEncryptionAlgorithm(SymmetricKeyAlgorithm encryptionAlgorithm) {
         if (encryptionAlgorithm == SymmetricKeyAlgorithm.NULL) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 0db93407..0608b22e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -58,6 +58,7 @@ public final class SigningOptions {
          * The resulting signature will be written into the message itself, together with a one-pass-signature packet.
          *
          * @param signatureGenerator signature generator
+         * @param hashAlgorithm hash algorithm used to generate the signature
          * @return inline signing method
          */
         public static SigningMethod inlineSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) {
@@ -70,6 +71,7 @@ public final class SigningOptions {
          * to the signed message.
          *
          * @param signatureGenerator signature generator
+         * @param hashAlgorithm hash algorithm used to generate the signature
          * @return detached signing method
          */
         public static SigningMethod detachedSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 0917b110..0d663ff9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -33,6 +33,10 @@ public final class KeyRingTemplates {
      * @param length length in bits.
      *
      * @return {@link PGPSecretKeyRing} containing the KeyPair.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -47,6 +51,10 @@ public final class KeyRingTemplates {
      * @param length length in bits.
      *
      * @return {@link PGPSecretKeyRing} containing the KeyPair.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -62,6 +70,10 @@ public final class KeyRingTemplates {
      * @param password Password of the key. Can be null for unencrypted keys.
      *
      * @return {@link PGPSecretKeyRing} containing the KeyPair.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length, String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -77,6 +89,10 @@ public final class KeyRingTemplates {
      * @param password Password of the key. Can be null for unencrypted keys.
      *
      * @return {@link PGPSecretKeyRing} containing the KeyPair.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
@@ -98,6 +114,10 @@ public final class KeyRingTemplates {
      * @param userId user-id
      *
      * @return {@link PGPSecretKeyRing} containing the key pairs.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -112,6 +132,10 @@ public final class KeyRingTemplates {
      * @param userId user-id
      *
      * @return {@link PGPSecretKeyRing} containing the key pairs.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -127,6 +151,10 @@ public final class KeyRingTemplates {
      * @param password Password of the private key. Can be null for an unencrypted key.
      *
      * @return {@link PGPSecretKeyRing} containing the key pairs.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId, String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
@@ -142,6 +170,10 @@ public final class KeyRingTemplates {
      * @param password Password of the private key. Can be null for an unencrypted key.
      *
      * @return {@link PGPSecretKeyRing} containing the key pairs.
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
@@ -163,6 +195,10 @@ public final class KeyRingTemplates {
      * @param userId primary user id
      * @param password passphrase or null if the key should be unprotected.
      * @return key ring
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing modernKeyRing(String userId, String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
index ec579c9e..6f4d34b8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
@@ -34,6 +34,8 @@ public interface SecretKeyRingEditorInterface {
      * @param userId user-id
      * @param secretKeyRingProtector protector to unlock the secret key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a signature for the user-id
      */
     SecretKeyRingEditorInterface addUserId(
             @Nonnull CharSequence userId,
@@ -48,6 +50,8 @@ public interface SecretKeyRingEditorInterface {
      *                                   certification signature.
      * @param protector protector to unlock the primary secret key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a signature for the user-id
      */
     SecretKeyRingEditorInterface addUserId(
             @Nonnull CharSequence userId,
@@ -62,6 +66,8 @@ public interface SecretKeyRingEditorInterface {
      * @param userId user id
      * @param protector protector to unlock the secret key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a signature for the user-id
      */
     SecretKeyRingEditorInterface addPrimaryUserId(
             @Nonnull CharSequence userId,
@@ -76,6 +82,8 @@ public interface SecretKeyRingEditorInterface {
      * @param userIdSelector selector to select user-ids
      * @param protector protector to unlock the primary key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface removeUserId(SelectUserId userIdSelector,
                                               SecretKeyRingProtector protector)
@@ -89,6 +97,8 @@ public interface SecretKeyRingEditorInterface {
      * @param userId user-id to revoke
      * @param protector protector to unlock the primary key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface removeUserId(CharSequence userId,
                                               SecretKeyRingProtector protector)
@@ -102,6 +112,11 @@ public interface SecretKeyRingEditorInterface {
      * @param subKeyPassphrase passphrase to encrypt the sub key
      * @param secretKeyRingProtector protector to unlock the secret key of the key ring
      * @return the builder
+     *
+     * @throws InvalidAlgorithmParameterException in case the user wants to use invalid parameters for the key
+     * @throws NoSuchAlgorithmException in case of missing algorithm support in the crypto backend
+     * @throws PGPException in case we cannot generate a binding signature for the subkey
+     * @throws IOException in case of an IO error
      */
     SecretKeyRingEditorInterface addSubKey(
             @Nonnull KeySpec keySpec,
@@ -118,6 +133,11 @@ public interface SecretKeyRingEditorInterface {
      * @param subpacketsCallback callback to modify the subpackets of the subkey binding signature
      * @param secretKeyRingProtector protector to unlock the primary key
      * @return builder
+     *
+     * @throws InvalidAlgorithmParameterException in case the user wants to use invalid parameters for the key
+     * @throws NoSuchAlgorithmException in case of missing algorithm support in the crypto backend
+     * @throws PGPException in case we cannot generate a binding signature for the subkey
+     * @throws IOException in case of an IO error
      */
     SecretKeyRingEditorInterface addSubKey(
             @Nonnull KeySpec keySpec,
@@ -136,6 +156,10 @@ public interface SecretKeyRingEditorInterface {
      * @param keyFlag first key flag for the subkey
      * @param additionalKeyFlags optional additional key flags
      * @return builder
+     *
+     * @throws PGPException in case we cannot generate a binding signature for the subkey
+     * @throws IOException in case of an IO error
+     * @throws NoSuchAlgorithmException in case of missing algorithm support in the crypto backend
      */
     SecretKeyRingEditorInterface addSubKey(
             @Nonnull PGPKeyPair subkey,
@@ -152,6 +176,8 @@ public interface SecretKeyRingEditorInterface {
      *
      * @param secretKeyRingProtector protector of the primary key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature
      */
     default SecretKeyRingEditorInterface revoke(
             @Nonnull SecretKeyRingProtector secretKeyRingProtector)
@@ -166,6 +192,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector of the primary key
      * @param revocationAttributes reason for the revocation
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature
      */
     SecretKeyRingEditorInterface revoke(
             @Nonnull SecretKeyRingProtector secretKeyRingProtector,
@@ -180,6 +208,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param subpacketsCallback callback to modify the revocations subpackets
      * @return builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature
      */
     SecretKeyRingEditorInterface revoke(
             @Nonnull SecretKeyRingProtector secretKeyRingProtector,
@@ -198,6 +228,8 @@ public interface SecretKeyRingEditorInterface {
      * @param fingerprint fingerprint of the subkey to be revoked
      * @param secretKeyRingProtector protector to unlock the secret key ring
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the subkey
      */
     default SecretKeyRingEditorInterface revokeSubKey(
             @Nonnull OpenPgpFingerprint fingerprint,
@@ -215,6 +247,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key
      * @param revocationAttributes reason for the revocation
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the subkey
      */
     default SecretKeyRingEditorInterface revokeSubKey(
             OpenPgpFingerprint fingerprint,
@@ -235,6 +269,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key
      * @param revocationAttributes reason for the revocation
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the subkey
      */
     SecretKeyRingEditorInterface revokeSubKey(
             long subKeyId,
@@ -255,6 +291,8 @@ public interface SecretKeyRingEditorInterface {
      * @param subKeyId id of the subkey
      * @param secretKeyRingProtector protector to unlock the secret key ring
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the subkey
      */
     default SecretKeyRingEditorInterface revokeSubKey(
             long subKeyId,
@@ -279,6 +317,8 @@ public interface SecretKeyRingEditorInterface {
      * @param subpacketsCallback callback which can be used to modify the subpackets of the revocation
      *                           signature
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the subkey
      */
     SecretKeyRingEditorInterface revokeSubKey(
             long keyID,
@@ -296,6 +336,8 @@ public interface SecretKeyRingEditorInterface {
      * @param userId userId to revoke
      * @param secretKeyRingProtector protector to unlock the primary key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     default SecretKeyRingEditorInterface revokeUserId(
             @Nonnull CharSequence userId,
@@ -311,6 +353,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key
      * @param revocationAttributes reason for the revocation
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface revokeUserId(
             @Nonnull CharSequence userId,
@@ -329,6 +373,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param subpacketCallback callback to modify the revocations subpackets
      * @return builder
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface revokeUserId(
             @Nonnull CharSequence userId,
@@ -348,7 +394,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param revocationAttributes revocation attributes
      * @return builder
-     * @throws PGPException if the revocation signatures cannot be generated
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface revokeUserIds(
             @Nonnull SelectUserId userIdSelector,
@@ -370,7 +417,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary secret key
      * @param subpacketsCallback callback to modify the revocations subpackets
      * @return builder
-     * @throws PGPException if the revocation signatures cannot be generated
+     *
+     * @throws PGPException in case we cannot generate a revocation signature for the user-id
      */
     SecretKeyRingEditorInterface revokeUserIds(
             @Nonnull SelectUserId userIdSelector,
@@ -385,6 +433,8 @@ public interface SecretKeyRingEditorInterface {
      * @param expiration new expiration date or null
      * @param secretKeyRingProtector to unlock the secret key
      * @return the builder
+     *
+     * @throws PGPException in case we cannot generate a new self-signature with the changed expiration date
      */
     SecretKeyRingEditorInterface setExpirationDate(
             @Nullable Date expiration,
@@ -397,6 +447,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key.
      * @param revocationAttributes reason for the revocation
      * @return revocation certificate
+     *
+     * @throws PGPException in case we cannot generate a revocation certificate
      */
     PGPSignature createRevocationCertificate(
             @Nonnull SecretKeyRingProtector secretKeyRingProtector,
@@ -410,6 +462,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key.
      * @param revocationAttributes reason for the revocation
      * @return revocation certificate
+     *
+     * @throws PGPException in case we cannot generate a revocation certificate
      */
     PGPSignature createRevocationCertificate(
             long subkeyId,
@@ -424,6 +478,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key.
      * @param certificateSubpacketsCallback callback to modify the subpackets of the revocation certificate.
      * @return revocation certificate
+     *
+     * @throws PGPException in case we cannot generate a revocation certificate
      */
     PGPSignature createRevocationCertificate(
             long subkeyId,
@@ -438,6 +494,8 @@ public interface SecretKeyRingEditorInterface {
      * @param secretKeyRingProtector protector to unlock the primary key.
      * @param revocationAttributes reason for the revocation
      * @return revocation certificate
+     *
+     * @throws PGPException in case we cannot generate a revocation certificate
      */
     default PGPSignature createRevocationCertificate(
             OpenPgpFingerprint subkeyFingerprint,
@@ -521,6 +579,8 @@ public interface SecretKeyRingEditorInterface {
          *
          * @param passphrase passphrase
          * @return editor builder
+         *
+         * @throws PGPException in case the passphrase cannot be changed
          */
         SecretKeyRingEditorInterface toNewPassphrase(Passphrase passphrase)
                 throws PGPException;
@@ -529,6 +589,8 @@ public interface SecretKeyRingEditorInterface {
          * Leave the key unprotected.
          *
          * @return editor builder
+         *
+         * @throws PGPException in case the passphrase cannot be changed
          */
         SecretKeyRingEditorInterface toNoPassphrase() throws PGPException;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
index 5c347f75..0021f74e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
@@ -107,6 +107,8 @@ public class KeyRingReader {
      * @param inputStream input stream
      * @param maxIterations max iterations before abort
      * @return public key ring
+     *
+     * @throws IOException in case of an IO error or exceeding of max iterations
      */
     public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
@@ -142,6 +144,9 @@ public class KeyRingReader {
      * @param inputStream input stream
      * @param maxIterations max iterations before abort
      * @return public key ring collection
+     *
+     * @throws IOException in case of an IO error or exceeding of max iterations
+     * @throws PGPException in case of a broken key
      */
     public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations)
             throws IOException, PGPException {
@@ -186,6 +191,8 @@ public class KeyRingReader {
      * @param inputStream input stream
      * @param maxIterations max iterations before abort
      * @return public key ring
+     *
+     * @throws IOException in case of an IO error or exceeding of max iterations
      */
     public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
         InputStream decoderStream = ArmorUtils.getDecoderStream(inputStream);
@@ -222,6 +229,9 @@ public class KeyRingReader {
      * @param inputStream input stream
      * @param maxIterations max iterations before abort
      * @return secret key ring collection
+     *
+     * @throws IOException in case of an IO error or exceeding of max iterations
+     * @throws PGPException in case of a broken secret key
      */
     public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream,
                                                                          int maxIterations)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
index 84f47155..ee461a4e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
@@ -37,6 +37,8 @@ public interface SecretKeyRingProtector {
      *
      * @param keyId id of the key
      * @return decryptor for the key
+     *
+     * @throws PGPException if the decryptor cannot be created for some reason
      */
     @Nullable PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException;
 
@@ -46,6 +48,7 @@ public interface SecretKeyRingProtector {
      *
      * @param keyId id of the key
      * @return encryptor for the key
+     *
      * @throws PGPException if the encryptor cannot be created for some reason
      */
     @Nullable PBESecretKeyEncryptor getEncryptor(Long keyId) throws PGPException;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index f64133b0..375e3527 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -429,8 +429,8 @@ public final class KeyRingUtils {
      * @param secretKeyId id of the secret key to remove
      * @return secret key ring with removed secret key
      *
-     * @throws IOException
-     * @throws PGPException
+     * @throws IOException in case of an error during serialization / deserialization of the key
+     * @throws PGPException in case of a broken key
      *
      * @deprecated use {@link #stripSecretKey(PGPSecretKeyRing, long)} instead.
      * TODO: Remove in 1.2.X
@@ -453,8 +453,8 @@ public final class KeyRingUtils {
      * @param secretKeyId id of the secret key to remove
      * @return secret key ring with removed secret key
      *
-     * @throws IOException
-     * @throws PGPException
+     * @throws IOException in case of an error during serialization / deserialization of the key
+     * @throws PGPException in case of a broken key
      */
     @Nonnull
     public static PGPSecretKeyRing stripSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 420efc26..1ebbdda4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -193,7 +193,9 @@ public final class SignatureUtils {
      *
      * @param encodedSignatures ASCII armored signature list
      * @return signature list
+     *
      * @throws IOException if the signatures cannot be read
+     * @throws PGPException in case of a broken signature
      */
     public static List readSignatures(String encodedSignatures) throws IOException, PGPException {
         @SuppressWarnings("CharsetObjectCanBeUsed")
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java
index 08e496ac..1079f92f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/AbstractSignatureBuilder.java
@@ -114,6 +114,8 @@ public abstract class AbstractSignatureBuilder {
     /**
      * Create a new {@link SignatureValidityComparator} which orders signatures following the passed ordering.
      * Still, hard revocations will come first.
+     *
+     * @param order order of creation dates
      */
     public SignatureValidityComparator(SignatureCreationDateComparator.Order order) {
         this.creationDateComparator = new SignatureCreationDateComparator(order);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 12c6f1de..7d3b4622 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -506,6 +506,8 @@ public final class SignatureSubpacketsUtil {
      *
      * @param signature signature
      * @return embedded signature
+     *
+     * @throws PGPException in case the embedded signatures cannot be parsed
      */
     public static PGPSignatureList getEmbeddedSignature(PGPSignature signature) throws PGPException {
         PGPSignatureList hashed = signature.getHashedSubPackets().getEmbeddedSignatures();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 1d3c17cc..d95673a4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -544,6 +544,8 @@ public final class ArmorUtils {
      *
      * @param inputStream input stream
      * @return BufferedInputStreamExt
+     *
+     * @throws IOException in case of an IO error
      */
     @Nonnull
     public static InputStream getDecoderStream(@Nonnull InputStream inputStream)

From 4aaa242d64f98cc57e85ef7072832abb4ebfd736 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 10:40:57 +0200
Subject: [PATCH 0393/1450] Add javadoc to SignatureSubpacketsUtil

---
 .../signature/subpackets/SignatureSubpacketsUtil.java     | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 7d3b4622..5a839bcb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -438,7 +438,7 @@ public final class SignatureSubpacketsUtil {
     /**
      * Return the notation data subpackets from the signatures unhashed area.
      *
-     * @param signature signture
+     * @param signature signature
      * @return unhashed notations
      */
     public static List getUnhashedNotationData(PGPSignature signature) {
@@ -638,6 +638,12 @@ public final class SignatureSubpacketsUtil {
         }
     }
 
+    /**
+     * Make sure that a key of the given {@link PublicKeyAlgorithm} is able to carry the given key flags.
+     *
+     * @param algorithm key algorithm
+     * @param flags key flags
+     */
     public static void assureKeyCanCarryFlags(PublicKeyAlgorithm algorithm, KeyFlag... flags) {
         final int mask = KeyFlag.toBitmask(flags);
 

From bfbe03f9e08b62b2767e5ea7ff7b919891dd312c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 12:19:07 +0200
Subject: [PATCH 0394/1450] Document SelectUserIds

---
 .../util/selection/userid/SelectUserId.java   | 125 ++++++++++++++++--
 1 file changed, 113 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
index 25ee5a33..e86e59f3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
@@ -9,19 +9,44 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPKeyRing;
 import org.pgpainless.PGPainless;
+import org.pgpainless.key.info.KeyRingInfo;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
+/**
+ * Filter for selecting user-ids from keys and from lists.
+ */
 public abstract class SelectUserId {
 
+    /**
+     * Return true, if the given user-id is accepted by this particular filter, false otherwise.
+     *
+     * @param userId user-id
+     * @return acceptance of the filter
+     */
     protected abstract boolean accept(String userId);
 
-    public List selectUserIds(PGPKeyRing keyRing) {
+    /**
+     * Select all currently valid user-ids of the given key ring.
+     *
+     * @param keyRing public or secret key ring
+     * @return valid user-ids
+     */
+    @Nonnull
+    public List selectUserIds(@Nonnull PGPKeyRing keyRing) {
         List userIds = PGPainless.inspectKeyRing(keyRing).getValidUserIds();
         return selectUserIds(userIds);
     }
 
-    public List selectUserIds(List userIds) {
+    /**
+     * Select all acceptable (see {@link #accept(String)}) from the given list of user-ids.
+     *
+     * @param userIds list of user-ids
+     * @return sub-list of acceptable user-ids
+     */
+    @Nonnull
+    public List selectUserIds(@Nonnull List userIds) {
         List selected = new ArrayList<>();
         for (String userId : userIds) {
             if (accept(userId)) {
@@ -31,11 +56,25 @@ public abstract class SelectUserId {
         return selected;
     }
 
+    /**
+     * Return the first valid, acceptable user-id from the given public or secret key ring.
+     *
+     * @param keyRing public or secret key ring
+     * @return first matching valid user-id or null
+     */
+    @Nullable
     public String firstMatch(PGPKeyRing keyRing) {
         return firstMatch(selectUserIds(keyRing));
     }
 
-    public String firstMatch(List userIds) {
+    /**
+     * Return the first valid, acceptable user-id from the list of user-ids.
+     *
+     * @param userIds list of user-ids
+     * @return first matching valid user-id or null
+     */
+    @Nullable
+    public String firstMatch(@Nonnull List userIds) {
         for (String userId : userIds) {
             if (accept(userId)) {
                 return userId;
@@ -44,6 +83,12 @@ public abstract class SelectUserId {
         return null;
     }
 
+    /**
+     * Filter that filters for user-ids which contain the given 
query
 as a substring.
+     *
+     * @param query query
+     * @return filter
+     */
     public static SelectUserId containsSubstring(@Nonnull CharSequence query) {
         return new SelectUserId() {
             @Override
@@ -53,6 +98,12 @@ public abstract class SelectUserId {
         };
     }
 
+    /**
+     * Filter that filters for user-ids which match the given 
query
 exactly.
+     *
+     * @param query query
+     * @return filter
+     */
     public static SelectUserId exactMatch(@Nonnull CharSequence query) {
         return new SelectUserId() {
             @Override
@@ -62,6 +113,12 @@ public abstract class SelectUserId {
         };
     }
 
+    /**
+     * Filter that filters for user-ids which start with the given 
substring
.
+     *
+     * @param substring substring
+     * @return filter
+     */
     public static SelectUserId startsWith(@Nonnull CharSequence substring) {
         String string = substring.toString();
         return new SelectUserId() {
@@ -72,55 +129,99 @@ public abstract class SelectUserId {
         };
     }
 
+    /**
+     * Filter that filters for user-ids which contain the given 
email
 address.
+     * Note: This only accepts user-ids which properly have the email address surrounded by angle brackets.
+     *
+     * The argument 
email
 can both be a plain email address (
"foo@bar.baz"
),
+     * or surrounded by angle brackets (
""
, the result of the filter will be the same.
+     *
+     * @param email email address
+     * @return filter
+     */
     public static SelectUserId containsEmailAddress(@Nonnull CharSequence email) {
         String string = email.toString();
         return containsSubstring(string.matches("^<.+>$") ? string : '<' + string + '>');
     }
 
+    /**
+     * Filter that filters for valid user-ids on the given 
keyRing
 only.
+     *
+     * @param keyRing public / secret keys
+     * @return filter
+     */
     public static SelectUserId validUserId(PGPKeyRing keyRing) {
+        final KeyRingInfo info = PGPainless.inspectKeyRing(keyRing);
+
         return new SelectUserId() {
             @Override
             protected boolean accept(String userId) {
-                return PGPainless.inspectKeyRing(keyRing).isUserIdValid(userId);
+                return info.isUserIdValid(userId);
             }
         };
     }
 
-    public static SelectUserId and(SelectUserId... strategies) {
+    /**
+     * Filter that filters for user-ids which pass all the given 
filters
.
+     *
+     * @param filters filters
+     * @return filter
+     */
+    public static SelectUserId and(SelectUserId... filters) {
         return new SelectUserId() {
             @Override
             protected boolean accept(String userId) {
                 boolean accept = true;
-                for (SelectUserId strategy : strategies) {
-                    accept &= strategy.accept(userId);
+                for (SelectUserId filter : filters) {
+                    accept &= filter.accept(userId);
                 }
                 return accept;
             }
         };
     }
 
-    public static SelectUserId or(SelectUserId... strategies) {
+    /**
+     * Filter that filters for user-ids which pass at least one of the given 
filters
>.
+     *
+     * @param filters filters
+     * @return filter
+     */
+    public static SelectUserId or(SelectUserId... filters) {
         return new SelectUserId() {
             @Override
             protected boolean accept(String userId) {
                 boolean accept = false;
-                for (SelectUserId strategy : strategies) {
-                    accept |= strategy.accept(userId);
+                for (SelectUserId filter : filters) {
+                    accept |= filter.accept(userId);
                 }
                 return accept;
             }
         };
     }
 
-    public static SelectUserId not(SelectUserId strategy) {
+    /**
+     * Filter that inverts the result of the given 
filter
.
+     *
+     * @param filter filter
+     * @return inverting filter
+     */
+    public static SelectUserId not(SelectUserId filter) {
         return new SelectUserId() {
             @Override
             protected boolean accept(String userId) {
-                return !strategy.accept(userId);
+                return !filter.accept(userId);
             }
         };
     }
 
+    /**
+     * Filter that selects user-ids by the given 
email
 address.
+     * It returns user-ids which either contain the given 
email
 address as angle-bracketed string,
+     * or which equal the given 
email
 string exactly.
+     *
+     * @param email email
+     * @return filter
+     */
     public static SelectUserId byEmail(CharSequence email) {
         return SelectUserId.or(
                 SelectUserId.exactMatch(email),

From 7ca9934cbe08ae0648f73d34e31b0a6f532577ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 12:32:37 +0200
Subject: [PATCH 0395/1450] Document KeyRingSelectionStrategy

---
 .../keyring/KeyRingSelectionStrategy.java     | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
index a9f842e3..fb57e338 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
@@ -8,11 +8,41 @@ import java.util.Set;
 
 import org.pgpainless.util.MultiMap;
 
+/**
+ *
+ * @param  Type of {@link org.bouncycastle.openpgp.PGPKeyRing} ({@link org.bouncycastle.openpgp.PGPSecretKeyRing}
+ *           or {@link org.bouncycastle.openpgp.PGPPublicKeyRing}).
+ * @param  Type of key ring collection (e.g. {@link org.bouncycastle.openpgp.PGPSecretKeyRingCollection}
+ *          or {@link org.bouncycastle.openpgp.PGPPublicKeyRingCollection}).
+ * @param  Type of key identifier
+ */
 public interface KeyRingSelectionStrategy {
 
+    /**
+     * Return true, if the filter accepts the given 
keyRing
 based on the given 
identifier
.
+     *
+     * @param identifier identifier
+     * @param keyRing key ring
+     * @return acceptance
+     */
     boolean accept(O identifier, R keyRing);
 
+    /**
+     * Iterate of the given 
keyRingCollection
 and return a {@link Set} of all acceptable
+     * keyRings in the collection, based on the given 
identifier
.
+     *
+     * @param identifier identifier
+     * @param keyRingCollection collection
+     * @return set of acceptable key rings
+     */
     Set selectKeyRingsFromCollection(O identifier, C keyRingCollection);
 
+    /**
+     * Iterate over all keyRings in the given {@link MultiMap} of keyRingCollections and return a new {@link MultiMap}
+     * which for every identifier (key of the map) contains all acceptable keyRings based on that identifier.
+     *
+     * @param keyRingCollections MultiMap of identifiers and keyRingCollections.
+     * @return MultiMap of identifiers and acceptable keyRings.
+     */
     MultiMap selectKeyRingsFromCollections(MultiMap keyRingCollections);
 }

From 2c86d8dfe45089d1c02b9b8383c90afaa4c51fe5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 12:49:00 +0200
Subject: [PATCH 0396/1450] Document various KeyRingSelectionStrategies

---
 .../PublicKeyRingSelectionStrategy.java       |  5 +++++
 .../SecretKeyRingSelectionStrategy.java       |  6 +++++
 .../selection/keyring/impl/ExactUserId.java   | 12 ++++++++++
 .../selection/keyring/impl/Whitelist.java     | 22 +++++++++++++++++++
 .../util/selection/keyring/impl/Wildcard.java |  3 +++
 .../util/selection/keyring/impl/XMPP.java     | 16 ++++++++++++++
 6 files changed, 64 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java
index 038549bf..68c9d946 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/PublicKeyRingSelectionStrategy.java
@@ -13,6 +13,11 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.pgpainless.util.MultiMap;
 
+/**
+ * Abstract {@link KeyRingSelectionStrategy} for {@link PGPPublicKeyRing PGPPublicKeyRings}.
+ *
+ * @param  Type of identifier
+ */
 public abstract class PublicKeyRingSelectionStrategy implements KeyRingSelectionStrategy {
 
     @Override
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
index c54f81a5..943f2d82 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
@@ -9,10 +9,16 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Set;
 
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.pgpainless.util.MultiMap;
 
+/**
+ * Abstract {@link KeyRingSelectionStrategy} for {@link PGPSecretKeyRing PGPSecretKeyRings}.
+ *
+ * @param  Type of identifier
+ */
 public abstract class SecretKeyRingSelectionStrategy implements KeyRingSelectionStrategy {
     @Override
     public Set selectKeyRingsFromCollection(O identifier, @Nonnull PGPSecretKeyRingCollection keyRingCollection) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java
index 5a05dc56..29c43c41 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/ExactUserId.java
@@ -11,12 +11,20 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy;
 import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy;
 
+/**
+ * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which select key rings
+ * based on the exact user-id.
+ */
 public final class ExactUserId {
 
     private ExactUserId() {
 
     }
 
+    /**
+     * {@link PublicKeyRingSelectionStrategy} which accepts {@link PGPPublicKeyRing PGPPublicKeyRings} if those
+     * have a user-id which exactly matches the given 
identifier
.
+     */
     public static class PubRingSelectionStrategy extends PublicKeyRingSelectionStrategy {
 
         @Override
@@ -29,6 +37,10 @@ public final class ExactUserId {
         }
     }
 
+    /**
+     * {@link SecretKeyRingSelectionStrategy} which accepts {@link PGPSecretKeyRing PGPSecretKeyRings} if those
+     * have a user-id which exactly matches the given 
identifier
.
+     */
     public static class SecRingSelectionStrategy extends SecretKeyRingSelectionStrategy {
 
         @Override
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java
index f296d8f1..934f5577 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Whitelist.java
@@ -13,12 +13,25 @@ import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy;
 import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy;
 import org.pgpainless.util.MultiMap;
 
+/**
+ * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept PGP KeyRings
+ * based on a whitelist of acceptable keyIds.
+ */
 public final class Whitelist {
 
     private Whitelist() {
 
     }
 
+    /**
+     * {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accepts
+     * {@link PGPPublicKeyRing PGPPublicKeyRings} if the 
whitelist
 contains their primary key id.
+     *
+     * If the whitelist contains 123L for "alice@pgpainless.org", the key with primary key id 123L is
+     * acceptable for "alice@pgpainless.org".
+     *
+     * @param  Type of identifier for {@link org.bouncycastle.openpgp.PGPPublicKeyRingCollection PGPPublicKeyRingCollections}.
+     */
     public static class PubRingSelectionStrategy extends PublicKeyRingSelectionStrategy {
 
         private final MultiMap whitelist;
@@ -43,6 +56,15 @@ public final class Whitelist {
         }
     }
 
+    /**
+     * {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accepts
+     * {@link PGPSecretKeyRing PGPSecretKeyRings} if the 
whitelist
 contains their primary key id.
+     *
+     * If the whitelist contains 123L for "alice@pgpainless.org", the key with primary key id 123L is
+     * acceptable for "alice@pgpainless.org".
+     *
+     * @param  Type of identifier for {@link org.bouncycastle.openpgp.PGPSecretKeyRingCollection PGPSecretKeyRingCollections}.
+     */
     public static class SecRingSelectionStrategy extends SecretKeyRingSelectionStrategy {
 
         private final MultiMap whitelist;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java
index f7bab777..d1929028 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/Wildcard.java
@@ -9,6 +9,9 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy;
 import org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy;
 
+/**
+ * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept all keyRings.
+ */
 public final class Wildcard {
 
     private Wildcard() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java
index 11c3c8ff..edc38006 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/impl/XMPP.java
@@ -7,12 +7,22 @@ package org.pgpainless.util.selection.keyring.impl;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 
+/**
+ * Implementations of {@link org.pgpainless.util.selection.keyring.KeyRingSelectionStrategy} which accept KeyRings
+ * containing a given XMPP address of the format "xmpp:alice@pgpainless.org".
+ */
 public final class XMPP {
 
     private XMPP() {
 
     }
 
+    /**
+     * {@link org.pgpainless.util.selection.keyring.PublicKeyRingSelectionStrategy} which accepts a given
+     * {@link PGPPublicKeyRing} if its primary key has a user-id that matches the given 
jid
.
+     *
+     * The argument 
jid
 can either contain the prefix "xmpp:", or not, the result will be the same.
+     */
     public static class PubRingSelectionStrategy extends ExactUserId.PubRingSelectionStrategy {
 
         @Override
@@ -24,6 +34,12 @@ public final class XMPP {
         }
     }
 
+    /**
+     * {@link org.pgpainless.util.selection.keyring.SecretKeyRingSelectionStrategy} which accepts a given
+     * {@link PGPSecretKeyRing} if its primary key has a user-id that matches the given 
jid
.
+     *
+     * The argument 
jid
 can either contain the prefix "xmpp:", or not, the result will be the same.
+     */
     public static class SecRingSelectionStrategy extends ExactUserId.SecRingSelectionStrategy {
 
         @Override

From c8a1ca5b29d3f9e8520ddd2d5e7065daec8200fc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 12:53:47 +0200
Subject: [PATCH 0397/1450] Make use of DateUtil.now() in test

---
 .../RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java
index 606b69f4..2cbbbe87 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey.java
@@ -100,7 +100,7 @@ public class RevokeKeyWithoutPreferredAlgorithmsOnPrimaryKey {
     @ExtendWith(TestAllImplementations.class)
     public void testChangingExpirationTimeWithKeyWithoutPrefAlgos()
             throws IOException, PGPException {
-        Date expirationDate = DateUtil.toSecondsPrecision(new Date());
+        Date expirationDate = DateUtil.now();
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
 
         SecretKeyRingProtector protector = new UnprotectedKeysProtector();

From 2065b4e4edf8b09c7ba7e1ddb321e140922ae6fc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 13:08:24 +0200
Subject: [PATCH 0398/1450] Document planned removal of
 BCUtil.constantTimeAreEquals(char[], char[])

---
 .../src/main/java/org/pgpainless/util/BCUtil.java            | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
index 78e604c8..bb811cea 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
@@ -15,6 +15,11 @@ public final class BCUtil {
      * test will fail. For best results always pass the expected value
      * as the first parameter.
      *
+     * TODO: This method was proposed as a patch to BC:
+     *  https://github.com/bcgit/bc-java/pull/1141
+     *  Replace usage of this method with upstream eventually.
+     *  Remove once BC 172 gets released, given it contains the patch.
+     *
      * @param expected first array
      * @param supplied second array
      * @return true if arrays equal, false otherwise.

From e601f8dbdae2505bd8d0c38a68d95277cbdda1ac Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 19:49:28 +0200
Subject: [PATCH 0399/1450] In Encrypt example: Read keys from string

---
 .../java/org/pgpainless/example/Encrypt.java  | 118 +++++++++++++++---
 1 file changed, 101 insertions(+), 17 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
index 385198e9..ed57b90b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
@@ -11,8 +11,6 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
@@ -29,11 +27,102 @@ import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.util.Passphrase;
 
 public class Encrypt {
 
+    private static final String ALICE_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 12E3 4F04 C66D 2B70 D16C  960D ACF2 16F0 F93D DD20\n" +
+            "Comment: alice@pgpainless.org\n" +
+            "\n" +
+            "lFgEYksu1hYJKwYBBAHaRw8BAQdAIhUpRrs6zFTBI1pK40jCkzY/DQ/t4fUgNtlS\n" +
+            "mXOt1cIAAP4wM0LQD/Wj9w6/QujM/erj/TodDZzmp2ZwblrvDQri0RJ/tBRhbGlj\n" +
+            "ZUBwZ3BhaW5sZXNzLm9yZ4iPBBMWCgBBBQJiSy7WCRCs8hbw+T3dIBYhBBLjTwTG\n" +
+            "bStw0WyWDazyFvD5Pd0gAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAOOTAQDf\n" +
+            "UsRQSAs0d/Nm4YIrq+gU7gOdTJuf33f/u/u1nGM1fAD/RY7I3gQoZ0lWbvXVkRAL\n" +
+            "Cu9cUJdvL7kpW1oYtYg21QucXQRiSy7WEgorBgEEAZdVAQUBAQdA60F84k6MY/Uy\n" +
+            "BCZe4/WP8JDw/Efu5/Gyk8hcd3HzHFsDAQgHAAD/aC8DOOkK0XNVz2hkSVczmNoJ\n" +
+            "Umog0PfQLRujpOTqonAQKIh1BBgWCgAdBQJiSy7WAp4BApsMBRYCAwEABAsJCAcF\n" +
+            "FQoJCAsACgkQrPIW8Pk93SCd6AD/Y3LF2RvgbEaOBtAvH6w0ZBPorB3rk6dx+Ae0\n" +
+            "GvW4E8wA+QHmgNo0pdkDxTl0BN1KC7BV1iRFqe9Vo7fW2LLfhlEEnFgEYksu1hYJ\n" +
+            "KwYBBAHaRw8BAQdAPtqap21/zmVzxOHk++891/EZSNikwWkq9t0pmYjhtJ8AAP9N\n" +
+            "m/G6nbiEB8mu/TkNnb7vdhSmLddL9kdKh0LzWD95LBF0iNUEGBYKAH0FAmJLLtYC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJiSy7WAAoJEOEz2Vo79Yyl\n" +
+            "zN0A/iZAVklSJsfQslshR6/zMBufwCK1S05jg/5Ydaksv3QcAQC4gsxdFFne+H4M\n" +
+            "mos4atad6hMhlqr0/Zyc71ZdO5I/CAAKCRCs8hbw+T3dIGhqAQCIdVtCus336cDe\n" +
+            "Nug+E9v1PEM3F/dt6GAqSG8LJqdAGgEA8cUXdUBooOo/QBkDnpteke8Z3IhIGyGe\n" +
+            "dc8OwJyVFwc=\n" +
+            "=ARAi\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+    private static final String ALICE_CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 12E3 4F04 C66D 2B70 D16C  960D ACF2 16F0 F93D DD20\n" +
+            "Comment: alice@pgpainless.org\n" +
+            "\n" +
+            "mDMEYksu1hYJKwYBBAHaRw8BAQdAIhUpRrs6zFTBI1pK40jCkzY/DQ/t4fUgNtlS\n" +
+            "mXOt1cK0FGFsaWNlQHBncGFpbmxlc3Mub3JniI8EExYKAEEFAmJLLtYJEKzyFvD5\n" +
+            "Pd0gFiEEEuNPBMZtK3DRbJYNrPIW8Pk93SACngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
+            "CwKZAQAA45MBAN9SxFBICzR382bhgiur6BTuA51Mm5/fd/+7+7WcYzV8AP9Fjsje\n" +
+            "BChnSVZu9dWREAsK71xQl28vuSlbWhi1iDbVC7g4BGJLLtYSCisGAQQBl1UBBQEB\n" +
+            "B0DrQXziToxj9TIEJl7j9Y/wkPD8R+7n8bKTyFx3cfMcWwMBCAeIdQQYFgoAHQUC\n" +
+            "Yksu1gKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEKzyFvD5Pd0gnegA/2Nyxdkb\n" +
+            "4GxGjgbQLx+sNGQT6Kwd65OncfgHtBr1uBPMAPkB5oDaNKXZA8U5dATdSguwVdYk\n" +
+            "RanvVaO31tiy34ZRBLgzBGJLLtYWCSsGAQQB2kcPAQEHQD7amqdtf85lc8Th5Pvv\n" +
+            "PdfxGUjYpMFpKvbdKZmI4bSfiNUEGBYKAH0FAmJLLtYCngECmwIFFgIDAQAECwkI\n" +
+            "BwUVCgkIC18gBBkWCgAGBQJiSy7WAAoJEOEz2Vo79YylzN0A/iZAVklSJsfQslsh\n" +
+            "R6/zMBufwCK1S05jg/5Ydaksv3QcAQC4gsxdFFne+H4Mmos4atad6hMhlqr0/Zyc\n" +
+            "71ZdO5I/CAAKCRCs8hbw+T3dIGhqAQCIdVtCus336cDeNug+E9v1PEM3F/dt6GAq\n" +
+            "SG8LJqdAGgEA8cUXdUBooOo/QBkDnpteke8Z3IhIGyGedc8OwJyVFwc=\n" +
+            "=GUhm\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+    private static final String BOB_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: A0D2 F316 0F6B 2CE5 7A50  FF32 261E 5081 9736 C493\n" +
+            "Comment: bob@pgpainless.org\n" +
+            "\n" +
+            "lFgEYksu1hYJKwYBBAHaRw8BAQdAXTBT1OKN1GAvGC+fzuy/k34BK+d5Saa87Glb\n" +
+            "iQgIxg8AAPwMI5DGqADFfl6H3Nxj3NxEZLasiFDpwEszluLVRy0jihGbtBJib2JA\n" +
+            "cGdwYWlubGVzcy5vcmeIjwQTFgoAQQUCYksu1gkQJh5QgZc2xJMWIQSg0vMWD2ss\n" +
+            "5XpQ/zImHlCBlzbEkwKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAADvrAD/cWBW\n" +
+            "mRkSfoCbEl22s59FXE7NPENrsJK8jxmWsWX3jbEA/AyXMCjwH6IhDgdgO7wH2z1r\n" +
+            "cUb/hokiCcCaJs6hjKcInF0EYksu1hIKKwYBBAGXVQEFAQEHQCeURSBi9brhisUH\n" +
+            "Dz0xN1NCgU5yeirx53xrQDFFx+d6AwEIBwAA/1GHX9+4Rg0ePsXGm1QIWL+C4rdf\n" +
+            "AReCTYoS3EBiZVdADoyIdQQYFgoAHQUCYksu1gKeAQKbDAUWAgMBAAQLCQgHBRUK\n" +
+            "CQgLAAoJECYeUIGXNsST8c0A/1dEIO9gsFB15UWDlTzN3S0TXQNN8wVzIMdW7XP2\n" +
+            "7c6bAQCB5ChqQA9AB1020DLr28BAbSjI7mPdIWg2PpE7B1EXC5xYBGJLLtYWCSsG\n" +
+            "AQQB2kcPAQEHQKP5NxT0ZhmRbrl3S6uwrUN248g1TEUR0DCVuLgyGSLpAAEA6bMa\n" +
+            "GaUf3S55rkFDjFC4Cv72zc8E5ex2RKgbpxXxqhYQN4jVBBgWCgB9BQJiSy7WAp4B\n" +
+            "ApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCYksu1gAKCRDJLjPCA2NIfylD\n" +
+            "AP4tNFV23FBlrC57iesHVc+TTfNJ8rd+U7mbJvUgykcSNAEAy64tKPuVj+aA1bpm\n" +
+            "gHxfqdEJCOko8UhVVP6ltiDUcAoACgkQJh5QgZc2xJP9TQEA1DNgFno3di+xGDEN\n" +
+            "pwe9lmz8d/RWy/kuBT9S/3CMJjQBAKNBhHPuFfvk7RFbsmMrHsSqDFqIuUfGqq39\n" +
+            "VzmiMp8N\n" +
+            "=LpkJ\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+    private static final String BOB_CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: A0D2 F316 0F6B 2CE5 7A50  FF32 261E 5081 9736 C493\n" +
+            "Comment: bob@pgpainless.org\n" +
+            "\n" +
+            "mDMEYksu1hYJKwYBBAHaRw8BAQdAXTBT1OKN1GAvGC+fzuy/k34BK+d5Saa87Glb\n" +
+            "iQgIxg+0EmJvYkBwZ3BhaW5sZXNzLm9yZ4iPBBMWCgBBBQJiSy7WCRAmHlCBlzbE\n" +
+            "kxYhBKDS8xYPayzlelD/MiYeUIGXNsSTAp4BApsBBRYCAwEABAsJCAcFFQoJCAsC\n" +
+            "mQEAAO+sAP9xYFaZGRJ+gJsSXbazn0VcTs08Q2uwkryPGZaxZfeNsQD8DJcwKPAf\n" +
+            "oiEOB2A7vAfbPWtxRv+GiSIJwJomzqGMpwi4OARiSy7WEgorBgEEAZdVAQUBAQdA\n" +
+            "J5RFIGL1uuGKxQcPPTE3U0KBTnJ6KvHnfGtAMUXH53oDAQgHiHUEGBYKAB0FAmJL\n" +
+            "LtYCngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRAmHlCBlzbEk/HNAP9XRCDvYLBQ\n" +
+            "deVFg5U8zd0tE10DTfMFcyDHVu1z9u3OmwEAgeQoakAPQAddNtAy69vAQG0oyO5j\n" +
+            "3SFoNj6ROwdRFwu4MwRiSy7WFgkrBgEEAdpHDwEBB0Cj+TcU9GYZkW65d0ursK1D\n" +
+            "duPINUxFEdAwlbi4Mhki6YjVBBgWCgB9BQJiSy7WAp4BApsCBRYCAwEABAsJCAcF\n" +
+            "FQoJCAtfIAQZFgoABgUCYksu1gAKCRDJLjPCA2NIfylDAP4tNFV23FBlrC57iesH\n" +
+            "Vc+TTfNJ8rd+U7mbJvUgykcSNAEAy64tKPuVj+aA1bpmgHxfqdEJCOko8UhVVP6l\n" +
+            "tiDUcAoACgkQJh5QgZc2xJP9TQEA1DNgFno3di+xGDENpwe9lmz8d/RWy/kuBT9S\n" +
+            "/3CMJjQBAKNBhHPuFfvk7RFbsmMrHsSqDFqIuUfGqq39VzmiMp8N\n" +
+            "=1MqZ\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+
     /**
      * In this example, Alice is sending a signed and encrypted message to Bob.
      * She signs the message using her key and then encrypts the message to both bobs certificate and her own.
@@ -42,16 +131,14 @@ public class Encrypt {
      * her certificate.
      */
     @Test
-    public void encryptAndSignMessage() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+    public void encryptAndSignMessage() throws PGPException, IOException {
         // Prepare keys
-        PGPSecretKeyRing keyAlice = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
-        PGPPublicKeyRing certificateAlice = KeyRingUtils.publicKeyRingFrom(keyAlice);
+        PGPSecretKeyRing keyAlice = PGPainless.readKeyRing().secretKeyRing(ALICE_KEY);
+        PGPPublicKeyRing certificateAlice = PGPainless.readKeyRing().publicKeyRing(ALICE_CERT);
         SecretKeyRingProtector protectorAlice = SecretKeyRingProtector.unprotectedKeys();
 
-        PGPSecretKeyRing keyBob = PGPainless.generateKeyRing()
-                .modernKeyRing("bob@pgpainless.org", null);
-        PGPPublicKeyRing certificateBob = KeyRingUtils.publicKeyRingFrom(keyBob);
+        PGPSecretKeyRing keyBob = PGPainless.readKeyRing().secretKeyRing(BOB_KEY);
+        PGPPublicKeyRing certificateBob = PGPainless.readKeyRing().publicKeyRing(BOB_CERT);
         SecretKeyRingProtector protectorBob = SecretKeyRingProtector.unprotectedKeys();
 
         // plaintext message to encrypt
@@ -138,15 +225,12 @@ public class Encrypt {
      * Bob subsequently decrypts the message using his key.
      */
     @Test
-    public void encryptWithCommentHeader() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+    public void encryptWithCommentHeader() throws PGPException, IOException {
         // Prepare keys
-        PGPSecretKeyRing keyAlice = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
-        PGPPublicKeyRing certificateAlice = KeyRingUtils.publicKeyRingFrom(keyAlice);
+        PGPPublicKeyRing certificateAlice = PGPainless.readKeyRing().publicKeyRing(ALICE_CERT);
 
-        PGPSecretKeyRing keyBob = PGPainless.generateKeyRing()
-                .modernKeyRing("bob@pgpainless.org", null);
-        PGPPublicKeyRing certificateBob = KeyRingUtils.publicKeyRingFrom(keyBob);
+        PGPSecretKeyRing keyBob = PGPainless.readKeyRing().secretKeyRing(BOB_KEY);
+        PGPPublicKeyRing certificateBob = PGPainless.readKeyRing().publicKeyRing(BOB_CERT);
         SecretKeyRingProtector protectorBob = SecretKeyRingProtector.unprotectedKeys();
 
         // plaintext message to encrypt

From d0b070f0f3d45833b556babea37afff0770fda48 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 20:17:57 +0200
Subject: [PATCH 0400/1450] Fix javadoc

---
 .../util/selection/keyring/KeyRingSelectionStrategy.java       | 1 +
 .../util/selection/keyring/SecretKeyRingSelectionStrategy.java | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
index fb57e338..26180214 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/KeyRingSelectionStrategy.java
@@ -9,6 +9,7 @@ import java.util.Set;
 import org.pgpainless.util.MultiMap;
 
 /**
+ * Filter for selecting public / secret key rings based on identifiers (e.g. user-ids).
  *
  * @param  Type of {@link org.bouncycastle.openpgp.PGPKeyRing} ({@link org.bouncycastle.openpgp.PGPSecretKeyRing}
  *           or {@link org.bouncycastle.openpgp.PGPPublicKeyRing}).
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
index 943f2d82..ac5e8065 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/keyring/SecretKeyRingSelectionStrategy.java
@@ -4,12 +4,11 @@
 
 package org.pgpainless.util.selection.keyring;
 
-import javax.annotation.Nonnull;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Set;
+import javax.annotation.Nonnull;
 
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.pgpainless.util.MultiMap;

From 0bce68d6ee3c147d707b627a5766c01f76a107ae Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Apr 2022 20:18:15 +0200
Subject: [PATCH 0401/1450] Add shortcut SigningOptions.addSignature() method

---
 .../encryption_signing/SigningOptions.java        | 15 +++++++++++++++
 .../test/java/org/pgpainless/example/Sign.java    |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 0608b22e..52d21641 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -98,6 +98,21 @@ public final class SigningOptions {
         return new SigningOptions();
     }
 
+    /**
+     * Sign the message using an inline signature made by the provided signing key.
+     *
+     * @param signingKeyProtector protector to unlock the signing key
+     * @param signingKey key ring containing the signing key
+     * @return this
+     *
+     * @throws PGPException if the key cannot be unlocked or a signing method cannot be created
+     */
+    public SigningOptions addSignature(SecretKeyRingProtector signingKeyProtector,
+                                       PGPSecretKeyRing signingKey)
+            throws PGPException {
+        return addInlineSignature(signingKeyProtector, signingKey, DocumentSignatureType.BINARY_DOCUMENT);
+    }
+
     /**
      * Add inline signatures with all secret key rings in the provided secret key ring collection.
      *
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
index 13185e37..77db571d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
@@ -55,7 +55,7 @@ public class Sign {
         EncryptionStream signingStream = PGPainless.encryptAndOrSign()
                 .onOutputStream(signedOut)
                 .withOptions(ProducerOptions.sign(SigningOptions.get()
-                                .addInlineSignature(protector, secretKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT))
+                                .addSignature(protector, secretKey))
                 );
 
         Streams.pipeAll(messageIn, signingStream);

From f6c6b9aded3bbb38d1cf5b5e7496f39944a24005 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 14:10:04 +0200
Subject: [PATCH 0402/1450] Do not attempt to verify signatures made by
 external keys using primary key.

This aims at fixing #266 in combination with #267.
---
 .../org/pgpainless/key/KeyRingValidator.java     |  8 ++++++++
 .../signature/consumer/CertificateValidator.java | 16 ++++++++++++++++
 .../signature/consumer/SignaturePicker.java      |  5 +++++
 .../signature/consumer/SignatureVerifier.java    |  4 ++++
 4 files changed, 33 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
index f52c1408..c3355ff8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
@@ -94,6 +94,10 @@ public final class KeyRingValidator {
             List signatures = CollectionUtils.iteratorToList(userIdSigs);
             Collections.sort(signatures, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
             for (PGPSignature signature : signatures) {
+                if (signature.getKeyID() != primaryKey.getKeyID()) {
+                    // Signature was not made by primary key
+                    continue;
+                }
                 try {
                     if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
                         if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
@@ -116,6 +120,10 @@ public final class KeyRingValidator {
             Iterator userAttributeSignatureIterator = primaryKey.getSignaturesForUserAttribute(userAttribute);
             while (userAttributeSignatureIterator.hasNext()) {
                 PGPSignature signature = userAttributeSignatureIterator.next();
+                if (signature.getKeyID() != primaryKey.getKeyID()) {
+                    // Signature was not made by primary key
+                    continue;
+                }
                 try {
                     if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
                         if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 65a1a41d..809ea003 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -72,6 +72,10 @@ public final class CertificateValidator {
         Iterator primaryKeyRevocationIterator = primaryKey.getSignaturesOfType(SignatureType.KEY_REVOCATION.getCode());
         while (primaryKeyRevocationIterator.hasNext()) {
             PGPSignature revocation = primaryKeyRevocationIterator.next();
+            if (revocation.getKeyID() != primaryKey.getKeyID()) {
+                // Revocation was not made by primary key, skip
+                // TODO: What about external revocation keys?
+            }
             try {
                 if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
                     directKeySignatures.add(revocation);
@@ -86,6 +90,10 @@ public final class CertificateValidator {
         Iterator keySignatures = primaryKey.getSignaturesOfType(SignatureType.DIRECT_KEY.getCode());
         while (keySignatures.hasNext()) {
             PGPSignature keySignature = keySignatures.next();
+            if (keySignature.getKeyID() != primaryKey.getKeyID()) {
+                // Signature was not made by primary key, skip
+                continue;
+            }
             try {
                 if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
                     directKeySignatures.add(keySignature);
@@ -112,6 +120,10 @@ public final class CertificateValidator {
             Iterator userIdSigs = primaryKey.getSignaturesForID(userId);
             while (userIdSigs.hasNext()) {
                 PGPSignature userIdSig = userIdSigs.next();
+                if (userIdSig.getKeyID() != primaryKey.getKeyID()) {
+                    // Sig was made by external key, skip
+                    continue;
+                }
                 try {
                     if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
                         signaturesOnUserId.add(userIdSig);
@@ -168,6 +180,10 @@ public final class CertificateValidator {
             Iterator bindingRevocations = signingSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode());
             while (bindingRevocations.hasNext()) {
                 PGPSignature revocation = bindingRevocations.next();
+                if (revocation.getKeyID() != primaryKey.getKeyID()) {
+                    // Subkey Revocation was not made by primary key, skip
+                    continue;
+                }
                 try {
                     if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
                         subkeySigs.add(revocation);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index 74fff1e9..e6f2f755 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -209,10 +209,15 @@ public final class SignaturePicker {
 
         Iterator userIdSigIterator = primaryKey.getSignaturesForID(userId);
         List signatures = CollectionUtils.iteratorToList(userIdSigIterator);
+
         Collections.sort(signatures, new SignatureCreationDateComparator());
 
         PGPSignature mostRecentUserIdCertification = null;
         for (PGPSignature signature : signatures) {
+            if (primaryKey.getKeyID() != signature.getKeyID()) {
+                // Signature not made by primary key
+                continue;
+            }
             try {
                 SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
             } catch (SignatureValidationException e) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
index 1cfff7db..d4a61271 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
@@ -89,6 +89,7 @@ public final class SignatureVerifier {
      */
     public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
             throws SignatureValidationException {
+        SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsCertification().verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@@ -129,6 +130,7 @@ public final class SignatureVerifier {
      */
     public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
             throws SignatureValidationException {
+        SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@@ -174,6 +176,7 @@ public final class SignatureVerifier {
                                                             PGPPublicKey keyWithUserAttributes, Policy policy,
                                                             Date validationDate)
             throws SignatureValidationException {
+        SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsCertification().verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@@ -219,6 +222,7 @@ public final class SignatureVerifier {
                                                          PGPPublicKey keyWithUserAttributes, Policy policy,
                                                          Date validationDate)
             throws SignatureValidationException {
+        SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
         SignatureValidator.signatureIsEffective(validationDate).verify(signature);

From 8c6813ce565567ed84d5b1e0a5ee32a14634a984 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Barab=C3=A1s?= 
Date: Tue, 5 Apr 2022 10:38:19 +0200
Subject: [PATCH 0403/1450] #266 Handle ClassCastException in signature.init
 calls

---
 .../signature/consumer/SignatureValidator.java         | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 3572fff0..51bfa7c3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -461,7 +461,7 @@ public abstract class SignatureValidator {
                     if (!valid) {
                         throw new SignatureValidationException("Signature is not correct.");
                     }
-                } catch (PGPException e) {
+                } catch (PGPException | ClassCastException e) {
                     throw new SignatureValidationException("Cannot verify subkey binding signature correctness", e);
                 }
             }
@@ -485,7 +485,7 @@ public abstract class SignatureValidator {
                     if (!valid) {
                         throw new SignatureValidationException("Primary Key Binding Signature is not correct.");
                     }
-                } catch (PGPException e) {
+                } catch (PGPException | ClassCastException e) {
                     throw new SignatureValidationException("Cannot verify primary key binding signature correctness", e);
                 }
             }
@@ -514,7 +514,7 @@ public abstract class SignatureValidator {
                     if (!valid) {
                         throw new SignatureValidationException("Signature is not correct.");
                     }
-                } catch (PGPException e) {
+                } catch (PGPException | ClassCastException e) {
                     throw new SignatureValidationException("Cannot verify direct-key signature correctness", e);
                 }
             }
@@ -577,7 +577,7 @@ public abstract class SignatureValidator {
                     if (!valid) {
                         throw new SignatureValidationException("Signature over user-id '" + userId + "' is not correct.");
                     }
-                } catch (PGPException e) {
+                } catch (PGPException | ClassCastException e) {
                     throw new SignatureValidationException("Cannot verify signature over user-id '" + userId + "'.", e);
                 }
             }
@@ -602,7 +602,7 @@ public abstract class SignatureValidator {
                     if (!valid) {
                         throw new SignatureValidationException("Signature over user-attribute vector is not correct.");
                     }
-                } catch (PGPException e) {
+                } catch (PGPException | ClassCastException e) {
                     throw new SignatureValidationException("Cannot verify signature over user-attribute vector.", e);
                 }
             }

From 30c9ea254adefafcd5caae084e11378ed2a7a958 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Barab=C3=A1s?= 
Date: Tue, 5 Apr 2022 14:35:01 +0200
Subject: [PATCH 0404/1450] Fix XML comment

---
 .../java/org/pgpainless/util/selection/userid/SelectUserId.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
index e86e59f3..65ac568b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
@@ -181,7 +181,7 @@ public abstract class SelectUserId {
     }
 
     /**
-     * Filter that filters for user-ids which pass at least one of the given 
filters
>.
+     * Filter that filters for user-ids which pass at least one of the given 
filters
.
      *
      * @param filters filters
      * @return filter

From 3245dff73101a7720b789a6ac85fe70e412b1a5f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 14:43:14 +0200
Subject: [PATCH 0405/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44686127..41838790 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ SPDX-License-Identifier: CC0-1.0
 - `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding.
   - This fixes broken signature generation for mismatching (`StreamEncoding`,`DocumentSignatureType`) tuples.
   - Applications that rely on CRLF-encoding can request PGPainless to apply this encoding by calling `ProducerOptions.applyCRLFEncoding(true)`.
+- Rename `KeyRingUtils.removeSecretKey()` to `stripSecretKey()`.
+- Add handy `SignatureOptions.addSignature()` method.
+- Fix `ClassCastException` when evaluating a certificate with third party signatures. Thanks @p-barabas for the initial report and bug fix!
 
 ## 1.1.4
 - Add utility method `KeyRingUtils.removeSecretKey()` to remove secret key part from key ring

From a7d56e3461d2b0fb6f53d0ca0d067034b5092104 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 14:48:44 +0200
Subject: [PATCH 0406/1450] PGPainless 1.1.5

---
 CHANGELOG.md                                                  | 2 +-
 README.md                                                     | 2 +-
 .../org/pgpainless/util/selection/userid/SelectUserId.java    | 2 +-
 pgpainless-sop/README.md                                      | 4 ++--
 version.gradle                                                | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41838790..8134c0cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.1.5-SNAPSHOT
+## 1.1.5
 - SOP encrypt: match signature type when using `encrypt --as=` option
 - `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding.
   - This fixes broken signature generation for mismatching (`StreamEncoding`,`DocumentSignatureType`) tuples.
diff --git a/README.md b/README.md
index 514dbd84..58e59401 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.4'
+	implementation 'org.pgpainless:pgpainless-core:1.1.5'
 }
 ```
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
index 65ac568b..5c1611af 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/selection/userid/SelectUserId.java
@@ -134,7 +134,7 @@ public abstract class SelectUserId {
      * Note: This only accepts user-ids which properly have the email address surrounded by angle brackets.
      *
      * The argument 
email
 can both be a plain email address (
"foo@bar.baz"
),
-     * or surrounded by angle brackets (
""
, the result of the filter will be the same.
+     * or surrounded by angle brackets ({@code 
""
}), the result of the filter will be the same.
      *
      * @param email email address
      * @return filter
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 9ec6c8cd..bb4af342 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.1.4"
+    implementation "org.pgpainless:pgpainless-sop:1.1.5"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.1.4
+        1.1.5
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 3b94fb87..384e25a3 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.1.5'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 8e45a2a7f6bef5cfafd5e9753424c038f2bfd0e3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 14:51:26 +0200
Subject: [PATCH 0407/1450] PGPainless-1.1.6-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 384e25a3..3b633561 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.5'
-        isSnapshot = false
+        shortVersion = '1.1.6'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.70'

From 636fc63bc1f03bd4cb3e752dac0f984181cfe426 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 14:57:43 +0200
Subject: [PATCH 0408/1450] Add local.properties to .gitignore

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 84123d97..f12ea5f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,8 @@ libs/
 *.log
 *.jar
 
+local.properties
+
 gradle.properties
 !gradle-wrapper.jar
 

From 6e6789542892c23cebfaefc896cb6a4859d646c1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 5 Apr 2022 17:01:15 +0200
Subject: [PATCH 0409/1450] Add ECOSYSTEM.md

---
 ECOSYSTEM.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 ECOSYSTEM.md

diff --git a/ECOSYSTEM.md b/ECOSYSTEM.md
new file mode 100644
index 00000000..ead27565
--- /dev/null
+++ b/ECOSYSTEM.md
@@ -0,0 +1,47 @@
+
+
+# Ecosystem
+
+PGPainless consists of an ecosystem of different libraries and projects.
+
+## [PGPainless](https://github.com/pgpainless/pgpainless)
+
+The main repository contains the following components:
+
+* `pgpainless-core` - core implementation - powerful, yet easy to use OpenPGP API
+* `pgpainless-sop` - super simple OpenPGP implementation. Drop-in for `sop-java`
+* `pgpainless-cli` - SOP CLI implementation using PGPainless
+
+## [SOP-Java](https://github.com/pgpainless/sop-java)
+
+An API definition and CLI implementation of the [Stateless OpenPGP Protocol](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-03.html).
+
+* `sop-java` - generic OpenPGP API definition
+* `sop-java-picocli` - Abstract CLI implementation for `sop-java`
+
+## [WKD-Java](https://github.com/pgpainless/wkd-java)
+
+Implementation of the [Web Key Directory](https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-13.html).
+
+* `wkd-java` - abstract WKD discovery implementation
+* `wkd-java-cli` - CLI application implementing WKD discovery using PGPainless
+* `wkd-test-suite` - Generator for test vectors for testing WKD implementations
+
+## [Cert-D-Java](https://github.com/pgpainless/cert-d-java)
+
+Implementations of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/).
+
+* `pgp-certificate-store` - abstract definitions of OpenPGP certificate stores
+* `pgp-cert-d-java` - implementation of `pgp-certificate-store` following the PGP-CERT-D spec.
+* `pgp-cert-d-java-jdbc-sqlite-lookup` - subkey lookup using sqlite database
+
+## [Cert-D-PGPainless](https://github.com/pgpainless/cert-d-pgpainless)
+
+Implementation of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/) using PGPainless.
+
+* `pgpainless-cert-d` - PGPainless-based implementation of `pgp-cert-d-java`.
+* `pgpainless-cert-d-cli` - CLI frontend for `pgpainless-cert-d`.
\ No newline at end of file

From 02d6d19aac4202efb30eb60794cbae882d6785cc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 6 Apr 2022 11:37:31 +0200
Subject: [PATCH 0410/1450] Update ECOSYSTEM

---
 ECOSYSTEM.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ECOSYSTEM.md b/ECOSYSTEM.md
index ead27565..0652bdef 100644
--- a/ECOSYSTEM.md
+++ b/ECOSYSTEM.md
@@ -31,6 +31,12 @@ Implementation of the [Web Key Directory](https://www.ietf.org/archive/id/draft-
 * `wkd-java-cli` - CLI application implementing WKD discovery using PGPainless
 * `wkd-test-suite` - Generator for test vectors for testing WKD implementations
 
+## [VKS-Java](https://github.com/pgpainless/vks-java)
+
+Client-side API for communicating with Verifying Key Servers, such as https://keys.openpgp.org/.
+
+* `vks-java` - VKS client implementation
+
 ## [Cert-D-Java](https://github.com/pgpainless/cert-d-java)
 
 Implementations of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/).

From 53017d2d38dba66d1e4347ec953a79f769f691c2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 19:40:39 +0200
Subject: [PATCH 0411/1450] Bump BC to 1.71

---
 pgpainless-core/build.gradle | 5 +++--
 version.gradle               | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index e6947458..6cb6faa5 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -15,8 +15,9 @@ dependencies {
     api "org.slf4j:slf4j-api:$slf4jVersion"
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
 
-    api "org.bouncycastle:bcprov-jdk15on:$bouncyCastleVersion"
-    api "org.bouncycastle:bcpg-jdk15on:$bouncyCastleVersion"
+    // Bouncy Castle
+    api "org.bouncycastle:bcprov-jdk15to18:$bouncyCastleVersion"
+    api "org.bouncycastle:bcpg-jdk15to18:$bouncyCastleVersion"
 
     // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
     implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2'
diff --git a/version.gradle b/version.gradle
index 3b633561..2d2d8941 100644
--- a/version.gradle
+++ b/version.gradle
@@ -8,6 +8,6 @@ allprojects {
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
-        bouncyCastleVersion = '1.70'
+        bouncyCastleVersion = '1.71'
     }
 }

From 6b3f37796c6e107498bedb122c64152cfa611d24 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 19:40:56 +0200
Subject: [PATCH 0412/1450] Restructure dependencies and version.gradle

---
 build.gradle                 | 4 ----
 pgpainless-core/build.gradle | 5 +++--
 version.gradle               | 4 ++++
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/build.gradle b/build.gradle
index b0881e63..33e493f0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -71,10 +71,6 @@ allprojects {
     }
 
     project.ext {
-        slf4jVersion = '1.7.32'
-        logbackVersion = '1.2.9'
-        junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.0'
         rootConfigDir = new File(rootDir, 'config')
         gitCommit = getGitCommit()
         isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI'))
diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index 6cb6faa5..50cbb700 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -7,6 +7,7 @@ plugins {
 }
 
 dependencies {
+    // JUnit
     testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
     testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
@@ -19,6 +20,6 @@ dependencies {
     api "org.bouncycastle:bcprov-jdk15to18:$bouncyCastleVersion"
     api "org.bouncycastle:bcpg-jdk15to18:$bouncyCastleVersion"
 
-    // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
-    implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2'
+    // @Nullable, @Nonnull annotations
+    implementation "com.google.code.findbugs:jsr305:3.0.2"
 }
diff --git a/version.gradle b/version.gradle
index 2d2d8941..9406a66b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -9,5 +9,9 @@ allprojects {
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'
+        slf4jVersion = '1.7.32'
+        logbackVersion = '1.2.9'
+        junitVersion = '5.8.2'
+        sopJavaVersion = '1.2.0'
     }
 }

From a22336a79582382264fac468bfd28e79dd306613 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 14:04:59 +0100
Subject: [PATCH 0413/1450] Create dedicated KeyException class for key-related
 exceptions.

---
 .../encryption_signing/EncryptionOptions.java |   9 +-
 .../encryption_signing/SigningOptions.java    |  48 ++++---
 .../exception/KeyCannotSignException.java     |  13 --
 .../pgpainless/exception/KeyException.java    | 118 ++++++++++++++++++
 .../exception/KeyIntegrityException.java      |   4 +
 .../exception/KeyValidationError.java         |  14 ---
 .../org/pgpainless/key/info/KeyRingInfo.java  |   9 +-
 .../EncryptDecryptTest.java                   |   3 +-
 .../EncryptionOptionsTest.java                |  10 +-
 .../encryption_signing/SigningTest.java       |  17 ++-
 .../signature/CertificateExpirationTest.java  |   3 +-
 ...ncryptCommsStorageFlagsDifferentiated.java |   3 +-
 .../java/org/pgpainless/sop/SignImpl.java     |   3 +-
 13 files changed, 186 insertions(+), 68 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index af557703..ca7b8ddb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -23,6 +23,7 @@ import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
@@ -154,7 +155,7 @@ public class EncryptionOptions {
         List encryptionSubkeys = encryptionKeySelectionStrategy
                 .selectEncryptionSubkeys(info.getEncryptionSubkeys(userId, purpose));
         if (encryptionSubkeys.isEmpty()) {
-            throw new IllegalArgumentException("Key has no suitable encryption subkeys.");
+            throw new KeyException.UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key));
         }
 
         for (PGPPublicKey encryptionSubkey : encryptionSubkeys) {
@@ -193,16 +194,16 @@ public class EncryptionOptions {
         try {
             primaryKeyExpiration = info.getPrimaryKeyExpirationDate();
         } catch (NoSuchElementException e) {
-            throw new IllegalArgumentException("Provided key " + OpenPgpFingerprint.of(key) + " does not have a valid/acceptable signature carrying a primary key expiration date.");
+            throw new KeyException.UnacceptableSelfSignatureException(OpenPgpFingerprint.of(key));
         }
         if (primaryKeyExpiration != null && primaryKeyExpiration.before(evaluationDate)) {
-            throw new IllegalArgumentException("Provided key " + OpenPgpFingerprint.of(key) + " is expired: " + primaryKeyExpiration);
+            throw new KeyException.ExpiredKeyException(OpenPgpFingerprint.of(key), primaryKeyExpiration);
         }
 
         List encryptionSubkeys = encryptionKeySelectionStrategy
                 .selectEncryptionSubkeys(info.getEncryptionSubkeys(purpose));
         if (encryptionSubkeys.isEmpty()) {
-            throw new IllegalArgumentException("Key " + OpenPgpFingerprint.of(key) + " has no suitable encryption subkeys.");
+            throw new KeyException.UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key));
         }
 
         for (PGPPublicKey encryptionSubkey : encryptionSubkeys) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 52d21641..f81bf5aa 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -24,8 +24,7 @@ import org.pgpainless.algorithm.DocumentSignatureType;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator;
-import org.pgpainless.exception.KeyCannotSignException;
-import org.pgpainless.exception.KeyValidationError;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
@@ -120,13 +119,13 @@ public final class SigningOptions {
      * @param signingKeys collection of signing keys
      * @param signatureType type of signature (binary, canonical text)
      * @return this
-     * @throws KeyValidationError if something is wrong with any of the keys
+     * @throws KeyException if something is wrong with any of the keys
      * @throws PGPException if any of the keys cannot be unlocked or a signing method cannot be created
      */
     public SigningOptions addInlineSignatures(SecretKeyRingProtector secrectKeyDecryptor,
                                               Iterable signingKeys,
                                               DocumentSignatureType signatureType)
-            throws KeyValidationError, PGPException {
+            throws KeyException, PGPException {
         for (PGPSecretKeyRing signingKey : signingKeys) {
             addInlineSignature(secrectKeyDecryptor, signingKey, signatureType);
         }
@@ -141,14 +140,14 @@ public final class SigningOptions {
      * @param secretKeyDecryptor decryptor to unlock the signing secret key
      * @param secretKey signing key
      * @param signatureType type of signature (binary, canonical text)
-     * @throws KeyValidationError if something is wrong with the key
+     * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      * @return this
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
                                              PGPSecretKeyRing secretKey,
                                              DocumentSignatureType signatureType)
-            throws KeyValidationError, PGPException {
+            throws KeyException, PGPException {
         return addInlineSignature(secretKeyDecryptor, secretKey, null, signatureType);
     }
 
@@ -164,14 +163,14 @@ public final class SigningOptions {
      * @param userId user-id of the signer
      * @param signatureType signature type (binary, canonical text)
      * @return this
-     * @throws KeyValidationError if the key is invalid
+     * @throws KeyException if the key is invalid
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
                                              PGPSecretKeyRing secretKey,
                                              String userId,
                                              DocumentSignatureType signatureType)
-            throws KeyValidationError, PGPException {
+            throws KeyException, PGPException {
         return addInlineSignature(secretKeyDecryptor, secretKey, userId, signatureType, null);
     }
 
@@ -188,7 +187,8 @@ public final class SigningOptions {
      * @param signatureType signature type (binary, canonical text)
      * @param subpacketsCallback callback to modify the hashed and unhashed subpackets of the signature
      * @return this
-     * @throws KeyValidationError if the key is invalid
+     * @throws KeyException
+     * if the key is invalid
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
@@ -196,19 +196,27 @@ public final class SigningOptions {
                                              String userId,
                                              DocumentSignatureType signatureType,
                                              @Nullable BaseSignatureSubpackets.Callback subpacketsCallback)
-            throws KeyValidationError, PGPException {
+            throws KeyException, PGPException {
         KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date());
         if (userId != null && !keyRingInfo.isUserIdValid(userId)) {
-            throw new KeyValidationError(userId, keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId));
+            throw new KeyException.UnboundUserIdException(
+                    OpenPgpFingerprint.of(secretKey),
+                    userId,
+                    keyRingInfo.getLatestUserIdCertification(userId),
+                    keyRingInfo.getUserIdRevocation(userId)
+            );
         }
 
         List signingPubKeys = keyRingInfo.getSigningSubkeys();
         if (signingPubKeys.isEmpty()) {
-            throw new KeyCannotSignException("Key " + OpenPgpFingerprint.of(secretKey) + " has no valid signing key.");
+            throw new KeyException.UnacceptableSigningKeyException(OpenPgpFingerprint.of(secretKey));
         }
 
         for (PGPPublicKey signingPubKey : signingPubKeys) {
             PGPSecretKey signingSecKey = secretKey.getSecretKey(signingPubKey.getKeyID());
+            if (signingSecKey == null) {
+                throw new KeyException.MissingSecretKeyException(OpenPgpFingerprint.of(secretKey), signingPubKey.getKeyID());
+            }
             PGPPrivateKey signingSubkey = UnlockSecretKey.unlockSecretKey(signingSecKey, secretKeyDecryptor);
             Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId)
                     : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID());
@@ -304,18 +312,23 @@ public final class SigningOptions {
             throws PGPException {
         KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date());
         if (userId != null && !keyRingInfo.isUserIdValid(userId)) {
-            throw new KeyValidationError(userId, keyRingInfo.getLatestUserIdCertification(userId), keyRingInfo.getUserIdRevocation(userId));
+            throw new KeyException.UnboundUserIdException(
+                    OpenPgpFingerprint.of(secretKey),
+                    userId,
+                    keyRingInfo.getLatestUserIdCertification(userId),
+                    keyRingInfo.getUserIdRevocation(userId)
+            );
         }
 
         List signingPubKeys = keyRingInfo.getSigningSubkeys();
         if (signingPubKeys.isEmpty()) {
-            throw new KeyCannotSignException("Key has no valid signing key.");
+            throw new KeyException.UnacceptableSigningKeyException(OpenPgpFingerprint.of(secretKey));
         }
 
         for (PGPPublicKey signingPubKey : signingPubKeys) {
             PGPSecretKey signingSecKey = secretKey.getSecretKey(signingPubKey.getKeyID());
             if (signingSecKey == null) {
-                throw new PGPException("Missing secret key for signing key " + Long.toHexString(signingPubKey.getKeyID()));
+                throw new KeyException.MissingSecretKeyException(OpenPgpFingerprint.of(secretKey), signingPubKey.getKeyID());
             }
             PGPPrivateKey signingSubkey = signingSecKey.extractPrivateKey(
                     secretKeyDecryptor.getDecryptor(signingPubKey.getKeyID()));
@@ -340,8 +353,9 @@ public final class SigningOptions {
         PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(signingSecretKey.getPublicKey().getAlgorithm());
         int bitStrength = secretKey.getPublicKey().getBitStrength();
         if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
-            throw new IllegalArgumentException("Public key algorithm policy violation: " +
-                    publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
+            throw new KeyException.UnacceptableSigningKeyException(
+                    new KeyException.PublicKeyAlgorithmPolicyException(
+                            OpenPgpFingerprint.of(secretKey), signingSecretKey.getKeyID(), publicKeyAlgorithm, bitStrength));
         }
 
         PGPSignatureGenerator generator = createSignatureGenerator(signingSubkey, hashAlgorithm, signatureType);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java
deleted file mode 100644
index ee869fa9..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyCannotSignException.java
+++ /dev/null
@@ -1,13 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.exception;
-
-import org.bouncycastle.openpgp.PGPException;
-
-public class KeyCannotSignException extends PGPException {
-    public KeyCannotSignException(String message) {
-        super(message);
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
new file mode 100644
index 00000000..7ffc66ee
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
@@ -0,0 +1,118 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.exception;
+
+import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.algorithm.PublicKeyAlgorithm;
+import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.util.DateUtil;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.util.Date;
+
+public abstract class KeyException extends RuntimeException {
+
+    private final OpenPgpFingerprint fingerprint;
+
+    protected KeyException(@Nonnull String message, @Nonnull OpenPgpFingerprint fingerprint) {
+        super(message);
+        this.fingerprint = fingerprint;
+    }
+
+    protected KeyException(@Nonnull String message, @Nonnull OpenPgpFingerprint fingerprint, @Nonnull Throwable underlying) {
+        super(message, underlying);
+        this.fingerprint = fingerprint;
+    }
+
+    public OpenPgpFingerprint getFingerprint() {
+        return fingerprint;
+    }
+
+    public static class ExpiredKeyException extends KeyException {
+
+        public ExpiredKeyException(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull Date expirationDate) {
+            super("Key " + fingerprint + " is expired. Expiration date: " + DateUtil.formatUTCDate(expirationDate), fingerprint);
+        }
+    }
+
+    public static class UnacceptableEncryptionKeyException extends KeyException {
+
+        public UnacceptableEncryptionKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
+            super("Key " + fingerprint + " has no acceptable encryption key.", fingerprint);
+        }
+
+        public UnacceptableEncryptionKeyException(@Nonnull PublicKeyAlgorithmPolicyException reason) {
+            super("Key " + reason.getFingerprint() + " has no acceptable encryption key.", reason.getFingerprint(), reason);
+        }
+    }
+
+    public static class UnacceptableSigningKeyException extends KeyException {
+
+        public UnacceptableSigningKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
+            super("Key " + fingerprint + " has no acceptable signing key.", fingerprint);
+        }
+
+        public UnacceptableSigningKeyException(@Nonnull PublicKeyAlgorithmPolicyException reason) {
+            super("Key " + reason.getFingerprint() + " has no acceptable signing key.", reason.getFingerprint(), reason);
+        }
+    }
+
+    public static class UnacceptableSelfSignatureException extends KeyException {
+
+        public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {
+            super("Key " + fingerprint + " does not have a valid/acceptable signature to derive an expiration date from.", fingerprint);
+        }
+    }
+
+    public static class MissingSecretKeyException extends KeyException {
+
+        private final long missingSecretKeyId;
+
+        public MissingSecretKeyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId) {
+            super("Key " + fingerprint + " does not contain a secret key for public key " + Long.toHexString(keyId), fingerprint);
+            this.missingSecretKeyId = keyId;
+        }
+
+        public long getMissingSecretKeyId() {
+            return missingSecretKeyId;
+        }
+    }
+
+    public static class PublicKeyAlgorithmPolicyException extends KeyException {
+
+        private final long violatingSubkeyId;
+
+        public PublicKeyAlgorithmPolicyException(@Nonnull OpenPgpFingerprint fingerprint, long keyId, @Nonnull PublicKeyAlgorithm algorithm, int bitSize) {
+            super("Subkey " + Long.toHexString(keyId) + " of key " + fingerprint + " is violating the Public Key Algorithm Policy:\n" +
+                    algorithm + " of size " + bitSize + " is not acceptable.", fingerprint);
+            this.violatingSubkeyId = keyId;
+        }
+
+        public long getViolatingSubkeyId() {
+             return violatingSubkeyId;
+        }
+    }
+
+    public static class UnboundUserIdException extends KeyException {
+
+        public UnboundUserIdException(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull String userId,
+                                      @Nullable PGPSignature userIdSignature, @Nullable PGPSignature userIdRevocation) {
+            super(errorMessage(fingerprint, userId, userIdSignature, userIdRevocation), fingerprint);
+        }
+
+        private static String errorMessage(@Nonnull OpenPgpFingerprint fingerprint, @Nonnull String userId,
+                                           @Nullable PGPSignature userIdSignature, @Nullable PGPSignature userIdRevocation) {
+            String errorMessage = "UserID '" + userId + "' is not valid for key " + fingerprint + ": ";
+            if (userIdSignature == null) {
+                return errorMessage + "Missing binding signature.";
+            }
+            if (userIdRevocation != null) {
+                return errorMessage + "UserID is revoked.";
+            }
+            return errorMessage + "Unacceptable binding signature.";
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java
index 65ed3dea..b7a87ab7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyIntegrityException.java
@@ -4,6 +4,10 @@
 
 package org.pgpainless.exception;
 
+/**
+ * This exception gets thrown, when the integrity of an OpenPGP key is broken.
+ * That could happen on accident, or during an active attack, so take this exception seriously.
+ */
 public class KeyIntegrityException extends AssertionError {
 
     public KeyIntegrityException() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java
deleted file mode 100644
index 8296d6c9..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyValidationError.java
+++ /dev/null
@@ -1,14 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.exception;
-
-import org.bouncycastle.openpgp.PGPSignature;
-
-public class KeyValidationError extends AssertionError {
-
-    public KeyValidationError(String userId, PGPSignature userIdSig, PGPSignature userIdRevocation) {
-        super("User-ID '" + userId + "' is not valid: Sig: " + userIdSig + " Rev: " + userIdRevocation);
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index f1611aff..3ea2f424 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -36,7 +36,7 @@ import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
-import org.pgpainless.exception.KeyValidationError;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.util.RevocationAttributes;
@@ -949,7 +949,12 @@ public class KeyRingInfo {
      */
     public @Nonnull List getEncryptionSubkeys(String userId, EncryptionPurpose purpose) {
         if (userId != null && !isUserIdValid(userId)) {
-            throw new KeyValidationError(userId, getLatestUserIdCertification(userId), getUserIdRevocation(userId));
+            throw new KeyException.UnboundUserIdException(
+                    OpenPgpFingerprint.of(keys),
+                    userId,
+                    getLatestUserIdCertification(userId),
+                    getUserIdRevocation(userId)
+            );
         }
 
         return getEncryptionSubkeys(purpose);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
index 966e273f..88a2c38b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
@@ -34,6 +34,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.generation.KeySpec;
@@ -326,7 +327,7 @@ public class EncryptDecryptTest {
 
         PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
 
-        assertThrows(IllegalArgumentException.class, () ->
+        assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () ->
                 EncryptionOptions.encryptCommunications()
                         .addRecipient(publicKeys));
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
index 0c5f6489..488e5918 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
-import org.pgpainless.exception.KeyValidationError;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.generation.KeySpec;
 import org.pgpainless.key.generation.type.KeyType;
@@ -132,14 +132,14 @@ public class EncryptionOptionsTest {
                 .build();
         PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys);
 
-        assertThrows(IllegalArgumentException.class, () -> options.addRecipient(publicKeys));
+        assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> options.addRecipient(publicKeys));
     }
 
     @Test
     public void testEncryptionKeySelectionStrategyEmpty_ThrowsAssertionError() {
         EncryptionOptions options = new EncryptionOptions();
 
-        assertThrows(IllegalArgumentException.class,
+        assertThrows(KeyException.UnacceptableEncryptionKeyException.class,
                 () -> options.addRecipient(publicKeys, new EncryptionOptions.EncryptionKeySelector() {
                     @Override
                     public List selectEncryptionSubkeys(List encryptionCapableKeys) {
@@ -147,7 +147,7 @@ public class EncryptionOptionsTest {
                     }
                 }));
 
-        assertThrows(IllegalArgumentException.class,
+        assertThrows(KeyException.UnacceptableEncryptionKeyException.class,
                 () -> options.addRecipient(publicKeys, "test@pgpainless.org", new EncryptionOptions.EncryptionKeySelector() {
                     @Override
                     public List selectEncryptionSubkeys(List encryptionCapableKeys) {
@@ -180,6 +180,6 @@ public class EncryptionOptionsTest {
     @Test
     public void testAddRecipient_withInvalidUserId() {
         EncryptionOptions options = new EncryptionOptions();
-        assertThrows(KeyValidationError.class, () -> options.addRecipient(publicKeys, "invalid@user.id"));
+        assertThrows(KeyException.UnboundUserIdException.class, () -> options.addRecipient(publicKeys, "invalid@user.id"));
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java
index 593938ad..156e6b57 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java
@@ -35,8 +35,7 @@ import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
-import org.pgpainless.exception.KeyCannotSignException;
-import org.pgpainless.exception.KeyValidationError;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.generation.KeySpec;
@@ -45,9 +44,9 @@ import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.util.KeyRingUtils;
-import org.pgpainless.util.TestAllImplementations;
 import org.pgpainless.util.MultiMap;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.TestAllImplementations;
 
 public class SigningTest {
 
@@ -125,7 +124,7 @@ public class SigningTest {
 
         SigningOptions opts = new SigningOptions();
         // "bob" is not a valid user-id
-        assertThrows(KeyValidationError.class,
+        assertThrows(KeyException.UnboundUserIdException.class,
                 () -> opts.addInlineSignature(protector, secretKeys, "bob",
                         DocumentSignatureType.CANONICAL_TEXT_DOCUMENT));
     }
@@ -146,7 +145,7 @@ public class SigningTest {
 
         SigningOptions opts = new SigningOptions();
         // "alice" has been revoked
-        assertThrows(KeyValidationError.class,
+        assertThrows(KeyException.UnboundUserIdException.class,
                 () -> opts.addInlineSignature(protector, fSecretKeys, "alice",
                         DocumentSignatureType.CANONICAL_TEXT_DOCUMENT));
     }
@@ -253,9 +252,9 @@ public class SigningTest {
                 .build();
 
         SigningOptions options = new SigningOptions();
-        assertThrows(KeyCannotSignException.class, () -> options.addDetachedSignature(
+        assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addDetachedSignature(
                 SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT));
-        assertThrows(KeyCannotSignException.class, () -> options.addInlineSignature(
+        assertThrows(KeyException.UnacceptableSigningKeyException.class, () -> options.addInlineSignature(
                 SecretKeyRingProtector.unprotectedKeys(), secretKeys, DocumentSignatureType.BINARY_DOCUMENT));
     }
 
@@ -270,10 +269,10 @@ public class SigningTest {
                 .build();
 
         SigningOptions options = new SigningOptions();
-        assertThrows(KeyValidationError.class, () ->
+        assertThrows(KeyException.UnboundUserIdException.class, () ->
                 options.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob",
                         DocumentSignatureType.BINARY_DOCUMENT));
-        assertThrows(KeyValidationError.class, () ->
+        assertThrows(KeyException.UnboundUserIdException.class, () ->
                 options.addInlineSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys, "Bob",
                         DocumentSignatureType.BINARY_DOCUMENT));
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java
index c87bd2aa..f8c6471e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/CertificateExpirationTest.java
@@ -21,6 +21,7 @@ import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
 
@@ -124,7 +125,7 @@ public class CertificateExpirationTest {
                 "-----END PGP PUBLIC KEY BLOCK-----\n";
 
         PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(CERT);
-        assertThrows(IllegalArgumentException.class, () -> encrypt(cert));
+        assertThrows(KeyException.ExpiredKeyException.class, () -> encrypt(cert));
     }
 
     private EncryptionResult encrypt(PGPPublicKeyRing certificate) throws PGPException, IOException {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java
index 079f1062..b96d95e5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/weird_keys/TestEncryptCommsStorageFlagsDifferentiated.java
@@ -16,6 +16,7 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.generation.KeySpec;
 import org.pgpainless.key.generation.type.KeyType;
 import org.pgpainless.key.generation.type.rsa.RsaLength;
@@ -38,7 +39,7 @@ public class TestEncryptCommsStorageFlagsDifferentiated {
 
         PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys);
 
-        assertThrows(IllegalArgumentException.class, () -> EncryptionOptions.encryptCommunications()
+        assertThrows(KeyException.UnacceptableEncryptionKeyException.class, () -> EncryptionOptions.encryptCommunications()
                 .addRecipient(publicKeys));
     }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
index b3d18043..286c5262 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
@@ -22,6 +22,7 @@ import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
@@ -63,7 +64,7 @@ public class SignImpl implements Sign {
                 }
                 signingOptions.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key, modeToSigType(mode));
             }
-        } catch (PGPException e) {
+        } catch (PGPException | KeyException e) {
             throw new SOPGPException.BadData(e);
         }
         return this;

From bb8ecaa1c13094797f00f8228f0cb3cb7436458e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 15:50:08 +0100
Subject: [PATCH 0414/1450] PGPainless-1.2.0-SNAPSHOT

---
 CHANGELOG.md   | 5 +++++
 version.gradle | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8134c0cc..e7b0c522 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+
+## 1.2.0-SNAPSHOT
+- Improve exception hierarchy for key-related exceptions
+  - See [PR](https://github.com/pgpainless/pgpainless/pull/261) for more information on how to migrate.
+
 ## 1.1.5
 - SOP encrypt: match signature type when using `encrypt --as=` option
 - `ProducerOptions.setEncoding()`: The encoding is henceforth only considered metadata and will no longer trigger CRLF encoding.
diff --git a/version.gradle b/version.gradle
index 9406a66b..2f1bd17d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,7 +4,7 @@
 
 allprojects {
     ext {
-        shortVersion = '1.1.6'
+        shortVersion = '1.2.0'
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8

From 864bfad80ce0a2d6f6d45de95e8164516e902127 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Mar 2022 16:52:56 +0100
Subject: [PATCH 0415/1450] Add test for encryption / decryption, signing with
 missing secret subkey

---
 .../CertificateWithMissingSecretKeyTest.java  | 147 ++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
new file mode 100644
index 00000000..13359830
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
@@ -0,0 +1,147 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.DocumentSignatureType;
+import org.pgpainless.algorithm.EncryptionPurpose;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.KeyException;
+import org.pgpainless.exception.MissingDecryptionMethodException;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.util.KeyRingUtils;
+
+public class CertificateWithMissingSecretKeyTest {
+
+    private static final String MISSING_SIGNING_SECKEY = "" +
+            "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: E97B 15E6 52FA 8BAE 2311  DDCB A5BD 9DC4 4415 C987\n" +
+            "Comment: Missing Signing Subkey \n" +
+            "\n" +
+            "lFgEYjCuERYJKwYBBAHaRw8BAQdAaqeTdbyb/D+UXd2aXsP58+k+tvt22DnL6bC0\n" +
+            "7p2tJacAAP0fEmwUY7rSPugQakzsA8nV4Nv3PYlKa6meqEePT+8s8BFitC9NaXNz\n" +
+            "aW5nIFNpZ25pbmcgU3Via2V5IDxtaXNzaW5nQHNpZ25pbmcuc3Via2V5PoiPBBMW\n" +
+            "CgBBBQJiMK4RCRClvZ3ERBXJhxYhBOl7FeZS+ouuIxHdy6W9ncREFcmHAp4BApsB\n" +
+            "BRYCAwEABAsJCAcFFQoJCAsCmQEAAN0HAPkB7IphgTM94s/VpyV5+hvYbxesnji5\n" +
+            "RNzqs3nRhS8DBgEA/+gCpAkgznB3T/uNtWIoTf7Kuib5mIJ+SW0l+htuEgacXQRi\n" +
+            "MK4REgorBgEEAZdVAQUBAQdAlaQH44c7PdKkjaVVXvg86i+thKV121C/nH75Krhh\n" +
+            "QxYDAQgHAAD/aWJt9M85Al+57lPqS5ppzrIoCoTZ6JCwuJUSNEAg4BgQ6Ih1BBgW\n" +
+            "CgAdBQJiMK4RAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQpb2dxEQVyYdzuAD9\n" +
+            "GEkU7NfugHw8alQT7IJbUobVyZzeXQyzPqSKUw/Vp54BAJXZj8NzQrrM4Q5C3+Mf\n" +
+            "uznN+ryRovDXhf8T5PUXHloDuDMEYjCuERYJKwYBBAHaRw8BAQdAVeBpPurrwAU3\n" +
+            "ns+1C2c6wJ8iTZ1eWEP2qgBAlokx5N+I1QQYFgoAfQUCYjCuEQKeAQKbAgUWAgMB\n" +
+            "AAQLCQgHBRUKCQgLXyAEGRYKAAYFAmIwrhEACgkQld4KwYO6xR4YEwEA942iduoW\n" +
+            "1ANEmwCwnYwMAa3HlXsMs5bdIUGnxuo7MBEA/1YYeAu45O2Z8kTdrDZM/1emoxt1\n" +
+            "j6EzybnaJ+2XGX4AAAoJEKW9ncREFcmHLXsBAITCIwGtaCvZdWCQlJeYak1NTuBp\n" +
+            "bmOEFga0sLmRI/zYAP97U2oc8dqV55S1b4yNkfENK2MD6Ow0nv8CL6+S0UaCBw==\n" +
+            "=eTh7\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    private static final long signingSubkeyId = -7647663290973502178L;
+    private static PGPSecretKeyRing missingSigningSecKey;
+
+    private static long encryptionSubkeyId;
+    private static PGPSecretKeyRing missingDecryptionSecKey;
+
+    private static final SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+
+
+    @BeforeAll
+    public static void prepare() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        // missing signing sec key we read from bytes
+        missingSigningSecKey = PGPainless.readKeyRing().secretKeyRing(MISSING_SIGNING_SECKEY);
+
+        // missing encryption sec key we generate on the fly
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
+                .modernKeyRing("Missing Decryption Key ", null);
+        encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys)
+                .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID();
+        // remove the encryption/decryption secret key
+        missingDecryptionSecKey = KeyRingUtils.removeSecretKey(secretKeys, encryptionSubkeyId);
+    }
+
+    @Test
+    public void assureMissingSigningSecKeyOnlyContainSigningPubKey() {
+        assertNotNull(missingSigningSecKey.getPublicKey(signingSubkeyId));
+        assertNull(missingSigningSecKey.getSecretKey(signingSubkeyId));
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(missingSigningSecKey);
+        assertFalse(info.getSigningSubkeys().isEmpty()); // This method only tests for pub keys.
+    }
+
+    @Test
+    public void assureMissingDecryptionSecKeyOnlyContainsEncryptionPubKey() {
+        assertNotNull(missingDecryptionSecKey.getPublicKey(encryptionSubkeyId));
+        assertNull(missingDecryptionSecKey.getSecretKey(encryptionSubkeyId));
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(missingDecryptionSecKey);
+        assertFalse(info.getEncryptionSubkeys(EncryptionPurpose.ANY).isEmpty()); // pub key is still there
+    }
+
+    @Test
+    public void testSignWithMissingSigningSecKey() {
+        SigningOptions signingOptions = SigningOptions.get();
+
+        assertThrows(KeyException.MissingSecretKeyException.class, () ->
+                signingOptions.addInlineSignature(protector, missingSigningSecKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT));
+        assertThrows(KeyException.MissingSecretKeyException.class, () ->
+                signingOptions.addDetachedSignature(protector, missingSigningSecKey, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT));
+    }
+
+    @Test
+    public void testEncryptDecryptWithMissingDecryptionKey() throws PGPException, IOException {
+        ByteArrayInputStream in = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8));
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(missingDecryptionSecKey);
+        ProducerOptions producerOptions = ProducerOptions.encrypt(
+                EncryptionOptions.encryptCommunications()
+                        .addRecipient(certificate));  // we can still encrypt, since the pub key is still there
+
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(producerOptions);
+
+        Streams.pipeAll(in, encryptionStream);
+        encryptionStream.close();
+
+        assertTrue(encryptionStream.getResult().isEncryptedFor(certificate));
+
+        // Test decryption
+        ByteArrayInputStream cipherIn = new ByteArrayInputStream(out.toByteArray());
+
+        ConsumerOptions consumerOptions = new ConsumerOptions()
+                .addDecryptionKey(missingDecryptionSecKey);
+
+        assertThrows(MissingDecryptionMethodException.class, () ->
+                PGPainless.decryptAndOrVerify()
+                        .onInputStream(cipherIn)
+                        .withOptions(consumerOptions)); // <- cannot find decryption key
+    }
+}

From 73fa46895e4ee8e524a5c43bf8106de1286603a9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 19:51:42 +0200
Subject: [PATCH 0416/1450] Implement merging of certificates

Fixes #211
---
 .../src/main/java/org/pgpainless/PGPainless.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 46dd35c2..827085ce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -8,6 +8,7 @@ import java.io.IOException;
 import java.util.Date;
 import javax.annotation.Nonnull;
 
+import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
@@ -66,6 +67,21 @@ public final class PGPainless {
         return KeyRingUtils.publicKeyRingFrom(secretKey);
     }
 
+    /**
+     * Merge two copies of the same certificate (e.g. an old copy, and one retrieved from a key server) together.
+     *
+     * @param originalCopy local, older copy of the cert
+     * @param updatedCopy updated, newer copy of the cert
+     * @return merged certificate
+     * @throws PGPException in case of an error
+     */
+    public static PGPPublicKeyRing mergeCertificate(
+            @Nonnull PGPPublicKeyRing originalCopy,
+            @Nonnull PGPPublicKeyRing updatedCopy)
+            throws PGPException {
+        return PGPPublicKeyRing.join(originalCopy, updatedCopy);
+    }
+
     /**
      * Wrap a key or certificate in ASCII armor.
      *

From 361d2376f5273404ba595c5c7027835a3975446d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:21:07 +0200
Subject: [PATCH 0417/1450] Update documentation on curve oid workaround

---
 .../src/main/java/org/pgpainless/key/info/KeyInfo.java        | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
index d1a5f748..f85c5c8a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyInfo.java
@@ -96,7 +96,9 @@ public class KeyInfo {
 
         // Workaround for ECUtil not recognizing ed25519
         // see https://github.com/bcgit/bc-java/issues/1087
-        // TODO: Remove once BC 1.71 gets released and contains a fix
+        // UPDATE: Apparently 1087 is not fixed properly with BC 1.71
+        // See https://github.com/bcgit/bc-java/issues/1142
+        // TODO: Remove when BC 1.72 comes out with a fix.
         if (identifier.equals(GNUObjectIdentifiers.Ed25519)) {
             return EdDSACurve._Ed25519.getName();
         }

From d0544e690ea71473a70235f930c8540fef4a97ff Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:24:36 +0200
Subject: [PATCH 0418/1450] Fix KeyRingUtils.keysPlusPublicKey()

---
 .../java/org/pgpainless/key/util/KeyRingUtils.java    | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 375e3527..a7a2b0b9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -355,7 +355,6 @@ public final class KeyRingUtils {
      * Inject a {@link PGPPublicKey} into the given key ring.
      *
      * Note: Right now this method is broken and will throw a {@link NotYetImplementedException}.
-     * TODO: Fix with BC 171
      *
      * @param keyRing key ring
      * @param publicKey public key
@@ -365,10 +364,6 @@ public final class KeyRingUtils {
     @Nonnull
     public static  T keysPlusPublicKey(@Nonnull T keyRing,
                                                              @Nonnull PGPPublicKey publicKey) {
-        if (true)
-            // Is currently broken beyond repair
-            throw new NotYetImplementedException();
-
         PGPSecretKeyRing secretKeys = null;
         PGPPublicKeyRing publicKeys;
         if (keyRing instanceof PGPSecretKeyRing) {
@@ -382,11 +377,7 @@ public final class KeyRingUtils {
         if (secretKeys == null) {
             return (T) publicKeys;
         } else {
-            // TODO: Replace with PGPSecretKeyRing.insertOrReplacePublicKey() once available
-            //  Right now replacePublicKeys looses extra public keys.
-            //  See https://github.com/bcgit/bc-java/pull/1068 for a possible fix
-            //  Fix once BC 171 gets released.
-            secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys);
+            secretKeys = PGPSecretKeyRing.insertOrReplacePublicKey(secretKeys, publicKey);
             return (T) secretKeys;
         }
     }

From 5f65ca443764087f83fe3a2b2ac274eeea7c2699 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:28:45 +0200
Subject: [PATCH 0419/1450] Remove workaround for BC not properly parsing
 RevocationKey subpacket

---
 .../signature/subpackets/SignatureSubpacketsUtil.java    | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 5a839bcb..9ebc03e8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -596,15 +596,6 @@ public final class SignatureSubpacketsUtil {
         }
 
         org.bouncycastle.bcpg.SignatureSubpacket last = allPackets[allPackets.length - 1];
-
-        if (type == SignatureSubpacket.revocationKey) {
-            // RevocationKey subpackets are not castable for some reason
-            // See https://github.com/bcgit/bc-java/pull/1085 for an upstreamed fix
-            // We need to manually construct the new object for now.
-            // TODO: Remove workaround when BC 1.71 is released (and has our fix)
-            return (P) new RevocationKey(last.isCritical(), last.isLongLength(), last.getData());
-        }
-
         return (P) last;
     }
 

From d4c56f655ff0a732217ef0644ebdd79a03ea2791 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:41:21 +0200
Subject: [PATCH 0420/1450] Add support for PolicyURI subpackets (fixes #248)

---
 .../subpackets/BaseSignatureSubpackets.java   |  8 +++++++
 .../subpackets/SignatureSubpackets.java       | 23 +++++++++++++++++++
 .../subpackets/SignatureSubpacketsHelper.java |  7 +++++-
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
index 182917a0..c6d68c6a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
@@ -5,6 +5,7 @@
 package org.pgpainless.signature.subpackets;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.Date;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -15,6 +16,7 @@ import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint;
 import org.bouncycastle.bcpg.sig.IssuerFingerprint;
 import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.NotationData;
+import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.Revocable;
 import org.bouncycastle.bcpg.sig.SignatureCreationTime;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
@@ -88,6 +90,12 @@ public interface BaseSignatureSubpackets {
 
     BaseSignatureSubpackets setExportable(@Nullable Exportable exportable);
 
+    BaseSignatureSubpackets setPolicyUrl(@Nullable URL policyUrl);
+
+    BaseSignatureSubpackets setPolicyUrl(boolean isCritical, @Nonnull URL policyUrl);
+
+    BaseSignatureSubpackets setPolicyUrl(@Nullable PolicyURI policyUrl);
+
     BaseSignatureSubpackets setRevocable(boolean revocable);
 
     BaseSignatureSubpackets setRevocable(boolean isCritical, boolean isRevocable);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index 6c0740c7..742ab831 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -5,6 +5,7 @@
 package org.pgpainless.signature.subpackets;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -26,6 +27,7 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.KeyFlags;
 import org.bouncycastle.bcpg.sig.NotationData;
+import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.PreferredAlgorithms;
 import org.bouncycastle.bcpg.sig.PrimaryUserID;
 import org.bouncycastle.bcpg.sig.Revocable;
@@ -68,6 +70,7 @@ public class SignatureSubpackets
     private final List embeddedSignatureList = new ArrayList<>();
     private SignerUserID signerUserId;
     private KeyExpirationTime keyExpirationTime;
+    private PolicyURI policyURI;
     private PrimaryUserID primaryUserId;
     private Revocable revocable;
     private RevocationReason revocationReason;
@@ -485,6 +488,26 @@ public class SignatureSubpackets
         return exportable;
     }
 
+    @Override
+    public BaseSignatureSubpackets setPolicyUrl(@Nullable URL policyUrl) {
+        return policyUrl == null ? setPolicyUrl((PolicyURI) null) : setPolicyUrl(false, policyUrl);
+    }
+
+    @Override
+    public BaseSignatureSubpackets setPolicyUrl(boolean isCritical, @Nonnull URL policyUrl) {
+        return setPolicyUrl(new PolicyURI(isCritical, policyUrl.toString()));
+    }
+
+    @Override
+    public BaseSignatureSubpackets setPolicyUrl(@Nullable PolicyURI policyUrl) {
+        this.policyURI = policyUrl;
+        return this;
+    }
+
+    public PolicyURI getPolicyURI() {
+        return policyURI;
+    }
+
     @Override
     public SignatureSubpackets setRevocable(boolean revocable) {
         return setRevocable(true, revocable);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
index 2118c49c..4bea3036 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
@@ -12,6 +12,7 @@ import org.bouncycastle.bcpg.sig.IntendedRecipientFingerprint;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.KeyFlags;
 import org.bouncycastle.bcpg.sig.NotationData;
+import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.PreferredAlgorithms;
 import org.bouncycastle.bcpg.sig.PrimaryUserID;
 import org.bouncycastle.bcpg.sig.Revocable;
@@ -114,11 +115,14 @@ public class SignatureSubpacketsHelper {
                     IntendedRecipientFingerprint intendedRecipientFingerprint = (IntendedRecipientFingerprint) subpacket;
                     subpackets.addIntendedRecipientFingerprint(intendedRecipientFingerprint);
                     break;
+                case policyUrl:
+                    PolicyURI policyURI = (PolicyURI) subpacket;
+                    subpackets.setPolicyUrl(policyURI);
+                    break;
 
                 case regularExpression:
                 case keyServerPreferences:
                 case preferredKeyServers:
-                case policyUrl:
                 case placeholder:
                 case preferredAEADAlgorithms:
                 case attestedCertification:
@@ -135,6 +139,7 @@ public class SignatureSubpacketsHelper {
         addSubpacket(generator, subpackets.getSignatureCreationTimeSubpacket());
         addSubpacket(generator, subpackets.getSignatureExpirationTimeSubpacket());
         addSubpacket(generator, subpackets.getExportableSubpacket());
+        addSubpacket(generator, subpackets.getPolicyURI());
         for (NotationData notationData : subpackets.getNotationDataSubpackets()) {
             addSubpacket(generator, notationData);
         }

From 771084545417e839f5d2c492e7c4ee4b3f04839f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:46:21 +0200
Subject: [PATCH 0421/1450] Simplify setPolicyUrl implementation

---
 .../signature/subpackets/BaseSignatureSubpackets.java         | 2 +-
 .../pgpainless/signature/subpackets/SignatureSubpackets.java  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
index c6d68c6a..7e44b748 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
@@ -90,7 +90,7 @@ public interface BaseSignatureSubpackets {
 
     BaseSignatureSubpackets setExportable(@Nullable Exportable exportable);
 
-    BaseSignatureSubpackets setPolicyUrl(@Nullable URL policyUrl);
+    BaseSignatureSubpackets setPolicyUrl(@Nonnull URL policyUrl);
 
     BaseSignatureSubpackets setPolicyUrl(boolean isCritical, @Nonnull URL policyUrl);
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index 742ab831..914ff2ff 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -489,8 +489,8 @@ public class SignatureSubpackets
     }
 
     @Override
-    public BaseSignatureSubpackets setPolicyUrl(@Nullable URL policyUrl) {
-        return policyUrl == null ? setPolicyUrl((PolicyURI) null) : setPolicyUrl(false, policyUrl);
+    public BaseSignatureSubpackets setPolicyUrl(@Nonnull URL policyUrl) {
+        return setPolicyUrl(false, policyUrl);
     }
 
     @Override

From e4bccaf58d70476100f163aaf4b5f437edad4516 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 20:47:47 +0200
Subject: [PATCH 0422/1450] Add support for RegularExpression subpackets (fixes
 #246)

---
 .../subpackets/BaseSignatureSubpackets.java   |  7 ++++++
 .../subpackets/SignatureSubpackets.java       | 22 +++++++++++++++++++
 .../subpackets/SignatureSubpacketsHelper.java |  7 +++++-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
index 7e44b748..28e99b9e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.java
@@ -17,6 +17,7 @@ import org.bouncycastle.bcpg.sig.IssuerFingerprint;
 import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.NotationData;
 import org.bouncycastle.bcpg.sig.PolicyURI;
+import org.bouncycastle.bcpg.sig.RegularExpression;
 import org.bouncycastle.bcpg.sig.Revocable;
 import org.bouncycastle.bcpg.sig.SignatureCreationTime;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
@@ -96,6 +97,12 @@ public interface BaseSignatureSubpackets {
 
     BaseSignatureSubpackets setPolicyUrl(@Nullable PolicyURI policyUrl);
 
+    BaseSignatureSubpackets setRegularExpression(@Nonnull String regex);
+
+    BaseSignatureSubpackets setRegularExpression(boolean isCritical, @Nonnull String regex);
+
+    BaseSignatureSubpackets setRegularExpression(@Nullable RegularExpression regex);
+
     BaseSignatureSubpackets setRevocable(boolean revocable);
 
     BaseSignatureSubpackets setRevocable(boolean isCritical, boolean isRevocable);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index 914ff2ff..c622844f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -30,6 +30,7 @@ import org.bouncycastle.bcpg.sig.NotationData;
 import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.PreferredAlgorithms;
 import org.bouncycastle.bcpg.sig.PrimaryUserID;
+import org.bouncycastle.bcpg.sig.RegularExpression;
 import org.bouncycastle.bcpg.sig.Revocable;
 import org.bouncycastle.bcpg.sig.RevocationKey;
 import org.bouncycastle.bcpg.sig.RevocationReason;
@@ -72,6 +73,7 @@ public class SignatureSubpackets
     private KeyExpirationTime keyExpirationTime;
     private PolicyURI policyURI;
     private PrimaryUserID primaryUserId;
+    private RegularExpression regularExpression;
     private Revocable revocable;
     private RevocationReason revocationReason;
     private final List residualSubpackets = new ArrayList<>();
@@ -508,6 +510,26 @@ public class SignatureSubpackets
         return policyURI;
     }
 
+    @Override
+    public BaseSignatureSubpackets setRegularExpression(@Nonnull String regex) {
+        return setRegularExpression(false, regex);
+    }
+
+    @Override
+    public BaseSignatureSubpackets setRegularExpression(boolean isCritical, @Nonnull String regex) {
+        return setRegularExpression(new RegularExpression(isCritical, regex));
+    }
+
+    @Override
+    public BaseSignatureSubpackets setRegularExpression(@Nullable RegularExpression regex) {
+        this.regularExpression = regex;
+        return this;
+    }
+
+    public RegularExpression getRegularExpression() {
+        return regularExpression;
+    }
+
     @Override
     public SignatureSubpackets setRevocable(boolean revocable) {
         return setRevocable(true, revocable);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
index 4bea3036..2def2af6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
@@ -15,6 +15,7 @@ import org.bouncycastle.bcpg.sig.NotationData;
 import org.bouncycastle.bcpg.sig.PolicyURI;
 import org.bouncycastle.bcpg.sig.PreferredAlgorithms;
 import org.bouncycastle.bcpg.sig.PrimaryUserID;
+import org.bouncycastle.bcpg.sig.RegularExpression;
 import org.bouncycastle.bcpg.sig.Revocable;
 import org.bouncycastle.bcpg.sig.RevocationKey;
 import org.bouncycastle.bcpg.sig.RevocationReason;
@@ -119,8 +120,11 @@ public class SignatureSubpacketsHelper {
                     PolicyURI policyURI = (PolicyURI) subpacket;
                     subpackets.setPolicyUrl(policyURI);
                     break;
-
                 case regularExpression:
+                    RegularExpression regex = (RegularExpression) subpacket;
+                    subpackets.setRegularExpression(regex);
+                    break;
+                    
                 case keyServerPreferences:
                 case preferredKeyServers:
                 case placeholder:
@@ -140,6 +144,7 @@ public class SignatureSubpacketsHelper {
         addSubpacket(generator, subpackets.getSignatureExpirationTimeSubpacket());
         addSubpacket(generator, subpackets.getExportableSubpacket());
         addSubpacket(generator, subpackets.getPolicyURI());
+        addSubpacket(generator, subpackets.getRegularExpression());
         for (NotationData notationData : subpackets.getNotationDataSubpackets()) {
             addSubpacket(generator, notationData);
         }

From 9a012b5bab30f523dcb35f1669620301d58c0ce4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 21:15:43 +0200
Subject: [PATCH 0423/1450] Update changelog

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7b0c522..7778d873 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,13 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.2.0-SNAPSHOT
 - Improve exception hierarchy for key-related exceptions
   - See [PR](https://github.com/pgpainless/pgpainless/pull/261) for more information on how to migrate.
+- Bump Bouncy Castle to `1.71`
+  - Switch from `bcpg-jdk15on:1.70` to `bcpg-jdk15to18:1.71`
+  - Switch from `bcprov-jdk15on:1.70` to `bcprov-jdk15to18:1.71`
+- Implement merging of certificate copies
+  - can be used to implement updating certificates from key servers
+- Fix `KeyRingUtils.keysPlusPublicKey()`
+- Add support for adding `PolicyURI` and `RegularExpression` signature subpackets on signatures
 
 ## 1.1.5
 - SOP encrypt: match signature type when using `encrypt --as=` option

From 05022fcbb5f7b39ace18b78bbcf5a4948e0663b9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 21:17:00 +0200
Subject: [PATCH 0424/1450] Fix whitespace error

---
 .../signature/subpackets/SignatureSubpacketsHelper.java         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
index 2def2af6..8af60a03 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsHelper.java
@@ -124,7 +124,7 @@ public class SignatureSubpacketsHelper {
                     RegularExpression regex = (RegularExpression) subpacket;
                     subpackets.setRegularExpression(regex);
                     break;
-                    
+
                 case keyServerPreferences:
                 case preferredKeyServers:
                 case placeholder:

From 9f50946dd7c195df1870fd1a1ffe47302c23974b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 21:20:46 +0200
Subject: [PATCH 0425/1450] PGPainless 1.2.0

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7778d873..25ab7ef0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ SPDX-License-Identifier: CC0-1.0
 # PGPainless Changelog
 
 
-## 1.2.0-SNAPSHOT
+## 1.2.0
 - Improve exception hierarchy for key-related exceptions
   - See [PR](https://github.com/pgpainless/pgpainless/pull/261) for more information on how to migrate.
 - Bump Bouncy Castle to `1.71`
diff --git a/README.md b/README.md
index 58e59401..503475d9 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.1.5'
+	implementation 'org.pgpainless:pgpainless-core:1.2.0'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index bb4af342..a656eb4c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.1.5"
+    implementation "org.pgpainless:pgpainless-sop:1.2.0"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.1.5
+        1.2.0
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 2f1bd17d..38f38e95 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.2.0'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 5f9ad3396acbf9e8e86463315479769b6916a75f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Apr 2022 21:22:53 +0200
Subject: [PATCH 0426/1450] PGPainless 1.2.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 38f38e95..cf6c38c4 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.2.0'
-        isSnapshot = false
+        shortVersion = '1.2.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 9558deab741aa4e24860a8c397f39651ddfde6ca Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 11 Apr 2022 12:11:26 +0200
Subject: [PATCH 0427/1450] Set mainClass name in application section

---
 pgpainless-cli/build.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle
index 869eedf7..7317524b 100644
--- a/pgpainless-cli/build.gradle
+++ b/pgpainless-cli/build.gradle
@@ -48,6 +48,10 @@ dependencies {
 
 mainClassName = 'org.pgpainless.cli.PGPainlessCLI'
 
+application {
+    mainClass = mainClassName
+}
+
 jar {
     duplicatesStrategy(DuplicatesStrategy.EXCLUDE)
     manifest {

From 5307402edb112b831b7ff0e6a68730a4d372059a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 11 Apr 2022 14:15:29 +0200
Subject: [PATCH 0428/1450] Bump sop-java to 1.2.2

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index cf6c38c4..c556858b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -12,6 +12,6 @@ allprojects {
         slf4jVersion = '1.7.32'
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.0'
+        sopJavaVersion = '1.2.2'
     }
 }

From 218d7becae63e4c1d739e8bbc46b245eb09842ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 11 Apr 2022 14:15:29 +0200
Subject: [PATCH 0429/1450] Bump sop-java to 1.2.2

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index cf6c38c4..c556858b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -12,6 +12,6 @@ allprojects {
         slf4jVersion = '1.7.32'
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.0'
+        sopJavaVersion = '1.2.2'
     }
 }

From b64d6e8e55243737bcb0ebef5e2eceea40e2b670 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 16 Apr 2022 00:22:41 +0200
Subject: [PATCH 0430/1450] Stabilize HashAlgorithm.fromName()

---
 .../main/java/org/pgpainless/algorithm/HashAlgorithm.java  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
index bcd69cc0..12feb678 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
@@ -80,7 +80,12 @@ public enum HashAlgorithm {
      */
     @Nullable
     public static HashAlgorithm fromName(String name) {
-        return NAME_MAP.get(name);
+        String algorithmName = name.toUpperCase();
+        HashAlgorithm algorithm = NAME_MAP.get(algorithmName);
+        if (algorithm == null) {
+            algorithm = NAME_MAP.get(algorithmName.replace("-", ""));
+        }
+        return algorithm;
     }
 
     private final int algorithmId;

From c3dfb254b1cee1be1a15725e3b37b07809c67230 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 16 Apr 2022 00:23:20 +0200
Subject: [PATCH 0431/1450] Experimental implementation of signing of existing
 hash contexts (MessageDigest instances)

---
 .../HashContextPGPContentSignerBuilder.java   | 237 ++++++++++++++++++
 .../signature/builder/HashContextSigner.java  |  38 +++
 .../signature/HashContextSignerTest.java      | 125 +++++++++
 3 files changed, 400 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java
new file mode 100644
index 00000000..68c24743
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java
@@ -0,0 +1,237 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.signature.builder;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.Signer;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
+import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
+import org.bouncycastle.crypto.signers.DSADigestSigner;
+import org.bouncycastle.crypto.signers.DSASigner;
+import org.bouncycastle.crypto.signers.ECDSASigner;
+import org.bouncycastle.crypto.signers.Ed25519Signer;
+import org.bouncycastle.crypto.signers.Ed448Signer;
+import org.bouncycastle.crypto.signers.RSADigestSigner;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.operator.PGPContentSigner;
+import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPKeyConverter;
+import org.bouncycastle.util.Arrays;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.PublicKeyAlgorithm;
+
+/**
+ * Implementation of {@link PGPContentSignerBuilder} using the BC API, which can be used to sign hash contexts.
+ * This can come in handy to sign data, which was already processed to calculate the hash context, without the
+ * need to process it again to calculate the OpenPGP signature.
+ */
+public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuilder {
+
+    private final BcPGPKeyConverter keyConverter = new BcPGPKeyConverter();
+    private final MessageDigest messageDigest;
+    private final HashAlgorithm hashAlgorithm;
+
+    public HashContextPGPContentSignerBuilder(MessageDigest messageDigest) {
+        this.messageDigest = messageDigest;
+        this.hashAlgorithm = HashAlgorithm.fromName(messageDigest.getAlgorithm());
+        if (hashAlgorithm == null) {
+            throw new IllegalArgumentException("Cannot recognize OpenPGP Hash Algorithm: " + messageDigest.getAlgorithm());
+        }
+    }
+
+    @Override
+    public PGPContentSigner build(int signatureType, PGPPrivateKey privateKey) throws PGPException {
+        PublicKeyAlgorithm keyAlgorithm = PublicKeyAlgorithm.requireFromId(privateKey.getPublicKeyPacket().getAlgorithm());
+        AsymmetricKeyParameter privKeyParam = keyConverter.getPrivateKey(privateKey);
+        final Signer signer = createSigner(keyAlgorithm, messageDigest, privKeyParam);
+        signer.init(true, privKeyParam);
+
+        return new PGPContentSigner() {
+            public int getType() {
+                return signatureType;
+            }
+
+            public int getHashAlgorithm() {
+                return hashAlgorithm.getAlgorithmId();
+            }
+
+            public int getKeyAlgorithm() {
+                return keyAlgorithm.getAlgorithmId();
+            }
+
+            public long getKeyID() {
+                return privateKey.getKeyID();
+            }
+
+            public OutputStream getOutputStream() {
+                return new SignerOutputStream(signer);
+            }
+
+            public byte[] getSignature() {
+                try {
+                    return signer.generateSignature();
+                } catch (CryptoException e) {
+                    throw new IllegalStateException("unable to create signature");
+                }
+            }
+
+            public byte[] getDigest() {
+                return messageDigest.digest();
+            }
+        };
+    }
+
+    static Signer createSigner(
+            PublicKeyAlgorithm keyAlgorithm,
+            MessageDigest messageDigest,
+            CipherParameters keyParam)
+            throws PGPException {
+        ExistingMessageDigest staticDigest = new ExistingMessageDigest(messageDigest);
+        switch (keyAlgorithm.getAlgorithmId()) {
+            case PublicKeyAlgorithmTags.RSA_GENERAL:
+            case PublicKeyAlgorithmTags.RSA_SIGN:
+                return new RSADigestSigner(staticDigest);
+            case PublicKeyAlgorithmTags.DSA:
+                return new DSADigestSigner(new DSASigner(), staticDigest);
+            case PublicKeyAlgorithmTags.ECDSA:
+                return new DSADigestSigner(new ECDSASigner(), staticDigest);
+            case PublicKeyAlgorithmTags.EDDSA:
+                if (keyParam instanceof Ed25519PrivateKeyParameters || keyParam instanceof Ed25519PublicKeyParameters) {
+                    return new EdDsaSigner(new Ed25519Signer(), staticDigest);
+                }
+                return new EdDsaSigner(new Ed448Signer(new byte[0]), staticDigest);
+            default:
+                throw new PGPException("cannot recognise keyAlgorithm: " + keyAlgorithm);
+        }
+    }
+
+    static class ExistingMessageDigest implements Digest {
+
+        private final MessageDigest digest;
+
+        ExistingMessageDigest(MessageDigest messageDigest) {
+            this.digest = messageDigest;
+        }
+
+        @Override
+        public void update(byte in) {
+            digest.update(in);
+        }
+
+        @Override
+        public void update(byte[] in, int inOff, int len) {
+            digest.update(in, inOff, len);
+        }
+
+        @Override
+        public int doFinal(byte[] out, int outOff) {
+            byte[] hash = digest.digest();
+            System.arraycopy(hash, 0, out, outOff, hash.length);
+            return getDigestSize();
+        }
+
+        @Override
+        public void reset() {
+            // Nope!
+            // We cannot reset, since BCs signer classes are resetting in their init() methods, which would also reset
+            // the messageDigest, losing its state. This would shatter our intention.
+        }
+
+        @Override
+        public String getAlgorithmName() {
+            return digest.getAlgorithm();
+        }
+
+        @Override
+        public int getDigestSize() {
+            return digest.getDigestLength();
+        }
+    }
+
+    // Copied from BCs BcImplProvider - required since BCs class is package visible only :/
+    private static class EdDsaSigner
+            implements Signer {
+        private final Signer signer;
+        private final Digest digest;
+        private final byte[] digBuf;
+
+        EdDsaSigner(Signer signer, Digest digest) {
+            this.signer = signer;
+            this.digest = digest;
+            this.digBuf = new byte[digest.getDigestSize()];
+        }
+
+        public void init(boolean forSigning, CipherParameters param) {
+            this.signer.init(forSigning, param);
+            this.digest.reset();
+        }
+
+        public void update(byte b) {
+            this.digest.update(b);
+        }
+
+        public void update(byte[] in, int off, int len) {
+            this.digest.update(in, off, len);
+        }
+
+        public byte[] generateSignature()
+                throws CryptoException, DataLengthException {
+            digest.doFinal(digBuf, 0);
+
+            signer.update(digBuf, 0, digBuf.length);
+
+            return signer.generateSignature();
+        }
+
+        public boolean verifySignature(byte[] signature) {
+            digest.doFinal(digBuf, 0);
+
+            signer.update(digBuf, 0, digBuf.length);
+
+            return signer.verifySignature(signature);
+        }
+
+        public void reset() {
+            Arrays.clear(digBuf);
+            signer.reset();
+            digest.reset();
+        }
+    }
+
+    // Copied from BC, required since BCs class is package visible only
+    static class SignerOutputStream
+            extends OutputStream {
+        private Signer sig;
+
+        SignerOutputStream(Signer sig) {
+            this.sig = sig;
+        }
+
+        public void write(byte[] bytes, int off, int len)
+                throws IOException {
+            sig.update(bytes, off, len);
+        }
+
+        public void write(byte[] bytes)
+                throws IOException {
+            sig.update(bytes, 0, bytes.length);
+        }
+
+        public void write(int b)
+                throws IOException {
+            sig.update((byte) b);
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
new file mode 100644
index 00000000..57d687cc
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.signature.builder;
+
+import java.security.MessageDigest;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.pgpainless.algorithm.SignatureType;
+
+public class HashContextSigner {
+
+    /**
+     * Create an OpenPGP Signature over the given {@link MessageDigest} hash context.
+     *
+     * WARNING: This method does not yet validate the signing key.
+     * TODO: Change API to receive and evaluate PGPSecretKeyRing + SecretKeyRingProtector instead.
+     *
+     * @param hashContext hash context
+     * @param privateKey signing-capable key
+     * @return signature
+     * @throws PGPException in case of an OpenPGP error
+     */
+    public static PGPSignature signHashContext(MessageDigest hashContext, SignatureType signatureType, PGPPrivateKey privateKey)
+            throws PGPException {
+        // TODO: Validate signing key
+        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
+                new HashContextPGPContentSignerBuilder(hashContext)
+        );
+
+        sigGen.init(signatureType.getCode(), privateKey);
+        return sigGen.generate();
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java
new file mode 100644
index 00000000..baa5a73f
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java
@@ -0,0 +1,125 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.signature;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.key.generation.type.rsa.RsaLength;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.signature.builder.HashContextSigner;
+import org.pgpainless.util.Passphrase;
+
+public class HashContextSignerTest {
+
+    private static final String message = "Hello, World!\n";
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 62D5 CBED 8BD0 7D3F D167  240D 4364 E4C1 C4ED 8F59\n" +
+            "Comment: Sigfried \n" +
+            "\n" +
+            "lFgEYlnOkRYJKwYBBAHaRw8BAQdA7Kxn/sPIXo44xnxLBL81G5ghGzMikFc5ib9/\n" +
+            "qgJpZSUAAQCZnJN2l/cfWWh4DijBAwFWoVJOCphKhsJEjKxOzWdqMA2DtBVTaWdm\n" +
+            "cmllZCA8c2lnQGZyaS5lZD6IjwQTFgoAQQUCYlnOkQkQQ2TkwcTtj1kWIQRi1cvt\n" +
+            "i9B9P9FnJA1DZOTBxO2PWQKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAAd/gEA\n" +
+            "kiPFDdMGjZV/7Do/3ox46iCH3N1I3BGmA2Jt8PsYwe0BAKe5ahLzCNAXjBQU4iSD\n" +
+            "A4FGipNaG2ZWgAMkdwVjMLEAnF0EYlnOkRIKKwYBBAGXVQEFAQEHQI3n0cWbBh+7\n" +
+            "zeuBjMWevsyxLUCExKSj5fxCh/0GuJgAAwEIBwAA/16V22vjZfAvtnUrVtUZQoYZ\n" +
+            "E8h87Jzj/XxXFy63I6qoER2IdQQYFgoAHQUCYlnOkQKeAQKbDAUWAgMBAAQLCQgH\n" +
+            "BRUKCQgLAAoJEENk5MHE7Y9ZzhsA+gPb2FNutetjrYUSY7BEsk+PPkCXF9W6JZmb\n" +
+            "W/zyRxgpAP9zNzpWrO7kKQ0PwMMd3R1F4Rg6GH+vjXsIbd6jT25UBJxYBGJZzpEW\n" +
+            "CSsGAQQB2kcPAQEHQPOZhITstSj3cPfsTiBEPhtCrc184fkAjl4s+gSB9ttRAAD/\n" +
+            "RVpdc9BhJ/ZXtqQaCBL65h7Uym7i+HExQphHOiuB3iwQOIjVBBgWCgB9BQJiWc6R\n" +
+            "Ap4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCYlnOkQAKCRDXXcvYX8Ym\n" +
+            "crh9AP99WWietGWYs2//FYi0bEAWp6D0HmHP42rvC3qsqyMa8wD8D1Pi2atKwQTP\n" +
+            "JAxQFa06cUIw2POE3llaB0MKQXdTVgQACgkQQ2TkwcTtj1mF+gD+OHo68KeGFUi0\n" +
+            "VcVV/dx/6ES9GAIf1TI6jEsaU8TPBcMBAOHG+5MMVvyNiVKLA0JgJPF3JXOOEU+5\n" +
+            "qiHwlVoGncUM\n" +
+            "=431t\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    @Test
+    public void signContextWithEdDSAKeys() throws PGPException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        signWithKeys(secretKeys);
+    }
+
+    @Test
+    public void signContextWithRSAKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleRsaKeyRing("Sigfried", RsaLength._3072);
+        signWithKeys(secretKeys);
+    }
+
+    @Test
+    public void signContextWithEcKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().simpleEcKeyRing("Sigfried");
+        signWithKeys(secretKeys);
+    }
+
+    private void signWithKeys(PGPSecretKeyRing secretKeys) throws PGPException, NoSuchAlgorithmException, IOException {
+        for (HashAlgorithm hashAlgorithm : new HashAlgorithm[] {
+                HashAlgorithm.SHA256, HashAlgorithm.SHA384, HashAlgorithm.SHA512
+        }) {
+            signFromContext(secretKeys, hashAlgorithm);
+        }
+    }
+
+    private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm) throws PGPException, NoSuchAlgorithmException, IOException {
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+        long signingKeyId = PGPainless.inspectKeyRing(certificate).getSigningSubkeys().get(0).getKeyID();
+        PGPPrivateKey signingKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(signingKeyId), Passphrase.emptyPassphrase());
+
+        byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8);
+        ByteArrayInputStream messageIn = new ByteArrayInputStream(messageBytes);
+
+        PGPSignature signature = signMessage(messageBytes, hashAlgorithm, signingKey);
+        assertEquals(hashAlgorithm.getAlgorithmId(), signature.getHashAlgorithm());
+
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(messageIn)
+                .withOptions(new ConsumerOptions()
+                        .addVerificationCert(certificate)
+                        .addVerificationOfDetachedSignature(signature));
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+        assertTrue(metadata.isVerified());
+    }
+
+    private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPPrivateKey signingKey)
+            throws NoSuchAlgorithmException, PGPException {
+        // Prepare the hash context
+        // This would be done by the caller application
+        MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider());
+        messageDigest.update(message);
+
+        return HashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, signingKey);
+    }
+}

From 73b7f1b9bb0e2d8adf2dae79c95051eecfe22efa Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 19 Apr 2022 21:07:46 +0200
Subject: [PATCH 0432/1450] Refactoring

---
 .../BcHashContextSigner.java                  | 66 ++++++++++++++
 ...BcPGPHashContextContentSignerBuilder.java} | 76 +---------------
 .../PGPHashContextContentSignerBuilder.java   | 86 +++++++++++++++++++
 .../signature/builder/HashContextSigner.java  | 38 --------
 .../BcHashContextSignerTest.java}             | 20 ++---
 5 files changed, 164 insertions(+), 122 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcHashContextSigner.java
 rename pgpainless-core/src/main/java/org/pgpainless/{signature/builder/HashContextPGPContentSignerBuilder.java => encryption_signing/BcPGPHashContextContentSignerBuilder.java} (74%)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/encryption_signing/PGPHashContextContentSignerBuilder.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
 rename pgpainless-core/src/test/java/org/pgpainless/{signature/HashContextSignerTest.java => encryption_signing/BcHashContextSignerTest.java} (87%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcHashContextSigner.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcHashContextSigner.java
new file mode 100644
index 00000000..54c6df9e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcHashContextSigner.java
@@ -0,0 +1,66 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import java.security.MessageDigest;
+import java.util.List;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.protection.UnlockSecretKey;
+
+import javax.annotation.Nonnull;
+
+public class BcHashContextSigner {
+
+    public static PGPSignature signHashContext(@Nonnull MessageDigest hashContext,
+                                               @Nonnull SignatureType signatureType,
+                                               @Nonnull PGPSecretKeyRing secretKeys,
+                                               @Nonnull SecretKeyRingProtector protector)
+            throws PGPException {
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        List signingSubkeyCandidates = info.getSigningSubkeys();
+        PGPSecretKey signingKey = null;
+        for (PGPPublicKey signingKeyCandidate : signingSubkeyCandidates) {
+            signingKey = secretKeys.getSecretKey(signingKeyCandidate.getKeyID());
+            if (signingKey != null) {
+                break;
+            }
+        }
+        if (signingKey == null) {
+            throw new PGPException("Key does not contain suitable signing subkey.");
+        }
+
+        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(signingKey, protector);
+        return signHashContext(hashContext, signatureType, privateKey);
+    }
+
+    /**
+     * Create an OpenPGP Signature over the given {@link MessageDigest} hash context.
+     *
+     * @param hashContext hash context
+     * @param privateKey signing-capable key
+     * @return signature
+     * @throws PGPException in case of an OpenPGP error
+     */
+    static PGPSignature signHashContext(MessageDigest hashContext, SignatureType signatureType, PGPPrivateKey privateKey)
+            throws PGPException {
+        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
+                new BcPGPHashContextContentSignerBuilder(hashContext)
+        );
+
+        sigGen.init(signatureType.getCode(), privateKey);
+        return sigGen.generate();
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
similarity index 74%
rename from pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java
rename to pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
index 68c24743..474ee9ef 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextPGPContentSignerBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
@@ -2,9 +2,8 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.signature.builder;
+package org.pgpainless.encryption_signing;
 
-import java.io.IOException;
 import java.io.OutputStream;
 import java.security.MessageDigest;
 
@@ -37,13 +36,13 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm;
  * This can come in handy to sign data, which was already processed to calculate the hash context, without the
  * need to process it again to calculate the OpenPGP signature.
  */
-public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuilder {
+class BcPGPHashContextContentSignerBuilder extends PGPHashContextContentSignerBuilder {
 
     private final BcPGPKeyConverter keyConverter = new BcPGPKeyConverter();
     private final MessageDigest messageDigest;
     private final HashAlgorithm hashAlgorithm;
 
-    public HashContextPGPContentSignerBuilder(MessageDigest messageDigest) {
+    public BcPGPHashContextContentSignerBuilder(MessageDigest messageDigest) {
         this.messageDigest = messageDigest;
         this.hashAlgorithm = HashAlgorithm.fromName(messageDigest.getAlgorithm());
         if (hashAlgorithm == null) {
@@ -76,7 +75,7 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
             }
 
             public OutputStream getOutputStream() {
-                return new SignerOutputStream(signer);
+                return new PGPHashContextContentSignerBuilder.SignerOutputStream(signer);
             }
 
             public byte[] getSignature() {
@@ -117,49 +116,6 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
         }
     }
 
-    static class ExistingMessageDigest implements Digest {
-
-        private final MessageDigest digest;
-
-        ExistingMessageDigest(MessageDigest messageDigest) {
-            this.digest = messageDigest;
-        }
-
-        @Override
-        public void update(byte in) {
-            digest.update(in);
-        }
-
-        @Override
-        public void update(byte[] in, int inOff, int len) {
-            digest.update(in, inOff, len);
-        }
-
-        @Override
-        public int doFinal(byte[] out, int outOff) {
-            byte[] hash = digest.digest();
-            System.arraycopy(hash, 0, out, outOff, hash.length);
-            return getDigestSize();
-        }
-
-        @Override
-        public void reset() {
-            // Nope!
-            // We cannot reset, since BCs signer classes are resetting in their init() methods, which would also reset
-            // the messageDigest, losing its state. This would shatter our intention.
-        }
-
-        @Override
-        public String getAlgorithmName() {
-            return digest.getAlgorithm();
-        }
-
-        @Override
-        public int getDigestSize() {
-            return digest.getDigestLength();
-        }
-    }
-
     // Copied from BCs BcImplProvider - required since BCs class is package visible only :/
     private static class EdDsaSigner
             implements Signer {
@@ -210,28 +166,4 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
         }
     }
 
-    // Copied from BC, required since BCs class is package visible only
-    static class SignerOutputStream
-            extends OutputStream {
-        private Signer sig;
-
-        SignerOutputStream(Signer sig) {
-            this.sig = sig;
-        }
-
-        public void write(byte[] bytes, int off, int len)
-                throws IOException {
-            sig.update(bytes, off, len);
-        }
-
-        public void write(byte[] bytes)
-                throws IOException {
-            sig.update(bytes, 0, bytes.length);
-        }
-
-        public void write(int b)
-                throws IOException {
-            sig.update((byte) b);
-        }
-    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/PGPHashContextContentSignerBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/PGPHashContextContentSignerBuilder.java
new file mode 100644
index 00000000..2ea36206
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/PGPHashContextContentSignerBuilder.java
@@ -0,0 +1,86 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.Signer;
+import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
+
+abstract class PGPHashContextContentSignerBuilder implements PGPContentSignerBuilder {
+
+    // Copied from BC, required since BCs class is package visible only
+    static class SignerOutputStream
+            extends OutputStream {
+        private Signer sig;
+
+        SignerOutputStream(Signer sig) {
+            this.sig = sig;
+        }
+
+        public void write(byte[] bytes, int off, int len)
+                throws IOException {
+            sig.update(bytes, off, len);
+        }
+
+        public void write(byte[] bytes)
+                throws IOException {
+            sig.update(bytes, 0, bytes.length);
+        }
+
+        public void write(int b)
+                throws IOException {
+            sig.update((byte) b);
+        }
+    }
+
+
+    static class ExistingMessageDigest implements Digest {
+
+        private final MessageDigest digest;
+
+        ExistingMessageDigest(MessageDigest messageDigest) {
+            this.digest = messageDigest;
+        }
+
+        @Override
+        public void update(byte in) {
+            digest.update(in);
+        }
+
+        @Override
+        public void update(byte[] in, int inOff, int len) {
+            digest.update(in, inOff, len);
+        }
+
+        @Override
+        public int doFinal(byte[] out, int outOff) {
+            byte[] hash = digest.digest();
+            System.arraycopy(hash, 0, out, outOff, hash.length);
+            return getDigestSize();
+        }
+
+        @Override
+        public void reset() {
+            // Nope!
+            // We cannot reset, since BCs signer classes are resetting in their init() methods, which would also reset
+            // the messageDigest, losing its state. This would shatter our intention.
+        }
+
+        @Override
+        public String getAlgorithmName() {
+            return digest.getAlgorithm();
+        }
+
+        @Override
+        public int getDigestSize() {
+            return digest.getDigestLength();
+        }
+    }
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
deleted file mode 100644
index 57d687cc..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/HashContextSigner.java
+++ /dev/null
@@ -1,38 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.signature.builder;
-
-import java.security.MessageDigest;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPrivateKey;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureGenerator;
-import org.pgpainless.algorithm.SignatureType;
-
-public class HashContextSigner {
-
-    /**
-     * Create an OpenPGP Signature over the given {@link MessageDigest} hash context.
-     *
-     * WARNING: This method does not yet validate the signing key.
-     * TODO: Change API to receive and evaluate PGPSecretKeyRing + SecretKeyRingProtector instead.
-     *
-     * @param hashContext hash context
-     * @param privateKey signing-capable key
-     * @return signature
-     * @throws PGPException in case of an OpenPGP error
-     */
-    public static PGPSignature signHashContext(MessageDigest hashContext, SignatureType signatureType, PGPPrivateKey privateKey)
-            throws PGPException {
-        // TODO: Validate signing key
-        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
-                new HashContextPGPContentSignerBuilder(hashContext)
-        );
-
-        sigGen.init(signatureType.getCode(), privateKey);
-        return sigGen.generate();
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java
similarity index 87%
rename from pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java
index baa5a73f..50b7cbf7 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/HashContextSignerTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/BcHashContextSignerTest.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.signature;
+package org.pgpainless.encryption_signing;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -17,7 +17,6 @@ import java.security.NoSuchAlgorithmException;
 
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
@@ -30,11 +29,9 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.key.generation.type.rsa.RsaLength;
-import org.pgpainless.key.protection.UnlockSecretKey;
-import org.pgpainless.signature.builder.HashContextSigner;
-import org.pgpainless.util.Passphrase;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 
-public class HashContextSignerTest {
+public class BcHashContextSignerTest {
 
     private static final String message = "Hello, World!\n";
     private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -88,15 +85,14 @@ public class HashContextSignerTest {
         }
     }
 
-    private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm) throws PGPException, NoSuchAlgorithmException, IOException {
+    private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm)
+            throws PGPException, NoSuchAlgorithmException, IOException {
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
-        long signingKeyId = PGPainless.inspectKeyRing(certificate).getSigningSubkeys().get(0).getKeyID();
-        PGPPrivateKey signingKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(signingKeyId), Passphrase.emptyPassphrase());
 
         byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8);
         ByteArrayInputStream messageIn = new ByteArrayInputStream(messageBytes);
 
-        PGPSignature signature = signMessage(messageBytes, hashAlgorithm, signingKey);
+        PGPSignature signature = signMessage(messageBytes, hashAlgorithm, secretKeys);
         assertEquals(hashAlgorithm.getAlgorithmId(), signature.getHashAlgorithm());
 
         DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
@@ -113,13 +109,13 @@ public class HashContextSignerTest {
         assertTrue(metadata.isVerified());
     }
 
-    private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPPrivateKey signingKey)
+    private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPSecretKeyRing secretKeys)
             throws NoSuchAlgorithmException, PGPException {
         // Prepare the hash context
         // This would be done by the caller application
         MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider());
         messageDigest.update(message);
 
-        return HashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, signingKey);
+        return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys, SecretKeyRingProtector.unprotectedKeys());
     }
 }

From 46f69b9fa522a21a394a0bdcf4f2588567883c06 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 20:53:44 +0200
Subject: [PATCH 0433/1450] Introduce OpenPgpInputStream to distinguish between
 armored, binary and non-OpenPGP data

---
 .../DecryptionStreamFactory.java              |  80 +-
 .../OpenPgpInputStream.java                   | 144 ++++
 .../java/org/pgpainless/util/ArmorUtils.java  |  21 +-
 .../org/pgpainless/util/PGPUtilWrapper.java   |  40 -
 .../org/bouncycastle/PGPUtilWrapperTest.java  |  52 --
 .../OpenPgpInputStreamTest.java               | 704 ++++++++++++++++++
 6 files changed, 884 insertions(+), 157 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
 delete mode 100644 pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index d552ead8..7f8e7f0d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -4,8 +4,6 @@
 
 package org.pgpainless.decryption_verification;
 
-import java.io.BufferedInputStream;
-import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
@@ -66,8 +64,6 @@ import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.DetachedSignatureCheck;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
 import org.pgpainless.util.ArmoredInputStreamFactory;
-import org.pgpainless.util.CRCingArmoredInputStreamWrapper;
-import org.pgpainless.util.PGPUtilWrapper;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
 import org.pgpainless.util.Tuple;
@@ -81,9 +77,6 @@ public final class DecryptionStreamFactory {
     // Maximum nesting depth of packets (e.g. compression, encryption...)
     private static final int MAX_PACKET_NESTING_DEPTH = 16;
 
-    // Buffer Size for BufferedInputStreams
-    public static int BUFFER_SIZE = 4096;
-
     private final ConsumerOptions options;
     private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
     private final List onePassSignatureChecks = new ArrayList<>();
@@ -99,8 +92,8 @@ public final class DecryptionStreamFactory {
                                           @Nonnull ConsumerOptions options)
             throws PGPException, IOException {
         DecryptionStreamFactory factory = new DecryptionStreamFactory(options);
-        BufferedInputStream bufferedIn = new BufferedInputStream(inputStream, BUFFER_SIZE);
-        return factory.parseOpenPGPDataAndCreateDecryptionStream(bufferedIn);
+        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
+        return factory.parseOpenPGPDataAndCreateDecryptionStream(openPgpIn);
     }
 
     public DecryptionStreamFactory(ConsumerOptions options) {
@@ -133,69 +126,52 @@ public final class DecryptionStreamFactory {
         }
     }
 
-    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(BufferedInputStream bufferedIn)
+    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(OpenPgpInputStream openPgpIn)
             throws IOException, PGPException {
+
         InputStream pgpInStream;
         InputStream outerDecodingStream;
         PGPObjectFactory objectFactory;
 
-        try {
-            outerDecodingStream = PGPUtilWrapper.getDecoderStream(bufferedIn);
-            outerDecodingStream = CRCingArmoredInputStreamWrapper.possiblyWrap(outerDecodingStream);
-
-            if (outerDecodingStream instanceof ArmoredInputStream) {
-                ArmoredInputStream armor = (ArmoredInputStream) outerDecodingStream;
-
-                // Cleartext Signed Message
-                // Throw a WrongConsumingMethodException to delegate preparation (extraction of signatures)
-                // to the CleartextSignatureProcessor which will call us again (see comment above)
-                if (armor.isClearText()) {
-                    bufferedIn.reset();
-                    return parseCleartextSignedMessage(bufferedIn);
-                }
-            }
+        // Non-OpenPGP data. We are probably verifying detached signatures
+        if (openPgpIn.isNonOpenPgp()) {
+            outerDecodingStream = openPgpIn;
+            pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
+            return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
+        }
 
+        if (openPgpIn.isBinaryOpenPgp()) {
+            outerDecodingStream = openPgpIn;
             objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
             // Parse OpenPGP message
             pgpInStream = processPGPPackets(objectFactory, 1);
             return new DecryptionStream(pgpInStream,
-                    resultBuilder, integrityProtectedEncryptedInputStream,
-                    (outerDecodingStream instanceof ArmoredInputStream) ? outerDecodingStream : null);
-        } catch (EOFException | FinalIOException e) {
-            // Broken message or invalid decryption session key
-            throw e;
-        } catch (MissingLiteralDataException e) {
-            // Not an OpenPGP message.
-            //  Reset the buffered stream to parse the message as arbitrary binary data
-            //  to allow for detached signature verification.
-            LOGGER.debug("The message appears to not be an OpenPGP message. This is probably data signed with detached signatures?");
-            bufferedIn.reset();
-            outerDecodingStream = bufferedIn;
-            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
-            pgpInStream = wrapInVerifySignatureStream(bufferedIn, objectFactory);
-        } catch (IOException e) {
-            if (e.getMessage().contains("invalid armor") || e.getMessage().contains("invalid header encountered")) {
-                // We falsely assumed the data to be armored.
-                LOGGER.debug("The message is apparently not armored.");
-                bufferedIn.reset();
-                outerDecodingStream = CRCingArmoredInputStreamWrapper.possiblyWrap(bufferedIn);
-                pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
+                    resultBuilder, integrityProtectedEncryptedInputStream, null);
+        }
+
+        if (openPgpIn.isAsciiArmored()) {
+            ArmoredInputStream armoredInputStream = ArmoredInputStreamFactory.get(openPgpIn);
+            if (armoredInputStream.isClearText()) {
+                return parseCleartextSignedMessage(armoredInputStream);
             } else {
-                throw new FinalIOException(e);
+                outerDecodingStream = armoredInputStream;
+                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
+                // Parse OpenPGP message
+                pgpInStream = processPGPPackets(objectFactory, 1);
+                return new DecryptionStream(pgpInStream,
+                        resultBuilder, integrityProtectedEncryptedInputStream,
+                        outerDecodingStream);
             }
         }
 
-        return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream,
-                (outerDecodingStream instanceof ArmoredInputStream) ? outerDecodingStream : null);
+        throw new PGPException("Not sure how to handle the input stream.");
     }
 
-    private DecryptionStream parseCleartextSignedMessage(BufferedInputStream in)
+    private DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn)
             throws IOException, PGPException {
         resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
                 .setFileEncoding(StreamEncoding.TEXT);
 
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(in);
-
         MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
         PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
new file mode 100644
index 00000000..c3668daa
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
@@ -0,0 +1,144 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.Charset;
+
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.pgpainless.implementation.ImplementationFactory;
+
+public class OpenPgpInputStream extends BufferedInputStream {
+
+    private static final byte[] ARMOR_HEADER = "-----BEGIN PGP ".getBytes(Charset.forName("UTF8"));
+
+    // Buffer beginning bytes of the data
+    public static final int MAX_BUFFER_SIZE = 8192;
+
+    private final byte[] buffer;
+    private final int bufferLen;
+
+    private boolean containsArmorHeader;
+    private boolean containsOpenPgpPackets;
+
+    public OpenPgpInputStream(InputStream in) throws IOException {
+        super(in, MAX_BUFFER_SIZE);
+
+        mark(MAX_BUFFER_SIZE);
+        buffer = new byte[MAX_BUFFER_SIZE];
+        bufferLen = read(buffer);
+        reset();
+
+        inspectBuffer();
+    }
+
+    private void inspectBuffer() {
+        if (determineIsArmored()) {
+            return;
+        }
+
+        determineIsBinaryOpenPgp();
+    }
+
+    private boolean determineIsArmored() {
+        if (startsWithIgnoringWhitespace(buffer, ARMOR_HEADER, bufferLen)) {
+            containsArmorHeader = true;
+            return true;
+        }
+        return false;
+    }
+
+    private void determineIsBinaryOpenPgp() {
+        if (bufferLen == -1) {
+            // Empty data
+            return;
+        }
+
+        try {
+            ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen);
+            PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(bufferIn);
+            while (objectFactory.nextObject() != null) {
+                // read all packets in buffer
+            }
+            containsOpenPgpPackets = true;
+        } catch (IOException e) {
+            if (e.getMessage().contains("premature end of stream in PartialInputStream")) {
+                // We *probably* hit valid, but large OpenPGP data
+                // This is not an optimal way of determining the nature of data, but probably the best
+                // we can get from BC.
+                containsOpenPgpPackets = true;
+            }
+            // else: seemingly random, non-OpenPGP data
+        }
+    }
+
+    private boolean startsWith(byte[] bytes, byte[] subsequence, int bufferLen) {
+        return indexOfSubsequence(bytes, subsequence, bufferLen) == 0;
+    }
+
+    private int indexOfSubsequence(byte[] bytes, byte[] subsequence, int bufferLen) {
+        if (bufferLen == -1) {
+            return -1;
+        }
+        // Naive implementation
+        // TODO: Could be improved by using e.g. Knuth-Morris-Pratt algorithm.
+        for (int i = 0; i < bufferLen; i++) {
+            if ((i + subsequence.length) <= bytes.length) {
+                boolean found = true;
+                for (int j = 0; j < subsequence.length; j++) {
+                    if (bytes[i + j] != subsequence[j]) {
+                        found = false;
+                        break;
+                    }
+                }
+
+                if (found) {
+                    return i;
+                }
+            }
+        }
+        return -1;
+    }
+
+    private boolean startsWithIgnoringWhitespace(byte[] bytes, byte[] subsequence, int bufferLen) {
+        if (bufferLen == -1) {
+            return false;
+        }
+
+        for (int i = 0; i < bufferLen; i++) {
+            // Working on bytes is not trivial with unicode data, but its good enough here
+            if (Character.isWhitespace(bytes[i])) {
+                continue;
+            }
+
+            if ((i + subsequence.length) > bytes.length) {
+                return false;
+            }
+
+            for (int j = 0; j < subsequence.length; j++) {
+                if (bytes[i + j] != subsequence[j]) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        return false;
+    }
+
+    public boolean isAsciiArmored() {
+        return containsArmorHeader;
+    }
+
+    public boolean isBinaryOpenPgp() {
+        return containsOpenPgpPackets;
+    }
+
+    public boolean isNonOpenPgp() {
+        return !isAsciiArmored() && !isBinaryOpenPgp();
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index d95673a4..e862652d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -4,7 +4,6 @@
 
 package org.pgpainless.util;
 
-import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -14,6 +13,8 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
@@ -29,11 +30,9 @@ import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.decryption_verification.OpenPgpInputStream;
 import org.pgpainless.key.OpenPgpFingerprint;
 
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-
 public final class ArmorUtils {
 
     // MessageIDs are 32 printable characters
@@ -550,16 +549,12 @@ public final class ArmorUtils {
     @Nonnull
     public static InputStream getDecoderStream(@Nonnull InputStream inputStream)
             throws IOException {
-        BufferedInputStream buf = new BufferedInputStream(inputStream, 512);
-        InputStream decoderStream = PGPUtilWrapper.getDecoderStream(buf);
-        // Data is not armored -> return
-        if (decoderStream instanceof BufferedInputStream) {
-            return decoderStream;
+        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
+        if (openPgpIn.isAsciiArmored()) {
+            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
+            return PGPUtil.getDecoderStream(armorIn);
         }
-        // Wrap armored input stream with fix for #159
-        decoderStream = CRCingArmoredInputStreamWrapper.possiblyWrap(decoderStream);
 
-        decoderStream = PGPUtil.getDecoderStream(decoderStream);
-        return decoderStream;
+        return openPgpIn;
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
deleted file mode 100644
index dd95a3bc..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/util/PGPUtilWrapper.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.util;
-
-import java.io.BufferedInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-import org.bouncycastle.openpgp.PGPUtil;
-
-public final class PGPUtilWrapper {
-
-    private PGPUtilWrapper() {
-
-    }
-
-    /**
-     * {@link PGPUtil#getDecoderStream(InputStream)} sometimes mistakens non-base64 data for base64 encoded data.
-     *
-     * This method expects a {@link BufferedInputStream} which is being reset in case an {@link IOException} is encountered.
-     * Therefore, we can properly handle non-base64 encoded data.
-     *
-     * @param buf buffered input stream
-     * @return input stream
-     * @throws IOException in case of an io error which is unrelated to base64 encoding
-     */
-    public static InputStream getDecoderStream(BufferedInputStream buf) throws IOException {
-        try {
-            return PGPUtil.getDecoderStream(buf);
-        } catch (IOException e) {
-            if (e.getMessage().contains("invalid characters encountered at end of base64 data")) {
-                buf.reset();
-                return buf;
-            }
-            throw e;
-        }
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java b/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java
deleted file mode 100644
index 1c0093f3..00000000
--- a/pgpainless-core/src/test/java/org/bouncycastle/PGPUtilWrapperTest.java
+++ /dev/null
@@ -1,52 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.bouncycastle;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-import java.io.BufferedInputStream;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.Date;
-
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
-import org.bouncycastle.openpgp.PGPObjectFactory;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.TestTemplate;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.util.TestAllImplementations;
-import org.pgpainless.util.PGPUtilWrapper;
-
-public class PGPUtilWrapperTest {
-
-    @TestTemplate
-    @ExtendWith(TestAllImplementations.class)
-    public void testGetDecoderStream() throws IOException {
-
-        ByteArrayInputStream msg = new ByteArrayInputStream("Foo\nBar".getBytes(StandardCharsets.UTF_8));
-        PGPLiteralDataGenerator literalDataGenerator = new PGPLiteralDataGenerator();
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        OutputStream litOut = literalDataGenerator.open(out, PGPLiteralDataGenerator.TEXT, "", new Date(), new byte[1 << 9]);
-        Streams.pipeAll(msg, litOut);
-        literalDataGenerator.close();
-
-        InputStream in = new ByteArrayInputStream(out.toByteArray());
-        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(in);
-        PGPLiteralData literalData = (PGPLiteralData) objectFactory.nextObject();
-        InputStream litIn = literalData.getDataStream();
-        BufferedInputStream bufIn = new BufferedInputStream(litIn);
-        InputStream decoderStream = PGPUtilWrapper.getDecoderStream(bufIn);
-        ByteArrayOutputStream result = new ByteArrayOutputStream();
-        Streams.pipeAll(decoderStream, result);
-        assertEquals("Foo\nBar", result.toString());
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
new file mode 100644
index 00000000..f416ea7f
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
@@ -0,0 +1,704 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Random;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+
+public class OpenPgpInputStreamTest {
+
+    private static final Random RANDOM = new Random();
+
+    @Test
+    public void randomBytesDoNotContainOpenPgpData() throws IOException {
+        byte[] randomBytes = new byte[1000000];
+        RANDOM.nextBytes(randomBytes);
+        ByteArrayInputStream randomIn = new ByteArrayInputStream(randomBytes);
+
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(randomIn);
+        assertFalse(openPgpInputStream.isAsciiArmored());
+        assertFalse(openPgpInputStream.isBinaryOpenPgp());
+        assertTrue(openPgpInputStream.isNonOpenPgp());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(openPgpInputStream, out);
+
+        assertArrayEquals(randomBytes, out.toByteArray());
+    }
+
+    @Test
+    public void shortAsciiArmoredMessageIsAsciiArmored() throws IOException {
+        String asciiArmoredMessage = "-----BEGIN PGP MESSAGE-----\n" +
+                "\n" +
+                "wcDMAwAAAAAAAAAAAQv9FBhYmbkqLBVrhUUPouXTiXJ/ElyDknSW0xTDgofFbIZ5\n" +
+                "9ABYrYHaDEUAupwYzh5H8xNiL70/RdI0cMv7k2Rqlug/W4f0Mz+wYJ4xN24NzRQ5\n" +
+                "BqlsTIlXwJI0N4Rj7KSBfVhSHYEm0EtA4qx8ylL3vJfAH1AH7bBLjSzkDYE7dvu8\n" +
+                "2/PigN2c0tQ+AG4O+QV8zgJpc0tE2bh0h1eiXarhOZZSNjJKqmYZ4PlhgdiQBRs7\n" +
+                "a7EgkdNYMUTCbBiEpyQiiorDIxqmiaQVJjoCmSiSMCxvae9ozue6x1FvFyZWEPdV\n" +
+                "Lp8pSnuZwQt7jAw/Qm3u1ogyNdQaoXF/pDuwJEf0ufYwMsI7wDUVUJiRL23BGDOB\n" +
+                "h2YbFu7TWz63wkwjTs8bfeQ8JPmWXTG75Z95sjaiMloGhKwhYem8XPWAmh6xLWfF\n" +
+                "TgYU/AgKTgBvb/WugSLpi1zSOjkET3IY00vjvCzfwxxojJd/vfaSdOQX2EbADwgm\n" +
+                "KAmdO0Q9+BRuBDNPAEH/0j8BuiicOrrHRd0c9T4ku9u1vvxGJCMwiKPj9TGlxxpw\n" +
+                "C5uUVzvOSzGKfZ5ZH4SToaMhbYW37UXtA7URW1zF86c=\n" +
+                "=Yz3x\n" +
+                "-----END PGP MESSAGE-----";
+
+        ByteArrayInputStream asciiIn = new ByteArrayInputStream(asciiArmoredMessage.getBytes(StandardCharsets.UTF_8));
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(asciiIn);
+
+        assertTrue(openPgpInputStream.isAsciiArmored());
+        assertFalse(openPgpInputStream.isNonOpenPgp());
+        assertFalse(openPgpInputStream.isBinaryOpenPgp());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(openPgpInputStream, out);
+
+        assertArrayEquals(asciiArmoredMessage.getBytes(StandardCharsets.UTF_8), out.toByteArray());
+    }
+
+    String longAsciiArmoredMessage = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Comment: 7F91 16FE A90A 5983 936C  7CFA A027 DB2F 3E1E 118A\n" +
+            "Comment: Paul Schaub \n" +
+            "Comment: Paul Schaub \n" +
+            "Comment: Paul Schaub \n" +
+            "\n" +
+            "xsFNBFfz1ucBEADXSvUjnOWSzgW5hXki1xUpGv7vacT8XqqGbO9Z32P3eFxa4E9J\n" +
+            "vveJmx+voxRWpleZ/L6XCYYmCKnagjF0fMxFD1Zxicp5tzbruC1cm/Els0IJVjFV\n" +
+            "RLke3SegTHxHncA8+BYn2k/VnTKwDXzP0ZLyc7mUbDl8CCtWGGUkXpaa7WyZIA/q\n" +
+            "mvUqh7671Vr4vJlq0kFbUibsFblZjk9uydHvvqaVpmBzbr/gWDyirHXwPl5lCnWp\n" +
+            "ORjT7tc8hjyt+dxpmnGdqlDIcqUjdCWoN6NxffLtKz/XpJ+dBvA8rXT/QaPSaVCG\n" +
+            "o0DbgybvRF1HvX30udx4FF9fFsVAbYP1mvZx4fHy+Z1rJJhODZv1YpH7YY1bmG02\n" +
+            "vfFkwpW4AyAdsONA+n/XdMCsA006/pljNd3GxjcqB5D6BhpdUvcgUslkuELsVYWb\n" +
+            "EyhxKzzJvZNjQ/iHsaThooy9SFHc71PgYdyEL/WzoGr421GwpCL6BuE0rlumgaTm\n" +
+            "joU/9ydLO6zpbV4RYDgtsaGQxOxVc0y1Lj8CWTi/XYIVRnmqrjGmubRV7q8pTxrg\n" +
+            "oyk2zwQ+twyxp/8ZRHzl5ISiDLKSDlcMK1oa7NqyL+MCwiswpaObk56HxgF2ZwEb\n" +
+            "JZYCwetxyTK7HX4/WV0V6TaPzS7dHAsb6t1Aq8IS1JdGjWKRPkjkhR95nQARAQAB\n" +
+            "zSNQYXVsIFNjaGF1YiA8dmFuaXRhc3ZpdGFlQGZzZmUub3JnPsLEAgQTAQoCrAIb\n" +
+            "AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEWIQR/kRb+qQpZg5NsfPqgJ9sv\n" +
+            "Ph4RigUCYAwbLDUUgAAAAAASABpwcm9vZkBtZXRhY29kZS5iaXpkbnM6amFiYmVy\n" +
+            "aGVhZC50az90eXBlPVRYVD4UgAAAAAASACNwcm9vZkBtZXRhY29kZS5iaXpodHRw\n" +
+            "czovL2Zvc3N0b2Rvbi5vcmcvQHZhbml0YXN2aXRhZZAUgAAAAAASAHVwcm9vZkBt\n" +
+            "ZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1v\n" +
+            "LXNpZC0yMDkzNjgxNTQ1PTYyODlhYTNiZDhhNTAxYTM2MzIyYTBmODk0ZjhkMWQ5\n" +
+            "NzE4ZGVkMDM2MTYwMzlmMWNmNDhiMmE0MWVlMzU5MjCPFIAAAAAAEgB0cHJvb2ZA\n" +
+            "bWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVt\n" +
+            "by1zaWQtMTk5MTQxODIwPWY0YThmZjg0MDA0MzkzYTg3ZjcwMTNjNjAwNjViZGM4\n" +
+            "OWIxMTY5ZWJjZmI4MDYwYzRmOTY2OWI0M2JhMGM4MTSQFIAAAAAAEgB1cHJvb2ZA\n" +
+            "bWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVt\n" +
+            "by1zaWQtMTQyOTY3NzEyNT1lOGE3YjEyMzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2\n" +
+            "YTUzZTM2ODQyODNhMWQ1ZmUyNmVmNTg3MmRkMGFlZjQxSBSAAAAAABIALXByb29m\n" +
+            "QG1ldGFjb2RlLmJpemh0dHBzOi8vY29kZWJlcmcub3JnL3Zhbml0YXN2aXRhZS9n\n" +
+            "aXRlYV9wcm9vZgAKCRCgJ9svPh4RivdTEADC3xMcrcDR/+4JlDl5fblecfJHr3/E\n" +
+            "0fzkPWJJBL+TIn3ON2sSKIfLn9M7NYWIGT0QLI4LnqT+SZ3Ont1h8irM4O8LuTwZ\n" +
+            "kqjLkytGhgCErSdGzJ3oIcdXcnzX/p6fmxer1Qg/bpFy8mRrpSQ5tI0TYUXfD0qs\n" +
+            "BEbUhB3Tsg8AYaDRcdPx8gf1METZDxx/E6RQNzVIfyCK8hszzU1pRFr15DYDCjl5\n" +
+            "RZjTxXqxJFKUz85LvQToaFo5SXgH/fWf0EeoD+YNqyhROYr8iWMLCLiHqvqkEXny\n" +
+            "lm7qNlFxFGFSu8Mcj6HSet5qvRj2wn6XssOWm2pOalDJx+L/biETr5vEnBwfw7p2\n" +
+            "1Pmrg/jhK9yasKsdYKRlJdJWOtpEi9amcQ4sGA9OD74weJ/zEEPgLKbvkWFuUy8a\n" +
+            "69AEeKAbB3RH3r7+PRnPVvxC3MpEmLsRsjVdP21xGhtnqAzJFkMRXf5lpC6czJiH\n" +
+            "gd/sao0mJPrkWUHDn0k9rgoZI9gRRENk3tXefjwQ2A5aEcAagmb2l0DjugYAb7dU\n" +
+            "ip9bJNUhBgjiaWYBj9uZOzYdQ7kFcFWp7iCGvkoeBMQf29rXZOZsxQmKLgEPZuCl\n" +
+            "YmIO4PS6sERoPT+FUGl85YAkEIBII0TCQdVQd/Vx6JRLc/f/cFCoKBv2+9LKVPIp\n" +
+            "wNNL5J+0m/H1dMLDzAQTAQoCdgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC\n" +
+            "GQEWIQR/kRb+qQpZg5NsfPqgJ9svPh4RigUCX8gjtUgUgAAAAAASAC1wcm9vZkBt\n" +
+            "ZXRhY29kZS5iaXpodHRwczovL2NvZGViZXJnLm9yZy92YW5pdGFzdml0YWUvZ2l0\n" +
+            "ZWFfcHJvb2aQFIAAAAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5pdGFz\n" +
+            "dml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTQyOTY3NzEyNT1lOGE3YjEy\n" +
+            "MzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2YTUzZTM2ODQyODNhMWQ1ZmUyNmVmNTg3\n" +
+            "MmRkMGFlZjQxjxSAAAAAABIAdHByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRh\n" +
+            "c3ZpdGFlQGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTE5OTE0MTgyMD1mNGE4ZmY4\n" +
+            "NDAwNDM5M2E4N2Y3MDEzYzYwMDY1YmRjODliMTE2OWViY2ZiODA2MGM0Zjk2Njli\n" +
+            "NDNiYTBjODE0kBSAAAAAABIAdXByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRh\n" +
+            "c3ZpdGFlQGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTIwOTM2ODE1NDU9NjI4OWFh\n" +
+            "M2JkOGE1MDFhMzYzMjJhMGY4OTRmOGQxZDk3MThkZWQwMzYxNjAzOWYxY2Y0OGIy\n" +
+            "YTQxZWUzNTkyMD4UgAAAAAASACNwcm9vZkBtZXRhY29kZS5iaXpodHRwczovL2Zv\n" +
+            "c3N0b2Rvbi5vcmcvQHZhbml0YXN2aXRhZQAKCRCgJ9svPh4RiiRwD/47o9xzTDXB\n" +
+            "thNwd/T1UWKSNtLoPX6V4V2hUW/z1SZulba9i041fM04yaauqOFrKfoFJjovdZis\n" +
+            "UZeYs0Bfjf87JoJwN6TgX/7bQjSncBKHmKDXI7SLuY9dtYvqGCUOlVPTr4lxm1Ht\n" +
+            "CK5XJWzMjE/mUaPwUeP8agG2lRko46K2O4msUGvnZt/m6ggtyn7WhdxHAMEiBxmk\n" +
+            "j0lTIj5Q78hMxlWCI7D9bSNkRSHKN+5AQ0OIQCQnvbh1Gz85DO+VJdtr529L5pz+\n" +
+            "WEsrApGbjhi3UYfIS5fBTMfIcOZ8gs7fty79LOBuweAKKWnLt6jrRlBZ16D8LuM+\n" +
+            "1nrPUzTIanuqFLiysBhKBrX16UCKsW+kRvWLRG4AnEdWVlJr79kSzbzVYPHwKBqb\n" +
+            "41fagZdQdxt0xZcA2wGdV7UKLbY+rNew4PC9Lt+nS6pnItT0hlSVdPOBKoieoLR0\n" +
+            "XQAPM+Cr1qGlCFWNbMq6Q5ssS3kbTULd7UTKZuD9Wp+7h8zHqB8GoffaIT0Vvl0x\n" +
+            "t2TPM9+GJIkS3K+JQOGpPMrT2qRt9sL8J8u2usk/KOiD2uqu0QH3I+0qkvakFc24\n" +
+            "sGnj1XmIg46vYEF1N+E8kjzkIKkxoX/1sTKd5EHnw2ivOxLQM3B2PGNAn2N4S9eF\n" +
+            "qN+60sNMNXmlptdlVuOxdeJBSeF0vXFZ2cLDgwQTAQoCLQIbAwYLCQgHAwIGFQgC\n" +
+            "CQoLBBYCAwECHgECF4ACGQEWIQR/kRb+qQpZg5NsfPqgJ9svPh4RigUCX8giLj4U\n" +
+            "gAAAAAASACNwcm9vZkBtZXRhY29kZS5iaXpodHRwczovL2Zvc3N0b2Rvbi5vcmcv\n" +
+            "QHZhbml0YXN2aXRhZZAUgAAAAAASAHVwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZh\n" +
+            "bml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0yMDkzNjgxNTQ1PTYy\n" +
+            "ODlhYTNiZDhhNTAxYTM2MzIyYTBmODk0ZjhkMWQ5NzE4ZGVkMDM2MTYwMzlmMWNm\n" +
+            "NDhiMmE0MWVlMzU5MjCPFIAAAAAAEgB0cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2\n" +
+            "YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTk5MTQxODIwPWY0\n" +
+            "YThmZjg0MDA0MzkzYTg3ZjcwMTNjNjAwNjViZGM4OWIxMTY5ZWJjZmI4MDYwYzRm\n" +
+            "OTY2OWI0M2JhMGM4MTSQFIAAAAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2\n" +
+            "YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTQyOTY3NzEyNT1l\n" +
+            "OGE3YjEyMzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2YTUzZTM2ODQyODNhMWQ1ZmUy\n" +
+            "NmVmNTg3MmRkMGFlZjQxAAoJEKAn2y8+HhGKcCkP+gPiUroUSbVfJzFyWej0EPF1\n" +
+            "773h5aVoKgZ4gtVYSupM4rudP0oP/tH8sjSFebetpgyKEfZqau3lGbiWaIjXgNRW\n" +
+            "+9Tyi201tJbg/sAMczhK9ikGM0RtzI0oA1YK5DFYA8ImCfxkv7ZDi3/AiUzPei/6\n" +
+            "ja4g417ueNw8kp12Jh3jErWWHpeideHpcKg9vbbXO9GJ/nNWKXLwBAGhTKNAulby\n" +
+            "CYMfXqG1xKiWchDI9BylNF5bSPz5Yoxz91QBAR7X5x77rhSmg0zWkMIbla8VMrzX\n" +
+            "ZvfypFMeQeju3qRzLmAsSUr8JCg0q7q9tePQynn/wvcRoPGPxLLEsHdcOM2j5e3G\n" +
+            "+jU+gDsOVCpyEYP70OGsF8duR/iNCJ+pso1JPu2I+5NSGeIYfejuoa0AoHUt6yHs\n" +
+            "+K2bGh3hEFz8jyxp27GvcQvwAYDDaZ+RQRdAo4DKXb9Y/mqxvrm8GsbB+puzrIxw\n" +
+            "be3/iAw47ANJG0RbuDVlycBEwGImAKhQ24fM1/QFhs3YyRPg2jqOujOrcgYVC599\n" +
+            "XSGMwcdpS/dka0l77rkMK2WKk1R0+cfwM/XItMti/dVgfMPstfjO3xc8E5LAxZIv\n" +
+            "n9yfLIdS87jqgw1mUKF9PSFC53v7cQppYlt6tztFjo8HWisiP7LRkSR+wR+HKjSL\n" +
+            "Ek3f6fF97SSUREcxN2cfwsNEBBMBCgHuAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe\n" +
+            "AQIXgJAUgAAAAAASAHVwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRh\n" +
+            "ZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0xNDI5Njc3MTI1PWU4YTdiMTIzNmI4\n" +
+            "NTBiNDY3YTUwOTJjMGJkZmVhODZhNTNlMzY4NDI4M2ExZDVmZTI2ZWY1ODcyZGQw\n" +
+            "YWVmNDGPFIAAAAAAEgB0cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0\n" +
+            "YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTk5MTQxODIwPWY0YThmZjg0MDA0\n" +
+            "MzkzYTg3ZjcwMTNjNjAwNjViZGM4OWIxMTY5ZWJjZmI4MDYwYzRmOTY2OWI0M2Jh\n" +
+            "MGM4MTSQFIAAAAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0\n" +
+            "YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMjA5MzY4MTU0NT02Mjg5YWEzYmQ4\n" +
+            "YTUwMWEzNjMyMmEwZjg5NGY4ZDFkOTcxOGRlZDAzNjE2MDM5ZjFjZjQ4YjJhNDFl\n" +
+            "ZTM1OTIwFiEEf5EW/qkKWYOTbHz6oCfbLz4eEYoFAl/IHp4CGQEACgkQoCfbLz4e\n" +
+            "EYqTOA/+OubamE0ivV15sXOLbVTYoPYgy21lJilGXnV7JBcSixRDEupTIaWqZwB4\n" +
+            "YVtA8hbyXOMgA96VT0SJ93rN7WDQYCiPjF+oQD2yo24rHxj831SNjPQBjjQiCVtA\n" +
+            "aYOvqfgE9peUgAmGxB0JZ9CDCjQFxzV0lAhsb1KlWNNCqTNYqWWlwRdziKeKoUEH\n" +
+            "//fiQvWRK7NZbbnNj6rKKo4CnfXKuVCzKDNIeq3vf877k+EIwyNXVlgghFaqTjP8\n" +
+            "kUVD0clmtS6fBwZ+LbQydo3yEQ66/mbkjYJ1lpO3hn2hvHXn/kZE7qRmWe/frIMU\n" +
+            "Z6niuKaAoPErYQyMTuQ/dFRbsqT6cXHw1mGkuoqiLp6wccb5JrfaszVbUF3MIdZF\n" +
+            "041uQqYJvaATgCsM236cgRCpfxlc/8YC2C5PK0oMyYTiHe910PB0aYY1v2IEOnpq\n" +
+            "LP+0hdOET0bzTBVwsq9fD4YxNclw4mYHZ439TezI+Fnr47OuIS/BrWWOxBrFdTnL\n" +
+            "eHBL42/5+i46jbdE6RKU+Kpb0byWr/jYkm9AZVp1/zHBU31u/TpEFXE/Imn0bauH\n" +
+            "ubiBC9L+8Oy4SMrCLdcclfG4Sk3JaBDgetAZLslzxSXEMl9C2tHFSgyO8Xx+5KNK\n" +
+            "TZx5n04SWFFUgNZIYATCV70QpVAgagkSrNwrpV2QcfcsFbACiDzCw0EEEwEKAesC\n" +
+            "GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEf5EW/qkKWYOTbHz6oCfbLz4e\n" +
+            "EYoFAl/IG5qQFIAAAAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5pdGFz\n" +
+            "dml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTQyOTY3NzEyNT1lOGE3YjEy\n" +
+            "MzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2YTUzZTM2ODQyODNhMWQ1ZmUyNmVmNTg3\n" +
+            "MmRkMGFlZjQxjxSAAAAAABIAdHByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRh\n" +
+            "c3ZpdGFlQGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTE5OTE0MTgyMD1mNGE4ZmY4\n" +
+            "NDAwNDM5M2E4N2Y3MDEzYzYwMDY1YmRjODliMTE2OWViY2ZiODA2MGM0Zjk2Njli\n" +
+            "NDNiYTBjODE0kBSAAAAAABIAdXByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRh\n" +
+            "c3ZpdGFlQGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTIwOTM2ODE1NDU9NjI4OWFh\n" +
+            "M2JkOGE1MDFhMzYzMjJhMGY4OTRmOGQxZDk3MThkZWQwMzYxNjAzOWYxY2Y0OGIy\n" +
+            "YTQxZWUzNTkyMAAKCRCgJ9svPh4RioY0EAC2URLKbRQTP97apJ7qctk9dWOKgx+m\n" +
+            "xLqCmo0d4uH7phxx6VAXLXCJRwPhrvOekUL4xRC2qYyO0Zit4yXM7HbxqC8lScMX\n" +
+            "z98siF7aAXWjJ+2UpIaoP75jpUPs0t0Ude1gQ6UqPqLJI/yQLWVtAaa8IqEFBvFR\n" +
+            "sOg4T2MuZdUo75r/PApL1npZcHhNUSwagHYOY6lCKAlpMxitEhxPR07Ji5llIKGV\n" +
+            "d1wyOxzP09IXsfeKME2zfrTSf9ybHEVAUQdjybXcEaB+carkw/gzKrxEgrACnEOe\n" +
+            "CvWwd0Fq84F9U+MTnikIhdcSTUDAVRbFQQnxdd+G6QocYc15jtdOFnnZvXI9FuWf\n" +
+            "asEKlCdqT/bv6a/Nvba0AE9aAIkbCwr3I4Dx93alVPPMBiFpvG6p7mMQLQAL4IsA\n" +
+            "m+OinigQy2BtsSd/fwP851QFJNc8aUf9dvu0zq8f/rFNk+V58SEKVXEOtSYK7tcI\n" +
+            "A+mrkL/jwkwFas2Uh3ZirkqVq4KFtJA2jlW3m14TTyuk6IGxP5SB5RjTY2nlJbJw\n" +
+            "+jO1AkAONomoy0uzuAxlJAFxUjhEpHNU5MuNCYPIlmplkSoCdEv1pc7c1ZnB2zjP\n" +
+            "FUqsx69gorhoIEGeMfi1XGxuHy2I3GbmFtA681Vgzl5FppV2v7X9jicL4GruAkwH\n" +
+            "zUz1S6VeXnelcMLBjwQTAQIAIgUCV/PW5wIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC\n" +
+            "HgECF4AAIQkQoCfbLz4eEYoWIQR/kRb+qQpZg5NsfPqgJ9svPh4RikX2EACFH0OF\n" +
+            "okyqKs4hJTeIW5i3nMYID1F3vfusmDFfpcltue+2LdEvrj1rhOXfvOpNSWLWUzJa\n" +
+            "O46tH813WSBncMwSlo+6zAkojcOnf0fC08RlDSimioXG4dOcs9pd3TPKxEMOTQYs\n" +
+            "kGbyRUrvg6Hl+zv7eXRyyMFMQYAwOQJ9pIf5AGp5ObJ2RU87IOxKH/jTjAV6yDvr\n" +
+            "RrBii8NhVr4ouj7c/UflLKLgZ/8RJxcUL5yFInTfbaEMBnQv20AMsAqFR+1VTQ5M\n" +
+            "flLfa7eK+g2lPpCXaZaNrzZkdWk6GggAg4A/6Ighx/VxaPY8PI5K0j7C/PUiKSxQ\n" +
+            "pHHIwuEOZG4Uy33iOjT6n9oiHSMF3iNbf4zvs1Gv5IJOgv1xgU+ppfLF3o322NTh\n" +
+            "t5YXLnbMXPGSh6SvxLlBUxI8gjQdjfaJol0oz31UDedF+CElD7SJbJIPKJq4NBqe\n" +
+            "kQjNUFuHNRouXWNjpX5jlTGx8VM4jUzKISo5I1UvGbUZRxteyWWyFJgbr7VCH2+e\n" +
+            "aENvN215GHWi63EE8Qkp/euTBqA2U69E6vHxwhw+5NA9zE4J0C9yn1JsqBqjPgpt\n" +
+            "emn14QJeJw+yms+BXzAASZY4CL/OGHS40BJgpV7n9GNF8OrZuEZZM+dfzgVd9r4S\n" +
+            "Ogq+ogmrA7DvTpM4OA9Cu+wVVXQRL/BNndEdjc0mUGF1bCBTY2hhdWIgPHZhbml0\n" +
+            "YXN2aXRhZUBtYWlsYm94Lm9yZz7Cw/4EEwEKAqgCGwMFCwkIBwMFFQoJCAsFFgID\n" +
+            "AQACHgECF4AWIQR/kRb+qQpZg5NsfPqgJ9svPh4RigUCYAwbOTUUgAAAAAASABpw\n" +
+            "cm9vZkBtZXRhY29kZS5iaXpkbnM6amFiYmVyaGVhZC50az90eXBlPVRYVD4UgAAA\n" +
+            "AAASACNwcm9vZkBtZXRhY29kZS5iaXpodHRwczovL2Zvc3N0b2Rvbi5vcmcvQHZh\n" +
+            "bml0YXN2aXRhZZAUgAAAAAASAHVwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0\n" +
+            "YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0yMDkzNjgxNTQ1PTYyODlh\n" +
+            "YTNiZDhhNTAxYTM2MzIyYTBmODk0ZjhkMWQ5NzE4ZGVkMDM2MTYwMzlmMWNmNDhi\n" +
+            "MmE0MWVlMzU5MjCPFIAAAAAAEgB0cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5p\n" +
+            "dGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTk5MTQxODIwPWY0YThm\n" +
+            "Zjg0MDA0MzkzYTg3ZjcwMTNjNjAwNjViZGM4OWIxMTY5ZWJjZmI4MDYwYzRmOTY2\n" +
+            "OWI0M2JhMGM4MTSQFIAAAAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5p\n" +
+            "dGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQtMTQyOTY3NzEyNT1lOGE3\n" +
+            "YjEyMzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2YTUzZTM2ODQyODNhMWQ1ZmUyNmVm\n" +
+            "NTg3MmRkMGFlZjQxSBSAAAAAABIALXByb29mQG1ldGFjb2RlLmJpemh0dHBzOi8v\n" +
+            "Y29kZWJlcmcub3JnL3Zhbml0YXN2aXRhZS9naXRlYV9wcm9vZgAKCRCgJ9svPh4R\n" +
+            "ivVhD/46gD755fsVTqanw0VUq9HCWEmSGu5jIU6USs8ZD71Jb1uivXjjKVM4Ir8a\n" +
+            "BZW7+HNrz+XoRfztExxnwh90GVTWYkdrM44x3dOBxQ33etW41yqkmdHHbDnJ45Oj\n" +
+            "23RBp7zSEHmG5TZyvSU5aWUVw+QEqV6uzt43XYL5z3Nnt9RKs9CEAXcrKxOi9FLs\n" +
+            "V/g9xARlfsNw5J4LxoTYV856qPabb4VZy/6TRKxWMJXFQg55xODKgMm+Us2C97db\n" +
+            "6d4rrGH+XFE5rwKNbJH8m3bsHxEwdleIWX270cwtd769FeAydtjte9kTNNJ+9JGG\n" +
+            "Pj2LbhRkf8gnnvQxzyOdiMQ59cAz4rrgVviB0wXOEqhgjxxmIg3e3Y3pncnXRzZm\n" +
+            "v2ShxzpUw7UWK25S3TDBVcHRE0IpOm0eOMQq5kWGy+pEUm1IbJz+kPb0cI9x+VhZ\n" +
+            "k4nnni4yrhAooBcxn5gkKlQc3FFiM8gqw6duj68ugheL/CtJYuYFdJoKtSajzKSD\n" +
+            "vn/64t+rvPY1eywmOgaQ7ljZXEYO3KrgILaKZp5quTY4HY644OMSFboOphLQ2yMm\n" +
+            "ZNUMeYKyHNu5Nw6qyrhcpCLEQ8D5RK63YLuvyDIn+psseOCjjNQhjSRTyYfV4cfW\n" +
+            "C7Bgs9j14xh7t77CY7OtOjWof2mHSzAerMIr5F698BeqMx9DHsLDyAQTAQoCcgIb\n" +
+            "AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBH+RFv6pClmDk2x8+qAn2y8+HhGK\n" +
+            "BQJfyCO2SBSAAAAAABIALXByb29mQG1ldGFjb2RlLmJpemh0dHBzOi8vY29kZWJl\n" +
+            "cmcub3JnL3Zhbml0YXN2aXRhZS9naXRlYV9wcm9vZpAUgAAAAAASAHVwcm9vZkBt\n" +
+            "ZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1v\n" +
+            "LXNpZC0xNDI5Njc3MTI1PWU4YTdiMTIzNmI4NTBiNDY3YTUwOTJjMGJkZmVhODZh\n" +
+            "NTNlMzY4NDI4M2ExZDVmZTI2ZWY1ODcyZGQwYWVmNDGPFIAAAAAAEgB0cHJvb2ZA\n" +
+            "bWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVt\n" +
+            "by1zaWQtMTk5MTQxODIwPWY0YThmZjg0MDA0MzkzYTg3ZjcwMTNjNjAwNjViZGM4\n" +
+            "OWIxMTY5ZWJjZmI4MDYwYzRmOTY2OWI0M2JhMGM4MTSQFIAAAAAAEgB1cHJvb2ZA\n" +
+            "bWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVt\n" +
+            "by1zaWQtMjA5MzY4MTU0NT02Mjg5YWEzYmQ4YTUwMWEzNjMyMmEwZjg5NGY4ZDFk\n" +
+            "OTcxOGRlZDAzNjE2MDM5ZjFjZjQ4YjJhNDFlZTM1OTIwPhSAAAAAABIAI3Byb29m\n" +
+            "QG1ldGFjb2RlLmJpemh0dHBzOi8vZm9zc3RvZG9uLm9yZy9AdmFuaXRhc3ZpdGFl\n" +
+            "AAoJEKAn2y8+HhGK7R4P/RtmQN/Q39Jj+v4pPWxetHRAqFasLoZnFCj1rYgHE7z1\n" +
+            "hWqhCFMaCgeM3r63knwNNQhbZ2KTGhw1tjC/yfWnvDrhQkm1Idr6Zpn9v/D3KIXM\n" +
+            "s4bdPMlRUpRXOE/AM+RS08/bouE7CqIwv0oAj3VOMiMazRYLwXAfkJtUzgWNqlwX\n" +
+            "pujDtAJB6M11XM/Q6qeM4j1pjvXJs/faUFHXyku1zH4rcR0go79qyAbZ1vS67Ps/\n" +
+            "Wg5QYpklc80XarpHRtFVFWagGEtM0mkazkyYBgySZRm8miDGEuwm2HzDru0x+Clp\n" +
+            "H7uSDy6uiOjJO6+ApbJxkWDH/POuwpd0fCLwI9C4UAEnZLkCE3iXNbTKguXEc1Rb\n" +
+            "t8nxrMVlhQO35+1AVo9rpr/8r+FZRlYfZYEB4sUtxjbbIpFV0YZkOBiAW3r6Tp0X\n" +
+            "YJU8wi/fChJvF4j81grwckQavRDbsuQEEbnYzwjucpw2D+Ug/6U+Dhjj1qeYuxJG\n" +
+            "VfF+S07d3k2h84IzElcPwoP5uxpe2MdIOQY+EK0D3mpfedmrlkv8wnImMKp9dU2N\n" +
+            "tG4YqAikdAy4akbU03nk6GVFrGo3gLDKXBA9GVNbnjW9qd0S3OI64Ci+8mBg3NBN\n" +
+            "yIX5uLPsN1+PrwwzQuOBw/gSeWs9JhJA4C8emlzwb+sT8mw+h3ZZ8EI81LD+0h09\n" +
+            "wsN/BBMBCgIpAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEf5EW/qkKWYOT\n" +
+            "bHz6oCfbLz4eEYoFAl/IIjU+FIAAAAAAEgAjcHJvb2ZAbWV0YWNvZGUuYml6aHR0\n" +
+            "cHM6Ly9mb3NzdG9kb24ub3JnL0B2YW5pdGFzdml0YWWQFIAAAAAAEgB1cHJvb2ZA\n" +
+            "bWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVt\n" +
+            "by1zaWQtMjA5MzY4MTU0NT02Mjg5YWEzYmQ4YTUwMWEzNjMyMmEwZjg5NGY4ZDFk\n" +
+            "OTcxOGRlZDAzNjE2MDM5ZjFjZjQ4YjJhNDFlZTM1OTIwjxSAAAAAABIAdHByb29m\n" +
+            "QG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFlQGphYmJlcmhlYWQudGs/b21l\n" +
+            "bW8tc2lkLTE5OTE0MTgyMD1mNGE4ZmY4NDAwNDM5M2E4N2Y3MDEzYzYwMDY1YmRj\n" +
+            "ODliMTE2OWViY2ZiODA2MGM0Zjk2NjliNDNiYTBjODE0kBSAAAAAABIAdXByb29m\n" +
+            "QG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFlQGphYmJlcmhlYWQudGs/b21l\n" +
+            "bW8tc2lkLTE0Mjk2NzcxMjU9ZThhN2IxMjM2Yjg1MGI0NjdhNTA5MmMwYmRmZWE4\n" +
+            "NmE1M2UzNjg0MjgzYTFkNWZlMjZlZjU4NzJkZDBhZWY0MQAKCRCgJ9svPh4Riuaw\n" +
+            "D/9zil7na4utYS7e87CDlnUZT1JmWFRB/fglMG6B3dV1I+wIqsCIYWEkkobJlBI4\n" +
+            "YLYqx3UrYn/TGEca6y6pzlhbRk7YaY+z31XSWZj+fuRBZLLx2WTRgH1L3brQn5+k\n" +
+            "AHkUx2cS1R1usTxqFqWp+APbdDGDpzvHp8omtaYqecAaOhJp3AN96kdsyXCR/SeY\n" +
+            "Kc8aghCBqQx1uhXjyATO3OE+nD/DtWU7z/wqR2LrIvIzrUIQW76FgaqPMSf922p8\n" +
+            "1GxFvAHIa81SGptYDPq7kNXqG1LVF/NJBJAqxCZhu/yIrx+jus7+g3XaoEbuGtO/\n" +
+            "SPxpdDcKiuRwRer1MznX0cbzE2DoaI21t9kJ3y9l8QBl7xLHSCXYxF+hxBy3w7Nq\n" +
+            "TeGpdclC2uMV05H43vKk4Ecrax96g8Bwt6J+jpDPw0LbOBbwGKs5P5ggugtlSFFG\n" +
+            "jMmuIfd+s89lhXzTkBirkM8rEcLrORXww1meaxlhZ8gqHP/amWvNIG/Rpoa+oMs2\n" +
+            "ArA4BJpSeK58pPKH+kL+uZzbfIHZORM54hnuyDOYiMAjdjETETK4QJuNdHkniEU2\n" +
+            "FkHZVYmmdP2Vtjx9XWoFoWjAg2V4XPo87p4GUzwLQ12YS8tNkZMdtUOf0sOKE45E\n" +
+            "EhAb4jxjIcWFQdX99YrtG9Pb8H8KlJeMunQwyLGUcbmt7cLDQAQTAQoB6gIbAwUL\n" +
+            "CQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBH+RFv6pClmDk2x8+qAn2y8+HhGKBQJf\n" +
+            "yBuakBSAAAAAABIAdXByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFl\n" +
+            "QGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTE0Mjk2NzcxMjU9ZThhN2IxMjM2Yjg1\n" +
+            "MGI0NjdhNTA5MmMwYmRmZWE4NmE1M2UzNjg0MjgzYTFkNWZlMjZlZjU4NzJkZDBh\n" +
+            "ZWY0MY8UgAAAAAASAHRwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRh\n" +
+            "ZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0xOTkxNDE4MjA9ZjRhOGZmODQwMDQz\n" +
+            "OTNhODdmNzAxM2M2MDA2NWJkYzg5YjExNjllYmNmYjgwNjBjNGY5NjY5YjQzYmEw\n" +
+            "YzgxNJAUgAAAAAASAHVwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRh\n" +
+            "ZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0yMDkzNjgxNTQ1PTYyODlhYTNiZDhh\n" +
+            "NTAxYTM2MzIyYTBmODk0ZjhkMWQ5NzE4ZGVkMDM2MTYwMzlmMWNmNDhiMmE0MWVl\n" +
+            "MzU5MjAACgkQoCfbLz4eEYq+WhAAxE+FWFauoqKvk7m9XfV9m1v8o9jzialXMo92\n" +
+            "pbyH0TZl2L8H8zUxxJIgvwdgHxvlqLnK95mDNKkRi2qCLhtLVAy04W4n0h7D+//D\n" +
+            "5pCbvMokU4LKYWNL8Rtv0cBIFxpUI2xdVdAG5E3pLimdcpE5/IpHAj+ImkF+8rNk\n" +
+            "yKUHwTUZ24PKgugdzI5zp0UUZ3QrLe4PxOrZif3UURhzej2751+5GSZixZQN+eWl\n" +
+            "L+CldUaWTG4I6e93FpepX3gCpPJo5zMbTlDZG9dQFFMY/jfxNf84MlfDOp5EuIYO\n" +
+            "v4QrG1EdYn9xMBdDilK5lWzAh2flQx3Oi2y5jFIGYX8enUJeMrsbtchbcWhS6O/u\n" +
+            "fefSAAAriw3r4CLQrJ1eyH5DHK2nh6leNP8hXmiV7c1TzK/KMI8uiDQ13Wp2Utoq\n" +
+            "hLVs1tXfM1EMzGoPXQIMDdbOqtJCtjFVlRsBDu/pp1+IppTpq9+ftqHXoB3+nMrh\n" +
+            "mV7r2/BMyR+q88PfJGahxQc0w82YZjaMufWfaDIixDpVtRFNSzbWmz7AA+ylOSOv\n" +
+            "lJKHpJVHo7YP7h23jhqOc25vZ+JQS1YQ00IYFMg86T/7Xq0gttSYLf2deZHnKF8E\n" +
+            "mEoZL0UY2tqOZfXl+Ge+w4QsV01WrXmzcBLydGneACdJ6Luk40kwWO70VEkK+Ed5\n" +
+            "u64eyejCwY4EEwEKADgWIQR/kRb+qQpZg5NsfPqgJ9svPh4RigUCXJkXLAIbAwUL\n" +
+            "CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCgJ9svPh4RipPtD/0duXEGR8m82Pbj\n" +
+            "zivuW0HCyLIxsbhvWYyBlbENo2qvX+zWl2n4Q24n6nfTOh+6WNLc9MHworhO3laC\n" +
+            "9syN4CLgv14cbSCAdTsLaDpOpLBTkwFhEI2gFEiKGaNRnRrf6oGci9q5O4DTkYtk\n" +
+            "ARZHq9e0tWA/rYYcsQQrRbj+eG50Lirwn39CwvPlMx5Gag50jThyUb2qbyOXJAkb\n" +
+            "7R6UxRvHOKJxjZqW0qp8F5GPBjqRhqcVQ6BypAHsvnhiOtZPiagQSovf6U1gHMU5\n" +
+            "kysuybtPMoxesa/U2ZtOs6xvDv2JF+Lscbg/wB1nIe1VwIuzrN80fXB1IGn+Dxl8\n" +
+            "hYTFUn7iJuVhPgAkmN4m6+hD6EQcOB+SLO+rJKFNTaVAL4w79onDgVQGJR/FspBI\n" +
+            "aHTPUaC3zV8G+91SUFPV37e64+FgPFEGu15UcXJdt3/m1dO/nDu/YU8xC0TMyPk/\n" +
+            "llIc+vNl/IxhT0Y8FEHL+WJWZQ9FyBxXBILlP5THuUwnedCuhnlO46GDmZSxHxh7\n" +
+            "CoMF19QxMQ6Qf0uDnnr0vMfnYQuwdEcushJHam1XwWe7kvPao0irq1r8tab2BFhP\n" +
+            "AnnY+nl4e9S23IkkVbbmCXaRM5QCmwgrLY/XggfcVxqb82qBp8irYHRiIjVAEElB\n" +
+            "HJrJWeCQnhVM18nrAbG3ic6sAeB/8s0lUGF1bCBTY2hhdWIgPHZhbml0YXN2aXRh\n" +
+            "ZUByaXNldXAubmV0PsLD/gQTAQoCqAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX\n" +
+            "gBYhBH+RFv6pClmDk2x8+qAn2y8+HhGKBQJgDBs5NRSAAAAAABIAGnByb29mQG1l\n" +
+            "dGFjb2RlLmJpemRuczpqYWJiZXJoZWFkLnRrP3R5cGU9VFhUPhSAAAAAABIAI3By\n" +
+            "b29mQG1ldGFjb2RlLmJpemh0dHBzOi8vZm9zc3RvZG9uLm9yZy9AdmFuaXRhc3Zp\n" +
+            "dGFlkBSAAAAAABIAdXByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFl\n" +
+            "QGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTIwOTM2ODE1NDU9NjI4OWFhM2JkOGE1\n" +
+            "MDFhMzYzMjJhMGY4OTRmOGQxZDk3MThkZWQwMzYxNjAzOWYxY2Y0OGIyYTQxZWUz\n" +
+            "NTkyMI8UgAAAAAASAHRwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRh\n" +
+            "ZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0xOTkxNDE4MjA9ZjRhOGZmODQwMDQz\n" +
+            "OTNhODdmNzAxM2M2MDA2NWJkYzg5YjExNjllYmNmYjgwNjBjNGY5NjY5YjQzYmEw\n" +
+            "YzgxNJAUgAAAAAASAHVwcm9vZkBtZXRhY29kZS5iaXp4bXBwOnZhbml0YXN2aXRh\n" +
+            "ZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0xNDI5Njc3MTI1PWU4YTdiMTIzNmI4\n" +
+            "NTBiNDY3YTUwOTJjMGJkZmVhODZhNTNlMzY4NDI4M2ExZDVmZTI2ZWY1ODcyZGQw\n" +
+            "YWVmNDFIFIAAAAAAEgAtcHJvb2ZAbWV0YWNvZGUuYml6aHR0cHM6Ly9jb2RlYmVy\n" +
+            "Zy5vcmcvdmFuaXRhc3ZpdGFlL2dpdGVhX3Byb29mAAoJEKAn2y8+HhGKwsUP/1o5\n" +
+            "+7BMfta1gsVSEBvaqmCZDK0jL7Mo3g2Sayiw+aOVyFUIYy//YLd4QZGIjn7Wq015\n" +
+            "pjA/sSwAEtZ3rUE74ACbi29YMqSqgfMBvuD6O3u2TvV0y5I6ozGUkwP2cicNlXxn\n" +
+            "cONKBpfDRGa1VDIg4ghGM7/Al4AaBMIhNAQOJS1FiofXZ7qJ7jKK57BY8e1uUfg0\n" +
+            "KChPv/xu21wrhKy8DusBz7PSt8S8KBtisst8Mq+ew8rLRFbZ0F/l5VgvdudVSaR1\n" +
+            "mmSToRvmKgi2RHjIs7hlEEwRr+dWGO9SaW0oxNbVygMlP/pLEn1R9U94tAxDLXgm\n" +
+            "aDYL2NNXwyka5uBKLsy1dHXqXukKPS8py2PZhu2FJMLU0+ml+s2kTbA2Bze7slRO\n" +
+            "uiGPJg9WzovCQYVDam8eafGDMC6Q393HXH+gxq29LRg2Lulf4NJtosO4JVbOyzee\n" +
+            "Rd5FlZkUiJ7vbiVqIzGN8jel8Mr/NNKCcockwmry1u3JArwgNSqR+Uv+CeH446bm\n" +
+            "lfZ6JrwKWQRcuKVRfrXGuT46YmoFSaJjjlTATUVxcUuQNkFlQ6bibmdzEmFaKpVS\n" +
+            "QUf8gXnEjLh78K7kdx81c9cmIU4GrulK2uzGQULt3UgKytyrYf5EOwqnbrDDhAYR\n" +
+            "FwclbYRjvPUZSlTWoCo4u72gOuxdRWDgya9Ic0YnwsPIBBMBCgJyAhsDBQsJCAcD\n" +
+            "BRUKCQgLBRYCAwEAAh4BAheAFiEEf5EW/qkKWYOTbHz6oCfbLz4eEYoFAl/II7ZI\n" +
+            "FIAAAAAAEgAtcHJvb2ZAbWV0YWNvZGUuYml6aHR0cHM6Ly9jb2RlYmVyZy5vcmcv\n" +
+            "dmFuaXRhc3ZpdGFlL2dpdGVhX3Byb29mkBSAAAAAABIAdXByb29mQG1ldGFjb2Rl\n" +
+            "LmJpenhtcHA6dmFuaXRhc3ZpdGFlQGphYmJlcmhlYWQudGs/b21lbW8tc2lkLTE0\n" +
+            "Mjk2NzcxMjU9ZThhN2IxMjM2Yjg1MGI0NjdhNTA5MmMwYmRmZWE4NmE1M2UzNjg0\n" +
+            "MjgzYTFkNWZlMjZlZjU4NzJkZDBhZWY0MY8UgAAAAAASAHRwcm9vZkBtZXRhY29k\n" +
+            "ZS5iaXp4bXBwOnZhbml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0x\n" +
+            "OTkxNDE4MjA9ZjRhOGZmODQwMDQzOTNhODdmNzAxM2M2MDA2NWJkYzg5YjExNjll\n" +
+            "YmNmYjgwNjBjNGY5NjY5YjQzYmEwYzgxNJAUgAAAAAASAHVwcm9vZkBtZXRhY29k\n" +
+            "ZS5iaXp4bXBwOnZhbml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0y\n" +
+            "MDkzNjgxNTQ1PTYyODlhYTNiZDhhNTAxYTM2MzIyYTBmODk0ZjhkMWQ5NzE4ZGVk\n" +
+            "MDM2MTYwMzlmMWNmNDhiMmE0MWVlMzU5MjA+FIAAAAAAEgAjcHJvb2ZAbWV0YWNv\n" +
+            "ZGUuYml6aHR0cHM6Ly9mb3NzdG9kb24ub3JnL0B2YW5pdGFzdml0YWUACgkQoCfb\n" +
+            "Lz4eEYpSJw/+MXSg/xXIpdIVQ3NWeWB3p05op3/ilfb8GuF09XGqck4DeUq6aj93\n" +
+            "LD997vFmvL98ypGoyIpe3ds3DoUXzSFVjPLttFcHPsNm2CmkK6L9M1MY/2JzIRPh\n" +
+            "9GO1fUe5ZxspXgsf3rTZmkYXRUi/22DrEODm6H6fSK57D9J90ppRe8Rm8rqCV29J\n" +
+            "ht1LLgiaCwbz/DKQBBWv5ePaesnyYGTePWqLeHCLsa25mX46NS2HlBSFrcmyR+58\n" +
+            "wxnhkXn8SAbm5JCu/FpY5KX0PSY71QDfPUN2BaOoHRHRT5mSxqsgInJHnRVDf66L\n" +
+            "Lxh65LnfpdjCjTUsT6WPu7DgO9F8ObYnkno+YiaP7b9Uz7qzV3eK8SwmWTLiGE/x\n" +
+            "E1wFGGSvJuvCFAsMGvnc6lVZGA/F3jJCOdBy/QwyfVU54bGjPyUmodZAKoxn6Og2\n" +
+            "jylRUL3a9zdzt6sRxeCtuY+eqbq0ZcasP7b3PjYyMOdNQz2k9G0Fz7SW4PPQiu/m\n" +
+            "JFuCV33O6X5boaqoO/HTa9ZLJqCA8DjbF4i4r2phVzlv0veskqY1Nl9myGV5Mfq/\n" +
+            "El2dc/WfjlZAaw5Hs5qz9vdeFgqu14tSZVdLGENtg4F4TFdLobTE/ElqAVYxyA6e\n" +
+            "PsbOVHdIrwnZQmQvDJEoZEumZbXFmDhAm0Rb/9J8kqAd4KH0wIZq/VDCw38EEwEK\n" +
+            "AikCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQR/kRb+qQpZg5NsfPqgJ9sv\n" +
+            "Ph4RigUCX8giNT4UgAAAAAASACNwcm9vZkBtZXRhY29kZS5iaXpodHRwczovL2Zv\n" +
+            "c3N0b2Rvbi5vcmcvQHZhbml0YXN2aXRhZZAUgAAAAAASAHVwcm9vZkBtZXRhY29k\n" +
+            "ZS5iaXp4bXBwOnZhbml0YXN2aXRhZUBqYWJiZXJoZWFkLnRrP29tZW1vLXNpZC0y\n" +
+            "MDkzNjgxNTQ1PTYyODlhYTNiZDhhNTAxYTM2MzIyYTBmODk0ZjhkMWQ5NzE4ZGVk\n" +
+            "MDM2MTYwMzlmMWNmNDhiMmE0MWVlMzU5MjCPFIAAAAAAEgB0cHJvb2ZAbWV0YWNv\n" +
+            "ZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQt\n" +
+            "MTk5MTQxODIwPWY0YThmZjg0MDA0MzkzYTg3ZjcwMTNjNjAwNjViZGM4OWIxMTY5\n" +
+            "ZWJjZmI4MDYwYzRmOTY2OWI0M2JhMGM4MTSQFIAAAAAAEgB1cHJvb2ZAbWV0YWNv\n" +
+            "ZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVyaGVhZC50az9vbWVtby1zaWQt\n" +
+            "MTQyOTY3NzEyNT1lOGE3YjEyMzZiODUwYjQ2N2E1MDkyYzBiZGZlYTg2YTUzZTM2\n" +
+            "ODQyODNhMWQ1ZmUyNmVmNTg3MmRkMGFlZjQxAAoJEKAn2y8+HhGKNEoP/j/1WwVN\n" +
+            "9h17ZpRvz9ZD3e9WN8iwYZnGTvjuAuCJPpCznfEOszP4Gcy/ixPRQXrnAYaqCoFL\n" +
+            "08a+dambbFPhGduVgoSkItwNcl6KyPv0Q6dDykXfKXBHSTAdvMmhhL51/f3J0Sxa\n" +
+            "xzJ8ev2OzOqJIUzkXtRHwYrdrclJrX/iLankL1lBZzDXJwf+IpAPczBe2a/S/sYz\n" +
+            "NAeiH/OvipNpchQQG6lkQF0duzdx1OudbIGQYuWzVtep8uokIJcrVxMleVZLEvfF\n" +
+            "ZkR5woOSloTbMfB/Kb1MEL2w9R8trJ5F81ZvXolL/DDIEqLTbZEpP9pUSYLe+eWO\n" +
+            "6cszMA2jBwIPYgamg3JKXS/zdDdqnV++rF5/IztLAv1T8mqClOUstU88LuYGBchu\n" +
+            "N4hLgeIB+/q0EmCTWIM/ewnMh/KEZHVXJI+ljoMjwS2dZSkV8KcmTVtU1JccR0Ud\n" +
+            "HxpYtrcwZaUgzFkPJf3WvFidt7rDs32DJCZiM/NKhzIdukyvG6DAFzabveR8XTlz\n" +
+            "evZDNn6gVw04v+jtX++YbasBOI4t8wj2mtqCs3f2bLTRx1fuBu+DyNjAbJT+925G\n" +
+            "kbT4gBkb/8aJOOvwWsT4ljXqngXykk39eAVSmRNlsa2Wnv5v/5Fh4gGY5ecfdLH0\n" +
+            "z14X/fFoVPkp+g+FOD9lpEP96swULamszCG4wsNABBMBCgHqAhsDBQsJCAcDBRUK\n" +
+            "CQgLBRYCAwEAAh4BAheAFiEEf5EW/qkKWYOTbHz6oCfbLz4eEYoFAl/IG5qQFIAA\n" +
+            "AAAAEgB1cHJvb2ZAbWV0YWNvZGUuYml6eG1wcDp2YW5pdGFzdml0YWVAamFiYmVy\n" +
+            "aGVhZC50az9vbWVtby1zaWQtMTQyOTY3NzEyNT1lOGE3YjEyMzZiODUwYjQ2N2E1\n" +
+            "MDkyYzBiZGZlYTg2YTUzZTM2ODQyODNhMWQ1ZmUyNmVmNTg3MmRkMGFlZjQxjxSA\n" +
+            "AAAAABIAdHByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFlQGphYmJl\n" +
+            "cmhlYWQudGs/b21lbW8tc2lkLTE5OTE0MTgyMD1mNGE4ZmY4NDAwNDM5M2E4N2Y3\n" +
+            "MDEzYzYwMDY1YmRjODliMTE2OWViY2ZiODA2MGM0Zjk2NjliNDNiYTBjODE0kBSA\n" +
+            "AAAAABIAdXByb29mQG1ldGFjb2RlLmJpenhtcHA6dmFuaXRhc3ZpdGFlQGphYmJl\n" +
+            "cmhlYWQudGs/b21lbW8tc2lkLTIwOTM2ODE1NDU9NjI4OWFhM2JkOGE1MDFhMzYz\n" +
+            "MjJhMGY4OTRmOGQxZDk3MThkZWQwMzYxNjAzOWYxY2Y0OGIyYTQxZWUzNTkyMAAK\n" +
+            "CRCgJ9svPh4Rijb9D/9LGdGSSD7DhHEd9vMKHe7PL+pysg2K/aTm+XMHKozCOkaf\n" +
+            "hnF6ltSW5vjCXOaEnMtKpH5vnb/RL4tKuWLj/CVC0L1rGAa0MQ0b4AG4fWlbctw1\n" +
+            "I7PAEES+fUFLftrnMgxYF97gM/yGp9a74IfIKHcZ+sVs7dw9Sa8kDCtg3KBCFG4h\n" +
+            "Y5PqUDVlQjWDU0E17y7Vx+0yT9Gfw6esDoao1vCGJhe+AZRZdr5fasdkejUhnZEf\n" +
+            "We1NhGbpfQSh92blSu8YxDhM1N0JFL2WOpZ0JVi/N5rYBRsh9gxHSRhsk1xu9EMU\n" +
+            "OWORX80bBrvN0md8N4F2SWtuzOz/CpJejrxqvx07lJSW+2nRA9TESg1vdPQxhlBz\n" +
+            "NL4HgixHxMhURjPYcvNa8ZPMC40aqukAwt7s/JVMpGwAqOPrCZX3afsbp/OOX3Jp\n" +
+            "F5B0V15GNuoDww/yIGAl+7x8QA3L6eDfjgEHtVYKKJEWN/SHak6QN6M4/ku3zsxk\n" +
+            "gguhr+hZ+BPXh3+Pk1NGiAKBpo+nnUKBcUpXWV4ie1E8DsNhLGgn2Gci2aTt+CW8\n" +
+            "LboPCZJGokhnQhimElUbgZ/8ggsSC6fYqA6qe1EONjw0TSerMJETZqeH/fwJURWN\n" +
+            "BH9Yo+cWM7WqG3p8zy1s6ztBMugvZaM8I4C64TtNbjjgwP04lqrPxtvADoZepcLB\n" +
+            "jgQTAQoAIQUCV/QFEAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAhCRCgJ9sv\n" +
+            "Ph4RihYhBH+RFv6pClmDk2x8+qAn2y8+HhGKs+cQALvEPLUb1jqTtMb/grxritVy\n" +
+            "37BKecW5rMgIXnEPY19PU7fpFtehnAiX1Ydg645fGoDuEqSQKXxN3vOpW7RytNgr\n" +
+            "JnSB4/a4kJFWctQVbknx99PA3LienS1YcEa48uYTz87RKwYVE8PDVCxqL0+8Q1JE\n" +
+            "eaR6xWZfumBJMyBYN5yxhTn2BOQbU09WUwR/lqJc+0Ig1qGSOhpN08MoCqQTpUkY\n" +
+            "S9JQ5+jEYfQq0G0FdI/5SoSBB0qS18cs6mkEAwYtQq6DMH54KcnHT1gBwnBgZgPj\n" +
+            "J1rclBjVrUS+fBzNznZCXRTFrx8sWamYjeOeJjoBbzX8zpDANqJOwrcFX0qCzVJ+\n" +
+            "K7mGIPBQKpDYIV91b94xO0Unp8YBylyQ5WglfLdYlV2wMB9eNkayJHblhQtiQggE\n" +
+            "zBfqco+QlhFZjIh8pSON/wnpWlOE0gPUrcHIWkAWxIatPrASpYhQb+I+Ewd6XsJH\n" +
+            "oiU/3J3kojdJIoCQgdN3mI8cdORdq8YW0z6ZvFuC9nZp3TW28gut2aDYG9/EPqpW\n" +
+            "rLaCrs5qTxiikqd7zEsrexy8roMvr27uCP5gjKXYzNK3NL/xHnignZuBiAM67mNF\n" +
+            "jU7wrZHtnFfOPGnuubkpaPS4hMYkZnZc98ELV352sqFyX3dAvnLVHBqzs6SpPMyZ\n" +
+            "f+mHlHyFlkU8IXvPmhByzsDNBFfz3OgBDADWLIoatRXvo51XQta+AYScGlwnlB5H\n" +
+            "oPnwLfUdE2rly+8zE86omWM24Rf3bBUOwsCNxDotDyupPFJwB5lc+RmFg3AfjZDe\n" +
+            "jvr2GEX8CN603z3VuxVqVoUI7uPy+X0UbD5sh6vUJ+SkVBzLejKFWQCvQnVo+U8N\n" +
+            "E46lDEIzzWRSr8PSzTUU3ZILbExXb528wzIosaS0m+prGbQJN8jBw7l350y/uqX0\n" +
+            "4/NtTGE+x2XJyhgM/jnKzyB8xiY+SYHoMhD3yKnT8uNIHSzgg4fzGCpNGxqR5Zfw\n" +
+            "ZX++fCHaog/Uw+j0XvogTTadknVJINkf1wccLzwPhAsre1beIBaac7peMW7yKF4t\n" +
+            "TRbTNje2Pjz5A1ZdmITTXL6L/DrUFpaXXukCnfj+AQF1uoSjLzpvJRdalpr6OZhw\n" +
+            "HOQrYHbGAeAPh/1Np5m0dWYyidqt7GKh4e66g6B+TJT+LQN5XBy5iyCLiBB6489a\n" +
+            "5RmCPXehNm0fOmUY3thmR5tvg5Dn0Z0GxcUAEQEAAcLBvgQYAQgAcgWCX/iQNwkQ\n" +
+            "oCfbLz4eEYpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn\n" +
+            "v215/4oD56DA4iFieGJvYIv+F8ITuV/t/0aycU116SYCGwwWIQR/kRb+qQpZg5Ns\n" +
+            "fPqgJ9svPh4RigAAN38P/A9xXbD9n3BGT7/LdAbEkhsUDoLR7nB7nlT4lClgGITk\n" +
+            "u2rEGHWjsifzV+djuPp+Kf+cWXWVOdhL30AFiYPq8hZejO41npx+H8tA+dIIe22e\n" +
+            "mP7JW9IN5K+CRL8XC3XTLnel4ZHAt1z2/ZdXO4bAuU+gOAVNUxOzh2ytbgKex5w8\n" +
+            "rtJt1AlaNOVcA7OiZ6OaFIBiPsFaF7ZXYPJlF1STE+2Vwzixb6zr9kZf0lAkGA37\n" +
+            "9mxxD5hxjteakAe3bltqJH82XfIaJ03u7sAcZLHthcJJYDiibtAsfzt+nsLxLvDy\n" +
+            "uUYx8WmqV17MhvqK0pnYRKk8N6U02XRJ4HaG5X5AkyLqYyYeF1QiOyGFRhp7hwwL\n" +
+            "4vQ7RaikFN8xXsj1YviCERjE9CqtZ10cKccEFCHMllR264SeugiKIzf+ed/3ds/i\n" +
+            "+Mtd72A8Lr2NIf1vyQ1BzIVLlDhZnRmrmJjgXduwbhhNalayY0lyjbUnc8tSYU+D\n" +
+            "V36cCuas1HOTdRoVsCfamIyKLDxQR6hpr780WUX5lTdVS45NGoXfUVcRlUvWN7PD\n" +
+            "0fknLO8AdjCFCN8MIfk2jSXDgMi8VPI2AUoz56YnSpQSEVbvtAMKcIhM/5ObqJoY\n" +
+            "SNExTUqr5bkiEIcujMrdmPczcrDJtoOyEtlRBJhKRsUY47B/lNWGu3v8YtQ5mWt0\n" +
+            "wsF2BBgBAgAJBQJX89zoAhsMACEJEKAn2y8+HhGKFiEEf5EW/qkKWYOTbHz6oCfb\n" +
+            "Lz4eEYrgAg//UvHWgBE+nOiW3u3VjwN02OzmYCDk7WUamHqiEc/oxuYcOywMGcg8\n" +
+            "XOE47FMWknW5KBJ6DVFuLPd+Ugac/ap4xeZ0KcWnpomr04sgdJYZcNxuJEqTloWS\n" +
+            "zMuBU1R43D2KT6f+4tH+LIQ+siitqROoFJhjJEdakWDYamktIUsvX9sW7H5ZqmVq\n" +
+            "Cb9mDLc53lERTsrg7Z8abGWTgp8saXiepKLz/9A0fAgV+4NSAahQhjGMHaIhbsJM\n" +
+            "jv28ltUHophE0U1X9pIOQLqIDKFVLhSKTmwzKbZGAeFDvnLyn+ARFihC2nB7Ik7x\n" +
+            "aAut0Ws1v6uZ1is+VoLgW8QHggxfKI+m2kVxfkrPugrVt+Y9IyQSKWvspxm/AnE0\n" +
+            "VZvtz8fmo38fLtvlS3qiqLVB8V0iFGhPvCNH2K9oViz0Zvtk4Q1dIhoF5V9NtA2B\n" +
+            "S/J/gC5DDZAxRh9fFj4uEsy2G49Eod6YZGKpRYICWmzbhOeA6f94wY2mT3QQpiWy\n" +
+            "PcJR2O5yRX6+iVZ9lYANw75104dqaht7uhyCxLZ8OHk7ujBBHFqJubeOgMNnUMFh\n" +
+            "yl3NsPRb2vVuCJ+SpLf4kn/NjO4fTy6AqU0BP+LvhD0bPF3sIIBo9tMHXHBV8X6X\n" +
+            "op9cn4kDuvTdxjASZGce4tOVBh4KMhyOqAdeqnfFLZEHt5UGp/of8azOwM0EV/Pb\n" +
+            "PwEMANvXotph9BCyrs8NTj1zmaxOvygrc/6HZvb+JiJDaEonyjPEgLoKDePUgdz+\n" +
+            "kuWk6d8cSpOm47vBoxf5emVry82htPH9nIGkUyhfFRZkxn7HZ9KIcr+c7NXdBh9M\n" +
+            "0Ig1mWRj6bYOJqJHBpRZm+fV9T+CzGlg05IdBv6dFKTSjAv/pjIkAfhuvNEhNGLO\n" +
+            "2m/48QeuDzsHjjM80/+V6zNSy4SYw/hPGyTSoU1yJyibtLYP8rRN7x0+qqx3IiyB\n" +
+            "NuWZrH6Du6AGffASdk75UiEGr7UVf5ysDx/mBLFMdBoOeSyEHTeypdlC7e8Az7T3\n" +
+            "fzEI4+0ibUEV7+EH+94Azn/AVa3vt6WZ+KFgImy6CBM4S2GQmetvTGYRMXosXSzk\n" +
+            "5twraPZQoUkEEYy08/4yFEbWBniM3nA472rwXDFyjYxx6UZP+wZ/gaqrQKpgKl7G\n" +
+            "Ioe1VVq2bvQpbbWg52K4QpyYmubvfXnGqbjJNXDQN40fK0jVoH3V8pw0czpN0NRA\n" +
+            "BgJhhQARAQABwsMVBBgBAgAJBQJX89s/AhsCAcAJEKAn2y8+HhGKwN0gBBkBAgAG\n" +
+            "BQJX89s/AAoJENzPszAsnkYVdRkL/j13BrBz0MTnRdYO5Ljd9sN2ryLB1EZFyXqJ\n" +
+            "YPZgS0tzy5hWpRvSxH2+N9F3d09LbKLaihuGIApv1XWztIPEhVCtzclIq5rylbsb\n" +
+            "flr8yQ5iL/cI4krQjoV1Z8BYhR6rD97UbPXC+yrhmtnJ9YgL/WSivZqIDv3WOHVW\n" +
+            "QzlMoLZjBX7hawVODes5MiSkFep+P5s6O7uGLYEwKU0Ss1ohBwFBCpCUlc0cftLX\n" +
+            "h8Yo6WxwVRXcsPl0v7095reC+RZtG8DBS8Rhf/of2DOqyQa6qSStIfzjnxQGjWt3\n" +
+            "+TQ9RgWtOqC6/wFy5zk818G5wp4nOwcjBnnlbZGKYJqJIWS7BGf9FcVYxzIb+UcC\n" +
+            "dQEUB1YX86slkYbznicfsRMvHo8cXGE37wwQVgJ2cgToUQFvMmE2T7Qxz5+5II3v\n" +
+            "EXm4lFle+HFFG+rqZXX9S6kgJlm3m+p16GCqV0FX2+9Yl3gKbUFLqgg8j83YagpH\n" +
+            "wmteeSTpIc8UttQq2NAw6mLnPFnphRYhBH+RFv6pClmDk2x8+qAn2y8+HhGK570Q\n" +
+            "AI9PhyCeAM/Wiq+TodmE85C5L/U6/qS4gSQrqRewD/57fA9O59bg1ntEyz8QW9uH\n" +
+            "3Q/5fiE+ck7KI8bLOY6zzC0hTYxszwkgs6hTfRe2z4P6kPJNMyRv6iFKSB0nnA+K\n" +
+            "4fMcWnnsGOkA6b97weeFJ5effmM2WCuciPIwf6XMjeewCvyCmZ3tpTlt7nbJ5bVC\n" +
+            "QZzp5Dsc5p58g3cTHvomYIeVsojD00kwYZyzRohfYOt+nHWrwVo4/WjNJQUpw+oO\n" +
+            "UGVgCqgVgCYTUomzREMaVo8mFe5WR2mo3x7M9DoSfVzALt6qdyJ8lkj0FJUKftJl\n" +
+            "WJ0WR8vRXTtwThL25LZ0tFr2drZ99lql+TB4qg8121laRu+GPbWdCQZGH4OjVu3b\n" +
+            "ozElF1TceCefGGrk4cDwD46e/pfQVrE7b2oMXx0b0519oQP0YRyTSW8vssgnWaRa\n" +
+            "lFWwDDgwBCCB4LbYrlnyauuRvo4KjozCP7ZrzAVbni6i6VSUWIz27FoQsV0BFHLG\n" +
+            "42P2fdiPZy5e2CJUuG5XQOkK3ndgZgZYnOJW6RuKB779VY7gia2lkyZJkXHvHGTx\n" +
+            "+4glDEAm/O+E7IoANwTIE6N9umdkRk89qtsjSYuGLzBo2yMk80k0MFqQNRlHxskZ\n" +
+            "/BE7tydXnOpXhGvlOawIWgfXGwDI0HQhVgdHpPoXl21+zsFNBFf1A1ABEACpA1uS\n" +
+            "uwl+3+a6zzwWsvjRAZnLfAe0ibEmvVMoqF/y6m+VDmivoXFEC+a5fCc6qEwcVE1B\n" +
+            "AZqvbvklzXhwu0jSrNGKz3Vr3FlwtuS0h6W+EEWTh9B0Y2bNiyB3hqRnZ0KuUMUu\n" +
+            "gIifY/G2TPDN3FhCWiU+QJcpTazO+Up74y3YXLxgBo3Zt4H2xf0EzMH9nuKKKtmA\n" +
+            "pQTHMnUQu4Bd/AOrWYJgTQqlFwVJZAcggjLcyk5p8QMGyKpwXpXagvwqHgA0Ct+B\n" +
+            "YSoYkIpVyywQaUS3PKIeEjp5kCuv5iNlZMDv7A6cHASUqsxpjljEyZ/G+R6S9t+4\n" +
+            "7zCNhOqYpAOHrfmXzLe70OtEt91gqIoA6RXeBgBerV/CPuenAjQKQrlcTrlh4/hO\n" +
+            "xj3wWfb+HWiatz/rHQI/gN0oZi1Qg3xuaO8VhCQ98MgTszgU1/K2rb54aI4Ar2h3\n" +
+            "wajqd+421sGxAe/ftbT4ckHkrCgI0j8t0LPvtoOFjpqh2zMbSRjPRzT6ClY/nYPK\n" +
+            "ryY9PZ+6mi8suQpdni4szGKLdIEkloaZNJPwrP7R2d5vQNwyti9qClPeqJjCl5RW\n" +
+            "4zj1GP3ZbVUgcFG3FzImTmdyEd4Y9P1hvPa0CV5W+kyzi4P4VeXK6Zk7CcpTu3Pk\n" +
+            "2VgfD0qhpYcVQLBqNFtPHl665cRJKMxdore1cwARAQABwsG+BBgBCAByBYJf+JA/\n" +
+            "CRCgJ9svPh4RikcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v\n" +
+            "cmcpsdpfx97DwXxPD4xmjMokBtXDs8EKClmOHnHi9CVxUgIbDBYhBH+RFv6pClmD\n" +
+            "k2x8+qAn2y8+HhGKAAA3xxAAvnU620zS2T3PIPYB2VMv7LoUJfAihwWB9J8L0DZG\n" +
+            "tS5GGlFiKQrXaqHpn0cdbm5UrcoXc4gNq78Xn1mG0c3osCmXWqSU/IWovKIubeyn\n" +
+            "UfDofUEk3UTNAHOJpdzryclmib8DwueFOKzEWyRVvpfW7FcGj0bD8QBOJ2LgjjvD\n" +
+            "gp6jza8RXOwXmMkAUU1Hk9QKJCmLgR5xZ+Jdqcb9iW6rn5o8NOOu4i/FPB0pIT9U\n" +
+            "3vXrYWw25uNtoeL89o1xdbFvF+cMOd50x6WtpbAqXtyoSo0giM3ANrY+f9afZBRa\n" +
+            "JGnRVdgQoSdmcbLXIOUe1Xu3h4eR35t1i9hGc3krwdz/534Jrqk2MBN0UOFhOPG7\n" +
+            "3uJnldrz5YkDH2N9/n6GoMowzj+a2p7VmqvjN1v0WxJHiVGjydaRh09ucAkBWPv4\n" +
+            "fOARyZolt6grFP4bLYundxaF/i2XsQDhU3+fXN0PMfkV0EcJT8oinMX3KAknsWLT\n" +
+            "1iAWnniL8N+9uYNjKTucmyvYZrNIQc+7mVBPZRJDripistlWX8iFFpJxvf+IOOSE\n" +
+            "4zYQGe0LPMImDORQT/8LmgJuwLxvkTfL0QJjEwN6QcDWepy8UforgN3giHt2VZbN\n" +
+            "GA+z6+8cu3+wy2phh1tUkQ2XvaJ6x4KnmOR7/Uoio8pTQx6Xt1K0CpXFO7byiJPZ\n" +
+            "957CwXYEGAECAAkFAlf1A1ACGwwAIQkQoCfbLz4eEYoWIQR/kRb+qQpZg5NsfPqg\n" +
+            "J9svPh4RignwD/9V0MDPMOIOs5TCsn21ww3rzi4tjqZUdG/B6eX4DEU2BzMUvr5K\n" +
+            "9Yi8NUf65ua03BQD2PMYWqnGafkJkZ5URAY7iaV7WvJ0SNlJuV2HyGbzqxStiaXO\n" +
+            "ntwvGxZpOO6nvg5/uEBtkuzpMG+8716J/MSfyfj2NtdZkMi+2k8PmdK6jvnSsmAP\n" +
+            "iuCeP32dZSgnlEa3xiFUkNdpQQNVCnGSNWQ7MpHgl1L94qtv41kGT8LI1b8K4R4l\n" +
+            "ovpaKleCCBW9UbD3btHijMLfHy7Ivv4Pg3mkSkEq9uVeNJDkkM2NG7R0dBiclvI5\n" +
+            "xVupf2bIHIBqSo8AaMsEFnfhgEcHPqlCErnN+O8PyrVSVP0LwaXKF9mtez2vpd2H\n" +
+            "4vhFnHbVKTmVIOsW4B1Mbxhnbvl9CPfqNV4uT+4Vg5WS+XmB+ZYWNIJ6JoBp1fJH\n" +
+            "2jUawrQc4DzJPr7ihdeKXd5L+UUo1VmfDRkQvz4Frcwxzl3yg8keHLJd6EvssPtI\n" +
+            "0VU5kAgTbmHkRf9vX/4dCvcyk5+PAiSE1A7Xq3uJTZ3FjxXCxEPSLHjM1GCt1+Tm\n" +
+            "0pnZVp2bH+jGLmgvoRDGEhmYEfzlMra+7fFD00C3UcbSQDNURs3MtRZzv8EkLLAP\n" +
+            "RA7Wcl3XI+M5pFuR+aatDz1hB1uFF/NvnvkjujzTysguoJhU2EKWTtIJIc7BTQRX\n" +
+            "89bnARAAs1NzkaHRNHWu2YiQk8lTctciFjyMlVH/Vy28yZSfpHWrt7MCzhkaK1PY\n" +
+            "sWlnJifOlCnvzyDW26ouLqbPR51lzRFs9UID1dzg4RCuPMs0TwlIfcUCbBRc3lq3\n" +
+            "An941sEwD0+gguGog1oIum2regAftnbSoQj/1+OoZZz0zqeDkHorQcCDTc3EfYsL\n" +
+            "jswiFioioOPWgPjG6DSa39xf07YdrW0DOwpJ/M+MCVoPxREqbXC/oCYUQ85h4V66\n" +
+            "a8YMYrmkeHzq1kuX7HXuoJKtX8W3vHCiPo/sU/wF74b0oDiskfeXwMaZoRhVPkYG\n" +
+            "BEIhAO6n9tqWtuSzxWmMWH/TDw8h2GM6hCa67YPVuiTnztNdr8FR9D3WFpcizpbN\n" +
+            "JFj6HBcrfO6IwD5NK8h5fiqFeIQAIfo1PL88OC8jDVjscF0YoJeCiI8sRFjP/1y/\n" +
+            "MbYaKIR4fA+PbogeW/klGeI8bp49dGQa+8cnrgDcnzNS1TXh1Zcaob9H+DDHdSCN\n" +
+            "37hHtfroFDBCr6KRQ55WzBTdR+zmibZDjkGY4T0uaQjFQAGshPNGcr63rCSWyZnI\n" +
+            "nx1H4WWwnsUquTt7T+qt0TAOfd+9shgPqz/dLKkkF87mBtS423dGdDp6BZJ5t4lp\n" +
+            "l8LGiSuk9p/ckoB4MET+1iLjaU+FECLFyIg95v6Gk1OYFxeDnnEAEQEAAcLBvgQY\n" +
+            "AQgAcgWCX/iQQwkQoCfbLz4eEYpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx\n" +
+            "dW9pYS1wZ3Aub3JnYWATd/tucGd3FDiHb4AJdZ9NptbAcccakj1mpmFlMEkCGwwW\n" +
+            "IQR/kRb+qQpZg5NsfPqgJ9svPh4RigAAMB0P/RLNviscaB3Ii0ZLMs6wQOsYkJ/O\n" +
+            "1c4fm8ajmz+Z5lgEhgVbeFhmsqJHIgk/ni4UcdHAsKIBwfcVxZPzR+nH1g5CId/E\n" +
+            "2mZXCcCi586Z8jyn8b34Vx/rYdJVkqyBL3OtS+EOMBROvA5VsNWrIVm0BrGqzEjm\n" +
+            "0mKUuRldpZyjNRzD2beITJkOCk1H/Vqt+bCXmxb2akb+06bB0NqKG+kjRvlCnSwB\n" +
+            "vZ+RyiXVrOeeoj4ODgGyta0W+Rtnoa+AXpr5JE6uBc3Z+vgZrDndqBgD/SZUXjNC\n" +
+            "//Y3M6qxfji84e8HXmFzuZccmSzwH+Op6Mlh4XiPhqxmL5/AJoE8QxCUnCb4mENc\n" +
+            "nfGdmnlmWGrbApNkdmb3hXDXpZCJzRYgdPtUEuWJ5/mlm0979/bF8b0HN0eCG06V\n" +
+            "qoNi+nSNbeth7f/4gseq60DpcJaf4lGVs9AgjXFNGWSyZmHuFwM+UpfHZiRXfprb\n" +
+            "ilB7ZBhfhx9d0MZ7luyFAa1IdCjb3bpdvZMPSSx8xoW4obcuExVayJzJz1HCeWwr\n" +
+            "3wYuzV4SkWbSm3YWOBfK9EaGc2RogTu89esmyCwW2uslcSrnYS6Dp0lCcC1CXsKl\n" +
+            "ZKWV2GZgbZAUI+w7T71UT4Dw/P4qOvuKIfqvD2SJ0ZfoKoV1oa5YNHqpsJUmmc+U\n" +
+            "XmfTZgfP14xzBUyVwsF2BBgBAgAJBQJX89bnAhsMACEJEKAn2y8+HhGKFiEEf5EW\n" +
+            "/qkKWYOTbHz6oCfbLz4eEYrOhRAA1jBGY2Nrs3SRcou4Ih+4bgXMzG6qPRIh/2ac\n" +
+            "lDM86SHyrA4KrsVlsFiRWHndiyHnnqiT2BqX1tJr+FRqCkuzd5dsj3M9hLrG7aqU\n" +
+            "rJvoEAAo2A4NY1HofR3rpPbibNKEfkPSY0P9GV+8lzb0wKgJ3tzj1FUqjyT4Q3gm\n" +
+            "d9Va7647kHTFJG9Hmjzp/fUkLk4Fg9m3vBg7uaTe0LvF5cgfZk2WGRmqtmOP7hzg\n" +
+            "BwJP6fYzzKNeDyFnzUJr4Dba501wQ6YvmKWyh4gvnFNhI95oL9CqgnygsiHUjafQ\n" +
+            "WexpmXGWAlPvuUQrGN6352vSFf/g/t00sb+Ic0hp1kohOHsmJmA8BHZPHKZPLPO5\n" +
+            "/TvrO/VAd5GMm9iEHkOMAT5sWlnc1oNXHe7QTKpskgUrVjlOKCUkWqeP4Q2oHIVf\n" +
+            "2fUtSru0MoqqemqQvPfSzL8XvOnz35JAC/6rDLRWMmhA7bGhLi+K1dQrNH/OQbU3\n" +
+            "z3ZwXnlm8NhnuT2Ocu7A9jAfizdA4aHfTVTryzOoLMfO4qOYvmiJsBjnm9qgWMSC\n" +
+            "oC5HWI6sD3IxM5J0kgqPWpshyh0pQwvru0yffoP0iyC4Mti+v/5J8XXpAk/QUuRk\n" +
+            "Nfd1+cEU3U5Nej8jRfV8gDfe6VZ+7nfI1ALfPaiYPFF4CSb89XE7mX5jJ2cEA4Eg\n" +
+            "BlUanyzOwU0EV/UBfwEQAOBVbrr/emeHtuSpxTzNLq6WwLSYROYdhdQ486uDPKEJ\n" +
+            "P8S0Vf0OJ4HmX3rYQCFDb0zfZhS/Lu5mFx5Fg4oDGZ0Rlvh4HThnJJGbVZemj4f9\n" +
+            "L4p8hD36kaGMCWPBtgg+54HCuQY+pZvqGCuzJtw7K/QHB627ZAuN5xVXAIUXpMvR\n" +
+            "VUd3/H6qrSXvEQipVrpBHFVG1YcbX2erj31i5hwd7yGS1nJQfp6hwC5E/GbBWp/u\n" +
+            "n9WSKzttKAPls8G81GH6907pmvWvetxJaMqegPpB+tDJ1SESlnRsg7f40x9C7v7o\n" +
+            "S3DjyUGbN6AH/aNcktInC4Qly8etoFopsMjvxj/Mpl7NJmokjLmjY2KQxbkQmBiP\n" +
+            "Ba6Vi5ulRDzBA7hwVGGnqlNQiP6duNC5NpHhzCZbK8zWSlxB3NRT9KqV6FDezdFa\n" +
+            "Xm3rxNrTBl3u/NBP2Gog/0EBukirB7shSWISZ/S7d5MB+YrY4Zg5FRJfW7QwDdhf\n" +
+            "b3pwfr+T3TocttcbbExFk4lA0DNMlMyyhNpszxuEUp7rCi3S9Ushu+YIYO2JL0rl\n" +
+            "gZzGYLS4IbJmA9/mcxNi/Cl8fC+JVt7o0BNHJ5B8JXupGJN1JWVNkwYIdGoD06ER\n" +
+            "hPrre5vuoyjSXK0DRomx07eLi1bxKXHiGd6/GbaJaxToa2+EVIdfKPvoOa8tG7Gb\n" +
+            "ABEBAAHCxDwEGAEIAvAFgl/4kFEJEKAn2y8+HhGKRxQAAAAAAB4AIHNhbHRAbm90\n" +
+            "YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6QrIsUofls51gJdZ+HVbH8dGKJVka/TmXp6\n" +
+            "YORSw2jPAhsCwbygBBkBCABvBYJf+JBRCRBivukmS/FzEUcUAAAAAAAeACBzYWx0\n" +
+            "QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfFq6l7ZWZIJAuffcBu7/dVPtpCFk02\n" +
+            "rAl5iGot9GkqNRYhBGo6N12WZ24XXwA6ZmK+6SZL8XMRAAAWGRAAnpBgU8p/MAEW\n" +
+            "iHl0LSRV5pUWd+zsxO/FytOEe/ctDtHQ5+bEQLnjRuvsz1De2HuuMvfYFSymjNyx\n" +
+            "CxwfdmZ2UA/kCT0CvMo7tn4yhcIvyG/MCAnvERPDgibuJx+SguRhNa8Ld6DDduop\n" +
+            "EPyNKwzmnnitP0ar87CQ6sKlMzJH0dduflv7o+Bp0qWfUeagJ1ZDliFu/0AbwFYO\n" +
+            "bKJs9M5NFM0aa7V3xWWqVlTjQZA54O3ZlXcbYsnKHwmrD/tBTdyzfBBlMkBWG47b\n" +
+            "Og4jJN+p0L5/PQ3VzJgsGAdXgANbkopRTBvg8/+BqtvduOiug/ez3v/ywAkn9Mg6\n" +
+            "basjzWC1LLaH019NEwztfZRDVa/kbM0qt+pczra6S6Cr+mOlVm9cw+aHRB93QS2k\n" +
+            "MPf9EyliHBRB9AIrvcwY7imVgE1oMr2lDWK3G1OMrlGuF/6YBTI+Ok7lTKpIWpAu\n" +
+            "HD9yFK3BzfVnJqmAch54rpTtNZLOQXdFSgUBDjvj5CoQKJ/kdZW6wSNYUHpK8zNd\n" +
+            "lL1/pdq9EMQAyNDHN4/LlABLaZFe1Wy/Nn3bAdVYOpd5MpIYN++LyPALbVUIpARg\n" +
+            "M9D8LUWTv/PBAMeIvV2MmgrDVIY7wqCdS2WFRqmUfdfeZEPFkfJmNfhWb4YqIhg6\n" +
+            "NAfDnE34ddLOqv7FGz4m4Va4sFteztkWIQR/kRb+qQpZg5NsfPqgJ9svPh4RigAA\n" +
+            "i1IQAJPs9+RaZW6buMjkKO46eYWkq9/GtiRzp10XZHB3hreezadT4RHw8tqsm6h/\n" +
+            "8vprK+eJGfCsnhJz08XuItRZQYa1/XmsGTggQh6n2pmOjP7o1x90b4UdeRYi02k7\n" +
+            "wGCwGq6T+yi7jpjWMVEGRn28jumJQmfbC9PjsS0wBI5ne5QFyksu9PjtddYahcov\n" +
+            "1Kz/SUvwVUUgLh7TLi/Ll6qrLZb4tRlEGh4rkfM45dsAQv+ekLi4oh0lRoH33lH/\n" +
+            "sUSgwnzPyRVeqL8tcy70SkQ5295go5jt/WloXitjlQplbunG1gPQQxfSa+TD71ka\n" +
+            "2+wkSBuTyeWHXzi2azOv9gRkUoBOE341cBT16rMIkoIrNLy6uaXj6CtOl6fMqxQz\n" +
+            "Jl5wPYk6wccr3i8q4vGfiDZlDO+a8hLljIYF1TC4DThYTY4dwBGlv8dD6vb+Kj5Y\n" +
+            "FwhovXVsTzQboinToK58roVOM7TbQAN5OV47sagyIylaACybmEC2jYXmtxYpE3KY\n" +
+            "/pKdy8ItBlQRGdIbbS6cPtgUO+SQdjabHkXt6eg355kaXFV9Ci0XjJKsS0az1LXP\n" +
+            "ArU8qg40/7M8Bl/ytgmArsHJ4rEYQQxDNSdqh4oH0duSdoSATyyLwrwBYY3a2w1x\n" +
+            "V6jX6X3DjiiwxhciYto0C5BFX6uwQIJU6qcrI+qAKt6+rnnqwsOVBBgBAgAJBQJX\n" +
+            "9QF/AhsCAkAJEKAn2y8+HhGKwV0gBBkBAgAGBQJX9QF/AAoJEGK+6SZL8XMR13AQ\n" +
+            "AKDbc2MFkbJARAU1thZT8nbZMDNxhheaMe4M+1epv1FNxIP5kzxQK06rfwYAW6nf\n" +
+            "ms2Bg90FEJXa7KnZqfc5qj+eYPflLYrgcpwR4ZazXykI62RBSHgv9SUNmR9tEOL9\n" +
+            "jFd8Qf5x2qbYrCv6ElQmfLee0wrV2ML06nOzkwa71KnKfdCP6dOIa2VyVkQ9TaN6\n" +
+            "6yfGfO3qGnpsrd/vHs2Z17a8kTou7wt+Do13TZekbyLnIBG2XkDsY++KzWfNlO4h\n" +
+            "svAzyJKbVZfbtiiTwYZdtYWoImn5BQCUaYSGZdkkBgV/eqtXPoLzBieeKC5QTx1A\n" +
+            "bO5lz3xAD2iUdj0HN7Uzl4gutnJllLXakhagIRTY6rGSaiBKVhRBTb4ZwFmEB3DA\n" +
+            "n9Rd7C1+e5xhtoznDwENC7gCzr37fzW3VbP9rACs1LmMwQEBp8n+az591QDeNFKM\n" +
+            "NG9EqtG8vZZY4AER3s+6fzAGFehcj6hnWC7ZUjRpE1oWYLWUWaJ70crBY0X+14QO\n" +
+            "YcDCHd0GVg0alhayb/jbcVjUPqNisjX3RUCtKLlw4/auEv4/9fbX1jQogSfmNDp/\n" +
+            "gvDUdiUZ5fsq7GpFik2HiNtzITzT1G5QnHQpCwvwttwXdh5TfXPjcWy1OJsnQnht\n" +
+            "+X51zOWQnPe4NpayR0CdPAiFBpr+xrwwT0B6i3KJzKcfFiEEf5EW/qkKWYOTbHz6\n" +
+            "oCfbLz4eEYoj6w//fcy/NA+hsS9vJmsnQDqJbZMcWJZmImdlXl6MveXYpFR4iwQo\n" +
+            "EPY5E2y3N0hzhh4Yy0j9FG7SN3kKH4NysMQSAtgHI9E1sshGCBYSv3DNMsdbSjid\n" +
+            "mnGfEcFHl7uSITdhXDMDh84tfDnyF50d0y+Bcpdjb0ipLqDQzV/TISbnsuHC6IVO\n" +
+            "T8avF9+NQd2dXMCyxsLQziUuKoB1A+DloAz1HrpmZ5VJ9koebRIV8RIJmIV1Bv4Z\n" +
+            "18OBX2XCmWZUXudVMbEI+DTXogenj3j+0yYhalAj14rPndScRkr7NjR3sQxTzygT\n" +
+            "Q6k1YGQVitCSFdt90R/UHpBVX8a4bt4giM2ZYnSl0kjkyki7ZtAWMqmgdOks7643\n" +
+            "OWrS2IXgTUHy/oikwCpOvtUiV0hGtV7GhIbqecV+jshjXEko/yH/u2JFwjhEnEPP\n" +
+            "Njy3gUNb2qtRxqPSboKk+p9OFqGPNonzlgxS4KBRjC+2Lr9ky1VxWhIcsIjMMFxG\n" +
+            "STmGCJvwicAAKs1eAyxi3B5ES5taZmkdkZ6niPloFM44EO1cvEPKZLqiXOBlw7J2\n" +
+            "fzC53N9HXIdLdEkScbUzxSXQJ2e1nZ1U8pi+hOpRZqNqE+hoAxer9wVzCAljOSwh\n" +
+            "wMx2yRO5CAYzX41+jbqspsvqqX/YUCtxzbOAc1VrpvgK0jDlftyZD8q3aE8=\n" +
+            "=UC83\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+
+    @Test
+    public void longAsciiArmoredMessageIsAsciiArmored() throws IOException {
+        byte[] asciiArmoredBytes = longAsciiArmoredMessage.getBytes(StandardCharsets.UTF_8);
+        assertTrue(asciiArmoredBytes.length > OpenPgpInputStream.MAX_BUFFER_SIZE);
+        ByteArrayInputStream asciiIn = new ByteArrayInputStream(asciiArmoredBytes);
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(asciiIn);
+
+        assertTrue(openPgpInputStream.isAsciiArmored());
+        assertFalse(openPgpInputStream.isNonOpenPgp());
+        assertFalse(openPgpInputStream.isBinaryOpenPgp());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(openPgpInputStream, out);
+
+        assertArrayEquals(asciiArmoredBytes, out.toByteArray());
+    }
+
+    @Test
+    public void shortBinaryOpenPgpMessageIsBinary() throws IOException {
+        String asciiArmored = "-----BEGIN PGP MESSAGE-----\n" +
+                "\n" +
+                "wV4DR2b2udXyHrYSAQdA8GwHRf0XsR9FsPL36oNvdoBZPXddygb2iYdGBJko9X0w\n" +
+                "VQqhsjX54WCiMBQx4ma0om49rAWHCk4h4IAq5+WsdN+xCklAUXsbIA7BZUaXfzEB\n" +
+                "0j8BpWiU6SJ9YB23OtZSWl/5bu8hx1bnKd5ZM0D5VP2QF772Ci/oAGywSuOA+C6b\n" +
+                "G4Bkf1xlQ9vctnBpMix3xUA=\n" +
+                "=95Eb\n" +
+                "-----END PGP MESSAGE-----\n";
+        // Dearmor the data to get binary openpgp data
+        ArmoredInputStream armoredInputStream = new ArmoredInputStream(new ByteArrayInputStream(asciiArmored.getBytes(StandardCharsets.UTF_8)));
+        ByteArrayOutputStream binaryOut = new ByteArrayOutputStream();
+        Streams.pipeAll(armoredInputStream, binaryOut);
+
+        byte[] binaryBytes = binaryOut.toByteArray();
+        ByteArrayInputStream binaryIn = new ByteArrayInputStream(binaryBytes);
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(binaryIn);
+
+        assertTrue(openPgpInputStream.isBinaryOpenPgp());
+        assertFalse(openPgpInputStream.isAsciiArmored());
+        assertFalse(openPgpInputStream.isNonOpenPgp());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(openPgpInputStream, out);
+        assertArrayEquals(binaryBytes, out.toByteArray());
+    }
+
+    @Test
+    public void longBinaryOpenPgpMessageIsBinary() throws IOException {
+        // Dearmor the data to get binary openpgp data
+        ArmoredInputStream armoredInputStream = new ArmoredInputStream(new ByteArrayInputStream(longAsciiArmoredMessage.getBytes(StandardCharsets.UTF_8)));
+        ByteArrayOutputStream binaryOut = new ByteArrayOutputStream();
+        Streams.pipeAll(armoredInputStream, binaryOut);
+
+        byte[] binaryBytes = binaryOut.toByteArray();
+        ByteArrayInputStream binaryIn = new ByteArrayInputStream(binaryBytes);
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(binaryIn);
+
+        assertTrue(openPgpInputStream.isBinaryOpenPgp());
+        assertFalse(openPgpInputStream.isAsciiArmored());
+        assertFalse(openPgpInputStream.isNonOpenPgp());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(openPgpInputStream, out);
+        assertArrayEquals(binaryBytes, out.toByteArray());
+    }
+
+    @Test
+    public void emptyStreamTest() throws IOException {
+        ByteArrayInputStream in = new ByteArrayInputStream(new byte[0]);
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(in);
+
+        assertFalse(openPgpInputStream.isBinaryOpenPgp());
+        assertFalse(openPgpInputStream.isAsciiArmored());
+        assertTrue(openPgpInputStream.isNonOpenPgp());
+    }
+}

From 8172aa108305068d9d31e2d6b2e8dc519b2e0b4c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 20:56:02 +0200
Subject: [PATCH 0434/1450] Update documentation of #96 workaround

---
 .../src/main/java/org/pgpainless/util/ArmorUtils.java         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index e862652d..48bdc0cc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -536,11 +536,9 @@ public final class ArmorUtils {
      * to read all PGPKeyRings properly, we apparently have to make sure that the {@link InputStream} that is given
      * as constructor argument is a PGPUtil.BufferedInputStreamExt.
      * Since {@link PGPUtil#getDecoderStream(InputStream)} will return an {@link org.bouncycastle.bcpg.ArmoredInputStream}
-     * if the underlying input stream contains armored data, we have to nest two method calls to make sure that the
+     * if the underlying input stream contains armored data, we first dearmor the data ourselves to make sure that the
      * end-result is a PGPUtil.BufferedInputStreamExt.
      *
-     * This is a hacky solution.
-     *
      * @param inputStream input stream
      * @return BufferedInputStreamExt
      *

From 230725f6ff81db5207daaf3a8a25ede11c66431a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 21:33:13 +0200
Subject: [PATCH 0435/1450] Add option to force handling of data as non-openpgp

---
 .../ConsumerOptions.java                      | 16 ++++++
 .../DecryptionStreamFactory.java              |  2 +-
 .../OpenPgpInputStream.java                   | 57 +++++++------------
 3 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index c23ede3d..7b8d1e70 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -36,6 +36,7 @@ public class ConsumerOptions {
 
 
     private boolean ignoreMDCErrors = false;
+    private boolean forceNonOpenPgpData = false;
 
     private Date verifyNotBefore = null;
     private Date verifyNotAfter = new Date();
@@ -296,6 +297,21 @@ public class ConsumerOptions {
         return ignoreMDCErrors;
     }
 
+    /**
+     * Force PGPainless to handle the data provided by the {@link InputStream} as non-OpenPGP data.
+     * This workaround might come in handy if PGPainless accidentally mistakes the data for binary OpenPGP data.
+     *
+     * @return options
+     */
+    public ConsumerOptions forceNonOpenPgpData() {
+        this.forceNonOpenPgpData = true;
+        return this;
+    }
+
+    boolean isForceNonOpenPgpData() {
+        return forceNonOpenPgpData;
+    }
+
     /**
      * Specify the {@link MissingKeyPassphraseStrategy}.
      * This strategy defines, how missing passphrases for unlocking secret keys are handled.
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 7f8e7f0d..a8847c33 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -134,7 +134,7 @@ public final class DecryptionStreamFactory {
         PGPObjectFactory objectFactory;
 
         // Non-OpenPGP data. We are probably verifying detached signatures
-        if (openPgpIn.isNonOpenPgp()) {
+        if (openPgpIn.isNonOpenPgp() || options.isForceNonOpenPgpData()) {
             outerDecodingStream = openPgpIn;
             pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
             return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
index c3668daa..d15f2ffb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
@@ -18,7 +18,7 @@ public class OpenPgpInputStream extends BufferedInputStream {
     private static final byte[] ARMOR_HEADER = "-----BEGIN PGP ".getBytes(Charset.forName("UTF8"));
 
     // Buffer beginning bytes of the data
-    public static final int MAX_BUFFER_SIZE = 8192;
+    public static final int MAX_BUFFER_SIZE = 8192 * 2;
 
     private final byte[] buffer;
     private final int bufferLen;
@@ -53,6 +53,14 @@ public class OpenPgpInputStream extends BufferedInputStream {
         return false;
     }
 
+    /**
+     * This method is still brittle.
+     * Basically we try to parse OpenPGP packets from the buffer.
+     * If we run into exceptions, then we know that the data is non-OpenPGP'ish.
+     *
+     * This breaks down though if we read plausible garbage where the data accidentally makes sense,
+     * or valid, yet incomplete packets (remember, we are still only working on a portion of the data).
+     */
     private void determineIsBinaryOpenPgp() {
         if (bufferLen == -1) {
             // Empty data
@@ -62,47 +70,24 @@ public class OpenPgpInputStream extends BufferedInputStream {
         try {
             ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen);
             PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(bufferIn);
+
+            boolean containsPackets = false;
             while (objectFactory.nextObject() != null) {
-                // read all packets in buffer
+                containsPackets = true;
+                // read all packets in buffer - hope to confirm invalid data via thrown IOExceptions
             }
-            containsOpenPgpPackets = true;
+            containsOpenPgpPackets = containsPackets;
+
         } catch (IOException e) {
-            if (e.getMessage().contains("premature end of stream in PartialInputStream")) {
-                // We *probably* hit valid, but large OpenPGP data
-                // This is not an optimal way of determining the nature of data, but probably the best
-                // we can get from BC.
-                containsOpenPgpPackets = true;
-            }
-            // else: seemingly random, non-OpenPGP data
-        }
-    }
+            String msg = e.getMessage();
 
-    private boolean startsWith(byte[] bytes, byte[] subsequence, int bufferLen) {
-        return indexOfSubsequence(bytes, subsequence, bufferLen) == 0;
-    }
+            // If true, we *probably* hit valid, but large OpenPGP data (not sure though) :/
+            // Otherwise we hit garbage and can be sure that this is no OpenPGP data \o/
+            containsOpenPgpPackets = (msg != null && msg.contains("premature end of stream in PartialInputStream"));
 
-    private int indexOfSubsequence(byte[] bytes, byte[] subsequence, int bufferLen) {
-        if (bufferLen == -1) {
-            return -1;
+            // This is not an optimal way of determining the nature of data, but probably the best
+            // we can do :/
         }
-        // Naive implementation
-        // TODO: Could be improved by using e.g. Knuth-Morris-Pratt algorithm.
-        for (int i = 0; i < bufferLen; i++) {
-            if ((i + subsequence.length) <= bytes.length) {
-                boolean found = true;
-                for (int j = 0; j < subsequence.length; j++) {
-                    if (bytes[i + j] != subsequence[j]) {
-                        found = false;
-                        break;
-                    }
-                }
-
-                if (found) {
-                    return i;
-                }
-            }
-        }
-        return -1;
     }
 
     private boolean startsWithIgnoringWhitespace(byte[] bytes, byte[] subsequence, int bufferLen) {

From 4764202ac9468da1449fe38748175c0a60d0e872 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 22:43:19 +0200
Subject: [PATCH 0436/1450] Change visibility of
 BcPGPHashContextContentSignerBuilder constructor

---
 .../BcPGPHashContextContentSignerBuilder.java                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
index 474ee9ef..df6f6ca3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
@@ -42,7 +42,7 @@ class BcPGPHashContextContentSignerBuilder extends PGPHashContextContentSignerBu
     private final MessageDigest messageDigest;
     private final HashAlgorithm hashAlgorithm;
 
-    public BcPGPHashContextContentSignerBuilder(MessageDigest messageDigest) {
+    BcPGPHashContextContentSignerBuilder(MessageDigest messageDigest) {
         this.messageDigest = messageDigest;
         this.hashAlgorithm = HashAlgorithm.fromName(messageDigest.getAlgorithm());
         if (hashAlgorithm == null) {

From 6c983d66e0dcf4f87258a7a35f6b78d748bb972a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 22:45:39 +0200
Subject: [PATCH 0437/1450] Take hash algorithm usage date into account when
 checking algorithm acceptance

---
 .../java/org/pgpainless/policy/Policy.java    | 151 +++++++++++++++++-
 .../consumer/SignatureValidator.java          |   5 +-
 .../org/pgpainless/policy/PolicyTest.java     |  31 +++-
 3 files changed, 175 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index e64899c0..17804e5e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -6,7 +6,9 @@ package org.pgpainless.policy;
 
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.Date;
 import java.util.EnumMap;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.NoSuchElementException;
@@ -18,6 +20,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.NotationRegistry;
 
 /**
@@ -301,11 +304,39 @@ public final class Policy {
     public static final class HashAlgorithmPolicy {
 
         private final HashAlgorithm defaultHashAlgorithm;
-        private final List acceptableHashAlgorithms;
+        private final Map acceptableHashAlgorithmsAndTerminationDates;
 
-        public HashAlgorithmPolicy(HashAlgorithm defaultHashAlgorithm, List acceptableHashAlgorithms) {
+        /**
+         * Create a {@link HashAlgorithmPolicy} which accepts all {@link HashAlgorithm HashAlgorithms} from the
+         * given map, if the queried usage date is BEFORE the respective termination date.
+         * A termination date value of 
null
 means no termination, resulting in the algorithm being
+         * acceptable, regardless of usage date.
+         *
+         * @param defaultHashAlgorithm default hash algorithm
+         * @param algorithmTerminationDates map of acceptable algorithms and their termination dates
+         */
+        public HashAlgorithmPolicy(@Nonnull HashAlgorithm defaultHashAlgorithm, @Nonnull Map algorithmTerminationDates) {
             this.defaultHashAlgorithm = defaultHashAlgorithm;
-            this.acceptableHashAlgorithms = Collections.unmodifiableList(acceptableHashAlgorithms);
+            this.acceptableHashAlgorithmsAndTerminationDates = algorithmTerminationDates;
+        }
+
+        /**
+         * Create a {@link HashAlgorithmPolicy} which accepts all {@link HashAlgorithm HashAlgorithms} listed in
+         * the given list, regardless of usage date.
+         *
+         * @param defaultHashAlgorithm default hash algorithm (e.g. used as fallback if negotiation fails)
+         * @param acceptableHashAlgorithms list of acceptable hash algorithms
+         */
+        public HashAlgorithmPolicy(@Nonnull HashAlgorithm defaultHashAlgorithm, @Nonnull List acceptableHashAlgorithms) {
+            this(defaultHashAlgorithm, Collections.unmodifiableMap(listToMap(acceptableHashAlgorithms)));
+        }
+
+        private static Map listToMap(@Nonnull List algorithms) {
+            Map algorithmsAndTerminationDates = new HashMap<>();
+            for (HashAlgorithm algorithm : algorithms) {
+                algorithmsAndTerminationDates.put(algorithm, null);
+            }
+            return algorithmsAndTerminationDates;
         }
 
         /**
@@ -319,17 +350,17 @@ public final class Policy {
         }
 
         /**
-         * Return true if the given hash algorithm is acceptable by this policy.
+         * Return true if the given hash algorithm is currently acceptable by this policy.
          *
          * @param hashAlgorithm hash algorithm
          * @return true if the hash algorithm is acceptable, false otherwise
          */
-        public boolean isAcceptable(HashAlgorithm hashAlgorithm) {
-            return acceptableHashAlgorithms.contains(hashAlgorithm);
+        public boolean isAcceptable(@Nonnull HashAlgorithm hashAlgorithm) {
+            return isAcceptable(hashAlgorithm, new Date());
         }
 
         /**
-         * Return true if the given hash algorithm is acceptable by this policy.
+         * Return true if the given hash algorithm is currently acceptable by this policy.
          *
          * @param algorithmId hash algorithm
          * @return true if the hash algorithm is acceptable, false otherwise
@@ -344,6 +375,39 @@ public final class Policy {
             }
         }
 
+        /**
+         * Return true, if the given algorithm is acceptable for the given usage date.
+         *
+         * @param hashAlgorithm algorithm
+         * @param usageDate usage date (e.g. signature creation time)
+         *
+         * @return acceptance
+         */
+        public boolean isAcceptable(@Nonnull HashAlgorithm hashAlgorithm, @Nonnull Date usageDate) {
+            if (!acceptableHashAlgorithmsAndTerminationDates.containsKey(hashAlgorithm)) {
+                return false;
+            }
+
+            // Check termination date
+            Date terminationDate = acceptableHashAlgorithmsAndTerminationDates.get(hashAlgorithm);
+            if (terminationDate == null) {
+                return true;
+            }
+
+            // Reject if usage date is past termination date
+            return terminationDate.after(usageDate);
+        }
+
+        public boolean isAcceptable(int algorithmId, @Nonnull Date usageDate) {
+            try {
+                HashAlgorithm algorithm = HashAlgorithm.requireFromId(algorithmId);
+                return isAcceptable(algorithm, usageDate);
+            } catch (NoSuchElementException e) {
+                // Unknown algorithm is not acceptable
+                return false;
+            }
+        }
+
         /**
          * The default signature hash algorithm policy of PGPainless.
          * Note that this policy is only used for non-revocation signatures.
@@ -352,6 +416,44 @@ public final class Policy {
          * @return default signature hash algorithm policy
          */
         public static HashAlgorithmPolicy defaultSignatureAlgorithmPolicy() {
+            return smartSignatureHashAlgorithmPolicy();
+        }
+
+        /**
+         * {@link HashAlgorithmPolicy} which takes the date of the algorithm usage into consideration.
+         * If the policy has a termination date for a given algorithm, and the usage date is after that termination
+         * date, the algorithm is rejected.
+         *
+         * This policy is inspired by Sequoia-PGP's collision resistant algorithm policy.
+         *
+         * @see 
+         *     Sequoia-PGP's Collision Resistant Algorithm Policy
+         *
+         * @return smart signature algorithm policy
+         */
+        public static HashAlgorithmPolicy smartSignatureHashAlgorithmPolicy() {
+            Map algorithmDateMap = new HashMap<>();
+
+            algorithmDateMap.put(HashAlgorithm.MD5, DateUtil.parseUTCDate("1997-02-01 00:00:00 UTC"));
+            algorithmDateMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+            algorithmDateMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+            algorithmDateMap.put(HashAlgorithm.SHA224, null);
+            algorithmDateMap.put(HashAlgorithm.SHA256, null);
+            algorithmDateMap.put(HashAlgorithm.SHA384, null);
+            algorithmDateMap.put(HashAlgorithm.SHA512, null);
+
+            return new HashAlgorithmPolicy(HashAlgorithm.SHA512, algorithmDateMap);
+        }
+
+        /**
+         * {@link HashAlgorithmPolicy} which only accepts signatures made using algorithms which are acceptable
+         * according to 2022 standards.
+         *
+         * Particularly this policy only accepts algorithms from the SHA2 family.
+         *
+         * @return static signature algorithm policy
+         */
+        public static HashAlgorithmPolicy static2022SignatureAlgorithmPolicy() {
             return new HashAlgorithmPolicy(HashAlgorithm.SHA512, Arrays.asList(
                     HashAlgorithm.SHA224,
                     HashAlgorithm.SHA256,
@@ -366,6 +468,41 @@ public final class Policy {
          * @return default revocation signature hash algorithm policy
          */
         public static HashAlgorithmPolicy defaultRevocationSignatureHashAlgorithmPolicy() {
+            return smartRevocationSignatureHashAlgorithmPolicy();
+        }
+
+        /**
+         * Revocation Signature {@link HashAlgorithmPolicy} which takes the date of the algorithm usage
+         * into consideration.
+         * If the policy has a termination date for a given algorithm, and the usage date is after that termination
+         * date, the algorithm is rejected.
+         *
+         * This policy is inspired by Sequoia-PGP's collision resistant algorithm policy.
+         *
+         * @see 
+         *     Sequoia-PGP's Collision Resistant Algorithm Policy
+         *
+         * @return smart signature revocation algorithm policy
+         */
+        public static HashAlgorithmPolicy smartRevocationSignatureHashAlgorithmPolicy() {
+            Map algorithmDateMap = new HashMap<>();
+
+            algorithmDateMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+            algorithmDateMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+            algorithmDateMap.put(HashAlgorithm.SHA224, null);
+            algorithmDateMap.put(HashAlgorithm.SHA256, null);
+            algorithmDateMap.put(HashAlgorithm.SHA384, null);
+            algorithmDateMap.put(HashAlgorithm.SHA512, null);
+
+            return new HashAlgorithmPolicy(HashAlgorithm.SHA512, algorithmDateMap);
+        }
+
+        /**
+         * Hash algorithm policy for revocation signatures, which accepts SHA1 & SHA2 algorithms, as well as RIPEMD160.
+         *
+         * @return static revocation signature hash algorithm policy
+         */
+        public static HashAlgorithmPolicy static2022RevocationSignatureHashAlgorithmPolicy() {
             return new HashAlgorithmPolicy(HashAlgorithm.SHA512, Arrays.asList(
                     HashAlgorithm.RIPEMD160,
                     HashAlgorithm.SHA1,
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 51bfa7c3..6a10e1f3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -195,8 +195,9 @@ public abstract class SignatureValidator {
                 try {
                     HashAlgorithm hashAlgorithm = HashAlgorithm.requireFromId(signature.getHashAlgorithm());
                     Policy.HashAlgorithmPolicy hashAlgorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy);
-                    if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm())) {
-                        throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm);
+                    if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm(), signature.getCreationTime())) {
+                        throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm +
+                                " (Signature creation time: " + DateUtil.formatUTCDate(signature.getCreationTime()) + ")");
                     }
                 } catch (NoSuchElementException e) {
                     throw new SignatureValidationException("Signature uses unknown hash algorithm " + signature.getHashAlgorithm());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
index 6d86f8d9..9959be68 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
@@ -9,6 +9,9 @@ import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -16,6 +19,7 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.util.DateUtil;
 
 public class PolicyTest {
 
@@ -33,11 +37,23 @@ public class PolicyTest {
         policy.setSymmetricKeyDecryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256,
                 Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.BLOWFISH)));
 
-        policy.setSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512,
-                Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256)));
+        Map sigHashAlgoMap = new HashMap<>();
+        sigHashAlgoMap.put(HashAlgorithm.SHA512, null);
+        sigHashAlgoMap.put(HashAlgorithm.SHA384, null);
+        sigHashAlgoMap.put(HashAlgorithm.SHA256, null);
+        sigHashAlgoMap.put(HashAlgorithm.SHA224, null);
+        sigHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+        policy.setSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap));
 
+        Map revHashAlgoMap = new HashMap<>();
+        revHashAlgoMap.put(HashAlgorithm.SHA512, null);
+        revHashAlgoMap.put(HashAlgorithm.SHA384, null);
+        revHashAlgoMap.put(HashAlgorithm.SHA256, null);
+        revHashAlgoMap.put(HashAlgorithm.SHA224, null);
+        revHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
+        revHashAlgoMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
         policy.setRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512,
-                Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1)));
+                revHashAlgoMap));
 
         policy.setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
     }
@@ -92,12 +108,17 @@ public class PolicyTest {
     public void testAcceptableSignatureHashAlgorithm() {
         assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512));
         assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512.getAlgorithmId()));
+        // Usage date before termination date -> acceptable
+        assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
+        assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
     }
 
     @Test
     public void testUnacceptableSignatureHashAlgorithm() {
         assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1));
         assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId()));
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
     }
 
     @Test
@@ -109,12 +130,16 @@ public class PolicyTest {
     public void testAcceptableRevocationSignatureHashAlgorithm() {
         assertTrue(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA384));
         assertTrue(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA384.getAlgorithmId()));
+        assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
+        assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
     }
 
     @Test
     public void testUnacceptableRevocationSignatureHashAlgorithm() {
         assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.RIPEMD160));
         assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.RIPEMD160.getAlgorithmId()));
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
     }
 
     @Test

From 9b8cf37dd1e7286634b5bd3d9664d7bdc8ed96f2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 23:06:40 +0200
Subject: [PATCH 0438/1450] Use smart hash algorithm policy as default
 revocation hash policy

---
 .../java/org/pgpainless/policy/Policy.java    | 28 +------------------
 1 file changed, 1 insertion(+), 27 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 17804e5e..36582bf0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -468,33 +468,7 @@ public final class Policy {
          * @return default revocation signature hash algorithm policy
          */
         public static HashAlgorithmPolicy defaultRevocationSignatureHashAlgorithmPolicy() {
-            return smartRevocationSignatureHashAlgorithmPolicy();
-        }
-
-        /**
-         * Revocation Signature {@link HashAlgorithmPolicy} which takes the date of the algorithm usage
-         * into consideration.
-         * If the policy has a termination date for a given algorithm, and the usage date is after that termination
-         * date, the algorithm is rejected.
-         *
-         * This policy is inspired by Sequoia-PGP's collision resistant algorithm policy.
-         *
-         * @see 
-         *     Sequoia-PGP's Collision Resistant Algorithm Policy
-         *
-         * @return smart signature revocation algorithm policy
-         */
-        public static HashAlgorithmPolicy smartRevocationSignatureHashAlgorithmPolicy() {
-            Map algorithmDateMap = new HashMap<>();
-
-            algorithmDateMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
-            algorithmDateMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
-            algorithmDateMap.put(HashAlgorithm.SHA224, null);
-            algorithmDateMap.put(HashAlgorithm.SHA256, null);
-            algorithmDateMap.put(HashAlgorithm.SHA384, null);
-            algorithmDateMap.put(HashAlgorithm.SHA512, null);
-
-            return new HashAlgorithmPolicy(HashAlgorithm.SHA512, algorithmDateMap);
+            return smartSignatureHashAlgorithmPolicy();
         }
 
         /**

From 9b11b943545997615126d6b71debdc8255197a92 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Apr 2022 23:06:46 +0200
Subject: [PATCH 0439/1450] Update CHANGELOG

---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25ab7ef0..ca3c8c29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,21 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.2.1-SNAPSHOT
+- Bump `sop-java` dependency to `1.2.2`
+- Add experimental support for creating signatures over pre-calculated `MessageDigest` objects.
+  - `BcHashContextSigner.signHashContext()` can be used to create OpenPGP signatures over manually hashed data.  
+    This allows applications to do the hashing themselves.
+- Harden detection of binary/ascii armored/non-OpenPGP data
+- Add `ConsumerOptions.forceNonOpenPgpData()` to force PGPainless to handle data as non-OpenPGP data
+  - This is a workaround for when PGPainless accidentally mistakes non-OpenPGP data for binary OpenPGP data
+- Implement "smart" hash algorithm policies, which take the 'usage-date' for algorithms into account
+  - This allows for fine-grained signature hash algorithm policing with usage termination dates
+- Switch to smart signature hash algorithm policies by default
+  - PGPainless now accepts SHA-1 signatures if they were made before 2013-02-01
+  - We also now accept RIPEMD160 signatures if they were made before 2013-02-01
+  - We further accept MD5 signatures made prior to 1997-02-01
+ 
 
 ## 1.2.0
 - Improve exception hierarchy for key-related exceptions

From 4698b6801551279bdcc65b16913e415256dcbcf3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 23 Apr 2022 01:47:44 +0200
Subject: [PATCH 0440/1450] Fix javadoc generation

---
 pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 36582bf0..83b89791 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -472,7 +472,7 @@ public final class Policy {
         }
 
         /**
-         * Hash algorithm policy for revocation signatures, which accepts SHA1 & SHA2 algorithms, as well as RIPEMD160.
+         * Hash algorithm policy for revocation signatures, which accepts SHA1 and SHA2 algorithms, as well as RIPEMD160.
          *
          * @return static revocation signature hash algorithm policy
          */

From 6bf1649cb729c37a0a08614c151196ab2f37e2f1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 26 Apr 2022 00:39:25 +0200
Subject: [PATCH 0441/1450] Bump slf4j to 1.7.36

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index c556858b..928903b4 100644
--- a/version.gradle
+++ b/version.gradle
@@ -9,7 +9,7 @@ allprojects {
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'
-        slf4jVersion = '1.7.32'
+        slf4jVersion = '1.7.36'
         logbackVersion = '1.2.9'
         junitVersion = '5.8.2'
         sopJavaVersion = '1.2.2'

From 249cab6eab8c82576e6b48f901406395c904181e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 26 Apr 2022 00:39:40 +0200
Subject: [PATCH 0442/1450] Bump logback to 1.2.11

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 928903b4..27856c41 100644
--- a/version.gradle
+++ b/version.gradle
@@ -10,7 +10,7 @@ allprojects {
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'
         slf4jVersion = '1.7.36'
-        logbackVersion = '1.2.9'
+        logbackVersion = '1.2.11'
         junitVersion = '5.8.2'
         sopJavaVersion = '1.2.2'
     }

From 009ef616995e52777b6975398ee995f274c32912 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 26 Apr 2022 00:41:39 +0200
Subject: [PATCH 0443/1450] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca3c8c29..f19eb0d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.2.1-SNAPSHOT
 - Bump `sop-java` dependency to `1.2.2`
+- Bump `slf4j` dependency to `1.7.36`
+- Bump `logback` dependency to `1.2.11`
 - Add experimental support for creating signatures over pre-calculated `MessageDigest` objects.
   - `BcHashContextSigner.signHashContext()` can be used to create OpenPGP signatures over manually hashed data.  
     This allows applications to do the hashing themselves.

From 71d5007edcddbf52a06df1b5b4232fb24cee8e44 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 26 Apr 2022 02:11:53 +0200
Subject: [PATCH 0444/1450] Add dependency diagram

---
 ECOSYSTEM.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/ECOSYSTEM.md b/ECOSYSTEM.md
index 0652bdef..b0b4125b 100644
--- a/ECOSYSTEM.md
+++ b/ECOSYSTEM.md
@@ -8,6 +8,45 @@ SPDX-License-Identifier: Apache-2.0
 
 PGPainless consists of an ecosystem of different libraries and projects.
 
+```mermaid
+flowchart TB
+    subgraph SOP-JAVA
+    sop-java-picocli-->sop-java
+    end
+    subgraph PGPAINLESS
+    pgpainless-sop-->pgpainless-core
+    pgpainless-sop-->sop-java
+    pgpainless-cli-->pgpainless-sop
+    pgpainless-cli-->sop-java-picocli
+    end
+    subgraph WKD-JAVA
+    wkd-java-cli-->wkd-java
+    wkd-test-suite-->wkd-java
+    wkd-test-suite-->pgpainless-core
+    end
+    subgraph CERT-D-JAVA
+    pgp-cert-d-java-->pgp-certificate-store
+    pgp-cert-d-java-jdbc-sqlite-lookup-->pgp-cert-d-java
+    end
+    subgraph CERT-D-PGPAINLESS
+    pgpainless-cert-d-->pgpainless-core
+    pgpainless-cert-d-->pgp-cert-d-java
+    pgpainless-cert-d-cli-->pgpainless-cert-d
+    pgpainless-cert-d-cli-->pgp-cert-d-java-jdbc-sqlite-lookup
+    end
+    subgraph VKS-JAVA
+    vks-java-cli-->vks-java
+    end
+    subgraph PGPEASY
+    pgpeasy-->pgpainless-cli
+    pgpeasy-->wkd-java-cli
+    pgpeasy-->vks-java-cli
+    pgpeasy-->pgpainless-cert-d-cli
+    end
+    wkd-java-cli-->pgpainless-cert-d
+    wkd-java-->pgp-certificate-store
+```
+
 ## [PGPainless](https://github.com/pgpainless/pgpainless)
 
 The main repository contains the following components:

From a983f99644b02bee631d9b24cdc7303718ec151f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 29 Apr 2022 17:01:11 +0200
Subject: [PATCH 0445/1450] Bump sop-java to 1.2.3

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 27856c41..b3bd537e 100644
--- a/version.gradle
+++ b/version.gradle
@@ -12,6 +12,6 @@ allprojects {
         slf4jVersion = '1.7.36'
         logbackVersion = '1.2.11'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.2'
+        sopJavaVersion = '1.2.3'
     }
 }

From 3b00eb3334ca7e6d6708abff06b5349aa136bd66 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 29 Apr 2022 17:01:22 +0200
Subject: [PATCH 0446/1450] Update changelog

---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f19eb0d1..e44d2d43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,8 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.2.1-SNAPSHOT
-- Bump `sop-java` dependency to `1.2.2`
+## 1.2.1
+- Bump `sop-java` dependency to `1.2.3`
 - Bump `slf4j` dependency to `1.7.36`
 - Bump `logback` dependency to `1.2.11`
 - Add experimental support for creating signatures over pre-calculated `MessageDigest` objects.

From c3f6ca2ab8d592186d85fac5beea1f451f8e56f5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 29 Apr 2022 17:02:11 +0200
Subject: [PATCH 0447/1450] PGPainless 1.2.1

---
 README.md                | 2 +-
 build.gradle             | 1 +
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 503475d9..e27a0c3d 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.2.0'
+	implementation 'org.pgpainless:pgpainless-core:1.2.1'
 }
 ```
 
diff --git a/build.gradle b/build.gradle
index 33e493f0..3c4db676 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,6 +62,7 @@ allprojects {
 
     repositories {
         mavenCentral()
+        mavenLocal()
     }
 
     // Reproducible Builds
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index a656eb4c..fd635594 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.2.0"
+    implementation "org.pgpainless:pgpainless-sop:1.2.1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.2.0
+        1.2.1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index b3bd537e..d1efa621 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.2.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 51cd75533bb0a468ed6e3e2f74b03918836f0405 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 29 Apr 2022 17:05:59 +0200
Subject: [PATCH 0448/1450] PGPainless 1.2.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index d1efa621..452291ef 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.2.1'
-        isSnapshot = false
+        shortVersion = '1.2.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From b980fcd7b1fff3c12e07cdc8b5f8d47ab0091a27 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 29 Apr 2022 22:49:45 +0200
Subject: [PATCH 0449/1450] EncryptionOptions.addRecipients(collection):
 Disallow empty collections

Fixes #281
---
 .../pgpainless/encryption_signing/EncryptionOptions.java  | 6 ++++++
 .../encryption_signing/EncryptionOptionsTest.java         | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index ca7b8ddb..99059c0a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -107,6 +107,9 @@ public class EncryptionOptions {
      * @return this
      */
     public EncryptionOptions addRecipients(Iterable keys) {
+        if (!keys.iterator().hasNext()) {
+            throw new IllegalArgumentException("Set of recipient keys cannot be empty.");
+        }
         for (PGPPublicKeyRing key : keys) {
             addRecipient(key);
         }
@@ -122,6 +125,9 @@ public class EncryptionOptions {
      * @return this
      */
     public EncryptionOptions addRecipients(@Nonnull Iterable keys, @Nonnull EncryptionKeySelector selector) {
+        if (!keys.iterator().hasNext()) {
+            throw new IllegalArgumentException("Set of recipient keys cannot be empty.");
+        }
         for (PGPPublicKeyRing key : keys) {
             addRecipient(key, selector);
         }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
index 488e5918..40a336e8 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
@@ -116,6 +116,14 @@ public class EncryptionOptionsTest {
         assertTrue(encryptionKeys.contains(encryptStorage));
     }
 
+    @Test
+    public void testAddEmptyRecipientsFails() {
+        EncryptionOptions options = new EncryptionOptions();
+        assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList()));
+        assertThrows(IllegalArgumentException.class, () -> options.addRecipients(Collections.emptyList(),
+                encryptionCapableKeys -> encryptionCapableKeys));
+    }
+
     @Test
     public void testAddEmptyPassphraseFails() {
         EncryptionOptions options = new EncryptionOptions();

From 2b37c4c9cb7ca3c52c9c8327a5d6cabe3d2a7418 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 3 May 2022 11:23:40 +0200
Subject: [PATCH 0450/1450] Deprecate Policy.*.default*Policy() methods in
 favor of methods with more expressive names

You cannot tell, what defaultHashAlgorithmPolicy() really means.
Therefore the default methods were deprecated in favor for more expressive methods
---
 .../java/org/pgpainless/policy/Policy.java    | 73 +++++++++++++++++--
 1 file changed, 65 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index 83b89791..d1eca6ba 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -31,17 +31,17 @@ public final class Policy {
     private static Policy INSTANCE;
 
     private HashAlgorithmPolicy signatureHashAlgorithmPolicy =
-            HashAlgorithmPolicy.defaultSignatureAlgorithmPolicy();
+            HashAlgorithmPolicy.smartSignatureHashAlgorithmPolicy();
     private HashAlgorithmPolicy revocationSignatureHashAlgorithmPolicy =
-            HashAlgorithmPolicy.defaultRevocationSignatureHashAlgorithmPolicy();
+            HashAlgorithmPolicy.smartSignatureHashAlgorithmPolicy();
     private SymmetricKeyAlgorithmPolicy symmetricKeyEncryptionAlgorithmPolicy =
-            SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyEncryptionAlgorithmPolicy();
+            SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022();
     private SymmetricKeyAlgorithmPolicy symmetricKeyDecryptionAlgorithmPolicy =
-            SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyDecryptionAlgorithmPolicy();
+            SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022();
     private CompressionAlgorithmPolicy compressionAlgorithmPolicy =
-            CompressionAlgorithmPolicy.defaultCompressionAlgorithmPolicy();
+            CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy();
     private PublicKeyAlgorithmPolicy publicKeyAlgorithmPolicy =
-            PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy();
+            PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy();
     private final NotationRegistry notationRegistry = new NotationRegistry();
 
     private AlgorithmSuite keyGenerationAlgorithmSuite = AlgorithmSuite.getDefaultAlgorithmSuite();
@@ -249,8 +249,20 @@ public final class Policy {
          * The default symmetric encryption algorithm policy of PGPainless.
          *
          * @return default symmetric encryption algorithm policy
+         * @deprecated not expressive - will be removed in a future release
          */
+        @Deprecated
         public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyEncryptionAlgorithmPolicy() {
+            return symmetricKeyEncryptionPolicy2022();
+        }
+
+        /**
+         * Policy for symmetric encryption algorithms in the context of message production (encryption).
+         * This suite contains algorithms that are deemed safe to use in 2022.
+         *
+         * @return 2022 symmetric key encryption algorithm policy
+         */
+        public static SymmetricKeyAlgorithmPolicy symmetricKeyEncryptionPolicy2022() {
             return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList(
                     // Reject: Unencrypted, IDEA, TripleDES, CAST5, Blowfish
                     SymmetricKeyAlgorithm.AES_256,
@@ -267,8 +279,20 @@ public final class Policy {
          * The default symmetric decryption algorithm policy of PGPainless.
          *
          * @return default symmetric decryption algorithm policy
+         * @deprecated not expressive - will be removed in a future update
          */
+        @Deprecated
         public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyDecryptionAlgorithmPolicy() {
+            return symmetricKeyDecryptionPolicy2022();
+        }
+
+        /**
+         * Policy for symmetric key encryption algorithms in the context of message consumption (decryption).
+         * This suite contains algorithms that are deemed safe to use in 2022.
+         *
+         * @return 2022 symmetric key decryption algorithm policy
+         */
+        public static SymmetricKeyAlgorithmPolicy symmetricKeyDecryptionPolicy2022() {
             return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList(
                     // Reject: Unencrypted, IDEA, TripleDES, Blowfish
                     SymmetricKeyAlgorithm.CAST5,
@@ -414,7 +438,9 @@ public final class Policy {
          * For revocation signatures {@link #defaultRevocationSignatureHashAlgorithmPolicy()} is used instead.
          *
          * @return default signature hash algorithm policy
+         * @deprecated not expressive - will be removed in an upcoming release
          */
+        @Deprecated
         public static HashAlgorithmPolicy defaultSignatureAlgorithmPolicy() {
             return smartSignatureHashAlgorithmPolicy();
         }
@@ -453,7 +479,7 @@ public final class Policy {
          *
          * @return static signature algorithm policy
          */
-        public static HashAlgorithmPolicy static2022SignatureAlgorithmPolicy() {
+        public static HashAlgorithmPolicy static2022SignatureHashAlgorithmPolicy() {
             return new HashAlgorithmPolicy(HashAlgorithm.SHA512, Arrays.asList(
                     HashAlgorithm.SHA224,
                     HashAlgorithm.SHA256,
@@ -466,7 +492,9 @@ public final class Policy {
          * The default revocation signature hash algorithm policy of PGPainless.
          *
          * @return default revocation signature hash algorithm policy
+         * @deprecated not expressive - will be removed in an upcoming release
          */
+        @Deprecated
         public static HashAlgorithmPolicy defaultRevocationSignatureHashAlgorithmPolicy() {
             return smartSignatureHashAlgorithmPolicy();
         }
@@ -517,7 +545,25 @@ public final class Policy {
             return acceptableCompressionAlgorithms.contains(compressionAlgorithm);
         }
 
+        /**
+         * Default {@link CompressionAlgorithmPolicy} of PGPainless.
+         * The default compression algorithm policy accepts any compression algorithm.
+         *
+         * @return default algorithm policy
+         * @deprecated not expressive - might be removed in a future release
+         */
+        @Deprecated
         public static CompressionAlgorithmPolicy defaultCompressionAlgorithmPolicy() {
+            return anyCompressionAlgorithmPolicy();
+        }
+
+        /**
+         * Policy that accepts any known compression algorithm and offers {@link CompressionAlgorithm#ZIP} as
+         * default algorithm.
+         *
+         * @return compression algorithm policy
+         */
+        public static CompressionAlgorithmPolicy anyCompressionAlgorithmPolicy() {
             return new CompressionAlgorithmPolicy(CompressionAlgorithm.ZIP, Arrays.asList(
                     CompressionAlgorithm.UNCOMPRESSED,
                     CompressionAlgorithm.ZIP,
@@ -556,6 +602,17 @@ public final class Policy {
 
         /**
          * Return PGPainless' default public key algorithm policy.
+         * This policy is based upon recommendations made by the German Federal Office for Information Security (BSI).
+         *
+         * @return default algorithm policy
+         * @deprecated not expressive - might be removed in a future release
+         */
+        @Deprecated
+        public static PublicKeyAlgorithmPolicy defaultPublicKeyAlgorithmPolicy() {
+            return bsi2021PublicKeyAlgorithmPolicy();
+        }
+
+        /**
          * This policy is based upon recommendations made by the German Federal Office for Information Security (BSI).
          *
          * Basically this policy requires keys based on elliptic curves to have a bit strength of at least 250,
@@ -567,7 +624,7 @@ public final class Policy {
          *
          * @return default algorithm policy
          */
-        public static PublicKeyAlgorithmPolicy defaultPublicKeyAlgorithmPolicy() {
+        public static PublicKeyAlgorithmPolicy bsi2021PublicKeyAlgorithmPolicy() {
             Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
             // §5.4.1
             minimalBitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 2000);

From 288f1b414b2375f38754d36d859f9beb9397cf5e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 3 May 2022 11:31:19 +0200
Subject: [PATCH 0451/1450] Fix javadoc links

---
 .../src/main/java/org/pgpainless/policy/Policy.java         | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index d1eca6ba..ad9f0635 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -452,8 +452,7 @@ public final class Policy {
          *
          * This policy is inspired by Sequoia-PGP's collision resistant algorithm policy.
          *
-         * @see 
-         *     Sequoia-PGP's Collision Resistant Algorithm Policy
+         * @see Sequoia-PGP's Collision Resistant Algorithm Policy
          *
          * @return smart signature algorithm policy
          */
@@ -618,8 +617,7 @@ public final class Policy {
          * Basically this policy requires keys based on elliptic curves to have a bit strength of at least 250,
          * and keys based on prime number factorization / discrete logarithm problems to have a strength of at least 2000 bits.
          *
-         * @see 
-         *     BSI - Technical Guideline - Cryptographic Mechanisms: Recommendations and Key Lengths (2021-01)
+         * @see BSI - Technical Guideline - Cryptographic Mechanisms: Recommendations and Key Lengths (2021-01)
          * @see BlueKrypt | Cryptographic Key Length Recommendation
          *
          * @return default algorithm policy

From 69f84f24b60006c975c77e84a2de3162cf014653 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 4 May 2022 20:55:29 +0200
Subject: [PATCH 0452/1450] Implement heavy duty packet inspection to figure
 out nature of data

---
 .../DecryptionStreamFactory.java              |   2 +-
 .../OpenPgpInputStream.java                   | 320 ++++++++++++++++--
 .../OpenPgpInputStreamTest.java               |  32 +-
 3 files changed, 328 insertions(+), 26 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index a8847c33..2da18c00 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -140,7 +140,7 @@ public final class DecryptionStreamFactory {
             return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
         }
 
-        if (openPgpIn.isBinaryOpenPgp()) {
+        if (openPgpIn.isLikelyOpenPgpMessage()) {
             outerDecodingStream = openPgpIn;
             objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
             // Parse OpenPGP message
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
index d15f2ffb..fa954f97 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
@@ -4,14 +4,46 @@
 
 package org.pgpainless.decryption_verification;
 
+import static org.bouncycastle.bcpg.PacketTags.COMPRESSED_DATA;
+import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_1;
+import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_2;
+import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_3;
+import static org.bouncycastle.bcpg.PacketTags.EXPERIMENTAL_4;
+import static org.bouncycastle.bcpg.PacketTags.LITERAL_DATA;
+import static org.bouncycastle.bcpg.PacketTags.MARKER;
+import static org.bouncycastle.bcpg.PacketTags.MOD_DETECTION_CODE;
+import static org.bouncycastle.bcpg.PacketTags.ONE_PASS_SIGNATURE;
+import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY;
+import static org.bouncycastle.bcpg.PacketTags.PUBLIC_KEY_ENC_SESSION;
+import static org.bouncycastle.bcpg.PacketTags.PUBLIC_SUBKEY;
+import static org.bouncycastle.bcpg.PacketTags.RESERVED;
+import static org.bouncycastle.bcpg.PacketTags.SECRET_KEY;
+import static org.bouncycastle.bcpg.PacketTags.SECRET_SUBKEY;
+import static org.bouncycastle.bcpg.PacketTags.SIGNATURE;
+import static org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC;
+import static org.bouncycastle.bcpg.PacketTags.SYMMETRIC_KEY_ENC_SESSION;
+import static org.bouncycastle.bcpg.PacketTags.SYM_ENC_INTEGRITY_PRO;
+import static org.bouncycastle.bcpg.PacketTags.TRUST;
+import static org.bouncycastle.bcpg.PacketTags.USER_ATTRIBUTE;
+import static org.bouncycastle.bcpg.PacketTags.USER_ID;
+
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.Charset;
 
-import org.bouncycastle.openpgp.PGPObjectFactory;
-import org.pgpainless.implementation.ImplementationFactory;
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedData;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.PublicKeyAlgorithm;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.algorithm.StreamEncoding;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 
 public class OpenPgpInputStream extends BufferedInputStream {
 
@@ -25,8 +57,9 @@ public class OpenPgpInputStream extends BufferedInputStream {
 
     private boolean containsArmorHeader;
     private boolean containsOpenPgpPackets;
+    private boolean isLikelyOpenPgpMessage;
 
-    public OpenPgpInputStream(InputStream in) throws IOException {
+    public OpenPgpInputStream(InputStream in, boolean check) throws IOException {
         super(in, MAX_BUFFER_SIZE);
 
         mark(MAX_BUFFER_SIZE);
@@ -34,10 +67,16 @@ public class OpenPgpInputStream extends BufferedInputStream {
         bufferLen = read(buffer);
         reset();
 
-        inspectBuffer();
+        if (check) {
+            inspectBuffer();
+        }
     }
 
-    private void inspectBuffer() {
+    public OpenPgpInputStream(InputStream in) throws IOException {
+        this(in, true);
+    }
+
+    private void inspectBuffer() throws IOException {
         if (determineIsArmored()) {
             return;
         }
@@ -61,32 +100,250 @@ public class OpenPgpInputStream extends BufferedInputStream {
      * This breaks down though if we read plausible garbage where the data accidentally makes sense,
      * or valid, yet incomplete packets (remember, we are still only working on a portion of the data).
      */
-    private void determineIsBinaryOpenPgp() {
+    private void determineIsBinaryOpenPgp() throws IOException {
         if (bufferLen == -1) {
             // Empty data
             return;
         }
 
-        try {
-            ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen);
-            PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(bufferIn);
+        ByteArrayInputStream bufferIn = new ByteArrayInputStream(buffer, 0, bufferLen);
+        nonExhaustiveParseAndCheckPlausibility(bufferIn);
+    }
 
-            boolean containsPackets = false;
-            while (objectFactory.nextObject() != null) {
-                containsPackets = true;
-                // read all packets in buffer - hope to confirm invalid data via thrown IOExceptions
+    private void nonExhaustiveParseAndCheckPlausibility(ByteArrayInputStream bufferIn) throws IOException {
+        int hdr = bufferIn.read();
+        if (hdr < 0 || (hdr & 0x80) == 0) {
+            return;
+        }
+
+        boolean newPacket = (hdr & 0x40) != 0;
+        int        tag = 0;
+        int        bodyLen = 0;
+        boolean    partial = false;
+
+        if (newPacket) {
+            tag = hdr & 0x3f;
+
+            int    l = bufferIn.read();
+            if (l < 192) {
+                bodyLen = l;
+            } else if (l <= 223) {
+                int b = bufferIn.read();
+                bodyLen = ((l - 192) << 8) + (b) + 192;
+            } else if (l == 255) {
+                bodyLen = (bufferIn.read() << 24) | (bufferIn.read() << 16) |  (bufferIn.read() << 8)  | bufferIn.read();
+            } else {
+                partial = true;
+                bodyLen = 1 << (l & 0x1f);
             }
-            containsOpenPgpPackets = containsPackets;
+        } else {
+            int lengthType = hdr & 0x3;
+            tag = (hdr & 0x3f) >> 2;
+            switch (lengthType) {
+                case 0:
+                    bodyLen = bufferIn.read();
+                    break;
+                case 1:
+                    bodyLen = (bufferIn.read() << 8) | bufferIn.read();
+                    break;
+                case 2:
+                    bodyLen = (bufferIn.read() << 24) | (bufferIn.read() << 16) | (bufferIn.read() << 8) | bufferIn.read();
+                    break;
+                case 3:
+                    partial = true;
+                    break;
+                default:
+                    return;
+            }
+        }
 
-        } catch (IOException e) {
-            String msg = e.getMessage();
+        if (bodyLen < 0) {
+            return;
+        }
 
-            // If true, we *probably* hit valid, but large OpenPGP data (not sure though) :/
-            // Otherwise we hit garbage and can be sure that this is no OpenPGP data \o/
-            containsOpenPgpPackets = (msg != null && msg.contains("premature end of stream in PartialInputStream"));
+        BCPGInputStream bcpgIn = new BCPGInputStream(bufferIn);
+        switch (tag) {
+            case RESERVED:
+                // How to handle this? Probably discard as garbage...
+                return;
 
-            // This is not an optimal way of determining the nature of data, but probably the best
-            // we can do :/
+            case PUBLIC_KEY_ENC_SESSION:
+                int pkeskVersion = bcpgIn.read();
+                if (pkeskVersion <= 0 || pkeskVersion > 5) {
+                    return;
+                }
+
+                // Skip Key-ID
+                for (int i = 0; i < 8; i++) {
+                    bcpgIn.read();
+                }
+
+                int pkeskAlg = bcpgIn.read();
+                if (PublicKeyAlgorithm.fromId(pkeskAlg) == null) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case SIGNATURE:
+                int sigVersion = bcpgIn.read();
+                int sigType;
+                if (sigVersion == 2 || sigVersion == 3) {
+                    int l = bcpgIn.read();
+                    sigType = bcpgIn.read();
+                } else if (sigVersion == 4 || sigVersion == 5) {
+                    sigType = bcpgIn.read();
+                } else {
+                    return;
+                }
+
+                try {
+                    SignatureType.valueOf(sigType);
+                } catch (IllegalArgumentException e) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case SYMMETRIC_KEY_ENC_SESSION:
+                int skeskVersion = bcpgIn.read();
+                if (skeskVersion == 4) {
+                    int skeskAlg = bcpgIn.read();
+                    if (SymmetricKeyAlgorithm.fromId(skeskAlg) == null) {
+                        return;
+                    }
+                    // TODO: Parse S2K?
+                } else {
+                    return;
+                }
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case ONE_PASS_SIGNATURE:
+                int opsVersion = bcpgIn.read();
+                if (opsVersion == 3) {
+                    int opsSigType = bcpgIn.read();
+                    try {
+                        SignatureType.valueOf(opsSigType);
+                    } catch (IllegalArgumentException e) {
+                        return;
+                    }
+                    int opsHashAlg = bcpgIn.read();
+                    if (HashAlgorithm.fromId(opsHashAlg) == null) {
+                        return;
+                    }
+                    int opsKeyAlg = bcpgIn.read();
+                    if (PublicKeyAlgorithm.fromId(opsKeyAlg) == null) {
+                        return;
+                    }
+                } else {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case SECRET_KEY:
+            case PUBLIC_KEY:
+            case SECRET_SUBKEY:
+            case PUBLIC_SUBKEY:
+                int keyVersion = bcpgIn.read();
+                for (int i = 0; i < 4; i++) {
+                    // Creation time
+                    bcpgIn.read();
+                }
+                if (keyVersion == 3) {
+                    long validDays = (in.read() << 8) | in.read();
+                    if (validDays < 0) {
+                        return;
+                    }
+                } else if (keyVersion == 4) {
+
+                } else if (keyVersion == 5) {
+
+                } else {
+                    return;
+                }
+                int keyAlg = bcpgIn.read();
+                if (PublicKeyAlgorithm.fromId(keyAlg) == null) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                break;
+
+            case COMPRESSED_DATA:
+                int compAlg = bcpgIn.read();
+                if (CompressionAlgorithm.fromId(compAlg) == null) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case SYMMETRIC_KEY_ENC:
+                // No data to compare :(
+                containsOpenPgpPackets = true;
+                break;
+
+            case MARKER:
+                byte[] marker = new byte[3];
+                bcpgIn.readFully(marker);
+                if (marker[0] != 0x50 || marker[1] != 0x47 || marker[2] != 0x50) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                break;
+
+            case LITERAL_DATA:
+                int format = bcpgIn.read();
+                if (StreamEncoding.fromCode(format) == null) {
+                    return;
+                }
+
+                containsOpenPgpPackets = true;
+                isLikelyOpenPgpMessage = true;
+                break;
+
+            case TRUST:
+            case USER_ID:
+            case USER_ATTRIBUTE:
+                // Not much to compare
+                containsOpenPgpPackets = true;
+                break;
+
+            case SYM_ENC_INTEGRITY_PRO:
+                int seipVersion = bcpgIn.read();
+                if (seipVersion != 1) {
+                    return;
+                }
+                isLikelyOpenPgpMessage = true;
+                containsOpenPgpPackets = true;
+                break;
+
+            case MOD_DETECTION_CODE:
+                byte[] digest = new byte[20];
+                bcpgIn.readFully(digest);
+
+                containsOpenPgpPackets = true;
+                break;
+
+            case EXPERIMENTAL_1:
+            case EXPERIMENTAL_2:
+            case EXPERIMENTAL_3:
+            case EXPERIMENTAL_4:
+                return;
+            default:
+                containsOpenPgpPackets = false;
+                break;
         }
     }
 
@@ -119,10 +376,31 @@ public class OpenPgpInputStream extends BufferedInputStream {
         return containsArmorHeader;
     }
 
+    /**
+     * Return true, if the data is possibly binary OpenPGP.
+     * The criterion for this are less strict than for {@link #isLikelyOpenPgpMessage()},
+     * as it also accepts other OpenPGP packets at the beginning of the data stream.
+     *
+     * Use with caution.
+     *
+     * @return true if data appears to be binary OpenPGP data
+     */
     public boolean isBinaryOpenPgp() {
         return containsOpenPgpPackets;
     }
 
+    /**
+     * Returns true, if the underlying data is very likely (more than 99,9%) an OpenPGP message.
+     * OpenPGP Message means here that it starts with either an {@link PGPEncryptedData},
+     * {@link PGPCompressedData}, {@link PGPOnePassSignature} or {@link PGPLiteralData} packet.
+     * The plausability of these data packets is checked as far as possible.
+     *
+     * @return true if likely OpenPGP message
+     */
+    public boolean isLikelyOpenPgpMessage() {
+        return isLikelyOpenPgpMessage;
+    }
+
     public boolean isNonOpenPgp() {
         return !isAsciiArmored() && !isBinaryOpenPgp();
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
index f416ea7f..67719886 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
@@ -11,18 +11,22 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.Random;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.bcpg.CompressionAlgorithmTags;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
 
 public class OpenPgpInputStreamTest {
 
     private static final Random RANDOM = new Random();
 
-    @Test
+    @RepeatedTest(10)
     public void randomBytesDoNotContainOpenPgpData() throws IOException {
         byte[] randomBytes = new byte[1000000];
         RANDOM.nextBytes(randomBytes);
@@ -30,13 +34,33 @@ public class OpenPgpInputStreamTest {
 
         OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(randomIn);
         assertFalse(openPgpInputStream.isAsciiArmored());
-        assertFalse(openPgpInputStream.isBinaryOpenPgp());
-        assertTrue(openPgpInputStream.isNonOpenPgp());
+        assertFalse(openPgpInputStream.isLikelyOpenPgpMessage());
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(openPgpInputStream, out);
+        byte[] outBytes = out.toByteArray();
 
-        assertArrayEquals(randomBytes, out.toByteArray());
+        assertArrayEquals(randomBytes, outBytes);
+    }
+
+    @RepeatedTest(10)
+    public void largeCompressedDataIsBinaryOpenPgp() throws IOException {
+        // Since we are compressing RANDOM data, the output will likely be roughly the same size
+        // So we very likely will end up with data larger than the MAX_BUFFER_SIZE
+        byte[] randomBytes = new byte[OpenPgpInputStream.MAX_BUFFER_SIZE * 10];
+        RANDOM.nextBytes(randomBytes);
+
+        ByteArrayOutputStream compressedDataPacket = new ByteArrayOutputStream();
+        PGPCompressedDataGenerator compressedDataGenerator = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compressor = compressedDataGenerator.open(compressedDataPacket);
+        compressor.write(randomBytes);
+        compressor.close();
+
+        OpenPgpInputStream inputStream = new OpenPgpInputStream(new ByteArrayInputStream(compressedDataPacket.toByteArray()));
+        assertFalse(inputStream.isAsciiArmored());
+        assertFalse(inputStream.isNonOpenPgp());
+        assertTrue(inputStream.isBinaryOpenPgp());
+        assertTrue(inputStream.isLikelyOpenPgpMessage());
     }
 
     @Test

From 826331917fd8bcad6c116a9b6a8deefd6ee0a27f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 5 May 2022 11:15:19 +0200
Subject: [PATCH 0453/1450] Add comments to unexhaustive parsing method

---
 .../decryption_verification/OpenPgpInputStream.java           | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
index fa954f97..cccbe250 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
@@ -111,6 +111,7 @@ public class OpenPgpInputStream extends BufferedInputStream {
     }
 
     private void nonExhaustiveParseAndCheckPlausibility(ByteArrayInputStream bufferIn) throws IOException {
+        // Read the packet header
         int hdr = bufferIn.read();
         if (hdr < 0 || (hdr & 0x80) == 0) {
             return;
@@ -121,6 +122,7 @@ public class OpenPgpInputStream extends BufferedInputStream {
         int        bodyLen = 0;
         boolean    partial = false;
 
+        // Determine the packet length
         if (newPacket) {
             tag = hdr & 0x3f;
 
@@ -157,10 +159,12 @@ public class OpenPgpInputStream extends BufferedInputStream {
             }
         }
 
+        // Negative body length -> garbage
         if (bodyLen < 0) {
             return;
         }
 
+        // Try to unexhaustively parse the first packet bit by bit and check for plausibility
         BCPGInputStream bcpgIn = new BCPGInputStream(bufferIn);
         switch (tag) {
             case RESERVED:

From 4c72bc2a8ed46d5f314d559d0721dc009f60a174 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 5 May 2022 11:19:23 +0200
Subject: [PATCH 0454/1450] Update changelog

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e44d2d43..f125f2f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.2.2
+- `EncryptionOptions.addRecipients(collection)`: Disallow empty collections to prevent misuse from resulting in unencrypted messages
+- Deprecate default policy factory methods in favor of policy factory methods with expressive names
+- Another fix for OpenPGP data detection
+  - We now inspect the first packet of the data stream to figure out, whether it is plausible OpenPGP data, without exhausting the stream
+
 ## 1.2.1
 - Bump `sop-java` dependency to `1.2.3`
 - Bump `slf4j` dependency to `1.7.36`

From ae3004a2216d563a38bd9e226d55f3940cd1c430 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 5 May 2022 11:22:59 +0200
Subject: [PATCH 0455/1450] PGPainless 1.2.2

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index e27a0c3d..ea004600 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.2.1'
+	implementation 'org.pgpainless:pgpainless-core:1.2.2'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index fd635594..27546b3c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.2.1"
+    implementation "org.pgpainless:pgpainless-sop:1.2.2"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.2.1
+        1.2.2
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 452291ef..e81f0793 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.2.2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 7b7707b3a9e3bc9621cd1516772244d543bf97f8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 5 May 2022 11:25:32 +0200
Subject: [PATCH 0456/1450] PGPainless 1.2.3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index e81f0793..f890e8d6 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.2.2'
-        isSnapshot = false
+        shortVersion = '1.2.3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 64a50266f1476127db69ddcd4d1e423b2552d308 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 5 May 2022 12:43:44 +0200
Subject: [PATCH 0457/1450] Test for detection of uncompressed, signed
 messages, and improve decryption of seip messages

---
 .../DecryptionStreamFactory.java              |  5 ++-
 .../OpenPgpInputStream.java                   | 11 +++---
 .../OpenPgpInputStreamTest.java               | 38 ++++++++++++++++++-
 3 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 2da18c00..1913444e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -140,7 +140,10 @@ public final class DecryptionStreamFactory {
             return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
         }
 
-        if (openPgpIn.isLikelyOpenPgpMessage()) {
+        // Data appears to be OpenPGP message,
+        //  or we handle it as such, since user provided a session-key for decryption
+        if (openPgpIn.isLikelyOpenPgpMessage() ||
+                (openPgpIn.isBinaryOpenPgp() && options.getSessionKey() != null)) {
             outerDecodingStream = openPgpIn;
             objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
             // Parse OpenPGP message
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
index cccbe250..669c2dec 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpInputStream.java
@@ -77,14 +77,14 @@ public class OpenPgpInputStream extends BufferedInputStream {
     }
 
     private void inspectBuffer() throws IOException {
-        if (determineIsArmored()) {
+        if (checkForAsciiArmor()) {
             return;
         }
 
-        determineIsBinaryOpenPgp();
+        checkForBinaryOpenPgp();
     }
 
-    private boolean determineIsArmored() {
+    private boolean checkForAsciiArmor() {
         if (startsWithIgnoringWhitespace(buffer, ARMOR_HEADER, bufferLen)) {
             containsArmorHeader = true;
             return true;
@@ -100,7 +100,7 @@ public class OpenPgpInputStream extends BufferedInputStream {
      * This breaks down though if we read plausible garbage where the data accidentally makes sense,
      * or valid, yet incomplete packets (remember, we are still only working on a portion of the data).
      */
-    private void determineIsBinaryOpenPgp() throws IOException {
+    private void checkForBinaryOpenPgp() throws IOException {
         if (bufferLen == -1) {
             // Empty data
             return;
@@ -210,7 +210,6 @@ public class OpenPgpInputStream extends BufferedInputStream {
                 }
 
                 containsOpenPgpPackets = true;
-                isLikelyOpenPgpMessage = true;
                 break;
 
             case SYMMETRIC_KEY_ENC_SESSION:
@@ -295,6 +294,8 @@ public class OpenPgpInputStream extends BufferedInputStream {
             case SYMMETRIC_KEY_ENC:
                 // No data to compare :(
                 containsOpenPgpPackets = true;
+                // While this is a valid OpenPGP message, enabling the line below would lead to too many false positives
+                // isLikelyOpenPgpMessage = true;
                 break;
 
             case MARKER:
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
index 67719886..c2a24c76 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
@@ -13,20 +13,30 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Random;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.CompressionAlgorithmTags;
 import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 
 public class OpenPgpInputStreamTest {
 
     private static final Random RANDOM = new Random();
 
-    @RepeatedTest(10)
+    @RepeatedTest(100)
     public void randomBytesDoNotContainOpenPgpData() throws IOException {
         byte[] randomBytes = new byte[1000000];
         RANDOM.nextBytes(randomBytes);
@@ -43,7 +53,7 @@ public class OpenPgpInputStreamTest {
         assertArrayEquals(randomBytes, outBytes);
     }
 
-    @RepeatedTest(10)
+    @Test
     public void largeCompressedDataIsBinaryOpenPgp() throws IOException {
         // Since we are compressing RANDOM data, the output will likely be roughly the same size
         // So we very likely will end up with data larger than the MAX_BUFFER_SIZE
@@ -725,4 +735,28 @@ public class OpenPgpInputStreamTest {
         assertFalse(openPgpInputStream.isAsciiArmored());
         assertTrue(openPgpInputStream.isNonOpenPgp());
     }
+
+    @Test
+    public void testSignedMessageConsumption() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8));
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
+                .modernKeyRing("Sigmund ", null);
+
+        ByteArrayOutputStream signedOut = new ByteArrayOutputStream();
+        EncryptionStream signer = PGPainless.encryptAndOrSign()
+                .onOutputStream(signedOut)
+                .withOptions(ProducerOptions.sign(new SigningOptions()
+                                .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys))
+                        .setAsciiArmor(false)
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
+
+        Streams.pipeAll(plaintext, signer);
+        signer.close();
+
+        byte[] binary = signedOut.toByteArray();
+
+        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(new ByteArrayInputStream(binary));
+        assertFalse(openPgpIn.isAsciiArmored());
+        assertTrue(openPgpIn.isLikelyOpenPgpMessage());
+    }
 }

From 3e7e6df3f9ac37633773bd18a17cf9d9c6d9f409 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 14:11:39 +0200
Subject: [PATCH 0458/1450] Disallow stripping of primary secret keys

---
 .../src/main/java/org/pgpainless/key/util/KeyRingUtils.java  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index a7a2b0b9..dd366e46 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -451,6 +451,11 @@ public final class KeyRingUtils {
     public static PGPSecretKeyRing stripSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
                                                    long secretKeyId)
             throws IOException, PGPException {
+        
+        if (secretKeys.getPublicKey().getKeyID() == secretKeyId) {
+            throw new IllegalArgumentException("Bouncy Castle currently cannot deal with stripped secret primary keys.");
+        }
+
         if (secretKeys.getSecretKey(secretKeyId) == null) {
             throw new NoSuchElementException("PGPSecretKeyRing does not contain secret key " + Long.toHexString(secretKeyId));
         }

From 374e6452f0d49384f3540255024e68fe31a6ecdb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 14:12:18 +0200
Subject: [PATCH 0459/1450] Add RevokedKeyException

---
 .../main/java/org/pgpainless/exception/KeyException.java   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
index 7ffc66ee..66c5d2cf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/KeyException.java
@@ -38,6 +38,13 @@ public abstract class KeyException extends RuntimeException {
         }
     }
 
+    public static class RevokedKeyException extends KeyException {
+
+        public RevokedKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
+            super("Key " + fingerprint + " appears to be revoked.", fingerprint);
+        }
+    }
+
     public static class UnacceptableEncryptionKeyException extends KeyException {
 
         public UnacceptableEncryptionKeyException(@Nonnull OpenPgpFingerprint fingerprint) {

From d3f412873bd0b8db6e5a5fadf4eab41270082710 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 21:44:52 +0200
Subject: [PATCH 0460/1450] Fix checkstyle issues

---
 .../src/main/java/org/pgpainless/key/util/KeyRingUtils.java   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index dd366e46..8306db34 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -449,9 +449,9 @@ public final class KeyRingUtils {
      */
     @Nonnull
     public static PGPSecretKeyRing stripSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
-                                                   long secretKeyId)
+                                                  long secretKeyId)
             throws IOException, PGPException {
-        
+
         if (secretKeys.getPublicKey().getKeyID() == secretKeyId) {
             throw new IllegalArgumentException("Bouncy Castle currently cannot deal with stripped secret primary keys.");
         }

From 49d65788b48018bf2e194b21ab392b7c7c7c8d55 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 21:46:03 +0200
Subject: [PATCH 0461/1450] Remove support for processing compressed detached
 signatures

Signatures are indistinguishable from randomness, so there is no point in
compressing them, apart from attempting to exploit flaws in compression
algorithms.
Thanks to @DemiMarie for pointing this out

Fixes #286
---
 .../pgpainless/signature/SignatureUtils.java  |  8 +-------
 .../signature/SignatureUtilsTest.java         | 19 -------------------
 2 files changed, 1 insertion(+), 26 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 1ebbdda4..cfbf4ce4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -17,7 +17,6 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
-import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -232,7 +231,7 @@ public final class SignatureUtils {
 
     /**
      * Read and return {@link PGPSignature PGPSignatures}.
-     * This method can deal with signatures that may be armored, compressed and may contain marker packets.
+     * This method can deal with signatures that may be binary, armored and may contain marker packets.
      *
      * @param inputStream input stream
      * @param maxIterations number of loop iterations until reading is aborted
@@ -248,11 +247,6 @@ public final class SignatureUtils {
         int i = 0;
         Object nextObject;
         while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
-            if (nextObject instanceof PGPCompressedData) {
-                PGPCompressedData compressedData = (PGPCompressedData) nextObject;
-                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
-            }
-
             if (nextObject instanceof PGPSignatureList) {
                 PGPSignatureList signatureList = (PGPSignatureList) nextObject;
                 for (PGPSignature s : signatureList) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index 296f20a8..87dd75c2 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@@ -12,28 +12,9 @@ import java.util.List;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.key.util.KeyIdUtil;
 
 public class SignatureUtilsTest {
 
-    @Test
-    public void readSignaturesFromCompressedData() throws PGPException, IOException {
-        String compressed = "-----BEGIN PGP MESSAGE-----\n" +
-                "Version: PGPainless\n" +
-                "\n" +
-                "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
-                "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
-                "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
-                "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
-                "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
-                "=yZ18\n" +
-                "-----END PGP MESSAGE-----";
-        List signatures = SignatureUtils.readSignatures(compressed);
-        assertEquals(2, signatures.size());
-        assertEquals(KeyIdUtil.fromLongKeyId("5736E6931ACF370C"), signatures.get(0).getKeyID());
-        assertEquals(KeyIdUtil.fromLongKeyId("F49AAA6B067BAB28"), signatures.get(1).getKeyID());
-    }
-
     @Test
     public void noIssuerResultsInKeyId0() throws PGPException, IOException {
         String sig = "-----BEGIN PGP SIGNATURE-----\n" +

From be6c16079e041adfa705b5bec02d983961d831ba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 22:15:13 +0200
Subject: [PATCH 0462/1450] Switch to version agnostic SOP spec URL

---
 pgpainless-cli/README.md | 2 +-
 pgpainless-sop/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-cli/README.md b/pgpainless-cli/README.md
index d1d72afc..f3cf2861 100644
--- a/pgpainless-cli/README.md
+++ b/pgpainless-cli/README.md
@@ -8,7 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 
 [![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-cli/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-cli)
 
-PGPainless-CLI is an implementation of the [Stateless OpenPGP Command Line Interface](https://tools.ietf.org/html/draft-dkg-openpgp-stateless-cli-01) specification based on PGPainless.
+PGPainless-CLI is an implementation of the [Stateless OpenPGP Command Line Interface](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/) specification based on PGPainless.
 
 It plugs `pgpainless-sop` into `sop-java-picocli`.
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 27546b3c..0ef67686 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-SOP
 
-[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-03)
+[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-sop)](https://search.maven.org/artifact/org.pgpainless/pgpainless-sop)
 [![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-sop/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-sop)
 

From ba767cc7ed298098cd8ca57c88ac93bcdd45eded Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 22:29:17 +0200
Subject: [PATCH 0463/1450] Add NGI and Flowcrypt logo svgs

---
 assets/NGIAssure_tag.svg  | 1 +
 assets/flowcrypt-logo.svg | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 assets/NGIAssure_tag.svg
 create mode 100644 assets/flowcrypt-logo.svg

diff --git a/assets/NGIAssure_tag.svg b/assets/NGIAssure_tag.svg
new file mode 100644
index 00000000..62b7c127
--- /dev/null
+++ b/assets/NGIAssure_tag.svg
@@ -0,0 +1 @@
+Logo-NGIAssure-tag
diff --git a/assets/flowcrypt-logo.svg b/assets/flowcrypt-logo.svg
new file mode 100644
index 00000000..a6bf4919
--- /dev/null
+++ b/assets/flowcrypt-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file

From 08ec140b63437c55af6f53e581a38bf2b0a514e8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 22:49:22 +0200
Subject: [PATCH 0464/1450] Add Logos for FlowCrypt and NGI and add NGI info

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index ea004600..3dbb435f 100644
--- a/README.md
+++ b/README.md
@@ -231,5 +231,10 @@ Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part o
 
 ## Acknowledgements
 Development on PGPainless is generously sponsored by [FlowCrypt.com](https://flowcrypt.com). Thank you very very very much!
+[![FlowCrypt Logo](https://raw.githubusercontent.com/pgpainless/pgpainless/main/assets/flowcrypt-logo.svg)](https://flowcrypt.com)
+
+Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainless/)) will be funded by [NGI Assure](https://nlnet.nl/assure/) through [NLNet](https://nlnet.nl).  
+NGI Assure is made possible with financial support from the [European Commission](https://ec.europa.eu/)'s [Next Generation Internet](https://ngi.eu/) programme, under the aegis of [DG Communications Networks, Content and Technology](https://ec.europa.eu/info/departments/communications-networks-content-and-technology_en).
+[![NGI Assure Logo](https://raw.githubusercontent.com/pgpainless/pgpainless/main/assets/NGIAssure_tag.svg)](https://nlnet.nl/assure/)
 
 Continuous Integration is kindly provided by [Travis-CI.com](https://travis-ci.com/).

From 12e62d381c38a43aec442dbd187cc1f42fe22eae Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 8 May 2022 11:24:34 +0200
Subject: [PATCH 0465/1450] Make readSignatures skip over compressed data
 packets without decompression.

---
 .../org/pgpainless/signature/SignatureUtils.java |  7 +++++++
 .../pgpainless/signature/SignatureUtilsTest.java | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index cfbf4ce4..5d68e8b9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -17,6 +17,7 @@ import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
+import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -26,6 +27,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
@@ -247,6 +249,11 @@ public final class SignatureUtils {
         int i = 0;
         Object nextObject;
         while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
+            if (nextObject instanceof PGPCompressedData) {
+                PGPCompressedData compressedData = (PGPCompressedData) nextObject;
+                Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
+            }
+
             if (nextObject instanceof PGPSignatureList) {
                 PGPSignatureList signatureList = (PGPSignatureList) nextObject;
                 for (PGPSignature s : signatureList) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index 87dd75c2..757f28e6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@@ -15,6 +15,22 @@ import org.junit.jupiter.api.Test;
 
 public class SignatureUtilsTest {
 
+    @Test
+    public void readSignaturesFromCompressedDataDoesNotAttemptDecompression() throws PGPException, IOException {
+        String compressed = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "owHrKGVhEOZiYGNlSoxcsJtBkVMg3OzZZKnz5jxiiiz+aTG+h46kcR9zinOECZ/o\n" +
+                "YmTYsKve/opb3v/o8J0qq1/MFFBhP9jfEq+/avK6qPMrlh70Zfinu96c+cncX9GK\n" +
+                "B4ui3fUfbUo8tFrVTIRn7kROq69H77hd6cCw9susVdls1as1gNYunnp5V8Qp+wX3\n" +
+                "+jUnwoRB1p4SfPk412lb/cSmShb211fOX07h0JxVH1JXsc/vi2mi5ieG/2Xxb5tk\n" +
+                "LE+r7WwruxSaeXLuLsOmXTPZD0/VtvlqO89RYjsA\n" +
+                "=yZ18\n" +
+                "-----END PGP MESSAGE-----";
+        List signatures = SignatureUtils.readSignatures(compressed);
+        assertEquals(0, signatures.size());
+    }
+
     @Test
     public void noIssuerResultsInKeyId0() throws PGPException, IOException {
         String sig = "-----BEGIN PGP SIGNATURE-----\n" +

From 8fd67da973f3b51717536698483fb5d033ae1079 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 8 May 2022 11:34:56 +0200
Subject: [PATCH 0466/1450] Add comment about readSignatures skipping
 compressed data packets

---
 .../main/java/org/pgpainless/signature/SignatureUtils.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 5d68e8b9..f002d5cd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -249,8 +249,13 @@ public final class SignatureUtils {
         int i = 0;
         Object nextObject;
         while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
+
+            // Since signatures are indistinguishable from randomness, there is no point in having them compressed,
+            //  except for an attacker who is trying to exploit flaws in the decompression algorithm.
+            //  Therefore, we ignore compressed data packets without attempting decompression.
             if (nextObject instanceof PGPCompressedData) {
                 PGPCompressedData compressedData = (PGPCompressedData) nextObject;
+                // getInputStream() does not do decompression, contrary to getDataStream().
                 Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
             }
 

From c510551f1624b9cdc240b920976ba02ecc53caef Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 12 May 2022 18:16:44 +0200
Subject: [PATCH 0467/1450] Move Flowcrypt and NGI logos to external host

---
 README.md                 | 4 ++--
 assets/NGIAssure_tag.svg  | 1 -
 assets/flowcrypt-logo.svg | 1 -
 3 files changed, 2 insertions(+), 4 deletions(-)
 delete mode 100644 assets/NGIAssure_tag.svg
 delete mode 100644 assets/flowcrypt-logo.svg

diff --git a/README.md b/README.md
index 3dbb435f..edd6a245 100644
--- a/README.md
+++ b/README.md
@@ -231,10 +231,10 @@ Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part o
 
 ## Acknowledgements
 Development on PGPainless is generously sponsored by [FlowCrypt.com](https://flowcrypt.com). Thank you very very very much!
-[![FlowCrypt Logo](https://raw.githubusercontent.com/pgpainless/pgpainless/main/assets/flowcrypt-logo.svg)](https://flowcrypt.com)
+[![FlowCrypt Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/flowcrypt-logo.svg)](https://flowcrypt.com)
 
 Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainless/)) will be funded by [NGI Assure](https://nlnet.nl/assure/) through [NLNet](https://nlnet.nl).  
 NGI Assure is made possible with financial support from the [European Commission](https://ec.europa.eu/)'s [Next Generation Internet](https://ngi.eu/) programme, under the aegis of [DG Communications Networks, Content and Technology](https://ec.europa.eu/info/departments/communications-networks-content-and-technology_en).
-[![NGI Assure Logo](https://raw.githubusercontent.com/pgpainless/pgpainless/main/assets/NGIAssure_tag.svg)](https://nlnet.nl/assure/)
+[![NGI Assure Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/NGIAssure_tag.svg)](https://nlnet.nl/assure/)
 
 Continuous Integration is kindly provided by [Travis-CI.com](https://travis-ci.com/).
diff --git a/assets/NGIAssure_tag.svg b/assets/NGIAssure_tag.svg
deleted file mode 100644
index 62b7c127..00000000
--- a/assets/NGIAssure_tag.svg
+++ /dev/null
@@ -1 +0,0 @@
-Logo-NGIAssure-tag
diff --git a/assets/flowcrypt-logo.svg b/assets/flowcrypt-logo.svg
deleted file mode 100644
index a6bf4919..00000000
--- a/assets/flowcrypt-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file

From 51baa0e5cbad25cd6e952f35737e12657b13d487 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 17 May 2022 18:12:37 +0200
Subject: [PATCH 0468/1450] Add modernKeyRing(userId) shortcut method

---
 .../key/generation/KeyRingTemplates.java          | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 0d663ff9..41d39a1a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -188,6 +188,21 @@ public final class KeyRingTemplates {
         return builder.build();
     }
 
+    /**
+     * Generate a modern PGP key ring consisting of an ed25519 EdDSA primary key which is used to certify
+     * an X25519 XDH encryption subkey and an ed25519 EdDSA signing key.
+     *
+     * @param userId primary user id
+     * @return key ring
+     *
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
+     */
+    public PGPSecretKeyRing modernKeyRing(String userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        return modernKeyRing(userId, null);
+    }
+
     /**
      * Generate a modern PGP key ring consisting of an ed25519 EdDSA primary key which is used to certify
      * an X25519 XDH encryption subkey and an ed25519 EdDSA signing key.

From 77d010ec941c8ac56010ff09608683db6f49e00d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 17 May 2022 18:15:54 +0200
Subject: [PATCH 0469/1450] Add CollectionUtils.addAll(iterator, collection)

---
 .../java/org/pgpainless/util/CollectionUtils.java  | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java
index e4414b31..e901eecc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/CollectionUtils.java
@@ -6,6 +6,7 @@ package org.pgpainless.util;
 
 import java.lang.reflect.Array;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 
@@ -60,4 +61,17 @@ public final class CollectionUtils {
         }
         return false;
     }
+
+    /**
+     * Add all items from the iterator to the collection.
+     *
+     * @param         type of item
+     * @param iterator   iterator to gather items from
+     * @param collection collection to add items to
+     */
+    public static  void addAll(Iterator iterator, Collection collection) {
+        while (iterator.hasNext()) {
+            collection.add(iterator.next());
+        }
+    }
 }

From 1a37058c66fd4832743a95a42b2999f3ae038309 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 17 May 2022 18:31:10 +0200
Subject: [PATCH 0470/1450] Add SignatureUtils.getSignaturesForUserIdBy(key,
 userId, keyId)

---
 .../pgpainless/signature/SignatureUtils.java  | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index f002d5cd..9b86f575 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -9,7 +9,9 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 
@@ -40,6 +42,8 @@ import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 import org.pgpainless.util.ArmorUtils;
 
+import javax.annotation.Nonnull;
+
 /**
  * Utility methods related to signatures.
  */
@@ -333,4 +337,36 @@ public final class SignatureUtils {
 
         return fp.equals(issuerFp);
     }
+
+    /**
+     * Extract all signatures from the given 
key
 which were issued by 
issuerKeyId

+     * over 
userId
.
+     *
+     * @param key public key
+     * @param userId user-id
+     * @param issuerKeyId issuer key-id
+     * @return (potentially empty) list of signatures
+     */
+    public static @Nonnull List getSignaturesOverUserIdBy(
+            @Nonnull PGPPublicKey key,
+            @Nonnull String userId,
+            long issuerKeyId) {
+        List signaturesByKeyId = new ArrayList<>();
+        Iterator userIdSignatures = key.getSignaturesForID(userId);
+
+        // getSignaturesForID() is nullable -.-
+        if (userIdSignatures == null) {
+            return signaturesByKeyId;
+        }
+
+        // filter for signatures by key-id
+        while (userIdSignatures.hasNext()) {
+            PGPSignature signature = userIdSignatures.next();
+            if (signature.getKeyID() == issuerKeyId) {
+                signaturesByKeyId.add(signature);
+            }
+        }
+
+        return Collections.unmodifiableList(signaturesByKeyId);
+    }
 }

From 3a9bfd57ac371a84a59563ebf19c0deccbc96f18 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 17 May 2022 18:32:18 +0200
Subject: [PATCH 0471/1450] Add test for
 SignatureUtils.getSignaturesForUserIdBy()

---
 .../signature/SignatureUtilsTest.java         | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index 757f28e6..ac67d2de 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@@ -10,8 +10,11 @@ import java.io.IOException;
 import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
 
 public class SignatureUtilsTest {
 
@@ -83,4 +86,56 @@ public class SignatureUtilsTest {
         List signatures = SignatureUtils.readSignatures(sigs);
         assertEquals(1, signatures.size()); // first sig gets skipped
     }
+
+    @Test
+    public void testGetSignaturesOverUserIdBy() throws IOException {
+        String alice = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+                "Version: PGPainless\n" +
+                "Comment: 9CA2 8D6D DBA6 BCF1 23A4  2775 0EB5 08CD 1714 B46A\n" +
+                "Comment: Alice \n" +
+                "Comment: 1 further identity\n" +
+                "\n" +
+                "mDMEYoPLwhYJKwYBBAHaRw8BAQdAnuduN87Gu2qvsfdRxLP83strq+doPNP8Hx2J\n" +
+                "esvaN0+0GUFsaWNlIDxhbGljZUBleG1hcGxlLmNvbT6IjwQTFgoAQQUCYoPLwgkQ\n" +
+                "DrUIzRcUtGoWIQScoo1t26a88SOkJ3UOtQjNFxS0agKeAQKbAQUWAgMBAAQLCQgH\n" +
+                "BRUKCQgLApkBAABRRwD+II62grSOGKDyBYMLTfCNQejcazQYWoSVyJiD308CRxgA\n" +
+                "/2H6kTXaV+Lk2+te/yZ3aeAd1wFBDe2HRelrMy4074gMiHUEEBYKACcFAmKDy8IJ\n" +
+                "EE3a6g4UHIzBFiEE0VukWebIQb/PImHfTdrqDhQcjMEAAOjCAQCcCQySwr/8VgW8\n" +
+                "Ww+pKM21gWWSGMazMqAcDwqnCrebtAEAiU2PtfWGFZc6VVdsMI1GOcRp++fz+AJ5\n" +
+                "fqzWZ+QBBgK0LUFsaWNlIEV4YW1wbGUgPGFsaWNlQGV4YW1wbGUuY29tPiBbZnJv\n" +
+                "bSB3b3JrXYh1BBAWCgAnBQJig8vCCRC2GO3iDTVMtxYhBKl1XHhzEUcOxqNPwLYY\n" +
+                "7eINNUy3AADMFQD+Pcfk5nT7P4KDBxYiLs8Jct3dWLoOMR7dY9jn43d4Q6IBANWy\n" +
+                "DqBF1IsqTeqRaKUVKw8sWrEIZcgFt7SpgcsLTHMOuDgEYoPLwhIKKwYBBAGXVQEF\n" +
+                "AQEHQKY2huLPeGlqnLi4ITEgbtYp/C4ofZjmh6/rKUirtopIAwEIB4h1BBgWCgAd\n" +
+                "BQJig8vCAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQDrUIzRcUtGp9qQD+KuK+\n" +
+                "lWnlioN8gEyh1Rl2b4ABH6hOBdfW6zjUggnvVHwBAN6r6MJdu47c9xsLKypzyhwB\n" +
+                "0RbnyH5NMS6jwsK5zmoOuDMEYoPLwhYJKwYBBAHaRw8BAQdAxst2EY4/drt/MeTU\n" +
+                "RkzQdB8AO1Wc2gnlXavk2a+0DpyI1QQYFgoAfQUCYoPLwgKeAQKbAgUWAgMBAAQL\n" +
+                "CQgHBRUKCQgLXyAEGRYKAAYFAmKDy8IACgkQchAyuqB7Hn2yOAD/cPA01NO5YJPg\n" +
+                "KUuSDLnk872y+e419bvFizrM4LKYbeoA/0aw12mcpi1smQJ3mm9T/oGidatBQJ74\n" +
+                "JIPqTtwHSTIHAAoJEA61CM0XFLRqzj4A+QGjS6ay2AioirHJ9SCA8Eq6L2f/N3RB\n" +
+                "YBOlV32f3zxyAP9fwXlz0hRbBDnnie2O5eXT9ZurnAKGXPwCtlsqrmeTBg==\n" +
+                "=uC3F\n" +
+                "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+        String aliceId = "Alice ";
+        String charliesPetNameForAlice = "Alice Example  [from work]";
+
+        long aliceKeyId = 1059762964264170602L;
+        long bobKeyId = 5610053632031231169L;
+        long charlieKeyId = -5325245004225622857L;
+
+        PGPPublicKeyRing aliceCert = PGPainless.readKeyRing().publicKeyRing(alice);
+        PGPPublicKey aliceKey = aliceCert.getPublicKey();
+
+        // alice self-signed her user-id
+        assertEquals(1, SignatureUtils.getSignaturesOverUserIdBy(aliceKey, aliceId, aliceKeyId).size());
+        // Bob signed alices user-id
+        assertEquals(1, SignatureUtils.getSignaturesOverUserIdBy(aliceKey, aliceId, bobKeyId).size());
+        // charlie gave alice a pet name
+        assertEquals(1, SignatureUtils.getSignaturesOverUserIdBy(aliceKey, charliesPetNameForAlice, charlieKeyId).size());
+
+        // Alice did not certify the petname charlie gave her
+        assertEquals(0, SignatureUtils.getSignaturesOverUserIdBy(aliceKey, charliesPetNameForAlice, aliceKeyId).size());
+    }
 }

From 9921fc6ff6fbde7783df7989b5a992f3a4c7f0cd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 18 May 2022 14:19:08 +0200
Subject: [PATCH 0472/1450] Add and test
 OpenPgpFingerprint.parseFromBinary(bytes)

---
 .../pgpainless/key/OpenPgpFingerprint.java    | 11 +++++
 .../key/OpenPgpV4FingerprintTest.java         | 39 ++++++++++++++++++
 .../key/OpenPgpV5FingerprintTest.java         | 40 +++++++++++++++++++
 3 files changed, 90 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index d5a1daad..6abe207b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -67,6 +67,17 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable OpenPgpFingerprint.parseFromBinary(binary));
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
index fffccfe0..2e657d72 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
@@ -4,9 +4,11 @@
 
 package org.pgpainless.key;
 
+import org.bouncycastle.util.encoders.Hex;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class OpenPgpV5FingerprintTest {
@@ -33,4 +35,42 @@ public class OpenPgpV5FingerprintTest {
         OpenPgpV5Fingerprint v5fp = (OpenPgpV5Fingerprint) parsed;
         assertEquals(prettyPrint, v5fp.prettyPrint());
     }
+
+    @Test
+    public void testParseFromBinary() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_leadingZeros() {
+        String hex = "000000000000000001AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_trailingZeros() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA100000000000000000";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_wrongLength() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA012345"; // missing 2 digits
+        byte[] binary = Hex.decode(hex);
+
+        assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.parseFromBinary(binary));
+    }
 }

From 70a861611cf7804ed71f0f1e34e766906dd59200 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 18 May 2022 14:21:22 +0200
Subject: [PATCH 0473/1450] Improve SignatureUtils.wasIssuedBy() by adding
 support for v5 fingerprints

---
 .../pgpainless/signature/SignatureUtils.java  | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 9b86f575..2b69a832 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -14,6 +14,7 @@ import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
+import javax.annotation.Nonnull;
 
 import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
@@ -36,14 +37,11 @@ import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.algorithm.negotiation.HashAlgorithmNegotiator;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
-import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.util.OpenPgpKeyAttributeUtil;
 import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 import org.pgpainless.util.ArmorUtils;
 
-import javax.annotation.Nonnull;
-
 /**
  * Utility methods related to signatures.
  */
@@ -325,17 +323,17 @@ public final class SignatureUtils {
     }
 
     public static boolean wasIssuedBy(byte[] fingerprint, PGPSignature signature) {
-        if (fingerprint.length != 20) {
+        try {
+            OpenPgpFingerprint fp = OpenPgpFingerprint.parseFromBinary(fingerprint);
+            OpenPgpFingerprint issuerFp = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
+            if (issuerFp == null) {
+                return fp.getKeyId() == signature.getKeyID();
+            }
+            return fp.equals(issuerFp);
+        } catch (IllegalArgumentException e) {
             // Unknown fingerprint length
             return false;
         }
-        OpenPgpV4Fingerprint fp = new OpenPgpV4Fingerprint(fingerprint);
-        OpenPgpFingerprint issuerFp = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
-        if (issuerFp == null) {
-            return fp.getKeyId() == signature.getKeyID();
-        }
-
-        return fp.equals(issuerFp);
     }
 
     /**
@@ -354,7 +352,7 @@ public final class SignatureUtils {
         List signaturesByKeyId = new ArrayList<>();
         Iterator userIdSignatures = key.getSignaturesForID(userId);
 
-        // getSignaturesForID() is nullable -.-
+        // getSignaturesForID() is nullable for some reason -.-
         if (userIdSignatures == null) {
             return signaturesByKeyId;
         }

From 44c32d0620d86e8a0af9e4d5d9a0702a08fba262 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 1 Jun 2022 13:36:00 +0200
Subject: [PATCH 0474/1450] When setting expiration dates: Prevent integer
 overflow

---
 .../subpackets/SignatureSubpackets.java       | 17 +++++++----
 .../modification/ChangeExpirationTest.java    | 30 ++++++++++++++++++-
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index c622844f..df0269a3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -212,9 +212,7 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setSignatureExpirationTime(boolean isCritical, long seconds) {
-        if (seconds < 0) {
-            throw new IllegalArgumentException("Expiration time cannot be negative.");
-        }
+        enforceBounds(seconds);
         return setSignatureExpirationTime(new SignatureExpirationTime(isCritical, seconds));
     }
 
@@ -285,12 +283,19 @@ public class SignatureSubpackets
 
     @Override
     public SignatureSubpackets setKeyExpirationTime(boolean isCritical, long secondsFromCreationToExpiration) {
-        if (secondsFromCreationToExpiration < 0) {
-            throw new IllegalArgumentException("Seconds from key creation to expiration cannot be less than 0.");
-        }
+        enforceBounds(secondsFromCreationToExpiration);
         return setKeyExpirationTime(new KeyExpirationTime(isCritical, secondsFromCreationToExpiration));
     }
 
+    private void enforceBounds(long secondsFromCreationToExpiration) {
+        if (secondsFromCreationToExpiration < 0) {
+            throw new IllegalArgumentException("Seconds from creation to expiration cannot be less than 0.");
+        }
+        if (secondsFromCreationToExpiration > 0xffffffffL) {
+            throw new IllegalArgumentException("Integer overflow. Seconds from creation to expiration cannot be larger than 0xffffffff");
+        }
+    }
+
     @Override
     public SignatureSubpackets setKeyExpirationTime(@Nullable KeyExpirationTime keyExpirationTime) {
         this.keyExpirationTime = keyExpirationTime;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java
index 6a1c2f71..7aaf71e4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangeExpirationTest.java
@@ -7,6 +7,7 @@ package org.pgpainless.key.modification;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
 import java.util.Calendar;
@@ -14,13 +15,14 @@ import java.util.Date;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.JUtils;
 import org.junit.jupiter.api.TestTemplate;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.JUtils;
 import org.pgpainless.PGPainless;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnprotectedKeysProtector;
 import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.TestAllImplementations;
@@ -93,4 +95,30 @@ public class ChangeExpirationTest {
         sInfo = PGPainless.inspectKeyRing(secretKeys);
         assertNull(sInfo.getPrimaryKeyExpirationDate());
     }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testExtremeExpirationDates() throws PGPException, IOException {
+        PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+
+        // seconds from 2021 to 2199 will overflow 32bit integers
+        Date farAwayExpiration = DateUtil.parseUTCDate("2199-01-01 00:00:00 UTC");
+
+        final PGPSecretKeyRing finalKeys = secretKeys;
+        assertThrows(IllegalArgumentException.class, () ->
+                PGPainless.modifyKeyRing(finalKeys)
+                        .setExpirationDate(farAwayExpiration, protector)
+                        .done());
+
+        Date notSoFarAwayExpiration = DateUtil.parseUTCDate("2100-01-01 00:00:00 UTC");
+
+        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+                .setExpirationDate(notSoFarAwayExpiration, protector)
+                .done();
+
+        Date actualExpiration = PGPainless.inspectKeyRing(secretKeys)
+                        .getPrimaryKeyExpirationDate();
+        JUtils.assertDateEquals(notSoFarAwayExpiration, actualExpiration);
+    }
 }

From 444ec6d5939295205d6f30b04684f30acf3b7862 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 1 Jun 2022 13:40:07 +0200
Subject: [PATCH 0475/1450] Add documentation to enforceBounds()

---
 .../signature/subpackets/SignatureSubpackets.java          | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
index df0269a3..a2eb1f7d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpackets.java
@@ -287,6 +287,13 @@ public class SignatureSubpackets
         return setKeyExpirationTime(new KeyExpirationTime(isCritical, secondsFromCreationToExpiration));
     }
 
+    /**
+     * Enforce that 
secondsFromCreationToExpiration
 is within bounds of an unsigned 32bit number.
+     * Values less than 0 are illegal, as well as values greater 0xffffffff.
+     *
+     * @param secondsFromCreationToExpiration number to check
+     * @throws IllegalArgumentException in case of an under- or overflow
+     */
     private void enforceBounds(long secondsFromCreationToExpiration) {
         if (secondsFromCreationToExpiration < 0) {
             throw new IllegalArgumentException("Seconds from creation to expiration cannot be less than 0.");

From 03be9b8bae2bc41a838a6d9d13857b5eb63d476a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 4 Jun 2022 18:39:56 +0200
Subject: [PATCH 0476/1450] Update README

---
 README.md | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index edd6a245..390e8771 100644
--- a/README.md
+++ b/README.md
@@ -192,17 +192,9 @@ dependencies {
 }
 ```
 
-## About
-PGPainless is a by-product of my [Summer of Code 2018 project](https://blog.jabberhead.tk/summer-of-code-2018/)
-implementing OpenPGP support for the XMPP client library [Smack](https://github.com/igniterealtime/Smack).
-For that project I was in need of a simple-to-use OpenPGP library.
-
-Originally I was going to use [Bouncy-GPG](https://github.com/neuhalje/bouncy-gpg) for my project,
-but ultimately I decided to create my own OpenPGP library which better fits my needs.
-
-However, PGPainless was heavily influenced by Bouncy-GPG.
-
-To reach out to the development team, feel free to send a mail: info@pgpainless.org
+## Professional Support
+Do you need a custom feature? Are you unsure of what's the best way to integrate PGPainless into your product?
+We offer paid professional services. Don't hesitate to send an inquiry to [info@pgpainless.org](mailto:info@pgpainless.org).
 
 ## Development
 PGPainless is developed in - and accepts contributions from - the following places:

From c967cbb9f0b58ac446cd7b5a146f379b23b02578 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 16 Jun 2022 11:05:28 +0200
Subject: [PATCH 0477/1450] SOP: Properly throw CannotDecrypt

---
 .../src/main/java/org/pgpainless/sop/DecryptImpl.java          | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 38656c9b..413136da 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -22,6 +22,7 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
@@ -128,6 +129,8 @@ public class DecryptImpl implements Decrypt {
             decryptionStream = PGPainless.decryptAndOrVerify()
                     .onInputStream(ciphertext)
                     .withOptions(consumerOptions);
+        } catch (MissingDecryptionMethodException e) {
+            throw new SOPGPException.CannotDecrypt();
         } catch (PGPException | IOException e) {
             throw new SOPGPException.BadData(e);
         }

From 57fbb469ea86aaf507cdd328244d5fd6bb970e31 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 15 Jun 2022 23:13:53 +0200
Subject: [PATCH 0478/1450] Fix performance issue of encrypt and sign
 operations by buffering

---
 .../pgpainless/encryption_signing/CRLFGeneratorStream.java | 6 ++++++
 .../pgpainless/encryption_signing/EncryptionStream.java    | 7 ++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
index 9743f6f9..4cab8be3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/CRLFGeneratorStream.java
@@ -46,4 +46,10 @@ public class CRLFGeneratorStream extends OutputStream {
         }
         crlfOut.close();
     }
+
+    @Override
+    public void flush() throws IOException {
+        super.flush();
+        crlfOut.flush();
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 3b737702..0cba8093 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.encryption_signing;
 
+import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.ArrayList;
@@ -182,7 +183,11 @@ public final class EncryptionStream extends OutputStream {
     }
 
     public void prepareInputEncoding() {
-        CRLFGeneratorStream crlfGeneratorStream = new CRLFGeneratorStream(outermostStream,
+        // By buffering here, we drastically improve performance
+        // Reason is that CRLFGeneratorStream only implements write(int), so we need BufferedOutputStream to
+        // "convert" to write(buf) calls again
+        BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(outermostStream);
+        CRLFGeneratorStream crlfGeneratorStream = new CRLFGeneratorStream(bufferedOutputStream,
                 options.isApplyCRLFEncoding() ? StreamEncoding.UTF8 : StreamEncoding.BINARY);
         outermostStream = crlfGeneratorStream;
     }

From 9cdea63ec4227017cb9ae89a94e03ba40d6330f7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 15 Jun 2022 23:14:09 +0200
Subject: [PATCH 0479/1450] Fix performance issues of sop armor and dearmor
 operations

---
 .../src/main/java/org/pgpainless/sop/ArmorImpl.java         | 6 +++++-
 .../src/main/java/org/pgpainless/sop/DearmorImpl.java       | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
index 5c92f9b9..71bc3e6b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.sop;
 
+import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -28,8 +29,11 @@ public class ArmorImpl implements Armor {
         return new Ready() {
             @Override
             public void writeTo(OutputStream outputStream) throws IOException {
-                ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(outputStream);
+                // By buffering the output stream, we can improve performance drastically
+                BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(outputStream);
+                ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bufferedOutputStream);
                 Streams.pipeAll(data, armor);
+                bufferedOutputStream.flush();
                 armor.close();
             }
         };
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
index 73bd65d5..1cebec6e 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.sop;
 
+import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -22,7 +23,9 @@ public class DearmorImpl implements Dearmor {
 
             @Override
             public void writeTo(OutputStream outputStream) throws IOException {
-                Streams.pipeAll(decoder, outputStream);
+                BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(outputStream);
+                Streams.pipeAll(decoder, bufferedOutputStream);
+                bufferedOutputStream.flush();
                 decoder.close();
             }
         };

From 9a545a29360678cfec793bef26ec6b899f91ea5a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 7 Jun 2022 08:55:10 +0200
Subject: [PATCH 0480/1450] Wip: SOP 4

---
 .../key/generation/KeyRingTemplates.java      |  12 +-
 pgpainless-sop/build.gradle                   |   2 +
 .../java/org/pgpainless/sop/DecryptImpl.java  |  37 ++++--
 .../{SignImpl.java => DetachedSignImpl.java}  |  15 ++-
 ...erifyImpl.java => DetachedVerifyImpl.java} |  12 +-
 .../java/org/pgpainless/sop/EncryptImpl.java  |  50 +++++---
 .../org/pgpainless/sop/GenerateKeyImpl.java   |  10 +-
 ...MessageImpl.java => InlineDetachImpl.java} |   6 +-
 .../org/pgpainless/sop/InlineSignImpl.java    |  42 +++++++
 .../org/pgpainless/sop/InlineVerifyImpl.java  |  37 ++++++
 .../MatchMakingSecretKeyRingProtector.java    | 101 +++++++++++++++
 .../main/java/org/pgpainless/sop/SOPImpl.java |  40 ++++--
 .../java/org/pgpainless/sop/ArmorTest.java    |   2 +-
 .../DetachInbandSignatureAndMessageTest.java  |   2 +-
 .../sop/EncryptDecryptRoundTripTest.java      | 117 +++++++++++++++++-
 version.gradle                                |   2 +-
 16 files changed, 429 insertions(+), 58 deletions(-)
 rename pgpainless-sop/src/main/java/org/pgpainless/sop/{SignImpl.java => DetachedSignImpl.java} (92%)
 rename pgpainless-sop/src/main/java/org/pgpainless/sop/{VerifyImpl.java => DetachedVerifyImpl.java} (86%)
 rename pgpainless-sop/src/main/java/org/pgpainless/sop/{DetachInbandSignatureAndMessageImpl.java => InlineDetachImpl.java} (92%)
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 41d39a1a..e2cf7190 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -200,7 +200,7 @@ public final class KeyRingTemplates {
      * @throws PGPException in case of an OpenPGP related error
      */
     public PGPSecretKeyRing modernKeyRing(String userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        return modernKeyRing(userId, null);
+        return modernKeyRing(userId, (Passphrase) null);
     }
 
     /**
@@ -217,13 +217,19 @@ public final class KeyRingTemplates {
      */
     public PGPSecretKeyRing modernKeyRing(String userId, String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
+        Passphrase passphrase = (password != null ? Passphrase.fromPassword(password) : null);
+        return modernKeyRing(userId, passphrase);
+    }
+
+    public PGPSecretKeyRing modernKeyRing(String userId, Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
                 .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
                 .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
                 .addUserId(userId);
-        if (!isNullOrEmpty(password)) {
-            builder.setPassphrase(Passphrase.fromPassword(password));
+        if (passphrase != null && !passphrase.isEmpty()) {
+            builder.setPassphrase(passphrase);
         }
         return builder.build();
     }
diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle
index d6b97e64..4eca8a7f 100644
--- a/pgpainless-sop/build.gradle
+++ b/pgpainless-sop/build.gradle
@@ -10,9 +10,11 @@ group 'org.pgpainless'
 
 repositories {
     mavenCentral()
+    mavenLocal()
 }
 
 dependencies {
+    implementation 'org.jetbrains:annotations:20.1.0'
     testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 413136da..89eb29db 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -7,9 +7,12 @@ package org.pgpainless.sop;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@@ -23,9 +26,8 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.exception.MissingDecryptionMethodException;
+import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.Passphrase;
 import sop.DecryptionResult;
 import sop.ReadyWithResult;
@@ -37,6 +39,8 @@ import sop.operation.Decrypt;
 public class DecryptImpl implements Decrypt {
 
     private final ConsumerOptions consumerOptions = new ConsumerOptions();
+    private final Set keys = new HashSet<>();
+    private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     @Override
     public DecryptImpl verifyNotBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
@@ -96,29 +100,34 @@ public class DecryptImpl implements Decrypt {
     }
 
     @Override
-    public DecryptImpl withKey(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, SOPGPException.UnsupportedAsymmetricAlgo {
+    public DecryptImpl withKey(InputStream keyIn) throws SOPGPException.BadData, SOPGPException.UnsupportedAsymmetricAlgo {
         try {
-            PGPSecretKeyRingCollection secretKeys = PGPainless.readKeyRing()
+            PGPSecretKeyRingCollection secretKeyCollection = PGPainless.readKeyRing()
                     .secretKeyRingCollection(keyIn);
-
-            for (PGPSecretKeyRing secretKey : secretKeys) {
-                KeyRingInfo info = new KeyRingInfo(secretKey);
-                if (!info.isFullyDecrypted()) {
-                    throw new SOPGPException.KeyIsProtected();
-                }
+            for (PGPSecretKeyRing key : secretKeyCollection) {
+                keys.add(key);
             }
-
-            consumerOptions.addDecryptionKeys(secretKeys, SecretKeyRingProtector.unprotectedKeys());
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
         return this;
     }
 
+    @Override
+    public Decrypt withKeyPassword(byte[] password) {
+        String string = new String(password, Charset.forName("UTF8"));
+        protector.addPassphrase(Passphrase.fromPassword(string));
+        return this;
+    }
+
     @Override
     public ReadyWithResult ciphertext(InputStream ciphertext)
             throws SOPGPException.BadData,
             SOPGPException.MissingArg {
+        for (PGPSecretKeyRing key : keys) {
+            protector.addSecretKey(key);
+            consumerOptions.addDecryptionKey(key, protector);
+        }
 
         if (consumerOptions.getDecryptionKeys().isEmpty() && consumerOptions.getDecryptionPassphrases().isEmpty() && consumerOptions.getSessionKey() == null) {
             throw new SOPGPException.MissingArg("Missing decryption key, passphrase or session key.");
@@ -131,8 +140,12 @@ public class DecryptImpl implements Decrypt {
                     .withOptions(consumerOptions);
         } catch (MissingDecryptionMethodException e) {
             throw new SOPGPException.CannotDecrypt();
+        } catch (WrongPassphraseException e) {
+            throw new SOPGPException.KeyIsProtected();
         } catch (PGPException | IOException e) {
             throw new SOPGPException.BadData(e);
+        } finally {
+            protector.clear();
         }
 
         return new ReadyWithResult() {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
similarity index 92%
rename from pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
rename to pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index 286c5262..3341712a 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -32,28 +32,28 @@ import sop.ReadyWithResult;
 import sop.SigningResult;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
-import sop.operation.Sign;
+import sop.operation.DetachedSign;
 
-public class SignImpl implements Sign {
+public class DetachedSignImpl implements DetachedSign {
 
     private boolean armor = true;
     private SignAs mode = SignAs.Binary;
     private final SigningOptions signingOptions = new SigningOptions();
 
     @Override
-    public Sign noArmor() {
+    public DetachedSign noArmor() {
         armor = false;
         return this;
     }
 
     @Override
-    public Sign mode(SignAs mode) {
+    public DetachedSign mode(SignAs mode) {
         this.mode = mode;
         return this;
     }
 
     @Override
-    public Sign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
+    public DetachedSign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
 
@@ -70,6 +70,11 @@ public class SignImpl implements Sign {
         return this;
     }
 
+    @Override
+    public DetachedSign withKeyPassword(byte[] password) {
+        return null;
+    }
+
     @Override
     public ReadyWithResult data(InputStream data) throws IOException {
         ByteArrayOutputStream buffer = new ByteArrayOutputStream();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
similarity index 86%
rename from pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java
rename to pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index c874b452..d4db494f 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -21,26 +21,26 @@ import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.key.SubkeyIdentifier;
 import sop.Verification;
 import sop.exception.SOPGPException;
-import sop.operation.Verify;
+import sop.operation.DetachedVerify;
 
-public class VerifyImpl implements Verify {
+public class DetachedVerifyImpl implements DetachedVerify {
 
     private final ConsumerOptions options = new ConsumerOptions();
 
     @Override
-    public Verify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
+    public DetachedVerify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
         options.verifyNotBefore(timestamp);
         return this;
     }
 
     @Override
-    public Verify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption {
+    public DetachedVerify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption {
         options.verifyNotAfter(timestamp);
         return this;
     }
 
     @Override
-    public Verify cert(InputStream cert) throws SOPGPException.BadData {
+    public DetachedVerify cert(InputStream cert) throws SOPGPException.BadData {
         PGPPublicKeyRingCollection certificates;
         try {
             certificates = PGPainless.readKeyRing().publicKeyRingCollection(cert);
@@ -52,7 +52,7 @@ public class VerifyImpl implements Verify {
     }
 
     @Override
-    public VerifyImpl signatures(InputStream signatures) throws SOPGPException.BadData {
+    public DetachedVerifyImpl signatures(InputStream signatures) throws SOPGPException.BadData {
         try {
             options.addVerificationOfDetachedSignatures(signatures);
         } catch (IOException | PGPException e) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index d6bd7709..bfa80f47 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -7,9 +7,13 @@ package org.pgpainless.sop;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.charset.Charset;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
@@ -20,7 +24,6 @@ import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.WrongPassphraseException;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.Passphrase;
 import sop.util.ProxyOutputStream;
 import sop.Ready;
@@ -33,6 +36,9 @@ public class EncryptImpl implements Encrypt {
     EncryptionOptions encryptionOptions = new EncryptionOptions();
     SigningOptions signingOptions = null;
 
+    Set signingKeys = new HashSet<>();
+    MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+
     private EncryptAs encryptAs = EncryptAs.Binary;
     boolean armor = true;
 
@@ -49,7 +55,7 @@ public class EncryptImpl implements Encrypt {
     }
 
     @Override
-    public Encrypt signWith(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
+    public Encrypt signWith(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
             if (keys.size() != 1) {
@@ -59,23 +65,20 @@ public class EncryptImpl implements Encrypt {
             if (signingOptions == null) {
                 signingOptions = SigningOptions.get();
             }
-            try {
-                signingOptions.addInlineSignatures(
-                        SecretKeyRingProtector.unprotectedKeys(),
-                        keys,
-                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
-                );
-            } catch (IllegalArgumentException e) {
-                throw new SOPGPException.KeyCannotSign();
-            } catch (WrongPassphraseException e) {
-                throw new SOPGPException.KeyIsProtected();
-            }
+            signingKeys.add(keys.getKeyRings().next());
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
         return this;
     }
 
+    @Override
+    public Encrypt withKeyPassword(byte[] password) {
+        String passphrase = new String(password, Charset.forName("UTF8"));
+        protector.addPassphrase(Passphrase.fromPassword(passphrase));
+        return this;
+    }
+
     @Override
     public Encrypt withPassword(String password) throws SOPGPException.PasswordNotHumanReadable, SOPGPException.UnsupportedOption {
         encryptionOptions.addPassphrase(Passphrase.fromPassword(password));
@@ -97,6 +100,26 @@ public class EncryptImpl implements Encrypt {
 
     @Override
     public Ready plaintext(InputStream plaintext) throws IOException {
+        for (PGPSecretKeyRing signingKey : signingKeys) {
+            protector.addSecretKey(signingKey);
+        }
+
+        if (signingOptions != null) {
+            try {
+                signingOptions.addInlineSignatures(
+                        protector,
+                        signingKeys,
+                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
+                );
+            } catch (IllegalArgumentException e) {
+                throw new SOPGPException.KeyCannotSign();
+            } catch (WrongPassphraseException e) {
+                throw new SOPGPException.KeyIsProtected();
+            } catch (PGPException e) {
+                throw new SOPGPException.BadData(e);
+            }
+        }
+
         ProducerOptions producerOptions = signingOptions != null ?
                 ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions) :
                 ProducerOptions.encrypt(encryptionOptions);
@@ -125,7 +148,6 @@ public class EncryptImpl implements Encrypt {
     private static StreamEncoding encryptAsToStreamEncoding(EncryptAs encryptAs) {
         switch (encryptAs) {
             case Binary:
-            case MIME:
                 return StreamEncoding.BINARY;
             case Text:
                 return StreamEncoding.UTF8;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index 6a2c09f9..893c8dd8 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -19,6 +19,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmorUtils;
+import org.pgpainless.util.Passphrase;
 import sop.Ready;
 import sop.exception.SOPGPException;
 import sop.operation.GenerateKey;
@@ -27,6 +28,7 @@ public class GenerateKeyImpl implements GenerateKey {
 
     private boolean armor = true;
     private final Set userIds = new LinkedHashSet<>();
+    private Passphrase passphrase;
 
     @Override
     public GenerateKey noArmor() {
@@ -40,6 +42,12 @@ public class GenerateKeyImpl implements GenerateKey {
         return this;
     }
 
+    @Override
+    public GenerateKey withKeyPassword(String password) {
+        this.passphrase = Passphrase.fromPassword(password);
+        return this;
+    }
+
     @Override
     public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo {
         Iterator userIdIterator = userIds.iterator();
@@ -50,7 +58,7 @@ public class GenerateKeyImpl implements GenerateKey {
         PGPSecretKeyRing key;
         try {
              key = PGPainless.generateKeyRing()
-                    .modernKeyRing(userIdIterator.next(), null);
+                    .modernKeyRing(userIdIterator.next(), passphrase);
 
             if (userIdIterator.hasNext()) {
                 SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(key);
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
similarity index 92%
rename from pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java
rename to pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
index 34d2f618..f23434c2 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachInbandSignatureAndMessageImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
@@ -20,14 +20,14 @@ import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.ReadyWithResult;
 import sop.Signatures;
 import sop.exception.SOPGPException;
-import sop.operation.DetachInbandSignatureAndMessage;
+import sop.operation.InlineDetach;
 
-public class DetachInbandSignatureAndMessageImpl implements DetachInbandSignatureAndMessage {
+public class InlineDetachImpl implements InlineDetach {
 
     private boolean armor = true;
 
     @Override
-    public DetachInbandSignatureAndMessage noArmor() {
+    public InlineDetach noArmor() {
         this.armor = false;
         return this;
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
new file mode 100644
index 00000000..7eaeaa6f
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -0,0 +1,42 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import sop.ReadyWithResult;
+import sop.SigningResult;
+import sop.enums.InlineSignAs;
+import sop.exception.SOPGPException;
+import sop.operation.DetachedSign;
+import sop.operation.InlineSign;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class InlineSignImpl implements InlineSign {
+    @Override
+    public DetachedSign mode(InlineSignAs mode) throws SOPGPException.UnsupportedOption {
+        return null;
+    }
+
+    @Override
+    public DetachedSign noArmor() {
+        return null;
+    }
+
+    @Override
+    public InlineSign key(InputStream key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
+        return null;
+    }
+
+    @Override
+    public InlineSign withKeyPassword(byte[] password) {
+        return null;
+    }
+
+    @Override
+    public ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText {
+        return null;
+    }
+}
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
new file mode 100644
index 00000000..a230e0fd
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import sop.ReadyWithResult;
+import sop.Verification;
+import sop.exception.SOPGPException;
+import sop.operation.InlineVerify;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Date;
+import java.util.List;
+
+public class InlineVerifyImpl implements InlineVerify {
+    @Override
+    public ReadyWithResult> data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
+        return null;
+    }
+
+    @Override
+    public InlineVerify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
+        return null;
+    }
+
+    @Override
+    public InlineVerify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption {
+        return null;
+    }
+
+    @Override
+    public InlineVerify cert(InputStream cert) throws SOPGPException.BadData {
+        return null;
+    }
+}
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java
new file mode 100644
index 00000000..df54583e
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java
@@ -0,0 +1,101 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
+import org.jetbrains.annotations.Nullable;
+import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.info.KeyInfo;
+import org.pgpainless.key.protection.CachingSecretKeyRingProtector;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+
+public class MatchMakingSecretKeyRingProtector implements SecretKeyRingProtector {
+
+    private final Set passphrases = new HashSet<>();
+    private final Set keys = new HashSet<>();
+    private final CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector();
+
+    public void addPassphrase(Passphrase passphrase) {
+        if (passphrase.isEmpty()) {
+            return;
+        }
+
+        if (!passphrases.add(passphrase)) {
+            return;
+        }
+
+        for (PGPSecretKeyRing key : keys) {
+            for (PGPSecretKey subkey : key) {
+                if (protector.hasPassphrase(subkey.getKeyID())) {
+                    continue;
+                }
+
+                testPassphrase(passphrase, subkey);
+            }
+        }
+    }
+
+    public void addSecretKey(PGPSecretKeyRing key) {
+        if (!keys.add(key)) {
+            return;
+        }
+
+        for (PGPSecretKey subkey : key) {
+            if (KeyInfo.isDecrypted(subkey)) {
+                protector.addPassphrase(subkey.getKeyID(), Passphrase.emptyPassphrase());
+            } else {
+                for (Passphrase passphrase : passphrases) {
+                    testPassphrase(passphrase, subkey);
+                }
+            }
+        }
+    }
+
+    private void testPassphrase(Passphrase passphrase, PGPSecretKey subkey) {
+        try {
+            PBESecretKeyDecryptor decryptor = ImplementationFactory.getInstance().getPBESecretKeyDecryptor(passphrase);
+            UnlockSecretKey.unlockSecretKey(subkey, decryptor);
+            protector.addPassphrase(subkey.getKeyID(), passphrase);
+        } catch (PGPException e) {
+            // wrong password
+        }
+    }
+
+    @Override
+    public boolean hasPassphraseFor(Long keyId) {
+        return protector.hasPassphrase(keyId);
+    }
+
+    @Nullable
+    @Override
+    public PBESecretKeyDecryptor getDecryptor(Long keyId) throws PGPException {
+        return protector.getDecryptor(keyId);
+    }
+
+    @Nullable
+    @Override
+    public PBESecretKeyEncryptor getEncryptor(Long keyId) throws PGPException {
+        return protector.getEncryptor(keyId);
+    }
+
+    public void clear() {
+        for (Passphrase passphrase : passphrases) {
+            passphrase.clear();
+        }
+
+        for (PGPSecretKeyRing key : keys) {
+            protector.forgetPassphrase(key);
+        }
+    }
+}
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
index cfa426a5..35ff8994 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
@@ -8,12 +8,14 @@ import sop.SOP;
 import sop.operation.Armor;
 import sop.operation.Dearmor;
 import sop.operation.Decrypt;
-import sop.operation.DetachInbandSignatureAndMessage;
+import sop.operation.DetachedSign;
+import sop.operation.DetachedVerify;
+import sop.operation.InlineDetach;
 import sop.operation.Encrypt;
 import sop.operation.ExtractCert;
 import sop.operation.GenerateKey;
-import sop.operation.Sign;
-import sop.operation.Verify;
+import sop.operation.InlineSign;
+import sop.operation.InlineVerify;
 import sop.operation.Version;
 
 public class SOPImpl implements SOP {
@@ -34,13 +36,33 @@ public class SOPImpl implements SOP {
     }
 
     @Override
-    public Sign sign() {
-        return new SignImpl();
+    public DetachedSign sign() {
+        return detachedSign();
     }
 
     @Override
-    public Verify verify() {
-        return new VerifyImpl();
+    public DetachedSign detachedSign() {
+        return new DetachedSignImpl();
+    }
+
+    @Override
+    public InlineSign inlineSign() {
+        return new InlineSignImpl();
+    }
+
+    @Override
+    public DetachedVerify verify() {
+        return detachedVerify();
+    }
+
+    @Override
+    public DetachedVerify detachedVerify() {
+        return new DetachedVerifyImpl();
+    }
+
+    @Override
+    public InlineVerify inlineVerify() {
+        return new InlineVerifyImpl();
     }
 
     @Override
@@ -64,7 +86,7 @@ public class SOPImpl implements SOP {
     }
 
     @Override
-    public DetachInbandSignatureAndMessage detachInbandSignatureAndMessage() {
-        return new DetachInbandSignatureAndMessageImpl();
+    public InlineDetach inlineDetach() {
+        return new InlineDetachImpl();
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
index ad6da440..95129dfa 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
@@ -28,7 +28,7 @@ public class ArmorTest {
 
     @Test
     public void armor() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        byte[] data = PGPainless.generateKeyRing().modernKeyRing("Alice", null).getEncoded();
+        byte[] data = PGPainless.generateKeyRing().modernKeyRing("Alice").getEncoded();
         byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data).getBytes(StandardCharsets.UTF_8);
         byte[] armored = new SOPImpl()
                 .armor()
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java
index 06c11226..b76f069c 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java
@@ -58,7 +58,7 @@ public class DetachInbandSignatureAndMessageTest {
         signingStream.close();
 
         // actually detach the message
-        ByteArrayAndResult detachedMsg = sop.detachInbandSignatureAndMessage()
+        ByteArrayAndResult detachedMsg = sop.inlineDetach()
                 .message(out.toByteArray())
                 .toByteArrayAndResult();
 
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index d0699ae7..45a26586 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -11,6 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 
 import org.bouncycastle.util.io.Streams;
@@ -24,12 +25,13 @@ import sop.exception.SOPGPException;
 
 public class EncryptDecryptRoundTripTest {
 
+    private static final Charset utf8 = Charset.forName("UTF8");
     private static SOP sop;
     private static byte[] aliceKey;
     private static byte[] aliceCert;
     private static byte[] bobKey;
     private static byte[] bobCert;
-    private static byte[] message = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
+    private static byte[] message = "Hello, World!\n".getBytes(utf8);
 
     @BeforeAll
     public static void setup() throws IOException {
@@ -218,8 +220,119 @@ public class EncryptDecryptRoundTripTest {
                 "=MUYS\n" +
                 "-----END PGP PRIVATE KEY BLOCK-----";
 
+        String msg = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4Doj0CaB2GRvISAQdAhV5sjUCxanM68jG9qaq2rep1KKQx2o+9yrK0Rsrtqkww\n" +
+                "mb4uVv/SD3ixDztUSgUset0jeUeZHZAWfTB9cWawX4fiB2BdbcxhxFqQR8VPJ2SZ\n" +
+                "0jcB+wH1gq05AkMaCfoEIio3o3QcZq2In8tqj69U3AFRQApoH/p+ZLDz2pcnFBn+\n" +
+                "x1Y+C6wNg/3g\n" +
+                "=6vge\n" +
+                "-----END PGP MESSAGE-----";
+
         assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.decrypt()
-                .withKey(passwordProtectedKey.getBytes(StandardCharsets.UTF_8)));
+                .withKey(passwordProtectedKey.getBytes(StandardCharsets.UTF_8))
+                .ciphertext(msg.getBytes(utf8)));
+    }
+
+    @Test
+    public void encryptDecryptRoundTripWithProtectedKey() throws IOException {
+        byte[] passphrase = "sw0rdf1sh".getBytes(utf8);
+
+        byte[] key = sop.generateKey()
+                .userId("Alice ")
+                .withKeyPassword(passphrase)
+                .generate().getBytes();
+
+        byte[] cert = sop.extractCert()
+                .key(key)
+                .getBytes();
+
+        byte[] plaintext = "Hello, World!\n".getBytes(utf8);
+
+        byte[] ciphertext = sop.encrypt()
+                .withCert(cert)
+                .plaintext(plaintext)
+                .getBytes();
+
+        byte[] decrypted = sop.decrypt()
+                .withKeyPassword(passphrase)
+                .withKey(key)
+                .ciphertext(ciphertext)
+                .toByteArrayAndResult()
+                .getBytes();
+
+        assertArrayEquals(plaintext, decrypted);
+    }
+
+    @Test
+    public void encryptDecryptRoundTripWithTwoProtectedKeysAndOnePassphrase() throws IOException {
+        byte[] passphrase1 = "sw0rdf1sh".getBytes(utf8);
+
+        byte[] key1 = sop.generateKey()
+                .userId("Alice ")
+                .withKeyPassword(passphrase1)
+                .generate().getBytes();
+
+        byte[] cert1 = sop.extractCert()
+                .key(key1)
+                .getBytes();
+
+        byte[] passphrase2 = "fooBar".getBytes(utf8);
+
+        byte[] key2 = sop.generateKey()
+                .userId("Bob ")
+                .withKeyPassword(passphrase2)
+                .generate().getBytes();
+
+        byte[] cert2 = sop.extractCert()
+                .key(key2)
+                .getBytes();
+
+        byte[] plaintext = "Hello, World!\n".getBytes(utf8);
+
+        byte[] ciphertext = sop.encrypt()
+                .withCert(cert1)
+                .withCert(cert2)
+                .plaintext(plaintext)
+                .getBytes();
+
+        byte[] decrypted = sop.decrypt()
+                .withKey(key1)
+                .withKey(key2)
+                .withKeyPassword(passphrase2)
+                .ciphertext(ciphertext)
+                .toByteArrayAndResult()
+                .getBytes();
+
+        assertArrayEquals(plaintext, decrypted);
+    }
+
+    @Test
+    public void encryptDecryptRoundTripFailsWithProtectedKeyAndWrongPassphrase() throws IOException {
+        byte[] passphrase = "sw0rdf1sh".getBytes(utf8);
+
+        byte[] key = sop.generateKey()
+                .userId("Alice ")
+                .withKeyPassword(passphrase)
+                .generate().getBytes();
+
+        byte[] cert = sop.extractCert()
+                .key(key)
+                .getBytes();
+
+        byte[] plaintext = "Hello, World!\n".getBytes(utf8);
+
+        byte[] ciphertext = sop.encrypt()
+                .withCert(cert)
+                .plaintext(plaintext)
+                .getBytes();
+
+        assertThrows(SOPGPException.KeyIsProtected.class,
+                () -> sop.decrypt()
+                        .withKeyPassword("foobar")
+                        .withKey(key)
+                        .ciphertext(ciphertext));
     }
 
     @Test
diff --git a/version.gradle b/version.gradle
index f890e8d6..ddb6de7d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -12,6 +12,6 @@ allprojects {
         slf4jVersion = '1.7.36'
         logbackVersion = '1.2.11'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.3'
+        sopJavaVersion = '1.2.4-SNAPSHOT'
     }
 }

From dd26b5230d2b30513a124270930df78339d95561 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 9 Jun 2022 00:42:06 +0200
Subject: [PATCH 0481/1450] Use newly introduced modernKeyRing(userId) method

---
 .../CertificateWithMissingSecretKeyTest.java     |  2 +-
 .../CleartextSignatureVerificationTest.java      |  2 +-
 .../OpenPgpInputStreamTest.java                  |  2 +-
 .../VerifyWithMissingPublicKeyCallback.java      |  2 +-
 .../EncryptionOptionsTest.java                   |  2 +-
 .../encryption_signing/FileInformationTest.java  |  2 +-
 .../java/org/pgpainless/example/ConvertKeys.java |  2 +-
 .../test/java/org/pgpainless/example/Sign.java   |  2 +-
 .../org/pgpainless/key/KeyRingValidatorTest.java |  2 +-
 .../generation/KeyGenerationSubpacketsTest.java  |  4 ++--
 .../org/pgpainless/key/info/KeyRingInfoTest.java |  2 +-
 ...eyWithModifiedBindingSignatureSubpackets.java |  2 +-
 .../key/modification/AddUserIdTest.java          |  2 +-
 ...hangePrimaryUserIdAndExpirationDatesTest.java | 10 +++++-----
 .../modification/RefuseToAddWeakSubkeyTest.java  |  4 ++--
 .../key/modification/RevokeSubKeyTest.java       |  4 ++--
 .../key/modification/RevokeUserIdsTest.java      |  6 +++---
 .../key/parsing/KeyRingCollectionReaderTest.java |  4 ++--
 .../key/parsing/KeyRingReaderTest.java           | 16 ++++++++--------
 .../org/pgpainless/key/util/KeyRingUtilTest.java |  2 +-
 .../OnePassSignatureBracketingTest.java          |  4 ++--
 .../signature/SignatureSubpacketsUtilTest.java   |  2 +-
 .../builder/DirectKeySignatureBuilderTest.java   |  2 +-
 ...rdPartyCertificationSignatureBuilderTest.java |  6 +++---
 24 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
index 13359830..a53999a6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
@@ -79,7 +79,7 @@ public class CertificateWithMissingSecretKeyTest {
 
         // missing encryption sec key we generate on the fly
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Missing Decryption Key ", null);
+                .modernKeyRing("Missing Decryption Key ");
         encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys)
                 .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID();
         // remove the encryption/decryption secret key
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
index bcf1321e..12596988 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
@@ -214,7 +214,7 @@ public class CleartextSignatureVerificationTest {
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         String message = randomString(28, 4000);
 
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
                 .onOutputStream(out)
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
index c2a24c76..a39ee70f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
@@ -740,7 +740,7 @@ public class OpenPgpInputStreamTest {
     public void testSignedMessageConsumption() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World!\n".getBytes(StandardCharsets.UTF_8));
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Sigmund ", null);
+                .modernKeyRing("Sigmund ");
 
         ByteArrayOutputStream signedOut = new ByteArrayOutputStream();
         EncryptionStream signer = PGPainless.encryptAndOrSign()
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
index 9c786807..e4e9427b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
@@ -42,7 +42,7 @@ public class VerifyWithMissingPublicKeyCallback {
 
     @Test
     public void testMissingPublicKeyCallback() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice", null);
+        PGPSecretKeyRing signingSecKeys = PGPainless.generateKeyRing().modernKeyRing("alice");
         PGPPublicKey signingKey = new KeyRingInfo(signingSecKeys).getSigningSubkeys().get(0);
         PGPPublicKeyRing signingPubKeys = KeyRingUtils.publicKeyRingFrom(signingSecKeys);
         PGPPublicKeyRing unrelatedKeys = TestKeys.getJulietPublicKeyRing();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
index 40a336e8..3e7ccb4d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
@@ -167,7 +167,7 @@ public class EncryptionOptionsTest {
     @Test
     public void testAddRecipients_PGPPublicKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPPublicKeyRing secondKeyRing = KeyRingUtils.publicKeyRingFrom(
-                PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org", null));
+                PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org"));
 
         PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(
                 Arrays.asList(publicKeys, secondKeyRing));
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
index c5a4d28c..662971e4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
@@ -38,7 +38,7 @@ public class FileInformationTest {
 
     @BeforeAll
     public static void generateKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit", null);
+        secretKey = PGPainless.generateKeyRing().modernKeyRing("alice@wonderland.lit");
         certificate = PGPainless.extractCertificate(secretKey);
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java
index 2c96112c..fc99fa44 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ConvertKeys.java
@@ -26,7 +26,7 @@ public class ConvertKeys {
     public void secretKeyToCertificate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         String userId = "alice@wonderland.lit";
         PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing(userId, null);
+                .modernKeyRing(userId);
         // Extract certificate (public key) from secret key
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
index 77db571d..06228c75 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Sign.java
@@ -39,7 +39,7 @@ public class Sign {
 
     @BeforeAll
     public static void prepare() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example ", null);
+        secretKey = PGPainless.generateKeyRing().modernKeyRing("Emilia Example ");
         protector = SecretKeyRingProtector.unprotectedKeys(); // no password
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
index 970cea9c..7d5c0520 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
@@ -296,7 +296,7 @@ public class KeyRingValidatorTest {
     @Test
     public void testKeyWithUserAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ", null);
+                .modernKeyRing("Alice ");
         PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys);
         PGPPublicKey publicKey = secretKeys.getPublicKey();
         PGPSecretKey secretKey = secretKeys.getSecretKey();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java
index 9a866d34..cce27a80 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/KeyGenerationSubpacketsTest.java
@@ -41,7 +41,7 @@ public class KeyGenerationSubpacketsTest {
     @Test
     public void verifyDefaultSubpacketsForUserIdSignatures()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
 
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
         PGPSignature userIdSig = info.getLatestUserIdCertification("Alice");
@@ -108,7 +108,7 @@ public class KeyGenerationSubpacketsTest {
     @Test
     public void verifyDefaultSubpacketsForSubkeyBindingSignatures()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
         List keysBefore = info.getPublicKeys();
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index bfececee..43273315 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -515,7 +515,7 @@ public class KeyRingInfoTest {
 
     @Test
     public void getSecretKeyTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
 
         OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(secretKeys);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java
index e0fa2a01..77143b9f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddSubkeyWithModifiedBindingSignatureSubpackets.java
@@ -42,7 +42,7 @@ public class AddSubkeyWithModifiedBindingSignatureSubpackets {
     public void bindEncryptionSubkeyAndModifyBindingSignatureHashedSubpackets() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ", null);
+                .modernKeyRing("Alice ");
         KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys);
 
         PGPKeyPair secretSubkey = KeyRingBuilder.generateKeyPair(
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java
index 4580b00c..19f84930 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/AddUserIdTest.java
@@ -114,7 +114,7 @@ public class AddUserIdTest {
     @Test
     public void addNewPrimaryUserIdTest() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
         UserId bob = UserId.newBuilder().withName("Bob").noEmail().noComment().build();
 
         assertNotEquals("Bob", PGPainless.inspectKeyRing(secretKeys).getPrimaryUserId());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java
index 26618b7a..db60934f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/ChangePrimaryUserIdAndExpirationDatesTest.java
@@ -27,7 +27,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
     public void generateA_primaryB_revokeA_cantSecondaryA()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("A", null);
+                .modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@@ -70,7 +70,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
     public void generateA_primaryExpire_isExpired()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("A", null);
+                .modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@@ -92,7 +92,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
     public void generateA_primaryB_primaryExpire_bIsStillPrimary()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("A", null);
+                .modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@@ -130,7 +130,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
 
     @Test
     public void generateA_expire_certify() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         secretKeys = PGPainless.modifyKeyRing(secretKeys)
@@ -151,7 +151,7 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
     @Test
     public void generateA_expire_primaryB_expire_isPrimaryB()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         Thread.sleep(1000);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
index 72dfac71..2570837f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
@@ -37,7 +37,7 @@ public class RefuseToAddWeakSubkeyTest {
         PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
 
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
         SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys);
         KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build();
 
@@ -49,7 +49,7 @@ public class RefuseToAddWeakSubkeyTest {
     public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
 
         // set weak policy
         Map minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java
index 81e6287f..6a044199 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java
@@ -128,7 +128,7 @@ public class RevokeSubKeyTest {
     @Test
     public void inspectSubpacketsOnDefaultRevocationSignature()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
         PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys)
                 .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0);
@@ -153,7 +153,7 @@ public class RevokeSubKeyTest {
     @Test
     public void inspectSubpacketsOnModifiedRevocationSignature()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
         PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys)
                 .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java
index a8c732b4..9dc968ed 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeUserIdsTest.java
@@ -27,7 +27,7 @@ public class RevokeUserIdsTest {
     @Test
     public void revokeWithSelectUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ", null);
+                .modernKeyRing("Alice ");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         secretKeys = PGPainless.modifyKeyRing(secretKeys)
@@ -58,7 +58,7 @@ public class RevokeUserIdsTest {
     @Test
     public void removeUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ", null);
+                .modernKeyRing("Alice ");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
         secretKeys = PGPainless.modifyKeyRing(secretKeys)
@@ -89,7 +89,7 @@ public class RevokeUserIdsTest {
     @Test
     public void emptySelectionYieldsNoSuchElementException() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ", null);
+                .modernKeyRing("Alice ");
 
         assertThrows(NoSuchElementException.class, () ->
                 PGPainless.modifyKeyRing(secretKeys).revokeUserIds(
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java
index 5c117652..552ae25f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingCollectionReaderTest.java
@@ -27,8 +27,8 @@ public class KeyRingCollectionReaderTest {
     @Test
     public void writeAndParseKeyRingCollections() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         // secret keys
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ", null);
-        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ");
 
         PGPSecretKeyRingCollection collection = KeyRingUtils.keyRingsToKeyRingCollection(alice, bob);
         String ascii = ArmorUtils.toAsciiArmoredString(collection);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
index 68233c9b..9349a864 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@@ -455,8 +455,8 @@ class KeyRingReaderTest {
 
     @Test
     public void testReadSecretKeysIgnoresMultipleMarkers() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
-        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org");
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org");
         MarkerPacket marker = TestUtils.getMarkerPacket();
 
         ByteArrayOutputStream bytes = new ByteArrayOutputStream();
@@ -489,7 +489,7 @@ class KeyRingReaderTest {
     @Test
     public void testReadingSecretKeysExceedsIterationLimit()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org");
         MarkerPacket marker = TestUtils.getMarkerPacket();
 
         ByteArrayOutputStream bytes = new ByteArrayOutputStream();
@@ -508,8 +508,8 @@ class KeyRingReaderTest {
     @Test
     public void testReadingSecretKeyCollectionExceedsIterationLimit()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
-        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org");
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org");
         MarkerPacket marker = TestUtils.getMarkerPacket();
 
         ByteArrayOutputStream bytes = new ByteArrayOutputStream();
@@ -530,7 +530,7 @@ class KeyRingReaderTest {
     @Test
     public void testReadingPublicKeysExceedsIterationLimit()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org");
         PGPPublicKeyRing alice = PGPainless.extractCertificate(secretKeys);
         MarkerPacket marker = TestUtils.getMarkerPacket();
 
@@ -550,8 +550,8 @@ class KeyRingReaderTest {
     @Test
     public void testReadingPublicKeyCollectionExceedsIterationLimit()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org", null);
-        PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org", null);
+        PGPSecretKeyRing sec1 = PGPainless.generateKeyRing().modernKeyRing("alice@pgpainless.org");
+        PGPSecretKeyRing sec2 = PGPainless.generateKeyRing().modernKeyRing("bob@pgpainless.org");
         PGPPublicKeyRing alice = PGPainless.extractCertificate(sec1);
         PGPPublicKeyRing bob = PGPainless.extractCertificate(sec2);
         MarkerPacket marker = TestUtils.getMarkerPacket();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
index 45552664..b75969fc 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
@@ -33,7 +33,7 @@ public class KeyRingUtilTest {
     @Test
     public void testInjectCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
 
         // test preconditions
         assertFalse(secretKeys.getPublicKey().getUserAttributes().hasNext());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java
index 19f8c5ac..0042d14b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/OnePassSignatureBracketingTest.java
@@ -56,8 +56,8 @@ public class OnePassSignatureBracketingTest {
     public void onePassSignaturePacketsAndSignaturesAreBracketedTest()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
 
-        PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
-        PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob", null);
+        PGPSecretKeyRing key1 = PGPainless.generateKeyRing().modernKeyRing("Alice");
+        PGPSecretKeyRing key2 = PGPainless.generateKeyRing().modernKeyRing("Bob");
         PGPPublicKeyRing cert1 = PGPainless.extractCertificate(key1);
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
index d990c4b1..d5cfb4f5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
@@ -54,7 +54,7 @@ public class SignatureSubpacketsUtilTest {
     @Test
     public void testGetKeyExpirationTimeAsDate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Expire", null);
+                .modernKeyRing("Expire");
         Date expiration = Date.from(new Date().toInstant().plus(365, ChronoUnit.DAYS));
         secretKeys = PGPainless.modifyKeyRing(secretKeys)
                 .setExpirationDate(expiration, SecretKeyRingProtector.unprotectedKeys())
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
index 0ab09eb0..945a06a5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
@@ -34,7 +34,7 @@ public class DirectKeySignatureBuilderTest {
     @Test
     public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
 
         DirectKeySignatureBuilder dsb = new DirectKeySignatureBuilder(
                 secretKeys.getSecretKey(),
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
index bfc83df4..ced6a466 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
@@ -30,7 +30,7 @@ public class ThirdPartyCertificationSignatureBuilderTest {
     @Test
     public void testInvalidSignatureTypeThrows() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
         assertThrows(IllegalArgumentException.class, () ->
                 new ThirdPartyCertificationSignatureBuilder(
                         SignatureType.BINARY_DOCUMENT, // invalid type
@@ -41,10 +41,10 @@ public class ThirdPartyCertificationSignatureBuilderTest {
     @Test
     public void testUserIdCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", null);
+                .modernKeyRing("Alice");
 
         PGPPublicKeyRing bobsPublicKeys = PGPainless.extractCertificate(
-                PGPainless.generateKeyRing().modernKeyRing("Bob", null));
+                PGPainless.generateKeyRing().modernKeyRing("Bob"));
 
         ThirdPartyCertificationSignatureBuilder signatureBuilder = new ThirdPartyCertificationSignatureBuilder(
                 secretKeys.getSecretKey(),

From 0b69e18715ae14220e054bebc30a635eef5f5e50 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 9 Jun 2022 00:44:09 +0200
Subject: [PATCH 0482/1450] Experimental support for inline-sign, inline-verify

---
 .../pgpainless/cli/commands/ArmorTest.java    |   4 +-
 .../pgpainless/cli/commands/DearmorTest.java  |   4 +-
 .../DetachInbandSignatureAndMessageTest.java  |   6 +-
 .../cli/commands/SignVerifyTest.java          |   4 +-
 .../misc/SignUsingPublicKeyBehaviorTest.java  |   2 +-
 .../java/org/pgpainless/sop/DecryptImpl.java  |  11 +-
 .../org/pgpainless/sop/DetachedSignImpl.java  |  19 +--
 .../java/org/pgpainless/sop/EncryptImpl.java  |  51 ++++---
 .../org/pgpainless/sop/InlineSignImpl.java    | 124 ++++++++++++++++--
 .../org/pgpainless/sop/InlineVerifyImpl.java  |  71 +++++++++-
 .../java/org/pgpainless/sop/SignTest.java     |  13 --
 11 files changed, 222 insertions(+), 87 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java
index 409d4040..c4644319 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java
@@ -43,7 +43,7 @@ public class ArmorTest {
     @FailOnSystemExit
     public void armorSecretKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
+                .modernKeyRing("alice@pgpainless.org");
         byte[] bytes = secretKey.getEncoded();
 
         System.setIn(new ByteArrayInputStream(bytes));
@@ -59,7 +59,7 @@ public class ArmorTest {
     @FailOnSystemExit
     public void armorPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
+                .modernKeyRing("alice@pgpainless.org");
         PGPPublicKeyRing publicKey = PGPainless.extractCertificate(secretKey);
         byte[] bytes = publicKey.getEncoded();
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java
index ab5e2c7a..4dc43822 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java
@@ -43,7 +43,7 @@ public class DearmorTest {
     @FailOnSystemExit
     public void dearmorSecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
+                .modernKeyRing("alice@pgpainless.org");
         String armored = PGPainless.asciiArmor(secretKey);
 
         System.setIn(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)));
@@ -59,7 +59,7 @@ public class DearmorTest {
     @FailOnSystemExit
     public void dearmorCertificate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org", null);
+                .modernKeyRing("alice@pgpainless.org");
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
         String armored = PGPainless.asciiArmor(certificate);
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java
index 15cf2546..dd7a77d2 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java
@@ -115,7 +115,7 @@ public class DetachInbandSignatureAndMessageTest {
 
         // Detach
         File tempSigFile = new File(tempDir, "sig.out");
-        PGPainlessCLI.main(new String[] {"detach-inband-signature-and-message", "--signatures-out=" + tempSigFile.getAbsolutePath()});
+        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + tempSigFile.getAbsolutePath()});
 
         // Test equality with expected values
         assertEquals(CLEAR_SIGNED_BODY, msgOut.toString());
@@ -150,7 +150,7 @@ public class DetachInbandSignatureAndMessageTest {
 
         // Detach
         File tempSigFile = new File(tempDir, "sig.asc");
-        PGPainlessCLI.main(new String[] {"detach-inband-signature-and-message", "--signatures-out=" + tempSigFile.getAbsolutePath(), "--no-armor"});
+        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + tempSigFile.getAbsolutePath(), "--no-armor"});
 
         // Test equality with expected values
         assertEquals(CLEAR_SIGNED_BODY, msgOut.toString());
@@ -187,7 +187,7 @@ public class DetachInbandSignatureAndMessageTest {
         // Detach
         File existingSigFile = new File(tempDir, "sig.existing");
         assertTrue(existingSigFile.createNewFile());
-        PGPainlessCLI.main(new String[] {"detach-inband-signature-and-message", "--signatures-out=" + existingSigFile.getAbsolutePath()});
+        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + existingSigFile.getAbsolutePath()});
     }
 
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
index 525e3e1d..c207db4e 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
@@ -59,7 +59,7 @@ public class SignVerifyTest {
         File aliceKeyFile = new File(tempDir, "alice.key");
         assertTrue(aliceKeyFile.createNewFile());
         PGPSecretKeyRing aliceKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("alice", null);
+                .modernKeyRing("alice");
         OutputStream aliceKeyOut = new FileOutputStream(aliceKeyFile);
         Streams.pipeAll(new ByteArrayInputStream(aliceKeys.getEncoded()), aliceKeyOut);
         aliceKeyOut.close();
@@ -108,7 +108,7 @@ public class SignVerifyTest {
         String[] split = verification.split(" ");
         OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(aliceKeys);
         OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(new KeyRingInfo(alicePub, new Date()).getSigningSubkeys().get(0));
-        assertEquals(signingKeyFingerprint.toString(), split[1].trim());
+        assertEquals(signingKeyFingerprint.toString(), split[1].trim(), verification);
         assertEquals(primaryKeyFingerprint.toString(), split[2].trim());
 
         // Test micalg output
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
index 0c6eac2b..81562d28 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
@@ -134,7 +134,7 @@ public class SignUsingPublicKeyBehaviorTest {
         assertTrue(sigFile.createNewFile());
         FileOutputStream sigOut = new FileOutputStream(sigFile);
         System.setOut(new PrintStream(sigOut));
-        PGPainlessCLI.execute("sign", "--armor", aliceKeyFile.getAbsolutePath());
+        PGPainlessCLI.main(new String[] {"sign", "--armor", aliceKeyFile.getAbsolutePath()});
 
         System.setIn(originalIn);
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 89eb29db..4c813efe 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -10,9 +10,7 @@ import java.io.OutputStream;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.Date;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@@ -39,7 +37,6 @@ import sop.operation.Decrypt;
 public class DecryptImpl implements Decrypt {
 
     private final ConsumerOptions consumerOptions = new ConsumerOptions();
-    private final Set keys = new HashSet<>();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     @Override
@@ -105,7 +102,8 @@ public class DecryptImpl implements Decrypt {
             PGPSecretKeyRingCollection secretKeyCollection = PGPainless.readKeyRing()
                     .secretKeyRingCollection(keyIn);
             for (PGPSecretKeyRing key : secretKeyCollection) {
-                keys.add(key);
+                protector.addSecretKey(key);
+                consumerOptions.addDecryptionKey(key, protector);
             }
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
@@ -124,10 +122,6 @@ public class DecryptImpl implements Decrypt {
     public ReadyWithResult ciphertext(InputStream ciphertext)
             throws SOPGPException.BadData,
             SOPGPException.MissingArg {
-        for (PGPSecretKeyRing key : keys) {
-            protector.addSecretKey(key);
-            consumerOptions.addDecryptionKey(key, protector);
-        }
 
         if (consumerOptions.getDecryptionKeys().isEmpty() && consumerOptions.getDecryptionPassphrases().isEmpty() && consumerOptions.getSessionKey() == null) {
             throw new SOPGPException.MissingArg("Missing decryption key, passphrase or session key.");
@@ -145,6 +139,7 @@ public class DecryptImpl implements Decrypt {
         } catch (PGPException | IOException e) {
             throw new SOPGPException.BadData(e);
         } finally {
+            // Forget passphrases after decryption
             protector.clear();
         }
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index 3341712a..3b985de6 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -8,6 +8,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -24,9 +25,8 @@ import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
+import org.pgpainless.util.Passphrase;
 import sop.MicAlg;
 import sop.ReadyWithResult;
 import sop.SigningResult;
@@ -39,6 +39,7 @@ public class DetachedSignImpl implements DetachedSign {
     private boolean armor = true;
     private SignAs mode = SignAs.Binary;
     private final SigningOptions signingOptions = new SigningOptions();
+    private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     @Override
     public DetachedSign noArmor() {
@@ -58,11 +59,8 @@ public class DetachedSignImpl implements DetachedSign {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
 
             for (PGPSecretKeyRing key : keys) {
-                KeyRingInfo info = new KeyRingInfo(key);
-                if (!info.isFullyDecrypted()) {
-                    throw new SOPGPException.KeyIsProtected();
-                }
-                signingOptions.addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key, modeToSigType(mode));
+                protector.addSecretKey(key);
+                signingOptions.addDetachedSignature(protector, key, modeToSigType(mode));
             }
         } catch (PGPException | KeyException e) {
             throw new SOPGPException.BadData(e);
@@ -72,7 +70,9 @@ public class DetachedSignImpl implements DetachedSign {
 
     @Override
     public DetachedSign withKeyPassword(byte[] password) {
-        return null;
+        String string = new String(password, Charset.forName("UTF8"));
+        protector.addPassphrase(Passphrase.fromPassword(string));
+        return this;
     }
 
     @Override
@@ -96,6 +96,9 @@ public class DetachedSignImpl implements DetachedSign {
                     signingStream.close();
                     EncryptionResult encryptionResult = signingStream.getResult();
 
+                    // forget passphrases
+                    protector.clear();
+
                     List signatures = new ArrayList<>();
                     for (SubkeyIdentifier key : encryptionResult.getDetachedSignatures().keySet()) {
                         signatures.addAll(encryptionResult.getDetachedSignatures().get(key));
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index bfa80f47..635ab82f 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -8,8 +8,6 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.Charset;
-import java.util.HashSet;
-import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@@ -25,18 +23,16 @@ import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.util.Passphrase;
-import sop.util.ProxyOutputStream;
 import sop.Ready;
 import sop.enums.EncryptAs;
 import sop.exception.SOPGPException;
 import sop.operation.Encrypt;
+import sop.util.ProxyOutputStream;
 
 public class EncryptImpl implements Encrypt {
 
     EncryptionOptions encryptionOptions = new EncryptionOptions();
     SigningOptions signingOptions = null;
-
-    Set signingKeys = new HashSet<>();
     MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     private EncryptAs encryptAs = EncryptAs.Binary;
@@ -55,17 +51,34 @@ public class EncryptImpl implements Encrypt {
     }
 
     @Override
-    public Encrypt signWith(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
+    public Encrypt signWith(InputStream keyIn)
+            throws SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
+        if (signingOptions == null) {
+            signingOptions = SigningOptions.get();
+        }
+
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
             if (keys.size() != 1) {
                 throw new SOPGPException.BadData(new AssertionError("Exactly one secret key at a time expected. Got " + keys.size()));
             }
 
-            if (signingOptions == null) {
-                signingOptions = SigningOptions.get();
+            PGPSecretKeyRing signingKey = keys.iterator().next();
+            protector.addSecretKey(signingKey);
+
+            try {
+                signingOptions.addInlineSignature(
+                        protector,
+                        signingKey,
+                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
+                );
+            } catch (IllegalArgumentException e) {
+                throw new SOPGPException.KeyCannotSign();
+            } catch (WrongPassphraseException e) {
+                throw new SOPGPException.KeyIsProtected();
+            } catch (PGPException e) {
+                throw new SOPGPException.BadData(e);
             }
-            signingKeys.add(keys.getKeyRings().next());
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
@@ -100,26 +113,6 @@ public class EncryptImpl implements Encrypt {
 
     @Override
     public Ready plaintext(InputStream plaintext) throws IOException {
-        for (PGPSecretKeyRing signingKey : signingKeys) {
-            protector.addSecretKey(signingKey);
-        }
-
-        if (signingOptions != null) {
-            try {
-                signingOptions.addInlineSignatures(
-                        protector,
-                        signingKeys,
-                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
-                );
-            } catch (IllegalArgumentException e) {
-                throw new SOPGPException.KeyCannotSign();
-            } catch (WrongPassphraseException e) {
-                throw new SOPGPException.KeyIsProtected();
-            } catch (PGPException e) {
-                throw new SOPGPException.BadData(e);
-            }
-        }
-
         ProducerOptions producerOptions = signingOptions != null ?
                 ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions) :
                 ProducerOptions.encrypt(encryptionOptions);
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index 7eaeaa6f..d7b0c161 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -4,39 +4,139 @@
 
 package org.pgpainless.sop;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.util.io.Streams;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.DocumentSignatureType;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.KeyException;
+import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.util.Passphrase;
+import sop.MicAlg;
 import sop.ReadyWithResult;
 import sop.SigningResult;
 import sop.enums.InlineSignAs;
 import sop.exception.SOPGPException;
-import sop.operation.DetachedSign;
 import sop.operation.InlineSign;
 
-import java.io.IOException;
-import java.io.InputStream;
-
 public class InlineSignImpl implements InlineSign {
+
+    private boolean armor = true;
+    private InlineSignAs mode = InlineSignAs.Binary;
+    private final SigningOptions signingOptions = new SigningOptions();
+    private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+
     @Override
-    public DetachedSign mode(InlineSignAs mode) throws SOPGPException.UnsupportedOption {
-        return null;
+    public InlineSign mode(InlineSignAs mode) throws SOPGPException.UnsupportedOption {
+        this.mode = mode;
+        return this;
     }
 
     @Override
-    public DetachedSign noArmor() {
-        return null;
+    public InlineSign noArmor() {
+        this.armor = false;
+        return this;
     }
 
     @Override
-    public InlineSign key(InputStream key) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
-        return null;
+    public InlineSign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
+        try {
+            PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
+
+            for (PGPSecretKeyRing key : keys) {
+                protector.addSecretKey(key);
+                if (mode == InlineSignAs.CleartextSigned) {
+                    signingOptions.addDetachedSignature(protector, key, DocumentSignatureType.BINARY_DOCUMENT);
+                } else {
+                    signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
+                }
+            }
+        } catch (PGPException | KeyException e) {
+            throw new SOPGPException.BadData(e);
+        }
+        return this;
     }
 
     @Override
     public InlineSign withKeyPassword(byte[] password) {
-        return null;
+        String string = new String(password, Charset.forName("UTF8"));
+        protector.addPassphrase(Passphrase.fromPassword(string));
+        return this;
     }
 
     @Override
     public ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText {
-        return null;
+
+        ProducerOptions producerOptions = ProducerOptions.sign(signingOptions);
+        if (mode == InlineSignAs.CleartextSigned) {
+            producerOptions.setCleartextSigned();
+            producerOptions.setAsciiArmor(true);
+        } else {
+            producerOptions.setAsciiArmor(armor);
+        }
+
+        return new ReadyWithResult() {
+            @Override
+            public SigningResult writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
+                try {
+                    EncryptionStream signingStream = PGPainless.encryptAndOrSign()
+                            .onOutputStream(outputStream)
+                            .withOptions(producerOptions);
+
+                    if (signingStream.isClosed()) {
+                        throw new IllegalStateException("EncryptionStream is already closed.");
+                    }
+
+                    Streams.pipeAll(data, signingStream);
+                    signingStream.close();
+                    EncryptionResult encryptionResult = signingStream.getResult();
+
+                    // forget passphrases
+                    protector.clear();
+
+                    List signatures = new ArrayList<>();
+                    for (SubkeyIdentifier key : encryptionResult.getDetachedSignatures().keySet()) {
+                        signatures.addAll(encryptionResult.getDetachedSignatures().get(key));
+                    }
+
+                    return SigningResult.builder()
+                            .setMicAlg(micAlgFromSignatures(signatures))
+                            .build();
+                } catch (PGPException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        };
+    }
+
+    private MicAlg micAlgFromSignatures(Iterable signatures) {
+        int algorithmId = 0;
+        for (PGPSignature signature : signatures) {
+            int sigAlg = signature.getHashAlgorithm();
+            if (algorithmId == 0 || algorithmId == sigAlg) {
+                algorithmId = sigAlg;
+            } else {
+                return MicAlg.empty();
+            }
+        }
+        return algorithmId == 0 ? MicAlg.empty() : MicAlg.fromHashAlgorithmId(algorithmId);
+    }
+
+    private static DocumentSignatureType modeToSigType(InlineSignAs mode) {
+        return mode == InlineSignAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT
+                : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT;
     }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index a230e0fd..7c1f7ce2 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -4,6 +4,15 @@
 
 package org.pgpainless.sop;
 
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.util.io.Streams;
+import org.pgpainless.PGPainless;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.key.SubkeyIdentifier;
 import sop.ReadyWithResult;
 import sop.Verification;
 import sop.exception.SOPGPException;
@@ -11,27 +20,75 @@ import sop.operation.InlineVerify;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 
 public class InlineVerifyImpl implements InlineVerify {
-    @Override
-    public ReadyWithResult> data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
-        return null;
-    }
+
+    private final ConsumerOptions options = new ConsumerOptions();
 
     @Override
     public InlineVerify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
-        return null;
+        options.verifyNotBefore(timestamp);
+        return this;
     }
 
     @Override
     public InlineVerify notAfter(Date timestamp) throws SOPGPException.UnsupportedOption {
-        return null;
+        options.verifyNotAfter(timestamp);
+        return this;
     }
 
     @Override
     public InlineVerify cert(InputStream cert) throws SOPGPException.BadData {
-        return null;
+        PGPPublicKeyRingCollection certificates;
+        try {
+            certificates = PGPainless.readKeyRing().publicKeyRingCollection(cert);
+        } catch (IOException | PGPException e) {
+            throw new SOPGPException.BadData(e);
+        }
+        options.addVerificationCerts(certificates);
+        return this;
+    }
+
+    @Override
+    public ReadyWithResult> data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
+        return new ReadyWithResult>() {
+            @Override
+            public List writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
+                DecryptionStream decryptionStream;
+                try {
+                    decryptionStream = PGPainless.decryptAndOrVerify()
+                            .onInputStream(data)
+                            .withOptions(options);
+
+                    Streams.pipeAll(decryptionStream, outputStream);
+                    decryptionStream.close();
+
+                    OpenPgpMetadata metadata = decryptionStream.getResult();
+                    List verificationList = new ArrayList<>();
+
+                    for (SubkeyIdentifier verifiedSigningKey : metadata.getVerifiedSignatures().keySet()) {
+                        PGPSignature signature = metadata.getVerifiedSignatures().get(verifiedSigningKey);
+                        verificationList.add(new Verification(
+                                signature.getCreationTime(),
+                                verifiedSigningKey.getSubkeyFingerprint().toString(),
+                                verifiedSigningKey.getPrimaryKeyFingerprint().toString()));
+                    }
+
+                    if (!options.getCertificates().isEmpty()) {
+                        if (verificationList.isEmpty()) {
+                            throw new SOPGPException.NoSignature();
+                        }
+                    }
+
+                    return verificationList;
+                } catch (PGPException e) {
+                    throw new SOPGPException.BadData(e);
+                }
+            }
+        };
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
index 4736002f..7e2d55dd 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
@@ -11,17 +11,13 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Date;
 import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.signature.SignatureUtils;
 import sop.SOP;
@@ -128,13 +124,4 @@ public class SignTest {
         assertEquals(SignatureType.CANONICAL_TEXT_DOCUMENT.getCode(), sig.getSignatureType());
     }
 
-    @Test
-    public void rejectEncryptedKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing key = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice", "passphrase");
-        byte[] bytes = key.getEncoded();
-
-        assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.sign().key(bytes));
-    }
-
 }

From 53df487e59df397220759e52e9f62648e042883b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 10 Jun 2022 17:43:51 +0200
Subject: [PATCH 0483/1450] Adopt changes from SOP-Java and add test for using
 incapable keys

---
 .../misc/SignUsingPublicKeyBehaviorTest.java  |  2 +-
 .../org/pgpainless/key/info/KeyRingInfo.java  | 27 ++++++++
 .../java/org/pgpainless/sop/DearmorImpl.java  |  8 ++-
 .../org/pgpainless/sop/DetachedSignImpl.java  |  7 +-
 .../java/org/pgpainless/sop/EncryptImpl.java  |  3 +
 .../org/pgpainless/sop/InlineSignImpl.java    | 64 +++++++-----------
 .../org/pgpainless/sop/IncapableKeysTest.java | 67 +++++++++++++++++++
 7 files changed, 137 insertions(+), 41 deletions(-)
 create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
index 81562d28..affe621e 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/misc/SignUsingPublicKeyBehaviorTest.java
@@ -99,7 +99,7 @@ public class SignUsingPublicKeyBehaviorTest {
     }
 
     @Test
-    @ExpectSystemExitWithStatus(SOPGPException.BadData.EXIT_CODE)
+    @ExpectSystemExitWithStatus(SOPGPException.KeyCannotSign.EXIT_CODE)
     public void testSignatureCreationAndVerification() throws IOException {
         originalSout = System.out;
         InputStream originalIn = System.in;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 3ea2f424..b73087b4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -21,6 +21,7 @@ import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
+import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.sig.PrimaryUserID;
 import org.bouncycastle.bcpg.sig.RevocationReason;
 import org.bouncycastle.openpgp.PGPKeyRing;
@@ -1039,6 +1040,32 @@ public class KeyRingInfo {
         return !getEncryptionSubkeys(purpose).isEmpty();
     }
 
+    public boolean isUsableForSigning() {
+        List signingKeys = getSigningSubkeys();
+        for (PGPPublicKey pk : signingKeys) {
+            PGPSecretKey sk = getSecretKey(pk.getKeyID());
+            if (sk == null) {
+                // Missing secret key
+                continue;
+            }
+            S2K s2K = sk.getS2K();
+            // Unencrypted key
+            if (s2K == null) {
+                return true;
+            }
+
+            // Secret key on smart-card
+            int s2kType = s2K.getType();
+            if (s2kType >= 100 && s2kType <= 110) {
+                continue;
+            }
+            // protected secret key
+            return true;
+        }
+        // No usable secret key found
+        return false;
+    }
+
     private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) {
         if (getPublicKey(keyID) == null) {
             throw new NoSuchElementException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
index 1cebec6e..ac53d415 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
@@ -12,13 +12,19 @@ import java.io.OutputStream;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.util.io.Streams;
 import sop.Ready;
+import sop.exception.SOPGPException;
 import sop.operation.Dearmor;
 
 public class DearmorImpl implements Dearmor {
 
     @Override
     public Ready data(InputStream data) throws IOException {
-        InputStream decoder = PGPUtil.getDecoderStream(data);
+        InputStream decoder;
+        try {
+            decoder = PGPUtil.getDecoderStream(data);
+        } catch (IOException e) {
+            throw new SOPGPException.BadData(e);
+        }
         return new Ready() {
 
             @Override
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index 3b985de6..704b5af5 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -25,6 +25,7 @@ import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import org.pgpainless.util.Passphrase;
 import sop.MicAlg;
@@ -54,11 +55,15 @@ public class DetachedSignImpl implements DetachedSign {
     }
 
     @Override
-    public DetachedSign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
+    public DetachedSign key(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
 
             for (PGPSecretKeyRing key : keys) {
+                KeyRingInfo info = PGPainless.inspectKeyRing(key);
+                if (!info.isUsableForSigning()) {
+                    throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
+                }
                 protector.addSecretKey(key);
                 signingOptions.addDetachedSignature(protector, key, modeToSigType(mode));
             }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 635ab82f..3c5f8e8a 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -21,6 +21,7 @@ import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.KeyException;
 import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.util.Passphrase;
 import sop.Ready;
@@ -105,6 +106,8 @@ public class EncryptImpl implements Encrypt {
                     .keyRingCollection(cert, false)
                     .getPgpPublicKeyRingCollection();
             encryptionOptions.addRecipients(certificates);
+        } catch (KeyException.UnacceptableEncryptionKeyException e) {
+            throw new SOPGPException.CertCannotEncrypt(e.getMessage(), e);
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index d7b0c161..639d8c6e 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -14,20 +14,17 @@ import java.util.List;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
-import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.KeyException;
-import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
-import sop.MicAlg;
-import sop.ReadyWithResult;
-import sop.SigningResult;
+import sop.Ready;
 import sop.enums.InlineSignAs;
 import sop.exception.SOPGPException;
 import sop.operation.InlineSign;
@@ -38,6 +35,7 @@ public class InlineSignImpl implements InlineSign {
     private InlineSignAs mode = InlineSignAs.Binary;
     private final SigningOptions signingOptions = new SigningOptions();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+    private final List signingKeys = new ArrayList<>();
 
     @Override
     public InlineSign mode(InlineSignAs mode) throws SOPGPException.UnsupportedOption {
@@ -52,17 +50,17 @@ public class InlineSignImpl implements InlineSign {
     }
 
     @Override
-    public InlineSign key(InputStream keyIn) throws SOPGPException.KeyIsProtected, SOPGPException.BadData, IOException {
+    public InlineSign key(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
         try {
             PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
 
             for (PGPSecretKeyRing key : keys) {
-                protector.addSecretKey(key);
-                if (mode == InlineSignAs.CleartextSigned) {
-                    signingOptions.addDetachedSignature(protector, key, DocumentSignatureType.BINARY_DOCUMENT);
-                } else {
-                    signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
+                KeyRingInfo info = PGPainless.inspectKeyRing(key);
+                if (!info.isUsableForSigning()) {
+                    throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
                 }
+                protector.addSecretKey(key);
+                signingKeys.add(key);
             }
         } catch (PGPException | KeyException e) {
             throw new SOPGPException.BadData(e);
@@ -78,7 +76,20 @@ public class InlineSignImpl implements InlineSign {
     }
 
     @Override
-    public ReadyWithResult data(InputStream data) throws IOException, SOPGPException.ExpectedText {
+    public Ready data(InputStream data) throws SOPGPException.KeyIsProtected, IOException, SOPGPException.ExpectedText {
+        for (PGPSecretKeyRing key : signingKeys) {
+            try {
+                if (mode == InlineSignAs.CleartextSigned) {
+                    signingOptions.addDetachedSignature(protector, key, DocumentSignatureType.BINARY_DOCUMENT);
+                } else {
+                    signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
+                }
+            } catch (KeyException.UnacceptableSigningKeyException | KeyException.MissingSecretKeyException e) {
+                throw new SOPGPException.KeyCannotSign("Key " + OpenPgpFingerprint.of(key) + " cannot sign.", e);
+            } catch (PGPException e) {
+                throw new SOPGPException.KeyIsProtected("Key " + OpenPgpFingerprint.of(key) + " cannot be unlocked.", e);
+            }
+        }
 
         ProducerOptions producerOptions = ProducerOptions.sign(signingOptions);
         if (mode == InlineSignAs.CleartextSigned) {
@@ -88,9 +99,9 @@ public class InlineSignImpl implements InlineSign {
             producerOptions.setAsciiArmor(armor);
         }
 
-        return new ReadyWithResult() {
+        return new Ready() {
             @Override
-            public SigningResult writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
+            public void writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
                 try {
                     EncryptionStream signingStream = PGPainless.encryptAndOrSign()
                             .onOutputStream(outputStream)
@@ -102,19 +113,9 @@ public class InlineSignImpl implements InlineSign {
 
                     Streams.pipeAll(data, signingStream);
                     signingStream.close();
-                    EncryptionResult encryptionResult = signingStream.getResult();
 
                     // forget passphrases
                     protector.clear();
-
-                    List signatures = new ArrayList<>();
-                    for (SubkeyIdentifier key : encryptionResult.getDetachedSignatures().keySet()) {
-                        signatures.addAll(encryptionResult.getDetachedSignatures().get(key));
-                    }
-
-                    return SigningResult.builder()
-                            .setMicAlg(micAlgFromSignatures(signatures))
-                            .build();
                 } catch (PGPException e) {
                     throw new RuntimeException(e);
                 }
@@ -122,19 +123,6 @@ public class InlineSignImpl implements InlineSign {
         };
     }
 
-    private MicAlg micAlgFromSignatures(Iterable signatures) {
-        int algorithmId = 0;
-        for (PGPSignature signature : signatures) {
-            int sigAlg = signature.getHashAlgorithm();
-            if (algorithmId == 0 || algorithmId == sigAlg) {
-                algorithmId = sigAlg;
-            } else {
-                return MicAlg.empty();
-            }
-        }
-        return algorithmId == 0 ? MicAlg.empty() : MicAlg.fromHashAlgorithmId(algorithmId);
-    }
-
     private static DocumentSignatureType modeToSigType(InlineSignAs mode) {
         return mode == InlineSignAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT
                 : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT;
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java
new file mode 100644
index 00000000..a50acee1
--- /dev/null
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java
@@ -0,0 +1,67 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.ecc.EllipticCurve;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import org.pgpainless.util.ArmorUtils;
+import sop.SOP;
+import sop.exception.SOPGPException;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class IncapableKeysTest {
+
+    private static byte[] nonSigningKey;
+    private static byte[] nonEncryptionKey;
+    private static byte[] nonSigningCert;
+    private static byte[] nonEncryptionCert;
+
+    private static final SOP sop = new SOPImpl();
+
+    @BeforeAll
+    public static void generateKeys() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing key = PGPainless.buildKeyRing()
+                .addSubkey(KeySpec.getBuilder(KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .addUserId("Non Signing ")
+                .build();
+        nonSigningKey = ArmorUtils.toAsciiArmoredString(key).getBytes(StandardCharsets.UTF_8);
+        nonSigningCert = sop.extractCert().key(nonSigningKey).getBytes();
+
+        key = PGPainless.buildKeyRing()
+                .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .addUserId("Non Encryption ")
+                .build();
+        nonEncryptionKey = ArmorUtils.toAsciiArmoredString(key).getBytes(StandardCharsets.UTF_8);
+        nonEncryptionCert = sop.extractCert().key(nonEncryptionKey).getBytes();
+    }
+
+    @Test
+    public void encryptionToNonEncryptionKeyFails() {
+        assertThrows(SOPGPException.CertCannotEncrypt.class, () -> sop.encrypt().withCert(nonEncryptionCert));
+    }
+
+    @Test
+    public void signingWithNonSigningKeyFails() {
+        assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.sign().key(nonSigningKey));
+        assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.detachedSign().key(nonSigningKey));
+        assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.inlineSign().key(nonSigningKey));
+    }
+}

From a3b2070e76799a28930ee92ee5e93687e30d8e7a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 11 Jun 2022 11:22:56 +0200
Subject: [PATCH 0484/1450] Rename test and reference exit codes directly

---
 .../src/test/java/org/pgpainless/cli/ExitCodeTest.java       | 5 +++--
 ...andSignatureAndMessageTest.java => InlineDetachTest.java} | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{DetachInbandSignatureAndMessageTest.java => InlineDetachTest.java} (99%)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java
index aa3d7d5b..07c9bf68 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/ExitCodeTest.java
@@ -7,17 +7,18 @@ package org.pgpainless.cli;
 import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
 import com.ginsberg.junit.exit.FailOnSystemExit;
 import org.junit.jupiter.api.Test;
+import sop.exception.SOPGPException;
 
 public class ExitCodeTest {
 
     @Test
-    @ExpectSystemExitWithStatus(69)
+    @ExpectSystemExitWithStatus(SOPGPException.UnsupportedSubcommand.EXIT_CODE)
     public void testUnknownCommand_69() {
         PGPainlessCLI.main(new String[] {"generate-kex"});
     }
 
     @Test
-    @ExpectSystemExitWithStatus(37)
+    @ExpectSystemExitWithStatus(SOPGPException.UnsupportedOption.EXIT_CODE)
     public void testCommandWithUnknownOption_37() {
         PGPainlessCLI.main(new String[] {"generate-key", "-k", "\"k is unknown\""});
     }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java
similarity index 99%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java
index dd7a77d2..07a212fc 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DetachInbandSignatureAndMessageTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java
@@ -28,7 +28,7 @@ import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.cli.TestUtils;
 import sop.exception.SOPGPException;
 
-public class DetachInbandSignatureAndMessageTest {
+public class InlineDetachTest {
 
     private PrintStream originalSout;
     private static File tempDir;

From 7074ff5f2f18edc3a35053ec17433b3c58b7a3d3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 11 Jun 2022 11:45:54 +0200
Subject: [PATCH 0485/1450] Rename command tests and add generate-key test for
 encrypted keys

---
 .../{ArmorTest.java => ArmorCmdTest.java}     |   2 +-
 .../{DearmorTest.java => DearmorCmdTest.java} |   2 +-
 ...tCertTest.java => ExtractCertCmdTest.java} |   2 +-
 .../cli/commands/GenerateCertCmdTest.java     | 114 ++++++++++++++++++
 .../cli/commands/GenerateCertTest.java        |  53 --------
 ...tachTest.java => InlineDetachCmdTest.java} |   2 +-
 ...va => RoundTripEncryptDecryptCmdTest.java} |   2 +-
 ...t.java => RoundTripSignVerifyCmdTest.java} |   2 +-
 8 files changed, 120 insertions(+), 59 deletions(-)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{ArmorTest.java => ArmorCmdTest.java} (99%)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{DearmorTest.java => DearmorCmdTest.java} (99%)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{ExtractCertTest.java => ExtractCertCmdTest.java} (98%)
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
 delete mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{InlineDetachTest.java => InlineDetachCmdTest.java} (99%)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{EncryptDecryptTest.java => RoundTripEncryptDecryptCmdTest.java} (98%)
 rename pgpainless-cli/src/test/java/org/pgpainless/cli/commands/{SignVerifyTest.java => RoundTripSignVerifyCmdTest.java} (99%)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
similarity index 99%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
index c4644319..711796e6 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
@@ -25,7 +25,7 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.cli.PGPainlessCLI;
 
-public class ArmorTest {
+public class ArmorCmdTest {
 
     private static PrintStream originalSout;
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
similarity index 99%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index 4dc43822..a49f4db1 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -25,7 +25,7 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.cli.PGPainlessCLI;
 
-public class DearmorTest {
+public class DearmorCmdTest {
 
     private PrintStream originalSout;
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
similarity index 98%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
index 6f746445..1d20fb0e 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
@@ -23,7 +23,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.key.info.KeyRingInfo;
 
-public class ExtractCertTest {
+public class ExtractCertCmdTest {
 
     @Test
     @FailOnSystemExit
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
new file mode 100644
index 00000000..8534decb
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
@@ -0,0 +1,114 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.pgpainless.cli.TestUtils.ARMOR_PRIVATE_KEY_HEADER_BYTES;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+
+import com.ginsberg.junit.exit.FailOnSystemExit;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.cli.PGPainlessCLI;
+import org.pgpainless.key.info.KeyInfo;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+
+public class GenerateCertCmdTest {
+
+    @Test
+    @FailOnSystemExit
+    public void testKeyGeneration() throws IOException, PGPException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        System.setOut(new PrintStream(out));
+        PGPainlessCLI.execute("generate-key", "--armor", "Juliet Capulet ");
+
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(out.toByteArray());
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        assertTrue(info.isFullyDecrypted());
+        assertTrue(info.isUserIdValid("Juliet Capulet "));
+
+        for (PGPSecretKey key : secretKeys) {
+            assertTrue(testPassphrase(key, null));
+        }
+
+        byte[] outBegin = new byte[37];
+        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
+        assertArrayEquals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES);
+    }
+
+    @Test
+    @FailOnSystemExit
+    public void testGenerateKeyWithPassword() throws IOException, PGPException {
+        PrintStream orig = System.out;
+        try {
+            // Write password to file
+            Path tempDir = Files.createTempDirectory("genkey");
+            File passwordFile = new File(tempDir.toFile(), "password");
+            passwordFile.createNewFile();
+            passwordFile.deleteOnExit();
+            FileOutputStream fileOut = new FileOutputStream(passwordFile);
+            fileOut.write("sw0rdf1sh".getBytes(StandardCharsets.UTF_8));
+            fileOut.flush();
+            fileOut.close();
+
+            ByteArrayOutputStream out = new ByteArrayOutputStream();
+            System.setOut(new PrintStream(out));
+            PGPainlessCLI.execute("generate-key", "Juliet Capulet ",
+                    "--with-key-password", passwordFile.getAbsolutePath());
+
+            PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(out.toByteArray());
+            KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+            assertFalse(info.isFullyDecrypted());
+            assertTrue(info.isFullyEncrypted());
+
+            for (PGPSecretKey key : secretKeys) {
+                assertTrue(testPassphrase(key, "sw0rdf1sh"));
+            }
+        } finally {
+            System.setOut(orig);
+        }
+    }
+
+    private boolean testPassphrase(PGPSecretKey key, String passphrase) throws PGPException {
+        if (KeyInfo.isEncrypted(key)) {
+            UnlockSecretKey.unlockSecretKey(key, Passphrase.fromPassword(passphrase));
+        } else {
+            if (passphrase != null) {
+                return false;
+            }
+            UnlockSecretKey.unlockSecretKey(key, (PBESecretKeyDecryptor) null);
+        }
+        return true;
+    }
+
+    @Test
+    @FailOnSystemExit
+    public void testNoArmor() {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        System.setOut(new PrintStream(out));
+        PGPainlessCLI.execute("generate-key", "--no-armor", "Test ");
+
+        byte[] outBegin = new byte[37];
+        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
+        assertFalse(Arrays.equals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES));
+    }
+}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java
deleted file mode 100644
index 4c0e5fa1..00000000
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertTest.java
+++ /dev/null
@@ -1,53 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.cli.commands;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.pgpainless.cli.TestUtils.ARMOR_PRIVATE_KEY_HEADER_BYTES;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.Arrays;
-
-import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
-import org.pgpainless.key.info.KeyRingInfo;
-
-public class GenerateCertTest {
-
-    @Test
-    @FailOnSystemExit
-    public void testKeyGeneration() throws IOException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("generate-key", "--armor", "Juliet Capulet ");
-
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(out.toByteArray());
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
-        assertTrue(info.isUserIdValid("Juliet Capulet "));
-
-        byte[] outBegin = new byte[37];
-        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
-        assertArrayEquals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES);
-    }
-
-    @Test
-    @FailOnSystemExit
-    public void testNoArmor() {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("generate-key", "--no-armor", "Test ");
-
-        byte[] outBegin = new byte[37];
-        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
-        assertFalse(Arrays.equals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES));
-    }
-}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
similarity index 99%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
index 07a212fc..aed4c581 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
@@ -28,7 +28,7 @@ import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.cli.TestUtils;
 import sop.exception.SOPGPException;
 
-public class InlineDetachTest {
+public class InlineDetachCmdTest {
 
     private PrintStream originalSout;
     private static File tempDir;
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
similarity index 98%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
index 4e655864..dba9f47b 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/EncryptDecryptTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
@@ -24,7 +24,7 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.cli.TestUtils;
 
-public class EncryptDecryptTest {
+public class RoundTripEncryptDecryptCmdTest {
 
     private static File tempDir;
     private static PrintStream originalSout;
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
similarity index 99%
rename from pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
rename to pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
index c207db4e..0fce1273 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/SignVerifyTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
@@ -39,7 +39,7 @@ import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.util.KeyRingUtils;
 
-public class SignVerifyTest {
+public class RoundTripSignVerifyCmdTest {
 
     private static File tempDir;
     private static PrintStream originalSout;

From 3f16c5486793c8fadbf5f198afb216dd31a7d6a2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 11 Jun 2022 11:55:58 +0200
Subject: [PATCH 0486/1450] Create test util to write data to temp file

---
 .../test/java/org/pgpainless/cli/TestUtils.java    | 12 ++++++++++++
 .../cli/commands/GenerateCertCmdTest.java          | 14 +++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java
index 16e1937c..8fca7381 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/TestUtils.java
@@ -11,6 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
@@ -40,6 +41,17 @@ public class TestUtils {
         return dir;
     }
 
+    public static File writeTempFile(File tempDir, byte[] value) throws IOException {
+        File tempFile = new File(tempDir, randomString(10));
+        tempFile.createNewFile();
+        tempFile.deleteOnExit();
+        FileOutputStream fileOutputStream = new FileOutputStream(tempFile);
+        fileOutputStream.write(value);
+        fileOutputStream.flush();
+        fileOutputStream.close();
+        return tempFile;
+    }
+
     private static String randomString(int length) {
         StringBuilder sb = new StringBuilder();
         for (int i = 0; i < length; i++) {
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
index 8534decb..63afc39f 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
@@ -11,12 +11,9 @@ import static org.pgpainless.cli.TestUtils.ARMOR_PRIVATE_KEY_HEADER_BYTES;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Path;
 import java.util.Arrays;
 
 import com.ginsberg.junit.exit.FailOnSystemExit;
@@ -27,6 +24,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.cli.PGPainlessCLI;
+import org.pgpainless.cli.TestUtils;
 import org.pgpainless.key.info.KeyInfo;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.UnlockSecretKey;
@@ -61,14 +59,8 @@ public class GenerateCertCmdTest {
         PrintStream orig = System.out;
         try {
             // Write password to file
-            Path tempDir = Files.createTempDirectory("genkey");
-            File passwordFile = new File(tempDir.toFile(), "password");
-            passwordFile.createNewFile();
-            passwordFile.deleteOnExit();
-            FileOutputStream fileOut = new FileOutputStream(passwordFile);
-            fileOut.write("sw0rdf1sh".getBytes(StandardCharsets.UTF_8));
-            fileOut.flush();
-            fileOut.close();
+            File tempDir = TestUtils.createTempDirectory();
+            File passwordFile = TestUtils.writeTempFile(tempDir, "sw0rdf1sh".getBytes(StandardCharsets.UTF_8));
 
             ByteArrayOutputStream out = new ByteArrayOutputStream();
             System.setOut(new PrintStream(out));

From 2d60650cc6e8c62362bf2e49b56950c4ebcd8599 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 16 Jun 2022 13:09:42 +0200
Subject: [PATCH 0487/1450] Progress on SOP04 support

---
 .../ClearsignedMessageUtil.java               |  8 +-
 .../org/pgpainless/sop/InlineDetachImpl.java  |  2 +-
 .../{SignTest.java => DetachedSignTest.java}  |  2 +-
 ...MessageTest.java => InlineDetachTest.java} | 57 +++++++++----
 .../sop/InlineSignVerifyRoundtripTest.java    | 81 +++++++++++++++++++
 5 files changed, 131 insertions(+), 19 deletions(-)
 rename pgpainless-sop/src/test/java/org/pgpainless/sop/{SignTest.java => DetachedSignTest.java} (99%)
 rename pgpainless-sop/src/test/java/org/pgpainless/sop/{DetachInbandSignatureAndMessageTest.java => InlineDetachTest.java} (59%)
 create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
index ee166c99..cd0f6b35 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/cleartext_signatures/ClearsignedMessageUtil.java
@@ -42,7 +42,13 @@ public final class ClearsignedMessageUtil {
     public static PGPSignatureList detachSignaturesFromInbandClearsignedMessage(InputStream clearsignedInputStream,
                                                                                 OutputStream messageOutputStream)
             throws IOException, WrongConsumingMethodException {
-        ArmoredInputStream in = ArmoredInputStreamFactory.get(clearsignedInputStream);
+        ArmoredInputStream in;
+        if (clearsignedInputStream instanceof ArmoredInputStream) {
+            in = (ArmoredInputStream) clearsignedInputStream;
+        } else {
+            in = ArmoredInputStreamFactory.get(clearsignedInputStream);
+        }
+
         if (!in.isClearText()) {
             throw new WrongConsumingMethodException("Message is not using the Cleartext Signature Framework.");
         }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
index f23434c2..517f9e9e 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
@@ -14,8 +14,8 @@ import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.util.io.Streams;
-import org.pgpainless.exception.WrongConsumingMethodException;
 import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
+import org.pgpainless.exception.WrongConsumingMethodException;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.ReadyWithResult;
 import sop.Signatures;
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
similarity index 99%
rename from pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
rename to pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
index 7e2d55dd..c6fcc267 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/SignTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
@@ -25,7 +25,7 @@ import sop.Verification;
 import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 
-public class SignTest {
+public class DetachedSignTest {
 
     private static SOP sop;
     private static byte[] key;
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
similarity index 59%
rename from pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java
rename to pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
index b76f069c..9df0345a 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachInbandSignatureAndMessageTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
@@ -29,12 +29,13 @@ import sop.ByteArrayAndResult;
 import sop.SOP;
 import sop.Signatures;
 import sop.Verification;
+import sop.enums.InlineSignAs;
 
-public class DetachInbandSignatureAndMessageTest {
+public class InlineDetachTest {
 
+    private static final SOP sop = new SOPImpl();
     @Test
-    public void testDetachingOfInbandSignaturesAndMessage() throws IOException, PGPException {
-        SOP sop = new SOPImpl();
+    public void detachCleartextSignedMessage() throws IOException {
         byte[] key = sop.generateKey()
                 .userId("Alice ")
                 .generate()
@@ -44,22 +45,15 @@ public class DetachInbandSignatureAndMessageTest {
 
         // Create a cleartext signed message
         byte[] data = "Hello, World\n".getBytes(StandardCharsets.UTF_8);
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        EncryptionStream signingStream = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
-                .withOptions(
-                        ProducerOptions.sign(
-                                SigningOptions.get()
-                                        .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(),
-                                                secretKey, DocumentSignatureType.BINARY_DOCUMENT)
-                        ).setCleartextSigned());
-
-        Streams.pipeAll(new ByteArrayInputStream(data), signingStream);
-        signingStream.close();
+        byte[] cleartextSigned = sop.inlineSign()
+                .key(key)
+                .withKeyPassword("sw0rdf1sh")
+                .mode(InlineSignAs.CleartextSigned)
+                .data(data).getBytes();
 
         // actually detach the message
         ByteArrayAndResult detachedMsg = sop.inlineDetach()
-                .message(out.toByteArray())
+                .message(cleartextSigned)
                 .toByteArrayAndResult();
 
         byte[] message = detachedMsg.getBytes();
@@ -75,4 +69,35 @@ public class DetachInbandSignatureAndMessageTest {
         assertEquals(new OpenPgpV4Fingerprint(secretKey).toString(), verificationList.get(0).getSigningCertFingerprint());
         assertArrayEquals(data, message);
     }
+
+    @Test
+    public void detachInbandSignedMessage() throws IOException {
+        byte[] key = sop.generateKey()
+                .userId("Alice ")
+                .generate()
+                .getBytes();
+        byte[] cert = sop.extractCert().key(key).getBytes();
+
+        byte[] data = "Hello, World\n".getBytes(StandardCharsets.UTF_8);
+        byte[] inlineSigned = sop.inlineSign()
+                .key(key)
+                .data(data).getBytes();
+
+        // actually detach the message
+        ByteArrayAndResult detachedMsg = sop.inlineDetach()
+                .message(inlineSigned)
+                .toByteArrayAndResult();
+
+        byte[] message = detachedMsg.getBytes();
+        byte[] signature = detachedMsg.getResult().getBytes();
+
+        List verificationList = sop.verify()
+                .cert(cert)
+                .signatures(signature)
+                .data(message);
+
+        assertFalse(verificationList.isEmpty());
+        assertEquals(1, verificationList.size());
+        assertArrayEquals(data, message);
+    }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
new file mode 100644
index 00000000..ee892501
--- /dev/null
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
@@ -0,0 +1,81 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import org.junit.jupiter.api.Test;
+import sop.ByteArrayAndResult;
+import sop.SOP;
+import sop.Verification;
+import sop.enums.InlineSignAs;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+public class InlineSignVerifyRoundtripTest {
+
+    private static final SOP sop = new SOPImpl();
+
+    @Test
+    public void testInlineSignAndVerifyWithCleartextSignatures() throws IOException {
+        byte[] key = sop.generateKey()
+                .userId("Werner")
+                .withKeyPassword("sw0rdf1sh")
+                .generate().getBytes();
+
+        byte[] cert = sop.extractCert()
+                .key(key).getBytes();
+
+        byte[] message = "If you want something different, create a new protocol but don't try to\npush it onto a working system.\n".getBytes(StandardCharsets.UTF_8);
+
+        byte[] inlineSigned = sop.inlineSign()
+                .key(key)
+                .withKeyPassword("sw0rdf1sh")
+                .mode(InlineSignAs.CleartextSigned)
+                .data(message).getBytes();
+
+        ByteArrayAndResult> result = sop.inlineVerify()
+                .cert(cert)
+                .data(inlineSigned)
+                .toByteArrayAndResult();
+
+        byte[] verified = result.getBytes();
+
+        assertFalse(result.getResult().isEmpty());
+        assertArrayEquals(message, verified);
+    }
+
+    @Test
+    public void testInlineSignAndVerifyWithBinarySignatures() throws IOException {
+        byte[] key = sop.generateKey()
+                .userId("Werner")
+                .withKeyPassword("sw0rdf1sh")
+                .generate().getBytes();
+
+        byte[] cert = sop.extractCert()
+                .key(key).getBytes();
+
+        byte[] message = "Yes, this is what has been deployed worldwide for years in millions of\ninstallations (decryption wise) and is meanwhile in active use.\n".getBytes(StandardCharsets.UTF_8);
+
+        byte[] inlineSigned = sop.inlineSign()
+                .key(key)
+                .withKeyPassword("sw0rdf1sh")
+                .data(message).getBytes();
+
+        ByteArrayAndResult> result = sop.inlineVerify()
+                .cert(cert)
+                .data(inlineSigned)
+                .toByteArrayAndResult();
+
+        byte[] verified = result.getBytes();
+
+        assertFalse(result.getResult().isEmpty());
+        assertArrayEquals(message, verified);
+    }
+
+}

From 5375cd454f5f0c9943343508453a2568eab59d14 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 16:56:32 +0200
Subject: [PATCH 0488/1450] Implement inline-detach for 3 different types of
 input

---
 .../org/pgpainless/sop/InlineDetachImpl.java  |  85 +++++++++++++-
 .../org/pgpainless/sop/InlineDetachTest.java  | 105 +++++++++++++++++-
 2 files changed, 180 insertions(+), 10 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
index 517f9e9e..178018aa 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
@@ -10,12 +10,20 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 
+import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.util.io.Streams;
+import org.pgpainless.decryption_verification.OpenPgpInputStream;
 import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
 import org.pgpainless.exception.WrongConsumingMethodException;
+import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.ReadyWithResult;
 import sop.Signatures;
@@ -43,13 +51,80 @@ public class InlineDetachImpl implements InlineDetach {
             public Signatures writeTo(OutputStream messageOutputStream)
                     throws SOPGPException.NoSignature, IOException {
 
-                PGPSignatureList signatures;
-                try {
-                    signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(messageInputStream, messageOutputStream);
-                } catch (WrongConsumingMethodException e) {
-                    throw new IOException(e);
+                PGPSignatureList signatures = null;
+                OpenPgpInputStream pgpIn = new OpenPgpInputStream(messageInputStream);
+
+                if (pgpIn.isNonOpenPgp()) {
+                    throw new SOPGPException.BadData("Data appears to be non-OpenPGP.");
                 }
 
+                // handle ASCII armor
+                if (pgpIn.isAsciiArmored()) {
+                    ArmoredInputStream armorIn = new ArmoredInputStream(pgpIn);
+
+                    // Handle cleartext signature framework
+                    if (armorIn.isClearText()) {
+                        try {
+                            signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, messageOutputStream);
+                            if (signatures == null) {
+                                throw new SOPGPException.BadData("Data did not contain OpenPGP signatures.");
+                            }
+                        } catch (WrongConsumingMethodException e) {
+                            throw new SOPGPException.BadData(e);
+                        }
+                    }
+                    // else just dearmor
+                    pgpIn = new OpenPgpInputStream(armorIn);
+                }
+
+                // if data was not using cleartext signatures framework
+                if (signatures == null) {
+
+                    if (!pgpIn.isBinaryOpenPgp()) {
+                        throw new SOPGPException.BadData("Data was containing ASCII armored non-OpenPGP data.");
+                    }
+
+                    // handle binary OpenPGP data
+                    PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(pgpIn);
+                    Object next;
+                    while ((next = objectFactory.nextObject()) != null) {
+
+                        if (next instanceof PGPOnePassSignatureList) {
+                            // skip over ops
+                            continue;
+                        }
+
+                        if (next instanceof PGPLiteralData) {
+                            // write out contents of literal data packet
+                            PGPLiteralData literalData = (PGPLiteralData) next;
+                            InputStream literalIn = literalData.getDataStream();
+                            Streams.pipeAll(literalIn, messageOutputStream);
+                            literalIn.close();
+                            continue;
+                        }
+
+                        if (next instanceof PGPCompressedData) {
+                            // decompress compressed data
+                            PGPCompressedData compressedData = (PGPCompressedData) next;
+                            try {
+                                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
+                            } catch (PGPException e) {
+                                throw new SOPGPException.BadData("Cannot decompress PGPCompressedData", e);
+                            }
+                            continue;
+                        }
+
+                        if (next instanceof PGPSignatureList) {
+                            signatures = (PGPSignatureList) next;
+                        }
+                    }
+                }
+
+                if (signatures == null) {
+                    throw new SOPGPException.BadData("Data did not contain OpenPGP signatures.");
+                }
+
+                // write out signatures
                 if (armor) {
                     ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(sigOut);
                     for (PGPSignature signature : signatures) {
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
index 9df0345a..b4bfe815 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
@@ -11,29 +11,44 @@ import static org.junit.jupiter.api.Assertions.assertFalse;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.DocumentSignatureType;
-import org.pgpainless.encryption_signing.EncryptionStream;
-import org.pgpainless.encryption_signing.ProducerOptions;
-import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
 import sop.ByteArrayAndResult;
 import sop.SOP;
 import sop.Signatures;
 import sop.Verification;
 import sop.enums.InlineSignAs;
+import sop.exception.SOPGPException;
 
 public class InlineDetachTest {
 
     private static final SOP sop = new SOPImpl();
+
+    /**
+     * Construct a message which is signed using the cleartext signature framework.
+     * The message consists of an armor header followed by the dash-escaped message data, followed by an armored signature.
+     *
+     * Detaching must result in the unescaped message data plus the signature packet.
+     * Verifying the signature must work.
+     *
+     * @throws IOException in case of an IO error
+     */
     @Test
     public void detachCleartextSignedMessage() throws IOException {
         byte[] key = sop.generateKey()
@@ -70,6 +85,16 @@ public class InlineDetachTest {
         assertArrayEquals(data, message);
     }
 
+    /**
+     * Construct a message which is inline-signed.
+     * The message consists of a compressed data packet containing an OnePassSignature, a literal data packet and
+     * a signature packet.
+     *
+     * Detaching the message must result in the contents of the literal data packet, plus the signature packet.
+     * Verification must work.
+     *
+     * @throws IOException in case of an IO error
+     */
     @Test
     public void detachInbandSignedMessage() throws IOException {
         byte[] key = sop.generateKey()
@@ -100,4 +125,74 @@ public class InlineDetachTest {
         assertEquals(1, verificationList.size());
         assertArrayEquals(data, message);
     }
+
+    /**
+     * Construct a message which consists of a literal data packet followed by a signatures block.
+     * Detaching it must result in the contents of the literal data packet plus the signatures block.
+     *
+     * Verification must still work.
+     *
+     * @throws IOException in case of an IO error
+     */
+    @Test
+    public void detachOpenPgpMessage() throws IOException {
+        byte[] key = sop.generateKey()
+                .userId("Alice ")
+                .generate()
+                .getBytes();
+        byte[] cert = sop.extractCert().key(key).getBytes();
+
+        byte[] data = "Hello, World\n".getBytes(StandardCharsets.UTF_8);
+        byte[] inlineSigned = sop.inlineSign()
+                .key(key)
+                .data(data).getBytes();
+
+        ByteArrayOutputStream literalDataAndSignatures = new ByteArrayOutputStream();
+        ArmoredInputStream armorIn = new ArmoredInputStream(new ByteArrayInputStream(inlineSigned));
+        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(armorIn);
+        Object next;
+        while ((next = objectFactory.nextObject()) != null) {
+            if (next instanceof PGPCompressedData) {
+                PGPCompressedData compressedData = (PGPCompressedData) next;
+                try {
+                    objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(compressedData.getDataStream());
+                } catch (PGPException e) {
+                    throw new SOPGPException.BadData("Cannot decompress compressed data", e);
+                }
+                continue;
+            }
+            if (next instanceof PGPLiteralData) {
+                PGPLiteralData litDat = (PGPLiteralData) next;
+                PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+                OutputStream litOut = litGen.open(literalDataAndSignatures, (char) litDat.getFormat(), litDat.getFileName(), litDat.getModificationTime(), new byte[8192]);
+                Streams.pipeAll(litDat.getDataStream(), litOut);
+                litOut.close();
+                continue;
+            }
+
+            if (next instanceof PGPSignatureList) {
+                PGPSignatureList signatures = (PGPSignatureList) next;
+                for (PGPSignature signature : signatures) {
+                    signature.encode(literalDataAndSignatures);
+                }
+            }
+        }
+
+        // actually detach the message
+        ByteArrayAndResult detachedMsg = sop.inlineDetach()
+                .message(literalDataAndSignatures.toByteArray())
+                .toByteArrayAndResult();
+
+        byte[] message = detachedMsg.getBytes();
+        byte[] signature = detachedMsg.getResult().getBytes();
+
+        List verificationList = sop.verify()
+                .cert(cert)
+                .signatures(signature)
+                .data(message);
+
+        assertFalse(verificationList.isEmpty());
+        assertEquals(1, verificationList.size());
+        assertArrayEquals(data, message);
+    }
 }

From 75455f1a3c94b5d4232fdf3c8259adc0072177ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 17:31:48 +0200
Subject: [PATCH 0489/1450] Add OpenPgpMetadata.isCleartextSigned and use it in
 sop to determine if message was cleartext signed

---
 .../DecryptionStreamFactory.java              |  1 +
 .../OpenPgpMetadata.java                      | 58 +++++++++++++------
 .../CleartextSignatureVerificationTest.java   |  1 +
 .../DecryptAndVerifyMessageTest.java          |  2 +
 ...eVerificationWithoutCertIsStillSigned.java |  1 +
 .../java/org/pgpainless/sop/DecryptImpl.java  | 17 +++---
 .../pgpainless/sop/DetachedVerifyImpl.java    | 17 +++---
 .../org/pgpainless/sop/InlineVerifyImpl.java  | 45 +++++++-------
 8 files changed, 88 insertions(+), 54 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 1913444e..77ad92bb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -155,6 +155,7 @@ public final class DecryptionStreamFactory {
         if (openPgpIn.isAsciiArmored()) {
             ArmoredInputStream armoredInputStream = ArmoredInputStreamFactory.get(openPgpIn);
             if (armoredInputStream.isClearText()) {
+                resultBuilder.setCleartextSigned();
                 return parseCleartextSignedMessage(armoredInputStream);
             } else {
                 outerDecodingStream = armoredInputStream;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
index 7c589c2c..2d9feb33 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
@@ -40,6 +40,7 @@ public class OpenPgpMetadata {
     private final String fileName;
     private final Date modificationDate;
     private final StreamEncoding fileEncoding;
+    private final boolean cleartextSigned;
 
     public OpenPgpMetadata(Set recipientKeyIds,
                            SubkeyIdentifier decryptionKey,
@@ -51,7 +52,8 @@ public class OpenPgpMetadata {
                            List invalidDetachedSignatures,
                            String fileName,
                            Date modificationDate,
-                           StreamEncoding fileEncoding) {
+                           StreamEncoding fileEncoding,
+                           boolean cleartextSigned) {
 
         this.recipientKeyIds = Collections.unmodifiableSet(recipientKeyIds);
         this.decryptionKey = decryptionKey;
@@ -64,6 +66,7 @@ public class OpenPgpMetadata {
         this.fileName = fileName;
         this.modificationDate = modificationDate;
         this.fileEncoding = fileEncoding;
+        this.cleartextSigned = cleartextSigned;
     }
 
     /**
@@ -269,6 +272,15 @@ public class OpenPgpMetadata {
         return fileEncoding;
     }
 
+    /**
+     * Return true if the message was signed using the cleartext signature framework.
+     *
+     * @return true if cleartext signed.
+     */
+    public boolean isCleartextSigned() {
+        return cleartextSigned;
+    }
+
     public static Builder getBuilder() {
         return new Builder();
     }
@@ -282,6 +294,7 @@ public class OpenPgpMetadata {
         private String fileName;
         private StreamEncoding fileEncoding;
         private Date modificationDate;
+        private boolean cleartextSigned = false;
 
         private final List verifiedInbandSignatures = new ArrayList<>();
         private final List verifiedDetachedSignatures = new ArrayList<>();
@@ -324,29 +337,38 @@ public class OpenPgpMetadata {
             return this;
         }
 
+        public Builder addVerifiedInbandSignature(SignatureVerification signatureVerification) {
+            this.verifiedInbandSignatures.add(signatureVerification);
+            return this;
+        }
+
+        public Builder addVerifiedDetachedSignature(SignatureVerification signatureVerification) {
+            this.verifiedDetachedSignatures.add(signatureVerification);
+            return this;
+        }
+
+        public Builder addInvalidInbandSignature(SignatureVerification signatureVerification, SignatureValidationException e) {
+            this.invalidInbandSignatures.add(new SignatureVerification.Failure(signatureVerification, e));
+            return this;
+        }
+
+        public Builder addInvalidDetachedSignature(SignatureVerification signatureVerification, SignatureValidationException e) {
+            this.invalidDetachedSignatures.add(new SignatureVerification.Failure(signatureVerification, e));
+            return this;
+        }
+
+        public Builder setCleartextSigned() {
+            this.cleartextSigned = true;
+            return this;
+        }
+
         public OpenPgpMetadata build() {
             return new OpenPgpMetadata(
                     recipientFingerprints, decryptionKey,
                     sessionKey, compressionAlgorithm,
                     verifiedInbandSignatures, invalidInbandSignatures,
                     verifiedDetachedSignatures, invalidDetachedSignatures,
-                    fileName, modificationDate, fileEncoding);
-        }
-
-        public void addVerifiedInbandSignature(SignatureVerification signatureVerification) {
-            this.verifiedInbandSignatures.add(signatureVerification);
-        }
-
-        public void addVerifiedDetachedSignature(SignatureVerification signatureVerification) {
-            this.verifiedDetachedSignatures.add(signatureVerification);
-        }
-
-        public void addInvalidInbandSignature(SignatureVerification signatureVerification, SignatureValidationException e) {
-            this.invalidInbandSignatures.add(new SignatureVerification.Failure(signatureVerification, e));
-        }
-
-        public void addInvalidDetachedSignature(SignatureVerification signatureVerification, SignatureValidationException e) {
-            this.invalidDetachedSignatures.add(new SignatureVerification.Failure(signatureVerification, e));
+                    fileName, modificationDate, fileEncoding, cleartextSigned);
         }
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
index 12596988..521dd558 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
@@ -94,6 +94,7 @@ public class CleartextSignatureVerificationTest {
 
         OpenPgpMetadata result = decryptionStream.getResult();
         assertTrue(result.isVerified());
+        assertTrue(result.isCleartextSigned());
 
         PGPSignature signature = result.getVerifiedSignatures().values().iterator().next();
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
index 7c44f307..152f4c33 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
@@ -6,6 +6,7 @@ package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
@@ -68,6 +69,7 @@ public class DecryptAndVerifyMessageTest {
 
         assertTrue(metadata.isEncrypted());
         assertTrue(metadata.isSigned());
+        assertFalse(metadata.isCleartextSigned());
         assertTrue(metadata.isVerified());
         assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getSymmetricKeyAlgorithm());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java
index 0e979ead..0b2f5d7d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java
@@ -41,6 +41,7 @@ public class SignedMessageVerificationWithoutCertIsStillSigned {
 
         OpenPgpMetadata metadata = verificationStream.getResult();
 
+        assertFalse(metadata.isCleartextSigned());
         assertTrue(metadata.isSigned(), "Message is signed, even though we miss the verification cert.");
         assertFalse(metadata.isVerified(), "Message is not verified because we lack the verification cert.");
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 4c813efe..b9539ed5 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -16,16 +16,15 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.exception.WrongPassphraseException;
-import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.Passphrase;
 import sop.DecryptionResult;
 import sop.ReadyWithResult;
@@ -151,12 +150,8 @@ public class DecryptImpl implements Decrypt {
                 OpenPgpMetadata metadata = decryptionStream.getResult();
 
                 List verificationList = new ArrayList<>();
-                for (SubkeyIdentifier verifiedSigningKey : metadata.getVerifiedSignatures().keySet()) {
-                    PGPSignature signature = metadata.getVerifiedSignatures().get(verifiedSigningKey);
-                    verificationList.add(new Verification(
-                            signature.getCreationTime(),
-                            verifiedSigningKey.getSubkeyFingerprint().toString(),
-                            verifiedSigningKey.getPrimaryKeyFingerprint().toString()));
+                for (SignatureVerification signatureVerification : metadata.getVerifiedInbandSignatures()) {
+                    verificationList.add(map(signatureVerification));
                 }
 
                 if (!consumerOptions.getCertificates().isEmpty()) {
@@ -178,4 +173,10 @@ public class DecryptImpl implements Decrypt {
             }
         };
     }
+
+    private Verification map(SignatureVerification sigVerification) {
+        return new Verification(sigVerification.getSignature().getCreationTime(),
+                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
+    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index d4db494f..81cb08ff 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -12,13 +12,12 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
-import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.decryption_verification.SignatureVerification;
 import sop.Verification;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedVerify;
@@ -75,12 +74,8 @@ public class DetachedVerifyImpl implements DetachedVerify {
             OpenPgpMetadata metadata = decryptionStream.getResult();
             List verificationList = new ArrayList<>();
 
-            for (SubkeyIdentifier verifiedSigningKey : metadata.getVerifiedSignatures().keySet()) {
-                PGPSignature signature = metadata.getVerifiedSignatures().get(verifiedSigningKey);
-                verificationList.add(new Verification(
-                        signature.getCreationTime(),
-                        verifiedSigningKey.getSubkeyFingerprint().toString(),
-                        verifiedSigningKey.getPrimaryKeyFingerprint().toString()));
+            for (SignatureVerification signatureVerification : metadata.getVerifiedDetachedSignatures()) {
+                verificationList.add(map(signatureVerification));
             }
 
             if (!options.getCertificates().isEmpty()) {
@@ -94,4 +89,10 @@ public class DetachedVerifyImpl implements DetachedVerify {
             throw new SOPGPException.BadData(e);
         }
     }
+
+    private Verification map(SignatureVerification sigVerification) {
+        return new Verification(sigVerification.getSignature().getCreationTime(),
+                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
+    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 7c1f7ce2..7c31f44b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -4,20 +4,6 @@
 
 package org.pgpainless.sop;
 
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.util.io.Streams;
-import org.pgpainless.PGPainless;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
-import org.pgpainless.key.SubkeyIdentifier;
-import sop.ReadyWithResult;
-import sop.Verification;
-import sop.exception.SOPGPException;
-import sop.operation.InlineVerify;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -25,6 +11,19 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.util.io.Streams;
+import org.pgpainless.PGPainless;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.SignatureVerification;
+import sop.ReadyWithResult;
+import sop.Verification;
+import sop.exception.SOPGPException;
+import sop.operation.InlineVerify;
+
 public class InlineVerifyImpl implements InlineVerify {
 
     private final ConsumerOptions options = new ConsumerOptions();
@@ -70,12 +69,12 @@ public class InlineVerifyImpl implements InlineVerify {
                     OpenPgpMetadata metadata = decryptionStream.getResult();
                     List verificationList = new ArrayList<>();
 
-                    for (SubkeyIdentifier verifiedSigningKey : metadata.getVerifiedSignatures().keySet()) {
-                        PGPSignature signature = metadata.getVerifiedSignatures().get(verifiedSigningKey);
-                        verificationList.add(new Verification(
-                                signature.getCreationTime(),
-                                verifiedSigningKey.getSubkeyFingerprint().toString(),
-                                verifiedSigningKey.getPrimaryKeyFingerprint().toString()));
+                    List verifications = metadata.isCleartextSigned() ?
+                            metadata.getVerifiedDetachedSignatures() :
+                            metadata.getVerifiedInbandSignatures();
+
+                    for (SignatureVerification signatureVerification : verifications) {
+                        verificationList.add(map(signatureVerification));
                     }
 
                     if (!options.getCertificates().isEmpty()) {
@@ -91,4 +90,10 @@ public class InlineVerifyImpl implements InlineVerify {
             }
         };
     }
+
+    private Verification map(SignatureVerification sigVerification) {
+        return new Verification(sigVerification.getSignature().getCreationTime(),
+                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
+    }
 }

From d64e749f2276edd73240c764cda4beba6515fd11 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 17:50:31 +0200
Subject: [PATCH 0490/1450] Fix sop encrypt --sign-with allowing for protected
 keys

---
 .../java/org/pgpainless/sop/EncryptImpl.java  | 41 ++++++++++++-------
 .../sop/EncryptDecryptRoundTripTest.java      | 11 +++++
 .../org/pgpainless/sop/IncapableKeysTest.java |  5 +++
 3 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 3c5f8e8a..0843ae08 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -8,6 +8,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.Charset;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
@@ -23,6 +25,8 @@ import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.exception.WrongPassphraseException;
+import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
 import sop.Ready;
 import sop.enums.EncryptAs;
@@ -35,6 +39,7 @@ public class EncryptImpl implements Encrypt {
     EncryptionOptions encryptionOptions = new EncryptionOptions();
     SigningOptions signingOptions = null;
     MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+    private final Set signingKeys = new HashSet<>();
 
     private EncryptAs encryptAs = EncryptAs.Binary;
     boolean armor = true;
@@ -63,23 +68,15 @@ public class EncryptImpl implements Encrypt {
             if (keys.size() != 1) {
                 throw new SOPGPException.BadData(new AssertionError("Exactly one secret key at a time expected. Got " + keys.size()));
             }
-
             PGPSecretKeyRing signingKey = keys.iterator().next();
-            protector.addSecretKey(signingKey);
 
-            try {
-                signingOptions.addInlineSignature(
-                        protector,
-                        signingKey,
-                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
-                );
-            } catch (IllegalArgumentException e) {
-                throw new SOPGPException.KeyCannotSign();
-            } catch (WrongPassphraseException e) {
-                throw new SOPGPException.KeyIsProtected();
-            } catch (PGPException e) {
-                throw new SOPGPException.BadData(e);
+            KeyRingInfo info = PGPainless.inspectKeyRing(signingKey);
+            if (info.getSigningSubkeys().isEmpty()) {
+                throw new SOPGPException.KeyCannotSign("Key " + OpenPgpFingerprint.of(signingKey) + " cannot sign.");
             }
+
+            protector.addSecretKey(signingKey);
+            signingKeys.add(signingKey);
         } catch (IOException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
@@ -122,6 +119,22 @@ public class EncryptImpl implements Encrypt {
         producerOptions.setAsciiArmor(armor);
         producerOptions.setEncoding(encryptAsToStreamEncoding(encryptAs));
 
+        for (PGPSecretKeyRing signingKey : signingKeys) {
+            try {
+                signingOptions.addInlineSignature(
+                        protector,
+                        signingKey,
+                        (encryptAs == EncryptAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
+                );
+            } catch (KeyException.UnacceptableSigningKeyException e) {
+                throw new SOPGPException.KeyCannotSign();
+            } catch (WrongPassphraseException e) {
+                throw new SOPGPException.KeyIsProtected();
+            } catch (PGPException e) {
+                throw new SOPGPException.BadData(e);
+            }
+        }
+
         try {
             ProxyOutputStream proxy = new ProxyOutputStream();
             EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 45a26586..7bc5bfdb 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -38,6 +38,7 @@ public class EncryptDecryptRoundTripTest {
         sop = new SOPImpl();
         aliceKey = sop.generateKey()
                 .userId("Alice ")
+                .withKeyPassword("wonderland.is.c00l")
                 .generate()
                 .getBytes();
         aliceCert = sop.extractCert()
@@ -56,6 +57,7 @@ public class EncryptDecryptRoundTripTest {
     public void basicRoundTripWithKey() throws IOException, SOPGPException.KeyCannotSign {
         byte[] encrypted = sop.encrypt()
                 .signWith(aliceKey)
+                .withKeyPassword("wonderland.is.c00l")
                 .withCert(aliceCert)
                 .withCert(bobCert)
                 .plaintext(message)
@@ -426,6 +428,15 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, bytesAndResult.getBytes());
     }
 
+    @Test
+    public void testEncryptWithWrongPassphraseThrowsKeyIsProtected() {
+        assertThrows(SOPGPException.KeyIsProtected.class, () -> sop.encrypt()
+                .withKeyPassword("falsePassphrase")
+                .signWith(aliceKey)
+                .withCert(bobCert)
+                .plaintext(message));
+    }
+
     @Test
     public void testDecryptionWithSessionKey_VerificationWithCert() throws IOException {
         byte[] plaintext = "This is a test message.\nSit back and relax.\n".getBytes(StandardCharsets.UTF_8);
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java
index a50acee1..5139bbf6 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/IncapableKeysTest.java
@@ -64,4 +64,9 @@ public class IncapableKeysTest {
         assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.detachedSign().key(nonSigningKey));
         assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.inlineSign().key(nonSigningKey));
     }
+
+    @Test
+    public void encryptAndSignWithNonSigningKeyFails() {
+        assertThrows(SOPGPException.KeyCannotSign.class, () -> sop.encrypt().signWith(nonSigningKey));
+    }
 }

From 749a623d8834825df32e6b6be30a0b7744ccf632 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 17:56:26 +0200
Subject: [PATCH 0491/1450] Bump SOP version

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 7675fcb9..dbd1cf35 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -15,7 +15,7 @@ import sop.operation.Version;
 public class VersionImpl implements Version {
 
     // draft version
-    private static final String SOP_VERSION = "03";
+    private static final String SOP_VERSION = "04";
 
     @Override
     public String getName() {

From 40f662edbca9455c25fa8e5895fc6aa0095ba461 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 18:44:38 +0200
Subject: [PATCH 0492/1450] Bump sop-java to 4.0.0

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index ddb6de7d..a6230a41 100644
--- a/version.gradle
+++ b/version.gradle
@@ -12,6 +12,6 @@ allprojects {
         slf4jVersion = '1.7.36'
         logbackVersion = '1.2.11'
         junitVersion = '5.8.2'
-        sopJavaVersion = '1.2.4-SNAPSHOT'
+        sopJavaVersion = '4.0.0'
     }
 }

From fd3e574d0d8a5589f74cacbd010373e0871f1809 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 18:45:13 +0200
Subject: [PATCH 0493/1450] Update CHANGELOG

---
 CHANGELOG.md   | 27 +++++++++++++++++++++++++++
 version.gradle |  2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f125f2f9..3d31c8ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,33 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.0
+- Add `RevokedKeyException`
+- `KeyRingUtils.stripSecretKey()`: Disallow stripping of primary secret key
+- Remove support for reading compressed detached signatures
+- Add `PGPainless.generateKeyRing().modernKeyRing(userId)` shortcut method without passphrase
+- Add `CollectionUtils.addAll(Iterator, Collection)`
+- Add `SignatureUtils.getSignaturesForUserIdBy(key, userId, keyId)`
+- Add `OpenPgpFingerprint.parseFromBinary(bytes)`
+- `SignatureUtils.wasIssuedBy()`: Add support for V5 fingerprints
+- Prevent integer overflows when setting expiration dates
+- SOP: Properly throw `KeyCannotDecrypt` exception
+- Fix performance issues of encrypt and sign operations by using buffering
+- Fix performance issues of armor and dearmor operations
+- Bump dependency `sop-java` to `4.0.0`
+- Add support for SOP specification version 04
+  - Implement `inline-sign`
+  - Implement `inline-verify`
+  - Rename `DetachInbandSignatureAndMessageImpl` to `InlineDetachImpl`
+  - Rename `SignImpl` to `DetachedSignImpl`
+  - Rename `VerifyImpl` to `DetachedVerifyImpl`
+  - Add support for `--with-key-password` option in `GenerateKeyImpl`, `DetachedSignImpl`, `DecryptImpl`, `EncryptImpl`.
+  - `InlineDetachImpl` now supports 3 different message types:
+    - Messages using Cleartext Signature Framework
+    - OpenPGP messages using OnePassSignatures
+    - OpenPGP messages without OnePassSignatures
+- Introduce `OpenPgpMetadata.isCleartextSigned()`
+
 ## 1.2.2
 - `EncryptionOptions.addRecipients(collection)`: Disallow empty collections to prevent misuse from resulting in unencrypted messages
 - Deprecate default policy factory methods in favor of policy factory methods with expressive names
diff --git a/version.gradle b/version.gradle
index a6230a41..0c7faf27 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,7 +4,7 @@
 
 allprojects {
     ext {
-        shortVersion = '1.2.3'
+        shortVersion = '1.3.0'
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8

From c078c320c399bc495f0693c027d9548ea3425207 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 18:49:30 +0200
Subject: [PATCH 0494/1450] PGPainless 1.3.0

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 0c7faf27..5c8840ea 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.0'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 57743383e55d8b388d3649addde8fed088f712df Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 18:51:44 +0200
Subject: [PATCH 0495/1450] PGPainless 1.3.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 5c8840ea..18354f3b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.0'
-        isSnapshot = false
+        shortVersion = '1.3.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 73da2cc889a0112e9c6248ae8e7a779f896d5fa6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 19 Jun 2022 22:14:11 +0200
Subject: [PATCH 0496/1450] Fix reproducible builds by specifying file and
 directory modes for archive tasks

---
 build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/build.gradle b/build.gradle
index 3c4db676..7802bdb1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -69,6 +69,9 @@ allprojects {
     tasks.withType(AbstractArchiveTask) {
         preserveFileTimestamps = false
         reproducibleFileOrder = true
+
+        dirMode = 0755
+        fileMode = 0644
     }
 
     project.ext {

From c1170773bc46b98d7dd9bb6c4dfad60b19fc8f85 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 14:17:44 +0200
Subject: [PATCH 0497/1450] Implement certification of third party keys

---
 .../main/java/org/pgpainless/PGPainless.java  |   5 +
 .../algorithm/CertificationType.java          |  46 +++++++
 .../key/certification/CertifyCertificate.java | 123 ++++++++++++++++++
 .../key/certification/package-info.java       |   8 ++
 .../certification/CertifyCertificateTest.java |  67 ++++++++++
 5 files changed, 249 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/CertificationType.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/certification/package-info.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 827085ce..0f47e26e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -16,6 +16,7 @@ import org.pgpainless.decryption_verification.DecryptionBuilder;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.encryption_signing.EncryptionBuilder;
 import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.key.certification.CertifyCertificate;
 import org.pgpainless.key.generation.KeyRingBuilder;
 import org.pgpainless.key.generation.KeyRingTemplates;
 import org.pgpainless.key.info.KeyRingInfo;
@@ -163,4 +164,8 @@ public final class PGPainless {
     public static Policy getPolicy() {
         return Policy.getInstance();
     }
+
+    public static CertifyCertificate certifyCertificate() {
+        return new CertifyCertificate();
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/CertificationType.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CertificationType.java
new file mode 100644
index 00000000..f5c8ec7e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/CertificationType.java
@@ -0,0 +1,46 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import javax.annotation.Nonnull;
+
+/**
+ * Subset of {@link SignatureType}, reduced to certification types.
+ */
+public enum CertificationType {
+
+    /**
+     * The issuer of this certification does not make any particular assertion as to how well the certifier has
+     * checked that the owner of the key is in fact the person described by the User ID.
+     */
+    GENERIC(SignatureType.GENERIC_CERTIFICATION),
+
+    /**
+     * The issuer of this certification has not done any verification of the claim that the owner of this key is
+     * the User ID specified.
+     */
+    NONE(SignatureType.NO_CERTIFICATION),
+
+    /**
+     * The issuer of this certification has done some casual verification of the claim of identity.
+     */
+    CASUAL(SignatureType.CASUAL_CERTIFICATION),
+
+    /**
+     * The issuer of this certification has done some casual verification of the claim of identity.
+     */
+    POSITIVE(SignatureType.POSITIVE_CERTIFICATION),
+    ;
+
+    private final SignatureType signatureType;
+
+    CertificationType(@Nonnull SignatureType signatureType) {
+        this.signatureType = signatureType;
+    }
+
+    public @Nonnull SignatureType asSignatureType() {
+        return signatureType;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
new file mode 100644
index 00000000..69029a84
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -0,0 +1,123 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.certification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CertificationType;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.exception.KeyException;
+import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.util.KeyRingUtils;
+import org.pgpainless.signature.builder.ThirdPartyCertificationSignatureBuilder;
+import org.pgpainless.signature.subpackets.CertificationSubpackets;
+import org.pgpainless.util.DateUtil;
+
+import java.util.Date;
+
+public class CertifyCertificate {
+
+    CertifyUserId certifyUserId(PGPPublicKeyRing certificate, String userId) {
+        return new CertifyUserId(certificate, userId);
+    }
+
+    public static class CertifyUserId {
+
+        private final PGPPublicKeyRing certificate;
+        private final String userId;
+        private final CertificationType certificationType;
+
+        CertifyUserId(PGPPublicKeyRing certificate, String userId) {
+            this(certificate, userId, CertificationType.GENERIC);
+        }
+
+        CertifyUserId(PGPPublicKeyRing certificate, String userId, CertificationType certificationType) {
+            this.certificate = certificate;
+            this.userId = userId;
+            this.certificationType = certificationType;
+        }
+
+        CertifyUserIdWithSubpackets withKey(PGPSecretKeyRing certificationKey, SecretKeyRingProtector protector) throws PGPException {
+            Date now = DateUtil.now();
+            KeyRingInfo info = PGPainless.inspectKeyRing(certificationKey, now);
+
+            // We only support certification-capable primary keys
+            OpenPgpFingerprint fingerprint = info.getFingerprint();
+            PGPPublicKey certificationPubKey = info.getPublicKey(fingerprint);
+            if (!info.isKeyValidlyBound(certificationPubKey.getKeyID())) {
+                throw new KeyException.RevokedKeyException(fingerprint);
+            }
+
+            Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
+            if (expirationDate != null && expirationDate.before(now)) {
+                throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
+            }
+
+            PGPSecretKey secretKey = certificationKey.getSecretKey(certificationPubKey.getKeyID());
+            if (secretKey == null) {
+                throw new KeyException.MissingSecretKeyException(fingerprint, certificationPubKey.getKeyID());
+            }
+
+            ThirdPartyCertificationSignatureBuilder sigBuilder = new ThirdPartyCertificationSignatureBuilder(
+                    certificationType.asSignatureType(), secretKey, protector);
+
+            return new CertifyUserIdWithSubpackets(certificate, userId, sigBuilder);
+        }
+    }
+
+    public static class CertifyUserIdWithSubpackets {
+
+        private final PGPPublicKeyRing certificate;
+        private final String userId;
+        private final ThirdPartyCertificationSignatureBuilder sigBuilder;
+
+        CertifyUserIdWithSubpackets(PGPPublicKeyRing certificate, String userId, ThirdPartyCertificationSignatureBuilder sigBuilder) {
+            this.certificate = certificate;
+            this.userId = userId;
+            this.sigBuilder = sigBuilder;
+        }
+
+        public CertifyUserIdResult withSubpackets(CertificationSubpackets.Callback subpacketCallback) throws PGPException {
+            sigBuilder.applyCallback(subpacketCallback);
+            return build();
+        }
+
+        public CertifyUserIdResult build() throws PGPException {
+            PGPSignature signature = sigBuilder.build(certificate, userId);
+
+            return new CertifyUserIdResult(certificate, userId, signature);
+        }
+    }
+
+    public static class CertifyUserIdResult {
+
+        private final PGPPublicKeyRing certificate;
+        private final String userId;
+        private final PGPSignature certification;
+
+        CertifyUserIdResult(PGPPublicKeyRing certificate, String userId, PGPSignature certification) {
+            this.certificate = certificate;
+            this.userId = userId;
+            this.certification = certification;
+        }
+
+        public PGPSignature getCertification() {
+            return certification;
+        }
+
+        public PGPPublicKeyRing getCertifiedCertificate() {
+            // inject the signature
+            PGPPublicKeyRing certified = KeyRingUtils.injectCertification(certificate, userId, certification);
+            return certified;
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/package-info.java
new file mode 100644
index 00000000..db2f4857
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/package-info.java
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * API for key certifications.
+ */
+package org.pgpainless.key.certification;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
new file mode 100644
index 00000000..7093865d
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
@@ -0,0 +1,67 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.certification;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.util.Arrays;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.signature.consumer.SignatureVerifier;
+import org.pgpainless.util.CollectionUtils;
+import org.pgpainless.util.DateUtil;
+
+public class CertifyCertificateTest {
+
+    @Test
+    public void testSuccessfulCertificationOfUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ", null);
+        String bobUserId = "Bob ";
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId, null);
+
+        PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob);
+
+        CertifyCertificate.CertifyUserIdResult result = PGPainless.certifyCertificate()
+                .certifyUserId(bobCertificate, bobUserId)
+                .withKey(alice, protector)
+                .build();
+
+        assertNotNull(result);
+        PGPSignature signature = result.getCertification();
+        assertNotNull(signature);
+        assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(signature.getSignatureType()));
+        assertEquals(alice.getPublicKey().getKeyID(), signature.getKeyID());
+
+        assertTrue(SignatureVerifier.verifyUserIdCertification(
+                bobUserId, signature, alice.getPublicKey(), bob.getPublicKey(), PGPainless.getPolicy(), DateUtil.now()));
+
+        PGPPublicKeyRing bobCertified = result.getCertifiedCertificate();
+        PGPPublicKey bobCertifiedKey = bobCertified.getPublicKey();
+        // There are 2 sigs now, bobs own and alice'
+        assertEquals(2, CollectionUtils.iteratorToList(bobCertifiedKey.getSignaturesForID(bobUserId)).size());
+        List sigsByAlice = CollectionUtils.iteratorToList(
+                bobCertifiedKey.getSignaturesForKeyID(alice.getPublicKey().getKeyID()));
+        assertEquals(1, sigsByAlice.size());
+        assertEquals(signature, sigsByAlice.get(0));
+
+        assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded()));
+    }
+}

From fa5ddfd11242c9b47bfb14d4f0e8d18f5a4901ef Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 7 May 2022 21:48:36 +0200
Subject: [PATCH 0498/1450] WIP: Implement delegations

THERE ARE THINGS BROKEN NOW. DO NOT MERGE!
---
 .../main/java/org/pgpainless/PGPainless.java  |   2 +-
 .../pgpainless/algorithm/Trustworthiness.java | 111 +++++++++++++
 .../key/certification/CertifyCertificate.java | 146 ++++++++++++------
 .../secretkeyring/SecretKeyRingEditor.java    |   8 +-
 .../builder/DirectKeySignatureBuilder.java    |  17 +-
 .../certification/CertifyCertificateTest.java |  40 ++++-
 .../DirectKeySignatureBuilderTest.java        |   3 +
 7 files changed, 272 insertions(+), 55 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 0f47e26e..a2f16ab9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -165,7 +165,7 @@ public final class PGPainless {
         return Policy.getInstance();
     }
 
-    public static CertifyCertificate certifyCertificate() {
+    public static CertifyCertificate certify() {
         return new CertifyCertificate();
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
new file mode 100644
index 00000000..573bbf9d
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
@@ -0,0 +1,111 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+public class Trustworthiness {
+
+    private final int amount;
+    private final int depth;
+
+    public static final int THRESHOLD_FULLY_CONVINCED = 120;
+    public static final int THRESHOLD_MARGINALLY_CONVINCED = 60;
+    public static final int THRESHOLD_NOT_TRUSTED = 0;
+
+    public Trustworthiness(int amount, int depth) {
+        this.amount = capAmount(amount);
+        this.depth = capDepth(depth);
+    }
+
+    public int getAmount() {
+        return amount;
+    }
+
+    public int getDepth() {
+        return depth;
+    }
+
+    /**
+     * This means that we are fully convinced of the trustworthiness of the key.
+     *
+     * @return builder
+     */
+    public static Builder fullyTrusted() {
+        return new Builder(THRESHOLD_FULLY_CONVINCED);
+    }
+
+    /**
+     * This means that we are marginally (partially) convinced of the trustworthiness of the key.
+     *
+     * @return builder
+     */
+    public static Builder marginallyTrusted() {
+        return new Builder(THRESHOLD_MARGINALLY_CONVINCED);
+    }
+
+    /**
+     * This means that we do not trust the key.
+     * Can be used to overwrite previous trust.
+     *
+     * @return builder
+     */
+    public static Builder untrusted() {
+        return new Builder(THRESHOLD_NOT_TRUSTED);
+    }
+
+    public static final class Builder {
+
+        private final int amount;
+
+        private Builder(int amount) {
+            this.amount = amount;
+        }
+
+        /**
+         * The key is a trusted introducer (depth 1).
+         * Certifications made by this key are considered trustworthy.
+         *
+         * @return trust
+         */
+        public Trustworthiness introducer() {
+            return new Trustworthiness(amount, 1);
+        }
+
+        /**
+         * The key is a meta introducer (depth 2).
+         * This key can introduce trusted introducers of depth 1.
+         *
+         * @return trust
+         */
+        public Trustworthiness metaIntroducer() {
+            return new Trustworthiness(amount, 2);
+        }
+
+        /**
+         * The key is a level 
n
 meta introducer.
+         * This key can introduce meta introducers of depth 
n - 1
.
+         *
+         * @param n depth
+         * @return trust
+         */
+        public Trustworthiness levelNIntroducer(int n) {
+            return new Trustworthiness(amount, n);
+        }
+    }
+
+    private static int capAmount(int amount) {
+        if (amount < 0 || amount > 255) {
+            throw new IllegalArgumentException("Trust amount MUST be a value between 0 and 255");
+        }
+        return amount;
+    }
+
+    private static int capDepth(int depth) {
+        if (depth < 0 || depth > 255) {
+            throw new IllegalArgumentException("Trust depth MUST be a value between 0 and 255");
+        }
+        return depth;
+    }
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index 69029a84..77dab4e8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -13,111 +13,171 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CertificationType;
 import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.algorithm.Trustworthiness;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.util.KeyRingUtils;
+import org.pgpainless.signature.builder.DirectKeySignatureBuilder;
 import org.pgpainless.signature.builder.ThirdPartyCertificationSignatureBuilder;
 import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.util.DateUtil;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import java.util.Date;
 
 public class CertifyCertificate {
 
-    CertifyUserId certifyUserId(PGPPublicKeyRing certificate, String userId) {
-        return new CertifyUserId(certificate, userId);
+    CertificationOnUserId userIdOnCertificate(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate) {
+        return new CertificationOnUserId(userId, certificate, CertificationType.GENERIC);
     }
 
-    public static class CertifyUserId {
+    CertificationOnUserId userIdOnCertificate(@Nonnull String userid, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
+        return new CertificationOnUserId(userid, certificate, certificationType);
+    }
+
+    DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate) {
+        return certificate(certificate, null);
+    }
+
+    DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
+        return new DelegationOnCertificate(certificate, trustworthiness);
+    }
+
+    public static class CertificationOnUserId {
 
         private final PGPPublicKeyRing certificate;
         private final String userId;
         private final CertificationType certificationType;
 
-        CertifyUserId(PGPPublicKeyRing certificate, String userId) {
-            this(certificate, userId, CertificationType.GENERIC);
-        }
-
-        CertifyUserId(PGPPublicKeyRing certificate, String userId, CertificationType certificationType) {
-            this.certificate = certificate;
+        CertificationOnUserId(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
             this.userId = userId;
+            this.certificate = certificate;
             this.certificationType = certificationType;
         }
 
-        CertifyUserIdWithSubpackets withKey(PGPSecretKeyRing certificationKey, SecretKeyRingProtector protector) throws PGPException {
-            Date now = DateUtil.now();
-            KeyRingInfo info = PGPainless.inspectKeyRing(certificationKey, now);
-
-            // We only support certification-capable primary keys
-            OpenPgpFingerprint fingerprint = info.getFingerprint();
-            PGPPublicKey certificationPubKey = info.getPublicKey(fingerprint);
-            if (!info.isKeyValidlyBound(certificationPubKey.getKeyID())) {
-                throw new KeyException.RevokedKeyException(fingerprint);
-            }
-
-            Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
-            if (expirationDate != null && expirationDate.before(now)) {
-                throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
-            }
-
-            PGPSecretKey secretKey = certificationKey.getSecretKey(certificationPubKey.getKeyID());
-            if (secretKey == null) {
-                throw new KeyException.MissingSecretKeyException(fingerprint, certificationPubKey.getKeyID());
-            }
+        CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
+            PGPSecretKey secretKey = getCertificationSecretKey(certificationKey);
 
             ThirdPartyCertificationSignatureBuilder sigBuilder = new ThirdPartyCertificationSignatureBuilder(
                     certificationType.asSignatureType(), secretKey, protector);
 
-            return new CertifyUserIdWithSubpackets(certificate, userId, sigBuilder);
+            return new CertificationOnUserIdWithSubpackets(certificate, userId, sigBuilder);
         }
     }
 
-    public static class CertifyUserIdWithSubpackets {
+    public static class CertificationOnUserIdWithSubpackets {
 
         private final PGPPublicKeyRing certificate;
         private final String userId;
         private final ThirdPartyCertificationSignatureBuilder sigBuilder;
 
-        CertifyUserIdWithSubpackets(PGPPublicKeyRing certificate, String userId, ThirdPartyCertificationSignatureBuilder sigBuilder) {
+        CertificationOnUserIdWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull String userId, @Nonnull ThirdPartyCertificationSignatureBuilder sigBuilder) {
             this.certificate = certificate;
             this.userId = userId;
             this.sigBuilder = sigBuilder;
         }
 
-        public CertifyUserIdResult withSubpackets(CertificationSubpackets.Callback subpacketCallback) throws PGPException {
+        public CertificationResult withSubpackets(@Nonnull CertificationSubpackets.Callback subpacketCallback) throws PGPException {
             sigBuilder.applyCallback(subpacketCallback);
             return build();
         }
 
-        public CertifyUserIdResult build() throws PGPException {
+        public CertificationResult build() throws PGPException {
             PGPSignature signature = sigBuilder.build(certificate, userId);
-
-            return new CertifyUserIdResult(certificate, userId, signature);
+            PGPPublicKeyRing certifiedCertificate = KeyRingUtils.injectCertification(certificate, userId, signature);
+            return new CertificationResult(certifiedCertificate, signature);
         }
     }
 
-    public static class CertifyUserIdResult {
+    public static class DelegationOnCertificate {
+
+        private final PGPPublicKeyRing certificate;
+        private final Trustworthiness trustworthiness;
+
+        DelegationOnCertificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
+            this.certificate = certificate;
+            this.trustworthiness = trustworthiness;
+        }
+
+        public DelegationOnCertificateWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
+            PGPSecretKey secretKey = getCertificationSecretKey(certificationKey);
+
+            DirectKeySignatureBuilder sigBuilder = new DirectKeySignatureBuilder(secretKey, protector);
+            if (trustworthiness != null) {
+                sigBuilder.getHashedSubpackets().setTrust(true, trustworthiness.getDepth(), trustworthiness.getAmount());
+            }
+            return new DelegationOnCertificateWithSubpackets(certificate, sigBuilder);
+        }
+    }
+
+    public static class DelegationOnCertificateWithSubpackets {
+
+        private final PGPPublicKeyRing certificate;
+        private final DirectKeySignatureBuilder sigBuilder;
+
+        public DelegationOnCertificateWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull DirectKeySignatureBuilder sigBuilder) {
+            this.certificate = certificate;
+            this.sigBuilder = sigBuilder;
+        }
+
+        public CertificationResult withSubpackets(@Nonnull CertificationSubpackets.Callback subpacketsCallback) throws PGPException {
+            sigBuilder.applyCallback(subpacketsCallback);
+            return build();
+        }
+
+        public CertificationResult build() throws PGPException {
+            PGPPublicKey delegatedKey = certificate.getPublicKey();
+            PGPSignature delegation = sigBuilder.build(delegatedKey);
+            PGPPublicKeyRing delegatedCertificate = KeyRingUtils.injectCertification(certificate, delegatedKey, delegation);
+            return new CertificationResult(delegatedCertificate, delegation);
+        }
+    }
+
+    public static class CertificationResult {
 
         private final PGPPublicKeyRing certificate;
-        private final String userId;
         private final PGPSignature certification;
 
-        CertifyUserIdResult(PGPPublicKeyRing certificate, String userId, PGPSignature certification) {
+        CertificationResult(@Nonnull PGPPublicKeyRing certificate, @Nonnull PGPSignature certification) {
             this.certificate = certificate;
-            this.userId = userId;
             this.certification = certification;
         }
 
+        @Nonnull
         public PGPSignature getCertification() {
             return certification;
         }
 
+        @Nonnull
         public PGPPublicKeyRing getCertifiedCertificate() {
-            // inject the signature
-            PGPPublicKeyRing certified = KeyRingUtils.injectCertification(certificate, userId, certification);
-            return certified;
+            return certificate;
         }
     }
+
+    private static PGPSecretKey getCertificationSecretKey(PGPSecretKeyRing certificationKey) {
+        Date now = DateUtil.now();
+        KeyRingInfo info = PGPainless.inspectKeyRing(certificationKey, now);
+
+        // We only support certification-capable primary keys
+        OpenPgpFingerprint fingerprint = info.getFingerprint();
+        PGPPublicKey certificationPubKey = info.getPublicKey(fingerprint);
+        if (!info.isKeyValidlyBound(certificationPubKey.getKeyID())) {
+            throw new KeyException.RevokedKeyException(fingerprint);
+        }
+
+        Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
+        if (expirationDate != null && expirationDate.before(now)) {
+            throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
+        }
+
+        PGPSecretKey secretKey = certificationKey.getSecretKey(certificationPubKey.getKeyID());
+        if (secretKey == null) {
+            throw new KeyException.MissingSecretKeyException(fingerprint, certificationPubKey.getKeyID());
+        }
+        return secretKey;
+    }
+
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index f5a5292c..19d7ffcc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -59,6 +59,7 @@ import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.signature.builder.DirectKeySignatureBuilder;
 import org.pgpainless.signature.builder.RevocationSignatureBuilder;
 import org.pgpainless.signature.builder.SelfSignatureBuilder;
+import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
@@ -613,9 +614,11 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         final Date keyCreationTime = publicKey.getCreationTime();
 
         DirectKeySignatureBuilder builder = new DirectKeySignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig);
-        builder.applyCallback(new SelfSignatureSubpackets.Callback() {
+        System.out.println("FIXME"); // will cause checkstyle warning so I remember
+        /*
+        builder.applyCallback(new CertificationSubpackets.Callback() {
             @Override
-            public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
+            public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
                 if (expiration != null) {
                     hashedSubpackets.setKeyExpirationTime(keyCreationTime, expiration);
                 } else {
@@ -623,6 +626,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
                 }
             }
         });
+         */
 
         return builder.build(publicKey);
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java
index caf08710..0e5498bd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java
@@ -10,9 +10,10 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
+import org.pgpainless.signature.subpackets.CertificationSubpackets;
 
 public class DirectKeySignatureBuilder extends AbstractSignatureBuilder {
 
@@ -25,15 +26,15 @@ public class DirectKeySignatureBuilder extends AbstractSignatureBuilder", null);
         String bobUserId = "Bob ";
@@ -39,8 +40,8 @@ public class CertifyCertificateTest {
 
         PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob);
 
-        CertifyCertificate.CertifyUserIdResult result = PGPainless.certifyCertificate()
-                .certifyUserId(bobCertificate, bobUserId)
+        CertifyCertificate.CertificationResult result = PGPainless.certify()
+                .userIdOnCertificate(bobUserId, bobCertificate)
                 .withKey(alice, protector)
                 .build();
 
@@ -64,4 +65,37 @@ public class CertifyCertificateTest {
 
         assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded()));
     }
+
+    @Test
+    public void testKeyDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ", null);
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ", null);
+
+        PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob);
+
+        CertifyCertificate.CertificationResult result = PGPainless.certify()
+                .certificate(bobCertificate, Trustworthiness.fullyTrusted().introducer())
+                .withKey(alice, protector)
+                .build();
+
+        assertNotNull(result);
+        PGPSignature signature = result.getCertification();
+        assertNotNull(signature);
+        assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType()));
+        assertEquals(alice.getPublicKey().getKeyID(), signature.getKeyID());
+
+        assertTrue(SignatureVerifier.verifyDirectKeySignature(
+                signature, alice.getPublicKey(), bob.getPublicKey(), PGPainless.getPolicy(), DateUtil.now()));
+
+        PGPPublicKeyRing bobCertified = result.getCertifiedCertificate();
+        PGPPublicKey bobCertifiedKey = bobCertified.getPublicKey();
+        
+        List sigsByAlice = CollectionUtils.iteratorToList(
+                bobCertifiedKey.getSignaturesForKeyID(alice.getPublicKey().getKeyID()));
+        assertEquals(1, sigsByAlice.size());
+        assertEquals(signature, sigsByAlice.get(0));
+
+        assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded()));
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
index 945a06a5..6c1c0cf4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
@@ -40,6 +40,8 @@ public class DirectKeySignatureBuilderTest {
                 secretKeys.getSecretKey(),
                 SecretKeyRingProtector.unprotectedKeys());
 
+        System.out.println("FIXME"); // will cause checkstyle warning, so I remember
+        /*
         dsb.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -50,6 +52,7 @@ public class DirectKeySignatureBuilderTest {
                 hashedSubpackets.setFeatures(Feature.MODIFICATION_DETECTION);
             }
         });
+         */
 
         Thread.sleep(1000);
 

From d2b48e83d921c187eb9609ccce4474fd42bca6b8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 11 May 2022 12:27:11 +0200
Subject: [PATCH 0499/1450] Implement certifying of certifications

---
 .../pgpainless/algorithm/Trustworthiness.java |  32 ++++-
 .../key/certification/CertifyCertificate.java | 111 ++++++++++++++++--
 .../secretkeyring/SecretKeyRingEditor.java    |  12 +-
 .../DirectKeySelfSignatureBuilder.java        |  57 +++++++++
 ... ThirdPartyDirectKeySignatureBuilder.java} |   6 +-
 .../algorithm/TrustworthinessTest.java        |  74 ++++++++++++
 .../certification/CertifyCertificateTest.java |   9 +-
 ...rdPartyDirectKeySignatureBuilderTest.java} |   7 +-
 8 files changed, 277 insertions(+), 31 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.java
 rename pgpainless-core/src/main/java/org/pgpainless/signature/builder/{DirectKeySignatureBuilder.java => ThirdPartyDirectKeySignatureBuilder.java} (81%)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
 rename pgpainless-core/src/test/java/org/pgpainless/signature/builder/{DirectKeySignatureBuilderTest.java => ThirdPartyDirectKeySignatureBuilderTest.java} (94%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
index 573bbf9d..0df31764 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
@@ -10,8 +10,8 @@ public class Trustworthiness {
     private final int depth;
 
     public static final int THRESHOLD_FULLY_CONVINCED = 120;
-    public static final int THRESHOLD_MARGINALLY_CONVINCED = 60;
-    public static final int THRESHOLD_NOT_TRUSTED = 0;
+    public static final int MARGINALLY_CONVINCED = 60;
+    public static final int NOT_TRUSTED = 0;
 
     public Trustworthiness(int amount, int depth) {
         this.amount = capAmount(amount);
@@ -26,6 +26,30 @@ public class Trustworthiness {
         return depth;
     }
 
+    public boolean isNotTrusted() {
+        return getAmount() == NOT_TRUSTED;
+    }
+
+    public boolean isMarginallyTrusted() {
+        return getAmount() > NOT_TRUSTED;
+    }
+
+    public boolean isFullyTrusted() {
+        return getAmount() >= THRESHOLD_FULLY_CONVINCED;
+    }
+
+    public boolean isIntroducer() {
+        return getDepth() >= 1;
+    }
+
+    public boolean canIntroduce(int otherDepth) {
+        return getDepth() > otherDepth;
+    }
+
+    public boolean canIntroduce(Trustworthiness other) {
+        return canIntroduce(other.getDepth());
+    }
+
     /**
      * This means that we are fully convinced of the trustworthiness of the key.
      *
@@ -41,7 +65,7 @@ public class Trustworthiness {
      * @return builder
      */
     public static Builder marginallyTrusted() {
-        return new Builder(THRESHOLD_MARGINALLY_CONVINCED);
+        return new Builder(MARGINALLY_CONVINCED);
     }
 
     /**
@@ -51,7 +75,7 @@ public class Trustworthiness {
      * @return builder
      */
     public static Builder untrusted() {
-        return new Builder(THRESHOLD_NOT_TRUSTED);
+        return new Builder(NOT_TRUSTED);
     }
 
     public static final class Builder {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index 77dab4e8..8503f8bd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -19,7 +19,7 @@ import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.util.KeyRingUtils;
-import org.pgpainless.signature.builder.DirectKeySignatureBuilder;
+import org.pgpainless.signature.builder.ThirdPartyDirectKeySignatureBuilder;
 import org.pgpainless.signature.builder.ThirdPartyCertificationSignatureBuilder;
 import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.util.DateUtil;
@@ -28,20 +28,60 @@ import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import java.util.Date;
 
+/**
+ * API for creating certifications and delegations (Signatures) on keys.
+ * This API can be used to sign another persons OpenPGP key.
+ *
+ * A certification over a user-id is thereby used to attest, that the user believes that the user-id really belongs
+ * to the owner of the certificate.
+ * A delegation over a key can be used to delegate trust by marking the certificate as a trusted introducer.
+ */
 public class CertifyCertificate {
 
+    /**
+     * Create a certification over a User-Id.
+     * By default, this method will use {@link CertificationType#GENERIC} to create the signature.
+     * If you need to create another type of certification, use
+     * {@link #userIdOnCertificate(String, PGPPublicKeyRing, CertificationType)} instead.
+     *
+     * @param userId user-id to certify
+     * @param certificate certificate
+     * @return API
+     */
     CertificationOnUserId userIdOnCertificate(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate) {
         return new CertificationOnUserId(userId, certificate, CertificationType.GENERIC);
     }
 
+    /**
+     * Create a certification of the given {@link CertificationType} over a User-Id.
+     *
+     * @param userid user-id to certify
+     * @param certificate certificate
+     * @param certificationType type of signature
+     * @return API
+     */
     CertificationOnUserId userIdOnCertificate(@Nonnull String userid, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
         return new CertificationOnUserId(userid, certificate, certificationType);
     }
 
+    /**
+     * Create a delegation (direct key signature) over a certificate.
+     *
+     * @param certificate certificate
+     * @return API
+     */
     DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate) {
         return certificate(certificate, null);
     }
 
+    /**
+     * Create a delegation (direct key signature) containing a {@link org.bouncycastle.bcpg.sig.TrustSignature} packet
+     * over a certificate.
+     *
+     * @param certificate certificate
+     * @param trustworthiness trustworthiness of the certificate
+     * @return API
+     */
     DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
         return new DelegationOnCertificate(certificate, trustworthiness);
     }
@@ -58,8 +98,16 @@ public class CertifyCertificate {
             this.certificationType = certificationType;
         }
 
+        /**
+         * Create the certification using the given key.
+         *
+         * @param certificationKey key used to create the certification
+         * @param protector protector to unlock the certification key
+         * @return API
+         * @throws PGPException in case of an OpenPGP related error
+         */
         CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
-            PGPSecretKey secretKey = getCertificationSecretKey(certificationKey);
+            PGPSecretKey secretKey = getCertifyingSecretKey(certificationKey);
 
             ThirdPartyCertificationSignatureBuilder sigBuilder = new ThirdPartyCertificationSignatureBuilder(
                     certificationType.asSignatureType(), secretKey, protector);
@@ -80,11 +128,24 @@ public class CertifyCertificate {
             this.sigBuilder = sigBuilder;
         }
 
-        public CertificationResult withSubpackets(@Nonnull CertificationSubpackets.Callback subpacketCallback) throws PGPException {
+        /**
+         * Apply the given signature subpackets and build the certification.
+         *
+         * @param subpacketCallback callback to modify the signatures subpackets
+         * @return result
+         * @throws PGPException in case of an OpenPGP related error
+         */
+        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketCallback) throws PGPException {
             sigBuilder.applyCallback(subpacketCallback);
             return build();
         }
 
+        /**
+         * Build the certification signature.
+         *
+         * @return result
+         * @throws PGPException in case of an OpenPGP related error
+         */
         public CertificationResult build() throws PGPException {
             PGPSignature signature = sigBuilder.build(certificate, userId);
             PGPPublicKeyRing certifiedCertificate = KeyRingUtils.injectCertification(certificate, userId, signature);
@@ -102,10 +163,18 @@ public class CertifyCertificate {
             this.trustworthiness = trustworthiness;
         }
 
+        /**
+         * Build the delegation using the given certification key.
+         *
+         * @param certificationKey key to create the certification with
+         * @param protector protector to unlock the certification key
+         * @return API
+         * @throws PGPException in case of an OpenPGP related error
+         */
         public DelegationOnCertificateWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
-            PGPSecretKey secretKey = getCertificationSecretKey(certificationKey);
+            PGPSecretKey secretKey = getCertifyingSecretKey(certificationKey);
 
-            DirectKeySignatureBuilder sigBuilder = new DirectKeySignatureBuilder(secretKey, protector);
+            ThirdPartyDirectKeySignatureBuilder sigBuilder = new ThirdPartyDirectKeySignatureBuilder(secretKey, protector);
             if (trustworthiness != null) {
                 sigBuilder.getHashedSubpackets().setTrust(true, trustworthiness.getDepth(), trustworthiness.getAmount());
             }
@@ -116,18 +185,31 @@ public class CertifyCertificate {
     public static class DelegationOnCertificateWithSubpackets {
 
         private final PGPPublicKeyRing certificate;
-        private final DirectKeySignatureBuilder sigBuilder;
+        private final ThirdPartyDirectKeySignatureBuilder sigBuilder;
 
-        public DelegationOnCertificateWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull DirectKeySignatureBuilder sigBuilder) {
+        DelegationOnCertificateWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull ThirdPartyDirectKeySignatureBuilder sigBuilder) {
             this.certificate = certificate;
             this.sigBuilder = sigBuilder;
         }
 
-        public CertificationResult withSubpackets(@Nonnull CertificationSubpackets.Callback subpacketsCallback) throws PGPException {
+        /**
+         * Apply the given signature subpackets and build the delegation signature.
+         *
+         * @param subpacketsCallback callback to modify the signatures subpackets
+         * @return result
+         * @throws PGPException in case of an OpenPGP related error
+         */
+        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketsCallback) throws PGPException {
             sigBuilder.applyCallback(subpacketsCallback);
             return build();
         }
 
+        /**
+         * Build the delegation signature.
+         *
+         * @return result
+         * @throws PGPException in case of an OpenPGP related error
+         */
         public CertificationResult build() throws PGPException {
             PGPPublicKey delegatedKey = certificate.getPublicKey();
             PGPSignature delegation = sigBuilder.build(delegatedKey);
@@ -146,18 +228,28 @@ public class CertifyCertificate {
             this.certification = certification;
         }
 
+        /**
+         * Return the signature.
+         *
+         * @return signature
+         */
         @Nonnull
         public PGPSignature getCertification() {
             return certification;
         }
 
+        /**
+         * Return the certificate, which now contains the signature.
+         *
+         * @return certificate + signature
+         */
         @Nonnull
         public PGPPublicKeyRing getCertifiedCertificate() {
             return certificate;
         }
     }
 
-    private static PGPSecretKey getCertificationSecretKey(PGPSecretKeyRing certificationKey) {
+    private static PGPSecretKey getCertifyingSecretKey(PGPSecretKeyRing certificationKey) {
         Date now = DateUtil.now();
         KeyRingInfo info = PGPainless.inspectKeyRing(certificationKey, now);
 
@@ -179,5 +271,4 @@ public class CertifyCertificate {
         }
         return secretKey;
     }
-
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 19d7ffcc..7418401f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -56,10 +56,9 @@ import org.pgpainless.key.protection.fixes.S2KUsageFix;
 import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.RevocationAttributes;
-import org.pgpainless.signature.builder.DirectKeySignatureBuilder;
+import org.pgpainless.signature.builder.DirectKeySelfSignatureBuilder;
 import org.pgpainless.signature.builder.RevocationSignatureBuilder;
 import org.pgpainless.signature.builder.SelfSignatureBuilder;
-import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
@@ -613,12 +612,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         PGPPublicKey publicKey = primaryKey.getPublicKey();
         final Date keyCreationTime = publicKey.getCreationTime();
 
-        DirectKeySignatureBuilder builder = new DirectKeySignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig);
-        System.out.println("FIXME"); // will cause checkstyle warning so I remember
-        /*
-        builder.applyCallback(new CertificationSubpackets.Callback() {
+        DirectKeySelfSignatureBuilder builder = new DirectKeySelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig);
+        builder.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
-            public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
+            public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
                 if (expiration != null) {
                     hashedSubpackets.setKeyExpirationTime(keyCreationTime, expiration);
                 } else {
@@ -626,7 +623,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
                 }
             }
         });
-         */
 
         return builder.build(publicKey);
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.java
new file mode 100644
index 00000000..cf99f8d6
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySelfSignatureBuilder.java
@@ -0,0 +1,57 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.signature.builder;
+
+import javax.annotation.Nullable;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
+
+public class DirectKeySelfSignatureBuilder extends AbstractSignatureBuilder {
+
+    public DirectKeySelfSignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature)
+            throws PGPException {
+        super(certificationKey, protector, archetypeSignature);
+    }
+
+    public DirectKeySelfSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException {
+        super(SignatureType.DIRECT_KEY, signingKey, protector);
+    }
+
+    public SelfSignatureSubpackets getHashedSubpackets() {
+        return hashedSubpackets;
+    }
+
+    public SelfSignatureSubpackets getUnhashedSubpackets() {
+        return unhashedSubpackets;
+    }
+
+    public void applyCallback(@Nullable SelfSignatureSubpackets.Callback callback) {
+        if (callback != null) {
+            callback.modifyHashedSubpackets(getHashedSubpackets());
+            callback.modifyUnhashedSubpackets(getUnhashedSubpackets());
+        }
+    }
+
+    public PGPSignature build(PGPPublicKey key) throws PGPException {
+        PGPSignatureGenerator signatureGenerator = buildAndInitSignatureGenerator();
+        if (key.getKeyID() != publicSigningKey.getKeyID()) {
+            return signatureGenerator.generateCertification(publicSigningKey, key);
+        } else {
+            return signatureGenerator.generateCertification(key);
+        }
+    }
+
+    @Override
+    protected boolean isValidSignatureType(SignatureType type) {
+        return type == SignatureType.DIRECT_KEY;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java
similarity index 81%
rename from pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java
rename to pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java
index 0e5498bd..dd720bce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/DirectKeySignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java
@@ -15,14 +15,14 @@ import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.subpackets.CertificationSubpackets;
 
-public class DirectKeySignatureBuilder extends AbstractSignatureBuilder {
+public class ThirdPartyDirectKeySignatureBuilder extends AbstractSignatureBuilder {
 
-    public DirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature)
+    public ThirdPartyDirectKeySignatureBuilder(PGPSecretKey certificationKey, SecretKeyRingProtector protector, PGPSignature archetypeSignature)
             throws PGPException {
         super(certificationKey, protector, archetypeSignature);
     }
 
-    public DirectKeySignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException {
+    public ThirdPartyDirectKeySignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector) throws PGPException {
         super(SignatureType.DIRECT_KEY, signingKey, protector);
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
new file mode 100644
index 00000000..017126aa
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
@@ -0,0 +1,74 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+
+public class TrustworthinessTest {
+
+    @Test
+    public void fullyTrustedIntroducer() {
+        Trustworthiness it = Trustworthiness.fullyTrusted().introducer();
+        assertTrue(it.isFullyTrusted());
+        assertFalse(it.isNotTrusted());
+
+        assertTrue(it.isIntroducer());
+        assertFalse(it.canIntroduce(it));
+    }
+
+    @Test
+    public void marginallyTrustedIntroducer() {
+        Trustworthiness it = Trustworthiness.marginallyTrusted().introducer();
+        assertFalse(it.isFullyTrusted());
+        assertTrue(it.isMarginallyTrusted());
+        assertFalse(it.isNotTrusted());
+
+        assertTrue(it.isIntroducer());
+        assertFalse(it.canIntroduce(2));
+    }
+
+    @Test
+    public void nonTrustedIntroducer() {
+        Trustworthiness it = Trustworthiness.untrusted().introducer();
+        assertTrue(it.isNotTrusted());
+        assertFalse(it.isMarginallyTrusted());
+        assertFalse(it.isFullyTrusted());
+
+        assertTrue(it.isIntroducer());
+    }
+
+    @Test
+    public void trustedMetaIntroducer() {
+        Trustworthiness it = Trustworthiness.fullyTrusted().metaIntroducer();
+        assertTrue(it.isFullyTrusted());
+        assertTrue(it.isIntroducer());
+
+        Trustworthiness that = Trustworthiness.fullyTrusted().introducer();
+        assertTrue(it.canIntroduce(that));
+        assertFalse(that.canIntroduce(it));
+    }
+
+    @Test
+    public void invalidArguments() {
+        assertThrows(IllegalArgumentException.class, () -> new Trustworthiness(300, 1));
+        assertThrows(IllegalArgumentException.class, () -> new Trustworthiness(60, 300));
+        assertThrows(IllegalArgumentException.class, () -> new Trustworthiness(-4, 1));
+        assertThrows(IllegalArgumentException.class, () -> new Trustworthiness(120, -1));
+    }
+
+    @Test
+    public void inBetweenValues() {
+        Trustworthiness it = new Trustworthiness(30, 1);
+        assertTrue(it.isMarginallyTrusted());
+        assertFalse(it.isFullyTrusted());
+
+        it = new Trustworthiness(140, 1);
+        assertTrue(it.isFullyTrusted());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
index c6028925..4a72276c 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
@@ -14,6 +14,7 @@ import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
 
+import org.bouncycastle.bcpg.sig.TrustSignature;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
@@ -84,13 +85,19 @@ public class CertifyCertificateTest {
         assertNotNull(signature);
         assertEquals(SignatureType.DIRECT_KEY, SignatureType.valueOf(signature.getSignatureType()));
         assertEquals(alice.getPublicKey().getKeyID(), signature.getKeyID());
+        TrustSignature trustSignaturePacket = signature.getHashedSubPackets().getTrust();
+        assertNotNull(trustSignaturePacket);
+        Trustworthiness trustworthiness = new Trustworthiness(trustSignaturePacket.getTrustAmount(), trustSignaturePacket.getDepth());
+        assertTrue(trustworthiness.isFullyTrusted());
+        assertTrue(trustworthiness.isIntroducer());
+        assertFalse(trustworthiness.canIntroduce(1));
 
         assertTrue(SignatureVerifier.verifyDirectKeySignature(
                 signature, alice.getPublicKey(), bob.getPublicKey(), PGPainless.getPolicy(), DateUtil.now()));
 
         PGPPublicKeyRing bobCertified = result.getCertifiedCertificate();
         PGPPublicKey bobCertifiedKey = bobCertified.getPublicKey();
-        
+
         List sigsByAlice = CollectionUtils.iteratorToList(
                 bobCertifiedKey.getSignaturesForKeyID(alice.getPublicKey().getKeyID()));
         assertEquals(1, sigsByAlice.size());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
similarity index 94%
rename from pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
index 6c1c0cf4..46dc1ac5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/DirectKeySignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
@@ -29,19 +29,17 @@ import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 
-public class DirectKeySignatureBuilderTest {
+public class ThirdPartyDirectKeySignatureBuilderTest {
 
     @Test
     public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .modernKeyRing("Alice");
 
-        DirectKeySignatureBuilder dsb = new DirectKeySignatureBuilder(
+        DirectKeySelfSignatureBuilder dsb = new DirectKeySelfSignatureBuilder(
                 secretKeys.getSecretKey(),
                 SecretKeyRingProtector.unprotectedKeys());
 
-        System.out.println("FIXME"); // will cause checkstyle warning, so I remember
-        /*
         dsb.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -52,7 +50,6 @@ public class DirectKeySignatureBuilderTest {
                 hashedSubpackets.setFeatures(Feature.MODIFICATION_DETECTION);
             }
         });
-         */
 
         Thread.sleep(1000);
 

From 870af0e005be7b65a23ed6d4672fdaefec50dd95 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 12 May 2022 16:24:55 +0200
Subject: [PATCH 0500/1450] Add javadoc documentation to Trustworthiness class

---
 .../pgpainless/algorithm/Trustworthiness.java | 57 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
index 0df31764..8d62f967 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
@@ -4,6 +4,11 @@
 
 package org.pgpainless.algorithm;
 
+/**
+ * Facade class for {@link org.bouncycastle.bcpg.sig.TrustSignature}.
+ * A trust signature subpacket marks the trustworthiness of a certificate and defines its capabilities to act
+ * as a trusted introducer.
+ */
 public class Trustworthiness {
 
     private final int amount;
@@ -18,34 +23,82 @@ public class Trustworthiness {
         this.depth = capDepth(depth);
     }
 
+    /**
+     * Get the trust amount.
+     * This value means how confident the issuer of the signature is in validity of the binding.
+     *
+     * @return trust amount
+     */
     public int getAmount() {
         return amount;
     }
 
+    /**
+     * Get the depth of the trust signature.
+     * This value controls, whether the certificate can act as a trusted introducer.
+     *
+     * @return depth
+     */
     public int getDepth() {
         return depth;
     }
 
+    /**
+     * Returns true, if the trust amount is equal to 0.
+     * This means the key is not trusted.
+     *
+     * Otherwise return false
+     * @return true if untrusted
+     */
     public boolean isNotTrusted() {
         return getAmount() == NOT_TRUSTED;
     }
 
+    /**
+     * Return true if the certificate is at least marginally trusted.
+     * That is the case, if the trust amount is greater than 0.
+     *
+     * @return true if the cert is at least marginally trusted
+     */
     public boolean isMarginallyTrusted() {
         return getAmount() > NOT_TRUSTED;
     }
 
+    /**
+     * Return true if the certificate is fully trusted. That is the case if the trust amount is
+     * greater than or equal to 120.
+     *
+     * @return true if the cert is fully trusted
+     */
     public boolean isFullyTrusted() {
         return getAmount() >= THRESHOLD_FULLY_CONVINCED;
     }
 
+    /**
+     * Return true, if the cert is an introducer. That is the case if the depth is greater 0.
+     *
+     * @return true if introducer
+     */
     public boolean isIntroducer() {
         return getDepth() >= 1;
     }
 
+    /**
+     * Return true, if the certified cert can introduce certificates with trust depth of 
otherDepth
.
+     *
+     * @param otherDepth other certifications trust depth
+     * @return true if the cert can introduce the other
+     */
     public boolean canIntroduce(int otherDepth) {
         return getDepth() > otherDepth;
     }
 
+    /**
+     * Return true, if the certified cert can introduce certificates with the given 
other
 trust depth.
+     *
+     * @param other other certificates trust depth
+     * @return true if the cert can introduce the other
+     */
     public boolean canIntroduce(Trustworthiness other) {
         return canIntroduce(other.getDepth());
     }
@@ -107,13 +160,13 @@ public class Trustworthiness {
         }
 
         /**
-         * The key is a level 
n
 meta introducer.
+         * The key is a meta introducer of depth 
n
.
          * This key can introduce meta introducers of depth 
n - 1
.
          *
          * @param n depth
          * @return trust
          */
-        public Trustworthiness levelNIntroducer(int n) {
+        public Trustworthiness metaIntroducerOfDepth(int n) {
             return new Trustworthiness(amount, n);
         }
     }

From 1483ff9e24a411381185ec42ee499fd81ae7a459 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 12 May 2022 16:25:04 +0200
Subject: [PATCH 0501/1450] Add another test for Trustworthiness

---
 .../pgpainless/algorithm/TrustworthinessTest.java   | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
index 017126aa..bf87ed65 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/TrustworthinessTest.java
@@ -71,4 +71,17 @@ public class TrustworthinessTest {
         it = new Trustworthiness(140, 1);
         assertTrue(it.isFullyTrusted());
     }
+
+    @Test
+    public void depthHierarchyTest() {
+        Trustworthiness l1 = Trustworthiness.fullyTrusted().metaIntroducerOfDepth(1);
+        Trustworthiness l2 = Trustworthiness.fullyTrusted().metaIntroducerOfDepth(2);
+        Trustworthiness l3 = Trustworthiness.fullyTrusted().metaIntroducerOfDepth(3);
+
+        assertTrue(l3.canIntroduce(l2));
+        assertTrue(l3.canIntroduce(l1));
+        assertTrue(l2.canIntroduce(l1));
+        assertFalse(l1.canIntroduce(l2));
+        assertFalse(l1.canIntroduce(l3));
+    }
 }

From bbd94c6c9abb4adb842967ccb5ae4e7bc8943b30 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 12 May 2022 16:26:57 +0200
Subject: [PATCH 0502/1450] More documentation

---
 .../main/java/org/pgpainless/algorithm/Trustworthiness.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
index 8d62f967..26e66e9c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Trustworthiness.java
@@ -14,9 +14,9 @@ public class Trustworthiness {
     private final int amount;
     private final int depth;
 
-    public static final int THRESHOLD_FULLY_CONVINCED = 120;
-    public static final int MARGINALLY_CONVINCED = 60;
-    public static final int NOT_TRUSTED = 0;
+    public static final int THRESHOLD_FULLY_CONVINCED = 120;    // greater or equal is fully trusted
+    public static final int MARGINALLY_CONVINCED = 60;          // default value for marginally convinced
+    public static final int NOT_TRUSTED = 0;                    // 0 is not trusted
 
     public Trustworthiness(int amount, int depth) {
         this.amount = capAmount(amount);

From 8d2afdf3b6f1a94e1246309394115355005ba2df Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 17 May 2022 18:32:59 +0200
Subject: [PATCH 0503/1450] Make certify() methods public

---
 .../key/certification/CertifyCertificate.java          | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index 8503f8bd..4a8d3985 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -48,7 +48,7 @@ public class CertifyCertificate {
      * @param certificate certificate
      * @return API
      */
-    CertificationOnUserId userIdOnCertificate(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate) {
+    public CertificationOnUserId userIdOnCertificate(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate) {
         return new CertificationOnUserId(userId, certificate, CertificationType.GENERIC);
     }
 
@@ -60,7 +60,7 @@ public class CertifyCertificate {
      * @param certificationType type of signature
      * @return API
      */
-    CertificationOnUserId userIdOnCertificate(@Nonnull String userid, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
+    public CertificationOnUserId userIdOnCertificate(@Nonnull String userid, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
         return new CertificationOnUserId(userid, certificate, certificationType);
     }
 
@@ -70,7 +70,7 @@ public class CertifyCertificate {
      * @param certificate certificate
      * @return API
      */
-    DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate) {
+    public DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate) {
         return certificate(certificate, null);
     }
 
@@ -82,7 +82,7 @@ public class CertifyCertificate {
      * @param trustworthiness trustworthiness of the certificate
      * @return API
      */
-    DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
+    public DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
         return new DelegationOnCertificate(certificate, trustworthiness);
     }
 
@@ -106,7 +106,7 @@ public class CertifyCertificate {
          * @return API
          * @throws PGPException in case of an OpenPGP related error
          */
-        CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
+        public CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
             PGPSecretKey secretKey = getCertifyingSecretKey(certificationKey);
 
             ThirdPartyCertificationSignatureBuilder sigBuilder = new ThirdPartyCertificationSignatureBuilder(

From 7223b40b23ac73702b14655eb793e17ff071ad38 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 24 May 2022 20:22:33 +0200
Subject: [PATCH 0504/1450] Add javadoc and indentation

---
 .../key/certification/CertifyCertificate.java | 41 ++++++++++++++-----
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index 4a8d3985..a4f37b66 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -48,7 +48,8 @@ public class CertifyCertificate {
      * @param certificate certificate
      * @return API
      */
-    public CertificationOnUserId userIdOnCertificate(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate) {
+    public CertificationOnUserId userIdOnCertificate(@Nonnull String userId,
+                                                     @Nonnull PGPPublicKeyRing certificate) {
         return new CertificationOnUserId(userId, certificate, CertificationType.GENERIC);
     }
 
@@ -60,12 +61,16 @@ public class CertifyCertificate {
      * @param certificationType type of signature
      * @return API
      */
-    public CertificationOnUserId userIdOnCertificate(@Nonnull String userid, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
+    public CertificationOnUserId userIdOnCertificate(@Nonnull String userid,
+                                                     @Nonnull PGPPublicKeyRing certificate,
+                                                     @Nonnull CertificationType certificationType) {
         return new CertificationOnUserId(userid, certificate, certificationType);
     }
 
     /**
      * Create a delegation (direct key signature) over a certificate.
+     * This can be used to mark a certificate as a trusted introducer
+     * (see {@link #certificate(PGPPublicKeyRing, Trustworthiness)}).
      *
      * @param certificate certificate
      * @return API
@@ -77,12 +82,14 @@ public class CertifyCertificate {
     /**
      * Create a delegation (direct key signature) containing a {@link org.bouncycastle.bcpg.sig.TrustSignature} packet
      * over a certificate.
+     * This can be used to mark a certificate as a trusted introducer.
      *
      * @param certificate certificate
      * @param trustworthiness trustworthiness of the certificate
      * @return API
      */
-    public DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
+    public DelegationOnCertificate certificate(@Nonnull PGPPublicKeyRing certificate,
+                                               @Nullable Trustworthiness trustworthiness) {
         return new DelegationOnCertificate(certificate, trustworthiness);
     }
 
@@ -92,7 +99,9 @@ public class CertifyCertificate {
         private final String userId;
         private final CertificationType certificationType;
 
-        CertificationOnUserId(@Nonnull String userId, @Nonnull PGPPublicKeyRing certificate, @Nonnull CertificationType certificationType) {
+        CertificationOnUserId(@Nonnull String userId,
+                              @Nonnull PGPPublicKeyRing certificate,
+                              @Nonnull CertificationType certificationType) {
             this.userId = userId;
             this.certificate = certificate;
             this.certificationType = certificationType;
@@ -106,7 +115,9 @@ public class CertifyCertificate {
          * @return API
          * @throws PGPException in case of an OpenPGP related error
          */
-        public CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
+        public CertificationOnUserIdWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey,
+                                                           @Nonnull SecretKeyRingProtector protector)
+                throws PGPException {
             PGPSecretKey secretKey = getCertifyingSecretKey(certificationKey);
 
             ThirdPartyCertificationSignatureBuilder sigBuilder = new ThirdPartyCertificationSignatureBuilder(
@@ -122,7 +133,9 @@ public class CertifyCertificate {
         private final String userId;
         private final ThirdPartyCertificationSignatureBuilder sigBuilder;
 
-        CertificationOnUserIdWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull String userId, @Nonnull ThirdPartyCertificationSignatureBuilder sigBuilder) {
+        CertificationOnUserIdWithSubpackets(@Nonnull PGPPublicKeyRing certificate,
+                                            @Nonnull String userId,
+                                            @Nonnull ThirdPartyCertificationSignatureBuilder sigBuilder) {
             this.certificate = certificate;
             this.userId = userId;
             this.sigBuilder = sigBuilder;
@@ -135,7 +148,8 @@ public class CertifyCertificate {
          * @return result
          * @throws PGPException in case of an OpenPGP related error
          */
-        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketCallback) throws PGPException {
+        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketCallback)
+                throws PGPException {
             sigBuilder.applyCallback(subpacketCallback);
             return build();
         }
@@ -158,7 +172,8 @@ public class CertifyCertificate {
         private final PGPPublicKeyRing certificate;
         private final Trustworthiness trustworthiness;
 
-        DelegationOnCertificate(@Nonnull PGPPublicKeyRing certificate, @Nullable Trustworthiness trustworthiness) {
+        DelegationOnCertificate(@Nonnull PGPPublicKeyRing certificate,
+                                @Nullable Trustworthiness trustworthiness) {
             this.certificate = certificate;
             this.trustworthiness = trustworthiness;
         }
@@ -171,7 +186,9 @@ public class CertifyCertificate {
          * @return API
          * @throws PGPException in case of an OpenPGP related error
          */
-        public DelegationOnCertificateWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey, @Nonnull SecretKeyRingProtector protector) throws PGPException {
+        public DelegationOnCertificateWithSubpackets withKey(@Nonnull PGPSecretKeyRing certificationKey,
+                                                             @Nonnull SecretKeyRingProtector protector)
+                throws PGPException {
             PGPSecretKey secretKey = getCertifyingSecretKey(certificationKey);
 
             ThirdPartyDirectKeySignatureBuilder sigBuilder = new ThirdPartyDirectKeySignatureBuilder(secretKey, protector);
@@ -187,7 +204,8 @@ public class CertifyCertificate {
         private final PGPPublicKeyRing certificate;
         private final ThirdPartyDirectKeySignatureBuilder sigBuilder;
 
-        DelegationOnCertificateWithSubpackets(@Nonnull PGPPublicKeyRing certificate, @Nonnull ThirdPartyDirectKeySignatureBuilder sigBuilder) {
+        DelegationOnCertificateWithSubpackets(@Nonnull PGPPublicKeyRing certificate,
+                                              @Nonnull ThirdPartyDirectKeySignatureBuilder sigBuilder) {
             this.certificate = certificate;
             this.sigBuilder = sigBuilder;
         }
@@ -199,7 +217,8 @@ public class CertifyCertificate {
          * @return result
          * @throws PGPException in case of an OpenPGP related error
          */
-        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketsCallback) throws PGPException {
+        public CertificationResult buildWithSubpackets(@Nonnull CertificationSubpackets.Callback subpacketsCallback)
+                throws PGPException {
             sigBuilder.applyCallback(subpacketsCallback);
             return build();
         }

From a944d2a6b9b660935ae19bde8bf4ad7bab636175 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 15:09:02 +0200
Subject: [PATCH 0505/1450] Fix build errors

---
 .../src/main/java/org/pgpainless/PGPainless.java          | 5 +++++
 .../key/certification/CertifyCertificateTest.java         | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index a2f16ab9..74a1f239 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -165,6 +165,11 @@ public final class PGPainless {
         return Policy.getInstance();
     }
 
+    /**
+     * Create different kinds of signatures on other keys.
+     *
+     * @return builder
+     */
     public static CertifyCertificate certify() {
         return new CertifyCertificate();
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
index 4a72276c..3dbc4988 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
@@ -35,9 +35,9 @@ public class CertifyCertificateTest {
     @Test
     public void testUserIdCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ");
         String bobUserId = "Bob ";
-        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId, null);
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing(bobUserId);
 
         PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob);
 
@@ -70,8 +70,8 @@ public class CertifyCertificateTest {
     @Test
     public void testKeyDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
-        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ", null);
-        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ", null);
+        PGPSecretKeyRing alice = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        PGPSecretKeyRing bob = PGPainless.generateKeyRing().modernKeyRing("Bob ");
 
         PGPPublicKeyRing bobCertificate = PGPainless.extractCertificate(bob);
 

From 82ff62b4e65f00e3dd63784ace3f1e38b86fe49d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 17:58:27 +0200
Subject: [PATCH 0506/1450] Remove unused NotYetImplementedException

---
 .../exception/NotYetImplementedException.java        | 12 ------------
 .../java/org/pgpainless/key/util/KeyRingUtils.java   |  3 ---
 2 files changed, 15 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java
deleted file mode 100644
index 72f9b569..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/NotYetImplementedException.java
+++ /dev/null
@@ -1,12 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.exception;
-
-/**
- * Method that gets thrown if the user requests some functionality which is not yet implemented.
- */
-public class NotYetImplementedException extends RuntimeException {
-
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 8306db34..21c5b575 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -26,7 +26,6 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
 import org.pgpainless.PGPainless;
-import org.pgpainless.exception.NotYetImplementedException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
@@ -354,8 +353,6 @@ public final class KeyRingUtils {
     /**
      * Inject a {@link PGPPublicKey} into the given key ring.
      *
-     * Note: Right now this method is broken and will throw a {@link NotYetImplementedException}.
-     *
      * @param keyRing key ring
      * @param publicKey public key
      * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}

From ca39efda99bef968e6f247d02e60a42c763f2d10 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 18:10:44 +0200
Subject: [PATCH 0507/1450] Add test for CleartextSignedMessageUtil

---
 .../CleartextSignatureVerificationTest.java   | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
index 521dd558..cabfdbb1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CleartextSignatureVerificationTest.java
@@ -6,6 +6,7 @@ package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
@@ -13,6 +14,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
@@ -27,11 +29,13 @@ import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
+import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.WrongConsumingMethodException;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.consumer.CertificateValidator;
@@ -241,6 +245,29 @@ public class CleartextSignatureVerificationTest {
         decryptionStream.close();
     }
 
+    @Test
+    public void clearsignedMessageUtil_detachSignaturesFromInbandNonClearsignedMessageThrows() {
+        // Message is inband signed, but does not use cleartext signature framework
+        String message = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "owGbwMvMyCX29UzQdZ1/lUqMpw8YJDGAgJGjd3JgcqJTVUpylpOCmUK+l39asYGl\n" +
+                "k1NkcYSxgkuaR26EQplppGVuREGqn3NBRJRXoVm4T1BuhoJjcllOYV5xhmVKloVz\n" +
+                "UJaZQmhBSbqCr6uhQlVIkL9rqUJgaaWjpalCuVdiXkVhiFNuQHpmeLpChGNqVkG5\n" +
+                "U1iBgqmvo79LXlFVWK5rpEGkh0dBfrB/ngKXj5FhVlZuUpllTk6xb3m5QlWUT3Gh\n" +
+                "o7dCQXGIgnlwZkBYlI9FhEFAprdnkLGFe6KjZ2meQblCXkiWaWhUknl5YmmYb7JC\n" +
+                "noJJeWZYXmJarpFvXkpKpbGXQkcpC6MYF4M6K1PShlmCnAKwsBBTZJktcnnrHYXL\n" +
+                "h1oWr+qECTMw+O9i+KfUs3LXgzOuS102VbY+fLCqwFynLmyqVDE3b4Yu/5x68UCG\n" +
+                "/35qnVwnbYX8YrK6j+UdabAo/HnvZL7jk7pjRg1n3TIy+QE=\n" +
+                "=yFcL\n" +
+                "-----END PGP MESSAGE-----";
+
+        InputStream inputStream = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        assertThrows(WrongConsumingMethodException.class,
+                () -> ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(inputStream, outputStream));
+    }
+
     private String randomString(int maxWordLen, int wordCount) {
         StringBuilder sb = new StringBuilder();
         for (int i = 0; i < wordCount; i++) {

From fed3080ae8275305b396bbaedcfe37ed669c3ce9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 18:19:24 +0200
Subject: [PATCH 0508/1450] Add tests to increase coverage of v5 fingerprint
 class

---
 .../key/OpenPgpV5FingerprintTest.java         | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
index 2e657d72..b8c74b8b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
@@ -8,6 +8,7 @@ import org.bouncycastle.util.encoders.Hex;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -34,6 +35,7 @@ public class OpenPgpV5FingerprintTest {
         assertTrue(parsed instanceof OpenPgpV5Fingerprint);
         OpenPgpV5Fingerprint v5fp = (OpenPgpV5Fingerprint) parsed;
         assertEquals(prettyPrint, v5fp.prettyPrint());
+        assertEquals(5, v5fp.getVersion());
     }
 
     @Test
@@ -44,6 +46,9 @@ public class OpenPgpV5FingerprintTest {
         OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
         assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
         assertEquals(hex, fingerprint.toString());
+
+        OpenPgpV5Fingerprint constructed = new OpenPgpV5Fingerprint(binary);
+        assertEquals(fingerprint, constructed);
     }
 
     @Test
@@ -73,4 +78,18 @@ public class OpenPgpV5FingerprintTest {
 
         assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.parseFromBinary(binary));
     }
+
+    @Test
+    public void equalsTest() {
+        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint);
+
+        assertNotEquals(parsed, null);
+        assertNotEquals(parsed, new Object());
+        assertEquals(parsed, parsed.toString());
+
+        OpenPgpFingerprint parsed2 = new OpenPgpV5Fingerprint(prettyPrint);
+        assertEquals(parsed.hashCode(), parsed2.hashCode());
+        assertEquals(0, parsed.compareTo(parsed2));
+    }
 }

From 2873de0d052683744888a82e098afbdf6a6dbd3f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 18:35:31 +0200
Subject: [PATCH 0509/1450] Include mockito as test dependency

---
 pgpainless-core/build.gradle | 3 +++
 version.gradle               | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index 50cbb700..f1b852ca 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -12,6 +12,9 @@ dependencies {
     testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
 
+    // Mocking Components
+    testImplementation "org.mockito:mockito-core:$mockitoVersion"
+
     // Logging
     api "org.slf4j:slf4j-api:$slf4jVersion"
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
diff --git a/version.gradle b/version.gradle
index 18354f3b..b97d329f 100644
--- a/version.gradle
+++ b/version.gradle
@@ -9,9 +9,10 @@ allprojects {
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'
-        slf4jVersion = '1.7.36'
-        logbackVersion = '1.2.11'
         junitVersion = '5.8.2'
+        logbackVersion = '1.2.11'
+        mockitoVersion = '4.5.1'
+        slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.0'
     }
 }

From 37441a81e83a4581c040e3c7546025e6d4cd87e7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 18:35:48 +0200
Subject: [PATCH 0510/1450] Add OpenPgpV5Fingerprint constructor tests using
 mocked v5 keys

---
 .../key/OpenPgpV5FingerprintTest.java         | 90 ++++++++++++++++++-
 1 file changed, 87 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
index b8c74b8b..a250bef4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
@@ -4,13 +4,20 @@
 
 package org.pgpainless.key;
 
-import org.bouncycastle.util.encoders.Hex;
-import org.junit.jupiter.api.Test;
-
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.encoders.Hex;
+import org.junit.jupiter.api.Test;
 
 public class OpenPgpV5FingerprintTest {
 
@@ -92,4 +99,81 @@ public class OpenPgpV5FingerprintTest {
         assertEquals(parsed.hashCode(), parsed2.hashCode());
         assertEquals(0, parsed.compareTo(parsed2));
     }
+
+    @Test
+    public void constructFromMockedPublicKey() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
+        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
+        assertEquals(5, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedSecretKey() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPSecretKey secretKey = mock(PGPSecretKey.class);
+        when(secretKey.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = new OpenPgpV5Fingerprint(secretKey);
+        assertEquals(5, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedPublicKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPPublicKeyRing publicKeys = mock(PGPPublicKeyRing.class);
+        when(publicKeys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKeys);
+        assertEquals(5, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV5Fingerprint(publicKeys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedSecretKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPSecretKeyRing secretKeys = mock(PGPSecretKeyRing.class);
+        when(secretKeys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(secretKeys);
+        assertEquals(5, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV5Fingerprint(secretKeys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPKeyRing keys = mock(PGPKeyRing.class);
+        when(keys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(keys);
+        assertEquals(5, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV5Fingerprint(keys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    private PGPPublicKey getMockedPublicKey(String hex) {
+        byte[] binary = Hex.decode(hex);
+
+        PGPPublicKey mocked = mock(PGPPublicKey.class);
+        when(mocked.getVersion()).thenReturn(5);
+        when(mocked.getFingerprint()).thenReturn(binary);
+        return mocked;
+    }
 }

From 0690a213609226d915595520f23986c42b36e5f3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 18:48:27 +0200
Subject: [PATCH 0511/1450] Increase coverage of Policy class

---
 .../org/pgpainless/policy/PolicyTest.java     | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
index 9959be68..4e3cb51e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
@@ -6,6 +6,7 @@ package org.pgpainless.policy;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.util.Arrays;
@@ -167,4 +168,41 @@ public class PolicyTest {
         policy.getNotationRegistry().addKnownNotation("notation@pgpainless.org");
         assertTrue(policy.getNotationRegistry().isKnownNotation("notation@pgpainless.org"));
     }
+
+    @Test
+    public void testUnknownSymmetricKeyEncryptionAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getSymmetricKeyEncryptionAlgorithmPolicy().isAcceptable(-1));
+    }
+
+    @Test
+    public void testUnknownSymmetricKeyDecryptionAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(-1));
+    }
+
+    @Test
+    public void testUnknownSignatureHashAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(-1));
+        assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(-1, new Date()));
+    }
+
+    @Test
+    public void testUnknownRevocationHashAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(-1));
+        assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(-1, new Date()));
+    }
+
+    @Test
+    public void testUnknownCompressionAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getCompressionAlgorithmPolicy().isAcceptable(-1));
+    }
+
+    @Test
+    public void testUnknownPublicKeyAlgorithmIsNotAcceptable() {
+        assertFalse(policy.getPublicKeyAlgorithmPolicy().isAcceptable(-1, 4096));
+    }
+
+    @Test
+    public void setNullSignerUserIdValidationLevelThrows() {
+        assertThrows(NullPointerException.class, () -> policy.setSignerUserIdValidationLevel(null));
+    }
 }

From b6975b38f13501f323b549acf88450909c419045 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 20 Jun 2022 19:03:52 +0200
Subject: [PATCH 0512/1450] Add tests for KeyFlag bitmask methods

---
 .../org/pgpainless/algorithm/KeyFlagTest.java | 97 +++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/KeyFlagTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/KeyFlagTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/KeyFlagTest.java
new file mode 100644
index 00000000..3ec5dcb6
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/KeyFlagTest.java
@@ -0,0 +1,97 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+public class KeyFlagTest {
+
+    @Test
+    public void testEmptyBitmaskHasNoFlags() {
+        int bitmask = KeyFlag.toBitmask();
+        assertEquals(0, bitmask);
+        for (KeyFlag flag : KeyFlag.values()) {
+            assertFalse(KeyFlag.hasKeyFlag(bitmask, flag));
+        }
+    }
+
+    @Test
+    public void testEmptyBitmaskToKeyFlags() {
+        int emptyMask = 0;
+        List flags = KeyFlag.fromBitmask(emptyMask);
+        assertTrue(flags.isEmpty());
+    }
+
+    @Test
+    public void testSingleBitmaskToKeyFlags() {
+        for (KeyFlag flag : KeyFlag.values()) {
+            int singleMask = KeyFlag.toBitmask(flag);
+            List singletonList = KeyFlag.fromBitmask(singleMask);
+            assertEquals(1, singletonList.size());
+            assertEquals(flag, singletonList.get(0));
+        }
+    }
+
+    @Test
+    public void testKeyFlagsToBitmaskToList() {
+        int bitMask = KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE);
+        List flags = KeyFlag.fromBitmask(bitMask);
+
+        assertEquals(2, flags.size());
+        assertTrue(flags.contains(KeyFlag.ENCRYPT_COMMS));
+        assertTrue(flags.contains(KeyFlag.ENCRYPT_STORAGE));
+    }
+
+    @Test
+    public void testSingleKeyFlagToBitmask() {
+        for (KeyFlag flag : KeyFlag.values()) {
+            int bitmask = KeyFlag.toBitmask(flag);
+            assertEquals(flag.getFlag(), bitmask);
+        }
+    }
+
+    @Test
+    public void testDuplicateFlagsDoNotChangeMask() {
+        int mask = KeyFlag.toBitmask(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_COMMS);
+        assertEquals(KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE), mask);
+    }
+
+    @Test
+    public void testMaskHasNot() {
+        int mask = KeyFlag.toBitmask(KeyFlag.ENCRYPT_STORAGE);
+        assertFalse(KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS));
+    }
+
+    @Test
+    public void testMaskContainsNone() {
+        int mask = KeyFlag.toBitmask(KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE);
+
+        assertFalse(KeyFlag.containsAny(mask, KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER));
+    }
+
+    @Test
+    public void testContainsAnyContainsAllExact() {
+        int mask = KeyFlag.toBitmask(KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS);
+        assertTrue(KeyFlag.containsAny(mask, KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS));
+    }
+
+    @Test
+    public void testContainsAnyContainsAll() {
+        int mask = KeyFlag.toBitmask(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.AUTHENTICATION);
+        assertTrue(KeyFlag.containsAny(mask, KeyFlag.SIGN_DATA, KeyFlag.AUTHENTICATION));
+    }
+
+    @Test
+    public void testContainsAnyContainsSome() {
+        int mask = KeyFlag.toBitmask(KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.AUTHENTICATION);
+        assertTrue(KeyFlag.containsAny(mask, KeyFlag.CERTIFY_OTHER));
+    }
+}

From 8d1794544a889920914c9d149c1e8d144964af57 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 21 Jun 2022 19:48:38 +0200
Subject: [PATCH 0513/1450] Fix indentation

---
 .../org/pgpainless/encryption_signing/EncryptionStream.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 0cba8093..dbfc737e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -87,9 +87,9 @@ public final class EncryptionStream extends OutputStream {
         if (options.hasComment()) {
             String[] commentLines = options.getComment().split("\n");
             for (String commentLine : commentLines) {
-            	if (!commentLine.trim().isEmpty()) {
-            		ArmorUtils.addCommentHeader(armorOutputStream, commentLine.trim());
-            	}
+                if (!commentLine.trim().isEmpty()) {
+                    ArmorUtils.addCommentHeader(armorOutputStream, commentLine.trim());
+                }
             }
         }
         outermostStream = armorOutputStream;

From e5ba4f99334be1abc59ff655903a381ab2c596cc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 21 Jun 2022 19:48:49 +0200
Subject: [PATCH 0514/1450] Add buffer to improve encryption performance

---
 .../org/pgpainless/encryption_signing/EncryptionStream.java    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index dbfc737e..50f5cb5f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -82,6 +82,9 @@ public final class EncryptionStream extends OutputStream {
             return;
         }
 
+        // ArmoredOutputStream better be buffered
+        outermostStream = new BufferedOutputStream(outermostStream);
+
         LOGGER.debug("Wrap encryption output in ASCII armor");
         armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream);
         if (options.hasComment()) {

From bca359805b8b8f8158f7b6115a392e2a9c2813b7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 22 Jun 2022 22:14:22 +0200
Subject: [PATCH 0515/1450] SOP decrypt: Do not throw if no signatures found

---
 .../src/main/java/org/pgpainless/sop/DecryptImpl.java       | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index b9539ed5..efed9472 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -154,12 +154,6 @@ public class DecryptImpl implements Decrypt {
                     verificationList.add(map(signatureVerification));
                 }
 
-                if (!consumerOptions.getCertificates().isEmpty()) {
-                    if (verificationList.isEmpty()) {
-                        throw new SOPGPException.NoSignature();
-                    }
-                }
-
                 SessionKey sessionKey = null;
                 if (metadata.getSessionKey() != null) {
                     org.pgpainless.util.SessionKey sk = metadata.getSessionKey();

From 07f9c3ceeffa7532d95a755cdd10f70bc9a95591 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 10:30:16 +0200
Subject: [PATCH 0516/1450] Fix decrypt no signatures test

---
 .../pgpainless/sop/EncryptDecryptRoundTripTest.java    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 7bc5bfdb..52db6a62 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -166,18 +166,20 @@ public class EncryptDecryptRoundTripTest {
     }
 
     @Test
-    public void encrypt_decryptAndVerifyYieldsNoSignatureException() throws IOException {
+    public void encrypt_decryptAndVerifyYieldsNoVerifications() throws IOException {
         byte[] encrypted = sop.encrypt()
                 .withCert(bobCert)
                 .plaintext(message)
                 .getBytes();
 
-        assertThrows(SOPGPException.NoSignature.class, () -> sop
-                .decrypt()
+        DecryptionResult result = sop.decrypt()
                 .withKey(bobKey)
                 .verifyWithCert(aliceCert)
                 .ciphertext(encrypted)
-                .toByteArrayAndResult());
+                .toByteArrayAndResult()
+                .getResult();
+
+        assertTrue(result.getVerifications().isEmpty());
     }
 
     @Test

From 0c28c7a389024a013e53bf4813756f8220aedfc8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 11:46:19 +0200
Subject: [PATCH 0517/1450] symmetrically encrypted messages are still
 encrypted

---
 .../org/pgpainless/decryption_verification/OpenPgpMetadata.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
index 2d9feb33..130ea554 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
@@ -84,7 +84,7 @@ public class OpenPgpMetadata {
      * @return true if encrypted, false otherwise
      */
     public boolean isEncrypted() {
-        return sessionKey != null && sessionKey.getAlgorithm() != SymmetricKeyAlgorithm.NULL && !getRecipientKeyIds().isEmpty();
+        return sessionKey != null && sessionKey.getAlgorithm() != SymmetricKeyAlgorithm.NULL;
     }
 
     /**

From efc0cb357b44d393a487786cbed29cb0e4dfc5f7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 11:47:20 +0200
Subject: [PATCH 0518/1450] EncryptDecryptRoundTripTest: make passphrase
 constant

---
 .../java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 52db6a62..6f7e3d47 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -28,6 +28,7 @@ public class EncryptDecryptRoundTripTest {
     private static final Charset utf8 = Charset.forName("UTF8");
     private static SOP sop;
     private static byte[] aliceKey;
+    private static final String alicePassword = "wonderland.is.c00l";
     private static byte[] aliceCert;
     private static byte[] bobKey;
     private static byte[] bobCert;
@@ -38,7 +39,7 @@ public class EncryptDecryptRoundTripTest {
         sop = new SOPImpl();
         aliceKey = sop.generateKey()
                 .userId("Alice ")
-                .withKeyPassword("wonderland.is.c00l")
+                .withKeyPassword(alicePassword)
                 .generate()
                 .getBytes();
         aliceCert = sop.extractCert()
@@ -57,7 +58,7 @@ public class EncryptDecryptRoundTripTest {
     public void basicRoundTripWithKey() throws IOException, SOPGPException.KeyCannotSign {
         byte[] encrypted = sop.encrypt()
                 .signWith(aliceKey)
-                .withKeyPassword("wonderland.is.c00l")
+                .withKeyPassword(alicePassword)
                 .withCert(aliceCert)
                 .withCert(bobCert)
                 .plaintext(message)

From 14531f00500ec55bebd15fe3b0a717165ea53568 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 11:47:48 +0200
Subject: [PATCH 0519/1450] Make sop decrypt throw for unencrypted data

---
 .../java/org/pgpainless/sop/DecryptImpl.java   |  4 ++++
 .../sop/EncryptDecryptRoundTripTest.java       | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index efed9472..7d8481e3 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -149,6 +149,10 @@ public class DecryptImpl implements Decrypt {
                 decryptionStream.close();
                 OpenPgpMetadata metadata = decryptionStream.getResult();
 
+                if (!metadata.isEncrypted()) {
+                    throw new SOPGPException.BadData("Data is not encrypted.");
+                }
+
                 List verificationList = new ArrayList<>();
                 for (SignatureVerification signatureVerification : metadata.getVerifiedInbandSignatures()) {
                     verificationList.add(map(signatureVerification));
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 6f7e3d47..515cf71d 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -515,4 +515,22 @@ public class EncryptDecryptRoundTripTest {
         assertThrows(SOPGPException.BadData.class, () ->
                 sop.decrypt().withSessionKey(wrongSessionKey).ciphertext(ciphertext));
     }
+
+    @Test
+    public void decryptNonEncryptedDataFailsBadData() throws IOException {
+        byte[] signed = sop.inlineSign()
+                .key(aliceKey)
+                .withKeyPassword(alicePassword)
+                .data(message)
+                .getBytes();
+
+        assertThrows(SOPGPException.BadData.class, () ->
+                sop.decrypt()
+                        .verifyWithCert(aliceCert)
+                        .withKey(aliceKey)
+                        .withKeyPassword(alicePassword)
+                        .ciphertext(signed)
+                        .toByteArrayAndResult()
+        );
+    }
 }

From e0be145541a55feeff335ee5405dd9833e0ecd87 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 11:57:28 +0200
Subject: [PATCH 0520/1450] Update changelog

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d31c8ff..c5240e67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,14 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.1-SNAPSHOT
+- Fix reproducibility of builds by setting fixed file permissions in archive task
+- Improve encryption performance by buffering streams
+- Fix `OpenPgpMetadata.isEncrypted()` to also return true for symmetrically encrypted messages
+- SOP changes
+  - decrypt: Do not throw `NoSignatures` if no signatures found
+  - decrypt: Throw `BadData` when ciphertext is not encrypted
+
 ## 1.3.0
 - Add `RevokedKeyException`
 - `KeyRingUtils.stripSecretKey()`: Disallow stripping of primary secret key

From 9654af15e6d394942473d72b555069d81a12fac1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 12:09:01 +0200
Subject: [PATCH 0521/1450] PGPainless 1.3.1

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 390e8771..271024b0 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.2.2'
+	implementation 'org.pgpainless:pgpainless-core:1.3.1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 0ef67686..58c1e9c9 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.2.2"
+    implementation "org.pgpainless:pgpainless-sop:1.3.1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.2.2
+        1.3.1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index b97d329f..97e1dfb2 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 62ef8b8d5fe608b7e0ed265069c0d0ad72bb1c0f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 12:10:58 +0200
Subject: [PATCH 0522/1450] PGPainless 1.3.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 97e1dfb2..178eb300 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.1'
-        isSnapshot = false
+        shortVersion = '1.3.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From d0ad0ac3e4eed3ecfeb58d2a4eab880a20b57dfd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 23 Jun 2022 12:12:42 +0200
Subject: [PATCH 0523/1450] Fix heading of changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5240e67..39f795af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.1-SNAPSHOT
+## 1.3.1
 - Fix reproducibility of builds by setting fixed file permissions in archive task
 - Improve encryption performance by buffering streams
 - Fix `OpenPgpMetadata.isEncrypted()` to also return true for symmetrically encrypted messages

From 3f40fb99ef54534cec32a68a6c073b40c0a39026 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 24 Jun 2022 12:04:38 +0200
Subject: [PATCH 0524/1450] Add RevocationState enum

---
 .../pgpainless/algorithm/RevocationState.java | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
new file mode 100644
index 00000000..5a0fa142
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+public enum RevocationState {
+
+    /**
+     * Certificate is not revoked.
+     */
+    notRevoked,
+
+    /**
+     * Certificate is revoked with a soft revocation.
+     */
+    softRevoked,
+
+    /**
+     * Certificate is revoked with a hard revocation.
+     */
+    hardRevoked
+}

From 0c0f82ce2e00aa329a47fdb12fdcf007869973c5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 24 Jun 2022 12:28:10 +0200
Subject: [PATCH 0525/1450] Add KeyRingInfo constructor that takes Policy
 instance

---
 .../java/org/pgpainless/key/info/KeyRingInfo.java   | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index b73087b4..9d761e38 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -86,8 +86,19 @@ public class KeyRingInfo {
      * @param validationDate date of validation
      */
     public KeyRingInfo(PGPKeyRing keys, Date validationDate) {
+        this(keys, PGPainless.getPolicy(), validationDate);
+    }
+
+    /**
+     * Evaluate the key ring at the provided validation date.
+     *
+     * @param keys key ring
+     * @param policy policy
+     * @param validationDate validation date
+     */
+    public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) {
         this.keys = keys;
-        this.signatures = new Signatures(keys, validationDate, PGPainless.getPolicy());
+        this.signatures = new Signatures(keys, validationDate, policy);
         this.evaluationDate = validationDate;
         this.primaryUserId = findPrimaryUserId();
     }

From 7e0b1b344c1aee0af35a6b997b369f1a92ef1aa1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 24 Jun 2022 12:47:35 +0200
Subject: [PATCH 0526/1450] s/{validation|evaluation}Date/referenceTime/g

---
 .../org/pgpainless/key/info/KeyRingInfo.java  |  20 +--
 .../consumer/SignatureValidator.java          | 136 +++++++++++------
 .../signature/consumer/SignatureVerifier.java | 141 ++++++++++--------
 3 files changed, 179 insertions(+), 118 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 9d761e38..7999b592 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -56,7 +56,7 @@ public class KeyRingInfo {
 
     private final PGPKeyRing keys;
     private final Signatures signatures;
-    private final Date evaluationDate;
+    private final Date referenceDate;
     private final String primaryUserId;
 
     /**
@@ -99,7 +99,7 @@ public class KeyRingInfo {
     public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) {
         this.keys = keys;
         this.signatures = new Signatures(keys, validationDate, policy);
-        this.evaluationDate = validationDate;
+        this.referenceDate = validationDate;
         this.primaryUserId = findPrimaryUserId();
     }
 
@@ -413,7 +413,7 @@ public class KeyRingInfo {
         }
         if (certification.getHashedSubPackets().isPrimaryUserID()) {
             Date keyExpiration = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(certification, keys.getPublicKey());
-            if (keyExpiration != null && evaluationDate.after(keyExpiration)) {
+            if (keyExpiration != null && referenceDate.after(keyExpiration)) {
                 return false;
             }
         }
@@ -1097,9 +1097,9 @@ public class KeyRingInfo {
         private final Map subkeyRevocations;
         private final Map subkeyBindings;
 
-        public Signatures(PGPKeyRing keyRing, Date evaluationDate, Policy policy) {
-            primaryKeyRevocation = SignaturePicker.pickCurrentRevocationSelfSignature(keyRing, policy, evaluationDate);
-            primaryKeySelfSignature = SignaturePicker.pickLatestDirectKeySignature(keyRing, policy, evaluationDate);
+        public Signatures(PGPKeyRing keyRing, Date referenceDate, Policy policy) {
+            primaryKeyRevocation = SignaturePicker.pickCurrentRevocationSelfSignature(keyRing, policy, referenceDate);
+            primaryKeySelfSignature = SignaturePicker.pickLatestDirectKeySignature(keyRing, policy, referenceDate);
             userIdRevocations = new HashMap<>();
             userIdCertifications = new HashMap<>();
             subkeyRevocations = new HashMap<>();
@@ -1107,11 +1107,11 @@ public class KeyRingInfo {
 
             for (Iterator it = keyRing.getPublicKey().getUserIDs(); it.hasNext(); ) {
                 String userId = it.next();
-                PGPSignature revocation = SignaturePicker.pickCurrentUserIdRevocationSignature(keyRing, userId, policy, evaluationDate);
+                PGPSignature revocation = SignaturePicker.pickCurrentUserIdRevocationSignature(keyRing, userId, policy, referenceDate);
                 if (revocation != null) {
                     userIdRevocations.put(userId, revocation);
                 }
-                PGPSignature certification = SignaturePicker.pickLatestUserIdCertificationSignature(keyRing, userId, policy, evaluationDate);
+                PGPSignature certification = SignaturePicker.pickLatestUserIdCertificationSignature(keyRing, userId, policy, referenceDate);
                 if (certification != null) {
                     userIdCertifications.put(userId, certification);
                 }
@@ -1121,11 +1121,11 @@ public class KeyRingInfo {
             keys.next(); // Skip primary key
             while (keys.hasNext()) {
                 PGPPublicKey subkey = keys.next();
-                PGPSignature subkeyRevocation = SignaturePicker.pickCurrentSubkeyBindingRevocationSignature(keyRing, subkey, policy, evaluationDate);
+                PGPSignature subkeyRevocation = SignaturePicker.pickCurrentSubkeyBindingRevocationSignature(keyRing, subkey, policy, referenceDate);
                 if (subkeyRevocation != null) {
                     subkeyRevocations.put(subkey.getKeyID(), subkeyRevocation);
                 }
-                PGPSignature subkeyBinding = SignaturePicker.pickLatestSubkeyBindingSignature(keyRing, subkey, policy, evaluationDate);
+                PGPSignature subkeyBinding = SignaturePicker.pickLatestSubkeyBindingSignature(keyRing, subkey, policy, referenceDate);
                 if (subkeyBinding != null) {
                     subkeyBindings.put(subkey.getKeyID(), subkeyBinding);
                 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 6a10e1f3..56614f4f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -44,14 +44,15 @@ public abstract class SignatureValidator {
 
     /**
      * Check, whether there is the possibility that the given signature was created by the given key.
-     * {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that the signature
-     * was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
+     * {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that
+     * the signature was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
      *
      * If there is no information found in the signature about who created it (no issuer, no fingerprint),
      * {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig.
      *
      * @param signingKey signing key
-     * @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by the given key.
+     * @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by
+     * the given key.
      */
     public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) {
         return new SignatureValidator() {
@@ -62,14 +63,17 @@ public abstract class SignatureValidator {
                 Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
                 if (issuer != null) {
                     if (issuer != signingKey.getKeyID()) {
-                        throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
+                        throw new SignatureValidationException("Signature was not created by " +
+                                signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
                     }
                 }
 
-                OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
+                OpenPgpFingerprint fingerprint =
+                        SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
                 if (fingerprint != null) {
                     if (!fingerprint.equals(signingKeyFingerprint)) {
-                        throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
+                        throw new SignatureValidationException("Signature was not created by " +
+                                signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
                     }
                 }
 
@@ -86,10 +90,12 @@ public abstract class SignatureValidator {
      * @param primaryKey primary key
      * @param subkey subkey
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return validator
      */
-    public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
+    public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey,
+                                                                                  PGPPublicKey subkey, Policy policy,
+                                                                                  Date referenceDate) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -117,7 +123,7 @@ public abstract class SignatureValidator {
 
                             try {
                                 signatureStructureIsAcceptable(subkey, policy).verify(embedded);
-                                signatureIsEffective(validationDate).verify(embedded);
+                                signatureIsEffective(referenceDate).verify(embedded);
                                 correctPrimaryKeyBindingSignature(primaryKey, subkey).verify(embedded);
 
                                 hasValidPrimaryKeyBinding = true;
@@ -129,7 +135,9 @@ public abstract class SignatureValidator {
                     }
 
                     if (!hasValidPrimaryKeyBinding) {
-                        throw new SignatureValidationException("Missing primary key binding signature on signing capable subkey " + Long.toHexString(subkey.getKeyID()), rejectedEmbeddedSigs);
+                        throw new SignatureValidationException(
+                                "Missing primary key binding signature on signing capable subkey " +
+                                        Long.toHexString(subkey.getKeyID()), rejectedEmbeddedSigs);
                     }
                 } catch (PGPException e) {
                     throw new SignatureValidationException("Cannot process list of embedded signatures.", e);
@@ -165,7 +173,8 @@ public abstract class SignatureValidator {
      * @param signingKey signing key
      * @return validator
      */
-    private static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy, PGPPublicKey signingKey) {
+    private static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy,
+                                                                                PGPPublicKey signingKey) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -176,7 +185,8 @@ public abstract class SignatureValidator {
                     }
                     if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
                         throw new SignatureValidationException("Signature was made using unacceptable key. " +
-                                algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
+                                algorithm + " (" + bitStrength +
+                                " bits) is not acceptable according to the public key algorithm policy.");
                     }
             }
         };
@@ -194,13 +204,16 @@ public abstract class SignatureValidator {
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 try {
                     HashAlgorithm hashAlgorithm = HashAlgorithm.requireFromId(signature.getHashAlgorithm());
-                    Policy.HashAlgorithmPolicy hashAlgorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy);
+                    Policy.HashAlgorithmPolicy hashAlgorithmPolicy =
+                            getHashAlgorithmPolicyForSignature(signature, policy);
                     if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm(), signature.getCreationTime())) {
-                        throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm +
-                                " (Signature creation time: " + DateUtil.formatUTCDate(signature.getCreationTime()) + ")");
+                        throw new SignatureValidationException("Signature uses unacceptable hash algorithm " +
+                                hashAlgorithm + " (Signature creation time: " +
+                                DateUtil.formatUTCDate(signature.getCreationTime()) + ")");
                     }
                 } catch (NoSuchElementException e) {
-                    throw new SignatureValidationException("Signature uses unknown hash algorithm " + signature.getHashAlgorithm());
+                    throw new SignatureValidationException("Signature uses unknown hash algorithm " +
+                            signature.getHashAlgorithm());
                 }
             }
         };
@@ -214,10 +227,12 @@ public abstract class SignatureValidator {
      * @param policy revocation policy for revocation sigs, normal policy for non-rev sigs
      * @return policy
      */
-    private static Policy.HashAlgorithmPolicy getHashAlgorithmPolicyForSignature(PGPSignature signature, Policy policy) {
+    private static Policy.HashAlgorithmPolicy getHashAlgorithmPolicyForSignature(PGPSignature signature,
+                                                                                 Policy policy) {
         SignatureType type = SignatureType.valueOf(signature.getSignatureType());
         Policy.HashAlgorithmPolicy hashAlgorithmPolicy;
-        if (type == SignatureType.CERTIFICATION_REVOCATION || type == SignatureType.KEY_REVOCATION || type == SignatureType.SUBKEY_REVOCATION) {
+        if (type == SignatureType.CERTIFICATION_REVOCATION || type == SignatureType.KEY_REVOCATION ||
+                type == SignatureType.SUBKEY_REVOCATION) {
             hashAlgorithmPolicy = policy.getRevocationSignatureHashAlgorithmPolicy();
         } else {
             hashAlgorithmPolicy = policy.getSignatureHashAlgorithmPolicy();
@@ -241,7 +256,8 @@ public abstract class SignatureValidator {
                         continue;
                     }
                     if (!registry.isKnownNotation(notation.getNotationName())) {
-                        throw new SignatureValidationException("Signature contains unknown critical notation '" + notation.getNotationName() + "' in its hashed area.");
+                        throw new SignatureValidationException("Signature contains unknown critical notation '" +
+                                notation.getNotationName() + "' in its hashed area.");
                     }
                 }
             }
@@ -262,7 +278,9 @@ public abstract class SignatureValidator {
                     try {
                         SignatureSubpacket.requireFromCode(criticalTag);
                     } catch (NoSuchElementException e) {
-                        throw new SignatureValidationException("Signature contains unknown critical subpacket of type " + Long.toHexString(criticalTag));
+                        throw new SignatureValidationException(
+                                "Signature contains unknown critical subpacket of type " +
+                                        Long.toHexString(criticalTag));
                     }
                 }
             }
@@ -281,15 +299,15 @@ public abstract class SignatureValidator {
     /**
      * Verify that a signature is effective at the given reference date.
      *
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return validator
      */
-    public static SignatureValidator signatureIsEffective(Date validationDate) {
+    public static SignatureValidator signatureIsEffective(Date referenceDate) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
-                signatureIsAlreadyEffective(validationDate).verify(signature);
-                signatureIsNotYetExpired(validationDate).verify(signature);
+                signatureIsAlreadyEffective(referenceDate).verify(signature);
+                signatureIsNotYetExpired(referenceDate).verify(signature);
             }
         };
     }
@@ -297,10 +315,10 @@ public abstract class SignatureValidator {
     /**
      * Verify that a signature was created prior to the given reference date.
      *
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return validator
      */
-    public static SignatureValidator signatureIsAlreadyEffective(Date validationDate) {
+    public static SignatureValidator signatureIsAlreadyEffective(Date referenceDate) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -310,8 +328,9 @@ public abstract class SignatureValidator {
                     return;
                 }
 
-                if (signatureCreationTime.after(validationDate)) {
-                    throw new SignatureValidationException("Signature was created at " + signatureCreationTime + " and is therefore not yet valid at " + validationDate);
+                if (signatureCreationTime.after(referenceDate)) {
+                    throw new SignatureValidationException("Signature was created at " + signatureCreationTime +
+                            " and is therefore not yet valid at " + referenceDate);
                 }
             }
         };
@@ -320,10 +339,10 @@ public abstract class SignatureValidator {
     /**
      * Verify that a signature is not yet expired.
      *
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return validator
      */
-    public static SignatureValidator signatureIsNotYetExpired(Date validationDate) {
+    public static SignatureValidator signatureIsNotYetExpired(Date referenceDate) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -333,8 +352,9 @@ public abstract class SignatureValidator {
                 }
 
                 Date signatureExpirationTime = SignatureSubpacketsUtil.getSignatureExpirationTimeAsDate(signature);
-                if (signatureExpirationTime != null && signatureExpirationTime.before(validationDate)) {
-                    throw new SignatureValidationException("Signature is already expired (expiration: " + signatureExpirationTime + ", validation: " + validationDate + ")");
+                if (signatureExpirationTime != null && signatureExpirationTime.before(referenceDate)) {
+                    throw new SignatureValidationException("Signature is already expired (expiration: " +
+                            signatureExpirationTime + ", validation: " + referenceDate + ")");
                 }
             }
         };
@@ -375,7 +395,8 @@ public abstract class SignatureValidator {
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 SignatureCreationTime creationTime = SignatureSubpacketsUtil.getSignatureCreationTime(signature);
                 if (creationTime == null) {
-                    throw new SignatureValidationException("Malformed signature. Signature has no signature creation time subpacket in its hashed area.");
+                    throw new SignatureValidationException(
+                            "Malformed signature. Signature has no signature creation time subpacket in its hashed area.");
                 }
             }
         };
@@ -405,7 +426,8 @@ public abstract class SignatureValidator {
                 Date signatureCreationTime = signature.getCreationTime();
 
                 if (keyCreationTime.after(signatureCreationTime)) {
-                    throw new SignatureValidationException("Signature predates key (key creation: " + keyCreationTime + ", signature creation: " + signatureCreationTime + ")");
+                    throw new SignatureValidationException("Signature predates key (key creation: " +
+                            keyCreationTime + ", signature creation: " + signatureCreationTime + ")");
                 }
             }
         };
@@ -425,7 +447,8 @@ public abstract class SignatureValidator {
                     return;
                 }
                 boolean predatesBindingSig = true;
-                Iterator bindingSignatures = signingKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode());
+                Iterator bindingSignatures =
+                        signingKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode());
                 if (!bindingSignatures.hasNext()) {
                     throw new SignatureValidationException("Signing subkey does not have a subkey binding signature.");
                 }
@@ -436,7 +459,8 @@ public abstract class SignatureValidator {
                     }
                 }
                 if (predatesBindingSig) {
-                    throw new SignatureValidationException("Signature was created before the signing key was bound to the key ring.");
+                    throw new SignatureValidationException(
+                            "Signature was created before the signing key was bound to the key ring.");
                 }
             }
         };
@@ -457,7 +481,8 @@ public abstract class SignatureValidator {
                     throw new SignatureValidationException("Primary key cannot be its own subkey.");
                 }
                 try {
-                    signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), primaryKey);
+                    signature.init(ImplementationFactory.getInstance()
+                            .getPGPContentVerifierBuilderProvider(), primaryKey);
                     boolean valid = signature.verifyCertification(primaryKey, subkey);
                     if (!valid) {
                         throw new SignatureValidationException("Signature is not correct.");
@@ -487,7 +512,8 @@ public abstract class SignatureValidator {
                         throw new SignatureValidationException("Primary Key Binding Signature is not correct.");
                     }
                 } catch (PGPException | ClassCastException e) {
-                    throw new SignatureValidationException("Cannot verify primary key binding signature correctness", e);
+                    throw new SignatureValidationException(
+                            "Cannot verify primary key binding signature correctness", e);
                 }
             }
         };
@@ -554,7 +580,8 @@ public abstract class SignatureValidator {
                     }
                 }
                 if (!valid) {
-                    throw new SignatureValidationException("Signature is of type " + type + " while only " + Arrays.toString(signatureTypes) + " are allowed here.");
+                    throw new SignatureValidationException("Signature is of type " + type + " while only " +
+                            Arrays.toString(signatureTypes) + " are allowed here.");
                 }
             }
         };
@@ -568,18 +595,22 @@ public abstract class SignatureValidator {
      * @param certifyingKey key that created the signature.
      * @return validator
      */
-    public static SignatureValidator correctSignatureOverUserId(String userId, PGPPublicKey certifiedKey, PGPPublicKey certifyingKey) {
+    public static SignatureValidator correctSignatureOverUserId(String userId, PGPPublicKey certifiedKey,
+                                                                PGPPublicKey certifyingKey) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 try {
-                    signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), certifyingKey);
+                    signature.init(ImplementationFactory.getInstance()
+                            .getPGPContentVerifierBuilderProvider(), certifyingKey);
                     boolean valid = signature.verifyCertification(userId, certifiedKey);
                     if (!valid) {
-                        throw new SignatureValidationException("Signature over user-id '" + userId + "' is not correct.");
+                        throw new SignatureValidationException("Signature over user-id '" + userId +
+                                "' is not correct.");
                     }
                 } catch (PGPException | ClassCastException e) {
-                    throw new SignatureValidationException("Cannot verify signature over user-id '" + userId + "'.", e);
+                    throw new SignatureValidationException("Cannot verify signature over user-id '" +
+                            userId + "'.", e);
                 }
             }
         };
@@ -593,12 +624,15 @@ public abstract class SignatureValidator {
      * @param certifyingKey key that created the certification signature
      * @return validator
      */
-    public static SignatureValidator correctSignatureOverUserAttributes(PGPUserAttributeSubpacketVector userAttributes, PGPPublicKey certifiedKey, PGPPublicKey certifyingKey) {
+    public static SignatureValidator correctSignatureOverUserAttributes(PGPUserAttributeSubpacketVector userAttributes,
+                                                                        PGPPublicKey certifiedKey,
+                                                                        PGPPublicKey certifyingKey) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 try {
-                    signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), certifyingKey);
+                    signature.init(ImplementationFactory.getInstance()
+                            .getPGPContentVerifierBuilderProvider(), certifyingKey);
                     boolean valid = signature.verifyCertification(userAttributes, certifiedKey);
                     if (!valid) {
                         throw new SignatureValidationException("Signature over user-attribute vector is not correct.");
@@ -616,12 +650,16 @@ public abstract class SignatureValidator {
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 Date timestamp = signature.getCreationTime();
                 if (notBefore != null && timestamp.before(notBefore)) {
-                    throw new SignatureValidationException("Signature was made before the earliest allowed signature creation time. Created: " +
-                            DateUtil.formatUTCDate(timestamp) + " Earliest allowed: " + DateUtil.formatUTCDate(notBefore));
+                    throw new SignatureValidationException(
+                            "Signature was made before the earliest allowed signature creation time. Created: " +
+                            DateUtil.formatUTCDate(timestamp) + " Earliest allowed: " +
+                                    DateUtil.formatUTCDate(notBefore));
                 }
                 if (notAfter != null && timestamp.after(notAfter)) {
-                    throw new SignatureValidationException("Signature was made after the latest allowed signature creation time. Created: " +
-                            DateUtil.formatUTCDate(timestamp) + " Latest allowed: " + DateUtil.formatUTCDate(notAfter));
+                    throw new SignatureValidationException(
+                            "Signature was made after the latest allowed signature creation time. Created: " +
+                            DateUtil.formatUTCDate(timestamp) + " Latest allowed: " +
+                                    DateUtil.formatUTCDate(notAfter));
                 }
             }
         };
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
index d4a61271..c4565197 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureVerifier.java
@@ -36,12 +36,13 @@ public final class SignatureVerifier {
      * @param signingKey key that created the certification
      * @param keyWithUserId key carrying the user-id
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if signature verification is successful
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
+    public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey,
+                                                    PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureType type = SignatureType.valueOf(signature.getSignatureType());
         switch (type) {
@@ -49,9 +50,9 @@ public final class SignatureVerifier {
             case NO_CERTIFICATION:
             case CASUAL_CERTIFICATION:
             case POSITIVE_CERTIFICATION:
-                return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
+                return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, referenceDate);
             case CERTIFICATION_REVOCATION:
-                return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
+                return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, referenceDate);
             default:
                 throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
         }
@@ -64,14 +65,15 @@ public final class SignatureVerifier {
      * @param signature certification signature
      * @param primaryKey primary key
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the self-signature is verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
+    public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey,
+                                                    Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
+        return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, referenceDate);
     }
 
     /**
@@ -82,17 +84,18 @@ public final class SignatureVerifier {
      * @param signingKey key that created the certification
      * @param keyWithUserId primary key that carries the user-id
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if signature verification is successful
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
+    public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey,
+                                                    PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsCertification().verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
         SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
 
         return true;
@@ -105,14 +108,15 @@ public final class SignatureVerifier {
      * @param signature user-id revocation signature
      * @param primaryKey primary key
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the user-id revocation signature is successfully verified
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
+    public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey,
+                                                 Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
+        return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, referenceDate);
     }
 
     /**
@@ -123,17 +127,18 @@ public final class SignatureVerifier {
      * @param signingKey key that created the revocation signature
      * @param keyWithUserId primary key carrying the user-id
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the user-id revocation signature is successfully verified
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
+    public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey,
+                                                 PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
         SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
 
         return true;
@@ -146,16 +151,17 @@ public final class SignatureVerifier {
      * @param signature certification self-signature
      * @param primaryKey primary key that carries the user-attributes
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
     public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
                                                             PGPSignature signature, PGPPublicKey primaryKey,
-                                                            Policy policy, Date validationDate)
+                                                            Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
+        return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy,
+                referenceDate);
     }
 
     /**
@@ -166,7 +172,7 @@ public final class SignatureVerifier {
      * @param signingKey key that created the user-attributes certification
      * @param keyWithUserAttributes key that carries the user-attributes certification
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
@@ -174,13 +180,14 @@ public final class SignatureVerifier {
     public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
                                                             PGPSignature signature, PGPPublicKey signingKey,
                                                             PGPPublicKey keyWithUserAttributes, Policy policy,
-                                                            Date validationDate)
+                                                            Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsCertification().verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
-        SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
+        SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey)
+                .verify(signature);
 
         return true;
     }
@@ -192,16 +199,16 @@ public final class SignatureVerifier {
      * @param signature user-attributes revocation signature
      * @param primaryKey primary key that carries the user-attributes
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the revocation signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
     public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
                                                          PGPSignature signature, PGPPublicKey primaryKey,
-                                                         Policy policy, Date validationDate)
+                                                         Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
+        return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, referenceDate);
     }
 
     /**
@@ -212,7 +219,7 @@ public final class SignatureVerifier {
      * @param signingKey revocation key
      * @param keyWithUserAttributes key that carries the user-attributes
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the revocation signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
@@ -220,13 +227,14 @@ public final class SignatureVerifier {
     public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
                                                          PGPSignature signature, PGPPublicKey signingKey,
                                                          PGPPublicKey keyWithUserAttributes, Policy policy,
-                                                         Date validationDate)
+                                                         Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
-        SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
+        SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey)
+                .verify(signature);
 
         return true;
     }
@@ -238,18 +246,20 @@ public final class SignatureVerifier {
      * @param primaryKey primary key
      * @param subkey subkey
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the binding signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
+    public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey,
+                                                       PGPPublicKey subkey, Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
         SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
-        SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
+        SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, referenceDate)
+                .verify(signature);
         SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
 
         return true;
@@ -262,16 +272,18 @@ public final class SignatureVerifier {
      * @param primaryKey primary key
      * @param subkey subkey
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the subkey revocation signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
+    public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey,
+                                                        PGPPublicKey subkey, Policy policy, Date referenceDate)
+            throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
         SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
         SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
 
         return true;
@@ -283,14 +295,15 @@ public final class SignatureVerifier {
      * @param signature signature
      * @param primaryKey primary key
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the signature can be verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
+    public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey,
+                                                   Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
+        return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, referenceDate);
     }
 
     /**
@@ -300,17 +313,18 @@ public final class SignatureVerifier {
      * @param signingKey signing key
      * @param signedKey signed key
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if signature verification is successful
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
+    public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey,
+                                                   PGPPublicKey signedKey, Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
         SignatureValidator.signatureDoesNotPredateSignee(signedKey).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
         SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
 
         return true;
@@ -322,16 +336,17 @@ public final class SignatureVerifier {
      * @param signature signature
      * @param primaryKey primary key
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if signature verification is successful
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
+    public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey,
+                                                       Policy policy, Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
         SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
 
         return true;
@@ -344,14 +359,16 @@ public final class SignatureVerifier {
      * @param signedData input stream containing the signed data
      * @param signingKey the key that created the signature
      * @param policy policy
-     * @param validationDate reference date of signature verification
+     * @param referenceDate reference date of signature verification
      * @return true if the signature is successfully verified
      *
      * @throws SignatureValidationException if the signature verification fails for some reason
      */
-    public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
+    public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData,
+                                                       PGPPublicKey signingKey, Policy policy, Date referenceDate)
+            throws SignatureValidationException {
         initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
-        return verifyInitializedSignature(signature, signingKey, policy, validationDate);
+        return verifyInitializedSignature(signature, signingKey, policy, referenceDate);
     }
 
     /**
@@ -363,7 +380,8 @@ public final class SignatureVerifier {
      *
      * @throws SignatureValidationException in case the signature cannot be verified for some reason
      */
-    public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
+    public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData,
+                                                                  PGPPublicKey signingKey)
             throws SignatureValidationException {
         try {
             signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
@@ -399,16 +417,17 @@ public final class SignatureVerifier {
      * @param signature OpenPGP signature
      * @param signingKey key that created the signature
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if signature is verified successfully
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
+    public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy,
+                                                     Date referenceDate)
             throws SignatureValidationException {
         SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
         SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-        SignatureValidator.signatureIsEffective(validationDate).verify(signature);
+        SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
 
         try {
             if (!signature.verify()) {
@@ -420,7 +439,8 @@ public final class SignatureVerifier {
         }
     }
 
-    public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignatureCheck onePassSignature, Policy policy)
+    public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey,
+                                                 OnePassSignatureCheck onePassSignature, Policy policy)
             throws SignatureValidationException {
         try {
             SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
@@ -435,10 +455,12 @@ public final class SignatureVerifier {
                 throw new IllegalStateException("No comparison signature provided.");
             }
             if (!onePassSignature.getOnePassSignature().verify(signature)) {
-                throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
+                throw new SignatureValidationException("Bad signature of key " +
+                        Long.toHexString(signingKey.getKeyID()));
             }
         } catch (PGPException e) {
-            throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
+            throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " +
+                    e.getMessage(), e);
         }
 
         return true;
@@ -451,13 +473,14 @@ public final class SignatureVerifier {
      * @param signature self-signature
      * @param primaryKey primary key that created the signature
      * @param policy policy
-     * @param validationDate reference date for signature verification
+     * @param referenceDate reference date for signature verification
      * @return true if the signature is successfully verified
      *
      * @throws SignatureValidationException if signature verification fails for some reason
      */
-    public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
+    public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey,
+                                                    Policy policy, Date referenceDate)
             throws SignatureValidationException {
-        return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
+        return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, referenceDate);
     }
 }

From b2a5351cc3c757b6e6366525b74a2f875c87cfa4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 29 Jun 2022 16:00:21 +0200
Subject: [PATCH 0527/1450] Delete unused KeyRingValidator class

---
 .../org/pgpainless/key/KeyRingValidator.java  | 146 --------
 .../pgpainless/key/KeyRingValidatorTest.java  | 324 ------------------
 .../signature/KeyRingValidationTest.java      | 125 -------
 3 files changed, 595 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java b/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
deleted file mode 100644
index c3355ff8..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/key/KeyRingValidator.java
+++ /dev/null
@@ -1,146 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.key;
-
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPKeyRing;
-import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
-import org.pgpainless.algorithm.SignatureType;
-import org.pgpainless.exception.SignatureValidationException;
-import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.policy.Policy;
-import org.pgpainless.signature.consumer.SignatureCreationDateComparator;
-import org.pgpainless.signature.consumer.SignatureVerifier;
-import org.pgpainless.util.CollectionUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public final class KeyRingValidator {
-
-    private KeyRingValidator() {
-
-    }
-
-    private static final Logger LOGGER = LoggerFactory.getLogger(KeyRingValidator.class);
-
-    public static  R validate(R keyRing, Policy policy) {
-        try {
-            return validate(keyRing, policy, new Date());
-        } catch (PGPException e) {
-            return null;
-        }
-    }
-
-    public static  R validate(R keyRing, Policy policy, Date validationDate) throws PGPException {
-        return getKeyRingAtDate(keyRing, policy, validationDate);
-    }
-
-    private static  R getKeyRingAtDate(R keyRing, Policy policy, Date validationDate) throws PGPException {
-        PGPPublicKey primaryKey = keyRing.getPublicKey();
-        primaryKey = evaluatePrimaryKey(primaryKey, policy, validationDate);
-        if (keyRing instanceof PGPPublicKeyRing) {
-            PGPPublicKeyRing publicKeys = (PGPPublicKeyRing) keyRing;
-            publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, primaryKey);
-            keyRing = (R) publicKeys;
-        }
-
-        return keyRing;
-    }
-
-    private static PGPPublicKey evaluatePrimaryKey(PGPPublicKey primaryKey, Policy policy, Date validationDate) throws PGPException {
-
-        PGPPublicKey blank = new PGPPublicKey(primaryKey.getPublicKeyPacket(), ImplementationFactory.getInstance().getKeyFingerprintCalculator());
-
-        Iterator directKeyIterator = primaryKey.getSignaturesOfType(SignatureType.DIRECT_KEY.getCode());
-        List directKeyCertifications = CollectionUtils.iteratorToList(directKeyIterator);
-        Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
-        for (PGPSignature signature : directKeyCertifications) {
-            try {
-                if (SignatureVerifier.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
-                    blank = PGPPublicKey.addCertification(blank, signature);
-                }
-            } catch (SignatureValidationException e) {
-                LOGGER.debug("Rejecting direct key signature: {}", e.getMessage(), e);
-            }
-        }
-
-        Iterator revocationIterator = primaryKey.getSignaturesOfType(SignatureType.KEY_REVOCATION.getCode());
-        List directKeyRevocations = CollectionUtils.iteratorToList(revocationIterator);
-        Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
-        for (PGPSignature signature : directKeyRevocations) {
-            try {
-                if (SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
-                    blank = PGPPublicKey.addCertification(blank, signature);
-                }
-            } catch (SignatureValidationException e) {
-                LOGGER.debug("Rejecting key revocation signature: {}", e.getMessage(), e);
-            }
-        }
-
-        Iterator userIdIterator = primaryKey.getUserIDs();
-        while (userIdIterator.hasNext()) {
-            String userId = userIdIterator.next();
-            Iterator userIdSigs = primaryKey.getSignaturesForID(userId);
-            List signatures = CollectionUtils.iteratorToList(userIdSigs);
-            Collections.sort(signatures, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
-            for (PGPSignature signature : signatures) {
-                if (signature.getKeyID() != primaryKey.getKeyID()) {
-                    // Signature was not made by primary key
-                    continue;
-                }
-                try {
-                    if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
-                        if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
-                            blank = PGPPublicKey.addCertification(blank, userId, signature);
-                        }
-                    } else {
-                        if (SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
-                            blank = PGPPublicKey.addCertification(blank, userId, signature);
-                        }
-                    }
-                } catch (SignatureValidationException e) {
-                    LOGGER.debug("Rejecting user-id certification for user-id {}: {}", userId, e.getMessage(), e);
-                }
-            }
-        }
-
-        Iterator userAttributes = primaryKey.getUserAttributes();
-        while (userAttributes.hasNext()) {
-            PGPUserAttributeSubpacketVector userAttribute = userAttributes.next();
-            Iterator userAttributeSignatureIterator = primaryKey.getSignaturesForUserAttribute(userAttribute);
-            while (userAttributeSignatureIterator.hasNext()) {
-                PGPSignature signature = userAttributeSignatureIterator.next();
-                if (signature.getKeyID() != primaryKey.getKeyID()) {
-                    // Signature was not made by primary key
-                    continue;
-                }
-                try {
-                    if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
-                        if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
-                            blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
-                        }
-                    } else {
-                        if (SignatureVerifier.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
-                            blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
-                        }
-                    }
-                } catch (SignatureValidationException e) {
-                    LOGGER.debug("Rejecting user-attribute signature: {}", e.getMessage(), e);
-                }
-            }
-        }
-
-        return blank;
-    }
-
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
deleted file mode 100644
index 7d5c0520..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/key/KeyRingValidatorTest.java
+++ /dev/null
@@ -1,324 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.key;
-
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.Random;
-
-import org.bouncycastle.bcpg.attr.ImageAttribute;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPrivateKey;
-import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureGenerator;
-import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
-import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.HashAlgorithm;
-import org.pgpainless.algorithm.SignatureType;
-import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.key.protection.UnlockSecretKey;
-import org.pgpainless.util.ArmorUtils;
-import org.pgpainless.util.CollectionUtils;
-import org.pgpainless.util.DateUtil;
-
-public class KeyRingValidatorTest {
-
-    @Test
-    public void testRevokedSubkey() throws IOException {
-        String key = "-----BEGIN PGP ARMORED FILE-----\n" +
-                "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" +
-                "\n" +
-                "xsBNBFpJegABCAC1ePFquP0135m8DYhcybhv7l+ecojitFOd/jRM7hCczIqKgalD\n" +
-                "1Ro1gNr3VmH6FjRIKIvGT+sOzCKne1v3KyAAPoxtwxjkATTKdOGo15I6v5ZjmO1d\n" +
-                "rLQOLSt1TF7XbQSt+ns6PUZWJL907DvECUU5b9FkNUqfQ14QqY+gi7MOyAQez3b7\n" +
-                "Pg5Cyz/kVWQ6TSMW/myDEDEertQ4rDBsptEDFHCC2+iF4hO2LqfiCriu5qyLcKCQ\n" +
-                "pd6dEuwJQ/jjT0D9A9Fwf+i04x6ZPKSU9oNAWqn8OSAq3/0B/hu9V+0U0iHPnJxe\n" +
-                "quykvJk7maxhiGhxBWYXTvDJmoon0NOles7LABEBAAHCwHwEHwEKAA8Fgl4L4QAC\n" +
-                "FQoCmwMCHgEAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOPu8ffB/9Q\n" +
-                "60dg60qhA2rPnd/1dCL2B+c8RWnq44PpijE3gA1RQvcRQE5jNzMSo/MnG0mSL5wH\n" +
-                "eTsjSd/DRI3nHP06rs6Qub11NoKhNuya3maz9gyzeZMc/jNib83/BzFCrxsSQm+9\n" +
-                "WHurxXeWXOPMLZs3xS/jG0EDtCJ2Fm4UF19fcIydwN/ssF4NGpfCY82+wTSx4joI\n" +
-                "3cRKObCFJaaBgG5nl+eFr7cfjEIuqCJCaQsXiqBe7d6V3KqN18t+CgSaybMZXcys\n" +
-                "Q/USxEkLhIB2pOZwcz4E3TTFgxRAxcr4cs4Bd2PRz3Z5FKTzo0ma/Ft0UfFJR+fC\n" +
-                "cs55+n6kC9K0y/E7BY2hwsB8BB8BCgAPBYJaSXoAAhUKApsDAh4BACEJEGhPrWLc\n" +
-                "A4+7FiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7uqDQf7BqTD6GNTwXPOt/0kHQPYmbdI\n" +
-                "tX+pWP+o3jaB6VTHDXcn27bttA5M82EXZfae4+bC1dMB+1uLal4ciVgO9ImJC9Nw\n" +
-                "s5fc3JH4R5uuSvpjzjudkJsGu3cAKE3hwiT93Mi6t6ENpLCDSxqxzAmfoOQbVJYW\n" +
-                "Y7gP7Z4Cj0IAP29aprEc0JWoMjHKpKgYF6u0sWgHWBuEXk/6o6GYb2HZYK4ycpY2\n" +
-                "WXKgVhy7/iQDYO1FOfcWQXHVGLn8OzILjobKohNenTT20ZhAASi3LUDSDMTQfxSS\n" +
-                "Vt0nhzWuXJJ4R8PzUVeRJ0A0oMyjZVHivHC6GwMsiQuSUTx8e/GnOByOqfGne80S\n" +
-                "anVsaWV0QGV4YW1wbGUub3JnwsBzBBMBCgAGBYJaSXoAACEJEGhPrWLcA4+7FiEE\n" +
-                "8tFQpP6Ykl1R6RU5aE+tYtwDj7tDfQf+PnxsIFu/0juKBUjjtAYfRzkrrYtMepPj\n" +
-                "taTvGfo1SzUkX/6F/GjdSeVg5Iq6YcBrj8c+cB3EoZpHnScTgWQHwceWQLd9Hhbg\n" +
-                "TrUNvW1eg2CVzN0RBuYMtWu9JM4pH7ssJW1NmN+/N9B67qb2y+JfBwH/la508NzC\n" +
-                "rl3xWTxjT5wNy+FGkNZg23s/0qlO2uxCjc+mRAuAlp5EmTOVWOIBbM0xttjBOx39\n" +
-                "ZmWWQKJZ0nrFjK1jppHqazwWWNX7RHkK81tlbSUtOPoTIJDz38NaiyMcZH3p9okN\n" +
-                "3DU4XtF+oE18M+Z/E0xUQmumbkajFzcUjmd7enozP5BnGESzdNS5Xc7ATQRaSsuA\n" +
-                "AQgAykb8tqlWXtqHGGkBqAq3EnpmvBqrKvqejjtZKAXqEszJ9NlibCGUuLwnNOVO\n" +
-                "R/hcOUlOGH+cyMcApBWJB+7d/83K1eCCdv88nDFVav7hKLKlEBbZJNHgHpJ313pl\n" +
-                "etzCR4x3STEISrEtO71l2HBdrKSYXaxGgILxYwcSi3i2EjzxRDy+0zyy8s7d+OD5\n" +
-                "ShFYexgSrKH3Xx1cxQAJzGGJVx75HHU9GVh3xHwJ7nDm26KzHegG2XPIBXJ2z8vm\n" +
-                "sSVTWyj0AjT4kVVapN0f84AKKjyQ7fguCzXGHFV9jmxDx+YH+9HhjIrHSzbDx6+4\n" +
-                "wyRsxj7Su+hu/bogJ28nnbTzQwARAQABwsCTBCgBCgAmBYJcKq2AHx3IVW5rbm93\n" +
-                "biByZXZvY2F0aW9uIHJlYXNvbiAyMDAAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHp\n" +
-                "FTloT61i3AOPu6RDCACgqNPoLWPsjWDyZxvF8MyYTB3JivI7RVf8W6mNJTxMDD69\n" +
-                "iWwiC0F6R8M3ljk8vc85C6tQ8iWPVT6cGHhFgQn14a1MYpgyVTTdwjbqvjxmPeyS\n" +
-                "We31yZGz54dAsONnrWScO4ZdKVTtKhu115KELiPmguoN/JwG+OIbgvKvzQX+8D4M\n" +
-                "Gl823A6Ua8/zJm/TAOQolo6X9Sqr9bO1v/z3ecuYkuNeGhQOC3/VQ0TH2xRbmykD\n" +
-                "5XbgffPi0sjg2ZRrDikg/W+40gxW+oHxQ6ZIaIn/OFooj7xooH+jn++f8W8faEk5\n" +
-                "pLOoCwsX0SucDbGvt85D1DhOUD9H0CEkaZbO+113wsGsBBgBCgAJBYJeC+EAApsC\n" +
-                "AVcJEGhPrWLcA4+7wHSgBBkBCgAGBYJeC+EAACEJEEpyNKOhITplFiEEUXksDkji\n" +
-                "/alOk7kRSnI0o6EhOmWnSQgAiu/zdEmHf6Wbwfbs/c6FObfPxGuzLkQr4fZKcqK8\n" +
-                "1MtR1mh1WVLJRgXW4u8cHtZyH5pThngMcUiyzWsa0g6Jaz8w6sr/Wv3e1qdTCITs\n" +
-                "kMrWCDaoDhD2teAjmWuk9u8ZBPJ7xhme+Q/UQ90xomQ/NdCJafirk2Ds92p7N7RK\n" +
-                "SES1KywBhfONJbPw1TdZ9Mts+DGjkucYbe+ZzPxrLpWXur1BSGEqBtTAGW3dS/xp\n" +
-                "wBYNlhasXHjYMr4HeIYYYOx+oR5JgDYoVfp2k0DwK/QXogbja+/Vjv+LrXdNY0t1\n" +
-                "bA35FNnl637M8iCNrXvIoRFARbNyge8c/jSWGPLB/tIyNhYhBPLRUKT+mJJdUekV\n" +
-                "OWhPrWLcA4+7FLwIAK1GngNMnruxWM4EoghKTSmKNrd6p/d3Wsd+y2019A7Nz+4O\n" +
-                "ydkEDvmNVVhlUcfgOf2L6Bf63wdN0ho+ODhCuNSqHe6NL1NhdITbMGnDdKb57IIB\n" +
-                "9CuJFpILn9LZ1Ei6JPEpmpiSEaL+VJt1fMnfc8jtF8N3WcRVfJsq1aslXe8Npg70\n" +
-                "9YVgm2OXsNWgktl9fciu4ENTybQGjpN9WTa1aU1nkko6NUoIfjtM+PO4VU7x00M+\n" +
-                "dTJsYGhnc96EtT8EfSAIFBKZRAkMBFhEcdkxa8hCKI3+nyI3gTq0TcFST3wy05Am\n" +
-                "oV7wlgzUAMsW7MV2NpG7fJul2Q7puKw+udBUc0TCwawEGAEKAAkFglro/4ACmwIB\n" +
-                "VwkQaE+tYtwDj7vAdKAEGQEKAAYFglro/4AAIQkQSnI0o6EhOmUWIQRReSwOSOL9\n" +
-                "qU6TuRFKcjSjoSE6ZeFHB/92jhUTXrEgho6DYhmVFuXa3NGhAjIyZo3yYHMoL9aZ\n" +
-                "3DUyjxhAyRDpI2CrahQ4JsPhej2m+3fHWa34/tb5mpHYFWEahQvdWSFCcU7p2NUK\n" +
-                "cq2zNA6ixO2+fQQhmbrYR+TFxYmhLjCGUNt14E/XaIL1VxPQOA5KbiRPpa8BsUNl\n" +
-                "Nik9ASPWyn0ZA0rjJ1ZV7nJarXVbuZDEcUDuDm3cA5tup7juB8fTz2BDcg3Ka+Oc\n" +
-                "PEz0GgZfq9K40di3r9IHLBhNPHieFVIj9j/JyMnTvVOceM3J/Rb0MCWJVbXNBKpR\n" +
-                "MDibCQh+7fbqyQEM/zIpmk0TgBpTZZqMP0gxYdWImT1IFiEE8tFQpP6Ykl1R6RU5\n" +
-                "aE+tYtwDj7tOtggAhgAqvOB142L2SkS3ZIdwuhAtWLPHCtEwBOqGtP8Z204rqAmb\n" +
-                "nJymzo77+OT+SScnDTrwzOUJnCi0qPUxfuxhvHxnBxBIjaoMcF++iKsqF1vf6WuX\n" +
-                "OjbJ1N8I08pB2niht5MxIZ9rMGDeASj79X7I9Jjzsd30OVGfTZyy3VyYPxcJ6n/s\n" +
-                "ZocNmaTv0/F8K3TirSH6JDXdY5zirRi99GJ3R+AL6OzxrChuvLFSEtIRJrW5XVfg\n" +
-                "3whc0XD+5J9RsHoL33ub9ZhQHFKsjrf0nGYbEFwMhSdysfTYYMbwKi0CcQeQtPP0\n" +
-                "Y87zSryajDMFXQS0exdvhN4AXDlPlB3Rrkj7CQ==\n" +
-                "=yTKS\n" +
-                "-----END PGP ARMORED FILE-----\n";
-
-        PGPPublicKeyRing keyRing = PGPainless.readKeyRing().publicKeyRing(key);
-        PGPPublicKeyRing validated = KeyRingValidator.validate(keyRing, PGPainless.getPolicy());
-
-        Iterator keys = validated.getPublicKeys();
-        assertFalse(keys.next().hasRevocation());
-        assertTrue(keys.next().hasRevocation());
-    }
-
-    @Test
-    public void badSignatureTest() throws IOException {
-        String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-                "\n" +
-                "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
-                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
-                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
-                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
-                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
-                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
-                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
-                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
-                "vLIwa3T4CyshfT0AEQEAAc0hQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" +
-                "bGU+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" +
-                "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" +
-                "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" +
-                "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" +
-                "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" +
-                "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" +
-                "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" +
-                "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" +
-                "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" +
-                "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGzsDNBF2lnPIBDADW\n" +
-                "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" +
-                "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" +
-                "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" +
-                "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" +
-                "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" +
-                "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" +
-                "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" +
-                "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" +
-                "EQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" +
-                "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" +
-                "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" +
-                "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" +
-                "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" +
-                "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" +
-                "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" +
-                "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" +
-                "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" +
-                "NEJd3XZRzaXZE2aAMcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJd\n" +
-                "pZzyAhsMAAoJEPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQM\n" +
-                "w7+41IL4rVcSKhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUr\n" +
-                "dVaZQanYmtSxcVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMV\n" +
-                "V9zpf3u0k14itcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZ\n" +
-                "gbYn3OWjCPHVdTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8\n" +
-                "/5VK2b0vk/+wqMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8\n" +
-                "AyFAExaEK6VyjP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUC\n" +
-                "BqWif9RSK4xjzRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4u\n" +
-                "bVrj5KjhX2PVNEJd3XZRzaXZE2Z/MQ==\n" +
-                "=6+l9\n" +
-                "-----END PGP PUBLIC KEY BLOCK-----\n";
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
-        PGPPublicKeyRing validated = KeyRingValidator.validate(publicKeys, PGPainless.getPolicy());
-        // CHECKSTYLE:OFF
-        System.out.println(ArmorUtils.toAsciiArmoredString(validated));
-        // CHECKSTYLE:ON
-    }
-
-    @Test
-    public void unboundSubkey() throws IOException {
-        String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-                "\n" +
-                "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
-                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
-                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
-                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
-                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
-                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
-                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
-                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
-                "vLIwa3T4CyshfT0AEQEAAc0hQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" +
-                "bGU+wsEOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" +
-                "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" +
-                "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" +
-                "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" +
-                "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" +
-                "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" +
-                "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" +
-                "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" +
-                "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" +
-                "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGzsDNBF2lnPIBDADW\n" +
-                "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" +
-                "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" +
-                "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" +
-                "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" +
-                "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" +
-                "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" +
-                "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" +
-                "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" +
-                "EQEAAcLA9gQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" +
-                "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" +
-                "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" +
-                "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" +
-                "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" +
-                "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" +
-                "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" +
-                "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" +
-                "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" +
-                "NEJd3XZRzaXZE2aAMc7ATQRgSLpPAQgAx2jWKrOk6fGy2/KJGTs6vAN8c+fg+PgH\n" +
-                "6xDkasqmGllG0xPVOTML+Ge3i025IezFp1BNApPLWVksFRnbTF/Aiwbpeax7mub0\n" +
-                "PdFo4LeNxfUZhl/83+aZKYvT/j9AB7rjILhu+wqZmLY9UAkdvIO0SfEUIFf0mL5c\n" +
-                "9UJm47IOpY0EPc8l7B5DkXpkA63BKGyMPle6XZV3r/VIltnMnQezY1TErjeEnFrE\n" +
-                "KYxqMgDhPIEaBSK8tqf3POwY2mP42K8+yke/St9+FvLIAKOj2KpVp/0pxcNBBoHA\n" +
-                "9oo0W4CQP6S0hQkFZy9iZ1/NIpU+YLy8miBpdTMYm4CZLz5mrT2mpwARAQAB\n" +
-                "=T4QR\n" +
-                "-----END PGP PUBLIC KEY BLOCK-----\n";
-
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
-        PGPPublicKey unbound = CollectionUtils.iteratorToList(publicKeys.getPublicKeys()).get(2);
-        assertNotNull(unbound);
-
-        Date validationDate = DateUtil.parseUTCDate("2019-10-15 10:18:26 UTC");
-        KeyRingInfo info = new KeyRingInfo(publicKeys, validationDate);
-        for (PGPPublicKey publicKey : publicKeys) {
-            if (publicKey != unbound) {
-                assertTrue(info.isKeyValidlyBound(publicKey.getKeyID()));
-            } else {
-                assertFalse(info.isKeyValidlyBound(publicKey.getKeyID()));
-            }
-        }
-    }
-
-    @Test
-    public void expired() throws IOException {
-        String key = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-                "\n" +
-                "xsDNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
-                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
-                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
-                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
-                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
-                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
-                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
-                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
-                "vLIwa3T4CyshfT0AEQEAAc0hQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" +
-                "bGU+wsFcBBMBCgCQBYJgSLnzBYkCH0c9BQsJCAcCCRD7/MgqAV5zMEcUAAAAAAAe\n" +
-                "ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcwVhGjJD1hkSHawAIfkCGs\n" +
-                "HrkFeok37qxAtN/xGj08tAYVCgkICwIEFgIDAQIXgAIbAwIeARYhBNGmbhojsYLJ\n" +
-                "mA94jPv8yCoBXnMwAABJmgwAh3SdjziuXu5K4slejN57yezIZBG92CCEfqdoFOE/\n" +
-                "LShjMkZbRZEjOADmwTUevAVNRzBtU6SesOE3lL+sHsdmwcQACEbQXvT6AaDQnkyT\n" +
-                "N/Kse4reDLA+Cwdvy+dKdIF5g1IKzLc5gSSHHlGi0dc4kTQYXicXl4rw6y4fgfx8\n" +
-                "6wWf9ujUexjI35X1A3+yGVkB12lDC4XxcIuQjd2PnxsrRIk8ty32qtv+4Ww3YrvA\n" +
-                "wsY7ft9YkMRs7kJ7joVuCWbzje/mpYOSc7t3TCx0VgkRtcXewyGQ22977Vkdk+gi\n" +
-                "zmw/f/fV+s1fPzhLYonlmiWwU7COF9dDkuEh2NOkAcuZxVZ/QjMZ449M8kBgCLcD\n" +
-                "JGrEzIseP9vW8EHRNGxOZx/0Bo0HPMSlUesOugsoIVXBop/ixtd1eD5ijQt6HhvW\n" +
-                "CgASMtfpA4DT9boeGRYXH4vySDqoHPVkKDKYqDHZ526Z98M1a/76njOLVgioIOL/\n" +
-                "gND3vo4iOAfwfoQIvi8b/B0fzsDNBF2lnPIBDADWML9cbGMrp12CtF9b2P6z9TTT\n" +
-                "74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvIDEINOQ6A9QxdxoqWdCHrOuW3\n" +
-                "ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+Uzula/6k1DogDf28qhCxMwG/\n" +
-                "i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AObaifV7wIhEJnvqgFXDN2RXGj\n" +
-                "LeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT86Rafp1qKlgPNbiIlC1g9RY/\n" +
-                "iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh827KVZW4lXvqsge+wtnWlszc\n" +
-                "selGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6vdRBUnkCaEkOtl1mr2JpQi5n\n" +
-                "TU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76UqVC7KidNepdHbZjjXCt8/Zo+\n" +
-                "Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48AEQEAAcLA9gQYAQoAIBYhBNGm\n" +
-                "bhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJEPv8yCoBXnMw6f8L/26C34dk\n" +
-                "jBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcSKhIhk/3Ud5knaRtP2ef1+5F6\n" +
-                "6h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSxcVV2PL9+QEiNN3tzluhaWO//\n" +
-                "rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14itcv6alKY8+rLZvO1wIIeRZLm\n" +
-                "U0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHVdTrdZ2CqnZbG3SXw6awH9bzR\n" +
-                "LV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+wqMJxfpa1lHvJLobzOP9fvrsw\n" +
-                "sr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6VyjP7SXGLwvfisw34OxuZr3qmx\n" +
-                "1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xjzRTe56iPeiSJJOIciMP9i2ld\n" +
-                "I+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PVNEJd3XZRzaXZE2aAMQ==\n" +
-                "=LxAY\n" +
-                "-----END PGP PUBLIC KEY BLOCK-----\n";
-
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
-        PGPPublicKeyRing validated = KeyRingValidator.validate(publicKeys, PGPainless.getPolicy());
-    }
-
-    @Test
-    public void testKeyWithUserAttributes() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("Alice ");
-        PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys);
-        PGPPublicKey publicKey = secretKeys.getPublicKey();
-        PGPSecretKey secretKey = secretKeys.getSecretKey();
-        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, SecretKeyRingProtector.unprotectedKeys());
-
-        PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(
-                ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKey.getAlgorithm(), HashAlgorithm.SHA512.getAlgorithmId())
-        );
-
-        signatureGenerator.init(SignatureType.CASUAL_CERTIFICATION.getCode(), privateKey);
-        PGPUserAttributeSubpacketVectorGenerator userAttrGen = new PGPUserAttributeSubpacketVectorGenerator();
-        byte[] image = new byte[100];
-        new Random().nextBytes(image);
-        userAttrGen.setImageAttribute(ImageAttribute.JPEG, image);
-        PGPUserAttributeSubpacketVector userAttr = userAttrGen.generate();
-
-        PGPSignature certification = signatureGenerator.generateCertification(userAttr, publicKey);
-        publicKey = PGPPublicKey.addCertification(publicKey, userAttr, certification);
-        publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey);
-        secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys);
-
-        secretKeys = KeyRingValidator.validate(secretKeys, PGPainless.getPolicy());
-        assertTrue(secretKeys.getPublicKey().getUserAttributes().hasNext());
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java
deleted file mode 100644
index 0352abba..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/KeyRingValidationTest.java
+++ /dev/null
@@ -1,125 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.signature;
-
-import java.io.IOException;
-import java.util.Collections;
-import java.util.Date;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.HashAlgorithm;
-import org.pgpainless.key.KeyRingValidator;
-import org.pgpainless.policy.Policy;
-import org.pgpainless.util.ArmorUtils;
-import org.pgpainless.util.DateUtil;
-
-public class KeyRingValidationTest {
-
-    private static Policy.HashAlgorithmPolicy defaultSignatureHashAlgorithmPolicy;
-
-    @BeforeAll
-    public static void setCustomPolicy() {
-        Policy policy = PGPainless.getPolicy();
-        defaultSignatureHashAlgorithmPolicy = policy.getSignatureHashAlgorithmPolicy();
-
-        policy.setSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA256, Collections.singletonList(HashAlgorithm.SHA256)));
-    }
-
-    @AfterAll
-    public static void resetCustomPolicy() {
-        PGPainless.getPolicy().setSignatureHashAlgorithmPolicy(defaultSignatureHashAlgorithmPolicy);
-    }
-
-    @Test
-    public void testSignatureValidationOnPrimaryKey() throws IOException, PGPException {
-        String key = "-----BEGIN PGP ARMORED FILE-----\n" +
-                "Comment: ASCII Armor added by openpgp-interoperability-test-suite\n" +
-                "\n" +
-                "xsBNBFpJegABCAC1ePFquP0135m8DYhcybhv7l+ecojitFOd/jRM7hCczIqKgalD\n" +
-                "1Ro1gNr3VmH6FjRIKIvGT+sOzCKne1v3KyAAPoxtwxjkATTKdOGo15I6v5ZjmO1d\n" +
-                "rLQOLSt1TF7XbQSt+ns6PUZWJL907DvECUU5b9FkNUqfQ14QqY+gi7MOyAQez3b7\n" +
-                "Pg5Cyz/kVWQ6TSMW/myDEDEertQ4rDBsptEDFHCC2+iF4hO2LqfiCriu5qyLcKCQ\n" +
-                "pd6dEuwJQ/jjT0D9A9Fwf+i04x6ZPKSU9oNAWqn8OSAq3/0B/hu9V+0U0iHPnJxe\n" +
-                "quykvJk7maxhiGhxBWYXTvDJmoon0NOles7LABEBAAHCwIcEIAEKABoFglwqrYAT\n" +
-                "HQFLZXkgaXMgc3VwZXJzZWRlZAAhCRBoT61i3AOPuxYhBPLRUKT+mJJdUekVOWhP\n" +
-                "rWLcA4+76+wH/1NmN/Qma5FTxmSWEcfH2ynKhwejKp8p8O7+y/uq1FlUwRzChzeX\n" +
-                "kd9w099uODMasxGaNSJU1mh5N+1oulyHrSyWFRWqDnQUnDx3IiPapK/j85udkJdo\n" +
-                "WfdTcxaS2C9Yo4S77cPwkbFLmEQ2Ovs5zjj0Q+mfoZNM+KJcsnOoJ+eeOE2GNA3x\n" +
-                "5TWvw0QXBfyW74MZHc0UE82ixcG6g4KbrI6W544EixY5vu3IxVsxiL66zy27A8ha\n" +
-                "EDdBWS8kc8UQ2cRveuqZwRsWcrh/2iHHShY/5zBOdQ1PL++ubwkteNSU9SsXjjDM\n" +
-                "oWm1RGy7/bagPPtqBnRMQ20vvW+3oBYxyd7CwHwEHwEKAA8Fgl4L4QACFQoCmwMC\n" +
-                "HgEAIQkQaE+tYtwDj7sWIQTy0VCk/piSXVHpFTloT61i3AOPu8ffB/9Q60dg60qh\n" +
-                "A2rPnd/1dCL2B+c8RWnq44PpijE3gA1RQvcRQE5jNzMSo/MnG0mSL5wHeTsjSd/D\n" +
-                "RI3nHP06rs6Qub11NoKhNuya3maz9gyzeZMc/jNib83/BzFCrxsSQm+9WHurxXeW\n" +
-                "XOPMLZs3xS/jG0EDtCJ2Fm4UF19fcIydwN/ssF4NGpfCY82+wTSx4joI3cRKObCF\n" +
-                "JaaBgG5nl+eFr7cfjEIuqCJCaQsXiqBe7d6V3KqN18t+CgSaybMZXcysQ/USxEkL\n" +
-                "hIB2pOZwcz4E3TTFgxRAxcr4cs4Bd2PRz3Z5FKTzo0ma/Ft0UfFJR+fCcs55+n6k\n" +
-                "C9K0y/E7BY2hwsB8BB8BCgAPBYJaSXoAAhUKApsDAh4BACEJEGhPrWLcA4+7FiEE\n" +
-                "8tFQpP6Ykl1R6RU5aE+tYtwDj7uqDQf7BqTD6GNTwXPOt/0kHQPYmbdItX+pWP+o\n" +
-                "3jaB6VTHDXcn27bttA5M82EXZfae4+bC1dMB+1uLal4ciVgO9ImJC9Nws5fc3JH4\n" +
-                "R5uuSvpjzjudkJsGu3cAKE3hwiT93Mi6t6ENpLCDSxqxzAmfoOQbVJYWY7gP7Z4C\n" +
-                "j0IAP29aprEc0JWoMjHKpKgYF6u0sWgHWBuEXk/6o6GYb2HZYK4ycpY2WXKgVhy7\n" +
-                "/iQDYO1FOfcWQXHVGLn8OzILjobKohNenTT20ZhAASi3LUDSDMTQfxSSVt0nhzWu\n" +
-                "XJJ4R8PzUVeRJ0A0oMyjZVHivHC6GwMsiQuSUTx8e/GnOByOqfGne80SanVsaWV0\n" +
-                "QGV4YW1wbGUub3JnwsBzBBMBCgAGBYJaSXoAACEJEGhPrWLcA4+7FiEE8tFQpP6Y\n" +
-                "kl1R6RU5aE+tYtwDj7tDfQf+PnxsIFu/0juKBUjjtAYfRzkrrYtMepPjtaTvGfo1\n" +
-                "SzUkX/6F/GjdSeVg5Iq6YcBrj8c+cB3EoZpHnScTgWQHwceWQLd9HhbgTrUNvW1e\n" +
-                "g2CVzN0RBuYMtWu9JM4pH7ssJW1NmN+/N9B67qb2y+JfBwH/la508NzCrl3xWTxj\n" +
-                "T5wNy+FGkNZg23s/0qlO2uxCjc+mRAuAlp5EmTOVWOIBbM0xttjBOx39ZmWWQKJZ\n" +
-                "0nrFjK1jppHqazwWWNX7RHkK81tlbSUtOPoTIJDz38NaiyMcZH3p9okN3DU4XtF+\n" +
-                "oE18M+Z/E0xUQmumbkajFzcUjmd7enozP5BnGESzdNS5Xc7ATQRaSsuAAQgAykb8\n" +
-                "tqlWXtqHGGkBqAq3EnpmvBqrKvqejjtZKAXqEszJ9NlibCGUuLwnNOVOR/hcOUlO\n" +
-                "GH+cyMcApBWJB+7d/83K1eCCdv88nDFVav7hKLKlEBbZJNHgHpJ313pletzCR4x3\n" +
-                "STEISrEtO71l2HBdrKSYXaxGgILxYwcSi3i2EjzxRDy+0zyy8s7d+OD5ShFYexgS\n" +
-                "rKH3Xx1cxQAJzGGJVx75HHU9GVh3xHwJ7nDm26KzHegG2XPIBXJ2z8vmsSVTWyj0\n" +
-                "AjT4kVVapN0f84AKKjyQ7fguCzXGHFV9jmxDx+YH+9HhjIrHSzbDx6+4wyRsxj7S\n" +
-                "u+hu/bogJ28nnbTzQwARAQABwsGsBBgBCgAJBYJeC+EAApsCAVcJEGhPrWLcA4+7\n" +
-                "wHSgBBkBCgAGBYJeC+EAACEJEEpyNKOhITplFiEEUXksDkji/alOk7kRSnI0o6Eh\n" +
-                "OmWnSQgAiu/zdEmHf6Wbwfbs/c6FObfPxGuzLkQr4fZKcqK81MtR1mh1WVLJRgXW\n" +
-                "4u8cHtZyH5pThngMcUiyzWsa0g6Jaz8w6sr/Wv3e1qdTCITskMrWCDaoDhD2teAj\n" +
-                "mWuk9u8ZBPJ7xhme+Q/UQ90xomQ/NdCJafirk2Ds92p7N7RKSES1KywBhfONJbPw\n" +
-                "1TdZ9Mts+DGjkucYbe+ZzPxrLpWXur1BSGEqBtTAGW3dS/xpwBYNlhasXHjYMr4H\n" +
-                "eIYYYOx+oR5JgDYoVfp2k0DwK/QXogbja+/Vjv+LrXdNY0t1bA35FNnl637M8iCN\n" +
-                "rXvIoRFARbNyge8c/jSWGPLB/tIyNhYhBPLRUKT+mJJdUekVOWhPrWLcA4+7FLwI\n" +
-                "AK1GngNMnruxWM4EoghKTSmKNrd6p/d3Wsd+y2019A7Nz+4OydkEDvmNVVhlUcfg\n" +
-                "Of2L6Bf63wdN0ho+ODhCuNSqHe6NL1NhdITbMGnDdKb57IIB9CuJFpILn9LZ1Ei6\n" +
-                "JPEpmpiSEaL+VJt1fMnfc8jtF8N3WcRVfJsq1aslXe8Npg709YVgm2OXsNWgktl9\n" +
-                "fciu4ENTybQGjpN9WTa1aU1nkko6NUoIfjtM+PO4VU7x00M+dTJsYGhnc96EtT8E\n" +
-                "fSAIFBKZRAkMBFhEcdkxa8hCKI3+nyI3gTq0TcFST3wy05AmoV7wlgzUAMsW7MV2\n" +
-                "NpG7fJul2Q7puKw+udBUc0TCwawEGAEKAAkFglro/4ACmwIBVwkQaE+tYtwDj7vA\n" +
-                "dKAEGQEKAAYFglro/4AAIQkQSnI0o6EhOmUWIQRReSwOSOL9qU6TuRFKcjSjoSE6\n" +
-                "ZeFHB/92jhUTXrEgho6DYhmVFuXa3NGhAjIyZo3yYHMoL9aZ3DUyjxhAyRDpI2Cr\n" +
-                "ahQ4JsPhej2m+3fHWa34/tb5mpHYFWEahQvdWSFCcU7p2NUKcq2zNA6ixO2+fQQh\n" +
-                "mbrYR+TFxYmhLjCGUNt14E/XaIL1VxPQOA5KbiRPpa8BsUNlNik9ASPWyn0ZA0rj\n" +
-                "J1ZV7nJarXVbuZDEcUDuDm3cA5tup7juB8fTz2BDcg3Ka+OcPEz0GgZfq9K40di3\n" +
-                "r9IHLBhNPHieFVIj9j/JyMnTvVOceM3J/Rb0MCWJVbXNBKpRMDibCQh+7fbqyQEM\n" +
-                "/zIpmk0TgBpTZZqMP0gxYdWImT1IFiEE8tFQpP6Ykl1R6RU5aE+tYtwDj7tOtggA\n" +
-                "hgAqvOB142L2SkS3ZIdwuhAtWLPHCtEwBOqGtP8Z204rqAmbnJymzo77+OT+SScn\n" +
-                "DTrwzOUJnCi0qPUxfuxhvHxnBxBIjaoMcF++iKsqF1vf6WuXOjbJ1N8I08pB2nih\n" +
-                "t5MxIZ9rMGDeASj79X7I9Jjzsd30OVGfTZyy3VyYPxcJ6n/sZocNmaTv0/F8K3Ti\n" +
-                "rSH6JDXdY5zirRi99GJ3R+AL6OzxrChuvLFSEtIRJrW5XVfg3whc0XD+5J9RsHoL\n" +
-                "33ub9ZhQHFKsjrf0nGYbEFwMhSdysfTYYMbwKi0CcQeQtPP0Y87zSryajDMFXQS0\n" +
-                "exdvhN4AXDlPlB3Rrkj7CQ==\n" +
-                "=qQpG\n" +
-                "-----END PGP ARMORED FILE-----\n";
-
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(key);
-
-        Date validationDate = DateUtil.parseUTCDate("2019-05-01 00:00:00 UTC");
-        Policy policy = PGPainless.getPolicy();
-        PGPPublicKeyRing evaluated = KeyRingValidator.validate(publicKeys, policy, validationDate);
-
-        // CHECKSTYLE:OFF
-        System.out.println(ArmorUtils.toAsciiArmoredString(evaluated));
-        // CHECKSTYLE:ON
-
-
-    }
-}

From a99ce159692e7445eda6d76d0f63dff4c5f62643 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 30 Jun 2022 13:11:27 +0200
Subject: [PATCH 0528/1450] Forward userIdOnCertificate() method call

---
 .../org/pgpainless/key/certification/CertifyCertificate.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index a4f37b66..05e64879 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -50,7 +50,7 @@ public class CertifyCertificate {
      */
     public CertificationOnUserId userIdOnCertificate(@Nonnull String userId,
                                                      @Nonnull PGPPublicKeyRing certificate) {
-        return new CertificationOnUserId(userId, certificate, CertificationType.GENERIC);
+        return userIdOnCertificate(userId, certificate, CertificationType.GENERIC);
     }
 
     /**

From 8b66b3527ec9f4baa9f27401d1480b16f2f9bc05 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 30 Jun 2022 13:16:15 +0200
Subject: [PATCH 0529/1450] Add tests for pet name certification and scoped
 delegation

---
 .../certification/CertifyCertificateTest.java | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
index 3dbc4988..f837be1b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
@@ -23,10 +23,13 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.Arrays;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CertificationType;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.algorithm.Trustworthiness;
+import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.consumer.SignatureVerifier;
+import org.pgpainless.signature.subpackets.CertificationSubpackets;
 import org.pgpainless.util.CollectionUtils;
 import org.pgpainless.util.DateUtil;
 
@@ -105,4 +108,58 @@ public class CertifyCertificateTest {
 
         assertFalse(Arrays.areEqual(bobCertificate.getEncoded(), bobCertified.getEncoded()));
     }
+
+    @Test
+    public void testPetNameCertification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing()
+                .modernKeyRing("Alice ");
+        PGPSecretKeyRing bobKey = PGPainless.generateKeyRing()
+                .modernKeyRing("Bob ");
+
+        PGPPublicKeyRing bobCert = PGPainless.extractCertificate(bobKey);
+        String petName = "Bobby";
+
+        CertifyCertificate.CertificationResult result = PGPainless.certify()
+                .userIdOnCertificate(petName, bobCert)
+                .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys())
+                .buildWithSubpackets(new CertificationSubpackets.Callback() {
+                    @Override
+                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
+                        hashedSubpackets.setExportable(false);
+                    }
+                });
+
+        PGPSignature certification = result.getCertification();
+        assertEquals(aliceKey.getPublicKey().getKeyID(), certification.getKeyID());
+        assertEquals(CertificationType.GENERIC.asSignatureType().getCode(), certification.getSignatureType());
+
+        PGPPublicKeyRing certWithPetName = result.getCertifiedCertificate();
+        KeyRingInfo info = PGPainless.inspectKeyRing(certWithPetName);
+        assertTrue(info.getUserIds().contains(petName));
+        assertFalse(info.getValidUserIds().contains(petName));
+    }
+
+    @Test
+    public void testScopedDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing()
+                .modernKeyRing("Alice ");
+        PGPSecretKeyRing caKey = PGPainless.generateKeyRing()
+                .modernKeyRing("CA ");
+        PGPPublicKeyRing caCert = PGPainless.extractCertificate(caKey);
+
+        CertifyCertificate.CertificationResult result = PGPainless.certify()
+                .certificate(caCert, Trustworthiness.fullyTrusted().introducer())
+                .withKey(aliceKey, SecretKeyRingProtector.unprotectedKeys())
+                .buildWithSubpackets(new CertificationSubpackets.Callback() {
+                    @Override
+                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
+                        hashedSubpackets.setRegularExpression("^.*<.+@example.com>.*$");
+                    }
+                });
+
+        PGPSignature certification = result.getCertification();
+        assertEquals(SignatureType.DIRECT_KEY.getCode(), certification.getSignatureType());
+        assertEquals("^.*<.+@example.com>.*$",
+                certification.getHashedSubPackets().getRegularExpression().getRegex());
+    }
 }

From 170aaaa0c58a1694f45d01b7bcba936678bdc711 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 4 Jul 2022 11:05:16 +0200
Subject: [PATCH 0530/1450] Document KO protection utility class

---
 .../key/util/PublicKeyParameterValidationUtil.java       | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index fbddb080..d3c7fe68 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -38,6 +38,15 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyIntegrityException;
 import org.pgpainless.implementation.ImplementationFactory;
 
+/**
+ * Utility class to verify keys against Key Overwriting (KO) attacks.
+ * This class of attacks is only possible if the attacker has access to the (encrypted) secret key material.
+ * To execute the attack, they would modify the unauthenticated parameters of the users public key.
+ * Using the modified public key in combination with the unmodified secret key material can then lead to the
+ * extraction of secret key parameters via weakly crafted messages.
+ *
+ * @see Key Overwriting (KO) Attacks against OpenPGP
+ */
 public class PublicKeyParameterValidationUtil {
 
     public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey)

From 762391659e27061a744b65cf7e668318f3609606 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 6 Jul 2022 23:56:08 +0200
Subject: [PATCH 0531/1450] Add node_modules to .gitignore

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index f12ea5f8..744e25e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,5 @@ pgpainless-core/.project
 pgpainless-core/.settings/
 
 push_html.sh
+
+docs/node_modules

From 16c44e670e65c29f9b701d0166f05e970c00611a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 6 Jul 2022 23:56:41 +0200
Subject: [PATCH 0532/1450] Initial sphinx-based documentation

---
 ECOSYSTEM.md                              |   92 -
 docs/Makefile                             |   20 +
 docs/README.md                            |   16 +
 docs/make.bat                             |   35 +
 docs/package-lock.json                    | 2626 +++++++++++++++++++++
 docs/package.json                         |    5 +
 docs/source/conf.py                       |   53 +
 docs/source/ecosystem.md                  |   85 +
 docs/source/index.rst                     |   25 +
 docs/source/pgpainless-core/quickstart.md |   27 +
 docs/source/pgpainless-sop/quickstart.md  |  369 +++
 docs/source/quickstart.md                 |   20 +
 docs/source/sop.md                        |    3 +
 13 files changed, 3284 insertions(+), 92 deletions(-)
 delete mode 100644 ECOSYSTEM.md
 create mode 100644 docs/Makefile
 create mode 100644 docs/README.md
 create mode 100644 docs/make.bat
 create mode 100644 docs/package-lock.json
 create mode 100644 docs/package.json
 create mode 100644 docs/source/conf.py
 create mode 100644 docs/source/ecosystem.md
 create mode 100644 docs/source/index.rst
 create mode 100644 docs/source/pgpainless-core/quickstart.md
 create mode 100644 docs/source/pgpainless-sop/quickstart.md
 create mode 100644 docs/source/quickstart.md
 create mode 100644 docs/source/sop.md

diff --git a/ECOSYSTEM.md b/ECOSYSTEM.md
deleted file mode 100644
index b0b4125b..00000000
--- a/ECOSYSTEM.md
+++ /dev/null
@@ -1,92 +0,0 @@
-
-
-# Ecosystem
-
-PGPainless consists of an ecosystem of different libraries and projects.
-
-```mermaid
-flowchart TB
-    subgraph SOP-JAVA
-    sop-java-picocli-->sop-java
-    end
-    subgraph PGPAINLESS
-    pgpainless-sop-->pgpainless-core
-    pgpainless-sop-->sop-java
-    pgpainless-cli-->pgpainless-sop
-    pgpainless-cli-->sop-java-picocli
-    end
-    subgraph WKD-JAVA
-    wkd-java-cli-->wkd-java
-    wkd-test-suite-->wkd-java
-    wkd-test-suite-->pgpainless-core
-    end
-    subgraph CERT-D-JAVA
-    pgp-cert-d-java-->pgp-certificate-store
-    pgp-cert-d-java-jdbc-sqlite-lookup-->pgp-cert-d-java
-    end
-    subgraph CERT-D-PGPAINLESS
-    pgpainless-cert-d-->pgpainless-core
-    pgpainless-cert-d-->pgp-cert-d-java
-    pgpainless-cert-d-cli-->pgpainless-cert-d
-    pgpainless-cert-d-cli-->pgp-cert-d-java-jdbc-sqlite-lookup
-    end
-    subgraph VKS-JAVA
-    vks-java-cli-->vks-java
-    end
-    subgraph PGPEASY
-    pgpeasy-->pgpainless-cli
-    pgpeasy-->wkd-java-cli
-    pgpeasy-->vks-java-cli
-    pgpeasy-->pgpainless-cert-d-cli
-    end
-    wkd-java-cli-->pgpainless-cert-d
-    wkd-java-->pgp-certificate-store
-```
-
-## [PGPainless](https://github.com/pgpainless/pgpainless)
-
-The main repository contains the following components:
-
-* `pgpainless-core` - core implementation - powerful, yet easy to use OpenPGP API
-* `pgpainless-sop` - super simple OpenPGP implementation. Drop-in for `sop-java`
-* `pgpainless-cli` - SOP CLI implementation using PGPainless
-
-## [SOP-Java](https://github.com/pgpainless/sop-java)
-
-An API definition and CLI implementation of the [Stateless OpenPGP Protocol](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-03.html).
-
-* `sop-java` - generic OpenPGP API definition
-* `sop-java-picocli` - Abstract CLI implementation for `sop-java`
-
-## [WKD-Java](https://github.com/pgpainless/wkd-java)
-
-Implementation of the [Web Key Directory](https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-13.html).
-
-* `wkd-java` - abstract WKD discovery implementation
-* `wkd-java-cli` - CLI application implementing WKD discovery using PGPainless
-* `wkd-test-suite` - Generator for test vectors for testing WKD implementations
-
-## [VKS-Java](https://github.com/pgpainless/vks-java)
-
-Client-side API for communicating with Verifying Key Servers, such as https://keys.openpgp.org/.
-
-* `vks-java` - VKS client implementation
-
-## [Cert-D-Java](https://github.com/pgpainless/cert-d-java)
-
-Implementations of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/).
-
-* `pgp-certificate-store` - abstract definitions of OpenPGP certificate stores
-* `pgp-cert-d-java` - implementation of `pgp-certificate-store` following the PGP-CERT-D spec.
-* `pgp-cert-d-java-jdbc-sqlite-lookup` - subkey lookup using sqlite database
-
-## [Cert-D-PGPainless](https://github.com/pgpainless/cert-d-pgpainless)
-
-Implementation of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/) using PGPainless.
-
-* `pgpainless-cert-d` - PGPainless-based implementation of `pgp-cert-d-java`.
-* `pgpainless-cert-d-cli` - CLI frontend for `pgpainless-cert-d`.
\ No newline at end of file
diff --git a/docs/Makefile b/docs/Makefile
new file mode 100644
index 00000000..d0c3cbf1
--- /dev/null
+++ b/docs/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS    ?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR     = source
+BUILDDIR      = build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 00000000..1ed74654
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,16 @@
+# User Guide for PGPainless
+
+## Build the Guide
+
+```shell
+$ make {html|epub|latexpdf}
+```
+
+Note: Building requires `mermaid-cli` to be installed in this directory:
+```shell
+$ # Move here
+$ cd pgpainless/docs
+$ npm install @mermaid-js/mermaid-cli
+```
+
+TODO: This is ugly. Install mermaid-cli globally? Perhaps point to user-installed mermaid-cli in conf.py's mermaid_cmd
\ No newline at end of file
diff --git a/docs/make.bat b/docs/make.bat
new file mode 100644
index 00000000..6247f7e2
--- /dev/null
+++ b/docs/make.bat
@@ -0,0 +1,35 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=source
+set BUILDDIR=build
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+	echo.
+	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+	echo.installed, then set the SPHINXBUILD environment variable to point
+	echo.to the full path of the 'sphinx-build' executable. Alternatively you
+	echo.may add the Sphinx directory to PATH.
+	echo.
+	echo.If you don't have Sphinx installed, grab it from
+	echo.http://sphinx-doc.org/
+	exit /b 1
+)
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+
+:end
+popd
diff --git a/docs/package-lock.json b/docs/package-lock.json
new file mode 100644
index 00000000..c75cb36f
--- /dev/null
+++ b/docs/package-lock.json
@@ -0,0 +1,2626 @@
+{
+  "name": "docs",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@mermaid-js/mermaid-cli": "^9.1.3"
+      }
+    },
+    "node_modules/@braintree/sanitize-url": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz",
+      "integrity": "sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w=="
+    },
+    "node_modules/@mermaid-js/mermaid-cli": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@mermaid-js/mermaid-cli/-/mermaid-cli-9.1.3.tgz",
+      "integrity": "sha512-R7VFArRIhczOejWtKT2Ii8MVKayjpiY6hebGqtcmA8FGSUXDgB4QzK5z9zpOfh1k90XH0PzPpTlL4KXnFfDx1Q==",
+      "dependencies": {
+        "chalk": "^4.1.0",
+        "commander": "^9.0.0",
+        "mermaid": "^9.0.0",
+        "puppeteer": "^14.1.0"
+      },
+      "bin": {
+        "mmdc": "index.bundle.js"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "18.0.3",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.0.3.tgz",
+      "integrity": "sha512-HzNRZtp4eepNitP+BD6k2L6DROIDG4Q0fm4x+dwfsr6LGmROENnok75VGw40628xf+iR24WeMFcHuuBDUAzzsQ==",
+      "optional": true
+    },
+    "node_modules/@types/yauzl": {
+      "version": "2.10.0",
+      "resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.10.0.tgz",
+      "integrity": "sha512-Cn6WYCm0tXv8p6k+A8PvbDG763EDpBoTzHdA+Q/MF6H3sapGjCm9NzoaJncJS9tUKSuCoDs9XHxYYsQDgxR6kw==",
+      "optional": true,
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/agent-base": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "dependencies": {
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
+    },
+    "node_modules/base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/bl": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
+      "dependencies": {
+        "buffer": "^5.5.0",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/buffer": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.1.13"
+      }
+    },
+    "node_modules/buffer-crc32": {
+      "version": "0.2.13",
+      "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
+      "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ==",
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/chalk": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+      "dependencies": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/chownr": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
+      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+    },
+    "node_modules/commander": {
+      "version": "9.3.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-9.3.0.tgz",
+      "integrity": "sha512-hv95iU5uXPbK83mjrJKuZyFM/LBAoCV/XhVGkS5Je6tl7sxr6A0ITMw5WoRV46/UaJ46Nllm3Xt7IaJhXTIkzw==",
+      "engines": {
+        "node": "^12.20.0 || >=14"
+      }
+    },
+    "node_modules/concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="
+    },
+    "node_modules/cross-fetch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.1.5.tgz",
+      "integrity": "sha512-lvb1SBsI0Z7GDwmuid+mU3kWVBwTVUbe7S0H52yaaAdQOXq2YktTCZdlAcNKFzE6QtRz0snpw9bNiPeOIkkQvw==",
+      "dependencies": {
+        "node-fetch": "2.6.7"
+      }
+    },
+    "node_modules/d3": {
+      "version": "7.6.1",
+      "resolved": "https://registry.npmjs.org/d3/-/d3-7.6.1.tgz",
+      "integrity": "sha512-txMTdIHFbcpLx+8a0IFhZsbp+PfBBPt8yfbmukZTQFroKuFqIwqswF0qE5JXWefylaAVpSXFoKm3yP+jpNLFLw==",
+      "dependencies": {
+        "d3-array": "3",
+        "d3-axis": "3",
+        "d3-brush": "3",
+        "d3-chord": "3",
+        "d3-color": "3",
+        "d3-contour": "4",
+        "d3-delaunay": "6",
+        "d3-dispatch": "3",
+        "d3-drag": "3",
+        "d3-dsv": "3",
+        "d3-ease": "3",
+        "d3-fetch": "3",
+        "d3-force": "3",
+        "d3-format": "3",
+        "d3-geo": "3",
+        "d3-hierarchy": "3",
+        "d3-interpolate": "3",
+        "d3-path": "3",
+        "d3-polygon": "3",
+        "d3-quadtree": "3",
+        "d3-random": "3",
+        "d3-scale": "4",
+        "d3-scale-chromatic": "3",
+        "d3-selection": "3",
+        "d3-shape": "3",
+        "d3-time": "3",
+        "d3-time-format": "4",
+        "d3-timer": "3",
+        "d3-transition": "3",
+        "d3-zoom": "3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-array": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.0.tgz",
+      "integrity": "sha512-3yXFQo0oG3QCxbF06rMPFyGRMGJNS7NvsV1+2joOjbBE+9xvWQ8+GcMJAjRCzw06zQ3/arXeJgbPYcjUCuC+3g==",
+      "dependencies": {
+        "internmap": "1 - 2"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-axis": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-3.0.0.tgz",
+      "integrity": "sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-brush": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-3.0.0.tgz",
+      "integrity": "sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ==",
+      "dependencies": {
+        "d3-dispatch": "1 - 3",
+        "d3-drag": "2 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-selection": "3",
+        "d3-transition": "3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-chord": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-3.0.1.tgz",
+      "integrity": "sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g==",
+      "dependencies": {
+        "d3-path": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-collection": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/d3-collection/-/d3-collection-1.0.7.tgz",
+      "integrity": "sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A=="
+    },
+    "node_modules/d3-color": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz",
+      "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-contour": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-4.0.0.tgz",
+      "integrity": "sha512-7aQo0QHUTu/Ko3cP9YK9yUTxtoDEiDGwnBHyLxG5M4vqlBkO/uixMRele3nfsfj6UXOcuReVpVXzAboGraYIJw==",
+      "dependencies": {
+        "d3-array": "^3.2.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-delaunay": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/d3-delaunay/-/d3-delaunay-6.0.2.tgz",
+      "integrity": "sha512-IMLNldruDQScrcfT+MWnazhHbDJhcRJyOEBAJfwQnHle1RPh6WDuLvxNArUju2VSMSUuKlY5BGHRJ2cYyoFLQQ==",
+      "dependencies": {
+        "delaunator": "5"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-dispatch": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-3.0.1.tgz",
+      "integrity": "sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-drag": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-3.0.0.tgz",
+      "integrity": "sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg==",
+      "dependencies": {
+        "d3-dispatch": "1 - 3",
+        "d3-selection": "3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-dsv": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-3.0.1.tgz",
+      "integrity": "sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q==",
+      "dependencies": {
+        "commander": "7",
+        "iconv-lite": "0.6",
+        "rw": "1"
+      },
+      "bin": {
+        "csv2json": "bin/dsv2json.js",
+        "csv2tsv": "bin/dsv2dsv.js",
+        "dsv2dsv": "bin/dsv2dsv.js",
+        "dsv2json": "bin/dsv2json.js",
+        "json2csv": "bin/json2dsv.js",
+        "json2dsv": "bin/json2dsv.js",
+        "json2tsv": "bin/json2dsv.js",
+        "tsv2csv": "bin/dsv2dsv.js",
+        "tsv2json": "bin/dsv2json.js"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-dsv/node_modules/commander": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-7.2.0.tgz",
+      "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==",
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/d3-ease": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz",
+      "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-fetch": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-3.0.1.tgz",
+      "integrity": "sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw==",
+      "dependencies": {
+        "d3-dsv": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-force": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-3.0.0.tgz",
+      "integrity": "sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg==",
+      "dependencies": {
+        "d3-dispatch": "1 - 3",
+        "d3-quadtree": "1 - 3",
+        "d3-timer": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-format": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz",
+      "integrity": "sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-geo": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-3.0.1.tgz",
+      "integrity": "sha512-Wt23xBych5tSy9IYAM1FR2rWIBFWa52B/oF/GYe5zbdHrg08FU8+BuI6X4PvTwPDdqdAdq04fuWJpELtsaEjeA==",
+      "dependencies": {
+        "d3-array": "2.5.0 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-hierarchy": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-3.1.2.tgz",
+      "integrity": "sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-interpolate": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz",
+      "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==",
+      "dependencies": {
+        "d3-color": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-path": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.0.1.tgz",
+      "integrity": "sha512-gq6gZom9AFZby0YLduxT1qmrp4xpBA1YZr19OI717WIdKE2OM5ETq5qrHLb301IgxhLwcuxvGZVLeeWc/k1I6w==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-polygon": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-3.0.1.tgz",
+      "integrity": "sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-quadtree": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-3.0.1.tgz",
+      "integrity": "sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-random": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-3.0.1.tgz",
+      "integrity": "sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-scale": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz",
+      "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==",
+      "dependencies": {
+        "d3-array": "2.10.0 - 3",
+        "d3-format": "1 - 3",
+        "d3-interpolate": "1.2.0 - 3",
+        "d3-time": "2.1.1 - 3",
+        "d3-time-format": "2 - 4"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-scale-chromatic": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz",
+      "integrity": "sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g==",
+      "dependencies": {
+        "d3-color": "1 - 3",
+        "d3-interpolate": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-selection": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
+      "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-shape": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.1.0.tgz",
+      "integrity": "sha512-tGDh1Muf8kWjEDT/LswZJ8WF85yDZLvVJpYU9Nq+8+yW1Z5enxrmXOhTArlkaElU+CTn0OTVNli+/i+HP45QEQ==",
+      "dependencies": {
+        "d3-path": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-time": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.0.0.tgz",
+      "integrity": "sha512-zmV3lRnlaLI08y9IMRXSDshQb5Nj77smnfpnd2LrBa/2K281Jijactokeak14QacHs/kKq0AQ121nidNYlarbQ==",
+      "dependencies": {
+        "d3-array": "2 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-time-format": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz",
+      "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==",
+      "dependencies": {
+        "d3-time": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-timer": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz",
+      "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/d3-transition": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-3.0.1.tgz",
+      "integrity": "sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w==",
+      "dependencies": {
+        "d3-color": "1 - 3",
+        "d3-dispatch": "1 - 3",
+        "d3-ease": "1 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-timer": "1 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "peerDependencies": {
+        "d3-selection": "2 - 3"
+      }
+    },
+    "node_modules/d3-voronoi": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/d3-voronoi/-/d3-voronoi-1.1.4.tgz",
+      "integrity": "sha512-dArJ32hchFsrQ8uMiTBLq256MpnZjeuBtdHpaDlYuQyjU0CVzCJl/BVW+SkszaAeH95D/8gxqAhgx0ouAWAfRg=="
+    },
+    "node_modules/d3-zoom": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-3.0.0.tgz",
+      "integrity": "sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw==",
+      "dependencies": {
+        "d3-dispatch": "1 - 3",
+        "d3-drag": "2 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-selection": "2 - 3",
+        "d3-transition": "2 - 3"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/dagre": {
+      "version": "0.8.5",
+      "resolved": "https://registry.npmjs.org/dagre/-/dagre-0.8.5.tgz",
+      "integrity": "sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==",
+      "dependencies": {
+        "graphlib": "^2.1.8",
+        "lodash": "^4.17.15"
+      }
+    },
+    "node_modules/dagre-d3": {
+      "version": "0.6.4",
+      "resolved": "https://registry.npmjs.org/dagre-d3/-/dagre-d3-0.6.4.tgz",
+      "integrity": "sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==",
+      "dependencies": {
+        "d3": "^5.14",
+        "dagre": "^0.8.5",
+        "graphlib": "^2.1.8",
+        "lodash": "^4.17.15"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/commander": {
+      "version": "2.20.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
+      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3": {
+      "version": "5.16.0",
+      "resolved": "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz",
+      "integrity": "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==",
+      "dependencies": {
+        "d3-array": "1",
+        "d3-axis": "1",
+        "d3-brush": "1",
+        "d3-chord": "1",
+        "d3-collection": "1",
+        "d3-color": "1",
+        "d3-contour": "1",
+        "d3-dispatch": "1",
+        "d3-drag": "1",
+        "d3-dsv": "1",
+        "d3-ease": "1",
+        "d3-fetch": "1",
+        "d3-force": "1",
+        "d3-format": "1",
+        "d3-geo": "1",
+        "d3-hierarchy": "1",
+        "d3-interpolate": "1",
+        "d3-path": "1",
+        "d3-polygon": "1",
+        "d3-quadtree": "1",
+        "d3-random": "1",
+        "d3-scale": "2",
+        "d3-scale-chromatic": "1",
+        "d3-selection": "1",
+        "d3-shape": "1",
+        "d3-time": "1",
+        "d3-time-format": "2",
+        "d3-timer": "1",
+        "d3-transition": "1",
+        "d3-voronoi": "1",
+        "d3-zoom": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-array": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-1.2.4.tgz",
+      "integrity": "sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-axis": {
+      "version": "1.0.12",
+      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-1.0.12.tgz",
+      "integrity": "sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-brush": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.6.tgz",
+      "integrity": "sha512-7RW+w7HfMCPyZLifTz/UnJmI5kdkXtpCbombUSs8xniAyo0vIbrDzDwUJB6eJOgl9u5DQOt2TQlYumxzD1SvYA==",
+      "dependencies": {
+        "d3-dispatch": "1",
+        "d3-drag": "1",
+        "d3-interpolate": "1",
+        "d3-selection": "1",
+        "d3-transition": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-chord": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-1.0.6.tgz",
+      "integrity": "sha512-JXA2Dro1Fxw9rJe33Uv+Ckr5IrAa74TlfDEhE/jfLOaXegMQFQTAgAw9WnZL8+HxVBRXaRGCkrNU7pJeylRIuA==",
+      "dependencies": {
+        "d3-array": "1",
+        "d3-path": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-color": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz",
+      "integrity": "sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-contour": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-1.3.2.tgz",
+      "integrity": "sha512-hoPp4K/rJCu0ladiH6zmJUEz6+u3lgR+GSm/QdM2BBvDraU39Vr7YdDCicJcxP1z8i9B/2dJLgDC1NcvlF8WCg==",
+      "dependencies": {
+        "d3-array": "^1.1.1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-dispatch": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-1.0.6.tgz",
+      "integrity": "sha512-fVjoElzjhCEy+Hbn8KygnmMS7Or0a9sI2UzGwoB7cCtvI1XpVN9GpoYlnb3xt2YV66oXYb1fLJ8GMvP4hdU1RA=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-drag": {
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-1.2.5.tgz",
+      "integrity": "sha512-rD1ohlkKQwMZYkQlYVCrSFxsWPzI97+W+PaEIBNTMxRuxz9RF0Hi5nJWHGVJ3Om9d2fRTe1yOBINJyy/ahV95w==",
+      "dependencies": {
+        "d3-dispatch": "1",
+        "d3-selection": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-dsv": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-1.2.0.tgz",
+      "integrity": "sha512-9yVlqvZcSOMhCYzniHE7EVUws7Fa1zgw+/EAV2BxJoG3ME19V6BQFBwI855XQDsxyOuG7NibqRMTtiF/Qup46g==",
+      "dependencies": {
+        "commander": "2",
+        "iconv-lite": "0.4",
+        "rw": "1"
+      },
+      "bin": {
+        "csv2json": "bin/dsv2json",
+        "csv2tsv": "bin/dsv2dsv",
+        "dsv2dsv": "bin/dsv2dsv",
+        "dsv2json": "bin/dsv2json",
+        "json2csv": "bin/json2dsv",
+        "json2dsv": "bin/json2dsv",
+        "json2tsv": "bin/json2dsv",
+        "tsv2csv": "bin/dsv2dsv",
+        "tsv2json": "bin/dsv2json"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-ease": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-1.0.7.tgz",
+      "integrity": "sha512-lx14ZPYkhNx0s/2HX5sLFUI3mbasHjSSpwO/KaaNACweVwxUruKyWVcb293wMv1RqTPZyZ8kSZ2NogUZNcLOFQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-fetch": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-1.2.0.tgz",
+      "integrity": "sha512-yC78NBVcd2zFAyR/HnUiBS7Lf6inSCoWcSxFfw8FYL7ydiqe80SazNwoffcqOfs95XaLo7yebsmQqDKSsXUtvA==",
+      "dependencies": {
+        "d3-dsv": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-force": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-1.2.1.tgz",
+      "integrity": "sha512-HHvehyaiUlVo5CxBJ0yF/xny4xoaxFxDnBXNvNcfW9adORGZfyNF1dj6DGLKyk4Yh3brP/1h3rnDzdIAwL08zg==",
+      "dependencies": {
+        "d3-collection": "1",
+        "d3-dispatch": "1",
+        "d3-quadtree": "1",
+        "d3-timer": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-format": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.5.tgz",
+      "integrity": "sha512-J0piedu6Z8iB6TbIGfZgDzfXxUFN3qQRMofy2oPdXzQibYGqPB/9iMcxr/TGalU+2RsyDO+U4f33id8tbnSRMQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-geo": {
+      "version": "1.12.1",
+      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-1.12.1.tgz",
+      "integrity": "sha512-XG4d1c/UJSEX9NfU02KwBL6BYPj8YKHxgBEw5om2ZnTRSbIcego6dhHwcxuSR3clxh0EpE38os1DVPOmnYtTPg==",
+      "dependencies": {
+        "d3-array": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-hierarchy": {
+      "version": "1.1.9",
+      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz",
+      "integrity": "sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-interpolate": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.4.0.tgz",
+      "integrity": "sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==",
+      "dependencies": {
+        "d3-color": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-path": {
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-1.0.9.tgz",
+      "integrity": "sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-polygon": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-1.0.6.tgz",
+      "integrity": "sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-quadtree": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-1.0.7.tgz",
+      "integrity": "sha512-RKPAeXnkC59IDGD0Wu5mANy0Q2V28L+fNe65pOCXVdVuTJS3WPKaJlFHer32Rbh9gIo9qMuJXio8ra4+YmIymA=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-random": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-1.1.2.tgz",
+      "integrity": "sha512-6AK5BNpIFqP+cx/sreKzNjWbwZQCSUatxq+pPRmFIQaWuoD+NrbVWw7YWpHiXpCQ/NanKdtGDuB+VQcZDaEmYQ=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-scale": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-2.2.2.tgz",
+      "integrity": "sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw==",
+      "dependencies": {
+        "d3-array": "^1.2.0",
+        "d3-collection": "1",
+        "d3-format": "1",
+        "d3-interpolate": "1",
+        "d3-time": "1",
+        "d3-time-format": "2"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-scale-chromatic": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-1.5.0.tgz",
+      "integrity": "sha512-ACcL46DYImpRFMBcpk9HhtIyC7bTBR4fNOPxwVSl0LfulDAwyiHyPOTqcDG1+t5d4P9W7t/2NAuWu59aKko/cg==",
+      "dependencies": {
+        "d3-color": "1",
+        "d3-interpolate": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-selection": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-1.4.2.tgz",
+      "integrity": "sha512-SJ0BqYihzOjDnnlfyeHT0e30k0K1+5sR3d5fNueCNeuhZTnGw4M4o8mqJchSwgKMXCNFo+e2VTChiSJ0vYtXkg=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-shape": {
+      "version": "1.3.7",
+      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-1.3.7.tgz",
+      "integrity": "sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw==",
+      "dependencies": {
+        "d3-path": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-time": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-1.1.0.tgz",
+      "integrity": "sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-time-format": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.3.0.tgz",
+      "integrity": "sha512-guv6b2H37s2Uq/GefleCDtbe0XZAuy7Wa49VGkPVPMfLL9qObgBST3lEHJBMUp8S7NdLQAGIvr2KXk8Hc98iKQ==",
+      "dependencies": {
+        "d3-time": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-timer": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-1.0.10.tgz",
+      "integrity": "sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw=="
+    },
+    "node_modules/dagre-d3/node_modules/d3-transition": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.3.2.tgz",
+      "integrity": "sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==",
+      "dependencies": {
+        "d3-color": "1",
+        "d3-dispatch": "1",
+        "d3-ease": "1",
+        "d3-interpolate": "1",
+        "d3-selection": "^1.1.0",
+        "d3-timer": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/d3-zoom": {
+      "version": "1.8.3",
+      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-1.8.3.tgz",
+      "integrity": "sha512-VoLXTK4wvy1a0JpH2Il+F2CiOhVu7VRXWF5M/LroMIh3/zBAC3WAt7QoIvPibOavVo20hN6/37vwAsdBejLyKQ==",
+      "dependencies": {
+        "d3-dispatch": "1",
+        "d3-drag": "1",
+        "d3-interpolate": "1",
+        "d3-selection": "1",
+        "d3-transition": "1"
+      }
+    },
+    "node_modules/dagre-d3/node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/delaunator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.0.tgz",
+      "integrity": "sha512-AyLvtyJdbv/U1GkiS6gUUzclRoAY4Gs75qkMygJJhU75LW4DNuSF2RMzpxs9jw9Oz1BobHjTdkG3zdP55VxAqw==",
+      "dependencies": {
+        "robust-predicates": "^3.0.0"
+      }
+    },
+    "node_modules/devtools-protocol": {
+      "version": "0.0.1001819",
+      "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1001819.tgz",
+      "integrity": "sha512-G6OsIFnv/rDyxSqBa2lDLR6thp9oJioLsb2Gl+LbQlyoA9/OBAkrTU9jiCcQ8Pnh7z4d6slDiLaogR5hzgJLmQ=="
+    },
+    "node_modules/dompurify": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz",
+      "integrity": "sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw=="
+    },
+    "node_modules/end-of-stream": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "dependencies": {
+        "once": "^1.4.0"
+      }
+    },
+    "node_modules/extract-zip": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/extract-zip/-/extract-zip-2.0.1.tgz",
+      "integrity": "sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg==",
+      "dependencies": {
+        "debug": "^4.1.1",
+        "get-stream": "^5.1.0",
+        "yauzl": "^2.10.0"
+      },
+      "bin": {
+        "extract-zip": "cli.js"
+      },
+      "engines": {
+        "node": ">= 10.17.0"
+      },
+      "optionalDependencies": {
+        "@types/yauzl": "^2.9.1"
+      }
+    },
+    "node_modules/fd-slicer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
+      "integrity": "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==",
+      "dependencies": {
+        "pend": "~1.2.0"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
+    },
+    "node_modules/fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
+    },
+    "node_modules/get-stream": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.2.0.tgz",
+      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
+      "dependencies": {
+        "pump": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/graphlib": {
+      "version": "2.1.8",
+      "resolved": "https://registry.npmjs.org/graphlib/-/graphlib-2.1.8.tgz",
+      "integrity": "sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==",
+      "dependencies": {
+        "lodash": "^4.17.15"
+      }
+    },
+    "node_modules/has-flag": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/https-proxy-agent": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
+      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
+      "dependencies": {
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
+      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ieee754": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
+      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "dependencies": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
+    },
+    "node_modules/internmap": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz",
+      "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/khroma": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
+      "integrity": "sha512-2J8rDNlQWbtiNYThZRvmMv5yt44ZakX+Tz5ZIp/mN1pt4snn+m030Va5Z4v8xA0cQFDXBwO/8i42xL4QPsVk3g=="
+    },
+    "node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
+    "node_modules/mermaid": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-9.1.3.tgz",
+      "integrity": "sha512-jTIYiqKwsUXVCoxHUVkK8t0QN3zSKIdJlb9thT0J5jCnzXyc+gqTbZE2QmjRfavFTPPn5eRy5zaFp7V+6RhxYg==",
+      "dependencies": {
+        "@braintree/sanitize-url": "^6.0.0",
+        "d3": "^7.0.0",
+        "dagre": "^0.8.5",
+        "dagre-d3": "^0.6.4",
+        "dompurify": "2.3.8",
+        "graphlib": "^2.1.8",
+        "khroma": "^2.0.0",
+        "moment-mini": "^2.24.0",
+        "stylis": "^4.0.10"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/mkdirp-classic": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
+    },
+    "node_modules/moment-mini": {
+      "version": "2.24.0",
+      "resolved": "https://registry.npmjs.org/moment-mini/-/moment-mini-2.24.0.tgz",
+      "integrity": "sha512-9ARkWHBs+6YJIvrIp0Ik5tyTTtP9PoV0Ssu2Ocq5y9v8+NOOpWiRshAp8c4rZVWTOe+157on/5G+zj5pwIQFEQ=="
+    },
+    "node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/node-fetch": {
+      "version": "2.6.7",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "dependencies": {
+        "whatwg-url": "^5.0.0"
+      },
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      },
+      "peerDependencies": {
+        "encoding": "^0.1.0"
+      },
+      "peerDependenciesMeta": {
+        "encoding": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/pend": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz",
+      "integrity": "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="
+    },
+    "node_modules/pkg-dir": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz",
+      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
+      "dependencies": {
+        "find-up": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/progress": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
+      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
+    },
+    "node_modules/pump": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "dependencies": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "node_modules/puppeteer": {
+      "version": "14.4.1",
+      "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-14.4.1.tgz",
+      "integrity": "sha512-+H0Gm84aXUvSLdSiDROtLlOofftClgw2TdceMvvCU9UvMryappoeS3+eOLfKvoy4sm8B8MWnYmPhWxVFudAOFQ==",
+      "hasInstallScript": true,
+      "dependencies": {
+        "cross-fetch": "3.1.5",
+        "debug": "4.3.4",
+        "devtools-protocol": "0.0.1001819",
+        "extract-zip": "2.0.1",
+        "https-proxy-agent": "5.0.1",
+        "pkg-dir": "4.2.0",
+        "progress": "2.0.3",
+        "proxy-from-env": "1.1.0",
+        "rimraf": "3.0.2",
+        "tar-fs": "2.1.1",
+        "unbzip2-stream": "1.4.3",
+        "ws": "8.7.0"
+      },
+      "engines": {
+        "node": ">=14.1.0"
+      }
+    },
+    "node_modules/readable-stream": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz",
+      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/rimraf": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "dependencies": {
+        "glob": "^7.1.3"
+      },
+      "bin": {
+        "rimraf": "bin.js"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/robust-predicates": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.1.tgz",
+      "integrity": "sha512-ndEIpszUHiG4HtDsQLeIuMvRsDnn8c8rYStabochtUeCvfuvNptb5TUbVD68LRAILPX7p9nqQGh4xJgn3EHS/g=="
+    },
+    "node_modules/rw": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/rw/-/rw-1.3.3.tgz",
+      "integrity": "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "node_modules/string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dependencies": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
+    "node_modules/stylis": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.1.1.tgz",
+      "integrity": "sha512-lVrM/bNdhVX2OgBFNa2YJ9Lxj7kPzylieHd3TNjuGE0Re9JB7joL5VUKOVH1kdNNJTgGPpT8hmwIAPLaSyEVFQ=="
+    },
+    "node_modules/supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/tar-fs": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz",
+      "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==",
+      "dependencies": {
+        "chownr": "^1.1.1",
+        "mkdirp-classic": "^0.5.2",
+        "pump": "^3.0.0",
+        "tar-stream": "^2.1.4"
+      }
+    },
+    "node_modules/tar-stream": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
+      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
+      "dependencies": {
+        "bl": "^4.0.3",
+        "end-of-stream": "^1.4.1",
+        "fs-constants": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/through": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
+      "integrity": "sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg=="
+    },
+    "node_modules/tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "node_modules/unbzip2-stream": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
+      "integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
+      "dependencies": {
+        "buffer": "^5.2.1",
+        "through": "^2.3.8"
+      }
+    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
+    "node_modules/webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "node_modules/whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "dependencies": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    },
+    "node_modules/ws": {
+      "version": "8.7.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.7.0.tgz",
+      "integrity": "sha512-c2gsP0PRwcLFzUiA8Mkr37/MI7ilIlHQxaEAtd0uNMbVMoy8puJyafRlm0bV9MbGSabUPeLrRRaqIBcFcA2Pqg==",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": "^5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/yauzl": {
+      "version": "2.10.0",
+      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
+      "integrity": "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==",
+      "dependencies": {
+        "buffer-crc32": "~0.2.3",
+        "fd-slicer": "~1.1.0"
+      }
+    }
+  },
+  "dependencies": {
+    "@braintree/sanitize-url": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz",
+      "integrity": "sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w=="
+    },
+    "@mermaid-js/mermaid-cli": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@mermaid-js/mermaid-cli/-/mermaid-cli-9.1.3.tgz",
+      "integrity": "sha512-R7VFArRIhczOejWtKT2Ii8MVKayjpiY6hebGqtcmA8FGSUXDgB4QzK5z9zpOfh1k90XH0PzPpTlL4KXnFfDx1Q==",
+      "requires": {
+        "chalk": "^4.1.0",
+        "commander": "^9.0.0",
+        "mermaid": "^9.0.0",
+        "puppeteer": "^14.1.0"
+      }
+    },
+    "@types/node": {
+      "version": "18.0.3",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.0.3.tgz",
+      "integrity": "sha512-HzNRZtp4eepNitP+BD6k2L6DROIDG4Q0fm4x+dwfsr6LGmROENnok75VGw40628xf+iR24WeMFcHuuBDUAzzsQ==",
+      "optional": true
+    },
+    "@types/yauzl": {
+      "version": "2.10.0",
+      "resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.10.0.tgz",
+      "integrity": "sha512-Cn6WYCm0tXv8p6k+A8PvbDG763EDpBoTzHdA+Q/MF6H3sapGjCm9NzoaJncJS9tUKSuCoDs9XHxYYsQDgxR6kw==",
+      "optional": true,
+      "requires": {
+        "@types/node": "*"
+      }
+    },
+    "agent-base": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "requires": {
+        "debug": "4"
+      }
+    },
+    "ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "requires": {
+        "color-convert": "^2.0.1"
+      }
+    },
+    "balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
+    },
+    "base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA=="
+    },
+    "bl": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
+      "requires": {
+        "buffer": "^5.5.0",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
+    "brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "requires": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "buffer": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+      "requires": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.1.13"
+      }
+    },
+    "buffer-crc32": {
+      "version": "0.2.13",
+      "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
+      "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="
+    },
+    "chalk": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+      "requires": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      }
+    },
+    "chownr": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
+      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
+    },
+    "color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "requires": {
+        "color-name": "~1.1.4"
+      }
+    },
+    "color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+    },
+    "commander": {
+      "version": "9.3.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-9.3.0.tgz",
+      "integrity": "sha512-hv95iU5uXPbK83mjrJKuZyFM/LBAoCV/XhVGkS5Je6tl7sxr6A0ITMw5WoRV46/UaJ46Nllm3Xt7IaJhXTIkzw=="
+    },
+    "concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="
+    },
+    "cross-fetch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.1.5.tgz",
+      "integrity": "sha512-lvb1SBsI0Z7GDwmuid+mU3kWVBwTVUbe7S0H52yaaAdQOXq2YktTCZdlAcNKFzE6QtRz0snpw9bNiPeOIkkQvw==",
+      "requires": {
+        "node-fetch": "2.6.7"
+      }
+    },
+    "d3": {
+      "version": "7.6.1",
+      "resolved": "https://registry.npmjs.org/d3/-/d3-7.6.1.tgz",
+      "integrity": "sha512-txMTdIHFbcpLx+8a0IFhZsbp+PfBBPt8yfbmukZTQFroKuFqIwqswF0qE5JXWefylaAVpSXFoKm3yP+jpNLFLw==",
+      "requires": {
+        "d3-array": "3",
+        "d3-axis": "3",
+        "d3-brush": "3",
+        "d3-chord": "3",
+        "d3-color": "3",
+        "d3-contour": "4",
+        "d3-delaunay": "6",
+        "d3-dispatch": "3",
+        "d3-drag": "3",
+        "d3-dsv": "3",
+        "d3-ease": "3",
+        "d3-fetch": "3",
+        "d3-force": "3",
+        "d3-format": "3",
+        "d3-geo": "3",
+        "d3-hierarchy": "3",
+        "d3-interpolate": "3",
+        "d3-path": "3",
+        "d3-polygon": "3",
+        "d3-quadtree": "3",
+        "d3-random": "3",
+        "d3-scale": "4",
+        "d3-scale-chromatic": "3",
+        "d3-selection": "3",
+        "d3-shape": "3",
+        "d3-time": "3",
+        "d3-time-format": "4",
+        "d3-timer": "3",
+        "d3-transition": "3",
+        "d3-zoom": "3"
+      }
+    },
+    "d3-array": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.0.tgz",
+      "integrity": "sha512-3yXFQo0oG3QCxbF06rMPFyGRMGJNS7NvsV1+2joOjbBE+9xvWQ8+GcMJAjRCzw06zQ3/arXeJgbPYcjUCuC+3g==",
+      "requires": {
+        "internmap": "1 - 2"
+      }
+    },
+    "d3-axis": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-3.0.0.tgz",
+      "integrity": "sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw=="
+    },
+    "d3-brush": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-3.0.0.tgz",
+      "integrity": "sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ==",
+      "requires": {
+        "d3-dispatch": "1 - 3",
+        "d3-drag": "2 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-selection": "3",
+        "d3-transition": "3"
+      }
+    },
+    "d3-chord": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-3.0.1.tgz",
+      "integrity": "sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g==",
+      "requires": {
+        "d3-path": "1 - 3"
+      }
+    },
+    "d3-collection": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/d3-collection/-/d3-collection-1.0.7.tgz",
+      "integrity": "sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A=="
+    },
+    "d3-color": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz",
+      "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA=="
+    },
+    "d3-contour": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-4.0.0.tgz",
+      "integrity": "sha512-7aQo0QHUTu/Ko3cP9YK9yUTxtoDEiDGwnBHyLxG5M4vqlBkO/uixMRele3nfsfj6UXOcuReVpVXzAboGraYIJw==",
+      "requires": {
+        "d3-array": "^3.2.0"
+      }
+    },
+    "d3-delaunay": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/d3-delaunay/-/d3-delaunay-6.0.2.tgz",
+      "integrity": "sha512-IMLNldruDQScrcfT+MWnazhHbDJhcRJyOEBAJfwQnHle1RPh6WDuLvxNArUju2VSMSUuKlY5BGHRJ2cYyoFLQQ==",
+      "requires": {
+        "delaunator": "5"
+      }
+    },
+    "d3-dispatch": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-3.0.1.tgz",
+      "integrity": "sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg=="
+    },
+    "d3-drag": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-3.0.0.tgz",
+      "integrity": "sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg==",
+      "requires": {
+        "d3-dispatch": "1 - 3",
+        "d3-selection": "3"
+      }
+    },
+    "d3-dsv": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-3.0.1.tgz",
+      "integrity": "sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q==",
+      "requires": {
+        "commander": "7",
+        "iconv-lite": "0.6",
+        "rw": "1"
+      },
+      "dependencies": {
+        "commander": {
+          "version": "7.2.0",
+          "resolved": "https://registry.npmjs.org/commander/-/commander-7.2.0.tgz",
+          "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw=="
+        }
+      }
+    },
+    "d3-ease": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz",
+      "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w=="
+    },
+    "d3-fetch": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-3.0.1.tgz",
+      "integrity": "sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw==",
+      "requires": {
+        "d3-dsv": "1 - 3"
+      }
+    },
+    "d3-force": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-3.0.0.tgz",
+      "integrity": "sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg==",
+      "requires": {
+        "d3-dispatch": "1 - 3",
+        "d3-quadtree": "1 - 3",
+        "d3-timer": "1 - 3"
+      }
+    },
+    "d3-format": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz",
+      "integrity": "sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA=="
+    },
+    "d3-geo": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-3.0.1.tgz",
+      "integrity": "sha512-Wt23xBych5tSy9IYAM1FR2rWIBFWa52B/oF/GYe5zbdHrg08FU8+BuI6X4PvTwPDdqdAdq04fuWJpELtsaEjeA==",
+      "requires": {
+        "d3-array": "2.5.0 - 3"
+      }
+    },
+    "d3-hierarchy": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-3.1.2.tgz",
+      "integrity": "sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA=="
+    },
+    "d3-interpolate": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz",
+      "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==",
+      "requires": {
+        "d3-color": "1 - 3"
+      }
+    },
+    "d3-path": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.0.1.tgz",
+      "integrity": "sha512-gq6gZom9AFZby0YLduxT1qmrp4xpBA1YZr19OI717WIdKE2OM5ETq5qrHLb301IgxhLwcuxvGZVLeeWc/k1I6w=="
+    },
+    "d3-polygon": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-3.0.1.tgz",
+      "integrity": "sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg=="
+    },
+    "d3-quadtree": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-3.0.1.tgz",
+      "integrity": "sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw=="
+    },
+    "d3-random": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-3.0.1.tgz",
+      "integrity": "sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ=="
+    },
+    "d3-scale": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz",
+      "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==",
+      "requires": {
+        "d3-array": "2.10.0 - 3",
+        "d3-format": "1 - 3",
+        "d3-interpolate": "1.2.0 - 3",
+        "d3-time": "2.1.1 - 3",
+        "d3-time-format": "2 - 4"
+      }
+    },
+    "d3-scale-chromatic": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz",
+      "integrity": "sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g==",
+      "requires": {
+        "d3-color": "1 - 3",
+        "d3-interpolate": "1 - 3"
+      }
+    },
+    "d3-selection": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
+      "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ=="
+    },
+    "d3-shape": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.1.0.tgz",
+      "integrity": "sha512-tGDh1Muf8kWjEDT/LswZJ8WF85yDZLvVJpYU9Nq+8+yW1Z5enxrmXOhTArlkaElU+CTn0OTVNli+/i+HP45QEQ==",
+      "requires": {
+        "d3-path": "1 - 3"
+      }
+    },
+    "d3-time": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.0.0.tgz",
+      "integrity": "sha512-zmV3lRnlaLI08y9IMRXSDshQb5Nj77smnfpnd2LrBa/2K281Jijactokeak14QacHs/kKq0AQ121nidNYlarbQ==",
+      "requires": {
+        "d3-array": "2 - 3"
+      }
+    },
+    "d3-time-format": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz",
+      "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==",
+      "requires": {
+        "d3-time": "1 - 3"
+      }
+    },
+    "d3-timer": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz",
+      "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA=="
+    },
+    "d3-transition": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-3.0.1.tgz",
+      "integrity": "sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w==",
+      "requires": {
+        "d3-color": "1 - 3",
+        "d3-dispatch": "1 - 3",
+        "d3-ease": "1 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-timer": "1 - 3"
+      }
+    },
+    "d3-voronoi": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/d3-voronoi/-/d3-voronoi-1.1.4.tgz",
+      "integrity": "sha512-dArJ32hchFsrQ8uMiTBLq256MpnZjeuBtdHpaDlYuQyjU0CVzCJl/BVW+SkszaAeH95D/8gxqAhgx0ouAWAfRg=="
+    },
+    "d3-zoom": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-3.0.0.tgz",
+      "integrity": "sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw==",
+      "requires": {
+        "d3-dispatch": "1 - 3",
+        "d3-drag": "2 - 3",
+        "d3-interpolate": "1 - 3",
+        "d3-selection": "2 - 3",
+        "d3-transition": "2 - 3"
+      }
+    },
+    "dagre": {
+      "version": "0.8.5",
+      "resolved": "https://registry.npmjs.org/dagre/-/dagre-0.8.5.tgz",
+      "integrity": "sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==",
+      "requires": {
+        "graphlib": "^2.1.8",
+        "lodash": "^4.17.15"
+      }
+    },
+    "dagre-d3": {
+      "version": "0.6.4",
+      "resolved": "https://registry.npmjs.org/dagre-d3/-/dagre-d3-0.6.4.tgz",
+      "integrity": "sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==",
+      "requires": {
+        "d3": "^5.14",
+        "dagre": "^0.8.5",
+        "graphlib": "^2.1.8",
+        "lodash": "^4.17.15"
+      },
+      "dependencies": {
+        "commander": {
+          "version": "2.20.3",
+          "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
+          "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
+        },
+        "d3": {
+          "version": "5.16.0",
+          "resolved": "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz",
+          "integrity": "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==",
+          "requires": {
+            "d3-array": "1",
+            "d3-axis": "1",
+            "d3-brush": "1",
+            "d3-chord": "1",
+            "d3-collection": "1",
+            "d3-color": "1",
+            "d3-contour": "1",
+            "d3-dispatch": "1",
+            "d3-drag": "1",
+            "d3-dsv": "1",
+            "d3-ease": "1",
+            "d3-fetch": "1",
+            "d3-force": "1",
+            "d3-format": "1",
+            "d3-geo": "1",
+            "d3-hierarchy": "1",
+            "d3-interpolate": "1",
+            "d3-path": "1",
+            "d3-polygon": "1",
+            "d3-quadtree": "1",
+            "d3-random": "1",
+            "d3-scale": "2",
+            "d3-scale-chromatic": "1",
+            "d3-selection": "1",
+            "d3-shape": "1",
+            "d3-time": "1",
+            "d3-time-format": "2",
+            "d3-timer": "1",
+            "d3-transition": "1",
+            "d3-voronoi": "1",
+            "d3-zoom": "1"
+          }
+        },
+        "d3-array": {
+          "version": "1.2.4",
+          "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-1.2.4.tgz",
+          "integrity": "sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw=="
+        },
+        "d3-axis": {
+          "version": "1.0.12",
+          "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-1.0.12.tgz",
+          "integrity": "sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ=="
+        },
+        "d3-brush": {
+          "version": "1.1.6",
+          "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.6.tgz",
+          "integrity": "sha512-7RW+w7HfMCPyZLifTz/UnJmI5kdkXtpCbombUSs8xniAyo0vIbrDzDwUJB6eJOgl9u5DQOt2TQlYumxzD1SvYA==",
+          "requires": {
+            "d3-dispatch": "1",
+            "d3-drag": "1",
+            "d3-interpolate": "1",
+            "d3-selection": "1",
+            "d3-transition": "1"
+          }
+        },
+        "d3-chord": {
+          "version": "1.0.6",
+          "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-1.0.6.tgz",
+          "integrity": "sha512-JXA2Dro1Fxw9rJe33Uv+Ckr5IrAa74TlfDEhE/jfLOaXegMQFQTAgAw9WnZL8+HxVBRXaRGCkrNU7pJeylRIuA==",
+          "requires": {
+            "d3-array": "1",
+            "d3-path": "1"
+          }
+        },
+        "d3-color": {
+          "version": "1.4.1",
+          "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz",
+          "integrity": "sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q=="
+        },
+        "d3-contour": {
+          "version": "1.3.2",
+          "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-1.3.2.tgz",
+          "integrity": "sha512-hoPp4K/rJCu0ladiH6zmJUEz6+u3lgR+GSm/QdM2BBvDraU39Vr7YdDCicJcxP1z8i9B/2dJLgDC1NcvlF8WCg==",
+          "requires": {
+            "d3-array": "^1.1.1"
+          }
+        },
+        "d3-dispatch": {
+          "version": "1.0.6",
+          "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-1.0.6.tgz",
+          "integrity": "sha512-fVjoElzjhCEy+Hbn8KygnmMS7Or0a9sI2UzGwoB7cCtvI1XpVN9GpoYlnb3xt2YV66oXYb1fLJ8GMvP4hdU1RA=="
+        },
+        "d3-drag": {
+          "version": "1.2.5",
+          "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-1.2.5.tgz",
+          "integrity": "sha512-rD1ohlkKQwMZYkQlYVCrSFxsWPzI97+W+PaEIBNTMxRuxz9RF0Hi5nJWHGVJ3Om9d2fRTe1yOBINJyy/ahV95w==",
+          "requires": {
+            "d3-dispatch": "1",
+            "d3-selection": "1"
+          }
+        },
+        "d3-dsv": {
+          "version": "1.2.0",
+          "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-1.2.0.tgz",
+          "integrity": "sha512-9yVlqvZcSOMhCYzniHE7EVUws7Fa1zgw+/EAV2BxJoG3ME19V6BQFBwI855XQDsxyOuG7NibqRMTtiF/Qup46g==",
+          "requires": {
+            "commander": "2",
+            "iconv-lite": "0.4",
+            "rw": "1"
+          }
+        },
+        "d3-ease": {
+          "version": "1.0.7",
+          "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-1.0.7.tgz",
+          "integrity": "sha512-lx14ZPYkhNx0s/2HX5sLFUI3mbasHjSSpwO/KaaNACweVwxUruKyWVcb293wMv1RqTPZyZ8kSZ2NogUZNcLOFQ=="
+        },
+        "d3-fetch": {
+          "version": "1.2.0",
+          "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-1.2.0.tgz",
+          "integrity": "sha512-yC78NBVcd2zFAyR/HnUiBS7Lf6inSCoWcSxFfw8FYL7ydiqe80SazNwoffcqOfs95XaLo7yebsmQqDKSsXUtvA==",
+          "requires": {
+            "d3-dsv": "1"
+          }
+        },
+        "d3-force": {
+          "version": "1.2.1",
+          "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-1.2.1.tgz",
+          "integrity": "sha512-HHvehyaiUlVo5CxBJ0yF/xny4xoaxFxDnBXNvNcfW9adORGZfyNF1dj6DGLKyk4Yh3brP/1h3rnDzdIAwL08zg==",
+          "requires": {
+            "d3-collection": "1",
+            "d3-dispatch": "1",
+            "d3-quadtree": "1",
+            "d3-timer": "1"
+          }
+        },
+        "d3-format": {
+          "version": "1.4.5",
+          "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.5.tgz",
+          "integrity": "sha512-J0piedu6Z8iB6TbIGfZgDzfXxUFN3qQRMofy2oPdXzQibYGqPB/9iMcxr/TGalU+2RsyDO+U4f33id8tbnSRMQ=="
+        },
+        "d3-geo": {
+          "version": "1.12.1",
+          "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-1.12.1.tgz",
+          "integrity": "sha512-XG4d1c/UJSEX9NfU02KwBL6BYPj8YKHxgBEw5om2ZnTRSbIcego6dhHwcxuSR3clxh0EpE38os1DVPOmnYtTPg==",
+          "requires": {
+            "d3-array": "1"
+          }
+        },
+        "d3-hierarchy": {
+          "version": "1.1.9",
+          "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz",
+          "integrity": "sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ=="
+        },
+        "d3-interpolate": {
+          "version": "1.4.0",
+          "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.4.0.tgz",
+          "integrity": "sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==",
+          "requires": {
+            "d3-color": "1"
+          }
+        },
+        "d3-path": {
+          "version": "1.0.9",
+          "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-1.0.9.tgz",
+          "integrity": "sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg=="
+        },
+        "d3-polygon": {
+          "version": "1.0.6",
+          "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-1.0.6.tgz",
+          "integrity": "sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ=="
+        },
+        "d3-quadtree": {
+          "version": "1.0.7",
+          "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-1.0.7.tgz",
+          "integrity": "sha512-RKPAeXnkC59IDGD0Wu5mANy0Q2V28L+fNe65pOCXVdVuTJS3WPKaJlFHer32Rbh9gIo9qMuJXio8ra4+YmIymA=="
+        },
+        "d3-random": {
+          "version": "1.1.2",
+          "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-1.1.2.tgz",
+          "integrity": "sha512-6AK5BNpIFqP+cx/sreKzNjWbwZQCSUatxq+pPRmFIQaWuoD+NrbVWw7YWpHiXpCQ/NanKdtGDuB+VQcZDaEmYQ=="
+        },
+        "d3-scale": {
+          "version": "2.2.2",
+          "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-2.2.2.tgz",
+          "integrity": "sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw==",
+          "requires": {
+            "d3-array": "^1.2.0",
+            "d3-collection": "1",
+            "d3-format": "1",
+            "d3-interpolate": "1",
+            "d3-time": "1",
+            "d3-time-format": "2"
+          }
+        },
+        "d3-scale-chromatic": {
+          "version": "1.5.0",
+          "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-1.5.0.tgz",
+          "integrity": "sha512-ACcL46DYImpRFMBcpk9HhtIyC7bTBR4fNOPxwVSl0LfulDAwyiHyPOTqcDG1+t5d4P9W7t/2NAuWu59aKko/cg==",
+          "requires": {
+            "d3-color": "1",
+            "d3-interpolate": "1"
+          }
+        },
+        "d3-selection": {
+          "version": "1.4.2",
+          "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-1.4.2.tgz",
+          "integrity": "sha512-SJ0BqYihzOjDnnlfyeHT0e30k0K1+5sR3d5fNueCNeuhZTnGw4M4o8mqJchSwgKMXCNFo+e2VTChiSJ0vYtXkg=="
+        },
+        "d3-shape": {
+          "version": "1.3.7",
+          "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-1.3.7.tgz",
+          "integrity": "sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw==",
+          "requires": {
+            "d3-path": "1"
+          }
+        },
+        "d3-time": {
+          "version": "1.1.0",
+          "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-1.1.0.tgz",
+          "integrity": "sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA=="
+        },
+        "d3-time-format": {
+          "version": "2.3.0",
+          "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.3.0.tgz",
+          "integrity": "sha512-guv6b2H37s2Uq/GefleCDtbe0XZAuy7Wa49VGkPVPMfLL9qObgBST3lEHJBMUp8S7NdLQAGIvr2KXk8Hc98iKQ==",
+          "requires": {
+            "d3-time": "1"
+          }
+        },
+        "d3-timer": {
+          "version": "1.0.10",
+          "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-1.0.10.tgz",
+          "integrity": "sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw=="
+        },
+        "d3-transition": {
+          "version": "1.3.2",
+          "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.3.2.tgz",
+          "integrity": "sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==",
+          "requires": {
+            "d3-color": "1",
+            "d3-dispatch": "1",
+            "d3-ease": "1",
+            "d3-interpolate": "1",
+            "d3-selection": "^1.1.0",
+            "d3-timer": "1"
+          }
+        },
+        "d3-zoom": {
+          "version": "1.8.3",
+          "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-1.8.3.tgz",
+          "integrity": "sha512-VoLXTK4wvy1a0JpH2Il+F2CiOhVu7VRXWF5M/LroMIh3/zBAC3WAt7QoIvPibOavVo20hN6/37vwAsdBejLyKQ==",
+          "requires": {
+            "d3-dispatch": "1",
+            "d3-drag": "1",
+            "d3-interpolate": "1",
+            "d3-selection": "1",
+            "d3-transition": "1"
+          }
+        },
+        "iconv-lite": {
+          "version": "0.4.24",
+          "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+          "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+          "requires": {
+            "safer-buffer": ">= 2.1.2 < 3"
+          }
+        }
+      }
+    },
+    "debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "requires": {
+        "ms": "2.1.2"
+      }
+    },
+    "delaunator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.0.tgz",
+      "integrity": "sha512-AyLvtyJdbv/U1GkiS6gUUzclRoAY4Gs75qkMygJJhU75LW4DNuSF2RMzpxs9jw9Oz1BobHjTdkG3zdP55VxAqw==",
+      "requires": {
+        "robust-predicates": "^3.0.0"
+      }
+    },
+    "devtools-protocol": {
+      "version": "0.0.1001819",
+      "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1001819.tgz",
+      "integrity": "sha512-G6OsIFnv/rDyxSqBa2lDLR6thp9oJioLsb2Gl+LbQlyoA9/OBAkrTU9jiCcQ8Pnh7z4d6slDiLaogR5hzgJLmQ=="
+    },
+    "dompurify": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz",
+      "integrity": "sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw=="
+    },
+    "end-of-stream": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "requires": {
+        "once": "^1.4.0"
+      }
+    },
+    "extract-zip": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/extract-zip/-/extract-zip-2.0.1.tgz",
+      "integrity": "sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg==",
+      "requires": {
+        "@types/yauzl": "^2.9.1",
+        "debug": "^4.1.1",
+        "get-stream": "^5.1.0",
+        "yauzl": "^2.10.0"
+      }
+    },
+    "fd-slicer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
+      "integrity": "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==",
+      "requires": {
+        "pend": "~1.2.0"
+      }
+    },
+    "find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "requires": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      }
+    },
+    "fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
+    },
+    "fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
+    },
+    "get-stream": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.2.0.tgz",
+      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
+      "requires": {
+        "pump": "^3.0.0"
+      }
+    },
+    "glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "requires": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      }
+    },
+    "graphlib": {
+      "version": "2.1.8",
+      "resolved": "https://registry.npmjs.org/graphlib/-/graphlib-2.1.8.tgz",
+      "integrity": "sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==",
+      "requires": {
+        "lodash": "^4.17.15"
+      }
+    },
+    "has-flag": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ=="
+    },
+    "https-proxy-agent": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
+      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
+      "requires": {
+        "agent-base": "6",
+        "debug": "4"
+      }
+    },
+    "iconv-lite": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
+      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "requires": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      }
+    },
+    "ieee754": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
+      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="
+    },
+    "inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "requires": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
+    },
+    "internmap": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz",
+      "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg=="
+    },
+    "khroma": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
+      "integrity": "sha512-2J8rDNlQWbtiNYThZRvmMv5yt44ZakX+Tz5ZIp/mN1pt4snn+m030Va5Z4v8xA0cQFDXBwO/8i42xL4QPsVk3g=="
+    },
+    "locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "requires": {
+        "p-locate": "^4.1.0"
+      }
+    },
+    "lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
+    "mermaid": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-9.1.3.tgz",
+      "integrity": "sha512-jTIYiqKwsUXVCoxHUVkK8t0QN3zSKIdJlb9thT0J5jCnzXyc+gqTbZE2QmjRfavFTPPn5eRy5zaFp7V+6RhxYg==",
+      "requires": {
+        "@braintree/sanitize-url": "^6.0.0",
+        "d3": "^7.0.0",
+        "dagre": "^0.8.5",
+        "dagre-d3": "^0.6.4",
+        "dompurify": "2.3.8",
+        "graphlib": "^2.1.8",
+        "khroma": "^2.0.0",
+        "moment-mini": "^2.24.0",
+        "stylis": "^4.0.10"
+      }
+    },
+    "minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "requires": {
+        "brace-expansion": "^1.1.7"
+      }
+    },
+    "mkdirp-classic": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
+    },
+    "moment-mini": {
+      "version": "2.24.0",
+      "resolved": "https://registry.npmjs.org/moment-mini/-/moment-mini-2.24.0.tgz",
+      "integrity": "sha512-9ARkWHBs+6YJIvrIp0Ik5tyTTtP9PoV0Ssu2Ocq5y9v8+NOOpWiRshAp8c4rZVWTOe+157on/5G+zj5pwIQFEQ=="
+    },
+    "ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node-fetch": {
+      "version": "2.6.7",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "requires": {
+        "whatwg-url": "^5.0.0"
+      }
+    },
+    "once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "requires": {
+        "wrappy": "1"
+      }
+    },
+    "p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "requires": {
+        "p-try": "^2.0.0"
+      }
+    },
+    "p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "requires": {
+        "p-limit": "^2.2.0"
+      }
+    },
+    "p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
+    },
+    "path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w=="
+    },
+    "path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg=="
+    },
+    "pend": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz",
+      "integrity": "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="
+    },
+    "pkg-dir": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz",
+      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
+      "requires": {
+        "find-up": "^4.0.0"
+      }
+    },
+    "progress": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
+      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA=="
+    },
+    "proxy-from-env": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
+    },
+    "pump": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "requires": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "puppeteer": {
+      "version": "14.4.1",
+      "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-14.4.1.tgz",
+      "integrity": "sha512-+H0Gm84aXUvSLdSiDROtLlOofftClgw2TdceMvvCU9UvMryappoeS3+eOLfKvoy4sm8B8MWnYmPhWxVFudAOFQ==",
+      "requires": {
+        "cross-fetch": "3.1.5",
+        "debug": "4.3.4",
+        "devtools-protocol": "0.0.1001819",
+        "extract-zip": "2.0.1",
+        "https-proxy-agent": "5.0.1",
+        "pkg-dir": "4.2.0",
+        "progress": "2.0.3",
+        "proxy-from-env": "1.1.0",
+        "rimraf": "3.0.2",
+        "tar-fs": "2.1.1",
+        "unbzip2-stream": "1.4.3",
+        "ws": "8.7.0"
+      }
+    },
+    "readable-stream": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz",
+      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
+      "requires": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      }
+    },
+    "rimraf": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "requires": {
+        "glob": "^7.1.3"
+      }
+    },
+    "robust-predicates": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.1.tgz",
+      "integrity": "sha512-ndEIpszUHiG4HtDsQLeIuMvRsDnn8c8rYStabochtUeCvfuvNptb5TUbVD68LRAILPX7p9nqQGh4xJgn3EHS/g=="
+    },
+    "rw": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/rw/-/rw-1.3.3.tgz",
+      "integrity": "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="
+    },
+    "safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="
+    },
+    "safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "requires": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
+    "stylis": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.1.1.tgz",
+      "integrity": "sha512-lVrM/bNdhVX2OgBFNa2YJ9Lxj7kPzylieHd3TNjuGE0Re9JB7joL5VUKOVH1kdNNJTgGPpT8hmwIAPLaSyEVFQ=="
+    },
+    "supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "requires": {
+        "has-flag": "^4.0.0"
+      }
+    },
+    "tar-fs": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz",
+      "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==",
+      "requires": {
+        "chownr": "^1.1.1",
+        "mkdirp-classic": "^0.5.2",
+        "pump": "^3.0.0",
+        "tar-stream": "^2.1.4"
+      }
+    },
+    "tar-stream": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
+      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
+      "requires": {
+        "bl": "^4.0.3",
+        "end-of-stream": "^1.4.1",
+        "fs-constants": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1"
+      }
+    },
+    "through": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
+      "integrity": "sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg=="
+    },
+    "tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "unbzip2-stream": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
+      "integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
+      "requires": {
+        "buffer": "^5.2.1",
+        "through": "^2.3.8"
+      }
+    },
+    "util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
+    "webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "requires": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    },
+    "wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    },
+    "ws": {
+      "version": "8.7.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.7.0.tgz",
+      "integrity": "sha512-c2gsP0PRwcLFzUiA8Mkr37/MI7ilIlHQxaEAtd0uNMbVMoy8puJyafRlm0bV9MbGSabUPeLrRRaqIBcFcA2Pqg==",
+      "requires": {}
+    },
+    "yauzl": {
+      "version": "2.10.0",
+      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
+      "integrity": "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==",
+      "requires": {
+        "buffer-crc32": "~0.2.3",
+        "fd-slicer": "~1.1.0"
+      }
+    }
+  }
+}
diff --git a/docs/package.json b/docs/package.json
new file mode 100644
index 00000000..96ba9fc2
--- /dev/null
+++ b/docs/package.json
@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "@mermaid-js/mermaid-cli": "^9.1.3"
+  }
+}
diff --git a/docs/source/conf.py b/docs/source/conf.py
new file mode 100644
index 00000000..7de6dcbf
--- /dev/null
+++ b/docs/source/conf.py
@@ -0,0 +1,53 @@
+import os
+# Configuration file for the Sphinx documentation builder.
+
+# -- Project information
+
+project = 'PGPainless'
+copyright = '2022, Paul Schaub'
+author = 'Paul Schaub'
+
+# https://protips.readthedocs.io/git-tag-version.html
+latest_tag = os.popen('git describe --abbrev=0').read().strip()
+release = latest_tag
+version = release
+
+myst_substitutions = {
+  "repo_host" : "codeberg.org"
+}
+
+
+
+
+# -- General configuration
+
+extensions = [
+    'myst_parser',
+    'sphinxcontrib.mermaid',
+    'sphinx.ext.duration',
+    'sphinx.ext.doctest',
+    'sphinx.ext.autodoc',
+    'sphinx.ext.autosummary',
+]
+
+source_suffix = ['.rst', '.md']
+
+myst_enable_extensions = [
+    'colon_fence',
+    'substitution',
+]
+
+myst_heading_anchors = 3
+
+templates_path = ['_templates']
+
+# -- Options for HTML output
+
+html_theme = 'sphinx_rtd_theme'
+
+# -- Options for EPUB output
+#epub_show_urls = 'footnote'
+
+mermaid_cmd = "./node_modules/.bin/mmdc"
+mermaid_output_format = 'png'
+mermaid_params = ['--theme', 'default', '--width', '800', '--backgroundColor', 'transparent']
diff --git a/docs/source/ecosystem.md b/docs/source/ecosystem.md
new file mode 100644
index 00000000..30d8d6a3
--- /dev/null
+++ b/docs/source/ecosystem.md
@@ -0,0 +1,85 @@
+# The PGPainless Ecosystem
+
+PGPainless consists of an ecosystem of different libraries and projects.
+
+The diagram below shows, how the different projects relate to one another.
+
+```{mermaid}
+flowchart LR
+    subgraph SOP-JAVA
+    sop-java-picocli-->sop-java
+    end
+    subgraph PGPAINLESS
+    pgpainless-sop-->pgpainless-core
+    pgpainless-sop-->sop-java
+    pgpainless-cli-->pgpainless-sop
+    pgpainless-cli-->sop-java-picocli
+    end
+    subgraph WKD-JAVA
+    wkd-java-cli-->wkd-java
+    wkd-test-suite-->wkd-java
+    wkd-test-suite-->pgpainless-core
+    end
+    subgraph CERT-D-JAVA
+    pgp-cert-d-java-->pgp-certificate-store
+    pgp-cert-d-java-jdbc-sqlite-lookup-->pgp-cert-d-java
+    end
+    subgraph CERT-D-PGPAINLESS
+    pgpainless-cert-d-->pgpainless-core
+    pgpainless-cert-d-->pgp-cert-d-java
+    pgpainless-cert-d-cli-->pgpainless-cert-d
+    pgpainless-cert-d-cli-->pgp-cert-d-java-jdbc-sqlite-lookup
+    end
+    subgraph VKS-JAVA
+    vks-java-cli-->vks-java
+    end
+    subgraph PGPEASY
+    pgpeasy-->pgpainless-cli
+    pgpeasy-->wkd-java-cli
+    pgpeasy-->vks-java-cli
+    pgpeasy-->pgpainless-cert-d-cli
+    end
+    wkd-java-cli-->pgpainless-cert-d
+    wkd-java-->pgp-certificate-store
+```
+
+## Libraries and Tools
+
+* {{ '[PGPainless](https://{}/pgpainless/pgpainless)'.format(repo_host) }}  
+  The main repository contains the following components:
+    * `pgpainless-core` - core implementation - powerful, yet easy to use OpenPGP API
+    * `pgpainless-sop` - super simple OpenPGP implementation. Drop-in for `sop-java`
+    * `pgpainless-cli` - SOP CLI implementation using PGPainless
+
+* {{ '[SOP-Java](https://{}/pgpainless/sop-java)'.format(repo_host) }}  
+  An API definition and CLI implementation of the [Stateless OpenPGP Protocol](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/) (SOP).
+  Consumers of the SOP API can simply depend on `sop-java` and then switch out the backend as they wish.
+  Read more about the [SOP](sop) protocol here.
+    * `sop-java` - generic OpenPGP API definition
+    * `sop-java-picocli` - CLI frontend for `sop-java`
+
+* {{ '[WKD-Java](https://{}/pgpainless/wkd-java)'.format(repo_host) }}  
+  Implementation of the [Web Key Directory](https://www.ietf.org/archive/id/draft-koch-openpgp-webkey-service-13.html).
+    * `wkd-java` - generic WKD discovery implementation
+    * `wkd-java-cli` - CLI frontend for WKD discovery using PGPainless
+    * `wkd-test-suite` - Generator for test vectors for testing WKD implementations
+
+* {{ '[VKS-Java](https://{}/pgpainless/vks-java)'.format(repo_host) }}  
+  Client-side API for communicating with Verifying Key Servers, such as https://keys.openpgp.org/.
+    * `vks-java` - VKS client implementation
+    * `vks-java-cli` - CLI frontend for `vks-java`
+
+* {{ '[Cert-D-Java](https://{}/pgpainless/cert-d-java)'.format(repo_host) }}  
+  Implementations of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/).
+    * `pgp-certificate-store` - abstract definitions of OpenPGP certificate stores
+    * `pgp-cert-d-java` - implementation of `pgp-certificate-store` following the PGP-CERT-D spec
+    * `pgp-cert-d-java-jdbc-sqlite-lookup` - subkey lookup using sqlite database
+
+* {{ '[Cert-D-PGPainless](https://{}/pgpainless/cert-d-pgpainless)'.format(repo_host) }}  
+  Implementation of the [Shared OpenPGP Certificate Directory specification](https://sequoia-pgp.gitlab.io/pgp-cert-d/) using PGPainless.
+    * `pgpainless-cert-d` - PGPainless-based implementation of `pgp-cert-d-java`
+    * `pgpainless-cert-d-cli` - CLI frontend for `pgpainless-cert-d`
+
+* {{ '[PGPeasy](https://{}/pgpainless/pgpeasy)'.format(repo_host) }}  
+  Prototypical, comprehensive OpenPGP CLI application
+  * `pgpeasy` - CLI application
\ No newline at end of file
diff --git a/docs/source/index.rst b/docs/source/index.rst
new file mode 100644
index 00000000..19390f15
--- /dev/null
+++ b/docs/source/index.rst
@@ -0,0 +1,25 @@
+PGPainless - Painless OpenPGP
+=============================
+
+**OpenPGP** (`RFC 4480 `_) is an Internet Standard mostly used for email encryption.
+It provides mechanisms to ensure *confidentiality*, *integrity* and *authenticity* of messages.
+However, OpenPGP can also be used for other purposes, such as secure messaging or as a signature mechanism for software distribution.
+
+**PGPainless** strives to improve the (currently pretty dire) state of the ecosystem of Java libraries and tooling for OpenPGP.
+
+The library focuses on being easy and intuitive to use without getting into your way.
+Common functions such as creating keys, encrypting data, and so on are implemented using a builder structure that guides you through the necessary steps.
+
+Internally, it is based on `Bouncy Castles `_ mighty, but low-level OpenPGP API.
+PGPainless' goal is to empower you to use OpenPGP without needing to write all the boilerplate code required by Bouncy Castle.
+It aims to be secure by default while allowing customization if required.
+
+
+Contents
+--------
+
+.. toctree::
+
+   quickstart.md
+   ecosystem.md
+   sop.md
diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
new file mode 100644
index 00000000..c1d39d47
--- /dev/null
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -0,0 +1,27 @@
+## PGPainless API with pgpainless-core
+
+Coming soon.
+
+### Setup
+bla
+
+### Generate a Key
+bla
+
+### Extract a Certificate
+bla
+
+### Apply / Remove ASCII Armor
+bla
+
+### Encrypt a Message
+bla
+
+### Decrypt a Message
+bla
+
+### Sign a Message
+bla
+
+### Verify a Signature
+bla
diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
new file mode 100644
index 00000000..10a06541
--- /dev/null
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -0,0 +1,369 @@
+## SOP API with pgpainless-sop
+
+The Stateless OpenPGP Protocol (SOP) defines a simplistic interface for the most important OpenPGP operations.
+It allows you to encrypt, decrypt, sign and verify messages, generate keys and add/remove ASCII armor from data.
+However, it does not yet provide tools for key management.
+Furthermore, the implementation is deciding for you, which (secure) algorithms to use, and it doesn't let you
+change those.
+
+If you want to read more about the background of the SOP protocol, there is a [whole chapter](../sop) dedicated to it.
+
+### Setup
+
+PGPainless' releases are published to and can be fetched from Maven Central.
+To get started, you first need to include `pgpainless-sop` in your projects build script.
+```
+// If you use Gradle
+...
+dependencies {
+    ...
+    implementation "org.pgpainless:pgpainless-sop:XYZ"
+    ...
+}
+
+// If you use Maven
+...
+
+    ...
+    
+        org.pgpainless
+        pgpainless-sop
+        XYZ
+    
+    ...
+
+```
+
+:::{important}
+Replace `XYZ` with the current version, e.g. {{ env.config.version }}!
+:::
+
+The entry point to the API is the `SOP` interface, for which `pgpainless-sop` provides a concrete implementation
+`SOPImpl`.
+
+```java
+// Instantiate the API
+SOP sop = new SOPImpl();
+```
+
+Now you are ready to go!
+
+### Generate a Key
+
+To generate a new OpenPGP key, the method `SOP.generateKey()` is your friend:
+
+```java
+// generate key
+byte[] keyBytes = sop.generateKey()
+        .userId("John Doe ")
+        .withKeyPassword("f00b4r")
+        .generate()
+        .getBytes();
+```
+
+The call `userId(String userId)` can be called multiple times to add multiple user-ids to the key, but it MUST
+be called at least once.
+The argument given in the first invocation will become the keys primary user-id.
+
+Optionally, the key can be protected with a password by calling `withKeyPassword(String password)`.
+If this method is not called, the key will be unprotected.
+
+The `generate()` method call generates the key and returns a `Ready` object.
+This in turn can be used to write the result to a stream via `writeTo(OutputStream out)`, or to get the result
+as bytes via `getBytes()`.
+In both cases, the resulting output will be the UTF8 encoded, ASCII armored OpenPGP secret key.
+
+To disable ASCII armoring, call `noArmor()` before calling `generate()`.
+
+At the time of writing, the resulting OpenPGP secret key will consist of a certification-capable 256-bits
+ed25519 EdDSA primary key, a 256-bits ed25519 EdDSA subkey used for signing, as well as a 256-bits X25519
+ECDH subkey for encryption.
+
+The whole key does not have an expiration date set.
+
+### Extract a Certificate
+
+Now that you generated your secret key, you probably want to share the public key with your contacts.
+To extract the OpenPGP public key (which we will call *certificate* from now on) from the secret key,
+use the `SOP.extractCert()` method call:
+
+```java
+// extract certificate
+byte[] certificateBytes = sop.extractCert()
+        .key(keyBytes)
+        .getBytes();
+```
+
+The `key(_)` method either takes a byte array (like in the example), or an `InputStream`.
+In both cases it returns another `Ready` object from which the certificate can be accessed, either via
+`writeTo(OutputStream out)` or `getBytes()`.
+
+By default, the resulting certificate will be ASCII armored, regardless of whether the input key was armored or not.
+To disable ASCII armoring, call `noArmor()` before calling `key(_)`.
+
+In our example, `certificateBytes` can now safely be shared with anyone.
+
+### Apply / Remove ASCII Armor
+
+Perhaps you want to print your secret key onto a piece of paper for backup purposes,
+but you accidentally called `noArmor()` when generating the key.
+
+To add ASCII armor to some binary OpenPGP data, the `armor()` API can be used:
+
+```java
+// wrap data in ASCII armor
+byte[] armoredData = sop.armor()
+        .data(binaryData)
+        .getBytes();
+```
+
+The `data(_)` method can either be called by providing a byte array, or an `InputStream`.
+
+:::{note}
+There is a `label(ArmorLabel label)` method, which could theoretically be used to define the label used in the
+ASCII armor header.
+However, this method is not (yet?) supported by `pgpainless-sop` and will currently throw an `UnsupportedOption`
+exception.
+Instead, the implementation will figure out the data type and set the respective label on its own.
+:::
+
+To remove ASCII armor from armored data, simply use the `dearmor()` API:
+
+```java
+// remove ASCII armor
+byte[] binaryData = sop.unarmor()
+        .data(armoredData)
+        .getBytes();
+```
+
+Once again, the `data(_)` method can be called either with a byte array or an `InputStream` as argument.
+
+If the input data is not validly armored OpenPGP data, the `data(_)` method call will throw a `BadData` exception.
+
+### Encrypt a Message
+
+Now lets get to the juicy part and finally encrypt a message!
+In this example, we will assume that Alice is the sender that wants to send a message to Bob.
+Beforehand, Alice acquired Bobs certificate, e.g. by fetching it from a key server.
+
+To encrypt a message, you can make use of the `encrypt()` API:
+
+```java
+// encrypt and sign a message
+byte[] aliceKey = ...;  // Alice' secret key
+byte[] aliceCert = ...; // Alice' certificate (e.g. via extractCert())
+byte[] bobCert = ...;   // Bobs certificate
+
+byte[] plaintext = "Hello, World!\n".getBytes(); // plaintext
+
+byte[] ciphertext = sop.encrypt()
+        // encrypt for each recipient
+        .withCert(bobCert)
+        .withCert(aliceCert)
+        // Optionally: Sign the message
+        .signWith(aliceKey)
+        .withKeyPassword("sw0rdf1sh") // if signing key is protected
+        // provide the plaintext
+        .plaintext(plaintext)
+        .getBytes();
+```
+
+Here you encrypt the message for each recipient (Alice probably wants to be able to decrypt the message too!)
+by calling `withCert(_)` with the recipients certificate as argument. It does not matter, if the certificate
+is ASCII armored or not, and the method can either be called with a byte array or an `InputStream` as argument.
+
+The API not only supports asymmetric encryption via OpenPGP certificates, but it can also encrypt messages
+symmetrically using one or more passwords. Both mechanisms can even be used together in the same message!
+To (additionally or exclusively) encrypt the message for a password, simply call `withPassword(String password)`
+before the `plaintext(_)` method call.
+
+It is recommended (but not required) to sign encrypted messages.
+In order to sign the message before encryption is applied, call `signWith(_)` with the signing key as argument.
+This method call can be repeated multiple times to sign the message with multiple signing keys.
+
+If any keys used for signing are password protected, you need to provide the signing key password via
+`withKeyPassword(_)`.
+It does not matter in which order signing keys and key passwords are provided, the implementation will figure out
+matches on its own. If different key passwords are used, the `withKeyPassword(_)` method can be called multiple times.
+
+By default, the encrypted message will be ASCII armored. To disable ASCII armor, call `noArmor()` before the
+`plaintext(_)` method call.
+
+Lastly, you need to provide the plaintext by calling `plaintext(_)` with either a byte array or an `InputStream`
+as argument.
+The ciphertext can then be accessed from the resulting `Ready` object as usual.
+
+### Decrypt a Message
+
+Now let's switch perspective and help Bob decrypt the message from Alice.
+
+Decrypting encrypted messages is done in a similar fashion using the `decrypt()` API:
+
+```java
+// decrypt a message and verify its signature(s)
+byte[] aliceCert = ...; // Alice' certificate
+byte[] bobKey = ...;    // Bobs secret key 
+byte[] bobCert = ...;   // Bobs certificate
+
+byte[] ciphertext = ...; // the encrypted message
+
+ReadyWithResult readyWithResult = sop.decrypt()
+        .withKey(bobKey)
+        .verifyWith(aliceCert)
+        .withKeyPassword("password123") // if decryption key is protected
+        .ciphertext(ciphertext);
+```
+
+The `ReadyWithResult` can now be processed in two different ways, depending on whether you want the
+plaintext as bytes or simply write it out to an `OutputStream`.
+
+To get the plaintext bytes directly, you shall proceed as follows:
+
+```java
+ByteArrayAndResult bytesAndResult = readyWithResult.toByteArrayAndResult();
+DecryptionResult result = bytesAndResult.getResult();
+byte[] plaintext = bytesAndResult.getBytes();
+```
+
+If you instead want to write the plaintext out to an `OutputStream`, the following code can be used:
+
+```java
+OutputStream out = ...;
+DecryptionResult result = readyWithResult.writeTo(out);
+```
+
+Note, that in both cases you acquire a `DecryptionResult` object. This contains information about the message,
+such as which signatures could successfully be verified.
+
+If you provided the senders certificate for the purpose of signature verification via `verifyWith(_)`, you now
+probably want to check, if the message was actually signed by the sender by checking `result.getVerifications()`.
+
+:::{note}
+Signature verification will be discussed in more detail in section [](#verify-a-signature)
+:::
+
+If the message was encrypted symmetrically using a password, you can also decrypt is symmetrically by calling
+`withPassword(String password)` before the `ciphertext(_)` method call. This method call can be repeated multiple
+times. The implementation will try different passwords until it finds a matching one.
+
+### Sign a Message
+
+There are three different main ways of signing a message:
+* Inline Signatures
+* Cleartext Signatures
+* Detached Signatures
+
+An inline-signature will be part of the message itself (e.g. like with messages that are encrypted *and* signed).
+Inline-signed messages are not human-readable without prior processing.
+
+A cleartext signature makes use of the [cleartext signature framework](https://datatracker.ietf.org/doc/html/rfc4880#section-7).
+Messages signed in this way do have an ASCII armor header and footer, yet the content of the message is still
+human-readable without special software.
+
+Lastly, a detached signature can be distributed as an extra file alongside the message without altering it.
+This is useful if the plaintext itself cannot be modified (e.g. if a binary file is signed).
+
+The SOP API can generate all of those signature types.
+
+#### Inline-Signatures
+
+Let's start with an inline signature:
+
+```java
+byte[] signingKey = ...;
+byte[] message = ...;
+
+byte[] inlineSignedMessage = sop.inlineSign()
+        .mode(InlineSignAs.Text) // or 'Binary'
+        .key(signingKey)
+        .withKeyPassword("fnord")
+        .data(message)
+        .getBytes();
+```
+
+You can choose between two different signature formats which can be set using `mode(InlineSignAs mode)`.
+The default value is `Binary`. You can also set it to `Text` which signals to the receiver that the data is
+UTF8 text.
+
+:::{note}
+For inline signatures, do NOT set the `mode()` to `CleartextSigned`, as that will create message which uses the
+cleartext signature framework (see further below).
+:::
+
+You must provide at least one signing key using `key(_)` in order to be able to sign the message.
+
+If any key is password protected, you need to provide its password using `withKeyPassword(_)` which
+can be called multiple times to provide multiple passwords.
+
+Once you provide the plaintext using `data(_)` with either a byte array or an `InputStream` as argument,
+you will get a `Ready` object back, from which the signed message can be retrieved as usual.
+
+By default, the signed message will be ASCII armored. This can be disabled by calling `noArmor()`
+before the `data(_)` method call.
+
+#### Cleartext Signatures
+
+A cleartext-signed message can be generated in a similar way to an inline-signed message, however,
+there are is one subtle difference:
+
+```java
+byte[] signingKey = ...;
+byte[] message = ...;
+
+byte[] cleartextSignedMessage = sop.inlineSign()
+        .mode(InlineSignAs.CleartextSigned) // This MUST be set
+        .key(signingKey)
+        .withKeyPassword("fnord")
+        .data(message)
+        .getBytes();
+```
+
+:::{important}
+In order to produce a cleartext-signed message, the signature mode MUST be set to `CleartextSigned`
+by calling `mode(InlineSignAs.CleartextSigned)`.
+:::
+
+:::{note}
+Calling `noArmor()` will have no effect for cleartext-signed messages, so such method call will be ignored.
+:::
+
+#### Detached Signatures
+
+As the name suggests, detached signatures are detached from the message itself and can be distributed separately.
+
+To produce a detached signature, the `detachedSign()` API is used:
+
+```java
+byte[] signingKey = ...;
+byte[] message = ...;
+
+ReadyWithResult readyWithResult = sop.detachedSign()
+        .key(signingKey)
+        .withKeyPassword("fnord")
+        .data(message);
+```
+
+Here you have the choice, how you want to write out the signature.
+If you want to write the signature to an `OutputStream`, you can do the following:
+
+```java
+OutputStream out = ...;
+SigningResult result = readyWithResult.writeTo(out);
+```
+
+If instead you want to get the signature as a byte array, do this instead:
+
+```java
+ByteArrayAndResult bytesAndResult = readyWithResult.toByteArrayAndResult();
+SigningResult result = bytesAndResult.getResult();
+byte[] detachedSignature = bytesAndResult.getBytes();
+```
+
+In any case, the detached signature can now be distributed alongside the original message.
+
+By default, the resulting detached signature will be ASCII armored. This can be disabled by calling `noArmor()`
+prior to calling `data(_)`.
+
+The `SigningResult` object you got back in both cases contains information about the signature.
+
+### Verify a Signature
\ No newline at end of file
diff --git a/docs/source/quickstart.md b/docs/source/quickstart.md
new file mode 100644
index 00000000..7cfee56c
--- /dev/null
+++ b/docs/source/quickstart.md
@@ -0,0 +1,20 @@
+# Quickstart Guide
+
+In this guide, we will get you started with OpenPGP using PGPainless as quickly as possible.
+
+At first though, you need to decide which API you want to use;
+
+* PGPainless' core API is powerful and heavily customizable
+* The SOP API is a bit less powerful, but *dead* simple to use
+
+The SOP API is the recommended way to go if you just want to get started already.
+
+In case you need more technical documentation, Javadoc can be found in the following places:
+* For the core API: {{ '[pgpainless-core](https://javadoc.io/doc/org.pgpainless/pgpainless-core/{}/index.html)'.format(env.config.version) }}
+* For the SOP API: {{ '[pgpainless-sop](https://javadoc.io/doc/org.pgpainless/pgpainless-sop/{}/index.html)'.format(env.config.version) }}
+
+```{include} pgpainless-sop/quickstart.md
+```
+
+```{include} pgpainless-core/quickstart.md
+```
\ No newline at end of file
diff --git a/docs/source/sop.md b/docs/source/sop.md
new file mode 100644
index 00000000..5dbf6dc7
--- /dev/null
+++ b/docs/source/sop.md
@@ -0,0 +1,3 @@
+# Stateless OpenPGP Protocol (SOP)
+
+Lorem ipsum dolor sit amet.
\ No newline at end of file

From c916cec0425a8f43abcc26266b2661c4595f1f3f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Jul 2022 00:13:50 +0200
Subject: [PATCH 0533/1450] URL footnotes in pdf and conf.py documentation

---
 docs/source/conf.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/docs/source/conf.py b/docs/source/conf.py
index 7de6dcbf..9c42bc9b 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -13,12 +13,9 @@ release = latest_tag
 version = release
 
 myst_substitutions = {
-  "repo_host" : "codeberg.org"
+  "repo_host" : "codeberg.org" # or 'github.com'
 }
 
-
-
-
 # -- General configuration
 
 extensions = [
@@ -45,9 +42,11 @@ templates_path = ['_templates']
 
 html_theme = 'sphinx_rtd_theme'
 
-# -- Options for EPUB output
+# Show URLs as footnotes
 #epub_show_urls = 'footnote'
+latex_show_urls = 'footnote'
 
 mermaid_cmd = "./node_modules/.bin/mmdc"
+# 'raw' does not work for epub and pdf, neither does 'svg'
 mermaid_output_format = 'png'
 mermaid_params = ['--theme', 'default', '--width', '800', '--backgroundColor', 'transparent']

From 556496dc87d62b7f44c0c2385f88915a137502df Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 7 Jul 2022 00:44:28 +0200
Subject: [PATCH 0534/1450] Add .readthedocs.yaml

---
 .readthedocs.yaml     | 30 ++++++++++++++++++++++++++++++
 docs/requirements.txt |  2 ++
 docs/source/conf.py   |  2 ++
 3 files changed, 34 insertions(+)
 create mode 100644 .readthedocs.yaml
 create mode 100644 docs/requirements.txt

diff --git a/.readthedocs.yaml b/.readthedocs.yaml
new file mode 100644
index 00000000..12a92ce6
--- /dev/null
+++ b/.readthedocs.yaml
@@ -0,0 +1,30 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+  os: ubuntu-20.04
+  tools:
+    python: "3.9"
+    # You can also specify other tool versions:
+    nodejs: "16"
+    # rust: "1.55"
+    # golang: "1.17"
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+   configuration: docs/source/conf.py
+
+# If using Sphinx, optionally build your docs in additional formats such as PDF
+formats:
+    - pdf
+    - epub
+
+# Optionally declare the Python requirements required to build your docs
+python:
+   install:
+   - requirements: docs/requirements.txt
diff --git a/docs/requirements.txt b/docs/requirements.txt
new file mode 100644
index 00000000..1d5e0d5b
--- /dev/null
+++ b/docs/requirements.txt
@@ -0,0 +1,2 @@
+myst-parser>=0.17
+sphinxcontrib-mermaid>=0.7.1
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 9c42bc9b..a715c183 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -7,6 +7,8 @@ project = 'PGPainless'
 copyright = '2022, Paul Schaub'
 author = 'Paul Schaub'
 
+master_doc = 'index'
+
 # https://protips.readthedocs.io/git-tag-version.html
 latest_tag = os.popen('git describe --abbrev=0').read().strip()
 release = latest_tag

From 6f2b5ed1ca65a40ec6b2faa3b496d9e50f8e5a40 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 00:21:40 +0200
Subject: [PATCH 0535/1450] Fix mermaid-cli cmd

---
 .gitignore                                |    2 +-
 .readthedocs.yaml                         |   12 +-
 .reuse/dep5                               |    9 +
 docs/package-lock.json                    | 2626 ---------------------
 docs/package.json                         |    5 -
 docs/source/conf.py                       |    3 +-
 docs/source/ecosystem.md                  |   41 +-
 docs/source/ecosystem_dia.md              |   38 +
 docs/source/ecosystem_dia.png             |  Bin 0 -> 110743 bytes
 docs/source/ecosystem_dia.svg             |    1 +
 docs/source/index.rst                     |    2 +-
 docs/source/pgpainless-core/quickstart.md |    4 +
 docs/source/pgpainless-sop/quickstart.md  |  101 +-
 docs/source/sop.md                        |    9 +-
 14 files changed, 177 insertions(+), 2676 deletions(-)
 delete mode 100644 docs/package-lock.json
 delete mode 100644 docs/package.json
 create mode 100644 docs/source/ecosystem_dia.md
 create mode 100644 docs/source/ecosystem_dia.png
 create mode 100644 docs/source/ecosystem_dia.svg

diff --git a/.gitignore b/.gitignore
index 744e25e8..0a0ff0f1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,4 +32,4 @@ pgpainless-core/.settings/
 
 push_html.sh
 
-docs/node_modules
+node_modules
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
index 12a92ce6..1d6088af 100644
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -8,12 +8,22 @@ version: 2
 # Set the version of Python and other tools you might need
 build:
   os: ubuntu-20.04
+  # apt_packages:
+    # - libgtk-3-0
+    # - libasound2
+    # - libnss3
+    # - libxss1
+    # - libgbm1
+    # - libxshmfence1
   tools:
     python: "3.9"
     # You can also specify other tool versions:
-    nodejs: "16"
+    # nodejs: "16"
     # rust: "1.55"
     # golang: "1.17"
+  # jobs:
+    # post_install:
+      # - npm install -g @mermaid-js/mermaid-cli
 
 # Build documentation in the docs/ directory with Sphinx
 sphinx:
diff --git a/.reuse/dep5 b/.reuse/dep5
index f820f003..f7656261 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -9,6 +9,15 @@ Source: https://pgpainless.org
 # Copyright: $YEAR $NAME <$CONTACT>
 # License: ...
 
+# Documentation
+Files: docs/*
+Copyright: 2022 Paul Schaub 
+License: CC-BY-3.0
+
+Files: .readthedocs.yaml
+Copyright: 2022 Paul Schaub 
+License: CC0-1.0
+
 # Gradle build tool
 Files: gradle*
 Copyright: 2015 the original author or authors.
diff --git a/docs/package-lock.json b/docs/package-lock.json
deleted file mode 100644
index c75cb36f..00000000
--- a/docs/package-lock.json
+++ /dev/null
@@ -1,2626 +0,0 @@
-{
-  "name": "docs",
-  "lockfileVersion": 2,
-  "requires": true,
-  "packages": {
-    "": {
-      "dependencies": {
-        "@mermaid-js/mermaid-cli": "^9.1.3"
-      }
-    },
-    "node_modules/@braintree/sanitize-url": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz",
-      "integrity": "sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w=="
-    },
-    "node_modules/@mermaid-js/mermaid-cli": {
-      "version": "9.1.3",
-      "resolved": "https://registry.npmjs.org/@mermaid-js/mermaid-cli/-/mermaid-cli-9.1.3.tgz",
-      "integrity": "sha512-R7VFArRIhczOejWtKT2Ii8MVKayjpiY6hebGqtcmA8FGSUXDgB4QzK5z9zpOfh1k90XH0PzPpTlL4KXnFfDx1Q==",
-      "dependencies": {
-        "chalk": "^4.1.0",
-        "commander": "^9.0.0",
-        "mermaid": "^9.0.0",
-        "puppeteer": "^14.1.0"
-      },
-      "bin": {
-        "mmdc": "index.bundle.js"
-      }
-    },
-    "node_modules/@types/node": {
-      "version": "18.0.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.0.3.tgz",
-      "integrity": "sha512-HzNRZtp4eepNitP+BD6k2L6DROIDG4Q0fm4x+dwfsr6LGmROENnok75VGw40628xf+iR24WeMFcHuuBDUAzzsQ==",
-      "optional": true
-    },
-    "node_modules/@types/yauzl": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.10.0.tgz",
-      "integrity": "sha512-Cn6WYCm0tXv8p6k+A8PvbDG763EDpBoTzHdA+Q/MF6H3sapGjCm9NzoaJncJS9tUKSuCoDs9XHxYYsQDgxR6kw==",
-      "optional": true,
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
-    "node_modules/agent-base": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
-      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
-      "dependencies": {
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-      "dependencies": {
-        "color-convert": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
-      }
-    },
-    "node_modules/balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
-    },
-    "node_modules/base64-js": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
-      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ]
-    },
-    "node_modules/bl": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
-      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
-      "dependencies": {
-        "buffer": "^5.5.0",
-        "inherits": "^2.0.4",
-        "readable-stream": "^3.4.0"
-      }
-    },
-    "node_modules/brace-expansion": {
-      "version": "1.1.11",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
-      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
-      "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
-    "node_modules/buffer": {
-      "version": "5.7.1",
-      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
-      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "dependencies": {
-        "base64-js": "^1.3.1",
-        "ieee754": "^1.1.13"
-      }
-    },
-    "node_modules/buffer-crc32": {
-      "version": "0.2.13",
-      "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
-      "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ==",
-      "engines": {
-        "node": "*"
-      }
-    },
-    "node_modules/chalk": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
-      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
-      "dependencies": {
-        "ansi-styles": "^4.1.0",
-        "supports-color": "^7.1.0"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/chalk?sponsor=1"
-      }
-    },
-    "node_modules/chownr": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
-      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
-    },
-    "node_modules/color-convert": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "dependencies": {
-        "color-name": "~1.1.4"
-      },
-      "engines": {
-        "node": ">=7.0.0"
-      }
-    },
-    "node_modules/color-name": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
-    },
-    "node_modules/commander": {
-      "version": "9.3.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-9.3.0.tgz",
-      "integrity": "sha512-hv95iU5uXPbK83mjrJKuZyFM/LBAoCV/XhVGkS5Je6tl7sxr6A0ITMw5WoRV46/UaJ46Nllm3Xt7IaJhXTIkzw==",
-      "engines": {
-        "node": "^12.20.0 || >=14"
-      }
-    },
-    "node_modules/concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="
-    },
-    "node_modules/cross-fetch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.1.5.tgz",
-      "integrity": "sha512-lvb1SBsI0Z7GDwmuid+mU3kWVBwTVUbe7S0H52yaaAdQOXq2YktTCZdlAcNKFzE6QtRz0snpw9bNiPeOIkkQvw==",
-      "dependencies": {
-        "node-fetch": "2.6.7"
-      }
-    },
-    "node_modules/d3": {
-      "version": "7.6.1",
-      "resolved": "https://registry.npmjs.org/d3/-/d3-7.6.1.tgz",
-      "integrity": "sha512-txMTdIHFbcpLx+8a0IFhZsbp+PfBBPt8yfbmukZTQFroKuFqIwqswF0qE5JXWefylaAVpSXFoKm3yP+jpNLFLw==",
-      "dependencies": {
-        "d3-array": "3",
-        "d3-axis": "3",
-        "d3-brush": "3",
-        "d3-chord": "3",
-        "d3-color": "3",
-        "d3-contour": "4",
-        "d3-delaunay": "6",
-        "d3-dispatch": "3",
-        "d3-drag": "3",
-        "d3-dsv": "3",
-        "d3-ease": "3",
-        "d3-fetch": "3",
-        "d3-force": "3",
-        "d3-format": "3",
-        "d3-geo": "3",
-        "d3-hierarchy": "3",
-        "d3-interpolate": "3",
-        "d3-path": "3",
-        "d3-polygon": "3",
-        "d3-quadtree": "3",
-        "d3-random": "3",
-        "d3-scale": "4",
-        "d3-scale-chromatic": "3",
-        "d3-selection": "3",
-        "d3-shape": "3",
-        "d3-time": "3",
-        "d3-time-format": "4",
-        "d3-timer": "3",
-        "d3-transition": "3",
-        "d3-zoom": "3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-array": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.0.tgz",
-      "integrity": "sha512-3yXFQo0oG3QCxbF06rMPFyGRMGJNS7NvsV1+2joOjbBE+9xvWQ8+GcMJAjRCzw06zQ3/arXeJgbPYcjUCuC+3g==",
-      "dependencies": {
-        "internmap": "1 - 2"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-axis": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-3.0.0.tgz",
-      "integrity": "sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-brush": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-3.0.0.tgz",
-      "integrity": "sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ==",
-      "dependencies": {
-        "d3-dispatch": "1 - 3",
-        "d3-drag": "2 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-selection": "3",
-        "d3-transition": "3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-chord": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-3.0.1.tgz",
-      "integrity": "sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g==",
-      "dependencies": {
-        "d3-path": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-collection": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/d3-collection/-/d3-collection-1.0.7.tgz",
-      "integrity": "sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A=="
-    },
-    "node_modules/d3-color": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz",
-      "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-contour": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-4.0.0.tgz",
-      "integrity": "sha512-7aQo0QHUTu/Ko3cP9YK9yUTxtoDEiDGwnBHyLxG5M4vqlBkO/uixMRele3nfsfj6UXOcuReVpVXzAboGraYIJw==",
-      "dependencies": {
-        "d3-array": "^3.2.0"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-delaunay": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/d3-delaunay/-/d3-delaunay-6.0.2.tgz",
-      "integrity": "sha512-IMLNldruDQScrcfT+MWnazhHbDJhcRJyOEBAJfwQnHle1RPh6WDuLvxNArUju2VSMSUuKlY5BGHRJ2cYyoFLQQ==",
-      "dependencies": {
-        "delaunator": "5"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-dispatch": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-3.0.1.tgz",
-      "integrity": "sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-drag": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-3.0.0.tgz",
-      "integrity": "sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg==",
-      "dependencies": {
-        "d3-dispatch": "1 - 3",
-        "d3-selection": "3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-dsv": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-3.0.1.tgz",
-      "integrity": "sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q==",
-      "dependencies": {
-        "commander": "7",
-        "iconv-lite": "0.6",
-        "rw": "1"
-      },
-      "bin": {
-        "csv2json": "bin/dsv2json.js",
-        "csv2tsv": "bin/dsv2dsv.js",
-        "dsv2dsv": "bin/dsv2dsv.js",
-        "dsv2json": "bin/dsv2json.js",
-        "json2csv": "bin/json2dsv.js",
-        "json2dsv": "bin/json2dsv.js",
-        "json2tsv": "bin/json2dsv.js",
-        "tsv2csv": "bin/dsv2dsv.js",
-        "tsv2json": "bin/dsv2json.js"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-dsv/node_modules/commander": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-7.2.0.tgz",
-      "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==",
-      "engines": {
-        "node": ">= 10"
-      }
-    },
-    "node_modules/d3-ease": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz",
-      "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-fetch": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-3.0.1.tgz",
-      "integrity": "sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw==",
-      "dependencies": {
-        "d3-dsv": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-force": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-3.0.0.tgz",
-      "integrity": "sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg==",
-      "dependencies": {
-        "d3-dispatch": "1 - 3",
-        "d3-quadtree": "1 - 3",
-        "d3-timer": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-format": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz",
-      "integrity": "sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-geo": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-3.0.1.tgz",
-      "integrity": "sha512-Wt23xBych5tSy9IYAM1FR2rWIBFWa52B/oF/GYe5zbdHrg08FU8+BuI6X4PvTwPDdqdAdq04fuWJpELtsaEjeA==",
-      "dependencies": {
-        "d3-array": "2.5.0 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-hierarchy": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-3.1.2.tgz",
-      "integrity": "sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-interpolate": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz",
-      "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==",
-      "dependencies": {
-        "d3-color": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-path": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.0.1.tgz",
-      "integrity": "sha512-gq6gZom9AFZby0YLduxT1qmrp4xpBA1YZr19OI717WIdKE2OM5ETq5qrHLb301IgxhLwcuxvGZVLeeWc/k1I6w==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-polygon": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-3.0.1.tgz",
-      "integrity": "sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-quadtree": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-3.0.1.tgz",
-      "integrity": "sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-random": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-3.0.1.tgz",
-      "integrity": "sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-scale": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz",
-      "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==",
-      "dependencies": {
-        "d3-array": "2.10.0 - 3",
-        "d3-format": "1 - 3",
-        "d3-interpolate": "1.2.0 - 3",
-        "d3-time": "2.1.1 - 3",
-        "d3-time-format": "2 - 4"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-scale-chromatic": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz",
-      "integrity": "sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g==",
-      "dependencies": {
-        "d3-color": "1 - 3",
-        "d3-interpolate": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-selection": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
-      "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-shape": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.1.0.tgz",
-      "integrity": "sha512-tGDh1Muf8kWjEDT/LswZJ8WF85yDZLvVJpYU9Nq+8+yW1Z5enxrmXOhTArlkaElU+CTn0OTVNli+/i+HP45QEQ==",
-      "dependencies": {
-        "d3-path": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-time": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.0.0.tgz",
-      "integrity": "sha512-zmV3lRnlaLI08y9IMRXSDshQb5Nj77smnfpnd2LrBa/2K281Jijactokeak14QacHs/kKq0AQ121nidNYlarbQ==",
-      "dependencies": {
-        "d3-array": "2 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-time-format": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz",
-      "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==",
-      "dependencies": {
-        "d3-time": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-timer": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz",
-      "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/d3-transition": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-3.0.1.tgz",
-      "integrity": "sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w==",
-      "dependencies": {
-        "d3-color": "1 - 3",
-        "d3-dispatch": "1 - 3",
-        "d3-ease": "1 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-timer": "1 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      },
-      "peerDependencies": {
-        "d3-selection": "2 - 3"
-      }
-    },
-    "node_modules/d3-voronoi": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/d3-voronoi/-/d3-voronoi-1.1.4.tgz",
-      "integrity": "sha512-dArJ32hchFsrQ8uMiTBLq256MpnZjeuBtdHpaDlYuQyjU0CVzCJl/BVW+SkszaAeH95D/8gxqAhgx0ouAWAfRg=="
-    },
-    "node_modules/d3-zoom": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-3.0.0.tgz",
-      "integrity": "sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw==",
-      "dependencies": {
-        "d3-dispatch": "1 - 3",
-        "d3-drag": "2 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-selection": "2 - 3",
-        "d3-transition": "2 - 3"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/dagre": {
-      "version": "0.8.5",
-      "resolved": "https://registry.npmjs.org/dagre/-/dagre-0.8.5.tgz",
-      "integrity": "sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==",
-      "dependencies": {
-        "graphlib": "^2.1.8",
-        "lodash": "^4.17.15"
-      }
-    },
-    "node_modules/dagre-d3": {
-      "version": "0.6.4",
-      "resolved": "https://registry.npmjs.org/dagre-d3/-/dagre-d3-0.6.4.tgz",
-      "integrity": "sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==",
-      "dependencies": {
-        "d3": "^5.14",
-        "dagre": "^0.8.5",
-        "graphlib": "^2.1.8",
-        "lodash": "^4.17.15"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/commander": {
-      "version": "2.20.3",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
-      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3": {
-      "version": "5.16.0",
-      "resolved": "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz",
-      "integrity": "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==",
-      "dependencies": {
-        "d3-array": "1",
-        "d3-axis": "1",
-        "d3-brush": "1",
-        "d3-chord": "1",
-        "d3-collection": "1",
-        "d3-color": "1",
-        "d3-contour": "1",
-        "d3-dispatch": "1",
-        "d3-drag": "1",
-        "d3-dsv": "1",
-        "d3-ease": "1",
-        "d3-fetch": "1",
-        "d3-force": "1",
-        "d3-format": "1",
-        "d3-geo": "1",
-        "d3-hierarchy": "1",
-        "d3-interpolate": "1",
-        "d3-path": "1",
-        "d3-polygon": "1",
-        "d3-quadtree": "1",
-        "d3-random": "1",
-        "d3-scale": "2",
-        "d3-scale-chromatic": "1",
-        "d3-selection": "1",
-        "d3-shape": "1",
-        "d3-time": "1",
-        "d3-time-format": "2",
-        "d3-timer": "1",
-        "d3-transition": "1",
-        "d3-voronoi": "1",
-        "d3-zoom": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-array": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-1.2.4.tgz",
-      "integrity": "sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-axis": {
-      "version": "1.0.12",
-      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-1.0.12.tgz",
-      "integrity": "sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-brush": {
-      "version": "1.1.6",
-      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.6.tgz",
-      "integrity": "sha512-7RW+w7HfMCPyZLifTz/UnJmI5kdkXtpCbombUSs8xniAyo0vIbrDzDwUJB6eJOgl9u5DQOt2TQlYumxzD1SvYA==",
-      "dependencies": {
-        "d3-dispatch": "1",
-        "d3-drag": "1",
-        "d3-interpolate": "1",
-        "d3-selection": "1",
-        "d3-transition": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-chord": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-1.0.6.tgz",
-      "integrity": "sha512-JXA2Dro1Fxw9rJe33Uv+Ckr5IrAa74TlfDEhE/jfLOaXegMQFQTAgAw9WnZL8+HxVBRXaRGCkrNU7pJeylRIuA==",
-      "dependencies": {
-        "d3-array": "1",
-        "d3-path": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-color": {
-      "version": "1.4.1",
-      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz",
-      "integrity": "sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-contour": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-1.3.2.tgz",
-      "integrity": "sha512-hoPp4K/rJCu0ladiH6zmJUEz6+u3lgR+GSm/QdM2BBvDraU39Vr7YdDCicJcxP1z8i9B/2dJLgDC1NcvlF8WCg==",
-      "dependencies": {
-        "d3-array": "^1.1.1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-dispatch": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-1.0.6.tgz",
-      "integrity": "sha512-fVjoElzjhCEy+Hbn8KygnmMS7Or0a9sI2UzGwoB7cCtvI1XpVN9GpoYlnb3xt2YV66oXYb1fLJ8GMvP4hdU1RA=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-drag": {
-      "version": "1.2.5",
-      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-1.2.5.tgz",
-      "integrity": "sha512-rD1ohlkKQwMZYkQlYVCrSFxsWPzI97+W+PaEIBNTMxRuxz9RF0Hi5nJWHGVJ3Om9d2fRTe1yOBINJyy/ahV95w==",
-      "dependencies": {
-        "d3-dispatch": "1",
-        "d3-selection": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-dsv": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-1.2.0.tgz",
-      "integrity": "sha512-9yVlqvZcSOMhCYzniHE7EVUws7Fa1zgw+/EAV2BxJoG3ME19V6BQFBwI855XQDsxyOuG7NibqRMTtiF/Qup46g==",
-      "dependencies": {
-        "commander": "2",
-        "iconv-lite": "0.4",
-        "rw": "1"
-      },
-      "bin": {
-        "csv2json": "bin/dsv2json",
-        "csv2tsv": "bin/dsv2dsv",
-        "dsv2dsv": "bin/dsv2dsv",
-        "dsv2json": "bin/dsv2json",
-        "json2csv": "bin/json2dsv",
-        "json2dsv": "bin/json2dsv",
-        "json2tsv": "bin/json2dsv",
-        "tsv2csv": "bin/dsv2dsv",
-        "tsv2json": "bin/dsv2json"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-ease": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-1.0.7.tgz",
-      "integrity": "sha512-lx14ZPYkhNx0s/2HX5sLFUI3mbasHjSSpwO/KaaNACweVwxUruKyWVcb293wMv1RqTPZyZ8kSZ2NogUZNcLOFQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-fetch": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-1.2.0.tgz",
-      "integrity": "sha512-yC78NBVcd2zFAyR/HnUiBS7Lf6inSCoWcSxFfw8FYL7ydiqe80SazNwoffcqOfs95XaLo7yebsmQqDKSsXUtvA==",
-      "dependencies": {
-        "d3-dsv": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-force": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-1.2.1.tgz",
-      "integrity": "sha512-HHvehyaiUlVo5CxBJ0yF/xny4xoaxFxDnBXNvNcfW9adORGZfyNF1dj6DGLKyk4Yh3brP/1h3rnDzdIAwL08zg==",
-      "dependencies": {
-        "d3-collection": "1",
-        "d3-dispatch": "1",
-        "d3-quadtree": "1",
-        "d3-timer": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-format": {
-      "version": "1.4.5",
-      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.5.tgz",
-      "integrity": "sha512-J0piedu6Z8iB6TbIGfZgDzfXxUFN3qQRMofy2oPdXzQibYGqPB/9iMcxr/TGalU+2RsyDO+U4f33id8tbnSRMQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-geo": {
-      "version": "1.12.1",
-      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-1.12.1.tgz",
-      "integrity": "sha512-XG4d1c/UJSEX9NfU02KwBL6BYPj8YKHxgBEw5om2ZnTRSbIcego6dhHwcxuSR3clxh0EpE38os1DVPOmnYtTPg==",
-      "dependencies": {
-        "d3-array": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-hierarchy": {
-      "version": "1.1.9",
-      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz",
-      "integrity": "sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-interpolate": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.4.0.tgz",
-      "integrity": "sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==",
-      "dependencies": {
-        "d3-color": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-path": {
-      "version": "1.0.9",
-      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-1.0.9.tgz",
-      "integrity": "sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-polygon": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-1.0.6.tgz",
-      "integrity": "sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-quadtree": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-1.0.7.tgz",
-      "integrity": "sha512-RKPAeXnkC59IDGD0Wu5mANy0Q2V28L+fNe65pOCXVdVuTJS3WPKaJlFHer32Rbh9gIo9qMuJXio8ra4+YmIymA=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-random": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-1.1.2.tgz",
-      "integrity": "sha512-6AK5BNpIFqP+cx/sreKzNjWbwZQCSUatxq+pPRmFIQaWuoD+NrbVWw7YWpHiXpCQ/NanKdtGDuB+VQcZDaEmYQ=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-scale": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-2.2.2.tgz",
-      "integrity": "sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw==",
-      "dependencies": {
-        "d3-array": "^1.2.0",
-        "d3-collection": "1",
-        "d3-format": "1",
-        "d3-interpolate": "1",
-        "d3-time": "1",
-        "d3-time-format": "2"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-scale-chromatic": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-1.5.0.tgz",
-      "integrity": "sha512-ACcL46DYImpRFMBcpk9HhtIyC7bTBR4fNOPxwVSl0LfulDAwyiHyPOTqcDG1+t5d4P9W7t/2NAuWu59aKko/cg==",
-      "dependencies": {
-        "d3-color": "1",
-        "d3-interpolate": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-selection": {
-      "version": "1.4.2",
-      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-1.4.2.tgz",
-      "integrity": "sha512-SJ0BqYihzOjDnnlfyeHT0e30k0K1+5sR3d5fNueCNeuhZTnGw4M4o8mqJchSwgKMXCNFo+e2VTChiSJ0vYtXkg=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-shape": {
-      "version": "1.3.7",
-      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-1.3.7.tgz",
-      "integrity": "sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw==",
-      "dependencies": {
-        "d3-path": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-time": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-1.1.0.tgz",
-      "integrity": "sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-time-format": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.3.0.tgz",
-      "integrity": "sha512-guv6b2H37s2Uq/GefleCDtbe0XZAuy7Wa49VGkPVPMfLL9qObgBST3lEHJBMUp8S7NdLQAGIvr2KXk8Hc98iKQ==",
-      "dependencies": {
-        "d3-time": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-timer": {
-      "version": "1.0.10",
-      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-1.0.10.tgz",
-      "integrity": "sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw=="
-    },
-    "node_modules/dagre-d3/node_modules/d3-transition": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.3.2.tgz",
-      "integrity": "sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==",
-      "dependencies": {
-        "d3-color": "1",
-        "d3-dispatch": "1",
-        "d3-ease": "1",
-        "d3-interpolate": "1",
-        "d3-selection": "^1.1.0",
-        "d3-timer": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/d3-zoom": {
-      "version": "1.8.3",
-      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-1.8.3.tgz",
-      "integrity": "sha512-VoLXTK4wvy1a0JpH2Il+F2CiOhVu7VRXWF5M/LroMIh3/zBAC3WAt7QoIvPibOavVo20hN6/37vwAsdBejLyKQ==",
-      "dependencies": {
-        "d3-dispatch": "1",
-        "d3-drag": "1",
-        "d3-interpolate": "1",
-        "d3-selection": "1",
-        "d3-transition": "1"
-      }
-    },
-    "node_modules/dagre-d3/node_modules/iconv-lite": {
-      "version": "0.4.24",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-      "dependencies": {
-        "safer-buffer": ">= 2.1.2 < 3"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
-      "dependencies": {
-        "ms": "2.1.2"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/delaunator": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.0.tgz",
-      "integrity": "sha512-AyLvtyJdbv/U1GkiS6gUUzclRoAY4Gs75qkMygJJhU75LW4DNuSF2RMzpxs9jw9Oz1BobHjTdkG3zdP55VxAqw==",
-      "dependencies": {
-        "robust-predicates": "^3.0.0"
-      }
-    },
-    "node_modules/devtools-protocol": {
-      "version": "0.0.1001819",
-      "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1001819.tgz",
-      "integrity": "sha512-G6OsIFnv/rDyxSqBa2lDLR6thp9oJioLsb2Gl+LbQlyoA9/OBAkrTU9jiCcQ8Pnh7z4d6slDiLaogR5hzgJLmQ=="
-    },
-    "node_modules/dompurify": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz",
-      "integrity": "sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw=="
-    },
-    "node_modules/end-of-stream": {
-      "version": "1.4.4",
-      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
-      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
-      "dependencies": {
-        "once": "^1.4.0"
-      }
-    },
-    "node_modules/extract-zip": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/extract-zip/-/extract-zip-2.0.1.tgz",
-      "integrity": "sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg==",
-      "dependencies": {
-        "debug": "^4.1.1",
-        "get-stream": "^5.1.0",
-        "yauzl": "^2.10.0"
-      },
-      "bin": {
-        "extract-zip": "cli.js"
-      },
-      "engines": {
-        "node": ">= 10.17.0"
-      },
-      "optionalDependencies": {
-        "@types/yauzl": "^2.9.1"
-      }
-    },
-    "node_modules/fd-slicer": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
-      "integrity": "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==",
-      "dependencies": {
-        "pend": "~1.2.0"
-      }
-    },
-    "node_modules/find-up": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
-      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
-      "dependencies": {
-        "locate-path": "^5.0.0",
-        "path-exists": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/fs-constants": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
-      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
-    },
-    "node_modules/fs.realpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
-    },
-    "node_modules/get-stream": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.2.0.tgz",
-      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
-      "dependencies": {
-        "pump": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/glob": {
-      "version": "7.2.3",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
-      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "dependencies": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.1.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
-      },
-      "engines": {
-        "node": "*"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/graphlib": {
-      "version": "2.1.8",
-      "resolved": "https://registry.npmjs.org/graphlib/-/graphlib-2.1.8.tgz",
-      "integrity": "sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==",
-      "dependencies": {
-        "lodash": "^4.17.15"
-      }
-    },
-    "node_modules/has-flag": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
-      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/https-proxy-agent": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
-      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
-      "dependencies": {
-        "agent-base": "6",
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/iconv-lite": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
-      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
-      "dependencies": {
-        "safer-buffer": ">= 2.1.2 < 3.0.0"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/ieee754": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
-      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ]
-    },
-    "node_modules/inflight": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
-      "dependencies": {
-        "once": "^1.3.0",
-        "wrappy": "1"
-      }
-    },
-    "node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
-    },
-    "node_modules/internmap": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz",
-      "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/khroma": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
-      "integrity": "sha512-2J8rDNlQWbtiNYThZRvmMv5yt44ZakX+Tz5ZIp/mN1pt4snn+m030Va5Z4v8xA0cQFDXBwO/8i42xL4QPsVk3g=="
-    },
-    "node_modules/locate-path": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
-      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
-      "dependencies": {
-        "p-locate": "^4.1.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/lodash": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
-    },
-    "node_modules/mermaid": {
-      "version": "9.1.3",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-9.1.3.tgz",
-      "integrity": "sha512-jTIYiqKwsUXVCoxHUVkK8t0QN3zSKIdJlb9thT0J5jCnzXyc+gqTbZE2QmjRfavFTPPn5eRy5zaFp7V+6RhxYg==",
-      "dependencies": {
-        "@braintree/sanitize-url": "^6.0.0",
-        "d3": "^7.0.0",
-        "dagre": "^0.8.5",
-        "dagre-d3": "^0.6.4",
-        "dompurify": "2.3.8",
-        "graphlib": "^2.1.8",
-        "khroma": "^2.0.0",
-        "moment-mini": "^2.24.0",
-        "stylis": "^4.0.10"
-      }
-    },
-    "node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
-      "dependencies": {
-        "brace-expansion": "^1.1.7"
-      },
-      "engines": {
-        "node": "*"
-      }
-    },
-    "node_modules/mkdirp-classic": {
-      "version": "0.5.3",
-      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
-      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
-    },
-    "node_modules/moment-mini": {
-      "version": "2.24.0",
-      "resolved": "https://registry.npmjs.org/moment-mini/-/moment-mini-2.24.0.tgz",
-      "integrity": "sha512-9ARkWHBs+6YJIvrIp0Ik5tyTTtP9PoV0Ssu2Ocq5y9v8+NOOpWiRshAp8c4rZVWTOe+157on/5G+zj5pwIQFEQ=="
-    },
-    "node_modules/ms": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
-    },
-    "node_modules/node-fetch": {
-      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
-      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
-      "dependencies": {
-        "whatwg-url": "^5.0.0"
-      },
-      "engines": {
-        "node": "4.x || >=6.0.0"
-      },
-      "peerDependencies": {
-        "encoding": "^0.1.0"
-      },
-      "peerDependenciesMeta": {
-        "encoding": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "dependencies": {
-        "wrappy": "1"
-      }
-    },
-    "node_modules/p-limit": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
-      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
-      "dependencies": {
-        "p-try": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/p-locate": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
-      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
-      "dependencies": {
-        "p-limit": "^2.2.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/p-try": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
-      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/path-exists": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
-      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/path-is-absolute": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/pend": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz",
-      "integrity": "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="
-    },
-    "node_modules/pkg-dir": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz",
-      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
-      "dependencies": {
-        "find-up": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/progress": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
-      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
-      "engines": {
-        "node": ">=0.4.0"
-      }
-    },
-    "node_modules/proxy-from-env": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
-      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
-    },
-    "node_modules/pump": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
-      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
-      "dependencies": {
-        "end-of-stream": "^1.1.0",
-        "once": "^1.3.1"
-      }
-    },
-    "node_modules/puppeteer": {
-      "version": "14.4.1",
-      "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-14.4.1.tgz",
-      "integrity": "sha512-+H0Gm84aXUvSLdSiDROtLlOofftClgw2TdceMvvCU9UvMryappoeS3+eOLfKvoy4sm8B8MWnYmPhWxVFudAOFQ==",
-      "hasInstallScript": true,
-      "dependencies": {
-        "cross-fetch": "3.1.5",
-        "debug": "4.3.4",
-        "devtools-protocol": "0.0.1001819",
-        "extract-zip": "2.0.1",
-        "https-proxy-agent": "5.0.1",
-        "pkg-dir": "4.2.0",
-        "progress": "2.0.3",
-        "proxy-from-env": "1.1.0",
-        "rimraf": "3.0.2",
-        "tar-fs": "2.1.1",
-        "unbzip2-stream": "1.4.3",
-        "ws": "8.7.0"
-      },
-      "engines": {
-        "node": ">=14.1.0"
-      }
-    },
-    "node_modules/readable-stream": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz",
-      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/rimraf": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
-      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
-      "dependencies": {
-        "glob": "^7.1.3"
-      },
-      "bin": {
-        "rimraf": "bin.js"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/robust-predicates": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.1.tgz",
-      "integrity": "sha512-ndEIpszUHiG4HtDsQLeIuMvRsDnn8c8rYStabochtUeCvfuvNptb5TUbVD68LRAILPX7p9nqQGh4xJgn3EHS/g=="
-    },
-    "node_modules/rw": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/rw/-/rw-1.3.3.tgz",
-      "integrity": "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="
-    },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ]
-    },
-    "node_modules/safer-buffer": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
-    },
-    "node_modules/string_decoder": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
-      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
-      "dependencies": {
-        "safe-buffer": "~5.2.0"
-      }
-    },
-    "node_modules/stylis": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.1.1.tgz",
-      "integrity": "sha512-lVrM/bNdhVX2OgBFNa2YJ9Lxj7kPzylieHd3TNjuGE0Re9JB7joL5VUKOVH1kdNNJTgGPpT8hmwIAPLaSyEVFQ=="
-    },
-    "node_modules/supports-color": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
-      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
-      "dependencies": {
-        "has-flag": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/tar-fs": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz",
-      "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==",
-      "dependencies": {
-        "chownr": "^1.1.1",
-        "mkdirp-classic": "^0.5.2",
-        "pump": "^3.0.0",
-        "tar-stream": "^2.1.4"
-      }
-    },
-    "node_modules/tar-stream": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
-      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
-      "dependencies": {
-        "bl": "^4.0.3",
-        "end-of-stream": "^1.4.1",
-        "fs-constants": "^1.0.0",
-        "inherits": "^2.0.3",
-        "readable-stream": "^3.1.1"
-      },
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/through": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
-      "integrity": "sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg=="
-    },
-    "node_modules/tr46": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
-      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
-    },
-    "node_modules/unbzip2-stream": {
-      "version": "1.4.3",
-      "resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
-      "integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
-      "dependencies": {
-        "buffer": "^5.2.1",
-        "through": "^2.3.8"
-      }
-    },
-    "node_modules/util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
-    },
-    "node_modules/webidl-conversions": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
-      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
-    },
-    "node_modules/whatwg-url": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
-      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
-      "dependencies": {
-        "tr46": "~0.0.3",
-        "webidl-conversions": "^3.0.0"
-      }
-    },
-    "node_modules/wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
-    },
-    "node_modules/ws": {
-      "version": "8.7.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.7.0.tgz",
-      "integrity": "sha512-c2gsP0PRwcLFzUiA8Mkr37/MI7ilIlHQxaEAtd0uNMbVMoy8puJyafRlm0bV9MbGSabUPeLrRRaqIBcFcA2Pqg==",
-      "engines": {
-        "node": ">=10.0.0"
-      },
-      "peerDependencies": {
-        "bufferutil": "^4.0.1",
-        "utf-8-validate": "^5.0.2"
-      },
-      "peerDependenciesMeta": {
-        "bufferutil": {
-          "optional": true
-        },
-        "utf-8-validate": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/yauzl": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
-      "integrity": "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==",
-      "dependencies": {
-        "buffer-crc32": "~0.2.3",
-        "fd-slicer": "~1.1.0"
-      }
-    }
-  },
-  "dependencies": {
-    "@braintree/sanitize-url": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz",
-      "integrity": "sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w=="
-    },
-    "@mermaid-js/mermaid-cli": {
-      "version": "9.1.3",
-      "resolved": "https://registry.npmjs.org/@mermaid-js/mermaid-cli/-/mermaid-cli-9.1.3.tgz",
-      "integrity": "sha512-R7VFArRIhczOejWtKT2Ii8MVKayjpiY6hebGqtcmA8FGSUXDgB4QzK5z9zpOfh1k90XH0PzPpTlL4KXnFfDx1Q==",
-      "requires": {
-        "chalk": "^4.1.0",
-        "commander": "^9.0.0",
-        "mermaid": "^9.0.0",
-        "puppeteer": "^14.1.0"
-      }
-    },
-    "@types/node": {
-      "version": "18.0.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.0.3.tgz",
-      "integrity": "sha512-HzNRZtp4eepNitP+BD6k2L6DROIDG4Q0fm4x+dwfsr6LGmROENnok75VGw40628xf+iR24WeMFcHuuBDUAzzsQ==",
-      "optional": true
-    },
-    "@types/yauzl": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/@types/yauzl/-/yauzl-2.10.0.tgz",
-      "integrity": "sha512-Cn6WYCm0tXv8p6k+A8PvbDG763EDpBoTzHdA+Q/MF6H3sapGjCm9NzoaJncJS9tUKSuCoDs9XHxYYsQDgxR6kw==",
-      "optional": true,
-      "requires": {
-        "@types/node": "*"
-      }
-    },
-    "agent-base": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
-      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
-      "requires": {
-        "debug": "4"
-      }
-    },
-    "ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-      "requires": {
-        "color-convert": "^2.0.1"
-      }
-    },
-    "balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
-    },
-    "base64-js": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
-      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA=="
-    },
-    "bl": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
-      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
-      "requires": {
-        "buffer": "^5.5.0",
-        "inherits": "^2.0.4",
-        "readable-stream": "^3.4.0"
-      }
-    },
-    "brace-expansion": {
-      "version": "1.1.11",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
-      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
-      "requires": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
-    "buffer": {
-      "version": "5.7.1",
-      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
-      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
-      "requires": {
-        "base64-js": "^1.3.1",
-        "ieee754": "^1.1.13"
-      }
-    },
-    "buffer-crc32": {
-      "version": "0.2.13",
-      "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
-      "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="
-    },
-    "chalk": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
-      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
-      "requires": {
-        "ansi-styles": "^4.1.0",
-        "supports-color": "^7.1.0"
-      }
-    },
-    "chownr": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
-      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg=="
-    },
-    "color-convert": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "requires": {
-        "color-name": "~1.1.4"
-      }
-    },
-    "color-name": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
-    },
-    "commander": {
-      "version": "9.3.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-9.3.0.tgz",
-      "integrity": "sha512-hv95iU5uXPbK83mjrJKuZyFM/LBAoCV/XhVGkS5Je6tl7sxr6A0ITMw5WoRV46/UaJ46Nllm3Xt7IaJhXTIkzw=="
-    },
-    "concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="
-    },
-    "cross-fetch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.1.5.tgz",
-      "integrity": "sha512-lvb1SBsI0Z7GDwmuid+mU3kWVBwTVUbe7S0H52yaaAdQOXq2YktTCZdlAcNKFzE6QtRz0snpw9bNiPeOIkkQvw==",
-      "requires": {
-        "node-fetch": "2.6.7"
-      }
-    },
-    "d3": {
-      "version": "7.6.1",
-      "resolved": "https://registry.npmjs.org/d3/-/d3-7.6.1.tgz",
-      "integrity": "sha512-txMTdIHFbcpLx+8a0IFhZsbp+PfBBPt8yfbmukZTQFroKuFqIwqswF0qE5JXWefylaAVpSXFoKm3yP+jpNLFLw==",
-      "requires": {
-        "d3-array": "3",
-        "d3-axis": "3",
-        "d3-brush": "3",
-        "d3-chord": "3",
-        "d3-color": "3",
-        "d3-contour": "4",
-        "d3-delaunay": "6",
-        "d3-dispatch": "3",
-        "d3-drag": "3",
-        "d3-dsv": "3",
-        "d3-ease": "3",
-        "d3-fetch": "3",
-        "d3-force": "3",
-        "d3-format": "3",
-        "d3-geo": "3",
-        "d3-hierarchy": "3",
-        "d3-interpolate": "3",
-        "d3-path": "3",
-        "d3-polygon": "3",
-        "d3-quadtree": "3",
-        "d3-random": "3",
-        "d3-scale": "4",
-        "d3-scale-chromatic": "3",
-        "d3-selection": "3",
-        "d3-shape": "3",
-        "d3-time": "3",
-        "d3-time-format": "4",
-        "d3-timer": "3",
-        "d3-transition": "3",
-        "d3-zoom": "3"
-      }
-    },
-    "d3-array": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.0.tgz",
-      "integrity": "sha512-3yXFQo0oG3QCxbF06rMPFyGRMGJNS7NvsV1+2joOjbBE+9xvWQ8+GcMJAjRCzw06zQ3/arXeJgbPYcjUCuC+3g==",
-      "requires": {
-        "internmap": "1 - 2"
-      }
-    },
-    "d3-axis": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-3.0.0.tgz",
-      "integrity": "sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw=="
-    },
-    "d3-brush": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-3.0.0.tgz",
-      "integrity": "sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ==",
-      "requires": {
-        "d3-dispatch": "1 - 3",
-        "d3-drag": "2 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-selection": "3",
-        "d3-transition": "3"
-      }
-    },
-    "d3-chord": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-3.0.1.tgz",
-      "integrity": "sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g==",
-      "requires": {
-        "d3-path": "1 - 3"
-      }
-    },
-    "d3-collection": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/d3-collection/-/d3-collection-1.0.7.tgz",
-      "integrity": "sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A=="
-    },
-    "d3-color": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz",
-      "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA=="
-    },
-    "d3-contour": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-4.0.0.tgz",
-      "integrity": "sha512-7aQo0QHUTu/Ko3cP9YK9yUTxtoDEiDGwnBHyLxG5M4vqlBkO/uixMRele3nfsfj6UXOcuReVpVXzAboGraYIJw==",
-      "requires": {
-        "d3-array": "^3.2.0"
-      }
-    },
-    "d3-delaunay": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/d3-delaunay/-/d3-delaunay-6.0.2.tgz",
-      "integrity": "sha512-IMLNldruDQScrcfT+MWnazhHbDJhcRJyOEBAJfwQnHle1RPh6WDuLvxNArUju2VSMSUuKlY5BGHRJ2cYyoFLQQ==",
-      "requires": {
-        "delaunator": "5"
-      }
-    },
-    "d3-dispatch": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-3.0.1.tgz",
-      "integrity": "sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg=="
-    },
-    "d3-drag": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-3.0.0.tgz",
-      "integrity": "sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg==",
-      "requires": {
-        "d3-dispatch": "1 - 3",
-        "d3-selection": "3"
-      }
-    },
-    "d3-dsv": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-3.0.1.tgz",
-      "integrity": "sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q==",
-      "requires": {
-        "commander": "7",
-        "iconv-lite": "0.6",
-        "rw": "1"
-      },
-      "dependencies": {
-        "commander": {
-          "version": "7.2.0",
-          "resolved": "https://registry.npmjs.org/commander/-/commander-7.2.0.tgz",
-          "integrity": "sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw=="
-        }
-      }
-    },
-    "d3-ease": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz",
-      "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w=="
-    },
-    "d3-fetch": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-3.0.1.tgz",
-      "integrity": "sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw==",
-      "requires": {
-        "d3-dsv": "1 - 3"
-      }
-    },
-    "d3-force": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-3.0.0.tgz",
-      "integrity": "sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg==",
-      "requires": {
-        "d3-dispatch": "1 - 3",
-        "d3-quadtree": "1 - 3",
-        "d3-timer": "1 - 3"
-      }
-    },
-    "d3-format": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz",
-      "integrity": "sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA=="
-    },
-    "d3-geo": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-3.0.1.tgz",
-      "integrity": "sha512-Wt23xBych5tSy9IYAM1FR2rWIBFWa52B/oF/GYe5zbdHrg08FU8+BuI6X4PvTwPDdqdAdq04fuWJpELtsaEjeA==",
-      "requires": {
-        "d3-array": "2.5.0 - 3"
-      }
-    },
-    "d3-hierarchy": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-3.1.2.tgz",
-      "integrity": "sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA=="
-    },
-    "d3-interpolate": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz",
-      "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==",
-      "requires": {
-        "d3-color": "1 - 3"
-      }
-    },
-    "d3-path": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.0.1.tgz",
-      "integrity": "sha512-gq6gZom9AFZby0YLduxT1qmrp4xpBA1YZr19OI717WIdKE2OM5ETq5qrHLb301IgxhLwcuxvGZVLeeWc/k1I6w=="
-    },
-    "d3-polygon": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-3.0.1.tgz",
-      "integrity": "sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg=="
-    },
-    "d3-quadtree": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-3.0.1.tgz",
-      "integrity": "sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw=="
-    },
-    "d3-random": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-3.0.1.tgz",
-      "integrity": "sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ=="
-    },
-    "d3-scale": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz",
-      "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==",
-      "requires": {
-        "d3-array": "2.10.0 - 3",
-        "d3-format": "1 - 3",
-        "d3-interpolate": "1.2.0 - 3",
-        "d3-time": "2.1.1 - 3",
-        "d3-time-format": "2 - 4"
-      }
-    },
-    "d3-scale-chromatic": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz",
-      "integrity": "sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g==",
-      "requires": {
-        "d3-color": "1 - 3",
-        "d3-interpolate": "1 - 3"
-      }
-    },
-    "d3-selection": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
-      "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ=="
-    },
-    "d3-shape": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.1.0.tgz",
-      "integrity": "sha512-tGDh1Muf8kWjEDT/LswZJ8WF85yDZLvVJpYU9Nq+8+yW1Z5enxrmXOhTArlkaElU+CTn0OTVNli+/i+HP45QEQ==",
-      "requires": {
-        "d3-path": "1 - 3"
-      }
-    },
-    "d3-time": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.0.0.tgz",
-      "integrity": "sha512-zmV3lRnlaLI08y9IMRXSDshQb5Nj77smnfpnd2LrBa/2K281Jijactokeak14QacHs/kKq0AQ121nidNYlarbQ==",
-      "requires": {
-        "d3-array": "2 - 3"
-      }
-    },
-    "d3-time-format": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz",
-      "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==",
-      "requires": {
-        "d3-time": "1 - 3"
-      }
-    },
-    "d3-timer": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz",
-      "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA=="
-    },
-    "d3-transition": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-3.0.1.tgz",
-      "integrity": "sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w==",
-      "requires": {
-        "d3-color": "1 - 3",
-        "d3-dispatch": "1 - 3",
-        "d3-ease": "1 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-timer": "1 - 3"
-      }
-    },
-    "d3-voronoi": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/d3-voronoi/-/d3-voronoi-1.1.4.tgz",
-      "integrity": "sha512-dArJ32hchFsrQ8uMiTBLq256MpnZjeuBtdHpaDlYuQyjU0CVzCJl/BVW+SkszaAeH95D/8gxqAhgx0ouAWAfRg=="
-    },
-    "d3-zoom": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-3.0.0.tgz",
-      "integrity": "sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw==",
-      "requires": {
-        "d3-dispatch": "1 - 3",
-        "d3-drag": "2 - 3",
-        "d3-interpolate": "1 - 3",
-        "d3-selection": "2 - 3",
-        "d3-transition": "2 - 3"
-      }
-    },
-    "dagre": {
-      "version": "0.8.5",
-      "resolved": "https://registry.npmjs.org/dagre/-/dagre-0.8.5.tgz",
-      "integrity": "sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==",
-      "requires": {
-        "graphlib": "^2.1.8",
-        "lodash": "^4.17.15"
-      }
-    },
-    "dagre-d3": {
-      "version": "0.6.4",
-      "resolved": "https://registry.npmjs.org/dagre-d3/-/dagre-d3-0.6.4.tgz",
-      "integrity": "sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==",
-      "requires": {
-        "d3": "^5.14",
-        "dagre": "^0.8.5",
-        "graphlib": "^2.1.8",
-        "lodash": "^4.17.15"
-      },
-      "dependencies": {
-        "commander": {
-          "version": "2.20.3",
-          "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
-          "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
-        },
-        "d3": {
-          "version": "5.16.0",
-          "resolved": "https://registry.npmjs.org/d3/-/d3-5.16.0.tgz",
-          "integrity": "sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==",
-          "requires": {
-            "d3-array": "1",
-            "d3-axis": "1",
-            "d3-brush": "1",
-            "d3-chord": "1",
-            "d3-collection": "1",
-            "d3-color": "1",
-            "d3-contour": "1",
-            "d3-dispatch": "1",
-            "d3-drag": "1",
-            "d3-dsv": "1",
-            "d3-ease": "1",
-            "d3-fetch": "1",
-            "d3-force": "1",
-            "d3-format": "1",
-            "d3-geo": "1",
-            "d3-hierarchy": "1",
-            "d3-interpolate": "1",
-            "d3-path": "1",
-            "d3-polygon": "1",
-            "d3-quadtree": "1",
-            "d3-random": "1",
-            "d3-scale": "2",
-            "d3-scale-chromatic": "1",
-            "d3-selection": "1",
-            "d3-shape": "1",
-            "d3-time": "1",
-            "d3-time-format": "2",
-            "d3-timer": "1",
-            "d3-transition": "1",
-            "d3-voronoi": "1",
-            "d3-zoom": "1"
-          }
-        },
-        "d3-array": {
-          "version": "1.2.4",
-          "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-1.2.4.tgz",
-          "integrity": "sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw=="
-        },
-        "d3-axis": {
-          "version": "1.0.12",
-          "resolved": "https://registry.npmjs.org/d3-axis/-/d3-axis-1.0.12.tgz",
-          "integrity": "sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ=="
-        },
-        "d3-brush": {
-          "version": "1.1.6",
-          "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.6.tgz",
-          "integrity": "sha512-7RW+w7HfMCPyZLifTz/UnJmI5kdkXtpCbombUSs8xniAyo0vIbrDzDwUJB6eJOgl9u5DQOt2TQlYumxzD1SvYA==",
-          "requires": {
-            "d3-dispatch": "1",
-            "d3-drag": "1",
-            "d3-interpolate": "1",
-            "d3-selection": "1",
-            "d3-transition": "1"
-          }
-        },
-        "d3-chord": {
-          "version": "1.0.6",
-          "resolved": "https://registry.npmjs.org/d3-chord/-/d3-chord-1.0.6.tgz",
-          "integrity": "sha512-JXA2Dro1Fxw9rJe33Uv+Ckr5IrAa74TlfDEhE/jfLOaXegMQFQTAgAw9WnZL8+HxVBRXaRGCkrNU7pJeylRIuA==",
-          "requires": {
-            "d3-array": "1",
-            "d3-path": "1"
-          }
-        },
-        "d3-color": {
-          "version": "1.4.1",
-          "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz",
-          "integrity": "sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q=="
-        },
-        "d3-contour": {
-          "version": "1.3.2",
-          "resolved": "https://registry.npmjs.org/d3-contour/-/d3-contour-1.3.2.tgz",
-          "integrity": "sha512-hoPp4K/rJCu0ladiH6zmJUEz6+u3lgR+GSm/QdM2BBvDraU39Vr7YdDCicJcxP1z8i9B/2dJLgDC1NcvlF8WCg==",
-          "requires": {
-            "d3-array": "^1.1.1"
-          }
-        },
-        "d3-dispatch": {
-          "version": "1.0.6",
-          "resolved": "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-1.0.6.tgz",
-          "integrity": "sha512-fVjoElzjhCEy+Hbn8KygnmMS7Or0a9sI2UzGwoB7cCtvI1XpVN9GpoYlnb3xt2YV66oXYb1fLJ8GMvP4hdU1RA=="
-        },
-        "d3-drag": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/d3-drag/-/d3-drag-1.2.5.tgz",
-          "integrity": "sha512-rD1ohlkKQwMZYkQlYVCrSFxsWPzI97+W+PaEIBNTMxRuxz9RF0Hi5nJWHGVJ3Om9d2fRTe1yOBINJyy/ahV95w==",
-          "requires": {
-            "d3-dispatch": "1",
-            "d3-selection": "1"
-          }
-        },
-        "d3-dsv": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/d3-dsv/-/d3-dsv-1.2.0.tgz",
-          "integrity": "sha512-9yVlqvZcSOMhCYzniHE7EVUws7Fa1zgw+/EAV2BxJoG3ME19V6BQFBwI855XQDsxyOuG7NibqRMTtiF/Qup46g==",
-          "requires": {
-            "commander": "2",
-            "iconv-lite": "0.4",
-            "rw": "1"
-          }
-        },
-        "d3-ease": {
-          "version": "1.0.7",
-          "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-1.0.7.tgz",
-          "integrity": "sha512-lx14ZPYkhNx0s/2HX5sLFUI3mbasHjSSpwO/KaaNACweVwxUruKyWVcb293wMv1RqTPZyZ8kSZ2NogUZNcLOFQ=="
-        },
-        "d3-fetch": {
-          "version": "1.2.0",
-          "resolved": "https://registry.npmjs.org/d3-fetch/-/d3-fetch-1.2.0.tgz",
-          "integrity": "sha512-yC78NBVcd2zFAyR/HnUiBS7Lf6inSCoWcSxFfw8FYL7ydiqe80SazNwoffcqOfs95XaLo7yebsmQqDKSsXUtvA==",
-          "requires": {
-            "d3-dsv": "1"
-          }
-        },
-        "d3-force": {
-          "version": "1.2.1",
-          "resolved": "https://registry.npmjs.org/d3-force/-/d3-force-1.2.1.tgz",
-          "integrity": "sha512-HHvehyaiUlVo5CxBJ0yF/xny4xoaxFxDnBXNvNcfW9adORGZfyNF1dj6DGLKyk4Yh3brP/1h3rnDzdIAwL08zg==",
-          "requires": {
-            "d3-collection": "1",
-            "d3-dispatch": "1",
-            "d3-quadtree": "1",
-            "d3-timer": "1"
-          }
-        },
-        "d3-format": {
-          "version": "1.4.5",
-          "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.5.tgz",
-          "integrity": "sha512-J0piedu6Z8iB6TbIGfZgDzfXxUFN3qQRMofy2oPdXzQibYGqPB/9iMcxr/TGalU+2RsyDO+U4f33id8tbnSRMQ=="
-        },
-        "d3-geo": {
-          "version": "1.12.1",
-          "resolved": "https://registry.npmjs.org/d3-geo/-/d3-geo-1.12.1.tgz",
-          "integrity": "sha512-XG4d1c/UJSEX9NfU02KwBL6BYPj8YKHxgBEw5om2ZnTRSbIcego6dhHwcxuSR3clxh0EpE38os1DVPOmnYtTPg==",
-          "requires": {
-            "d3-array": "1"
-          }
-        },
-        "d3-hierarchy": {
-          "version": "1.1.9",
-          "resolved": "https://registry.npmjs.org/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz",
-          "integrity": "sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ=="
-        },
-        "d3-interpolate": {
-          "version": "1.4.0",
-          "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.4.0.tgz",
-          "integrity": "sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==",
-          "requires": {
-            "d3-color": "1"
-          }
-        },
-        "d3-path": {
-          "version": "1.0.9",
-          "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-1.0.9.tgz",
-          "integrity": "sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg=="
-        },
-        "d3-polygon": {
-          "version": "1.0.6",
-          "resolved": "https://registry.npmjs.org/d3-polygon/-/d3-polygon-1.0.6.tgz",
-          "integrity": "sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ=="
-        },
-        "d3-quadtree": {
-          "version": "1.0.7",
-          "resolved": "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-1.0.7.tgz",
-          "integrity": "sha512-RKPAeXnkC59IDGD0Wu5mANy0Q2V28L+fNe65pOCXVdVuTJS3WPKaJlFHer32Rbh9gIo9qMuJXio8ra4+YmIymA=="
-        },
-        "d3-random": {
-          "version": "1.1.2",
-          "resolved": "https://registry.npmjs.org/d3-random/-/d3-random-1.1.2.tgz",
-          "integrity": "sha512-6AK5BNpIFqP+cx/sreKzNjWbwZQCSUatxq+pPRmFIQaWuoD+NrbVWw7YWpHiXpCQ/NanKdtGDuB+VQcZDaEmYQ=="
-        },
-        "d3-scale": {
-          "version": "2.2.2",
-          "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-2.2.2.tgz",
-          "integrity": "sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw==",
-          "requires": {
-            "d3-array": "^1.2.0",
-            "d3-collection": "1",
-            "d3-format": "1",
-            "d3-interpolate": "1",
-            "d3-time": "1",
-            "d3-time-format": "2"
-          }
-        },
-        "d3-scale-chromatic": {
-          "version": "1.5.0",
-          "resolved": "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-1.5.0.tgz",
-          "integrity": "sha512-ACcL46DYImpRFMBcpk9HhtIyC7bTBR4fNOPxwVSl0LfulDAwyiHyPOTqcDG1+t5d4P9W7t/2NAuWu59aKko/cg==",
-          "requires": {
-            "d3-color": "1",
-            "d3-interpolate": "1"
-          }
-        },
-        "d3-selection": {
-          "version": "1.4.2",
-          "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-1.4.2.tgz",
-          "integrity": "sha512-SJ0BqYihzOjDnnlfyeHT0e30k0K1+5sR3d5fNueCNeuhZTnGw4M4o8mqJchSwgKMXCNFo+e2VTChiSJ0vYtXkg=="
-        },
-        "d3-shape": {
-          "version": "1.3.7",
-          "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-1.3.7.tgz",
-          "integrity": "sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw==",
-          "requires": {
-            "d3-path": "1"
-          }
-        },
-        "d3-time": {
-          "version": "1.1.0",
-          "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-1.1.0.tgz",
-          "integrity": "sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA=="
-        },
-        "d3-time-format": {
-          "version": "2.3.0",
-          "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.3.0.tgz",
-          "integrity": "sha512-guv6b2H37s2Uq/GefleCDtbe0XZAuy7Wa49VGkPVPMfLL9qObgBST3lEHJBMUp8S7NdLQAGIvr2KXk8Hc98iKQ==",
-          "requires": {
-            "d3-time": "1"
-          }
-        },
-        "d3-timer": {
-          "version": "1.0.10",
-          "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-1.0.10.tgz",
-          "integrity": "sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw=="
-        },
-        "d3-transition": {
-          "version": "1.3.2",
-          "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.3.2.tgz",
-          "integrity": "sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==",
-          "requires": {
-            "d3-color": "1",
-            "d3-dispatch": "1",
-            "d3-ease": "1",
-            "d3-interpolate": "1",
-            "d3-selection": "^1.1.0",
-            "d3-timer": "1"
-          }
-        },
-        "d3-zoom": {
-          "version": "1.8.3",
-          "resolved": "https://registry.npmjs.org/d3-zoom/-/d3-zoom-1.8.3.tgz",
-          "integrity": "sha512-VoLXTK4wvy1a0JpH2Il+F2CiOhVu7VRXWF5M/LroMIh3/zBAC3WAt7QoIvPibOavVo20hN6/37vwAsdBejLyKQ==",
-          "requires": {
-            "d3-dispatch": "1",
-            "d3-drag": "1",
-            "d3-interpolate": "1",
-            "d3-selection": "1",
-            "d3-transition": "1"
-          }
-        },
-        "iconv-lite": {
-          "version": "0.4.24",
-          "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-          "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-          "requires": {
-            "safer-buffer": ">= 2.1.2 < 3"
-          }
-        }
-      }
-    },
-    "debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
-      "requires": {
-        "ms": "2.1.2"
-      }
-    },
-    "delaunator": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.0.tgz",
-      "integrity": "sha512-AyLvtyJdbv/U1GkiS6gUUzclRoAY4Gs75qkMygJJhU75LW4DNuSF2RMzpxs9jw9Oz1BobHjTdkG3zdP55VxAqw==",
-      "requires": {
-        "robust-predicates": "^3.0.0"
-      }
-    },
-    "devtools-protocol": {
-      "version": "0.0.1001819",
-      "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1001819.tgz",
-      "integrity": "sha512-G6OsIFnv/rDyxSqBa2lDLR6thp9oJioLsb2Gl+LbQlyoA9/OBAkrTU9jiCcQ8Pnh7z4d6slDiLaogR5hzgJLmQ=="
-    },
-    "dompurify": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz",
-      "integrity": "sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw=="
-    },
-    "end-of-stream": {
-      "version": "1.4.4",
-      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
-      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
-      "requires": {
-        "once": "^1.4.0"
-      }
-    },
-    "extract-zip": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/extract-zip/-/extract-zip-2.0.1.tgz",
-      "integrity": "sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg==",
-      "requires": {
-        "@types/yauzl": "^2.9.1",
-        "debug": "^4.1.1",
-        "get-stream": "^5.1.0",
-        "yauzl": "^2.10.0"
-      }
-    },
-    "fd-slicer": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
-      "integrity": "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==",
-      "requires": {
-        "pend": "~1.2.0"
-      }
-    },
-    "find-up": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
-      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
-      "requires": {
-        "locate-path": "^5.0.0",
-        "path-exists": "^4.0.0"
-      }
-    },
-    "fs-constants": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
-      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow=="
-    },
-    "fs.realpath": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
-    },
-    "get-stream": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.2.0.tgz",
-      "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==",
-      "requires": {
-        "pump": "^3.0.0"
-      }
-    },
-    "glob": {
-      "version": "7.2.3",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
-      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "requires": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.1.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
-      }
-    },
-    "graphlib": {
-      "version": "2.1.8",
-      "resolved": "https://registry.npmjs.org/graphlib/-/graphlib-2.1.8.tgz",
-      "integrity": "sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==",
-      "requires": {
-        "lodash": "^4.17.15"
-      }
-    },
-    "has-flag": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
-      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ=="
-    },
-    "https-proxy-agent": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
-      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
-      "requires": {
-        "agent-base": "6",
-        "debug": "4"
-      }
-    },
-    "iconv-lite": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
-      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
-      "requires": {
-        "safer-buffer": ">= 2.1.2 < 3.0.0"
-      }
-    },
-    "ieee754": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
-      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="
-    },
-    "inflight": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
-      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
-      "requires": {
-        "once": "^1.3.0",
-        "wrappy": "1"
-      }
-    },
-    "inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
-    },
-    "internmap": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz",
-      "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg=="
-    },
-    "khroma": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
-      "integrity": "sha512-2J8rDNlQWbtiNYThZRvmMv5yt44ZakX+Tz5ZIp/mN1pt4snn+m030Va5Z4v8xA0cQFDXBwO/8i42xL4QPsVk3g=="
-    },
-    "locate-path": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
-      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
-      "requires": {
-        "p-locate": "^4.1.0"
-      }
-    },
-    "lodash": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
-    },
-    "mermaid": {
-      "version": "9.1.3",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-9.1.3.tgz",
-      "integrity": "sha512-jTIYiqKwsUXVCoxHUVkK8t0QN3zSKIdJlb9thT0J5jCnzXyc+gqTbZE2QmjRfavFTPPn5eRy5zaFp7V+6RhxYg==",
-      "requires": {
-        "@braintree/sanitize-url": "^6.0.0",
-        "d3": "^7.0.0",
-        "dagre": "^0.8.5",
-        "dagre-d3": "^0.6.4",
-        "dompurify": "2.3.8",
-        "graphlib": "^2.1.8",
-        "khroma": "^2.0.0",
-        "moment-mini": "^2.24.0",
-        "stylis": "^4.0.10"
-      }
-    },
-    "minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
-      "requires": {
-        "brace-expansion": "^1.1.7"
-      }
-    },
-    "mkdirp-classic": {
-      "version": "0.5.3",
-      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
-      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A=="
-    },
-    "moment-mini": {
-      "version": "2.24.0",
-      "resolved": "https://registry.npmjs.org/moment-mini/-/moment-mini-2.24.0.tgz",
-      "integrity": "sha512-9ARkWHBs+6YJIvrIp0Ik5tyTTtP9PoV0Ssu2Ocq5y9v8+NOOpWiRshAp8c4rZVWTOe+157on/5G+zj5pwIQFEQ=="
-    },
-    "ms": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
-    },
-    "node-fetch": {
-      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
-      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
-      "requires": {
-        "whatwg-url": "^5.0.0"
-      }
-    },
-    "once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "requires": {
-        "wrappy": "1"
-      }
-    },
-    "p-limit": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
-      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
-      "requires": {
-        "p-try": "^2.0.0"
-      }
-    },
-    "p-locate": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
-      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
-      "requires": {
-        "p-limit": "^2.2.0"
-      }
-    },
-    "p-try": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
-      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ=="
-    },
-    "path-exists": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
-      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w=="
-    },
-    "path-is-absolute": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
-      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg=="
-    },
-    "pend": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/pend/-/pend-1.2.0.tgz",
-      "integrity": "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="
-    },
-    "pkg-dir": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz",
-      "integrity": "sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==",
-      "requires": {
-        "find-up": "^4.0.0"
-      }
-    },
-    "progress": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
-      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA=="
-    },
-    "proxy-from-env": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
-      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="
-    },
-    "pump": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
-      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
-      "requires": {
-        "end-of-stream": "^1.1.0",
-        "once": "^1.3.1"
-      }
-    },
-    "puppeteer": {
-      "version": "14.4.1",
-      "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-14.4.1.tgz",
-      "integrity": "sha512-+H0Gm84aXUvSLdSiDROtLlOofftClgw2TdceMvvCU9UvMryappoeS3+eOLfKvoy4sm8B8MWnYmPhWxVFudAOFQ==",
-      "requires": {
-        "cross-fetch": "3.1.5",
-        "debug": "4.3.4",
-        "devtools-protocol": "0.0.1001819",
-        "extract-zip": "2.0.1",
-        "https-proxy-agent": "5.0.1",
-        "pkg-dir": "4.2.0",
-        "progress": "2.0.3",
-        "proxy-from-env": "1.1.0",
-        "rimraf": "3.0.2",
-        "tar-fs": "2.1.1",
-        "unbzip2-stream": "1.4.3",
-        "ws": "8.7.0"
-      }
-    },
-    "readable-stream": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.0.tgz",
-      "integrity": "sha512-BViHy7LKeTz4oNnkcLJ+lVSL6vpiFeX6/d3oSH8zCW7UxP2onchk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
-      "requires": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      }
-    },
-    "rimraf": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
-      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
-      "requires": {
-        "glob": "^7.1.3"
-      }
-    },
-    "robust-predicates": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.1.tgz",
-      "integrity": "sha512-ndEIpszUHiG4HtDsQLeIuMvRsDnn8c8rYStabochtUeCvfuvNptb5TUbVD68LRAILPX7p9nqQGh4xJgn3EHS/g=="
-    },
-    "rw": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/rw/-/rw-1.3.3.tgz",
-      "integrity": "sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ=="
-    },
-    "safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="
-    },
-    "safer-buffer": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
-    },
-    "string_decoder": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
-      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
-      "requires": {
-        "safe-buffer": "~5.2.0"
-      }
-    },
-    "stylis": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.1.1.tgz",
-      "integrity": "sha512-lVrM/bNdhVX2OgBFNa2YJ9Lxj7kPzylieHd3TNjuGE0Re9JB7joL5VUKOVH1kdNNJTgGPpT8hmwIAPLaSyEVFQ=="
-    },
-    "supports-color": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
-      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
-      "requires": {
-        "has-flag": "^4.0.0"
-      }
-    },
-    "tar-fs": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz",
-      "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==",
-      "requires": {
-        "chownr": "^1.1.1",
-        "mkdirp-classic": "^0.5.2",
-        "pump": "^3.0.0",
-        "tar-stream": "^2.1.4"
-      }
-    },
-    "tar-stream": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
-      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
-      "requires": {
-        "bl": "^4.0.3",
-        "end-of-stream": "^1.4.1",
-        "fs-constants": "^1.0.0",
-        "inherits": "^2.0.3",
-        "readable-stream": "^3.1.1"
-      }
-    },
-    "through": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
-      "integrity": "sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg=="
-    },
-    "tr46": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
-      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
-    },
-    "unbzip2-stream": {
-      "version": "1.4.3",
-      "resolved": "https://registry.npmjs.org/unbzip2-stream/-/unbzip2-stream-1.4.3.tgz",
-      "integrity": "sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==",
-      "requires": {
-        "buffer": "^5.2.1",
-        "through": "^2.3.8"
-      }
-    },
-    "util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
-    },
-    "webidl-conversions": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
-      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
-    },
-    "whatwg-url": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
-      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
-      "requires": {
-        "tr46": "~0.0.3",
-        "webidl-conversions": "^3.0.0"
-      }
-    },
-    "wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
-    },
-    "ws": {
-      "version": "8.7.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.7.0.tgz",
-      "integrity": "sha512-c2gsP0PRwcLFzUiA8Mkr37/MI7ilIlHQxaEAtd0uNMbVMoy8puJyafRlm0bV9MbGSabUPeLrRRaqIBcFcA2Pqg==",
-      "requires": {}
-    },
-    "yauzl": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
-      "integrity": "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==",
-      "requires": {
-        "buffer-crc32": "~0.2.3",
-        "fd-slicer": "~1.1.0"
-      }
-    }
-  }
-}
diff --git a/docs/package.json b/docs/package.json
deleted file mode 100644
index 96ba9fc2..00000000
--- a/docs/package.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "dependencies": {
-    "@mermaid-js/mermaid-cli": "^9.1.3"
-  }
-}
diff --git a/docs/source/conf.py b/docs/source/conf.py
index a715c183..7c6a130e 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -48,7 +48,6 @@ html_theme = 'sphinx_rtd_theme'
 #epub_show_urls = 'footnote'
 latex_show_urls = 'footnote'
 
-mermaid_cmd = "./node_modules/.bin/mmdc"
 # 'raw' does not work for epub and pdf, neither does 'svg'
 mermaid_output_format = 'png'
-mermaid_params = ['--theme', 'default', '--width', '800', '--backgroundColor', 'transparent']
+mermaid_params = ['--theme', 'default', '--width', '1600', '--backgroundColor', 'transparent']
diff --git a/docs/source/ecosystem.md b/docs/source/ecosystem.md
index 30d8d6a3..cd88cfd8 100644
--- a/docs/source/ecosystem.md
+++ b/docs/source/ecosystem.md
@@ -4,44 +4,11 @@ PGPainless consists of an ecosystem of different libraries and projects.
 
 The diagram below shows, how the different projects relate to one another.
 
-```{mermaid}
-flowchart LR
-    subgraph SOP-JAVA
-    sop-java-picocli-->sop-java
-    end
-    subgraph PGPAINLESS
-    pgpainless-sop-->pgpainless-core
-    pgpainless-sop-->sop-java
-    pgpainless-cli-->pgpainless-sop
-    pgpainless-cli-->sop-java-picocli
-    end
-    subgraph WKD-JAVA
-    wkd-java-cli-->wkd-java
-    wkd-test-suite-->wkd-java
-    wkd-test-suite-->pgpainless-core
-    end
-    subgraph CERT-D-JAVA
-    pgp-cert-d-java-->pgp-certificate-store
-    pgp-cert-d-java-jdbc-sqlite-lookup-->pgp-cert-d-java
-    end
-    subgraph CERT-D-PGPAINLESS
-    pgpainless-cert-d-->pgpainless-core
-    pgpainless-cert-d-->pgp-cert-d-java
-    pgpainless-cert-d-cli-->pgpainless-cert-d
-    pgpainless-cert-d-cli-->pgp-cert-d-java-jdbc-sqlite-lookup
-    end
-    subgraph VKS-JAVA
-    vks-java-cli-->vks-java
-    end
-    subgraph PGPEASY
-    pgpeasy-->pgpainless-cli
-    pgpeasy-->wkd-java-cli
-    pgpeasy-->vks-java-cli
-    pgpeasy-->pgpainless-cert-d-cli
-    end
-    wkd-java-cli-->pgpainless-cert-d
-    wkd-java-->pgp-certificate-store
+![Ecosystem](ecosystem_dia.*)
+
 
 ## Libraries and Tools
 
diff --git a/docs/source/ecosystem_dia.md b/docs/source/ecosystem_dia.md
new file mode 100644
index 00000000..6469faaa
--- /dev/null
+++ b/docs/source/ecosystem_dia.md
@@ -0,0 +1,38 @@
+```mermaid
+flowchart LR
+    subgraph SOP-JAVA
+    sop-java-picocli-->sop-java
+    end
+    subgraph PGPAINLESS
+    pgpainless-sop-->pgpainless-core
+    pgpainless-sop-->sop-java
+    pgpainless-cli-->pgpainless-sop
+    pgpainless-cli-->sop-java-picocli
+    end
+    subgraph WKD-JAVA
+    wkd-java-cli-->wkd-java
+    wkd-test-suite-->wkd-java
+    wkd-test-suite-->pgpainless-core
+    end
+    subgraph CERT-D-JAVA
+    pgp-cert-d-java-->pgp-certificate-store
+    pgp-cert-d-java-jdbc-sqlite-lookup-->pgp-cert-d-java
+    end
+    subgraph CERT-D-PGPAINLESS
+    pgpainless-cert-d-->pgpainless-core
+    pgpainless-cert-d-->pgp-cert-d-java
+    pgpainless-cert-d-cli-->pgpainless-cert-d
+    pgpainless-cert-d-cli-->pgp-cert-d-java-jdbc-sqlite-lookup
+    end
+    subgraph VKS-JAVA
+    vks-java-cli-->vks-java
+    end
+    subgraph PGPEASY
+    pgpeasy-->pgpainless-cli
+    pgpeasy-->wkd-java-cli
+    pgpeasy-->vks-java-cli
+    pgpeasy-->pgpainless-cert-d-cli
+    end
+    wkd-java-cli-->pgpainless-cert-d
+    wkd-java-->pgp-certificate-store
+```
\ No newline at end of file
diff --git a/docs/source/ecosystem_dia.png b/docs/source/ecosystem_dia.png
new file mode 100644
index 0000000000000000000000000000000000000000..70872a9f97b0918aef1108c8cb78a4bae603d44a
GIT binary patch
literal 110743
zcmbq*by$>J`!4o20F_cwrKFXVMig*Bx?@0;PNf?Z0R^d{q@}y0TSU5B8l@Rv=#KM@
z?(h5k&VT2+&Rlz6PQ34WS3K)};=UIj2j^VWKNsN}
z_M6mi;GZ+r3KF6?xt-*TI5>B35KkW~Im9fF+iMNzpEj-UzV*B}b)INfMM=wp&X&+seTk#b37HppWb#6
z=sdUQmWSqxxBf;w-(ic?xeO2e|9*`{*G*i&iPY^$!nn*J6{23@jw{HkI5^F&iHWRBy(!}fsDEHa_AVt5
zSY6{O{k^WOEqjCS430c(t!g^h7(bsJ2J)SG&|4W5g=lU}6$j$X8CTn1-}Mm+Mhn{8EBxaAq=HFv9q|KK**+;MDYd%}
z5E61ewX9kf%bXWFbqUy6=6!kWw6}&&c)eTo&6{N3s@9xVuLA0T)D;YOweNDzIx(Vk+MN6bmBSpqBCX+duyZ0YC6nf)hQhHMa
zZMPPTkLQKsTa9e`ud;2)r^&F`Op7OLX~l4)sD!j6D`#;t!PVPpa&iO>4GpGk;SZuq
z3<}lBcvh8;4<;Cu(miO52QsCv;ErcysZz72P(l~(Fx`WR(Yt)n^YPoa{AZL9l3W%EbxDXw*({bB-3yf3O()p!8yD{F_;WFRqmp
zyUEH(PNV`p^dyJ~YbjqpefdI%(&HFioa=bDGHgxLp)RACdX)U(L$uTGxUSXfX9t!n
zLPC$BzcMnrV-;&}nRRL&cM0@q(f;-y$kPUa6Fik6jHusDx}18m?a3G{A4H`&K}G;RxFw<
z#iYCK>-%5CUro3|B&iw5W2UD0@#DvXwR+>->cGD0_dYtRU>FxJa0S=8Q{-q@H#o5t
z|9PxjlDO^c+#Dl=ak%1i<92_lG&O~=8+SuCD|Xt`?qH{#!F=@MLVM&@KHDWW1VRek
z8qRW;Ezg&G<>t-Rg?jw7mX`(Tk3BWG=g*#X;j%H3&C#LC4508aZTuwW8z|cxdf;|!
zn*=u{NQSj$8Y>E$j}%Gu^dRa~;DIx9bBVTSRCou4fP<)Nu9jjnw?7R6EK;M;z)z!i
zLp4QGU%8?vt)oT`IwT^4(tnb+K3y9YuVcTzZ>!pudc57vk+&3W>87HmS0v33Qxe9+
zW7Pe{zCU}oaAOyf<96Jr=Kd=}uevuFZsIcgscAlnH`vDJo@ze2lQJ^rZkZ(E9+Oz(
zPiAidJ!S~dWF|h|o6d7u${^{_*R{NG@g$z^`DYe{MvcHz*mJg1-_{9_wcU@ci_Q5T
z^-U0-5wQ!a+U=>ZP4Eo}=n0^>q=3{YHR{n26KlBd?xyOxJupT%e+hRf^}tR4oj;1^c6+Vfquo-YFRAauKYuVs?z1Sp-6U}(%n*uTN1UOnQGvWT{$~=N)2A<*Oev86N`W>FMc>
zw~|3AcviXW^_h;Cadm;(9Xz%DKMQo2*xALA6#^N#$kF?Zj4B+4tTGSd
z;^RwCFsBt6j++O3ucyky1CE|Csl5MLWc)Kf02(y5HXX_}_AOA!{u#8SlSab)&mf78
z3!5dTm6R(p@aP!L$j7IG>MwX@t(>dH-4LBr?;~q+d?1HQF`@`vcbuBPieq(FwkvUC
zJtJWo{iN8q&m!_U9r}5Kd!^fP_=J<`2k&c(3HkZ;2gkeS3?rdzI+9dwk0f?|wNrKCaA8EIVp{khx0@SRj(P9R8*dafOIL#%?oses
zNe*PGevQ+tcJiyLVq8iJ)PCO6Raf^oNn&@XIhe|Lb8Z|KSQW+TxDlACl#$J6XXZxL
zg@-ev1>4f-XwMRy06R>!3K3H{q9@fBEp9T>FH0AKkP6QpN=9t
zPN8ugvN9n({Z<%L#MUX|`SWaW3d%#d=3DjnRGOB3snzs;4T)T)C!wK)B4Dl0(q!W!
z{G^1qEMkg6E&g>6gV}**2c=+Uw&;>pJ$Au&hBsk0^5e~j_+kYji!#g#Uas<4%@kRT
z`zjpnbeNq@`vl|Svz|-zC1!bPEx^q!Gn6}?KcV1EkpHsbB3kDse9Zju<0+cg{j_2P
z;C-$`GjfjXLr>D-A|Ua>_K+}kax!%$M-NiZ(%ttt}Sll7xiM0rspp+-{eqwx%8!-Wtf;nP-gA0AKhOHePV*X@9eUt7!QYc2H
z`}%$Ke0<`7|9xRhLke1S`~pXRwmSv?j%oYnk66!BY)=R2kb3y!
zxXEU9jJDWp|9uqqw(`>-(ko+*-A-=JL6jyFRc~vKHZIv>PN;IUW349BTEp647Um9S
zLT>ZfEq@XZTs@WRBEXq>`uMT5Qniy<80$)8!Vc^@MN!drH75s#M66mOVT@t&5M;0*
zE3|2)hzIN^{loGsJ2($X*j5wpg~?O=Nb=xGI<$y*w*%DnNdz0deDJ*s%7q5Agsx;<
znOU!zIv2JUH&MwZ1B~gSUcH0TJ*AeDc}%Lg8ODmWgs$kJ-S8fxqRvok*k|R-T%8uu
zqNk9jou^jIs{ZwJV*o|Q*$ZRYst5a%w8k6;%q13tqt(t|8b96E6D)o4IG>pLpYYJ4
z+FnIj!HmbA6(d`ip9SR_r8S4D+o!n2;n1D&3hj-x`^<<;jpC|zo;+E)^?WEA!}+SH
z2fvh8zzOuFvhnsJWxc#ROWlrFN?&oT2+nrl~24WNh~?O*&QuZD+*#}K~zH^QGe
zug+(~ek<7nXHuzaAYC5O+38s9v`uV_p)?ZIP7pO#PM6a-jZ)H6E-|~zWjQhR7Oh?@
zq*PE)3eh;Zbj+isxv^B~N`>*|63fYeC=SC&Fm`hS2oF#(QSBUPGSh6Rl;pia_w~#fA&vYO#TFBv`r9M@ifz%_`-eke!)DmW
z&-{}ASrN(n=XoL)K{-$8RaHq`cgNK_A`73J4p|HY3ZG=U>~DZ+T>(%@1Fye%NNGJ<
z;>y6PIiB#u+R=d!m8_H}(4Q_Zhz+SUN?DbZGei42V=on(4P#p4CzYk64~+NLv@=$z
zF8p~;kYdW$%^sv52~X6_$~f99Q<+~N*XhNj+M`}+L8tdAhlN1{ENXIjrXOz#6-IG7
z`q@BKE?^hIh8fsd2@#EVS_%~3wZO#@S)F=;`I}4O1Z`gbcOmZdVWW5K>;L`TZOA4)
zK7FiW&51S)*UPtODE}-L>%-f;poih}$TpsS>6eQvvL{lHS9Q%u70#Q5w&$sB&VIeD
z_)e^chhpn#+RYtS+M$D2Ct~XDJGp0@E55VcQmSyeLBtq7G?AjGZnz`CxZxDKcMiJS
zjQdZlhuM#wmM@9=F)K*%T>S@YbT`T(L>o3X_`(9#HcMBKaM`z4^>H$P#(~pp1DU~}
z*Z=Q35!SCpJz5to9)R!EUn&Dc3($6XBa#}hfB)%IEyWjK;@^2j43nSEgp?MF9gA3W
zms@+xweRyOHVN1+mBqPLl$V%~hGtAd|L(YoJCopum~?;f*_e5waC#Cu04dmP7sdpG
zTJ`hu%hE!QFC!bzS=-u%L~FV^N1V}9uc;Z=dvI$8LIG+CA!=b^OXmn1otT)InYnNs
z85zfABos76azz);>z(=d(O|rWB9GTPd=Y{$!^*WqFB0ui`^)&Wl|%Rfc*K5Um+<4d
zyAxg&BKMR^%q|?S)l0%NAbUgSSK&3^yLQnNQWv%Qv=Z}6rUzSIzP`RKa_*2iSd42d
z)t5RVf<;$0&xJ-Qyb}{KPv81NmUo14L_9W11mbHSC$A|VsxA_?v
z6;?)h`elVXstiw^)vKM#0laeXD2`yBG+j44&Nuvcnl@4b54dt|tMBu}dUj6kAkEv?
zE+R^P^?97JG#SeEyiNJ4BZ>(7dx{i^SwJB9uq>d5z<>~y%UY(>mQhNUDw`C_?ZmMp
z&XMj}EI&_A8ykM_$+7O@#5~08My~z`yI-rhOjV5b)(ra-JZlfO(O+6ZgbQk9$OWC`
z-oAB%9L%djZPM*91&Si6Wo3^j1jgYz6^}8G?#s0#I6?rS_gsHylw9#V6U@~0o9DQ^g
zy*O;>lckVia5ZmlSQ|N)!Hs}3z^1CM-M_`djCQGrr=@Pybo3Cq92=(
zQig&)m(>i~WN6hmme*PV4=*62gi7$h9PoWVZu;!AjR(I%YTY?*`-?}rx6OCO4}2t$
z=+7PRV;Esm-v}wOIDP_iEYslYXwnr&5hduHSyhcTS?G>X&VQlX(A1Q&uxkl1OSdyd
z8WMW`^24=Xu8fMQ?=D`ul|U!0VZ1Uzbg){p5mUjdHz0c>lipsliCTZt=m^Z5oEfNw?s8tB?njOOH}Z;2F)eBf#(IZmc_sD)gF$
z(%7O0WwG6s>sH*&F0`68$@WpZ6S|~LSfX#E^65GH+kEN8Pli=|I`jqkBJ+0MM
zv0{6SjM&rnS+0kr#S_b{@pmBIie?C;pN&y`V_-Zg;RHoUL6HKNB2XcUl&~sByQ}7s&z~##;Eng@tUQkFAg~fXzo}ugL`7)6TM|`^4bOlz#$8m
z3Ql}^>;Z7TwU~x6`kAjfGe2)BNJ2%GN5*q6TZe>A``&nD6tt*OVphX#rj`Ss#AK;$
z2>8ZCN2igSYk}RCr38_ur!BW1SG)0H2!2fjTPj%rb9KP0uDA&Tw1l13BlBd
ztuQm^E`AD1GemTJUJtVvuQ+^l9cJ??aeGf^tozc|A_1fN*CJc)C*lWe8l0+|^Ia$!
z<=o|z48?i%$=AdzOO9Rhi;r(zQ>byUxR6EDpQXSr@&P;s!nzzl9I6WaD+2+2&
zWNx#6R9swQaRo%j5MXQWhlNWQ9N{j7B=D
zsMi~}4hzUoyz~?gAb&+M-9%*wC6Lq%?C?1k#E|7yh#lh~syn64;g;RO
zwy<4l?kzq+bfN%}8l^_asiMn^d5zGMsr|
zzS>EUo`K=#(qK;fyLS}}n_a@)syhCPVT=RHDZUYL&KAjui53WyWH@t(1#azeiCU?}
zc=t?;aC3dqXPTDr>d(?fN{LSy2C{}k?%u6~oU;s?QJc&+NOo@ve+*HsH%-d`m+^LL
zv}SKpG*6yp#G*dkrAwEjqqb6GHVh8BMZ&{JOhZGr_+}Rt(ghqpEe+)rUTF%im{htR*84zMnYiGyF9GeUu4W=>Yxn)i|a~Ok=>Y78a1et>gy;^H`3Y%I#wC`zEUSx96g%veXL)QOVFqs?ku%ilWp0?Bj#|
zd3APDf0N$iu;gTQWiUMz*zVb9Tz-9D-E~=pf!VT{UQ5vr|HQKjaGp`XN)
zAodHK>xxeq%;9eyuTBROpoYR_c|}ErPVL>1ue49Whp7UHfY;LYrmD};MvkD1e4pGl~bJnS-qCrMoXle7#%Y!WF`P
zk2BOoj++?lFSxfiP&Dc~X-7v#%C&BwG~ECCVq))-?wtFMaeD8hz3fV7;0hL-f2w@Rfw=0xMX
z41NcI0kAp)p$wL$P-4I*e}q7&nr13C$+Bo9yQc6Utlqro`SzBY=;qDrCq6qF3MrX<
zE)MZ@(xiFT^D^i#)d{TeEe70eskr3p`J`7$vM)8Kzi=Lh1$hu6bhu0b(Vpwc{`2xm
zlDCBI{Sz)7hBC&Hg9pP~xCmgN(qSjpJ+)z6QV@YJDAE}ty!!|nal-=jrpsGqx*l#BdI*{LluiWo{Hiz_-L$Wb
znFIQDq{dZYK~eU&r+K0nA}(b}*mfIU7BKJ8zdm@FbzX+IE`}HO25C#pdkj+
zkmR$5x2J{ng86x$Ki}_&bRmjZ=mfOIYsN{~BVAyf)NGD0urt~CDezm`i
zHF9FID|eo3%(n5!pwb#%s*@5EhZpj!{;fyg`*&a7omqjDzxOqwRGO~uzVi^4ga8^s
zNR)m|F;2j7LZw%sJ#Pmy>0URn{pTl-?7;5Ji<$CC-f78aP!>%;emu{&7yR?n9p^hX
zq80G4-PF1l&D4vPNfLqLKP$0hDolhR#Ie!?zyVkms9ls|AFpved{`U;!hpY8fLH&0
zHoho*a?8MgZ4fkKTA=18|3AMb!LA*I$rL}@TvVzgKARP-Dy^}$j&P0$HjN~p
zZRwfN$59Wjd!f=ib`@1O5vGSEE}Yqaoex_{CxAB+)D~K
zWIerQXX3M~c^|1QBhLou3kvo=Ccc^G%zn#(0_Ljx9OgxE_zi3@AyjIAx6JR`IT00u
z*Fo2Q+hP?Dh@X9z86f0vdbV_jfn7+*Ew>u|cZP@Y69^RY)tI{=LicQV8EL<__UrtA
zhe8DdeevMd#gk2j!k9mk^zGbTn|J;Y1@wo^&@Nsh`|xKuJT8eXoF@Y}b$q&S6M($>
zZ`-5^1ScJLGP;E0-3_}$|J*OKBffB+2?of0(K8`Ec?FARqyJgBWxwvrr-R$^fqu&x
ze+ysDJ1`&ZbuS*+ge5~!@W>4F@_(8^paKJBtr21{QJu$!yE^}~%G5URXj|BOeKmdfr=2?zcWmCVY8O3IxPj1R&iQLwk#D;%^Vzlr9WAmu
z|GgW>3Qv@NVWuTHkS=6V^-u+hIq
z6KhotTwaK%ao7JbyS83)BdYyi1hAeAc4})5ETDrr(W~`=`}R^AA7XE
z&Nutg{iIw1gaET`QY5TeW#$;CKTU~rK3)j*GarvCvUKpeLd>uFZ;wc!N6efyc{CZK
z7x+p3{gNEMTv{IX18S+lmx$?}y}f63+utSPy_TTJT5LWlgn;A}`QK*l!5xgeHYUJs
z#xnhTgP?dt>#z2uIRmCC^8I^$Ac8`%Rk2t;?f>2{2luzuA!(^}9IYypxoZ@dy;3gzNz`m-F>Za**cY1*GGZ5auYo@TGaB(~v7
zfcdZ3;Tu3@2t`8`A4AN?s}=aEYHui2n(Cn|6li{mz5E?3xRVP)m+bej80D_~G9Wex
zO-gzaFxr)2*fmZ@Gh0N1i+!wznV(>+Rd9ZOa*FNp{9mmKB^NZWHpC>1v4ht_2Ee{y!3uB5upB%=pEr`1Ew
zOW7D~GLe;;|1qEP%L$5j_EX<3BNSjIm;bZ+((vf~&!0yjI7$S9Z3cL>|Mu~R5$5dL
z0u5UZMDo6$#3lGu&*315nbU^`UOZSk{UbYRi0lYYs&-l#-u-gCpCWuoN?SuUON9tK
z-}bzZZn%8Vn1oIz0fnn=MRE^5-$m$=-PE@?2!$LCvwL`Vm>%9b
zI@W2$EPNiC@WPJeSv_bfmcG4>$HnKk=*&0!;&7KLgk~V4p6>Ubp-!#evuRDh^6x)?
zJ|Y6{3%KE*|1r=u*t~M~5rYN)uCc=r3^o1uaJcL5BL2jO$J?&G=naFi8{NNf5J&}I
z5>mx~QB3P>>*;xn<-q?l*CgyCl{k7e$A^JfWr@>vD?2I03K9=`Lizpexh5{x15t`c
zuSG%N!l*rlggR>9x3{uVs0uq*`T0(yWKS2+J|$+6^q@BK#&sSghg{guYv|R3;ZJY(>FOf!iqo@ng5Yb|RvPyar>o>-nv9jjZL7_;
z>i1>$baiP0i$2&9Eq^c_7)#2%e6IRnNo0HZ_SOUZap0&yW7Xm7CzbCl1N>*vtEMx+
z85t0GLp{lStW0qm?TjVaP*}MZ1E6fKw!a*3*pUhZICoxQhceThA&&dUjcdIcuVae3k}O<3r%3
zQDpQ5$R`>2YUI6)^A35BKUwgVYi4GGB|x9^^4>1CTT$6w8C_2R=dVW&7A*ouhx+jx
zw!X(QR@4P0|DLs9)qS`zl<%RzD@3hqo^?SP)1?05{$My_ziqw0fs4&A
zp`f=tAMZ?qMSZLs15Ap6m33mouHKshn`ndPBsp2QQM>Fl)_!_{J;N&3L>d8O9$@EZ
zY2csoiaEvojg;lTmfQ_Op_$*PF48Z_O?s03#il&jrNCn<6nzW`7=TYUJIi7nan(w|
zWXQdEA(A?@vZ$`4-|C=|mwNO7%HmA0D(~J!HBZ(CsN_w&6eJ<+e+sfG$hO;^%%D?H
zCCwch(*m84JrM0!S(VMvo_eg1>q&wsXu8N@`xV+_UiBxmOfyY(CLsyqR{gvbF|olqM|#%gF${kCm7q6tuLe2D66~RdSA$GZfT;
zd(W7f>cB^Wc}@T9WAM=>fMC=krtW1y^3Q7mEKmyKa&cfo56!lQJ?}|XW^%V(?3J{h
z&+V@Br00A+)n{eX{xd89tKK5B2PFj06gcG$76!w5F9L>{$C+
zL&PMSU048mHDE>=Y4j@jY)u&c)mjZ?l`eqe@_KKk3We|fY;{+J0!RSH%U>yocm&d9
zAP7KEP%Q@8VCR;;7eMVp=r8^5~vyMgJpiDtT-8%QR)oS2j|9elat;wYVd
ze;hgJaz9|An=3Ks&_MmtX#BLV70c%@mnK8KI^3nlzStV}51MEl#7!np+wJ?H6mfz;
z+>HilQz<>TDch4HeNbwMfU+kycVDT}PC0s55+pz%nbD5s!KgqVxr~2jx$MW#(z4`i
z?&dMk(_yAF+C`VlH`C#RIaigRx0|~jts8-e
zX_xi;_wNBv>_D!HN`3A)O8N-VyT2L1Wj=B?x(0TKv9}Cr
z>u3{M3==3F#VMXGslww5k881$3%-&^GNPdy&{@ffO5Vl%kUs_kz%LevLm7I4VHOl$+tr3;H
zGP(;?p(*Kusf_=qaFkxJ89;34aILr6tp0a{Kb@oVu2X`^0A64grNH|$=O+3AY_>Xh
zFqv-08n;(>+t|kYlO%3Mtl_Mw9c@T?zGp?&*aHxmVnA|_gOmJgZ(Rq(qFo^swxb8X
zJp<|n&{qEd$xJOFBZYz}LT}y#dmWC51;npUVjjJb!A3Nyxybg-%hZX)cb_wYDxU7D*t*GF8T(DvbSyxf}V|ymyUk}
z;Cx~DVQQwO7MtFH2(o23QYz?gDtHLl%^5r@A=;1swtEK+A@7+otG{WhL;#g96j3ovE++ykE)44mk+H*ze***
z`6>A!B4C9(T}9E}IpXXczYl)W{lP0d19!S7ASMs0gl@e$op?Id<_EdKok&GW&&)ld
zBB;K6{qXZyNGC;^F_dL+nr%P7it(r5w^ISs0NGzy&oj4w{>u^C5ASj{SF8b!tLm
zVmJSj)Zvi5ml;;t=;izG`~>$*T$rjGtG1#zV3Mx3UF++)bGgWc9gH}kWedh;*ja$66f$~Al0(on+pVTrJSaN
z3Q*)1N7>AGQs7dKAmrHw5zHU&_i>RtrJ$AjL2Eb*&;NVqg+v{VY{o597tCgtQ0J}$1u+slRZO6hXC
zh~CXEdu1$x^;ORp@(Vu@TVk~YSVoT~Ln%W
z{36=BH}}S@Wfyx>uA=miQQ<*BAfK)opmNXd>4+Xu&Q`m8;eu^XpR6#oXWf_5Ny?Pk
z6TT!&t&?9~E~!IEsg2a)ia{VGh0evuF8p9fu%RMap|!QMNg>%Z`cJ
z__;M%_9h3*Q|0Q^re-Re8mrfU>O4Q{IDX%7OkRqSk^4jh6~j)wI1!b1^Rfg3>v
z(xWBjgW2jKw)-1maEL=AmTwyp9?0V?CTntdty6&qvi0@zQ#?NKpZWcp(X$Rz)_VrN
z1rVtw8^*)=4s1ylWC6*tLXMgcjz2?z{DuYr>N?fBcV09IEO|mJ<)-xXX&ID)61dIz
zmKM_v1-hBbicM8b>fZ5Ixa=ni2>601bQMb(Zo9yhsj{b9{Pq@M!!hY2#jacqYwk*^
z&-aypnqM}=%5q%S>LMVL!|90ORmU=jQsGCs=7pA%tkpXsa<2QcX29V{Vbw7zEL37*
zVoU9j1aP9|1MrCHs(JIP`5OrXs~;bK8gm?jGo`Cl
z?W7Kshb#a5c~PAE$pttAq{d^Z9nqqPqVe)FABwgN02u=jgd3I_ifNQ11+V--YoA=~
zPXi)QF~hF7-b++28TOO0UmE>27Z%gvf!?MP79*hVlmh~8anNdY%oxUaeZ1^O!kKg8
z>8^(sfFG~D<7!E?9qKFcw0^ewRTicBnD>gxDm7O-X5
zeXs3o{-HBYkd}c#&T+lr%t)bOWrf`e2wJtnDxKxMd~{?A<9_~B16E$#absqnJ0UL}
z$T8m!WpKD9;|Qze*qFTvoAoL#*^aN4))*mq6?4b>6(YvO-HGTI1i7Hob;q)9DN+%j
z4Cml{^ZOc5mu^iZ84s4L29?Zbd&K$r1qqAV1Bsd%+-;yiLW8d7*-z}}!FaR9
z{iD#`3DqOTrdbdY1_L;;+b$V0$|n}V*|1bNED&YhS8Pg!-p9fWpUpxl%y9u_7R(J>
zRkw~0-b(RB1Wa+y=Z91bmJ^jyIf8;A;U{4FhjGy!QoZ(*uGnM>wgWkO`IcWp_H7Qj
z@xr{oE`rvGt{oxZZ&RN~ni70EI^MkiXMwa?G%v!gz#(GzoiORHLu-ktKqX_}fb<85
z$)IGL!%0g)m@f$46PNne`{?6cST6Y_*Oo#SAv2UG@w15H(b@&{a(Xz6C#T*se31Kb
zRv)gqbJ?$!`hKd)SnMN#+Qe6sUTi^VIPmsNcke##h%S|{v_qP8nva$s4tFtwQ+1~W
zZkW-c#q{yYCw=5y!^7%8@RT}Qw1zUI0ny6H&E0t5BB|i8N7NB7EM-}HoYB!1XWu)k@T2}lFRu8Qq8(Ec3<
zn;`sS0r&c(u1;zoMamNG5FA{}X)%Vza+|J)c%5>%r-NVhgU+7Skc4_Edg);MA5dlJ
zR6F5@78Y7Z9p5DA083bKot!*|8rkgB)SXM0JfXUnLq!24#;K_ng5g_^8$)=fe3-Ro
zrLqrhU8}HeN?uz-lk(YQJMCJeVXHCjZbK4w@u1)H>t-OUsQl)g1`oMv-@rrFM
z@r*!Njv$fa*=@tn_AC&XaDL)8CAE-{Hjl*^F1IfUTY^*s>%#AbTCA0;olA4Cv{`)D
z887@tBnC8O%x@Q%H}t%=b}^iN*m^1
Aq#)kEz)VC2N<
z`i(ao6_!C+SomwKW<;&h{ETA6;!GY00CN1g1-(0Z&
zdlH@;a=IObUfY&M7bMSqd;0(&I8!QO0vaxE+N+fey`ORs_befC2~wdq`>WG7DRlKT
zY-G3M=|_c)jg7%T;ZC_47gjjon6&L2Ctz{7gY3(hevE}R2+c`_PjI8BA!LNWm&f91
zy4pioWQ|LUQ?6XXy$o;emNQ7;@67`a_qloj;%tF;2ZWXa^+8djI-G0}!?N!L^Z`G|
zPTya~EG`YSk@D|cjmETiZftH2dE;hn59y=<)$h+a+R#LAw9vgvb#Ow-1CmK79ED_M
z`C$(>;nNtyg4F-M*lu4fw6YoJ^
z46({tIH9=+5sgVN&GB*YiC`mS*4vF_)Y{p1f
zw`VgrKAKd0P#GcSH)nEkq>f5%4Xfs~T@nD5T^oeSh7u|IV`UEqXI~>LcLt{FlKRY?
zkDcC&2P`wGs`B98dLRnw7^o7cLfnyBEG;M3YnC6&e+tKa=#?N0LSIYzv?aR&E4(z2
zJZrh@^eKZurCssi!yXjMfF)&HFeG$occh^~Y`Rezg!UouWJAy&1Zcav#z6L)1Az_E
zeYpqYk-YfS`}0O)Wi5;fH2U}96fRUtS}G($X~5%pk#awGtlpaO$b;48ZVIVy`tad3
zXm_$+)O}|-nCsFJff%UR4WxySXW@gGuY=LA@0c8pG)nJiO$7=#n3g))38%P(gp7R@
zA{+GBTg*!CKYX|z|E=Hb__Iy>M%U0s?)j7Bhj)Jk*j7PR9rgi(z>&DO>3xOdFTR8f
z_wfV2Gins&!|^NGVq|Z_rPYOz;%Mx?J$sHUD`V(`(&$;7wL1`=M$R0^WU3kh$DvmO
zhx4!s9H6E9K@P~GEg*~497BAos`k^4mydLyaNgrupnSngPP(7x}P^f|e0^RQSchP7aQ#JHvI&4N$=s*Or&1+@d
z7C*Q9Tp@E3J>!Pu%RvIN2zg8IA*MFj@w98gwMiLS<4*4G+Nq17z5nhkV`75GR7o#Q
zN0@WbifO9KN&A*&_-uP`uL4s?aO4~usV!3Akl?*eR7b>UAs;;Zg5r_S=Aq{!F?Ovr
z-fwU;-QmtW$10j!Zl=RkXLm?=dR5yqn#VFII$Cr2Qz`#8hH~UI#$Tm(C^+%Hmxwk)#a^)p7=|Y|2!P9
z=21{Uon-c9^>3P)Wvi9F-az^%q(<{_w6wR=QB(W1x0~f6D<4}~@hvX$GLK=%E`aK-&Cv8E~Kakot%QCzx%6dQOJv5i&#RQ@RK-o?MVe${Veg8W2S_dpy1v2
z*Og=5%Y;4u)oF`MCQ0z-?)$R%-oCz{mG<;38buer4G(+Wpl=d$5-
z6EmKSP|J9A(zlIXEUT!9es|^mKTLpkelbJf?h<^4#?b%MvUdj?=Tzo_U(
zQyN~Nu#iWW(4j|vzaA;4(fb}Fz0EnQ#ffU20xm*t`P;X7By$ED8^iniL+=H8c@y_n
zTa2Ij3SgF(&CJZN)`$~|F_g@?2cm!d`Unf0m}F0sVLRVB`P#~=acC$Ij(eL;RKlw
z=)UjEC@Cn;n}AN>4GgM~O##*-eA`g`AfBEIpLZ>$m0167p9k%WT0o1?k+gOCuQC(Ax*ts
zXFZdXwe(@s?J?!){pvOi{)hdFPa^r@&{d~ve0TTUQ?OY&12$-{?)&$5GONldUdAD5iUIgb!vc
z3_xnwf|9i;-zlARYwYQ{ZE9)?^6{rGM>pWFJ?I$R(Twd+{{?TwBA$SLqU1-UOk-_t
z`uB?q1L_6_7a;;k)UN(kStAiIwBop2pq;`h=Kao{THB>S7}U(ncJtDA-=|-hskElG
zo_Tf_2bXN34RsYDMy{LCc_5Rm%#Ow1!$YJoAohK{P8}UC9AI#88q^!iZb_wT{_;X1
z7hhP*0sayMLQjt;J3Cvwc0YHgM%+f_%UUcIh;-B+tEHpL8<*6
z&LZB&kM()>x3_cJnu9IBnhm>vj1)25csIpcCYE1VM!ZqF=G2YWkGP|;D^CcQ?4tEz
zZv%VNyLT)<&-8uD@uBpkxvTqN(!KVkzxb2U5{kWrB(~2FrzzY{_W2LCoiE}@NlD$K
zuI&4&-$N-{>U_L1cY+aHj~JFVm`kJk~rcW-2Ed+2Jp
z<0c=_qI(#3de9`+S?xeR70G4#P%7Nzduy0qK~Yhn#W;?lky=c4_VXxC<3<3`=GIo4
zJ9mN@6b+)k2OIYZ>4J&v&qiPh^7Cn!v%QS>X+26y@!{yuTji{pJ9KoJKf1A*I1SB@
z%~4C?Lg!t(3VVzMn3(vdTYf%1^km#FPi(ei1Ox;?ZDU7NEzEWyFckvQF>FrxTs}q-Qq?9>vg~3_GSC*Dg0@E2UJ%qnI5P0U?%go)p;`i5y
z3|2;n%d4H;^)m*-yTYe<`hJa;cTb0*4By8+dh;omI)3(eSD1q#a>itS(e!lR1^J3U^r(WMbUyzt>+47iaW+7ZyfaUhW8Xkt!Si%xP=kg~s>Y
zQAX;3ILiL3EUpo)mBF7K-i{PYVXmfye~(iIUSg(4!a0;zDuc6>zpo`m>r>av?{%7r
zZK~uS{*sm^;S$x9Wbii13y0Lb=B}TzukS1
z9)60~akZ%+cRM{+U0zf`h9tiNwE><
z6&V>ko2CA6`uJt<(o(}=65>~IydUwrN@Tp^47tE9e=n~K(002YTL5>*U|UDWY*yY}
zp)Hzi!G`z!`=_tBjF>@9FWwY@v_wrGD%R7Dwl&8)
zrr7_N2612f`raEshTe9<0s$mS-HSHwy^2Nhx|kqfRHHknyF`HFF!lDj(80o0oB;BV
z`rz=$`H6k}{aN0=#b5jFmjp|DIHb^9SG6_2=8qV;XdN!B_Jnn
z{QNNFwVhqYPD0;Eaa;GI)rU{ZorPU^s+Hu0SrY$P6Hpur?_h*QpFSOKv$2$rl)MS$
znpfXE<{!Bo-It2!q<*+Az+uQLDor0~L}MlHLh>Mrp|
zt-|SJAA!@OHVCH(u3vxl?AdwCntgVtXCz1jo>9{r4c+I%`mkv3<7ePk`qJeUcb13W
z%A_%ER-{VTM?QLk^?!^Td$VmMuz>ng-{$2By>Q8DbT?)mx}5BrynFZV@;^r326JjZ
zi-Jhr1?ywLED8z=?y|6Wh0vcSn+^#*dh}?$iAwYHqc@y>#IByDrLvK>%Jw&I9KU_1
zA71Z`D_2f>H}m447CZ`P
zJ-z`wz@c<4;#XI{4f#vOvxWYwAp(JoXC!@1ot>-@2#<{mUdF>?+2r~VDEvKDT6klt
z?}_7Fq^`*0_$nb+i*cfjNeCwr#c|oV&Gx)wV$AxcAv$u{>Z#R?K7al^yYBa_7(r)W
zsPXqgqzgs!AlOM`pHJ<9OrQ!
zmygd4vbasP5S>r;+D2gVZ3TLlE00z)c*pn^F3EocLw`EC`Tg@}R0QL7p-T|Pr!0Kh
zN<*jwg&^3&+4wPhw00^ZAb?rJ-tn`{Nn_9WH%-u=KZKi`)}C)=$jB+;{X@py!I^`P
z3aAo?Km
z-@9D^i7vj8)srV(IpZGV^$z1X6ZJktX%xKS;d#%XaRM?7t;9O*2E!#X+e>@wH7C1l
zu&Y1D&(?OyE?;g|D_OR|$DfiZrlHfhx5b?x;1-5k9c#YkcCnvwSxT&u%?WYSC
z7BA%R1*N4wT3XPIjKnJ|M>aOC(+y>C`S>Kq`6kB+MW5txRTYMKXj82HBR==zOX@j&
z-|pzE?V+MMS8zfogE2l^jHd$@tx|4(9|sq=>vmnIU}|dWvlL%qfNclwH#6PO32-$x
zGjka3$}3Zc4%FN5aGQ6$?C9kDq-}8))#iu$M{6FHwGZ%%@TrPKa0U(52p`v0L8TlkLPsp6(^>*SO7gy-a410p}Upo+=XeW>(
zq_V}PmZVF1PHVMojE)K>#r(K0qx^3PIliQ6V}1sd8P3t+o=0S=)O=EJb#Po97L*0L
z6SZ|^75!y7E+}wgj3bp!6t(PTt#x%_@b(doxZ>h;zk8l%sugiYMn*aumgWi<5QRZjOY7g=$aKsL`wuopTT1P6Nec_DA%nY1M;Eoc
zOb&km-(PNZ$Ls4?a#pq?q->|94Fr@gkL-!CPqi*j2xfYc1pNz{W
z2mv$elQ(m9q%#^+%>-qOv|Z}aw*Nq=*DuJsGlvru2XsV?(ehR3~s`Y5}2D^
zd>0Uq;&Jw?a=_)r0XJ>eYl7t4y_;OWcdfP(KHdhikss*F)D;%|kALdb5)$Hr2%2Kp
zF+?sv-Vk|T@K;iU9wcEH6DND)^@D>EH|}GI9>AJ^jzMF`37YCPPoQH4;mu}#bB$bSAD<^;(UgbPxr
zC0~z}y&f7}T^_tZ>Ao-DQw~1duv|QCZ#nW(9@c<&F>E1rmoxKiUY#Uy~o0zsJoT%;sUZVJYW9KDugu
zHy&?Ky!8jU0!v!9mRJmpZ5GYcv>XQJQkV~7N8Zl>8s>!|oSCCFm6t|Fa(UWbj;9AI
z(#^s`v0G5e41V7s?$LwdyYgVpC5=SV0N?;lPEObLI`kVX2@P`{f*+!yq;k{+5LCdc
z?oC7l5u0JV(Z&=v%+e6>jF#^2|4D@z&s5HJW_H_!>@Vr*oA6jbiyPY7DjK_6psWV$>otc7G)*OtpuOCVvq&A|~PCm0_B;0a__DG>K#xYjUoHOoahV#i9gH0&lO
zCjGq16^7QkU|*m6mmnKJ4@kx%q-k3^
zKXl&TApk!B)g}DUz15QoCx`s64)+gt%!0_c-UgF-Jn)f))uDm-4=F=I<1~zDRUZBw
zM*jSuTk_iO~mHDEs
zYG!Ngw#b#6JhqBq%^+l9K|+k3a3tvRl<07t>7LaQw%1)LsVm#g7@eIV14Colp-j{w
zXpk~_dV6o(3>G^+acljA&*Y7VUig}HpmOHZkbyt%mwqzoiW@|QB_)-9hP6V359Y}3
z8DG=dl_s|GXiqp{hDL6(K^qp5H$vMTUa0BYNG?x>;c14eoIn()ZT`jk+6m5MK>
zEVq*d1Cj}2I`nmue!Tce_oxglo~M|a?--4gbK9sFE22g)5|2m%KS=WNA@^nK#+4!m
z*54K%Z~SE0(oCwxzzQjJSfjp1{zwvBjo2NJDi-4f9<#nBC`!}pW0JAE)fLBUGc6e%
z1#5-?Vlg?KEa!vVH4@sn>no)?;fWTXp-Fzal^C|Y%$={F-
zXl^GL578>QK-vT76Vzj%Kk+M9iw&6EvX1*0g&J@$5U)D1zrprqS(DBiuT(fiX?jKjIV|T}PmLW*zPSGpUJ-7JcVpW)^xYs@*_*Wip;a}iR+6O~8mj->q5CJ158p}
zh>p!+Q@<{99EbFeQaL`7Zk|H=c5++eIWe%KXJ!`-Oklghv@LG&YN$+E!AGQ~(uRe-
zGVae+!&JWOong+(#`ehWZ{z*Yv+W*-t2gl^Oic?H3m{*3_-g3U;kHSaO&33c2Lbf{
z1Q4uu0f*Doyybb#S#lW#RXqL
z#Hy`yD=9oC{GWY%ND(KvDd3796Eg@^`dnnHJtt=$04d4^LeyCyK=%f0-5BiO57fnO
zH-n+{^(i~LxNQC)Ui+OQjunwbC`9<(aiemG_G89_Z=G$70_N|6mYY7%jstxE+L?*R
znYhYDu&x1DP%`kwE3^#2JPq3V2q?$?R`)6^$jnl6mCmT8IAoQPj4Op5Gc*K^R>rhM
zFx~^3l`qXL9hyZFw>=u>)kk@itP#uR6rA
zx0q(@ySqt7UH0rIzk{GnV+qR*+zmjcxx6m&>-@czkK*R${;F9X4Rau2v9Z!fBwPF)
zC*YPKB2UPyBdb4I9}3OedVv0Yaj0GZ>I2m+s`eB2T7knF6@s{`RXSdaVxeONEnVRH
zuyDQBoCgJtIrx(Xl{s*r8`@*S5r_a_b@v0>SSTqgPY*3oH}1zaB#YYY|IMc2wp~EM
z6!gUxeP4fE!16=4-1$oc>T_(@$OnX#mG9z^3DiP052_LrFv`rNws{ZY9W@tM6u^p3
zyMvP=B810pO%JzA2g_|3QSrRuD8Pwt0H%%d4;=0St)6;leOlUV-Qug{=;G%>CnoO4
z*QtTb4`Aldg@t(f03pCJk#7MIywpTYX>AM_?ScETE%-0|H-cw;?EpV;J8jCDzgjUK
z-o5U7jlw5htFER1MwC;Zc!@c>9OVP275Xx2<iSDxG~}@v;X6(T
zPyWf#2t_`Yc9sE{?8Z4i$ZIN5$xS;Ze%HP-i}t}jVQk|X|DIprD3P`=+kZ22BN`uOde
zBD52Tye^(#k;P3pd>JX2R+*aGg?v{8cu-bt8$^sZCZQb)NT*EOFt7b`Q&E>abnW`L
zmWwdiK0=w9A};s&iPx>3VmQ)ol(T<~j`pxiT}J-X^L_M*IJni$*3fNQ48<=l{iPz)
zKBh~v&~X8DGk!5Pf{{3-SN#DT-scNY#dXmoO3(kvB>0m}dkJ#XmyIwGfz4fjHq{bat8o10l>#PKOE@
zbkvPiJxe&?5~Z!JZNHfhegrD1_RRk2iJ4NC^dno)&0CIsldx_Wv@>%-g}33AHI{Lqd40It0&VI_bs
zAu38-vQ??4d3X1kD0=!PK1Ee{e*TTL+RR7)#f*L#V-G11cX~6lfHYdUI0YO13zE{C9ba|Nx8r@y|dwbGNpv#t~l#TTdXp(#WXv@OH<=QbJx1E^oetYU}S{vb$Onj_(qWeBLOUiA~@=FSuNC;^l-=zTj>}WLR56z
zsH(4cx|txxcG#AcLTjC1>2AgraQ(*vLPv%Xl5m
z?6qtxEoX*`zu|}G{TKYfc7q0`1^3!`RWAj_6?FD^=JdvSQ+CooHykvOsX}^i)dz;$
zfT~IYSh_I0m+7IcHKR>QnQ;DOJrfg5GS*|8-JTkvzRM%i^Np@VR36y9@jP~DUP&)T
ztAaanJTj4j)27(QDCnLgutrHPfAY>i!K^FRXT4_SZ?DLdn+D-yORT1OP;gq&YXJ)1
z*xjXt_5t*;4`#w=;UMKUE^TdX9YE$$R_-)0t8_(F-Wc?V7dtvSDBeJKS>Mnw+TNBC
zl3=t;SIkU$#N4q9L_VMG-{{eUE
zjE{M@?`7Oe{kc-M`Cssx;c;OfO1UG)&9tQqYRH@L+Hb^xy5(^H9Ug%FMg
z$I1vvL-a$o2RAnl);!J{YCX07FiZF|td))@`v>xdgok5TRP7`qx#$~jZ$~8Tcf=NR
zyFT*0ui>67?AHu|)lWNb{_J#(8+uMb&{KwXR6>HJeF<(!i3dx~;Yw*DsC73D4aGt-
z2zZpYd`eT)_jX3sLSBTA&=ge4ZEub`J>8Lb>Oa4~kpdMnE%4SpxgFVW^l7jl*y|%6
z9s;5rUVHo9AhNyJF=2>C-7qdOxy|t
zUufjFynbEh|H5UqtEipfMCnpdi3sEaK7imcv?yoJl(I
z5VFh9pRX5ooGD$t(#i2{P}#2@2Lpa6_}zA~1I~yqIQP(*TB~iiDipEaV(8zvdeiwa1Tn
z2lz~EW_>R~4a^&2ADmQCKF8?dGG&LQHM@T50F3bNEtOB?dhI^|k2+j_%iEsNE
zO=M(|DrA|ETs8tc3&#$~AW`b!=|=Ypi;5to-`L#^*hk9&9z7BvGJ;#eM1Z2wB|
z;#L29J7!NVQLjc7n`zAKuAW4sDlL9)lZ`Pz2ODxu5udcT(tI_7Jv|~h2P#jQvh-nk_9^91fI1LuN
zL(Gz(H<0gnmGT%L5Dp*-tt^ZlwY(&Azk+6Ypm-x4_wL4i{wCS<|JU)JsrV2R5GsiC
z6d|eM&4H}CR^?WwCMr$FC89HaI7>4OueVu6hiLm938(p+3$j9r_&o6;@+k=bGREDN
zsRwl!8sHFJ^zwAxk<<>L6)~V0k7<7ffq;ZW?a`xw$yrcde}~|q<#1I2@pN;SSjw*l
zdQAYn87J9G2q}`u%UgZ<@@0BPtr
z20>Gyf{%KY5h59k)665C$7koLMza1=zlG7}OcyFz;DiJ5=`Y}70u0n0v8$~2d#(#*
zShRi|OrEKK$|Gg=%!8^rHYD}6nG!Yp-3>FI*LFLs1#FP_1{dc
z=rpFbZ2ON!0YY&ojQ*3!1$R8J85uhFOsPJ2=8vWO4MnKef8rx4AI_pcDi?k
z%DwD@nHl3;yHlXQKNjMGP3ibgF4mmf@KMfAvKSZdWfq5@rVj%gMJ%u12Ih_lMXBLR
ziWO@lsD;nAdFXe3ng!_Kp~ct*At8M~3Tn6upurwsi%@}~8_V;UJAbX$mz_PHoII>paQbdkMDbbtL6W(mickp0&9tn>2pnsqD8U_(K0*O5W
ztE%pA&B;u7V*SlVzOfJ5oPeW0T^ULMnd?m0M))}f*e7Y-1)7sj@P5%=aM!}dPXCgX
z?YH@@F1p|ONi|5ek&~lSLjk1)PsYDr#(Dlj1XeMNH1JceKrfk;WqNDzkOfSaCED&l<+)opiDh{{9O(hVS*+
zNudpYnLzAm8B?p_m=ghjM{4D++$8bL#L(d!8HHF0yCT8?{}3umG?+0Ud;PkTN%Ij2
z;H#!lwBDaz^z*!FrZh{prWI1OaoG2&{$)I~@aqC$u)<$+y5|$@^5}H(c3^~J*hk!$
zSX}=sx;G4Xd%wSQ?JuTN0CL-!Ec$$7V?&{WiTZ-&mf>AqhbB~ad6BoQP;^C55Yz7R
zJA?k*oAxU_Pn{2OCe~goj$>0LKH8wY{7EF@HkjzW<$1*#cZ&0-j{GQ~*dRgL0XjgL
z@(mHRQfczp$~eVs_(I19%^_|mZy%2O-d>4WQ?OKtr;oZo|7Ng!3*~o>qWQ&7E(#mV
z{1l~ZJh)rHp`d?gNPP>yuvTA+8!ASDr_pkQL@SZqh+eU}Wi9xu_r
zw5Jm^-ZA&C##1_dNkvK)Yy*A$>qJD&3H$|sl!kr$s6OKeDht%<+b>!^m^eCr&(w;<
zo1%hbe|e1JN^MGLi9AAl04a&uusfHR2W?=APMDn6KH&Jc#)xfjK(!}XlwhdjRg)L4
zFY(cdVtO0L{nVoT?w1AzEwJ(cO)EvhsRJMrId#zZM?)(Veh(@1W>j2U^FRSrzKa7B
zv}r-8TM@j^1L31x3bFJy+FP~6xVS2C>XOwZBqd>syx=?WDcquig1+8vhTKPZsgL^G
zYYH({)jLf0rOvLqoShbX`|Sy5_d@La2~BZ{37RZ+I1)f7Btd~LLbowHgUTImyyUF5
zmS50rUc)CNlY>*oq{b>^FH2M}O~i@kv5;g5JDvPjN~)q0?oAmeU3&n+F_Tk2zT9rs
z(j*7G>mE3#-?>^v6@LrT=&|9=H+xmqrWcGoY9xv4nIsnU?_xXThPxwRQmY2=$L@$p
zPyP%G|C6)SQSTE@Yl&YU^lJ1w@f-V<*i1OLN?kikT!S@d^zdtR&ra`r;tp4xDFd%1
z5&jrN=#%W0o&m_Ovb<{J@Djdo&$bFL;vFn#@&jAb?(;5&H@zU7LtwnVgI*=_Ylw9!
zL6s_H$lx-yB+}QscW)8m$#s1EFZSF*iq7y?h_)XG1_Zes*X3m6zdxHPOQvTxUw|s%
z!S(BPFe!VJmzOLeizs;$ysb1L=k=&=1nY1rcVY`q5~h3q-ZJ40is}aQr`w+4c!sa{
zR=rT)Oo^=X##APdmomT-ldrn$HllTxyov^^*RB2#-t$zt
zvh_!xN}27w7@K)~ZiiKT=-b}r)o^G#kcqqa`>UE>Ec<1kCx*ES5+;+weq02|6fEjT
zLxYln9h|N`E%hNgP`r(Uxk|j73(fP1av#rLT#>&FnHdnF&;e=zI+dc^;2^iY0a3L<
zczn*Ce+2i!!oq)S_i$*NOIw`1-afI|-7WF1{mKCGWCLTG5ma~%B
zES2lmU`!v6aHb2E<3p{4zoh(p9;^GoR?{CH>4$n{;0JK}Y
z{g9EDjpGx9-(;PkfR6FyYp;PpOORh2G3wx*A)TCzeaKyGN|bC(OEkYcC~}R0r!MRc
z9h6k=ZJjSu5oSzh=SAL%nsE(P<1^=?vK&D(_TOJmUK0YbuF``bOG
zKn_!ekkLp1D?0@-hw1)(_wztX5$0<8jN3pmqCvI}R)*rDBiHhO{S1`Gv
zg+Y}V3vCXCqBJbvFT%Nt8AC!i)#Z4_G-&OBxkCFEZvu#%hzBkYr|Wv?x=)j<(*=Xf
zFCc-r!pJCv#FLSvdNtXOSdLt455H+hpY+7pK~!XBpy0V^2zXrrQc{tpPw{khgN=WG
zL4(!`gAxO@sI(;(z7)bUb=gTlsP-C2|D0zyiZA_e6DL45lon`MepIhJgGlrsN6SK7
zJu{)NtWs(sZ{N|_8gt2OWnuHqXtZAwxTJXME?eQy4D)Dm5Jk+KziRXAfR0Hl~Wa0%Ei
z6H>W-1IOj~`2}$yHjEK)!aye0;~MvP*r1G7
zqRZ5)FtX~0X54dEdRB5(Q>fla;KUXaNd}<(-nu@CvDllP(i#DF`3yLf3`bjCJ#QdK
zfNvfFsh=1gI{_4~;D{zV9d(vJh`ph@A?!skmb-Ct^UQUg05^#fePVUBeyeLQ&0<_u
zRlPNo9P&7=76%kj>X$F!VPQUAUKEs+xu#J_2*Ot@-=q^bG`{yH(=Qw^*>s>{5AT`N
zAvcUnZFTb6AXyR}9ae%{37ywPySk<(^_AaXMHz5-h=_J=u>X_1N3_)Yn5mUn;-EtL
z`$96GpW%wiE9OdGvJz};PK2qPD;5@VaOR&?d{Q`Zv48G&?SAxwNm`iFP|B4?3XAvM
z5~4mQpFq?(1yU@q$3V5BYJDiAJl|5v0+jj|DO;!`3`|A^jkvfU4Qw=#v2>@lc_GOe
zUVS^P_-&Kh%wTu+(2F)~S8eASH@`UXj_y0FVfz+?3N4&*Y~gg+b*0=d`i#ovFLsv=
zV3T9Ha1A$S!u}`O5W2)hlN26+9o5fa3zyBso`>%^&0v`M($6x;E9#OD~a)v~g;n?knO86!@-{e_Bhi&L0o)d{
zz8SaX{&a!3v6K1e_o!G7{%9@>bcofaQBcYxfB4WXfe9~){#jSp<2*
ztQUVPEw8*fINp+AHzoXxd@1$^h;&6p1P~JDkg83+O-1LV))$A@(lUP<>aoey)nrqC
zWc3jDcuNY|4MNcBc=_|a!&3^lkH{(Xp%8|#+P#262U;A{$)8(w?nU@{6$
zn}l~419AdiT&kxcjTl+IK)p}?3mgsxINY#opacbo0Xl5spRbE`Q$K))*dx4B=#9tl
zjMo;343!&AOfaVhD$$qD4&zB11Cn;E23)gpY
zTB3Ah&)8Br<>fo>)wM@TvB@+
z7n+6!84}1dVC0|y=pt~`^6SrJAnyQbq9EXSb>5fnFxZ;Ij`#X)+h)B$U`mmlLhD&M
z0H_pDNKjp^NI}B1W&~b6Igp=VO|q4#iFk6)3tTz0o2*}0AnQ-
zo6Q0gWiC{37o!_0E9`hQZdmQYB0B*064GQa7|k`2RSNf(C4&AdZ2k~X%;3_VKxo6G
z!Pa>>ZMM8Ve-&|gc|R0`ZU6ViMjB4@0Z$lvfvcC4bf#!^h{V?Ah38{7s#)
zxUDSD_B$U;uZ1-Dv7jDU>l;zJ4|p{;RxzmD^?ty0QCI+~57fk3qK@vFEKJ0Cg1`H2
zXC@}wX@yU~sILld74c_h2~IE4lV-xNO7gc=y&ff9tocQG}Y7fq`r0Q
zbPrf*ON=j(1&E0I740&iog3Ai`4$rLr;?I&Lqh;o#GdCAS&PFCU8rKSvP2M-_-kTf
zQjTePu@EvUnV3Seq9MD>)a@!oh8>3V0r+7bUPi-}z`Lc4#_e{{aELN;-D{z9kk0ad
zh%hk0j-I+6n>;oIikyfNJ`^fuy1E;@6IdgEmUhB`i}1^|AGY0v|J1oA>Gnk+y#ziZ
zoVA+xuAO(5f4d19Bh-(D(y{L#jxgEO1Qc=HMCIMFOwlqQ`<0cIH86mCeqfW7l;j?e
z%#N<0_wpsfmzeNm`ZWx|bZa~ox|7-iZa#-Yj_S_PdTa;TI+zU*TB&sdKpGV9krpRu
za1QvHTTp!_ORMLU%shpFex{=DcfMrZG7=86PAz9U73Vis4sOSjf}Z+?<}J6@`~}h6YGmKvDDi9icM(+5u{f_xRFK1C$nTt+Cn+klkskylz@NVb4rLrr!y1HI(
z5>K%|C9|=z4oL#~Q$~=Gkid`1`DHxfzA^P
zpoOH@=E4VNnhdz1(wiFL^zY|$U{lxVVVQK$yU>6~E&A}`!-kAEqiGQ4+6WR^)#aGa0_6Z0TjGZ@mQ
zLiSffe<)S+=p|v#jW78AXl!Iss9>fRNlk-NNG!$505gbdKd(T)8NuSRK6Gb(f_tJ!
zyy_mW3~8&X{%ivmImbj#|8w;B?@g6kSASw$gh#lhTSKZK$;{6FjpJF5F*{`-a6jm~
z3gAu-^EaL-=PGwKr;zgx6IFO`eHX#YldUg-Q4|*z4q^WRgNzAC-u8d@ZZOSW3l?84
zyLb0wDRj2_TW3c{PI@x^F1%TDlCWRr$2~_lVIn3pwhTr-N&mp}tzKxH`@(d=uxIS!
zthyJD?99xopAo~(3UWt*TKkAF-Na(en1>RY9>iq4)bp?6p+(Z|`cFU;EbcRAuR(Rz
z8o&-b1GTksW{>Maid0~R*B?`){EEgSCU*G7*NlyWV~6$~of|$!=HKUxTniq;RJ3F5
zfl%76qN=J&EGl0Dhm@kLt<6k+>_izHcOV?63q(DSHB)}^<(yr!sC;7HM+vS-*IPv^+8}qs+hI5q;i_WJFzAiV4khiYoYfE=;-^Le}r`H+l
z89+#Z`%#}ie^wzBJ$NEdX!AocMC3nQ03{_{G&>+;+Kmpt!X+?}Dk&YIFW7!p^5Kt8
zrmsr+Y5x-#nADUKk^Mx;9$nVIjcLXirN>>LH^`;4E$T1xc;nGFq{)~rWvfI)qGV+?
z7e+NkU+N}RUaV_kmboPV)`Z=3;0nue(X@f3rKQH_k6Bq*S1K|cUc7kW^f@Fes{mYL
z1-1~c
zb2~frBw{C>y`$HE*PDJ2pJ2^+b%fjD!v3xf?q0=NL3f;UTy*qyjmH-6W0iqv!~&eC
zlb%zzV#j}Z=lCnXXiGXUS(P??zEeW&iI?{9Ub&qL%qoEH?l1rA3X5AcH+OkFG5akez4uM2e+%dEr3jo
zZ}zR17b9A+l2R4GE8mMQ`7XPjr7-0nwA-&hV1CN1c?qMoEALYn450ZN^}t=djz=ql
zUs6-27Z;nReh{p$(;F;9YTf1gRZW%=%}w_jT+T;p^qKNK)4!sC3!jGwUrim>scCD}
zp(2{c?jB6D9p%5MbA*~B81lR+lBA5RA&|x(6jf6j@KRG(w^t?`aY@^!;;LWc)bL2--f)LH`o#2f%UD%S&*!=}7+;@STog+Y
ztE)V=#sV5>VZ6)nz7yyvx3+{6OFVsAKRW7jjUu+Y#>42F`m2&IFR_%mzCKbaDmf6W
zg{jc{4}JY-pFg(_Hu;CjeNihqtvq#>({?N7m6tC7LKjV6Zv4SxdQRi+
z3)0f;Oxk>P4@&&R@7-X!dDh)Eo-%evNeMD}G98Z-g0L|8f#KoqEG0J>4?{hM*}y9|
zzE1b+c+9VkIzspA=A(Q@3SLf^1xF!&O&qjmN_Hl?xP)L+sad9GN=m)JI(Y@_j^rR^
zaGGi6yNq^iKS0;gf69DqY@CGaHRrW!CD6$yymEyNv{NJ$70pYgTO;k#-Hz@KQnGP$
zoZkOpx8&>S5(Ro~s=LeF^>EL*TA@CAM{I9rpOi_<2OP!hxx`mk~7A5fnme{u=8=85CJ%tah$PuPymL|mw1
zxi;EZ{M3pJFW$H@hjQKN4Q-Dt#;2omiRH@k%E{rNlhvGnfAlN!xs7CmHEYoGv>>v0
z9u7KYW>2VMH#eHw5c46RyM}S=&K)l*j}bXZ$svrSo(6Bf@rk0YKGOO`y0BpvxYW`f
z;4&(>Q2UE`XrJbH+hA{Rng*-zyZ5JRJ)dbiXY%jvassO?0j`Xq%a!mq0)0tm8zrSg
z6++s(aQBIfZfJV{k_J$l*uY(bHaYe8{N{7790h)70uH;v^B$m%0o+@6e%^>H_!g
z-(A_*wnb`nKsutP3k+JzHvVRh+Ei)BapIW#p}+YCNUP~K^VgRLtln%)>!j;8ylAkJ
ziZuUhsx&UH%_24W-E(_w9P`a&gUdtvWhS7aQc+VYWj?D5gxe6oG3md2xeBqeb9rz&
z<2l`Xlb%T3m&q-homoobqlv$4K61Vywfg%<)UZoi^w~25;5d_!k(o6VKy)2Mr~7%;
zzR>VZ)j?V-?C-&(pAHGnwkRM{gQaV@A3l75i4Q!u5vcahpY5=`wd_3iFB0MJ{W`~-
z$;+$6dF{zRE6`Gb0P&XRJluu|r0#L2gV}498)6nHXg?g+S_%1!^V-t)LUN0fzt9@N
zn0f9DR#rWZlk%G(<)hvd)>}qT5L1&{Vo=(Ahya0MMNkvtQ6>KDPGXrQeKhL_ec!#f
zg&PZY#p?G#ehDvLwz+hCb*ejw;OfnFfrk(G0O$wY&;*#6(bESqv47Af`f}PYqh%|*
zg({l?CE!jGrYuT8pu9^_iO@$Z*c3g6EeFMEF(#a+z0&ftdt=z5d22fs##>;
zTs}xLpudOioBz}bh~9!$H~f)M}bSHog|vQ^?Kc(2VYk^(z5G&qNcB^5{`nY%+bS=TbUkB+viF
z>;vkyC2UXj>%>AIFMxM)bo?lk;34p$wm&tBv3>cH6)cv9hNi&d>>((+#DJeI`_2Q`k~%m#IXz2y
zOB_t*_rUJ20&E~v^phPOL&G%C5(zpz8Bdo8#{*Xqm)9lrdhORl9lyW7zy4Sy%iuQ?
zI=GP-U>Y%By>uC}mW5wzBm%D3@ZMLc#sc43V(T`y{&=PU+@rtxSP-|;Bi`YnSXG&B@e2L)Y)
zYomiE%YUb8#ju+^f^kP*!$ne=UD`LG_H6hkWAX7Eenl|Z{LKVjw?lk>=OE4zT*HX@N+VvslpYHX14OtXvmba_zm{
zSOhGuJAivktmeKOFIgFQmwfZN{Ks7=J+#l;EI*(R?=!JEYlhlCh+sQE=4?hrSPlKz
z;#QXVsqQDAHA6S{_CWdTF~m!RvQGo8A@um7gNR>Q2F)F}s)(ux&O-NWpdHW{ZxqbVCVTUQS
zPdtl@X+1qp0ZbE=OCop-_irQaF-=ln%8=)uT#BDCUIRisEi?-){
zLHZJi*)OhN_ekkkguIUSOrBVX&_M0numZtxBKD@`bVFDV!)v`;t^KoaDfl(n?Aii~%pvkL~~d$*dptd5q+VLcgC@zA@mq9tBXV
z|5Wbt^f{P-2eCjI*JDA!qKvH8)lt7KH!WbBEamM@bP48x0!y9~4;_65D`;D#ne+@P
zX1uSW8iTt*qPf)FkZjg>5hX4pnHuN`uc}$L^$(YUGn`!-BWTXKR?_j;5>#2-P
z+peawv)DBwgDB`ZgUrrC-wHPjo9Hzp(n{ThlPY+!t&y;_vCG_$uUoarXRnP65%e$N
z?6GKJW7UGV&#mDj+%vdEgJQ+o@!M=$&Bcj>c{BN1GW)rw@*kD=ELNFfuLI!ae;gJg
zi@BWmFRc#Xl9O{7b1mX3GRm9sAr|{pXuuB(_{esFhM46PSdB$EI&Cm2{Ud;AT%UKm
zuP-)%e^_992yWGb2)L&9-S!S-H|_oHU9dm$O1<55c@UuCwwYTGAI5|VQoc(`InmSE
zs!{)zAqA#6Sn0&2RZ%SwewP}8mF4D)C@5MarW+3NI#AL;2!in&xOv8+WFBHOQ2bA}
zS4SUqae$0<0tgFvOlS2R*NswV{OwW<7nFvO&4QFN
zFR~;7$rCGDzM$m_LqKuj2{lezuRncS&Q$N+^PGovWgSeANvW!eBt#B8nVWw-)u`JZ
zvsGgrD!9zQzHQ3|S8P>@ySvZspX{-Lh7`-dka`a=j3FlYLl+i;xOy@AK-JMDqpnkb
z_#y!GVXnW^DNDuQXz&wvHp+3Q_qD1jVMlvyZS7-~&*+vc?Cjf5!>&S$U1;WcZulFn
zS6OE!k81<(9G~zKD)G~5cO_U@?fljGs>K@~K-5N7@rm!?aA|dW;kvpALH(6xUz{hS
ze0-+vzcPLu*&{W4mftGQ+JgK4LH_2fVrhj-(CQ39Fg>tq>OlI7N^4>=;{vf;m~2p;E0k+4OEfBF>Qz0`Tm4Z
z9F<$ovVhbcOu$-&h2+pnK1V4jZIwLtf+y;VAWzKCUqZ3A0aCO{52pQ&fVj}CpZeC;
z(mc#APAo1O&a^@=c@l<_K!FFdHqK)ANy@$N9iP|sY&Owe3JD8$5f9cv&=(N^F!oKM
zz3O@AbLtnIm@d%zmekiLMDaU+)1CQQ9UapmEl(}7v2(IlV+m7jK#!1v5;?%uoPZ$w
z>nP57FTx-HiBLMa?T)G8!pssQ0yEFhz#%QSIcwecAE1uV*p{XgrYC6C@vggEI
zcGfdm51O3Jo9KvvxB{B;#@k0rTuG_2N{ZM-SOVbDRgjgt1rLS6By!Zs5QkxVG#V0X
z%2}zsf5t&+c2`FIQtiU86KHkb-z1fmkr{sb4-hE?K;-c$U>OJ-1bt$pJR5-`2M)O4LtF=jr|;`K*TMWt6+^a1~#1GEjr$Az)}Qi3pb
zRm9A9d@<4eyRX~P=>xvL91TWL&<#vY^|_85i)M%I1rzuENtJKv1aK4X>vjcFfaiFS
zu8Yven_yq>8C4KPNxtFw28(?2K{5MPK4ZtP?kA*IDTV?emnSPgJ}a@T>_S7~cPQk;
zAfF3X5C^eFSp5wpC639)cLeD{3h=y3VYu)>JfsP`!4&YW9A>exKw6G!zRQn<68F;j
zbWZ8v^PJe4>)G&PbX#+AJ!N)`q#hm?hkI-0-*}jqnAAsV%Bi}^a`3=BrXGU9qM$qj
zH7`!}oEs2f&iB-Z;odzT9S?qx9&_Qgra596!9YI-=d%hH)AO_!+AnpEd!yW+1l*vx
zrZLyy(w|Wb@X)@yVET#JePGUcJ4(ZAz5%$&-5t>Y+pv8XC^hjr)l9Q;pDv2o$7W+H
z5i0OocZ7`|HG!9bI`nt7+w<1QhzYGr@|*Y73Ozwv&%3;w1m>imzzLUMk|#_>djp-E
zjtn1oK3=E<9FcW70xM*hX}h4|TyDo03s+>pU5l}R9zbA&-)9N;3sO3VR8`@;8spS=T5)+Au7#t@T7nLt4A%GY*
z4u7*Bl{E*IBauAvU`9%APAfIJ;_0a$qJn|3-
zf{VBCZ``QcSqcM($=Ez7sRjs-rGrCVM+XURr~)Wt0OG+|U9G);jv
zmx&L$NY+@ECOs40S2CH(+#Oh&yZ>IC`z
z&avt3#kON7UN%c>2Ztnu)J?_ADXC)9Q^lOWfe{ftVcCR2{vW1iS^{Cb&vazLloG}A1Mgo|;UQ`r_McrkzYP>3eG}3H;(Q97|W=Dz=NP4kxZ_RZl)Lub9rX
zQff3DQ5mG2ucH*KBXGk+tT^2c9Zye>c(&&AT6;D?w14|=uW#6$=AM#Q^Fq0~3$%Cd
zLX!e6KRn)Y3(nPw1KoO~i#Vh)Yi8|IP3rgSEtx{DXpCwtl2V7+fgu1eH6=9p`q!<_D)LY&+Y=}of|MdLIBGj
z9c#KcTuJ~rHIa=C8!S4Db5(T-XsIamjt6N4B3nj7W80dZk)aA11_(daj%mB+vn+y$
zHsY}}pGN`1MMacS0IofG62po~rX6x~L)KF}?~8&GoT{gCa%}eZxHmT$x}tPmbJ&w0
zIpjz+MFYTnpguhc{^g23bE?aHd_N@GY}R&iV)7q(_ADqlOsQc38sTW&OVp3-=>h-l
zqH)aS3fFYfLY)^ozvQ~rVH(MjC^z590x~V`5f6n_ItYF|M2zR;as=j`#7moNK!_MXjs{@N5jgjWRy{|vLYjU
zv`9i!Mph`wNC?@9jI5CCz4yvqzw_Pm`TUOKcl^G`_mAgzj;9{)x7Yo;@9Vy<^E$8d
zq?ETEklQ)*bJYgw2^b=P$g#n%w^zKwl}zg*F_Aa~1Av2MWJ(*G$^3VIvHc9;B0UFF
z$FJ_$K
zx>5_&E2^IzURYh9VW^2Ieg>kGl5VFYB&*R*v|!V!^D(X#8eYo-6+pYtg$ZAAV3D~O>{
zMD2~)Qeovce`zqfj9D(@!OA&&%*=y4le!JeS^3O2Dv{88J{L5(xw$l?Jm@>08B$K>2e&(L9G1qyD^jx3|({QuI9ew9?uhJ&+hVaUP!PR
zD8Ko4M*2A<72xv`WzqYtX>4V-GzglP(7D!srz^_z{X6%)sdf#>FD5qe8GL7h3(BQH
z#!XDc_O_;%0_yYz%j_5Yc!;3#sGW0nSG=72Ia^!)*BrZe4Zfd&wHRHNd2^y+1!Gu*
zw99HkVvOoQVodh0yv2oUpN>|-iULF7?t{+AHisWkc7sh40~+LukdSgT9;zxUokr)-
zCxx)40pvSogIZ|NhHNf1Ig8un&E2l(c*BYWl)4PL-*>#fa_H2~%g_T?ncvXn6$d9SkWw=GYbL+H`kv@#=<-lji~g`?@aBv&EefL$L6}cRa5oSbM}u8H43i)N(oR4
zc@Q^(HIlQTbFt&x8b49&|8fD6HIIQ`1>xv4n5>(dbKpgS3U{hB_b{g>*d9AgOt
zPv+V5k>fNzfh2#tT1*Mim%E!1dihc=e>%QD5ty5u#ZX~ApFs8Gsm9cfYEi}+2(F*|
zRw})XAblp^ktZ6+E@3Y4?km!b%y_=hazwV`mdEh?K@;8r5GUt-LV$SibpW@XH#x>tx=6=Izt$n37E3+E6
zZa>f$=5+g6S$X`_DGCh@ru8GhAK?%22B*$urdtpB9Gl)+483i1bhuJKcCB53oPvTR
z5x2g?#Vqsl=oexRd}XO4OGf6gq4DcghHi037N`}64LG32p~$JNsj;!QM<<^Hqu7j+
z=j{I;L!b?tn*00LJ}&NVQ<1x4N~#qE%t^e-=?y|Q2
zKmh+=Z3w`jql@+mCDbi1LA}8)D7O2Y06S}3yTQL2Tk!Za@~TR_ib#x
zV<5Z7qk{y-CEJf>kNEG#CIOhvkh8ZLBdH%wp(s=
z#hdpddpyX7Cfhi@XYw&AgL2~;Vnpwtk@cV=S!f*F^^U1as7O)rL_bztwO^e-OSG}^
zlRh{2J1rpWv?O!+x5;sARz%g2A(uWTz4^eV$p0cG$$a076gI^_Qx^;^lE1#rMo}L+(TPB65Od{iOOfm*o!}xcq3jC+5M+mjY11I_m05`X_DsA!;-}r`bF3S=#aK
z_eX1t@(+jnfiaTFueU)+B_F|MA^X-yan>u2q4EkQ>96FqzyHQ~jr5eX#~T?L{YvXu
z@Lqp;x)#1BatQi_5&1uVghZoVmnQcj#D(>3IrdBmJidHg;2ZM5!AaP!=@z*`YILg~
z6_0A6hz=p|ER6qrBt10
zXE6@mPUEvUd*VDIu8a$(H8iY=dWdNsL?k6`ffaX`_2kLUBB#0Ab?OfL+WrIFHj3{2
z9(B*JkQ6>S_{2x*QxXS??K_xqNL8A9IgDiU2;@cQT&8#?48xVPVfJ
zs;Zs<&jlRq85yNC@FXAGTpU~2{u}EjX{e~>>ts>fU6=o9dG2yiYt-#^_$Q+
z)y;clM|8)+Lf+C+aC+L9_w3o)5ze1d>a}HMkM~lW&`+CkS=-y#oMdK>e*XOVQPT;y
z+L(&BbarIlWw#)24#*}b5;z%@he>eZzlc~Cf-J{zcv
zHz%Km8-bJ4;D-AgyB5Q_v=$}8cyCdKR9L-+zFC!Ep2xWOmh5WA+bq7i#0&
z(@A@rb{H3|Sv&&AjNNZ-hs@u-JNfd>n`db=(n^*6{nJOx>(f$(ZtdN>{UvbEzNAuM
zUS&`@$mHr!QdKQ)r}k-|?EMyOHAvbqrv){T&ks18hr8bAK<^l5&b!
zBVLYcX=eKg{t%C8S2}RLL=Cok1PcwgGV<3PT({=RB^Vcot*K^L9FpambX&GADte6)
zZ?a=q0Al0rql+*ZViIY=YgAR`o@`$vsh934{Y9#j)`G0$S==oX6D%c*SXA9?0T3r6
zw7sEK&ce*>o9{TVm(1@tz^lGKVKh~F4jv3a?qm4c>i^nC6J3foE1m&*Kd~)sC1yuue
z5Ae#LeEW6_rj+HwwKrj6^JXNvTDN?0u42Z(dImG(6cht;@;y~TO|af3OSzG?$8niI
zQtH@G2wG!&jiS5zFcBf2tc@uC4(W%lUtLr5@{fAW&T>MGj^pOpj`sGx@$oufW4?uj
zC+a0zg3!tvL6U@0*SjHA#~O+uqHa!1nwozgc5n!{M0EvIvAoZI9>U_>8Kp|nq9ndG
zKX{LDE)HFb!0^tF@XSZHjTy$I*>^YJ&cnufJJsmI2g4(kDji5dwAf
zjM<}|g!Bqse37>D-R(3Q|6}zk(QfztN$;4O#@)`Qip*N3M@Q7OgX@My}8}
zPIun!`+hdiLEqMP-}3aS1GI$BdjDo%c+S88^;cKnfR&Y#r32gh!{!OJC4S>hP*-Cu
zuT!E4y=TvCX}j1=b!^OGZf@?gGuw?bD?srXt!uHR_FN$+><6_b<;15?6|yafQ#D=p
z{~~hL&^YF@u`<`ma7+>t)YSa^(Gr$FgF`}o&JQi1U`sTq%_C=&Xy<+T!DaDA%Jt0W
zUHLiN7H(WKMdG!*r49Ywacl4)AMA8sU1l9Ndd%av=gN^)S=fEg-yAFNJx<~~7!
zF99ErhB&li_6rC=uuQuKB~V+I1;fXW5wm~K$miehs{B~dS`3d)h1-Vl;3mldXNT3PwNd`W2NiioxM4H^YzW|B-#zb9u_59hzTOMA6RExtkF
zU-qE(TG#Vx$Cr;=iNwS_0kg|9FFFkBBfATGhH(>WrbVj`{XG0!Pqj!!Mkd2;wFUGe
zqC$Pj1K=@)fwnjETu;ZtXvsb)d?s2Ih?tvE>#N*?x*&6vNLz{F2y4wuw^g@nEAhwy
zN{VegO$X$2*s*)+>fVR(52?dW{N&!fb7+jM4ip`ldnKN6_FzoXrE5vA>xXa0mF?R<
zz29hwxoKkY%iXRQu*3XGBXx@PLrTY9e^
zl|vxye2bHfneB31$9DSJk~PoY#Lg`ib&RuqVYNQZ$hGsw4=NoUP7oT?Gc)lD*0w4<
zw=f8M+uGU>AQiH$)ucHy8c<39-=@}rtAB5AufsPb@QQoq1}ci#zRe?b*b|RArd1p8
z)`(WtT#$TKguZ!GzOkB&!9da%ZC^4yHm^yo4r*5^*YEqrF50l&o1WgVvaV(P`vWC*r9ef?tKeX`^N_V>nv#O%MED%EEWK~AuzUyXH-`AR
zTU?wJA*<$BtRciU(u!_W!Aj+lvhuf<9G1;Bic`FwO+Lkx3Ye;Xc3HfNaP1ezMz~5*
ztl+~)Z%zD3TO}m-@;xQZ&5sDjyyX*5Ji4<10dZPsLa-xI;MNnX?kip2Lr$J>{?YK6
z8-Mo_>E#LThJtw_daBjB76iz~;?EgYj&Yiy>h++=$X8av^^s_1Ll_~GqA&Q#lhqUT
zRI(Q}njy>kYs~&1RlH0ct+xvMO_!7O^z;}64gGqG*tA~XU}I$!XCaPlAFkf#2Bj`w
zC6f4KDc?qv
z@}>kXNSSlvFXopzE&}(dgoO&A5-n&i)_pb@$f)hDnL2{^fvh(A{!||N7!_Na`QR5F
zst)zMIMx^qOI|->67O`|q3@Os5M|y0zTAf^Oi=v$-kJN75Lpljoks~qG0I`Q&k%?p
ziR+1K02_w)akx7aRjJ%$jaM5b{!6M)zZ%o5r@n%k`HKRFg=%Zd-o_4pDOt?1?lDoCE79Ti#*#3Gydo0`Rce2z=
z{OlFT(g4S@aBzf#g}GuoT)c5Z3`95?IXTHc4px>a1mb6V`#~KYi!)rc=@}V)5jWj^H}!_Yad!3xNWi+Ag2{68pAL?_GilYxZVAhwZ)s@(m%J%EJw-;
zgyFK*tL7=XFC_+f^smzafbC@NKZMZ}96&+Dniw3$K
zi*tf*Q7XmTq;V#%?n=<(A0OCt!Q+{e@~Kqcm9G4I1)EDp1CCX9mKWKL&^%}Cx@jW3
z=gJOGqXCQ~{_ioWdv?!}=i-G6b>go#myZy^
z;BBy)ClnXJu8VB8BdUWZCisN6N7mIf<2PGd?_gS+QDkYffdpK>hP0a%mVp!YVx@D~
zB*p{f+v%2V5-_?lb<#u6vaG$`n_fWbR^WlGc(EHdrLt6$d8Kj
z#}c=u8~QZhP)01>&8|Q#3NACgNLiVGyW@3MwW+>DN=Q@UMc=@{cz{{tF*@ID+^_J1
z9i??>$kDKc1$Wk=L#sVihWp4kMPr*Fv_)WfqfWq0iL6){S`8tDNrOYdDfCLw(SbQS
zztP!)pWbe@OPAQa&!HV0J~(&{6ex;npU3yk=!DqKh%S2czhm3y+*&yoYiT)&f*3cI
zdL9nOz`)8xnlzAJaIN?C^=aMt&9=OCVY{dt{(w$1g?&3oTa0VMd;#>qx`(Z?iOHJO
zDOJdh-c{9e8<+u`#!vr1Y5kRNcGnC2^_`7HAU}%4X%{lU+q1n55bxRrQ;6YO9q9PP
z%x!RzmYm4EMk?!uC5HmS)+fcytz-x}h*<-ARxA{%!RB;Sc
zRVlgc?C;$>B_ssby6OVqeV*D}Io77$j@L8e%bHN;+*mf{RU{Oj{U4bLal)KMKlZ}h
z^b@!)2*Fd_-E#PxFSi-Y|JvFe(wM&?QAutb-nEisR;
z#78JdD_{G~h3gob93ILf5kjd5q{4TQ6UN5M^YS&Ip5K_!ZYg?c=?f6z*?p
zYW5Xf&w_+7u3nI$s?zJ@;@B{E>XU7i4+A-Qw2cl+7yn#Y)%gB@Ebs4h7jSKDX%KzR
zuG`2lFnqZ>hid$&Mb-QV59M6-%q~}LuIrguD0QVuMB=`pxlVIVPR^Ua;oUR$`_K+b*`Jg!fAI*`$@$3XJ|M8YHv!1d00)Vdr+70?zo_-%BC#YIa)fp(S1%k?!g~wzrcUpv-9BL1@-|0fOG|k
z^-QE^yt%UDOt}EWXCYJc*w@$Fm)ZxNz7vKRLp%^iwBcyd1crKJx?!f9o&~x<2&5qJ
zL_@R&sx)=bY~KA1(G#Qp`!0GvKc9S7HojqYxu@lxjZMuTX|^1Tox67vTng_`cRtI?
zqCnf`6gztr?nmdi`Uh#&ry$o}o?*NI_;4ozHgqP7joUJE@g?5?%%i@bI^q&$TwMf~
z4!`rf2#SZj`;uw_;yCPx0#T#Bkm)gjEeV6Tg3h+{xo
zLKgiyjnKA5#pXrtNii<}tvU*XS=>CDvLOXxHf{Ao5IeB?Uht^u!>&r<=
z-ksax>u}g1Xcz7aeykeEob3BGP;G8s6buaOBdk?f`S^VI9sbGhx#jvbU%IvI8v4Oi
zgX816#|_j&>Y{GOnbe9=y4N){_&yJMX5VtGepccziFS44=_brj575-
z*7Wa$@Zf`r%?%Dd_q8~m=$8=yUmL&9l}0342p(}+nv5~r<}@`8wM<(r#!6qvzppoc
z%?FjabKs76Wq@-6
zJ(`KVy-77O+uSrXyLwVIjKn$Lv;)iiBWjD>Ju$6L7%Jq_`6F<_dDh8lZ#n2?=RFSv;sHNFZN&s0I&1
zj=^bMVf2;!_N4BJ@s}e|0;4}`E*2X*!Yd$PJl*MtDXL$0{&l_j+X$2K2o)tI8ca^y
zcr6SkLgw>iYoOzFEr$Jxw)me+|
z3=9f!X#PzwtQbZSaKLrlG>!C{|Bo;hB9u)Tp$}0pQGw%BJ>%VgC$PnCX#+wB`T>B`286>D3``+#99)$W(l!i%C(x1HT
zEB|QbYNz%_%^y$pb-Ge#i>9g?EcODinUgdZhx~XFD*u!cHlI_{wNI0!__Q#Qdm?pp
z`%(7IEp=ql3*OlQ*!{Vlek`;AXuw_kCs$aejydh2^M4xi;>=k*z^nJBjJW{77TXA-
zrh1_C`xz0$S59du#zilxf1=ALzfvQbcQ~y_l;hb2@FAcxwZA&V3Krl@dnqKL3mgy1
z1{a2vP)szo8q~TD^!vZfyV>D=J)R}mi3&^f~Pzdh8@C0?UaL>S)cJh7zqOiJbHOw
zZvRQ)A&@jC{#Y4;{Ev*{&V>s}NAk;dXkakyrx(~_BWX8_qb>j24&N^qcra6WK|=yvo(6N3%Nno${v}7}7aW0(7*7FV;Q@$u(tW&oMHhO5
zumzeCz#WE(F0^zie#J7SBONyk)qI<=CQ2ByLZ3+hZ>x8_xh7im3BA}cQQP3Y(nQFX
zpKnUY0=N|k)v!Ixijk#0#ovGbZRjahR>}H1)v;GcXM*K};wu?Upv?gqGHXs^M1m`7
zrwJ<+J3@_k-)t94a?H#Bl4HS_zs9IQnMJ{mKJQV-<*QHl%O8+bz|SM_l3IOl?#MW@
z2gtY#@B|T#)BM0}Uz)AEzJ><;k09pePNi{Dk%KTSzU3rnU3iv=nwkRWUghUZ>r0`B
z#s1Be|9cX~*w2oi#GPhE@IO(bIhcRnKU}Oj@KpW(aseD5c6d;PK%;2G8A?i$n*ExT
zbSLXH@`sEX+k?(ajY?D68AiA`gb01kBKIC<78dM~AsrCJ*e_EnkY4cD{U_^t2h^~~
zDX06NP>CIraEfe*H;ro=GiypCJ&t-tRUf+N^%YXkZ$;?tMuu}ngtWET3M$wB{%I}E
z*(7-OtU#6^C#Ri}alr4H7Tdw@hhb#G9IEGZ*%qREm?}3F@9yHRTwisXg?~bfUH5W`
zlkL|*RBqZ3#{@**SN+Q}GJ~hDiFKV{b5X^KHyyv%L)AMAMSRqV?{ICMQa%Pn18P#~=cJFsX
z!(z`fByam&vfJC7`-d2NEAeC16IzgmX4W^zWgY)XimCd^SL;RTIufa@bJ&Usz-JX
zbFVx`#FCqn8bRD*M1yU*ceao1_`ClN+T!|S{Qj86N&Ak!x6K-;P-}W$eGa}!
z;h;C`yUpD*sb{pvKjYq%5OdE)fioH+D$dJYT9c95jJsQC)kf-X_BU%ue@QJ3XLwg{
zpP_w*BMOTYn~*&q1X(f}W#yy0$nv1lJ@>7GjI84#j7GpLNieS7{hWRwU>_?LRn=?d
zCZnav?Z%Hy;xaNvWA9v{gvJsZJh)4$s`yHabh0-d{g2KXu@Psi^T?z_{E~^=gTBG<+s8N_-jNT>;lD
zq8ekoT;b-oibGUX={}>QcF?Eu!TcH}c6md#mEmv=z1po?SvmnQ6VZ};J{s!Jeu~G&
z&d&Jft3b;i>ct)>E-C(Oo3Nz?G4GQB9Zi#94zZ@|2o;_~kt6Ev33sYFQm!cIDW99^
zW`f$CLZ*oWOkPrJp0Z*{XbM_hKQil=Ore$xqYgfk8X~E!uRPP!cb5WAJHN`$XLxzq
zUBUOD{$vMj)eGjEt>TSV*UyBAy_GGKl{smBdCZ<+%z{LslBJ)D$_Fm-bXsYrVQ``+
z7wEwtFYio2o+1Z%2UT)j@|K`X`AuWC+;&k
z*+DbKF{U#LIqJ0E1Z%mL_G8h4o3X#;)`lFgzk6C%o<1#wZouVF`YLZVlD(fZZenVm
zBT`1@q~rB0bFzA=jz9{A@5FSxy~agr<_ZZZj%>l#-Q27BEn6dql%pjg7AJB#L>su8
zNj~35jhH$Hbo*rTNBcbgzu~H5j=i}#>GIB-i?L-DH)9DOPuFns$;+ot2RY{Ew4nP&
zwwrwA6&WqJ`uk^;5DkB)o|uhwvQ_80@f!#fD>0qOZ01o%`TVzUkMq1ebAXzWk6qir=*J;*5q(|mc{p{RGWO{C;Wop^k-DWrE|YA
z_M-IGde2#+f;DqeliIac8OBQOqT!WOi(?BsplFmdC;Ni6;5|5a$W=Zg{YEMUv2s(V
z(aaevT3g9nUA|Fja;VDHU^{*0%#j)OLC3kcBMeduaZ^=7a!2RM)~Zif)E<%M&BRPqglmD)ZP69b|E=)3(2=ej945iZl}*yv0Bef
zW^VdE6N6KGU4Lp$Ub{FAk+;F`!lmmIqKG-sx0V~t+Rli$c9xY)U*hMlO)B`^Pexwa
zo3nRV^7)x>)aPSvy*aI_S>bxrH9k2s#eOYkSN%cJv@mL_AfIa3+Tuv3M~WS$I9Cy1
zHQF+BN>?{>DpGl{`w+)9uRy8si`e(!XD#?rZ=8*Dak%MP@z7#Il=wzHLdN{gd@acY
zv&-AQ{jX9!=y3Ja1Y5HZCl?w%eOh_(4Cb8J)jdqs{yx!8)hsBGppzA4m?~W2S45hgJsL1wO3(N&{
zyqe92(ktHZJ5KLBtU7<0j`yv&zCNRjY?MKNS@`|hgW!!FX4^9QNP^ns4ab_XIysJgCwprmH?@bZyAPxu6W_w^!$zVEx9
z;!X1upGntx{#Uk4LyYi-V+ry5B<0fpsfvj-&$7`5b?AbeWcwgyH|(amzNCUBJz1Tb
zm-nmKla{DxYfXz=zaTPoWO-?+&h(9mRj)bJznrq8b!BAA0Ucq#9hb8LBB>3BQL
z{}z_<>b-lk5MSHLxF`?g+OtQWe{_1bPTcUT(;R4~uML+b)9ojg4$=5+wb8<@;Z$VgQOwwrPW*Xd
z(qcA2f=x*H+Tg^|E^rJgFWz1lE*?XU=ed!-pOlmg!|xC11>^<>)Z4ooWNe=!WTNF@
zMg)4TW=Kq$Ip|Sd{0U~!o!~6^o{^3PO<{lBzxNWFc_S6g4+f~l@H>Q)jNYo@K
zY%=DHoo;(v-j(z#12XlIGT#BrxICEZ$mty&Rd}>pWvpR0!$6|byK+yuT5!5TvzE9ZZXTQ9FN=maU7ZtF{ULMEsuPSbfCh_}EX5r`rU
z@Zv+9n!%c>j3eQuVgvYi`@i%>+gnN(E(!;~dL`4AF$6j%Ye@-(<$&kbDk%;3#_N@p
z>XkLkSc{f!$eTA5dpgPmYy`i3yO!-fQXf;>|DzbBY`e^vABPZ>9yXi9TIC0%Sn4qc
zte&iSxZ5R}b8G80Hq}Wjr@ki@Fzj%I)ND-%m#2Ep-P#l}4U%6h{dl>;L(dxbf~r71
z)gi4!@B_)Q7H&#V87}iRgs>BrX7X$1i)-NFoWaZD27CN=`SUch-ycNZD>`=s+?#Br
za{24z_x*`v+h>DQ__@=3d=Jp{Bf$h$OHGuxA8U+TG{3Ri)8`UpHR14harcJlVJJL-
zAZw_Uf4?4lkQZ4Np#nygIxy3-28*zEX-a3M&*ze$)fyWy@nUP91Dx^p{!XC>t3(R7
zu*k(RkP!B5Y?vFZTd=dRAr;x6U6A~U!&KTOvX#CaKJO_;0&bYjsR-0>=4$waWl<(oj_hc|sl0uf3I%Ta71#n>M(U<=93_Hu6ZOQUJ=Vs`rX$J~#2xo;FyxJva;?VnK(gN$NMzbX|4>}tDMCTT`Fg`ALR*R
zwJ|Zh?&GhTYj5+_zBn+FsS=?d09qM`4`qjVl)|(|q1dTx>qMAu_S~FqZ=M=`bd>Yd
zDdtkk(|$i1XWK*nyLR8{>WJm$)9&p3`PxbGH3!MJ>8`$4JTqkPUSBb;4kWv$LrM+a65lo(tUiCjT{W*s$_N4rCg4zg3{(f#Aji
zIMWRg==VLvLb#WYsMWI^V!!$d=M>gY*mcoHXf^y!Wq247p)*{_=B!;2(4j?=H5qkL
z<|HRt3PmP#<)&T{W^cp~QmaSD@G@J%CU!~nbnyDFojYIglMhs;8-AQF_11IafWqP}
zlVj_7vSq?XfB0k(yI$g{ew0V=dV8ngAm9%9%a`4YR)_6Wqo1<~3BCFCO9f1?rR<8Q
zzM>>vp<4I$9b&uFp`Y-)US&DvtObYh&lO&yN>dTBghG3me$y|p>tsvB%c+=jWcvd=
zC=TZ}*m=<>fCQ;5D=Zj~Q&Hu&=Guv4gBKOE^5A~|p2g(tDM%iF>IFIZUNSNUU+yNV
zDnT49Y5GHl{!0F$9;N(SRaPpz`zw^%e~M2b-Ja*oXchmqxi%2kLu^TQZ+ZNz*VXqw
zZD3AM*gdp2Yao^JLMI^SMk-D^othfYGg_WYknAPGbpB2LNyo);jgA&t?y@Vf7mRiK
zUcGp64%m2tS^LtZn8ia!JH5mlj@(0NY^E(h-3UHz!D{0Cf-lh$P9
zTY9
z!U<9N6h3A@duu0xT!M^m<76j&`TWp!EXE&KR<03_0Lbt28w*`*`UQu)4WNNo-JIM#
zSRGn_|M_9gEu{xLoG}i~UNoY(*z=yL=?D{f=^e6nZxTcsd7lSnTlYj;&RDWg
zCLe>{CmwpEn)f-4W^xu8@6h=`Gdj5wxG7ttZO&nSRhOgXl`12nY-^T<_`=Bc;|Lv(
zXqP1FuKdJWkNfuaNUo#=Ox#oye{Opa>wf)A8soV|f=hzr@;e21*y`Phpja$tm}&gf
z)s(&Ix_AT|k`HjIKk#D2o9Ad%sDF4tN(5&4Y3yBqr?RmZ7{6F=pFvpWIjzQcQKpO=
z`~~(aae~sDf`?0a(P37a>7FrhVnp6WcwRG%0BaT-;ZCdGxpSvIAGu+H0UhHvsU|^j
zbS<8=i-#&O&Yk`B{dW3aW@<&&CP4;z?|*sX{1;tyvBNmE>4wFHLjyB~!UsuxzA%J_
zC%~2TioWNjGp5VW<8CDWpqIZNzhTi3-x(S*u#WuEhP&TX(bYwUljJ`kbJl9@!_>r;
z_|rX0&bqm_^zbw57;?kz5f1MXJk8A9S1Recbh1r6LP6hvuH5bT?hlM~bgd$1&R9;7
zFlJDB{kVOFkgPdtA{yUCk0{7vGw*7F6TA8EJ>Sp^LNI!lkZ?8q_F>lwl3OjGY(ltn
z$_Sg#qD4RZp)xY>Y=}_Qc^fG2lxUbdO_jfwf|3YmPSB^;0$1GA4E$!jDZv
z6Ieyy%Cwz*gx`*wn3y=~3{7?DIjSZ>$|K%$w?QyBaUD5WHGvK6A;`-+tM*o<$Zgey
zxO8Sj#M?k{H|l3f7vE^4oS&91!F@CXdj7Yk4LNJvrV1^*@7ZO7TzMsL#i8K)W0sp&>^{pLjwo`TEAPFGXvpzXbs
zls7Hkm>j*FpoyOEj6*?SU?As#ohKjr_*hr{^&&(Kg->4#P!gTY$-8fwXYIwR-1KEf
zOpLhWwEJrn7E#S413GDvLhNgOqUnz!^Ru&ih>xl?=~BKkk|mtE&I_1h1>IBO+_`T`
zSg1E$CxffQ5=0rk@jj;|8qhC4;@vRWK63W@0Tq0Q*1ydYT(z;e=|{SI_g2g8bY)@k
z__ug1S@&NmOjF^7?-wCCM7eLD`F$S4CM5u5|A4M}iGNQU&c@68IX^Sg?y&)#)dP2+
zd5~*f&oL499ppI8OAXM2cKZIWti{N2Vs^aGr9y`cLQenU#2ys^Py
zbi@1VVP)OAL?>##z&g4ufLTyrKy4=V<8WgGX;c>vqOIe)|^>|~-c8P^it7XZ1EWR`P
zk(KY2<_fg???JX9_!7JA^u!64;1sWJmmB?8S1s1Yf%%x1-j7o~N1r<_#pNzxcNB
z#50A{c#Og?HnAl8_sgLNwRdCS{(5Dymy+)#Xo8!Uwy(wGayMg4mBDH?@HR8E?MlCElz`Jr(3lHq2)b%n~s&@
zR&B{6QtC{;1pJl(?;FR2fPD4$_I|_EBD7aa8s_SFwDRw(v=&PT!;^EaPCNz*@@#0F
z)p>up`qgIj-EN9*_B%62S>|mNRaAy5m^@)rKk_0n@*!3e;Gqqt`}w3u1nSB!fl)0Rh)O=>}jvc4;QCVB#JD
zPuN_`0=|R+eJPAyaFeM6aMA?ePZuR#Ts>Ho2|7q`lw+QN`x;?z*lgwwOYo03LKM4i
zH7BL!bXj*~f64C;`!9wJ9(k?mcscbAkIiyuE3x(&n)2t)KJ!C`qOMCv-Pb^FIG>p!
zD`Ok+?wt{u^XEtEwugI541a&pdo5}wHS&bE9bibqBL#h&qr>}Xxz7O{rlJz|l%@k4
zy0um5>(>{E;7g7|@&IS6(t$%hz&iAHE3y&^=eW7e{UANWt^48;X&|3XuSklfg{BND
z#WU#Tc_7qEWA^CeO(`v@m0kx(+J^<7@&k3x=$!goX}zHd5)cK|3n(CiJ6^V~E;u+|=H>5maXv!*BAc_E+QpAKM+u`IDJ_8$q7AMd~l4HB)+=N>$8nZk>LfxqrPxZ%f{
znS+SuMLKys244b>X*5-1?Po
zfQPb)CzWi^hZj@f|BeoJbxD01i;d@mn4a~@tOp3p;g287to@}|RaVwDDWj&U!r*e!
zj*S_gYd;s$fG{yQEMsWW#vlhRgEw;~dAm9ZQ4=SkAEB|AUqZ
z11Ld3CyFtTSYh{f^b!ojFG_8#aAGp;yC07fsPzNze9KQ9c>$)X=XQR`DWyN{*;!T{
zVfYQO6RSU`0SZ|hPyPLIKn>6!F(H~vbu5DxH)UPH&9c<|_PiC*pS1dwZ_LZ
zNVkHUfU%P;yOQR6+TOo^`}^Z%w(A*e>FFb5O{OB~85qgQApNZZN+tX3P#v!w;f(_V
zKX@e1XJv&mdkXFp-@3Z|-<;*_v5Dl=`UHx&Fkw+tquPy~Qk26F+RtnWO1etbJNCFM
zr|Cy&XIqkh)+FoXv=f5PKuXwfqdd&aY?74r!NI#X^iv~*r$@oow*B?l+K84PZEe0o
z)xsvNj_XT>Wk2+w^DCEaRlL1LTUVz_ugFPN<&0iWAV5*HGBVIkBZA$#!Ay54YWDt_
zn}6!|5^6<8!fR{EIkSKN{-Y93lSMSt#rgzT_sw7CUHb+{5P2}9l}OLMaDb{xiM;gq
z$&)YejO|6VciX=_0*a3UsrAd4H4)lRO$o;YE$JY}H$YLbI$s_0)L*h5?nTIf_o(@V-FzhD!e9us1ws;lreXLHmK_
z(>T@zs_&chK5L%=
z6>Ckz>$znM7LR_yQ7vSUFlnQ~8@KGF3ov_=qC+d!lu#luui%btUuvF}VQ>+d@2}4W
zQ{;v(A&a;&z#f)hwr(&R6Bl1US0msKtmqWL|L61qu#-GuNVl7oN8jV^BxDW}EZc&w
zrD%toR(S}Vh#{0Gu}ifOC_VBm!d4{$W2UzzobE=J`5lI0n?6POib~Ijs#fafJ0I%>EQV^TlAPOVZ6u`w2
ztn)Q5@4(SXf{Y)CIYfjk5B}d@EU(8P3_|UV7_Ka;z_hLWtP|I#a^CCa9a4L+V->iB
zoOcDw2{oHFdqKFRqHX1bIr8cPXKIXyF`~zs5yjApyE;42HP^56`x8&dGLjG>^bjQ8
z(~5;idItw(szWHWi#^0~yk}c(Mj)Mq{G=EW#vkF=>e*2)YzAhP=S*govl`A0w3VQP
zh8gRc&RkF1A;ldY9*1Y==RZ3NVh|j}46e)-RTt!93?0R`3hdD!jAiyYvq!^FXkq8%lneNOb
z!(71xB+2E!e_#51`^RZ?WWi?Hjc)lxsOzpSj6fHZ51PvSckg~WccW@>dRh+4gNH=^
z*!|hvvMX;QL^Q4V5YHJ)O7Nf(oEP$-Eb>Cy6ArE^kp|gUBZQbC(2MxY29P1V-2YK!
zC=XX@oNO}NwGTv)-aHLdqqlb)AcFB%8LUGz{)1>^PQIOoEaGgkMZE~&wtJ%~QJ{pR
zwWOp3^4%SQD;|{RoYkI9p>T4vn>*<=;(-
z@q}9*W|-f3$x%bmi7)kJS2TH6&8qF)dnvndUn93a30hcPd_=k5QBKBHMA^njqo
zX)yjf7i}=u@70}a|32zRliI(r>L+N~Dq6ZCy`^1|oF?U(!xQz?C=-u-M*H(aIP2_a
zy-R)^Pb}Q1oS1KvuKhtXl_kN8%^l+E`c-9md-?(c@
z*8;#Bcyl({u%kP}*d5Qwu9>n2!M~IDlj7?yR;+4rXbODGwWAfWI~^iqbsO%cuwqcHW^NUiSK!D1Da{i6aGE;RNZRZEC@1__JH*njA5A$=0
z^G1Wd%5Dy_Ck1wqu9G0KzA)D>`{8oz^C)VR4THLG#_TCkI8@d}twZlb<>WvOKFxOI@qS^F$b(GS15YpFL%vTIv%j!H?rhbGSbCcaCT
zs_?r@+6`}9GEX`zEUcBH`4Xx@&wS+D*VI7P7=&~=z;1L=v+oho05B_#2!3#HGQ7~f
zJXjmCZBptz^~JKy3l$VK(&6c@nBBL=8Y!@w=T`=5KWNqpm$oKpaDGOXLHOC@Q{4A4
zMHOe(bPK)O2VbsVU0uj;C~|Ki7cea>RN}qYuPkKM{vc3oY~AUw?8#(Mn=XHTD~
z%D%>3nt)t>Zct8ieNhzVBvTf2M$`kz#p-x+38Cc+`Q^sMdK(A&;(j7~Z4jgYlEvO(IJcNRQ@=Yf2
zIdTo7)uhJMa7WjKrQ_AbgTCS1am0;q@kd8L`Jmsm?0t`d;g3mA(Fq7n9rfbS_^Do0
zAPg;n9Z+s|()`qU;nD7_yI-&6-#YJT{`-Slhr@fBvMtc0h%7C>;Eh(+nk6(zD)2<{
zug~XAp!FPl>7~>l_$fwk=|x;&AE=-#D=A^Fu488jrpBxx=9(KRI+|wY!|!gcO<@}C
zn1YV!M~}@LrsP*f;Y^$DJJJwD|D7D(+(9b6XcA1NV-of)Lf0>LvyEc3w
zcgn(Xc_Zbf^hC%&@%r?Dt1<^m+t_U1fNtR%B6!&G-B%?@IcE}nISAV^pr;dX)Hg3t
z$Gj&wNuwII^0p7|Rey%k)zSD%*Y9%!C+SE2@^}2~E00Y%+ZCHbrxcy$P*Ni~IiC%t
z&dKCd-P~OY`ON2#a%m#9Fu-{&>OD_z*bl3iJ=kWghG?1YN
zAO2=zYKOXr=-9q{R8{(XeD_eQl-Jh27ISEvzD>)>XfSf^--man_ryd2Ha66BE=TclU!Ds~}n-1+u;rWgd+4qMOk-&bX2ac-L*
zVtDW+-)e1L>-LXlDvy2Se|=OJ7iXnL!4-~rG9I%tlRf@cP$
zMc-?=m;xoPN_W)ZGCPJ16(;V;PMCx|eR@CauH0cL$tbLMOIPM({^sh43lTC0ne^My
zM3b$t;RI$tPF&*{l0SQ7hikZlC!=C0Fr@`^U
z9FuX$!^2SL)vb$`B=t(OzK&@v1<)Y*$V&<7ZEu;cz+`7G6P_N|JTVwZr^Lhpa6e2%
z62Ldp#y6_VmABJ-M?xk2e76@0(82~9``}%|jn(Di3MBI4{~o2Su{t3!dc5?*l^$DI
zXmDJcg?E>9H#j0alOKfa2jBr>-=kwMHaKeki39%vj{9*Bcm@$}0JKy4J0M*wHUDG{&vc;shl*}gnM3t45^$n;)
z(vh<@+w@G7c{@8uBnou^W~5pT`Q|3Tj+h+^eFPU&=E)An$AoW~%DE^|u=gNU6+3X(
z>Xhq#P#9xKFxvt0b_E%agdEsg*Mxi(0&<+@%!#6%SO$(gZc<7_j5f@A(-uu2rzC=|
z$26H0wzAmSIX}19a?uHVCc?+J++_OMa+C7P92WU|$)gHF;#nPPJviF%l1M~M>{p({
z9-hL#JCQ9-MP8N}oF*I}Y+pX|M-@!<+G5V2Eg4nCfs|7lbi#D<6{v?NN3M?9#}Mu-
zlq7`v>cNBN$>5SMN$H!OlBoOXYho`};Ohg!B%FDhlh@l%1wI|LqN0-5&b1YQ|11mt
z{9~(pR8?a3POnCyEiMMJJedl^cXxB$ED8c>18M0eKJq0Dghp`LNA(66rSDKv6W>XI
zV@j|Y5+g5*oxd^nw^o>`A-+QXsF?lpXh{G-p^rXjBtPro_f_aVaM-~c%LB!-VauMv-aHFb#SP7shN5NVhP9cbzRP|1c#%LprXkp)zYGc
zJA-4B`^ILINf?uejpBQ-&?=>Y;;11nCT`6fc@g#U9lQ3gDC;76MHHg=lLJ7!Mw-+}
z4;+l6-<{i*D`2zqSU_rP*W@wTt-f#B3)fP@pUK~IWvx1jjNAqx{K^$m5s!^S$XhX@
zqz)3&51gI5qIEsR2SJHKEhJP@!jUIC*p~q$h3H1kUGUczRF>h6aM0VpW>QCXRwm((C3@*UB}utK%Xif_&nDx-!!UojUf{$aatad~#B!;nriLz+uxyyb50b!Hw`
zHxjZoaqo>%-_203YpxYvIdP__j~$ao5=mGEYHG)+0SScrNRfNqP_O8k6G3UUvKI2*
zq?QA6wpZfi-XEPSR6~y!BpQrG?*3*N*tO9prjUQ>!jEUhplQ>|2c90O|3m24(d^Xl*1yY9W~p0&>M;F0fp-@Rwgo_Xe(XAW8@{Xh?o
z97vsA^)F`;s+o@45*~1$VmO|kom@>%R|387Kr+@JChW4Z$yeBy3E;+X_DljQ4iX{i
z=$NO3QS8-^R$+phxvo3$?&Qyo@pKWS`05D4;OIyT>ry#;lnhmxDY!zD?j->cdi
zPp0<)I8jR4nT*t)rR}v63Q|vnq(gcra=*NE<2EST5u~SgZ^9_=VSvTPvih?O^Do`c
zD!BB(JO#wP+T(8EmC>y%sRtv^qA`HT(?W^&`C1Vx&~aQ`FSWL1Io=ipM%@?;w3S6U
zE^Ys&JII5O8WPf(UGrS`Cksf`M)8rbsLyUovqMLv(vX9rqtWi7Gc?Z&^O_t0Aj3UjjTH$a~I|&O*os!vB!~H32Rb2!8-_dp}3D
zg-x^6=ynDrsjCaz9Vw#jM9{1f{bKFynEmOw^1G-^QvVk;8oXz
zA%DQP>mL^-B*@*qN=e#I10_#_`kkJ#miDD?+XQICGN7_MtLE2z_%K=%3S4;`^^k46
z3d(kLLjgyD$=gc+w9C8ZI=9NJ7QS~Lrg)a}BTq6_Z|@(lmIj(5iFaJTcs;z-E(JzV
zsxB`VDWiSkO}e1#_Ug?x7Z-9MK<}3D=J;FBtAb8D=oNRi?n13`2z=wSuLfk1kwh?G
zYCgXe-0j1BEgmN39?&45Mt$xXd5svU9~kNHg{Lo}n|-d_Dfui%(r*Mv9D!b^V$;Bp
ze(!x|jj(e8srdzjxO}JeF|2N@h?&E!en_+`_l2x$GW`9U-$jDU2D}fho{>_CvM6P9
zxMedXUM8t)g$4h<3Icgl{kL3~bL7~bZLSx@@9f=#tVA91E8mAmWfUD&LvJag9~|j(
z$0bbA{r64eliO)$o!p*0&rh?RjJdO;@W8`kHCch>05W0Y%_%NH*RzdxV(ZJxzER58
zA&q}n>tWuJz~u)&u|NH(D+u=?J0NH`j5EKcjSj&UI3R~5
z)#{qru~>*8H@gI+&4;?1Z*@IOH9b4|6NQO|MYy}QWnbc48>DWx>41qNE>~u=QDi;J
z>E71<2tJk^`V$$3KVK0c0#P5b2x<}rh7HTN^9vGUQ)J4@Js)1aeA#q*dfNF*
zWVWf}mLkG3hl`Qn({_$=XWQW!G%~o&ci(qd`XhSh&KezjXyJWG-qkWs2w-B2_Qo-|
zbfPU36bWC
zVn$+NV|No05O}msTxPf(sE;CkBG%G+x4+Vf8){-j)?ra~-;XyA+P_RT2Gni;GTaM^
zs`F^#0STlg!>GZ9s*Tz&)?r~HZNTs7iB-N0Y{Dl%EgRRKTbek%4x63nw4&G8czd+;
z{Lg}v+rb&-+Ni)(M#9KW3*`qZb(rZU2mfgPcY8KL+j9THRS>B1Y};}!w0tUfe&Ai>
zvYd16&Z(o?-Eb-(7YWqS!U+2)vvJ`!rPeDGgI{H3eou2-kDzy_)XBtNYZ&d6$>%`fP9prm)*WLd$>L3I>fDx8N}(^Ut+kM53MJPMAjt(
zPYTkr6#!4>WQRI@A5
zCeM{j(Dc_U`L63ET>n8y*3-q8d}a=IVd=w)XuBmS3NBXJlr+9gcJEqW(0L@7d0yTRT4N)S=+)`KQ>yRO8P;
z@45QOt-8}&=h4v=K#Y0=pb)_2Fg}J9^&p-jRW9nRxh2_fD1QwCnjnF2m=JaaQV+PC
znW0{Z(wlD7MF^O0c+|2V-=IS2PJY^5b6@Br1kzm$SIQ{i={ao)WZJGrRO&$e{$h=u{UT!bvx{n*xrg&zfAf_V_|VWA-9SUYzX$No4&
z;c|+Im@=%D3zQYeKwV9
z{UKvr4YToEgoK21MhHdewMIC10s2&giv0w&`8pF4?65zlpoSm!}TOZ%rsGAHrJw8y)QGI-NWQmujA^H+3Bia$l3JNTo
zoIhXG&a^yuzHLO#szf^r_En6ySEeBmuajFaBC;N8J0J+_GBxY!Cd`7ifa(F~UI?tT
zHu}R<Gqc0LQ_4GvLU$eDz
z#619!w5iqMeptR;?WoBbk)(qO_of%!e|Cm`$!Dj_J{a3Wn7yu@rYWZ=381rX?Q*=n
z-gZloZw%;ZNS7JH$-nnL{)U%C58=tl4|ycX6fe%`@6tLZoZy*?5?Ol}=k@1ms&xCS
zxLVt>LqA{ViP1BtnN}_B?-sTLR1GRnn*bHsIn{XTno?m$(1lD#w2$>&{r|Be`d)=Eg+O`82yWr`Y^3gtDMAn)S=X@FCNt6&;VS2
zIl6v)Fsbh!WIK0yAf9I4FNY@h{Pz@L571g!)r%LO&dhR=0afwhRr&F~Ly#B*?(?(J
z6m2anJ7?uiCvZKZ^AHwSn=f>qB2^v$0AbE)<^A0_{Lx9y)Z1^s-Vr9hiTtOro
zUXwH9$Mx8cT-R!yH}pkVW5!r&te!(>-8*bT`5W&5>iQ!}mjz0OE^cmH-
zwQ8%m20smce3GXJ%j?nk6)Gm-Kv#rmb+{04J7Y|(mFZ5GO`5>m7Xu*7?i_mrPAxpe
zfJuwM$;U6X8L$7WuJ#9dTT#K`C%X4FKL%66Y*mEF2xC(#7Pig-{fBT$K*+_8!M5)7
z0zTzg2Xd3oztgsIKHk~O>-d>Rb2$HQ>vHIIc*Sx>@P;ultkBp@+asD#;e4}1BTuBj
z^B>a;xL1iRo;+KSK$SaQKkLR|>8Yx6gpnz{4g_|7+7>!cKXB!rFwOEa(czxnJ*uu=^9%b?a`Os0{B)C^zMaCH%%HJ
ztlNnlTd_mHs^8$7!WV8mx^F&G?8@H6w0ppNmZDMW5l$>dB@42pfRIEE7u99CY`r4q
zdjDcc2eh^jMlE!H)R&5ZZ@n`HK||ZWo=xuOM&7h^dbu}22bi(vqG-4E!yA7{iG)me|u{}PePJl^RESe>j3n(L%g%hTuzs+GeBE;p;|GLgg@Bx}J_Hh0=D6m~JNUceIAh{eC3c0ucj?YvW
zx*4E!@t#u~I)@^`!m&q7*GwRnRezyAE)K(0%U|GBO%`td1(6fM{lBh#Q!dZi9+s&z
z=xzbanuw4gQYFcd;eJFw`;N_6;8S$S(x-v~IP^V6^-IkpeuI=BN*n-GAdrQ78*B$@
z`_AVlH!!fn5mrm3ljY`!Wsk`pA;P9#_G=Ci9O8-aC`6fX*aovz@OrI)m;;H?R2Y}Z
zSL;z5`PZ8UFz)FYhx+-x0MJ#%qc1$#-P?0&-zG!&qYv4Wc@a(<3R+C87LWyHavcSD
zE)lR!C8bEDg%VKnVW;Is{kIO#hypHL`jn*2dI_G%9D-`zo7XtuHw?Uw_vxmah*{Br
zOiKe`O4rXFn!v9(5O&sCi9!z*(mr%OHlxRJd&5B4r)zAhRfY6}uM`u0a
zZ{&`hJ6O3ek}z0!`Wrr0$RF15NxF>6ojVsUGI$55Wu>pt$;lM-6LWNn%$?4@2{ihU?nhoZw_DO;2O@}ZOKU6?sGCMg
z(mrd`bZkzm!Gp>G=!%Dj_kEuq$T{1Ez`EvwA~Hx_z1*6eZ0awH9xv1?x6}7dlL|n6
zLMQq--i09I$|_5*v5Mc68^wo~5QHZ1q53COeq&QyxMbd?$(bhv9fUv@0_8tzz@zH-
zx8@RxKyXS4(t%sn8bL5<)vDrgS@1obVgP!^Y
z26-AK?CYSDR;P^t^`>8db8!I9h37L~^;o#w&)(_5adc9iK?^Ui4+0Z(y#fJF0UhE1
z=yHQW8cGPh1f4I_St)1IX;SOJH|YC#pF4sY3#Nt{Y%Bs-D}cf4P0z>s;?pxT-xpGd
zKiZ5_??+-nAEG;9Q?}XHXP?mjw!rluZ+k}+e|m0C5@=O`DW)qVzS@suVHyU>QbwSs
zy~;|lL9#z!Dd_=w2w7eLV-I`0pX{WZe+C_onEHAPn6Y{9!(B88XgenQfVr2!V^|9_
zzR&9i2SH7fS^=mEYjjI)q!RA+#LvtYIMnOy6aU8r00SFV%21=o0ffu)r^PY+1Alb(o
z-YD;sL^N!ZU!>8p5>Jdt(FB_LAKX;qD=MrsQ6H`y^K#O(8A*2w1c&W9q|~kWTpSJg+U<6Zj|@Qv7?)^2w(|1}8I|u=+Jv#iB(R_%
z+>Xmkfpx`S69q}N!^_HW)~g+ukpJF#dzbdko0sr)U%kDlw|A7Md(%F^P)@cdpAV_!
zGYA6-LZm!SBnTM9NZ!AR4561`^)=l4_eMnkCvR{;`o1kokhJ^
z6+}r)mfsN*qu$!$p}NH;)$t=Fxbm^FF(J%qkAi6u+`(;WF$O}s$)b$R5C=;$j5NCFAN0%6W!^I&X7ZVu|2xV~GB<9Es7>x9qMMMO%fQf9C?5C8+r!^F?W!k`+j_v2%qYJ#*3
zMSZtYNZ$t>{oO@Ll+VeDnxGvc-TnJZ$REh&6ka9OEM-AQH8!G?kdlT+N5dH5BL^08
zC%iZ^@8og{r@@m6;a7=?VF@}%0!r^W0`u|+&(02p-w5wv=X6%Gr?Z*h`Jz^m`~=g%xGV2O)!DWrIjpR*6M^OE?gT@78Vq|d=4>*iI#VC
z(xREKWs1+t;(#zb_SxBlYMhdc8GUvnH7rxJF$(nPij1st?wC7eWsYxc4-MoUuC7$nrxJ~;Gm0!K#NSXdb(
zO-wi=>H6!sQz9YRN|DYhmDWq;IytQ&C7J54+`YZjS}kKVeBpx9?BLVMwisri=uTso
z#k8e25V8DzUNMlNO_rz-kLAM*Rl;mJWWfh4E*)I8nP2BSv4zF0W^8aH9$Waz1z9PdmG`NT+Ia(awYI{H*y-A^s6dukwuPtdcHTvqlf@`thUrR?nNyE;0gg@xPs
zM|^8*kG~YDHU4}8N;ovxk4hi1TcHG!}>Lv8!q`;!+NOF#-*UL8M>9^jYqFLJ$qYTE@F2uE-*VCWC}CIt~v=B=|jml
zYA|<*rs*0htNWPKP*?d%{=2j%qxZG67sxOhdWS-~nnS>}^cM$OzR(IXjpf}Z3C
zNHr8B1#^UXJ$iLfM`!)1la8Vy-KS5x(`we%qRT5ZpnZ-Tkx5EO7-44CoBH)D-r!(K
zcCMwF=irCZQhI)Vr|g^@Ie6%|Z{OPQTV3sbpI1HaZfEyUm*mm#WnG9|9_Cm@NDc-Z
z-z=$%V+(~zOk_Z&xS``RjW*`CLY4D?3IB`du@@KsQCsAa+`awfxp4Q55*s7&##%MUR{0NddyQzOZ#X6>+$kWz0OjnluAVx<4?sS
z6t@H{w|;8g*c>*c*^Ki3E~%yEKVTeld8GCf^(6n~ry$)>XD1z~I*Y(1aKqksT$;Rv
zR+5A5w*w{9rPr
zRxW`oK?V_{k%?(44MM-1fR3WEvp6xFQW4%e*aaqtZ`Y2y{WjabiaNI%FvY|oJn&8Xs$|oYf8?G}V7{~^OfgBb{5>=2=BfcEV*g^*{iiU&6@
z1xUS|>m0hL9Vjd4T1b_X(*~2k0*Z?{XvK9~l$11-+c$BWd?yK~BE=UG*}1@4
z<%7#8N8;ZL-%}4wFk%gmj=Et6DvdJ={vv)}K@0IkuNn2tN)@15YtvO|d5tsYb#$;l
z)YK#f?*mic=${;A;ZRF`(wMEh(#(6yfQzfZ_sOU)Oay$L@Kn2R0ngVbo?`qG-T99P
zQ6GwnF>{|52-qC&_RoP#DtGz^9JF3#dywWsho%I77|d8ARF|Jm5hdWbgGeS7A;`!$1a(WHlU=kDV!c}SCc$AURu@|G^8`
zSb9zlp63zf6l`}`dAUBFccO{Z2Xh%Wx7$B{6oyNx85=9UGhAJJOvTSmWY|j3@I}85
zCNjOs)`*QGWE_Bn!TslANnv|2U_ZWmLBSO;yVyrYCHN&};3_24SoRJMfuK)_N_|?8
zyJ0=}>z7f|`crM~AQ(wKSguSii(1J1rCnab%zQVz>3D-nLSG-v!{Z2|aQ)7BT@@`Y
zBZ6d@s+yLbPRo3Etatt7>VtXd59akCUu)=rzKX-Z(VVF$4ob%Di$h!&LPA7(Vcv!Q
zO;Fhe%n}bE-9eM%rTzdj8=J;t=k7p8+{3wqJs`oE{2v}cTy5W
z%mA|(CmJSdM7TYVJnzYmgcTO@{i<=N`Sgh$v_$;1tImMdX6qjq$b4fZcxw!vM{lyW
z4hSC%je~=PsOZE*=rZtXg!v`@$LsExC{Ri_0@`9_)A8zHCq|8%>r{g7Pgr4Y8wP=O
ziZPd2mf7Q4PiX`^VdUb%k(5k(Be-=NhS?3>Qy6;*!y`Y`))K+GZ%+9sqoJy+J-%2B
z3LA0@*v~xr{)UGL#2;at3?G-Knv)Y9=qKq4e?FDx7qCnlES1O|q)rjbp3D@r)vl{6
zEuEmc<-`KF2m}o?KJwbn79b+Whf=xB+g2&iB?8tNbv7isaIzux1(0#bVbTWvV+ag4^5AzZiEGfJ(tN
zP%jSUF}zkRwDB$G5$N?;zyx7*4D4p=vWo-`ky^8H{UX@qd~#l*FY)$d1JFY-^kh;iCR8kY(b!D@Z;l>%i**s3OGXfYmqcU+jpU2
z$XR=AL#V12yIGH+Om&c_T}546d-g_PL)%dC=g+76y(Bm|{5IadyKe}`f7g_km$y++
z2xr5U(nX=~Di;F*xX=tdgNl(6E)l(g93)MUCCLM>K&lQINk@coR=;@8`VZxT-29(G
z3Y6~X$!S4qruNUD-+lB5#HNV!etwp_659?)QDB<19E22z1dK`5-8qo#dl?sZX}q7l5rim`Z6+#)y~o@qaYxGppsNlQoq%Da4-%v
za{Iwk_Bbj&6ZG2CeLhU=Kt>LZ#`1zspU_{vOlz&b|DiASt4e>)2}=mS50BGIao6QOnd!q1hFwcOlX0eXjN
z=GB7NQdfZPOufJV>1P5R^iNm(-b!baN_$v8a@64+K_&E@_D4T4c>L?F)@5VQML;el
z(BFSwIgc+mj3%(bj|?WsdXvzI5Wr-m`UKtlR`0VNXfG6u1O?-d8CO5#=kJGF3Z;Db
zKz4G1L{SBZ+gx5|pY31U-Y(>^7>H;!WL2srtUD>B7nr=0*ToMywO^qH&1&L=?-4uy
z&%9$=YDJ9g?O$y%BNs8JF;U`+$HF|0V2fdGy*V^{8wDwiDet|skYpp9542Qy{Urmx
zES?yS;K&g|cv0|YCpnpJYAQ7l(%PDu3z3lv=qz$_{Is;I5&Ey-&54LCvIhg5F1_y9
zS8FgZ96h+q>#qnovdh#<^EW~}6dwB{af5;$htB}J={+PDMg@ml_JxtgyBiEn!ww9t
zzlH8>eT$Otpe9pBj&o_SrH=acaot8FT4~_Z2nK5qY?#hw1Maj4<#)oc`a&bu#
zZbvh69S?gV$fPw7bk3HXu;IKyWuR=-3Sz}D%JZ_W(&*?j=-tzMXDue?xw%r{9*uAekd;|fB(MbBPaOeRsLIM57pErISF{f
zIpCdY?mcs~kssL$=jMg*xfCyeprN-S`dckOOQAJigkoN)AEc3ZlTr&J=OIoIFhhnm
zn^*S!u9lVzj_KRXSk|4d4hsy(43Lh_PP^HNSojt^EW9%?@UGddh+ea|8jyS)9Xa&(L0XetU~5K3`}nD@CPNB-
zGJg2#h`%H(IIt^HRfkLQUUyG!{5G1r&i{tm^Oq4}qC#LBeHA{R>09S}4kw4CpEVDJ
z&@qr`AdHk!Kw<9MIG8)ipIQ`=#z+q&c9yTE2L^x57RccYwZp
zA5*ga4UaUE{k^QIkzanEKZ>}kKgA;H>*<3Q4xjV#gaBI%b|Zkh@q4dAl4o-8w}H8N
zikX2N)ucPF)LF_2>8Vq4mLDxSDc&zCDS4Tkd=t{nJTA>&zn)3w6a&h2Q9gtJ
zwfrg1QN~5~xMcg{nB?RiRMZuKG0f2Q{~@B+Vs*lkp{wrXQUENh)>U{|%3Fxa9$~*^9EWrkw7PB_%Kui>}*U
zNaxFdxMCLx`;y$-GbEuZ6;pRUtsx-CK5pdQas==`5SfC%IE|bCCd|
zFme^(BCr_(Jo&SQe(Mp3S#ee%ihD)$R1n|;xd&nS<6nIlp*z(7l34&{^%p<;BPsH?rz-RGjZtl`_{Yyt6&{N?Mn-tTu|DK(F+2F@adg&6B<@6%+S(skE
zQOfF!Yd4}@LeL3xc)eYS$>DnAc+7BmcjY*+n5vhyv_C*Zpf;4Lg5=H}lu(~26gYubeLp+V->X_@7@j6NvCctg=3k8k9B+@~58~XZm
z(%Au};wu(w=+4c^xQaSL!AgH);&FU+53(54FNLJ+tREJdcAI*YJZ9{ioP6uCoyNhT
z7i5uw0}VyQ7w-MHSD6Y~(%I%O_;PDqi^W3yVs;XR&Cw1>i-j)#lPd|GF$qsG0Tq(Z
zh=8n7g)%okzXjSww}y1@BQS$!O>22ie?KAA1tgG9r4vTIcp;B><0_!e1HwP>(%H5P
zE&vwUMYr;j;{9gC>;2D~;Z(Db)6)kJ3>f}98%B~~x-d_~3n}hYS2NAN0Kk@o
zrI|_0ixCV6^2wX}aZnw)l&D}rwbcCgfKh`5UVg8U@V>iNNmN}CE7dZl^1?C!)Ge7I
z#g726>1_!hdHE7DGTbneGaO)lQmVxpPSCPtg#Py3yPeOUKLa+HH3ZqTtl=Wd73sxh
zlNr%b;!daDB_k5doEvE?8CI28Wz7mcD51}*%l5~yyn;eo_Z`3?KLJRq{mmOH6%v0j
z6ecSDABqgctBc!vYlLwfL>U=#Y=B{eg?$*f8iOfAO2yYtX<>TS)2I6Sw*aGqGEY*{
z$9(_bV1?IDNc>|_N3d;&AG5MjURMHFJ3XHgnRmgWx64zq?
zg;OoP_YF>uSERH4bE@#0HqFRIW3&ao^&Lhj0zPVHWz`r$wtD40eAfUOm76e{9uj0C
zUyG-w3)wZe6INmrrsV(Uuiwx0rb%O^vxS09lYGn%f=9o>?Z}HZJ$=-Bo!Ku9vUO4w
z;w$KEsMO%l(Czq2D&&>xd)qPL{78~u8X3v`qg8#TeUu@{to(>)+>G
z2tbD-0c7!siL4(vgE;D6U&lL~JQu6}ptaj&eB(t^1479^r(B_m38
z>jALqJns9CK$A{&_BOyl;o(i%XNZgoCAYuQzeNp6iw%LdX?M%$fq{kF|$r4uu~
ziyk%Tn?+`&)G}l#C9i&ohhg{Wm6gaqQS8~awrRl7i-*s5dRDk$5kMuH7G&Vs$|k)`
zl6alBjp%h;^f`fLUhjFJ*a$i#jG;`oZBF_GI~Gev?;4yO3PNwgT%ptI_%S8DmkT!X
zO>*=VWOZjpqNu6as04$N;y&w0QIA8$)~Kkaz7OVXoMHi6v$Nb@9<+cL5u#iclAnIH
z9C~78YD#_Z`0-<%K2b0PZQ^951RRtvquoca3w4%AM_y96i67>yKGf0*1ON~U67t#?
z6N4f9nt}9R=Kl?3`7a_hx#D8!>}avv4#$)#I4#2J0R#vZDJ#{^{bUhBnH53w`
zvwC=*#v~;8L6dSi0FP1PXXq2|8#l=>U79*OW{^`;V~(U(^aD(S*9a4+Qz6I)gLbxG
zM8w6~+JrMdTTf3>3Jw=iFRzzxL=Ie`z*Ik6WSYNN<@o%010=wkpjTo#_M%6W7)byC
zOqd=vJ;y^m%o%v<2z4NtA!%~i$iGQYYj3;1jEvZm1IGVx0WkF^Yae~gFxDT)mV`3p
zHJG4=`EBm`>Ub4Kf7WEs$B#8^H$?o#tIEYy#;c
zAN3-7S%vQ;D4)9@8bU8^7}Wa+f`CU*bo(v_JwE=9ijLQQVF}<~(wqrRgM)N{-?gs6
zeRa5;tGv0Kdk*#QikQ2QDjWhDizM$VS{@g!TsgHLwRSG6$OM+_9nn4I&~-o&U%Ysc
zkO$QuT17=gD$%2BV;(!!bRO>3*W=`y+oAwNY_+bf^|G_GlkxN%e>~p*Axg~lWF6dB
zzU==atw*UWzlFaQCXSAkbXhCQNts)rd|hS_hx8(u^Hj>YRyZg%T8$lINJ%%T=;#Fg
zg}hB?TN$PnhA3TKk@>_upzy$sqB<77e3w!?97d;nR*#L?0HtYhDq+Xwt5IBBTo@?G
zVaYi;ZPxayDk^4Q;=Bhb7P8u-Wilj7b@?5$AWWN6>~%_s>@^An$K_eA2O(q*zE}^S
z(+~%KA_dl?_hFkjMXL9CcBjsYg_EOlX=&+NDRQ#?JW%g%-@bi@La?S7S^Y&Lsq_zf
zr;bp`Wy$wf=z=&Hh?61+=p`spWzd`If{7KNzc%vtS;?~K?($rpjYV>qGXqS21vRKG
z9566r1f_VyUSjXB;^Z{fB6b1An9vEu{EM^4keX7`_PyAxtEus`KYf1sCR4c%G`=SS
zz0Z#ctIyBSF>wy0?Kb~-ejL$pUi}r)+Vdo5HDYwo!X5N;Z-Atvmo$v7`viy1S
z(`009uyS+YMh)C^=_^-44Qd&2rDarhF}^7OO&^5GXkNV`f#NC5#ek~771k_?<>%l0
z!3LPY{?ygwKncJ)y4}dm$*HL~jTwsck)+HvW|ZYDEa3rue$4B2=k{PmFgE)ls<+G*
z7Zw$icyzaSAPMz2F`MmdX#o^Jr?_RfD8o8Z;MT3lFVpXCkJ3<6hp%*Xb)j|@D>te(
zNKy46Wa_P!=w{C2fH;Qp6Ht+iu4_PY&h5HQ@aXa58E`2;$Odetv}+;$byDqb&(fN#
z!rWTqwUqSCu5}|2a7@eeJytUCzW$Ak29WbGbAO2%n2W}{{QnOLfqX{8_e2L6+tO(V
zQ03IhN)!V410)(87>M26LMVN|-JDjqm{?4VE^09(m?{{&kimFmkG`d45E{k|@(ZB0
zJOy`E%SwTG)D`Kwsh?K~yw3h;f@aSJ0Qi8kNeK)O!>RfP0L0NG7<|y6n+5|yfiE6^
zn8InC@ryNXUQ>AUysyXB#-STZPz|PT8sz8Sx0338llFdH3Fo0C(
zfWH!`ET--zdr%B$H6Xfl{sFQ;oWEpm-y~f9cS-&-QaC8UvA}YK!^kV7@&)P_PmtXO
znhymO3jA|dD$bxaP8wkFQGM|bIcgh?5F$){h>C{>31gS-_5?j^Yd@F?H9OTH3K32~
zoi|A_uo;~0?Dq0yXA6eGUD60$rS$YVn|phJk%|!u2snfOy&I52@oj9@L2UL8E!|%K
zAAkhDSdVVN#Lb&_&Kn>Snqr%zv9Pidgj7`^(j^r;GQ&GMV6bcN&4F@3ObpMj!a2%;
zp&@8sBdOkMb$`f4j*E-iSk!Yyrt7)K1Eq6+0JNY72y?>QyTN#4Df69;?28xIAkq<7
z9WJ7ay{0IqHTH#Q1LBZuGAb$7vyvD{X1k4PQaui|PjE;{okcHSMyVNoQ=T(tYW40+a+RQrlY`(N
zZ{LxZ2X6o9&Nzn>1ZP{$6?6VYD>$GOP4?j-TW^7`Zg4ux@UemPo-prRW@Oe+}@R3dF8DSsYzHPgz2vC
z?r?0-psbnqVVL+~qbS7qL
z&>WP6a0il@Wl3}lPe|w7`#b?BVB*>!2XfvOfrF3s&5r;O1O7?Ot5>dlJ9qAAK~0ee
z>OjDBgNDjW^z`|gn|6LdK{o&`s@#qT^D%@3Bb4c1*p7TrH*vB}rFr?l97zlwQg1Xf
zlc-t?TyhNvxC)ShG-SN;^4;lQzF?a6JW2ofn*)B**&pHLj0A#VQ+qp_MM?73++ud1
zYL36WG5%lH&C%M0fa<*r?tD#kb#2EgRrCJGx_IzjB$zM%MgBaFyecs<4M-e2i)>$J
zcU#+RVgDk$)n#|tWFfW4R~Jv+fP;s8b*+xyzrr{g+w!(soIDL1`SWjcyx-;);*YEs
z;umZa+KsezDAhR=6@X1*>A5sC_gn}QIXBk(opZdnzIF{>!&eK^bceVI#mlS@+DEKK
z&IOx}ccO|)OMT&)p(c+&m$U<_-T?!9zxu%$a9o6=1w3m4NfNu=MLf8>*vL=hjN30n
z4NB#_dZ3N%^lG_CQ8l4AFeQZ&4h5&X0x%dqeX;=PHtOwLs7ov-Kv5z)H&@Qn69d6Z
zb1fx+!~z5a>v(EKvRiLkZ+u#ik77=D00=01@I@8Uz7TLu+eg*N>5r3#Fy<
zQ0f9cRp5sYm0iLNVtQ^MO%iHoXjp=(P6btu8}>-Ln(TW&FhrHznuKaG3|NsyCi9SI
zJp)iR43iMGe4|4}_lncify9#|G#^H%%TK=p1Og?($D2Y)X&>%TppAK1WZr7L6L=I7BCFBd}FkrEA4XOozcOmgnO@=vR=ni?N9G~ZcSNx}aD(o)1qM8r`{5bzZdDi#o#K7H!G
zNqEeD!!r8a=+t%cNjdcyj3KK$fx35APbXn#2gg}4OC3eSv;
zxV;Yb@ga}{a#k6_(j_Im-`qPk+0;~`mhU{TAjE!SPq`Kl7D-vzOYApt?dKI-S5`P6
zSCzB2J~d{zt7lulE9O-6ALeOi#~>&?;w+ym8lF}__V>)U{P&V5l)1S&awKGA;+w~{
z#VvA}BO(-m2P$oDjwLU@+gV*L1%yBu8yix2CT9qu5gkCzgNv
zrnd^JDj+@u_xTraC-C8y|G+KL*7l)mgAEE#;FKG;X8!=owqO%@?WJS^OTjqBqC0DZ({d|
zI*UX70yueSCwoJZAjHB1U_V4PhQoy=xOiJ_udf^0?{qQi+ZMd4-0gmZs(+mJa2M^b
z{d|9~u#BE<2!-(f%Q^={t7}BQ@1~<2B{ks*N*1riupUbcm(-?8Wcr!Y#eblB8pb4G=Oc
z@;&8iv6r)^
zMo0I6%2hhB!{g!x5fU`m*Tu21B+w9WJUQ73g0#(5Mg|i>&u={S3e&Vn3@e+|32AJ+
znA2HJ{U`4MVvB~_Y
z_luy|2q(K@z*q-QS~&}qgO8Ly2ndqDH~XOdh3I4kVt{!Ljn?=u+$E!Yt&~R3IHMlg
z3IGOFo`OzE;ArLzT-71^hwQ?QevOHl&@&lHLLs(m9vUJmsOF`lxy{k!kB4Ul{Q;D^
zC*jxC-q*vQEKaVJaWH|8K;lMdI?gZmIM^BRdwir&DUl?Jj)@`6dve1`2-zQ#w5ME@
z&?emvta4`_Jqb2&KS0^gom#I-5oqyJX7Y&zhF?rf4DA~7ucOjp6CdWTk&qAIz{&s1
zF#H?6ewRn$=aVhXXVr)2z%uZMvVr|Va?dpEYjkDtZ5b5~6zadC(sw8-@io>WM_p#f
z^!uBJXJzZ+RH7P_Rwrv^PiOutP$sGtu!0rn{#~|89ay&DX}lLf#HR9Ec<}Zyf1cYt
zG;DuGx!L0_b|K>j_GlSHJrEP8;n?Lo!0?Gh0V4i45*jvKG`gFfzT4Ft8yoe%Uw#LD
z0kvmG+WrApsh>ZiM~NK?!$1a%yi(bY!hef{%M-n-1ud+hez
zf%}m8>Qypg(Oqh|uqtcf$1-!v(P0KHZg~EN6)V+BOP;wf;0`t5qt((;pborlo+@_?IgFFEpUJ(Li1IUyv
z0F~W&bOHF6gJJ2<@ah4T|4}h221;7l_<(Bj0j)}kGl3Z@R#4FU@0{2Jxeq`LLTFn-
z+AE4o>%w7MtBU;5QIL`SeLa&1FbEYka=?27*+L=H;QVJ+6zxBsgb<5+5N>VtWq#dIseRV%b
zTR${w`odnfe#i~kJ`}#%31sC~-i0uTC0+mL-s2V1q7AoZ7I^ff(5Y$OZ64H}<6pn7
zeJ1h@!u`L2>1PN`r56OqhL#*JKK<(ghK+bHLo#(8oTx;ubwg24t>4T{A?NWO6>?+=
zV`Smp4utt%QyUu*t*zGp%fJ6OJcwxl7QsgK4lPpZgkm}<>QX=$sJ&;OqyyO<#Yf&N#a5hxf&ZE{~|p$A7sY{^1xnl#5}8~
z7R{nwz2XJRDaHDFzG?!?bxE`PKg~K)+B=Wc5bAJnHqOHw5MY{a{mh|oJ`?s~`_;wq
z^hGm$Q&uk-dLNXfrKLF7JD~m?u*8NSM$xptb__{N$U7TqFojodd6@Yr>*aG+ka`fk
zv9W@}cUB*6Xb2Aw5kdwKXU;#UuenryavA^c!%?OOVT|kYIW{>ZCwIoo>?thaYL&0^2he^nRPn
z7J5$2t><&#q@{ENSBexR3wgb17WqBcy)M|j3b;IQeUZ4?tmNju<2vx+a^^6eZ)$w!
zT#EL>+%{S&;M=KW@=zvUegO}Y6cND>ojtuj(xu(p;{OG5doF?IFMJut;JHK=ggN7g
zQO_&J>KxdS-vPJFQD0H3lw<&gEyGfRpE-QGppi8U41u9aBjj>70dNJb(`YrG7ya%#Bq5W=}{i;zyZKaACO-_}nG&uYxd@xnLhm
zU|S>Mf0k4TB)k31gM+)CHQ10C|K+)nlA-~lnTu3*OIt#`Yuy6D%erkv6OcMw;#J5V
zn4onC#VGVA8=BCNWdw$vC(Xj!&`C%Bh0M&%d6W+$E*i=|KRXJ{`Ua0jRDOe^x@QicdKzCcYs?`;8tP
z9ubl3%Fp`#0JF*`pACY+e;-`qRsrEL+2hA0-`cN7|EmC6z=b?OFg5tIY{%|Wogcn$
zG(L(qF&uFe-&VOD3mGwR0@40eB$?D=U%%eH8MDwI-1Tz9>VY}OTu|j#{8IYlCIx1q*0KijQk*8|XC}Fm-b3{*vS)RK
zGa%nnPmM>yqd0*kOm1`5_YS;&O&t@B>`DuCB7M$MKaPZHx_PQ};H5
zUsVzyr}u%|X2WHOBgjq;4KG|%tgLC8Wo8;f`z))jj&bNtlvuRAJ*%1ky*+x$toVFJ
z!Dk5|KS=Oj?HC_gkC~x|3GqRYLJ>tB><$py0Pz4i7PYnMAu-A_STxc%Fg(UUy?W&~
zK@O236O)=L1Ye>DV;4{W&oc-kooG#vPT#yKOil?2KSYQ!$)Rbn0k9}Dh#z5M>c3^!
ziV0m&U)`N~A=eSUGXV$?>fxhDKL#_v`kdIoB3t3Fz(@t%OE1E^{yU{Il+a%T9AHdT
z{X&ZE;-(81*C}~bqtxFpQwJ6(73d&nC>-L<2Y+K7Qtj{B&f^3XT7mFlPym}RYw3ca$fzH4A`
z0r{c1tp{e67H$5H#RmY!Ij10DF?7r|%PVwTVA9H8DXZ$Y{lvsNN)X|AeUFlYTxJJA
zy;SE79R$%662ihISY>tsEX62&W`>E|>>;N7gH9l8imm>#M-|lUvqAY6UxGnN^k|U=
zve@RSh8U!o0T3~Rm7ku6e-_qo@mEIY-PE!sVBRX_?}e1sjk=A-`7U=T8Q5N7`$mj{
znH(Z9Z{GOwnRYjhkC!wZL4rgMd30-At8SEezm0!Y)q{7|fL{W$4nz-Y@bXHricBX1
zfqe(~ApsymC<&8!ygSFMb)XsL0}@v_KuTj0`ojhsv>|P>J*&RH)84WIVx=Uu|3lY%
z2XgtpeZwEAgo={AlbyY{D6%&pWMqcyvJ2TO$=+F6*?Wa-va^NkksTS&arV2e`?;U{
zx$b|y`4%7N`5wo7yu{~6I;Zo12_U$ew
z=Vd7DdXjHD~-N~6Dtb&;N~t_$lZ?SX54Hyzckd;xI&YO8s^mUKoL&w$aTFS
zBeXop7C77pu@wNdI0&T%1&!jVfIPAD$FNf^gPBD@G;-48!PPTg>XCW1UVsmZAfaIL
zp@Ip>n9$FkNrs1E+H?eL<<;yl?VJZb5Vqrx{qyoQoMB;yfHS>g*7pJZd-!jd2GYF0
z%2$q=h-!jbWnW)dOuarJWZ<(x#=3zzVQ7fCRcp)X`PX_Gf8>+u_)lP*0*=3E?4`6;
z7O;s>Av6iB6$ZGMpJ?ycIt?G&G`zm2&ZG;Xq##UmM}Ll7PT*BdNq8`+);Ak5}9E{gEkNpQm5L7N%up
zUa@Vce(RB#GXw}o5NRhxp$t5ayJ^Gsb_V$HmJ#E{Ne?de13=V(yE^bawRs?eUQqN6
zfMq@n4r0MW8eN>L*ZrBV1y9rjnIg)2C>ucRXlSC=eT-~H5C0Woy8zW)F|MWjl4N}R
z_|INHqKW1Q$P|QPCN&fQmd9|a$`CFSI&=u2VLJvTbHlIKAb6fDAN%+qZ$y8uUUaWV
z2vkfAVK6c~or3Fd)ii7j%w2ZicgP~+G8Oh8GcX8)TS9U~f3Fp^Dus%l%iXo9Kj6qe
zJz?+sZ!Ca*{S3cgP!89W#}Nz4+rVr3&BVk>FvY@x@yfdTl(iF>Rz0>byvk>A}Y!da3K_s>u8;~pnH{sZ
zIOqQ7)zo-i?-JeD-t~gdPWe&y8Xviscd*W8Ke-;*UqvMfk2{+Hm0~vBEctlyQPI(q
zLn$b|Ul<;&@qMuvlAW?^e}(#wQiArD7nv7M&leh@js~{7RKeKsOCRH9S#!;U47-Dv~xnm_CoU(8+pknOSXBoe*^QQVDj>Mk*E68*~^gnspW44uPW2v{?*PNp+`#CS~^-7v@UsCtNpB-P*5eu7{pfQ7#rZIz}UyGfK
z2{mI);*>Rxm}zn`xL;c)dCd8^xSr3qMnWU$*43-7kSCY8Zra#{K~+Kwh~F19EG!_j
z;8~q3=v(!%*=L<#8+87X#$LpbZ}{R$Oof|#8baUbq8uI=*iqNi=>%0}$aJfxfay&0nQZ
zYPmU6j}ChC3&CufJb4$r_AkF=Y85Hw>sFq{Z{mpD3G(+Zl{X-))F{&b3DCL7503G^
zzUrr^!fWLh_=27Lg4DjaM>xc*`zS7MZYrv#1n3@wQG^aT3rJj}-r_PewBFgZhp_}H
z0saa?t@UBCbt|{ft89L&>gsj_W(fv`qg}poJZiN*c|;B1#Fm-*0mto`G;N-^SRyWmrF(Qr
zo_P-@p@wCN8+NcVkk)y)H7)ea*!aQ2RudRP?Vp#24q7931qJoFYOMN`Ghl-W;R67l
z!&PAm(d03$RM^IBe!QP~A+@AysVj`Wv^n(wX=;DfRiksw@l$oNT?{`wasF7sVu5fh9)(?khSu2kg2^F(Ka@HwtI8{clI|b>^#A!#ilY8}^uf^=jXa5W@XKG__f}(af^p_Hgthf<;g;1T@Ocu~20oynQ%L0w{{p?`#b5ZNRt^ph
zC@K~fInqo__y#_CiEM&Yhvk~`#G7OhjLvYx;q-H=sTsQ-U}1oS5Bb5w)N~S5w4(pL
z>e++;eE&0XDM94tC8lsd9`8z1QRCKUms8ml$CG_+OG^_BA>?C3F_UyquvRauSs0mW
zV6tsZMfa_Lzd>PTnDLsB5OYb1J$S1py>=oZ_=ktQz#0N|ih?$*e`g@_d#)cKxeiev
zL@wVQjXaq|z&bH^j!oH6zt~uc(el#LHE~PJCA}ip1>Y)_+k)k|dNsb_=P&G7wC*CW
zPhAMC4j~lO7gM1@<1jT{&*~^ECzKIggM1h%b($JBNNYjq0jJ%5$Ef;a-hVxxonu*s
z$6pk*jDD0^gfCV3`*TqV{eU;F5_`NdEI~v4ns}xvj1~}w#FQ@JHhkii2D~&CFYm{yS|Pi0
zcT9T4dzQ6i$Vy$aBlp1=+cY{_FRF#U(xs;E?knD4=n6(?;a|D^eHB^cD{Ty6{7t*z
z|5~hU1yZHDx~I?-0#E3HdgV4&unt3svw8=S4u5XSh6{>8Lc
z6Xotcg$f97+=*1&oD83X84V2{ZOHjhh=3o#ym{F2<43^a;`QBKta80DWGQ^B!lWrT
zgTRt=aAdjr>g02(-<-sO5~3I*WA!Vc?mO_!B+8bxC_5M66xKLlKOf2x
ziMf~~O5J>qye2gTgSNK7;xZwSi6!iIuJom_Wq$gkzUKge(evlOKExQLr_Xm~yblVJ
zBO+OYYLahY;4M?rEFz-evyHiDa+a2KrKT*;7CX*iQ7w(7YYBEYE%;5y
za?Sszeik+u>{qUWYC1YnHa65FBRu!+ebUoc
zKXp;KK|oOOd&e$AffQ$=;^5oZ*o|me84V35AGai)buJ`)@FToydnCu`i<|Bj^*#3r
zC;Rtocw|s6ZVe;HDEqIIpb5+MJ|aTa$ViZwco})@o}L#Vwo57k!}AE-+(kZ@tuT2Y`+OIf9Y)zNzh5p;|q-a=FaOOKZjIbWJ31jSgZ_V=Z68QR-
z0jYw(%*+jWY6v}?tgJxH|9nEm1&Akj9w&~5aI-)%eMF(sYH~EV!n%I#Km^{owbfBE
zSsp}=P3GrSNs>;ol^LKvjy$iaDO;*-N8<|L%x2hZc$Le>i74K%#ssV6wH*|4BiBY*
zu4k%t!bF#AIAhK{$mPPVlvY$kgO=~7EYtUi?(xu>1&0M@;NsoH;9v-=-rJqMy;QjD
zK*R$a%Ao2<@6qWV4X9LziJeyw3kg|)Ywhgd4-O8NtoOWmvjP;}1~a6kQ*A`DtwJ4Z
zfUc>mt=(4b@cQXKqcpYK(@F-;2AOMi*@$t3U;_G7fP9vgkyp3+uTx1%Kxx3o!%9mF
zS}}ux;Y!s@@p2F%!ogbD+yt0!_~B*Sv@O}
z?7ZBO-J?`6Lz7By^z*@xf=;Nc#9Q|Y#M}kAX=!TSTwOJLtk_2-P;E1vK0KU%^-QO-
zf{uHb($-c>SU7QK-|<`fa&rP5uf-q(&_$%Bz6qd=j1&hNy(;PYkKN`RojN`h6{VMy
zkkHc$UGjL#&i=jj>=8Cx_(-_$&EOK3H!BI>f7Dcfojoo#ZYMF|QA3t{{-$c)NTNU#
zVoh>$wE-Li<*Ns-C)!L*tRw4r+1X$F`^hOO`M^x>96C4m_oEvdOR{Kqxd;eVn*RCS
zkgs2l=_m2P(ec!&zxp;OAd$rZoXoHleJ{SB2q@?gXb3QFKl`1-cco=Sr}Phj9G+^1WVDH0MA
zOkjCH!)18g%)&w{Tk*lG*VO=W3yO&WCVk(^YHpeO@fovl9Xb3Tbj^3i&6ooNR^F&G
zsx2UoDFj>g6Re}BCoUekY^MG7-(eM2;4|$oa??Jm@Zl{?WNy}1;P7LtHT{}
zgJimx2XOu@t*m%FKFI1p$O%`n>NH1pQCEs>`ZdHcsp@O08XCQWnd>myz-X>%Yl2k{
z77BIG@wRs`cFxG!5SHIpw)^+<*Fj+I(7cuo9>qnGS&kN+zEej4=l$*=NyUAc#!RcH
zHR>|<_V4JP)$B4bRzE39X=tE0KTkf8pkrerj2q3Qb#-N$sKkM$$wJPEWqLXR>M7SN
z622`l*vY6eTgsP}-F3#iFa88R?-pGEsRN_u&xi6Il0BS>W@fBmo=)ZVODEW0crJ!J
zshW9&%y)t+y_ZqQNf0a^1{8~CROrA4o>uln-{mY0~;F&ttVZ7
zuC9iJ^=(qB(Awxj5=zGZG7(~WXrJ9vQNf1F-eR2DyU}%*`GdN)JYZ^NR3mcoAoxQ1}<4=X&UZnKZ
z-3}Ub+sT71Ez5EeKZ((GJc%i{#iDCy0IGTF45Klms3ZzB!>07fkY=mhSXV9Bn<|XPL)s!>}i^L0(SFDU$a|V`So2bu6z6ym3r}l`}J!9K)!Rh
z?q9BPTuoc8eBR9l^zyMgcNXWjwiGlp@b&c@nAN211U~T}7blA`oNO0F`mzao-
zkDGm|bODrpPa}d>3?(cL7Fm%9(-HuEHbjTo?Nu5vKVq5ExJhV>2Z`-
z=!HB&8Z-{>LMs>&vf>xx%P(ddz((&?Rlnvm?YSrD?0(G~e&Zg@f5F4&i2?dd{HIT^
zK*vYkWbw!Pj6WC@Yq;h&%5~}=rzt-~_22y$`T@itr>b?Yzj1sH2!~fhMGOD@srtFF
z5C(ZbVc|_qrg^lXY6o_!F`I>Ov720`J46%Xb|Ewg)ZK8jZa}sdmMN1B@BILcsboG&2()7*6+S+qj-JEyTu_A-WMgi2|XI
zf<0jn9uQZhRrK_Fw;OG9UEseL@iX-pASJW+SW&d?^myCIcDq$gNyMf1FG!BTR2vHb
zxIw5zW@@@bCSVVYoh&ZnZ-0ILoJ{)?y%yHiI$HyWIy)X`rcx1l1A?!_VVO=U)b*;B
zl`gXTl9Cy829>rA$8T*L^&s`ACl-En2hI#|r|*y_)i@1^o|yACUNrcrWF$9_k0%xA
zdLh3Pw)e)&jA#5hfHk~cFU2uFdGh4v&z}y{e^*8eTuRUN;O;xW|1M+xP+I!pHUYuM
zTxAA9UkJm3!@@)h|8w;Rgari!A;6voD-#owXUYOo5arAC;;XQ09CNXgoVP{4#&Y<8
zl#$7FjneUE?p6xY&<2?+S9&|q3!
zJ&s)I{Z+iQ+#O3|VvCI*JETftXTtDZs8rp`nGg!{W|vtO)1@999uNQPuixs|pICX$
zlv~L~9Z@4^ofPc5mRjD(+A)^jJUTgfk{6niMJ*NLxw*p|8iJyk#p*nzcf_%9Z2jTr
zg8_rg$IwWXZz9XYl91ollzPrBC?w<-MkzLB
zej(|92q9_bkK*tVA!y_KBqfO)9)|rnzVdssGMIy#J6$QI{rk`mIt-WaMBZIRrReuY
z=|v7^K-XbPVP}Ow4
ztl#=DDJDo{TA
zvtX}T`1I0n=)TUEXICCQ0w(v5vIbKYEeR$Ehi=z)1qEFd-Rl
z`5tI!6SK=?sw$wLD^2p0-@_*yQP=7uAw6P_rdZ*t5Ai`fa67cN%w`+Rp(>d1U}c!7
zTqhJl5r723a87obt0K)i)_j$z?w+1EH8pux03l)2N_2j<9SGC@?oE_i^?zh(1RF0q
zR;Vzhp&TLi@})GY;mnz%ug?aI8ewM1mUVFQ%%;J{%y1b#JbszYW`JyFjVUD_o?4co
zN7Bz0X*~P`EZBL#MoR7P?}NfN^X8<>Qafb~%x}-;7pwtpyxKkxTPZ2MQd#9|?a968
z=OudYROM-FkE4`T?J2N>8{cN9r%Qx{CL}XWCjNy8r&d9NegGOrzxfJD|-#8F}VkC4re~fGM
zOdPF!S>0*>3;j}byO&>R`P4kr`t{V+JDPpmxP|hsT)xcZxPsT())o=v5C-j#WN8ZG
zoVdF#EEqUjX*oF&-rmnpQ2+QkG^B;cuc5B~a#i(;S(89W4_R1ktj7a1+7z8u!NIf6Ah}
zG&eu5ZyQ8?%0p|jw{#$%eENCmm6KDssWr1VTt3S_7B;r!-#EI|=df1jA^G1as8DC@vpzDI?^>lA8A
zSD2!MO3k?JoDOnaLP4xA0hFXlN)$^y&yL^(iO)9ppsrzILG^bQVKs$>DgfZq7FfRY
zA|l6GYxQ5dyFoLN7iLRR?roH^4P+}_2L4%VjKMibA#=TY^(P{hs2w1~e|Ebmp{f@`
zDfWRv`XM3|x?JC^M>gr{FuLdGEwnnLx$&nGzg1lPndBz0W
zN_X!Qji2A~i;1!@ppU&PEhQCk-Cszs6$Ntvu(?rSOX8@jf7olqTS%xYTAyx@{;dcV
zLb~H#n!;S@`Btdrl3kLAF-9lKQbL$ej4XmorgG*a@%5gjF#FG_h6Yg(KVi5N8V(h@
zQxIPeLc$j49`A0HwyYKOf6B{~v@VE;mKcn960s3{QS(zrUrEfP{qJ^vj!WMcLnRn9JH#!frKxW;kRA?lFn77R6EX4h2ksAw*i4yVVeJB9
zL5vC;!|SwXGB<&Vau%3>GE}AnL2iLgT(M~{7No*$EiL|)v&sHN
zwv%*4ki?HIdO-fg%Y8g))*H{dcj=N;{o(?iUFF&>o!>1uErB7z6LXDzpx=6cL^obQ&c(V%u;D|MmTrtE=|&ww3d|M!Hbh^dFrj4FJBs+
zCBZRp@bUd>BTShuZg;f|BV5isew}s`ot|gP^i*?XcsL>D3b%Eos;erPz{
zrNQa1^0cLH^^x#w36_FqddL{v^`J?tRnYKo>$*M-8=F6^
zoanEP$TLWW=Hd3la^P9aHgKURJ&D>t)G<9HqXlM#UIKJ^OsUt!HVA8mAi-vO`XzVw
z2~O(?Qht8!1|co*3&1{R1f9S1&!4d%OOXmA%g&|c;z~N+n_U>reWFv&NiTeA2)(fA
zpdc)Oiui+dOI2n-YyddQ;tCsg-;Vz=8A0vr&;uOZ`2G8N2sq}`{9Pg7V>31}x!yF_
ztOv(4^V8xb3k#Xp1l_^L3uTCnrKFewOx>2^((2An=wT4n);r1U$>-~%21pQJ*G!IH!8IU8XSk8;&;@S>X$;Vlm{An2he(9H9?qLVwa=2E5y{}QkSg&T%DL9Rd5
z8a?}=I@N4yK*PtE0NDnp$6Wwo5=Pt(fxGd}+MK;e_EpU_fo{#8ldCU(&rw{(q0qJ+
zmQWi5uUwI4QQ*?7#WA}?Dglx@op;Ud!2cJ
zt=!vb4-K~jRV>4CzwFEZjRk<{9R~O%badE(vtT+rRD|)0Nf5!JJFRz_n0(^2nYwfL
z?z<>ZHIPVyNdcJ~Q`Ld(6r^c!YkNo5T}7Ijn%@9+4Awj)5HB0=_F&}Ow@*=ngYRJm
z3_Vmv+R7|!0pDZ}lUq8xE`&;F5dH-bhtc)zx>5+;+=?An5k&55hx1NfRH{-6D-@~rb{}q%uFll6si;s|WKtl`nVKf)VHCtw*?H=p&zl@z
zg4KnP>%Ms%a<-?mkB=WEiWxv*?GY6CK=bMmz_BzmMj(K*YG~Xouc--|(BT1J$Kw(bLU%HaOwvC{k%}*-Or(a?Ugft_}Z0IX3#5^HUNrPlh~A
z79`z+DR`>duLJpJ{;(}A5jd_6`b5!(+d;X|bv=&T=>`S{Jps$f12yA|bIE`ZcVBdj
z^SPb&l-9{f9J6IBC3Kj7&|v!aH^l#dsUU<~V>$Y^dSYvOGB8-EZ!lBLs)AvAi2iL!
zi7JvO+f2JgC3z4);PdXLNBT@P6`JhPi>C?y0pVNZddEVrm
zb}#{oh#WOFvLHmkrLZX_^$k!(6pW04uUt=1-vMmVTd|9V)(j&BzaY}bp(NpN-aLrv
zXS?hTBGnnvIP+&mgr$%IIc`nWT`VVbx3{PCCg2!kE0Lb>rMQqOw0MKiv;tOKCYP!jB#i!dE{}k8gv!{PoqZ
zrf9i8Mp;$W`S=wkA?wq{!Ax1}7?!OF-K6+TbtcT4TTPJqqOE0pgE;#cbZfjJ;3?1*
zQq|EJ+^|C3qfePnux+3c5O`1;?W(VT=(IjCcERjkTyA{>1c%U^oeyuEPzaX!cXi2r
z3-idI*@5w*3Kx(!LFb#Z;dIydE={}TR^Io%CvhXjvR)W~+@&@|`{G
zxk+0>V{`L|DWc&PZ@4{9HmHG1XR4-W
zXAioct-Fcza%8Fo!u|;g26Y=0o$J4WC4)Ydo?cS7fm6|VWg%tEay?KZ3V_bkC6TE3C)rHC;^;9&;R@&X8IG$R8WqN_(m`e!^e;SeM9
zjB#>sJYO3gBZgZH85b@jUND5bbzT2D
zUQAY`%z9nmmDkvOwwIT`8yJ{N_j7$+>d6ybap&*&kW&6d%mPFO
zG`cYSiV(aXBP3y=2?@F}kl!uUV-uwNLGg;3i!1!?+j&<*RZmaqD_7d?;Ol)avw7hpB)i*FWo3Q4vphXTqW$QR
zAGkFCFmlREO+7t{GErH3P+sWhkX`;Kn8>!D=4(~
z_Tv3dX;@fru$#|vqy7JpwDq$^tgQGPj3!T%X4_Ejd3#4#&B$3>v*=cy2W4g+@MPb_
zvJ>GlQ>5eE#fMHj&(Mn^`Ap5ck=C}%h}c&oe(5%wd^qjmCzTiBymHWF-a$ovm*JlD
zgK=;crlyAsxJJN;dyuPs6Q&9_eA=wp!hmLfszIZFEaxv7GBT1`)4!gGU&dw&Nrj<<
z0Ew0B6*OD!>#aMQSqD800%_@Gp{GAXYc)N+nN?O%QFL|PWvRcaukQ&b?hQZ$VlAZ(eJ>NH?WAAcVe#pdVdcYy8;eGq*ZS~aoq>lbaa8W*&8pzqla
zLG9{T5wlvBu-&Y`5}0oq8ocY*ub1m}k!PyrvU6})JIeNrKy9KJAX9^b*O{3e^7DH@
z`L}7R&L%z~H1x{oC;`7vWdn9}@W;nmS{NcCBP{+3TClpH&Z~8YkZ}Iz&zAjFm3Y6h
z%?+|I<<`AZ)un5p@|Ht%5x@}ZHq|qps_KOP0$`lBAqNJ4*-HpJ-uH|C1&qp*(^DIp
z`Z%-X*O7yRw|T8~+J6*BeIFZJ23Don&b$(|snKIt3z|DSqtVdcSk~lr0TNiuUo+IFPXd@vWy|j)-|TR$XiN&h)g$AAy?5c*UkxR~IYtlpEue86d9Y
zu(!Bbxm*lYpq?aBKd7FfUlr~Hy^@R>p8Wh5kocSRC3ZHAR`5WdBClETmBiFF>Gqn)
zFP7yeH3=Yf9i%(+N*uDoDhcqsl3{>?zkU1mpoX-xS@>lozO0IhL;F8v;ef%OI{3}V
z%#2P?A2aDJ0&V-ZSD0;}HKYOF5W+OJ-nGekH|cZ&$GR4L%z-LNf6dv^^&7;ymmz5@
z95*#Igddnq&&$IeW|^-yZnp*cV(^C#YViY#3VJQAtsmmJ#9q9tb2}1^-%fE|6M$-m
zKyUxpglWB5zvuqOxYAxJ5bsq~97u)7KoT@o(CHhG6|s=>ZR2*u8mRP*Ify`YAFgF7
zsWlGfYRBpEEcffsxw)GmqZ!QDzGL@(^Fe`FD?`rBlvze}4ci?vrGRv?maLM3PS0=lB8NaO_%&&5McY1Y5;l
zJ#q3+^+W=~L?I*j1ZEUqjNJ0_YXl`M3>{|8Z;u3=H00lN54s$TNkys3Dd
zVk)|+Nm*8w73M8l;#!J#ON>4``vO{97J?NgW;+F9_2$&ANP`U1PB
z@Z^cvx3DDmO;`ReJ*V#fDJOgt)gPUZ&^uM&dr$aor_+KnF+15`UWJ~Rjg3C^Zks8+UbJ;|5V^V0+uQe9);^?eo#o~o
zTz;>G#{f7jfJpVX8pO}`sJgHzYdVG8g%;M|xoc8xYzt3cK
zu%F+7&Id>A=|k`(;65_HeDP*fJAb6uCjetmJ0x)qpqC`$5E>G~4cdJqOG_U&CM%;d
z<-`^SGqHNJ*X``u?VO#nVcaaFvU}ZZdAYf{rfb8*kOp%)EcrvAW?5eYLx%u5Pb?qL
zO%7DHkN4yHg|<&AA!2CiSeY1d2NT>uYFj4{@x|+n;#-h>wZdR+8F}GO`jq>||CKu;
zjU$LJpmEgp{d+)33FlJJF<)U}vV0q87M6X2`!p1sKuy{%XQcc(=^-~AT>-!6
zsS+rI7mbVYSE2U{bNLlD+En${;Ibq|Mq(lrwz=kM;L$TfD0mAO_p8_iv0q$VwXdSY
zln;c*Ir%UC9H*wGiNf4eP7&AP&{6VZrKGDKtv-sE=&4(ipmkDZ0rL#6H2KcW&GkDu
zI*LM;p7drM*p7ZcEz&12A9ERO{a3LwExa1FRzSLcT9g>l#;`w9=WLXOdX+5
z82az^MaStqr~wcQ?qi}(PcJFw?gO-1p!FMtq_i|h>|LIDwSZpZym@6f^zn~MTeEsA
zC}SH8QQ+drgH{m;znKi@><|$Vu{*7WxTd^gx`PGO3KozYZfa`shS8l*_l5>x{&*;S
zi2|_vy(}fK!;rk1ni}{9
z3>boZAKJRB0~xlZV}jZZr*f=M8KBcJ5}*4{AvC0<+Y
zfYWxZzi_eLCrM8`SU)nay}W~}6?|F4nbbE}f}i5POX==Gy4A`6otG&lIMggKRr?1=
zs@&tp9YlT-16paym(kvM-+J~*nPKY>@AJ$|WgXYZva%|nGj$hViL|Ormaj$f20~6u
z1Xk-cZ4%_<7dnld;5#5T>*bvZ)iYl1Q-E^B{KA3~B)99M1t#zpi%X^%K=^43&U{+;
zB&fJpCZqgm{g*${oAn?@STueFFUrX^B;djte1mk9+q}QKJMI6>^Tc03Gb_aaHS1YR
zBq>RAvj1AX^ooGE^Pxe;{hnSH4tDmr?`a~wzK(STR=P+%HoZbq0ZIzv$Ew_GfSS36
zo%i>*)IY#y(|nt4rxzE1EVhVX1+4MN$8R1iN1AlHbGcd@kB(dP(s~ztD11k3{LIs1IP%^#dQoI#Yn%;GPXM8pE5m*&;C>Xg
znw)=;{QC7AqJ$ZD2PPSroe*NKTVjnUXm<9%b;~WZIp^)Fsc~vFA`x1aCE{`3xF_hc
zHIq8s)kQ!ntC@dud98!iDgI{%fCw6>D{`cW))-0w9rvM~X@O!xm}N31K*
zG`?hJRw?z@30i4~n?id?)wE<$jf`B6h<78myH=&X@AuD)z#vz@oE)tu#YQwt(Vu6+
zo`{N`i%)N9w6*zFoL-OSpO2AWXOq2Ek8b6*F9o+)}xaO0i*Z}DOxY+Ll
zCrJZ?qCn;#j7W(zfaq+O>%BuVe26osw@UI_vZN_idq8r6+ikh#8}tS!ym_rJp~XTV
z?66e#EshIjxK?p_o!biw*O7|A7?ywLad40X8mFqNifD72(^5mrU;T^}W)qyApXgew
zUO^=$O@llERNW6kh&Tw)(a`}1%{(wL0HMES)@8`UIiXyIv`{Q9?|NtTc6R!K4l}@F
z(80C>He)!S*{K|kjKj)z3S=Zpaq$pYQDLD}t~zgy5}aUqS65jAHcxDC0G!>vt;!}g
z7!a;R%gY=1jlRF(8saP1=8h%&vm$g4j@Uj6+fF)uAW
z{TC?mL6@c@5Knp>!a@-@(ICL0jEsz&E>IdH%7M<#H-R1jcb$RFPWsY_b(_J02Wrun>pz^MJ@9&%3zb`nWKE1Uy10RIc
zgOO?^5z*JyzzdVU#Iac3P2#IJ$)o@#lfYMGhEz$n#eALCHSM8l>w37MWV0mz<*0Aa
zCi&LD;t2wxAoPX}%v3aY
z@WU1sX2`0EiuzSmncT)xiUK&QsVOgvULH%d0%UJW3I+m30ie*jE}w{!w6rrff>dt}
zg_JI!cCJg1q|(YH%FhqKxOgC6?=Lx2?_fku5X9WKP;hVHa&*VAe2Xfv8!aOUpCheK34u&p*F|Zwz
zBO(&8lc45RV=?Gmh#yZ_SZ0O+G=p`-L*Aud58
zC@hi$xKFyf^F=)SfI#DU0DT4$8JTQGC=>$V4UlF}hm;HqaBOYIx~(2nFM!dhtjv?|
zM^@`$RQyvF`~OR?$JL;SwZ>ATgWc`#ciQQi`We~D@~NN$18?a7@|*ghYz*g132M;2
z`k4{lU|FUFmI$1r`1G~B{QM#LSoZgJ3v{3q3w)?rPRErfh_8<;W+mmK-S;m&e{^L(
zWZ0Qjg1dlUsaGjQBD;N~Tra39l&RY)VCG}XAMHwBl3cjTAt4R`TwEH4wrY~>@^CK9
zK_F2S8XXvD9vPtk(n{|g5%_OU@Ak?JwM4*QP@E<)GS=#aMwPJSWI0?#3gXp!t>{aD
znyWkAeX_AZcJ2CgxaD>mKT@D{J-51=x4G+!tCKaT_H0~7VK8NUg7wjqX_$WH`Eeu^
z0Rg}ZRPez{Tf*L*)6=^OsOZ>OMZj$WApcWl5;e=_b(lXquwPzWY>xX-KyadK>ou~f
z*Z|eT#R1>_V0#ArN4XVO_eYN~*-ZcJY#hi;FtM@6oZ=4{bO?~eKQa=nx!LnF#@`X4
zWYE;-y8GEiU7Z9Z|65z{-NuW0QUn-I{F#};81&p4s;;4-W1AT;$FP)C|KN^r!>k>i
z-x(UQx5q+|$c(Gpot@c$KSyAXot=zS^x3I1ISgRs-QAx8;Ij!#otT)5u!x>AlhgKL
z0Rn`bCy-gW2M+@u$^aZ0AcCza^!wCI?*VKyDn1^@I#1uJpPzqk6&AF6;M4+OVm3Cd
z)6=!D43d&QwXaFx2Yss^09Xxq>1zl=zoossV5S&$2vSm3G1bS9AH(3Ni(QGO)q@j3
z!HIdm5{8Eh{TFy`?wK2(?E~aNfV}Y!ODr+Pm0!TJGBNTNm}NZe5YmC&iH4Pzk14zE(1mGgX(0w^DZCX3DSjIoB8CEj^%TPU7)bwL?`8o3^><)&
zB?(>`5uzZBkpNsK$nPT$2df6$1B4{Q%bTlj0Bj@xWP*k*fHX1r_%NoX$cif~s}m{_
zicc8>@}{lU_AAQQb<-;WR3TmCe50+k^)Uj@ZAI^$oyGI=>UV8Nc0{iGF2@cx7=Mr>
zi}>jL?*02<7_#%e#b0T3y{M?jKOq6VukR3XK?4If>9a@q1;z(z$`7XN$dP?{Lj&jb
zD7LQ0-tx00xZ$b?e#=ZyH8(Qb@Px8TIG~<3CyrqjYU
zugr51=Hf~i%I<%knE1fel^`x|{2pymR(}3`{Q4ukpNl34y$()RnZ-gNdj5!m6+JP`^yZXe?p)-VPfw=Z4`K-J}(^{hMj-H88FfY4#)H7ism_9J{7@)
z-JM-sbTkWO2$g~^nNH;FI*^zb7w<$wsWqi|eH#^OpPKqG_e>1<(bul;gPa;Ra?YKE
z;GDOL{HjS)Q&C|eCU)DBVu6xn6V!=lgzJ(_U8RBXakv=_5*o&2!bAwyFpfQ9+f3`*W^U>LXAU1f20>W^2oc(d(5g-x
zDns}i1f!aJnAHI5CtyaZ>={sG{Ly$p1T?u4x1(Et`yaEy!LbEh863dhU5J!*zK@1@(Cf1mA=l4zUa2W;m>C^$&{6xPf0+0nhr-|0Y@q
zGtgV7%z&cuqk0b)&@+mrrWH$785t}}Vj=;zXihAO1*x~lz`~lxfepvG43WRjeE|U<
zNq@zcaPOtVzo}?yrdgDhmfqzaPWi6v1^d#Gz6eiF83@bL@@`hU)|nK#E8^3R8=X-p
zpqU|E_B08%G6t?znLIRVFy8tqre`9p0$yHiJc%U!$j44jp;^;|gYtOde(z3@)t8`d
zTtkrN&Oo%w)3i1k`5X#`2rO|3;Q`W240#HR7Jcg`f|g{7s>8d5Jm*6>C%7CO9Dxs|
z+a2~-WPrJwoAbxY7KMjL1DJmcpaAh&3&S7SKy+f!ybrt%4w!-iSb(s$;4$+s&@^GE
zQzXl5`|MjK0`H#w+|vH&A4Qqh!=t`CI0OSlgMt#q9pwHA5%dpa*!`D9v+U#G;h|&y
zP70?LMD$)d+l1!j`Fz}hDrGA^sAEG_BnS%8f1G1f;&bZNK%(`n<$CE)A9eC#)1^2aN;i9moc&jsgSEJXoB>aMD
zV1@L*me8F4Z!Ex=LBAoeNkP-h9<~|8skP!bjMF#lAxxWZ_=lwyo`b{(0)9hiaHF6>
zLnSDf92=|F`i(9!(k|@l*FCV7bl@4*$F{#Gu5WM4JWIs^&f4Y6uND^X)&2roKMnmn
zBF;~Iz@2~zRu0fx+qqs3G5jT`PA2Cp&QW$AnIa`M?X&
zvwd9ATM7TR}?s*mn6@QZU(O)bf)y-WDebHC%h!i}Sj!Ktj=OaYRt
zrTcQsrHOG_(MuiH+B!B4Kl`q{)m8t1eRPE3)VR|ftuGKVwzspggS&M+^>-;Kh2K_m
z*}*gBLyegFT+1}g&9B@bVh4gaxk{eq8MnnCu4d{b
z6estVzW@C@Q(i=Fut^@ZNw=bEe84*)-SJWhy)3;6<_AUZ
zV|bq+LLBvaSDuloov5w^zDmX95HPu3-I%B_~92)$~`5r(ZUl
zYeAY|pxLK=f3uRg%x*#P_|Kxo&#&jE(pS9YyV-@DUsMiez;jc$?W%~yavfT@AGjdi(b$q}g
zJk%O5p)GS<6)e!Le003$hJ0Y!|NG+N-(tA3YnilIiwN~!$-drO8ijP$Y5rm2X#RK(
zrRNhsaVfzg#qMIFwj|&&T^Az4J#dE@E2l6DtfIgugBdn0fVQ~OdTUc~FF
z>hb*!n#_Z**td2M4n`Y1{P780Gy$48T=Kk;!Jt8yNhLkvdJDS{6Uu}MK7>iD@Dp4|
z4Xe=?!;(1o8UyJ#@#NSM4_7anXq^fYqn=>_CMur$wJLO(BTx1%icXLBR#ygykn`Ug
ze=smnPTCuG4Hc*Oey7%)EA-Yf?Gb5>W*L|IpSn#=nn{ef8@34dTH^5csbRnSH8wF>dXA4<*j~2urV4Y6~u2CHMEfi;Hc1mFZ8oFSYjgsck
zR!f=7wqYsgOO;T|(xb%RK?kdFw1Ctcz}zFyIjpW-{@xW$I-H~85=wFA$Eq*SE_4@V
zf(127jci3W29BNh8pqdiAmYF&bQ?vL09%JLc`V@In&Yr+da_lEqtWPTO-rA>l2=5K
z_rQlWp2Ilp{re45>C4{NizNNOxgL%S*1V*CkR*6x;CL^lCk)<0iXjPwBG!SMK*ISc
z&$N#$w=24vnfhlCkY}>q-Kez~FEQv1!$1+wc%zYPmCloksdPNBOdpR#p~f#~
z;-RS27&JcTfTPRbS(sJcnST=$DpJ5VLzEX|K#`vzZQO%=z{fVDfq+}}2ftfr@yR_N
z*1O(_nNEJ;d>>X+99dCy%hBtD8{-)xMFtpPU2<7;o%3X(l1YS|nHuXcyc1qJlv;fC
zeZ!=BPaN{nLCF4lkr%j%yg*!7n~_QsozhzEwy1i`yKrXOwzN1dukQ~1PD40i`H?L@
z|E(lH7#qvMPtC|lgbQ-8({2z)j){tBQxQZ%aTe6QcCc#lR*V;L_|)}*F$;hdRvi)H
z!xfvPf{rUy<2xv-7DnYJX*~Ly@BRI2v*hE7GUdkpeSqJ;52#no46;1gzva5utM!4e
zC#v+!$CJFD-}DU2fRo%wsd9#$|e6T~;;-d40(h_@}R5-{Rxp6;X)1
z>$FkgMGhkNzk{d^&WJ@py~CwK*YfNZ^tGDbicVB+2k4Zq6%`vpP(Jbyp5Hqc
zo{GottN5?}6eYyQePG=CcLeStk3SBuk}pfWq(!E^cWGs~%+6DnQ?}D?kX9rlUPtx(
zT3;`Kvl&tAcGKf@N9*KQOu;{UfCl!!`vt9;BF@3qwBk@Ujut!|VxjbE8#2()zpaAz
zGHpjk!S7O&-)@*xdq3QGVGf3NcoBy4^@I(=>0yax)syEk3v;yLK3@oLTsdB@wHin-
zHJ&>DY9&Y{EMf`r6RMQ`w%OiB9Yx-$bEY{E^?ddHk2~`zIMmZj;A^zd9E(K_Mzv
zCQ3h^$10NSra!V%)Af6bIMEC$kD;VE@^@Q_L+B<9Km+H2nqxay_qRGf#o2Gg8$mY7
z_?vq!)cV$c|6G7a_ICUQMhUsb4er$ky?ou=UgucIE^#6z3w2Iy&@kn?U9SZvV;#9h
zh|SB_rc{XM)|HWQMow7`6h=m>?25WgOD+HW?%#)<{&&bskX@>RG4#)R6ZrH)Nynn5
zlk+>HmKm8oS2}M^**bHh9`pU`7W?!D-9QBn9H=b$&M)-GBNsFfIpQzzl9L5S8ZYEd
z=7U`{aw1Y--pD7g_o*Dl4eCboJpX=qjzMEZJg89
zc=4ia{1`Ro84wtFOhZLQ)%fY9jFX6nNOmIVAdGK3MR|w#M}w2CYN81jR-NeWwf_9+
z^ZUh@{0$Axn>uEiB4{1y`OVGEdDmNVXe~yUdJ}YG$zh_&&KEe@C_;Yd%ESTxh7k=7
zZTa2^=XII@4JA|wyMK6i|E0W|NZ=~b?;s4o)0b%
zayY-X_wzivoH6@Xw*7?xl~bq)()N*gg+C@
zPbjY)>w_2BM~Pyd2{EIfNhS(K&Ft&zTY++C4f^)>Lkxo?W9kc&GYi{v`tIMaU-z52
z%A@QLVXR0U~%<7)3e+}t*-o{&%Z3tfWi
z}6}<&(V;_iwTBF^mk_C;MguSIg^T>jB=LX<4Ygz$<;p{lW-hG)lyYe
z6|NQ4J{S1z62IvR#6wzI528d_qI>tD!dj6@oo-9=3v4kzj??TB{o5R-+6=@_?YjDU
z<7+b9sG(dK$qhQ4z7S|4%f}Bduk})bXs`>(X&Xo7=PQ>+9PAIY=Gm(+B)3!GWweDJUqIVYG&ah6Lc(z0HuZN+C8vR1Mk`XB>ey
z5dvf&JUesuY^`Vb|5HF%)BTGv+_Df2ZoA*ZKCZC&6q)U-
zhk37GFAFv~!;7ATeZS;qd$rXFi@KT~78Z6DCn3WT0y(VwE+w{uC12+sp!`=6K&Nn6
zouHncqMhwh^6z%dF#h0PFb7>|FUN5(p>{~`-@pIL7HpQ6CgxgMHNL(uh>b}A%j8@3
zff-H?T0&yo8y@?2Kfm3TK$C6>M&2*O!&SveNu%p9W3|YrcR>$zEv>2X`?F?>G=S^|
zbULyqVe-hRzqxb3f1QIpQ6s^aN;ElR##g+&v9aOe=4R}(v+YsYzi;37hcFF7Zr3?r
zle{_z+!+q3&=nbQCO-BaoPgu-e9(R&I?W9Y1|ftFqZCF)*)jhZWuGaao%8EG*?QRO
z%-w2uH}VDjQak$I__sn4pOQD#lD&hk8;@$6=ZFQpo4M3u@rV-lE9)H}}3h0{ajI^0G5e@8HLI?`w7Y|ya@$7Y-CuxGl`8ltexV9n@#VBk>S
zjMUX}FRjV!Gv>upqB2SuUH>HCcACl|7g;r}4L--vCdQYixv&3I&T#s&B{+ey+<{^~
zme5InKIvv1JZ(=-U387Eti<;hggs>DHcEeaB>MDKnIr!$+kLl@kvg;D3OpyThUa7?
z?#*BBN+4qPj#LGa30+4hL*=o0MOh*U1(HRTrBjE4Z8oTnAT2}rY5nC+fTJxTubfYw
zt8AG+ihA%7UKM~cy$Ut*Syo+v*#N3x`#?s2g|xG~#$f3^JSP*%u0fRX?U@e!Lk#XV
zlZ{MqVip9%ziga9{7Y;Yz|gJrx8hDyTLOj^S&-?F$;>&@{cEW!BH~NS0?O0?;R!KU
z=w>8ccxzzv0BJgG@8iezKK|(S$pCQ|ioMJHuNUCRGqA>4<}I7{Cy$)JEeJf-bIqE!
zQcgF&TH0W`%^2YT-{pY{gJUQ4=XlPhf8G2waZ^C`qyD{+c-6s@{JAddG!PF7fD=RQ
z$3^bUEY)Z8%kRWP1-fw1OT5E=1?}6&)@M^oS31;^AoCFDaYTH43id`qs)X(4e-Obr
zcIl$*{Rg<)GgK;9>rRixaUMZ^e}dRS(?5)i%2#{zhsDhw+?Z^cOP`tH1$=o;C8=5g
zHXi^de{lq}nLqGDDA(B+(=RS57Z`wbbeu4=Aca-57?JeQ9+w8C_q=A=SpjG3!=
z%=}D8IHhAkE+D8B-u$Fo{Hz}fukpC=)C`pm*^0r{M77j%F24^|o*P_*Dz7do)I9ZN
zGBDYuw6|X%YGoJ4N&2ZkuZfvg@8}33L*S+O8SQU0Kalk4
zD+o6I^S}+L1ye!ra)nDaGAq`-b`bj?h@GMdu?0)Jc-~aO%kw{9l-=B3@vt8CeSh*)
zemQz^yzYh-ebe?0v{k?m9~Jz)O+Ri)TVC6hb|n)>(U>&~+1c0b(+jd*;SY;w(@*rZ
zX0g!O*-V?c`Tpbciw9AVF64JpP5>=hxT+xgGaw(A=&PIbl#n#OFg_vjp{`t38=p
zP>SY<@6yj@bD3#>WLR0!evi9~kY|WTv>83plw0%#+T`
zbExwx2;Mn=?$V=ngqlGps78o|#m#o8OhW~~-U%}X%P~6x3K*_4@7ZSNVvR9h<#1lK
zk+o2*XnfMf+M4!YNgMx#3r6Q8sUOB3VTgv6h3HwxuiS`t>CHPJ?YkYJS8N?NwI$9o
zu7*(}4FD+!9;k4^#%VnaX3NzA+QbhSzPe59nA-*iyI4jI?D@5Ri&4w23`1nI5Ah<<
zx$qst%5RY@LVI{aBh+twW@TbuO@@Y7KI^It7hb$*Y#f#gLP$5r?6my)Qrp4o{fE5c
z1(SA=n_~!O?JXd}YvMHjdA#G*TJiXkH96-jbRf019IfVUja1=N`n?APla4p6yMhUb
zU=tDXyWG;9HSvig_mn_uG6NX|mkizHfWNa<|G2@#HKfZNbeq2Uwlh|28evgoNA^y%
z*q?v0ST6r4CFklZL)U>K&$UHh%$X432=DK(Pnv9szQ=p_1F@`(WIeE|#l*S!&Z!2C
zk@ne)XZZbR^;jRsF&JEHLgmbMeC;2c*MDXLm`;O(r^b8N8#yH)IL;(G!em23ygZHJ
z3bIzp9g{Fv+YK!7VFHn;C3pvt
zd21#agiVF8vTC>AvdbkOKYbE8o74}-P_bu_4c?C!V%WOYJvkd%g{CG6GHz;MHgDYy
z@=bg7O3=K%)&~lkQfMpn*-(?9SM6N|l9HB;8#Ov&)5oNA)LpTioc-F5bET$<3MySn
z%4U{XlP|lxccJ6ta(iC^J@R5`GO&BFW>;sO+~OVJ5Jp6p>Hrf(&vx8<
zSqxI!^i(HSKGyT>@bctbWSG5f&F;>Hl@j-KHlA#p
zOy<{^BGsHinW{^W4glM5>VKx~LLGWgY@^cynhwM$a*TXE{sD=!8`*-D)1cf?!~OkV
zAoqomwRAM$N!`_fGKWkM?@Nj9BJMy71Aoq;?
zjIrs(p)pcU70OCgFGn&|2+^OlvU`MD3Y4RAG}4s_={*|Q0IR-#uxpdiqXg52&jLmt
z!qCXrD!_!_4c$=(pAc)l4PB*`NIVQ@^%WFuR;_7EuFbAgZ?2t7mvZ_lEwXYDWy+ib
zb_j(_3*x>^=qKIFw(816V@MVvYMPph`gR;|o2OyFSjo%Vf6sE9Y~;rffvP@}z{_tv
z%Y*q^iJ7Q>dhPj$BP;*O_eznCLrXTSf^1noe+n?L)k?A`vI|W=F
zm&T*GADy1(2u)+G8YA4qZ3nzscN0AY9yCSoQku0&?OghwNpMO#&l^YgL<;KgwDehZ
zjcB~%**8>o`4naVOY3A`f
zyfzq|{H}MRUXi;Bgd}6)88^l^*U)mCmV3u>zF*mSQYi&$_EMnSR4UY}H!m5Qr{;i}
zMc|I0j-4tzvkz@jR4d1QIy>Gj!)};j4Q+}LTMVUI1RURSo93A6!bd`z3#FXWE|elL
z%Jkkc&|5(&N$>wn7Timuu)YDP;5c<145ni27yGprrlo`6M+>}m*u!?9KQAxX&^YNe
zFYt;IqzRyw?NxLl1ImBbk~$>Ndrl&rVqRR>d7ku$WS$zxO#kMgtDPjjz{<*M;wXUX
zZ-MM+jScEzW0PR?RP)*F7l(YBLtgDZZcFqSC|{X#!%GZ{x6ccqI#~pPl6({n2-4}<
zrg3N8eXE2^Q%lX5iPQ1aJde2$U^FSRl%-X;3Cq
z{?}uFm?9o*TRd`J5gikpyO<2S|1;=%7X>T!3W>x3EFAqA1Hf%Io&jYqhPa{cA#y7Z
z%8+Fd&=$%Ci%l7Hi+~pf9pFP7TtPnn5yYkLtZKi7#ns`ObvL56uo7FaVv_gO`m|TD
zsEE*o+QopX9Vbh(MWj72Kt-kvZHO-eyW!JyB{^9|{PD+M&JT{A&lUjaP#d_0Lsu<*
zeFPvV60McXo}PxTgi@ShuZ?|Ty!%l*w~%q|h}DXM-j!zF#+7^3>%OD1SU2p!a(uO!5Kha|H0+3Oe?0M{0(_<
zCIFx$T)22RjI}$bf801A96ep%d=2$j9(kVcC)1T!$%q~gQI5jFa1i{8#6!;oCa0yL
z5#)k7w$JnsOk$_OLpNTqt~LNeWi)`LmK&P41{v5K@%nQhE<*_;5jpI^PoQFBKjUGy0V|)V67-<+cuwH#X>W)!eb36Q**pTi`J(X
zw8^O{=os$MwI4JW%dPdQ*?8vv_s3xUDN%w6jJ53n$B%&wswSPWKTHeynY}*D=uXRD
zZgA~dwrb;|K0bmnPet~|WsO|D2rx;da;F
zB^0JG7Kk-!2>RLLI3$f-ek}JYOPCgyfq?&QcvwXz51rw$oh0}kmzOz{P$wPujxL0WeaQp4};nFa4yPB&Ey9u>_u!=mt
zl)`C|{ms3a1DEopiMhcn!96DN^64pqh1CsjlH2R#new8
z=hQT*3UgN&np}o1f9bx}mZsg)pE1u=uR^UtbulxhLf`rQQ
zUjmRApTGhTI5zOXqbkq1Chv1VFu`T+Ap=ux9u$xe6oZdyuX(`R6scUGHzo
zUGrQu1r+*F%-ov@5vFe1iiOrc?`wE?*nwY9l{S-}kJ`D+_2{ip96&pV;(XWH_lATZjIMtrY+Zyui#j+tBjy)RuFdB!Tw
zD#F*d`c`COo#!t7lU3rxOh+xajN(A1t@}{SzY1M~Y$)BYOTC9>J(jH?S=@7b>6>^G
zR!OOIhwk&`qe-y#og^i5@bCLVAsKK+@~)$S@T`EAYGrMSNupZI7*ea9BEqc
zsK{gGFucb=-*&)R`}N86wb{(4#hz=OGM+ca$Dfc%(|C4i=NxaJhnwJv^WT&d}qSmS(#kv`2H#NIz};L$&Cg`XWTe?
z*rhWwsr6m0!<<8`l^re(UhE?6B5=3T)z&S9Hk*lvt3cf?7Cr3t`!~NqM1Rw#5IMMy
zW0$l`S5I%`=NXrpehM8BqsZ1>PyisaA%UDoZr|$$P;;vRLq=mFa`uip9}ELD0CrcX-(Fn)R!>z5-q=dG6nS%W9Ly&k1Sq@FZ$LQy~aYV!^qV
z!*+$Zuel9|#?+P@jGqx4OL|j80Gd
znWtBL2i7SLC|jXggYs0k^JQ<=HkQkrWgZWZiwVW}*{1
z`#+`hIW%%|9v{N)8qii}Go8p4J-H$pZ-av)BRr-u1hhW?n3%|p6g-^`Q-MoEzVKWd
zXiOT_!BMUDW*AYOo(ZATDrDuV#Gib@gWxIOs;r2%st;*lV9tv(7aIniP`|M_Iw4!I
zwR`J!whh$QNqeq_DMboE2qL_-etB}Ge70d^l$ql%@Ot5p_F$wdLhzh_o>cG1ZFxC>y?d5%cL2`6_wHl++Kw%C%zmC2uevI!jBL
zMK-;zOy?v%N$t2g0hLtTb8Js(D_hn>Wg@Ff^@|Y4w-Yd~#vNun^9Og*w$lBwG;f-B
zCr8pntPutzk0nW;ha&miC#NZ7K{zz6a(|(%0A&-k7dr4E!zH$VqYQ(9QmRLwNn%
z=YW;gC5Rcfc^qqAX)En+6504L*^7&bL8O^!%+zRW0;qVP*DeM=J$3Rjrn6?GcBp*i
z`e@C{bX#L@>Gzt%K`n&#r?K6pHaQ)T>@1l0j+dXZzYY@uI;~LlTF>Z8tb^T~zwR5J
zEq9m@k#@GM*}s23D@<=^0^)pF|8+jBmkl1&2KnWv;Ctp4N{zdIEiHmgxw5<_oE3b!
zEAh7kIlNxc5Jh`D6PtuX(>CSLXOoGL`y<6Is6`wSCPCSjZU6%-8TPmtDSamf#~b7o
z_tcu~c`N+F+nx^|Vnt8u&7r{wnbw!0xZ*taSqjLVIBk1`7!DW
z3d#CYQa+mz%hMwEwd&uR1WVJp$7k-sx92h7!(V)WV!{{R)FIvJt?9`~{jK$dYO_GE
zvB^l~ui+J>eySw{LL49Ipyp#qAS^Saw
z8uBgf&lk5_!=?F)S1}ljgRepI=eML?zvE}D(~&C2i*c)iU#%r
zdM3%SOXSp0dY`92A6Uz#s8P*=Cs}BME@>TF-KQUBp3nR1uRv*!p82wWglZ;@l)^0P|7u%g&=fQ>9<
z!*~`0+p0$NWgphF{XavDM(wb}cQzKAdIw4ta>OjgA;ZNUVkxR^wdGh?DU9EV(w)8_DJcn}vawcn#xOTU+o`L>_MBF+b)R7s
z78TYp+)sCf43Br^PT2;}`|OE$a^rKCuG$}eGAp_Y@oX6MY%OoM$)AIaG<>%0V5{4;
zo!nBRu0%OM$aRaVxZdygAE>%mweikrVzin1Yotl~gpbm@1)2lP*|vzA{KSnXYLlx^
z>?$H7Os%NjUQ%Q!J44UT%PsVaVP)KW>2_Ti_``7thZHtV5K;q;G2jfsjz!RH&32)l
zn%V-A$I`5VvgbzVs=u=fZJAFcY3KDe{Q$_ay@N)}hf%YCg3U2NBC4pNVhA;CB-Q`g
zWb6JMP%{!F?v}4faNJy~S23?gedp0NL%jOs6=M#@Js#xGh$Q#yUH{)4YEMJ;-YB{q&i;U|-j)#5P-lO5vr1_=ZeCOdA`qwkrIr5UojWQH=Jo!V{mO9(sIn_H
zPnuQSD4$N6Uqty=BE(IBjjewKKJuV$^v2bUZ?5yp4%6=WC{v^6$NxUs{|fm-Zv8*V
zCI7G8Zf}(elV)ZD3LpJ4{te<2ir(8?Bwm#0z8gyiP@TGs{|r~wEQ!h-f_-Pqd~cbZ
jB=+xY|9AgA+qS#U<#NV=jF`_Y
PGPEASY
VKS-JAVA
CERT-D-PGPAINLESS
CERT-D-JAVA
WKD-JAVA
PGPAINLESS
SOP-JAVA
pgpeasy
vks-java
vks-java-cli
pgpainless-cert-d
pgpainless-cert-d-cli
pgp-certificate-store
pgp-cert-d-java
pgp-cert-d-java-jdbc-sqlite-lookup
wkd-java
wkd-java-cli
wkd-test-suite
pgpainless-core
pgpainless-sop
pgpainless-cli
sop-java
sop-java-picocli

\ No newline at end of file
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 19390f15..a6618021 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -20,6 +20,6 @@ Contents
 
 .. toctree::
 
-   quickstart.md
    ecosystem.md
+   quickstart.md
    sop.md
diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index c1d39d47..4be4f59e 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -2,6 +2,10 @@
 
 Coming soon.
 
+:::{note}
+This chapter is work in progress.
+:::
+
 ### Setup
 bla
 
diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
index 10a06541..765cc42d 100644
--- a/docs/source/pgpainless-sop/quickstart.md
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -35,7 +35,7 @@ dependencies {
 ```
 
 :::{important}
-Replace `XYZ` with the current version, e.g. {{ env.config.version }}!
+Replace `XYZ` with the current version, in this case {{ env.config.version }}!
 :::
 
 The entry point to the API is the `SOP` interface, for which `pgpainless-sop` provides a concrete implementation
@@ -366,4 +366,101 @@ prior to calling `data(_)`.
 
 The `SigningResult` object you got back in both cases contains information about the signature.
 
-### Verify a Signature
\ No newline at end of file
+### Verify a Signature
+
+In order to verify signed messages, there are two API endpoints available.
+
+#### Inline and Cleartext Signatures
+
+To verify inline-signed messages, or messages that make use of the cleartext signature framework,
+use the `inlineVerify()` API:
+
+```java
+byte[] signingCert = ...;
+byte[] signedMessage = ...;
+
+ReadyWithResult> readyWithResult = sop.inlineVerify()
+        .cert(signingCert)
+        .data(signedMessage);
+```
+
+The `cert(_)` method MUST be called at least once. It takes either a byte array or an `InputStream` containing
+an OpenPGP certificate.
+If you are not sure, which certificate was used to sign the message, you can provide multiple certificates.
+
+It is also possible to reject signatures that were not made within a certain time window by calling
+`notBefore(Date timestamp)` and/or `notAfter(Date timestamp)`.
+Signatures made before the `notBefore(_)` or after the `notAfter(_)` constraints will be rejected.
+
+You can now either write out the plaintext message to an `OutputStream`...
+
+```java
+OutputStream out = ...;
+List verifications = readyWithResult.writeTo(out);
+```
+
+... or you can acquire the plaintext message as a byte array directly:
+
+```java
+ByteArrayAndResult> bytesAndResult = readyWithResult.toByteArrayAndResult();
+byte[] plaintextMessage = bytesAndResult.getBytes();
+List verifications = bytesAndResult.getResult();
+```
+
+In both cases, the plaintext message will have the signatures stripped.
+
+#### Detached Signatures
+
+To verify detached signatures (signatures that come separate from the message itself), you can use the
+`detachedVerify()` API:
+
+```java
+byte[] signingCert = ...;
+byte[] message = ...;
+byte[] detachedSignature = ...;
+
+List verifications = sop.detachedVerify()
+        .cert(signingCert)
+        .signatures(detachedSignature)
+        .data(signedMessage);
+```
+
+You can provide one or more OpenPGP certificates using `cert(_)`, providing either a byte array or an `InputStream`.
+
+The detached signatures need to be provided separately using the `signatures(_)` method call.
+You can provide as many detached signatures as you like, and those can be binary or ASCII armored.
+
+Like with Inline Signatures, you can constrain the time window for signature validity using
+`notAfter(_)` and `notBefore(_)`.
+
+#### Verifications
+
+In all above cases, the `verifications` list will contain `Verification` objects for each verifiable, valid signature.
+Those objects contain information about the signatures:
+`verification.getSigningCertFingerprint()` will return the fingerprint of the certificate that created the signature.
+`verification.getSigningKeyFingerprint()` will return the fingerprint of the used signing subkey within that certificate.
+
+### Detach Signatures from Messages
+
+It is also possible, to detach inline or cleartext signatures from signed messages to transform them into
+detached signatures.
+The same way you can turn inline or cleartext signed messages into plaintext messages.
+
+To detach signatures from messages, use the `inlineDetach()` API:
+
+```java
+byte[] signedMessage = ...;
+
+ReadyWithResult readyWithResult = sop.inlineDetach()
+        .message(signedMessage);
+ByteArrayAndResult bytesAndResult = readyWithResult.toByteArrayAndResult();
+
+byte[] plaintext = bytesAndResult.getBytes();
+Signatures signatures = bytesAndResult.getResult();
+byte[] encodedSignatures = signatures.getBytes();
+```
+
+By default, the signatures output will be ASCII armored. This can be disabled by calling `noArmor()`
+prior to `message(_)`.
+
+The detached signatures can now be verified like in the section above.
diff --git a/docs/source/sop.md b/docs/source/sop.md
index 5dbf6dc7..d092f50b 100644
--- a/docs/source/sop.md
+++ b/docs/source/sop.md
@@ -1,3 +1,10 @@
 # Stateless OpenPGP Protocol (SOP)
 
-Lorem ipsum dolor sit amet.
\ No newline at end of file
+The [Stateless OpenPGP Protocol](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
+(short *SOP*) is a specification of a standardized command line interface for a limited set of OpenPGP operations.
+
+By standardizing the interface, users are able to choose between different, compatible implementations.
+
+:::{note}
+This chapter is work in progress.
+:::
\ No newline at end of file

From 6169a37086e8c8804e5eac90e8022aaaa53803de Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 00:29:43 +0200
Subject: [PATCH 0536/1450] Add readthedocs badge

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 271024b0..92a3e3ee 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
 [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/)
 [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A)
 [![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)
+[![Documentation Status](https://readthedocs.org/projects/pgpainless/badge/?version=latest)](https://pgpainless.readthedocs.io/en/latest/?badge=latest)
 
 **PGPainless is an easy-to-use OpenPGP library for Java and Android applications**
 

From ac52c4bbc55a249236dc60651bb466af49a153db Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 00:32:18 +0200
Subject: [PATCH 0537/1450] Fix documentation link to verifications section

---
 docs/source/pgpainless-sop/quickstart.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
index 765cc42d..8c8aabb4 100644
--- a/docs/source/pgpainless-sop/quickstart.md
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -239,7 +239,7 @@ If you provided the senders certificate for the purpose of signature verificatio
 probably want to check, if the message was actually signed by the sender by checking `result.getVerifications()`.
 
 :::{note}
-Signature verification will be discussed in more detail in section [](#verify-a-signature)
+Signature verification will be discussed in more detail in section [](#verifications)
 :::
 
 If the message was encrypted symmetrically using a password, you can also decrypt is symmetrically by calling

From 3842aa9cedef5376e1ae1826b8d8e2339f9882cc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 15:08:45 +0200
Subject: [PATCH 0538/1450] Add test to explore behavior when dealing with V3
 keys

---
 .../org/pgpainless/key/V3KeyBehaviorTest.java | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/V3KeyBehaviorTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/V3KeyBehaviorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/V3KeyBehaviorTest.java
new file mode 100644
index 00000000..a1d768ae
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/V3KeyBehaviorTest.java
@@ -0,0 +1,86 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+/**
+ * V3 keys are not supported by PGPainless.
+ * However, some basic functions like parsing the keys or converting a secret key to a certificate still work.
+ */
+public class V3KeyBehaviorTest {
+
+    private static final String V3Cert = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "\n" +
+            "mQCNA2JqgDIAAAEEAOYdcIKFQ5ZWBx0D5DKwMMNFcIhFyqmfDJ0v23ehMxOkXN/o\n" +
+            "HO/43+dq6ZqQn0gNw53Tp9no+EmcCYNrZuN0C4Zu8XHSyY6UB+CqzNkz/CwmV10E\n" +
+            "dRDipcG1O6scJyy2MWpuOG67til+o+wOLgEkkVkSW8Bl2oqtzVVP4swtKLRZAAUR\n" +
+            "tClKb2huIFEuIFNtaXRoIDwxMjM0NS42Nzg5QGNvbXB1c2VydmUuY29tPokAlQMF\n" +
+            "EGJqgDJVT+LMLSi0WQEBgiwEALKQnuzza+oIgp7CAukW6qhUaOV/Cf3P4bWhru+v\n" +
+            "8bED+YUOvgTytnXK1QUxQJ/PLnYV860NBRVR46kCtpZDgl+NeQe4O5lxbZVGHZy1\n" +
+            "P+FUcbvUaA5ZQEfcR5cBJKcWO9RUTf28SMSyJ1ozFm0yPmOa2J5MwHylIbVAlc9c\n" +
+            "ag3J\n" +
+            "=GebS\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+    private static final String V3Key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "\n" +
+            "lQHYA2JqgDIAAAEEAOYdcIKFQ5ZWBx0D5DKwMMNFcIhFyqmfDJ0v23ehMxOkXN/o\n" +
+            "HO/43+dq6ZqQn0gNw53Tp9no+EmcCYNrZuN0C4Zu8XHSyY6UB+CqzNkz/CwmV10E\n" +
+            "dRDipcG1O6scJyy2MWpuOG67til+o+wOLgEkkVkSW8Bl2oqtzVVP4swtKLRZAAUR\n" +
+            "AAP+JBiyRqt+DYr8GKE85NBX9nlS6DMaxUYgGKgibR5OSVsJjIjNUtG0sNmODjTN\n" +
+            "sPMZqlNln6wS3l7APMWNoStNGc9JG9Puz3eR2W69lPDzhuxuxrHIUBO+3UlEQB/p\n" +
+            "N3NPhnwCjh3OWHSMM6rzsX5ExUv0Z4FypnzvMG1x6GRJDVECAO6PyY8NDHsktMVN\n" +
+            "HAdgC61iIOz+GbLhNGeikuB+DQpSoyckAF0N5reBxRbyjzNZQ7aVvWpxigUp5OdK\n" +
+            "HMK7YcwTAgD275bcqhd+oWHDhyesi6RVswlqGfix48qahf9wOmDkc0nzp8evy/4V\n" +
+            "4Qu5zUJGVzi4aEIbFaAnc5lMD9/ydTNjAf485vh4MDFRd3tPvx9mPrHQgaArCBX8\n" +
+            "9oImPDk0oaKixwSIFzXeg1qZQeLiwv26Fs8gawWsLVZpR4+zZc1nhZlGnrQpSm9o\n" +
+            "biBRLiBTbWl0aCA8MTIzNDUuNjc4OUBjb21wdXNlcnZlLmNvbT6JAJUDBRBiaoAy\n" +
+            "VU/izC0otFkBAYIsBACykJ7s82vqCIKewgLpFuqoVGjlfwn9z+G1oa7vr/GxA/mF\n" +
+            "Dr4E8rZ1ytUFMUCfzy52FfOtDQUVUeOpAraWQ4JfjXkHuDuZcW2VRh2ctT/hVHG7\n" +
+            "1GgOWUBH3EeXASSnFjvUVE39vEjEsidaMxZtMj5jmtieTMB8pSG1QJXPXGoNyQ==\n" +
+            "=p7Lr\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    @Test
+    public void readV3PublicKey() throws IOException {
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(V3Cert);
+        assertEquals(3, cert.getPublicKey().getVersion());
+        assertEquals("John Q. Smith <12345.6789@compuserve.com>", cert.getPublicKey().getUserIDs().next());
+    }
+
+    @Test
+    public void readV3SecretKey() throws IOException {
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(V3Key);
+        assertEquals(3, key.getPublicKey().getVersion());
+        assertEquals("John Q. Smith <12345.6789@compuserve.com>", key.getPublicKey().getUserIDs().next());
+    }
+
+    @Test
+    public void extractV3Cert() throws IOException {
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(V3Key);
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(V3Cert);
+
+        PGPPublicKeyRing extractedCert = PGPainless.extractCertificate(key);
+        assertArrayEquals(cert.getEncoded(), extractedCert.getEncoded());
+    }
+
+    @Test
+    public void v3FingerprintNotSupported() throws IOException {
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(V3Key);
+        assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.of(key));
+
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(V3Cert);
+        assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.of(cert));
+    }
+}

From a131fe32aa241d535938b45bd8eee7cd41671efc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 15:57:43 +0200
Subject: [PATCH 0539/1450] Extend sphinx documentation

---
 docs/source/conf.py                       |   5 +-
 docs/source/pgpainless-core/quickstart.md | 112 ++++++++++++++++++++--
 docs/source/pgpainless-sop/quickstart.md  |   2 +-
 3 files changed, 108 insertions(+), 11 deletions(-)

diff --git a/docs/source/conf.py b/docs/source/conf.py
index 7c6a130e..adea465d 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -15,7 +15,10 @@ release = latest_tag
 version = release
 
 myst_substitutions = {
-  "repo_host" : "codeberg.org" # or 'github.com'
+  "repo_host" : "codeberg.org", # or 'github.com'
+#  "repo_host" : "github.com",
+  "repo_pgpainless_src" : "codeberg.org/pgpainless/pgpainless/src/branch",
+#  "repo_pgpainless_src" : "github.com/pgpainless/pgpainless/tree",
 }
 
 # -- General configuration
diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index 4be4f59e..e20a53ec 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -1,31 +1,125 @@
 ## PGPainless API with pgpainless-core
 
-Coming soon.
+The `pgpainless-core` module contains the bulk of the actual OpenPGP implementation.
 
 :::{note}
 This chapter is work in progress.
 :::
 
 ### Setup
-bla
+
+PGPainless' releases are published to and can be fetched from Maven Central.
+To get started, you first need to include `pgpainless-core` in your projects build script:
+
+```
+// If you use Gradle
+...
+dependencies {
+    ...
+    implementation "org.pgpainless:pgpainless-core:XYZ"
+    ...
+}
+
+// If you use Maven
+...
+
+    ...
+    
+        org.pgpainless
+        pgpainless-core
+        XYZ
+    
+    ...
+
+```
+
+This will automatically pull in PGPainless' dependencies, such as Bouncy Castle.
+
+:::{important}
+Replace `XYZ` with the current version, in this case {{ env.config.version }}!
+:::
+
+The entry point to the API is the `PGPainless` class.
+For many common use-cases, examples can be found in the
+{{ '[examples package](https://{}/main/pgpainless-core/src/test/java/org/pgpainless/example)'.format(repo_pgpainless_src) }}.
+There is a very good chance that you can find code examples there that fit your needs.
+
+### Read and Write Keys
+Reading keys from ASCII armored strings or from binary files is easy:
+
+```java
+String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"...;
+PGPSecretKeyRing secretKey = PGPainless.readKeyRing()
+        .secretKeyRing(key);
+```
+
+Similarly, keys or certificates can quickly be exported:
+
+```java
+// ASCII armored key
+PGPSecretKeyRing secretKey = ...;
+String armored = PGPainless.asciiArmor(secretKey);
+        
+// binary (unarmored) key
+byte[] binary = secretKey.getEncoded();
+```
 
 ### Generate a Key
-bla
+PGPainless comes with a simple to use `KeyRingBuilder` class that helps you to quickly generate modern OpenPGP keys.
+There are some predefined key archetypes, but it is possible to fully customize the key generation to fit your needs.
+
+```java
+// EdDSA primary key with EdDSA signing- and XDH encryption subkeys
+PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
+        .modernKeyRing("Romeo ", "thisIsAPassword");
+
+// RSA key without additional subkeys
+PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
+        .simpleRsaKeyRing("Juliet ", RsaLength._4096);
+```
+
+To generate a customized key, use `PGPainless.buildKeyRing()` instead:
+
+```java
+// Customized key
+PGPSecretKeyRing keyRing = PGPainless.buildKeyRing()
+        .setPrimaryKey(KeySpec.getBuilder(
+                RSA.withLength(RsaLength._8192),
+                KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)
+                        .overrideCompressionAlgorithms(CompressionAlgorithm.ZLIB)
+        ).addSubkey(
+                KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA)
+        ).addSubkey(
+                KeySpec.getBuilder(
+                        ECDH.fromCurve(EllipticCurve._P256),
+                        KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)
+        ).addUserId("Juliet ")
+        .addUserId("xmpp:juliet@capulet.lit")
+        .setPassphrase(Passphrase.fromPassword("romeo_oh_Romeo<3"))
+        .build();
+```
+
+As you can see, it is possible to generate all kinds of different keys.
 
 ### Extract a Certificate
-bla
+If you have a secret key, you might want to extract a public key certificate from it:
+
+```java
+PGPSecretKeyRing secretKey = ...;
+PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
+```
 
 ### Apply / Remove ASCII Armor
-bla
+TODO
 
 ### Encrypt a Message
-bla
+TODO
 
 ### Decrypt a Message
-bla
+TODO
 
 ### Sign a Message
-bla
+TODO
 
 ### Verify a Signature
-bla
+TODO
diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
index 8c8aabb4..ecd7d81d 100644
--- a/docs/source/pgpainless-sop/quickstart.md
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -239,7 +239,7 @@ If you provided the senders certificate for the purpose of signature verificatio
 probably want to check, if the message was actually signed by the sender by checking `result.getVerifications()`.
 
 :::{note}
-Signature verification will be discussed in more detail in section [](#verifications)
+Signature verification will be discussed in more detail in section "Verifications".
 :::
 
 If the message was encrypted symmetrically using a password, you can also decrypt is symmetrically by calling

From 7169b369b320b751a2a191f465af58cbae515ac5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 17:45:58 +0200
Subject: [PATCH 0540/1450] Add documentation about documentation to
 documentation readme

heh
---
 docs/README.md      | 19 +++++++++++++------
 docs/source/conf.py |  2 +-
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/docs/README.md b/docs/README.md
index 1ed74654..73f97fab 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,16 +1,23 @@
 # User Guide for PGPainless
 
+Documentation for PGPainless is built from Markdown using Sphinx and MyST.
+
+A built version of the documentation is available on http://pgpainless.rtfd.io/
+
+## Useful resources
+
+* [Sphix Documentation Generator](https://www.sphinx-doc.org/en/master/)
+* [MyST Markdown Syntax](https://myst-parser.readthedocs.io/en/latest/index.html)
+
 ## Build the Guide
 
+To build:
+
 ```shell
 $ make {html|epub|latexpdf}
 ```
 
-Note: Building requires `mermaid-cli` to be installed in this directory:
+Note: Building diagrams from source requires `mermaid-cli` to be installed.
 ```shell
-$ # Move here
-$ cd pgpainless/docs
-$ npm install @mermaid-js/mermaid-cli
+$ npm install -g @mermaid-js/mermaid-cli
 ```
-
-TODO: This is ugly. Install mermaid-cli globally? Perhaps point to user-installed mermaid-cli in conf.py's mermaid_cmd
\ No newline at end of file
diff --git a/docs/source/conf.py b/docs/source/conf.py
index adea465d..aeb057b3 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -15,7 +15,7 @@ release = latest_tag
 version = release
 
 myst_substitutions = {
-  "repo_host" : "codeberg.org", # or 'github.com'
+  "repo_host" : "codeberg.org",
 #  "repo_host" : "github.com",
   "repo_pgpainless_src" : "codeberg.org/pgpainless/pgpainless/src/branch",
 #  "repo_pgpainless_src" : "github.com/pgpainless/pgpainless/tree",

From b217b8b218ad7810ec784256fced46d76b397eb5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 18:26:45 +0200
Subject: [PATCH 0541/1450] cli: Use dedicated shadow plugin for building fat
 jar

'gradle shadowJar' can be used to build a fat jar
'gradle jar' now only builds slim jar
---
 pgpainless-cli/README.md    | 4 ++--
 pgpainless-cli/build.gradle | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/pgpainless-cli/README.md b/pgpainless-cli/README.md
index f3cf2861..3cf0c97f 100644
--- a/pgpainless-cli/README.md
+++ b/pgpainless-cli/README.md
@@ -13,14 +13,14 @@ PGPainless-CLI is an implementation of the [Stateless OpenPGP Command Line Inter
 It plugs `pgpainless-sop` into `sop-java-picocli`.
 
 ## Build
-To build an executable, `gradle jar` should be sufficient. The resulting jar file can be found in `pgpainless-sop/build/libs/`.
+To build an executable, `gradle shadowJar` should be sufficient. The resulting jar file can be found in `pgpainless-cli/build/libs/`.
 
 ## Execute
 
 The jar file produced in the step above is executable as is.
 
 ```
-java -jar pgpainless-cli-XXX.jar help
+java -jar pgpainless-cli-XXX-all.jar help
 ```
 
 Alternatively you can use the provided `./pgpainless-cli` script to directly build and execute PGPainless' Stateless Command Line Interface from within Gradle.
diff --git a/pgpainless-cli/build.gradle b/pgpainless-cli/build.gradle
index 7317524b..3d9a6a09 100644
--- a/pgpainless-cli/build.gradle
+++ b/pgpainless-cli/build.gradle
@@ -4,6 +4,7 @@
 
 plugins {
     id 'application'
+    id "com.github.johnrengelman.shadow" version "6.1.0"
 }
 def generatedVersionDir = "${buildDir}/generated-version"
 
@@ -51,7 +52,7 @@ mainClassName = 'org.pgpainless.cli.PGPainlessCLI'
 application {
     mainClass = mainClassName
 }
-
+/**
 jar {
     duplicatesStrategy(DuplicatesStrategy.EXCLUDE)
     manifest {
@@ -66,6 +67,7 @@ jar {
         exclude "META-INF/*.RSA"
     }
 }
+ */
 
 run {
     // https://stackoverflow.com/questions/59445306/pipe-into-gradle-run
@@ -76,4 +78,4 @@ run {
     }
 }
 
-tasks."jar".dependsOn(":pgpainless-core:assemble", ":pgpainless-sop:assemble")
+// tasks."jar".dependsOn(":pgpainless-core:assemble", ":pgpainless-sop:assemble")

From 1bd2d68a1178758e271f6daa6a12f8f892b73fff Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 8 Jul 2022 18:57:03 +0200
Subject: [PATCH 0542/1450] Start pgpainless-cli usage guide

---
 docs/source/index.rst               |  1 +
 docs/source/pgpainless-cli/usage.md | 78 +++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 docs/source/pgpainless-cli/usage.md

diff --git a/docs/source/index.rst b/docs/source/index.rst
index a6618021..cbe82355 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -22,4 +22,5 @@ Contents
 
    ecosystem.md
    quickstart.md
+   pgpainless-cli/usage.md
    sop.md
diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
new file mode 100644
index 00000000..3e7d5055
--- /dev/null
+++ b/docs/source/pgpainless-cli/usage.md
@@ -0,0 +1,78 @@
+# User Guide PGPainless-CLI
+
+The module `pgpainless-cli` contains a command line application which conforms to the
+[Stateless OpenPGP Command Line Interface](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/).
+
+You can use it to generate keys, encrypt, sign and decrypt messages, as well as verify signatures.
+
+## Implementation
+
+Essentially, `pgpainless-cli` is just a very small composing module, which injects `pgpainless-sop` as a
+concrete implementation of `sop-java` into `sop-java-picocli`.
+
+## Build
+
+To build a standalone *fat*-jar:
+```shell
+$ cd pgpainless-cli/
+$ gradle shadowJar
+```
+
+The fat-jar can afterwards be found in `build/libs/`.
+
+To build a [distributable](https://docs.gradle.org/current/userguide/distribution_plugin.html):
+
+```shell
+$ cd pgpainless-cli/
+$ gradle installDist
+```
+
+Afterwards, an uncompressed distributable is installed in `build/install/`.
+To execute the application, you can call `build/install/bin/pgpainless-cli{.bat}`
+
+## Usage
+
+Hereafter, the program will be referred to as `pgpainless-cli`.
+
+```
+$ pgpainless-cli help
+Stateless OpenPGP Protocol
+Usage: pgpainless-cli [COMMAND]
+
+Commands:
+  help           Stateless OpenPGP Protocol
+  armor          Stateless OpenPGP Protocol
+  dearmor        Stateless OpenPGP Protocol
+  decrypt        Stateless OpenPGP Protocol
+  inline-detach  Stateless OpenPGP Protocol
+  encrypt        Stateless OpenPGP Protocol
+  extract-cert   Stateless OpenPGP Protocol
+  generate-key   Stateless OpenPGP Protocol
+  sign           Stateless OpenPGP Protocol
+  verify         Stateless OpenPGP Protocol
+  inline-sign    Stateless OpenPGP Protocol
+  inline-verify  Stateless OpenPGP Protocol
+  version        Stateless OpenPGP Protocol
+
+Exit Codes:
+   0   Successful program execution.
+   1   Generic program error
+   3   Verification requested but no verifiable signature found
+  13   Unsupported asymmetric algorithm
+  17   Certificate is not encryption capable
+  19   Usage error: Missing argument
+  23   Incomplete verification instructions
+  29   Unable to decrypt
+  31   Password is not human-readable
+  37   Unsupported Option
+  41   Invalid data or data of wrong type encountered
+  53   Non-text input received where text was expected
+  59   Output file already exists
+  61   Input file does not exist
+  67   Cannot unlock password protected secret key
+  69   Unsupported subcommand
+  71   Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+  73   Ambiguous input (a filename matching the designator already exists)
+  79   Key is not signing capable
+Powered by picocli
+```
\ No newline at end of file

From 520fcd7cbf044485786db1bb82416ce8b13e95ac Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 10 Jul 2022 22:44:48 +0200
Subject: [PATCH 0543/1450] Fix help text in pgpainless-cli documentation

---
 docs/source/pgpainless-cli/usage.md | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index 3e7d5055..d1694ea7 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -40,19 +40,20 @@ Stateless OpenPGP Protocol
 Usage: pgpainless-cli [COMMAND]
 
 Commands:
-  help           Stateless OpenPGP Protocol
-  armor          Stateless OpenPGP Protocol
-  dearmor        Stateless OpenPGP Protocol
-  decrypt        Stateless OpenPGP Protocol
-  inline-detach  Stateless OpenPGP Protocol
-  encrypt        Stateless OpenPGP Protocol
-  extract-cert   Stateless OpenPGP Protocol
-  generate-key   Stateless OpenPGP Protocol
-  sign           Stateless OpenPGP Protocol
-  verify         Stateless OpenPGP Protocol
-  inline-sign    Stateless OpenPGP Protocol
-  inline-verify  Stateless OpenPGP Protocol
-  version        Stateless OpenPGP Protocol
+  help           Display usage information for the specified subcommand
+  armor          Add ASCII Armor to standard input
+  dearmor        Remove ASCII Armor from standard input
+  decrypt        Decrypt a message from standard input
+  inline-detach  Split signatures from a clearsigned message
+  encrypt        Encrypt a message from standard input
+  extract-cert   Extract a public key certificate from a secret key from
+                   standard input
+  generate-key   Generate a secret key
+  sign           Create a detached signature on the data from standard input
+  verify         Verify a detached signature over the data from standard input
+  inline-sign    Create an inline-signed message from data on standard input
+  inline-verify  Verify inline-signed data from standard input
+  version        Display version information about the tool
 
 Exit Codes:
    0   Successful program execution.

From 52c8439da5abc36f6995653ba4531e76f8c185c7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 10 Jul 2022 23:02:00 +0200
Subject: [PATCH 0544/1450] Prevent third-party assigned user-ids from being
 accidentally returned as primary user-id

Fixes #293
---
 .../main/java/org/pgpainless/key/info/KeyRingInfo.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 7999b592..b69e301b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -289,16 +289,16 @@ public class KeyRingInfo {
             return null;
         }
 
-        String firstUserId = userIds.get(0);
-        if (userIds.size() == 1) {
-            return firstUserId;
-        }
-
+        String firstUserId = null;
         for (String userId : userIds) {
             PGPSignature certification = signatures.userIdCertifications.get(userId);
             if (certification == null) {
                 continue;
             }
+
+            if (firstUserId == null) {
+                firstUserId = userId;
+            }
             Date creationTime = certification.getCreationTime();
 
             if (certification.getHashedSubPackets().isPrimaryUserID()) {

From 50d31eb46364e9a0eecdf2174cbbf5afea484682 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 11 Jul 2022 14:15:54 +0200
Subject: [PATCH 0545/1450] KeyRingTemplates: Add methods taking Passphrase as
 argument

---
 .../key/generation/KeyRingTemplates.java      | 36 ++++++++++++-------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index e2cf7190..444e7d74 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -58,7 +58,7 @@ public final class KeyRingTemplates {
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleRsaKeyRing(userId, length, null);
+        return simpleRsaKeyRing(userId, length, Passphrase.emptyPassphrase());
     }
 
     /**
@@ -96,13 +96,19 @@ public final class KeyRingTemplates {
      */
     public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+        Passphrase passphrase = Passphrase.emptyPassphrase();
+        if (!isNullOrEmpty(password)) {
+            passphrase = Passphrase.fromPassword(password);
+        }
+        return simpleRsaKeyRing(userId, length, passphrase);
+    }
+
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, @Nonnull Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS))
-                .addUserId(userId);
-
-        if (!isNullOrEmpty(password)) {
-            builder.setPassphrase(Passphrase.fromPassword(password));
-        }
+                .addUserId(userId)
+                .setPassphrase(passphrase);
         return builder.build();
     }
 
@@ -139,7 +145,7 @@ public final class KeyRingTemplates {
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleEcKeyRing(userId, null);
+        return simpleEcKeyRing(userId, Passphrase.emptyPassphrase());
     }
 
     /**
@@ -177,14 +183,20 @@ public final class KeyRingTemplates {
      */
     public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+        Passphrase passphrase = Passphrase.emptyPassphrase();
+        if (!isNullOrEmpty(password)) {
+            passphrase = Passphrase.fromPassword(password);
+        }
+        return simpleEcKeyRing(userId, passphrase);
+    }
+
+    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, @Nonnull Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
                 .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
-                .addUserId(userId);
-
-        if (!isNullOrEmpty(password)) {
-            builder.setPassphrase(Passphrase.fromPassword(password));
-        }
+                .addUserId(userId)
+                .setPassphrase(passphrase);
         return builder.build();
     }
 

From df7505eadba46aa6dffd0ccdfa04abcfcbe31028 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 11 Jul 2022 16:11:40 +0200
Subject: [PATCH 0546/1450] Add more documentation

---
 docs/source/index.rst                        |   1 +
 docs/source/pgpainless-core/edit_keys.md     |   1 +
 docs/source/pgpainless-core/generate_keys.md | 101 +++++++++++++++++++
 docs/source/pgpainless-core/indepth.rst      |  14 +++
 docs/source/pgpainless-core/passphrase.md    |  60 +++++++++++
 docs/source/pgpainless-core/quickstart.md    |  25 +----
 docs/source/pgpainless-core/userids.md       |  33 ++++++
 7 files changed, 213 insertions(+), 22 deletions(-)
 create mode 100644 docs/source/pgpainless-core/edit_keys.md
 create mode 100644 docs/source/pgpainless-core/generate_keys.md
 create mode 100644 docs/source/pgpainless-core/indepth.rst
 create mode 100644 docs/source/pgpainless-core/passphrase.md
 create mode 100644 docs/source/pgpainless-core/userids.md

diff --git a/docs/source/index.rst b/docs/source/index.rst
index cbe82355..362d340d 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -24,3 +24,4 @@ Contents
    quickstart.md
    pgpainless-cli/usage.md
    sop.md
+   pgpainless-core/indepth.rst
\ No newline at end of file
diff --git a/docs/source/pgpainless-core/edit_keys.md b/docs/source/pgpainless-core/edit_keys.md
new file mode 100644
index 00000000..d7ed93e7
--- /dev/null
+++ b/docs/source/pgpainless-core/edit_keys.md
@@ -0,0 +1 @@
+# Edit Keys
diff --git a/docs/source/pgpainless-core/generate_keys.md b/docs/source/pgpainless-core/generate_keys.md
new file mode 100644
index 00000000..2b84ce1e
--- /dev/null
+++ b/docs/source/pgpainless-core/generate_keys.md
@@ -0,0 +1,101 @@
+# PGPainless In-Depth: Generate Keys
+
+There are two API endpoints for generating OpenPGP keys using `pgpainless-core`:
+
+`PGPainless.generateKeyRing()` presents a selection of pre-configured OpenPGP key archetypes:
+
+```java
+// Modern, EC-based OpenPGP key with dedicated primary certification key
+// This method is recommended by the authors
+PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
+        .modernKeyRing(
+                "Alice ",
+                Passphrase.fromPassword("sw0rdf1sh"));
+
+// Simple, EC-based OpenPGP key with combined certification and signing key
+// plus encryption subkey
+PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
+        .simpleEcKeyRing(
+                "Alice ",
+                Passphrase.fromPassword("0r4ng3"));
+
+// Simple, RSA OpenPGP key made of a single RSA key used for all operations
+PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
+        .simpleRsaKeyRing(
+                "Alice ",
+                RsaLength._4096, Passphrase.fromPassword("m0nk3y")):
+```
+
+If you have special requirements on algorithms you can use `PGPainless.buildKeyRing()` instead, which offers more
+control over parameters:
+
+```java
+// Customized key
+
+// Specification for primary key
+KeySpecBuilder primaryKeySpec = KeySpec.getBuilder(
+        KeyType.RSA(RsaLength._8192),                               // 8192 bits RSA key
+        KeyFlag.CERTIFY_OTHER)                                      // used for certification
+        // optionally override algorithm preferences
+        .overridePreferredCompressionAlgorithms(CompressionAlgorithm.ZLIB)
+        .overridePreferredHashAlgorithms(HashAlgorithm.SHA512, HashAlgorithm.SHA384)
+        .overridePreferredSymmetricKeyAlgorithms(SymmetricKeyAlgorithm.AES256);
+
+// Specification for a signing subkey
+KeySpecBuilder signingSubKeySpec = KeySpec.getBuilder(
+        KeyType.ECDSA(EllipticCurve._P256),                         // P-256 ECDSA key
+        KeyFlag.SIGN_DATA);                                         // Used for signing
+
+// Specification for an encryption subkey
+KeySpecBuilder encryptionSubKeySpec = KeySpec.getBuilder(
+        KeyType.ECDH(EllipticCurve._P256),
+        KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE);
+
+// Build the key itself
+PGPSecretKeyRing secretKey = PGPainless.buildKeyRing()
+        .setPrimaryKey(primaryKeySpec)
+        .addSubkey(signingSubKeySpec)
+        .addSubkey(encryptionSubKeySpec)
+        .addUserId("Juliet ")                  // Primary User-ID
+        .addUserId("xmpp:juliet@capulet.lit")                       // Additional User-ID
+        .setPassphrase(Passphrase.fromPassword("romeo_oh_Romeo<3")) // passphrase protection
+        .build();
+```
+
+To specify, which algorithm to use for a single (sub) key, `KeySpec.getBuilder(_)` can be used, passing a `KeyType`,
+as well as some `KeyFlag`s as argument.
+
+`KeyType` defines an algorithm and its parameters, e.g. RSA with a certain key size, or ECDH over a certain
+elliptic curve.
+Currently, PGPainless supports the following `KeyType`s:
+* `KeyType.RSA(_)`: Signing, Certification, Encryption
+* `KeyType.ECDH(_)`: Encryption
+* `KeyType.ECDSA(_)`: Signing, Certification
+* `KeyType.EDDSA(_)`: Signing, Certification
+* `KeyType.XDH(_)`: Encryption
+
+The `KeyFlag`s are used to specify, how the key will be used later on. A signing key can only be used for signing,
+if it carries the `KeyFlag.SIGN_DATA`.
+A key can carry multiple key flags.
+
+It is possible to override the default algorithm preferences used by PGPainless with custom preferences.
+An algorithm preference list contains algorithms from most to least preferred.
+
+Every OpenPGP key MUST have a primary key. The primary key MUST be capable of certification, so you MUST use an
+algorithm that can be used to generate signatures.
+The primary key can be set by calling `setPrimaryKey(primaryKeySpec)`.
+
+Furthermore, an OpenPGP key can contain zero or more subkeys.
+Those can be set by repeatedly calling `addSubkey(subkeySpec)`.
+
+OpenPGP keys are usually bound to User-IDs like names and/or email addresses.
+There can be multiple user-ids bound to a key, in which case the very first User-ID will be marked as primary.
+To add a User-ID to the key, call `addUserId(userId)`.
+
+By default, keys do not have an expiration date. This can be changed by setting an expiration date using
+`setExpirationDate(date)`.
+
+To enable password protection for the OpenPGP key, you can call `setPassphrase(passphrase)`.
+If this method is not called, or if the passed in `Passphrase` is empty, the key will be unprotected.
+
+Finally, calling `build()` will generate a fresh OpenPGP key according to the specifications given.
\ No newline at end of file
diff --git a/docs/source/pgpainless-core/indepth.rst b/docs/source/pgpainless-core/indepth.rst
new file mode 100644
index 00000000..b1c4beba
--- /dev/null
+++ b/docs/source/pgpainless-core/indepth.rst
@@ -0,0 +1,14 @@
+In-Depth Guide to pgpainless-core
+=================================
+
+This is an in-depth introduction to OpenPGP using PGPainless.
+If you are looking for a quickstart introduction instead, check out [](quickstart.md).
+
+Contents
+--------
+
+.. toctree::
+   generate_keys.md
+   edit_keys.md
+   userids.md
+   passphrase.md
diff --git a/docs/source/pgpainless-core/passphrase.md b/docs/source/pgpainless-core/passphrase.md
new file mode 100644
index 00000000..27769aad
--- /dev/null
+++ b/docs/source/pgpainless-core/passphrase.md
@@ -0,0 +1,60 @@
+# Passwords
+
+In Java based applications, passing passwords as `String` objects has the
+[disadvantage](https://stackoverflow.com/a/8881376/11150851) that you have to rely on garbage collection to clean up
+once they are no longer used.
+For that reason, `char[]` is the preferred method for dealing with passwords.
+Once a password is no longer used, the character array can simply be overwritten to remove the sensitive data from
+memory.
+
+## Passphrase
+PGPainless uses a wrapper class `Passphrase`, which takes care for the wiping of unused passwords:
+
+```java
+Passphrase passphrase = new Passphrase(new char[] {'h', 'e', 'l', 'l', 'o'});
+assertTrue(passphrase.isValid());
+
+assertArrayEquals(new char[] {'h', 'e', 'l', 'l', 'o'}, passphrase.getChars()):
+
+// Once we are done, we can clean the data
+passphrase.clear();
+
+assertFalse(passphrase.isValid());
+assertNull(passphrase.getChars());
+```
+
+Furthermore, `Passphrase` can also wrap empty passphrases, which increases null-safety of the API:
+
+```java
+Passphrase empty = Passphrase.emptyPassphrase();
+assertTrue(empty.isValid());
+assertTrue(empty.isEmpty());
+assertNull(empty.getChars());
+
+empty.clear();
+
+assertFalse(empty.isValid());
+```
+
+## SecretKeyRingProtector
+
+There are certain operations that require you to provide the passphrase for a key.
+Examples are decryption of messages, or creating signatures / certifications.
+
+The primary way of telling PGPainless, which password to use for a certain key is the `SecretKeyRingProtector`
+interface.
+There are multiple implementations of this interface, which may or may not suite your needs:
+
+```java
+// If your key is not password protected, this implementation is for you:
+SecretKeyRingProtector unprotected = SecretKeyRingProtector
+        .unprotectedKeys();
+
+// If you use a single passphrase for all (sub-) keys, take this:
+SecretKeyRingProtector singlePassphrase = SecretKeyRingProtector
+        .unlockAnyKeyWith(passphrase);
+
+// If you want to be flexible, use this:
+CachingSecretKeyRingProtector flexible = SecretKeyRingProtector
+        .defaultSecretKeyRingProtector(passphraseCallback);
+```
\ No newline at end of file
diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index e20a53ec..f2a018ef 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -2,6 +2,8 @@
 
 The `pgpainless-core` module contains the bulk of the actual OpenPGP implementation.
 
+This is a quickstart guide. For more in-depth exploration of the API, checkout [](indepth.md).
+
 :::{note}
 This chapter is work in progress.
 :::
@@ -65,7 +67,7 @@ byte[] binary = secretKey.getEncoded();
 ```
 
 ### Generate a Key
-PGPainless comes with a simple to use `KeyRingBuilder` class that helps you to quickly generate modern OpenPGP keys.
+PGPainless comes with a method to quickly generate modern OpenPGP keys.
 There are some predefined key archetypes, but it is possible to fully customize the key generation to fit your needs.
 
 ```java
@@ -78,27 +80,6 @@ PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
         .simpleRsaKeyRing("Juliet ", RsaLength._4096);
 ```
 
-To generate a customized key, use `PGPainless.buildKeyRing()` instead:
-
-```java
-// Customized key
-PGPSecretKeyRing keyRing = PGPainless.buildKeyRing()
-        .setPrimaryKey(KeySpec.getBuilder(
-                RSA.withLength(RsaLength._8192),
-                KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)
-                        .overrideCompressionAlgorithms(CompressionAlgorithm.ZLIB)
-        ).addSubkey(
-                KeySpec.getBuilder(ECDSA.fromCurve(EllipticCurve._P256), KeyFlag.SIGN_DATA)
-        ).addSubkey(
-                KeySpec.getBuilder(
-                        ECDH.fromCurve(EllipticCurve._P256),
-                        KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE)
-        ).addUserId("Juliet ")
-        .addUserId("xmpp:juliet@capulet.lit")
-        .setPassphrase(Passphrase.fromPassword("romeo_oh_Romeo<3"))
-        .build();
-```
-
 As you can see, it is possible to generate all kinds of different keys.
 
 ### Extract a Certificate
diff --git a/docs/source/pgpainless-core/userids.md b/docs/source/pgpainless-core/userids.md
new file mode 100644
index 00000000..ff2db82c
--- /dev/null
+++ b/docs/source/pgpainless-core/userids.md
@@ -0,0 +1,33 @@
+# User-IDs
+
+User-IDs are identities that users go by. A User-ID might be a name, an email address or both.
+User-IDs can also contain both and even have a comment.
+
+In general, the format of a User-ID is not fixed, so it can contain arbitrary strings.
+However, it is agreed upon to use the
+Below is a selection of possible User-IDs:
+
+```
+Firstname Lastname  [Comment]
+Firstname Lastname
+Firstname Lastname [Comment]
+
+ [Comment]
+```
+
+PGPainless comes with a builder class `UserId`, which can be used to safely construct User-IDs:
+
+```java
+UserId nameAndEMail = UserId.nameAndEmail("Jane Doe", "jane@pgpainless.org");
+assertEquals("Jane Doe ", nameAndEmail.toString()):
+
+UserId onlyEmail = UserId.onlyEmail("john@pgpainless.org");
+assertEquals("", onlyEmail.toString());
+
+UserId full = UserId.newBuilder()
+        .withName("Peter Pattern")
+        .withEmail("peter@pgpainless.org")
+        .withComment("Work Address")
+        .build();
+assertEquals("Peter Pattern  [Work Address]", full.toString());
+```
\ No newline at end of file

From 56abb5175778ba44f4ef609515680ab8a46e9997 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 12 Jul 2022 08:49:30 +0200
Subject: [PATCH 0547/1450] Small formatting changes of doc index

---
 docs/source/index.rst | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/docs/source/index.rst b/docs/source/index.rst
index 362d340d..a29e6c03 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -1,17 +1,23 @@
 PGPainless - Painless OpenPGP
 =============================
 
-**OpenPGP** (`RFC 4480 `_) is an Internet Standard mostly used for email encryption.
+**OpenPGP** (`RFC 4480 `_) is an Internet Standard mostly used for email
+encryption.
 It provides mechanisms to ensure *confidentiality*, *integrity* and *authenticity* of messages.
-However, OpenPGP can also be used for other purposes, such as secure messaging or as a signature mechanism for software distribution.
+However, OpenPGP can also be used for other purposes, such as secure messaging or as a signature mechanism for
+software distribution.
 
-**PGPainless** strives to improve the (currently pretty dire) state of the ecosystem of Java libraries and tooling for OpenPGP.
+**PGPainless** strives to improve the (currently pretty dire) state of the ecosystem of Java libraries and tooling
+for OpenPGP.
 
 The library focuses on being easy and intuitive to use without getting into your way.
-Common functions such as creating keys, encrypting data, and so on are implemented using a builder structure that guides you through the necessary steps.
+Common functions such as creating keys, encrypting data, and so on are implemented using a builder structure that
+guides you through the necessary steps.
 
-Internally, it is based on `Bouncy Castles `_ mighty, but low-level OpenPGP API.
-PGPainless' goal is to empower you to use OpenPGP without needing to write all the boilerplate code required by Bouncy Castle.
+Internally, it is based on `Bouncy Castles `_ mighty, but low-level ``bcpg``
+OpenPGP API.
+PGPainless' goal is to empower you to use OpenPGP without needing to write all the boilerplate code required by
+Bouncy Castle.
 It aims to be secure by default while allowing customization if required.
 
 

From 223cf009fc1e58d826c0a2e990229059613eb3d4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 12 Jul 2022 10:33:43 +0200
Subject: [PATCH 0548/1450] Fix User-ID format in documentation and note
 invalid user-id formats in tests

---
 docs/source/pgpainless-core/userids.md                     | 7 +++----
 .../test/java/org/pgpainless/key/info/KeyRingInfoTest.java | 2 ++
 .../java/org/pgpainless/signature/SignatureUtilsTest.java  | 1 +
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/source/pgpainless-core/userids.md b/docs/source/pgpainless-core/userids.md
index ff2db82c..78126828 100644
--- a/docs/source/pgpainless-core/userids.md
+++ b/docs/source/pgpainless-core/userids.md
@@ -8,11 +8,10 @@ However, it is agreed upon to use the
 Below is a selection of possible User-IDs:
 
 ```
-Firstname Lastname  [Comment]
+Firstname Lastname (Comment) 
 Firstname Lastname
-Firstname Lastname [Comment]
+Firstname Lastname (Comment)
 
- [Comment]
 ```
 
 PGPainless comes with a builder class `UserId`, which can be used to safely construct User-IDs:
@@ -29,5 +28,5 @@ UserId full = UserId.newBuilder()
         .withEmail("peter@pgpainless.org")
         .withComment("Work Address")
         .build();
-assertEquals("Peter Pattern  [Work Address]", full.toString());
+assertEquals("Peter Pattern (Work Address) ", full.toString());
 ```
\ No newline at end of file
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index 43273315..f49d5a46 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -704,6 +704,8 @@ public class KeyRingInfoTest {
 
     @Test
     public void getEmailsTest() throws IOException {
+        // NOTE: The User-ID Format for the ID "Alice Anderson  [Primary Mail Address]" is incorrect.
+        // TODO: Fix?
         String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
                 "Version: PGPainless\n" +
                 "Comment: B4A8 9FE8 9D59 31E6 BCF7  DC2F 6BA1 2CC7 9A08 8D73\n" +
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
index ac67d2de..f57ed2c4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureUtilsTest.java
@@ -119,6 +119,7 @@ public class SignatureUtilsTest {
                 "-----END PGP PUBLIC KEY BLOCK-----\n";
 
         String aliceId = "Alice ";
+        // TODO: Fix wrong user-id format of pet name
         String charliesPetNameForAlice = "Alice Example  [from work]";
 
         long aliceKeyId = 1059762964264170602L;

From 4730ac427b461c0de1354b4c7ce78c855aa4b9fd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 13 Jul 2022 14:54:16 +0200
Subject: [PATCH 0549/1450] Add test for #298

---
 ...dDoesNotBreakEncryptionCapabilityTest.java | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java
new file mode 100644
index 00000000..1995b8bf
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java
@@ -0,0 +1,84 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.modification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Test for #298.
+ */
+public class FixUserIdDoesNotBreakEncryptionCapabilityTest {
+
+    private static final String SECRET_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "\n" +
+            "lFgEYsyc4hYJKwYBBAHaRw8BAQdAjm3bQ61H2E6/xzjjHjl6G+mNl72r7fwdux9f\n" +
+            "CXQrCpoAAQDwY5Vblm+7Dq8NfP5gqThyv+23aMBYLr3UgJAZyAgu/RDBtCQoQilv\n" +
+            "YiAoSilvaG5zb24gPGJqQGV2YWx1YXRpb24udGVzdD6IkAQTFggAOBYhBI70BlHo\n" +
+            "XvYV3ufIc8MDl+w8xmx4BQJizJziAhsjBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA\n" +
+            "AAoJEMMDl+w8xmx4ZAMBAIZsBqoClMlwymvNWIENCAZMQSy9NpBABk3jDyEjbhgs\n" +
+            "AP9sGI7URQNUDXiV+sIzvastNX/nOZ7fkwp6Xrx+74WxC5xdBGLMnOISCisGAQQB\n" +
+            "l1UBBQEBB0CGU2EGdS4mvy0apuPukStWSqEDH16AFSGEeTt2GyN1IQMBCAcAAP9J\n" +
+            "nrIGndqzxxIUHVsoImYIu9SFl9Z1tCSia6mADTtbsA88iHgEGBYIACAWIQSO9AZR\n" +
+            "6F72Fd7nyHPDA5fsPMZseAUCYsyc4gIbDAAKCRDDA5fsPMZseACnAQDIR7QwBTIs\n" +
+            "Hfu4XIpZTyipOy6ZOEKlY3akyb9TtOq1wAD8Da+0Insssuf0J5WPqShJ/wMX3+xk\n" +
+            "gqeRV2HyogQ7aAE=\n" +
+            "=6zZo\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+    private static final String CERTIFICATE = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "\n" +
+            "mDMEYsyc4hYJKwYBBAHaRw8BAQdAjm3bQ61H2E6/xzjjHjl6G+mNl72r7fwdux9f\n" +
+            "CXQrCpq0JChCKW9iIChKKW9obnNvbiA8YmpAZXZhbHVhdGlvbi50ZXN0PoiQBBMW\n" +
+            "CAA4FiEEjvQGUehe9hXe58hzwwOX7DzGbHgFAmLMnOICGyMFCwkIBwIGFQoJCAsC\n" +
+            "BBYCAwECHgECF4AACgkQwwOX7DzGbHhkAwEAhmwGqgKUyXDKa81YgQ0IBkxBLL02\n" +
+            "kEAGTeMPISNuGCwA/2wYjtRFA1QNeJX6wjO9qy01f+c5nt+TCnpevH7vhbELuDgE\n" +
+            "Ysyc4hIKKwYBBAGXVQEFAQEHQIZTYQZ1Lia/LRqm4+6RK1ZKoQMfXoAVIYR5O3Yb\n" +
+            "I3UhAwEIB4h4BBgWCAAgFiEEjvQGUehe9hXe58hzwwOX7DzGbHgFAmLMnOICGwwA\n" +
+            "CgkQwwOX7DzGbHgApwEAyEe0MAUyLB37uFyKWU8oqTsumThCpWN2pMm/U7TqtcAA\n" +
+            "/A2vtCJ7LLLn9CeVj6koSf8DF9/sZIKnkVdh8qIEO2gB\n" +
+            "=3sNT\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+
+    private static final String userIdBefore = "(B)ob (J)ohnson ";
+    private static final String userIdAfter = "\"(B)ob (J)ohnson\" ";
+
+    @Test
+    public void replaceUserIdWithFixedVersionDoesNotHinderEncryptionCapability() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPSecretKeyRing modified = PGPainless.modifyKeyRing(secretKeys)
+                .addUserId(userIdAfter, new SelfSignatureSubpackets.Callback() {
+                    @Override
+                    public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
+                        hashedSubpackets.setPrimaryUserId();
+                    }
+                }, protector)
+                .removeUserId(userIdBefore, protector)
+                .done();
+
+        KeyRingInfo before = PGPainless.inspectKeyRing(secretKeys);
+        KeyRingInfo after = PGPainless.inspectKeyRing(modified);
+
+        assertTrue(before.isUsableForEncryption());
+        assertTrue(before.isUsableForSigning());
+        assertTrue(before.isUserIdValid(userIdBefore));
+        assertFalse(before.isUserIdValid(userIdAfter));
+
+        assertTrue(after.isUsableForEncryption());
+        assertTrue(after.isUsableForSigning());
+        assertFalse(after.isUserIdValid(userIdBefore));
+        assertTrue(after.isUserIdValid(userIdAfter));
+    }
+}

From 2ad67a85fbead82e593a975427a17726de82c174 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 15 Jul 2022 13:20:23 +0200
Subject: [PATCH 0550/1450] Add test to make sure we do not allow unencrypted
 as sym alg preference

---
 ...upidAlgorithmPreferenceEncryptionTest.java | 106 ++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java
new file mode 100644
index 00000000..42aa0856
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java
@@ -0,0 +1,106 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.generation;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class StupidAlgorithmPreferenceEncryptionTest {
+
+    // RSA key with symmetric algorithm preference "NULL" (unencrypted).
+    private static final String STUPID_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 6CA6 C4F3 CF01 CAC9 C954  0BD6 5BDA 78ED C479 A8E9\n" +
+            "Comment: This is Stupid\n" +
+            "\n" +
+            "lQcYBGLRTLUBEADg2W4x7HgoBDJS7qYCqheyY/J/SNKJ7AvPTTd8V7S9rxZ6kZlo\n" +
+            "556q1+KJA+/jWJ3LFvuNCyTW/utQxxLYylDFTaI4KJ5MWWLtvlph+VjolI/+u8B6\n" +
+            "qSeZl72uXiEFW8vnQfBliXOyWCudLHh4cRj/DgxEbL3Cm9FXH0/XYRKweSPRhOkX\n" +
+            "Mh/veiTe7a6RcwGOi0DNcRth5g4MggspgHQmNcHq2XGeOOpQUeJXPjNsKZIShI3M\n" +
+            "nYVz78xqVNdn2xJjUq6H/bREV5fDn73xWcNCxyNSl7rvk7kcYNKf977MgoVPSUlN\n" +
+            "sOZ19/YFMU+Bexqsdvzf/txn9BzgUhwufpeUrSFLIwiy+X7fY+pURR4G4hpeg1eD\n" +
+            "xAl5FFRAtDqk7C6XlaP9j0qxZmbYrTfqbIS5+u0iJ93nO3CIWE87pnzhZH9E00jM\n" +
+            "H6e6IV4op8pcG+6mvg1NPeJg6uwpUwzmbmnvF85WtQ4QVmOSPjFigZPSkNf/4qNm\n" +
+            "05IP8mCGNd7Xl+J4I6JGVNjhB9Vk9/3wbVrtjD00EAkTgiSmjT2lt5TiE6rVjQJ4\n" +
+            "krvte70UNH4yuoGOap1w993HmcYSObe4Q3JBhLA7F9lnprAi+kL8gc0SFEAk5tOX\n" +
+            "H4Cqnk4ml01IamGOzXa01p//1NrxyMVYefD1+JT6X4wogUzvwLJqTehICQARAQAB\n" +
+            "AA/+MRiI7TG7EtHHw0AE07QcNIGKY6yc/Cykb4FmyinEd16Rw/Wiz7szdA5rkotf\n" +
+            "h/7DhaLhDm0OgDttWlf9j4StmkdXUnfcCMPDzDGyPo5ZkX9O6cpJPv9MfEcbzcUT\n" +
+            "5L2kijxlp2YZ8yk5bLpXG8VmNdr1ZsNvs9yeGy3lGxxBHnN1FLy2wK/bNUkwX9T6\n" +
+            "NxwrjNpvLeyyk+/NxYFnuoon0mgOjZ8pJek7kIowp+gXBlkVYiG7bKBAkY4czmL0\n" +
+            "HeNB4podLeiBwiJ2KuroaJi3AA/HcLNcyA8zbjTeCLvp13Hwdd2EuggUalHYUE3y\n" +
+            "FE2zB1F76dUWf0RYQcrsCGLv6cf3uu2yxNttUlzKrni1lcwvA6ZyauUuLg8E9chi\n" +
+            "oT5zkpxnEdR1eVRBZQDWGXQuXpDiDxAu/bMyW3uhLRLKhP2D0+m0TeCBsIwU5Fdz\n" +
+            "nn13IjY/zsUUQT2rxCSnU4ooFXkzT2FTVAKbX+0/raFS6JJsQI4wJPoFMm5QycwR\n" +
+            "kWRiKUzcDTLKXtyISwZvPaQnomuExdKJFaW/+FEtYgqyfFYHR7Nmo1e7HxkEjmkm\n" +
+            "IxYMOApNXAkwBR8nMdUzchN0C6fogCUk+gj41eU4s6yzHjiRvmt85/N8T+34+MUk\n" +
+            "xRCtytNEseTvfs4vFPKksz9QK8vUpjIhXdxVrr/Asl4At5kIAOTZ9Psq/jQydg9u\n" +
+            "4A4X5JHTPszw9GKo43u020PPxgOe6nuYlF0sWBzjPoKvkkN4mEOYi5SRmmnChrZV\n" +
+            "r82QEsjhQToxE0I4PYnhXJgNlNn4aNCK4a3oD1rqQQC4DE/hDtogFQIovqiLT3cS\n" +
+            "kdcLcnUs2G7QYEdXWPXowdclxQQwlpCjd9VO2UNdNITmkloT5nZ0WLik323kEF7z\n" +
+            "3cZXj/uRnPa/Y5whFa1AA7cPIDht5B+BXw+TEzeTkmjxO/GEVMdJl8unUIyt+G5N\n" +
+            "FKsFG86nezLT9m77Yu3rrA/z+uRa0vVot63is8Spiuc6hkRBFlC6xsBVnC/OZnrf\n" +
+            "dG+Fk2MIAPuF7x82gAdX+M1u1kvrAR1Ze0fy+CYkvUokA+q0C7hsc1Gdh2bemBWf\n" +
+            "Dt+pr3Td2xn2YfCb8lSF6+o8p8qe4kkq2eNLd1/k5SSA1SSrP2J97ByhWdX6tNnf\n" +
+            "mT37izMdS2mRVjBcVR1zdhwaXN3m5+bqUpggrmuz9lwemnUPfSn5shO0YomQp9z1\n" +
+            "I1dkuIAF+InCZH7NyNWAoVLJ0Bk7MPQTZNVn/iEsfDWcPQEpumF1aY8+cpvUqeEZ\n" +
+            "r8nPsZ1r2P2WAjC7o9uYEL+47AAFMxD3Ps8GHR9cG9GSVn88NetNQ22Vm2GafRYi\n" +
+            "Y+Fny5cfxWTLUSldQuehwmLsJZXp0KMIAKL7XxabHx5B0h5leCdB6y82fz3TTQV2\n" +
+            "khwodAQ06itzG0fhMAF0O87KFDOq9p+Bx4n6MzHunEL2rJuF+KLOAMnyHRVQ40a1\n" +
+            "V/8JnsjCViceicLKWVQgxlBIFFAlHRoHrAc2g1Sup96zt5kmojNhEtFeJNQkQcpa\n" +
+            "x7atpyrlD2j8oMdr0dJluQcSGhS3/Y/LLCWtNbijykGDfBMQn0tHEgESwVx5muIj\n" +
+            "Hn5yfRIA0/MBg9Py9H4r52Ab6XBs7mDZSrmOoXcCzQY3RgykP01Q8/ipIo7C/Yi6\n" +
+            "aun8QzBLvykeRFfEu1SM523jLMn66CLqKDQR+8IxDgORFwXhwSfGVVl2iLQOVGhp\n" +
+            "cyBpcyBTdHVwaWSJAkgEEwEKADwFAmLRTLUJEFvaeO3EeajpFiEEbKbE888BysnJ\n" +
+            "VAvWW9p47cR5qOkCngECmw8FFgIDAQACCwACFQoCmQEAABRQEACNK0cNjEUcOEJh\n" +
+            "cfG2Hjs6oWClklV9eSNcVQU7S3wT+xr+WwV5S8TJaZtLlvsnp9ZaS4u5/1zY1+ll\n" +
+            "Ahzclg5BU4jihs4N+aBWRf2XovnH8cEHEneu9pXs0Sunj/DVCfHRuRe5Z8Vng9SN\n" +
+            "rofxSfvL9PD5zTwWLHJUZD+yTxI9hmj3G37OTVQbmhtjXGZ0IRaa5fjO9FTwUske\n" +
+            "fhB/7TIwrSDByhj857uF1j4d1i3WjSvps3FuVBuUYc+RLEm8QgkGWGu/QHjvkmUe\n" +
+            "fM1onDXL8JHYX0ULZ1s/sH5oTUXVH6ZQOdFIQeENeYSDZN5P5bDzshO/Dwn5t2f8\n" +
+            "yuV9nxdlK6TGUByyOINkoMf6U7IJfPmdThcqmUoPjUav2ha4uNOhJEL3a1R9RrDk\n" +
+            "q+kiKrT65QTuVl5pE5JjjEuVuGuMjlWnh2aieG9z8sIXqela/1LlOe0MboVTTVv9\n" +
+            "FvR4kz3GGfqSYHTu229R7QEthd9y3NMrPeW8i2ZCZMch3FMhym5sDiSw1okKC4rE\n" +
+            "hhNECnwdCw9DGdqEPgh8RWpjVKQNdCk1gjH+/EnCjlMl7pRcdzkBbKE0TuZTP3ww\n" +
+            "V0q86MQmyWkFO9fQQ9LakERO1OzP0fMob7mce8ZdP7qENAqAYRQLJR4iHPSjcRFz\n" +
+            "WFv0UlYdnSNZfY0vroIMxnM1w4XJVg==\n" +
+            "=4plS\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    @Test
+    public void testEncryptionIsNotUnencrypted() throws PGPException, IOException {
+        PGPSecretKeyRing stupidKey = PGPainless.readKeyRing().secretKeyRing(STUPID_KEY);
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(stupidKey);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(
+                        new EncryptionOptions().addRecipient(certificate)
+                ));
+
+        encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8));
+        encryptionStream.close();
+
+        EncryptionResult metadata = encryptionStream.getResult();
+        assertTrue(metadata.isEncryptedFor(certificate));
+        assertEquals(PGPainless.getPolicy().getSymmetricKeyEncryptionAlgorithmPolicy().getDefaultSymmetricKeyAlgorithm(),
+                metadata.getEncryptionAlgorithm());
+    }
+}

From 32e1f1234bb9be20d1be3bc68c311418ef9f87fd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 15 Jul 2022 13:21:59 +0200
Subject: [PATCH 0551/1450] Add
 KeyRingUtils.publicKeyRingCollectionFrom(PGPSecretKeyRingCollection)

---
 .../org/pgpainless/key/util/KeyRingUtils.java | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 21c5b575..66536b88 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -161,6 +161,25 @@ public final class KeyRingUtils {
         return publicKeyRing;
     }
 
+    /**
+     * Extract {@link PGPPublicKeyRing PGPPublicKeyRings} from all {@link PGPSecretKeyRing PGPSecretKeyRings} in
+     * the given {@link PGPSecretKeyRingCollection} and return them as a {@link PGPPublicKeyRingCollection}.
+     *
+     * @param secretKeyRings secret key ring collection
+     * @return public key ring collection
+     * @throws PGPException TODO: remove
+     * @throws IOException TODO: remove
+     */
+    @Nonnull
+    public static PGPPublicKeyRingCollection publicKeyRingCollectionFrom(@Nonnull PGPSecretKeyRingCollection secretKeyRings)
+            throws PGPException, IOException {
+        List certificates = new ArrayList<>();
+        for (PGPSecretKeyRing secretKey : secretKeyRings) {
+            certificates.add(PGPainless.extractCertificate(secretKey));
+        }
+        return new PGPPublicKeyRingCollection(certificates);
+    }
+
     /**
      * Unlock a {@link PGPSecretKey} and return the resulting {@link PGPPrivateKey}.
      *

From dec3c8be60e44125918c0935ae8bc14cc4a10b0a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 15 Jul 2022 14:00:41 +0200
Subject: [PATCH 0552/1450] Add
 SecretKeyRingEditor.replaceUserId(old,new,protector)

---
 .../secretkeyring/SecretKeyRingEditor.java    | 51 +++++++++++-
 .../SecretKeyRingEditorInterface.java         | 20 +++++
 ...dDoesNotBreakEncryptionCapabilityTest.java | 80 ++++++++++++++++++-
 3 files changed, 149 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 7418401f..e1b1b23e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -205,12 +205,61 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
     @Override
     public SecretKeyRingEditorInterface removeUserId(
             CharSequence userId,
-            SecretKeyRingProtector protector) throws PGPException {
+            SecretKeyRingProtector protector)
+            throws PGPException {
         return removeUserId(
                 SelectUserId.exactMatch(userId.toString()),
                 protector);
     }
 
+    @Override
+    public SecretKeyRingEditorInterface replaceUserId(@Nonnull CharSequence oldUserId,
+                                                      @Nonnull CharSequence newUserId,
+                                                      @Nonnull SecretKeyRingProtector protector)
+            throws PGPException {
+        String oldUID = oldUserId.toString().trim();
+        String newUID = newUserId.toString().trim();
+        if (oldUID.isEmpty()) {
+            throw new IllegalArgumentException("Old user-id cannot be empty.");
+        }
+
+        if (newUID.isEmpty()) {
+            throw new IllegalArgumentException("New user-id cannot be empty.");
+        }
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        if (!info.isUserIdValid(oldUID)) {
+            throw new NoSuchElementException("Key does not carry user-id '" + oldUID + "', or it is not valid.");
+        }
+
+        PGPSignature oldCertification = info.getLatestUserIdCertification(oldUID);
+        if (oldCertification == null) {
+            throw new AssertionError("Certification for old user-id MUST NOT be null.");
+        }
+
+        // Bind new user-id
+        addUserId(newUserId, new SelfSignatureSubpackets.Callback() {
+            @Override
+            public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
+                SignatureSubpacketsHelper.applyFrom(oldCertification.getHashedSubPackets(), (SignatureSubpackets) hashedSubpackets);
+                // Primary user-id
+                if (oldUID.equals(info.getPrimaryUserId())) {
+                    // Implicit primary user-id
+                    if (!oldCertification.getHashedSubPackets().isPrimaryUserID()) {
+                        hashedSubpackets.setPrimaryUserId();
+                    }
+                }
+            }
+
+            @Override
+            public void modifyUnhashedSubpackets(SelfSignatureSubpackets unhashedSubpackets) {
+                SignatureSubpacketsHelper.applyFrom(oldCertification.getUnhashedSubPackets(), (SignatureSubpackets) unhashedSubpackets);
+            }
+        }, protector);
+
+        return revokeUserId(oldUID, protector);
+    }
+
     // TODO: Move to utility class?
     private String sanitizeUserId(@Nonnull CharSequence userId) {
         // TODO: Further research how to sanitize user IDs.
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
index 6f4d34b8..7014d518 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
@@ -104,6 +104,26 @@ public interface SecretKeyRingEditorInterface {
                                               SecretKeyRingProtector protector)
         throws PGPException;
 
+    /**
+     * Replace a user-id on the key with a new one.
+     * The old user-id gets soft revoked and the new user-id gets bound with the same signature subpackets as the
+     * old one, with one exception:
+     * If the old user-id was implicitly primary (did not carry a {@link org.bouncycastle.bcpg.sig.PrimaryUserID} packet,
+     * but effectively was primary, then the new user-id will be explicitly marked as primary.
+     *
+     * @param oldUserId old user-id
+     * @param newUserId new user-id
+     * @param protector protector to unlock the secret key
+     * @return the builder
+     * @throws PGPException in case we cannot generate a revocation and certification signature
+     * @throws java.util.NoSuchElementException if the old user-id was not found on the key; or if the oldUserId
+     *                                          was already invalid
+     */
+    SecretKeyRingEditorInterface replaceUserId(CharSequence oldUserId,
+                                               CharSequence newUserId,
+                                               SecretKeyRingProtector protector)
+        throws PGPException;
+
     /**
      * Add a subkey to the key ring.
      * The subkey will be generated from the provided {@link KeySpec}.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java
index 1995b8bf..e0429287 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/FixUserIdDoesNotBreakEncryptionCapabilityTest.java
@@ -5,16 +5,31 @@
 package org.pgpainless.key.modification;
 
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.NoSuchElementException;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
@@ -55,7 +70,7 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest {
     private static final String userIdAfter = "\"(B)ob (J)ohnson\" ";
 
     @Test
-    public void replaceUserIdWithFixedVersionDoesNotHinderEncryptionCapability() throws IOException, PGPException {
+    public void manualReplaceUserIdWithFixedVersionDoesNotHinderEncryptionCapability() throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
         PGPSecretKeyRing modified = PGPainless.modifyKeyRing(secretKeys)
@@ -81,4 +96,67 @@ public class FixUserIdDoesNotBreakEncryptionCapabilityTest {
         assertFalse(after.isUserIdValid(userIdBefore));
         assertTrue(after.isUserIdValid(userIdAfter));
     }
+
+    @Test
+    public void testReplaceUserId_missingOldUserIdThrows() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
+        assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys)
+                .replaceUserId("missing", userIdAfter, SecretKeyRingProtector.unprotectedKeys()));
+    }
+
+    @Test
+    public void testReplaceUserId_emptyOldUserIdThrows() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
+        assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys)
+                .replaceUserId("     ", userIdAfter, SecretKeyRingProtector.unprotectedKeys()));
+    }
+
+    @Test
+    public void testReplaceUserId_emptyNewUserIdThrows() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
+        assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys)
+                .replaceUserId(userIdBefore, "     ", SecretKeyRingProtector.unprotectedKeys()));
+    }
+
+    @Test
+    public void testReplaceImplicitUserIdDoesNotBreakStuff() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(SECRET_KEY);
+
+        PGPSecretKeyRing edited = PGPainless.modifyKeyRing(secretKeys)
+                .replaceUserId(userIdBefore, userIdAfter, SecretKeyRingProtector.unprotectedKeys())
+                .done();
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(edited);
+        assertTrue(info.isUserIdValid(userIdAfter));
+        assertEquals(userIdAfter, info.getPrimaryUserId());
+
+        assertTrue(info.getLatestUserIdCertification(userIdAfter).getHashedSubPackets().isPrimaryUserID());
+
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(edited);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(new EncryptionOptions()
+                        .addRecipient(cert)));
+
+        encryptionStream.write("Hello".getBytes(StandardCharsets.UTF_8));
+        encryptionStream.close();
+
+        EncryptionResult result = encryptionStream.getResult();
+        assertTrue(result.isEncryptedFor(cert));
+
+        ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
+        ByteArrayOutputStream plain = new ByteArrayOutputStream();
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(new ConsumerOptions()
+                        .addDecryptionKey(edited));
+
+        Streams.pipeAll(decryptionStream, plain);
+        decryptionStream.close();
+
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+        assertTrue(metadata.isEncrypted());
+    }
 }

From ba191a1d0ff1064da279227da429c93ab1d4ece5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 15 Jul 2022 14:19:45 +0200
Subject: [PATCH 0553/1450] Prevent adding NULL to symmetric algorithm
 preference when generating key

Fixes #301
---
 .../pgpainless/key/generation/KeySpecBuilder.java  |  5 +++++
 .../StupidAlgorithmPreferenceEncryptionTest.java   | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
index 2d7010d8..559dd3ce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
@@ -64,6 +64,11 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
     @Override
     public KeySpecBuilder overridePreferredSymmetricKeyAlgorithms(
             @Nonnull SymmetricKeyAlgorithm... preferredSymmetricKeyAlgorithms) {
+        for (SymmetricKeyAlgorithm algo : preferredSymmetricKeyAlgorithms) {
+            if (algo == SymmetricKeyAlgorithm.NULL) {
+                throw new IllegalArgumentException("NULL (unencrypted) is an invalid symmetric key algorithm preference.");
+            }
+        }
         this.preferredSymmetricAlgorithms = new LinkedHashSet<>(Arrays.asList(preferredSymmetricKeyAlgorithms));
         return this;
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java
index 42aa0856..19d5fdd1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/StupidAlgorithmPreferenceEncryptionTest.java
@@ -9,20 +9,34 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.rsa.RsaLength;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class StupidAlgorithmPreferenceEncryptionTest {
 
+    @Test
+    public void testPreventUnencryptedAlgorithmPreferenceDuringKeyGeneration() {
+        KeySpecBuilder specBuilder = KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), KeyFlag.CERTIFY_OTHER);
+        assertThrows(IllegalArgumentException.class, () ->
+                specBuilder.overridePreferredSymmetricKeyAlgorithms(
+                        SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192,
+                        SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.NULL));
+    }
+
     // RSA key with symmetric algorithm preference "NULL" (unencrypted).
     private static final String STUPID_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +

From fe913172d5bb940ade085c9c6df2643c849380a2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 16 Jul 2022 12:58:22 +0200
Subject: [PATCH 0554/1450] Add missing javadoc

---
 .../src/main/java/org/pgpainless/key/OpenPgpFingerprint.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index 6abe207b..86ac8265 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -70,8 +70,8 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable
Date: Sat, 16 Jul 2022 13:00:15 +0200
Subject: [PATCH 0555/1450] Update changelog

---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39f795af..c6075d1c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,21 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.2
+- Add `KeyRingInfo(Policy)` constructor
+- Delete unused `KeyRingValidator` class
+- Add `PGPainless.certify()` API
+  - `certify().userIdOnCertificate()` can be used to certify other users User-IDs
+  - `certify().certificate()` can be used to create direct-key signatures on other users keys
+- We now have a [User Guide!](https://pgpainless.rtfd.io/)
+- Fixed build script
+  - `pgpainless-cli`s `gradle build` task no longer builds fat jar
+  - Fat jars are now built by dedicated shadow plugin
+- Fix third-party assigned user-ids on keys to accidentally get picked up as primary user-id
+- Add `KeyRingUtils.publicKeyRingCollectionFrom(PGPSecretKeyRingCollection)`
+- Add `SecretKeyRingEditor.replaceUserId(oldUid, newUid, protector)`
+- Prevent adding `SymmetricKeyAlgorithm.NULL` (unencrypted) as encryption algo preference when generating keys
+
 ## 1.3.1
 - Fix reproducibility of builds by setting fixed file permissions in archive task
 - Improve encryption performance by buffering streams

From 93e50b75feb17acf39f1c7dddb279980d9675869 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 16 Jul 2022 13:02:55 +0200
Subject: [PATCH 0556/1450] PGPainless 1.3.2

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 92a3e3ee..aee0c2f2 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.1'
+	implementation 'org.pgpainless:pgpainless-core:1.3.2'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 58c1e9c9..8eb0ed50 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.1"
+    implementation "org.pgpainless:pgpainless-sop:1.3.2"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.1
+        1.3.2
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 178eb300..bb3114e5 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From d4953bd8f66c6d78a58890eab72b40421f1ce51f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 16 Jul 2022 13:05:08 +0200
Subject: [PATCH 0557/1450] PGPainless 1.3.3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index bb3114e5..7f57ac2a 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.2'
-        isSnapshot = false
+        shortVersion = '1.3.3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 59adbe1d0ac4082c377c3f79e1a94a7c46397484 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 18 Jul 2022 11:30:25 +0200
Subject: [PATCH 0558/1450] Add SHA3 hash algorithms to HashAlgorithm class

---
 .../src/main/java/org/pgpainless/algorithm/HashAlgorithm.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
index 12feb678..0b9368bb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/HashAlgorithm.java
@@ -27,6 +27,8 @@ public enum HashAlgorithm {
     SHA384     (HashAlgorithmTags.SHA384, "SHA384"),
     SHA512     (HashAlgorithmTags.SHA512, "SHA512"),
     SHA224     (HashAlgorithmTags.SHA224, "SHA224"),
+    SHA3_256   (12, "SHA3-256"),
+    SHA3_512   (14, "SHA3-512"),
     ;
 
     private static final Map ID_MAP = new HashMap<>();

From cd5982cd478818ca374eaa7eb3a600d21e8bdf32 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 18 Jul 2022 11:30:37 +0200
Subject: [PATCH 0559/1450] Add AEADAlgorithm class and test

---
 .../pgpainless/algorithm/AEADAlgorithm.java   | 95 +++++++++++++++++++
 .../algorithm/AEADAlgorithmTest.java          | 50 ++++++++++
 2 files changed, 145 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/AEADAlgorithmTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
new file mode 100644
index 00000000..106d6bff
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
@@ -0,0 +1,95 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.NoSuchElementException;
+
+/**
+ * List of AEAD algorithms defined in crypto-refresh-06.
+ *
+ * @see 
+ *     Crypto-Refresh-06 §9.6 - AEAD Algorithms
+ */
+public enum AEADAlgorithm {
+
+    EAX(1, 16, 16),
+    OCB(2, 15, 16),
+    GCM(3, 12, 16),
+    ;
+
+    private final int algorithmId;
+    private final int ivLength;
+    private final int tagLength;
+
+    private static final Map MAP = new HashMap<>();
+
+    static {
+        for (AEADAlgorithm h : AEADAlgorithm.values()) {
+            MAP.put(h.algorithmId, h);
+        }
+    }
+
+    AEADAlgorithm(int id, int ivLength, int tagLength) {
+        this.algorithmId = id;
+        this.ivLength = ivLength;
+        this.tagLength = tagLength;
+    }
+
+    public int getAlgorithmId() {
+        return algorithmId;
+    }
+
+    /**
+     * Return the length (in octets) of the IV.
+     *
+     * @return iv length
+     */
+    public int getIvLength() {
+        return ivLength;
+    }
+
+    /**
+     * Return the length (in octets) of the authentication tag.
+     *
+     * @return tag length
+     */
+    public int getTagLength() {
+        return tagLength;
+    }
+
+    /**
+     * Return the {@link AEADAlgorithm} value that corresponds to the provided algorithm id.
+     * If an invalid algorithm id was provided, null is returned.
+     *
+     * @param id numeric id
+     * @return enum value
+     */
+    @Nullable
+    public static AEADAlgorithm fromId(int id) {
+        return MAP.get(id);
+    }
+
+    /**
+     * Return the  {@link AEADAlgorithm} value that corresponds to the provided algorithm id.
+     * If an invalid algorithm id was provided, throw a {@link NoSuchElementException}.
+     *
+     * @param id algorithm id
+     * @return enum value
+     * @throws NoSuchElementException in case of an unknown algorithm id
+     */
+    @Nonnull
+    public static AEADAlgorithm requireFromId(int id) {
+        AEADAlgorithm algorithm = fromId(id);
+        if (algorithm == null) {
+            throw new NoSuchElementException("No AEADAlgorithm found for id " + id);
+        }
+        return algorithm;
+    }
+
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/AEADAlgorithmTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/AEADAlgorithmTest.java
new file mode 100644
index 00000000..58423190
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/AEADAlgorithmTest.java
@@ -0,0 +1,50 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.NoSuchElementException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class AEADAlgorithmTest {
+
+    @Test
+    public void testEAXParameters() {
+        AEADAlgorithm eax = AEADAlgorithm.EAX;
+        assertEquals(1, eax.getAlgorithmId());
+        assertEquals(16, eax.getIvLength());
+        assertEquals(16, eax.getTagLength());
+    }
+
+    @Test
+    public void testOCBParameters() {
+        AEADAlgorithm ocb = AEADAlgorithm.OCB;
+        assertEquals(2, ocb.getAlgorithmId());
+        assertEquals(15, ocb.getIvLength());
+        assertEquals(16, ocb.getTagLength());
+    }
+
+    @Test
+    public void testGCMParameters() {
+        AEADAlgorithm gcm = AEADAlgorithm.GCM;
+        assertEquals(3, gcm.getAlgorithmId());
+        assertEquals(12, gcm.getIvLength());
+        assertEquals(16, gcm.getTagLength());
+    }
+
+    @Test
+    public void testFromId() {
+        assertEquals(AEADAlgorithm.EAX, AEADAlgorithm.requireFromId(1));
+        assertEquals(AEADAlgorithm.OCB, AEADAlgorithm.requireFromId(2));
+        assertEquals(AEADAlgorithm.GCM, AEADAlgorithm.requireFromId(3));
+
+        assertNull(AEADAlgorithm.fromId(99));
+        assertThrows(NoSuchElementException.class, () -> AEADAlgorithm.requireFromId(99));
+    }
+}

From 9b6d08f3c5d09497604328bb8be09b4528feacc3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 18 Jul 2022 12:03:16 +0200
Subject: [PATCH 0560/1450] Add MODIFICATION_DETECTION_2 feature constant

---
 .../java/org/pgpainless/algorithm/Feature.java    | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
index 52de27bf..a0fc2974 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/Feature.java
@@ -23,7 +23,8 @@ import javax.annotation.Nullable;
 public enum Feature {
 
     /**
-     * Support for Symmetrically Encrypted Integrity Protected Data Packets using Modification Detection Code Packets.
+     * Support for Symmetrically Encrypted Integrity Protected Data Packets (version 1) using Modification
+     * Detection Code Packets.
      *
      * @see 
      *     RFC-4880 §5.14: Modification Detection Code Packet
@@ -35,6 +36,7 @@ public enum Feature {
      * If a key announces this feature, it signals support for consuming AEAD Encrypted Data Packets.
      *
      * NOTE: PGPAINLESS DOES NOT YET SUPPORT THIS FEATURE!!!
+     * NOTE: This value is currently RESERVED.
      *
      * @see 
      *     AEAD Encrypted Data Packet
@@ -49,11 +51,20 @@ public enum Feature {
      * In addition, fingerprints of version 5 keys are calculated differently from version 4 keys.
      *
      * NOTE: PGPAINLESS DOES NOT YET SUPPORT THIS FEATURE!!!
+     * NOTE: This value is currently RESERVED.
      *
      * @see 
      *     Public-Key Packet Formats
      */
-    VERSION_5_PUBLIC_KEY(Features.FEATURE_VERSION_5_PUBLIC_KEY)
+    VERSION_5_PUBLIC_KEY(Features.FEATURE_VERSION_5_PUBLIC_KEY),
+
+    /**
+     * Support for Symmetrically Encrypted Integrity Protected Data packet version 2.
+     *
+     * @see 
+     *     crypto-refresh-06 §5.13.2. Version 2 Sym. Encrypted Integrity Protected Data Packet Format
+     */
+    MODIFICATION_DETECTION_2((byte) 0x08),
     ;
 
     private static final Map MAP = new ConcurrentHashMap<>();

From e67d5b405cb21b203be1e07053d94a11ff616a7e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 18 Jul 2022 14:50:53 +0200
Subject: [PATCH 0561/1450] Add javadoc to
 ProducerOptions.noEncryptionNoSigning()

---
 .../org/pgpainless/encryption_signing/ProducerOptions.java  | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index c0e60181..a015a581 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -69,6 +69,12 @@ public final class ProducerOptions {
         return new ProducerOptions(encryptionOptions, null);
     }
 
+    /**
+     * Only wrap the data in an OpenPGP packet.
+     * No encryption or signing will be applied.
+     *
+     * @return builder
+     */
     public static ProducerOptions noEncryptionNoSigning() {
         return new ProducerOptions(null, null);
     }

From f966c1ed073a0e378f84083546d5971f83f748b6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 20 Jul 2022 18:07:42 +0200
Subject: [PATCH 0562/1450] Explicitly cast Long to long to fix ambiguity in
 debian tests

---
 .../decryption_verification/MessageInspectorTest.java           | 2 +-
 .../VerifyWithMissingPublicKeyCallback.java                     | 2 +-
 .../key/protection/CachingSecretKeyRingProtectorTest.java       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java
index dd47ec4b..b7382360 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageInspectorTest.java
@@ -33,7 +33,7 @@ public class MessageInspectorTest {
         assertFalse(info.isSignedOnly());
         assertTrue(info.isEncrypted());
         assertEquals(1, info.getKeyIds().size());
-        assertEquals(KeyIdUtil.fromLongKeyId("4766F6B9D5F21EB6"), info.getKeyIds().get(0));
+        assertEquals(KeyIdUtil.fromLongKeyId("4766F6B9D5F21EB6"), (long) info.getKeyIds().get(0));
     }
 
     @Test
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
index e4e9427b..bcbad822 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
@@ -66,7 +66,7 @@ public class VerifyWithMissingPublicKeyCallback {
                             @Nullable
                             @Override
                             public PGPPublicKeyRing onMissingPublicKeyEncountered(@Nonnull Long keyId) {
-                                assertEquals(signingKey.getKeyID(), keyId, "Signing key-ID mismatch.");
+                                assertEquals(signingKey.getKeyID(), (long) keyId, "Signing key-ID mismatch.");
                                 return signingPubKeys;
                             }
                         }));
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java
index 6c103ea3..d1f5f9e6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/CachingSecretKeyRingProtectorTest.java
@@ -129,7 +129,7 @@ public class CachingSecretKeyRingProtectorTest {
 
             Passphrase passphrase = withCallback.getPassphraseFor(x);
             assertNotNull(passphrase);
-            assertEquals(doubled, Long.valueOf(new String(passphrase.getChars())));
+            assertEquals(doubled, (long) Long.valueOf(new String(passphrase.getChars())));
         }
     }
 

From 914f2bf5b6e11f6c4c440ec49354ccd6baf0cc77 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 20 Jul 2022 18:15:38 +0200
Subject: [PATCH 0563/1450] Add IRC channel to readme

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index aee0c2f2..4cc41e52 100644
--- a/README.md
+++ b/README.md
@@ -198,6 +198,8 @@ Do you need a custom feature? Are you unsure of what's the best way to integrate
 We offer paid professional services. Don't hesitate to send an inquiry to [info@pgpainless.org](mailto:info@pgpainless.org).
 
 ## Development
+Join the projects IRC channel [**#pgpainless**](ircs://irc.oftc.net:6697/#pgpainless) on OFTC if you have any questions!
+
 PGPainless is developed in - and accepts contributions from - the following places:
 
 * [Github](https://github.com/pgpainless/pgpainless)

From cb8e0d795103736bd7c4b39bb16011ae35b96e16 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 21 Jul 2022 13:17:26 +0200
Subject: [PATCH 0564/1450] Create FUNDING.yml

---
 .github/FUNDING.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .github/FUNDING.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..ca136f30
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: vanitasvitae # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+#patreon: # Replace with a single Patreon username
+#open_collective: # Replace with a single Open Collective username
+#ko_fi: # Replace with a single Ko-fi username
+#tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+#community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+#liberapay: # Replace with a single Liberapay username
+#issuehunt: # Replace with a single IssueHunt username
+#otechie: # Replace with a single Otechie username
+#lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+#custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

From c4bffad4785670d9a27c32c0a84a0fc7da6f3032 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 21 Jul 2022 21:34:44 +0200
Subject: [PATCH 0565/1450] Abort (skip) tests reading from resources

---
 .../key/parsing/KeyRingReaderTest.java        | 82 ++++++++++++-------
 1 file changed, 53 insertions(+), 29 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
index 9349a864..b3fe66d4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@@ -14,6 +14,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
@@ -50,11 +51,38 @@ class KeyRingReaderTest {
     private InputStream requireResource(String resourceName) {
         InputStream inputStream = getClass().getClassLoader().getResourceAsStream(resourceName);
         if (inputStream == null) {
-            throw new TestAbortedException("Cannot read resource " + resourceName);
+            throw new TestAbortedException("Cannot read resource " + resourceName + ": InputStream is null.");
         }
         return inputStream;
     }
 
+    private URI getResourceURI(String resourceName) {
+        try {
+            URL url = getClass().getClassLoader().getResource(resourceName);
+            if (url == null) {
+                throw new TestAbortedException("Cannot read resource " + resourceName + ": URL is null.");
+            }
+            return url.toURI();
+        } catch (URISyntaxException | IllegalArgumentException e) {
+            throw new TestAbortedException("Cannot read resource " + resourceName, e);
+        }
+    }
+
+    private File getFileFromResource(String resourceName) {
+        URI uri = getResourceURI(resourceName);
+        try {
+            return new File(uri);
+        } catch (IllegalArgumentException e) {
+            // When executing the tests from pgpainless-test.jar, we cannot read resources as
+            //  URI is not hierarchical.
+            throw new TestAbortedException("Cannot read resource " + resourceName, e);
+        }
+    }
+
+    private byte[] readFromResource(String resourceName) throws IOException {
+        return Files.readAllBytes(getFileFromResource(resourceName).toPath());
+    }
+
     @Test
     public void assertThatPGPUtilsDetectAsciiArmoredData() throws IOException, PGPException {
         InputStream inputStream = requireResource("pub_keys_10_pieces.asc");
@@ -93,18 +121,16 @@ class KeyRingReaderTest {
     }
 
     @Test
-    void publicKeyRingCollectionFromString() throws IOException, PGPException, URISyntaxException {
-        URL resource = getClass().getClassLoader().getResource("pub_keys_10_pieces.asc");
-        String armoredString = new String(Files.readAllBytes(new File(resource.toURI()).toPath()));
+    void publicKeyRingCollectionFromString() throws IOException, PGPException {
+        String armoredString = new String(readFromResource("pub_keys_10_pieces.asc"));
         InputStream inputStream = new ByteArrayInputStream(armoredString.getBytes(StandardCharsets.UTF_8));
         PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(inputStream);
         assertEquals(10, rings.size());
     }
 
     @Test
-    void publicKeyRingCollectionFromBytes() throws IOException, PGPException, URISyntaxException {
-        URL resource = getClass().getClassLoader().getResource("pub_keys_10_pieces.asc");
-        byte[] bytes = Files.readAllBytes(new File(resource.toURI()).toPath());
+    void publicKeyRingCollectionFromBytes() throws IOException, PGPException {
+        byte[] bytes = readFromResource("pub_keys_10_pieces.asc");
         InputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
         PGPPublicKeyRingCollection rings = PGPainless.readKeyRing().publicKeyRingCollection(byteArrayInputStream);
         assertEquals(10, rings.size());
@@ -114,7 +140,7 @@ class KeyRingReaderTest {
      * One armored pub key
      */
     @Test
-    void parsePublicKeysSingleArmored() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysSingleArmored() throws IOException, PGPException {
         assertEquals(1, getPgpPublicKeyRingsFromResource("single_pub_key_armored.asc").size());
     }
 
@@ -122,7 +148,7 @@ class KeyRingReaderTest {
      * One binary pub key
      */
     @Test
-    void parsePublicKeysSingleBinary() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysSingleBinary() throws IOException, PGPException {
         assertEquals(1, getPgpPublicKeyRingsFromResource("single_pub_key_binary.key").size());
     }
 
@@ -130,7 +156,7 @@ class KeyRingReaderTest {
      * Many armored pub keys with a single -----BEGIN PGP PUBLIC KEY BLOCK-----...-----END PGP PUBLIC KEY BLOCK-----
      */
     @Test
-    void parsePublicKeysMultiplyArmoredSingleHeader() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysMultiplyArmoredSingleHeader() throws IOException, PGPException {
         assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_single_header.asc").size());
     }
 
@@ -138,7 +164,7 @@ class KeyRingReaderTest {
      * Many armored pub keys where each has own -----BEGIN PGP PUBLIC KEY BLOCK-----...-----END PGP PUBLIC KEY BLOCK-----
      */
     @Test
-    void parsePublicKeysMultiplyArmoredOwnHeader() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysMultiplyArmoredOwnHeader() throws IOException, PGPException {
         assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_own_header.asc").size());
     }
 
@@ -147,7 +173,7 @@ class KeyRingReaderTest {
      * Each of those blocks can have a different count of keys.
      */
     @Test
-    void parsePublicKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException {
         assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_armored_own_with_single_header.asc").size());
     }
 
@@ -155,7 +181,7 @@ class KeyRingReaderTest {
      * Many binary pub keys
      */
     @Test
-    void parsePublicKeysMultiplyBinary() throws IOException, PGPException, URISyntaxException {
+    void parsePublicKeysMultiplyBinary() throws IOException, PGPException {
         assertEquals(10, getPgpPublicKeyRingsFromResource("10_pub_keys_binary.key").size());
     }
 
@@ -163,7 +189,7 @@ class KeyRingReaderTest {
      * One armored private key
      */
     @Test
-    void parseSecretKeysSingleArmored() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysSingleArmored() throws IOException, PGPException {
         assertEquals(1, getPgpSecretKeyRingsFromResource("single_prv_key_armored.asc").size());
     }
 
@@ -171,7 +197,7 @@ class KeyRingReaderTest {
      * One binary private key
      */
     @Test
-    void parseSecretKeysSingleBinary() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysSingleBinary() throws IOException, PGPException {
         assertEquals(1, getPgpSecretKeyRingsFromResource("single_prv_key_binary.key").size());
     }
 
@@ -180,7 +206,7 @@ class KeyRingReaderTest {
      * -----BEGIN PGP PRIVATE KEY BLOCK-----...-----END PGP PRIVATE KEY BLOCK-----
      */
     @Test
-    void parseSecretKeysMultiplyArmoredSingleHeader() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysMultiplyArmoredSingleHeader() throws IOException, PGPException {
         assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_single_header.asc").size());
     }
 
@@ -188,7 +214,7 @@ class KeyRingReaderTest {
      * Many armored private keys where each has own -----BEGIN PGP PRIVATE KEY BLOCK-----...-----END PGP PRIVATE KEY BLOCK-----
      */
     @Test
-    void parseSecretKeysMultiplyArmoredOwnHeader() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysMultiplyArmoredOwnHeader() throws IOException, PGPException {
         assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_own_header.asc").size());
     }
 
@@ -197,7 +223,7 @@ class KeyRingReaderTest {
      * Each of those blocks can have a different count of keys.
      */
     @Test
-    void parseSecretKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException {
         assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_armored_own_with_single_header.asc").size());
     }
 
@@ -205,7 +231,7 @@ class KeyRingReaderTest {
      * Many binary private keys
      */
     @Test
-    void parseSecretKeysMultiplyBinary() throws IOException, PGPException, URISyntaxException {
+    void parseSecretKeysMultiplyBinary() throws IOException, PGPException {
         assertEquals(10, getPgpSecretKeyRingsFromResource("10_prv_keys_binary.key").size());
     }
 
@@ -213,7 +239,7 @@ class KeyRingReaderTest {
      * Many armored keys(private or pub) where each has own -----BEGIN PGP ... KEY BLOCK-----...-----END PGP ... KEY BLOCK-----
      */
     @Test
-    void parseKeysMultiplyArmoredOwnHeader() throws IOException, PGPException, URISyntaxException {
+    void parseKeysMultiplyArmoredOwnHeader() throws IOException, PGPException {
         assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_armored_own_header.asc").size());
     }
 
@@ -222,7 +248,7 @@ class KeyRingReaderTest {
      * Each of those blocks can have a different count of keys.
      */
     @Test
-    void parseKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException, URISyntaxException {
+    void parseKeysMultiplyArmoredOwnWithSingleHeader() throws IOException, PGPException {
         assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_armored_own_with_single_header.asc").size());
     }
 
@@ -230,28 +256,26 @@ class KeyRingReaderTest {
      * Many binary keys(private or pub)
      */
     @Test
-    void parseKeysMultiplyBinary() throws IOException, PGPException, URISyntaxException {
+    void parseKeysMultiplyBinary() throws IOException, PGPException {
         assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_binary.key").size());
     }
 
-    private InputStream getFileInputStreamFromResource(String fileName) throws IOException, URISyntaxException {
-        URL resource = getClass().getClassLoader().getResource(fileName);
-        assert resource != null;
-        return new FileInputStream(new File(resource.toURI()));
+    private InputStream getFileInputStreamFromResource(String fileName) throws IOException {
+        return new FileInputStream(getFileFromResource(fileName));
     }
 
     private PGPKeyRingCollection getPGPKeyRingsFromResource(String fileName)
-            throws IOException, URISyntaxException, PGPException {
+            throws IOException, PGPException {
         return PGPainless.readKeyRing().keyRingCollection(getFileInputStreamFromResource(fileName), true);
     }
 
     private PGPPublicKeyRingCollection getPgpPublicKeyRingsFromResource(String fileName)
-            throws IOException, URISyntaxException, PGPException {
+            throws IOException, PGPException {
         return PGPainless.readKeyRing().publicKeyRingCollection(getFileInputStreamFromResource(fileName));
     }
 
     private PGPSecretKeyRingCollection getPgpSecretKeyRingsFromResource(String fileName)
-            throws IOException, URISyntaxException, PGPException {
+            throws IOException, PGPException {
         return PGPainless.readKeyRing().secretKeyRingCollection(getFileInputStreamFromResource(fileName));
     }
 

From 5a86d9db629e1c411fcdc47111201a08fefb3499 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Charaoui?= 
Date: Thu, 21 Jul 2022 19:38:22 -0400
Subject: [PATCH 0566/1450] Fix tests that read from jar-embedded resources

It seems that none of the functions used here actually require a File
object as arguments, and will happily work on InputStream objects.
This also changes readFromResource() to use InputStream.readAllBytes()
instead of File.readAllBytes(), which is available from Java 9.
---
 .../key/parsing/KeyRingReaderTest.java        | 37 +++----------------
 1 file changed, 5 insertions(+), 32 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
index b3fe66d4..23479a78 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@@ -14,7 +14,6 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
@@ -56,31 +55,9 @@ class KeyRingReaderTest {
         return inputStream;
     }
 
-    private URI getResourceURI(String resourceName) {
-        try {
-            URL url = getClass().getClassLoader().getResource(resourceName);
-            if (url == null) {
-                throw new TestAbortedException("Cannot read resource " + resourceName + ": URL is null.");
-            }
-            return url.toURI();
-        } catch (URISyntaxException | IllegalArgumentException e) {
-            throw new TestAbortedException("Cannot read resource " + resourceName, e);
-        }
-    }
-
-    private File getFileFromResource(String resourceName) {
-        URI uri = getResourceURI(resourceName);
-        try {
-            return new File(uri);
-        } catch (IllegalArgumentException e) {
-            // When executing the tests from pgpainless-test.jar, we cannot read resources as
-            //  URI is not hierarchical.
-            throw new TestAbortedException("Cannot read resource " + resourceName, e);
-        }
-    }
-
     private byte[] readFromResource(String resourceName) throws IOException {
-        return Files.readAllBytes(getFileFromResource(resourceName).toPath());
+        InputStream inputStream = requireResource(resourceName);
+        return inputStream.readAllBytes();
     }
 
     @Test
@@ -260,23 +237,19 @@ class KeyRingReaderTest {
         assertEquals(10, getPGPKeyRingsFromResource("10_prv_and_pub_keys_binary.key").size());
     }
 
-    private InputStream getFileInputStreamFromResource(String fileName) throws IOException {
-        return new FileInputStream(getFileFromResource(fileName));
-    }
-
     private PGPKeyRingCollection getPGPKeyRingsFromResource(String fileName)
             throws IOException, PGPException {
-        return PGPainless.readKeyRing().keyRingCollection(getFileInputStreamFromResource(fileName), true);
+        return PGPainless.readKeyRing().keyRingCollection(requireResource(fileName), true);
     }
 
     private PGPPublicKeyRingCollection getPgpPublicKeyRingsFromResource(String fileName)
             throws IOException, PGPException {
-        return PGPainless.readKeyRing().publicKeyRingCollection(getFileInputStreamFromResource(fileName));
+        return PGPainless.readKeyRing().publicKeyRingCollection(requireResource(fileName));
     }
 
     private PGPSecretKeyRingCollection getPgpSecretKeyRingsFromResource(String fileName)
             throws IOException, PGPException {
-        return PGPainless.readKeyRing().secretKeyRingCollection(getFileInputStreamFromResource(fileName));
+        return PGPainless.readKeyRing().secretKeyRingCollection(requireResource(fileName));
     }
 
     @Test

From cb23cad625cb525641a501c9a681e14a525f5322 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Jul 2022 13:59:15 +0200
Subject: [PATCH 0567/1450] Fix checkstyle issues and java API compatibility

---
 .../org/pgpainless/key/parsing/KeyRingReaderTest.java     | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
index 23479a78..404440ca 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@@ -10,14 +10,9 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.URISyntaxException;
-import java.net.URL;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
@@ -34,6 +29,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.opentest4j.TestAbortedException;
 import org.pgpainless.PGPainless;
@@ -57,7 +53,7 @@ class KeyRingReaderTest {
 
     private byte[] readFromResource(String resourceName) throws IOException {
         InputStream inputStream = requireResource(resourceName);
-        return inputStream.readAllBytes();
+        return Streams.readAll(inputStream);
     }
 
     @Test

From 895fcced9aaebead36951212f01382f19e06e656 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Jul 2022 20:21:02 +0200
Subject: [PATCH 0568/1450] Add gradle CI action

---
 .github/workflows/gradle_push.yml             | 32 +++++++++++++++++++
 .../OpenPgpInputStreamTest.java               |  3 +-
 2 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/gradle_push.yml

diff --git a/.github/workflows/gradle_push.yml b/.github/workflows/gradle_push.yml
new file mode 100644
index 00000000..189dc6ce
--- /dev/null
+++ b/.github/workflows/gradle_push.yml
@@ -0,0 +1,32 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+
+name: CI on main branch
+
+on:
+  push:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+      - name: Build, Check and Coverage
+        uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+        env:
+          COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
+        with:
+          arguments: check jacocoRootReport coveralls
\ No newline at end of file
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
index a39ee70f..d731fb87 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpInputStreamTest.java
@@ -23,7 +23,6 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
@@ -36,7 +35,7 @@ public class OpenPgpInputStreamTest {
 
     private static final Random RANDOM = new Random();
 
-    @RepeatedTest(100)
+    @Test
     public void randomBytesDoNotContainOpenPgpData() throws IOException {
         byte[] randomBytes = new byte[1000000];
         RANDOM.nextBytes(randomBytes);

From 55c9b6ed9e9dd7bc3c5b3b024da9e6f20c8da082 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Jul 2022 20:48:53 +0200
Subject: [PATCH 0569/1450] Add reuse headers to files in .github

---
 .github/FUNDING.yml               | 4 ++++
 .github/workflows/gradle_push.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index ca136f30..36f6550a 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2021 Paul Schaub 
+#
+# SPDX-License-Identifier: Apache-2.0
+
 # These are supported funding model platforms
 
 github: vanitasvitae # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
diff --git a/.github/workflows/gradle_push.yml b/.github/workflows/gradle_push.yml
index 189dc6ce..395fed9b 100644
--- a/.github/workflows/gradle_push.yml
+++ b/.github/workflows/gradle_push.yml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2021 Paul Schaub 
+#
+# SPDX-License-Identifier: Apache-2.0
+
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support

From 324244ae134a79e01fb50d855a43337bbe332cd0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Jul 2022 20:50:01 +0200
Subject: [PATCH 0570/1450] Update badges

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 4cc41e52..6eae7902 100644
--- a/README.md
+++ b/README.md
@@ -6,9 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless - Use OpenPGP Painlessly!
 
-[![Travis (.com)](https://travis-ci.com/pgpainless/pgpainless.svg?branch=master)](https://travis-ci.com/pgpainless/pgpainless)
+[![Travis (.com)](https://travis-ci.com/pgpainless/pgpainless.svg?branch=main)](https://travis-ci.com/pgpainless/pgpainless)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
-[![Coverage Status](https://coveralls.io/repos/github/pgpainless/pgpainless/badge.svg?branch=master)](https://coveralls.io/github/pgpainless/pgpainless?branch=master)
+[![Coverage Status](https://coveralls.io/repos/github/pgpainless/pgpainless/badge.svg?branch=main)](https://coveralls.io/github/pgpainless/pgpainless?branch=main)
 [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/)
 [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A)
 [![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/pgpainless)](https://api.reuse.software/info/github.com/pgpainless/pgpainless)

From e622a2256e3aa471ae86ff6f5f2319476e20c2ef Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 22 Jul 2022 20:53:42 +0200
Subject: [PATCH 0571/1450] Rename build job and point build badge to github
 action

---
 .github/workflows/gradle_push.yml | 2 +-
 README.md                         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/gradle_push.yml b/.github/workflows/gradle_push.yml
index 395fed9b..0d32e038 100644
--- a/.github/workflows/gradle_push.yml
+++ b/.github/workflows/gradle_push.yml
@@ -9,7 +9,7 @@
 # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
 # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
 
-name: CI on main branch
+name: Build
 
 on:
   push:
diff --git a/README.md b/README.md
index 6eae7902..02253a83 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless - Use OpenPGP Painlessly!
 
-[![Travis (.com)](https://travis-ci.com/pgpainless/pgpainless.svg?branch=main)](https://travis-ci.com/pgpainless/pgpainless)
+[![Build Status](https://github.com/pgpainless/pgpainless/actions/workflows/gradle_push.yml/badge.svg)](https://github.com/pgpainless/pgpainless/actions/workflows/gradle_push.yml)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
 [![Coverage Status](https://coveralls.io/repos/github/pgpainless/pgpainless/badge.svg?branch=main)](https://coveralls.io/github/pgpainless/pgpainless?branch=main)
 [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/)

From cc9af93e750dbcee8e5f48363a6a0bef17459b30 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 23 Jul 2022 01:16:28 +0200
Subject: [PATCH 0572/1450] Fix command usage strings not being picked up due
 to renamed parent command

---
 .../src/main/java/org/pgpainless/cli/PGPainlessCLI.java          | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
index 35791a3e..c53ced17 100644
--- a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
+++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
@@ -14,7 +14,6 @@ import sop.cli.picocli.SopCLI;
 public class PGPainlessCLI {
 
     static {
-        SopCLI.EXECUTABLE_NAME = "pgpainless-cli";
         SopCLI.setSopInstance(new SOPImpl());
     }
 

From bd10630fb4b93deb0d4bcf17a0b5e42a1e311e07 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 24 Jul 2022 12:42:16 +0200
Subject: [PATCH 0573/1450] PGPainless 1.3.3

---
 CHANGELOG.md             | 5 +++++
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6075d1c..cd96baef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.3
+- Improve test compatibility against older JUnit versions
+- Fix tests that read from jar-embedded resources (thanks @jcharaoui)
+- `pgpainless-cli help`: Fix i18n strings
+
 ## 1.3.2
 - Add `KeyRingInfo(Policy)` constructor
 - Delete unused `KeyRingValidator` class
diff --git a/README.md b/README.md
index 02253a83..091b0cba 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.2'
+	implementation 'org.pgpainless:pgpainless-core:1.3.3'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 8eb0ed50..46aa8c21 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.2"
+    implementation "org.pgpainless:pgpainless-sop:1.3.3"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.2
+        1.3.3
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 7f57ac2a..c2cd69bf 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.3'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 8bbb3aa8bac34efc47cd3bd39dc29cb475b1c39b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 24 Jul 2022 12:45:16 +0200
Subject: [PATCH 0574/1450] PGPainless 1.3.4-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index c2cd69bf..9c5cae1f 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.3'
-        isSnapshot = false
+        shortVersion = '1.3.4'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From c1de66e1d7b8458aca2979e20884c3c378b04a4d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 2 Aug 2022 16:53:01 +0200
Subject: [PATCH 0575/1450] Fix javadoc lying about only encrypting to single
 subkeys

Fixes #305
---
 .../pgpainless/encryption_signing/EncryptionOptions.java    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 99059c0a..2a75ee4e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -48,11 +48,11 @@ import org.pgpainless.util.Passphrase;
  * This will cause PGPainless to use the provided algorithm for message encryption, instead of negotiating an algorithm
  * by inspecting the provided recipient keys.
  *
- * By default, PGPainless will only encrypt to a single encryption capable subkey per recipient key.
- * This behavior can be changed, e.g. by calling
+ * By default, PGPainless will encrypt to all suitable, encryption capable subkeys on each recipient's certificate.
+ * This behavior can be changed per recipient, e.g. by calling
  * 
  * {@code
- * opt.addRecipient(aliceKey, EncryptionOptions.encryptToAllCapableSubkeys());
+ * opt.addRecipient(aliceKey, EncryptionOptions.encryptToFirstSubkey());
  * }
  * 

  * when adding the recipient key.

From ca09ac62caa1134ac84774aeb034341f6255ef86 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 Aug 2022 13:37:18 +0200
Subject: [PATCH 0576/1450] KeyRingInfo.isUsableFor*(): Check if primary key is
 revoked

---
 .../org/pgpainless/key/info/KeyRingInfo.java  |  6 ++-
 .../key/modification/RevokedKeyTest.java      | 44 +++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokedKeyTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index b69e301b..85cc8f28 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -1048,10 +1048,14 @@ public class KeyRingInfo {
      * @return true if usable for encryption
      */
     public boolean isUsableForEncryption(@Nonnull EncryptionPurpose purpose) {
-        return !getEncryptionSubkeys(purpose).isEmpty();
+        return isKeyValidlyBound(getKeyId()) && !getEncryptionSubkeys(purpose).isEmpty();
     }
 
     public boolean isUsableForSigning() {
+        if (!isKeyValidlyBound(getKeyId())) {
+            return false;
+        }
+
         List signingKeys = getSigningSubkeys();
         for (PGPPublicKey pk : signingKeys) {
             PGPSecretKey sk = getSecretKey(pk.getKeyID());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokedKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokedKeyTest.java
new file mode 100644
index 00000000..6082308d
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokedKeyTest.java
@@ -0,0 +1,44 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.modification;
+
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.info.KeyRingInfo;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+public class RevokedKeyTest {
+
+    private static final String REVOKED = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "\n" +
+            "xjMEYumXWhYJKwYBBAHaRw8BAQdAsesa7C2dtchG2LDYRPVgNiyXDDltTIW0\n" +
+            "7hbPKuklr+LCeAQgFgoACQUCYume7wIdAAAhCRARRbJWkH7x7hYhBCHmM1W/\n" +
+            "k8Vt/xDX4xFFslaQfvHusjoBAKeMumYgtr1uwbcNobWhojRjik+Uq7jER1Ph\n" +
+            "zrZPPwyaAP9NpV4//AB5BbwUgHMhCErD8L6GZEBOpCWYDgS00eKmCc0kVGVz\n" +
+            "dCBVc2VyIDx0ZXN0LnVzZXJAZmxvd2NyeXB0LnRlc3Q+wqcEExYIADgWIQQh\n" +
+            "5jNVv5PFbf8Q1+MRRbJWkH7x7gUCYumXWgIbAwULCQgHAgYVCgkICwIEFgID\n" +
+            "AQIeAQIXgAAhCRARRbJWkH7x7hYhBCHmM1W/k8Vt/xDX4xFFslaQfvHu0GUB\n" +
+            "AJ/FAi0K0YQ/gv9fO2EwSLH9imrXSxtfkzAyCQS32A/IAQDdqUfbABEoQvo2\n" +
+            "n1ktpVXroW3XPe3HlYFwSQzpVSHADc44BGLpl1oSCisGAQQBl1UBBQEBB0DJ\n" +
+            "8e0hG6v64O4P3qa9n8FxrkNoKS+J+fAW1Vzpf5tBUQMBCAfCjwQYFggAIBYh\n" +
+            "BCHmM1W/k8Vt/xDX4xFFslaQfvHuBQJi6ZdaAhsMACEJEBFFslaQfvHuFiEE\n" +
+            "IeYzVb+TxW3/ENfjEUWyVpB+8e51yAD/ewAe43L4bXYehVAKq+/CSfXEpYxU\n" +
+            "8kZv/mfA6nRfvOIA/iTx2uNw5NzC6TM5ZCBrXVxVGPmR9SwjnBHRmzVAmT8B\n" +
+            "=pY9e\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+
+    @Test
+    public void test() throws IOException {
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(REVOKED);
+        KeyRingInfo info = PGPainless.inspectKeyRing(cert);
+
+        assertFalse(info.isUsableForSigning());
+        assertFalse(info.isUsableForEncryption());
+    }
+}

From a48ca4ede7a96570dc7c75239f6d13954274e072 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 Aug 2022 19:57:59 +0200
Subject: [PATCH 0577/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd96baef..4a8be4a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.4-SNAPSHOT
+- Fix `KeyRingInfo.isUsableForEncryption()`, `KeyRingInfo.isUsableForSigning()` not detecting revoked primary keys
+
 ## 1.3.3
 - Improve test compatibility against older JUnit versions
 - Fix tests that read from jar-embedded resources (thanks @jcharaoui)

From 3ceb4c1a36c26be9422f64e88a0e65d7cef7f4d2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 Aug 2022 20:02:58 +0200
Subject: [PATCH 0578/1450] Acknowledge donors

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 091b0cba..1ea9faaf 100644
--- a/README.md
+++ b/README.md
@@ -232,4 +232,7 @@ Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainl
 NGI Assure is made possible with financial support from the [European Commission](https://ec.europa.eu/)'s [Next Generation Internet](https://ngi.eu/) programme, under the aegis of [DG Communications Networks, Content and Technology](https://ec.europa.eu/info/departments/communications-networks-content-and-technology_en).
 [![NGI Assure Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/NGIAssure_tag.svg)](https://nlnet.nl/assure/)
 
-Continuous Integration is kindly provided by [Travis-CI.com](https://travis-ci.com/).
+Big thank you also to those who decided to support the work by donating!  
+Notably @msfjarvis
+
+You make my day!

From b23a1d77a3367fab6f889d17808cc69c36760441 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 14:05:12 +0200
Subject: [PATCH 0579/1450] Bump sop-java version to 4.0.1 and override
 executable name

---
 .../src/main/java/org/pgpainless/cli/PGPainlessCLI.java         | 1 +
 version.gradle                                                  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
index c53ced17..35791a3e 100644
--- a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
+++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
@@ -14,6 +14,7 @@ import sop.cli.picocli.SopCLI;
 public class PGPainlessCLI {
 
     static {
+        SopCLI.EXECUTABLE_NAME = "pgpainless-cli";
         SopCLI.setSopInstance(new SOPImpl());
     }
 
diff --git a/version.gradle b/version.gradle
index 9c5cae1f..fbed35bd 100644
--- a/version.gradle
+++ b/version.gradle
@@ -13,6 +13,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.0'
+        sopJavaVersion = '4.0.1'
     }
 }

From e36c1a00b1e9f75195f54723c043e44c86e658bc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 14:12:33 +0200
Subject: [PATCH 0580/1450] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a8be4a2..531bef0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.3.4-SNAPSHOT
 - Fix `KeyRingInfo.isUsableForEncryption()`, `KeyRingInfo.isUsableForSigning()` not detecting revoked primary keys
+- Bump `sop-java` and `sop-java-picocli` to `4.0.1`
+  - Fixes help text strings being resolved properly while allowing to override executable name
 
 ## 1.3.3
 - Improve test compatibility against older JUnit versions

From 6c936a25702ce83a7601f51fef5d334364635677 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 14:55:08 +0200
Subject: [PATCH 0581/1450] PGPainless 1.3.4

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 531bef0f..98324bea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.4-SNAPSHOT
+## 1.3.4
 - Fix `KeyRingInfo.isUsableForEncryption()`, `KeyRingInfo.isUsableForSigning()` not detecting revoked primary keys
 - Bump `sop-java` and `sop-java-picocli` to `4.0.1`
   - Fixes help text strings being resolved properly while allowing to override executable name
diff --git a/README.md b/README.md
index 1ea9faaf..c62cfc78 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.3'
+	implementation 'org.pgpainless:pgpainless-core:1.3.4'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 46aa8c21..3dc4e6c7 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.3"
+    implementation "org.pgpainless:pgpainless-sop:1.3.4"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.3
+        1.3.4
     
     ...
 
diff --git a/version.gradle b/version.gradle
index fbed35bd..637bf204 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.4'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From ff750d32fbdc7a7c1c17cc8a23df978c514cd6cf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 14:58:04 +0200
Subject: [PATCH 0582/1450] PGPainless 1.3.5-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 637bf204..bd645100 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.4'
-        isSnapshot = false
+        shortVersion = '1.3.5'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 38d04dca3526b0815644bca7d90c0ed67ff21bd6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 15:15:58 +0200
Subject: [PATCH 0583/1450] Merge gh-pages stuff into main

---
 CNAME                 |  1 +
 _config.yml           |  2 ++
 _layouts/default.html | 78 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 CNAME
 create mode 100644 _config.yml
 create mode 100644 _layouts/default.html

diff --git a/CNAME b/CNAME
new file mode 100644
index 00000000..b0cdad30
--- /dev/null
+++ b/CNAME
@@ -0,0 +1 @@
+gh.pgpainless.org
\ No newline at end of file
diff --git a/_config.yml b/_config.yml
new file mode 100644
index 00000000..40d208bd
--- /dev/null
+++ b/_config.yml
@@ -0,0 +1,2 @@
+logo: /assets/logo.png
+theme: jekyll-theme-minimal
diff --git a/_layouts/default.html b/_layouts/default.html
new file mode 100644
index 00000000..1df1e014
--- /dev/null
+++ b/_layouts/default.html
@@ -0,0 +1,78 @@
+
+
+  
+    
+    
+    {{ site.title | default: site.github.repository_name }} by {{ 
+site.github.owner_name }}
+
+    
+    
+    
+  
+  
+    

+      

+        
{{ site.title | default: site.github.repository_name }}

+	{% if site.logo %}
+          Logo
+	{% endif %}
+        
{{ site.description | default: site.github.project_tagline 
+}}

+
+        Home
+        

+	Releases
+	

+        Javadoc
+        

+        Coverage
+        

+
+
+        {% if site.github.is_project_page %}
+          
View the Project on GitHub {{ github_name }}

+        {% endif %}
+
+        {% if site.github.is_user_page %}
+          
View My 
+GitHub Profile

+        {% endif %}
+
+        {% if site.show_downloads %}
+          
+        {% endif %}
+      

+      

+
+      {{ content }}
+
+      

+      
+    

+    
+  
+

From 5b186fc387e6702907053c25b566227736fe56ee Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 15:21:16 +0200
Subject: [PATCH 0584/1450] Fix licenses for gh pages layout stuff

---
 .reuse/dep5               | 13 +++++
 LICENSES/CC-BY-SA-3.0.txt | 99 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100644 LICENSES/CC-BY-SA-3.0.txt

diff --git a/.reuse/dep5 b/.reuse/dep5
index f7656261..329ef6a7 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -43,3 +43,16 @@ License: CC0-1.0
 Files: audit/*
 Copyright: 2021 Paul Schaub 
 License: CC0-1.0
+
+# GH Pages
+Files: CNAME
+Copyright: 2022 Paul Schaub 
+License: CC0-1.0
+
+Files: _config.yml
+Copyright: 2022 Paul Schaub 
+License: CC0-1.0
+
+Files: _layouts/*
+Copyright: 2022 Paul Schaub , 2017 Steve Smith
+License: CC-BY-SA-3.0
\ No newline at end of file
diff --git a/LICENSES/CC-BY-SA-3.0.txt b/LICENSES/CC-BY-SA-3.0.txt
new file mode 100644
index 00000000..39a8591c
--- /dev/null
+++ b/LICENSES/CC-BY-SA-3.0.txt
@@ -0,0 +1,99 @@
+Creative Commons Attribution-ShareAlike 3.0 Unported
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE.
+
+License
+
+THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
+
+BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
+
+1. Definitions
+
+     a. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
+
+     b. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined below) for the purposes of this License.
+
+     c. "Creative Commons Compatible License" means a license that is listed at http://creativecommons.org/compatiblelicenses that has been approved by Creative Commons as being essentially equivalent to this License, including, at a minimum, because that license: (i) contains terms that have the same purpose, meaning and effect as the License Elements of this License; and, (ii) explicitly permits the relicensing of adaptations of works made available under that license under this License or a Creative Commons jurisdiction license with the same License Elements as this License.
+
+     d. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.
+
+     e. "License Elements" means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, ShareAlike.
+
+     f. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
+
+     g. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
+
+     h. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
+
+     i. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
+
+     j. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
+
+     k. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
+
+2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
+
+3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
+
+     a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;
+
+     b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";
+
+     c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,
+
+     d. to Distribute and Publicly Perform Adaptations.
+
+     e. For the avoidance of doubt:
+
+          i. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
+
+          ii. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,
+
+          iii. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.
+
+The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.
+
+4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
+
+     a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(c), as requested.
+
+     b. You may Distribute or Publicly Perform an Adaptation only under the terms of: (i) this License; (ii) a later version of this License with the same License Elements as this License; (iii) a Creative Commons jurisdiction license (either this or a later license version) that contains the same License Elements as this License (e.g., Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible License. If you license the Adaptation under one of the licenses mentioned in (iv), you must comply with the terms of that license. If you license the Adaptation under the terms of any of the licenses mentioned in (i), (ii) or (iii) (the "Applicable License"), you must comply with the terms of the Applicable License generally and the following provisions: (I) You must include a copy of, or the URI for, the Applicable License with every copy of each Adaptation You Distribute or Publicly Perform; (II) You may not offer or impose any terms on the Adaptation that restrict the terms of the Applicable License or the ability of the recipient of the Adaptation to exercise the rights granted to that recipient under the terms of the Applicable License; (III) You must keep intact all notices that refer to the Applicable License and to the disclaimer of warranties with every copy of the Work as included in the Adaptation You Distribute or Publicly Perform; (IV) when You Distribute or Publicly Perform the Adaptation, You may not impose any effective technological measures on the Adaptation that restrict the ability of a recipient of the Adaptation from You to exercise the rights granted to that recipient under the terms of the Applicable License. This Section 4(b) applies to the Adaptation as incorporated in a Collection, but this does not require the Collection apart from the Adaptation itself to be made subject to the terms of the Applicable License.
+
+     c. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Ssection 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
+
+     d. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise.
+
+5. Representations, Warranties and Disclaimer
+
+UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
+
+6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+7. Termination
+
+     a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
+
+     b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
+
+8. Miscellaneous
+
+     a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
+
+     b. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
+
+     c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
+
+     d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
+
+     e. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
+
+     f. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
+
+Creative Commons Notice
+
+Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor.
+
+Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. For the avoidance of doubt, this trademark restriction does not form part of the License.
+
+Creative Commons may be contacted at http://creativecommons.org/.

From 06b66dcc17dd13ebf5d31d7aedad55af52ce3983 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 15:33:09 +0200
Subject: [PATCH 0585/1450] Exclude irrelevant md files from gh-pages

---
 _config.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/_config.yml b/_config.yml
index 40d208bd..bdfcc3ab 100644
--- a/_config.yml
+++ b/_config.yml
@@ -1,2 +1,8 @@
 logo: /assets/logo.png
 theme: jekyll-theme-minimal
+
+exclude:
+  - CHANGELOG.md
+  - CODE_OF_CONDUCT.md
+  - SECURITY.md
+  - docs

From 0257c4d99ea69efc8857ce901c5c266355c7ddb0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 15:38:44 +0200
Subject: [PATCH 0586/1450] Add pages logo

---
 .reuse/dep5           |   6 +++++-
 _layouts/default.html |   4 ++--
 assets/logo.png       | Bin 0 -> 14740 bytes
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 assets/logo.png

diff --git a/.reuse/dep5 b/.reuse/dep5
index 329ef6a7..28dd7917 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -32,6 +32,10 @@ Files: assets/pgpainless.svg
 Copyright: 2021 Paul Schaub 
 License: CC-BY-3.0
 
+Files: assets/logo.png
+Copyright: 2022 Paul Schaub 
+License: CC-BY-3.0
+
 Files: assets/test_vectors/*
 Copyright: 2018 Paul Schaub 
 License: CC0-1.0
@@ -55,4 +59,4 @@ License: CC0-1.0
 
 Files: _layouts/*
 Copyright: 2022 Paul Schaub , 2017 Steve Smith
-License: CC-BY-SA-3.0
\ No newline at end of file
+License: CC-BY-SA-3.0
diff --git a/_layouts/default.html b/_layouts/default.html
index 1df1e014..8fa354dc 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -30,10 +30,10 @@ src="//html5shiv.googlecode.com/svn/trunk/html5.js">
 href="https://search.maven.org/search?q=g:org.pgpainless%20AND%20a:pgpainless-core&core=gav">Releases
 	

         Javadoc
+href=" https://javadoc.io/doc/org.pgpainless ">Javadoc
         

         Coverage
+href="https://coveralls.io/github/pgpainless/pgpainless">Coverage
         

 
 
diff --git a/assets/logo.png b/assets/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..6cfae8208b74a71af609b752921d128d4b60f6d4
GIT binary patch
literal 14740
zcmbVzcQn`k-}lGL9+^ot*_4@`O=M(dWR)#K_MRD;$tHY|$jFLhtL%KNLL&2%nVEe*
z^}GJL&$-XJ?(6!U^F6=P+k3rU&*$^8-qG5cD#Qd=2@nVbv6`ylJp=+H@!~%`O!x`u
zkNhkILfk}6QBKc0d+mphsotY=*)!UGB~hi@`*-zJpLF6V;_I+nzT8RF-5;8$;lkS~
zIEo@~txrtNG;z3xU!mRLXBAq_#gZT5^p5jbl()0r^{@0}v~57YtIgokoYich&E>qs
z#)^Z+!TwnH!EAT4s{sK4aP3)45flyr5!}pFg+OFugy0}%iST$42;18h7>HX~n1qNn
zS~4R9VlcQ36XALZn;H=;^xqx&mB|b-dm~zrg*vwAp8bIWTe})i;M!LnLM>xyo76>w<+4I+xmFM#bvVwwwZ{ED&=H`Y!OioSFuKxJ?
z^=n^WUweD|9Y$a4WQn=#Z*5i8)v=oq
zGT~#YKmGC1@1SN#X6mD#7+RikYr9XN((J?dz`%14=3rQbF?k(5Il1-_EZpASUj7Ho
zoYb*uhR7RcW@fUovbeZWTU%Ry=0BH}w%3GnV`Hl8dw6--+SqJN*71moXL#^^;We&Z
z*_$xW6MPgCA5Q}JM!{62Cl4>x!(+G6eOZ+zG@_y5AXnN?IsTej6In1lHg(?E=qR$N
z$gJ7>COdmkV`GMg_!VLXDeu8-aSRNMkrJ(jckfutNZN2PV;hoFQfT;1RhtMf$tfs0
zJ33SiF{*;;UP_IkQ12Wk_{TJOLT*=i|M?~Dw_jUVm&A|#3fI=iU-$lfT59T-Nl9`|
zWF1mcQpw55YwPQ3G??0|LOVB(Gijm!=pWqUgqz~&Jgq4OH~2K`_5DK
zNfnq(2wS6T*OOEO&kmR2ho=Xv=dcL4*q1J~>`ywvqumH2_L8%B^6fKYP;=m^FG}CF
zzxZyJ=;LX4zE^B`yqX1^zeh`T38{IR%fRqKXf(R??OQ$`9!a0=g*5ZP=zQgenmH08E;CXn{ovNy7S(;(;_gPb
z=<;5^9B+EM+Whe&6d*LQ%k`$Zy1GV2-h02t_)O}VoTyWwsEU!u#0tz4xF%myQ&YXm
z&ldZU>!^s6?!G=p*g&w;Ha0dCB8l234Xv%M17SbzEZ5Z3jG$0e`$dUxp7Q%O%7%t%
z9?Y}(GHsY2KYrY7Ip#+Xb(j|v7Q%sketsE@1Q{AHGcstYsFZw(&d6zKRCFkJ6fn;4
z2dj+cVAJsP^CQdt=Gl)FumAYq)%EPMe14(@Ep*|alRqkoirDJ8>zrI%Aq}425V@UJ
z5eo|sQS2vL8XEo46dV_=K=ds(W{5WDH4%qV_=&+=W2O4!z|ZmYtY(3tL;S%^7J_7{(D(6`tec$I$qg
z{_4j?N0(MqT$d)&GQ5BPa4E}${2Hf#K;`(j0jl%WZ#Z%a>ZsJ^RZGj6mh358N{?zn
zNHg-D{hd1m?YeKFTP8DL>Enhd-Me>>ymT`+FVEb-fEtaVt*ogzxc0q9?YW7Yn;`t%
zev60s=GfSnsHkZFL0M7J)7_QfSFe~h`1>a&CcI!5&dyq}s6T~f_bR}b`b$C?<9&wr
zZi@s-fv_lHVPTC~2B)pem$0$BK7ArbpH7$uv7-cn+gQ*Y5rq9-SINk#YzD3_9d}y}
zWQv@fo%J91ot^kBN#dL`Rej;)=hwV@_t85QFRz2nC{jjA&;D=U(t85`+!Pg+2|W3m
zuMjo;<44At7&KTUGQ5YOoz;~zHW;==TU(oX;9*2H!;c?7F6#N=!!Dx)4F_lEoSW94
z-kLOASsniQ^Bk(>1`pTHEKzLm&%op7J+;4szQt79j|IKi+n;g~`aTc4P*6xHW9{-T
zl+#ruoey4{Ht#-*yDx=DMhbps-I14F?2(d?tF#7aJuhX?STM
zDQGZV%^3&f@0V^76Qhc$=Zz(`omin^!D{-pz)+I)57Dp
z`T0G)yl7&(-%Fwr*eYim1AAEE+Jtb>n_
zPlQap&2-Cm_q9VY{2^V~o?J-49!?Z=gf1cSz-EAEwFIMMXl5oiB;Lx(3Tm*TqGIs2
z`5Npe_Z_3Nrwl!Zngu>AeZEc0V#=@S<6mirOzj&s|$WM}+&7J*A_E-uYGW>^78U4E6*t4bQu}?hk$P2O0&h13NUZm
z+FrQi=H`}Y=3JHV;M|D6g{-J}+#ZTUR8D1JVgmIP|A7WZnuf)amFxN0X`(^GO);^b
zHMXQ!^f%p~VPI2JT=A}vm5}g->VNMySD;gB8lB!kJ!Jrx(x2v#pUy)((T)b@qHh}!EWIC
z`uf4<&(D(=m+07Aov5y_EGiPQ>AzBLw$%ok(6zNR?D#eo9`E(p+!kq3(ecqyN=F(g
z3kQc7zkr(BTH*3__{TM92v$}s1dGU1tGh2WDv`+@!yO*rT-Fm6fbRF22Zb4yE+b*C^xK7CRyH$&j@HoI27Z*&;rzVzT|4wr|gY-Po++^h|=?7f`D
zT*NWOHFEOMx&WEW1Q9Up+a{Il?YYMH;gvo}O-(hLvb7=5oq<{1H7O&t8BYg4K0G}9
zdvyXpPgPahgv|LYLq$i2JltvegG;Q@iUn`qKCcXLaoIEvI;Ao{ZWeZ)6!xzfu(P)Z
zfNWE2V{q3sGUD|%!2?wjH{@n&Uvqo$=He9fLy;GXEe3pXr|4AOM)YaF!H3d8f
z4ePLn`>Cs|vvg)`p}W&2ZTFtEDJJaypIH14ILQC*&~O-%NJopbmX;P=QU*P!50Nc*%XMh-NIaHnkf>H>sgoR78yT6}&Mv{~t6Ox*j
zx4F2ebQFdgybV}fZ-+%^@o|&+N8hJMyJ!Gph!FSX!GT=qEDx%l%rL{a5wqbn*Z($v(veED*BcQ?|}^4Xni
zODbw=nVo*2ixU@~oSeW^1FR&OdaKj8HBcH&j%ai2j3h>?TVSI
z7OoUaotl=GayB^Ey{z7`v}6OA%pW$MNm5i&di3ZK@DfDvBO4oKW##?dT|nlf
zD6!!x@8ujX)dU^{+sA_$KV)l!(biV6pPXC>w^X8h%*&TAV`F1sF*7nU-a>gle_mQz
z3fnp&{yD0tE;Q<`ql5;0YdBTr_=f3GOO~!(h|v4;b$Jqs!1~43cOrg(Yw#w
z(u;~7d3bpE`Zg)DFbA+5!|ygYegCzzbZG>ehYzl_YpEFL60-M+&L#0I(RBzq&5ZBr
z+n5*vl*(ogFcv^a&*S1$6DSVKO&gPUhZW#x9163Zq0!M@fcPyQ=zCgPr0Ds5k9(!U
ze03_KRXqDBEFuC-8xWOd6Pbr9$MrjwmX^qBO#E5)vEV{xzLl
zIg3i@U4Wi7({IQ9wbw-PO+!KMr6%l1kS1PNRo!4`@1C5@^x!jv
zg?N#es14NgXcbUjSqgs?e)D1I7F!i(42v12r-6Y1Xbpeoq8Nees!ep@!terIJJ{QM
zRosmYZCtgwzRqrjc~uIZcZN>f?O|YGOI{u$TK=z1M>xLN3M6-kJ|^4S|RYz5?4
z|B==Z{s$fU!GjC_VQM-JLJ$lJGqY0{FHc|;0Oy>YoFa*6f32+C@?0}Ij)M1TO2YU|I>3is5$wjYg?5}Ro{4S-SYm~5`Zit+x_`&pueBjdj(ab4rq(OSyM;v
ze3ByJ)XUx7osp3dUMbX#R+i|%w{KVM#|VIbPBr_uKYhB_9){avfO$rR#%=$4>&Y){
zbckYqZ!h$Mn6=lUVq%Ok{m_G&XcvJpiHejfZ}@2Abs`VOmM9$
zn&P1f6;*EYi9cvxiHT$={a1hbg@%AKbMx|Qn49O#Rc!uj&4a0ynySC8{p3lt#&zrW
zmqbKFph?-%m!%hK9zk`T1zxh0YWK@r1!DrYa*vUELi}_B7&6
z0s>A!&=CK_l$??A-NfbN)8#?>>z|ile4fU3xPgH6!Bx5n%C@ke;Le>pSFV%+kpTJ<
zc(|Ar7#L{kKj;Tf#u)f_EVy{;kf`G2DAC{(1bP2>`K%
zO9vo`zrCqEc>((wxw#DS`yr;#8?Ty5bsB&46&b&IxKfy)y2(NdOK_tqVQzqy8k?FH
z6cpHB>B@y=Wjrvi9xV&d;9-L{@i(%eu5JvN(=I=Eq*w?}S~xbZQPrzgui6F&NqqXG
zrKSJ;`2)2$Rqs6iS(2z1NM&4XY#%HHZ2a)%C#(bJcjQU2As#_C2kJSex)6c
zqZPVAEN^2|TvH>2KDDMXGy5UX@)vU?7u-De
za-;#!9{e6FTOP_wu#TVAFEe0vp&%l{jMb5mk-3#SrJ<^7)bKb*k6UR*P&OMl=?|};
zN;BnYX@+`wl-oA#w^j3g<+q=y%M%kn_nPr3DJvsfj|YJixQ>RdZp!Xib&fXY?!keU
zrsm6@hj^b`8ydWp2Xne?w|%*1Ov&XfZZ6EWhkZFXg29CJiuIE@T47zlWf2leS#)_M
zZ&6Lyht=2FiFL>i!~XRW%O_#<@888GC9Ja7E*koQ6H_xj@B66k@QDY0#Li(}8`BxW
z_V@JlsU~go<>1Lcuh7bsimt!E5OqcBGB&j*2zC#eJh|dwmB??f2E;^NaumSt?Cc!gKqs@St8P*Rd3$?n
zQ$}p9_;2@cAP>+z-tKC6ArVRW`IhePLLEP#!oo|+hGXL56mM~eDCw;Ed#1r+=LN<=
zdwOVP6^bm4jEqc7Ok`Jo`MRUvL}L=hB{YZ4nUAqZk$mmbJFdqwut&>
zW?D*0aK}hmPPY4yUeAV#H8MhftM2XX;o#sT&E$V>r=`B~Oq+AM!38ul>g4eYSeKsu
z49T^n2nY&~2%2l^dlxdA#BvX&3?b8~XOE@xd?ZK3M&U6`1d+NWkefJi5M2Fven{D}RH=?~(!
z>LfKW<{u~AM6MDEdCC(XkNW?uD
z58tY-?M1-~3Gny7P)`(u>BMB1K>&FXWfn-Ks(lay9mSxZLe-489
zpsTGNT)^^5DoK@+ntFU{O1&lrHo)NL&$v1|2u#A9r>o<`K}W^4wYz1NE%JJoUoAq1
z1jx8M_5Ix=!Wg$;I4A>11DlY4rAdQks^JIAETG&6ySrbVx`59!^vOr=4!y8T3@C4J
zYeV!*f0jMj!fOAB(4wTLfBuVNGRh^u#iz}hcvb+A8*IU%@2a}G6v-wQh_|3BmXwr?
zxZrL)WX1@IXp0qSQLTx9wUw1^ZEBKGq{4W}8ACuq!q3N7^qu6C6hF94{n(Q=X7FQcd0!$rp1q*cXf3s
zDk{F>REbDxiH^KfnzbRHe?wL_&*l$c@LiXX(-g3antgUi7-dZL_4kYtD3t)IIv#E>
zevy21+rnZNx>%RhA8X06@$r|LnOCW(ih#fs{)DERiEGSDO-d(9q~fgAot3pgW>nj}
zH*O-#(?u#
zk{8GU0LM_K2;sU13PfoiA0J`TgKF!~WG~rd@pwI%$&CP2f+i@;LrO}jVloB`{zj43
zu=2s9oqMm24>k?0N)lzO(Q9kGsdrLeFKmK7KWxBG`k!CjT^{4(=9d3(<3(7Qg0*#_
zTQ?GkoP94?6Hr#WeGRO!K_6?*vK9
zhTiUxI3Y!BAS`6Mqbp1rNc3+4-c=S!7R+#htGp&CR4_E8nR^o-OU);*|Lx!IO9zE3
zpIce;qUW;dB?F^qX_3jH24hc~O2})&RPSzSS=mUCDtR;%PQLNj<#n=CkV}P4nB3@M
zIW8t9QJy8xIJ1wwshaK3mR@gAqgPgd)xV1?J-W>+bUM
zm^oHpNko#+$Go`$0GEgmQ=Jy{U}3^skR{((B~GvS5Gm<^*YKKKPyWf1o7*|^w`e2d
z<29j@a;#+j&SL3xe+m0HXnS8Z)^38x`>v)&hpNVPPG0Y>Gz%p`k}MfhE2!|l(&N}U
zIaL9zsOef&r!S%Ec}?jv!O(j#x4Efh>mJ@WXXohX=j&VGu)Yaq%oAbtDo1JQk6gON
zuN<7Ab9;z-d3iO|)+*}9{SI!s_iblLc5`6?xw`~h1@@4Neq3dxKyisQv?*2Tls#Yr
zHLZ)Gp`oi2l{_CCwK@IgpNnZz6-qEwQ7XH0FO(Tp#&lchb;E4Gq_3MWJTjttM5~v%
zwN5$tGU#xTMj{I~Jm&gT{2Rn4^_%dLfGU-YbgWM`45zZblC2p)X#e=5GYahTMqQle
zdpm|ZK(lywcsv$gW8?95zi(_DZpJP=v^~7Jo2GgN(J>K8$&#e{@7N=b?EDeTQ+-~2
zV(gbzb}~5psdsALz5ANV`ug?j+utUw!8zU%kqO@3cGIji)zL}H%2F@EdD*Pj#!O}u
z19UUL#z$HC(xmLRl9Cdh$?*q(VPGI>JSQdksmbhe2+hbtwB+!~Jvlf${}5l&Z=bix
z_-q+eZfH_=Q)_7%8PSFJeO^i9cTWlqU;&_xt)NatgcMy76B8?HSO?tiy~Tub!zPao
zU&4|*kDR58P>H{0@8BRmvj#o*a!c!X0e}&M`ph{ADGs4+_lR;hs)n+~!>pMr!E|J9
zRS!U;*fVJ)J*2$1W?`jNX4d>RKTb?d#numiHU+i4pN-uS=+jxh$H<2$k^
ze5rR57-i#|3S>e5C)C%aRQk9xD4E_ewGBcu2|m7@_e2l?BVk6lzhcmw0Lke1?f`&h
z;fq>^?Qna!CKZf!ef@~q?AB}IZVM-eJF1yYu5%p#)suvkM!I8ZNa-cQk)<#ju1%z$
z+EqjdIgaxp7q_lqzraAj~lHyfX`Q4*jvWH*>~Rpx`hIf(rrHG@rUO5Phg
z$VJ{Muo!T>-T)j3Sc2AR8ay5WA>q!}79=Gsk;3dC3xNpcn*QJ@Zh-xZ=rPIo5MVhXl*cFcVi
zsQ`Zh3koUVjO^1Lys&&=QNezyt*s3j!*Ta&bWoprx
z8Ve2yF9o|9LPHWIol;VKY)s&wLPA2IZp9S9po6KF;6gw%eRiA(GYcd@C^wMHjCetm
zsd)Rgdl#811@^|P-TMA%yLntZUY}u~^$b;uQ?q%6hmN<)8X6jYGlN|kJ;)p>PPc%Y
z7QQVgBBJkWQcjA2A-b}*rsrz{*9zxB@6chtY+gB`b#io6FebF1&y4!^?A~
zhC2o&NX0f%6#fyph#1fJc{aDmCk_i=_U_$1wDTNM?13GFRr-(u+|PD_kl{42n51z`
zqo_eB|E*9Z&{>Iw>Q8aBVYS!VSb&du1hOM{8nnltyqP#SRM5_+Cnt$;
z*Ig46hMbh#4bD*GYHIkuW4vL=VgS&+<3dM97FeU$=4i~?N$YCUa
zPCfTWrzKO=ITJO7I@B&@f;MUT!SgPLI66FYwcgF?fcvAQ07Xh7{AQS19XzD*U0S1g7Dan)cBC(W)lhRB3
z3iFb)mw^5M${8X^+UOyy0kPlu6sF|dO9wxLN@@;O)ZpxE?QDt
zT;S~99Yf_|aD|JL^R_X`xts-8q>aTuhEUX?#k*NFZ%;JA3isMR@bw-1eJ_!dPW6
zm4UXJiF0FMs$1F)X6M&5g4zueRZmAJwF?GV)Rm?lk&*QTHyH5rLzRl7UC#r{ATjTNe(OX5fmJnH^lAWMZCJd
z1syigke!kMZsziHPAyQ$XVdebsTp5S8Rl9WGc;FvFow{~z7_IVTMc~UN0d}l!~P2b
zf`a5`;z2NoI-hX2+XHLyadzh0wn-B(*Id4KpF1^I%7@%u>EfBxAg_b0IfTfU0D;f@(
z%bf1&UK?;5j;EJ&<<*ve{thxS*T+VU>&GDVBpM*)0Tdb<8L8U3O9%{*F!Av{AAEDv
z%$(ArnJ4qS@R635mPA(C%aKHvm*%{{qv*jUAk?7LLAkDQAL%+c{06q0ntLr37c{48E`9%%A-niZppy1LY*DfIag&A#h-z6KJXlDd)-&VY*BQ7b+m
zQWd>nb6-C{KoAG(Q;?$B{`8%Tk8faPqy`44Paoi{pVij51IiF}vwT3@q-vg0Ah*CU
z&I%|&colS`Plhv&l^-MR((i+Fav!~zmiK!^OSb5Kt`V=OpkRmIjBdL$?^fDHPQ!)}
zhyk?QXT3fbaR7k%H$?`?!43zsoOXP4bfZqzcJNvzADA{B^M;_=GjBn>4dn#nd=^qC
z5O#XT?Q5#1Hwrrb4H3<3RW{=mfAQkzbwC%uVKsuRR-u)#yiu*YFnhw**z+?pAwWrc
z`jL~H8}+rVZYvWK4vm;PDER&`anU
z8{cWo0lZhpx!ePlb8>nL21Rfs;dPkEkd+}^jgbS_W|t09SM4|L!vXusD{!ZR+5|EP
z%E@-PK&kH~pMu^f1t1X!=PfNS&##8kg2ai3kKcauVCDsv?n-MaSLz+8V1mj*R)wQX
zO5%41RSftfB+Bn3c?`N~@IeWnt2?<>UiJTXY
zcNZd95e}`8T}dzXS?o=H?eGcXC!18lpY84BJ4LDvGQc*3MEbBG=VnA@1k($`84B;r
z!Fq%~(*J@UoI*pxD5O(38@Zalzf{Yz{rTYV@Z~W)VPRn+dWjbynE+GA9RYM9mh{P7v)y$rxfceb}D>zz$JJ?nw7*9inoz>khM
zTZ2ybCP3{5Im6Oz6O_W2{ARvjBa_AMeOgq;iz;&6~gigwjXYJT+g
z8W*|gG2!~i>>dTkh#^+(Uq@L@OR16FoU@>_LTq0%A2pTSIovL%B`7V7G;ex6D%q3a*
zdXAJ&a&_K$swjHZO>F%7L3Q;eZExV43%FK5Ly-q-TotWJ7A*`UX)~1{e39No#mlc2pEEPXlJs7>+HM^ayCGw5AWZ<
zauyd8o9OH;%+JSguCZW3Qcw_UW?Sw-zDV)-;W#S@Z6I!3{}{9;`1H3Pd+x_XTqPaw
zPmu>&4_qU0UU)#>3KVLb&)a`s8iM?_Tf)5j{37~UQey2py9)BxLi_07X@&o|9|o-;
z!7ycL9OgX~{C+{2Sy?kOWWljHe$V=D1e$5F+4#-310_DG!
zmoM@K*RI7?#;T|Bw-@ZNC2491zxR$DJD2zaR^by;cu!szPUiT@!@f5*M3DWvGe)nv|7OIjlPV;7X{rlM}DCuJ}LSX9I<4YlJ9@
zi;IKdo|bWuae;8)&!F>wm*sy-Il;7nx4bz1)&u}=zeb_|Y+DE7RgxjINo1}_n$oDhy71r
z?B)lP9TIQWfd~jsTx4Xdy6{j~Tem1EQi{~mW?BNW4sQbR1rWd?jj)3tFd-Bs6PeNd
z`-_W6d8pmH{Z3+d-=BvQIrcAh6j2n;0?#
z?Ax;mVBdUEu&RC!u5MM;7FeF})L^neh6VZ(v<66<+-bcmZugZ5A{vkd!NtYhiGr^s
zz>#xuc7_C)&gOGWuw-!={mB>^6XqXj-Dbq5_6q>~QKFRx(bQY*sf7S~BV~7o&e>CX
z0wKx^9y?5C10XJjhOynhAjt&gFFeN?{tj$lSag^GaA`2SHSXR8r3Oeq-D!SMMc0}&o!09RnzK$ZnQ0=U$XvRswk
zI@WQeRIdpF%n(jJJv-h+I?k1V;|f*}FIa}3?Tdi3H(^6ILfZDwT5-3ixHz6cT7rcI
z#z~Y1-w9yd8NW?wKfhxz0Z?_b-B|*7TKxERwY92gZQ+pr*P*NnIuAreY<0mj7&^mo
zNt_*^3FojiY8GeEdI~!Yx;1G2s0ddRI7!giPTu*!`5EL1u5@H^MS7DPaf|4h0sI9h
z8x|HOVBVt9M7`0|+v|%iN(28Nz5yT%DQsP>lgwvl!^P
zA^WlIuZ*y|TKRC-Icv@aUD4`_9tcprD|!
zlW@Ql@V?=52I5>(asup7aL-ftL*fPp2cg-6X7=TwAgZqFvXTyjCwE7pLAc7bzP8i6$Bb2F;`Sb{4P-
zD@se512oddXJ*decas_XsP9A46m1wD08PK^M}Jc6NWf6hi3K_
zGO`yUJAY-|L@aZ9j`6--fp4giDUiw_Ct**66Q1W>HK_rfj_
z`$9GYKAcfLBFpzUJ=znS@$Q7g_3p~MQK&FgMwYI>)J8mp6>O)>mLI;?*n)NCe)`GZ
z(sGVap!v2h@At=msgR_UR{n(LNF*DIk^Hf%r>CZd23x@U7fCN(bR9pn)DZ`ai0+KI
zQn_KdH#8;=fD-Ty?2j;zVF7ByfUPM
zbaXB!aD>P?E__LXSn)Np{`H?*d>3PuG3ex`!zd?wbOOy|4DM=nad8hQFFZ4OsT>MW>g8A(Lm>i-z0Rhq*3gchDx&j{qHw|*$g#^bSdeaZWcikfG;pWH-RPqe}JtA8+kGcBzHh&tG|C+{J_+B8HY{0P4dh1qcmDb;18D`^$7X*xOgv
z)KEk#!q+3g%&^1YeMki+zZ|kPx_J@QZzwbZ0s`-B1I(7QJAc!mPb4we
zAhy7CynZTejhQEa&j^03|5Ao6e3pbzhK#QDr#NOa98doiHvg`Hfwy3s)=fMB4Vc4>
z5W$IFU4<_rfY6u98~-^eK9+@+3Sw(V=SVOkv{0~-K)_O?>9_`AMPJ|t%uyutEM_2z(gKVOhMqupU*HcUJoV@
z2jc?4@%Q(Szb1|XZ}&)2F*4@TI4cCkF7`qfwS_nz-&=5l>T7Eg&pweA{|*_eguIln
z@QYnr^8YIYI(C%mY5|h~WaAH>>o7rC;dw&gV;v@Ui3fVCjdNf3r!Mj3eaLfwS`Rszy|V=u((if(EnjF!6zghPuDR2eIJ
Date: Thu, 4 Aug 2022 15:45:03 +0200
Subject: [PATCH 0587/1450] Fix pages widths

---
 _layouts/default.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/_layouts/default.html b/_layouts/default.html
index 8fa354dc..b97cd792 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -15,7 +15,7 @@ src="//html5shiv.googlecode.com/svn/trunk/html5.js">
     
   
   
-    

+    

       

         
{{ site.title | default: site.github.repository_name }}

 	{% if site.logo %}
@@ -58,7 +58,7 @@ Ball
           
         {% endif %}
       

-      

+      

 
       {{ content }}
 

From fb5f039991c53982287324a1c7d48422f4fe184d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 4 Aug 2022 15:48:35 +0200
Subject: [PATCH 0588/1450] Tweaks to layout

---
 _layouts/default.html | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/_layouts/default.html b/_layouts/default.html
index b97cd792..879bb4a0 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -17,7 +17,6 @@ src="//html5shiv.googlecode.com/svn/trunk/html5.js">
   
     

       

-        
{{ site.title | default: site.github.repository_name }}

 	{% if site.logo %}
           Logo
 	{% endif %}
@@ -26,14 +25,13 @@ src="//html5shiv.googlecode.com/svn/trunk/html5.js">
 
         Home
         

-	Releases
-	

-        Javadoc
+	    Releases
+	    

+        Documentation
         

-        Coverage
+        Javadoc
+        

+        Coverage
         

 
 

From a1eceaf8e10e2e0c0255057e99a6e84cb280e5f2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 8 Aug 2022 00:23:58 +0200
Subject: [PATCH 0589/1450] Add manpages, script to generate manpages

---
 .reuse/dep5                                   |   9 +
 .../packaging/man/pgpainless-cli-armor.1      | 138 ++++++++++++
 .../packaging/man/pgpainless-cli-dearmor.1    | 132 ++++++++++++
 .../packaging/man/pgpainless-cli-decrypt.1    | 201 +++++++++++++++++
 .../packaging/man/pgpainless-cli-encrypt.1    | 170 +++++++++++++++
 .../man/pgpainless-cli-extract-cert.1         | 138 ++++++++++++
 .../man/pgpainless-cli-generate-completion.1  | 151 +++++++++++++
 .../man/pgpainless-cli-generate-key.1         | 152 +++++++++++++
 .../packaging/man/pgpainless-cli-help.1       | 146 +++++++++++++
 .../man/pgpainless-cli-inline-detach.1        | 143 ++++++++++++
 .../man/pgpainless-cli-inline-sign.1          | 165 ++++++++++++++
 .../man/pgpainless-cli-inline-verify.1        | 165 ++++++++++++++
 .../packaging/man/pgpainless-cli-sign.1       | 164 ++++++++++++++
 .../packaging/man/pgpainless-cli-verify.1     | 153 +++++++++++++
 .../packaging/man/pgpainless-cli-version.1    | 143 ++++++++++++
 pgpainless-cli/packaging/man/pgpainless-cli.1 | 203 ++++++++++++++++++
 pgpainless-cli/rewriteManPages.sh             |  24 +++
 17 files changed, 2397 insertions(+)
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-armor.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-help.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-sign.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-verify.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-version.1
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli.1
 create mode 100755 pgpainless-cli/rewriteManPages.sh

diff --git a/.reuse/dep5 b/.reuse/dep5
index 28dd7917..96efa937 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -60,3 +60,12 @@ License: CC0-1.0
 Files: _layouts/*
 Copyright: 2022 Paul Schaub , 2017 Steve Smith
 License: CC-BY-SA-3.0
+
+# Man Pages
+Files: pgpainless-cli/rewriteManPages.sh
+Copyright: 2022 Paul Schaub 
+License: Apache-2.0
+
+Files: pgpainless-cli/packaging/man/*
+Copyright: 2022 Paul Schaub 
+License: Apache-2.0
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-armor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
new file mode 100644
index 00000000..bc0efe20
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
@@ -0,0 +1,138 @@
+'\" t
+.\"     Title: pgpainless-cli-armor
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-ARMOR" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-armor \- Add ASCII Armor to standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli armor\fP [\fB\-\-label\fP=\fI{auto|sig|key|cert|message}\fP]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-label\fP=\fI{auto|sig|key|cert|message}\fP
+.RS 4
+Label to be used in the header and tail of the armoring
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
new file mode 100644
index 00000000..0dacf89c
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
@@ -0,0 +1,132 @@
+'\" t
+.\"     Title: pgpainless-cli-dearmor
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-DEARMOR" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-dearmor \- Remove ASCII Armor from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli dearmor\fP
+.SH "DESCRIPTION"
+
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
new file mode 100644
index 00000000..c97eb7e9
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
@@ -0,0 +1,201 @@
+'\" t
+.\"     Title: pgpainless-cli-decrypt
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-DECRYPT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-decrypt \- Decrypt a message from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli decrypt\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
+[\fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP] [\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP]
+[\fB\-\-verify\-with\fP=\fICERT\fP]... [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]...
+[\fB\-\-with\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP]...
+[\fIKEY\fP...]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-not\-after\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to current system time (\(aqnow\(aq).
+.sp
+Accepts special value \(aq\-\(aq for end of time.
+.RE
+.sp
+\fB\-\-not\-before\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to beginning of time (\(aq\-\(aq).
+.RE
+.sp
+\fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP
+.RS 4
+Can be used to learn the session key on successful decryption
+.RE
+.sp
+\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP
+.RS 4
+Emits signature verification status to the designated output
+.RE
+.sp
+\fB\-\-verify\-with\fP=\fICERT\fP
+.RS 4
+Certificates for signature verification
+.RE
+.sp
+\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+.RS 4
+Passphrase to unlock the secret key(s).
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+.RE
+.sp
+\fB\-\-with\-password\fP=\fIPASSWORD\fP
+.RS 4
+Symmetric passphrase to decrypt the message with.
+.sp
+Enables decryption based on any "SKESK" packets in the "CIPHERTEXT".
+.RE
+.sp
+\fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP
+.RS 4
+Symmetric message key (session key).
+.sp
+Enables decryption of the "CIPHERTEXT" using the session key directly against the "SEIPD" packet.
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fIKEY\fP...]
+.RS 4
+Secret keys to attempt decryption with
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
new file mode 100644
index 00000000..78c8e434
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
@@ -0,0 +1,170 @@
+'\" t
+.\"     Title: pgpainless-cli-encrypt
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-ENCRYPT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-encrypt \- Encrypt a message from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli encrypt\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text}\fP] [\fB\-\-sign\-with\fP=\fIKEY\fP]...
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-password\fP=\fIPASSWORD\fP]...
+[\fICERTS\fP...]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-as\fP=\fI{binary|text}\fP
+.RS 4
+Type of the input data. Defaults to \(aqbinary\(aq
+.RE
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.sp
+\fB\-\-sign\-with\fP=\fIKEY\fP
+.RS 4
+Sign the output with a private key
+.RE
+.sp
+\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+.RS 4
+Passphrase to unlock the secret key(s).
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+.RE
+.sp
+\fB\-\-with\-password\fP=\fIPASSWORD\fP
+.RS 4
+Encrypt the message with a password.
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fICERTS\fP...]
+.RS 4
+Certificates the message gets encrypted to
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1 b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
new file mode 100644
index 00000000..7beaad14
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
@@ -0,0 +1,138 @@
+'\" t
+.\"     Title: pgpainless-cli-extract-cert
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-EXTRACT\-CERT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-extract\-cert \- Extract a public key certificate from a secret key from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli extract\-cert\fP [\fB\-\-[no\-]armor\fP]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
new file mode 100644
index 00000000..dfc5448a
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
@@ -0,0 +1,151 @@
+'\" t
+.\"     Title: pgpainless-cli-generate-completion
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: generate-completion 4.6.3
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-GENERATE\-COMPLETION" "1" "2022-08-07" "generate\-completion 4.6.3" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-generate\-completion \- Generate bash/zsh completion script for pgpainless\-cli.
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli generate\-completion\fP [\fB\-hV\fP]
+.SH "DESCRIPTION"
+.sp
+Generate bash/zsh completion script for pgpainless\-cli.
+Run the following command to give \f(CRpgpainless\-cli\fP TAB completion in the current shell:
+.sp
+.if n .RS 4
+.nf
+source <(pgpainless\-cli generate\-completion)
+.fi
+.if n .RE
+.SH "OPTIONS"
+.sp
+\fB\-h\fP, \fB\-\-help\fP
+.RS 4
+Show this help message and exit.
+.RE
+.sp
+\fB\-V\fP, \fB\-\-version\fP
+.RS 4
+Print version information and exit.
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
new file mode 100644
index 00000000..66d6d1b9
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
@@ -0,0 +1,152 @@
+'\" t
+.\"     Title: pgpainless-cli-generate-key
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-GENERATE\-KEY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-generate\-key \- Generate a secret key
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli generate\-key\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP] [\fI\fP...]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.sp
+\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+.RS 4
+Password to protect the private key with
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fI\fP...]
+.RS 4
+User\-ID, e.g. "Alice <\c
+.MTO "alice\(atexample.com" "" ">""
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-help.1 b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
new file mode 100644
index 00000000..8688615a
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
@@ -0,0 +1,146 @@
+'\" t
+.\"     Title: pgpainless-cli-help
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-HELP" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-help \- Display usage information for the specified subcommand
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli help\fP [\fB\-h\fP] [\fICOMMAND\fP]
+.SH "DESCRIPTION"
+.sp
+When no COMMAND is given, the usage help for the main command is displayed.
+If a COMMAND is specified, the help for that command is shown.
+.SH "OPTIONS"
+.sp
+\fB\-h\fP, \fB\-\-help\fP
+.RS 4
+Show usage help for the help command and exit.
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fICOMMAND\fP]
+.RS 4
+The COMMAND to display the usage help message for.
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
new file mode 100644
index 00000000..ccb4901a
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
@@ -0,0 +1,143 @@
+'\" t
+.\"     Title: pgpainless-cli-inline-detach
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-INLINE\-DETACH" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-inline\-detach \- Split signatures from a clearsigned message
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli inline\-detach\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-signatures\-out\fP=\fISIGNATURES\fP]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.sp
+\fB\-\-signatures\-out\fP=\fISIGNATURES\fP
+.RS 4
+Destination to which a detached signatures block will be written
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
new file mode 100644
index 00000000..90d8908f
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
@@ -0,0 +1,165 @@
+'\" t
+.\"     Title: pgpainless-cli-inline-sign
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-INLINE\-SIGN" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-inline\-sign \- Create an inline\-signed message from data on standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli inline\-sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text|cleartextsigned}\fP]
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-as\fP=\fI{binary|text|cleartextsigned}\fP
+.RS 4
+Specify the signature format of the signed message
+.sp
+\(aqtext\(aq and \(aqbinary\(aq will produce inline\-signed messages.
+.sp
+\(aqcleartextsigned\(aq will make use of the cleartext signature framework.
+.sp
+Defaults to \(aqbinary\(aq.
+.sp
+If \(aq\-\-as=text\(aq and the input data is not valid UTF\-8, inline\-sign fails with return code 53.
+.RE
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.sp
+\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+.RS 4
+Passphrase to unlock the secret key(s).
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fIKEYS\fP...]
+.RS 4
+Secret keys used for signing
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
new file mode 100644
index 00000000..2f989285
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
@@ -0,0 +1,165 @@
+'\" t
+.\"     Title: pgpainless-cli-inline-verify
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-INLINE\-VERIFY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-inline\-verify \- Verify inline\-signed data from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli inline\-verify\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
+[\fB\-\-verifications\-out\fP=\fI\fP] \fICERT\fP...
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-not\-after\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to current system time ("now").
+.sp
+Accepts special value "\-" for end of time.
+.RE
+.sp
+\fB\-\-not\-before\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to beginning of time ("\-").
+.RE
+.sp
+\fB\-\-verifications\-out\fP=\fI\fP
+.RS 4
+File to write details over successful verifications to
+.RE
+.SH "ARGUMENTS"
+.sp
+\fICERT\fP...
+.RS 4
+Public key certificates for signature verification
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
new file mode 100644
index 00000000..cc830e7f
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
@@ -0,0 +1,164 @@
+'\" t
+.\"     Title: pgpainless-cli-sign
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-SIGN" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-sign \- Create a detached signature on the data from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text}\fP] [\fB\-\-micalg\-out\fP=\fIMICALG\fP]
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-as\fP=\fI{binary|text}\fP
+.RS 4
+Specify the output format of the signed message
+.sp
+Defaults to \(aqbinary\(aq.
+.RE
+.sp
+\fB\-\-micalg\-out\fP=\fIMICALG\fP
+.RS 4
+Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content\-Type (RFC3156)
+.RE
+.sp
+\fB\-\-[no\-]armor\fP
+.RS 4
+ASCII armor the output
+.RE
+.sp
+\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+.RS 4
+Passphrase to unlock the secret key(s).
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+.RE
+.SH "ARGUMENTS"
+.sp
+[\fIKEYS\fP...]
+.RS 4
+Secret keys used for signing
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
new file mode 100644
index 00000000..297f8374
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
@@ -0,0 +1,153 @@
+'\" t
+.\"     Title: pgpainless-cli-verify
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-VERIFY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-verify \- Verify a detached signature over the data from standard input
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli verify\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP] \fISIGNATURE\fP \fICERT\fP...
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-not\-after\fP=\fIDATE\fP, \fB\-\-not\-before\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to beginning of time ("\-").
+.RE
+.SH "ARGUMENTS"
+.sp
+\fISIGNATURE\fP
+.RS 4
+Detached signature
+.RE
+.sp
+\fICERT\fP...
+.RS 4
+Public key certificates for signature verification
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-version.1 b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
new file mode 100644
index 00000000..0a235d7a
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
@@ -0,0 +1,143 @@
+'\" t
+.\"     Title: pgpainless-cli-version
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-VERSION" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-version \- Display version information about the tool
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli version\fP [\fB\-\-extended\fP | \fB\-\-backend\fP]
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-backend\fP
+.RS 4
+Print information about the cryptographic backend
+.RE
+.sp
+\fB\-\-extended\fP
+.RS 4
+Print an extended version string
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli.1 b/pgpainless-cli/packaging/man/pgpainless-cli.1
new file mode 100644
index 00000000..171c394e
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli.1
@@ -0,0 +1,203 @@
+'\" t
+.\"     Title: pgpainless-cli
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"      Date: 2022-08-07
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli \- Stateless OpenPGP Protocol
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli\fP [COMMAND]
+.SH "DESCRIPTION"
+
+.SH "COMMANDS"
+.sp
+\fBhelp\fP
+.RS 4
+Display usage information for the specified subcommand
+.RE
+.sp
+\fBarmor\fP
+.RS 4
+Add ASCII Armor to standard input
+.RE
+.sp
+\fBdearmor\fP
+.RS 4
+Remove ASCII Armor from standard input
+.RE
+.sp
+\fBdecrypt\fP
+.RS 4
+Decrypt a message from standard input
+.RE
+.sp
+\fBinline\-detach\fP
+.RS 4
+Split signatures from a clearsigned message
+.RE
+.sp
+\fBencrypt\fP
+.RS 4
+Encrypt a message from standard input
+.RE
+.sp
+\fBextract\-cert\fP
+.RS 4
+Extract a public key certificate from a secret key from standard input
+.RE
+.sp
+\fBgenerate\-key\fP
+.RS 4
+Generate a secret key
+.RE
+.sp
+\fBsign\fP
+.RS 4
+Create a detached signature on the data from standard input
+.RE
+.sp
+\fBverify\fP
+.RS 4
+Verify a detached signature over the data from standard input
+.RE
+.sp
+\fBinline\-sign\fP
+.RS 4
+Create an inline\-signed message from data on standard input
+.RE
+.sp
+\fBinline\-verify\fP
+.RS 4
+Verify inline\-signed data from standard input
+.RE
+.sp
+\fBversion\fP
+.RS 4
+Display version information about the tool
+.RE
+.sp
+\fBgenerate\-completion\fP
+.RS 4
+Generate bash/zsh completion script for pgpainless\-cli.
+.RE
+.SH "EXIT CODES:"
+.sp
+\fB0\fP
+.RS 4
+Successful program execution
+.RE
+.sp
+\fB1\fP
+.RS 4
+Generic program error
+.RE
+.sp
+\fB3\fP
+.RS 4
+Verification requested but no verifiable signature found
+.RE
+.sp
+\fB13\fP
+.RS 4
+Unsupported asymmetric algorithm
+.RE
+.sp
+\fB17\fP
+.RS 4
+Certificate is not encryption capable
+.RE
+.sp
+\fB19\fP
+.RS 4
+Usage error: Missing argument
+.RE
+.sp
+\fB23\fP
+.RS 4
+Incomplete verification instructions
+.RE
+.sp
+\fB29\fP
+.RS 4
+Unable to decrypt
+.RE
+.sp
+\fB31\fP
+.RS 4
+Password is not human\-readable
+.RE
+.sp
+\fB37\fP
+.RS 4
+Unsupported Option
+.RE
+.sp
+\fB41\fP
+.RS 4
+Invalid data or data of wrong type encountered
+.RE
+.sp
+\fB53\fP
+.RS 4
+Non\-text input received where text was expected
+.RE
+.sp
+\fB59\fP
+.RS 4
+Output file already exists
+.RE
+.sp
+\fB61\fP
+.RS 4
+Input file does not exist
+.RE
+.sp
+\fB67\fP
+.RS 4
+Cannot unlock password protected secret key
+.RE
+.sp
+\fB69\fP
+.RS 4
+Unsupported subcommand
+.RE
+.sp
+\fB71\fP
+.RS 4
+Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+.RE
+.sp
+\fB73\fP
+.RS 4
+Ambiguous input (a filename matching the designator already exists)
+.RE
+.sp
+\fB79\fP
+.RS 4
+Key is not signing capable
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/rewriteManPages.sh b/pgpainless-cli/rewriteManPages.sh
new file mode 100755
index 00000000..321dbdde
--- /dev/null
+++ b/pgpainless-cli/rewriteManPages.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+SOP_DIR=$(realpath $SCRIPT_DIR/../../sop-java)
+[ ! -d "$SOP_DIR" ] && echo "sop-java repository MUST be cloned next to pgpainless repo" && exit 1;
+SRC_DIR=$SOP_DIR/sop-java-picocli/build/docs/manpage
+[ ! -d "$SRC_DIR" ] && echo "No sop manpages found." && exit 1;
+DEST_DIR=$SCRIPT_DIR/packaging/man
+mkdir -p $DEST_DIR
+
+for page in $SRC_DIR/*
+do
+    SRC="${page##*/}"
+    DEST="${SRC/sop/pgpainless-cli}"
+    sed \
+        -e 's#.\\"     Title: sop#.\\"     Title: pgpainless-cli#g' \
+        -e 's/Manual: Sop Manual/Manual: PGPainless-CLI Manual/g' \
+        -e 's/.TH "SOP/.TH "PGPAINLESS\\-CLI/g' \
+        -e 's/"Sop Manual"/"PGPainless\\-CLI Manual"/g' \
+        -e 's/\\fBsop/\\fBpgpainless\\-cli/g' \
+        -e 's/sop/pgpainless\\-cli/g' \
+        $page > $DEST_DIR/$DEST
+done
+

From e6b89e2c3b29caf4b98b43947eeb9a877f0e6edb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 8 Aug 2022 13:14:18 +0200
Subject: [PATCH 0590/1450] Add KeyRingReader.keyRing(*) mnethods to read
 either a public or secret key ring

---
 .../pgpainless/key/parsing/KeyRingReader.java | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
index 0021f74e..b5b8ea65 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
@@ -14,6 +14,7 @@ import java.util.List;
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyRing;
 import org.bouncycastle.openpgp.PGPMarker;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
@@ -32,6 +33,42 @@ public class KeyRingReader {
     @SuppressWarnings("CharsetObjectCanBeUsed")
     public static final Charset UTF8 = Charset.forName("UTF-8");
 
+    /**
+     * Read a {@link PGPKeyRing} (either {@link PGPSecretKeyRing} or {@link PGPPublicKeyRing}) from the given
+     * {@link InputStream}.
+     *
+     * @param inputStream inputStream containing the OpenPGP key or certificate
+     * @return key ring
+     * @throws IOException in case of an IO error
+     */
+    public PGPKeyRing keyRing(@Nonnull InputStream inputStream) throws IOException {
+        return readKeyRing(inputStream);
+    }
+
+    /**
+     * Read a {@link PGPKeyRing} (either {@link PGPSecretKeyRing} or {@link PGPPublicKeyRing}) from the given
+     * byte array.
+     *
+     * @param bytes byte array containing the OpenPGP key or certificate
+     * @return key ring
+     * @throws IOException in case of an IO error
+     */
+    public PGPKeyRing keyRing(@Nonnull byte[] bytes) throws IOException {
+        return keyRing(new ByteArrayInputStream(bytes));
+    }
+
+    /**
+     * Read a {@link PGPKeyRing} (either {@link PGPSecretKeyRing} or {@link PGPPublicKeyRing}) from the given
+     * ASCII armored string.
+     *
+     * @param asciiArmored ASCII armored OpenPGP key or certificate
+     * @return key ring
+     * @throws IOException in case of an IO error
+     */
+    public PGPKeyRing keyRing(@Nonnull String asciiArmored) throws IOException {
+        return keyRing(asciiArmored.getBytes(UTF8));
+    }
+
     public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream) throws IOException {
         return readPublicKeyRing(inputStream);
     }
@@ -95,6 +132,55 @@ public class KeyRingReader {
         return keyRingCollection(asciiArmored.getBytes(UTF8), isSilent);
     }
 
+    /**
+     * Read a {@link PGPKeyRing} (either {@link PGPSecretKeyRing} or {@link PGPPublicKeyRing}) from the given
+     * {@link InputStream}.
+     * This method will attempt to read at most {@link #MAX_ITERATIONS} objects from the stream before aborting.
+     * The first {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing} will be returned.
+     *
+     * @param inputStream inputStream containing the OpenPGP key or certificate
+     * @return key ring
+     * @throws IOException in case of an IO error
+     */
+    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream) throws IOException {
+        return readKeyRing(inputStream, MAX_ITERATIONS);
+    }
+
+    /**
+     * Read a {@link PGPKeyRing} (either {@link PGPSecretKeyRing} or {@link PGPPublicKeyRing}) from the given
+     * {@link InputStream}.
+     * This method will attempt to read at most 
maxIterations
 objects from the stream before aborting.
+     * The first {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing} will be returned.
+     *
+     * @param inputStream inputStream containing the OpenPGP key or certificate
+     * @param maxIterations maximum number of objects that are read before the method will abort
+     * @return key ring
+     * @throws IOException in case of an IO error
+     */
+    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
+        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
+                ArmorUtils.getDecoderStream(inputStream));
+        int i = 0;
+        Object next;
+        do {
+            next = objectFactory.nextObject();
+            if (next == null) {
+                return null;
+            }
+            if (next instanceof PGPMarker) {
+                continue;
+            }
+            if (next instanceof PGPSecretKeyRing) {
+                return (PGPSecretKeyRing) next;
+            }
+            if (next instanceof PGPPublicKeyRing) {
+                return (PGPPublicKeyRing) next;
+            }
+        } while (++i < maxIterations);
+
+        throw new IOException("Loop exceeded max iteration count.");
+    }
+
     public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream) throws IOException {
         return readPublicKeyRing(inputStream, MAX_ITERATIONS);
     }

From b9845912ee1112a76158c2129b359056519c694e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 8 Aug 2022 13:20:28 +0200
Subject: [PATCH 0591/1450] Add tests for readKeyRing()

---
 .../key/parsing/KeyRingReaderTest.java        | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
index 404440ca..8a634200 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/parsing/KeyRingReaderTest.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.key.parsing;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -23,6 +24,7 @@ import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.bcpg.MarkerPacket;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
@@ -562,4 +564,54 @@ class KeyRingReaderTest {
         assertThrows(IOException.class, () ->
                 KeyRingReader.readPublicKeyRingCollection(new ByteArrayInputStream(bytes.toByteArray()), 512));
     }
+
+    @Test
+    public void testReadKeyRingWithBinaryPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys);
+        byte[] bytes = publicKeys.getEncoded();
+
+        PGPKeyRing keyRing = PGPainless.readKeyRing()
+                .keyRing(bytes);
+
+        assertTrue(keyRing instanceof PGPPublicKeyRing);
+        assertArrayEquals(keyRing.getEncoded(), publicKeys.getEncoded());
+    }
+
+    @Test
+    public void testReadKeyRingWithBinarySecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        byte[] bytes = secretKeys.getEncoded();
+
+        PGPKeyRing keyRing = PGPainless.readKeyRing()
+                .keyRing(bytes);
+
+        assertTrue(keyRing instanceof PGPSecretKeyRing);
+        assertArrayEquals(keyRing.getEncoded(), secretKeys.getEncoded());
+    }
+
+    @Test
+    public void testReadKeyRingWithArmoredPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys);
+        String armored = PGPainless.asciiArmor(publicKeys);
+
+        PGPKeyRing keyRing = PGPainless.readKeyRing()
+                .keyRing(armored);
+
+        assertTrue(keyRing instanceof PGPPublicKeyRing);
+        assertArrayEquals(keyRing.getEncoded(), publicKeys.getEncoded());
+    }
+
+    @Test
+    public void testReadKeyRingWithArmoredSecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice ");
+        String armored = PGPainless.asciiArmor(secretKeys);
+
+        PGPKeyRing keyRing = PGPainless.readKeyRing()
+                .keyRing(armored);
+
+        assertTrue(keyRing instanceof PGPSecretKeyRing);
+        assertArrayEquals(keyRing.getEncoded(), secretKeys.getEncoded());
+    }
 }

From bc5dc50b788ec4826dde1ab32cb4fbc72df5eba3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 9 Aug 2022 15:08:59 +0200
Subject: [PATCH 0592/1450] Add KeyRingInfo.isSigningCapable()

Fixes #307
---
 .../org/pgpainless/key/info/KeyRingInfo.java  | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 85cc8f28..cb328300 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -1051,10 +1051,36 @@ public class KeyRingInfo {
         return isKeyValidlyBound(getKeyId()) && !getEncryptionSubkeys(purpose).isEmpty();
     }
 
-    public boolean isUsableForSigning() {
+    /**
+     * Returns true, if the key ring is capable of signing.
+     * Contrary to {@link #isUsableForSigning()}, this method also returns true, if this {@link KeyRingInfo} is based
+     * on a key ring which has at least one valid public key marked for signing.
+     * The secret key is not required for the key ring to qualify as signing capable.
+     *
+     * @return true if key corresponding to the cert is capable of signing
+     */
+    public boolean isSigningCapable() {
+        // check if primary-key is revoked / expired
         if (!isKeyValidlyBound(getKeyId())) {
             return false;
         }
+        // check if it has signing-capable key
+        return !getSigningSubkeys().isEmpty();
+    }
+
+    /**
+     * Returns true, if this {@link KeyRingInfo} is based on a {@link PGPSecretKeyRing}, which has a valid signing key
+     * which is ready to be used (i.e. secret key is present and is not on a smart-card).
+     *
+     * If you just want to check, whether a key / certificate has signing capable subkeys,
+     * use {@link #isSigningCapable()} instead.
+     *
+     * @return true if key is ready to be used for signing
+     */
+    public boolean isUsableForSigning() {
+        if (!isSigningCapable()) {
+            return false;
+        }
 
         List signingKeys = getSigningSubkeys();
         for (PGPPublicKey pk : signingKeys) {

From b3c6a33afe6de74043fcb796372a2f0a8bb72f7c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 11 Aug 2022 10:36:32 +0200
Subject: [PATCH 0593/1450] Update readme

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98324bea..32651964 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,13 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.5-SNAPSHOT
+- Add `KeyRingInfo.isCapableOfSigning()`
+- Add `KeyRingReader.readKeyRing(*)` methods that can take both secret- and public keys
+- Add manpages
+  - Add script to generate manpages from sop-java-picocli
+- Build website from main branch
+
 ## 1.3.4
 - Fix `KeyRingInfo.isUsableForEncryption()`, `KeyRingInfo.isUsableForSigning()` not detecting revoked primary keys
 - Bump `sop-java` and `sop-java-picocli` to `4.0.1`

From c361fecdd931900e61fe0e1683dadee64c402756 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 11 Aug 2022 15:56:32 +0200
Subject: [PATCH 0594/1450] PGPainless 1.3.5

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32651964..40035c0b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.5-SNAPSHOT
+## 1.3.5
 - Add `KeyRingInfo.isCapableOfSigning()`
 - Add `KeyRingReader.readKeyRing(*)` methods that can take both secret- and public keys
 - Add manpages
diff --git a/README.md b/README.md
index c62cfc78..a733e426 100644
--- a/README.md
+++ b/README.md
@@ -189,7 +189,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.4'
+	implementation 'org.pgpainless:pgpainless-core:1.3.5'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 3dc4e6c7..d5e22046 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.4"
+    implementation "org.pgpainless:pgpainless-sop:1.3.5"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.4
+        1.3.5
     
     ...
 
diff --git a/version.gradle b/version.gradle
index bd645100..a0424908 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.5'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From bbcbba021d635c1e78567ae89e82b32e2dd0eca6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 11 Aug 2022 15:58:57 +0200
Subject: [PATCH 0595/1450] PGPainless 1.3.6-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index a0424908..3baa01be 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.5'
-        isSnapshot = false
+        shortVersion = '1.3.6'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From aeffcdd8ee77e97c4c6ef6badcbd672beea34f52 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 12 Aug 2022 13:05:17 +0200
Subject: [PATCH 0596/1450] Add repology packaging status badge

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index a733e426..778f91c1 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,8 @@ SPDX-License-Identifier: Apache-2.0
 
 **PGPainless is an easy-to-use OpenPGP library for Java and Android applications**
 
+[![Packaging status](https://repology.org/badge/vertical-allrepos/pgpainless.svg)](https://repology.org/project/pgpainless/versions)
+
 ## About
 
 PGPainless aims to make using OpenPGP in Java projects as simple as possible.

From 6b3d676531eaa53aba3a713b5d741a7cd8109311 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 12 Aug 2022 13:06:09 +0200
Subject: [PATCH 0597/1450] Move maven packaging badge next to repology badge

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 778f91c1..482b8ac9 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,6 @@ SPDX-License-Identifier: Apache-2.0
 # PGPainless - Use OpenPGP Painlessly!
 
 [![Build Status](https://github.com/pgpainless/pgpainless/actions/workflows/gradle_push.yml/badge.svg)](https://github.com/pgpainless/pgpainless/actions/workflows/gradle_push.yml)
-[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
 [![Coverage Status](https://coveralls.io/repos/github/pgpainless/pgpainless/badge.svg?branch=main)](https://coveralls.io/github/pgpainless/pgpainless?branch=main)
 [![Interoperability Test-Suite](https://badgen.net/badge/Sequoia%20Test%20Suite/%232/green)](https://tests.sequoia-pgp.org/)
 [![PGP](https://img.shields.io/badge/pgp-A027%20DB2F%203E1E%20118A-blue)](https://keyoxide.org/7F9116FEA90A5983936C7CFAA027DB2F3E1E118A)
@@ -17,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 **PGPainless is an easy-to-use OpenPGP library for Java and Android applications**
 
 [![Packaging status](https://repology.org/badge/vertical-allrepos/pgpainless.svg)](https://repology.org/project/pgpainless/versions)
+[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-core)](https://search.maven.org/artifact/org.pgpainless/pgpainless-core)
 
 ## About
 

From 054828ef8c1fd1ff0c0bffa183fcd663b9e0adbc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 10:37:55 +0200
Subject: [PATCH 0598/1450] Remove deprecated
 EncryptionResult.getSymmetricKeyAlgorithm()

Use getEncryptionAlgorithm() instead
---
 .../encryption_signing/EncryptionResult.java        | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
index 10342a3c..4112092c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionResult.java
@@ -46,19 +46,6 @@ public final class EncryptionResult {
         this.fileEncoding = encoding;
     }
 
-    /**
-     * Return the symmetric encryption algorithm used to encrypt the message.
-     * @return symmetric encryption algorithm
-     *
-     * @deprecated use {@link #getEncryptionAlgorithm()} instead.
-     *
-     * TODO: Remove in 1.2.X
-     */
-    @Deprecated
-    public SymmetricKeyAlgorithm getSymmetricKeyAlgorithm() {
-        return getEncryptionAlgorithm();
-    }
-
     /**
      * Return the symmetric encryption algorithm used to encrypt the message.
      *

From 7faa6c580ab1102faf43c1a9e68fd12ca6f49a1b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 10:38:44 +0200
Subject: [PATCH 0599/1450] Remove deprecated
 ArmorUtils.createArmoredOutputStream()

---
 .../java/org/pgpainless/util/ArmorUtils.java  | 22 -------------------
 1 file changed, 22 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 48bdc0cc..160d8d0a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -267,28 +267,6 @@ public final class ArmorUtils {
         return armoredOutputStream;
     }
 
-    /**
-     * Return an {@link ArmoredOutputStream} prepared with headers for the given key ring, which wraps the given
-     * {@link OutputStream}.
-     *
-     * The armored output stream can be used to encode the key ring by calling {@link PGPKeyRing#encode(OutputStream)}
-     * with the armored output stream as an argument.
-     *
-     * @param keyRing key ring
-     * @param outputStream wrapped output stream
-     * @return armored output stream
-     *
-     * @deprecated use {@link #toAsciiArmoredStream(PGPKeyRing, OutputStream)} instead
-     *
-     * TODO: Remove in 1.2.X
-     */
-    @Deprecated
-    @Nonnull
-    public static ArmoredOutputStream createArmoredOutputStreamFor(@Nonnull PGPKeyRing keyRing,
-                                                                   @Nonnull OutputStream outputStream) {
-        return toAsciiArmoredStream(keyRing, outputStream);
-    }
-
     /**
      * Generate a header map for ASCII armor from the given {@link PGPKeyRing}.
      *

From 6f161c83363181f10c570baef2dc1f335c518e7f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 10:42:18 +0200
Subject: [PATCH 0600/1450] Update changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40035c0b..b44e5502 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.6-SNAPSHOT
+- Remove deprecated methods
+  - `ArmorUtils.createArmoredOutputStreamFor()` -> use `ArmorUtils.toAsciiArmoredStream()` instead
+  - `EncryptionResult.getSymmetricKeyAlgorithm()` -> use `EncryptionResult.getEncryptionAlgorithm()` instead
+
 ## 1.3.5
 - Add `KeyRingInfo.isCapableOfSigning()`
 - Add `KeyRingReader.readKeyRing(*)` methods that can take both secret- and public keys

From 405e67c0cbcd1448dbb87d7dadef589e65cced2c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 11:06:17 +0200
Subject: [PATCH 0601/1450] Add documentation to AlgorithmNegotiator classes

---
 .../negotiation/HashAlgorithmNegotiator.java  | 33 +++++++++++++++++++
 .../SymmetricKeyAlgorithmNegotiator.java      | 21 ++++++++++--
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java
index f76a2c26..18fe53f9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/HashAlgorithmNegotiator.java
@@ -9,18 +9,51 @@ import java.util.Set;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.policy.Policy;
 
+/**
+ * Interface for a class that negotiates {@link HashAlgorithm HashAlgorithms}.
+ *
+ * You can provide your own implementation using custom logic by implementing the
+ * {@link #negotiateHashAlgorithm(Set)} method.
+ */
 public interface HashAlgorithmNegotiator {
 
+    /**
+     * Pick one {@link HashAlgorithm} from the ordered set of acceptable algorithms.
+     *
+     * @param orderedHashAlgorithmPreferencesSet hash algorithm preferences
+     * @return picked algorithms
+     */
     HashAlgorithm negotiateHashAlgorithm(Set orderedHashAlgorithmPreferencesSet);
 
+    /**
+     * Return an instance that negotiates {@link HashAlgorithm HashAlgorithms} used for non-revocation signatures
+     * based on the given {@link Policy}.
+     *
+     * @param policy algorithm policy
+     * @return negotiator
+     */
     static HashAlgorithmNegotiator negotiateSignatureHashAlgorithm(Policy policy) {
         return negotiateByPolicy(policy.getSignatureHashAlgorithmPolicy());
     }
 
+    /**
+     * Return an instance that negotiates {@link HashAlgorithm HashAlgorithms} used for revocation signatures
+     * based on the given {@link Policy}.
+     *
+     * @param policy algorithm policy
+     * @return negotiator
+     */
     static HashAlgorithmNegotiator negotiateRevocationSignatureAlgorithm(Policy policy) {
         return negotiateByPolicy(policy.getRevocationSignatureHashAlgorithmPolicy());
     }
 
+    /**
+     * Return an instance that negotiates {@link HashAlgorithm HashAlgorithms} based on the given
+     * {@link Policy.HashAlgorithmPolicy}.
+     *
+     * @param hashAlgorithmPolicy algorithm policy for hash algorithms
+     * @return negotiator
+     */
     static HashAlgorithmNegotiator negotiateByPolicy(Policy.HashAlgorithmPolicy hashAlgorithmPolicy) {
         return new HashAlgorithmNegotiator() {
             @Override
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java
index 427bcc69..de8ced24 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/negotiation/SymmetricKeyAlgorithmNegotiator.java
@@ -22,18 +22,35 @@ public interface SymmetricKeyAlgorithmNegotiator {
 
     /**
      * Negotiate a symmetric encryption algorithm.
+     * If the override is non-null, it will be returned instead of performing an actual negotiation.
+     * Otherwise, the list of ordered sets containing the preferences of different recipient keys will be
+     * used to determine a suitable symmetric encryption algorithm.
      *
      * @param policy algorithm policy
      * @param override algorithm override (if not null, return this)
      * @param keyPreferences list of preferences per key
      * @return negotiated algorithm
      */
-    SymmetricKeyAlgorithm negotiate(Policy.SymmetricKeyAlgorithmPolicy policy, SymmetricKeyAlgorithm override, List> keyPreferences);
+    SymmetricKeyAlgorithm negotiate(
+            Policy.SymmetricKeyAlgorithmPolicy policy,
+            SymmetricKeyAlgorithm override,
+            List> keyPreferences);
 
+    /**
+     * Return an instance that negotiates a {@link SymmetricKeyAlgorithm} by selecting the most popular acceptable
+     * algorithm from the list of preferences.
+     *
+     * This negotiator has the best chances to select an algorithm which is understood by all recipients.
+     *
+     * @return negotiator that selects by popularity
+     */
     static SymmetricKeyAlgorithmNegotiator byPopularity() {
         return new SymmetricKeyAlgorithmNegotiator() {
             @Override
-            public SymmetricKeyAlgorithm negotiate(Policy.SymmetricKeyAlgorithmPolicy policy, SymmetricKeyAlgorithm override, List> preferences) {
+            public SymmetricKeyAlgorithm negotiate(
+                    Policy.SymmetricKeyAlgorithmPolicy policy,
+                    SymmetricKeyAlgorithm override,
+                    List> preferences) {
                 if (override == SymmetricKeyAlgorithm.NULL) {
                     throw new IllegalArgumentException("Algorithm override cannot be NULL (plaintext).");
                 }

From d019c0d5db2fd948e0e823b491322b2c9588ff3d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 11:09:32 +0200
Subject: [PATCH 0602/1450] Add RevocationState implementation from wot branch

---
 .../pgpainless/algorithm/RevocationState.java | 134 ++++++++++++++++--
 .../algorithm/RevocationStateType.java        |  23 +++
 2 files changed, 144 insertions(+), 13 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationStateType.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
index 5a0fa142..bf17ca2b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
@@ -4,20 +4,128 @@
 
 package org.pgpainless.algorithm;
 
-public enum RevocationState {
+import org.pgpainless.util.DateUtil;
 
-    /**
-     * Certificate is not revoked.
-     */
-    notRevoked,
+import javax.annotation.Nonnull;
+import java.util.Date;
+import java.util.NoSuchElementException;
 
-    /**
-     * Certificate is revoked with a soft revocation.
-     */
-    softRevoked,
+public class RevocationState implements Comparable {
 
-    /**
-     * Certificate is revoked with a hard revocation.
-     */
-    hardRevoked
+    private final RevocationStateType type;
+    private final Date date;
+
+    private RevocationState(RevocationStateType type) {
+        this(type, null);
+    }
+
+    private RevocationState(RevocationStateType type, Date date) {
+        this.type = type;
+        if (type == RevocationStateType.softRevoked && date == null) {
+            throw new NullPointerException("If type is 'softRevoked' then date cannot be null.");
+        }
+        this.date = date;
+    }
+
+    public static RevocationState notRevoked() {
+        return new RevocationState(RevocationStateType.notRevoked);
+    }
+
+    public static RevocationState softRevoked(@Nonnull Date date) {
+        return new RevocationState(RevocationStateType.softRevoked, date);
+    }
+
+    public static RevocationState hardRevoked() {
+        return new RevocationState(RevocationStateType.hardRevoked);
+    }
+
+    public RevocationStateType getType() {
+        return type;
+    }
+
+    public @Nonnull Date getDate() {
+        if (!isSoftRevocation()) {
+            throw new NoSuchElementException("RevocationStateType is not equal to 'softRevoked'. Cannot extract date.");
+        }
+        return date;
+    }
+
+    public boolean isHardRevocation() {
+        return getType() == RevocationStateType.hardRevoked;
+    }
+
+    public boolean isSoftRevocation() {
+        return getType() == RevocationStateType.softRevoked;
+    }
+
+    public boolean isNotRevoked() {
+        return getType() == RevocationStateType.notRevoked;
+    }
+
+    @Override
+    public String toString() {
+        String out = getType().toString();
+        if (isSoftRevocation()) {
+            out = out + " (" + DateUtil.formatUTCDate(date) + ")";
+        }
+        return out;
+    }
+
+    @Override
+    public int compareTo(@Nonnull RevocationState o) {
+        switch (getType()) {
+            case notRevoked:
+                if (o.isNotRevoked()) {
+                    return 0;
+                } else {
+                    return -1;
+                }
+
+            case softRevoked:
+                if (o.isNotRevoked()) {
+                    return 1;
+                } else if (o.isSoftRevocation()) {
+                    // Compare soft dates in reverse
+                    return o.getDate().compareTo(getDate());
+                } else {
+                    return -1;
+                }
+
+            case hardRevoked:
+                if (o.isHardRevocation()) {
+                    return 0;
+                } else {
+                    return 1;
+                }
+
+            default:
+                throw new AssertionError("Unknown type: " + type);
+        }
+    }
+
+    @Override
+    public int hashCode() {
+        return type.hashCode() * 31 + (isSoftRevocation() ? getDate().hashCode() : 0);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (this == obj) {
+            return true;
+        }
+        if (!(obj instanceof RevocationState)) {
+            return false;
+        }
+        RevocationState other = (RevocationState) obj;
+        if (getType() != other.getType()) {
+            return false;
+        }
+        if (isSoftRevocation()) {
+            return DateUtil.toSecondsPrecision(getDate()).getTime() == DateUtil.toSecondsPrecision(other.getDate()).getTime();
+        }
+        return true;
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationStateType.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationStateType.java
new file mode 100644
index 00000000..d1757255
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationStateType.java
@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+public enum RevocationStateType {
+
+    /**
+     * Certificate is not revoked.
+     */
+    notRevoked,
+
+    /**
+     * Certificate is revoked with a soft revocation.
+     */
+    softRevoked,
+
+    /**
+     * Certificate is revoked with a hard revocation.
+     */
+    hardRevoked
+}

From c73905d179c77c7aca04bd6a067dc09d15ec8a52 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 11:12:42 +0200
Subject: [PATCH 0603/1450] Import RevocationStateTest from wot branch

---
 .../pgpainless/algorithm/RevocationState.java |  2 +-
 .../algorithm/RevocationStateTest.java        | 96 +++++++++++++++++++
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
index bf17ca2b..8e4a60d3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/RevocationState.java
@@ -10,7 +10,7 @@ import javax.annotation.Nonnull;
 import java.util.Date;
 import java.util.NoSuchElementException;
 
-public class RevocationState implements Comparable {
+public final class RevocationState implements Comparable {
 
     private final RevocationStateType type;
     private final Date date;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
new file mode 100644
index 00000000..c1e45413
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
@@ -0,0 +1,96 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.util.DateUtil;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+import java.util.NoSuchElementException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class RevocationStateTest {
+
+    @Test
+    public void testNotRevoked() {
+        RevocationState state = RevocationState.notRevoked();
+        assertEquals(RevocationStateType.notRevoked, state.getType());
+        assertTrue(state.isNotRevoked());
+        assertFalse(state.isHardRevocation());
+        assertFalse(state.isSoftRevocation());
+        assertThrows(NoSuchElementException.class, state::getDate);
+        assertEquals("notRevoked", state.toString());
+    }
+
+    @Test
+    public void testHardRevoked() {
+        RevocationState state = RevocationState.hardRevoked();
+        assertEquals(RevocationStateType.hardRevoked, state.getType());
+        assertTrue(state.isHardRevocation());
+        assertFalse(state.isSoftRevocation());
+        assertFalse(state.isNotRevoked());
+
+        assertThrows(NoSuchElementException.class, state::getDate);
+        assertEquals("hardRevoked", state.toString());
+    }
+
+    @Test
+    public void testSoftRevoked() {
+        Date date = DateUtil.parseUTCDate("2022-08-03 18:26:35 UTC");
+        assertNotNull(date);
+
+        RevocationState state = RevocationState.softRevoked(date);
+        assertEquals(RevocationStateType.softRevoked, state.getType());
+        assertTrue(state.isSoftRevocation());
+        assertFalse(state.isHardRevocation());
+        assertFalse(state.isNotRevoked());
+        assertEquals(date, state.getDate());
+
+        assertEquals("softRevoked (2022-08-03 18:26:35 UTC)", state.toString());
+    }
+
+    @Test
+    public void testSoftRevokedNullDateThrows() {
+        assertThrows(NullPointerException.class, () -> RevocationState.softRevoked(null));
+    }
+
+    @Test
+    public void orderTest() {
+        assertEquals(RevocationState.notRevoked(), RevocationState.notRevoked());
+        assertEquals(RevocationState.hardRevoked(), RevocationState.hardRevoked());
+        Date now = new Date();
+        assertEquals(RevocationState.softRevoked(now), RevocationState.softRevoked(now));
+
+        assertEquals(0, RevocationState.notRevoked().compareTo(RevocationState.notRevoked()));
+        assertEquals(0, RevocationState.hardRevoked().compareTo(RevocationState.hardRevoked()));
+        assertTrue(RevocationState.hardRevoked().compareTo(RevocationState.notRevoked()) > 0);
+
+        List states = new ArrayList<>();
+        RevocationState earlySoft = RevocationState.softRevoked(DateUtil.parseUTCDate("2000-05-12 10:44:01 UTC"));
+        RevocationState laterSoft = RevocationState.softRevoked(DateUtil.parseUTCDate("2022-08-03 18:26:35 UTC"));
+        RevocationState hard = RevocationState.hardRevoked();
+        RevocationState not = RevocationState.notRevoked();
+        RevocationState not2 = RevocationState.notRevoked();
+        states.add(laterSoft);
+        states.add(not);
+        states.add(not2);
+        states.add(hard);
+        states.add(earlySoft);
+
+        Collections.shuffle(states);
+        Collections.sort(states);
+
+        assertEquals(states, Arrays.asList(not, not2, laterSoft, earlySoft, hard));
+    }
+}

From 0cc884523ca79f04dbdb17f676dc1d8b4719061d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 11:30:10 +0200
Subject: [PATCH 0604/1450] Integrate RevocationState into KeyRingInfo class

---
 .../org/pgpainless/key/info/KeyRingInfo.java   | 18 +++++++++++++++++-
 .../pgpainless/key/info/KeyRingInfoTest.java   |  8 +++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index cb328300..995bded4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -36,6 +36,7 @@ import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
+import org.pgpainless.algorithm.RevocationState;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.OpenPgpFingerprint;
@@ -58,6 +59,7 @@ public class KeyRingInfo {
     private final Signatures signatures;
     private final Date referenceDate;
     private final String primaryUserId;
+    private final RevocationState revocationState;
 
     /**
      * Evaluate the key ring at creation time of the given signature.
@@ -101,6 +103,16 @@ public class KeyRingInfo {
         this.signatures = new Signatures(keys, validationDate, policy);
         this.referenceDate = validationDate;
         this.primaryUserId = findPrimaryUserId();
+        this.revocationState = findRevocationState();
+    }
+
+    private RevocationState findRevocationState() {
+        PGPSignature revocation = signatures.primaryKeyRevocation;
+        if (revocation != null) {
+            return SignatureUtils.isHardRevocation(revocation) ?
+                    RevocationState.hardRevoked() : RevocationState.softRevoked(revocation.getCreationTime());
+        }
+        return RevocationState.notRevoked();
     }
 
     /**
@@ -650,13 +662,17 @@ public class KeyRingInfo {
         return mostRecent;
     }
 
+    public RevocationState getRevocationState() {
+        return revocationState;
+    }
+
     /**
      * Return the date on which the primary key was revoked, or null if it has not yet been revoked.
      *
      * @return revocation date or null
      */
     public @Nullable Date getRevocationDate() {
-        return getRevocationSelfSignature() == null ? null : getRevocationSelfSignature().getCreationTime();
+        return getRevocationState().isSoftRevocation() ? getRevocationState().getDate() : null;
     }
 
     /**
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
index f49d5a46..61e09477 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/KeyRingInfoTest.java
@@ -49,6 +49,7 @@ import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnprotectedKeysProtector;
 import org.pgpainless.key.util.KeyRingUtils;
+import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.key.util.UserId;
 import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.Passphrase;
@@ -105,7 +106,12 @@ public class KeyRingInfoTest {
         assertNull(sInfo.getRevocationDate());
         assertNull(pInfo.getRevocationDate());
         Date revocationDate = DateUtil.now();
-        PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys).revoke(new UnprotectedKeysProtector()).done();
+        PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys).revoke(
+                new UnprotectedKeysProtector(),
+                RevocationAttributes.createKeyRevocation()
+                        .withReason(RevocationAttributes.Reason.KEY_RETIRED)
+                        .withoutDescription()
+        ).done();
         KeyRingInfo rInfo = PGPainless.inspectKeyRing(revoked);
         assertNotNull(rInfo.getRevocationDate());
         assertEquals(revocationDate.getTime(), rInfo.getRevocationDate().getTime(), 5);

From 1b04d67e1a768405bb6300fc51b676a51eff3450 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 11:30:26 +0200
Subject: [PATCH 0605/1450] Remove unused SignatureSubpacketGeneratorUtil class
 and tests

---
 .../SignatureSubpacketGeneratorUtil.java      | 75 -------------------
 .../SignatureSubpacketGeneratorUtilTest.java  | 40 ----------
 2 files changed, 115 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
deleted file mode 100644
index 8fc02e7f..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketGeneratorUtil.java
+++ /dev/null
@@ -1,75 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.signature.subpackets;
-
-import java.util.Date;
-import javax.annotation.Nonnull;
-
-import org.bouncycastle.bcpg.SignatureSubpacket;
-import org.bouncycastle.bcpg.SignatureSubpacketTags;
-import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
-
-/**
- * Utility class that helps to deal with BCs SignatureSubpacketGenerator class.
- */
-public final class SignatureSubpacketGeneratorUtil {
-
-    private SignatureSubpacketGeneratorUtil() {
-
-    }
-
-    /**
-     * Remove all packets of the given type from the {@link PGPSignatureSubpacketGenerator PGPSignatureSubpacketGenerators}
-     * internal set.
-     *
-     * @param subpacketType type of subpacket to remove
-     * @param subpacketGenerator subpacket generator
-     */
-    public static void removeAllPacketsOfType(org.pgpainless.algorithm.SignatureSubpacket subpacketType,
-                                              PGPSignatureSubpacketGenerator subpacketGenerator) {
-        removeAllPacketsOfType(subpacketType.getCode(), subpacketGenerator);
-    }
-
-    /**
-     * Remove all packets of the given type from the {@link PGPSignatureSubpacketGenerator PGPSignatureSubpacketGenerators}
-     * internal set.
-     *
-     * @param type type of subpacket to remove
-     * @param subpacketGenerator subpacket generator
-     */
-    public static void removeAllPacketsOfType(int type, PGPSignatureSubpacketGenerator subpacketGenerator) {
-        for (SignatureSubpacket subpacket : subpacketGenerator.getSubpackets(type)) {
-            subpacketGenerator.removePacket(subpacket);
-        }
-    }
-
-    /**
-     * Replace all occurrences of a signature creation time subpackets in the subpacket generator
-     * with a single new instance representing the provided date.
-     *
-     * @param date signature creation time
-     * @param subpacketGenerator subpacket generator
-     */
-    public static void setSignatureCreationTimeInSubpacketGenerator(Date date, PGPSignatureSubpacketGenerator subpacketGenerator) {
-        removeAllPacketsOfType(SignatureSubpacketTags.CREATION_TIME, subpacketGenerator);
-        subpacketGenerator.setSignatureCreationTime(false, date);
-    }
-
-    /**
-     * Replace all occurrences of key expiration time subpackets in the subpacket generator
-     * with a single instance representing the new expiration time.
-     *
-     * @param expirationDate expiration time as date or null for no expiration
-     * @param creationDate date on which the key was created
-     * @param subpacketGenerator subpacket generator
-     */
-    public static void setKeyExpirationDateInSubpacketGenerator(Date expirationDate,
-                                                                @Nonnull Date creationDate,
-                                                                PGPSignatureSubpacketGenerator subpacketGenerator) {
-        removeAllPacketsOfType(SignatureSubpacketTags.KEY_EXPIRE_TIME, subpacketGenerator);
-        long secondsToExpire = SignatureSubpacketsUtil.getKeyLifetimeInSeconds(expirationDate, creationDate);
-        subpacketGenerator.setKeyExpirationTime(true, secondsToExpire);
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java
deleted file mode 100644
index fe10cf1e..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/util/SignatureSubpacketGeneratorUtilTest.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.util;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-
-import java.util.Date;
-
-import org.bouncycastle.bcpg.SignatureSubpacketTags;
-import org.bouncycastle.bcpg.sig.Features;
-import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
-import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.algorithm.SignatureSubpacket;
-import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil;
-
-public class SignatureSubpacketGeneratorUtilTest {
-
-    @Test
-    public void testRemoveAllPacketsOfTypeRemovesAll() {
-        PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator();
-        generator.setFeature(false, Features.FEATURE_MODIFICATION_DETECTION);
-        generator.setSignatureCreationTime(false, new Date());
-        generator.setSignatureCreationTime(true, new Date());
-        PGPSignatureSubpacketVector vector = generator.generate();
-
-        assertEquals(2, vector.getSubpackets(SignatureSubpacketTags.CREATION_TIME).length);
-        assertNotNull(vector.getSubpackets(SignatureSubpacketTags.FEATURES));
-
-        generator = new PGPSignatureSubpacketGenerator(vector);
-        SignatureSubpacketGeneratorUtil.removeAllPacketsOfType(SignatureSubpacket.signatureCreationTime, generator);
-        vector = generator.generate();
-
-        assertEquals(0, vector.getSubpackets(SignatureSubpacketTags.CREATION_TIME).length);
-        assertNotNull(vector.getSubpackets(SignatureSubpacketTags.FEATURES));
-    }
-}

From 3f82bd31149321292b909a8e7e84573092ea7fee Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 12:03:01 +0200
Subject: [PATCH 0606/1450] Quickstart guide: Add section on ASCII armor

---
 docs/source/pgpainless-core/quickstart.md | 63 ++++++++++++++++++++---
 1 file changed, 56 insertions(+), 7 deletions(-)

diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index f2a018ef..a965799a 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -91,15 +91,64 @@ PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
 ```
 
 ### Apply / Remove ASCII Armor
+ASCII armor is a layer of radix64 encoding that can be used to wrap binary OpenPGP data in order to make it save to
+transport via text-based channels (e.g. email bodies).
+
+The way in which ASCII armor can be applied depends on the type of data that you want to protect.
+The easies way to ASCII armor an OpenPGP key or certificate is by using PGPainless' `asciiArmor()` method:
+
+```java
+PGPPublicKey certificate = ...;
+String asciiArmored = PGPainless.asciiArmor(certificate);
+```
+
+If you want to ASCII armor ciphertext, you can enable ASCII armoring during encrypting/signing by requesting
+PGPainless to armor the result:
+
+```java
+ProducerOptions producerOptions = ...; // prepare as usual (see next section)
+
+producerOptions.setAsciiArmor(true); // enable armoring
+
+EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+        .onOutputStream(out)
+        .withOptions(producerOptions);
+
+...
+```
+
+If you have an already encrypted / signed binary message and want to add ASCII armoring retrospectively, you need
+to make use of BouncyCastle's `ArmoredOutputStream` as follows:
+
+```java
+InputStream binaryOpenPgpIn = ...; // e.g. new ByteArrayInputStream(binaryMessage);
+
+OutputStream output = ...; // e.g. new ByteArrayOutputStream();
+ArmoredOutputStream armorOut = ArmoredOutputStreamFactory.get(output);
+
+Streams.pipeAll(binaryOpenPgpIn, armorOut);
+armorOut.close(); // important!
+```
+
+The output stream will now contain the ASCII armored representation of the binary data.
+
+To remove ASCII armor, you can make use of BouncyCastle's `ArmoredInputStream` as follows:
+
+```java
+InputStream input = ...; // e.g. new ByteArrayInputStream(armoredString.getBytes(StandardCharsets.UTF8));
+OutputStream output = ...;
+
+ArmoredInputStream armorIn = new ArmoredInputStream(input);
+Streams.pipeAll(armorIn, output);
+armorIn.close();
+```
+
+The output stream will now contain the binary OpenPGP data.
+
+### Encrypt and/or Sign a Message
 TODO
 
-### Encrypt a Message
-TODO
-
-### Decrypt a Message
-TODO
-
-### Sign a Message
+### Decrypt and/or Verify a Message
 TODO
 
 ### Verify a Signature

From 39ff2bca73b81ee539a44962c5e96ed6aae5db62 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 12:35:51 +0200
Subject: [PATCH 0607/1450] Fix javadoc of SigningOptions methods

---
 .../encryption_signing/SigningOptions.java    | 26 ++++++++++++++-----
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index f81bf5aa..43db00d1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -104,6 +104,7 @@ public final class SigningOptions {
      * @param signingKey key ring containing the signing key
      * @return this
      *
+     * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or a signing method cannot be created
      */
     public SigningOptions addSignature(SecretKeyRingProtector signingKeyProtector,
@@ -119,6 +120,7 @@ public final class SigningOptions {
      * @param signingKeys collection of signing keys
      * @param signatureType type of signature (binary, canonical text)
      * @return this
+     *
      * @throws KeyException if something is wrong with any of the keys
      * @throws PGPException if any of the keys cannot be unlocked or a signing method cannot be created
      */
@@ -140,9 +142,10 @@ public final class SigningOptions {
      * @param secretKeyDecryptor decryptor to unlock the signing secret key
      * @param secretKey signing key
      * @param signatureType type of signature (binary, canonical text)
+     * @return this
+     *
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
-     * @return this
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
                                              PGPSecretKeyRing secretKey,
@@ -163,7 +166,8 @@ public final class SigningOptions {
      * @param userId user-id of the signer
      * @param signatureType signature type (binary, canonical text)
      * @return this
-     * @throws KeyException if the key is invalid
+     *
+     * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
@@ -187,8 +191,8 @@ public final class SigningOptions {
      * @param signatureType signature type (binary, canonical text)
      * @param subpacketsCallback callback to modify the hashed and unhashed subpackets of the signature
      * @return this
-     * @throws KeyException
-     * if the key is invalid
+     *
+     * @throws KeyException if the key is invalid
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
     public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
@@ -234,6 +238,8 @@ public final class SigningOptions {
      * @param signingKeys collection of signing key rings
      * @param signatureType type of the signature (binary, canonical text)
      * @return this
+     *
+     * @throws KeyException if something is wrong with any of the keys
      * @throws PGPException if any of the keys cannot be validated or unlocked, or if any signing method cannot be created
      */
     public SigningOptions addDetachedSignatures(SecretKeyRingProtector secretKeyDecryptor,
@@ -255,8 +261,10 @@ public final class SigningOptions {
      * @param secretKeyDecryptor decryptor to unlock the secret signing key
      * @param secretKey signing key
      * @param signatureType type of data that is signed (binary, canonical text)
-     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      * @return this
+     *
+     * @throws KeyException if something is wrong with the key
+     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
     public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
                                                PGPSecretKeyRing secretKey,
@@ -277,8 +285,10 @@ public final class SigningOptions {
      * @param secretKey signing key
      * @param userId user-id
      * @param signatureType type of data that is signed (binary, canonical text)
-     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      * @return this
+     *
+     * @throws KeyException if something is wrong with the key
+     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
     public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
                                                PGPSecretKeyRing secretKey,
@@ -301,8 +311,10 @@ public final class SigningOptions {
      * @param userId user-id
      * @param signatureType type of data that is signed (binary, canonical text)
      * @param subpacketCallback callback to modify hashed and unhashed subpackets of the signature
-     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      * @return this
+     *
+     * @throws KeyException if something is wrong with the key
+     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
     public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
                                                PGPSecretKeyRing secretKey,

From d1001412a15c83313f3bd3f35e6602fab9f38daf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 12:36:16 +0200
Subject: [PATCH 0608/1450] Add SigningOptions.addDetachedSignature(protector,
 key) shortcut method

---
 .../encryption_signing/SigningOptions.java      | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 43db00d1..0a7c47c4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -252,6 +252,23 @@ public final class SigningOptions {
         return this;
     }
 
+    /**
+     * Create a detached signature.
+     * The signature will be of type {@link DocumentSignatureType#BINARY_DOCUMENT}.
+     *
+     * @param secretKeyDecryptor decryptor to unlock the secret signing key
+     * @param signingKey signing key
+     * @return this
+     *
+     * @throws KeyException if something is wrong with the key
+     * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
+     */
+    public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
+                                               PGPSecretKeyRing signingKey)
+            throws PGPException {
+        return addDetachedSignature(secretKeyDecryptor, signingKey, DocumentSignatureType.BINARY_DOCUMENT);
+    }
+
     /**
      * Create a detached signature.
      * Detached signatures are not being added into the PGP message itself.

From 5746985bb77e145db569b4c6f9ab9f5ffeaec8ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 12:46:36 +0200
Subject: [PATCH 0609/1450] Add EncryptionOptions.get() factory method

---
 .../encryption_signing/EncryptionOptions.java       | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 2a75ee4e..6d2ca642 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -80,6 +80,19 @@ public class EncryptionOptions {
         this.purpose = purpose;
     }
 
+    /**
+     * Factory method to create an {@link EncryptionOptions} object which will encrypt for keys
+     * which carry either the {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS} or
+     * {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE} flag.
+     *
+     * Use this if you are not sure.
+     *
+     * @return encryption options
+     */
+    public static EncryptionOptions get() {
+        return new EncryptionOptions();
+    }
+
     /**
      * Factory method to create an {@link EncryptionOptions} object which will encrypt for keys
      * which carry the flag {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS}.

From bc24c4626ab1af839977ce8750c50a63420c8f73 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 13:00:50 +0200
Subject: [PATCH 0610/1450] Add ConsumerOptions.get() factory method

---
 .../pgpainless/decryption_verification/ConsumerOptions.java   | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 7b8d1e70..b6117a60 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -55,6 +55,10 @@ public class ConsumerOptions {
 
     private MultiPassStrategy multiPassStrategy = new InMemoryMultiPassStrategy();
 
+    public static ConsumerOptions get() {
+        return new ConsumerOptions();
+    }
+
     /**
      * Consider signatures on the message made before the given timestamp invalid.
      * Null means no limitation.

From 4efe8fb468cafb1ba478d1d8bdb332657d968565 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 13:18:02 +0200
Subject: [PATCH 0611/1450] Quickstart guide: Add sections on encrypting,
 signing, decryption, verification

---
 docs/source/pgpainless-core/quickstart.md | 179 +++++++++++++++++++++-
 1 file changed, 176 insertions(+), 3 deletions(-)

diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index a965799a..371a5f6f 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -132,6 +132,22 @@ armorOut.close(); // important!
 
 The output stream will now contain the ASCII armored representation of the binary data.
 
+If the data you want to wrap in ASCII armor is non-OpenPGP data (e.g. the String "Hello World!"),
+you need to use the following code:
+
+```java
+InputStream inputStream = ...;
+OutputStream output = ...;
+
+EncryptionStream armorStream = PGPainless.encryptAndOrSign()
+        .onOutputStream(output)
+        .withOptions(ProducerOptions.noEncryptionNoSigning()
+                .setAsciiArmor(true));
+
+Streams.pipeAll(inputStream, armorStream);
+armorStream.close();
+```
+
 To remove ASCII armor, you can make use of BouncyCastle's `ArmoredInputStream` as follows:
 
 ```java
@@ -146,10 +162,167 @@ armorIn.close();
 The output stream will now contain the binary OpenPGP data.
 
 ### Encrypt and/or Sign a Message
-TODO
+Encrypting and signing messages is done using the same API in PGPainless.
+The type of action depends on the configuration of the `ProducerOptions` class, which in term accepts
+`SigningOptions` and `EncryptionOptions` objects:
+
+```java
+// Encrypt only
+ProducerOptions options = ProducerOptions.encrypt(encryptionOptions);
+
+// Sign only
+ProducerOptions options = ProducerOptions.sign(signingOptions);
+
+// Sign and encrypt
+ProducerOptions options = ProducerOptions.signAndEncrypt(signingOptions, encryptionOptions);
+```
+
+The `ProducerOptions` object can then be passed into the `encryptAndOrSign()` API:
+
+```java
+InputStream plaintext = ...; // The data that shall be encrypted and/or signed
+OutputStream ciphertext = ...; // Destination for the ciphertext
+
+EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+        .onOutputStream(ciphertext)
+        .withOptions(options); // pass in the options object
+
+Streams.pipeAll(plaintext, encryptionStream); // pipe the data through
+encryptionStream.close(); // important! Close the stream to finish encryption/signing
+
+EncryptionResult result = encryptionStream.getResult(); // metadata
+```
+
+The `ciphertext` output stream now contains the encrypted and/or signed data.
+
+Now lets take a look at the configuration of the `SigningOptions` object and how to instruct PGPainless to add a simple
+signature to the message:
+
+```java
+PGPSecretKeyRing signingKey = ...; // Key used for signing
+SecretKeyRingProtector protector = ...; // Protector to unlock the signing key
+
+SigningOptions signOptions = SigningOptions.get()
+        .addSignature(protector, signingKey);
+```
+This will add an inline signature to the message.
+
+It is possible to add multiple signatures from different keys by repeating the `addSignature()` method call.
+
+If instead of an inline signature, you want to create a detached signature instead (e.g. because you do not want
+to alter the data you are signing), you can add the signature as follows:
+
+```java
+signOptions.addDetachedSignature(protector, signingKey);
+```
+
+Passing in the `SigningOptions` object like this will result in the signature not being added to the message itself.
+Instead, the signature can later be acquired from the `EncryptionResult` object via `EncryptionResult.getDetachedSignatures()`.
+That way, it can be distributed independent of the message.
+
+The `EncryptionOptions` object can be configured in a similar way:
+
+```java
+PGPPublicKey certificate = ...;
+
+EncryptionOptions encOptions = EncryptionOptions.get()
+        .addRecipient(certificate);
+```
+
+Once again, it is possible to add multiple recipients by repeating the `addRecipient()` method call.
+
+You can also encrypt a message to a password like this:
+```java
+encOptions.addPassphrase(Passphrase.fromPassword("sw0rdf1sh"));
+```
+
+Both methods can be used in combination to create a message which can be decrypted with either a recipients secret key
+or the passphrase.
 
 ### Decrypt and/or Verify a Message
-TODO
+Decryption and verification of a message is both done using the same API.
+Whether a message was actually signed / encrypted can be determined after the message has been processed by checking
+the `OpenPgpMetadata` object which can be obtained from the `DecryptionStream`.
+
+To configure the decryption / verification process, the `ConsumerOptions` object is used:
+
+```java
+PGPPublicKeyRing verificationCert = ...; // optional, signers certificate for signature verification
+PGPSecretKeyRing decryptionKey = ...; // optional, decryption key
+
+ConsumerOptions options = ConsumerOptions.get()
+        .addVerificationCert(verificationCert) // add a verification cert for signature verification
+        .addDecryptionKey(decryptionKey); // add a secret key for message decryption
+```
+
+Both verification certificates and decryption keys are optional.
+If you know the message is signed, but not encrypted you can omit providing a decryption key.
+Same goes for if you know that the message is encrypted, but not signed.
+In this case you can omit the verification certificate.
+
+On the other hand, providing these parameters does not hurt.
+PGPainless will ignore unused keys / certificates, so if you provide a decryption key and the message is not encrypted,
+nothing bad will happen.
+
+It is possible to provide multiple verification certs and decryption keys. PGPainless will pick suitable ones on the fly.
+If the message is signed with key `0xAAAA` and you provide certificates `0xAAAA` and `0xBBBB`, it will verify
+with cert `0xAAAA` and ignore `0xBBBB`.
+
+To do the actual decryption / verification of the message, do the following:
+
+```java
+InputStream ciphertext = ...; // encrypted and/or signed message
+OutputStream plaintext = ...; // destination for the plaintext
+
+ConsumerOptions options = ...; // see above
+DecryptionStream consumerStream = PGPainless.decryptAndOrVerify()
+        .onInputStream(ciphertext)
+        .withOptions(options);
+
+Streams.pipeAll(consumerStream, plaintext);
+consumerStream.close(); // important!
+
+// The result will contain metadata of the message
+OpenPgpMetadata result = consumerStream.getResult();
+```
+
+After the message has been processed, you can consult the `OpenPgpMetadata` object to determine the nature of the message:
+
+```java
+boolean wasEncrypted = result.isEncrypted();
+SubkeyIdentifier decryptionKey = result.getDecryptionKey();
+Map validSignatures = result.getVerifiedSignatures();
+boolean wasSignedByCert = result.containsVerifiedSignatureFrom(certificate);
+
+// For files:
+String fileName = result.getFileName();
+Date modificationData = result.getModificationDate();
+```
 
 ### Verify a Signature
-TODO
+In some cases, detached signatures are distributed alongside the message.
+This is the case for example with Debians `Release` and `Release.gpg` files.
+Here, `Release` is the plaintext message, which is unaltered by the signing process while `Release.gpg` contains
+the detached OpenPGP signature.
+
+To verify a detached signature, you need to call the PGPainless API like this:
+
+```java
+InputStream plaintext = ...; // e.g. new FileInputStream(releaseFile);
+InputStream detachedSignature = ...; // e.g. new FileInputStream(releaseGpgFile);
+PGPPublicKeyRing certificate = ...; // e.g. debians public signing key
+
+ConsumerOptions options = ConsumerOptions.get()
+        .addVerificationCert(certificate) // provide certificate for verification
+        .addVerificationOfDetachedSignatures(detachedSignature) // provide detached signature
+
+DecryptionStream verificationStream = PGPainless.decryptAndOrVerify()
+        .onInputStream(plaintext)
+        .withOptions(options);
+
+Streams.drain(verificationStream); // push all the data through the stream
+verificationStream.close(); // finish verification
+
+OpenPgpMetadata result = verificationStream.getResult(); // get metadata of signed message
+assertTrue(result.containsVerifiedSignatureFrom(certificate)); // check if message was in fact signed
+```
\ No newline at end of file

From a2bfb55d87c59b0273dcd84195cb8499eddcda1a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 13:22:44 +0200
Subject: [PATCH 0612/1450] Use *Options.get() factory methods in SOP module

---
 .../src/main/java/org/pgpainless/sop/DecryptImpl.java           | 2 +-
 .../src/main/java/org/pgpainless/sop/DetachedSignImpl.java      | 2 +-
 .../src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java    | 2 +-
 .../src/main/java/org/pgpainless/sop/EncryptImpl.java           | 2 +-
 .../src/main/java/org/pgpainless/sop/InlineSignImpl.java        | 2 +-
 .../src/main/java/org/pgpainless/sop/InlineVerifyImpl.java      | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 7d8481e3..4957f748 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -35,7 +35,7 @@ import sop.operation.Decrypt;
 
 public class DecryptImpl implements Decrypt {
 
-    private final ConsumerOptions consumerOptions = new ConsumerOptions();
+    private final ConsumerOptions consumerOptions = ConsumerOptions.get();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     @Override
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index 704b5af5..0ce326a9 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -39,7 +39,7 @@ public class DetachedSignImpl implements DetachedSign {
 
     private boolean armor = true;
     private SignAs mode = SignAs.Binary;
-    private final SigningOptions signingOptions = new SigningOptions();
+    private final SigningOptions signingOptions = SigningOptions.get();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
 
     @Override
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 81cb08ff..e6e2768e 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -24,7 +24,7 @@ import sop.operation.DetachedVerify;
 
 public class DetachedVerifyImpl implements DetachedVerify {
 
-    private final ConsumerOptions options = new ConsumerOptions();
+    private final ConsumerOptions options = ConsumerOptions.get();
 
     @Override
     public DetachedVerify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 0843ae08..1b95d87c 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -36,7 +36,7 @@ import sop.util.ProxyOutputStream;
 
 public class EncryptImpl implements Encrypt {
 
-    EncryptionOptions encryptionOptions = new EncryptionOptions();
+    EncryptionOptions encryptionOptions = EncryptionOptions.get();
     SigningOptions signingOptions = null;
     MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
     private final Set signingKeys = new HashSet<>();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index 639d8c6e..3bdc8fc3 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -80,7 +80,7 @@ public class InlineSignImpl implements InlineSign {
         for (PGPSecretKeyRing key : signingKeys) {
             try {
                 if (mode == InlineSignAs.CleartextSigned) {
-                    signingOptions.addDetachedSignature(protector, key, DocumentSignatureType.BINARY_DOCUMENT);
+                    signingOptions.addDetachedSignature(protector, key);
                 } else {
                     signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
                 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 7c31f44b..1e8c4fee 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -26,7 +26,7 @@ import sop.operation.InlineVerify;
 
 public class InlineVerifyImpl implements InlineVerify {
 
-    private final ConsumerOptions options = new ConsumerOptions();
+    private final ConsumerOptions options = ConsumerOptions.get();
 
     @Override
     public InlineVerify notBefore(Date timestamp) throws SOPGPException.UnsupportedOption {

From 76905cc1e828bfad386d343683d8405fbc9654d1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 13:28:08 +0200
Subject: [PATCH 0613/1450] Add installation hint to cli usage guide

---
 docs/source/pgpainless-cli/usage.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index d1694ea7..967bfc11 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -10,6 +10,18 @@ You can use it to generate keys, encrypt, sign and decrypt messages, as well as
 Essentially, `pgpainless-cli` is just a very small composing module, which injects `pgpainless-sop` as a
 concrete implementation of `sop-java` into `sop-java-picocli`.
 
+## Install
+
+The `pgpainless-cli` command line application is available in Debian unstable / Ubuntu 22.10 and can be installed via APT:
+```shell
+$ sudo apt install pgpainless-cli
+```
+
+This method comes with man-pages:
+```shell
+$ man pgpainless-cli
+```
+
 ## Build
 
 To build a standalone *fat*-jar:

From c6676d3c91583e5b66ea1c774d71ef55eff26e59 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 14:12:02 +0200
Subject: [PATCH 0614/1450] Add support for generating keys without user-ids

Fixes #296
---
 .../key/generation/KeyRingBuilder.java        | 44 ++++-----
 .../consumer/CertificateValidator.java        |  3 +-
 .../GenerateKeyWithoutUserIdTest.java         | 93 +++++++++++++++++++
 3 files changed, 118 insertions(+), 22 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
index 88ed6ecd..10970fc2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
@@ -143,9 +143,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
     @Override
     public PGPSecretKeyRing build() throws NoSuchAlgorithmException, PGPException,
             InvalidAlgorithmParameterException {
-        if (userIds.isEmpty()) {
-            throw new IllegalStateException("At least one user-id is required.");
-        }
         PGPDigestCalculator keyFingerprintCalculator = ImplementationFactory.getInstance().getV4FingerprintCalculator();
         PBESecretKeyEncryptor secretKeyEncryptor = buildSecretKeyEncryptor(keyFingerprintCalculator);
         PBESecretKeyDecryptor secretKeyDecryptor = buildSecretKeyDecryptor();
@@ -157,19 +154,35 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
         PGPContentSignerBuilder signer = buildContentSigner(certKey);
         PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(signer);
 
-        // Prepare primary user-id sig
         SignatureSubpackets hashedSubPacketGenerator = primaryKeySpec.getSubpacketGenerator();
         hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.getPublicKey());
-        hashedSubPacketGenerator.setPrimaryUserId();
         if (expirationDate != null) {
             hashedSubPacketGenerator.setKeyExpirationTime(certKey.getPublicKey(), expirationDate);
         }
+        if (!userIds.isEmpty()) {
+            hashedSubPacketGenerator.setPrimaryUserId();
+        }
+
         PGPSignatureSubpacketGenerator generator = new PGPSignatureSubpacketGenerator();
         SignatureSubpacketsHelper.applyTo(hashedSubPacketGenerator, generator);
         PGPSignatureSubpacketVector hashedSubPackets = generator.generate();
+        PGPKeyRingGenerator ringGenerator;
+        if (userIds.isEmpty()) {
+            ringGenerator = new PGPKeyRingGenerator(
+                    certKey,
+                    keyFingerprintCalculator,
+                    hashedSubPackets,
+                    null,
+                    signer,
+                    secretKeyEncryptor);
+        } else {
+            String primaryUserId = userIds.entrySet().iterator().next().getKey();
+            ringGenerator = new PGPKeyRingGenerator(
+                    SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey,
+                    primaryUserId, keyFingerprintCalculator,
+                    hashedSubPackets, null, signer, secretKeyEncryptor);
+        }
 
-        PGPKeyRingGenerator ringGenerator = buildRingGenerator(
-                certKey, signer, keyFingerprintCalculator, hashedSubPackets, secretKeyEncryptor);
         addSubKeys(certKey, ringGenerator);
 
         // Generate secret key ring with only primary user id
@@ -182,7 +195,9 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
         PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKeyRing.getSecretKey(), secretKeyDecryptor);
         Iterator> userIdIterator =
                 this.userIds.entrySet().iterator();
-        userIdIterator.next(); // Skip primary user id
+        if (userIdIterator.hasNext()) {
+            userIdIterator.next(); // Skip primary user id
+        }
         while (userIdIterator.hasNext()) {
             Map.Entry additionalUserId = userIdIterator.next();
             String userIdString = additionalUserId.getKey();
@@ -217,19 +232,6 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
         return secretKeyRing;
     }
 
-    private PGPKeyRingGenerator buildRingGenerator(PGPKeyPair certKey,
-                                                   PGPContentSignerBuilder signer,
-                                                   PGPDigestCalculator keyFingerprintCalculator,
-                                                   PGPSignatureSubpacketVector hashedSubPackets,
-                                                   PBESecretKeyEncryptor secretKeyEncryptor)
-            throws PGPException {
-        String primaryUserId = userIds.entrySet().iterator().next().getKey();
-        return new PGPKeyRingGenerator(
-                SignatureType.POSITIVE_CERTIFICATION.getCode(), certKey,
-                primaryUserId, keyFingerprintCalculator,
-                hashedSubPackets, null, signer, secretKeyEncryptor);
-    }
-
     private void addSubKeys(PGPKeyPair primaryKey, PGPKeyRingGenerator ringGenerator)
             throws NoSuchAlgorithmException, PGPException, InvalidAlgorithmParameterException {
         for (KeySpec subKeySpec : subkeySpecs) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 809ea003..4c4c6689 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -138,6 +138,7 @@ public final class CertificateValidator {
         }
 
         boolean anyUserIdValid = false;
+        boolean hasAnyUserIds = !userIdSignatures.keySet().isEmpty();
         for (String userId : userIdSignatures.keySet()) {
             if (!userIdSignatures.get(userId).isEmpty()) {
                 PGPSignature current = userIdSignatures.get(userId).get(0);
@@ -149,7 +150,7 @@ public final class CertificateValidator {
             }
         }
 
-        if (!anyUserIdValid) {
+        if (hasAnyUserIds && !anyUserIdValid) {
             throw new SignatureValidationException("No valid user-id found.", rejections);
         }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java
new file mode 100644
index 00000000..8b022a21
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java
@@ -0,0 +1,93 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.generation;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.JUtils;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import org.pgpainless.key.generation.type.xdh.XDHSpec;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.util.DateUtil;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class GenerateKeyWithoutUserIdTest {
+
+    @Test
+    public void generateKeyWithoutUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        Date expirationDate = DateUtil.toSecondsPrecision(new Date(DateUtil.now().getTime() + 1000 * 6000));
+        PGPSecretKeyRing secretKey = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
+                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .setExpirationDate(expirationDate)
+                .build();
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
+        assertNull(info.getPrimaryUserId());
+        assertTrue(info.getUserIds().isEmpty());
+        JUtils.assertDateEquals(expirationDate, info.getPrimaryKeyExpirationDate());
+
+        InputStream plaintextIn = new ByteArrayInputStream("Hello, World!\n".getBytes());
+        ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream();
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
+
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertextOut)
+                .withOptions(ProducerOptions.signAndEncrypt(
+                        EncryptionOptions.get()
+                                .addRecipient(certificate),
+                        SigningOptions.get()
+                                .addSignature(protector, secretKey)
+                ));
+        Streams.pipeAll(plaintextIn, encryptionStream);
+        encryptionStream.close();
+
+        EncryptionResult result = encryptionStream.getResult();
+        assertTrue(result.isEncryptedFor(certificate));
+
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray());
+        ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(ConsumerOptions.get()
+                        .addDecryptionKey(secretKey)
+                        .addVerificationCert(certificate));
+
+        Streams.pipeAll(decryptionStream, plaintextOut);
+        decryptionStream.close();
+
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+
+        assertTrue(metadata.containsVerifiedSignatureFrom(certificate));
+        assertTrue(metadata.isEncrypted());
+    }
+}

From cf43c5f83b46faad373e2072fbaa605a64b41808 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 14:43:41 +0200
Subject: [PATCH 0615/1450] Update changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b44e5502..0421a2c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,11 @@ SPDX-License-Identifier: CC0-1.0
 - Remove deprecated methods
   - `ArmorUtils.createArmoredOutputStreamFor()` -> use `ArmorUtils.toAsciiArmoredStream()` instead
   - `EncryptionResult.getSymmetricKeyAlgorithm()` -> use `EncryptionResult.getEncryptionAlgorithm()` instead
+- Add `KeyRingInfo.getRevocationState()`
+  - Better way to determine whether a key is revoked
+- Add `SigningOptions.addDetachedSignature(protector, key)` shortcut method
+- Add `EncryptionOptions.get()`, `ConsumerOptions.get()` factory methods
+- Add support for generating keys without user-id (only using `PGPainless.buildKeyRing()` for now)
 
 ## 1.3.5
 - Add `KeyRingInfo.isCapableOfSigning()`

From 251bbaeaa7a416360cd4d151d9970827ceef84cb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 30 Aug 2022 22:35:50 +0200
Subject: [PATCH 0616/1450] Remove branches section from README

---
 README.md | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/README.md b/README.md
index 482b8ac9..2e14efc1 100644
--- a/README.md
+++ b/README.md
@@ -212,18 +212,6 @@ We are using SemVer (MAJOR.MINOR.PATCH) versioning, although MINOR releases coul
 If you want to contribute a bug fix, please check the `release/X.Y` branches first to see, what the oldest release is
 which contains the bug you are fixing. That way we can update older revisions of the library easily.
 
-### Branches
-* `release/X.Y` contains the state of the latest `X.Y.Z` PATCH release + next PATCH snapshot definition.
-* `master` contains the state of the latest MINOR release + some smaller changes that will make it into the next PATCH release.
-* `development` contains new features that will make it into the next MINOR release.
-
-#### Example:
-Latest release: 1.1.4
-* `release/1.0` contains the state of `1.0.5-SNAPSHOT`
-* `release/1.1` contains the state of `1.1.5-SNAPSHOT`
-* `master` contains the state `release/1.1` plus patch level changes that will make it into `1.1.5`.
-* `development` contains the state which will at some point become `1.2.0`.
-
 Please follow the [code of conduct](CODE_OF_CONDUCT.md) if you want to be part of the project.
 
 ## Acknowledgements

From 15046cdc32d0fe0eb14910892bc0742dc04f2954 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 31 Aug 2022 21:37:31 +0200
Subject: [PATCH 0617/1450] Switch default S2K for secret key protection over
 to use SHA256 and add documentation

---
 .../protection/KeyRingProtectionSettings.java | 61 +++++++++++++++++--
 .../InvalidProtectionSettingsTest.java        | 20 ++++++
 2 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java
index ede286c6..a93534ab 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/KeyRingProtectionSettings.java
@@ -9,18 +9,39 @@ import javax.annotation.Nonnull;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 
+/**
+ * Secret key protection settings for iterated and salted S2K.
+ */
 public class KeyRingProtectionSettings {
 
     private final SymmetricKeyAlgorithm encryptionAlgorithm;
     private final HashAlgorithm hashAlgorithm;
     private final int s2kCount;
 
+    /**
+     * Create a {@link KeyRingProtectionSettings} object using the given encryption algorithm, SHA1 and
+     * 65536 iterations.
+     *
+     * @param encryptionAlgorithm encryption algorithm
+     */
     public KeyRingProtectionSettings(@Nonnull SymmetricKeyAlgorithm encryptionAlgorithm) {
-        this(encryptionAlgorithm, HashAlgorithm.SHA1, 0x60); // Same s2kCount as used in BC.
+        this(encryptionAlgorithm, HashAlgorithm.SHA1, 0x60); // Same s2kCount (encoded) as used in BC.
     }
 
+    /**
+     * Constructor for custom salted and iterated S2K protection settings.
+     * The salt gets randomly chosen by the library each time.
+     *
+     * Note, that the s2kCount is the already encoded single-octet number.
+     *
+     * @see Encoding Formula
+     *
+     * @param encryptionAlgorithm encryption algorithm
+     * @param hashAlgorithm hash algorithm
+     * @param s2kCount encoded s2k iteration count
+     */
     public KeyRingProtectionSettings(@Nonnull SymmetricKeyAlgorithm encryptionAlgorithm, @Nonnull HashAlgorithm hashAlgorithm, int s2kCount) {
-        this.encryptionAlgorithm = encryptionAlgorithm;
+        this.encryptionAlgorithm = validateEncryptionAlgorithm(encryptionAlgorithm);
         this.hashAlgorithm = hashAlgorithm;
         if (s2kCount < 1) {
             throw new IllegalArgumentException("s2kCount cannot be less than 1.");
@@ -28,18 +49,50 @@ public class KeyRingProtectionSettings {
         this.s2kCount = s2kCount;
     }
 
-    public static KeyRingProtectionSettings secureDefaultSettings() {
-        return new KeyRingProtectionSettings(SymmetricKeyAlgorithm.AES_256);
+    private static SymmetricKeyAlgorithm validateEncryptionAlgorithm(SymmetricKeyAlgorithm encryptionAlgorithm) {
+        switch (encryptionAlgorithm) {
+            case NULL:
+                throw new IllegalArgumentException("Unencrypted is not allowed here!");
+            default:
+                return encryptionAlgorithm;
+        }
     }
 
+    /**
+     * Secure default settings using {@link SymmetricKeyAlgorithm#AES_256}, {@link HashAlgorithm#SHA256}
+     * and an iteration count of 65536.
+     *
+     * @return secure protection settings
+     */
+    public static KeyRingProtectionSettings secureDefaultSettings() {
+        return new KeyRingProtectionSettings(SymmetricKeyAlgorithm.AES_256, HashAlgorithm.SHA256, 0x60);
+    }
+
+    /**
+     * Return the encryption algorithm.
+     *
+     * @return encryption algorithm
+     */
     public @Nonnull SymmetricKeyAlgorithm getEncryptionAlgorithm() {
         return encryptionAlgorithm;
     }
 
+    /**
+     * Return the hash algorithm.
+     *
+     * @return hash algorithm
+     */
     public @Nonnull HashAlgorithm getHashAlgorithm() {
         return hashAlgorithm;
     }
 
+    /**
+     * Return the (encoded!) s2k iteration count.
+     *
+     * @see Encoding Formula
+     *
+     * @return encoded s2k count
+     */
     public int getS2kCount() {
         return s2kCount;
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java
new file mode 100644
index 00000000..b0746398
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/protection/InvalidProtectionSettingsTest.java
@@ -0,0 +1,20 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.protection;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class InvalidProtectionSettingsTest {
+
+    @Test
+    public void unencryptedKeyRingProtectionSettingsThrows() {
+        assertThrows(IllegalArgumentException.class, () ->
+                new KeyRingProtectionSettings(SymmetricKeyAlgorithm.NULL, HashAlgorithm.SHA256, 0x60));
+    }
+}

From 328b8ccf8aa7f1a58bbce90f20648e8158eb6a2c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 31 Aug 2022 21:38:09 +0200
Subject: [PATCH 0618/1450] Add information about KeyRingProtectionSettings to
 documentation

---
 docs/source/pgpainless-core/passphrase.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/source/pgpainless-core/passphrase.md b/docs/source/pgpainless-core/passphrase.md
index 27769aad..4a6e4393 100644
--- a/docs/source/pgpainless-core/passphrase.md
+++ b/docs/source/pgpainless-core/passphrase.md
@@ -57,4 +57,14 @@ SecretKeyRingProtector singlePassphrase = SecretKeyRingProtector
 // If you want to be flexible, use this:
 CachingSecretKeyRingProtector flexible = SecretKeyRingProtector
         .defaultSecretKeyRingProtector(passphraseCallback);
-```
\ No newline at end of file
+```
+
+The last example shows how to instantiate the `CachingSecretKeyRingProtector` with a `SecretKeyPassphraseProvider`.
+As the name suggests, the `CachingSecretKeyRingProtector` caches passphrases in a map.
+If you try to unlock a protected secret key for which no passphrase is cached, the `getPassphraseFor()` method of
+the `SecretKeyPassphraseProvider` will be called to interactively ask for the missing passphrase. Afterwards, the
+acquired passphrase will be cached for future use.
+
+Most `SecretKeyRingProtector` implementations can be instantiated with custom `KeyRingProtectionSettings`.
+By default, most implementations use `KeyRingProtectionSettings.secureDefaultSettings()` which corresponds to iterated
+and salted S2K using AES256 and SHA256 with an iteration count of 65536.

From 3030de7f3f15b9768de8d21861f3064d84161830 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 31 Aug 2022 21:59:40 +0200
Subject: [PATCH 0619/1450] Add further information about key protectors to
 documentation

---
 docs/source/pgpainless-core/passphrase.md | 28 +++++++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/docs/source/pgpainless-core/passphrase.md b/docs/source/pgpainless-core/passphrase.md
index 4a6e4393..2c370006 100644
--- a/docs/source/pgpainless-core/passphrase.md
+++ b/docs/source/pgpainless-core/passphrase.md
@@ -42,7 +42,7 @@ There are certain operations that require you to provide the passphrase for a ke
 Examples are decryption of messages, or creating signatures / certifications.
 
 The primary way of telling PGPainless, which password to use for a certain key is the `SecretKeyRingProtector`
-interface.
+interface which maps `Passphrases` to (sub-)keys.
 There are multiple implementations of this interface, which may or may not suite your needs:
 
 ```java
@@ -59,11 +59,29 @@ CachingSecretKeyRingProtector flexible = SecretKeyRingProtector
         .defaultSecretKeyRingProtector(passphraseCallback);
 ```
 
-The last example shows how to instantiate the `CachingSecretKeyRingProtector` with a `SecretKeyPassphraseProvider`.
-As the name suggests, the `CachingSecretKeyRingProtector` caches passphrases in a map.
+`SecretKeyRingProtector.unprotectedKeys()` will return an empty passphrase for any key.
+It is best used when dealing with unencrypted secret keys.
+
+`SecretKeyRingProtector.unlockAnyKeyWith(passphrase)` will return the same exact passphrase for any given key.
+You should use this if you have a single key with a static passphrase.
+
+The last example shows how to instantiate the `CachingSecretKeyRingProtector` with a `SecretKeyPassphraseProvider`
+as argument.
+As the name suggests, the `CachingSecretKeyRingProtector` caches passphrases it knows about in a map.
+That way, you only have to provide the passphrase for a certain key only once, after which it will be remembered.
 If you try to unlock a protected secret key for which no passphrase is cached, the `getPassphraseFor()` method of
-the `SecretKeyPassphraseProvider` will be called to interactively ask for the missing passphrase. Afterwards, the
-acquired passphrase will be cached for future use.
+the `SecretKeyPassphraseProvider` callback will be called to interactively ask for the missing passphrase.
+Afterwards, the acquired passphrase will be cached for future use.
+
+:::{note}
+While especially the `CachingSecretKeyRingProtector` can handle multiple keys without problems, it is advised
+to use individual `SecretKeyRingProtector` objects per key.
+The reason for this is, that internally the 64bit key-id is used to resolve `Passphrase` objects and collisions are not
+unlikely in this key-space.
+Furthermore, multiple OpenPGP keys could contain the same subkey, but with different passphrases set.
+If the same `SecretKeyRingProtector` is used for two OpenPGP keys with the same subkey, but different passwords,
+the key-id collision will cause the password to be overwritten for one of the keys, which might result in issues.
+:::
 
 Most `SecretKeyRingProtector` implementations can be instantiated with custom `KeyRingProtectionSettings`.
 By default, most implementations use `KeyRingProtectionSettings.secureDefaultSettings()` which corresponds to iterated

From c3dc3c9d8734894cc7bb0c6837a933fcc3a6216f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 12:19:34 +0200
Subject: [PATCH 0620/1450] Allow modification of keys with custom reference
 date

Also, bind subkeys using SubkeyBindingSignatureBuilder
---
 .../main/java/org/pgpainless/PGPainless.java  |   6 +-
 .../org/pgpainless/key/info/KeyRingInfo.java  |  14 +-
 .../secretkeyring/SecretKeyRingEditor.java    | 124 ++++++++--------
 .../PrimaryKeyBindingSignatureBuilder.java    |  11 ++
 .../SubkeyBindingSignatureBuilder.java        |   9 ++
 .../KeyGenerationSubpacketsTest.java          |  12 +-
 .../modification/ChangeExpirationTest.java    |  33 ++---
 ...gePrimaryUserIdAndExpirationDatesTest.java | 140 ++++++++++--------
 ...reSubpacketsArePreservedOnNewSigTest.java} |  18 +--
 ...irdPartyDirectKeySignatureBuilderTest.java |  10 +-
 10 files changed, 207 insertions(+), 170 deletions(-)
 rename pgpainless-core/src/test/java/org/pgpainless/key/modification/{OldSignatureSubpacketsArePreservedOnNewSig.java => OldSignatureSubpacketsArePreservedOnNewSigTest.java} (80%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 74a1f239..fd670fc9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -127,7 +127,11 @@ public final class PGPainless {
      * @return builder
      */
     public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys) {
-        return new SecretKeyRingEditor(secretKeys);
+        return modifyKeyRing(secretKeys, null);
+    }
+
+    public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys, Date referenceTime) {
+        return new SecretKeyRingEditor(secretKeys, referenceTime);
     }
 
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 995bded4..b818290b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -85,10 +85,10 @@ public class KeyRingInfo {
      * Evaluate the key ring at the provided validation date.
      *
      * @param keys key ring
-     * @param validationDate date of validation
+     * @param referenceDate date of validation
      */
-    public KeyRingInfo(PGPKeyRing keys, Date validationDate) {
-        this(keys, PGPainless.getPolicy(), validationDate);
+    public KeyRingInfo(PGPKeyRing keys, Date referenceDate) {
+        this(keys, PGPainless.getPolicy(), referenceDate);
     }
 
     /**
@@ -96,12 +96,12 @@ public class KeyRingInfo {
      *
      * @param keys key ring
      * @param policy policy
-     * @param validationDate validation date
+     * @param referenceDate validation date
      */
-    public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) {
+    public KeyRingInfo(PGPKeyRing keys, Policy policy, Date referenceDate) {
+        this.referenceDate = referenceDate != null ? referenceDate : new Date();
         this.keys = keys;
-        this.signatures = new Signatures(keys, validationDate, policy);
-        this.referenceDate = validationDate;
+        this.signatures = new Signatures(keys, this.referenceDate, policy);
         this.primaryUserId = findPrimaryUserId();
         this.revocationState = findRevocationState();
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index e1b1b23e..20876c36 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -4,35 +4,17 @@
 
 package org.pgpainless.key.modification.secretkeyring;
 
-import static org.pgpainless.util.CollectionUtils.concat;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.NoSuchElementException;
-import java.util.Set;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-
 import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SecretKeyPacket;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
-import org.bouncycastle.openpgp.PGPKeyRingGenerator;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
-import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.AlgorithmSuite;
 import org.pgpainless.algorithm.CompressionAlgorithm;
@@ -57,26 +39,49 @@ import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvi
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.signature.builder.DirectKeySelfSignatureBuilder;
+import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder;
 import org.pgpainless.signature.builder.RevocationSignatureBuilder;
 import org.pgpainless.signature.builder.SelfSignatureBuilder;
+import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder;
 import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
-import org.pgpainless.util.CollectionUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.selection.userid.SelectUserId;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.NoSuchElementException;
+import java.util.Set;
+
+import static org.pgpainless.util.CollectionUtils.concat;
+
 public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
 
     private PGPSecretKeyRing secretKeyRing;
+    private final Date referenceTime;
 
     public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing) {
+        this(secretKeyRing, null);
+    }
+
+    public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing, Date referenceTime) {
         if (secretKeyRing == null) {
             throw new NullPointerException("SecretKeyRing MUST NOT be null.");
         }
         this.secretKeyRing = secretKeyRing;
+        this.referenceTime = referenceTime;
     }
 
     @Override
@@ -99,7 +104,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
 
         // retain key flags from previous signature
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         if (info.isHardRevoked(userId.toString())) {
             throw new IllegalArgumentException("User-ID " + userId + " is hard revoked and cannot be re-certified.");
         }
@@ -121,6 +126,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         }
 
         SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector);
+        if (referenceTime != null) {
+            builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
         builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION);
 
         // Retain signature subpackets of previous signatures
@@ -145,7 +153,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
 
         // Determine previous key expiration date
         PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey();
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         String primaryUserId = info.getPrimaryUserId();
         PGPSignature signature = primaryUserId == null ?
                 info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId);
@@ -169,7 +177,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
                 protector);
 
         // unmark previous primary user-ids to be non-primary
-        info = PGPainless.inspectKeyRing(secretKeyRing);
+        info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         for (String otherUserId : info.getValidAndExpiredUserIds()) {
             if (userId.toString().equals(otherUserId)) {
                 continue;
@@ -227,7 +235,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             throw new IllegalArgumentException("New user-id cannot be empty.");
         }
 
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         if (!info.isUserIdValid(oldUID)) {
             throw new NoSuchElementException("Key does not carry user-id '" + oldUID + "', or it is not valid.");
         }
@@ -333,46 +341,34 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         }
 
         PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
-        PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.requireFromId(primaryKey.getPublicKey().getAlgorithm());
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator
                 .negotiateSignatureHashAlgorithm(PGPainless.getPolicy())
                 .negotiateHashAlgorithm(info.getPreferredHashAlgorithms());
 
-        // While we'd like to rely on our own BindingSignatureBuilder implementation,
-        //  unfortunately we have to use BCs PGPKeyRingGenerator class since there is no public constructor
-        //  for subkeys. See https://github.com/bcgit/bc-java/pull/1063
-        PGPKeyRingGenerator ringGenerator = new PGPKeyRingGenerator(
-                secretKeyRing,
-                primaryKeyProtector.getDecryptor(primaryKey.getKeyID()),
-                ImplementationFactory.getInstance().getV4FingerprintCalculator(),
-                ImplementationFactory.getInstance().getPGPContentSignerBuilder(
-                        signingKeyAlgorithm, hashAlgorithm),
-                subkeyProtector.getEncryptor(subkey.getKeyID()));
+        PGPSecretKey secretSubkey = new PGPSecretKey(subkey.getPrivateKey(), subkey.getPublicKey(), ImplementationFactory.getInstance()
+                .getV4FingerprintCalculator(), false, subkeyProtector.getEncryptor(subkey.getKeyID()));
 
-        SelfSignatureSubpackets hashedSubpackets = SignatureSubpackets.createHashedSubpackets(primaryKey.getPublicKey());
-        SelfSignatureSubpackets unhashedSubpackets = SignatureSubpackets.createEmptySubpackets();
-        hashedSubpackets.setKeyFlags(flags);
+        SubkeyBindingSignatureBuilder skBindingBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector, hashAlgorithm);
+        if (referenceTime != null) {
+            skBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
+        skBindingBuilder.getHashedSubpackets().setKeyFlags(flags);
 
-        if (bindingSignatureCallback != null) {
-            bindingSignatureCallback.modifyHashedSubpackets(hashedSubpackets);
-            bindingSignatureCallback.modifyUnhashedSubpackets(unhashedSubpackets);
+        if (subkeyAlgorithm.isSigningCapable()) {
+            PrimaryKeyBindingSignatureBuilder pkBindingBuilder = new PrimaryKeyBindingSignatureBuilder(secretSubkey, subkeyProtector, hashAlgorithm);
+            if (referenceTime != null) {
+                pkBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+            }
+            PGPSignature pkBinding = pkBindingBuilder.build(primaryKey.getPublicKey());
+            skBindingBuilder.getHashedSubpackets().addEmbeddedSignature(pkBinding);
         }
 
-        boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) ||
-                CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER);
-        PGPContentSignerBuilder primaryKeyBindingSigner = null;
-        if (isSigningKey) {
-            primaryKeyBindingSigner = ImplementationFactory.getInstance().getPGPContentSignerBuilder(subkeyAlgorithm, hashAlgorithm);
-        }
-
-        ringGenerator.addSubKey(subkey,
-                SignatureSubpacketsHelper.toVector((SignatureSubpackets) hashedSubpackets),
-                SignatureSubpacketsHelper.toVector((SignatureSubpackets) unhashedSubpackets),
-                primaryKeyBindingSigner);
-
-        secretKeyRing = ringGenerator.generateSecretKeyRing();
+        skBindingBuilder.applyCallback(bindingSignatureCallback);
+        PGPSignature skBinding = skBindingBuilder.build(secretSubkey.getPublicKey());
 
+        secretSubkey = KeyRingUtils.secretKeyPlusSignature(secretSubkey, skBinding);
+        secretKeyRing = KeyRingUtils.keysPlusSecretKey(secretKeyRing, secretSubkey);
         return this;
     }
 
@@ -558,6 +554,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
                 SignatureType.CERTIFICATION_REVOCATION,
                 primarySecretKey,
                 protector);
+        if (referenceTime != null) {
+            signatureBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
 
         signatureBuilder.applyCallback(callback);
 
@@ -585,14 +584,14 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         }
 
         // reissue primary user-id sig
-        String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing).getPossiblyExpiredPrimaryUserId();
+        String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing, referenceTime).getPossiblyExpiredPrimaryUserId();
         if (primaryUserId != null) {
             PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId);
             PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig);
             secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig);
         }
 
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         for (String userId : info.getValidUserIds()) {
             if (userId.equals(primaryUserId)) {
                 continue;
@@ -618,6 +617,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             PGPSignature prevUserIdSig)
             throws PGPException {
         SelfSignatureBuilder builder = new SelfSignatureBuilder(secretKeyRing.getSecretKey(), secretKeyRingProtector, prevUserIdSig);
+        if (referenceTime != null) {
+            builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
         builder.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -638,6 +640,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         PGPPublicKey publicKey = primaryKey.getPublicKey();
 
         SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevUserIdSig);
+        if (referenceTime != null) {
+            builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
         builder.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -662,6 +667,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         final Date keyCreationTime = publicKey.getCreationTime();
 
         DirectKeySelfSignatureBuilder builder = new DirectKeySelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig);
+        if (referenceTime != null) {
+            builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
+        }
         builder.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -677,12 +685,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
     }
 
     private PGPSignature getPreviousDirectKeySignature() {
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         return info.getLatestDirectKeySelfSignature();
     }
 
     private PGPSignature getPreviousUserIdSignatures(String userId) {
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
         return info.getLatestUserIdCertification(userId);
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java
index 93339f86..156e739f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/PrimaryKeyBindingSignatureBuilder.java
@@ -10,9 +10,11 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
+import org.pgpainless.signature.subpackets.SignatureSubpackets;
 
 public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder {
 
@@ -21,6 +23,15 @@ public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder<
         super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector);
     }
 
+    public PrimaryKeyBindingSignatureBuilder(PGPSecretKey secretSubKey,
+                                             SecretKeyRingProtector subkeyProtector,
+                                             HashAlgorithm hashAlgorithm)
+            throws PGPException {
+        super(SignatureType.PRIMARYKEY_BINDING, secretSubKey, subkeyProtector, hashAlgorithm,
+                SignatureSubpackets.createHashedSubpackets(secretSubKey.getPublicKey()),
+                SignatureSubpackets.createEmptySubpackets());
+    }
+
     public SelfSignatureSubpackets getHashedSubpackets() {
         return hashedSubpackets;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java
index 9c51955d..c15e219e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/SubkeyBindingSignatureBuilder.java
@@ -10,9 +10,11 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
+import org.pgpainless.signature.subpackets.SignatureSubpackets;
 
 public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder {
 
@@ -21,6 +23,13 @@ public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder
-                PGPainless.modifyKeyRing(finalSecretKeys).addUserId("A", protector));
+                PGPainless.modifyKeyRing(finalSecretKeys, threeHoursLater).addUserId("A", protector));
     }
 
     @Test
     public void generateA_primaryExpire_isExpired()
-            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
@@ -76,71 +81,77 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
         assertIsPrimaryUserId("A", info);
 
-        Thread.sleep(1000);
+        Date now = new Date();
+        Date later = new Date(now.getTime() + millisInHour);
 
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(), protector) // expire the whole key
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, now)
+                .setExpirationDate(later, protector) // expire the whole key
                 .done();
 
-        Thread.sleep(1000);
+        Date evenLater = new Date(now.getTime() + 2 * millisInHour);
 
-        info = PGPainless.inspectKeyRing(secretKeys);
+        info = PGPainless.inspectKeyRing(secretKeys, evenLater);
         assertFalse(info.isUserIdValid("A")); // is expired by now
     }
 
     @Test
     public void generateA_primaryB_primaryExpire_bIsStillPrimary()
-            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
+        Date now = new Date();
+        // Generate key with primary user-id A
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
         assertIsPrimaryUserId("A", info);
 
-        Thread.sleep(1000);
-
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+        // later set primary user-id to B
+        Date t1 = new Date(now.getTime() + millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
                 .addPrimaryUserId("B", protector)
                 .done();
-        info = PGPainless.inspectKeyRing(secretKeys);
-
+        info = PGPainless.inspectKeyRing(secretKeys, t1);
         assertIsPrimaryUserId("B", info);
         assertIsNotPrimaryUserId("A", info);
 
-        Thread.sleep(1000);
-
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(new Date().getTime() + 1000), protector) // expire the whole key in 1 sec
+        // Even later expire the whole key
+        Date t2 = new Date(now.getTime() + 2 * millisInHour);
+        Date expiration = new Date(now.getTime() + 10 * millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
+                .setExpirationDate(expiration, protector) // expire the whole key in 1 hour
                 .done();
 
-        info = PGPainless.inspectKeyRing(secretKeys);
+        Date t3 = new Date(now.getTime() + 3 * millisInHour);
+
+        info = PGPainless.inspectKeyRing(secretKeys, t3);
         assertIsValid("A", info);
         assertIsValid("B", info);
         assertIsPrimaryUserId("B", info);
         assertIsNotPrimaryUserId("A", info);
 
-        Thread.sleep(2000);
-
-        info = PGPainless.inspectKeyRing(secretKeys);
+        info = PGPainless.inspectKeyRing(secretKeys, expiration);
         assertIsPrimaryUserId("B", info);   // B is still primary, even though
         assertFalse(info.isUserIdValid("A"));      // key is expired by now
         assertFalse(info.isUserIdValid("B"));
     }
 
     @Test
-    public void generateA_expire_certify() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
+    public void generateA_expire_certify()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(new Date().getTime() + 1000), protector)
+        Date now = new Date();
+        Date t1 = new Date(now.getTime() + millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, now)
+                .setExpirationDate(t1, protector)
                 .done();
 
-        Thread.sleep(2000);
-
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(new Date().getTime() + 2000), protector)
+        Date t2 = new Date(now.getTime() + 2 * millisInHour);
+        Date t4 = new Date(now.getTime() + 4 * millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
+                .setExpirationDate(t4, protector)
                 .done();
 
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@@ -150,49 +161,48 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
 
     @Test
     public void generateA_expire_primaryB_expire_isPrimaryB()
-            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
-        Thread.sleep(1000);
-
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(), protector)
+        Date now = new Date();
+        Date t1 = new Date(now.getTime() + millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
+                .setExpirationDate(t1, protector)
                 .done();
 
-        Thread.sleep(2000);
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        Date t2 = new Date(now.getTime() + 2 * millisInHour);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t2);
 
         assertIsPrimaryUserId("A", info);
         assertIsNotValid("A", info); // A is expired
 
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
                 .addPrimaryUserId("B", protector)
                 .done();
 
-        info = PGPainless.inspectKeyRing(secretKeys);
+        Date t3 = new Date(now.getTime() + 3 * millisInHour);
+        info = PGPainless.inspectKeyRing(secretKeys, t3);
 
         assertIsPrimaryUserId("B", info);
         assertIsNotValid("B", info); // A and B are still expired
         assertIsNotValid("A", info);
 
-        Thread.sleep(1000);
-
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
-                .setExpirationDate(new Date(new Date().getTime() + 10000), protector)
+        Date t4 = new Date(now.getTime() + 4 * millisInHour);
+        Date t5 = new Date(now.getTime() + 5 * millisInHour);
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t3)
+                .setExpirationDate(t5, protector)
                 .done();
 
-        Thread.sleep(1000);
-        info = PGPainless.inspectKeyRing(secretKeys);
-
+        info = PGPainless.inspectKeyRing(secretKeys, t4);
         assertIsValid("B", info);
         assertIsValid("A", info); // A got re-validated when changing exp date
         assertIsPrimaryUserId("B", info);
 
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t4)
                 .addUserId("A", protector) // re-certify A as non-primary user-id
                 .done();
-        info = PGPainless.inspectKeyRing(secretKeys);
+        info = PGPainless.inspectKeyRing(secretKeys, t4);
 
         assertIsValid("B", info);
         assertIsValid("A", info);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java
similarity index 80%
rename from pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java
rename to pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java
index f7d4d181..674cd6e5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSig.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/OldSignatureSubpacketsArePreservedOnNewSigTest.java
@@ -10,7 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals;
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Calendar;
 import java.util.Date;
 
 import org.bouncycastle.openpgp.PGPException;
@@ -23,12 +22,14 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.key.protection.UnprotectedKeysProtector;
 import org.pgpainless.util.TestAllImplementations;
 
-public class OldSignatureSubpacketsArePreservedOnNewSig {
+public class OldSignatureSubpacketsArePreservedOnNewSigTest {
+
+    private static final long millisInHour = 1000 * 60 * 60;
 
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
     public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig()
-            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException {
+            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .simpleEcKeyRing("Alice ");
 
@@ -37,17 +38,14 @@ public class OldSignatureSubpacketsArePreservedOnNewSig {
 
         assertEquals(0, oldPackets.getKeyExpirationTime());
 
-        Thread.sleep(1000);
         Date now = new Date();
-        Calendar calendar = Calendar.getInstance();
-        calendar.setTime(now);
-        calendar.add(Calendar.DATE, 5);
-        Date expiration = calendar.getTime(); // in 5 days
+        Date t1 = new Date(now.getTime() + millisInHour);
+        Date expiration = new Date(now.getTime() + 5 * 24 * millisInHour); // in 5 days
 
-        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+        secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
                 .setExpirationDate(expiration, new UnprotectedKeysProtector())
                 .done();
-        PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice ");
+        PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys, t1).getLatestUserIdCertification("Alice ");
         PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets();
 
         assertNotEquals(0, newPackets.getKeyExpirationTime());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
index 46dc1ac5..72acc125 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilderTest.java
@@ -11,6 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Collections;
+import java.util.Date;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
@@ -32,7 +33,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 public class ThirdPartyDirectKeySignatureBuilderTest {
 
     @Test
-    public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException {
+    public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .modernKeyRing("Alice");
 
@@ -40,9 +41,12 @@ public class ThirdPartyDirectKeySignatureBuilderTest {
                 secretKeys.getSecretKey(),
                 SecretKeyRingProtector.unprotectedKeys());
 
+        Date now = new Date();
+        Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
         dsb.applyCallback(new SelfSignatureSubpackets.Callback() {
             @Override
             public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
+                hashedSubpackets.setSignatureCreationTime(t1);
                 hashedSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER);
                 hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA512);
                 hashedSubpackets.setPreferredCompressionAlgorithms(CompressionAlgorithm.ZIP);
@@ -51,13 +55,11 @@ public class ThirdPartyDirectKeySignatureBuilderTest {
             }
         });
 
-        Thread.sleep(1000);
-
         PGPSignature directKeySig = dsb.build(secretKeys.getPublicKey());
         assertNotNull(directKeySig);
         secretKeys = KeyRingUtils.injectCertification(secretKeys, secretKeys.getPublicKey(), directKeySig);
 
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t1);
         PGPSignature signature = info.getLatestDirectKeySelfSignature();
 
         assertNotNull(signature);

From 7189516dd4cc4b0022d9651881de22ca384b3815 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 13:46:32 +0200
Subject: [PATCH 0621/1450] Add documentation for modifyKeyRing(keys, date)

---
 .../src/main/java/org/pgpainless/PGPainless.java   | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index fd670fc9..3f71051f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -118,8 +118,8 @@ public final class PGPainless {
     }
 
     /**
-     * Make changes to a key ring.
-     * This method can be used to change key expiration dates and passphrases, or add/remove/revoke subkeys.
+     * Make changes to a secret key.
+     * This method can be used to change key expiration dates and passphrases, or add/revoke subkeys.
      *
      * After making the desired changes in the builder, the modified key ring can be extracted using {@link SecretKeyRingEditorInterface#done()}.
      *
@@ -130,6 +130,16 @@ public final class PGPainless {
         return modifyKeyRing(secretKeys, null);
     }
 
+    /**
+     * Make changes to a secret key at the given reference time.
+     * This method can be used to change key expiration dates and passphrases, or add/revoke user-ids and subkeys.
+     *
+     * After making the desired changes in the builder, the modified key can be extracted using {@link SecretKeyRingEditorInterface#done()}.
+     *
+     * @param secretKeys secret key ring
+     * @param referenceTime reference time used as signature creation date
+     * @return builder
+     */
     public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys, Date referenceTime) {
         return new SecretKeyRingEditor(secretKeys, referenceTime);
     }

From 3cd5a95d898703875c500391a14019e3eff14668 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 13:48:02 +0200
Subject: [PATCH 0622/1450] Rename inspectionDate to referenceTime

---
 .../src/main/java/org/pgpainless/PGPainless.java            | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 3f71051f..9ff2a3b0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -163,11 +163,11 @@ public final class PGPainless {
      * This method can be used to determine expiration dates, key flags and other information about a key at a specific time.
      *
      * @param keyRing key ring
-     * @param inspectionDate date of inspection
+     * @param referenceTime date of inspection
      * @return access object
      */
-    public static KeyRingInfo inspectKeyRing(PGPKeyRing keyRing, Date inspectionDate) {
-        return new KeyRingInfo(keyRing, inspectionDate);
+    public static KeyRingInfo inspectKeyRing(PGPKeyRing keyRing, Date referenceTime) {
+        return new KeyRingInfo(keyRing, referenceTime);
     }
 
     /**

From 3a33bb126a6f619ba662c52cf8b892bafc1c1d1a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 14:24:37 +0200
Subject: [PATCH 0623/1450] Add RNGPerformanceTest to help diagnose performance
 bottlenecks

Related to https://github.com/pgpainless/pgpainless/issues/309
---
 .../investigations/RNGPerformanceTest.java    | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/investigations/RNGPerformanceTest.java

diff --git a/pgpainless-core/src/test/java/investigations/RNGPerformanceTest.java b/pgpainless-core/src/test/java/investigations/RNGPerformanceTest.java
new file mode 100644
index 00000000..e583089d
--- /dev/null
+++ b/pgpainless-core/src/test/java/investigations/RNGPerformanceTest.java
@@ -0,0 +1,88 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package investigations;
+
+import org.bouncycastle.crypto.digests.SHA1Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.prng.DigestRandomGenerator;
+import org.junit.jupiter.api.Test;
+import org.junit.platform.commons.logging.Logger;
+import org.junit.platform.commons.logging.LoggerFactory;
+
+import java.security.SecureRandom;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Random;
+
+/**
+ * Evaluate performance of random number generators.
+ */
+public class RNGPerformanceTest {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(RNGPerformanceTest.class);
+    private static final int bytesInMebiByte = 1024 * 1024;
+
+    @Test
+    public void evaluateRandomPerformance() {
+        Random random = new Random();
+        byte[] bytes = new byte[bytesInMebiByte];
+
+        Instant start = Instant.now();
+        random.nextBytes(bytes);
+        Instant end = Instant.now();
+
+        Duration duration = Duration.between(start, end);
+        LOGGER.info(() -> String.format(
+                "Random.nextBytes() took %s milliseconds to generate 1 MiB of data",
+                duration.toMillis()));
+    }
+
+    @Test
+    public void evaluateSecureRandomPerformance() {
+        SecureRandom random = new SecureRandom();
+        byte[] bytes = new byte[bytesInMebiByte];
+
+        Instant start = Instant.now();
+        random.nextBytes(bytes);
+        Instant end = Instant.now();
+
+        Duration duration = Duration.between(start, end);
+        LOGGER.info(() -> String.format(
+                "SecureRandom.nextBytes() took %s milliseconds to generate 1 MiB of data",
+                duration.toMillis()));
+    }
+
+    @Test
+    public void evaluateSHA256BasedDigestRandomGeneratorPerformance() {
+        SHA256Digest digest = new SHA256Digest();
+        DigestRandomGenerator random = new DigestRandomGenerator(digest);
+        byte[] bytes = new byte[bytesInMebiByte];
+
+        Instant start = Instant.now();
+        random.nextBytes(bytes);
+        Instant end = Instant.now();
+
+        Duration duration = Duration.between(start, end);
+        LOGGER.info(() -> String.format(
+                "SHA256-based DigestRandomGenerator.nextBytes() took %s milliseconds to generate 1 MiB of data",
+                duration.toMillis()));
+    }
+
+    @Test
+    public void evaluateSHA1BasedDigestRandomGeneratorPerformance() {
+        SHA1Digest digest = new SHA1Digest();
+        DigestRandomGenerator random = new DigestRandomGenerator(digest);
+        byte[] bytes = new byte[bytesInMebiByte];
+
+        Instant start = Instant.now();
+        random.nextBytes(bytes);
+        Instant end = Instant.now();
+
+        Duration duration = Duration.between(start, end);
+        LOGGER.info(() -> String.format(
+                "SHA1-based DigestRandomGenerator.nextBytes() took %s milliseconds to generate 1 MiB of data",
+                duration.toMillis()));
+    }
+}

From f2903515e7d10bcbd107bc495aa5d294658631b1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 18:04:04 +0200
Subject: [PATCH 0624/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0421a2c8..8cc9f494 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,9 @@ SPDX-License-Identifier: CC0-1.0
 - Add `SigningOptions.addDetachedSignature(protector, key)` shortcut method
 - Add `EncryptionOptions.get()`, `ConsumerOptions.get()` factory methods
 - Add support for generating keys without user-id (only using `PGPainless.buildKeyRing()` for now)
+- Switch to `SHA256` as default `S2K` hash algorithm for secret key protection
+- Allow to set custom reference time when modifying secret keys
+- Add diagnostic test to explore system PRNG performance
 
 ## 1.3.5
 - Add `KeyRingInfo.isCapableOfSigning()`

From f6f9df6e7fc1a67587107b540eae6950712d896d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 18:04:38 +0200
Subject: [PATCH 0625/1450] PGPainless 1.3.6

---
 CHANGELOG.md   | 2 +-
 version.gradle | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8cc9f494..f558b3b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.6-SNAPSHOT
+## 1.3.6
 - Remove deprecated methods
   - `ArmorUtils.createArmoredOutputStreamFor()` -> use `ArmorUtils.toAsciiArmoredStream()` instead
   - `EncryptionResult.getSymmetricKeyAlgorithm()` -> use `EncryptionResult.getEncryptionAlgorithm()` instead
diff --git a/version.gradle b/version.gradle
index 3baa01be..cfe82d63 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.6'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From a188b62170f983838fc0b398ddbc5562b3c827c3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 18:06:28 +0200
Subject: [PATCH 0626/1450] PGPainless 1.3.7-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index cfe82d63..f361dc8d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.6'
-        isSnapshot = false
+        shortVersion = '1.3.7'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 7bff3128cbd3ab6007ed539d74634cf627ccfd16 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 3 Sep 2022 18:07:32 +0200
Subject: [PATCH 0627/1450] Update READMEs

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 2e14efc1..b8bd3c51 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.5'
+	implementation 'org.pgpainless:pgpainless-core:1.3.6'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index d5e22046..ad96b8dc 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.5"
+    implementation "org.pgpainless:pgpainless-sop:1.3.6"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.5
+        1.3.6
     
     ...
 

From 0d23809524cafe74b4f0777378e98b37987b87e6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 13:28:00 +0200
Subject: [PATCH 0628/1450] Update README of docs directory

---
 docs/README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/docs/README.md b/docs/README.md
index 73f97fab..f3e156ef 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -17,7 +17,15 @@ To build:
 $ make {html|epub|latexpdf}
 ```
 
-Note: Building diagrams from source requires `mermaid-cli` to be installed.
+Note: Diagrams are currently not built from source.
+Instead, pre-built image files are used directly, because there are issues with mermaid in CLI systems.
+
+If you want to build the diagrams from source, you need `mermaid-cli` to be installed on your system.
 ```shell
 $ npm install -g @mermaid-js/mermaid-cli
 ```
+
+You can then use `mmdc` to build/update single diagram files like this:
+```shell
+mmdc --theme default --width 1600 --backgroundColor transparent -i ecosystem_dia.md -o ecosystem_dia.svg
+```

From fb0908ffd10760f04a7d7b55ca4b82110ebe66c5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 13:46:12 +0200
Subject: [PATCH 0629/1450] Add explanation for secret key protector hint to
 documentation

---
 docs/source/pgpainless-core/passphrase.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/source/pgpainless-core/passphrase.md b/docs/source/pgpainless-core/passphrase.md
index 2c370006..3127ab25 100644
--- a/docs/source/pgpainless-core/passphrase.md
+++ b/docs/source/pgpainless-core/passphrase.md
@@ -81,6 +81,7 @@ unlikely in this key-space.
 Furthermore, multiple OpenPGP keys could contain the same subkey, but with different passphrases set.
 If the same `SecretKeyRingProtector` is used for two OpenPGP keys with the same subkey, but different passwords,
 the key-id collision will cause the password to be overwritten for one of the keys, which might result in issues.
+See `FLO-04-004 WP2` of the [2021 security audit](https://cure53.de/pentest-report_pgpainless.pdf) for more details.
 :::
 
 Most `SecretKeyRingProtector` implementations can be instantiated with custom `KeyRingProtectionSettings`.

From c80e0dd0d5cad7e6094656755a4660dbeac4b36b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 13:56:29 +0200
Subject: [PATCH 0630/1450] Add further information to docs index

---
 docs/source/index.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/source/index.rst b/docs/source/index.rst
index a29e6c03..06c115ec 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -20,6 +20,11 @@ PGPainless' goal is to empower you to use OpenPGP without needing to write all t
 Bouncy Castle.
 It aims to be secure by default while allowing customization if required.
 
+From its inception in 2018 as part of a `Google Summer of Code project `_,
+the library was steadily advanced.
+Since 2020, FlowCrypt is the primary sponsor of its development.
+In 2022, PGPainless received a `grant from NLnet for creating a Web-of-Trust implementation `_ as part of NGI Assure.
+
 
 Contents
 --------

From 70ce4d45f452aa22d7e6fad3184b296490786b31 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 14:20:11 +0200
Subject: [PATCH 0631/1450] Remove unused
 CRCinArmoredInputStreamWrapper.possiblyWrap()

---
 .../util/CRCingArmoredInputStreamWrapper.java        | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java b/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java
index ff97013a..2c43339b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/CRCingArmoredInputStreamWrapper.java
@@ -27,18 +27,6 @@ public class CRCingArmoredInputStreamWrapper extends ArmoredInputStream {
         this.inputStream = inputStream;
     }
 
-    public static InputStream possiblyWrap(InputStream inputStream) throws IOException {
-        if (inputStream instanceof CRCingArmoredInputStreamWrapper) {
-            return inputStream;
-        }
-
-        if (inputStream instanceof ArmoredInputStream) {
-            return new CRCingArmoredInputStreamWrapper((ArmoredInputStream) inputStream);
-        }
-
-        return inputStream;
-    }
-
     @Override
     public boolean isClearText() {
         return inputStream.isClearText();

From 4ec38bb63b9102d94a504e388cd0ce5358049331 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 14:37:23 +0200
Subject: [PATCH 0632/1450] Add tests for ArmoredInputStreamFactory

---
 .../util/ArmoredInputStreamFactoryTest.java   | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/ArmoredInputStreamFactoryTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmoredInputStreamFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmoredInputStreamFactoryTest.java
new file mode 100644
index 00000000..147b957d
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmoredInputStreamFactoryTest.java
@@ -0,0 +1,51 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.util;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class ArmoredInputStreamFactoryTest {
+
+    // Hello World!\n
+    String armored = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "owE7LZzEAAIeqTk5+Qrh+UU5KYpcAA==\n" +
+            "=g3nV\n" +
+            "-----END PGP MESSAGE-----";
+
+    @Test
+    public void testGet() throws IOException {
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(armored.getBytes());
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(inputStream);
+        assertNotNull(armorIn);
+    }
+
+    @Test
+    public void testGet_willWrapArmoredInputStreamWithCRC() throws IOException {
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(armored.getBytes());
+        ArmoredInputStream plainArmor = new ArmoredInputStream(inputStream);
+
+        ArmoredInputStream armor = ArmoredInputStreamFactory.get(plainArmor);
+        assertTrue(armor instanceof CRCingArmoredInputStreamWrapper);
+    }
+
+    @Test
+    public void testGet_onCRCinArmoredInputStream() throws IOException {
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(armored.getBytes());
+        CRCingArmoredInputStreamWrapper crc = new CRCingArmoredInputStreamWrapper(new ArmoredInputStream(inputStream));
+
+        ArmoredInputStream armor = ArmoredInputStreamFactory.get(crc);
+        assertSame(crc, armor);
+    }
+}

From 5be42b22bd45c8f087faf811c89824084e9d51cc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 14:45:22 +0200
Subject: [PATCH 0633/1450] Add test for KeyRingUtils.keysPlusPublicKey

---
 .../pgpainless/key/util/KeyRingUtilTest.java  | 42 +++++++++++++++----
 1 file changed, 34 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
index b75969fc..11fd5cd3 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/util/KeyRingUtilTest.java
@@ -4,16 +4,11 @@
 
 package org.pgpainless.key.util;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.util.Random;
-
 import org.bouncycastle.bcpg.attr.ImageAttribute;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureGenerator;
@@ -22,12 +17,26 @@ import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.generation.KeyRingBuilder;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.ecc.EllipticCurve;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.util.CollectionUtils;
 
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class KeyRingUtilTest {
 
     @Test
@@ -62,4 +71,21 @@ public class KeyRingUtilTest {
         assertEquals(userAttr, secretKeys.getPublicKey().getUserAttributes().next());
         assertEquals(sigCount + 1, CollectionUtils.iteratorToList(secretKeys.getPublicKey().getSignatures()).size());
     }
+
+    @Test
+    public void testKeysPlusPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
+        PGPPublicKeyRing publicKeys = PGPainless.extractCertificate(secretKeys);
+
+        PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(KeySpec.getBuilder(
+                KeyType.ECDH(EllipticCurve._P256), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).build());
+        PGPPublicKey pubkey = keyPair.getPublicKey();
+        assertFalse(pubkey.isMasterKey());
+
+        PGPSecretKeyRing secretKeysPlus = KeyRingUtils.keysPlusPublicKey(secretKeys, pubkey);
+        assertNotNull(secretKeysPlus.getPublicKey(pubkey.getKeyID()));
+
+        PGPPublicKeyRing publicKeysPlus = KeyRingUtils.keysPlusPublicKey(publicKeys, pubkey);
+        assertNotNull(publicKeysPlus.getPublicKey(pubkey.getKeyID()));
+    }
 }

From cd0b9603e7b80e84cb94c91644ebe86094cfed0b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 15:15:58 +0200
Subject: [PATCH 0634/1450] Add KeyRingUtils.injectCertification(keys,
 certification)

---
 .../org/pgpainless/key/util/KeyRingUtils.java    | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 66536b88..0bcdf8d1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -238,7 +238,21 @@ public final class KeyRingUtils {
     }
 
     /**
-     * Inject a key certification into the given key ring.
+     * Inject a key certification for the primary key into the given key ring.
+     *
+     * @param keyRing key ring
+     * @param certification key signature
+     * @return key ring with injected signature
+     * @param  either {@link PGPPublicKeyRing} or {@link PGPSecretKeyRing}
+     */
+    @Nonnull
+    public static  T injectCertification(@Nonnull T keyRing,
+                                                               @Nonnull PGPSignature certification) {
+        return injectCertification(keyRing, keyRing.getPublicKey(), certification);
+    }
+
+    /**
+     * Inject a key certification for the given key into the given key ring.
      *
      * @param keyRing key ring
      * @param certifiedKey signed public key

From 9106d98449ae28164c6ead62047156e1533d73e1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 15:25:29 +0200
Subject: [PATCH 0635/1450] Add tests for Certificate merging

---
 .../pgpainless/key/TestMergeCertificate.java  | 106 ++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java b/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java
new file mode 100644
index 00000000..34861a5c
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/TestMergeCertificate.java
@@ -0,0 +1,106 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.junit.JUtils;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.util.KeyRingUtils;
+import org.pgpainless.signature.SignatureUtils;
+import org.pgpainless.util.DateUtil;
+
+import java.io.IOException;
+import java.util.Date;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class TestMergeCertificate {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9F3E C7B3 3FCF 807E 516D  5DA1 C102 B0FC 9A1C 69E9\n" +
+            "Comment: Revik Okemi \n" +
+            "\n" +
+            "lFgEYxXwbRYJKwYBBAHaRw8BAQdAtAWpi1+uUUpe37nSQqybiLpcAoa5KhlpLZmk\n" +
+            "IkqLXn8AAP4s+6jp7OInR4PqasuH0YefMEfPu9ZY5ZHjq3HFoaqEpxTxtBhSZXZp\n" +
+            "ayBPa2VtaSA8cmV2QG9rZS5taT6IjwQTFgoAQQUCYxXwbQkQwQKw/JocaekWIQSf\n" +
+            "PsezP8+AflFtXaHBArD8mhxp6QKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAAi\n" +
+            "SAEApd8RdhvF33eiUgXlMBU3/ob1/NdMIbVJCBUXj7URYzUBAKxH+BwesiSagsXO\n" +
+            "KbQEOjzu1R7Nd2Hmf+gue9AVQQ0BnF0EYxXwbRIKKwYBBAGXVQEFAQEHQPLc0OH8\n" +
+            "8v+govDgUQs7gnM5NK3H+haFCsq/ILMBb48YAwEIBwAA/2CXgEXUIi4s38GaVbDK\n" +
+            "ts7nj3CWwEOAqtLsO8+QcXmoEyuIdQQYFgoAHQUCYxXwbQKeAQKbDAUWAgMBAAQL\n" +
+            "CQgHBRUKCQgLAAoJEMECsPyaHGnpO7AA/2zF7j5cgxCZ+Ws+ENj6Uzgq47kqsRxa\n" +
+            "Ii4kPjW1HmCtAP4rie2Z0ra/1alG/wu2bUtxHgEkeTBsHP8pOM5Xz4JVDZxYBGMV\n" +
+            "8G0WCSsGAQQB2kcPAQEHQHofxjdBzpFaLsiyEDRaotbB5/New7vdtAHV7t5rv1BU\n" +
+            "AAD/fnI4ilbhsRYaGSGX5ma7VfkgWiK7UQi04YpJVV3HOEYO/ojVBBgWCgB9BQJj\n" +
+            "FfBtAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCYxXwbQAKCRCUM1S1\n" +
+            "VUVbouF5AQDQUJIkFikWriyhSMWEUS52l0i3SlllmPCJuDc1dy389AD9FXCU5+W0\n" +
+            "GT2N1hRb8eIf+0aDiVLCdV3folVbuPaNvgcACgkQwQKw/Jocaem+GwD+NJD8EIdP\n" +
+            "Nf4Q3IvT9YFXEbilk+mKw3IdV68DsQxEtQoBAPkugEJxuI2XNEdl6sigtGF94q3u\n" +
+            "IzX9xT12kqD4GtgO\n" +
+            "=slQ4\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    private static final String SOFT_REVOCATION = "-----BEGIN PGP SIGNATURE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "iHsEIBYKAC0FAmMV8kcJEMECsPyaHGnpFiEEnz7Hsz/PgH5RbV2hwQKw/JocaekC\n" +
+            "hwACHQMAAMTqAP9XbUer/yjcAUOpbggqC35zrhzXi4/zc6QuuM9NSLnePwD/YZCn\n" +
+            "NoE+7B24C/SZVr7d4U0ryB2gNWJdvfMfQnGLaQA=\n" +
+            "=d2pq\n" +
+            "-----END PGP SIGNATURE-----";
+    private static final Date SOFT_REVOCATION_DATE = DateUtil.parseUTCDate("2022-09-05 12:57:43 UTC");
+
+    private static final String HARD_REVOCATION = "-----BEGIN PGP SIGNATURE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "iHsEIBYKAC0FAmMV8pUJEMECsPyaHGnpFiEEnz7Hsz/PgH5RbV2hwQKw/JocaekC\n" +
+            "hwACHQIAAFaCAQCZPxqJHe87GqLjaDuMdTPdI1dT8kuHvBC4LfhMP2VobQEAiCgQ\n" +
+            "WMqWZTfJmbhubnUhEnTu/+qPFiHChgDnaJmoMAk=\n" +
+            "=pl4A\n" +
+            "-----END PGP SIGNATURE-----";
+
+    @Test
+    public void testRevocationStateWithDifferentRevocationsMerged() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(certificate);
+        assertTrue(info.getRevocationState().isNotRevoked());
+
+        PGPSignature softRevocation = SignatureUtils.readSignatures(SOFT_REVOCATION).get(0);
+        PGPPublicKeyRing softRevoked = KeyRingUtils.injectCertification(certificate, softRevocation);
+
+        info = PGPainless.inspectKeyRing(softRevoked, softRevoked.getPublicKey().getCreationTime());
+        assertTrue(info.getRevocationState().isNotRevoked(),
+                "Expect: Cert is not revoked at creation time, although we already added soft revocation");
+
+        info = KeyRingInfo.evaluateForSignature(softRevoked, softRevocation);
+        assertTrue(info.getRevocationState().isSoftRevocation(), "Expect: Cert is now revoked, since now is after soft revocation creation");
+        JUtils.assertDateEquals(SOFT_REVOCATION_DATE, info.getRevocationDate());
+
+        PGPSignature hardRevocation = SignatureUtils.readSignatures(HARD_REVOCATION).get(0);
+        PGPPublicKeyRing hardRevoked = KeyRingUtils.injectCertification(certificate, hardRevocation);
+
+        info = PGPainless.inspectKeyRing(hardRevoked);
+        assertTrue(info.getRevocationState().isHardRevocation());
+
+        info = PGPainless.inspectKeyRing(hardRevoked, hardRevoked.getPublicKey().getCreationTime());
+        assertTrue(info.getRevocationState().isHardRevocation(), "Expect: Key is hard revoked, no matter reference time");
+
+        PGPPublicKeyRing merged = PGPainless.mergeCertificate(certificate, softRevoked);
+        info = PGPainless.inspectKeyRing(merged);
+        assertTrue(info.getRevocationState().isSoftRevocation());
+
+        merged = PGPainless.mergeCertificate(merged, hardRevoked);
+        info = PGPainless.inspectKeyRing(merged);
+        assertTrue(info.getRevocationState().isHardRevocation());
+    }
+}

From 0bafc410a02f1a6b807292654bc09108206b0004 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 15:41:58 +0200
Subject: [PATCH 0636/1450] Add missing parseAndCombineSignatures call

For some reason this was missing from the single-byte read() method
of the SignatureInputStream, causing issues if draining the stream
byte by byte
---
 .../pgpainless/decryption_verification/SignatureInputStream.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
index 33e6139b..42ca4dc9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
@@ -67,6 +67,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
             final int data = super.read();
             final boolean endOfStream = data == -1;
             if (endOfStream) {
+                parseAndCombineSignatures();
                 verifyOnePassSignatures();
                 verifyDetachedSignatures();
             } else {

From 0dd54f27b7eeab8ce78c4dc52af3c8d6dc256c38 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 15:43:32 +0200
Subject: [PATCH 0637/1450] Add test for processing message byte by byte

---
 .../DecryptAndVerifyMessageTest.java          | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
index 152f4c33..f7402238 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
@@ -78,4 +78,44 @@ public class DecryptAndVerifyMessageTest {
         assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.JULIET_FINGERPRINT));
         assertEquals(new SubkeyIdentifier(TestKeys.JULIET_FINGERPRINT), metadata.getDecryptionKey());
     }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void decryptMessageAndVerifySignatureByteByByteTest() throws Exception {
+        String encryptedMessage = TestKeys.MSG_SIGN_CRYPT_JULIET_JULIET;
+
+        ConsumerOptions options = new ConsumerOptions()
+                .addDecryptionKey(juliet)
+                .addVerificationCert(KeyRingUtils.publicKeyRingFrom(juliet));
+
+        DecryptionStream decryptor = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(encryptedMessage.getBytes()))
+                .withOptions(options);
+
+        ByteArrayOutputStream toPlain = new ByteArrayOutputStream();
+        int r;
+        while ((r = decryptor.read()) != -1) {
+            toPlain.write(r);
+        }
+
+        decryptor.close();
+        toPlain.close();
+        OpenPgpMetadata metadata = decryptor.getResult();
+
+        byte[] expected = TestKeys.TEST_MESSAGE_01_PLAIN.getBytes(UTF8);
+        byte[] actual = toPlain.toByteArray();
+
+        assertArrayEquals(expected, actual);
+
+        assertTrue(metadata.isEncrypted());
+        assertTrue(metadata.isSigned());
+        assertFalse(metadata.isCleartextSigned());
+        assertTrue(metadata.isVerified());
+        assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
+        assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getSymmetricKeyAlgorithm());
+        assertEquals(1, metadata.getSignatures().size());
+        assertEquals(1, metadata.getVerifiedSignatures().size());
+        assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.JULIET_FINGERPRINT));
+        assertEquals(new SubkeyIdentifier(TestKeys.JULIET_FINGERPRINT), metadata.getDecryptionKey());
+    }
 }

From bed18dc0adeda70fa4fd2f85398107842eccc846 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Sep 2022 15:51:19 +0200
Subject: [PATCH 0638/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f558b3b3..250a80c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.7-SNAPSHOT
+- Add `KeyRingUtils.injectCertification(keys, certification)`
+- Bugfix: Fix signature verification when `DecryptionStream` is drained byte-by-byte using `read()` call
+
 ## 1.3.6
 - Remove deprecated methods
   - `ArmorUtils.createArmoredOutputStreamFor()` -> use `ArmorUtils.toAsciiArmoredStream()` instead

From 31c4570d10a3252dd5e596440af4410e789907fb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 13:48:59 +0200
Subject: [PATCH 0639/1450] Move finalization of signatures into own method

---
 .../SignatureInputStream.java                      | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
index 42ca4dc9..275acc17 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
@@ -67,9 +67,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
             final int data = super.read();
             final boolean endOfStream = data == -1;
             if (endOfStream) {
-                parseAndCombineSignatures();
-                verifyOnePassSignatures();
-                verifyDetachedSignatures();
+                finalizeSignatures();
             } else {
                 byte b = (byte) data;
                 updateOnePassSignatures(b);
@@ -84,9 +82,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
 
             final boolean endOfStream = read == -1;
             if (endOfStream) {
-                parseAndCombineSignatures();
-                verifyOnePassSignatures();
-                verifyDetachedSignatures();
+                finalizeSignatures();
             } else {
                 updateOnePassSignatures(b, off, read);
                 updateDetachedSignatures(b, off, read);
@@ -94,6 +90,12 @@ public abstract class SignatureInputStream extends FilterInputStream {
             return read;
         }
 
+        private void finalizeSignatures() {
+            parseAndCombineSignatures();
+            verifyOnePassSignatures();
+            verifyDetachedSignatures();
+        }
+
         public void parseAndCombineSignatures() {
             if (objectFactory == null) {
                 return;

From e78880602a002db5269e5416ae1d1d01c4dfdfe8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 17:29:04 +0200
Subject: [PATCH 0640/1450] Add diagram of pushdown automaton for the OpenPGP
 Message Format

---
 misc/OpenPGPMessageFormat.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 misc/OpenPGPMessageFormat.md

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
new file mode 100644
index 00000000..daaa715e
--- /dev/null
+++ b/misc/OpenPGPMessageFormat.md
@@ -0,0 +1,30 @@
+
+
+# Pushdown Automaton for the OpenPGP Message Format
+
+See [RFC4880 §11.3. OpenPGP Messages](https://www.rfc-editor.org/rfc/rfc4880#section-11.3) for the formal definition.
+
+A simulation of the automaton can be found [here](https://automatonsimulator.com/#%7B%22type%22%3A%22PDA%22%2C%22pda%22%3A%7B%22transitions%22%3A%7B%22start%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s12%22%2C%22stackPushChar%22%3A%22%23%22%7D%5D%2C%22%23%22%3A%5B%5D%7D%7D%2C%22s0%22%3A%7B%22C%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%2C%22L%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s1%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%2C%22o%22%3A%5B%5D%7D%2C%22O%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s9%22%2C%22stackPushChar%22%3A%22o%22%7D%5D%7D%2C%22E%22%3A%7B%22M%22%3A%5B%5D%7D%2C%22p%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s1%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s6%22%3A%7B%22p%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s8%22%3A%7B%22%22%3A%7B%22E%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s9%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s10%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s4%22%3A%7B%22%22%3A%7B%22o%22%3A%5B%5D%7D%7D%2C%22s12%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%7D%2C%22startState%22%3A%22start%22%2C%22acceptStates%22%3A%5B%22s4%22%5D%7D%2C%22states%22%3A%7B%22start%22%3A%7B%7D%2C%22s12%22%3A%7B%22top%22%3A395.00001525878906%2C%22left%22%3A99%2C%22displayId%22%3A%22Add%20Terminal%22%7D%2C%22s0%22%3A%7B%22top%22%3A259.00001525878906%2C%22left%22%3A162%2C%22displayId%22%3A%22OpenPGP%20Message%22%7D%2C%22s1%22%3A%7B%22top%22%3A304.00001525878906%2C%22left%22%3A524%2C%22displayId%22%3A%22Literal%20Message%22%7D%2C%22s9%22%3A%7B%22top%22%3A476.00001525878906%2C%22left%22%3A282%2C%22displayId%22%3A%22One%20Pass%20Signatures%22%7D%2C%22s6%22%3A%7B%22top%22%3A100%2C%22left%22%3A324%2C%22displayId%22%3A%22ESKs%22%7D%2C%22s8%22%3A%7B%22top%22%3A202%2C%22left%22%3A471%2C%22displayId%22%3A%22Encrypted%20Data%22%7D%2C%22s4%22%3A%7B%22isAccept%22%3Atrue%2C%22top%22%3A381.00001525878906%2C%22left%22%3A832%2C%22displayId%22%3A%22Accept%22%7D%2C%22s10%22%3A%7B%22top%22%3A237.00001525878906%2C%22left%22%3A809%2C%22displayId%22%3A%22Corresponding%20Signatures%22%7D%7D%2C%22transitions%22%3A%5B%7B%22stateA%22%3A%22start%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2C%23%22%2C%22stateB%22%3A%22s12%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22C%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22L%2CM%2C%CF%B5%22%2C%22stateB%22%3A%22s1%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22S%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22O%2CM%2Co%22%2C%22stateB%22%3A%22s9%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22p%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22s%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22I%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22J%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22p%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22s%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22I%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22J%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s8%22%2C%22label%22%3A%22%CF%B5%2CE%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s9%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s12%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%5D%2C%22bulkTests%22%3A%7B%22accept%22%3A%22L%5CnCL%5CnCCL%5CnSL%5CnSSL%5CnSCL%5CnSpICL%5CnOLS%5CnOOLSS%5CnCspIL%5CnppppJCOLS%5CnOspILS%5CnOpJCLS%5CnOCLS%5CnCOCLS%22%2C%22reject%22%3A%22C%5CnO%5CnOL%5CnLS%5CnLL%5CnS%5Cns%5Cnp%5CnOOLS%22%7D%7D).
+
+```mermaid
+graph LR
+    start((start)) -- "Îĩ,Îĩ/m#" --> pgpmsg((OpenPGP Message))
+    pgpmsg -- "Literal Data,m/Îĩ" --> literal((Literal Message))
+    literal -- "Îĩ,#/Îĩ" --> accept((Valid))
+    literal -- "Signature,o/Îĩ" --> sig4ops((Corresponding Signature))
+    sig4ops -- "Signature,o/Îĩ" --> sig4ops
+    sig4ops -- "Îĩ,#/Îĩ" --> accept
+    pgpmsg -- "OnePassSignature,m/o" --> ops((One-Pass-Signed Message))
+    ops -- "Îĩ,Îĩ/m" --> pgpmsg
+    pgpmsg -- "Signature,m/m" --> pgpmsg
+    pgpmsg -. "Compressed Data,m/m" .-> pgpmsg
+    pgpmsg -- "SKESK|PKESK,m/k" --> esks((ESKs))
+    pgpmsg -- "Sym. Enc. (Int. Prot.) Data,m/e" --> enc
+    esks -- "SKESK|PKESK,k/k" --> esks
+    esks -- "Sym. Enc. (Int. Prot.) Data,k/e" --> enc((Encrypted Data))
+    enc -. "Îĩ,e/m" .-> pgpmsg
+```
\ No newline at end of file

From 27476831d927f35879dd49fba726a0c6526821fb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 17:56:46 +0200
Subject: [PATCH 0641/1450] Add hint about dotted line in message format
 diagram

---
 misc/OpenPGPMessageFormat.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index daaa715e..524798df 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -27,4 +27,8 @@ graph LR
     esks -- "SKESK|PKESK,k/k" --> esks
     esks -- "Sym. Enc. (Int. Prot.) Data,k/e" --> enc((Encrypted Data))
     enc -. "Îĩ,e/m" .-> pgpmsg
-```
\ No newline at end of file
+```
+
+The dotted line indicates a nested transition.
+For example the arrow `Compressed Data,m/m` indicates, that the content of the Compressed Data packet itself
+is an OpenPGP Message.
\ No newline at end of file

From 36cb6918a4a127e3cac017e275c6ce5901d472ed Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 18:16:11 +0200
Subject: [PATCH 0642/1450] Refine PDA diagram

---
 misc/OpenPGPMessageFormat.md | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index 524798df..d713d295 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -21,12 +21,17 @@ graph LR
     pgpmsg -- "OnePassSignature,m/o" --> ops((One-Pass-Signed Message))
     ops -- "Îĩ,Îĩ/m" --> pgpmsg
     pgpmsg -- "Signature,m/m" --> pgpmsg
-    pgpmsg -. "Compressed Data,m/m" .-> pgpmsg
+    pgpmsg -- "Compressed Data,m/Îĩ" --> comp((Compressed Message))
+    comp -. "Îĩ,Îĩ/m" .-> pgpmsg
+    comp -- "Îĩ,#/Îĩ" --> accept
+    comp -- "Signature,o/Îĩ" --> sig4ops
     pgpmsg -- "SKESK|PKESK,m/k" --> esks((ESKs))
-    pgpmsg -- "Sym. Enc. (Int. Prot.) Data,m/e" --> enc
+    pgpmsg -- "Sym. Enc. (Int. Prot.) Data,m/Îĩ" --> enc
     esks -- "SKESK|PKESK,k/k" --> esks
-    esks -- "Sym. Enc. (Int. Prot.) Data,k/e" --> enc((Encrypted Data))
-    enc -. "Îĩ,e/m" .-> pgpmsg
+    esks -- "Sym. Enc. (Int. Prot.) Data,k/Îĩ" --> enc((Encrypted Message))
+    enc -. "Îĩ,Îĩ/m" .-> pgpmsg
+    enc -- "Îĩ,#/Îĩ" --> accept
+    enc -- "Signature,o/Îĩ" --> sig4ops
 ```
 
 The dotted line indicates a nested transition.

From ba5eea8b9c03bff824172d120415b67ec1dfd5e8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 18:27:54 +0200
Subject: [PATCH 0643/1450] Add alphabet description

---
 misc/OpenPGPMessageFormat.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index d713d295..36b787ce 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -34,6 +34,27 @@ graph LR
     enc -- "Signature,o/Îĩ" --> sig4ops
 ```
 
+The input alphabet consists of the following OpenPGP packets:
+* `Literal Data`: Literal Data Packet
+* `Signature`: Signature Packet
+* `OnePassSignature`: One-Pass-Signature Packet
+* `Compressed Data`: Compressed Data Packet
+* `SKESK`: Symmetric-Key Encrypted Session Key Packet
+* `PKESK`: Public-Key Encrypted Session Key Packet
+* `Sym. Enc. Data`: Symmetrically Encrypted Data Packet
+* `Sym. Enc. Int. Prot. Data`: Symmetrically Encrypted Integrity Protected Data Packet
+
+Additionally, `Îĩ` is used to transition without reading OpenPGP packets.
+
+The following stack alphabet is used:
+* `m`: OpenPGP Message
+* `o`: One-Pass-Signature packet.
+* `k`: Encrypted Session Key
+* `#`: Terminal for valid OpenPGP messages
+
+Note: The standards document states, that Marker Packets shall be ignored as well.
+For the sake of readability, those transitions are omitted here.
+
 The dotted line indicates a nested transition.
 For example the arrow `Compressed Data,m/m` indicates, that the content of the Compressed Data packet itself
 is an OpenPGP Message.
\ No newline at end of file

From 21cadcb8eb6e6f4d2eb5d0c8ee3c2d5987ca0a84 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 18:33:36 +0200
Subject: [PATCH 0644/1450] Introduce dedicated state for Signed Message

---
 misc/OpenPGPMessageFormat.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index 36b787ce..c3631109 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -20,7 +20,8 @@ graph LR
     sig4ops -- "Îĩ,#/Îĩ" --> accept
     pgpmsg -- "OnePassSignature,m/o" --> ops((One-Pass-Signed Message))
     ops -- "Îĩ,Îĩ/m" --> pgpmsg
-    pgpmsg -- "Signature,m/m" --> pgpmsg
+    pgpmsg -- "Signature,m/Îĩ" --> signed((Signed Message))
+    signed -- "Îĩ,Îĩ/m" --> pgpmsg
     pgpmsg -- "Compressed Data,m/Îĩ" --> comp((Compressed Message))
     comp -. "Îĩ,Îĩ/m" .-> pgpmsg
     comp -- "Îĩ,#/Îĩ" --> accept

From c01f2db5ef32ac8e5b5078d7c73bdcae8bb3af01 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 19:35:41 +0200
Subject: [PATCH 0645/1450] Add formal definition of PDA

---
 misc/OpenPGPMessageFormat.md | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index c3631109..32943eff 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -10,6 +10,8 @@ See [RFC4880 §11.3. OpenPGP Messages](https://www.rfc-editor.org/rfc/rfc4880#se
 
 A simulation of the automaton can be found [here](https://automatonsimulator.com/#%7B%22type%22%3A%22PDA%22%2C%22pda%22%3A%7B%22transitions%22%3A%7B%22start%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s12%22%2C%22stackPushChar%22%3A%22%23%22%7D%5D%2C%22%23%22%3A%5B%5D%7D%7D%2C%22s0%22%3A%7B%22C%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%2C%22L%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s1%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%2C%22o%22%3A%5B%5D%7D%2C%22O%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s9%22%2C%22stackPushChar%22%3A%22o%22%7D%5D%7D%2C%22E%22%3A%7B%22M%22%3A%5B%5D%7D%2C%22p%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s1%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s6%22%3A%7B%22p%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s8%22%3A%7B%22%22%3A%7B%22E%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s9%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s10%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s4%22%3A%7B%22%22%3A%7B%22o%22%3A%5B%5D%7D%7D%2C%22s12%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%7D%2C%22startState%22%3A%22start%22%2C%22acceptStates%22%3A%5B%22s4%22%5D%7D%2C%22states%22%3A%7B%22start%22%3A%7B%7D%2C%22s12%22%3A%7B%22top%22%3A395.00001525878906%2C%22left%22%3A99%2C%22displayId%22%3A%22Add%20Terminal%22%7D%2C%22s0%22%3A%7B%22top%22%3A259.00001525878906%2C%22left%22%3A162%2C%22displayId%22%3A%22OpenPGP%20Message%22%7D%2C%22s1%22%3A%7B%22top%22%3A304.00001525878906%2C%22left%22%3A524%2C%22displayId%22%3A%22Literal%20Message%22%7D%2C%22s9%22%3A%7B%22top%22%3A476.00001525878906%2C%22left%22%3A282%2C%22displayId%22%3A%22One%20Pass%20Signatures%22%7D%2C%22s6%22%3A%7B%22top%22%3A100%2C%22left%22%3A324%2C%22displayId%22%3A%22ESKs%22%7D%2C%22s8%22%3A%7B%22top%22%3A202%2C%22left%22%3A471%2C%22displayId%22%3A%22Encrypted%20Data%22%7D%2C%22s4%22%3A%7B%22isAccept%22%3Atrue%2C%22top%22%3A381.00001525878906%2C%22left%22%3A832%2C%22displayId%22%3A%22Accept%22%7D%2C%22s10%22%3A%7B%22top%22%3A237.00001525878906%2C%22left%22%3A809%2C%22displayId%22%3A%22Corresponding%20Signatures%22%7D%7D%2C%22transitions%22%3A%5B%7B%22stateA%22%3A%22start%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2C%23%22%2C%22stateB%22%3A%22s12%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22C%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22L%2CM%2C%CF%B5%22%2C%22stateB%22%3A%22s1%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22S%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22O%2CM%2Co%22%2C%22stateB%22%3A%22s9%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22p%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22s%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22I%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22J%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22p%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22s%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22I%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22J%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s8%22%2C%22label%22%3A%22%CF%B5%2CE%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s9%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s12%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%5D%2C%22bulkTests%22%3A%7B%22accept%22%3A%22L%5CnCL%5CnCCL%5CnSL%5CnSSL%5CnSCL%5CnSpICL%5CnOLS%5CnOOLSS%5CnCspIL%5CnppppJCOLS%5CnOspILS%5CnOpJCLS%5CnOCLS%5CnCOCLS%22%2C%22reject%22%3A%22C%5CnO%5CnOL%5CnLS%5CnLL%5CnS%5Cns%5Cnp%5CnOOLS%22%7D%7D).
 
+The graph representation of the [Pushdown Automaton](https://en.wikipedia.org/wiki/Pushdown_automaton) looks like the following:
+
 ```mermaid
 graph LR
     start((start)) -- "Îĩ,Îĩ/m#" --> pgpmsg((OpenPGP Message))
@@ -35,6 +37,20 @@ graph LR
     enc -- "Signature,o/Îĩ" --> sig4ops
 ```
 
+Formally, the PDA is defined as $M = (\mathcal{Q}, \Sigma, \Upgamma, \delta, q_0, Z, F)$, where
+* $\mathcal{Q}$ is a finite set of states
+* $\Sigma$ is a finite set which is called the input alphabet
+* $\Upgamma$ is a finite set which is called the stack alphabet
+* $\delta$ is a finite set of $\mathcal{Q}\times(\Sigma\cup\{\epsilon\})\times\Upgamma\times\mathcal{Q}\times\Upgamma^*$, the transition relation
+* $q_0\in\mathcal{Q}$ is the start state
+* $Z\in\Upgamma$ is the initial stack symbol
+* $F\subseteq\mathcal{Q}$ is the set of accepting states
+
+In our diagram, the initial state $q_0$ is called `start`.
+The initial stack symbol $Z$ is `Îĩ` (TODO: Make it `#`?).
+The set of accepting states is $F=\text{valid}$.
+$\delta$ is defined by the transitions shown in the graph diagram.
+
 The input alphabet consists of the following OpenPGP packets:
 * `Literal Data`: Literal Data Packet
 * `Signature`: Signature Packet
@@ -57,5 +73,5 @@ Note: The standards document states, that Marker Packets shall be ignored as wel
 For the sake of readability, those transitions are omitted here.
 
 The dotted line indicates a nested transition.
-For example the arrow `Compressed Data,m/m` indicates, that the content of the Compressed Data packet itself
-is an OpenPGP Message.
\ No newline at end of file
+For example, the transition `(Compressed Message, Îĩ, Îĩ, OpenPGP Message, m)`  indicates, that the content of the
+Compressed Data packet itself is an OpenPGP Message.
\ No newline at end of file

From acb845d28060698c3b0e200ee0b24f6898928fa4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 19:37:36 +0200
Subject: [PATCH 0646/1450] Change transition to latex

---
 misc/OpenPGPMessageFormat.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index 32943eff..6643de33 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -73,5 +73,5 @@ Note: The standards document states, that Marker Packets shall be ignored as wel
 For the sake of readability, those transitions are omitted here.
 
 The dotted line indicates a nested transition.
-For example, the transition `(Compressed Message, Îĩ, Îĩ, OpenPGP Message, m)`  indicates, that the content of the
+For example, the transition $(\text{Compressed Message}, \epsilon, \epsilon, \text{OpenPGP Message}, m)$  indicates, that the content of the
 Compressed Data packet itself is an OpenPGP Message.
\ No newline at end of file

From 14941e77b34f3c5f95211dc4785234a3c4b2d341 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 19:54:50 +0200
Subject: [PATCH 0647/1450] More latex, less markdown

---
 misc/OpenPGPMessageFormat.md | 38 ++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index 6643de33..94412958 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -41,32 +41,32 @@ Formally, the PDA is defined as $M = (\mathcal{Q}, \Sigma, \Upgamma, \delta, q_0
 * $\mathcal{Q}$ is a finite set of states
 * $\Sigma$ is a finite set which is called the input alphabet
 * $\Upgamma$ is a finite set which is called the stack alphabet
-* $\delta$ is a finite set of $\mathcal{Q}\times(\Sigma\cup\{\epsilon\})\times\Upgamma\times\mathcal{Q}\times\Upgamma^*$, the transition relation
+* $\delta$ is a finite set of $\mathcal{Q}\times(\Sigma\cup\textbraceleft\epsilon\textbraceright)\times\Upgamma\times\mathcal{Q}\times\Upgamma^*$, the transition relation
 * $q_0\in\mathcal{Q}$ is the start state
 * $Z\in\Upgamma$ is the initial stack symbol
 * $F\subseteq\mathcal{Q}$ is the set of accepting states
 
-In our diagram, the initial state $q_0$ is called `start`.
-The initial stack symbol $Z$ is `Îĩ` (TODO: Make it `#`?).
-The set of accepting states is $F=\text{valid}$.
+In our diagram, the initial state is $q_0 = \text{start}$.
+The initial stack symbol is $Z=\epsilon$ (TODO: Make it `#`?).
+The set of accepting states is $F=\textbraceleft\text{valid}\textbraceright$.
 $\delta$ is defined by the transitions shown in the graph diagram.
 
-The input alphabet consists of the following OpenPGP packets:
-* `Literal Data`: Literal Data Packet
-* `Signature`: Signature Packet
-* `OnePassSignature`: One-Pass-Signature Packet
-* `Compressed Data`: Compressed Data Packet
-* `SKESK`: Symmetric-Key Encrypted Session Key Packet
-* `PKESK`: Public-Key Encrypted Session Key Packet
-* `Sym. Enc. Data`: Symmetrically Encrypted Data Packet
-* `Sym. Enc. Int. Prot. Data`: Symmetrically Encrypted Integrity Protected Data Packet
+The input alphabet $\Sigma$ consists of the following OpenPGP packets:
+* $\text{Literal Data}$: Literal Data Packet
+* $\text{Signature}$: Signature Packet
+* $\text{OnePassSignature}$: One-Pass-Signature Packet
+* $\text{Compressed Data}$: Compressed Data Packet
+* $\text{SKESK}$: Symmetric-Key Encrypted Session Key Packet
+* $\text{PKESK}$: Public-Key Encrypted Session Key Packet
+* $\text{Sym. Enc. Data}$: Symmetrically Encrypted Data Packet
+* $\text{Sym. Enc. Int. Prot. Data}$: Symmetrically Encrypted Integrity Protected Data Packet
 
-Additionally, `Îĩ` is used to transition without reading OpenPGP packets.
+Additionally, $\epsilon$ is used to transition without reading OpenPGP packets or popping the stack.
 
-The following stack alphabet is used:
-* `m`: OpenPGP Message
-* `o`: One-Pass-Signature packet.
-* `k`: Encrypted Session Key
+The following stack alphabet $\Upgamma$ is used:
+* $m$: OpenPGP Message
+* $o$: One-Pass-Signature packet.
+* $k$: Encrypted Session Key
 * `#`: Terminal for valid OpenPGP messages
 
 Note: The standards document states, that Marker Packets shall be ignored as well.
@@ -74,4 +74,4 @@ For the sake of readability, those transitions are omitted here.
 
 The dotted line indicates a nested transition.
 For example, the transition $(\text{Compressed Message}, \epsilon, \epsilon, \text{OpenPGP Message}, m)$  indicates, that the content of the
-Compressed Data packet itself is an OpenPGP Message.
\ No newline at end of file
+Compressed Data packet itself is an OpenPGP Message.

From bf0370fdc1ba22e5c6a25a894b3260f1a4baed1d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 7 Sep 2022 20:32:47 +0200
Subject: [PATCH 0648/1450] Add grammar from RFC to diagram

---
 misc/OpenPGPMessageFormat.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/misc/OpenPGPMessageFormat.md b/misc/OpenPGPMessageFormat.md
index 94412958..d04160cc 100644
--- a/misc/OpenPGPMessageFormat.md
+++ b/misc/OpenPGPMessageFormat.md
@@ -10,7 +10,39 @@ See [RFC4880 §11.3. OpenPGP Messages](https://www.rfc-editor.org/rfc/rfc4880#se
 
 A simulation of the automaton can be found [here](https://automatonsimulator.com/#%7B%22type%22%3A%22PDA%22%2C%22pda%22%3A%7B%22transitions%22%3A%7B%22start%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s12%22%2C%22stackPushChar%22%3A%22%23%22%7D%5D%2C%22%23%22%3A%5B%5D%7D%7D%2C%22s0%22%3A%7B%22C%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%2C%22L%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s1%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%2C%22o%22%3A%5B%5D%7D%2C%22O%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s9%22%2C%22stackPushChar%22%3A%22o%22%7D%5D%7D%2C%22E%22%3A%7B%22M%22%3A%5B%5D%7D%2C%22p%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22M%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s1%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s6%22%3A%7B%22p%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22s%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s6%22%2C%22stackPushChar%22%3A%22X%22%7D%5D%7D%2C%22I%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%2C%22J%22%3A%7B%22X%22%3A%5B%7B%22state%22%3A%22s8%22%2C%22stackPushChar%22%3A%22E%22%7D%5D%7D%7D%2C%22s8%22%3A%7B%22%22%3A%7B%22E%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s9%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%2C%22s10%22%3A%7B%22%22%3A%7B%22%22%3A%5B%5D%2C%22%23%22%3A%5B%7B%22state%22%3A%22s4%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%2C%22S%22%3A%7B%22o%22%3A%5B%7B%22state%22%3A%22s10%22%2C%22stackPushChar%22%3A%22%22%7D%5D%7D%7D%2C%22s4%22%3A%7B%22%22%3A%7B%22o%22%3A%5B%5D%7D%7D%2C%22s12%22%3A%7B%22%22%3A%7B%22%22%3A%5B%7B%22state%22%3A%22s0%22%2C%22stackPushChar%22%3A%22M%22%7D%5D%7D%7D%7D%2C%22startState%22%3A%22start%22%2C%22acceptStates%22%3A%5B%22s4%22%5D%7D%2C%22states%22%3A%7B%22start%22%3A%7B%7D%2C%22s12%22%3A%7B%22top%22%3A395.00001525878906%2C%22left%22%3A99%2C%22displayId%22%3A%22Add%20Terminal%22%7D%2C%22s0%22%3A%7B%22top%22%3A259.00001525878906%2C%22left%22%3A162%2C%22displayId%22%3A%22OpenPGP%20Message%22%7D%2C%22s1%22%3A%7B%22top%22%3A304.00001525878906%2C%22left%22%3A524%2C%22displayId%22%3A%22Literal%20Message%22%7D%2C%22s9%22%3A%7B%22top%22%3A476.00001525878906%2C%22left%22%3A282%2C%22displayId%22%3A%22One%20Pass%20Signatures%22%7D%2C%22s6%22%3A%7B%22top%22%3A100%2C%22left%22%3A324%2C%22displayId%22%3A%22ESKs%22%7D%2C%22s8%22%3A%7B%22top%22%3A202%2C%22left%22%3A471%2C%22displayId%22%3A%22Encrypted%20Data%22%7D%2C%22s4%22%3A%7B%22isAccept%22%3Atrue%2C%22top%22%3A381.00001525878906%2C%22left%22%3A832%2C%22displayId%22%3A%22Accept%22%7D%2C%22s10%22%3A%7B%22top%22%3A237.00001525878906%2C%22left%22%3A809%2C%22displayId%22%3A%22Corresponding%20Signatures%22%7D%7D%2C%22transitions%22%3A%5B%7B%22stateA%22%3A%22start%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2C%23%22%2C%22stateB%22%3A%22s12%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22C%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22L%2CM%2C%CF%B5%22%2C%22stateB%22%3A%22s1%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22S%2CM%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22O%2CM%2Co%22%2C%22stateB%22%3A%22s9%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22p%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22s%2CM%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22I%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s0%22%2C%22label%22%3A%22J%2CM%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s1%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22p%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22s%2CX%2CX%22%2C%22stateB%22%3A%22s6%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22I%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s6%22%2C%22label%22%3A%22J%2CX%2CE%22%2C%22stateB%22%3A%22s8%22%7D%2C%7B%22stateA%22%3A%22s8%22%2C%22label%22%3A%22%CF%B5%2CE%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s9%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22%CF%B5%2C%23%2C%CF%B5%22%2C%22stateB%22%3A%22s4%22%7D%2C%7B%22stateA%22%3A%22s10%22%2C%22label%22%3A%22S%2Co%2C%CF%B5%22%2C%22stateB%22%3A%22s10%22%7D%2C%7B%22stateA%22%3A%22s12%22%2C%22label%22%3A%22%CF%B5%2C%CF%B5%2CM%22%2C%22stateB%22%3A%22s0%22%7D%5D%2C%22bulkTests%22%3A%7B%22accept%22%3A%22L%5CnCL%5CnCCL%5CnSL%5CnSSL%5CnSCL%5CnSpICL%5CnOLS%5CnOOLSS%5CnCspIL%5CnppppJCOLS%5CnOspILS%5CnOpJCLS%5CnOCLS%5CnCOCLS%22%2C%22reject%22%3A%22C%5CnO%5CnOL%5CnLS%5CnLL%5CnS%5Cns%5Cnp%5CnOOLS%22%7D%7D).
 
-The graph representation of the [Pushdown Automaton](https://en.wikipedia.org/wiki/Pushdown_automaton) looks like the following:
+RFC4880 defines the grammar of OpenPGP messages as follows:
+```
+   OpenPGP Message :- Encrypted Message | Signed Message |
+                      Compressed Message | Literal Message.
+
+   Compressed Message :- Compressed Data Packet.
+
+   Literal Message :- Literal Data Packet.
+
+   ESK :- Public-Key Encrypted Session Key Packet |
+          Symmetric-Key Encrypted Session Key Packet.
+
+   ESK Sequence :- ESK | ESK Sequence, ESK.
+
+   Encrypted Data :- Symmetrically Encrypted Data Packet |
+         Symmetrically Encrypted Integrity Protected Data Packet
+
+   Encrypted Message :- Encrypted Data | ESK Sequence, Encrypted Data.
+
+   One-Pass Signed Message :- One-Pass Signature Packet,
+               OpenPGP Message, Corresponding Signature Packet.
+
+   Signed Message :- Signature Packet, OpenPGP Message |
+               One-Pass Signed Message.
+
+   In addition, decrypting a Symmetrically Encrypted Data packet or a
+   Symmetrically Encrypted Integrity Protected Data packet as well as
+   decompressing a Compressed Data packet must yield a valid OpenPGP
+   Message.
+```
+
+This grammar can be translated into a [pushdown automaton](https://en.wikipedia.org/wiki/Pushdown_automaton) with
+the following graphical representation:
 
 ```mermaid
 graph LR

From 7480c47fa7c9fe9eac5029c02617ac0b6c79840a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 8 Sep 2022 18:15:52 +0200
Subject: [PATCH 0649/1450] Add behavior test to ensure that ArmoredInputStream
 cuts away any data outside of the armor

---
 ...rArmoredDataWithAppendedCleartextTest.java | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/ArmoredInputStreamOverArmoredDataWithAppendedCleartextTest.java

diff --git a/pgpainless-core/src/test/java/org/bouncycastle/ArmoredInputStreamOverArmoredDataWithAppendedCleartextTest.java b/pgpainless-core/src/test/java/org/bouncycastle/ArmoredInputStreamOverArmoredDataWithAppendedCleartextTest.java
new file mode 100644
index 00000000..06921294
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/bouncycastle/ArmoredInputStreamOverArmoredDataWithAppendedCleartextTest.java
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.bouncycastle;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class ArmoredInputStreamOverArmoredDataWithAppendedCleartextTest {
+
+    private static final String ASCII_ARMORED_WITH_APPENDED_GARBAGE = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "yxRiAAAAAABIZWxsbywgV29ybGQhCg==\n" +
+            "=WGju\n" +
+            "-----END PGP MESSAGE-----\n" +
+            "This is a bunch of crap that we appended.";
+    @Test
+    public void testArmoredInputStreamCutsOffAnyDataAfterTheAsciiArmor() throws IOException {
+        InputStream inputStream = new ByteArrayInputStream(ASCII_ARMORED_WITH_APPENDED_GARBAGE.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = new ArmoredInputStream(inputStream);
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(armorIn, out);
+        armorIn.close();
+
+        assertEquals(22, out.size(), "ArmoredInputStream cuts off any appended data outside the ASCII armor.");
+    }
+}

From 8dfabf184244df4fd2e550cb9dcc4654f48a7d7c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 12 Sep 2022 15:25:43 +0200
Subject: [PATCH 0650/1450] Test decryption of messages using Session Key

---
 ...ionOfMessageWithoutESKUsingSessionKey.java | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
new file mode 100644
index 00000000..a7904c34
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
@@ -0,0 +1,72 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSessionKey;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.util.SessionKey;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class TestDecryptionOfMessageWithoutESKUsingSessionKey {
+
+    private static final String encryptedMessageWithSKESK = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "jA0ECQMCc7jNEadAMZJg0j8BNtJwO2PLoRdG+VynivV7XpHp2Nw/S489vksUKct6\n" +
+            "7CYTFpVTzB4IcJwmUGMmre/N1KMTznEBzy3Txa1QVBc=\n" +
+            "=3M8l\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String encryptedMessageWithoutESK = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "0j8BNtJwO2PLoRdG+VynivV7XpHp2Nw/S489vksUKct67CYTFpVTzB4IcJwmUGMm\n" +
+            "re/N1KMTznEBzy3Txa1QVBc=\n" +
+            "=t+pk\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final SessionKey sessionKey = new SessionKey(
+            PGPSessionKey.fromAsciiRepresentation("9:26be99bc478520fbc8ab8fb84991dace4b82cfb9b00f7d05c051d69b8cea8a7f"));
+
+    @Test
+    public void decryptMessageWithSKESK() throws PGPException, IOException {
+        ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithSKESK.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(ConsumerOptions.get()
+                        .setSessionKey(sessionKey));
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+        assertEquals("Hello, World!\n", out.toString());
+    }
+
+    // TODO: Enable when BC 172 gets released with our fix
+    @Disabled("Bug in BC 171. See https://github.com/bcgit/bc-java/pull/1228")
+    @Test
+    public void decryptMessageWithoutSKESK() throws PGPException, IOException {
+        ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithoutESK.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(in)
+                .withOptions(ConsumerOptions.get()
+                        .setSessionKey(sessionKey));
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+        assertEquals("Hello, World!\n", out.toString());
+    }
+}

From 9e403c11248086268d8ef391226bb2218a06f76f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 20:22:12 +0200
Subject: [PATCH 0651/1450] Add
 ImplementationFactory.getSessionKeyDataDecryptorFactory() and impls

---
 .../implementation/BcImplementationFactory.java       |  5 +++++
 .../implementation/ImplementationFactory.java         | 11 +++++++++++
 .../implementation/JceImplementationFactory.java      |  6 ++++++
 3 files changed, 22 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
index c8e20521..b7bbd5f9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
@@ -113,6 +113,11 @@ public class BcImplementationFactory extends ImplementationFactory {
         return new BcPublicKeyDataDecryptorFactory(privateKey);
     }
 
+    @Override
+    public SessionKeyDataDecryptorFactory getSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) {
+        return new BcSessionKeyDataDecryptorFactory(sessionKey);
+    }
+
     @Override
     public PublicKeyKeyEncryptionMethodGenerator getPublicKeyKeyEncryptionMethodGenerator(PGPPublicKey key) {
         return new BcPublicKeyKeyEncryptionMethodGenerator(key);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
index 94967dee..ebd776a6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
@@ -32,6 +32,7 @@ import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.PublicKeyAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.SessionKey;
 
 public abstract class ImplementationFactory {
 
@@ -91,6 +92,16 @@ public abstract class ImplementationFactory {
 
     public abstract PublicKeyDataDecryptorFactory getPublicKeyDataDecryptorFactory(PGPPrivateKey privateKey);
 
+    public SessionKeyDataDecryptorFactory getSessionKeyDataDecryptorFactory(SessionKey sessionKey) {
+        PGPSessionKey pgpSessionKey = new PGPSessionKey(
+                sessionKey.getAlgorithm().getAlgorithmId(),
+                sessionKey.getKey()
+        );
+        return getSessionKeyDataDecryptorFactory(pgpSessionKey);
+    }
+
+    public abstract SessionKeyDataDecryptorFactory getSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey);
+
     public abstract PublicKeyKeyEncryptionMethodGenerator getPublicKeyKeyEncryptionMethodGenerator(PGPPublicKey key);
 
     public abstract PBEKeyEncryptionMethodGenerator getPBEKeyEncryptionMethodGenerator(Passphrase passphrase);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
index 504b197e..f4efd11e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
@@ -103,6 +103,12 @@ public class JceImplementationFactory extends ImplementationFactory {
                 .build(privateKey);
     }
 
+    @Override
+    public SessionKeyDataDecryptorFactory getSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) {
+            return new JceSessionKeyDataDecryptorFactoryBuilder()
+                    .build(sessionKey);
+    }
+
     public PublicKeyKeyEncryptionMethodGenerator getPublicKeyKeyEncryptionMethodGenerator(PGPPublicKey key) {
         return new JcePublicKeyKeyEncryptionMethodGenerator(key)
                 .setProvider(ProviderFactory.getProvider());

From 0e45de9b4a0d0dc2a99429bc5ae1445ed2160ff4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 20:22:22 +0200
Subject: [PATCH 0652/1450] Formatting

---
 .../pgpainless/implementation/ImplementationFactory.java    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
index ebd776a6..51c76c6f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
@@ -50,7 +50,7 @@ public abstract class ImplementationFactory {
     }
 
     public PBESecretKeyEncryptor getPBESecretKeyEncryptor(SymmetricKeyAlgorithm symmetricKeyAlgorithm,
-                                                   Passphrase passphrase)
+                                                          Passphrase passphrase)
             throws PGPException {
         return getPBESecretKeyEncryptor(symmetricKeyAlgorithm,
                 getPGPDigestCalculator(HashAlgorithm.SHA1), passphrase);
@@ -59,8 +59,8 @@ public abstract class ImplementationFactory {
     public abstract PBESecretKeyEncryptor getPBESecretKeyEncryptor(PGPSecretKey secretKey, Passphrase passphrase) throws PGPException;
 
     public abstract PBESecretKeyEncryptor getPBESecretKeyEncryptor(SymmetricKeyAlgorithm symmetricKeyAlgorithm,
-                                                          PGPDigestCalculator digestCalculator,
-                                                          Passphrase passphrase);
+                                                                   PGPDigestCalculator digestCalculator,
+                                                                   Passphrase passphrase);
 
     public abstract PBESecretKeyDecryptor getPBESecretKeyDecryptor(Passphrase passphrase) throws PGPException;
 

From 609bb4556aba7f005eba3226b2c5dc1aeb4c0d43 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 20:26:13 +0200
Subject: [PATCH 0653/1450] Use
 ImplementationFactory.getSessionKeyDataDecryptorFactory() method

---
 .../decryption_verification/DecryptionStreamFactory.java     | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 77ad92bb..a787280a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -256,9 +256,8 @@ public final class DecryptionStreamFactory {
             PGPEncryptedDataList pgpEncryptedDataList,
             SessionKey sessionKey)
             throws PGPException {
-        PGPSessionKey pgpSessionKey = new PGPSessionKey(sessionKey.getAlgorithm().getAlgorithmId(), sessionKey.getKey());
-        SessionKeyDataDecryptorFactory decryptorFactory =
-                ImplementationFactory.getInstance().provideSessionKeyDataDecryptorFactory(pgpSessionKey);
+        SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                .getSessionKeyDataDecryptorFactory(sessionKey);
         InputStream decryptedDataStream = null;
         PGPEncryptedData encryptedData = null;
         for (PGPEncryptedData pgpEncryptedData : pgpEncryptedDataList) {

From 639d2a19f87127e2baef357f0bba102d27a80e1f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 20:27:16 +0200
Subject: [PATCH 0654/1450] Remove unused
 provideSessionKeyDataDecryptorFactory() methods

---
 .../pgpainless/implementation/BcImplementationFactory.java   | 5 -----
 .../org/pgpainless/implementation/ImplementationFactory.java | 2 --
 .../pgpainless/implementation/JceImplementationFactory.java  | 5 -----
 3 files changed, 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
index b7bbd5f9..c8e86311 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/BcImplementationFactory.java
@@ -148,11 +148,6 @@ public class BcImplementationFactory extends ImplementationFactory {
                 .build(passphrase.getChars());
     }
 
-    @Override
-    public SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) {
-        return new BcSessionKeyDataDecryptorFactory(sessionKey);
-    }
-
     @Override
     public PGPObjectFactory getPGPObjectFactory(byte[] bytes) {
         return new BcPGPObjectFactory(bytes);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
index 51c76c6f..06065838 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/ImplementationFactory.java
@@ -118,8 +118,6 @@ public abstract class ImplementationFactory {
                                                                    HashAlgorithm hashAlgorithm, int s2kCount,
                                                                    Passphrase passphrase) throws PGPException;
 
-    public abstract SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey);
-
     public abstract PGPObjectFactory getPGPObjectFactory(InputStream inputStream);
 
     public abstract PGPObjectFactory getPGPObjectFactory(byte[] bytes);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
index f4efd11e..31a7f128 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/implementation/JceImplementationFactory.java
@@ -137,11 +137,6 @@ public class JceImplementationFactory extends ImplementationFactory {
                 .build(passphrase.getChars());
     }
 
-    @Override
-    public SessionKeyDataDecryptorFactory provideSessionKeyDataDecryptorFactory(PGPSessionKey sessionKey) {
-        return new JceSessionKeyDataDecryptorFactoryBuilder().build(sessionKey);
-    }
-
     @Override
     public PGPObjectFactory getPGPObjectFactory(InputStream inputStream) {
         return new JcaPGPObjectFactory(inputStream);

From 5bccc1960e51a1cdcc085a780a3bd663e0b7897f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 27 Sep 2022 16:11:45 +0200
Subject: [PATCH 0655/1450] Add PGPainless.asciiArmor(key, outputStream)

---
 .../main/java/org/pgpainless/PGPainless.java  | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 9ff2a3b0..e41304b7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -5,9 +5,11 @@
 package org.pgpainless;
 
 import java.io.IOException;
+import java.io.OutputStream;
 import java.util.Date;
 import javax.annotation.Nonnull;
 
+import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
@@ -89,9 +91,10 @@ public final class PGPainless {
      * @param key key or certificate
      * @return ascii armored string
      *
-     * @throws IOException in case of an error in the {@link org.bouncycastle.bcpg.ArmoredOutputStream}
+     * @throws IOException in case of an error in the {@link ArmoredOutputStream}
      */
-    public static String asciiArmor(@Nonnull PGPKeyRing key) throws IOException {
+    public static String asciiArmor(@Nonnull PGPKeyRing key)
+            throws IOException {
         if (key instanceof PGPSecretKeyRing) {
             return ArmorUtils.toAsciiArmoredString((PGPSecretKeyRing) key);
         } else {
@@ -99,6 +102,21 @@ public final class PGPainless {
         }
     }
 
+    /**
+     * Wrap a key of certificate in ASCII armor and write the result into the given {@link OutputStream}.
+     *
+     * @param key key or certificate
+     * @param outputStream output stream
+     *
+     * @throws IOException in case of an error ion the {@link ArmoredOutputStream}
+     */
+    public static void asciiArmor(@Nonnull PGPKeyRing key, @Nonnull OutputStream outputStream)
+            throws IOException {
+        ArmoredOutputStream armorOut = ArmorUtils.toAsciiArmoredStream(key, outputStream);
+        key.encode(armorOut);
+        armorOut.close();
+    }
+
     /**
      * Create an {@link EncryptionStream}, which can be used to encrypt and/or sign data using OpenPGP.
      *

From dac059c70280d77763ccec1bea7770363c596142 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 27 Sep 2022 16:17:22 +0200
Subject: [PATCH 0656/1450] Add test for PGPainless.asciiArmor(key, stream)

---
 .../src/test/java/org/pgpainless/util/ArmorUtilsTest.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
index c320c649..5eb32179 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
@@ -128,6 +128,14 @@ public class ArmorUtilsTest {
         assertTrue(ascii.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
     }
 
+    @Test
+    public void testAsciiArmorToStream() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+        PGPainless.asciiArmor(secretKeys, bytes);
+        assertTrue(bytes.toString().startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
+    }
+
     @Test
     public void testSetCustomVersionHeader() throws IOException {
         ArmoredOutputStreamFactory.setVersionInfo("MyVeryFirstOpenPGPProgram 1.0");

From d74a8d040801f4f80f359865c7c3c41ac1d69f9e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 27 Sep 2022 16:28:31 +0200
Subject: [PATCH 0657/1450] Add PGPainless.asciiArmor(PGPSignature)

---
 .../main/java/org/pgpainless/PGPainless.java  | 15 +++++++++
 .../java/org/pgpainless/util/ArmorUtils.java  | 32 +++++++++++++++++++
 .../org/pgpainless/util/ArmorUtilsTest.java   | 17 ++++++++++
 3 files changed, 64 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index e41304b7..33cf7faa 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -14,6 +14,7 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.pgpainless.decryption_verification.DecryptionBuilder;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.encryption_signing.EncryptionBuilder;
@@ -27,6 +28,7 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac
 import org.pgpainless.key.parsing.KeyRingReader;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.policy.Policy;
+import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.ArmorUtils;
 
 public final class PGPainless {
@@ -102,6 +104,19 @@ public final class PGPainless {
         }
     }
 
+    /**
+     * Wrap the detached signature in ASCII armor.
+     *
+     * @param signature detached signature
+     * @return ascii armored string
+     *
+     * @throws IOException in case of an error in the {@link ArmoredOutputStream}
+     */
+    public static String asciiArmor(@Nonnull PGPSignature signature)
+            throws IOException {
+        return ArmorUtils.toAsciiArmoredString(signature);
+    }
+
     /**
      * Wrap a key of certificate in ASCII armor and write the result into the given {@link OutputStream}.
      *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 160d8d0a..8a51ff3d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -156,6 +156,38 @@ public final class ArmorUtils {
         return sb.toString();
     }
 
+    /**
+     * Return the ASCII armored representation of the given detached signature.
+     * The signature will not be stripped of non-exportable subpackets or trust-packets.
+     * If you need to strip those (e.g. because the signature is intended to be sent to a third party), use
+     * {@link #toAsciiArmoredString(PGPSignature, boolean)} and provide 
true
 as boolean value.
+     *
+     * @param signature signature
+     * @return ascii armored string
+     *
+     * @throws IOException in case of an error in the {@link ArmoredOutputStream}
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPSignature signature) throws IOException {
+        return toAsciiArmoredString(signature, false);
+    }
+
+    /**
+     * Return the ASCII armored representation of the given detached signature.
+     * If 
export
 is true, the signature will be stripped of non-exportable subpackets or trust-packets.
+     * If it is 
false
, the signature will be encoded as-is.
+     *
+     * @param signature signature
+     * @return ascii armored string
+     *
+     * @throws IOException in case of an error in the {@link ArmoredOutputStream}
+     */
+    @Nonnull
+    public static String toAsciiArmoredString(@Nonnull PGPSignature signature, boolean export)
+            throws IOException {
+        return toAsciiArmoredString(signature.getEncoded(export));
+    }
+
     /**
      * Return the ASCII armored encoding of the given OpenPGP data bytes.
      *
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
index 5eb32179..b83c0d03 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/ArmorUtilsTest.java
@@ -24,6 +24,7 @@ import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.AfterAll;
@@ -39,6 +40,7 @@ import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.generation.KeySpec;
 import org.pgpainless.key.generation.type.ecc.EllipticCurve;
 import org.pgpainless.key.generation.type.ecc.ecdsa.ECDSA;
+import org.pgpainless.signature.SignatureUtils;
 
 public class ArmorUtilsTest {
 
@@ -128,6 +130,21 @@ public class ArmorUtilsTest {
         assertTrue(ascii.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
     }
 
+    @Test
+    public void signatureToAsciiArmoredString() throws PGPException, IOException {
+        String SIG = "-----BEGIN PGP SIGNATURE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "iHUEARMKAB0WIQRPZlxNwsRmC8ZCXkFXNuaTGs83DAUCYJ/x5gAKCRBXNuaTGs83\n" +
+                "DFRwAP9/4wMvV3WcX59Clo7mkRce6iwW3VBdiN+yMu3tjmHB2wD/RfE28Q1v4+eo\n" +
+                "ySNgbyvqYYsNr0fnBwaG3aaj+u5ExiE=\n" +
+                "=Z2SO\n" +
+                "-----END PGP SIGNATURE-----\n";
+        PGPSignature signature = SignatureUtils.readSignatures(SIG).get(0);
+        String armored = PGPainless.asciiArmor(signature);
+        assertEquals(SIG, armored);
+    }
+
     @Test
     public void testAsciiArmorToStream() throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();

From 6a2a604ba408f93fcb6c50e2eb01419afbb3bca1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 27 Sep 2022 16:47:23 +0200
Subject: [PATCH 0658/1450] Update TODO for BC 173

---
 .../TestDecryptionOfMessageWithoutESKUsingSessionKey.java     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
index a7904c34..c9778426 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
@@ -55,8 +55,8 @@ public class TestDecryptionOfMessageWithoutESKUsingSessionKey {
         assertEquals("Hello, World!\n", out.toString());
     }
 
-    // TODO: Enable when BC 172 gets released with our fix
-    @Disabled("Bug in BC 171. See https://github.com/bcgit/bc-java/pull/1228")
+    // TODO: Enable when BC 173 gets released with our fix
+    @Disabled("Bug in BC 172. See https://github.com/bcgit/bc-java/pull/1228")
     @Test
     public void decryptMessageWithoutSKESK() throws PGPException, IOException {
         ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithoutESK.getBytes(StandardCharsets.UTF_8));

From f94917d01f11308e5fc5d0d4ef690f65151d7e08 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 28 Sep 2022 13:18:34 +0200
Subject: [PATCH 0659/1450] Fix checkstyle issue

---
 pgpainless-core/src/main/java/org/pgpainless/PGPainless.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 33cf7faa..6da77c80 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -28,7 +28,6 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac
 import org.pgpainless.key.parsing.KeyRingReader;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.policy.Policy;
-import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.ArmorUtils;
 
 public final class PGPainless {

From 2c76f66987d03bfc0738e617a0fe8a99525718ab Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 4 Oct 2022 19:13:01 +0200
Subject: [PATCH 0660/1450] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 250a80c2..f933f760 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.3.7-SNAPSHOT
 - Add `KeyRingUtils.injectCertification(keys, certification)`
 - Bugfix: Fix signature verification when `DecryptionStream` is drained byte-by-byte using `read()` call
+- Add `PGPainless.asciiArmor(key, outputStream)`
+- Add `PGPainless.asciiArmor(signature)`
 
 ## 1.3.6
 - Remove deprecated methods

From 19ee2ebacf7ab26dfed102180b511a6058f3eaa0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 5 Oct 2022 12:27:38 +0200
Subject: [PATCH 0661/1450] PGPainless 1.3.7

---
 CHANGELOG.md             | 4 ++--
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f933f760..1b5cc621 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,9 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.7-SNAPSHOT
-- Add `KeyRingUtils.injectCertification(keys, certification)`
+## 1.3.7
 - Bugfix: Fix signature verification when `DecryptionStream` is drained byte-by-byte using `read()` call
+- Add `KeyRingUtils.injectCertification(keys, certification)`
 - Add `PGPainless.asciiArmor(key, outputStream)`
 - Add `PGPainless.asciiArmor(signature)`
 
diff --git a/README.md b/README.md
index b8bd3c51..7cdd25e4 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.6'
+	implementation 'org.pgpainless:pgpainless-core:1.3.7'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index ad96b8dc..ab074514 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.6"
+    implementation "org.pgpainless:pgpainless-sop:1.3.7"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.6
+        1.3.7
     
     ...
 
diff --git a/version.gradle b/version.gradle
index f361dc8d..cd80793d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.7'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 00eafc3957df02f2439bfaa304168725437e4e7a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 5 Oct 2022 12:31:20 +0200
Subject: [PATCH 0662/1450] PGPainless 1.3.8-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index cd80793d..1352ec44 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.7'
-        isSnapshot = false
+        shortVersion = '1.3.8'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.71'

From 8834d8ad1047c9f593af82eba5c3b388db1f80f0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Oct 2022 15:13:49 +0200
Subject: [PATCH 0663/1450] Increase timeframe for some tests which check
 expiration dates

---
 .../GenerateKeyWithAdditionalUserIdTest.java  | 10 ++++---
 .../GenerateKeyWithoutUserIdTest.java         | 24 ++++++++++++----
 .../timeframe/TestTimeFrameProvider.java      | 28 +++++++++++++++++++
 .../pgpainless/timeframe/package-info.java    |  8 ++++++
 4 files changed, 60 insertions(+), 10 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/timeframe/TestTimeFrameProvider.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/timeframe/package-info.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
index b05dbe1e..2e2ffc8d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
@@ -25,7 +25,7 @@ import org.pgpainless.key.generation.type.KeyType;
 import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.UserId;
-import org.pgpainless.util.DateUtil;
+import org.pgpainless.timeframe.TestTimeFrameProvider;
 import org.pgpainless.util.TestAllImplementations;
 
 public class GenerateKeyWithAdditionalUserIdTest {
@@ -33,11 +33,13 @@ public class GenerateKeyWithAdditionalUserIdTest {
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
     public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
-        Date expiration = new Date(DateUtil.now().getTime() + 60 * 1000);
+        Date now = new Date();
+        Date expiration = TestTimeFrameProvider.defaultExpirationForCreationDate(now);
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(
                         KeyType.RSA(RsaLength._3072),
-                                KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS))
+                                KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS)
+                        .setKeyCreationDate(now))
                 .addUserId(UserId.onlyEmail("primary@user.id"))
                 .addUserId(UserId.onlyEmail("additional@user.id"))
                 .addUserId(UserId.onlyEmail("additional2@user.id"))
@@ -46,7 +48,7 @@ public class GenerateKeyWithAdditionalUserIdTest {
                 .build();
         PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys);
 
-        JUtils.assertEquals(expiration.getTime(), PGPainless.inspectKeyRing(publicKeys).getPrimaryKeyExpirationDate().getTime(), 2000);
+        JUtils.assertDateEquals(expiration, PGPainless.inspectKeyRing(publicKeys).getPrimaryKeyExpirationDate());
 
         Iterator userIds = publicKeys.getPublicKey().getUserIDs();
         assertEquals("primary@user.id", userIds.next());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java
index 8b022a21..24484cd0 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithoutUserIdTest.java
@@ -15,6 +15,7 @@ import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
@@ -25,7 +26,7 @@ import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
 import org.pgpainless.key.generation.type.xdh.XDHSpec;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.util.DateUtil;
+import org.pgpainless.timeframe.TestTimeFrameProvider;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -34,6 +35,7 @@ import java.io.InputStream;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Date;
+import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -42,11 +44,12 @@ public class GenerateKeyWithoutUserIdTest {
 
     @Test
     public void generateKeyWithoutUserId() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        Date expirationDate = DateUtil.toSecondsPrecision(new Date(DateUtil.now().getTime() + 1000 * 6000));
+        Date now = new Date();
+        Date expirationDate = TestTimeFrameProvider.defaultExpirationForCreationDate(now);
         PGPSecretKeyRing secretKey = PGPainless.buildKeyRing()
-                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
-                .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
-                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER).setKeyCreationDate(now))
+                .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA).setKeyCreationDate(now))
+                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE).setKeyCreationDate(now))
                 .setExpirationDate(expirationDate)
                 .build();
 
@@ -87,7 +90,16 @@ public class GenerateKeyWithoutUserIdTest {
 
         OpenPgpMetadata metadata = decryptionStream.getResult();
 
-        assertTrue(metadata.containsVerifiedSignatureFrom(certificate));
+        assertTrue(metadata.containsVerifiedSignatureFrom(certificate),
+                failuresToString(metadata.getInvalidInbandSignatures()));
         assertTrue(metadata.isEncrypted());
     }
+
+    private static String failuresToString(List failureList) {
+        StringBuilder sb = new StringBuilder();
+        for (SignatureVerification.Failure failure : failureList) {
+            sb.append(failure.toString()).append('\n');
+        }
+        return sb.toString();
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/timeframe/TestTimeFrameProvider.java b/pgpainless-core/src/test/java/org/pgpainless/timeframe/TestTimeFrameProvider.java
new file mode 100644
index 00000000..9d32a405
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/timeframe/TestTimeFrameProvider.java
@@ -0,0 +1,28 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.timeframe;
+
+import java.util.Calendar;
+import java.util.Date;
+import java.util.TimeZone;
+
+public class TestTimeFrameProvider {
+
+    /**
+     * Return an expiration date which is 7h 13m and 31s from the given date.
+     *
+     * @param now t0
+     * @return t1 which is t0 +7h13m31s
+     */
+    public static Date defaultExpirationForCreationDate(Date now) {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        calendar.setTime(now);
+        calendar.add(Calendar.HOUR, 7);
+        calendar.add(Calendar.MINUTE, 13);
+        calendar.add(Calendar.SECOND, 31);
+        return calendar.getTime();
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/timeframe/package-info.java b/pgpainless-core/src/test/java/org/pgpainless/timeframe/package-info.java
new file mode 100644
index 00000000..dfada70c
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/timeframe/package-info.java
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Test classes for timeframes.
+ */
+package org.pgpainless.timeframe;

From 754fcf72a18c930c42da70ce8905cdf3023f11bf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 31 Oct 2022 11:43:24 +0100
Subject: [PATCH 0664/1450] Implement ProducerOptions.setHideArmorHeaders()

Fixes #328
---
 .../encryption_signing/EncryptionStream.java  |  2 +-
 .../encryption_signing/ProducerOptions.java   | 19 +++++++++++
 .../util/ArmoredOutputStreamFactory.java      | 11 ++++++
 .../HideArmorHeadersTest.java                 | 34 +++++++++++++++++++
 4 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HideArmorHeadersTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 50f5cb5f..27d35ea5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -86,7 +86,7 @@ public final class EncryptionStream extends OutputStream {
         outermostStream = new BufferedOutputStream(outermostStream);
 
         LOGGER.debug("Wrap encryption output in ASCII armor");
-        armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream);
+        armorOutputStream = ArmoredOutputStreamFactory.get(outermostStream, options);
         if (options.hasComment()) {
             String[] commentLines = options.getComment().split("\n");
             for (String commentLine : commentLines) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
index a015a581..4948a7fe 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/ProducerOptions.java
@@ -22,6 +22,7 @@ public final class ProducerOptions {
     private StreamEncoding encodingField = StreamEncoding.BINARY;
     private boolean applyCRLFEncoding = false;
     private boolean cleartextSigned = false;
+    private boolean hideArmorHeaders = false;
 
     private CompressionAlgorithm compressionAlgorithmOverride = PGPainless.getPolicy().getCompressionAlgorithmPolicy()
             .defaultCompressionAlgorithm();
@@ -302,4 +303,22 @@ public final class ProducerOptions {
     public @Nullable SigningOptions getSigningOptions() {
         return signingOptions;
     }
+
+    public boolean isHideArmorHeaders() {
+        return hideArmorHeaders;
+    }
+
+    /**
+     * If set to 
true
, armor headers like version or comments will be omitted from armored output.
+     * By default, armor headers are not hidden.
+     * Note: If comments are added via {@link #setComment(String)}, those are not omitted, even if
+     * {@link #hideArmorHeaders} is set to 
true
.
+     *
+     * @param hideArmorHeaders true or false
+     * @return this
+     */
+    public ProducerOptions setHideArmorHeaders(boolean hideArmorHeaders) {
+        this.hideArmorHeaders = hideArmorHeaders;
+        return this;
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
index 2e1377a0..403115ba 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
@@ -7,6 +7,7 @@ package org.pgpainless.util;
 import java.io.OutputStream;
 
 import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
 
 /**
  * Factory to create configured {@link ArmoredOutputStream ArmoredOutputStreams}.
@@ -37,6 +38,16 @@ public final class ArmoredOutputStreamFactory {
         return armoredOutputStream;
     }
 
+    public static ArmoredOutputStream get(OutputStream outputStream, ProducerOptions options) {
+        if (options.isHideArmorHeaders()) {
+            ArmoredOutputStream armorOut = new ArmoredOutputStream(outputStream);
+            armorOut.clearHeaders();
+            return armorOut;
+        } else {
+            return get(outputStream);
+        }
+    }
+
     /**
      * Overwrite the version header of ASCII armors with a custom value.
      * Newlines in the version info string result in multiple version header entries.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HideArmorHeadersTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HideArmorHeadersTest.java
new file mode 100644
index 00000000..242b430b
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/HideArmorHeadersTest.java
@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.util.Passphrase;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class HideArmorHeadersTest {
+
+    @Test
+    public void testVersionHeaderIsOmitted() throws PGPException, IOException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(
+                        EncryptionOptions.get()
+                                .addPassphrase(Passphrase.fromPassword("sw0rdf1sh")))
+                        .setHideArmorHeaders(true));
+
+        encryptionStream.write("Hello, World!\n".getBytes());
+        encryptionStream.close();
+
+        assertTrue(out.toString().startsWith("-----BEGIN PGP MESSAGE-----\n\n")); // No "Version: PGPainless"
+    }
+}

From f5e4c7571c86a2272798f6c07aa499112e620502 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 2 Nov 2022 10:37:06 +0100
Subject: [PATCH 0665/1450] Bump BC to 1.72, BCPG to 1.72.1

---
 pgpainless-core/build.gradle | 3 ++-
 version.gradle               | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index f1b852ca..3c73121f 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -21,7 +21,8 @@ dependencies {
 
     // Bouncy Castle
     api "org.bouncycastle:bcprov-jdk15to18:$bouncyCastleVersion"
-    api "org.bouncycastle:bcpg-jdk15to18:$bouncyCastleVersion"
+    api "org.bouncycastle:bcpg-jdk15to18:$bouncyPgVersion"
+    // api(files("../libs/bcpg-jdk18on-1.70.jar"))
 
     // @Nullable, @Nonnull annotations
     implementation "com.google.code.findbugs:jsr305:3.0.2"
diff --git a/version.gradle b/version.gradle
index 1352ec44..9b1dc318 100644
--- a/version.gradle
+++ b/version.gradle
@@ -8,7 +8,10 @@ allprojects {
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
-        bouncyCastleVersion = '1.71'
+        bouncyCastleVersion = '1.72'
+        // unfortunately we rely on 1.72.1 for a patch for https://github.com/bcgit/bc-java/issues/1257
+        //  which is a bug we introduced with a PR against BC :/ oops
+        bouncyPgVersion = '1.72.1'
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'

From b0258f8c5b5189434556670ac9c76cb131f7debb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 2 Nov 2022 10:57:53 +0100
Subject: [PATCH 0666/1450] Update CHANGELOG

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b5cc621..8a31584c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.8-SNAPSHOT
+- Bump `bcprov` to `1.72`
+- Bump `bcpg` to `1.72.1`
+- Add `ProducerOptions.setHideArmorHeaders(boolean)` to hide automatically added armor headers
+    in encrypted messages
+
 ## 1.3.7
 - Bugfix: Fix signature verification when `DecryptionStream` is drained byte-by-byte using `read()` call
 - Add `KeyRingUtils.injectCertification(keys, certification)`

From df258b46c1fe590f60b6b267e48b2dde1ca62f25 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 11:46:07 +0100
Subject: [PATCH 0667/1450] PGPainless 1.3.8

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a31584c..89adc4a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.8-SNAPSHOT
+## 1.3.8
 - Bump `bcprov` to `1.72`
 - Bump `bcpg` to `1.72.1`
 - Add `ProducerOptions.setHideArmorHeaders(boolean)` to hide automatically added armor headers
diff --git a/README.md b/README.md
index 7cdd25e4..305e5cea 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.7'
+	implementation 'org.pgpainless:pgpainless-core:1.3.8'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index ab074514..ebb1736c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.7"
+    implementation "org.pgpainless:pgpainless-sop:1.3.8"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.7
+        1.3.8
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 9b1dc318..f89cec34 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.8'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 3000e496bceaf6e4a9bb5960d5e63600ef140600 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 11:48:58 +0100
Subject: [PATCH 0668/1450] PGPainless 1.3.9-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index f89cec34..680b9d45 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.8'
-        isSnapshot = false
+        shortVersion = '1.3.9'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From e67c43a6f7376f26cb519d7f1c042b7d2a59cb05 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 15:03:35 +0100
Subject: [PATCH 0669/1450] Bump sop-java to 4.0.2 and improve exception
 handling

---
 .../java/org/pgpainless/sop/DecryptImpl.java  | 19 ++++++++++++++++---
 .../java/org/pgpainless/sop/EncryptImpl.java  |  6 ++++--
 .../org/pgpainless/sop/ExtractCertImpl.java   |  5 +++++
 .../org/pgpainless/sop/InlineVerifyImpl.java  |  3 +++
 version.gradle                                |  2 +-
 5 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 4957f748..f18ed732 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -61,6 +61,11 @@ public class DecryptImpl implements Decrypt {
 
             consumerOptions.addVerificationCerts(certs);
 
+        } catch (IOException e) {
+            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
+                throw new SOPGPException.BadData(e);
+            }
+            throw e;
         } catch (PGPException e) {
             throw new SOPGPException.BadData(e);
         }
@@ -96,15 +101,23 @@ public class DecryptImpl implements Decrypt {
     }
 
     @Override
-    public DecryptImpl withKey(InputStream keyIn) throws SOPGPException.BadData, SOPGPException.UnsupportedAsymmetricAlgo {
+    public DecryptImpl withKey(InputStream keyIn) throws SOPGPException.BadData, IOException, SOPGPException.UnsupportedAsymmetricAlgo {
         try {
             PGPSecretKeyRingCollection secretKeyCollection = PGPainless.readKeyRing()
                     .secretKeyRingCollection(keyIn);
+            if (secretKeyCollection.size() == 0) {
+                throw new SOPGPException.BadData("No key data found.");
+            }
             for (PGPSecretKeyRing key : secretKeyCollection) {
                 protector.addSecretKey(key);
                 consumerOptions.addDecryptionKey(key, protector);
             }
-        } catch (IOException | PGPException e) {
+        } catch (IOException e) {
+            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
+                throw new SOPGPException.BadData(e);
+            }
+            throw e;
+        } catch (PGPException e) {
             throw new SOPGPException.BadData(e);
         }
         return this;
@@ -132,7 +145,7 @@ public class DecryptImpl implements Decrypt {
                     .onInputStream(ciphertext)
                     .withOptions(consumerOptions);
         } catch (MissingDecryptionMethodException e) {
-            throw new SOPGPException.CannotDecrypt();
+            throw new SOPGPException.CannotDecrypt("No usable decryption key or password provided.", e);
         } catch (WrongPassphraseException e) {
             throw new SOPGPException.KeyIsProtected();
         } catch (PGPException | IOException e) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 1b95d87c..9658bd17 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -100,8 +100,10 @@ public class EncryptImpl implements Encrypt {
     public Encrypt withCert(InputStream cert) throws SOPGPException.CertCannotEncrypt, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
         try {
             PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing()
-                    .keyRingCollection(cert, false)
-                    .getPgpPublicKeyRingCollection();
+                            .publicKeyRingCollection(cert);
+            if (certificates.size() == 0) {
+                throw new SOPGPException.BadData("No certificate data found.");
+            }
             encryptionOptions.addRecipients(certificates);
         } catch (KeyException.UnacceptableEncryptionKeyException e) {
             throw new SOPGPException.CertCannotEncrypt(e.getMessage(), e);
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
index 5f694208..16848383 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
@@ -35,6 +35,11 @@ public class ExtractCertImpl implements ExtractCert {
         PGPSecretKeyRingCollection keys;
         try {
             keys = PGPainless.readKeyRing().secretKeyRingCollection(keyInputStream);
+        } catch (IOException e) {
+            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
+                throw new SOPGPException.BadData(e);
+            }
+            throw e;
         } catch (PGPException e) {
             throw new IOException("Cannot read keys.", e);
         }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 1e8c4fee..e9994f38 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -19,6 +19,7 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import sop.ReadyWithResult;
 import sop.Verification;
 import sop.exception.SOPGPException;
@@ -84,6 +85,8 @@ public class InlineVerifyImpl implements InlineVerify {
                     }
 
                     return verificationList;
+                } catch (MissingDecryptionMethodException e) {
+                    throw new SOPGPException.BadData("Cannot verify encrypted message.", e);
                 } catch (PGPException e) {
                     throw new SOPGPException.BadData(e);
                 }
diff --git a/version.gradle b/version.gradle
index 680b9d45..36822069 100644
--- a/version.gradle
+++ b/version.gradle
@@ -16,6 +16,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.1'
+        sopJavaVersion = '4.0.2'
     }
 }

From db9745d7a29a7e738d39fae209202bfc0b94110d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 15:06:50 +0100
Subject: [PATCH 0670/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89adc4a7..66ba62a0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.9-SNAPSHOT
+- Bump `sop-java` to `4.0.2`
+- SOP: Improve exception handling
+
 ## 1.3.8
 - Bump `bcprov` to `1.72`
 - Bump `bcpg` to `1.72.1`

From 095e58eddc04af5a15adb7d8423209058291475a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 15:08:07 +0100
Subject: [PATCH 0671/1450] Update man page documentation

---
 .../packaging/man/pgpainless-cli-armor.1      | 101 +---------------
 .../packaging/man/pgpainless-cli-dearmor.1    | 102 +---------------
 .../packaging/man/pgpainless-cli-decrypt.1    | 109 ++---------------
 .../packaging/man/pgpainless-cli-encrypt.1    | 111 ++----------------
 .../man/pgpainless-cli-extract-cert.1         | 101 +---------------
 .../man/pgpainless-cli-generate-completion.1  |  13 +-
 .../man/pgpainless-cli-generate-key.1         | 110 ++---------------
 .../packaging/man/pgpainless-cli-help.1       |  13 +-
 .../man/pgpainless-cli-inline-detach.1        | 101 +---------------
 .../man/pgpainless-cli-inline-sign.1          | 108 ++---------------
 .../man/pgpainless-cli-inline-verify.1        | 111 ++----------------
 .../packaging/man/pgpainless-cli-sign.1       | 111 ++----------------
 .../packaging/man/pgpainless-cli-verify.1     | 109 ++---------------
 .../packaging/man/pgpainless-cli-version.1    | 101 +---------------
 pgpainless-cli/packaging/man/pgpainless-cli.1 |  16 ++-
 15 files changed, 124 insertions(+), 1193 deletions(-)

diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-armor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
index bc0efe20..d85b6bf9 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-armor
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-ARMOR" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-ARMOR" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,7 @@
 pgpainless\-cli\-armor \- Add ASCII Armor to standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli armor\fP [\fB\-\-label\fP=\fI{auto|sig|key|cert|message}\fP]
+\fBpgpainless\-cli armor\fP [\fB\-\-stacktrace\fP] [\fB\-\-label\fP=\fI{auto|sig|key|cert|message}\fP]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -40,99 +40,8 @@ pgpainless\-cli\-armor \- Add ASCII Armor to standard input
 .RS 4
 Label to be used in the header and tail of the armoring
 .RE
-.SH "EXIT CODES:"
 .sp
-\fB0\fP
+\fB\-\-stacktrace\fP
 .RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
+Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
index 0dacf89c..98fae5ea 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-dearmor
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-DEARMOR" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-DEARMOR" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,102 +31,12 @@
 pgpainless\-cli\-dearmor \- Remove ASCII Armor from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli dearmor\fP
+\fBpgpainless\-cli dearmor\fP [\fB\-\-stacktrace\fP]
 .SH "DESCRIPTION"
 
-.SH "EXIT CODES:"
+.SH "OPTIONS"
 .sp
-\fB0\fP
+\fB\-\-stacktrace\fP
 .RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
+Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
index c97eb7e9..400adcff 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-decrypt
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-DECRYPT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-DECRYPT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,7 @@
 pgpainless\-cli\-decrypt \- Decrypt a message from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli decrypt\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
+\fBpgpainless\-cli decrypt\fP [\fB\-\-stacktrace\fP] [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
 [\fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP] [\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP]
 [\fB\-\-verify\-with\fP=\fICERT\fP]... [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]...
 [\fB\-\-with\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP]...
@@ -65,6 +65,11 @@ Defaults to beginning of time (\(aq\-\(aq).
 Can be used to learn the session key on successful decryption
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP
 .RS 4
 Emits signature verification status to the designated output
@@ -87,6 +92,8 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 Symmetric passphrase to decrypt the message with.
 .sp
 Enables decryption based on any "SKESK" packets in the "CIPHERTEXT".
+.sp
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
 .RE
 .sp
 \fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP
@@ -102,100 +109,4 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
 [\fIKEY\fP...]
 .RS 4
 Secret keys to attempt decryption with
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
index 78c8e434..5cb9495b 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-encrypt
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-ENCRYPT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-ENCRYPT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,9 +31,9 @@
 pgpainless\-cli\-encrypt \- Encrypt a message from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli encrypt\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text}\fP] [\fB\-\-sign\-with\fP=\fIKEY\fP]...
-[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-password\fP=\fIPASSWORD\fP]...
-[\fICERTS\fP...]
+\fBpgpainless\-cli encrypt\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=\fI{binary|text}\fP]
+[\fB\-\-sign\-with\fP=\fIKEY\fP]... [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]...
+[\fB\-\-with\-password\fP=\fIPASSWORD\fP]... [\fICERTS\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -53,6 +53,11 @@ ASCII armor the output
 Sign the output with a private key
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
@@ -71,100 +76,4 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
 [\fICERTS\fP...]
 .RS 4
 Certificates the message gets encrypted to
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1 b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
index 7beaad14..0482c183 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-extract-cert
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-EXTRACT\-CERT" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-EXTRACT\-CERT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,7 @@
 pgpainless\-cli\-extract\-cert \- Extract a public key certificate from a secret key from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli extract\-cert\fP [\fB\-\-[no\-]armor\fP]
+\fBpgpainless\-cli extract\-cert\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -40,99 +40,8 @@ pgpainless\-cli\-extract\-cert \- Extract a public key certificate from a secret
 .RS 4
 ASCII armor the output
 .RE
-.SH "EXIT CODES:"
 .sp
-\fB0\fP
+\fB\-\-stacktrace\fP
 .RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
+Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
index dfc5448a..637b1231 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-generate-completion
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: generate-completion 4.6.3
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-GENERATE\-COMPLETION" "1" "2022-08-07" "generate\-completion 4.6.3" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-GENERATE\-COMPLETION" "1" "2022-11-06" "generate\-completion 4.6.3" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -28,10 +28,10 @@
 .  LINKSTYLE blue R < >
 .\}
 .SH "NAME"
-pgpainless\-cli\-generate\-completion \- Generate bash/zsh completion script for pgpainless\-cli.
+pgpainless\-cli\-generate\-completion \- Stateless OpenPGP Protocol
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli generate\-completion\fP [\fB\-hV\fP]
+\fBpgpainless\-cli generate\-completion\fP [\fB\-hV\fP] [\fB\-\-stacktrace\fP]
 .SH "DESCRIPTION"
 .sp
 Generate bash/zsh completion script for pgpainless\-cli.
@@ -49,6 +49,11 @@ source <(pgpainless\-cli generate\-completion)
 Show this help message and exit.
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-V\fP, \fB\-\-version\fP
 .RS 4
 Print version information and exit.
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
index 66d6d1b9..ef950df9 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-generate-key
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-GENERATE\-KEY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-GENERATE\-KEY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,8 @@
 pgpainless\-cli\-generate\-key \- Generate a secret key
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli generate\-key\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP] [\fI\fP...]
+\fBpgpainless\-cli generate\-key\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]
+[\fIUSERID\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -41,6 +42,11 @@ pgpainless\-cli\-generate\-key \- Generate a secret key
 ASCII armor the output
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Password to protect the private key with
@@ -49,104 +55,8 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 .RE
 .SH "ARGUMENTS"
 .sp
-[\fI\fP...]
+[\fIUSERID\fP...]
 .RS 4
 User\-ID, e.g. "Alice <\c
 .MTO "alice\(atexample.com" "" ">""
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-help.1 b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
index 8688615a..67ef1ce6 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-help.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-help
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-HELP" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-HELP" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -28,10 +28,10 @@
 .  LINKSTYLE blue R < >
 .\}
 .SH "NAME"
-pgpainless\-cli\-help \- Display usage information for the specified subcommand
+pgpainless\-cli\-help \- Stateless OpenPGP Protocol
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli help\fP [\fB\-h\fP] [\fICOMMAND\fP]
+\fBpgpainless\-cli help\fP [\fB\-h\fP] [\fB\-\-stacktrace\fP] [\fICOMMAND\fP]
 .SH "DESCRIPTION"
 .sp
 When no COMMAND is given, the usage help for the main command is displayed.
@@ -42,6 +42,11 @@ If a COMMAND is specified, the help for that command is shown.
 .RS 4
 Show usage help for the help command and exit.
 .RE
+.sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
 .SH "ARGUMENTS"
 .sp
 [\fICOMMAND\fP]
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
index ccb4901a..3d356293 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-inline-detach
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-DETACH" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-DETACH" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,7 @@
 pgpainless\-cli\-inline\-detach \- Split signatures from a clearsigned message
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli inline\-detach\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-signatures\-out\fP=\fISIGNATURES\fP]
+\fBpgpainless\-cli inline\-detach\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-signatures\-out\fP=\fISIGNATURES\fP]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -45,99 +45,8 @@ ASCII armor the output
 .RS 4
 Destination to which a detached signatures block will be written
 .RE
-.SH "EXIT CODES:"
 .sp
-\fB0\fP
+\fB\-\-stacktrace\fP
 .RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
+Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
index 90d8908f..3f653b40 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-inline-sign
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-SIGN" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-SIGN" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,8 @@
 pgpainless\-cli\-inline\-sign \- Create an inline\-signed message from data on standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli inline\-sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text|cleartextsigned}\fP]
+\fBpgpainless\-cli inline\-sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=
+\fI{binary|text|cleartextsigned}\fP]
 [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
 .SH "DESCRIPTION"
 
@@ -55,6 +56,11 @@ If \(aq\-\-as=text\(aq and the input data is not valid UTF\-8, inline\-sign fail
 ASCII armor the output
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
@@ -66,100 +72,4 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 [\fIKEYS\fP...]
 .RS 4
 Secret keys used for signing
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
index 2f989285..73f8316d 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-inline-verify
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-VERIFY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-VERIFY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,8 +31,8 @@
 pgpainless\-cli\-inline\-verify \- Verify inline\-signed data from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli inline\-verify\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
-[\fB\-\-verifications\-out\fP=\fI\fP] \fICERT\fP...
+\fBpgpainless\-cli inline\-verify\fP [\fB\-\-stacktrace\fP] [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
+[\fB\-\-verifications\-out\fP=\fI\fP] [\fICERT\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -57,109 +57,18 @@ Reject signatures with a creation date not in range.
 Defaults to beginning of time ("\-").
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-verifications\-out\fP=\fI\fP
 .RS 4
 File to write details over successful verifications to
 .RE
 .SH "ARGUMENTS"
 .sp
-\fICERT\fP...
+[\fICERT\fP...]
 .RS 4
 Public key certificates for signature verification
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
index cc830e7f..3c63dccf 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-sign
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-SIGN" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-SIGN" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,8 +31,8 @@
 pgpainless\-cli\-sign \- Create a detached signature on the data from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-as\fP=\fI{binary|text}\fP] [\fB\-\-micalg\-out\fP=\fIMICALG\fP]
-[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
+\fBpgpainless\-cli sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=\fI{binary|text}\fP]
+[\fB\-\-micalg\-out\fP=\fIMICALG\fP] [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -42,6 +42,8 @@ pgpainless\-cli\-sign \- Create a detached signature on the data from standard i
 Specify the output format of the signed message
 .sp
 Defaults to \(aqbinary\(aq.
+.sp
+If \(aq\-\-as=text\(aq and the input data is not valid UTF\-8, sign fails with return code 53.
 .RE
 .sp
 \fB\-\-micalg\-out\fP=\fIMICALG\fP
@@ -54,6 +56,11 @@ Emits the digest algorithm used to the specified file in a way that can be used
 ASCII armor the output
 .RE
 .sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
+.sp
 \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
@@ -65,100 +72,4 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 [\fIKEYS\fP...]
 .RS 4
 Secret keys used for signing
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
index 297f8374..a07ef2d7 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-verify
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-VERIFY" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-VERIFY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,8 @@
 pgpainless\-cli\-verify \- Verify a detached signature over the data from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli verify\fP [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP] \fISIGNATURE\fP \fICERT\fP...
+\fBpgpainless\-cli verify\fP [\fB\-\-stacktrace\fP] [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP] \fISIGNATURE\fP
+\fICERT\fP...
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -44,6 +45,11 @@ Reject signatures with a creation date not in range.
 .sp
 Defaults to beginning of time ("\-").
 .RE
+.sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
 .SH "ARGUMENTS"
 .sp
 \fISIGNATURE\fP
@@ -53,101 +59,4 @@ Detached signature
 .sp
 \fICERT\fP...
 .RS 4
-Public key certificates for signature verification
-.RE
-.SH "EXIT CODES:"
-.sp
-\fB0\fP
-.RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-version.1 b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
index 0a235d7a..9e80f4b3 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-version.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli-version
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-VERSION" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-VERSION" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,7 +31,7 @@
 pgpainless\-cli\-version \- Display version information about the tool
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli version\fP [\fB\-\-extended\fP | \fB\-\-backend\fP]
+\fBpgpainless\-cli version\fP [\fB\-\-stacktrace\fP] [\fB\-\-extended\fP | \fB\-\-backend\fP]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -45,99 +45,8 @@ Print information about the cryptographic backend
 .RS 4
 Print an extended version string
 .RE
-.SH "EXIT CODES:"
 .sp
-\fB0\fP
+\fB\-\-stacktrace\fP
 .RS 4
-Successful program execution
-.RE
-.sp
-\fB1\fP
-.RS 4
-Generic program error
-.RE
-.sp
-\fB3\fP
-.RS 4
-Verification requested but no verifiable signature found
-.RE
-.sp
-\fB13\fP
-.RS 4
-Unsupported asymmetric algorithm
-.RE
-.sp
-\fB17\fP
-.RS 4
-Certificate is not encryption capable
-.RE
-.sp
-\fB19\fP
-.RS 4
-Usage error: Missing argument
-.RE
-.sp
-\fB23\fP
-.RS 4
-Incomplete verification instructions
-.RE
-.sp
-\fB29\fP
-.RS 4
-Unable to decrypt
-.RE
-.sp
-\fB31\fP
-.RS 4
-Password is not human\-readable
-.RE
-.sp
-\fB37\fP
-.RS 4
-Unsupported Option
-.RE
-.sp
-\fB41\fP
-.RS 4
-Invalid data or data of wrong type encountered
-.RE
-.sp
-\fB53\fP
-.RS 4
-Non\-text input received where text was expected
-.RE
-.sp
-\fB59\fP
-.RS 4
-Output file already exists
-.RE
-.sp
-\fB61\fP
-.RS 4
-Input file does not exist
-.RE
-.sp
-\fB67\fP
-.RS 4
-Cannot unlock password protected secret key
-.RE
-.sp
-\fB69\fP
-.RS 4
-Unsupported subcommand
-.RE
-.sp
-\fB71\fP
-.RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
-.RE
-.sp
-\fB73\fP
-.RS 4
-Ambiguous input (a filename matching the designator already exists)
-.RE
-.sp
-\fB79\fP
-.RS 4
-Key is not signing capable
+Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli.1 b/pgpainless-cli/packaging/man/pgpainless-cli.1
index 171c394e..14bd9fb9 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli.1
@@ -2,12 +2,12 @@
 .\"     Title: pgpainless-cli
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-08-07
+.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI" "1" "2022-08-07" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -31,14 +31,20 @@
 pgpainless\-cli \- Stateless OpenPGP Protocol
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli\fP [COMMAND]
+\fBpgpainless\-cli\fP [\fB\-\-stacktrace\fP] [COMMAND]
 .SH "DESCRIPTION"
 
+.SH "OPTIONS"
+.sp
+\fB\-\-stacktrace\fP
+.RS 4
+Print Stacktrace
+.RE
 .SH "COMMANDS"
 .sp
 \fBhelp\fP
 .RS 4
-Display usage information for the specified subcommand
+Stateless OpenPGP Protocol
 .RE
 .sp
 \fBarmor\fP
@@ -103,7 +109,7 @@ Display version information about the tool
 .sp
 \fBgenerate\-completion\fP
 .RS 4
-Generate bash/zsh completion script for pgpainless\-cli.
+Stateless OpenPGP Protocol
 .RE
 .SH "EXIT CODES:"
 .sp

From 78de682a14843b27806a1c0b0f6e01900bcbad8b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 15:16:28 +0100
Subject: [PATCH 0672/1450] PGPainless 1.3.9

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66ba62a0..b5ea7c57 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.9-SNAPSHOT
+## 1.3.9
 - Bump `sop-java` to `4.0.2`
 - SOP: Improve exception handling
 
diff --git a/README.md b/README.md
index 305e5cea..6c1f8368 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.8'
+	implementation 'org.pgpainless:pgpainless-core:1.3.9'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index ebb1736c..2dd87b60 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.8"
+    implementation "org.pgpainless:pgpainless-sop:1.3.9"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.8
+        1.3.9
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 36822069..5613a109 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.9'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From b4420772a0371c94e479efe0899e581c97042097 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 15:18:26 +0100
Subject: [PATCH 0673/1450] PGPainless 1.3.10-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 5613a109..ec61ab42 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.9'
-        isSnapshot = false
+        shortVersion = '1.3.10'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From b02ae86ff62cfbc5b172ff732a6540a8dfa54e40 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 22:59:38 +0100
Subject: [PATCH 0674/1450] Annotate SignatureSubpacketsUtil methods with
 @Nullable and @Nonnull

---
 .../subpackets/SignatureSubpacketsUtil.java   | 72 +++++++++----------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 9ebc03e8..cbcbeafc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -68,7 +68,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return issuer fingerprint or null
      */
-    public static IssuerFingerprint getIssuerFingerprint(PGPSignature signature) {
+    public static @Nullable IssuerFingerprint getIssuerFingerprint(PGPSignature signature) {
         return hashedOrUnhashed(signature, SignatureSubpacket.issuerFingerprint);
     }
 
@@ -79,7 +79,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return v4 fingerprint of the issuer, or null
      */
-    public static OpenPgpFingerprint getIssuerFingerprintAsOpenPgpFingerprint(PGPSignature signature) {
+    public static @Nullable OpenPgpFingerprint getIssuerFingerprintAsOpenPgpFingerprint(PGPSignature signature) {
         IssuerFingerprint subpacket = getIssuerFingerprint(signature);
         if (subpacket == null) {
             return null;
@@ -101,7 +101,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return issuer key-id or null
      */
-    public static IssuerKeyID getIssuerKeyId(PGPSignature signature) {
+    public static @Nullable IssuerKeyID getIssuerKeyId(PGPSignature signature) {
         return hashedOrUnhashed(signature, SignatureSubpacket.issuerKeyId);
     }
 
@@ -112,7 +112,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return issuer key-id as {@link Long}
      */
-    public static Long getIssuerKeyIdAsLong(PGPSignature signature) {
+    public static @Nullable Long getIssuerKeyIdAsLong(PGPSignature signature) {
         IssuerKeyID keyID = getIssuerKeyId(signature);
         if (keyID == null) {
             return null;
@@ -128,7 +128,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return revocation reason
      */
-    public static RevocationReason getRevocationReason(PGPSignature signature) {
+    public static @Nullable RevocationReason getRevocationReason(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.revocationReason);
     }
 
@@ -140,7 +140,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return signature creation time subpacket
      */
-    public static SignatureCreationTime getSignatureCreationTime(PGPSignature signature) {
+    public static @Nullable SignatureCreationTime getSignatureCreationTime(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.signatureCreationTime);
     }
 
@@ -151,7 +151,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return signature expiration time
      */
-    public static SignatureExpirationTime getSignatureExpirationTime(PGPSignature signature) {
+    public static @Nullable SignatureExpirationTime getSignatureExpirationTime(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.signatureExpirationTime);
     }
 
@@ -163,7 +163,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return expiration time as date
      */
-    public static Date getSignatureExpirationTimeAsDate(PGPSignature signature) {
+    public static @Nullable Date getSignatureExpirationTimeAsDate(PGPSignature signature) {
         SignatureExpirationTime subpacket = getSignatureExpirationTime(signature);
         if (subpacket == null) {
             return null;
@@ -178,7 +178,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return key expiration time
      */
-    public static KeyExpirationTime getKeyExpirationTime(PGPSignature signature) {
+    public static @Nullable KeyExpirationTime getKeyExpirationTime(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.keyExpirationTime);
     }
 
@@ -192,7 +192,7 @@ public final class SignatureSubpacketsUtil {
      * @param signingKey signature creation key
      * @return key expiration time as date
      */
-    public static Date getKeyExpirationTimeAsDate(PGPSignature signature, PGPPublicKey signingKey) {
+    public static @Nullable Date getKeyExpirationTimeAsDate(PGPSignature signature, PGPPublicKey signingKey) {
         if (signature.getKeyID() != signingKey.getKeyID()) {
             throw new IllegalArgumentException("Provided key (" + Long.toHexString(signingKey.getKeyID()) + ") did not create the signature (" + Long.toHexString(signature.getKeyID()) + ")");
         }
@@ -230,7 +230,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return revocable subpacket
      */
-    public static Revocable getRevocable(PGPSignature signature) {
+    public static @Nullable Revocable getRevocable(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.revocable);
     }
 
@@ -240,7 +240,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return symm. algo. prefs
      */
-    public static PreferredAlgorithms getPreferredSymmetricAlgorithms(PGPSignature signature) {
+    public static @Nullable PreferredAlgorithms getPreferredSymmetricAlgorithms(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.preferredSymmetricAlgorithms);
     }
 
@@ -252,7 +252,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return ordered set of symmetric key algorithm preferences
      */
-    public static Set parsePreferredSymmetricKeyAlgorithms(PGPSignature signature) {
+    public static @Nonnull Set parsePreferredSymmetricKeyAlgorithms(PGPSignature signature) {
         Set algorithms = new LinkedHashSet<>();
         PreferredAlgorithms preferences = getPreferredSymmetricAlgorithms(signature);
         if (preferences != null) {
@@ -272,7 +272,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return hash algo prefs
      */
-    public static PreferredAlgorithms getPreferredHashAlgorithms(PGPSignature signature) {
+    public static @Nullable PreferredAlgorithms getPreferredHashAlgorithms(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.preferredHashAlgorithms);
     }
 
@@ -284,7 +284,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return ordered set of hash algorithm preferences
      */
-    public static Set parsePreferredHashAlgorithms(PGPSignature signature) {
+    public static @Nonnull Set parsePreferredHashAlgorithms(PGPSignature signature) {
         Set algorithms = new LinkedHashSet<>();
         PreferredAlgorithms preferences = getPreferredHashAlgorithms(signature);
         if (preferences != null) {
@@ -304,7 +304,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return compression algo prefs
      */
-    public static PreferredAlgorithms getPreferredCompressionAlgorithms(PGPSignature signature) {
+    public static @Nullable PreferredAlgorithms getPreferredCompressionAlgorithms(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.preferredCompressionAlgorithms);
     }
 
@@ -316,7 +316,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return ordered set of compression algorithm preferences
      */
-    public static Set parsePreferredCompressionAlgorithms(PGPSignature signature) {
+    public static @Nonnull Set parsePreferredCompressionAlgorithms(PGPSignature signature) {
         Set algorithms = new LinkedHashSet<>();
         PreferredAlgorithms preferences = getPreferredCompressionAlgorithms(signature);
         if (preferences != null) {
@@ -336,7 +336,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return primary user id
      */
-    public static PrimaryUserID getPrimaryUserId(PGPSignature signature) {
+    public static @Nullable PrimaryUserID getPrimaryUserId(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.primaryUserId);
     }
 
@@ -346,7 +346,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return key flags
      */
-    public static KeyFlags getKeyFlags(PGPSignature signature) {
+    public static @Nullable KeyFlags getKeyFlags(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.keyFlags);
     }
 
@@ -357,7 +357,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return list of key flags
      */
-    public static List parseKeyFlags(@Nullable PGPSignature signature) {
+    public static @Nullable List parseKeyFlags(@Nullable PGPSignature signature) {
         if (signature == null) {
             return null;
         }
@@ -374,7 +374,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return features subpacket
      */
-    public static Features getFeatures(PGPSignature signature) {
+    public static @Nullable Features getFeatures(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.features);
     }
 
@@ -401,7 +401,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return signature target
      */
-    public static SignatureTarget getSignatureTarget(PGPSignature signature) {
+    public static @Nullable SignatureTarget getSignatureTarget(PGPSignature signature) {
         return hashedOrUnhashed(signature, SignatureSubpacket.signatureTarget);
     }
 
@@ -411,7 +411,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return hashed notations
      */
-    public static List getHashedNotationData(PGPSignature signature) {
+    public static @Nonnull List getHashedNotationData(PGPSignature signature) {
         NotationData[] notations = signature.getHashedSubPackets().getNotationDataOccurrences();
         return Arrays.asList(notations);
     }
@@ -424,7 +424,7 @@ public final class SignatureSubpacketsUtil {
      * @param notationName notation name
      * @return list of matching notation data objects
      */
-    public static List getHashedNotationData(PGPSignature signature, String notationName) {
+    public static @Nonnull List getHashedNotationData(PGPSignature signature, String notationName) {
         List allNotations = getHashedNotationData(signature);
         List withName = new ArrayList<>();
         for (NotationData data : allNotations) {
@@ -441,7 +441,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return unhashed notations
      */
-    public static List getUnhashedNotationData(PGPSignature signature) {
+    public static @Nonnull List getUnhashedNotationData(PGPSignature signature) {
         NotationData[] notations = signature.getUnhashedSubPackets().getNotationDataOccurrences();
         return Arrays.asList(notations);
     }
@@ -454,7 +454,7 @@ public final class SignatureSubpacketsUtil {
      * @param notationName notation name
      * @return list of matching notation data objects
      */
-    public static List getUnhashedNotationData(PGPSignature signature, String notationName) {
+    public static @Nonnull List getUnhashedNotationData(PGPSignature signature, String notationName) {
         List allNotations = getUnhashedNotationData(signature);
         List withName = new ArrayList<>();
         for (NotationData data : allNotations) {
@@ -471,7 +471,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return revocation key
      */
-    public static RevocationKey getRevocationKey(PGPSignature signature) {
+    public static @Nullable RevocationKey getRevocationKey(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.revocationKey);
     }
 
@@ -482,7 +482,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return signers user-id
      */
-    public static SignerUserID getSignerUserID(PGPSignature signature) {
+    public static @Nullable SignerUserID getSignerUserID(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.signerUserId);
     }
 
@@ -492,7 +492,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return intended recipient fingerprint subpackets
      */
-    public static List getIntendedRecipientFingerprints(PGPSignature signature) {
+    public static @Nonnull List getIntendedRecipientFingerprints(PGPSignature signature) {
         org.bouncycastle.bcpg.SignatureSubpacket[] subpackets = signature.getHashedSubPackets().getSubpackets(SignatureSubpacket.intendedRecipientFingerprint.getCode());
         List intendedRecipients = new ArrayList<>(subpackets.length);
         for (org.bouncycastle.bcpg.SignatureSubpacket subpacket : subpackets) {
@@ -509,7 +509,7 @@ public final class SignatureSubpacketsUtil {
      *
      * @throws PGPException in case the embedded signatures cannot be parsed
      */
-    public static PGPSignatureList getEmbeddedSignature(PGPSignature signature) throws PGPException {
+    public static @Nullable PGPSignatureList getEmbeddedSignature(PGPSignature signature) throws PGPException {
         PGPSignatureList hashed = signature.getHashedSubPackets().getEmbeddedSignatures();
         if (!hashed.isEmpty()) {
             return hashed;
@@ -523,7 +523,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return exportable certification subpacket
      */
-    public static Exportable getExportableCertification(PGPSignature signature) {
+    public static @Nullable Exportable getExportableCertification(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.exportableCertification);
     }
 
@@ -533,7 +533,7 @@ public final class SignatureSubpacketsUtil {
      * @param signature signature
      * @return trust signature subpacket
      */
-    public static TrustSignature getTrustSignature(PGPSignature signature) {
+    public static @Nullable TrustSignature getTrustSignature(PGPSignature signature) {
         return hashed(signature, SignatureSubpacket.trustSignature);
     }
 
@@ -546,7 +546,7 @@ public final class SignatureSubpacketsUtil {
      * @param 
 generic subpacket type
      * @return list of subpackets from the hashed area
      */
-    private static 
 P hashed(PGPSignature signature, SignatureSubpacket type) {
+    private static @Nullable 
 P hashed(PGPSignature signature, SignatureSubpacket type) {
         return getSignatureSubpacket(signature.getHashedSubPackets(), type);
     }
 
@@ -559,7 +559,7 @@ public final class SignatureSubpacketsUtil {
      * @param 
 generic subpacket type
      * @return list of subpackets from the unhashed area
      */
-    private static 
 P unhashed(PGPSignature signature, SignatureSubpacket type) {
+    private static @Nullable 
 P unhashed(PGPSignature signature, SignatureSubpacket type) {
         return getSignatureSubpacket(signature.getUnhashedSubPackets(), type);
     }
 
@@ -572,7 +572,7 @@ public final class SignatureSubpacketsUtil {
      * @param 
 generic subpacket type
      * @return list of subpackets from the hashed/unhashed area
      */
-    private static 
 P hashedOrUnhashed(PGPSignature signature, SignatureSubpacket type) {
+    private static @Nullable 
 P hashedOrUnhashed(PGPSignature signature, SignatureSubpacket type) {
         P hashedSubpacket = hashed(signature, type);
         return hashedSubpacket != null ? hashedSubpacket : unhashed(signature, type);
     }
@@ -585,7 +585,7 @@ public final class SignatureSubpacketsUtil {
      * @param 
 generic return type of the subpacket
      * @return last occurrence of the subpacket in the vector
      */
-    public static 
 P getSignatureSubpacket(PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
+    public static @Nullable 
 P getSignatureSubpacket(PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
         if (vector == null) {
             // Almost never happens, but may be caused by broken signatures.
             return null;

From 50d18a45815d2d15b3af01e3d7aa7abbdac120bd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 23:00:28 +0100
Subject: [PATCH 0675/1450] Fix NPE when validating signature made by key
 without keyflags on direct key sigature

(Presumably) fixes #332
---
 .../pgpainless/signature/consumer/CertificateValidator.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
index 4c4c6689..c629de2d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/CertificateValidator.java
@@ -171,7 +171,9 @@ public final class CertificateValidator {
 
         if (signingSubkey == primaryKey) {
             if (!directKeySignatures.isEmpty()) {
-                if (KeyFlag.hasKeyFlag(SignatureSubpacketsUtil.getKeyFlags(directKeySignatures.get(0)).getFlags(), KeyFlag.SIGN_DATA)) {
+                PGPSignature directKeySignature = directKeySignatures.get(0);
+                KeyFlags keyFlags = SignatureSubpacketsUtil.getKeyFlags(directKeySignature);
+                if (keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
                     return true;
                 }
             }
@@ -225,7 +227,7 @@ public final class CertificateValidator {
                 }
                 PGPSignature directKeySig = directKeySignatures.get(0);
                 KeyFlags directKeyFlags = SignatureSubpacketsUtil.getKeyFlags(directKeySig);
-                if (!KeyFlag.hasKeyFlag(directKeyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
+                if (directKeyFlags == null || !KeyFlag.hasKeyFlag(directKeyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
                     throw new SignatureValidationException("Signature was made by key which is not capable of signing (no keyflags on binding sig, no SIGN flag on direct-key sig).");
                 }
             } else if (!KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.SIGN_DATA)) {

From 5ebeeed3e8b86a5940da583c1edfb7e268f6c4df Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Nov 2022 16:49:06 +0100
Subject: [PATCH 0676/1450] Bump sop-java to 4.0.3

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index ec61ab42..0f15467b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -16,6 +16,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.2'
+        sopJavaVersion = '4.0.3'
     }
 }

From 3cd621b436de3cb2cffd01fd7fb52f9a5f1cbbd2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Nov 2022 16:51:19 +0100
Subject: [PATCH 0677/1450] Update CHANGELOG

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5ea7c57..5b1ec6da 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.10-SNAPSHOT
+- Bump `sop-java` to `4.0.3`
+- Fix: Fix NPE when verifying signature made by key without key flags on direct-key signature
+
 ## 1.3.9
 - Bump `sop-java` to `4.0.2`
 - SOP: Improve exception handling

From 4143ad3165b397561f2ee410f6d724f95c531b2f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Nov 2022 16:55:00 +0100
Subject: [PATCH 0678/1450] PGPainless 1.3.10

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b1ec6da..efff7de9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.10-SNAPSHOT
+## 1.3.10
 - Bump `sop-java` to `4.0.3`
 - Fix: Fix NPE when verifying signature made by key without key flags on direct-key signature
 
diff --git a/README.md b/README.md
index 6c1f8368..c24728e9 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.9'
+	implementation 'org.pgpainless:pgpainless-core:1.3.10'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 2dd87b60..6c82fdcd 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.9"
+    implementation "org.pgpainless:pgpainless-sop:1.3.10"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.9
+        1.3.10
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 0f15467b..8a7dd76c 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.10'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From faae5c64b1685ae4a17729f22b11cad18dcf915f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 7 Nov 2022 16:57:22 +0100
Subject: [PATCH 0679/1450] PGPainless 1.3.11-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 8a7dd76c..a8b3c6b7 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.10'
-        isSnapshot = false
+        shortVersion = '1.3.11'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From c253732ad96159a99710e8165c6a8e701013c1ab Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 15:30:29 +0100
Subject: [PATCH 0680/1450] Do not reject bnacksig signatures when they predate
 subkey binding date

Fixes #334
---
 .../org/pgpainless/signature/consumer/SignatureValidator.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 56614f4f..af245235 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -375,7 +375,9 @@ public abstract class SignatureValidator {
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 signatureHasHashedCreationTime().verify(signature);
                 signatureDoesNotPredateSigningKey(creator).verify(signature);
-                signatureDoesNotPredateSigningKeyBindingDate(creator).verify(signature);
+                if (signature.getSignatureType() != SignatureType.PRIMARYKEY_BINDING.getCode()) {
+                    signatureDoesNotPredateSigningKeyBindingDate(creator).verify(signature);
+                }
             }
         };
     }

From c77c96f8498e962ea70497cffb40982f76d85ced Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 15:30:57 +0100
Subject: [PATCH 0681/1450] SOP verify: force data to be non-openpgp data

---
 .../src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index e6e2768e..1f9aa32b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -62,6 +62,8 @@ public class DetachedVerifyImpl implements DetachedVerify {
 
     @Override
     public List data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
+        options.forceNonOpenPgpData();
+
         DecryptionStream decryptionStream;
         try {
             decryptionStream = PGPainless.decryptAndOrVerify()

From 1c127933bd0c0b0c63264eefd1b34273fd703726 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 15:50:01 +0100
Subject: [PATCH 0682/1450] Update changelog

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index efff7de9..58c4b052 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.11-SNAPSHOT
+- Fix: When verifying subkey binding signatures with embedded recycled primary
+  key binding signatures, do not reject signature if primary key binding
+  predates subkey binding
+- SOP `verify`: Forcefully expect `data()` to be non-OpenPGP data
+
 ## 1.3.10
 - Bump `sop-java` to `4.0.3`
 - Fix: Fix NPE when verifying signature made by key without key flags on direct-key signature

From e15dd70b85b3292ecf83514a6fd58b229e354b2a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:01:20 +0100
Subject: [PATCH 0683/1450] SOP: Unify key/certificate reading code

---
 .../java/org/pgpainless/sop/DecryptImpl.java  | 39 +++---------
 .../pgpainless/sop/DetachedVerifyImpl.java    |  9 +--
 .../java/org/pgpainless/sop/EncryptImpl.java  | 31 ++++------
 .../org/pgpainless/sop/ExtractCertImpl.java   | 17 +-----
 .../org/pgpainless/sop/InlineSignImpl.java    | 19 +++---
 .../org/pgpainless/sop/InlineVerifyImpl.java  |  9 +--
 .../java/org/pgpainless/sop/KeyReader.java    | 61 +++++++++++++++++++
 7 files changed, 93 insertions(+), 92 deletions(-)
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index f18ed732..11b20f82 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -52,22 +52,9 @@ public class DecryptImpl implements Decrypt {
 
     @Override
     public DecryptImpl verifyWithCert(InputStream certIn) throws SOPGPException.BadData, IOException {
-        try {
-            PGPPublicKeyRingCollection certs = PGPainless.readKeyRing().keyRingCollection(certIn, false)
-                    .getPgpPublicKeyRingCollection();
-            if (certs.size() == 0) {
-                throw new SOPGPException.BadData(new PGPException("No certificates provided."));
-            }
-
+        PGPPublicKeyRingCollection certs = KeyReader.readPublicKeys(certIn, true);
+        if (certs != null) {
             consumerOptions.addVerificationCerts(certs);
-
-        } catch (IOException e) {
-            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
-                throw new SOPGPException.BadData(e);
-            }
-            throw e;
-        } catch (PGPException e) {
-            throw new SOPGPException.BadData(e);
         }
         return this;
     }
@@ -102,23 +89,11 @@ public class DecryptImpl implements Decrypt {
 
     @Override
     public DecryptImpl withKey(InputStream keyIn) throws SOPGPException.BadData, IOException, SOPGPException.UnsupportedAsymmetricAlgo {
-        try {
-            PGPSecretKeyRingCollection secretKeyCollection = PGPainless.readKeyRing()
-                    .secretKeyRingCollection(keyIn);
-            if (secretKeyCollection.size() == 0) {
-                throw new SOPGPException.BadData("No key data found.");
-            }
-            for (PGPSecretKeyRing key : secretKeyCollection) {
-                protector.addSecretKey(key);
-                consumerOptions.addDecryptionKey(key, protector);
-            }
-        } catch (IOException e) {
-            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
-                throw new SOPGPException.BadData(e);
-            }
-            throw e;
-        } catch (PGPException e) {
-            throw new SOPGPException.BadData(e);
+        PGPSecretKeyRingCollection secretKeyCollection = KeyReader.readSecretKeys(keyIn, true);
+
+        for (PGPSecretKeyRing key : secretKeyCollection) {
+            protector.addSecretKey(key);
+            consumerOptions.addDecryptionKey(key, protector);
         }
         return this;
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 1f9aa32b..3065addf 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -39,13 +39,8 @@ public class DetachedVerifyImpl implements DetachedVerify {
     }
 
     @Override
-    public DetachedVerify cert(InputStream cert) throws SOPGPException.BadData {
-        PGPPublicKeyRingCollection certificates;
-        try {
-            certificates = PGPainless.readKeyRing().publicKeyRingCollection(cert);
-        } catch (IOException | PGPException e) {
-            throw new SOPGPException.BadData(e);
-        }
+    public DetachedVerify cert(InputStream cert) throws SOPGPException.BadData, IOException {
+        PGPPublicKeyRingCollection certificates = KeyReader.readPublicKeys(cert, true);
         options.addVerificationCerts(certificates);
         return this;
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 9658bd17..61a46731 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -58,28 +58,23 @@ public class EncryptImpl implements Encrypt {
 
     @Override
     public Encrypt signWith(InputStream keyIn)
-            throws SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData {
+            throws SOPGPException.KeyCannotSign, SOPGPException.UnsupportedAsymmetricAlgo, SOPGPException.BadData, IOException {
         if (signingOptions == null) {
             signingOptions = SigningOptions.get();
         }
-
-        try {
-            PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
-            if (keys.size() != 1) {
-                throw new SOPGPException.BadData(new AssertionError("Exactly one secret key at a time expected. Got " + keys.size()));
-            }
-            PGPSecretKeyRing signingKey = keys.iterator().next();
-
-            KeyRingInfo info = PGPainless.inspectKeyRing(signingKey);
-            if (info.getSigningSubkeys().isEmpty()) {
-                throw new SOPGPException.KeyCannotSign("Key " + OpenPgpFingerprint.of(signingKey) + " cannot sign.");
-            }
-
-            protector.addSecretKey(signingKey);
-            signingKeys.add(signingKey);
-        } catch (IOException | PGPException e) {
-            throw new SOPGPException.BadData(e);
+        PGPSecretKeyRingCollection keys = KeyReader.readSecretKeys(keyIn, true);
+        if (keys.size() != 1) {
+            throw new SOPGPException.BadData(new AssertionError("Exactly one secret key at a time expected. Got " + keys.size()));
         }
+        PGPSecretKeyRing signingKey = keys.iterator().next();
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(signingKey);
+        if (info.getSigningSubkeys().isEmpty()) {
+            throw new SOPGPException.KeyCannotSign("Key " + OpenPgpFingerprint.of(signingKey) + " cannot sign.");
+        }
+
+        protector.addSecretKey(signingKey);
+        signingKeys.add(signingKey);
         return this;
     }
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
index 16848383..5be3ad31 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
@@ -10,7 +10,6 @@ import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.List;
 
-import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
@@ -32,21 +31,7 @@ public class ExtractCertImpl implements ExtractCert {
 
     @Override
     public Ready key(InputStream keyInputStream) throws IOException, SOPGPException.BadData {
-        PGPSecretKeyRingCollection keys;
-        try {
-            keys = PGPainless.readKeyRing().secretKeyRingCollection(keyInputStream);
-        } catch (IOException e) {
-            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
-                throw new SOPGPException.BadData(e);
-            }
-            throw e;
-        } catch (PGPException e) {
-            throw new IOException("Cannot read keys.", e);
-        }
-
-        if (keys == null || keys.size() == 0) {
-            throw new SOPGPException.BadData(new PGPException("No key data found."));
-        }
+        PGPSecretKeyRingCollection keys = KeyReader.readSecretKeys(keyInputStream, true);
 
         List certs = new ArrayList<>();
         for (PGPSecretKeyRing key : keys) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index 3bdc8fc3..c0bd29f4 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -51,19 +51,14 @@ public class InlineSignImpl implements InlineSign {
 
     @Override
     public InlineSign key(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
-        try {
-            PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
-
-            for (PGPSecretKeyRing key : keys) {
-                KeyRingInfo info = PGPainless.inspectKeyRing(key);
-                if (!info.isUsableForSigning()) {
-                    throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
-                }
-                protector.addSecretKey(key);
-                signingKeys.add(key);
+        PGPSecretKeyRingCollection keys = KeyReader.readSecretKeys(keyIn, true);
+        for (PGPSecretKeyRing key : keys) {
+            KeyRingInfo info = PGPainless.inspectKeyRing(key);
+            if (!info.isUsableForSigning()) {
+                throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
             }
-        } catch (PGPException | KeyException e) {
-            throw new SOPGPException.BadData(e);
+            protector.addSecretKey(key);
+            signingKeys.add(key);
         }
         return this;
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index e9994f38..4af53685 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -42,13 +42,8 @@ public class InlineVerifyImpl implements InlineVerify {
     }
 
     @Override
-    public InlineVerify cert(InputStream cert) throws SOPGPException.BadData {
-        PGPPublicKeyRingCollection certificates;
-        try {
-            certificates = PGPainless.readKeyRing().publicKeyRingCollection(cert);
-        } catch (IOException | PGPException e) {
-            throw new SOPGPException.BadData(e);
-        }
+    public InlineVerify cert(InputStream cert) throws SOPGPException.BadData, IOException {
+        PGPPublicKeyRingCollection certificates = KeyReader.readPublicKeys(cert, true);
         options.addVerificationCerts(certificates);
         return this;
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
new file mode 100644
index 00000000..064a5e39
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
@@ -0,0 +1,61 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
+import org.pgpainless.PGPainless;
+import sop.exception.SOPGPException;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+class KeyReader {
+
+    static PGPSecretKeyRingCollection readSecretKeys(InputStream keyInputStream, boolean requireContent)
+            throws IOException, SOPGPException.BadData {
+        PGPSecretKeyRingCollection keys;
+        try {
+            keys = PGPainless.readKeyRing().secretKeyRingCollection(keyInputStream);
+        } catch (IOException e) {
+            String message = e.getMessage();
+            if (message == null) {
+                throw e;
+            }
+            if (message.startsWith("unknown object in stream:") ||
+                    message.startsWith("invalid header encountered")) {
+                throw new SOPGPException.BadData(e);
+            }
+            throw e;
+        } catch (PGPException e) {
+            throw new IOException("Cannot read keys.", e);
+        }
+
+        if (requireContent && (keys == null || keys.size() == 0)) {
+            throw new SOPGPException.BadData(new PGPException("No key data found."));
+        }
+
+        return keys;
+    }
+
+    static PGPPublicKeyRingCollection readPublicKeys(InputStream certIn, boolean requireContent) throws IOException {
+        PGPPublicKeyRingCollection certs;
+        try {
+            certs = PGPainless.readKeyRing().publicKeyRingCollection(certIn);
+        } catch (IOException e) {
+            if (e.getMessage() != null && e.getMessage().startsWith("unknown object in stream:")) {
+                throw new SOPGPException.BadData(e);
+            }
+            throw e;
+        } catch (PGPException e) {
+            throw new SOPGPException.BadData(e);
+        }
+        if (requireContent && (certs == null || certs.size() == 0)) {
+            throw new SOPGPException.BadData(new PGPException("No cert data found."));
+        }
+        return certs;
+    }
+}

From fd55ce3657057f43dc9c682a445e232efce23437 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:01:52 +0100
Subject: [PATCH 0684/1450] Fix key/password matching in SOPs detached sign
 command

---
 .../org/pgpainless/sop/DetachedSignImpl.java  | 31 ++++++++++++-------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index 0ce326a9..f6ab8172 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -24,6 +24,7 @@ import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.KeyException;
+import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
@@ -41,6 +42,7 @@ public class DetachedSignImpl implements DetachedSign {
     private SignAs mode = SignAs.Binary;
     private final SigningOptions signingOptions = SigningOptions.get();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+    private final List signingKeys = new ArrayList<>();
 
     @Override
     public DetachedSign noArmor() {
@@ -56,19 +58,14 @@ public class DetachedSignImpl implements DetachedSign {
 
     @Override
     public DetachedSign key(InputStream keyIn) throws SOPGPException.KeyCannotSign, SOPGPException.BadData, IOException {
-        try {
-            PGPSecretKeyRingCollection keys = PGPainless.readKeyRing().secretKeyRingCollection(keyIn);
-
-            for (PGPSecretKeyRing key : keys) {
-                KeyRingInfo info = PGPainless.inspectKeyRing(key);
-                if (!info.isUsableForSigning()) {
-                    throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
-                }
-                protector.addSecretKey(key);
-                signingOptions.addDetachedSignature(protector, key, modeToSigType(mode));
+        PGPSecretKeyRingCollection keys = KeyReader.readSecretKeys(keyIn, true);
+        for (PGPSecretKeyRing key : keys) {
+            KeyRingInfo info = PGPainless.inspectKeyRing(key);
+            if (!info.isUsableForSigning()) {
+                throw new SOPGPException.KeyCannotSign("Key " + info.getFingerprint() + " does not have valid, signing capable subkeys.");
             }
-        } catch (PGPException | KeyException e) {
-            throw new SOPGPException.BadData(e);
+            protector.addSecretKey(key);
+            signingKeys.add(key);
         }
         return this;
     }
@@ -82,6 +79,16 @@ public class DetachedSignImpl implements DetachedSign {
 
     @Override
     public ReadyWithResult data(InputStream data) throws IOException {
+        for (PGPSecretKeyRing key : signingKeys) {
+            try {
+                signingOptions.addDetachedSignature(protector, key, modeToSigType(mode));
+            } catch (KeyException.UnacceptableSigningKeyException | KeyException.MissingSecretKeyException e) {
+                throw new SOPGPException.KeyCannotSign("Key " + OpenPgpFingerprint.of(key) + " cannot sign.", e);
+            } catch (PGPException e) {
+                throw new SOPGPException.KeyIsProtected("Key " + OpenPgpFingerprint.of(key) + " cannot be unlocked.", e);
+            }
+        }
+
         ByteArrayOutputStream buffer = new ByteArrayOutputStream();
         try {
             EncryptionStream signingStream = PGPainless.encryptAndOrSign()

From 858f8e00f3f38c32be10171bfbe2e04d0d49c364 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:02:16 +0100
Subject: [PATCH 0685/1450] Rework CLI tests

---
 .../pgpainless/cli/commands/ArmorCmdTest.java |  99 +--
 .../org/pgpainless/cli/commands/CLITest.java  | 166 +++++
 .../cli/commands/DearmorCmdTest.java          |  89 ++-
 .../cli/commands/ExtractCertCmdTest.java      |  76 ++-
 .../cli/commands/GenerateCertCmdTest.java     | 106 ---
 .../cli/commands/GenerateKeyCmdTest.java      |  96 +++
 .../cli/commands/InlineDetachCmdTest.java     | 143 ++---
 .../RoundTripEncryptDecryptCmdTest.java       | 606 +++++++++++++++---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 236 +++++++
 .../commands/RoundTripSignVerifyCmdTest.java  | 360 ++++++++---
 .../cli/commands/VersionCmdTest.java          |  44 ++
 11 files changed, 1548 insertions(+), 473 deletions(-)
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
 delete mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
index 711796e6..c1fb810f 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
@@ -5,87 +5,96 @@
 package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.PrintStream;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
 
-import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
 
-public class ArmorCmdTest {
+public class ArmorCmdTest extends CLITest {
 
-    private static PrintStream originalSout;
-
-    @BeforeEach
-    public void saveSout() {
-        originalSout = System.out;
+    public ArmorCmdTest() {
+        super(LoggerFactory.getLogger(ArmorCmdTest.class));
     }
 
-    @AfterEach
-    public void restoreSout() {
-        System.setOut(originalSout);
-    }
+    private static final String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 62E9 DDA4 F20F 8341 D2BC  4B4C 8B07 5177 01F9 534C\n" +
+            "Comment: alice@pgpainless.org\n" +
+            "\n" +
+            "lFgEY2vOkhYJKwYBBAHaRw8BAQdAqGOtLd1tKnuwaYYcdr2/7C0cPiCCggRMKG+W\n" +
+            "t32QQdEAAP9VaBzjk/AaAqyykZnQHmS1HByEvRLv5/4yJMSr22451BFjtBRhbGlj\n" +
+            "ZUBwZ3BhaW5sZXNzLm9yZ4iOBBMWCgBBBQJja86SCRCLB1F3AflTTBYhBGLp3aTy\n" +
+            "D4NB0rxLTIsHUXcB+VNMAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACZhAP4s\n" +
+            "8hn/RBDvyLvGROOd15EYATnWlgyi+b5WXP6cELalJwD1FZy3RROhfNtZWcJPS43f\n" +
+            "G03pYNyb0NXoitIMAaXEB5xdBGNrzpISCisGAQQBl1UBBQEBB0CqCcYethOynfni\n" +
+            "8uRO+r/cZWp9hCLy8pRIExKqzcyEFAMBCAcAAP9sRRLoZkLpDaTNNrtIBovXu2AN\n" +
+            "hL8keUMWtVcuEHnkQA6iiHUEGBYKAB0FAmNrzpICngECmwwFFgIDAQAECwkIBwUV\n" +
+            "CgkICwAKCRCLB1F3AflTTBVpAP491etrjqCMWx2bBaw3K1vP0Mix6U0vF3J4kP9U\n" +
+            "eZm6owEA4kX9VAGESvLgIc7CEiswmxdWjxnLQyCRtWXfjgFmYQucWARja86SFgkr\n" +
+            "BgEEAdpHDwEBB0DBslhDpWC6CV3xJUSo071NSO5Cf4fgOwOj+QHs8mpFbwABAPkQ\n" +
+            "ioSydYiMi04LyfPohyrhhcdJDHallQg+jYHHUb2pEJCI1QQYFgoAfQUCY2vOkgKe\n" +
+            "AQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNrzpIACgkQiHlkvEXh+f1e\n" +
+            "ywEA9A2GLU9LxCJxZf2X4qcZY//YJDChIZHPnY0Vaek1DsMBAN1YILrH2rxQeCXj\n" +
+            "m4bUKfJIRrGt6ZJscwORgNI1dFQFAAoJEIsHUXcB+VNMK3gA/3vvPm57JsHA860w\n" +
+            "lB4D1II71oFNL8TFnJqTAvpSKe1AAP49S4mKB4PE0ElcDo7n+nEYt6ba8IMRDlMo\n" +
+            "rsH85mUgCw==\n" +
+            "=EMKf\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
 
     @Test
-    @FailOnSystemExit
-    public void armorSecretKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org");
-        byte[] bytes = secretKey.getEncoded();
+    public void armorSecretKey() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(key);
+        byte[] binary = secretKeys.getEncoded();
 
-        System.setIn(new ByteArrayInputStream(bytes));
-        ByteArrayOutputStream armorOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(armorOut));
-        PGPainlessCLI.execute("armor");
+        pipeBytesToStdin(binary);
+        ByteArrayOutputStream armorOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("armor"));
 
         PGPSecretKeyRing armored = PGPainless.readKeyRing().secretKeyRing(armorOut.toString());
-        assertArrayEquals(secretKey.getEncoded(), armored.getEncoded());
+        assertArrayEquals(secretKeys.getEncoded(), armored.getEncoded());
     }
 
     @Test
-    @FailOnSystemExit
-    public void armorPublicKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org");
+    public void armorPublicKey() throws IOException {
+        PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(key);
         PGPPublicKeyRing publicKey = PGPainless.extractCertificate(secretKey);
         byte[] bytes = publicKey.getEncoded();
 
-        System.setIn(new ByteArrayInputStream(bytes));
-        ByteArrayOutputStream armorOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(armorOut));
-        PGPainlessCLI.execute("armor");
+        pipeBytesToStdin(bytes);
+        ByteArrayOutputStream armorOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("armor"));
 
         PGPPublicKeyRing armored = PGPainless.readKeyRing().publicKeyRing(armorOut.toString());
         assertArrayEquals(publicKey.getEncoded(), armored.getEncoded());
     }
 
     @Test
-    @FailOnSystemExit
-    public void armorMessage() {
+    public void armorMessage() throws IOException {
         String message = "Hello, World!\n";
 
-        System.setIn(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)));
-        ByteArrayOutputStream armorOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(armorOut));
-        PGPainlessCLI.execute("armor");
+        pipeStringToStdin(message);
+        ByteArrayOutputStream armorOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("armor"));
 
         String armored = armorOut.toString();
-
         assertTrue(armored.startsWith("-----BEGIN PGP MESSAGE-----\n"));
         assertTrue(armored.contains("SGVsbG8sIFdvcmxkIQo="));
     }
 
+    @Test
+    public void labelNotYetSupported() throws IOException {
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("armor", "--label", "Message");
+        assertEquals(SOPGPException.UnsupportedOption.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
new file mode 100644
index 00000000..d5d076cc
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
@@ -0,0 +1,166 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import javax.annotation.Nonnull;
+
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.opentest4j.TestAbortedException;
+import org.pgpainless.cli.TestUtils;
+import org.pgpainless.sop.SOPImpl;
+import org.slf4j.Logger;
+import sop.cli.picocli.SopCLI;
+
+public abstract class CLITest {
+
+    protected File testDirectory;
+    protected InputStream stdin;
+    protected PrintStream stdout;
+
+    protected final Logger LOGGER;
+
+
+    public CLITest(@Nonnull Logger logger) {
+        LOGGER = logger;
+        SopCLI.setSopInstance(new SOPImpl());
+    }
+
+    @BeforeEach
+    public void setup() throws IOException {
+        testDirectory = TestUtils.createTempDirectory();
+        testDirectory.deleteOnExit();
+        LOGGER.debug(testDirectory.getAbsolutePath());
+        stdin = System.in;
+        stdout = System.out;
+    }
+
+    @AfterEach
+    public void cleanup() throws IOException {
+        resetStreams();
+    }
+
+    public File nonExistentFile(String name) {
+        File file = new File(testDirectory, name);
+        if (file.exists()) {
+            throw new TestAbortedException("File " + file.getAbsolutePath() + " already exists.");
+        }
+        return file;
+    }
+
+    public File pipeStdoutToFile(String name) throws IOException {
+        File file = new File(testDirectory, name);
+        file.deleteOnExit();
+        if (!file.createNewFile()) {
+            throw new TestAbortedException("Cannot create new file " + file.getAbsolutePath());
+        }
+        System.setOut(new PrintStream(Files.newOutputStream(file.toPath())));
+        return file;
+    }
+
+    public ByteArrayOutputStream pipeStdoutToStream() {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        pipeStdoutToStream(out);
+        return out;
+    }
+
+    public void pipeStdoutToStream(OutputStream stream) {
+        System.setOut(new PrintStream(stream));
+    }
+
+    public void pipeFileToStdin(File file) throws IOException {
+        System.setIn(Files.newInputStream(file.toPath()));
+    }
+
+    public void pipeBytesToStdin(byte[] bytes) {
+        System.setIn(new ByteArrayInputStream(bytes));
+    }
+
+    public void pipeStringToStdin(String string) {
+        System.setIn(new ByteArrayInputStream(string.getBytes(StandardCharsets.UTF_8)));
+    }
+
+    public void resetStdout() {
+        if (System.out != stdout) {
+            System.out.flush();
+            System.out.close();
+        }
+        System.setOut(stdout);
+    }
+
+    public void resetStdin() throws IOException {
+        if (System.in != stdin) {
+            System.in.close();
+        }
+        System.setIn(stdin);
+    }
+
+    public void resetStreams() throws IOException {
+        resetStdout();
+        resetStdin();
+    }
+
+    public File writeFile(String name, String data) throws IOException {
+        return writeFile(name, data.getBytes(StandardCharsets.UTF_8));
+    }
+
+    public File writeFile(String name, byte[] bytes) throws IOException {
+        return writeFile(name, new ByteArrayInputStream(bytes));
+    }
+
+    public File writeFile(String name, InputStream data) throws IOException {
+        File file = new File(testDirectory, name);
+        if (!file.createNewFile()) {
+            throw new TestAbortedException("Cannot create new file " + file.getAbsolutePath());
+        }
+        file.deleteOnExit();
+        try (FileOutputStream fileOut = new FileOutputStream(file)) {
+            Streams.pipeAll(data, fileOut);
+            fileOut.flush();
+        }
+        return file;
+    }
+
+    public byte[] readBytesFromFile(File file) {
+        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+        try (FileInputStream fileIn = new FileInputStream(file)) {
+            Streams.pipeAll(fileIn, buffer);
+        } catch (FileNotFoundException e) {
+            throw new TestAbortedException("File " + file.getAbsolutePath() + " does not exist!", e);
+        } catch (IOException e) {
+            throw new TestAbortedException("Cannot read from file " + file.getAbsolutePath(), e);
+        }
+        return buffer.toByteArray();
+    }
+
+    public String readStringFromFile(File file) {
+        return new String(readBytesFromFile(file), StandardCharsets.UTF_8);
+    }
+
+    public int executeCommand(String... command) throws IOException {
+        int exitCode = SopCLI.execute(command);
+        resetStreams();
+        return exitCode;
+    }
+
+    public void assertSuccess(int exitCode) {
+        assertEquals(0, exitCode, "Expected successful program execution");
+    }
+}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index a49f4db1..4ebaf21d 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -7,73 +7,73 @@ package org.pgpainless.cli.commands;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.PrintStream;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
 
-import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
+import org.slf4j.LoggerFactory;
 
-public class DearmorCmdTest {
+public class DearmorCmdTest extends CLITest {
 
-    private PrintStream originalSout;
-
-    @BeforeEach
-    public void saveSout() {
-        this.originalSout = System.out;
+    public DearmorCmdTest() {
+        super(LoggerFactory.getLogger(DearmorCmdTest.class));
     }
 
-    @AfterEach
-    public void restoreSout() {
-        System.setOut(originalSout);
-    }
+    private static final String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 62E9 DDA4 F20F 8341 D2BC  4B4C 8B07 5177 01F9 534C\n" +
+            "Comment: alice@pgpainless.org\n" +
+            "\n" +
+            "lFgEY2vOkhYJKwYBBAHaRw8BAQdAqGOtLd1tKnuwaYYcdr2/7C0cPiCCggRMKG+W\n" +
+            "t32QQdEAAP9VaBzjk/AaAqyykZnQHmS1HByEvRLv5/4yJMSr22451BFjtBRhbGlj\n" +
+            "ZUBwZ3BhaW5sZXNzLm9yZ4iOBBMWCgBBBQJja86SCRCLB1F3AflTTBYhBGLp3aTy\n" +
+            "D4NB0rxLTIsHUXcB+VNMAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACZhAP4s\n" +
+            "8hn/RBDvyLvGROOd15EYATnWlgyi+b5WXP6cELalJwD1FZy3RROhfNtZWcJPS43f\n" +
+            "G03pYNyb0NXoitIMAaXEB5xdBGNrzpISCisGAQQBl1UBBQEBB0CqCcYethOynfni\n" +
+            "8uRO+r/cZWp9hCLy8pRIExKqzcyEFAMBCAcAAP9sRRLoZkLpDaTNNrtIBovXu2AN\n" +
+            "hL8keUMWtVcuEHnkQA6iiHUEGBYKAB0FAmNrzpICngECmwwFFgIDAQAECwkIBwUV\n" +
+            "CgkICwAKCRCLB1F3AflTTBVpAP491etrjqCMWx2bBaw3K1vP0Mix6U0vF3J4kP9U\n" +
+            "eZm6owEA4kX9VAGESvLgIc7CEiswmxdWjxnLQyCRtWXfjgFmYQucWARja86SFgkr\n" +
+            "BgEEAdpHDwEBB0DBslhDpWC6CV3xJUSo071NSO5Cf4fgOwOj+QHs8mpFbwABAPkQ\n" +
+            "ioSydYiMi04LyfPohyrhhcdJDHallQg+jYHHUb2pEJCI1QQYFgoAfQUCY2vOkgKe\n" +
+            "AQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNrzpIACgkQiHlkvEXh+f1e\n" +
+            "ywEA9A2GLU9LxCJxZf2X4qcZY//YJDChIZHPnY0Vaek1DsMBAN1YILrH2rxQeCXj\n" +
+            "m4bUKfJIRrGt6ZJscwORgNI1dFQFAAoJEIsHUXcB+VNMK3gA/3vvPm57JsHA860w\n" +
+            "lB4D1II71oFNL8TFnJqTAvpSKe1AAP49S4mKB4PE0ElcDo7n+nEYt6ba8IMRDlMo\n" +
+            "rsH85mUgCw==\n" +
+            "=EMKf\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
 
     @Test
-    @FailOnSystemExit
-    public void dearmorSecretKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org");
-        String armored = PGPainless.asciiArmor(secretKey);
+    public void dearmorSecretKey() throws IOException {
+        PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(key);
 
-        System.setIn(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)));
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("dearmor");
+        pipeStringToStdin(key);
+        ByteArrayOutputStream dearmored = pipeStdoutToStream();
+        assertSuccess(executeCommand("dearmor"));
 
-        assertArrayEquals(secretKey.getEncoded(), out.toByteArray());
+        assertArrayEquals(secretKey.getEncoded(), dearmored.toByteArray());
     }
 
 
     @Test
-    @FailOnSystemExit
-    public void dearmorCertificate() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing()
-                .modernKeyRing("alice@pgpainless.org");
+    public void dearmorCertificate() throws IOException {
+        PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(key);
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
-        String armored = PGPainless.asciiArmor(certificate);
+        String armoredCert = PGPainless.asciiArmor(certificate);
 
-        System.setIn(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)));
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("dearmor");
+        pipeStringToStdin(armoredCert);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("dearmor"));
 
         assertArrayEquals(certificate.getEncoded(), out.toByteArray());
     }
 
     @Test
-    @FailOnSystemExit
-    public void dearmorMessage() {
+    public void dearmorMessage() throws IOException {
         String armored = "-----BEGIN PGP MESSAGE-----\n" +
                 "Version: BCPG v1.69\n" +
                 "\n" +
@@ -81,10 +81,9 @@ public class DearmorCmdTest {
                 "=fkLo\n" +
                 "-----END PGP MESSAGE-----";
 
-        System.setIn(new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8)));
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("dearmor");
+        pipeStringToStdin(armored);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("dearmor"));
 
         assertEquals("Hello, World\n", out.toString());
     }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
index 1d20fb0e..3eebcb47 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
@@ -4,42 +4,96 @@
 
 package org.pgpainless.cli.commands;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
-import java.io.PrintStream;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 
-import com.ginsberg.junit.exit.FailOnSystemExit;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.key.info.KeyRingInfo;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
 
-public class ExtractCertCmdTest {
+public class ExtractCertCmdTest extends CLITest {
+
+    public ExtractCertCmdTest() {
+        super(LoggerFactory.getLogger(ExtractCertCmdTest.class));
+    }
 
     @Test
-    @FailOnSystemExit
     public void testExtractCert() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .simpleEcKeyRing("Juliet Capulet ");
-        ByteArrayInputStream inputStream = new ByteArrayInputStream(secretKeys.getEncoded());
-        System.setIn(inputStream);
 
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
+        pipeBytesToStdin(secretKeys.getEncoded());
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("extract-cert", "--armor"));
+
+        assertTrue(out.toString().startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"));
 
-        PGPainlessCLI.execute("extract-cert");
         PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(out.toByteArray());
         KeyRingInfo info = PGPainless.inspectKeyRing(publicKeys);
         assertFalse(info.isSecretKey());
         assertTrue(info.isUserIdValid("Juliet Capulet "));
     }
+
+    @Test
+    public void testExtractCertFromCertFails() throws IOException {
+        // Generate key
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key", "Alice "));
+
+        // extract cert from key (success)
+        pipeFileToStdin(keyFile);
+        File certFile = pipeStdoutToFile("cert.asc");
+        assertSuccess(executeCommand("extract-cert"));
+
+        // extract cert from cert (fail)
+        pipeFileToStdin(certFile);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("extract-cert");
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void extractCertFromGarbageFails() throws IOException {
+        pipeStringToStdin("This is a bunch of garbage!");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("extract-cert");
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testExtractCertUnarmored() throws IOException {
+        // Generate key
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key", "Alice "));
+
+        // extract cert from key (success)
+        pipeFileToStdin(keyFile);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("extract-cert", "--no-armor"));
+
+        assertFalse(out.toString().startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"));
+
+        pipeBytesToStdin(out.toByteArray());
+        ByteArrayOutputStream armored = pipeStdoutToStream();
+        assertSuccess(executeCommand("armor"));
+
+        assertTrue(armored.toString().startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"));
+    }
+
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
deleted file mode 100644
index 63afc39f..00000000
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateCertCmdTest.java
+++ /dev/null
@@ -1,106 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.cli.commands;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.pgpainless.cli.TestUtils.ARMOR_PRIVATE_KEY_HEADER_BYTES;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
-
-import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
-import org.pgpainless.cli.TestUtils;
-import org.pgpainless.key.info.KeyInfo;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.UnlockSecretKey;
-import org.pgpainless.util.Passphrase;
-
-public class GenerateCertCmdTest {
-
-    @Test
-    @FailOnSystemExit
-    public void testKeyGeneration() throws IOException, PGPException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("generate-key", "--armor", "Juliet Capulet ");
-
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(out.toByteArray());
-        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
-        assertTrue(info.isFullyDecrypted());
-        assertTrue(info.isUserIdValid("Juliet Capulet "));
-
-        for (PGPSecretKey key : secretKeys) {
-            assertTrue(testPassphrase(key, null));
-        }
-
-        byte[] outBegin = new byte[37];
-        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
-        assertArrayEquals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES);
-    }
-
-    @Test
-    @FailOnSystemExit
-    public void testGenerateKeyWithPassword() throws IOException, PGPException {
-        PrintStream orig = System.out;
-        try {
-            // Write password to file
-            File tempDir = TestUtils.createTempDirectory();
-            File passwordFile = TestUtils.writeTempFile(tempDir, "sw0rdf1sh".getBytes(StandardCharsets.UTF_8));
-
-            ByteArrayOutputStream out = new ByteArrayOutputStream();
-            System.setOut(new PrintStream(out));
-            PGPainlessCLI.execute("generate-key", "Juliet Capulet ",
-                    "--with-key-password", passwordFile.getAbsolutePath());
-
-            PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(out.toByteArray());
-            KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
-            assertFalse(info.isFullyDecrypted());
-            assertTrue(info.isFullyEncrypted());
-
-            for (PGPSecretKey key : secretKeys) {
-                assertTrue(testPassphrase(key, "sw0rdf1sh"));
-            }
-        } finally {
-            System.setOut(orig);
-        }
-    }
-
-    private boolean testPassphrase(PGPSecretKey key, String passphrase) throws PGPException {
-        if (KeyInfo.isEncrypted(key)) {
-            UnlockSecretKey.unlockSecretKey(key, Passphrase.fromPassword(passphrase));
-        } else {
-            if (passphrase != null) {
-                return false;
-            }
-            UnlockSecretKey.unlockSecretKey(key, (PBESecretKeyDecryptor) null);
-        }
-        return true;
-    }
-
-    @Test
-    @FailOnSystemExit
-    public void testNoArmor() {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("generate-key", "--no-armor", "Test ");
-
-        byte[] outBegin = new byte[37];
-        System.arraycopy(out.toByteArray(), 0, outBegin, 0, 37);
-        assertFalse(Arrays.equals(outBegin, ARMOR_PRIVATE_KEY_HEADER_BYTES));
-    }
-}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
new file mode 100644
index 00000000..2e4e6e7f
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
@@ -0,0 +1,96 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.encoders.Hex;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
+
+public class GenerateKeyCmdTest extends CLITest {
+
+    public GenerateKeyCmdTest() {
+        super(LoggerFactory.getLogger(GenerateKeyCmdTest.class));
+    }
+
+    @Test
+    public void testGenerateKey() throws IOException {
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key", "Alice "));
+
+        String key = readStringFromFile(keyFile);
+        assertTrue(key.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(key);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        assertTrue(info.isFullyDecrypted());
+        assertEquals(Collections.singletonList("Alice "), info.getUserIds());
+    }
+
+    @Test
+    public void testGenerateBinaryKey() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("generate-key", "--no-armor",
+                "Alice "));
+
+        byte[] key = out.toByteArray();
+        String firstHexOctet = Hex.toHexString(key, 0, 1);
+        assertTrue(firstHexOctet.equals("c5") || firstHexOctet.equals("94"));
+    }
+
+    @Test
+    public void testGenerateKeyWithMultipleUserIds() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("generate-key",
+                "Alice ", "Alice "));
+
+        String key = out.toString();
+        assertTrue(key.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(key);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        assertTrue(info.isFullyDecrypted());
+        assertEquals(Arrays.asList("Alice ", "Alice "), info.getUserIds());
+    }
+
+    @Test
+    public void testPasswordProtectedKey() throws IOException, PGPException {
+        File passwordFile = writeFile("password", "sw0rdf1sh");
+        passwordFile.deleteOnExit();
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("generate-key",
+                "--with-key-password", passwordFile.getAbsolutePath(), "Alice "));
+
+        String key = out.toString();
+        assertTrue(key.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"));
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(key);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        assertTrue(info.isFullyEncrypted());
+
+        assertNotNull(UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), Passphrase.fromPassword("sw0rdf1sh")));
+    }
+
+    @Test
+    public void testGeneratePasswordProtectedKey_missingPasswordFile() throws IOException {
+        int exit = executeCommand("generate-key",
+                "--with-key-password", "nonexistent", "Alice ");
+
+        assertEquals(SOPGPException.MissingInput.EXIT_CODE, exit, "Expected MISSING_INPUT (" + SOPGPException.MissingInput.EXIT_CODE + ")");
+    }
+}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
index aed4c581..eabdd6ad 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
@@ -6,33 +6,18 @@ package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.PrintStream;
 import java.nio.charset.StandardCharsets;
 
-import com.ginsberg.junit.exit.ExpectSystemExitWithStatus;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.cli.PGPainlessCLI;
 import org.pgpainless.cli.TestUtils;
+import org.slf4j.LoggerFactory;
 import sop.exception.SOPGPException;
 
-public class InlineDetachCmdTest {
-
-    private PrintStream originalSout;
-    private static File tempDir;
-    private static File certFile;
+public class InlineDetachCmdTest extends CLITest {
 
     private static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
             "Version: BCPG v1.64\n" +
@@ -49,28 +34,6 @@ public class InlineDetachCmdTest {
             "=a1W7\n" +
             "-----END PGP PUBLIC KEY BLOCK-----";
 
-    @BeforeAll
-    public static void createTempDir() throws IOException {
-        tempDir = TestUtils.createTempDirectory();
-
-        certFile = new File(tempDir, "cert.asc");
-        assertTrue(certFile.createNewFile());
-        try (FileOutputStream out = new FileOutputStream(certFile)) {
-            ByteArrayInputStream in = new ByteArrayInputStream(CERT.getBytes(StandardCharsets.UTF_8));
-            Streams.pipeAll(in, out);
-        }
-    }
-
-    @BeforeEach
-    public void saveSout() {
-        this.originalSout = System.out;
-    }
-
-    @AfterEach
-    public void restoreSout() {
-        System.setOut(originalSout);
-    }
-
     private static final String CLEAR_SIGNED_MESSAGE = "-----BEGIN PGP SIGNED MESSAGE-----\n" +
             "Hash: SHA512\n" +
             "\n" +
@@ -103,91 +66,67 @@ public class InlineDetachCmdTest {
             "Unfold the imagined happiness that both\n" +
             "Receive in either by this dear encounter.";
 
+    public InlineDetachCmdTest() {
+        super(LoggerFactory.getLogger(InlineDetachCmdTest.class));
+    }
+
     @Test
     public void detachInbandSignatureAndMessage() throws IOException {
-        // Clearsigned In
-        ByteArrayInputStream clearSignedIn = new ByteArrayInputStream(CLEAR_SIGNED_MESSAGE.getBytes(StandardCharsets.UTF_8));
-        System.setIn(clearSignedIn);
+        pipeStringToStdin(CLEAR_SIGNED_MESSAGE);
+        ByteArrayOutputStream msgOut = pipeStdoutToStream();
+        File sigFile = nonExistentFile("sig.out");
 
-        // Plaintext Out
-        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(msgOut));
-
-        // Detach
-        File tempSigFile = new File(tempDir, "sig.out");
-        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + tempSigFile.getAbsolutePath()});
+        assertSuccess(executeCommand("inline-detach", "--signatures-out", sigFile.getAbsolutePath()));
+        assertTrue(sigFile.exists(), "Signature file must have been written.");
 
         // Test equality with expected values
         assertEquals(CLEAR_SIGNED_BODY, msgOut.toString());
-        try (FileInputStream sigIn = new FileInputStream(tempSigFile)) {
-            ByteArrayOutputStream sigBytes = new ByteArrayOutputStream();
-            Streams.pipeAll(sigIn, sigBytes);
-            String sig = sigBytes.toString();
-            TestUtils.assertSignatureIsArmored(sigBytes.toByteArray());
-            TestUtils.assertSignatureEquals(CLEAR_SIGNED_SIGNATURE, sig);
-        } catch (FileNotFoundException e) {
-            fail("Signature File must have been written.", e);
-        }
+        String sig = readStringFromFile(sigFile);
+        TestUtils.assertSignatureIsArmored(sig.getBytes());
+        TestUtils.assertSignatureEquals(CLEAR_SIGNED_SIGNATURE, sig);
 
         // Check if produced signature still checks out
-        System.setIn(new ByteArrayInputStream(msgOut.toByteArray()));
-        ByteArrayOutputStream verifyOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(verifyOut));
-        PGPainlessCLI.main(new String[] {"verify", tempSigFile.getAbsolutePath(), certFile.getAbsolutePath()});
-
-        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n", verifyOut.toString());
+        File certFile = writeFile("cert.asc", CERT);
+        pipeStringToStdin(msgOut.toString());
+        ByteArrayOutputStream verifyOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), certFile.getAbsolutePath()));
+        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n",
+                verifyOut.toString());
     }
 
     @Test
     public void detachInbandSignatureAndMessageNoArmor() throws IOException {
-        // Clearsigned In
-        ByteArrayInputStream clearSignedIn = new ByteArrayInputStream(CLEAR_SIGNED_MESSAGE.getBytes(StandardCharsets.UTF_8));
-        System.setIn(clearSignedIn);
+        pipeStringToStdin(CLEAR_SIGNED_MESSAGE);
+        ByteArrayOutputStream msgOut = pipeStdoutToStream();
+        File sigFile = nonExistentFile("sig.out");
 
-        // Plaintext Out
-        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(msgOut));
-
-        // Detach
-        File tempSigFile = new File(tempDir, "sig.asc");
-        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + tempSigFile.getAbsolutePath(), "--no-armor"});
+        assertSuccess(executeCommand("inline-detach", "--signatures-out", sigFile.getAbsolutePath(), "--no-armor"));
 
         // Test equality with expected values
         assertEquals(CLEAR_SIGNED_BODY, msgOut.toString());
-        try (FileInputStream sigIn = new FileInputStream(tempSigFile)) {
-            ByteArrayOutputStream sigBytes = new ByteArrayOutputStream();
-            Streams.pipeAll(sigIn, sigBytes);
-            byte[] sig = sigBytes.toByteArray();
-            TestUtils.assertSignatureIsNotArmored(sig);
-            TestUtils.assertSignatureEquals(CLEAR_SIGNED_SIGNATURE.getBytes(StandardCharsets.UTF_8), sig);
-        } catch (FileNotFoundException e) {
-            fail("Signature File must have been written.", e);
-        }
+        assertTrue(sigFile.exists(), "Signature file must have been written.");
+        byte[] sig = readBytesFromFile(sigFile);
+
+        TestUtils.assertSignatureIsNotArmored(sig);
+        TestUtils.assertSignatureEquals(CLEAR_SIGNED_SIGNATURE.getBytes(StandardCharsets.UTF_8), sig);
 
         // Check if produced signature still checks out
-        System.setIn(new ByteArrayInputStream(msgOut.toByteArray()));
-        ByteArrayOutputStream verifyOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(verifyOut));
-        PGPainlessCLI.main(new String[] {"verify", tempSigFile.getAbsolutePath(), certFile.getAbsolutePath()});
-
-        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n", verifyOut.toString());
+        pipeBytesToStdin(msgOut.toByteArray());
+        ByteArrayOutputStream verifyOut = pipeStdoutToStream();
+        File certFile = writeFile("cert.asc", CERT);
+        assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), certFile.getAbsolutePath()));
+        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n",
+                verifyOut.toString());
     }
 
     @Test
-    @ExpectSystemExitWithStatus(SOPGPException.OutputExists.EXIT_CODE)
     public void existingSignatureOutCausesException() throws IOException {
-        // Clearsigned In
-        ByteArrayInputStream clearSignedIn = new ByteArrayInputStream(CLEAR_SIGNED_MESSAGE.getBytes(StandardCharsets.UTF_8));
-        System.setIn(clearSignedIn);
-
-        // Plaintext Out
-        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(msgOut));
-
-        // Detach
-        File existingSigFile = new File(tempDir, "sig.existing");
-        assertTrue(existingSigFile.createNewFile());
-        PGPainlessCLI.main(new String[] {"inline-detach", "--signatures-out=" + existingSigFile.getAbsolutePath()});
+        pipeStringToStdin(CLEAR_SIGNED_MESSAGE);
+        ByteArrayOutputStream msgOut = pipeStdoutToStream();
+        File existingSigFile = writeFile("sig.asc", CLEAR_SIGNED_SIGNATURE);
+        int exit = executeCommand("inline-detach", "--signatures-out", existingSigFile.getAbsolutePath());
+        assertEquals(SOPGPException.OutputExists.EXIT_CODE, exit);
+        assertEquals(0, msgOut.size());
     }
 
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
index dba9f47b..5d183ea6 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
@@ -5,111 +5,557 @@
 package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.OutputStream;
-import java.io.PrintStream;
-import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
 
 import com.ginsberg.junit.exit.FailOnSystemExit;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
-import org.pgpainless.cli.PGPainlessCLI;
-import org.pgpainless.cli.TestUtils;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import org.pgpainless.key.generation.type.xdh.XDHSpec;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
 
-public class RoundTripEncryptDecryptCmdTest {
+public class RoundTripEncryptDecryptCmdTest extends CLITest {
 
-    private static File tempDir;
-    private static PrintStream originalSout;
-
-    @BeforeAll
-    public static void prepare() throws IOException {
-        tempDir = TestUtils.createTempDirectory();
+    public RoundTripEncryptDecryptCmdTest() {
+        super(LoggerFactory.getLogger(RoundTripEncryptDecryptCmdTest.class));
     }
 
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: A2EC 077F C977 E15D D799  EFF9 2C0D 3C12 3CF5 1C08\n" +
+            "Comment: Alice \n" +
+            "\n" +
+            "lFgEY2veRhYJKwYBBAHaRw8BAQdAeJYBoCcnGPQ3nchyyBrWQ83q3hqJnfZn2mqh\n" +
+            "d1M7WwsAAP0R1ELnfdJhXcfjaYPLHzwy1i34FxP5g3tvdgg9Q7VmchActBxBbGlj\n" +
+            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmNr3kYJECwNPBI89RwI\n" +
+            "FiEEouwHf8l34V3Xme/5LA08Ejz1HAgCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
+            "AQAAe6YA/2sO483Vi2Fgs4ejv8FykyO96IVrMoYhw3Od4LyWEyDfAQDi15LxJJm6\n" +
+            "T2sXdENVigdwDJiELxjOtbmivuJutxkWCJxdBGNr3kYSCisGAQQBl1UBBQEBB0CS\n" +
+            "zXjySHqlicxG3QlrVeTIqwKitL1sWsx0MCDmT1C8dAMBCAcAAP9VNkfMQvYAlYSP\n" +
+            "aYEkwEOc8/XpiloVKtPzxwVCPlXFeBDCiHUEGBYKAB0FAmNr3kYCngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRAsDTwSPPUcCOT4AQDZcN5a/e8Qr+LNBIyXXLgJWGsL\n" +
+            "59nsKHBbDURnxbEnMQEAybS8u+Rsb82yW4CfaA4CLRTC3eDc5Y4QwYWzLogWNwic\n" +
+            "WARja95GFgkrBgEEAdpHDwEBB0DcdwQufWLq6ASku4JWBBd9JplRVhK0cXWuTE73\n" +
+            "uWltuwABAI0bVQXvgDnxTs6kUO7JIWtokM5lI/1bfG4L1YOfnXIgD7CI1QQYFgoA\n" +
+            "fQUCY2veRgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNr3kYACgkQ\n" +
+            "7NC/hj9lyaWVAwEA3ze1LCi1reGfB5tS3Au6A8aalyk4UV0iVOXxwV5r+E4BAJGz\n" +
+            "ZMFF/iQ/rOcSAsHPp4ggezZALDIkT2Hrn6iLDdsLAAoJECwNPBI89RwIuBIBAMxG\n" +
+            "u/s4maOFozcO4JoCZTsLHGy70SG6UuVQjK0EyJJ1APoDEfK+qTlC7/FoijMA6Ew9\n" +
+            "aesZ2IHgpwA7jlyHSgwLDw==\n" +
+            "=H3HU\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+    private static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: A2EC 077F C977 E15D D799  EFF9 2C0D 3C12 3CF5 1C08\n" +
+            "Comment: Alice \n" +
+            "\n" +
+            "mDMEY2veRhYJKwYBBAHaRw8BAQdAeJYBoCcnGPQ3nchyyBrWQ83q3hqJnfZn2mqh\n" +
+            "d1M7Wwu0HEFsaWNlIDxhbGljZUBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCY2ve\n" +
+            "RgkQLA08Ejz1HAgWIQSi7Ad/yXfhXdeZ7/ksDTwSPPUcCAKeAQKbAQUWAgMBAAQL\n" +
+            "CQgHBRUKCQgLApkBAAB7pgD/aw7jzdWLYWCzh6O/wXKTI73ohWsyhiHDc53gvJYT\n" +
+            "IN8BAOLXkvEkmbpPaxd0Q1WKB3AMmIQvGM61uaK+4m63GRYIuDgEY2veRhIKKwYB\n" +
+            "BAGXVQEFAQEHQJLNePJIeqWJzEbdCWtV5MirAqK0vWxazHQwIOZPULx0AwEIB4h1\n" +
+            "BBgWCgAdBQJja95GAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQLA08Ejz1HAjk\n" +
+            "+AEA2XDeWv3vEK/izQSMl1y4CVhrC+fZ7ChwWw1EZ8WxJzEBAMm0vLvkbG/NsluA\n" +
+            "n2gOAi0Uwt3g3OWOEMGFsy6IFjcIuDMEY2veRhYJKwYBBAHaRw8BAQdA3HcELn1i\n" +
+            "6ugEpLuCVgQXfSaZUVYStHF1rkxO97lpbbuI1QQYFgoAfQUCY2veRgKeAQKbAgUW\n" +
+            "AgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNr3kYACgkQ7NC/hj9lyaWVAwEA3ze1\n" +
+            "LCi1reGfB5tS3Au6A8aalyk4UV0iVOXxwV5r+E4BAJGzZMFF/iQ/rOcSAsHPp4gg\n" +
+            "ezZALDIkT2Hrn6iLDdsLAAoJECwNPBI89RwIuBIBAMxGu/s4maOFozcO4JoCZTsL\n" +
+            "HGy70SG6UuVQjK0EyJJ1APoDEfK+qTlC7/FoijMA6Ew9aesZ2IHgpwA7jlyHSgwL\n" +
+            "Dw==\n" +
+            "=c1PZ\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+
     @Test
     @FailOnSystemExit
     public void encryptAndDecryptAMessage() throws IOException {
-        originalSout = System.out;
-        File julietKeyFile = new File(tempDir, "juliet.key");
-        assertTrue(julietKeyFile.createNewFile());
+        // Juliets key and cert
+        File julietKeyFile = pipeStdoutToFile("juliet.key");
+        assertSuccess(executeCommand("generate-key", "Juliet "));
 
-        File julietCertFile = new File(tempDir, "juliet.asc");
-        assertTrue(julietCertFile.createNewFile());
+        pipeFileToStdin(julietKeyFile);
+        File julietCertFile = pipeStdoutToFile("juliet.cert");
+        assertSuccess(executeCommand("extract-cert"));
 
-        File romeoKeyFile = new File(tempDir, "romeo.key");
-        assertTrue(romeoKeyFile.createNewFile());
+        // Romeos key and cert
+        File romeoKeyFile = pipeStdoutToFile("romeo.key");
+        assertSuccess(executeCommand("generate-key", "Romeo "));
 
-        File romeoCertFile = new File(tempDir, "romeo.asc");
-        assertTrue(romeoCertFile.createNewFile());
-
-        File msgAscFile = new File(tempDir, "msg.asc");
-        assertTrue(msgAscFile.createNewFile());
-
-        OutputStream julietKeyOut = new FileOutputStream(julietKeyFile);
-        System.setOut(new PrintStream(julietKeyOut));
-        PGPainlessCLI.execute("generate-key", "Juliet Capulet ");
-        julietKeyOut.close();
-
-        FileInputStream julietKeyIn = new FileInputStream(julietKeyFile);
-        System.setIn(julietKeyIn);
-        OutputStream julietCertOut = new FileOutputStream(julietCertFile);
-        System.setOut(new PrintStream(julietCertOut));
-        PGPainlessCLI.execute("extract-cert");
-        julietKeyIn.close();
-        julietCertOut.close();
-
-        OutputStream romeoKeyOut = new FileOutputStream(romeoKeyFile);
-        System.setOut(new PrintStream(romeoKeyOut));
-        PGPainlessCLI.execute("generate-key", "Romeo Montague ");
-        romeoKeyOut.close();
-
-        FileInputStream romeoKeyIn = new FileInputStream(romeoKeyFile);
-        System.setIn(romeoKeyIn);
-        OutputStream romeoCertOut = new FileOutputStream(romeoCertFile);
-        System.setOut(new PrintStream(romeoCertOut));
-        PGPainlessCLI.execute("extract-cert");
-        romeoKeyIn.close();
-        romeoCertOut.close();
+        File romeoCertFile = pipeStdoutToFile("romeo.cert");
+        pipeFileToStdin(romeoKeyFile);
+        assertSuccess(executeCommand("extract-cert"));
 
+        // Romeo encrypts signs and encrypts for Juliet and himself
         String msg = "Hello World!\n";
-        ByteArrayInputStream msgIn = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8));
-        System.setIn(msgIn);
-        OutputStream msgAscOut = new FileOutputStream(msgAscFile);
-        System.setOut(new PrintStream(msgAscOut));
-        PGPainlessCLI.execute("encrypt",
-                "--sign-with", romeoKeyFile.getAbsolutePath(),
-                julietCertFile.getAbsolutePath());
-        msgAscOut.close();
+        File encryptedMessageFile = pipeStdoutToFile("msg.asc");
+        pipeStringToStdin(msg);
+        assertSuccess(executeCommand("encrypt", "--sign-with", romeoKeyFile.getAbsolutePath(),
+                julietCertFile.getAbsolutePath(), romeoCertFile.getAbsolutePath()));
 
-        File verifyFile = new File(tempDir, "verify.txt");
-
-        FileInputStream msgAscIn = new FileInputStream(msgAscFile);
-        System.setIn(msgAscIn);
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        PrintStream pOut = new PrintStream(out);
-        System.setOut(pOut);
-        PGPainlessCLI.execute("decrypt",
-                "--verify-out", verifyFile.getAbsolutePath(),
+        // Juliet can decrypt and verify with Romeos cert
+        pipeFileToStdin(encryptedMessageFile);
+        File verificationsFile = nonExistentFile("verifications");
+        ByteArrayOutputStream decrypted = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--verifications-out", verificationsFile.getAbsolutePath(),
                 "--verify-with", romeoCertFile.getAbsolutePath(),
-                julietKeyFile.getAbsolutePath());
-        msgAscIn.close();
+                julietKeyFile.getAbsolutePath()));
+        assertEquals(msg, decrypted.toString());
+
+        // Romeo can decrypt and verify too
+        pipeFileToStdin(encryptedMessageFile);
+        File anotherVerificationsFile = nonExistentFile("anotherVerifications");
+        decrypted = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--verifications-out", anotherVerificationsFile.getAbsolutePath(),
+                "--verify-with", romeoCertFile.getAbsolutePath(),
+                romeoKeyFile.getAbsolutePath()));
+        assertEquals(msg, decrypted.toString());
+
+        String julietsVerif = readStringFromFile(verificationsFile);
+        String romeosVerif = readStringFromFile(anotherVerificationsFile);
+        assertEquals(julietsVerif, romeosVerif);
+        assertFalse(julietsVerif.isEmpty());
+        assertEquals(103, julietsVerif.length()); // 103 is number of symbols in [DATE, FINGER, FINGER] for V4
+    }
+
+    @Test
+    public void testMissingArgumentsIfNoArgsSupplied() throws IOException {
+        int exit = executeCommand("encrypt");
+        assertEquals(SOPGPException.MissingArg.EXIT_CODE, exit);
+    }
+
+    @Test
+    public void testEncryptingForKeyFails() throws IOException {
+        File notACert = writeFile("key.asc", KEY);
+
+        pipeStringToStdin("Hello, World!");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", notACert.getAbsolutePath());
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testEncrypt_SignWithCertFails() throws IOException {
+        File cert = writeFile("cert.asc", CERT);
+        // noinspection UnnecessaryLocalVariable
+        File notAKey = cert;
+
+        pipeStringToStdin("Hello, World!");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", "--sign-with", notAKey.getAbsolutePath(), cert.getAbsolutePath());
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testDecryptVerifyOut_withoutVerifyWithFails() throws IOException {
+        File key = writeFile("key.asc", KEY);
+
+        File verifications = nonExistentFile("verifications");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", "--verifications-out", verifications.getAbsolutePath(), key.getAbsolutePath());
+
+        assertEquals(SOPGPException.IncompleteVerification.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testVerificationsOutAlreadyExistFails() throws IOException {
+        File key = writeFile("key.asc", KEY);
+        File cert = writeFile("cert.asc", CERT);
+
+        File verifications = writeFile("verifications", "this file is not empty");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", "--verify-with", cert.getAbsolutePath(),
+                "--verifications-out", verifications.getAbsolutePath(),
+                key.getAbsolutePath());
+
+        assertEquals(SOPGPException.OutputExists.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testSessionKeyOutWritesSessionKeyOut() throws IOException {
+        File key = writeFile("key.asc", KEY);
+        File sessionKeyFile = nonExistentFile("session.key");
+
+        String plaintext = "Hello, World!\n";
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+        String sessionKey = "9:B6FAD96B7ED2DA27D8A36EAEA75DAB7AC587180B14D8A24BD7263524F3DDECC3\n";
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--session-key-out", sessionKeyFile.getAbsolutePath(), key.getAbsolutePath()));
+
+        assertEquals(plaintext, plaintextOut.toString());
+        String resultSessionKey = readStringFromFile(sessionKeyFile);
+        assertEquals(sessionKey, resultSessionKey);
+    }
+
+    @Test
+    public void decryptMessageWithSessionKey() throws IOException {
+        String plaintext = "Hello, World!\n";
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+        String sessionKey = "9:B6FAD96B7ED2DA27D8A36EAEA75DAB7AC587180B14D8A24BD7263524F3DDECC3\n";
+
+        File sessionKeyFile = writeFile("session.key", sessionKey);
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-session-key", sessionKeyFile.getAbsolutePath()));
+
+        assertEquals(plaintext, plaintextOut.toString());
+    }
+
+    @Test
+    public void testDecryptWithSessionKeyVerifyWithYieldsExpectedVerifications() throws IOException {
+        String plaintext = "Hello, World!\n";
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+        String sessionKey = "9:B6FAD96B7ED2DA27D8A36EAEA75DAB7AC587180B14D8A24BD7263524F3DDECC3\n";
+
+        File cert = writeFile("cert.asc", CERT);
+        File sessionKeyFile = writeFile("session.key", sessionKey);
+        File verifications = nonExistentFile("verifications");
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-session-key", sessionKeyFile.getAbsolutePath(),
+                "--verify-with", cert.getAbsolutePath(), "--verifications-out", verifications.getAbsolutePath()));
+
+        assertEquals(plaintext, out.toString());
+        String verificationString = readStringFromFile(verifications);
+        assertEquals("2022-11-09T17:22:48Z C0DCEC44B1A173664B05DABCECD0BF863F65C9A5 A2EC077FC977E15DD799EFF92C0D3C123CF51C08\n",
+                verificationString);
+    }
+
+    @Test
+    public void encryptAndDecryptMessageWithPassphrase() throws IOException {
+        File passwordFile = writeFile("password", "c1tizâ‚Ŧn4");
+        String message = "I cannot think of meaningful messages for test vectors rn";
+
+        pipeStringToStdin(message);
+        ByteArrayOutputStream ciphertext = pipeStdoutToStream();
+        assertSuccess(executeCommand("encrypt", "--with-password", passwordFile.getAbsolutePath()));
+
+        String ciphertextString = ciphertext.toString();
+        assertTrue(ciphertextString.startsWith("-----BEGIN PGP MESSAGE-----\n"));
+
+        pipeBytesToStdin(ciphertext.toByteArray());
+        ByteArrayOutputStream plaintext = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-password", passwordFile.getAbsolutePath()));
+
+        assertEquals(message, plaintext.toString());
+    }
+
+    @Test
+    public void testEncryptWithIncapableCert() throws PGPException,
+            InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
+                .addUserId("No Crypt ")
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
+                .build();
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
+        File certFile = writeFile("cert.pgp", cert.getEncoded());
+
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", certFile.getAbsolutePath());
+
+        assertEquals(SOPGPException.CertCannotEncrypt.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testSignWithIncapableKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
+                .addUserId("Cannot Sign ")
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .build();
+        File keyFile = writeFile("key.pgp", secretKeys.getEncoded());
+        File certFile = writeFile("cert.pgp", PGPainless.extractCertificate(secretKeys).getEncoded());
+
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", "--sign-with", keyFile.getAbsolutePath(),
+                certFile.getAbsolutePath());
+
+        assertEquals(SOPGPException.KeyCannotSign.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testEncryptDecryptRoundTripWithPasswordProtectedKey() throws IOException {
+        // generate password protected key
+        File passwordFile = writeFile("password", "fooBarBaz420");
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key",
+                "--with-key-password", passwordFile.getAbsolutePath(),
+                "Pascal Password "));
+
+        // extract cert
+        File certFile = pipeStdoutToFile("cert.asc");
+        pipeFileToStdin(keyFile);
+        assertSuccess(executeCommand("extract-cert"));
+
+        // encrypt and sign message
+        String msg = "Hello, World!\n";
+        pipeStringToStdin(msg);
+        File encryptedFile = pipeStdoutToFile("msg.asc");
+        assertSuccess(executeCommand("encrypt",
+                "--sign-with", keyFile.getAbsolutePath(),
+                "--with-key-password", passwordFile.getAbsolutePath(),
+                "--no-armor",
+                "--as", "binary",
+                certFile.getAbsolutePath()));
+
+        // Decrypt
+        File verificationsFile = nonExistentFile("verifications");
+        pipeFileToStdin(encryptedFile);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt",
+                "--verify-with", certFile.getAbsolutePath(),
+                "--verifications-out", verificationsFile.getAbsolutePath(),
+                "--with-key-password", passwordFile.getAbsolutePath(),
+                keyFile.getAbsolutePath()));
 
         assertEquals(msg, out.toString());
     }
 
-    @AfterAll
-    public static void after() {
-        System.setOut(originalSout);
-        // CHECKSTYLE:OFF
-        System.out.println(tempDir.getAbsolutePath());
-        // CHECKSTYLE:ON
+    @Test
+    public void decryptGarbageFails() throws IOException {
+        File keyFile = writeFile("key.asc", KEY);
+        pipeStringToStdin("Some Garbage!");
+        int exitCode = executeCommand("decrypt", keyFile.getAbsolutePath());
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+    }
+
+    @Test
+    public void decryptMessageWithWrongKeyFails() throws IOException {
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key", "Bob "));
+        // message was *not* created with key above
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", keyFile.getAbsolutePath());
+        assertEquals(SOPGPException.CannotDecrypt.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void encryptWithPasswordADecryptWithPasswordBFails() throws IOException {
+        File password1 = writeFile("password1", "swordfish");
+        File password2 = writeFile("password2", "orange");
+
+        pipeStringToStdin("Bonjour, le monde!\n");
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("encrypt", "--with-password", password1.getAbsolutePath()));
+
+        pipeBytesToStdin(ciphertextOut.toByteArray());
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", "--with-password", password2.getAbsolutePath());
+        assertEquals(SOPGPException.CannotDecrypt.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void encryptWithGarbageCertFails() throws IOException {
+        File garbageCert = writeFile("cert.asc", "This is garbage!");
+
+        pipeStringToStdin("Hallo, Welt!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", garbageCert.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void encrypt_signWithGarbageKeyFails() throws IOException {
+        File cert = writeFile("cert.asc", CERT);
+        File garbageKey = writeFile("key.asc", "This is not a key!");
+
+        pipeStringToStdin("Salut!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", "--sign-with", garbageKey.getAbsolutePath(),
+                cert.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void decrypt_withGarbageKeyFails() throws IOException {
+        File key = writeFile("key.asc", "this is garbage");
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", key.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void decrypt_verifyWithGarbageCertFails() throws IOException {
+        File key = writeFile("key.asc", KEY);
+        File cert = writeFile("cert.asc", "now this is garbage");
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+        File verificationsFile = nonExistentFile("verifications");
+
+        pipeStringToStdin(ciphertext);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("decrypt", key.getAbsolutePath(),
+                "--verify-with", cert.getAbsolutePath(),
+                "--verifications-out", verificationsFile.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void encryptWithProtectedKey_wrongPassphraseFails() throws IOException {
+        File password = writeFile("passphrase1", "orange");
+        File wrongPassword = writeFile("passphrase2", "blue");
+
+        File keyFile = pipeStdoutToFile("key.asc");
+        assertSuccess(executeCommand("generate-key", "Pedro ",
+                "--with-key-password", password.getAbsolutePath()));
+
+        File certFile = pipeStdoutToFile("cert.asc");
+        pipeFileToStdin(keyFile);
+        assertSuccess(executeCommand("extract-cert"));
+
+        // Use no passphrase to unlock the key
+        String msg = "Guten Tag, Welt!\n";
+        pipeStringToStdin(msg);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("encrypt", "--sign-with", keyFile.getAbsolutePath(),
+                certFile.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        // use wrong passphrase to unlock key when signing message
+        pipeStringToStdin("Guten Tag, Welt!\n");
+        out = pipeStdoutToStream();
+        exitCode = executeCommand("encrypt", "--sign-with", keyFile.getAbsolutePath(),
+                "--with-key-password", wrongPassword.getAbsolutePath(),
+                certFile.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        // use correct passphrase and encrypt+sign message
+        pipeStringToStdin("Guten Tag, Welt!\n");
+        out = pipeStdoutToStream();
+        assertSuccess(executeCommand("encrypt", "--sign-with", keyFile.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath(),
+                certFile.getAbsolutePath()));
+        String ciphertext = out.toString();
+
+        // Use no passphrase to decrypt key when decrypting
+        pipeStringToStdin(ciphertext);
+        out = pipeStdoutToStream();
+        exitCode = executeCommand("decrypt", keyFile.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        // Use wrong passphrase to decrypt key when decrypting
+        pipeStringToStdin(ciphertext);
+        out = pipeStdoutToStream();
+        exitCode = executeCommand("decrypt", "--with-key-password", wrongPassword.getAbsolutePath(),
+                keyFile.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        // User correct passphrase to decrypt key when decrypting
+        pipeStringToStdin(ciphertext);
+        out = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-key-password", password.getAbsolutePath(),
+                keyFile.getAbsolutePath()));
+        assertEquals(msg, out.toString());
     }
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
new file mode 100644
index 00000000..c80019d1
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -0,0 +1,236 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import org.junit.jupiter.api.Test;
+import org.slf4j.LoggerFactory;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
+
+    public RoundTripInlineSignInlineVerifyCmdTest() {
+        super(LoggerFactory.getLogger(RoundTripInlineSignInlineVerifyCmdTest.class));
+    }
+
+    private static final String KEY_1_PASSWORD = "takeDemHobbits2Isengard";
+    private static final String KEY_1 = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 59F4 EC7D 4A87 3E69 7029  8FDE 9FF0 8738 DFC0 0224\n" +
+            "Comment: Legolas \n" +
+            "\n" +
+            "lIYEY2wKdxYJKwYBBAHaRw8BAQdALfUbOSOsPDg4IgX7Mrub3EtkX0rp02orL/0j\n" +
+            "2VpV1rf+CQMCVICwUO0SkvdgcPdvXO1cW4KIp6HCVVV6VgU5cvBlmrk9PNUQVBkb\n" +
+            "6S7oXQu0CgGwJ+QdbooBQqOjMy2MDy+UXaURTaVyWcmetsZJZzD2wrQhTGVnb2xh\n" +
+            "cyA8bGVnb2xhc0BmZWxsb3dzaGlwLnJpbmc+iI8EExYKAEEFAmNsCncJEJ/whzjf\n" +
+            "wAIkFiEEWfTsfUqHPmlwKY/en/CHON/AAiQCngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
+            "CwKZAQAAE10BAN9tN4Le1p4giS6P/yFuKFlDBOeiq1S4EqwYG7qdcqemAP45O3w4\n" +
+            "3sXliOJBGDR/l/lOMHdPcTOb7VRwWbpIqx8LBJyLBGNsCncSCisGAQQBl1UBBQEB\n" +
+            "B0AMc+7s6uBqAQcDvfKkD5zYbmB9ZfwIjRWQq/XF+g8KQwMBCAf+CQMCVICwUO0S\n" +
+            "kvdgHLmKhKW1xxCNZAqQcIHa9F/cqb6Sq/oVFHj2bEYzmGVvFCVUpP7KJWGTeFT+\n" +
+            "BYK779quIqjxHOfzC3Jmo3BHkUPWYOa0rIh1BBgWCgAdBQJjbAp3Ap4BApsMBRYC\n" +
+            "AwEABAsJCAcFFQoJCAsACgkQn/CHON/AAiRUewD9HtKrCUf3S1yR28emzITWPgJS\n" +
+            "UA5mkzEMnYspV7zU4jgA/R6jj/5QqPszElCQNZGtvsDUwYo10iRlQkxPshcPNakJ\n" +
+            "nIYEY2wKdxYJKwYBBAHaRw8BAQdAYxpRGib/f/tu65gbsV22nmysVVmVgiQuDxyH\n" +
+            "rz7VCi/+CQMCVICwUO0SkvdgOYYbWltjQRDM3SW/Zw/DiZN9MYZYa0MTgs0SHoaM\n" +
+            "5LU7jMxNmPR1UtSqEO36QqW91q4fpEkGrdWE4gwjm1bth8pyYKiSFojVBBgWCgB9\n" +
+            "BQJjbAp3Ap4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCY2wKdwAKCRCW\n" +
+            "K491s9xIMHwKAQDpSWQqiFxFvls9eRGtJ1eQT+L3Z2rDel5zNV44IdTf/wEA0vnJ\n" +
+            "ouSKKuiH6Ck2OEkXbElH6gdQvOCYA7Z9gVeeHQoACgkQn/CHON/AAiSD6QD+LTZx\n" +
+            "NU+t4wQlWOkSsjOLsH/Sk5DZq+4HyQnStlxUJpUBALZFkZps65IP03VkPnQWigfs\n" +
+            "YgztJA1z/rmm3fmFgMMG\n" +
+            "=daDH\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+    private static final String CERT_1 = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 59F4 EC7D 4A87 3E69 7029  8FDE 9FF0 8738 DFC0 0224\n" +
+            "Comment: Legolas \n" +
+            "\n" +
+            "mDMEY2wKdxYJKwYBBAHaRw8BAQdALfUbOSOsPDg4IgX7Mrub3EtkX0rp02orL/0j\n" +
+            "2VpV1re0IUxlZ29sYXMgPGxlZ29sYXNAZmVsbG93c2hpcC5yaW5nPoiPBBMWCgBB\n" +
+            "BQJjbAp3CRCf8Ic438ACJBYhBFn07H1Khz5pcCmP3p/whzjfwAIkAp4BApsBBRYC\n" +
+            "AwEABAsJCAcFFQoJCAsCmQEAABNdAQDfbTeC3taeIIkuj/8hbihZQwTnoqtUuBKs\n" +
+            "GBu6nXKnpgD+OTt8ON7F5YjiQRg0f5f5TjB3T3Ezm+1UcFm6SKsfCwS4OARjbAp3\n" +
+            "EgorBgEEAZdVAQUBAQdADHPu7OrgagEHA73ypA+c2G5gfWX8CI0VkKv1xfoPCkMD\n" +
+            "AQgHiHUEGBYKAB0FAmNsCncCngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRCf8Ic4\n" +
+            "38ACJFR7AP0e0qsJR/dLXJHbx6bMhNY+AlJQDmaTMQydiylXvNTiOAD9HqOP/lCo\n" +
+            "+zMSUJA1ka2+wNTBijXSJGVCTE+yFw81qQm4MwRjbAp3FgkrBgEEAdpHDwEBB0Bj\n" +
+            "GlEaJv9/+27rmBuxXbaebKxVWZWCJC4PHIevPtUKL4jVBBgWCgB9BQJjbAp3Ap4B\n" +
+            "ApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUCY2wKdwAKCRCWK491s9xIMHwK\n" +
+            "AQDpSWQqiFxFvls9eRGtJ1eQT+L3Z2rDel5zNV44IdTf/wEA0vnJouSKKuiH6Ck2\n" +
+            "OEkXbElH6gdQvOCYA7Z9gVeeHQoACgkQn/CHON/AAiSD6QD+LTZxNU+t4wQlWOkS\n" +
+            "sjOLsH/Sk5DZq+4HyQnStlxUJpUBALZFkZps65IP03VkPnQWigfsYgztJA1z/rmm\n" +
+            "3fmFgMMG\n" +
+            "=/lYl\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+    private static final String CERT_1_SIGNING_KEY =
+            "D8906FEB9842569834FEDA9E962B8F75B3DC4830 59F4EC7D4A873E6970298FDE9FF08738DFC00224";
+
+    private static final String KEY_2 = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: AEA0 FD2C 899D 3FC0 7781  5F00 2656 0D2A E53D B86F\n" +
+            "Comment: Gollum \n" +
+            "\n" +
+            "lFgEY2wKphYJKwYBBAHaRw8BAQdA9MXACulaJvjIuMKbsc+/fLJ523lODbHmuTpc\n" +
+            "jpPdjaEAAP9Edg7yeIGEeNP0GrndUpNeZyFAXAlCHJObDbS80G6BBw9ktBlHb2xs\n" +
+            "dW0gPGdvbGx1bUBkZWVwLmNhdmU+iI8EExYKAEEFAmNsCqYJECZWDSrlPbhvFiEE\n" +
+            "rqD9LImdP8B3gV8AJlYNKuU9uG8CngECmwEFFgIDAQAECwkIBwUVCgkICwKZAQAA\n" +
+            "KSkBAOMq6ymNH83E5CBA/mn3DYLhnujzC9cVf/iX2zrsdXMvAQCWdfFy/PlGhP3K\n" +
+            "M+ej6WIRsx24Yy/NhNPcRJUzcv6dC5xdBGNsCqYSCisGAQQBl1UBBQEBB0DiN/5n\n" +
+            "AFQafWjnSkKhctFCNkfVRrnAea/2T/D8fYWeYwMBCAcAAP9HbxOhwxqz8I+pwk3e\n" +
+            "kZXNolWqagrYZkpNvqlBb/JJWBGViHUEGBYKAB0FAmNsCqYCngECmwwFFgIDAQAE\n" +
+            "CwkIBwUVCgkICwAKCRAmVg0q5T24bw2EAP4pUHVA2pkVspzEttIaQxdoHcnbwjae\n" +
+            "q12TmWqWDFFvwgD+O2EqHn0iXW49EOQrlP8g+bdWUlT0ZIW3C3Fv7nNA3AScWARj\n" +
+            "bAqmFgkrBgEEAdpHDwEBB0BHsmdF1Q0aU3YRVDeXGb904Nb7H/cxcasDhcbu2FTo\n" +
+            "HAAA/j1+WzozN/3lefo76eyENKkXl4f1rQlUreqytuaTsb0WEq6I1QQYFgoAfQUC\n" +
+            "Y2wKpgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNsCqYACgkQj73T\n" +
+            "bQGDFnN9OwD/QDDi1qq7DrGlENQf2mPDh36YgM7bREY1vHEbbUNoqy4A/RJzMuwt\n" +
+            "L1M49UzQS7OIGP12/9cT66XPGjpCL+6zLPwCAAoJECZWDSrlPbhvw3ABAOE7/Iit\n" +
+            "ntMexrSK5jCd9JdCCNb2rjR6XA18rXFGOrVBAPwLKAogNFQlP2kUsObTnIaTCro2\n" +
+            "cjK8WE1pfIwQ0ArPCQ==\n" +
+            "=SzrG\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+    private static final String CERT_2 = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: AEA0 FD2C 899D 3FC0 7781  5F00 2656 0D2A E53D B86F\n" +
+            "Comment: Gollum \n" +
+            "\n" +
+            "mDMEY2wKphYJKwYBBAHaRw8BAQdA9MXACulaJvjIuMKbsc+/fLJ523lODbHmuTpc\n" +
+            "jpPdjaG0GUdvbGx1bSA8Z29sbHVtQGRlZXAuY2F2ZT6IjwQTFgoAQQUCY2wKpgkQ\n" +
+            "JlYNKuU9uG8WIQSuoP0siZ0/wHeBXwAmVg0q5T24bwKeAQKbAQUWAgMBAAQLCQgH\n" +
+            "BRUKCQgLApkBAAApKQEA4yrrKY0fzcTkIED+afcNguGe6PML1xV/+JfbOux1cy8B\n" +
+            "AJZ18XL8+UaE/coz56PpYhGzHbhjL82E09xElTNy/p0LuDgEY2wKphIKKwYBBAGX\n" +
+            "VQEFAQEHQOI3/mcAVBp9aOdKQqFy0UI2R9VGucB5r/ZP8Px9hZ5jAwEIB4h1BBgW\n" +
+            "CgAdBQJjbAqmAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQJlYNKuU9uG8NhAD+\n" +
+            "KVB1QNqZFbKcxLbSGkMXaB3J28I2nqtdk5lqlgxRb8IA/jthKh59Il1uPRDkK5T/\n" +
+            "IPm3VlJU9GSFtwtxb+5zQNwEuDMEY2wKphYJKwYBBAHaRw8BAQdAR7JnRdUNGlN2\n" +
+            "EVQ3lxm/dODW+x/3MXGrA4XG7thU6ByI1QQYFgoAfQUCY2wKpgKeAQKbAgUWAgMB\n" +
+            "AAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNsCqYACgkQj73TbQGDFnN9OwD/QDDi1qq7\n" +
+            "DrGlENQf2mPDh36YgM7bREY1vHEbbUNoqy4A/RJzMuwtL1M49UzQS7OIGP12/9cT\n" +
+            "66XPGjpCL+6zLPwCAAoJECZWDSrlPbhvw3ABAOE7/IitntMexrSK5jCd9JdCCNb2\n" +
+            "rjR6XA18rXFGOrVBAPwLKAogNFQlP2kUsObTnIaTCro2cjK8WE1pfIwQ0ArPCQ==\n" +
+            "=j1LR\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+    private static final String CERT_2_SIGNING_KEY =
+            "7A073EDF273C902796D259528FBDD36D01831673 AEA0FD2C899D3FC077815F0026560D2AE53DB86F";
+
+    private static final String MESSAGE = "One does not simply use OpenPGP!\n" +
+            "\n" +
+            "There is only one Lord of the Keys, only one who can bend them to his will. And he does not share power.";
+
+    @Test
+    public void createCleartextSignedMessage() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password", KEY_1_PASSWORD);
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                "--as", "cleartextsigned",
+                key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        String cleartextSigned = ciphertextOut.toString();
+        assertTrue(cleartextSigned.startsWith("-----BEGIN PGP SIGNED MESSAGE-----\n" +
+                "Hash: "));
+        assertTrue(cleartextSigned.contains(MESSAGE));
+        assertTrue(cleartextSigned.contains("\n-----BEGIN PGP SIGNATURE-----\n"));
+        assertTrue(cleartextSigned.endsWith("-----END PGP SIGNATURE-----\n"));
+    }
+
+    @Test
+    public void createAndVerifyCleartextSignedMessage() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password", KEY_1_PASSWORD);
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                "--as", "cleartextsigned",
+                key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        File cert = writeFile("cert.asc", CERT_1);
+        File verifications = nonExistentFile("verifications");
+        pipeStringToStdin(ciphertextOut.toString());
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-verify",
+                "--verifications-out", verifications.getAbsolutePath(),
+                cert.getAbsolutePath()));
+
+        assertEquals(MESSAGE, plaintextOut.toString());
+        String verificationString = readStringFromFile(verifications);
+        assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
+    }
+
+    @Test
+    public void createAndVerifyMultiKeyBinarySignedMessage() throws IOException {
+        File key1Pass = writeFile("password", KEY_1_PASSWORD);
+        File key1 = writeFile("key1.asc", KEY_1);
+        File key2 = writeFile("key2.asc", KEY_2);
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                "--as", "binary",
+                "--no-armor",
+                key2.getAbsolutePath(),
+                "--with-key-password", key1Pass.getAbsolutePath(),
+                key1.getAbsolutePath()));
+
+        assertFalse(ciphertextOut.toString().startsWith("-----BEGIN PGP SIGNED MESSAGE-----\n"));
+        byte[] unarmoredMessage = ciphertextOut.toByteArray();
+
+        File cert1 = writeFile("cert1.asc", CERT_1);
+        File cert2 = writeFile("cert2.asc", CERT_2);
+        File verificationFile = nonExistentFile("verifications");
+        pipeBytesToStdin(unarmoredMessage);
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-verify",
+                "--verifications-out", verificationFile.getAbsolutePath(),
+                cert1.getAbsolutePath(), cert2.getAbsolutePath()));
+
+        assertEquals(MESSAGE, plaintextOut.toString());
+        String verification = readStringFromFile(verificationFile);
+        assertTrue(verification.contains(CERT_1_SIGNING_KEY));
+        assertTrue(verification.contains(CERT_2_SIGNING_KEY));
+    }
+
+    @Test
+    public void createTextSignedMessageInlineDetachAndDetachedVerify() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password", KEY_1_PASSWORD);
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                "--as", "cleartextsigned",
+                key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        File sigFile = nonExistentFile("sig.asc");
+        pipeStringToStdin(ciphertextOut.toString());
+        ByteArrayOutputStream msgOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-detach",
+                "--signatures-out", sigFile.getAbsolutePath()));
+        assertEquals(MESSAGE, msgOut.toString());
+
+        File cert = writeFile("cert.asc", CERT_1);
+        pipeStringToStdin(msgOut.toString());
+        ByteArrayOutputStream verificationsOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("verify",
+                sigFile.getAbsolutePath(),
+                cert.getAbsolutePath()));
+
+        String verificationString = verificationsOut.toString();
+        assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
+    }
+}
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
index 0fce1273..7f420054 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
@@ -5,129 +5,321 @@
 package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.FileReader;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.PrintStream;
-import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Date;
 
-import com.ginsberg.junit.exit.FailOnSystemExit;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
-import org.pgpainless.cli.PGPainlessCLI;
-import org.pgpainless.cli.TestUtils;
+import org.pgpainless.algorithm.KeyFlag;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import org.pgpainless.key.generation.type.xdh.XDHSpec;
 import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.util.KeyRingUtils;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
+import sop.util.UTCUtil;
 
-public class RoundTripSignVerifyCmdTest {
+public class RoundTripSignVerifyCmdTest extends CLITest {
 
-    private static File tempDir;
-    private static PrintStream originalSout;
+    public RoundTripSignVerifyCmdTest() {
+        super(LoggerFactory.getLogger(RoundTripSignVerifyCmdTest.class));
+    }
 
-    @BeforeAll
-    public static void prepare() throws IOException {
-        tempDir = TestUtils.createTempDirectory();
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9DA0 9423 C9F9 4BA4 CCA3  0951 099B 11BF 296A 373E\n" +
+            "Comment: Sigmund \n" +
+            "\n" +
+            "lFgEY2vzkhYJKwYBBAHaRw8BAQdA+Z2OAFQf0k64Au7hIZfXh/ijclabddvwh7Nh\n" +
+            "kedJ3ZUAAQCZy5p1cvQvRIWUopHwhnrD/oVAa1dNT/nA3cihQ5gkZBHPtCBTaWdt\n" +
+            "dW5kIDxzaWdtdW5kQHBncGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJja/OSCRAJmxG/\n" +
+            "KWo3PhYhBJ2glCPJ+UukzKMJUQmbEb8pajc+Ap4BApsBBRYCAwEABAsJCAcFFQoJ\n" +
+            "CAsCmQEAACM9AP9APloI2waD5gXsJqzenRVU4n/VmZUvcdUyhlbpab/0HQEAlaTw\n" +
+            "ZvxVyaf8EMFSJOY+LcgacHaZDHRPA1nS3bIfKwycXQRja/OSEgorBgEEAZdVAQUB\n" +
+            "AQdA1WL4QKgRxbvzW91ICM6PoICSNh2QHK6j0pIdN/cqXz0DAQgHAAD/bOk3WqbF\n" +
+            "QAE8xxm0w/KDZzL1N0yPcBQ5z4XKmu77FCgQ04h1BBgWCgAdBQJja/OSAp4BApsM\n" +
+            "BRYCAwEABAsJCAcFFQoJCAsACgkQCZsRvylqNz6rgQEAzoG6HnPCYi2i2c6/ufuy\n" +
+            "pBkLby2u1JjD0CWSbrM4dZ0A/j/pI4a9b8LcrZcuY2QwHqsXPAJp8QtOOQN6gTvN\n" +
+            "WcQNnFgEY2vzkhYJKwYBBAHaRw8BAQdAsxcDCvst/GbWxQvvOpChSvmbqWeuBgm3\n" +
+            "1vRoujFVFcYAAP9Ww46yfWipb8OivTSX+PvgdUhEeVgxENpsyOQLLhQP/RFziNUE\n" +
+            "GBYKAH0FAmNr85ICngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJja/OS\n" +
+            "AAoJENqfQTmGIR3GtsMBAL+b1Zo5giQKJGEyx5aGwAz3AwtGiT6QDS9FH6HyM855\n" +
+            "AP4uAXDiaNxYTugqnG471jYX/hhJqIROeDGrEIkkAp+qDwAKCRAJmxG/KWo3PhOX\n" +
+            "AP45LPV6I4+D3h8etdiEA2DVvNcpRA8l4WkNcq4q8H1SjwD/c/rX3FCUIWLlAHoR\n" +
+            "WxCFj+gDgqDNLzwoA4iNo1VMtQc=\n" +
+            "=/Np6\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    private static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9DA0 9423 C9F9 4BA4 CCA3  0951 099B 11BF 296A 373E\n" +
+            "Comment: Sigmund \n" +
+            "\n" +
+            "mDMEY2vzkhYJKwYBBAHaRw8BAQdA+Z2OAFQf0k64Au7hIZfXh/ijclabddvwh7Nh\n" +
+            "kedJ3ZW0IFNpZ211bmQgPHNpZ211bmRAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEF\n" +
+            "AmNr85IJEAmbEb8pajc+FiEEnaCUI8n5S6TMowlRCZsRvylqNz4CngECmwEFFgID\n" +
+            "AQAECwkIBwUVCgkICwKZAQAAIz0A/0A+WgjbBoPmBewmrN6dFVTif9WZlS9x1TKG\n" +
+            "Vulpv/QdAQCVpPBm/FXJp/wQwVIk5j4tyBpwdpkMdE8DWdLdsh8rDLg4BGNr85IS\n" +
+            "CisGAQQBl1UBBQEBB0DVYvhAqBHFu/Nb3UgIzo+ggJI2HZAcrqPSkh039ypfPQMB\n" +
+            "CAeIdQQYFgoAHQUCY2vzkgKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEAmbEb8p\n" +
+            "ajc+q4EBAM6Buh5zwmItotnOv7n7sqQZC28trtSYw9Alkm6zOHWdAP4/6SOGvW/C\n" +
+            "3K2XLmNkMB6rFzwCafELTjkDeoE7zVnEDbgzBGNr85IWCSsGAQQB2kcPAQEHQLMX\n" +
+            "Awr7Lfxm1sUL7zqQoUr5m6lnrgYJt9b0aLoxVRXGiNUEGBYKAH0FAmNr85ICngEC\n" +
+            "mwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJja/OSAAoJENqfQTmGIR3GtsMB\n" +
+            "AL+b1Zo5giQKJGEyx5aGwAz3AwtGiT6QDS9FH6HyM855AP4uAXDiaNxYTugqnG47\n" +
+            "1jYX/hhJqIROeDGrEIkkAp+qDwAKCRAJmxG/KWo3PhOXAP45LPV6I4+D3h8etdiE\n" +
+            "A2DVvNcpRA8l4WkNcq4q8H1SjwD/c/rX3FCUIWLlAHoRWxCFj+gDgqDNLzwoA4iN\n" +
+            "o1VMtQc=\n" +
+            "=KuJ4\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+    private static final String PLAINTEXT = "Hello, World!\n";
+    private static final String BINARY_SIG = "-----BEGIN PGP SIGNATURE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "iHUEABYKACcFAmNr9BgJENqfQTmGIR3GFiEEREwQqwEe+EJMg/Cp2p9BOYYhHcYA\n" +
+            "AKocAP48P2C3TU33T3Zy73clw0eBa1oW9pwxTGuFxhgOBzmoSwEArj0781GlpTB0\n" +
+            "Vnr2PjPYEqzB+ZuOzOnGhsVGob4c3Ao=\n" +
+            "=VWAZ\n" +
+            "-----END PGP SIGNATURE-----";
+    private static final String BINARY_SIG_VERIFICATION =
+            "2022-11-09T18:40:24Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E\n";
+    private static final String TEXT_SIG = "-----BEGIN PGP SIGNATURE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "iHUEARYKACcFAmNr9E4JENqfQTmGIR3GFiEEREwQqwEe+EJMg/Cp2p9BOYYhHcYA\n" +
+            "AG+CAQD1B3GAAlyxahSiGhvJv7YAI1m6qGcI7dIXcV7FkAFPSgEAlZ0UpCC8oGR+\n" +
+            "hi/mQlex4z0hDWSA4abAjclPTJ+qkAI=\n" +
+            "=s5xn\n" +
+            "-----END PGP SIGNATURE-----";
+    private static final String TEXT_SIG_VERIFICATION =
+            "2022-11-09T18:41:18Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E\n";
+    private static final Date TEXT_SIG_CREATION = UTCUtil.parseUTCDate("2022-11-09T18:41:18Z");
+
+    @Test
+    public void createArmoredSignature() throws IOException {
+        File keyFile = writeFile("key.asc", KEY);
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("sign", "--as", "text", keyFile.getAbsolutePath()));
+        assertTrue(out.toString().startsWith("-----BEGIN PGP SIGNATURE-----\n"));
     }
 
     @Test
-    @FailOnSystemExit
-    public void testSignatureCreationAndVerification() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        originalSout = System.out;
-        InputStream originalIn = System.in;
+    public void createUnarmoredSignature() throws IOException {
+        File keyFile = writeFile("key.asc", KEY);
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("sign", "--no-armor", keyFile.getAbsolutePath()));
+        assertFalse(out.toString().startsWith("-----BEGIN PGP SIGNATURE-----\n"));
+    }
 
-        // Write alice key to disc
-        File aliceKeyFile = new File(tempDir, "alice.key");
-        assertTrue(aliceKeyFile.createNewFile());
-        PGPSecretKeyRing aliceKeys = PGPainless.generateKeyRing()
-                .modernKeyRing("alice");
-        OutputStream aliceKeyOut = new FileOutputStream(aliceKeyFile);
-        Streams.pipeAll(new ByteArrayInputStream(aliceKeys.getEncoded()), aliceKeyOut);
-        aliceKeyOut.close();
+    @Test
+    public void unarmorArmoredSigAndVerify() throws IOException {
+        File certFile = writeFile("cert.asc", CERT);
 
-        // Write alice pub key to disc
-        File aliceCertFile = new File(tempDir, "alice.pub");
-        assertTrue(aliceCertFile.createNewFile());
-        PGPPublicKeyRing alicePub = KeyRingUtils.publicKeyRingFrom(aliceKeys);
-        OutputStream aliceCertOut = new FileOutputStream(aliceCertFile);
-        Streams.pipeAll(new ByteArrayInputStream(alicePub.getEncoded()), aliceCertOut);
-        aliceCertOut.close();
+        pipeStringToStdin(BINARY_SIG);
+        File unarmoredSigFile = pipeStdoutToFile("sig.pgp");
+        assertSuccess(executeCommand("dearmor"));
 
-        // Write test data to disc
-        String data = "If privacy is outlawed, only outlaws will have privacy.\n";
-        File dataFile = new File(tempDir, "data");
-        assertTrue(dataFile.createNewFile());
-        FileOutputStream dataOut = new FileOutputStream(dataFile);
-        Streams.pipeAll(new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8)), dataOut);
-        dataOut.close();
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("verify", unarmoredSigFile.getAbsolutePath(), certFile.getAbsolutePath()));
 
-        // Define micalg output file
-        File micalgOut = new File(tempDir, "micalg");
+        assertEquals(BINARY_SIG_VERIFICATION, out.toString());
+    }
 
-        // Sign test data
-        FileInputStream dataIn = new FileInputStream(dataFile);
-        System.setIn(dataIn);
-        File sigFile = new File(tempDir, "sig.asc");
-        assertTrue(sigFile.createNewFile());
-        FileOutputStream sigOut = new FileOutputStream(sigFile);
-        System.setOut(new PrintStream(sigOut));
-        PGPainlessCLI.execute("sign", "--armor", "--micalg-out", micalgOut.getAbsolutePath(), aliceKeyFile.getAbsolutePath());
-        sigOut.close();
+    @Test
+    public void testNotBefore() throws IOException {
+        File cert = writeFile("cert.asc", CERT);
+        File sigFile = writeFile("sig.asc", TEXT_SIG);
+        Date plus1Minute = new Date(TEXT_SIG_CREATION.getTime() + 1000 * 60);
+
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("verify", sigFile.getAbsolutePath(), cert.getAbsolutePath(),
+                "--not-before", UTCUtil.formatUTCDate(plus1Minute));
+
+        assertEquals(SOPGPException.NoSignature.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        Date minus1Minute = new Date(TEXT_SIG_CREATION.getTime() - 1000 * 60);
+        pipeStringToStdin(PLAINTEXT);
+        out = pipeStdoutToStream();
+        exitCode = executeCommand("verify", sigFile.getAbsolutePath(), cert.getAbsolutePath(),
+                "--not-before", UTCUtil.formatUTCDate(minus1Minute));
+
+        assertSuccess(exitCode);
+        assertEquals(TEXT_SIG_VERIFICATION, out.toString());
+    }
+
+    @Test
+    public void testNotAfter() throws IOException {
+        File cert = writeFile("cert.asc", CERT);
+        File sigFile = writeFile("sig.asc", TEXT_SIG);
+
+        Date minus1Minute = new Date(TEXT_SIG_CREATION.getTime() - 1000 * 60);
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("verify", sigFile.getAbsolutePath(), cert.getAbsolutePath(),
+                "--not-after", UTCUtil.formatUTCDate(minus1Minute));
+
+        assertEquals(SOPGPException.NoSignature.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+
+        Date plus1Minute = new Date(TEXT_SIG_CREATION.getTime() + 1000 * 60);
+        pipeStringToStdin(PLAINTEXT);
+        out = pipeStdoutToStream();
+        exitCode = executeCommand("verify", sigFile.getAbsolutePath(), cert.getAbsolutePath(),
+                "--not-after", UTCUtil.formatUTCDate(plus1Minute));
+
+        assertSuccess(exitCode);
+        assertEquals(TEXT_SIG_VERIFICATION, out.toString());
+    }
+
+    @Test
+    public void testSignWithIncapableKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
+                .addUserId("Cannot Sign ")
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .build();
+        File keyFile = writeFile("key.pgp", secretKeys.getEncoded());
+
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("sign", keyFile.getAbsolutePath());
+
+        assertEquals(SOPGPException.KeyCannotSign.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void testSignatureCreationAndVerification()
+            throws IOException {
+        // Create key and cert
+        File aliceKeyFile = pipeStdoutToFile("alice.key");
+        assertSuccess(executeCommand("generate-key", "Alice "));
+        File aliceCertFile = pipeStdoutToFile("alice.cert");
+        pipeFileToStdin(aliceKeyFile);
+        assertSuccess(executeCommand("extract-cert"));
+
+        File micalgOut = nonExistentFile("micalg");
+        String msg = "If privacy is outlawed, only outlaws will have privacy.\n";
+        File dataFile = writeFile("data", msg);
+
+        // sign data
+        File sigFile = pipeStdoutToFile("sig.asc");
+        pipeFileToStdin(dataFile);
+        assertSuccess(executeCommand("sign",
+                "--armor",
+                "--as", "binary",
+                "--micalg-out", micalgOut.getAbsolutePath(),
+                aliceKeyFile.getAbsolutePath()));
 
         // verify test data signature
-        ByteArrayOutputStream verifyOut = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(verifyOut));
-        dataIn = new FileInputStream(dataFile);
-        System.setIn(dataIn);
-        PGPainlessCLI.execute("verify", sigFile.getAbsolutePath(), aliceCertFile.getAbsolutePath());
-        dataIn.close();
+        pipeFileToStdin(dataFile);
+        ByteArrayOutputStream verificationsOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), aliceCertFile.getAbsolutePath()));
 
         // Test verification output
 
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(readBytesFromFile(aliceCertFile));
+        KeyRingInfo info = PGPainless.inspectKeyRing(cert);
+
         // [date] [signing-key-fp] [primary-key-fp] signed by [key.pub]
-        String verification = verifyOut.toString();
+        String verification = verificationsOut.toString();
         String[] split = verification.split(" ");
-        OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(aliceKeys);
-        OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(new KeyRingInfo(alicePub, new Date()).getSigningSubkeys().get(0));
+        OpenPgpV4Fingerprint primaryKeyFingerprint = new OpenPgpV4Fingerprint(cert);
+        OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(info.getSigningSubkeys().get(0));
         assertEquals(signingKeyFingerprint.toString(), split[1].trim(), verification);
         assertEquals(primaryKeyFingerprint.toString(), split[2].trim());
 
         // Test micalg output
-        assertTrue(micalgOut.exists());
-        FileReader fileReader = new FileReader(micalgOut);
-        BufferedReader bufferedReader = new BufferedReader(fileReader);
-        String line = bufferedReader.readLine();
-        assertNull(bufferedReader.readLine());
-        bufferedReader.close();
-        assertEquals("pgp-sha512", line);
-
-        System.setIn(originalIn);
+        String content = readStringFromFile(micalgOut);
+        assertEquals("pgp-sha512", content);
     }
 
-    @AfterAll
-    public static void after() {
-        System.setOut(originalSout);
-        // CHECKSTYLE:OFF
-        System.out.println(tempDir.getAbsolutePath());
-        // CHECKSTYLE:ON
+    private static final String PROTECTED_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 738E EAB2 503D 322D 613A  C42A B18E 8BF8 884F C050\n" +
+            "Comment: Axel \n" +
+            "\n" +
+            "lIYEY2v6aRYJKwYBBAHaRw8BAQdA3PXtH19zYpVQ9zTU3zlY+iXUptelAO3z4vK/\n" +
+            "M2FkmrP+CQMCYgVa6K+InVJguITSDIA+HQ6vhOZ5Dbanqx7GFbJbJLD2fWrxhTSr\n" +
+            "BUWGaUWTqN647auD/kUI8phH1cedVL6CzVR+YWvaWj9zZHr/CYXLobQaQXhlbCA8\n" +
+            "YXhlbEBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCY2v6aQkQsY6L+IhPwFAWIQRz\n" +
+            "juqyUD0yLWE6xCqxjov4iE/AUAKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAACq\n" +
+            "zgEAkxB+dUI7Jjcg5zRvT1EfE9DKCI1qTsxOAU/ZXLcSXLkBAJtWRsyptetZvjzB\n" +
+            "Ze2A7ArOl4q+IvKvun/d783YyRMInIsEY2v6aRIKKwYBBAGXVQEFAQEHQPFmlZ+o\n" +
+            "jCGEo2X0474vJfRG7blctuZXmCbC0sLO7MgzAwEIB/4JAwJiBVror4idUmDFhBq4\n" +
+            "lEhJxjCVc6aSD6+EWRT3YdplqCmNdynnrPombUFst6LfJFzns3H3d0rCeXHfQr93\n" +
+            "GrHTLkHfW8G3x0PJJPiqFkBviHUEGBYKAB0FAmNr+mkCngECmwwFFgIDAQAECwkI\n" +
+            "BwUVCgkICwAKCRCxjov4iE/AUNC2AP9WDx4lHt9oYFLSrM8vMLRFI31U8TkYrtCe\n" +
+            "pYICE76cIAEA5+wEbtE5vQrLxOqIRueVVdzwK9kTeMvSIQfc9PNoyQKchgRja/pp\n" +
+            "FgkrBgEEAdpHDwEBB0CyAEVlCUbFr3dBBG3MQ84hjCPfYqSx9kYsTN8j5Og6uP4J\n" +
+            "AwJiBVror4idUmCIFuAYXia0YpEhEpB/Lrn/D6/WAUPEgZjNLMvJzL//EmhkWfEa\n" +
+            "OfQz/fslj1erWNjLKNiW5C/TvGapDfjbn596AkNlcd1JiNUEGBYKAH0FAmNr+mkC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJja/ppAAoJELRgil1uCuQj\n" +
+            "VUYBAJecbedwwqWQITVqucEBIraTRoc6ZGkN8jytDp8z9CsBAQDrb/W/J/kze6ln\n" +
+            "nRyJSriWF3SjcKOGIRkUslmdJEPPCQAKCRCxjov4iE/AUAvbAQDBBgQFG8acTT5L\n" +
+            "cyIi1Ix9/XBG7G23SSs6l7Beap8M+wEAmK13NYuq7Mv/mct8iIKZbBFH9aAiY+nX\n" +
+            "3Uct4Q5f0w0=\n" +
+            "=K65R\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+    private static final String PASSPHRASE = "orange";
+    private static final String SIGNING_KEY = "9846F3606EE875FB77EC8808B4608A5D6E0AE423 738EEAB2503D322D613AC42AB18E8BF8884FC050";
+
+    @Test
+    public void signWithProtectedKey_missingPassphraseFails() throws IOException {
+        File key = writeFile("key.asc", PROTECTED_KEY);
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("sign", key.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
     }
+
+    @Test
+    public void signWithProtectedKey_wrongPassphraseFails() throws IOException {
+        File password = writeFile("password", "blue");
+        File key = writeFile("key.asc", PROTECTED_KEY);
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("sign", key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath());
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void signWithProtectedKey() throws IOException {
+        File password = writeFile("password", PASSPHRASE);
+        File key = writeFile("key.asc", PROTECTED_KEY);
+        pipeStringToStdin(PROTECTED_KEY);
+        File cert = pipeStdoutToFile("cert.asc");
+        assertSuccess(executeCommand("extract-cert"));
+
+        pipeStringToStdin(PLAINTEXT);
+        File sigFile = pipeStdoutToFile("sig.asc");
+        assertSuccess(executeCommand("sign", key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        pipeStringToStdin(PLAINTEXT);
+        ByteArrayOutputStream verificationOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), cert.getAbsolutePath()));
+        assertTrue(verificationOut.toString().contains(SIGNING_KEY));
+    }
+
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java
new file mode 100644
index 00000000..2e4aa7e4
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java
@@ -0,0 +1,44 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import org.junit.jupiter.api.Test;
+import org.slf4j.LoggerFactory;
+
+public class VersionCmdTest extends CLITest {
+
+    public VersionCmdTest() {
+        super(LoggerFactory.getLogger(VersionCmdTest.class));
+    }
+
+    @Test
+    public void testVersion() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("version"));
+        assertTrue(out.toString().startsWith("PGPainless-SOP "));
+    }
+
+    @Test
+    public void testGetBackendVersion() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("version", "--backend"));
+        assertTrue(out.toString().startsWith("Bouncy Castle "));
+    }
+
+    @Test
+    public void testExtendedVersion() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("version", "--extended"));
+        String info = out.toString();
+        assertTrue(info.startsWith("PGPainless-SOP "));
+        assertTrue(info.contains("Bouncy Castle"));
+        assertTrue(info.contains("Stateless OpenPGP Protocol"));
+    }
+}

From 52c0ec120809883c9a560df95c32762bfc120cb2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:08:38 +0100
Subject: [PATCH 0686/1450] update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58c4b052..158b5150 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ SPDX-License-Identifier: CC0-1.0
   key binding signatures, do not reject signature if primary key binding
   predates subkey binding
 - SOP `verify`: Forcefully expect `data()` to be non-OpenPGP data
+- SOP `sign`: Fix matching of keys and passphrases
+- CLI: Added tons of tests \o/
 
 ## 1.3.10
 - Bump `sop-java` to `4.0.3`

From c35deaed165c5ca18527a22d1e09aac180f08774 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:12:23 +0100
Subject: [PATCH 0687/1450] PGPainless 1.3.11

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 6 +++---
 version.gradle           | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 158b5150..db710e47 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.11-SNAPSHOT
+## 1.3.11
 - Fix: When verifying subkey binding signatures with embedded recycled primary
   key binding signatures, do not reject signature if primary key binding
   predates subkey binding
diff --git a/README.md b/README.md
index c24728e9..09ae92a3 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.10'
+	implementation 'org.pgpainless:pgpainless-core:1.3.11'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 6c82fdcd..27864e38 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-SOP
 
-[![Spec Revision: 3](https://img.shields.io/badge/Spec%20Revision-3-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
+[![Spec Revision: 4](https://img.shields.io/badge/Spec%20Revision-4-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-sop)](https://search.maven.org/artifact/org.pgpainless/pgpainless-sop)
 [![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-sop/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-sop)
 
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.10"
+    implementation "org.pgpainless:pgpainless-sop:1.3.11"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.10
+        1.3.11
     
     ...
 
diff --git a/version.gradle b/version.gradle
index a8b3c6b7..3afdf817 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.11'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 2d6f9738ecc390ae037a70f68a79bb7b3bbce99f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:14:36 +0100
Subject: [PATCH 0688/1450] PGPainless 1.3.12-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 3afdf817..a6e0a54f 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.11'
-        isSnapshot = false
+        shortVersion = '1.3.12'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 48005da7f3c6ecff2c3a3ad27e7414c9ab023811 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:18:22 +0100
Subject: [PATCH 0689/1450] SOP : Do not armor already-armored data.

---
 .../main/java/org/pgpainless/sop/ArmorImpl.java  | 16 +++++++++++++++-
 .../test/java/org/pgpainless/sop/ArmorTest.java  |  4 +++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
index 71bc3e6b..d65c2925 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
@@ -11,6 +11,7 @@ import java.io.OutputStream;
 
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.util.io.Streams;
+import org.pgpainless.decryption_verification.OpenPgpInputStream;
 import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.Ready;
 import sop.enums.ArmorLabel;
@@ -31,8 +32,21 @@ public class ArmorImpl implements Armor {
             public void writeTo(OutputStream outputStream) throws IOException {
                 // By buffering the output stream, we can improve performance drastically
                 BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(outputStream);
+
+                // Determine nature of the given data
+                OpenPgpInputStream openPgpIn = new OpenPgpInputStream(data);
+                openPgpIn.reset();
+
+                if (openPgpIn.isAsciiArmored()) {
+                    // armoring already-armored data is an idempotent operation
+                    Streams.pipeAll(openPgpIn, bufferedOutputStream);
+                    bufferedOutputStream.flush();
+                    openPgpIn.close();
+                    return;
+                }
+
                 ArmoredOutputStream armor = ArmoredOutputStreamFactory.get(bufferedOutputStream);
-                Streams.pipeAll(data, armor);
+                Streams.pipeAll(openPgpIn, armor);
                 bufferedOutputStream.flush();
                 armor.close();
             }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
index 95129dfa..3830912a 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ArmorTest.java
@@ -29,7 +29,9 @@ public class ArmorTest {
     @Test
     public void armor() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         byte[] data = PGPainless.generateKeyRing().modernKeyRing("Alice").getEncoded();
-        byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data).getBytes(StandardCharsets.UTF_8);
+        byte[] knownGoodArmor = ArmorUtils.toAsciiArmoredString(data)
+                .replace("Version: PGPainless\n", "") // armor command does not add version anymore
+                .getBytes(StandardCharsets.UTF_8);
         byte[] armored = new SOPImpl()
                 .armor()
                 .data(data)

From 86b06ee5e3f7040505b5e26f610938820b89eef7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:45:25 +0100
Subject: [PATCH 0690/1450] SOP: Hide armor version header by default

---
 .../util/ArmoredOutputStreamFactory.java       | 18 ++++++++++++++----
 .../main/java/org/pgpainless/sop/SOPImpl.java  |  5 +++++
 .../org/pgpainless/sop/ExtractCertTest.java    |  2 --
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
index 403115ba..67cc1c20 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
@@ -31,7 +31,11 @@ public final class ArmoredOutputStreamFactory {
      */
     public static ArmoredOutputStream get(OutputStream outputStream) {
         ArmoredOutputStream armoredOutputStream = new ArmoredOutputStream(outputStream);
-        armoredOutputStream.setHeader(ArmorUtils.HEADER_VERSION, version);
+        armoredOutputStream.clearHeaders();
+        if (version != null && !version.isEmpty()) {
+            armoredOutputStream.setHeader(ArmorUtils.HEADER_VERSION, version);
+        }
+
         for (String comment : comment) {
             ArmorUtils.addCommentHeader(armoredOutputStream, comment);
         }
@@ -55,10 +59,16 @@ public final class ArmoredOutputStreamFactory {
      * @param versionString version string
      */
     public static void setVersionInfo(String versionString) {
-        if (versionString == null || versionString.trim().isEmpty()) {
-            throw new IllegalArgumentException("Version Info MUST NOT be null NOR empty.");
+        if (versionString == null) {
+            version = null;
+            return;
+        }
+        String trimmed = versionString.trim();
+        if (trimmed.isEmpty()) {
+            version = null;
+        } else {
+            version = trimmed;
         }
-        version = versionString;
     }
 
     /**
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
index 35ff8994..28772f10 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.sop;
 
+import org.pgpainless.util.ArmoredOutputStreamFactory;
 import sop.SOP;
 import sop.operation.Armor;
 import sop.operation.Dearmor;
@@ -20,6 +21,10 @@ import sop.operation.Version;
 
 public class SOPImpl implements SOP {
 
+    static {
+        ArmoredOutputStreamFactory.setVersionInfo(null);
+    }
+
     @Override
     public Version version() {
         return new VersionImpl();
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java
index 84a1f471..b3910482 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ExtractCertTest.java
@@ -18,7 +18,6 @@ import sop.exception.SOPGPException;
 public class ExtractCertTest {
 
     public static final String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-            "Version: PGPainless\n" +
             "Comment: A8D9 9FF4 C8DD BBA6 C610  A6B7 9ACB 2195 A9BC DF5B\n" +
             "Comment: Alice \n" +
             "\n" +
@@ -42,7 +41,6 @@ public class ExtractCertTest {
             "-----END PGP PRIVATE KEY BLOCK-----\n";
 
     public static final String cert = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-            "Version: PGPainless\n" +
             "Comment: A8D9 9FF4 C8DD BBA6 C610  A6B7 9ACB 2195 A9BC DF5B\n" +
             "Comment: Alice \n" +
             "\n" +

From 243d64fcb486310d92cfed7bbc88b0e016395b26 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:46:05 +0100
Subject: [PATCH 0691/1450] Bump sop-java to 4.0.5 and adopt changes
 (--as=clearsigned)

---
 .../commands/RoundTripInlineSignInlineVerifyCmdTest.java  | 6 +++---
 .../src/main/java/org/pgpainless/sop/InlineSignImpl.java  | 8 ++++----
 .../test/java/org/pgpainless/sop/InlineDetachTest.java    | 2 +-
 .../org/pgpainless/sop/InlineSignVerifyRoundtripTest.java | 2 +-
 version.gradle                                            | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index c80019d1..3d7980b0 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -134,7 +134,7 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         pipeStringToStdin(MESSAGE);
         ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
         assertSuccess(executeCommand("inline-sign",
-                "--as", "cleartextsigned",
+                "--as", "clearsigned",
                 key.getAbsolutePath(),
                 "--with-key-password", password.getAbsolutePath()));
 
@@ -154,7 +154,7 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         pipeStringToStdin(MESSAGE);
         ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
         assertSuccess(executeCommand("inline-sign",
-                "--as", "cleartextsigned",
+                "--as", "clearsigned",
                 key.getAbsolutePath(),
                 "--with-key-password", password.getAbsolutePath()));
 
@@ -212,7 +212,7 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         pipeStringToStdin(MESSAGE);
         ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
         assertSuccess(executeCommand("inline-sign",
-                "--as", "cleartextsigned",
+                "--as", "clearsigned",
                 key.getAbsolutePath(),
                 "--with-key-password", password.getAbsolutePath()));
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index c0bd29f4..d0cfbfcd 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -32,7 +32,7 @@ import sop.operation.InlineSign;
 public class InlineSignImpl implements InlineSign {
 
     private boolean armor = true;
-    private InlineSignAs mode = InlineSignAs.Binary;
+    private InlineSignAs mode = InlineSignAs.binary;
     private final SigningOptions signingOptions = new SigningOptions();
     private final MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
     private final List signingKeys = new ArrayList<>();
@@ -74,7 +74,7 @@ public class InlineSignImpl implements InlineSign {
     public Ready data(InputStream data) throws SOPGPException.KeyIsProtected, IOException, SOPGPException.ExpectedText {
         for (PGPSecretKeyRing key : signingKeys) {
             try {
-                if (mode == InlineSignAs.CleartextSigned) {
+                if (mode == InlineSignAs.clearsigned) {
                     signingOptions.addDetachedSignature(protector, key);
                 } else {
                     signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
@@ -87,7 +87,7 @@ public class InlineSignImpl implements InlineSign {
         }
 
         ProducerOptions producerOptions = ProducerOptions.sign(signingOptions);
-        if (mode == InlineSignAs.CleartextSigned) {
+        if (mode == InlineSignAs.clearsigned) {
             producerOptions.setCleartextSigned();
             producerOptions.setAsciiArmor(true);
         } else {
@@ -119,7 +119,7 @@ public class InlineSignImpl implements InlineSign {
     }
 
     private static DocumentSignatureType modeToSigType(InlineSignAs mode) {
-        return mode == InlineSignAs.Binary ? DocumentSignatureType.BINARY_DOCUMENT
+        return mode == InlineSignAs.binary ? DocumentSignatureType.BINARY_DOCUMENT
                 : DocumentSignatureType.CANONICAL_TEXT_DOCUMENT;
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
index b4bfe815..1054babb 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
@@ -63,7 +63,7 @@ public class InlineDetachTest {
         byte[] cleartextSigned = sop.inlineSign()
                 .key(key)
                 .withKeyPassword("sw0rdf1sh")
-                .mode(InlineSignAs.CleartextSigned)
+                .mode(InlineSignAs.clearsigned)
                 .data(data).getBytes();
 
         // actually detach the message
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
index ee892501..b24b729c 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
@@ -36,7 +36,7 @@ public class InlineSignVerifyRoundtripTest {
         byte[] inlineSigned = sop.inlineSign()
                 .key(key)
                 .withKeyPassword("sw0rdf1sh")
-                .mode(InlineSignAs.CleartextSigned)
+                .mode(InlineSignAs.clearsigned)
                 .data(message).getBytes();
 
         ByteArrayAndResult> result = sop.inlineVerify()
diff --git a/version.gradle b/version.gradle
index a6e0a54f..ee8e64fb 100644
--- a/version.gradle
+++ b/version.gradle
@@ -16,6 +16,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.3'
+        sopJavaVersion = '4.0.5'
     }
 }

From ae88fdf4ab0ba32b819b1dd40d76fb76d815ca44 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:49:28 +0100
Subject: [PATCH 0692/1450] Document
 ArmoredOutputStreamFactory.setVersionInfo(null)

---
 .../java/org/pgpainless/util/ArmoredOutputStreamFactory.java     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
index 67cc1c20..fb2cd4f5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
@@ -55,6 +55,7 @@ public final class ArmoredOutputStreamFactory {
     /**
      * Overwrite the version header of ASCII armors with a custom value.
      * Newlines in the version info string result in multiple version header entries.
+     * If this is set to 
null
, then the version header is omitted altogether.
      *
      * @param versionString version string
      */

From 3fc19f56afe48566f0af49fcb034c994390b6198 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:52:53 +0100
Subject: [PATCH 0693/1450] Update changelog

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db710e47..b3ff90f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.12-SNAPSHOT
+- Bump `sop-java` to `4.0.5`
+- Fix: `sop inline-sign`: Adopt `--as=clearsigned` instead of `--as=cleartextsigned`
+- SOP: Hide `Version: PGPainless` armor header in all armored outputs
+- Fix: `sop armor`: Do not re-armor already armored data
+
 ## 1.3.11
 - Fix: When verifying subkey binding signatures with embedded recycled primary
   key binding signatures, do not reject signature if primary key binding

From 678dac902f4b9bfee8cda0a292e7d11f416b1db7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 13:57:28 +0100
Subject: [PATCH 0694/1450] PGPainless 1.3.12

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3ff90f0..f49dcf60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.12-SNAPSHOT
+## 1.3.12
 - Bump `sop-java` to `4.0.5`
 - Fix: `sop inline-sign`: Adopt `--as=clearsigned` instead of `--as=cleartextsigned`
 - SOP: Hide `Version: PGPainless` armor header in all armored outputs
diff --git a/README.md b/README.md
index 09ae92a3..94ea915b 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.11'
+	implementation 'org.pgpainless:pgpainless-core:1.3.12'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 27864e38..ee27b0b5 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.11"
+    implementation "org.pgpainless:pgpainless-sop:1.3.12"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.11
+        1.3.12
     
     ...
 
diff --git a/version.gradle b/version.gradle
index ee8e64fb..b3d2b4f6 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.12'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 95ba4e46ca2bcfaefbf3c9cb33f32af31accb59e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 14:00:36 +0100
Subject: [PATCH 0695/1450] PGPainless 1.3.13-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index b3d2b4f6..9bf15d8c 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.12'
-        isSnapshot = false
+        shortVersion = '1.3.13'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 40715c3e0416d1b36166b25c6cfda4a667efa544 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:26:26 +0100
Subject: [PATCH 0696/1450] Bump sop-java to 4.0.7

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 9bf15d8c..6d0daa22 100644
--- a/version.gradle
+++ b/version.gradle
@@ -16,6 +16,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.5'
+        sopJavaVersion = '4.0.7'
     }
 }

From d7c567649db34d103b597522521e3cd8f98f4e3d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:26:43 +0100
Subject: [PATCH 0697/1450] Improve documentation of bouncyPgVersion

---
 version.gradle | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 6d0daa22..9d05c960 100644
--- a/version.gradle
+++ b/version.gradle
@@ -9,8 +9,10 @@ allprojects {
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'
-        // unfortunately we rely on 1.72.1 for a patch for https://github.com/bcgit/bc-java/issues/1257
+        // When using bouncyCastleVersion 1.72:
+        // unfortunately we rely on 1.72.1 or 1.72.3 for a patch for https://github.com/bcgit/bc-java/issues/1257
         //  which is a bug we introduced with a PR against BC :/ oops
+        // When bouncyCastleVersion is 1.71, bouncyPgVersion can simply be set to 1.71 as well.
         bouncyPgVersion = '1.72.1'
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'

From 29009cf2246268d76987c58e448f257a7a543a1e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:27:45 +0100
Subject: [PATCH 0698/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f49dcf60..9b727a6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.3.13-SNAPSHOT
+- Bump `sop-java` to `4.0.7`
+
 ## 1.3.12
 - Bump `sop-java` to `4.0.5`
 - Fix: `sop inline-sign`: Adopt `--as=clearsigned` instead of `--as=cleartextsigned`

From aacfc0f995490eb2a9e467c099aad1e85aa05f12 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:33:04 +0100
Subject: [PATCH 0699/1450] PGPainless 1.3.13

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b727a6b..551728aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.3.13-SNAPSHOT
+## 1.3.13
 - Bump `sop-java` to `4.0.7`
 
 ## 1.3.12
diff --git a/README.md b/README.md
index 94ea915b..90f6be81 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.12'
+	implementation 'org.pgpainless:pgpainless-core:1.3.13'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index ee27b0b5..4a18136d 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.12"
+    implementation "org.pgpainless:pgpainless-sop:1.3.13"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.12
+        1.3.13
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 9d05c960..9cb598cf 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.3.13'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From ec7237390a5712a2144c1081ffdb571719a80e20 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:36:54 +0100
Subject: [PATCH 0700/1450] PGPainless 1.3.14-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 9cb598cf..dc50f086 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.13'
-        isSnapshot = false
+        shortVersion = '1.3.14'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From bc73d26118921f5f07804b9f0248bb28c9d05e94 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 8 Sep 2022 18:23:20 +0200
Subject: [PATCH 0701/1450] Add Pushdown Automaton for checking OpenPGP message
 syntax

The automaton implements what is described in
https://github.com/pgpainless/pgpainless/blob/main/misc/OpenPGPMessageFormat.md

However, some differences exist to adopt it to BouncyCastle

Part of #237
---
 .../PushdownAutomaton.java                    | 391 ++++++++++++++++++
 .../MalformedOpenPgpMessageException.java     |  31 ++
 .../PushDownAutomatonTest.java                | 205 +++++++++
 3 files changed, 627 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
new file mode 100644
index 00000000..6930de4b
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
@@ -0,0 +1,391 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedDataList;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+import java.util.Stack;
+
+import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.msg;
+import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.ops;
+import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.terminus;
+
+/**
+ * Pushdown Automaton to verify the correct syntax of OpenPGP messages during decryption.
+ * 

+ * OpenPGP messages MUST follow certain rules in order to be well-formed.
+ * Section §11.3. of RFC4880 specifies a formal grammar for OpenPGP messages.
+ * 

+ * This grammar was transformed into a pushdown automaton, which is implemented below.
+ * The automaton only ends up in a valid state ({@link #isValid()} iff the OpenPGP message conformed to the
+ * grammar.
+ * 

+ * There are some specialties with this implementation though:
+ * Bouncy Castle combines ESKs and Encrypted Data Packets into a single object, so we do not have to
+ * handle those manually.
+ * 

+ * Bouncy Castle further combines OnePassSignatures and Signatures into lists, so instead of pushing multiple
+ * 'o's onto the stack repeatedly, a sequence of OnePassSignatures causes a single 'o' to be pushed to the stack.
+ * The same is true for Signatures.
+ * 

+ * Therefore, a message is valid, even if the number of OnePassSignatures and Signatures does not match.
+ * If a message contains at least one OnePassSignature, it is sufficient if there is at least one Signature to
+ * not cause a {@link MalformedOpenPgpMessageException}.
+ *
+ * @see RFC4880 §11.3. OpenPGP Messages
+ */
+public class PushdownAutomaton {
+
+    public enum InputAlphabet {
+        /**
+         * A {@link PGPLiteralData} packet.
+         */
+        LiteralData,
+        /**
+         * A {@link PGPSignatureList} object.
+         */
+        Signatures,
+        /**
+         * A {@link PGPOnePassSignatureList} object.
+         */
+        OnePassSignatures,
+        /**
+         * A {@link PGPCompressedData} packet.
+         * The contents of this packet MUST form a valid OpenPGP message, so a nested PDA is opened to verify
+         * its nested packet sequence.
+         */
+        CompressedData,
+        /**
+         * A {@link PGPEncryptedDataList} object.
+         * This object combines multiple ESKs and the corresponding Symmetrically Encrypted
+         * (possibly Integrity Protected) Data packet.
+         */
+        EncryptedData,
+        /**
+         * Marks the end of a (sub-) sequence.
+         * This input is given if the end of an OpenPGP message is reached.
+         * This might be the case for the end of the whole ciphertext, or the end of a packet with nested contents
+         * (e.g. the end of a Compressed Data packet).
+         */
+        EndOfSequence
+    }
+
+    public enum StackAlphabet {
+        /**
+         * OpenPGP Message.
+         */
+        msg,
+        /**
+         * OnePassSignature (in case of BC this represents a OnePassSignatureList).
+         */
+        ops,
+        /**
+         * ESK. Not used, as BC combines encrypted data with their encrypted session keys.
+         */
+        esk,
+        /**
+         * Special symbol representing the end of the message.
+         */
+        terminus
+    }
+
+    /**
+     * Set of states of the automaton.
+     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, PushdownAutomaton)}
+     * method.
+     */
+    public enum State {
+
+        OpenPgpMessage {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                if (stackItem != msg) {
+                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+                switch (input) {
+
+                    case LiteralData:
+                        return LiteralMessage;
+
+                    case Signatures:
+                        automaton.pushStack(msg);
+                        return OpenPgpMessage;
+
+                    case OnePassSignatures:
+                        automaton.pushStack(ops);
+                        automaton.pushStack(msg);
+                        return OpenPgpMessage;
+
+                    case CompressedData:
+                        return CompressedMessage;
+
+                    case EncryptedData:
+                        return EncryptedMessage;
+
+                    case EndOfSequence:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        LiteralMessage {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        CompressedMessage {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        EncryptedMessage {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        CorrespondingSignature {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                if (stackItem == terminus && input == InputAlphabet.EndOfSequence && automaton.stack.isEmpty()) {
+                    return Valid;
+                } else {
+                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        Valid {
+            @Override
+            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+                throw new MalformedOpenPgpMessageException(this, input, null);
+            }
+        },
+        ;
+
+        /**
+         * Pop the automatons stack and transition to another state.
+         * If no valid transition from the current state is available given the popped stack item and input symbol,
+         * a {@link MalformedOpenPgpMessageException} is thrown.
+         * Otherwise, the stack is manipulated according to the valid transition and the new state is returned.
+         *
+         * @param input     input symbol
+         * @param automaton automaton
+         * @return new state of the automaton
+         * @throws MalformedOpenPgpMessageException in case of an illegal input symbol
+         */
+        abstract State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException;
+    }
+
+    private final Stack stack = new Stack<>();
+    private State state;
+    // Some OpenPGP packets have nested contents (e.g. compressed / encrypted data).
+    PushdownAutomaton nestedSequence = null;
+
+    public PushdownAutomaton() {
+        state = State.OpenPgpMessage;
+        stack.push(terminus);
+        stack.push(msg);
+    }
+
+    /**
+     * Process the next input packet.
+     *
+     * @param input input
+     * @throws MalformedOpenPgpMessageException in case the input packet is illegal here
+     */
+    public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
+        _next(input);
+    }
+
+    /**
+     * Process the next input packet.
+     * This method returns true, iff the given input triggered a successful closing of this PDAs nested PDA.
+     * 

+     * This is for example the case, if the current packet is a Compressed Data packet which contains a
+     * valid nested OpenPGP message and the last input was {@link InputAlphabet#EndOfSequence} indicating the
+     * end of the Compressed Data packet.
+     * 

+     * If the input triggered this PDAs nested PDA to close its nested PDA, this method returns false
+     * in order to prevent this PDA from closing its nested PDA prematurely.
+     *
+     * @param input input
+     * @return true if this just closed its nested sequence, false otherwise
+     * @throws MalformedOpenPgpMessageException if the input is illegal
+     */
+    private boolean _next(InputAlphabet input) throws MalformedOpenPgpMessageException {
+        if (nestedSequence != null) {
+            boolean sequenceInNestedSequenceWasClosed = nestedSequence._next(input);
+            if (sequenceInNestedSequenceWasClosed) return false; // No need to close out nested sequence too.
+        } else {
+            // make a state transition in this automaton
+            state = state.transition(input, this);
+
+            // If the processed packet contains nested sequence, open nested automaton for it
+            if (input == InputAlphabet.CompressedData || input == InputAlphabet.EncryptedData) {
+                nestedSequence = new PushdownAutomaton();
+            }
+        }
+
+        if (input != InputAlphabet.EndOfSequence) {
+            return false;
+        }
+
+        // Close nested sequence if needed
+        boolean nestedIsInnerMost = nestedSequence != null && nestedSequence.isInnerMost();
+        if (nestedIsInnerMost) {
+            if (nestedSequence.isValid()) {
+                // Close nested sequence
+                nestedSequence = null;
+                return true;
+            } else {
+                throw new MalformedOpenPgpMessageException("Climbing up nested message validation failed." +
+                        " Automaton for current nesting level is not in valid state: " + nestedSequence.getState() + " " + nestedSequence.stack.peek() + " (Input was " + input + ")");
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Return the current state of the PDA.
+     *
+     * @return state
+     */
+    private State getState() {
+        return state;
+    }
+
+    /**
+     * Return true, if the PDA is in a valid state (the OpenPGP message is valid).
+     *
+     * @return true if valid, false otherwise
+     */
+    public boolean isValid() {
+        return getState() == State.Valid && stack.isEmpty();
+    }
+
+    /**
+     * Pop an item from the stack.
+     *
+     * @return stack item
+     */
+    private StackAlphabet popStack() {
+        return stack.pop();
+    }
+
+    /**
+     * Push an item onto the stack.
+     *
+     * @param item item
+     */
+    private void pushStack(StackAlphabet item) {
+        stack.push(item);
+    }
+
+    /**
+     * Return true, if this packet sequence has no nested sequence.
+     * A nested sequence is for example the content of a Compressed Data packet.
+     *
+     * @return true if PDA is innermost, false if it has a nested sequence
+     */
+    private boolean isInnerMost() {
+        return nestedSequence == null;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder out = new StringBuilder("State: ").append(state)
+                .append(", Stack (asc.): ").append(stack)
+                .append('\n');
+        if (nestedSequence != null) {
+            // recursively call toString() on nested PDAs and indent their representation
+            String nestedToString = nestedSequence.toString();
+            String[] lines = nestedToString.split("\n");
+            for (int i = 0; i < lines.length; i++) {
+                String nestedLine = lines[i];
+                out.append(i == 0 ? "⤡ " : "  ") // indent nested PDA
+                        .append(nestedLine)
+                        .append('\n');
+            }
+        }
+        return out.toString();
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
new file mode 100644
index 00000000..07fed365
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -0,0 +1,31 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.exception;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.pgpainless.decryption_verification.PushdownAutomaton;
+
+/**
+ * Exception that gets thrown if the OpenPGP message is malformed.
+ * Malformed messages are messages which do not follow the grammar specified in the RFC.
+ *
+ * @see RFC4880 §11.3. OpenPGP Messages
+ */
+public class MalformedOpenPgpMessageException extends PGPException {
+
+    public MalformedOpenPgpMessageException(String message) {
+        super(message);
+    }
+
+    public MalformedOpenPgpMessageException(String message, MalformedOpenPgpMessageException cause) {
+        super(message, cause);
+    }
+
+    public MalformedOpenPgpMessageException(PushdownAutomaton.State state,
+                                            PushdownAutomaton.InputAlphabet input,
+                                            PushdownAutomaton.StackAlphabet stackItem) {
+        this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java
new file mode 100644
index 00000000..1bd07308
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java
@@ -0,0 +1,205 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class PushDownAutomatonTest {
+
+    /**
+     * MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS MSG SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * SIG MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS COMP(MSG) SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS ENC(COMP(COMP(MSG))) SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOpsSignedEncryptedCompressedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * MSG SIG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testLiteralPlusSigsFails() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.Signatures));
+    }
+
+    /**
+     * MSG MSG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG MSG) SIG is invalid (two literal packets are illegal).
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG) MSG SIG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails2() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG SIG) is invalid (MSG SIG does not form valid nested message).
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testCorrespondingSignaturesOfOpsSignedMessageAreLayerFurtherDownFails() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.Signatures));
+    }
+
+    /**
+     * Empty COMP is invalid.
+     */
+    @Test
+    public void testEmptyCompressedDataIsInvalid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence));
+    }
+
+    @Test
+    public void testOPSSignedEncryptedCompressedOPSSignedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PushdownAutomaton automaton = new PushdownAutomaton();
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+}

From bf8949d7f4f4651289baed158de7d61e2d938c59 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 12 Sep 2022 15:28:54 +0200
Subject: [PATCH 0702/1450] WIP: Implement custom PGPDecryptionStream

---
 .../pgpainless/algorithm/OpenPgpPacket.java   |  71 +++++
 .../PGPDecryptionStream.java                  | 238 ++++++++++++++
 .../PushdownAutomaton.java                    |   6 +
 .../MalformedOpenPgpMessageException.java     |  11 +
 .../algorithm/OpenPgpPacketTest.java          |  38 +++
 .../PGPDecryptionStreamTest.java              | 290 ++++++++++++++++++
 6 files changed, 654 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/algorithm/OpenPgpPacketTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
new file mode 100644
index 00000000..63d14a31
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
@@ -0,0 +1,71 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import org.bouncycastle.bcpg.PacketTags;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.NoSuchElementException;
+
+public enum OpenPgpPacket {
+    PKESK(PacketTags.PUBLIC_KEY_ENC_SESSION),
+    SIG(PacketTags.SIGNATURE),
+    SKESK(PacketTags.SYMMETRIC_KEY_ENC_SESSION),
+    OPS(PacketTags.ONE_PASS_SIGNATURE),
+    SK(PacketTags.SECRET_KEY),
+    PK(PacketTags.PUBLIC_KEY),
+    SSK(PacketTags.SECRET_SUBKEY),
+    COMP(PacketTags.COMPRESSED_DATA),
+    SED(PacketTags.SYMMETRIC_KEY_ENC),
+    MARKER(PacketTags.MARKER),
+    LIT(PacketTags.LITERAL_DATA),
+    TRUST(PacketTags.TRUST),
+    UID(PacketTags.USER_ID),
+    PSK(PacketTags.PUBLIC_SUBKEY),
+    UATTR(PacketTags.USER_ATTRIBUTE),
+    SEIPD(PacketTags.SYM_ENC_INTEGRITY_PRO),
+    MOD(PacketTags.MOD_DETECTION_CODE),
+
+    EXP_1(PacketTags.EXPERIMENTAL_1),
+    EXP_2(PacketTags.EXPERIMENTAL_2),
+    EXP_3(PacketTags.EXPERIMENTAL_3),
+    EXP_4(PacketTags.EXPERIMENTAL_4),
+    ;
+
+    static final Map MAP = new HashMap<>();
+
+    static {
+        for (OpenPgpPacket p : OpenPgpPacket.values()) {
+            MAP.put(p.getTag(), p);
+        }
+    }
+
+    final int tag;
+
+    @Nullable
+    public static OpenPgpPacket fromTag(int tag) {
+        return MAP.get(tag);
+    }
+
+    @Nonnull
+    public static OpenPgpPacket requireFromTag(int tag) {
+        OpenPgpPacket p = fromTag(tag);
+        if (p == null) {
+            throw new NoSuchElementException("No OpenPGP packet known for tag " + tag);
+        }
+        return p;
+    }
+
+    OpenPgpPacket(int tag) {
+        this.tag = tag;
+    }
+
+    int getTag() {
+        return tag;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java
new file mode 100644
index 00000000..c3053555
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java
@@ -0,0 +1,238 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.bcpg.ModDetectionCodePacket;
+import org.bouncycastle.bcpg.OnePassSignaturePacket;
+import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.bcpg.PacketTags;
+import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
+import org.bouncycastle.bcpg.SignaturePacket;
+import org.bouncycastle.bcpg.SymmetricEncDataPacket;
+import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket;
+import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket;
+import org.bouncycastle.bcpg.TrustPacket;
+import org.bouncycastle.bcpg.UserAttributePacket;
+import org.bouncycastle.bcpg.UserIDPacket;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedDataList;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.implementation.ImplementationFactory;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.NoSuchElementException;
+import java.util.Stack;
+
+public class PGPDecryptionStream extends InputStream {
+
+    PushdownAutomaton automaton = new PushdownAutomaton();
+    // nested streams, outermost at the bottom of the stack
+    Stack packetLayers = new Stack<>();
+
+    public PGPDecryptionStream(InputStream inputStream) throws IOException, PGPException {
+        try {
+            packetLayers.push(Layer.initial(inputStream));
+            walkLayer();
+        } catch (MalformedOpenPgpMessageException e) {
+            throw e.toRuntimeException();
+        }
+    }
+
+    private void walkLayer() throws PGPException, IOException {
+        if (packetLayers.isEmpty()) {
+            return;
+        }
+
+        Layer layer = packetLayers.peek();
+        BCPGInputStream inputStream = (BCPGInputStream) layer.inputStream;
+
+        loop: while (true) {
+            if (inputStream.nextPacketTag() == -1) {
+                popLayer();
+                break loop;
+            }
+            OpenPgpPacket tag = nextTagOrThrow(inputStream);
+            switch (tag) {
+
+                case PKESK:
+                    PublicKeyEncSessionPacket pkeskPacket = (PublicKeyEncSessionPacket) inputStream.readPacket();
+                    PGPEncryptedDataList encList = null;
+                    break;
+                case SIG:
+                    automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+
+                    ByteArrayOutputStream buf = new ByteArrayOutputStream();
+                    BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
+                    while (inputStream.nextPacketTag() == PacketTags.SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
+                        Packet packet = inputStream.readPacket();
+                        if (packet instanceof SignaturePacket) {
+                            SignaturePacket sig = (SignaturePacket) packet;
+                            sig.encode(bcpgOut);
+                        }
+                    }
+                    PGPSignatureList signatures = (PGPSignatureList) ImplementationFactory.getInstance()
+                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
+                    break;
+                case SKESK:
+                    SymmetricKeyEncSessionPacket skeskPacket = (SymmetricKeyEncSessionPacket) inputStream.readPacket();
+
+                    break;
+                case OPS:
+                    automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
+                    buf = new ByteArrayOutputStream();
+                    bcpgOut = new BCPGOutputStream(buf);
+                    while (inputStream.nextPacketTag() == PacketTags.ONE_PASS_SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
+                        Packet packet = inputStream.readPacket();
+                        if (packet instanceof OnePassSignaturePacket) {
+                            OnePassSignaturePacket sig = (OnePassSignaturePacket) packet;
+                            sig.encode(bcpgOut);
+                        }
+                    }
+                    PGPOnePassSignatureList onePassSignatures = (PGPOnePassSignatureList) ImplementationFactory.getInstance()
+                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
+                    break;
+                case SK:
+                    break;
+                case PK:
+                    break;
+                case SSK:
+                    break;
+                case COMP:
+                    automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
+                    PGPCompressedData compressedData = new PGPCompressedData(inputStream);
+                    inputStream = new BCPGInputStream(compressedData.getDataStream());
+                    packetLayers.push(Layer.CompressedData(inputStream));
+                    break;
+                case SED:
+                    automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
+                    SymmetricEncDataPacket symmetricEncDataPacket = (SymmetricEncDataPacket) inputStream.readPacket();
+                    break;
+                case MARKER:
+                    inputStream.readPacket(); // discard
+                    break;
+                case LIT:
+                    automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
+                    PGPLiteralData literalData = new PGPLiteralData(inputStream);
+                    packetLayers.push(Layer.LiteralMessage(literalData.getDataStream()));
+                    break loop;
+                case TRUST:
+                    TrustPacket trustPacket = (TrustPacket) inputStream.readPacket();
+                    break;
+                case UID:
+                    UserIDPacket userIDPacket = (UserIDPacket) inputStream.readPacket();
+                    break;
+                case PSK:
+                    break;
+                case UATTR:
+                    UserAttributePacket userAttributePacket = (UserAttributePacket) inputStream.readPacket();
+                    break;
+                case SEIPD:
+                    automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
+                    SymmetricEncIntegrityPacket symmetricEncIntegrityPacket = (SymmetricEncIntegrityPacket) inputStream.readPacket();
+                    break;
+                case MOD:
+                    ModDetectionCodePacket modDetectionCodePacket = (ModDetectionCodePacket) inputStream.readPacket();
+                    break;
+                case EXP_1:
+                    break;
+                case EXP_2:
+                    break;
+                case EXP_3:
+                    break;
+                case EXP_4:
+                    break;
+            }
+        }
+    }
+
+    private OpenPgpPacket nextTagOrThrow(BCPGInputStream inputStream)
+            throws IOException, InvalidOpenPgpPacketException {
+        try {
+            return OpenPgpPacket.requireFromTag(inputStream.nextPacketTag());
+        } catch (NoSuchElementException e) {
+            throw new InvalidOpenPgpPacketException(e.getMessage());
+        }
+    }
+
+    private void popLayer() throws MalformedOpenPgpMessageException {
+        if (packetLayers.pop().isNested)
+            automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+    }
+
+    @Override
+    public int read() throws IOException {
+        if (packetLayers.isEmpty()) {
+            try {
+                automaton.assertValid();
+            } catch (MalformedOpenPgpMessageException e) {
+                throw e.toRuntimeException();
+            }
+            return -1;
+        }
+
+        int r = -1;
+        try {
+            r = packetLayers.peek().inputStream.read();
+        } catch (IOException e) {
+        }
+        if (r == -1) {
+            try {
+                popLayer();
+                walkLayer();
+            } catch (MalformedOpenPgpMessageException e) {
+                throw e.toRuntimeException();
+            }
+            catch (PGPException e) {
+                throw new RuntimeException(e);
+            }
+            return read();
+        }
+        return r;
+    }
+
+    public static class InvalidOpenPgpPacketException extends PGPException {
+
+        public InvalidOpenPgpPacketException(String message) {
+            super(message);
+        }
+    }
+
+    private static class Layer {
+        InputStream inputStream;
+        boolean isNested;
+
+        private Layer(InputStream inputStream, boolean isNested) {
+            this.inputStream = inputStream;
+            this.isNested = isNested;
+        }
+
+        static Layer initial(InputStream inputStream) {
+            BCPGInputStream bcpgIn;
+            if (inputStream instanceof BCPGInputStream) {
+                bcpgIn = (BCPGInputStream) inputStream;
+            } else {
+                bcpgIn = new BCPGInputStream(inputStream);
+            }
+            return new Layer(bcpgIn, true);
+        }
+
+        static Layer LiteralMessage(InputStream inputStream) {
+            return new Layer(inputStream, false);
+        }
+
+        static Layer CompressedData(InputStream inputStream) {
+            return new Layer(inputStream, true);
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
index 6930de4b..86075280 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
@@ -342,6 +342,12 @@ public class PushdownAutomaton {
         return getState() == State.Valid && stack.isEmpty();
     }
 
+    public void assertValid() throws MalformedOpenPgpMessageException {
+        if (!isValid()) {
+            throw new MalformedOpenPgpMessageException("Pushdown Automaton is not in an acceptable state: " + toString());
+        }
+    }
+
     /**
      * Pop an item from the stack.
      *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index 07fed365..9ce2284d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -28,4 +28,15 @@ public class MalformedOpenPgpMessageException extends PGPException {
                                             PushdownAutomaton.StackAlphabet stackItem) {
         this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
+
+    public RTE toRuntimeException() {
+        return new RTE(this);
+    }
+
+    public static class RTE extends RuntimeException {
+
+        public RTE(MalformedOpenPgpMessageException e) {
+            super(e);
+        }
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/OpenPgpPacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/OpenPgpPacketTest.java
new file mode 100644
index 00000000..88146605
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/OpenPgpPacketTest.java
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.algorithm;
+
+import org.bouncycastle.bcpg.PacketTags;
+import org.junit.jupiter.api.Test;
+
+import java.util.NoSuchElementException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class OpenPgpPacketTest {
+
+    @Test
+    public void testFromInvalidTag() {
+        int tag = PacketTags.RESERVED;
+        assertNull(OpenPgpPacket.fromTag(tag));
+        assertThrows(NoSuchElementException.class,
+                () -> OpenPgpPacket.requireFromTag(tag));
+    }
+
+    @Test
+    public void testFromExistingTags() {
+        for (OpenPgpPacket p : OpenPgpPacket.values()) {
+            assertEquals(p, OpenPgpPacket.fromTag(p.getTag()));
+            assertEquals(p, OpenPgpPacket.requireFromTag(p.getTag()));
+        }
+    }
+
+    @Test
+    public void testPKESKTagMatches() {
+        assertEquals(PacketTags.PUBLIC_KEY_ENC_SESSION, OpenPgpPacket.PKESK.getTag());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
new file mode 100644
index 00000000..bb2742b5
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
@@ -0,0 +1,290 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.CompressionAlgorithmTags;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.util.ArmoredInputStreamFactory;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class PGPDecryptionStreamTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: DA05 848F 37D4 68E6 F982  C889 7A70 1FC6 904D 3F4C\n" +
+            "Comment: Alice \n" +
+            "\n" +
+            "lFgEYxzSCBYJKwYBBAHaRw8BAQdAeJU8m4GOJb1eQgv/ryilFHRfNLTYFMNqL6zj\n" +
+            "r0vF7dsAAP42rAtngpJ6dZxoZlJX0Je65zk1VMPeTrXaWfPS2HSKBRGptBxBbGlj\n" +
+            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMc0ggJEHpwH8aQTT9M\n" +
+            "FiEE2gWEjzfUaOb5gsiJenAfxpBNP0wCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
+            "AQAApZEBALUXHtvswPZG28YO+16Men6/fpk+scvqpNMnD4ty3IkAAPwK6TuXjNnZ\n" +
+            "0XuWdnilvLMV23Ai1d5g6em+lwLK5M2SApxdBGMc0ggSCisGAQQBl1UBBQEBB0D8\n" +
+            "mNUVX8y2MXFaSeFYqOTPFnGT7dgNVdn6yc0UtkkHOgMBCAcAAP9y9OtP4SX9voPb\n" +
+            "ID2u9PkJKgo4hTB8NK5LouGppdRtEBGriHUEGBYKAB0FAmMc0ggCngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRB6cB/GkE0/TAywAQDpZRJS/joFH4+xcwheqWfI7ay/\n" +
+            "WfojUoGQMYGnUjsgYwEAkceRUsgkqI0SVgYvuglfaQpZ9k2ns1mZGVLkXvu/yQyc\n" +
+            "WARjHNIIFgkrBgEEAdpHDwEBB0BGN9BybSOrj8B6gim1SjbB/IiqAshlzMDunVkQ\n" +
+            "X23npQABAJqvjOOY7qhBuTusC5/Q5+25iLrhMn4TI+LXlJHMVNOaE0OI1QQYFgoA\n" +
+            "fQUCYxzSCAKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmMc0ggACgkQ\n" +
+            "KALh4BJQXl6yTQD/dh0N5228Uwtu7XHy6dmpMRX62cac5tXQ9WaDzpy8STgBAMdn\n" +
+            "Mq948UOYEhdk/ZY2/hwux/4t+FHvqrXW8ziBe4cLAAoJEHpwH8aQTT9M1hQA/3Ms\n" +
+            "P3kzoed3VsWu1ZMr7dKEngbc6SoJ2XPayzN0QYJaAQCIY5NcT9mZF97HWV3Vgeum\n" +
+            "00sWMHXfkW3+nl5OpUZaDA==\n" +
+            "=THgv\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    private static final String PLAINTEXT = "Hello, World!\n";
+
+    private static final String LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "yxRiAAAAAABIZWxsbywgV29ybGQhCg==\n" +
+            "=WGju\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String LIT_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "yxRiAAAAAABIZWxsbywgV29ybGQhCssUYgAAAAAASGVsbG8sIFdvcmxkIQo=\n" +
+            "=A91Q\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owE7LZLEAAIeqTk5+ToK4flFOSmKXAA=\n" +
+            "=ZYDg\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String COMP = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owEDAA==\n" +
+            "=MDzg\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String COMP_COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owEBRwC4/6MDQlpoOTFBWSZTWVuW2KAAAAr3hGAQBABgBABAAIAWBJAAAAggADFM\n" +
+            "ABNBqBo00N6puqWR+TqInoXQ58XckU4UJBbltigA\n" +
+            "=K9Zl\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String SIG_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "iHUEABYKACcFAmMc1i0JECgC4eASUF5eFiEEjN3RiJxCf/TyYOQjKALh4BJQXl4A\n" +
+            "AHkrAP98uPpqrgIix7epgL7MM1cjXXGSxqbDfXHwgptk1YGQlgD/fw89VGcXwFaI\n" +
+            "2k7kpXQYy/1BqnovM/jZ3X3mXhhTaAOjATstksQAAh6pOTn5Ogrh+UU5KYpcAA==\n" +
+            "=WKPn\n" +
+            "-----END PGP MESSAGE-----";
+
+    @Test
+    public void genLIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        armorOut.close();
+    }
+
+    @Test
+    public void processLIT() throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decIn, out);
+        assertEquals(PLAINTEXT, out.toString());
+        armorIn.close();
+    }
+
+    @Test
+    public void getLIT_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+
+        litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+
+        armorOut.close();
+    }
+
+    @Test
+    public void processLIT_LIT() throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT_LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        assertThrows(MalformedOpenPgpMessageException.RTE.class, () -> Streams.pipeAll(decIn, out));
+    }
+
+    @Test
+    public void genCOMP_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut = compGen.open(armorOut);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(compOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        compOut.close();
+        armorOut.close();
+    }
+
+    @Test
+    public void processCOMP_LIT() throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decIn, out);
+        decIn.close();
+        armorIn.close();
+
+        assertEquals(PLAINTEXT, out.toString());
+    }
+
+    @Test
+    public void genCOMP() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut = compGen.open(armorOut);
+        compOut.close();
+        armorOut.close();
+    }
+
+    @Test
+    public void processCOMP() throws IOException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        assertThrows(MalformedOpenPgpMessageException.RTE.class, () -> {
+            PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+            Streams.drain(decIn);
+        });
+    }
+
+    @Test
+    public void genCOMP_COMP_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+
+        PGPCompressedDataGenerator compGen1 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut1 = compGen1.open(armorOut);
+
+        PGPCompressedDataGenerator compGen2 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.BZIP2);
+        OutputStream compOut2 = compGen2.open(compOut1);
+
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(compOut2, PGPLiteralDataGenerator.BINARY, "", PGPLiteralDataGenerator.NOW, new byte[1 << 9]);
+
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        compOut2.close();
+        compOut1.close();
+        armorOut.close();
+    }
+
+    @Test
+    public void processCOMP_COMP_LIT() throws PGPException, IOException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_COMP_LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decIn, out);
+        decIn.close();
+
+        assertEquals(PLAINTEXT, out.toString());
+    }
+
+    @Test
+    public void genKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        System.out.println(PGPainless.asciiArmor(
+                PGPainless.generateKeyRing().modernKeyRing("Alice ")
+        ));
+    }
+
+    @Test
+    public void genSIG_LIT() throws PGPException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
+        EncryptionStream signer = PGPainless.encryptAndOrSign()
+                .onOutputStream(msgOut)
+                .withOptions(
+                        ProducerOptions.sign(
+                                SigningOptions.get()
+                                        .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)
+                        ).setAsciiArmor(false)
+                );
+
+        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), signer);
+        signer.close();
+        EncryptionResult result = signer.getResult();
+        PGPSignature detachedSignature = result.getDetachedSignatures().get(result.getDetachedSignatures().keySet().iterator().next()).iterator().next();
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
+        armorOut.flush();
+        detachedSignature.encode(armorOut);
+        armorOut.write(msgOut.toByteArray());
+        armorOut.close();
+
+        String armored = out.toString();
+        System.out.println(armored
+                .replace("-----BEGIN PGP SIGNATURE-----\n", "-----BEGIN PGP MESSAGE-----\n")
+                .replace("-----END PGP SIGNATURE-----", "-----END PGP MESSAGE-----"));
+    }
+
+    @Test
+    public void processSIG_LIT() throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(SIG_LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decIn, out);
+        decIn.close();
+
+        System.out.println(out);
+    }
+}

From e86062c427dde86b3d75c5af2b3aa1f75c6b11a1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 19:23:59 +0200
Subject: [PATCH 0703/1450] WIP: Replace nesting with independent instancing

---
 ...ream.java => MessageDecryptionStream.java} | 210 ++++++-----
 .../OpenPgpMessageInputStream.java            | 331 ++++++++++++++++++
 .../automaton/InputAlphabet.java              |  41 +++
 .../NestingPDA.java}                          |  90 +----
 .../automaton/PDA.java                        | 237 +++++++++++++
 .../automaton/StackAlphabet.java              |  20 ++
 .../MalformedOpenPgpMessageException.java     |  25 +-
 .../org/pgpainless/key/info/KeyRingInfo.java  |  40 ++-
 .../OpenPgpMessageInputStreamTest.java        |  86 +++++
 .../PGPDecryptionStreamTest.java              |  73 +++-
 .../PushDownAutomatonTest.java                | 205 -----------
 .../automaton/NestingPDATest.java             | 205 +++++++++++
 .../automaton/PDATest.java                    |  75 ++++
 13 files changed, 1227 insertions(+), 411 deletions(-)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{PGPDecryptionStream.java => MessageDecryptionStream.java} (59%)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{PushdownAutomaton.java => automaton/NestingPDA.java} (78%)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
similarity index 59%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
index c3053555..335e9d57 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PGPDecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
@@ -12,41 +12,50 @@ import org.bouncycastle.bcpg.Packet;
 import org.bouncycastle.bcpg.PacketTags;
 import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
 import org.bouncycastle.bcpg.SignaturePacket;
-import org.bouncycastle.bcpg.SymmetricEncDataPacket;
-import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket;
 import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket;
-import org.bouncycastle.bcpg.TrustPacket;
-import org.bouncycastle.bcpg.UserAttributePacket;
-import org.bouncycastle.bcpg.UserIDPacket;
 import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPPBEEncryptedData;
 import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.decryption_verification.automaton.InputAlphabet;
+import org.pgpainless.decryption_verification.automaton.NestingPDA;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.exception.MessageNotIntegrityProtectedException;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.util.Passphrase;
 
+import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.SequenceInputStream;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.NoSuchElementException;
 import java.util.Stack;
 
-public class PGPDecryptionStream extends InputStream {
+public class MessageDecryptionStream extends InputStream {
 
-    PushdownAutomaton automaton = new PushdownAutomaton();
+    private final ConsumerOptions options;
+
+    NestingPDA automaton = new NestingPDA();
     // nested streams, outermost at the bottom of the stack
     Stack packetLayers = new Stack<>();
+    List pkeskList = new ArrayList<>();
+    List skeskList = new ArrayList<>();
 
-    public PGPDecryptionStream(InputStream inputStream) throws IOException, PGPException {
-        try {
-            packetLayers.push(Layer.initial(inputStream));
-            walkLayer();
-        } catch (MalformedOpenPgpMessageException e) {
-            throw e.toRuntimeException();
-        }
+    public MessageDecryptionStream(InputStream inputStream, ConsumerOptions options)
+            throws IOException, PGPException {
+        this.options = options;
+        packetLayers.push(Layer.initial(inputStream));
+        walkLayer();
     }
 
     private void walkLayer() throws PGPException, IOException {
@@ -54,6 +63,7 @@ public class PGPDecryptionStream extends InputStream {
             return;
         }
 
+        // We are currently in the deepest layer
         Layer layer = packetLayers.peek();
         BCPGInputStream inputStream = (BCPGInputStream) layer.inputStream;
 
@@ -65,33 +75,23 @@ public class PGPDecryptionStream extends InputStream {
             OpenPgpPacket tag = nextTagOrThrow(inputStream);
             switch (tag) {
 
-                case PKESK:
-                    PublicKeyEncSessionPacket pkeskPacket = (PublicKeyEncSessionPacket) inputStream.readPacket();
-                    PGPEncryptedDataList encList = null;
-                    break;
-                case SIG:
-                    automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
+                case LIT:
+                    automaton.next(InputAlphabet.LiteralData);
+                    PGPLiteralData literalData = new PGPLiteralData(inputStream);
+                    packetLayers.push(Layer.literalMessage(literalData.getDataStream()));
+                    break loop;
 
+                case COMP:
+                    automaton.next(InputAlphabet.CompressedData);
+                    PGPCompressedData compressedData = new PGPCompressedData(inputStream);
+                    inputStream = new BCPGInputStream(compressedData.getDataStream());
+                    packetLayers.push(Layer.compressedData(inputStream));
+                    break;
+
+                case OPS:
+                    automaton.next(InputAlphabet.OnePassSignatures);
                     ByteArrayOutputStream buf = new ByteArrayOutputStream();
                     BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-                    while (inputStream.nextPacketTag() == PacketTags.SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
-                        Packet packet = inputStream.readPacket();
-                        if (packet instanceof SignaturePacket) {
-                            SignaturePacket sig = (SignaturePacket) packet;
-                            sig.encode(bcpgOut);
-                        }
-                    }
-                    PGPSignatureList signatures = (PGPSignatureList) ImplementationFactory.getInstance()
-                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
-                    break;
-                case SKESK:
-                    SymmetricKeyEncSessionPacket skeskPacket = (SymmetricKeyEncSessionPacket) inputStream.readPacket();
-
-                    break;
-                case OPS:
-                    automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-                    buf = new ByteArrayOutputStream();
-                    bcpgOut = new BCPGOutputStream(buf);
                     while (inputStream.nextPacketTag() == PacketTags.ONE_PASS_SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
                         Packet packet = inputStream.readPacket();
                         if (packet instanceof OnePassSignaturePacket) {
@@ -102,60 +102,103 @@ public class PGPDecryptionStream extends InputStream {
                     PGPOnePassSignatureList onePassSignatures = (PGPOnePassSignatureList) ImplementationFactory.getInstance()
                             .getPGPObjectFactory(buf.toByteArray()).nextObject();
                     break;
-                case SK:
+
+                case SIG:
+                    automaton.next(InputAlphabet.Signatures);
+
+                    buf = new ByteArrayOutputStream();
+                    bcpgOut = new BCPGOutputStream(buf);
+                    while (inputStream.nextPacketTag() == PacketTags.SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
+                        Packet packet = inputStream.readPacket();
+                        if (packet instanceof SignaturePacket) {
+                            SignaturePacket sig = (SignaturePacket) packet;
+                            sig.encode(bcpgOut);
+                        }
+                    }
+                    PGPSignatureList signatures = (PGPSignatureList) ImplementationFactory.getInstance()
+                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
                     break;
-                case PK:
+
+                case PKESK:
+                    PublicKeyEncSessionPacket pkeskPacket = (PublicKeyEncSessionPacket) inputStream.readPacket();
+                    pkeskList.add(pkeskPacket);
                     break;
-                case SSK:
-                    break;
-                case COMP:
-                    automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-                    PGPCompressedData compressedData = new PGPCompressedData(inputStream);
-                    inputStream = new BCPGInputStream(compressedData.getDataStream());
-                    packetLayers.push(Layer.CompressedData(inputStream));
+
+                case SKESK:
+                    SymmetricKeyEncSessionPacket skeskPacket = (SymmetricKeyEncSessionPacket) inputStream.readPacket();
+                    skeskList.add(skeskPacket);
                     break;
+
                 case SED:
-                    automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
-                    SymmetricEncDataPacket symmetricEncDataPacket = (SymmetricEncDataPacket) inputStream.readPacket();
-                    break;
+                    if (!options.isIgnoreMDCErrors()) {
+                        throw new MessageNotIntegrityProtectedException();
+                    }
+                    // No break; we continue below!
+                case SEIPD:
+                    automaton.next(InputAlphabet.EncryptedData);
+                    PGPEncryptedDataList encryptedDataList = assembleEncryptedDataList(inputStream);
+
+                    for (PGPEncryptedData encData : encryptedDataList) {
+                        if (encData instanceof PGPPBEEncryptedData) {
+                            PGPPBEEncryptedData skenc = (PGPPBEEncryptedData) encData;
+                            for (Passphrase passphrase : options.getDecryptionPassphrases()) {
+                                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                                        .getPBEDataDecryptorFactory(passphrase);
+                                InputStream decryptedIn = skenc.getDataStream(decryptorFactory);
+                                packetLayers.push(Layer.encryptedData(new BCPGInputStream(decryptedIn)));
+                                walkLayer();
+                                break loop;
+                            }
+                        }
+                    }
+                    throw new MissingDecryptionMethodException("Cannot decrypt message.");
+
                 case MARKER:
                     inputStream.readPacket(); // discard
                     break;
-                case LIT:
-                    automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-                    PGPLiteralData literalData = new PGPLiteralData(inputStream);
-                    packetLayers.push(Layer.LiteralMessage(literalData.getDataStream()));
-                    break loop;
-                case TRUST:
-                    TrustPacket trustPacket = (TrustPacket) inputStream.readPacket();
-                    break;
-                case UID:
-                    UserIDPacket userIDPacket = (UserIDPacket) inputStream.readPacket();
-                    break;
+
+                case SK:
+                case PK:
+                case SSK:
                 case PSK:
-                    break;
+                case TRUST:
+                case UID:
                 case UATTR:
-                    UserAttributePacket userAttributePacket = (UserAttributePacket) inputStream.readPacket();
-                    break;
-                case SEIPD:
-                    automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
-                    SymmetricEncIntegrityPacket symmetricEncIntegrityPacket = (SymmetricEncIntegrityPacket) inputStream.readPacket();
-                    break;
+                    throw new MalformedOpenPgpMessageException("OpenPGP packet " + tag + " MUST NOT be part of OpenPGP messages.");
                 case MOD:
                     ModDetectionCodePacket modDetectionCodePacket = (ModDetectionCodePacket) inputStream.readPacket();
                     break;
                 case EXP_1:
-                    break;
                 case EXP_2:
-                    break;
                 case EXP_3:
-                    break;
                 case EXP_4:
-                    break;
+                    throw new MalformedOpenPgpMessageException("Experimental packet " + tag + " found inside the message.");
             }
         }
     }
 
+    private PGPEncryptedDataList assembleEncryptedDataList(BCPGInputStream inputStream)
+            throws IOException {
+        ByteArrayOutputStream buf = new ByteArrayOutputStream();
+        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
+
+        for (SymmetricKeyEncSessionPacket skesk : skeskList) {
+            bcpgOut.write(skesk.getEncoded());
+        }
+        skeskList.clear();
+        for (PublicKeyEncSessionPacket pkesk : pkeskList) {
+            bcpgOut.write(pkesk.getEncoded());
+        }
+        pkeskList.clear();
+
+        SequenceInputStream sqin = new SequenceInputStream(
+                new ByteArrayInputStream(buf.toByteArray()), inputStream);
+
+        PGPEncryptedDataList encryptedDataList = (PGPEncryptedDataList) ImplementationFactory.getInstance()
+                .getPGPObjectFactory(sqin).nextObject();
+        return encryptedDataList;
+    }
+
     private OpenPgpPacket nextTagOrThrow(BCPGInputStream inputStream)
             throws IOException, InvalidOpenPgpPacketException {
         try {
@@ -167,17 +210,13 @@ public class PGPDecryptionStream extends InputStream {
 
     private void popLayer() throws MalformedOpenPgpMessageException {
         if (packetLayers.pop().isNested)
-            automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
+            automaton.next(InputAlphabet.EndOfSequence);
     }
 
     @Override
     public int read() throws IOException {
         if (packetLayers.isEmpty()) {
-            try {
-                automaton.assertValid();
-            } catch (MalformedOpenPgpMessageException e) {
-                throw e.toRuntimeException();
-            }
+            automaton.assertValid();
             return -1;
         }
 
@@ -187,13 +226,10 @@ public class PGPDecryptionStream extends InputStream {
         } catch (IOException e) {
         }
         if (r == -1) {
+            popLayer();
             try {
-                popLayer();
                 walkLayer();
-            } catch (MalformedOpenPgpMessageException e) {
-                throw e.toRuntimeException();
-            }
-            catch (PGPException e) {
+            } catch (PGPException e) {
                 throw new RuntimeException(e);
             }
             return read();
@@ -227,11 +263,15 @@ public class PGPDecryptionStream extends InputStream {
             return new Layer(bcpgIn, true);
         }
 
-        static Layer LiteralMessage(InputStream inputStream) {
+        static Layer literalMessage(InputStream inputStream) {
             return new Layer(inputStream, false);
         }
 
-        static Layer CompressedData(InputStream inputStream) {
+        static Layer compressedData(InputStream inputStream) {
+            return new Layer(inputStream, true);
+        }
+
+        static Layer encryptedData(InputStream inputStream) {
             return new Layer(inputStream, true);
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
new file mode 100644
index 00000000..549fe46b
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -0,0 +1,331 @@
+package org.pgpainless.decryption_verification;
+
+import com.sun.tools.javac.code.Attribute;
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.BCPGOutputStream;
+import org.bouncycastle.bcpg.OnePassSignaturePacket;
+import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.bcpg.PacketTags;
+import org.bouncycastle.bcpg.SignaturePacket;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedData;
+import org.bouncycastle.openpgp.PGPEncryptedDataList;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPPBEEncryptedData;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.EncryptionPurpose;
+import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.decryption_verification.automaton.InputAlphabet;
+import org.pgpainless.decryption_verification.automaton.PDA;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.exception.MessageNotIntegrityProtectedException;
+import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.Tuple;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+public class OpenPgpMessageInputStream extends InputStream {
+
+    protected final PDA automaton = new PDA();
+    protected final ConsumerOptions options;
+    protected final BCPGInputStream bcpgIn;
+    protected InputStream in;
+
+    private List signatures = new ArrayList<>();
+    private List onePassSignatures = new ArrayList<>();
+
+    public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
+            throws IOException, PGPException {
+        this.options = options;
+        // TODO: Use BCPGInputStream.wrap(inputStream);
+        if (inputStream instanceof BCPGInputStream) {
+            this.bcpgIn = (BCPGInputStream) inputStream;
+        } else {
+            this.bcpgIn = new BCPGInputStream(inputStream);
+        }
+
+        walk();
+    }
+
+    private void walk() throws IOException, PGPException {
+        loop: while (true) {
+
+            int tag = bcpgIn.nextPacketTag();
+            if (tag == -1) {
+                break loop;
+            }
+
+            OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
+            switch (nextPacket) {
+                case LIT:
+                    automaton.next(InputAlphabet.LiteralData);
+                    PGPLiteralData literalData = new PGPLiteralData(bcpgIn);
+                    in = literalData.getDataStream();
+                    break loop;
+
+                case COMP:
+                    automaton.next(InputAlphabet.CompressedData);
+                    PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
+                    in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options);
+                    break loop;
+
+                case OPS:
+                    automaton.next(InputAlphabet.OnePassSignatures);
+                    readOnePassSignatures();
+                    break;
+
+                case SIG:
+                    automaton.next(InputAlphabet.Signatures);
+                    readSignatures();
+                    break;
+
+                case PKESK:
+                case SKESK:
+                case SED:
+                case SEIPD:
+                    automaton.next(InputAlphabet.EncryptedData);
+                    PGPEncryptedDataList encDataList = new PGPEncryptedDataList(bcpgIn);
+
+                    // TODO: Replace with !encDataList.isIntegrityProtected()
+                    if (!encDataList.get(0).isIntegrityProtected()) {
+                        throw new MessageNotIntegrityProtectedException();
+                    }
+
+                    SortedESKs esks = new SortedESKs(encDataList);
+
+                    // TODO: try session keys
+
+                    // Try passwords
+                    for (PGPPBEEncryptedData skesk : esks.skesks) {
+                        for (Passphrase passphrase : options.getDecryptionPassphrases()) {
+                            PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                                    .getPBEDataDecryptorFactory(passphrase);
+                            try {
+                                InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                                in = new OpenPgpMessageInputStream(decrypted, options);
+                                break loop;
+                            } catch (PGPException e) {
+                                // password mismatch? Try next password
+                            }
+
+                        }
+                    }
+
+                    // Try (known) secret keys
+                    for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                        long keyId = pkesk.getKeyID();
+                        PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
+                        if (decryptionKeys == null) {
+                            continue;
+                        }
+                        SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
+                        PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
+                        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
+
+                        PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                                .getPublicKeyDataDecryptorFactory(privateKey);
+                        try {
+                            InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                            in = new OpenPgpMessageInputStream(decrypted, options);
+                            break loop;
+                        } catch (PGPException e) {
+                            // hm :/
+                        }
+                    }
+
+                    // try anonymous secret keys
+                    for (PGPPublicKeyEncryptedData pkesk : esks.anonPkesks) {
+                        for (Tuple decryptionKeyCandidate : findPotentialDecryptionKeys(pkesk)) {
+                            SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
+                            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
+                            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                                    .getPublicKeyDataDecryptorFactory(privateKey);
+
+                            try {
+                                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                                in = new OpenPgpMessageInputStream(decrypted, options);
+                                break loop;
+                            } catch (PGPException e) {
+                                // hm :/
+                            }
+                        }
+                    }
+
+                    // TODO: try interactive password callbacks
+
+                    break loop;
+
+                case MARKER:
+                    bcpgIn.readPacket(); // skip marker packet
+                    break;
+
+                case SK:
+                case PK:
+                case SSK:
+                case PSK:
+                case TRUST:
+                case UID:
+                case UATTR:
+
+                case MOD:
+                    break;
+
+                case EXP_1:
+                case EXP_2:
+                case EXP_3:
+                case EXP_4:
+                    break;
+            }
+        }
+    }
+
+    private List> findPotentialDecryptionKeys(PGPPublicKeyEncryptedData pkesk) {
+        int algorithm = pkesk.getAlgorithm();
+        List> decryptionKeyCandidates = new ArrayList<>();
+
+        for (PGPSecretKeyRing secretKeys : options.getDecryptionKeys()) {
+            KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+            for (PGPPublicKey publicKey : info.getEncryptionSubkeys(EncryptionPurpose.ANY)) {
+                if (publicKey.getAlgorithm() == algorithm && info.isSecretKeyAvailable(publicKey.getKeyID())) {
+                    PGPSecretKey candidate = secretKeys.getSecretKey(publicKey.getKeyID());
+                    decryptionKeyCandidates.add(new Tuple<>(secretKeys, candidate));
+                }
+            }
+        }
+        return decryptionKeyCandidates;
+    }
+
+    private PGPSecretKeyRing getDecryptionKey(long keyID) {
+        for (PGPSecretKeyRing secretKeys : options.getDecryptionKeys()) {
+            PGPSecretKey decryptionKey = secretKeys.getSecretKey(keyID);
+            if (decryptionKey == null) {
+                continue;
+            }
+            return secretKeys;
+        }
+        return null;
+    }
+
+    private void readOnePassSignatures() throws IOException {
+        ByteArrayOutputStream buf = new ByteArrayOutputStream();
+        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
+        int tag = bcpgIn.nextPacketTag();
+        while (tag == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
+            Packet packet = bcpgIn.readPacket();
+            if (tag == PacketTags.ONE_PASS_SIGNATURE) {
+                OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
+                sigPacket.encode(bcpgOut);
+            }
+        }
+        bcpgOut.close();
+
+        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
+        PGPOnePassSignatureList signatureList = (PGPOnePassSignatureList) objectFactory.nextObject();
+        for (PGPOnePassSignature ops : signatureList) {
+            onePassSignatures.add(ops);
+        }
+    }
+
+    private void readSignatures() throws IOException {
+        ByteArrayOutputStream buf = new ByteArrayOutputStream();
+        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
+        int tag = bcpgIn.nextPacketTag();
+        while (tag == PacketTags.SIGNATURE || tag == PacketTags.MARKER) {
+            Packet packet = bcpgIn.readPacket();
+            if (tag == PacketTags.SIGNATURE) {
+                SignaturePacket sigPacket = (SignaturePacket) packet;
+                sigPacket.encode(bcpgOut);
+            }
+        }
+        bcpgOut.close();
+
+        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
+        PGPSignatureList signatureList = (PGPSignatureList) objectFactory.nextObject();
+        for (PGPSignature signature : signatureList) {
+            signatures.add(signature);
+        }
+    }
+
+    @Override
+    public int read() throws IOException {
+        int r = -1;
+        try {
+            r = in.read();
+        } catch (IOException e) {
+            //
+        }
+        if (r == -1) {
+            if (in instanceof OpenPgpMessageInputStream) {
+                in.close();
+            } else {
+                try {
+                    walk();
+                } catch (PGPException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        }
+        return r;
+    }
+
+    @Override
+    public void close() throws IOException {
+        try {
+            in.close();
+            // Nested streams (except LiteralData) need to be closed.
+            if (automaton.getState() != PDA.State.LiteralMessage) {
+                automaton.next(InputAlphabet.EndOfSequence);
+                automaton.assertValid();
+            }
+        } catch (IOException e) {
+            //
+        }
+
+        super.close();
+    }
+
+    private static class SortedESKs {
+
+        private List skesks = new ArrayList<>();
+        private List pkesks = new ArrayList<>();
+        private List anonPkesks = new ArrayList<>();
+
+        SortedESKs(PGPEncryptedDataList esks) {
+            for (PGPEncryptedData esk : esks) {
+                if (esk instanceof PGPPBEEncryptedData) {
+                    skesks.add((PGPPBEEncryptedData) esk);
+                } else if (esk instanceof PGPPublicKeyEncryptedData) {
+                    PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
+                    if (pkesk.getKeyID() != 0) {
+                        pkesks.add(pkesk);
+                    } else {
+                        anonPkesks.add(pkesk);
+                    }
+                } else {
+                    throw new IllegalArgumentException("Unknown ESK class type.");
+                }
+            }
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
new file mode 100644
index 00000000..d015a4b3
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
@@ -0,0 +1,41 @@
+package org.pgpainless.decryption_verification.automaton;
+
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedDataList;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPOnePassSignatureList;
+import org.bouncycastle.openpgp.PGPSignatureList;
+
+public enum InputAlphabet {
+    /**
+     * A {@link PGPLiteralData} packet.
+     */
+    LiteralData,
+    /**
+     * A {@link PGPSignatureList} object.
+     */
+    Signatures,
+    /**
+     * A {@link PGPOnePassSignatureList} object.
+     */
+    OnePassSignatures,
+    /**
+     * A {@link PGPCompressedData} packet.
+     * The contents of this packet MUST form a valid OpenPGP message, so a nested PDA is opened to verify
+     * its nested packet sequence.
+     */
+    CompressedData,
+    /**
+     * A {@link PGPEncryptedDataList} object.
+     * This object combines multiple ESKs and the corresponding Symmetrically Encrypted
+     * (possibly Integrity Protected) Data packet.
+     */
+    EncryptedData,
+    /**
+     * Marks the end of a (sub-) sequence.
+     * This input is given if the end of an OpenPGP message is reached.
+     * This might be the case for the end of the whole ciphertext, or the end of a packet with nested contents
+     * (e.g. the end of a Compressed Data packet).
+     */
+    EndOfSequence
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
similarity index 78%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
index 86075280..cf5ee674 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/PushdownAutomaton.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
@@ -1,17 +1,12 @@
-package org.pgpainless.decryption_verification;
+package org.pgpainless.decryption_verification.automaton;
 
-import org.bouncycastle.openpgp.PGPCompressedData;
-import org.bouncycastle.openpgp.PGPEncryptedDataList;
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPOnePassSignatureList;
-import org.bouncycastle.openpgp.PGPSignatureList;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
 import java.util.Stack;
 
-import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.msg;
-import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.ops;
-import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlphabet.terminus;
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.msg;
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ops;
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.terminus;
 
 /**
  * Pushdown Automaton to verify the correct syntax of OpenPGP messages during decryption.
@@ -37,71 +32,18 @@ import static org.pgpainless.decryption_verification.PushdownAutomaton.StackAlph
  *
  * @see RFC4880 §11.3. OpenPGP Messages
  */
-public class PushdownAutomaton {
-
-    public enum InputAlphabet {
-        /**
-         * A {@link PGPLiteralData} packet.
-         */
-        LiteralData,
-        /**
-         * A {@link PGPSignatureList} object.
-         */
-        Signatures,
-        /**
-         * A {@link PGPOnePassSignatureList} object.
-         */
-        OnePassSignatures,
-        /**
-         * A {@link PGPCompressedData} packet.
-         * The contents of this packet MUST form a valid OpenPGP message, so a nested PDA is opened to verify
-         * its nested packet sequence.
-         */
-        CompressedData,
-        /**
-         * A {@link PGPEncryptedDataList} object.
-         * This object combines multiple ESKs and the corresponding Symmetrically Encrypted
-         * (possibly Integrity Protected) Data packet.
-         */
-        EncryptedData,
-        /**
-         * Marks the end of a (sub-) sequence.
-         * This input is given if the end of an OpenPGP message is reached.
-         * This might be the case for the end of the whole ciphertext, or the end of a packet with nested contents
-         * (e.g. the end of a Compressed Data packet).
-         */
-        EndOfSequence
-    }
-
-    public enum StackAlphabet {
-        /**
-         * OpenPGP Message.
-         */
-        msg,
-        /**
-         * OnePassSignature (in case of BC this represents a OnePassSignatureList).
-         */
-        ops,
-        /**
-         * ESK. Not used, as BC combines encrypted data with their encrypted session keys.
-         */
-        esk,
-        /**
-         * Special symbol representing the end of the message.
-         */
-        terminus
-    }
+public class NestingPDA {
 
     /**
      * Set of states of the automaton.
-     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, PushdownAutomaton)}
+     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, NestingPDA)}
      * method.
      */
     public enum State {
 
         OpenPgpMessage {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 if (stackItem != msg) {
                     throw new MalformedOpenPgpMessageException(this, input, stackItem);
@@ -135,7 +77,7 @@ public class PushdownAutomaton {
 
         LiteralMessage {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
 
@@ -165,7 +107,7 @@ public class PushdownAutomaton {
 
         CompressedMessage {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
                     case Signatures:
@@ -194,7 +136,7 @@ public class PushdownAutomaton {
 
         EncryptedMessage {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
                     case Signatures:
@@ -223,7 +165,7 @@ public class PushdownAutomaton {
 
         CorrespondingSignature {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 if (stackItem == terminus && input == InputAlphabet.EndOfSequence && automaton.stack.isEmpty()) {
                     return Valid;
@@ -235,7 +177,7 @@ public class PushdownAutomaton {
 
         Valid {
             @Override
-            State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException {
+            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
                 throw new MalformedOpenPgpMessageException(this, input, null);
             }
         },
@@ -252,15 +194,15 @@ public class PushdownAutomaton {
          * @return new state of the automaton
          * @throws MalformedOpenPgpMessageException in case of an illegal input symbol
          */
-        abstract State transition(InputAlphabet input, PushdownAutomaton automaton) throws MalformedOpenPgpMessageException;
+        abstract State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException;
     }
 
     private final Stack stack = new Stack<>();
     private State state;
     // Some OpenPGP packets have nested contents (e.g. compressed / encrypted data).
-    PushdownAutomaton nestedSequence = null;
+    NestingPDA nestedSequence = null;
 
-    public PushdownAutomaton() {
+    public NestingPDA() {
         state = State.OpenPgpMessage;
         stack.push(terminus);
         stack.push(msg);
@@ -301,7 +243,7 @@ public class PushdownAutomaton {
 
             // If the processed packet contains nested sequence, open nested automaton for it
             if (input == InputAlphabet.CompressedData || input == InputAlphabet.EncryptedData) {
-                nestedSequence = new PushdownAutomaton();
+                nestedSequence = new NestingPDA();
             }
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
new file mode 100644
index 00000000..6b989720
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -0,0 +1,237 @@
+package org.pgpainless.decryption_verification.automaton;
+
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+import java.util.Stack;
+
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.msg;
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ops;
+import static org.pgpainless.decryption_verification.automaton.StackAlphabet.terminus;
+
+public class PDA {
+    /**
+     * Set of states of the automaton.
+     * Each state defines its valid transitions in their {@link NestingPDA.State#transition(InputAlphabet, NestingPDA)}
+     * method.
+     */
+    public enum State {
+
+        OpenPgpMessage {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                if (stackItem != msg) {
+                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+                switch (input) {
+
+                    case LiteralData:
+                        return LiteralMessage;
+
+                    case Signatures:
+                        automaton.pushStack(msg);
+                        return OpenPgpMessage;
+
+                    case OnePassSignatures:
+                        automaton.pushStack(ops);
+                        automaton.pushStack(msg);
+                        return OpenPgpMessage;
+
+                    case CompressedData:
+                        return CompressedMessage;
+
+                    case EncryptedData:
+                        return EncryptedMessage;
+
+                    case EndOfSequence:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        LiteralMessage {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        CompressedMessage {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        EncryptedMessage {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                switch (input) {
+                    case Signatures:
+                        if (stackItem == ops) {
+                            return CorrespondingSignature;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case EndOfSequence:
+                        if (stackItem == terminus && automaton.stack.isEmpty()) {
+                            return Valid;
+                        } else {
+                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                        }
+
+                    case LiteralData:
+                    case OnePassSignatures:
+                    case CompressedData:
+                    case EncryptedData:
+                    default:
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        CorrespondingSignature {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                StackAlphabet stackItem = automaton.popStack();
+                if (stackItem == terminus && input == InputAlphabet.EndOfSequence && automaton.stack.isEmpty()) {
+                    return Valid;
+                } else {
+                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                }
+            }
+        },
+
+        Valid {
+            @Override
+            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
+                throw new MalformedOpenPgpMessageException(this, input, null);
+            }
+        },
+        ;
+
+        /**
+         * Pop the automatons stack and transition to another state.
+         * If no valid transition from the current state is available given the popped stack item and input symbol,
+         * a {@link MalformedOpenPgpMessageException} is thrown.
+         * Otherwise, the stack is manipulated according to the valid transition and the new state is returned.
+         *
+         * @param input     input symbol
+         * @param automaton automaton
+         * @return new state of the automaton
+         * @throws MalformedOpenPgpMessageException in case of an illegal input symbol
+         */
+        abstract State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException;
+    }
+
+    private final Stack stack = new Stack<>();
+    private State state;
+
+    public PDA() {
+        state = State.OpenPgpMessage;
+        stack.push(terminus);
+        stack.push(msg);
+    }
+
+    public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
+        State old = state;
+        StackAlphabet stackItem = stack.isEmpty() ? null : stack.peek();
+        state = state.transition(input, this);
+        System.out.println("Transition from " + old + " to " + state + " via " + input + " with stack " + stackItem);
+    }
+
+    /**
+     * Return the current state of the PDA.
+     *
+     * @return state
+     */
+    public State getState() {
+        return state;
+    }
+
+    /**
+     * Return true, if the PDA is in a valid state (the OpenPGP message is valid).
+     *
+     * @return true if valid, false otherwise
+     */
+    public boolean isValid() {
+        return getState() == State.Valid && stack.isEmpty();
+    }
+
+    public void assertValid() throws MalformedOpenPgpMessageException {
+        if (!isValid()) {
+            throw new MalformedOpenPgpMessageException("Pushdown Automaton is not in an acceptable state: " + toString());
+        }
+    }
+
+    /**
+     * Pop an item from the stack.
+     *
+     * @return stack item
+     */
+    private StackAlphabet popStack() {
+        return stack.pop();
+    }
+
+    /**
+     * Push an item onto the stack.
+     *
+     * @param item item
+     */
+    private void pushStack(StackAlphabet item) {
+        stack.push(item);
+    }
+
+    @Override
+    public String toString() {
+        return "State: " + state + " Stack: " + stack;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
new file mode 100644
index 00000000..97dad3d8
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
@@ -0,0 +1,20 @@
+package org.pgpainless.decryption_verification.automaton;
+
+public enum StackAlphabet {
+    /**
+     * OpenPGP Message.
+     */
+    msg,
+    /**
+     * OnePassSignature (in case of BC this represents a OnePassSignatureList).
+     */
+    ops,
+    /**
+     * ESK. Not used, as BC combines encrypted data with their encrypted session keys.
+     */
+    esk,
+    /**
+     * Special symbol representing the end of the message.
+     */
+    terminus
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index 9ce2284d..21b6e807 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -4,8 +4,10 @@
 
 package org.pgpainless.exception;
 
-import org.bouncycastle.openpgp.PGPException;
-import org.pgpainless.decryption_verification.PushdownAutomaton;
+import org.pgpainless.decryption_verification.automaton.InputAlphabet;
+import org.pgpainless.decryption_verification.automaton.NestingPDA;
+import org.pgpainless.decryption_verification.automaton.PDA;
+import org.pgpainless.decryption_verification.automaton.StackAlphabet;
 
 /**
  * Exception that gets thrown if the OpenPGP message is malformed.
@@ -13,7 +15,7 @@ import org.pgpainless.decryption_verification.PushdownAutomaton;
  *
  * @see RFC4880 §11.3. OpenPGP Messages
  */
-public class MalformedOpenPgpMessageException extends PGPException {
+public class MalformedOpenPgpMessageException extends RuntimeException {
 
     public MalformedOpenPgpMessageException(String message) {
         super(message);
@@ -23,20 +25,17 @@ public class MalformedOpenPgpMessageException extends PGPException {
         super(message, cause);
     }
 
-    public MalformedOpenPgpMessageException(PushdownAutomaton.State state,
-                                            PushdownAutomaton.InputAlphabet input,
-                                            PushdownAutomaton.StackAlphabet stackItem) {
+    public MalformedOpenPgpMessageException(NestingPDA.State state,
+                                            InputAlphabet input,
+                                            StackAlphabet stackItem) {
         this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
 
-    public RTE toRuntimeException() {
-        return new RTE(this);
+    public MalformedOpenPgpMessageException(PDA.State state, InputAlphabet input, StackAlphabet stackItem) {
+        this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
 
-    public static class RTE extends RuntimeException {
-
-        public RTE(MalformedOpenPgpMessageException e) {
-            super(e);
-        }
+    public MalformedOpenPgpMessageException(String message, PDA automaton) {
+        super(message + automaton.toString());
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index b818290b..fa4168dd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -1100,29 +1100,33 @@ public class KeyRingInfo {
 
         List signingKeys = getSigningSubkeys();
         for (PGPPublicKey pk : signingKeys) {
-            PGPSecretKey sk = getSecretKey(pk.getKeyID());
-            if (sk == null) {
-                // Missing secret key
-                continue;
-            }
-            S2K s2K = sk.getS2K();
-            // Unencrypted key
-            if (s2K == null) {
-                return true;
-            }
-
-            // Secret key on smart-card
-            int s2kType = s2K.getType();
-            if (s2kType >= 100 && s2kType <= 110) {
-                continue;
-            }
-            // protected secret key
-            return true;
+            return isSecretKeyAvailable(pk.getKeyID());
         }
         // No usable secret key found
         return false;
     }
 
+    public boolean isSecretKeyAvailable(long keyId) {
+        PGPSecretKey sk = getSecretKey(keyId);
+        if (sk == null) {
+            // Missing secret key
+            return false;
+        }
+        S2K s2K = sk.getS2K();
+        // Unencrypted key
+        if (s2K == null) {
+            return true;
+        }
+
+        // Secret key on smart-card
+        int s2kType = s2K.getType();
+        if (s2kType >= 100 && s2kType <= 110) {
+            return false;
+        }
+        // protected secret key
+        return true;
+    }
+
     private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) {
         if (getPublicKey(keyID) == null) {
             throw new NoSuchElementException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
new file mode 100644
index 00000000..ae6390ce
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -0,0 +1,86 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.util.ArmoredInputStreamFactory;
+import org.pgpainless.util.Passphrase;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_COMP_LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT_LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PASSPHRASE;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PLAINTEXT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SENC_LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SIG_LIT;
+
+public class OpenPgpMessageInputStreamTest {
+
+    @Test
+    public void testProcessLIT() throws IOException, PGPException {
+        String plain = process(LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    @Test
+    public void testProcessLIT_LIT_fails() {
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> process(LIT_LIT, ConsumerOptions.get()));
+    }
+
+    @Test
+    public void testProcessCOMP_LIT() throws PGPException, IOException {
+        String plain = process(COMP_LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    @Test
+    public void testProcessCOMP_fails() {
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> process(COMP, ConsumerOptions.get()));
+    }
+
+    @Test
+    public void testProcessCOMP_COMP_LIT() throws PGPException, IOException {
+        String plain = process(COMP_COMP_LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    @Test
+    public void testProcessSIG_LIT() throws PGPException, IOException {
+        String plain = process(SIG_LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    @Test
+    public void testProcessSENC_LIT() throws PGPException, IOException {
+        String plain = process(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    private String process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+        OpenPgpMessageInputStream in = get(armoredMessage, options);
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(in, out);
+        in.close();
+        return out.toString();
+    }
+
+    private OpenPgpMessageInputStream get(String armored, ConsumerOptions options) throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        OpenPgpMessageInputStream pgpIn = new OpenPgpMessageInputStream(armorIn, options);
+        return pgpIn;
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
index bb2742b5..a84da9d5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
@@ -12,6 +12,8 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
@@ -19,6 +21,7 @@ import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredInputStreamFactory;
+import org.pgpainless.util.Passphrase;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -33,7 +36,7 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class PGPDecryptionStreamTest {
 
-    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+    public static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +
             "Comment: DA05 848F 37D4 68E6 F982  C889 7A70 1FC6 904D 3F4C\n" +
             "Comment: Alice \n" +
@@ -58,9 +61,10 @@ public class PGPDecryptionStreamTest {
             "=THgv\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
-    private static final String PLAINTEXT = "Hello, World!\n";
+    public static final String PLAINTEXT = "Hello, World!\n";
+    public static final String PASSPHRASE = "sw0rdf1sh";
 
-    private static final String LIT = "" +
+    public static final String LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -68,7 +72,7 @@ public class PGPDecryptionStreamTest {
             "=WGju\n" +
             "-----END PGP MESSAGE-----";
 
-    private static final String LIT_LIT = "" +
+    public static final String LIT_LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -76,7 +80,7 @@ public class PGPDecryptionStreamTest {
             "=A91Q\n" +
             "-----END PGP MESSAGE-----";
 
-    private static final String COMP_LIT = "" +
+    public static final String COMP_LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -84,7 +88,7 @@ public class PGPDecryptionStreamTest {
             "=ZYDg\n" +
             "-----END PGP MESSAGE-----";
 
-    private static final String COMP = "" +
+    public static final String COMP = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -92,7 +96,7 @@ public class PGPDecryptionStreamTest {
             "=MDzg\n" +
             "-----END PGP MESSAGE-----";
 
-    private static final String COMP_COMP_LIT = "" +
+    public static final String COMP_COMP_LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -101,7 +105,7 @@ public class PGPDecryptionStreamTest {
             "=K9Zl\n" +
             "-----END PGP MESSAGE-----";
 
-    private static final String SIG_LIT = "" +
+    public static final String SIG_LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -111,6 +115,15 @@ public class PGPDecryptionStreamTest {
             "=WKPn\n" +
             "-----END PGP MESSAGE-----";
 
+    public static final String SENC_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "jA0ECQMCuZ0qHNXWnGhg0j8Bdm1cxV65sYb7jDgb4rRMtdNpQ1dC4UpSYuk9YWS2\n" +
+            "DpNEijbX8b/P1UOK2kJczNDADMRegZuLEI+dNsBnJjk=\n" +
+            "=i4Y0\n" +
+            "-----END PGP MESSAGE-----";
+
     @Test
     public void genLIT() throws IOException {
         ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
@@ -125,7 +138,7 @@ public class PGPDecryptionStreamTest {
     public void processLIT() throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(decIn, out);
@@ -152,10 +165,10 @@ public class PGPDecryptionStreamTest {
     public void processLIT_LIT() throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT_LIT.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        assertThrows(MalformedOpenPgpMessageException.RTE.class, () -> Streams.pipeAll(decIn, out));
+        assertThrows(MalformedOpenPgpMessageException.class, () -> Streams.pipeAll(decIn, out));
     }
 
     @Test
@@ -175,7 +188,7 @@ public class PGPDecryptionStreamTest {
     public void processCOMP_LIT() throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_LIT.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(decIn, out);
@@ -198,8 +211,8 @@ public class PGPDecryptionStreamTest {
     public void processCOMP() throws IOException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        assertThrows(MalformedOpenPgpMessageException.RTE.class, () -> {
-            PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        assertThrows(MalformedOpenPgpMessageException.class, () -> {
+            MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
             Streams.drain(decIn);
         });
     }
@@ -228,7 +241,7 @@ public class PGPDecryptionStreamTest {
     public void processCOMP_COMP_LIT() throws PGPException, IOException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_COMP_LIT.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(decIn, out);
@@ -279,7 +292,35 @@ public class PGPDecryptionStreamTest {
     public void processSIG_LIT() throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(SIG_LIT.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        PGPDecryptionStream decIn = new PGPDecryptionStream(armorIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decIn, out);
+        decIn.close();
+
+        System.out.println(out);
+    }
+
+    @Test
+    public void genSENC_LIT() throws PGPException, IOException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream enc = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
+                                .addPassphrase(Passphrase.fromPassword(PASSPHRASE)))
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
+        enc.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        enc.close();
+
+        System.out.println(out);
+    }
+
+    @Test
+    public void processSENC_LIT() throws IOException, PGPException {
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(SENC_LIT.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get()
+                .addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(decIn, out);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java
deleted file mode 100644
index 1bd07308..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PushDownAutomatonTest.java
+++ /dev/null
@@ -1,205 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import org.junit.jupiter.api.Test;
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
-
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-public class PushDownAutomatonTest {
-
-    /**
-     * MSG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS MSG SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * SIG MSG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS COMP(MSG) SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS ENC(COMP(COMP(MSG))) SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOpsSignedEncryptedCompressedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * MSG SIG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testLiteralPlusSigsFails() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.Signatures));
-    }
-
-    /**
-     * MSG MSG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG MSG) SIG is invalid (two literal packets are illegal).
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG) MSG SIG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails2() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG SIG) is invalid (MSG SIG does not form valid nested message).
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testCorrespondingSignaturesOfOpsSignedMessageAreLayerFurtherDownFails() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.Signatures));
-    }
-
-    /**
-     * Empty COMP is invalid.
-     */
-    @Test
-    public void testEmptyCompressedDataIsInvalid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence));
-    }
-
-    @Test
-    public void testOPSSignedEncryptedCompressedOPSSignedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PushdownAutomaton automaton = new PushdownAutomaton();
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.EncryptedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.OnePassSignatures);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.CompressedData);
-        automaton.next(PushdownAutomaton.InputAlphabet.LiteralData);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        automaton.next(PushdownAutomaton.InputAlphabet.Signatures);
-        automaton.next(PushdownAutomaton.InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java
new file mode 100644
index 00000000..8c1c4921
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java
@@ -0,0 +1,205 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification.automaton;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class NestingPDATest {
+
+    /**
+     * MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS MSG SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * SIG MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS COMP(MSG) SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS ENC(COMP(COMP(MSG))) SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOpsSignedEncryptedCompressedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.EncryptedData);
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.CompressedData);
+
+        automaton.next(InputAlphabet.LiteralData);
+
+        automaton.next(InputAlphabet.EndOfSequence);
+        automaton.next(InputAlphabet.EndOfSequence);
+        automaton.next(InputAlphabet.EndOfSequence);
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * MSG SIG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testLiteralPlusSigsFails() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.Signatures));
+    }
+
+    /**
+     * MSG MSG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG MSG) SIG is invalid (two literal packets are illegal).
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG) MSG SIG is invalid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails2() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.LiteralData));
+    }
+
+    /**
+     * OPS COMP(MSG SIG) is invalid (MSG SIG does not form valid nested message).
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testCorrespondingSignaturesOfOpsSignedMessageAreLayerFurtherDownFails() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.Signatures));
+    }
+
+    /**
+     * Empty COMP is invalid.
+     */
+    @Test
+    public void testEmptyCompressedDataIsInvalid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.CompressedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> automaton.next(InputAlphabet.EndOfSequence));
+    }
+
+    @Test
+    public void testOPSSignedEncryptedCompressedOPSSignedMessageIsValid() throws MalformedOpenPgpMessageException {
+        NestingPDA automaton = new NestingPDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+
+        automaton.next(InputAlphabet.EncryptedData);
+        automaton.next(InputAlphabet.OnePassSignatures);
+
+        automaton.next(InputAlphabet.CompressedData);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
new file mode 100644
index 00000000..6e8a38d6
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
@@ -0,0 +1,75 @@
+package org.pgpainless.decryption_verification.automaton;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class PDATest {
+
+
+    /**
+     * MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
+        PDA automaton = new PDA();
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+    /**
+     * OPS MSG SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
+        PDA automaton = new PDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+
+    /**
+     * SIG MSG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PDA automaton = new PDA();
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.LiteralData);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+
+    /**
+     * OPS COMP(MSG) SIG is valid.
+     *
+     * @throws MalformedOpenPgpMessageException fail
+     */
+    @Test
+    public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
+        PDA automaton = new PDA();
+        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.CompressedData);
+        // Here would be a nested PDA for the LiteralData packet
+        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(automaton.isValid());
+    }
+
+}

From d81c0d44006d1037b8d577869dd3a49cbf494872 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Sep 2022 20:22:31 +0200
Subject: [PATCH 0704/1450] Fix tests

---
 .../OpenPgpMessageInputStream.java            | 57 ++++++++++++++++---
 .../automaton/PDA.java                        |  9 ++-
 .../OpenPgpMessageInputStreamTest.java        | 12 ++++
 .../PGPDecryptionStreamTest.java              | 30 ++++++++++
 4 files changed, 98 insertions(+), 10 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 549fe46b..788be4ab 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -1,6 +1,5 @@
 package org.pgpainless.decryption_verification;
 
-import com.sun.tools.javac.code.Attribute;
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.bcpg.OnePassSignaturePacket;
@@ -25,13 +24,14 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
 import org.pgpainless.decryption_verification.automaton.PDA;
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
@@ -114,7 +114,27 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                     SortedESKs esks = new SortedESKs(encDataList);
 
-                    // TODO: try session keys
+                    if (options.getSessionKey() != null) {
+                        SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                                .getSessionKeyDataDecryptorFactory(options.getSessionKey());
+                        // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
+                        PGPEncryptedData esk = esks.all().get(0);
+                        try {
+                            if (esk instanceof PGPPBEEncryptedData) {
+                                PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
+                                in = skesk.getDataStream(decryptorFactory);
+                                break loop;
+                            } else if (esk instanceof PGPPublicKeyEncryptedData) {
+                                PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
+                                in = pkesk.getDataStream(decryptorFactory);
+                                break loop;
+                            } else {
+                                throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
+                            }
+                        } catch (PGPException e) {
+                            // Session key mismatch?
+                        }
+                    }
 
                     // Try passwords
                     for (PGPPBEEncryptedData skesk : esks.skesks) {
@@ -174,7 +194,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                     // TODO: try interactive password callbacks
 
-                    break loop;
+                    throw new MissingDecryptionMethodException("No working decryption method found.");
 
                 case MARKER:
                     bcpgIn.readPacket(); // skip marker packet
@@ -256,6 +276,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             if (tag == PacketTags.SIGNATURE) {
                 SignaturePacket sigPacket = (SignaturePacket) packet;
                 sigPacket.encode(bcpgOut);
+                tag = bcpgIn.nextPacketTag();
             }
         }
         bcpgOut.close();
@@ -270,16 +291,21 @@ public class OpenPgpMessageInputStream extends InputStream {
     @Override
     public int read() throws IOException {
         int r = -1;
-        try {
-            r = in.read();
-        } catch (IOException e) {
-            //
+        if (in != null) {
+            try {
+                r = in.read();
+            } catch (IOException e) {
+                //
+            }
         }
         if (r == -1) {
             if (in instanceof OpenPgpMessageInputStream) {
+                System.out.println("Read -1: close " + automaton);
                 in.close();
+                in = null;
             } else {
                 try {
+                    System.out.println("Walk " + automaton);
                     walk();
                 } catch (PGPException e) {
                     throw new RuntimeException(e);
@@ -291,8 +317,15 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     @Override
     public void close() throws IOException {
+        if (in == null) {
+            System.out.println("Close " + automaton);
+            automaton.next(InputAlphabet.EndOfSequence);
+            automaton.assertValid();
+            return;
+        }
         try {
             in.close();
+            in = null;
             // Nested streams (except LiteralData) need to be closed.
             if (automaton.getState() != PDA.State.LiteralMessage) {
                 automaton.next(InputAlphabet.EndOfSequence);
@@ -327,5 +360,13 @@ public class OpenPgpMessageInputStream extends InputStream {
                 }
             }
         }
+
+        public List all() {
+            List esks = new ArrayList<>();
+            esks.addAll(skesks);
+            esks.addAll(pkesks);
+            esks.addAll(anonPkesks);
+            return esks;
+        }
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index 6b989720..a3384070 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -9,6 +9,9 @@ import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ops
 import static org.pgpainless.decryption_verification.automaton.StackAlphabet.terminus;
 
 public class PDA {
+
+    private static int ID = 0;
+
     /**
      * Set of states of the automaton.
      * Each state defines its valid transitions in their {@link NestingPDA.State#transition(InputAlphabet, NestingPDA)}
@@ -174,18 +177,20 @@ public class PDA {
 
     private final Stack stack = new Stack<>();
     private State state;
+    private int id;
 
     public PDA() {
         state = State.OpenPgpMessage;
         stack.push(terminus);
         stack.push(msg);
+        this.id = ID++;
     }
 
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
         State old = state;
         StackAlphabet stackItem = stack.isEmpty() ? null : stack.peek();
         state = state.transition(input, this);
-        System.out.println("Transition from " + old + " to " + state + " via " + input + " with stack " + stackItem);
+        System.out.println(id + ": Transition from " + old + " to " + state + " via " + input + " with stack " + stackItem);
     }
 
     /**
@@ -232,6 +237,6 @@ public class PDA {
 
     @Override
     public String toString() {
-        return "State: " + state + " Stack: " + stack;
+        return "PDA " + id + ": State: " + state + " Stack: " + stack;
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index ae6390ce..5b42101c 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -2,8 +2,10 @@ package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
@@ -18,9 +20,11 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_COMP_LIT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_LIT;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.KEY;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT_LIT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PASSPHRASE;
+import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PENC_COMP_LIT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PLAINTEXT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SENC_LIT;
 import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SIG_LIT;
@@ -69,6 +73,14 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(PLAINTEXT, plain);
     }
 
+    @Test
+    public void testProcessPENC_COMP_LIT() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        String plain = process(PENC_COMP_LIT, ConsumerOptions.get()
+                .addDecryptionKey(secretKeys));
+        assertEquals(PLAINTEXT, plain);
+    }
+
     private String process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
index a84da9d5..8da44ec8 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
@@ -7,6 +7,7 @@ import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
@@ -124,6 +125,17 @@ public class PGPDecryptionStreamTest {
             "=i4Y0\n" +
             "-----END PGP MESSAGE-----";
 
+    public static final String PENC_COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "hF4Dyqa/GWUy6WsSAQdAQ62BwmUt8Iby0+jvrLhMgST79KR/as+dyl0nf1uki2sw\n" +
+            "Thg1Ojtf0hOyJgcpQ4nP2Q0wYFR0F1sCydaIlTGreYZHlGtybP7/Ml6KNZILTRWP\n" +
+            "0kYBkGBgK7oQWRIVyoF2POvEP6EX1X8nvQk7O3NysVdRVbnia7gE3AzRYuha4kxs\n" +
+            "pI6xJkntLMS3K6him1Y9FHINIASFSB+C\n" +
+            "=5p00\n" +
+            "-----END PGP MESSAGE-----";
+
     @Test
     public void genLIT() throws IOException {
         ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
@@ -328,4 +340,22 @@ public class PGPDecryptionStreamTest {
 
         System.out.println(out);
     }
+
+    @Test
+    public void genPENC_COMP_LIT() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream enc = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
+                                .addRecipient(cert))
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.ZLIB));
+
+        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
+        enc.close();
+
+        System.out.println(out);
+    }
 }

From 0753f4d38acbc0bf1f2257496871ffa26734b0e9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 14 Sep 2022 19:29:47 +0200
Subject: [PATCH 0705/1450] Work on getting signature verification to function
 again

---
 .../OpenPgpMessageInputStream.java            | 145 +++++++++++++-----
 .../automaton/PDA.java                        |   7 +
 2 files changed, 116 insertions(+), 36 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 788be4ab..e95c9ff7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -30,19 +30,24 @@ import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
 import org.pgpainless.decryption_verification.automaton.PDA;
+import org.pgpainless.decryption_verification.automaton.StackAlphabet;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.signature.consumer.DetachedSignatureCheck;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 public class OpenPgpMessageInputStream extends InputStream {
@@ -52,12 +57,12 @@ public class OpenPgpMessageInputStream extends InputStream {
     protected final BCPGInputStream bcpgIn;
     protected InputStream in;
 
-    private List signatures = new ArrayList<>();
-    private List onePassSignatures = new ArrayList<>();
+    private boolean closed = false;
+
+    private Signatures signatures = new Signatures();
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
-        this.options = options;
         // TODO: Use BCPGInputStream.wrap(inputStream);
         if (inputStream instanceof BCPGInputStream) {
             this.bcpgIn = (BCPGInputStream) inputStream;
@@ -65,41 +70,61 @@ public class OpenPgpMessageInputStream extends InputStream {
             this.bcpgIn = new BCPGInputStream(inputStream);
         }
 
-        walk();
+        this.options = options;
+        this.signatures.addDetachedSignatures(options.getDetachedSignatures());
+
+        consumePackets();
     }
 
-    private void walk() throws IOException, PGPException {
-        loop: while (true) {
-
-            int tag = bcpgIn.nextPacketTag();
-            if (tag == -1) {
-                break loop;
-            }
-
+    /**
+     * This method consumes OpenPGP packets from the current {@link BCPGInputStream}.
+     * Once it reaches a "nested" OpenPGP packet (Literal Data, Compressed Data, Encrypted Data), it sets 
in

+     * to the nested stream and breaks the loop.
+     * The nested stream is either a simple {@link InputStream} (in case of Literal Data), or another
+     * {@link OpenPgpMessageInputStream} in case of Compressed and Encrypted Data.
+     *
+     * @throws IOException
+     * @throws PGPException
+     */
+    private void consumePackets()
+            throws IOException, PGPException {
+        int tag;
+        loop: while ((tag = bcpgIn.nextPacketTag()) != -1) {
             OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
             switch (nextPacket) {
+
+                // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
                     PGPLiteralData literalData = new PGPLiteralData(bcpgIn);
                     in = literalData.getDataStream();
                     break loop;
 
+                // Compressed Data - the content contains another OpenPGP message
                 case COMP:
                     automaton.next(InputAlphabet.CompressedData);
                     PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
                     in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options);
                     break loop;
 
+                // One Pass Signatures
                 case OPS:
                     automaton.next(InputAlphabet.OnePassSignatures);
-                    readOnePassSignatures();
+                    signatures.addOnePassSignatures(readOnePassSignatures());
                     break;
 
+                // Signatures - either prepended to the message, or corresponding to the One Pass Signatures
                 case SIG:
                     automaton.next(InputAlphabet.Signatures);
-                    readSignatures();
+                    PGPSignatureList signatureList = readSignatures();
+                    if (automaton.peekStack() == StackAlphabet.ops) {
+                        signatures.addOnePassCorrespondingSignatures(signatureList);
+                    } else {
+                        signatures.addPrependedSignatures(signatureList);
+                    }
                     break;
 
+                // Encrypted Data (ESKs and SED/SEIPD are parsed the same by BC)
                 case PKESK:
                 case SKESK:
                 case SED:
@@ -200,6 +225,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     bcpgIn.readPacket(); // skip marker packet
                     break;
 
+                // Key Packets are illegal in this context
                 case SK:
                 case PK:
                 case SSK:
@@ -209,13 +235,14 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case UATTR:
 
                 case MOD:
-                    break;
+                    throw new MalformedOpenPgpMessageException("Unexpected Packet in Stream: " + nextPacket);
 
+                // Experimental Packets are not supported
                 case EXP_1:
                 case EXP_2:
                 case EXP_3:
                 case EXP_4:
-                    break;
+                    throw new MalformedOpenPgpMessageException("Unsupported Packet in Stream: " + nextPacket);
             }
         }
     }
@@ -247,7 +274,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         return null;
     }
 
-    private void readOnePassSignatures() throws IOException {
+    private PGPOnePassSignatureList readOnePassSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag = bcpgIn.nextPacketTag();
@@ -262,12 +289,10 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
         PGPOnePassSignatureList signatureList = (PGPOnePassSignatureList) objectFactory.nextObject();
-        for (PGPOnePassSignature ops : signatureList) {
-            onePassSignatures.add(ops);
-        }
+        return signatureList;
     }
 
-    private void readSignatures() throws IOException {
+    private PGPSignatureList readSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag = bcpgIn.nextPacketTag();
@@ -283,9 +308,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
         PGPSignatureList signatureList = (PGPSignatureList) objectFactory.nextObject();
-        for (PGPSignature signature : signatureList) {
-            signatures.add(signature);
-        }
+        return signatureList;
     }
 
     @Override
@@ -298,15 +321,17 @@ public class OpenPgpMessageInputStream extends InputStream {
                 //
             }
         }
-        if (r == -1) {
+        if (r != -1) {
+            byte b = (byte) r;
+            signatures.update(b);
+        } else {
             if (in instanceof OpenPgpMessageInputStream) {
-                System.out.println("Read -1: close " + automaton);
                 in.close();
                 in = null;
             } else {
                 try {
                     System.out.println("Walk " + automaton);
-                    walk();
+                    consumePackets();
                 } catch (PGPException e) {
                     throw new RuntimeException(e);
                 }
@@ -317,25 +342,24 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     @Override
     public void close() throws IOException {
-        if (in == null) {
-            System.out.println("Close " + automaton);
-            automaton.next(InputAlphabet.EndOfSequence);
-            automaton.assertValid();
+        if (closed) {
             return;
         }
-        try {
+
+        if (in != null) {
             in.close();
-            in = null;
-            // Nested streams (except LiteralData) need to be closed.
+            in = null; // TODO: Collect result of in before nulling
             if (automaton.getState() != PDA.State.LiteralMessage) {
                 automaton.next(InputAlphabet.EndOfSequence);
                 automaton.assertValid();
             }
-        } catch (IOException e) {
-            //
+        } else {
+            automaton.next(InputAlphabet.EndOfSequence);
+            automaton.assertValid();
         }
 
         super.close();
+        closed = true;
     }
 
     private static class SortedESKs {
@@ -369,4 +393,53 @@ public class OpenPgpMessageInputStream extends InputStream {
             return esks;
         }
     }
+
+    private static class Signatures {
+        List detachedSignatures = new ArrayList<>();
+        List prependedSignatures = new ArrayList<>();
+        List onePassSignatures = new ArrayList<>();
+        List correspondingSignatures = new ArrayList<>();
+
+        void addDetachedSignatures(Collection signatures) {
+            this.detachedSignatures.addAll(signatures);
+        }
+
+        void addPrependedSignatures(PGPSignatureList signatures) {
+            for (PGPSignature signature : signatures) {
+                this.prependedSignatures.add(signature);
+            }
+        }
+
+        void addOnePassSignatures(PGPOnePassSignatureList signatures) {
+            for (PGPOnePassSignature ops : signatures) {
+                this.onePassSignatures.add(ops);
+            }
+        }
+
+        void addOnePassCorrespondingSignatures(PGPSignatureList signatures) {
+            for (PGPSignature signature : signatures) {
+                correspondingSignatures.add(signature);
+            }
+        }
+
+        public void update(byte b) {
+            /**
+            for (PGPSignature prepended : prependedSignatures) {
+                prepended.update(b);
+            }
+            for (PGPOnePassSignature ops : onePassSignatures) {
+                ops.update(b);
+            }
+            for (PGPSignature detached : detachedSignatures) {
+                detached.update(b);
+            }
+             */
+        }
+
+        public void finish() {
+            for (PGPSignature detached : detachedSignatures) {
+
+            }
+        }
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index a3384070..793a3451 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -202,6 +202,13 @@ public class PDA {
         return state;
     }
 
+    public StackAlphabet peekStack() {
+        if (stack.isEmpty()) {
+            return null;
+        }
+        return stack.peek();
+    }
+
     /**
      * Return true, if the PDA is in a valid state (the OpenPGP message is valid).
      *

From 7b9db97212eb541ffa05ad026bdb49214103de17 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 14 Sep 2022 19:41:22 +0200
Subject: [PATCH 0706/1450] Clean close() method

---
 .../OpenPgpMessageInputStream.java                   | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index e95c9ff7..d95e3e3c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -348,17 +348,11 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         if (in != null) {
             in.close();
-            in = null; // TODO: Collect result of in before nulling
-            if (automaton.getState() != PDA.State.LiteralMessage) {
-                automaton.next(InputAlphabet.EndOfSequence);
-                automaton.assertValid();
-            }
-        } else {
-            automaton.next(InputAlphabet.EndOfSequence);
-            automaton.assertValid();
+            in = null;
         }
 
-        super.close();
+        automaton.next(InputAlphabet.EndOfSequence);
+        automaton.assertValid();
         closed = true;
     }
 

From 9366700895de58a8d4903718e515f4866888fe60 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 14 Sep 2022 20:10:42 +0200
Subject: [PATCH 0707/1450] Add read(b,off,len)

---
 .../OpenPgpMessageInputStream.java            | 71 +++++++++++++------
 1 file changed, 50 insertions(+), 21 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index d95e3e3c..4c6a85c8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -38,14 +38,12 @@ import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
-import org.pgpainless.signature.consumer.DetachedSignatureCheck;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -88,6 +86,7 @@ public class OpenPgpMessageInputStream extends InputStream {
      */
     private void consumePackets()
             throws IOException, PGPException {
+        System.out.println("Walk " + automaton);
         int tag;
         loop: while ((tag = bcpgIn.nextPacketTag()) != -1) {
             OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
@@ -237,7 +236,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case MOD:
                     throw new MalformedOpenPgpMessageException("Unexpected Packet in Stream: " + nextPacket);
 
-                // Experimental Packets are not supported
+                    // Experimental Packets are not supported
                 case EXP_1:
                 case EXP_2:
                 case EXP_3:
@@ -313,15 +312,19 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     @Override
     public int read() throws IOException {
-        int r = -1;
-        if (in != null) {
-            try {
-                r = in.read();
-            } catch (IOException e) {
-                //
-            }
+        if (in == null) {
+            automaton.assertValid();
+            return -1;
         }
-        if (r != -1) {
+
+        int r;
+        try {
+            r = in.read();
+        } catch (IOException e) {
+            r = -1;
+        }
+        boolean eos = r == -1;
+        if (!eos) {
             byte b = (byte) r;
             signatures.update(b);
         } else {
@@ -330,7 +333,32 @@ public class OpenPgpMessageInputStream extends InputStream {
                 in = null;
             } else {
                 try {
-                    System.out.println("Walk " + automaton);
+                    System.out.println("Read consume");
+                    consumePackets();
+                } catch (PGPException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        }
+        return r;
+    }
+
+    @Override
+    public int read(byte[] b, int off, int len)
+            throws IOException {
+
+        if (in == null) {
+            automaton.assertValid();
+            return -1;
+        }
+
+        int r = in.read(b, off, len);
+        if (r == -1) {
+            if (in instanceof OpenPgpMessageInputStream) {
+                in.close();
+                in = null;
+            } else {
+                try {
                     consumePackets();
                 } catch (PGPException e) {
                     throw new RuntimeException(e);
@@ -343,6 +371,7 @@ public class OpenPgpMessageInputStream extends InputStream {
     @Override
     public void close() throws IOException {
         if (closed) {
+            automaton.assertValid();
             return;
         }
 
@@ -418,15 +447,15 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         public void update(byte b) {
             /**
-            for (PGPSignature prepended : prependedSignatures) {
-                prepended.update(b);
-            }
-            for (PGPOnePassSignature ops : onePassSignatures) {
-                ops.update(b);
-            }
-            for (PGPSignature detached : detachedSignatures) {
-                detached.update(b);
-            }
+             for (PGPSignature prepended : prependedSignatures) {
+             prepended.update(b);
+             }
+             for (PGPOnePassSignature ops : onePassSignatures) {
+             ops.update(b);
+             }
+             for (PGPSignature detached : detachedSignatures) {
+             detached.update(b);
+             }
              */
         }
 

From 54d7d0c7aeaac5a31dbfe15d7459074c590413dd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 16 Sep 2022 00:51:49 +0200
Subject: [PATCH 0708/1450] Implement experimental signature verification
 (correctness only)

---
 .../MessageDecryptionStream.java              | 278 -------------
 .../OpenPgpMessageInputStream.java            | 167 +++++++-
 .../automaton/NestingPDA.java                 | 339 ----------------
 .../MalformedOpenPgpMessageException.java     |  15 -
 .../OpenPgpMessageInputStreamTest.java        | 368 +++++++++++++++++-
 .../PGPDecryptionStreamTest.java              | 361 -----------------
 .../automaton/NestingPDATest.java             | 205 ----------
 7 files changed, 497 insertions(+), 1236 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
deleted file mode 100644
index 335e9d57..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageDecryptionStream.java
+++ /dev/null
@@ -1,278 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import org.bouncycastle.bcpg.BCPGInputStream;
-import org.bouncycastle.bcpg.BCPGOutputStream;
-import org.bouncycastle.bcpg.ModDetectionCodePacket;
-import org.bouncycastle.bcpg.OnePassSignaturePacket;
-import org.bouncycastle.bcpg.Packet;
-import org.bouncycastle.bcpg.PacketTags;
-import org.bouncycastle.bcpg.PublicKeyEncSessionPacket;
-import org.bouncycastle.bcpg.SignaturePacket;
-import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket;
-import org.bouncycastle.openpgp.PGPCompressedData;
-import org.bouncycastle.openpgp.PGPEncryptedData;
-import org.bouncycastle.openpgp.PGPEncryptedDataList;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPOnePassSignatureList;
-import org.bouncycastle.openpgp.PGPPBEEncryptedData;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
-import org.pgpainless.algorithm.OpenPgpPacket;
-import org.pgpainless.decryption_verification.automaton.InputAlphabet;
-import org.pgpainless.decryption_verification.automaton.NestingPDA;
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
-import org.pgpainless.exception.MessageNotIntegrityProtectedException;
-import org.pgpainless.exception.MissingDecryptionMethodException;
-import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.util.Passphrase;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.SequenceInputStream;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.NoSuchElementException;
-import java.util.Stack;
-
-public class MessageDecryptionStream extends InputStream {
-
-    private final ConsumerOptions options;
-
-    NestingPDA automaton = new NestingPDA();
-    // nested streams, outermost at the bottom of the stack
-    Stack packetLayers = new Stack<>();
-    List pkeskList = new ArrayList<>();
-    List skeskList = new ArrayList<>();
-
-    public MessageDecryptionStream(InputStream inputStream, ConsumerOptions options)
-            throws IOException, PGPException {
-        this.options = options;
-        packetLayers.push(Layer.initial(inputStream));
-        walkLayer();
-    }
-
-    private void walkLayer() throws PGPException, IOException {
-        if (packetLayers.isEmpty()) {
-            return;
-        }
-
-        // We are currently in the deepest layer
-        Layer layer = packetLayers.peek();
-        BCPGInputStream inputStream = (BCPGInputStream) layer.inputStream;
-
-        loop: while (true) {
-            if (inputStream.nextPacketTag() == -1) {
-                popLayer();
-                break loop;
-            }
-            OpenPgpPacket tag = nextTagOrThrow(inputStream);
-            switch (tag) {
-
-                case LIT:
-                    automaton.next(InputAlphabet.LiteralData);
-                    PGPLiteralData literalData = new PGPLiteralData(inputStream);
-                    packetLayers.push(Layer.literalMessage(literalData.getDataStream()));
-                    break loop;
-
-                case COMP:
-                    automaton.next(InputAlphabet.CompressedData);
-                    PGPCompressedData compressedData = new PGPCompressedData(inputStream);
-                    inputStream = new BCPGInputStream(compressedData.getDataStream());
-                    packetLayers.push(Layer.compressedData(inputStream));
-                    break;
-
-                case OPS:
-                    automaton.next(InputAlphabet.OnePassSignatures);
-                    ByteArrayOutputStream buf = new ByteArrayOutputStream();
-                    BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-                    while (inputStream.nextPacketTag() == PacketTags.ONE_PASS_SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
-                        Packet packet = inputStream.readPacket();
-                        if (packet instanceof OnePassSignaturePacket) {
-                            OnePassSignaturePacket sig = (OnePassSignaturePacket) packet;
-                            sig.encode(bcpgOut);
-                        }
-                    }
-                    PGPOnePassSignatureList onePassSignatures = (PGPOnePassSignatureList) ImplementationFactory.getInstance()
-                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
-                    break;
-
-                case SIG:
-                    automaton.next(InputAlphabet.Signatures);
-
-                    buf = new ByteArrayOutputStream();
-                    bcpgOut = new BCPGOutputStream(buf);
-                    while (inputStream.nextPacketTag() == PacketTags.SIGNATURE || inputStream.nextPacketTag() == PacketTags.MARKER) {
-                        Packet packet = inputStream.readPacket();
-                        if (packet instanceof SignaturePacket) {
-                            SignaturePacket sig = (SignaturePacket) packet;
-                            sig.encode(bcpgOut);
-                        }
-                    }
-                    PGPSignatureList signatures = (PGPSignatureList) ImplementationFactory.getInstance()
-                            .getPGPObjectFactory(buf.toByteArray()).nextObject();
-                    break;
-
-                case PKESK:
-                    PublicKeyEncSessionPacket pkeskPacket = (PublicKeyEncSessionPacket) inputStream.readPacket();
-                    pkeskList.add(pkeskPacket);
-                    break;
-
-                case SKESK:
-                    SymmetricKeyEncSessionPacket skeskPacket = (SymmetricKeyEncSessionPacket) inputStream.readPacket();
-                    skeskList.add(skeskPacket);
-                    break;
-
-                case SED:
-                    if (!options.isIgnoreMDCErrors()) {
-                        throw new MessageNotIntegrityProtectedException();
-                    }
-                    // No break; we continue below!
-                case SEIPD:
-                    automaton.next(InputAlphabet.EncryptedData);
-                    PGPEncryptedDataList encryptedDataList = assembleEncryptedDataList(inputStream);
-
-                    for (PGPEncryptedData encData : encryptedDataList) {
-                        if (encData instanceof PGPPBEEncryptedData) {
-                            PGPPBEEncryptedData skenc = (PGPPBEEncryptedData) encData;
-                            for (Passphrase passphrase : options.getDecryptionPassphrases()) {
-                                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                                        .getPBEDataDecryptorFactory(passphrase);
-                                InputStream decryptedIn = skenc.getDataStream(decryptorFactory);
-                                packetLayers.push(Layer.encryptedData(new BCPGInputStream(decryptedIn)));
-                                walkLayer();
-                                break loop;
-                            }
-                        }
-                    }
-                    throw new MissingDecryptionMethodException("Cannot decrypt message.");
-
-                case MARKER:
-                    inputStream.readPacket(); // discard
-                    break;
-
-                case SK:
-                case PK:
-                case SSK:
-                case PSK:
-                case TRUST:
-                case UID:
-                case UATTR:
-                    throw new MalformedOpenPgpMessageException("OpenPGP packet " + tag + " MUST NOT be part of OpenPGP messages.");
-                case MOD:
-                    ModDetectionCodePacket modDetectionCodePacket = (ModDetectionCodePacket) inputStream.readPacket();
-                    break;
-                case EXP_1:
-                case EXP_2:
-                case EXP_3:
-                case EXP_4:
-                    throw new MalformedOpenPgpMessageException("Experimental packet " + tag + " found inside the message.");
-            }
-        }
-    }
-
-    private PGPEncryptedDataList assembleEncryptedDataList(BCPGInputStream inputStream)
-            throws IOException {
-        ByteArrayOutputStream buf = new ByteArrayOutputStream();
-        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-
-        for (SymmetricKeyEncSessionPacket skesk : skeskList) {
-            bcpgOut.write(skesk.getEncoded());
-        }
-        skeskList.clear();
-        for (PublicKeyEncSessionPacket pkesk : pkeskList) {
-            bcpgOut.write(pkesk.getEncoded());
-        }
-        pkeskList.clear();
-
-        SequenceInputStream sqin = new SequenceInputStream(
-                new ByteArrayInputStream(buf.toByteArray()), inputStream);
-
-        PGPEncryptedDataList encryptedDataList = (PGPEncryptedDataList) ImplementationFactory.getInstance()
-                .getPGPObjectFactory(sqin).nextObject();
-        return encryptedDataList;
-    }
-
-    private OpenPgpPacket nextTagOrThrow(BCPGInputStream inputStream)
-            throws IOException, InvalidOpenPgpPacketException {
-        try {
-            return OpenPgpPacket.requireFromTag(inputStream.nextPacketTag());
-        } catch (NoSuchElementException e) {
-            throw new InvalidOpenPgpPacketException(e.getMessage());
-        }
-    }
-
-    private void popLayer() throws MalformedOpenPgpMessageException {
-        if (packetLayers.pop().isNested)
-            automaton.next(InputAlphabet.EndOfSequence);
-    }
-
-    @Override
-    public int read() throws IOException {
-        if (packetLayers.isEmpty()) {
-            automaton.assertValid();
-            return -1;
-        }
-
-        int r = -1;
-        try {
-            r = packetLayers.peek().inputStream.read();
-        } catch (IOException e) {
-        }
-        if (r == -1) {
-            popLayer();
-            try {
-                walkLayer();
-            } catch (PGPException e) {
-                throw new RuntimeException(e);
-            }
-            return read();
-        }
-        return r;
-    }
-
-    public static class InvalidOpenPgpPacketException extends PGPException {
-
-        public InvalidOpenPgpPacketException(String message) {
-            super(message);
-        }
-    }
-
-    private static class Layer {
-        InputStream inputStream;
-        boolean isNested;
-
-        private Layer(InputStream inputStream, boolean isNested) {
-            this.inputStream = inputStream;
-            this.isNested = isNested;
-        }
-
-        static Layer initial(InputStream inputStream) {
-            BCPGInputStream bcpgIn;
-            if (inputStream instanceof BCPGInputStream) {
-                bcpgIn = (BCPGInputStream) inputStream;
-            } else {
-                bcpgIn = new BCPGInputStream(inputStream);
-            }
-            return new Layer(bcpgIn, true);
-        }
-
-        static Layer literalMessage(InputStream inputStream) {
-            return new Layer(inputStream, false);
-        }
-
-        static Layer compressedData(InputStream inputStream) {
-            return new Layer(inputStream, true);
-        }
-
-        static Layer encryptedData(InputStream inputStream) {
-            return new Layer(inputStream, true);
-        }
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 4c6a85c8..8dff7189 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -18,11 +18,13 @@ import org.bouncycastle.openpgp.PGPPBEEncryptedData;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
 import org.pgpainless.PGPainless;
@@ -38,6 +40,7 @@ import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
 
@@ -57,7 +60,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private boolean closed = false;
 
-    private Signatures signatures = new Signatures();
+    private Signatures signatures;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
@@ -69,6 +72,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         this.options = options;
+        this.signatures = new Signatures(options);
         this.signatures.addDetachedSignatures(options.getDetachedSignatures());
 
         consumePackets();
@@ -88,8 +92,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             throws IOException, PGPException {
         System.out.println("Walk " + automaton);
         int tag;
-        loop: while ((tag = bcpgIn.nextPacketTag()) != -1) {
+        loop: while ((tag = getTag()) != -1) {
             OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
+            System.out.println(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
@@ -114,9 +119,10 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                 // Signatures - either prepended to the message, or corresponding to the One Pass Signatures
                 case SIG:
+                    boolean isCorrespondingToOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
                     PGPSignatureList signatureList = readSignatures();
-                    if (automaton.peekStack() == StackAlphabet.ops) {
+                    if (isCorrespondingToOPS) {
                         signatures.addOnePassCorrespondingSignatures(signatureList);
                     } else {
                         signatures.addPrependedSignatures(signatureList);
@@ -246,6 +252,19 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
+    private int getTag() throws IOException {
+        try {
+            return bcpgIn.nextPacketTag();
+        } catch (IOException e) {
+            if ("Stream closed".equals(e.getMessage())) {
+                // ZipInflater Streams sometimes close under our feet -.-
+                // Therefore we catch resulting IOEs and return -1 instead.
+                return -1;
+            }
+            throw e;
+        }
+    }
+
     private List> findPotentialDecryptionKeys(PGPPublicKeyEncryptedData pkesk) {
         int algorithm = pkesk.getAlgorithm();
         List> decryptionKeyCandidates = new ArrayList<>();
@@ -276,8 +295,8 @@ public class OpenPgpMessageInputStream extends InputStream {
     private PGPOnePassSignatureList readOnePassSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-        int tag = bcpgIn.nextPacketTag();
-        while (tag == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
+        int tag;
+        while ((tag = getTag()) == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
             Packet packet = bcpgIn.readPacket();
             if (tag == PacketTags.ONE_PASS_SIGNATURE) {
                 OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
@@ -294,13 +313,13 @@ public class OpenPgpMessageInputStream extends InputStream {
     private PGPSignatureList readSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-        int tag = bcpgIn.nextPacketTag();
+        int tag = getTag();
         while (tag == PacketTags.SIGNATURE || tag == PacketTags.MARKER) {
             Packet packet = bcpgIn.readPacket();
             if (tag == PacketTags.SIGNATURE) {
                 SignaturePacket sigPacket = (SignaturePacket) packet;
                 sigPacket.encode(bcpgOut);
-                tag = bcpgIn.nextPacketTag();
+                tag = getTag();
             }
         }
         bcpgOut.close();
@@ -328,6 +347,16 @@ public class OpenPgpMessageInputStream extends InputStream {
             byte b = (byte) r;
             signatures.update(b);
         } else {
+            in.close();
+            in = null;
+
+            try {
+                consumePackets();
+            } catch (PGPException e) {
+                throw new RuntimeException(e);
+            }
+            signatures.finish();
+            /*
             if (in instanceof OpenPgpMessageInputStream) {
                 in.close();
                 in = null;
@@ -335,10 +364,12 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     System.out.println("Read consume");
                     consumePackets();
+                    signatures.finish();
                 } catch (PGPException e) {
                     throw new RuntimeException(e);
                 }
             }
+             */
         }
         return r;
     }
@@ -354,6 +385,16 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         int r = in.read(b, off, len);
         if (r == -1) {
+            in.close();
+            in = null;
+
+            try {
+                consumePackets();
+            } catch (PGPException e) {
+                throw new RuntimeException(e);
+            }
+            signatures.finish();
+            /*
             if (in instanceof OpenPgpMessageInputStream) {
                 in.close();
                 in = null;
@@ -364,6 +405,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     throw new RuntimeException(e);
                 }
             }
+             */
         }
         return r;
     }
@@ -380,6 +422,12 @@ public class OpenPgpMessageInputStream extends InputStream {
             in = null;
         }
 
+        try {
+            consumePackets();
+        } catch (PGPException e) {
+            throw new RuntimeException(e);
+        }
+
         automaton.next(InputAlphabet.EndOfSequence);
         automaton.assertValid();
         closed = true;
@@ -418,50 +466,133 @@ public class OpenPgpMessageInputStream extends InputStream {
     }
 
     private static class Signatures {
+        final ConsumerOptions options;
         List detachedSignatures = new ArrayList<>();
         List prependedSignatures = new ArrayList<>();
         List onePassSignatures = new ArrayList<>();
         List correspondingSignatures = new ArrayList<>();
 
+
+        private Signatures(ConsumerOptions options) {
+            this.options = options;
+        }
+
         void addDetachedSignatures(Collection signatures) {
+            for (PGPSignature signature : signatures) {
+                long keyId = SignatureUtils.determineIssuerKeyId(signature);
+                PGPPublicKeyRing certificate = findCertificate(keyId);
+                initialize(signature, certificate, keyId);
+            }
             this.detachedSignatures.addAll(signatures);
         }
 
         void addPrependedSignatures(PGPSignatureList signatures) {
+            System.out.println("Adding " + signatures.size() + " prepended Signatures");
             for (PGPSignature signature : signatures) {
+                long keyId = SignatureUtils.determineIssuerKeyId(signature);
+                PGPPublicKeyRing certificate = findCertificate(keyId);
+                initialize(signature, certificate, keyId);
                 this.prependedSignatures.add(signature);
             }
         }
 
         void addOnePassSignatures(PGPOnePassSignatureList signatures) {
+            System.out.println("Adding " + signatures.size() + " OPSs");
             for (PGPOnePassSignature ops : signatures) {
+                PGPPublicKeyRing certificate = findCertificate(ops.getKeyID());
+                initialize(ops, certificate);
                 this.onePassSignatures.add(ops);
             }
         }
 
         void addOnePassCorrespondingSignatures(PGPSignatureList signatures) {
+            System.out.println("Adding " + signatures.size() + " Corresponding Signatures");
             for (PGPSignature signature : signatures) {
                 correspondingSignatures.add(signature);
             }
         }
 
+        private void initialize(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
+            if (certificate == null) {
+                // SHIT
+                return;
+            }
+            PGPContentVerifierBuilderProvider verifierProvider = ImplementationFactory.getInstance()
+                    .getPGPContentVerifierBuilderProvider();
+            try {
+                signature.init(verifierProvider, certificate.getPublicKey(keyId));
+            } catch (PGPException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        private void initialize(PGPOnePassSignature ops, PGPPublicKeyRing certificate) {
+            if (certificate == null) {
+                return;
+            }
+            PGPContentVerifierBuilderProvider verifierProvider = ImplementationFactory.getInstance()
+                    .getPGPContentVerifierBuilderProvider();
+            try {
+                ops.init(verifierProvider, certificate.getPublicKey(ops.getKeyID()));
+            } catch (PGPException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        private PGPPublicKeyRing findCertificate(long keyId) {
+            for (PGPPublicKeyRing cert : options.getCertificates()) {
+                PGPPublicKey verificationKey = cert.getPublicKey(keyId);
+                if (verificationKey != null) {
+                    return cert;
+                }
+            }
+            return null; // TODO: Missing cert for sig
+        }
+
         public void update(byte b) {
-            /**
-             for (PGPSignature prepended : prependedSignatures) {
-             prepended.update(b);
-             }
-             for (PGPOnePassSignature ops : onePassSignatures) {
-             ops.update(b);
-             }
-             for (PGPSignature detached : detachedSignatures) {
-             detached.update(b);
-             }
-             */
+            for (PGPSignature prepended : prependedSignatures) {
+                prepended.update(b);
+            }
+            for (PGPOnePassSignature ops : onePassSignatures) {
+                ops.update(b);
+            }
+            for (PGPSignature detached : detachedSignatures) {
+                detached.update(b);
+            }
         }
 
         public void finish() {
             for (PGPSignature detached : detachedSignatures) {
+                boolean verified = false;
+                try {
+                    verified = detached.verify();
+                } catch (PGPException e) {
+                    System.out.println(e.getMessage());
+                }
+                System.out.println("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+            }
 
+            for (PGPSignature prepended : prependedSignatures) {
+                boolean verified = false;
+                try {
+                    verified = prepended.verify();
+                } catch (PGPException e) {
+                    System.out.println(e.getMessage());
+                }
+                System.out.println("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+            }
+
+
+            for (int i = 0; i < onePassSignatures.size(); i++) {
+                PGPOnePassSignature ops = onePassSignatures.get(i);
+                PGPSignature signature = correspondingSignatures.get(correspondingSignatures.size() - i - 1);
+                boolean verified = false;
+                try {
+                    verified = ops.verify(signature);
+                } catch (PGPException e) {
+                    System.out.println(e.getMessage());
+                }
+                System.out.println("One-Pass-Signature by " + Long.toHexString(ops.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
deleted file mode 100644
index cf5ee674..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/NestingPDA.java
+++ /dev/null
@@ -1,339 +0,0 @@
-package org.pgpainless.decryption_verification.automaton;
-
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
-
-import java.util.Stack;
-
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.msg;
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ops;
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.terminus;
-
-/**
- * Pushdown Automaton to verify the correct syntax of OpenPGP messages during decryption.
- * 

- * OpenPGP messages MUST follow certain rules in order to be well-formed.
- * Section §11.3. of RFC4880 specifies a formal grammar for OpenPGP messages.
- * 

- * This grammar was transformed into a pushdown automaton, which is implemented below.
- * The automaton only ends up in a valid state ({@link #isValid()} iff the OpenPGP message conformed to the
- * grammar.
- * 

- * There are some specialties with this implementation though:
- * Bouncy Castle combines ESKs and Encrypted Data Packets into a single object, so we do not have to
- * handle those manually.
- * 

- * Bouncy Castle further combines OnePassSignatures and Signatures into lists, so instead of pushing multiple
- * 'o's onto the stack repeatedly, a sequence of OnePassSignatures causes a single 'o' to be pushed to the stack.
- * The same is true for Signatures.
- * 

- * Therefore, a message is valid, even if the number of OnePassSignatures and Signatures does not match.
- * If a message contains at least one OnePassSignature, it is sufficient if there is at least one Signature to
- * not cause a {@link MalformedOpenPgpMessageException}.
- *
- * @see RFC4880 §11.3. OpenPGP Messages
- */
-public class NestingPDA {
-
-    /**
-     * Set of states of the automaton.
-     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, NestingPDA)}
-     * method.
-     */
-    public enum State {
-
-        OpenPgpMessage {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                if (stackItem != msg) {
-                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-                switch (input) {
-
-                    case LiteralData:
-                        return LiteralMessage;
-
-                    case Signatures:
-                        automaton.pushStack(msg);
-                        return OpenPgpMessage;
-
-                    case OnePassSignatures:
-                        automaton.pushStack(ops);
-                        automaton.pushStack(msg);
-                        return OpenPgpMessage;
-
-                    case CompressedData:
-                        return CompressedMessage;
-
-                    case EncryptedData:
-                        return EncryptedMessage;
-
-                    case EndOfSequence:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        LiteralMessage {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-
-                    case Signatures:
-                        if (stackItem == ops) {
-                            return CorrespondingSignature;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignatures:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        CompressedMessage {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-                    case Signatures:
-                        if (stackItem == ops) {
-                            return CorrespondingSignature;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignatures:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        EncryptedMessage {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-                    case Signatures:
-                        if (stackItem == ops) {
-                            return CorrespondingSignature;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignatures:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        CorrespondingSignature {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                if (stackItem == terminus && input == InputAlphabet.EndOfSequence && automaton.stack.isEmpty()) {
-                    return Valid;
-                } else {
-                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        Valid {
-            @Override
-            State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException {
-                throw new MalformedOpenPgpMessageException(this, input, null);
-            }
-        },
-        ;
-
-        /**
-         * Pop the automatons stack and transition to another state.
-         * If no valid transition from the current state is available given the popped stack item and input symbol,
-         * a {@link MalformedOpenPgpMessageException} is thrown.
-         * Otherwise, the stack is manipulated according to the valid transition and the new state is returned.
-         *
-         * @param input     input symbol
-         * @param automaton automaton
-         * @return new state of the automaton
-         * @throws MalformedOpenPgpMessageException in case of an illegal input symbol
-         */
-        abstract State transition(InputAlphabet input, NestingPDA automaton) throws MalformedOpenPgpMessageException;
-    }
-
-    private final Stack stack = new Stack<>();
-    private State state;
-    // Some OpenPGP packets have nested contents (e.g. compressed / encrypted data).
-    NestingPDA nestedSequence = null;
-
-    public NestingPDA() {
-        state = State.OpenPgpMessage;
-        stack.push(terminus);
-        stack.push(msg);
-    }
-
-    /**
-     * Process the next input packet.
-     *
-     * @param input input
-     * @throws MalformedOpenPgpMessageException in case the input packet is illegal here
-     */
-    public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
-        _next(input);
-    }
-
-    /**
-     * Process the next input packet.
-     * This method returns true, iff the given input triggered a successful closing of this PDAs nested PDA.
-     * 

-     * This is for example the case, if the current packet is a Compressed Data packet which contains a
-     * valid nested OpenPGP message and the last input was {@link InputAlphabet#EndOfSequence} indicating the
-     * end of the Compressed Data packet.
-     * 

-     * If the input triggered this PDAs nested PDA to close its nested PDA, this method returns false
-     * in order to prevent this PDA from closing its nested PDA prematurely.
-     *
-     * @param input input
-     * @return true if this just closed its nested sequence, false otherwise
-     * @throws MalformedOpenPgpMessageException if the input is illegal
-     */
-    private boolean _next(InputAlphabet input) throws MalformedOpenPgpMessageException {
-        if (nestedSequence != null) {
-            boolean sequenceInNestedSequenceWasClosed = nestedSequence._next(input);
-            if (sequenceInNestedSequenceWasClosed) return false; // No need to close out nested sequence too.
-        } else {
-            // make a state transition in this automaton
-            state = state.transition(input, this);
-
-            // If the processed packet contains nested sequence, open nested automaton for it
-            if (input == InputAlphabet.CompressedData || input == InputAlphabet.EncryptedData) {
-                nestedSequence = new NestingPDA();
-            }
-        }
-
-        if (input != InputAlphabet.EndOfSequence) {
-            return false;
-        }
-
-        // Close nested sequence if needed
-        boolean nestedIsInnerMost = nestedSequence != null && nestedSequence.isInnerMost();
-        if (nestedIsInnerMost) {
-            if (nestedSequence.isValid()) {
-                // Close nested sequence
-                nestedSequence = null;
-                return true;
-            } else {
-                throw new MalformedOpenPgpMessageException("Climbing up nested message validation failed." +
-                        " Automaton for current nesting level is not in valid state: " + nestedSequence.getState() + " " + nestedSequence.stack.peek() + " (Input was " + input + ")");
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Return the current state of the PDA.
-     *
-     * @return state
-     */
-    private State getState() {
-        return state;
-    }
-
-    /**
-     * Return true, if the PDA is in a valid state (the OpenPGP message is valid).
-     *
-     * @return true if valid, false otherwise
-     */
-    public boolean isValid() {
-        return getState() == State.Valid && stack.isEmpty();
-    }
-
-    public void assertValid() throws MalformedOpenPgpMessageException {
-        if (!isValid()) {
-            throw new MalformedOpenPgpMessageException("Pushdown Automaton is not in an acceptable state: " + toString());
-        }
-    }
-
-    /**
-     * Pop an item from the stack.
-     *
-     * @return stack item
-     */
-    private StackAlphabet popStack() {
-        return stack.pop();
-    }
-
-    /**
-     * Push an item onto the stack.
-     *
-     * @param item item
-     */
-    private void pushStack(StackAlphabet item) {
-        stack.push(item);
-    }
-
-    /**
-     * Return true, if this packet sequence has no nested sequence.
-     * A nested sequence is for example the content of a Compressed Data packet.
-     *
-     * @return true if PDA is innermost, false if it has a nested sequence
-     */
-    private boolean isInnerMost() {
-        return nestedSequence == null;
-    }
-
-    @Override
-    public String toString() {
-        StringBuilder out = new StringBuilder("State: ").append(state)
-                .append(", Stack (asc.): ").append(stack)
-                .append('\n');
-        if (nestedSequence != null) {
-            // recursively call toString() on nested PDAs and indent their representation
-            String nestedToString = nestedSequence.toString();
-            String[] lines = nestedToString.split("\n");
-            for (int i = 0; i < lines.length; i++) {
-                String nestedLine = lines[i];
-                out.append(i == 0 ? "⤡ " : "  ") // indent nested PDA
-                        .append(nestedLine)
-                        .append('\n');
-            }
-        }
-        return out.toString();
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index 21b6e807..0069209c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -5,7 +5,6 @@
 package org.pgpainless.exception;
 
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
-import org.pgpainless.decryption_verification.automaton.NestingPDA;
 import org.pgpainless.decryption_verification.automaton.PDA;
 import org.pgpainless.decryption_verification.automaton.StackAlphabet;
 
@@ -21,21 +20,7 @@ public class MalformedOpenPgpMessageException extends RuntimeException {
         super(message);
     }
 
-    public MalformedOpenPgpMessageException(String message, MalformedOpenPgpMessageException cause) {
-        super(message, cause);
-    }
-
-    public MalformedOpenPgpMessageException(NestingPDA.State state,
-                                            InputAlphabet input,
-                                            StackAlphabet stackItem) {
-        this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
-    }
-
     public MalformedOpenPgpMessageException(PDA.State state, InputAlphabet input, StackAlphabet stackItem) {
         this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
-
-    public MalformedOpenPgpMessageException(String message, PDA automaton) {
-        super(message + automaton.toString());
-    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 5b42101c..af1fac44 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -1,87 +1,402 @@
 package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.CompressionAlgorithmTags;
+import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionResult;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_COMP_LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.COMP_LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.KEY;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.LIT_LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PASSPHRASE;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PENC_COMP_LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.PLAINTEXT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SENC_LIT;
-import static org.pgpainless.decryption_verification.PGPDecryptionStreamTest.SIG_LIT;
 
 public class OpenPgpMessageInputStreamTest {
 
+
+    public static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: DA05 848F 37D4 68E6 F982  C889 7A70 1FC6 904D 3F4C\n" +
+            "Comment: Alice \n" +
+            "\n" +
+            "lFgEYxzSCBYJKwYBBAHaRw8BAQdAeJU8m4GOJb1eQgv/ryilFHRfNLTYFMNqL6zj\n" +
+            "r0vF7dsAAP42rAtngpJ6dZxoZlJX0Je65zk1VMPeTrXaWfPS2HSKBRGptBxBbGlj\n" +
+            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMc0ggJEHpwH8aQTT9M\n" +
+            "FiEE2gWEjzfUaOb5gsiJenAfxpBNP0wCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
+            "AQAApZEBALUXHtvswPZG28YO+16Men6/fpk+scvqpNMnD4ty3IkAAPwK6TuXjNnZ\n" +
+            "0XuWdnilvLMV23Ai1d5g6em+lwLK5M2SApxdBGMc0ggSCisGAQQBl1UBBQEBB0D8\n" +
+            "mNUVX8y2MXFaSeFYqOTPFnGT7dgNVdn6yc0UtkkHOgMBCAcAAP9y9OtP4SX9voPb\n" +
+            "ID2u9PkJKgo4hTB8NK5LouGppdRtEBGriHUEGBYKAB0FAmMc0ggCngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRB6cB/GkE0/TAywAQDpZRJS/joFH4+xcwheqWfI7ay/\n" +
+            "WfojUoGQMYGnUjsgYwEAkceRUsgkqI0SVgYvuglfaQpZ9k2ns1mZGVLkXvu/yQyc\n" +
+            "WARjHNIIFgkrBgEEAdpHDwEBB0BGN9BybSOrj8B6gim1SjbB/IiqAshlzMDunVkQ\n" +
+            "X23npQABAJqvjOOY7qhBuTusC5/Q5+25iLrhMn4TI+LXlJHMVNOaE0OI1QQYFgoA\n" +
+            "fQUCYxzSCAKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmMc0ggACgkQ\n" +
+            "KALh4BJQXl6yTQD/dh0N5228Uwtu7XHy6dmpMRX62cac5tXQ9WaDzpy8STgBAMdn\n" +
+            "Mq948UOYEhdk/ZY2/hwux/4t+FHvqrXW8ziBe4cLAAoJEHpwH8aQTT9M1hQA/3Ms\n" +
+            "P3kzoed3VsWu1ZMr7dKEngbc6SoJ2XPayzN0QYJaAQCIY5NcT9mZF97HWV3Vgeum\n" +
+            "00sWMHXfkW3+nl5OpUZaDA==\n" +
+            "=THgv\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    public static final String PLAINTEXT = "Hello, World!\n";
+    public static final String PASSPHRASE = "sw0rdf1sh";
+
+    public static final String LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "yxRiAAAAAABIZWxsbywgV29ybGQhCg==\n" +
+            "=WGju\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String LIT_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "yxRiAAAAAABIZWxsbywgV29ybGQhCssUYgAAAAAASGVsbG8sIFdvcmxkIQo=\n" +
+            "=A91Q\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owE7LZLEAAIeqTk5+ToK4flFOSmKXAA=\n" +
+            "=ZYDg\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String COMP = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owEDAA==\n" +
+            "=MDzg\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String COMP_COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "owEBRwC4/6MDQlpoOTFBWSZTWVuW2KAAAAr3hGAQBABgBABAAIAWBJAAAAggADFM\n" +
+            "ABNBqBo00N6puqWR+TqInoXQ58XckU4UJBbltigA\n" +
+            "=K9Zl\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String SIG_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "iHUEABYKACcFAmMc1i0JECgC4eASUF5eFiEEjN3RiJxCf/TyYOQjKALh4BJQXl4A\n" +
+            "AHkrAP98uPpqrgIix7epgL7MM1cjXXGSxqbDfXHwgptk1YGQlgD/fw89VGcXwFaI\n" +
+            "2k7kpXQYy/1BqnovM/jZ3X3mXhhTaAOjATstksQAAh6pOTn5Ogrh+UU5KYpcAA==\n" +
+            "=WKPn\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String SENC_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "jA0ECQMCuZ0qHNXWnGhg0j8Bdm1cxV65sYb7jDgb4rRMtdNpQ1dC4UpSYuk9YWS2\n" +
+            "DpNEijbX8b/P1UOK2kJczNDADMRegZuLEI+dNsBnJjk=\n" +
+            "=i4Y0\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String PENC_COMP_LIT = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "hF4Dyqa/GWUy6WsSAQdAQ62BwmUt8Iby0+jvrLhMgST79KR/as+dyl0nf1uki2sw\n" +
+            "Thg1Ojtf0hOyJgcpQ4nP2Q0wYFR0F1sCydaIlTGreYZHlGtybP7/Ml6KNZILTRWP\n" +
+            "0kYBkGBgK7oQWRIVyoF2POvEP6EX1X8nvQk7O3NysVdRVbnia7gE3AzRYuha4kxs\n" +
+            "pI6xJkntLMS3K6him1Y9FHINIASFSB+C\n" +
+            "=5p00\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static final String OPS_LIT_SIG = "" +
+            "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "kA0DAAoWKALh4BJQXl4ByxRiAAAAAABIZWxsbywgV29ybGQhCoh1BAAWCgAnBQJj\n" +
+            "I3fSCRAoAuHgElBeXhYhBIzd0YicQn/08mDkIygC4eASUF5eAADLOgEA766VyMMv\n" +
+            "sxfQwQHly3T6ySHSNhYEpoyvdxVqhjBBR+EA/3i6C8lKFPPTh/PvTGbVFOl+eUSV\n" +
+            "I0w3c+BRY/pO0m4H\n" +
+            "=tkTV\n" +
+            "-----END PGP MESSAGE-----";
+
+    public static void main(String[] args) throws Exception {
+        // genLIT();
+        // genLIT_LIT();
+        // genCOMP_LIT();
+        // genCOMP();
+        // genCOMP_COMP_LIT();
+        // genKey();
+        // genSIG_LIT();
+        // genSENC_LIT();
+        // genPENC_COMP_LIT();
+        genOPS_LIT_SIG();
+    }
+
+    public static void genLIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        armorOut.close();
+    }
+
+    public static void genLIT_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+
+        litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+
+        armorOut.close();
+    }
+
+    public static void genCOMP_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut = compGen.open(armorOut);
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(compOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        compOut.close();
+        armorOut.close();
+    }
+
+    public static void genCOMP() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut = compGen.open(armorOut);
+        compOut.close();
+        armorOut.close();
+    }
+
+    public static void genCOMP_COMP_LIT() throws IOException {
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+
+        PGPCompressedDataGenerator compGen1 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
+        OutputStream compOut1 = compGen1.open(armorOut);
+
+        PGPCompressedDataGenerator compGen2 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.BZIP2);
+        OutputStream compOut2 = compGen2.open(compOut1);
+
+        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
+        OutputStream litOut = litGen.open(compOut2, PGPLiteralDataGenerator.BINARY, "", PGPLiteralDataGenerator.NOW, new byte[1 << 9]);
+
+        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        litOut.close();
+        compOut2.close();
+        compOut1.close();
+        armorOut.close();
+    }
+
+    public static void genKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        System.out.println(PGPainless.asciiArmor(
+                PGPainless.generateKeyRing().modernKeyRing("Alice ")
+        ));
+    }
+
+    public static void genSIG_LIT() throws PGPException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
+        EncryptionStream signer = PGPainless.encryptAndOrSign()
+                .onOutputStream(msgOut)
+                .withOptions(
+                        ProducerOptions.sign(
+                                SigningOptions.get()
+                                        .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)
+                        ).setAsciiArmor(false)
+                );
+
+        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), signer);
+        signer.close();
+        EncryptionResult result = signer.getResult();
+        PGPSignature detachedSignature = result.getDetachedSignatures().get(result.getDetachedSignatures().keySet().iterator().next()).iterator().next();
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
+        armorOut.flush();
+        detachedSignature.encode(armorOut);
+        armorOut.write(msgOut.toByteArray());
+        armorOut.close();
+
+        String armored = out.toString();
+        System.out.println(armored
+                .replace("-----BEGIN PGP SIGNATURE-----\n", "-----BEGIN PGP MESSAGE-----\n")
+                .replace("-----END PGP SIGNATURE-----", "-----END PGP MESSAGE-----"));
+    }
+
+    public static void genSENC_LIT() throws PGPException, IOException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream enc = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
+                                .addPassphrase(Passphrase.fromPassword(PASSPHRASE)))
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
+        enc.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
+        enc.close();
+
+        System.out.println(out);
+    }
+
+    public static void genPENC_COMP_LIT() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream enc = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
+                                .addRecipient(cert))
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.ZLIB));
+
+        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
+        enc.close();
+
+        System.out.println(out);
+    }
+
+    public static void genOPS_LIT_SIG() throws PGPException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        EncryptionStream enc = PGPainless.encryptAndOrSign()
+                .onOutputStream(out)
+                .withOptions(ProducerOptions.sign(SigningOptions.get()
+                        .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys))
+                        .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
+        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
+        enc.close();
+
+        System.out.println(out);
+    }
+
     @Test
     public void testProcessLIT() throws IOException, PGPException {
-        String plain = process(LIT, ConsumerOptions.get());
+        String plain = processReadBuffered(LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(LIT, ConsumerOptions.get());
         assertEquals(PLAINTEXT, plain);
     }
 
     @Test
     public void testProcessLIT_LIT_fails() {
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> process(LIT_LIT, ConsumerOptions.get()));
+                () -> processReadBuffered(LIT_LIT, ConsumerOptions.get()));
+
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> processReadSequential(LIT_LIT, ConsumerOptions.get()));
     }
 
     @Test
     public void testProcessCOMP_LIT() throws PGPException, IOException {
-        String plain = process(COMP_LIT, ConsumerOptions.get());
+        String plain = processReadBuffered(COMP_LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(COMP_LIT, ConsumerOptions.get());
         assertEquals(PLAINTEXT, plain);
     }
 
     @Test
     public void testProcessCOMP_fails() {
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> process(COMP, ConsumerOptions.get()));
+                () -> processReadBuffered(COMP, ConsumerOptions.get()));
+
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> processReadSequential(COMP, ConsumerOptions.get()));
     }
 
     @Test
     public void testProcessCOMP_COMP_LIT() throws PGPException, IOException {
-        String plain = process(COMP_COMP_LIT, ConsumerOptions.get());
+        String plain = processReadBuffered(COMP_COMP_LIT, ConsumerOptions.get());
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(COMP_COMP_LIT, ConsumerOptions.get());
         assertEquals(PLAINTEXT, plain);
     }
 
     @Test
     public void testProcessSIG_LIT() throws PGPException, IOException {
-        String plain = process(SIG_LIT, ConsumerOptions.get());
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(
+                PGPainless.readKeyRing().secretKeyRing(KEY));
+
+        String plain = processReadBuffered(SIG_LIT, ConsumerOptions.get()
+                .addVerificationCert(cert));
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(SIG_LIT, ConsumerOptions.get()
+                .addVerificationCert(cert));
         assertEquals(PLAINTEXT, plain);
     }
 
     @Test
     public void testProcessSENC_LIT() throws PGPException, IOException {
-        String plain = process(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        String plain = processReadBuffered(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
         assertEquals(PLAINTEXT, plain);
     }
 
     @Test
     public void testProcessPENC_COMP_LIT() throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        String plain = process(PENC_COMP_LIT, ConsumerOptions.get()
+        String plain = processReadBuffered(PENC_COMP_LIT, ConsumerOptions.get()
+                .addDecryptionKey(secretKeys));
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(PENC_COMP_LIT, ConsumerOptions.get()
                 .addDecryptionKey(secretKeys));
         assertEquals(PLAINTEXT, plain);
     }
 
-    private String process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+    @Test
+    public void testProcessOPS_LIT_SIG() throws IOException, PGPException {
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(PGPainless.readKeyRing().secretKeyRing(KEY));
+        String plain = processReadBuffered(OPS_LIT_SIG, ConsumerOptions.get()
+                .addVerificationCert(cert));
+        assertEquals(PLAINTEXT, plain);
+
+        plain = processReadSequential(OPS_LIT_SIG, ConsumerOptions.get()
+                .addVerificationCert(cert));
+        assertEquals(PLAINTEXT, plain);
+    }
+
+    private String processReadBuffered(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(in, out);
@@ -89,6 +404,19 @@ public class OpenPgpMessageInputStreamTest {
         return out.toString();
     }
 
+    private String processReadSequential(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+        OpenPgpMessageInputStream in = get(armoredMessage, options);
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        int r;
+        while ((r = in.read()) != -1) {
+            out.write(r);
+        }
+
+        in.close();
+        return out.toString();
+    }
+
     private OpenPgpMessageInputStream get(String armored, ConsumerOptions options) throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
deleted file mode 100644
index 8da44ec8..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PGPDecryptionStreamTest.java
+++ /dev/null
@@ -1,361 +0,0 @@
-package org.pgpainless.decryption_verification;
-
-import org.bouncycastle.bcpg.ArmoredInputStream;
-import org.bouncycastle.bcpg.ArmoredOutputStream;
-import org.bouncycastle.bcpg.CompressionAlgorithmTags;
-import org.bouncycastle.openpgp.PGPCompressedDataGenerator;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPLiteralDataGenerator;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.CompressionAlgorithm;
-import org.pgpainless.encryption_signing.EncryptionOptions;
-import org.pgpainless.encryption_signing.EncryptionResult;
-import org.pgpainless.encryption_signing.EncryptionStream;
-import org.pgpainless.encryption_signing.ProducerOptions;
-import org.pgpainless.encryption_signing.SigningOptions;
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.util.ArmoredInputStreamFactory;
-import org.pgpainless.util.Passphrase;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-public class PGPDecryptionStreamTest {
-
-    public static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-            "Version: PGPainless\n" +
-            "Comment: DA05 848F 37D4 68E6 F982  C889 7A70 1FC6 904D 3F4C\n" +
-            "Comment: Alice \n" +
-            "\n" +
-            "lFgEYxzSCBYJKwYBBAHaRw8BAQdAeJU8m4GOJb1eQgv/ryilFHRfNLTYFMNqL6zj\n" +
-            "r0vF7dsAAP42rAtngpJ6dZxoZlJX0Je65zk1VMPeTrXaWfPS2HSKBRGptBxBbGlj\n" +
-            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMc0ggJEHpwH8aQTT9M\n" +
-            "FiEE2gWEjzfUaOb5gsiJenAfxpBNP0wCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
-            "AQAApZEBALUXHtvswPZG28YO+16Men6/fpk+scvqpNMnD4ty3IkAAPwK6TuXjNnZ\n" +
-            "0XuWdnilvLMV23Ai1d5g6em+lwLK5M2SApxdBGMc0ggSCisGAQQBl1UBBQEBB0D8\n" +
-            "mNUVX8y2MXFaSeFYqOTPFnGT7dgNVdn6yc0UtkkHOgMBCAcAAP9y9OtP4SX9voPb\n" +
-            "ID2u9PkJKgo4hTB8NK5LouGppdRtEBGriHUEGBYKAB0FAmMc0ggCngECmwwFFgID\n" +
-            "AQAECwkIBwUVCgkICwAKCRB6cB/GkE0/TAywAQDpZRJS/joFH4+xcwheqWfI7ay/\n" +
-            "WfojUoGQMYGnUjsgYwEAkceRUsgkqI0SVgYvuglfaQpZ9k2ns1mZGVLkXvu/yQyc\n" +
-            "WARjHNIIFgkrBgEEAdpHDwEBB0BGN9BybSOrj8B6gim1SjbB/IiqAshlzMDunVkQ\n" +
-            "X23npQABAJqvjOOY7qhBuTusC5/Q5+25iLrhMn4TI+LXlJHMVNOaE0OI1QQYFgoA\n" +
-            "fQUCYxzSCAKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmMc0ggACgkQ\n" +
-            "KALh4BJQXl6yTQD/dh0N5228Uwtu7XHy6dmpMRX62cac5tXQ9WaDzpy8STgBAMdn\n" +
-            "Mq948UOYEhdk/ZY2/hwux/4t+FHvqrXW8ziBe4cLAAoJEHpwH8aQTT9M1hQA/3Ms\n" +
-            "P3kzoed3VsWu1ZMr7dKEngbc6SoJ2XPayzN0QYJaAQCIY5NcT9mZF97HWV3Vgeum\n" +
-            "00sWMHXfkW3+nl5OpUZaDA==\n" +
-            "=THgv\n" +
-            "-----END PGP PRIVATE KEY BLOCK-----";
-
-    public static final String PLAINTEXT = "Hello, World!\n";
-    public static final String PASSPHRASE = "sw0rdf1sh";
-
-    public static final String LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: PGPainless\n" +
-            "\n" +
-            "yxRiAAAAAABIZWxsbywgV29ybGQhCg==\n" +
-            "=WGju\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String LIT_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "yxRiAAAAAABIZWxsbywgV29ybGQhCssUYgAAAAAASGVsbG8sIFdvcmxkIQo=\n" +
-            "=A91Q\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String COMP_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "owE7LZLEAAIeqTk5+ToK4flFOSmKXAA=\n" +
-            "=ZYDg\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String COMP = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "owEDAA==\n" +
-            "=MDzg\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String COMP_COMP_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "owEBRwC4/6MDQlpoOTFBWSZTWVuW2KAAAAr3hGAQBABgBABAAIAWBJAAAAggADFM\n" +
-            "ABNBqBo00N6puqWR+TqInoXQ58XckU4UJBbltigA\n" +
-            "=K9Zl\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String SIG_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "iHUEABYKACcFAmMc1i0JECgC4eASUF5eFiEEjN3RiJxCf/TyYOQjKALh4BJQXl4A\n" +
-            "AHkrAP98uPpqrgIix7epgL7MM1cjXXGSxqbDfXHwgptk1YGQlgD/fw89VGcXwFaI\n" +
-            "2k7kpXQYy/1BqnovM/jZ3X3mXhhTaAOjATstksQAAh6pOTn5Ogrh+UU5KYpcAA==\n" +
-            "=WKPn\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String SENC_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: PGPainless\n" +
-            "\n" +
-            "jA0ECQMCuZ0qHNXWnGhg0j8Bdm1cxV65sYb7jDgb4rRMtdNpQ1dC4UpSYuk9YWS2\n" +
-            "DpNEijbX8b/P1UOK2kJczNDADMRegZuLEI+dNsBnJjk=\n" +
-            "=i4Y0\n" +
-            "-----END PGP MESSAGE-----";
-
-    public static final String PENC_COMP_LIT = "" +
-            "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: PGPainless\n" +
-            "\n" +
-            "hF4Dyqa/GWUy6WsSAQdAQ62BwmUt8Iby0+jvrLhMgST79KR/as+dyl0nf1uki2sw\n" +
-            "Thg1Ojtf0hOyJgcpQ4nP2Q0wYFR0F1sCydaIlTGreYZHlGtybP7/Ml6KNZILTRWP\n" +
-            "0kYBkGBgK7oQWRIVyoF2POvEP6EX1X8nvQk7O3NysVdRVbnia7gE3AzRYuha4kxs\n" +
-            "pI6xJkntLMS3K6him1Y9FHINIASFSB+C\n" +
-            "=5p00\n" +
-            "-----END PGP MESSAGE-----";
-
-    @Test
-    public void genLIT() throws IOException {
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
-        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
-        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
-        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        litOut.close();
-        armorOut.close();
-    }
-
-    @Test
-    public void processLIT() throws IOException, PGPException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decIn, out);
-        assertEquals(PLAINTEXT, out.toString());
-        armorIn.close();
-    }
-
-    @Test
-    public void getLIT_LIT() throws IOException {
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
-        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
-        OutputStream litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
-        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        litOut.close();
-
-        litOut = litGen.open(armorOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
-        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        litOut.close();
-
-        armorOut.close();
-    }
-
-    @Test
-    public void processLIT_LIT() throws IOException, PGPException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(LIT_LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        assertThrows(MalformedOpenPgpMessageException.class, () -> Streams.pipeAll(decIn, out));
-    }
-
-    @Test
-    public void genCOMP_LIT() throws IOException {
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
-        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
-        OutputStream compOut = compGen.open(armorOut);
-        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
-        OutputStream litOut = litGen.open(compOut, PGPLiteralDataGenerator.BINARY, "", PGPLiteralData.NOW, new byte[1 << 9]);
-        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        litOut.close();
-        compOut.close();
-        armorOut.close();
-    }
-
-    @Test
-    public void processCOMP_LIT() throws IOException, PGPException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decIn, out);
-        decIn.close();
-        armorIn.close();
-
-        assertEquals(PLAINTEXT, out.toString());
-    }
-
-    @Test
-    public void genCOMP() throws IOException {
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
-        PGPCompressedDataGenerator compGen = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
-        OutputStream compOut = compGen.open(armorOut);
-        compOut.close();
-        armorOut.close();
-    }
-
-    @Test
-    public void processCOMP() throws IOException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        assertThrows(MalformedOpenPgpMessageException.class, () -> {
-            MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-            Streams.drain(decIn);
-        });
-    }
-
-    @Test
-    public void genCOMP_COMP_LIT() throws IOException {
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
-
-        PGPCompressedDataGenerator compGen1 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.ZIP);
-        OutputStream compOut1 = compGen1.open(armorOut);
-
-        PGPCompressedDataGenerator compGen2 = new PGPCompressedDataGenerator(CompressionAlgorithmTags.BZIP2);
-        OutputStream compOut2 = compGen2.open(compOut1);
-
-        PGPLiteralDataGenerator litGen = new PGPLiteralDataGenerator();
-        OutputStream litOut = litGen.open(compOut2, PGPLiteralDataGenerator.BINARY, "", PGPLiteralDataGenerator.NOW, new byte[1 << 9]);
-
-        litOut.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        litOut.close();
-        compOut2.close();
-        compOut1.close();
-        armorOut.close();
-    }
-
-    @Test
-    public void processCOMP_COMP_LIT() throws PGPException, IOException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(COMP_COMP_LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decIn, out);
-        decIn.close();
-
-        assertEquals(PLAINTEXT, out.toString());
-    }
-
-    @Test
-    public void genKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        System.out.println(PGPainless.asciiArmor(
-                PGPainless.generateKeyRing().modernKeyRing("Alice ")
-        ));
-    }
-
-    @Test
-    public void genSIG_LIT() throws PGPException, IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
-        EncryptionStream signer = PGPainless.encryptAndOrSign()
-                .onOutputStream(msgOut)
-                .withOptions(
-                        ProducerOptions.sign(
-                                SigningOptions.get()
-                                        .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys)
-                        ).setAsciiArmor(false)
-                );
-
-        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), signer);
-        signer.close();
-        EncryptionResult result = signer.getResult();
-        PGPSignature detachedSignature = result.getDetachedSignatures().get(result.getDetachedSignatures().keySet().iterator().next()).iterator().next();
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
-        armorOut.flush();
-        detachedSignature.encode(armorOut);
-        armorOut.write(msgOut.toByteArray());
-        armorOut.close();
-
-        String armored = out.toString();
-        System.out.println(armored
-                .replace("-----BEGIN PGP SIGNATURE-----\n", "-----BEGIN PGP MESSAGE-----\n")
-                .replace("-----END PGP SIGNATURE-----", "-----END PGP MESSAGE-----"));
-    }
-
-    @Test
-    public void processSIG_LIT() throws IOException, PGPException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(SIG_LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get());
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decIn, out);
-        decIn.close();
-
-        System.out.println(out);
-    }
-
-    @Test
-    public void genSENC_LIT() throws PGPException, IOException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        EncryptionStream enc = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
-                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
-                                .addPassphrase(Passphrase.fromPassword(PASSPHRASE)))
-                        .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
-        enc.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
-        enc.close();
-
-        System.out.println(out);
-    }
-
-    @Test
-    public void processSENC_LIT() throws IOException, PGPException {
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(SENC_LIT.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        MessageDecryptionStream decIn = new MessageDecryptionStream(armorIn, ConsumerOptions.get()
-                .addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decIn, out);
-        decIn.close();
-
-        System.out.println(out);
-    }
-
-    @Test
-    public void genPENC_COMP_LIT() throws IOException, PGPException {
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        EncryptionStream enc = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
-                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
-                                .addRecipient(cert))
-                        .overrideCompressionAlgorithm(CompressionAlgorithm.ZLIB));
-
-        Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
-        enc.close();
-
-        System.out.println(out);
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java
deleted file mode 100644
index 8c1c4921..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/NestingPDATest.java
+++ /dev/null
@@ -1,205 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification.automaton;
-
-import org.junit.jupiter.api.Test;
-import org.pgpainless.exception.MalformedOpenPgpMessageException;
-
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-public class NestingPDATest {
-
-    /**
-     * MSG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS MSG SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * SIG MSG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS COMP(MSG) SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * OPS ENC(COMP(COMP(MSG))) SIG is valid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOpsSignedEncryptedCompressedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.EncryptedData);
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.CompressedData);
-
-        automaton.next(InputAlphabet.LiteralData);
-
-        automaton.next(InputAlphabet.EndOfSequence);
-        automaton.next(InputAlphabet.EndOfSequence);
-        automaton.next(InputAlphabet.EndOfSequence);
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-
-    /**
-     * MSG SIG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testLiteralPlusSigsFails() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.Signatures));
-    }
-
-    /**
-     * MSG MSG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG MSG) SIG is invalid (two literal packets are illegal).
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG) MSG SIG is invalid.
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testOPSSignedMessageWithTwoLiteralDataPacketsFails2() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.LiteralData));
-    }
-
-    /**
-     * OPS COMP(MSG SIG) is invalid (MSG SIG does not form valid nested message).
-     *
-     * @throws MalformedOpenPgpMessageException fail
-     */
-    @Test
-    public void testCorrespondingSignaturesOfOpsSignedMessageAreLayerFurtherDownFails() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.LiteralData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.Signatures));
-    }
-
-    /**
-     * Empty COMP is invalid.
-     */
-    @Test
-    public void testEmptyCompressedDataIsInvalid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.CompressedData);
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> automaton.next(InputAlphabet.EndOfSequence));
-    }
-
-    @Test
-    public void testOPSSignedEncryptedCompressedOPSSignedMessageIsValid() throws MalformedOpenPgpMessageException {
-        NestingPDA automaton = new NestingPDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
-
-        automaton.next(InputAlphabet.EncryptedData);
-        automaton.next(InputAlphabet.OnePassSignatures);
-
-        automaton.next(InputAlphabet.CompressedData);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        automaton.next(InputAlphabet.Signatures);
-        automaton.next(InputAlphabet.EndOfSequence);
-
-        assertTrue(automaton.isValid());
-    }
-}

From 7537c9520c07fd3499f683a37b6f651f5f6b8549 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 19 Sep 2022 13:07:33 +0200
Subject: [PATCH 0709/1450] WIP: Add LayerMetadata class

---
 .../pgpainless/algorithm/OpenPgpPacket.java   |   2 +-
 .../OpenPgpMessageInputStream.java            | 271 ++++++++++--------
 2 files changed, 149 insertions(+), 124 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
index 63d14a31..41e3fb08 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/OpenPgpPacket.java
@@ -29,7 +29,7 @@ public enum OpenPgpPacket {
     PSK(PacketTags.PUBLIC_SUBKEY),
     UATTR(PacketTags.USER_ATTRIBUTE),
     SEIPD(PacketTags.SYM_ENC_INTEGRITY_PRO),
-    MOD(PacketTags.MOD_DETECTION_CODE),
+    MDC(PacketTags.MOD_DETECTION_CODE),
 
     EXP_1(PacketTags.EXPERIMENTAL_1),
     EXP_2(PacketTags.EXPERIMENTAL_2),
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 8dff7189..1a38fced 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.bcpg.BCPGInputStream;
@@ -27,9 +31,12 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
+import org.bouncycastle.pqc.crypto.rainbow.Layer;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
 import org.pgpainless.decryption_verification.automaton.PDA;
 import org.pgpainless.decryption_verification.automaton.StackAlphabet;
@@ -55,15 +62,22 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     protected final PDA automaton = new PDA();
     protected final ConsumerOptions options;
+    protected final OpenPgpMetadata.Builder resultBuilder;
     protected final BCPGInputStream bcpgIn;
     protected InputStream in;
 
     private boolean closed = false;
 
     private Signatures signatures;
+    private LayerMetadata layerMetadata;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
+        this(inputStream, options, null);
+    }
+
+    OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, LayerMetadata layerMetadata)
+            throws PGPException, IOException {
         // TODO: Use BCPGInputStream.wrap(inputStream);
         if (inputStream instanceof BCPGInputStream) {
             this.bcpgIn = (BCPGInputStream) inputStream;
@@ -72,12 +86,35 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         this.options = options;
+        this.resultBuilder = OpenPgpMetadata.getBuilder();
         this.signatures = new Signatures(options);
         this.signatures.addDetachedSignatures(options.getDetachedSignatures());
 
         consumePackets();
     }
 
+    static class LayerMetadata {
+
+        private CompressionAlgorithm compressionAlgorithm;
+        private SymmetricKeyAlgorithm symmetricKeyAlgorithm;
+        private LayerMetadata child;
+
+        public LayerMetadata setCompressionAlgorithm(CompressionAlgorithm algorithm) {
+            this.compressionAlgorithm = algorithm;
+            return this;
+        }
+
+        public LayerMetadata setSymmetricEncryptionAlgorithm(SymmetricKeyAlgorithm algorithm) {
+            this.symmetricKeyAlgorithm = algorithm;
+            return this;
+        }
+
+        public LayerMetadata setChild(LayerMetadata child) {
+            this.child = child;
+            return this;
+        }
+    }
+
     /**
      * This method consumes OpenPGP packets from the current {@link BCPGInputStream}.
      * Once it reaches a "nested" OpenPGP packet (Literal Data, Compressed Data, Encrypted Data), it sets 
in

@@ -92,7 +129,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             throws IOException, PGPException {
         System.out.println("Walk " + automaton);
         int tag;
-        loop: while ((tag = getTag()) != -1) {
+        loop: while ((tag = nextTag()) != -1) {
             OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
             System.out.println(nextPacket);
             switch (nextPacket) {
@@ -108,7 +145,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case COMP:
                     automaton.next(InputAlphabet.CompressedData);
                     PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
-                    in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options);
+                    LayerMetadata compressionLayer = new LayerMetadata();
+                    compressionLayer.setCompressionAlgorithm(CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
+                    in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
                     break loop;
 
                 // One Pass Signatures
@@ -119,10 +158,10 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                 // Signatures - either prepended to the message, or corresponding to the One Pass Signatures
                 case SIG:
-                    boolean isCorrespondingToOPS = automaton.peekStack() == StackAlphabet.ops;
+                    boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
                     PGPSignatureList signatureList = readSignatures();
-                    if (isCorrespondingToOPS) {
+                    if (isSigForOPS) {
                         signatures.addOnePassCorrespondingSignatures(signatureList);
                     } else {
                         signatures.addPrependedSignatures(signatureList);
@@ -135,99 +174,15 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case SED:
                 case SEIPD:
                     automaton.next(InputAlphabet.EncryptedData);
-                    PGPEncryptedDataList encDataList = new PGPEncryptedDataList(bcpgIn);
-
-                    // TODO: Replace with !encDataList.isIntegrityProtected()
-                    if (!encDataList.get(0).isIntegrityProtected()) {
-                        throw new MessageNotIntegrityProtectedException();
+                    if (processEncryptedData()) {
+                        break loop;
                     }
 
-                    SortedESKs esks = new SortedESKs(encDataList);
-
-                    if (options.getSessionKey() != null) {
-                        SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                                .getSessionKeyDataDecryptorFactory(options.getSessionKey());
-                        // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
-                        PGPEncryptedData esk = esks.all().get(0);
-                        try {
-                            if (esk instanceof PGPPBEEncryptedData) {
-                                PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
-                                in = skesk.getDataStream(decryptorFactory);
-                                break loop;
-                            } else if (esk instanceof PGPPublicKeyEncryptedData) {
-                                PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
-                                in = pkesk.getDataStream(decryptorFactory);
-                                break loop;
-                            } else {
-                                throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
-                            }
-                        } catch (PGPException e) {
-                            // Session key mismatch?
-                        }
-                    }
-
-                    // Try passwords
-                    for (PGPPBEEncryptedData skesk : esks.skesks) {
-                        for (Passphrase passphrase : options.getDecryptionPassphrases()) {
-                            PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                                    .getPBEDataDecryptorFactory(passphrase);
-                            try {
-                                InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                                in = new OpenPgpMessageInputStream(decrypted, options);
-                                break loop;
-                            } catch (PGPException e) {
-                                // password mismatch? Try next password
-                            }
-
-                        }
-                    }
-
-                    // Try (known) secret keys
-                    for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
-                        long keyId = pkesk.getKeyID();
-                        PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
-                        if (decryptionKeys == null) {
-                            continue;
-                        }
-                        SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
-                        PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
-                        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
-
-                        PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                                .getPublicKeyDataDecryptorFactory(privateKey);
-                        try {
-                            InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                            in = new OpenPgpMessageInputStream(decrypted, options);
-                            break loop;
-                        } catch (PGPException e) {
-                            // hm :/
-                        }
-                    }
-
-                    // try anonymous secret keys
-                    for (PGPPublicKeyEncryptedData pkesk : esks.anonPkesks) {
-                        for (Tuple decryptionKeyCandidate : findPotentialDecryptionKeys(pkesk)) {
-                            SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
-                            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
-                            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                                    .getPublicKeyDataDecryptorFactory(privateKey);
-
-                            try {
-                                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                                in = new OpenPgpMessageInputStream(decrypted, options);
-                                break loop;
-                            } catch (PGPException e) {
-                                // hm :/
-                            }
-                        }
-                    }
-
-                    // TODO: try interactive password callbacks
-
                     throw new MissingDecryptionMethodException("No working decryption method found.");
 
+                // Marker Packets need to be skipped and ignored
                 case MARKER:
-                    bcpgIn.readPacket(); // skip marker packet
+                    bcpgIn.readPacket(); // skip
                     break;
 
                 // Key Packets are illegal in this context
@@ -238,8 +193,11 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case TRUST:
                 case UID:
                 case UATTR:
+                    throw new MalformedOpenPgpMessageException("Illegal Packet in Stream: " + nextPacket);
 
-                case MOD:
+                // MDC packet is usually processed by PGPEncryptedDataList, so it is very likely we encounter this
+                //  packet out of order
+                case MDC:
                     throw new MalformedOpenPgpMessageException("Unexpected Packet in Stream: " + nextPacket);
 
                     // Experimental Packets are not supported
@@ -252,7 +210,100 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    private int getTag() throws IOException {
+    private boolean processEncryptedData() throws IOException, PGPException {
+        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(bcpgIn);
+
+        // TODO: Replace with !encDataList.isIntegrityProtected()
+        if (!encDataList.get(0).isIntegrityProtected()) {
+            throw new MessageNotIntegrityProtectedException();
+        }
+
+        SortedESKs esks = new SortedESKs(encDataList);
+
+        // Try session key
+        if (options.getSessionKey() != null) {
+            SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                    .getSessionKeyDataDecryptorFactory(options.getSessionKey());
+            // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
+            PGPEncryptedData esk = esks.all().get(0);
+            try {
+                if (esk instanceof PGPPBEEncryptedData) {
+                    PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
+                    in = skesk.getDataStream(decryptorFactory);
+                    return true;
+                } else if (esk instanceof PGPPublicKeyEncryptedData) {
+                    PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
+                    in = pkesk.getDataStream(decryptorFactory);
+                    return true;
+                } else {
+                    throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
+                }
+            } catch (PGPException e) {
+                // Session key mismatch?
+            }
+        }
+
+        // Try passwords
+        for (PGPPBEEncryptedData skesk : esks.skesks) {
+            for (Passphrase passphrase : options.getDecryptionPassphrases()) {
+                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                        .getPBEDataDecryptorFactory(passphrase);
+                try {
+                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                    in = new OpenPgpMessageInputStream(decrypted, options);
+                    return true;
+                } catch (PGPException e) {
+                    // password mismatch? Try next password
+                }
+
+            }
+        }
+
+        // Try (known) secret keys
+        for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+            long keyId = pkesk.getKeyID();
+            PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
+            if (decryptionKeys == null) {
+                continue;
+            }
+            SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
+            PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
+            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
+
+            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                    .getPublicKeyDataDecryptorFactory(privateKey);
+            try {
+                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                in = new OpenPgpMessageInputStream(decrypted, options);
+                return true;
+            } catch (PGPException e) {
+                // hm :/
+            }
+        }
+
+        // try anonymous secret keys
+        for (PGPPublicKeyEncryptedData pkesk : esks.anonPkesks) {
+            for (Tuple decryptionKeyCandidate : findPotentialDecryptionKeys(pkesk)) {
+                SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
+                PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
+                PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                        .getPublicKeyDataDecryptorFactory(privateKey);
+
+                try {
+                    InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                    in = new OpenPgpMessageInputStream(decrypted, options);
+                    return true;
+                } catch (PGPException e) {
+                    // hm :/
+                }
+            }
+        }
+
+        // we did not yet succeed in decrypting any session key :/
+        return false;
+    }
+
+    private int nextTag() throws IOException {
         try {
             return bcpgIn.nextPacketTag();
         } catch (IOException e) {
@@ -296,7 +347,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag;
-        while ((tag = getTag()) == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
+        while ((tag = nextTag()) == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
             Packet packet = bcpgIn.readPacket();
             if (tag == PacketTags.ONE_PASS_SIGNATURE) {
                 OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
@@ -313,13 +364,13 @@ public class OpenPgpMessageInputStream extends InputStream {
     private PGPSignatureList readSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-        int tag = getTag();
+        int tag = nextTag();
         while (tag == PacketTags.SIGNATURE || tag == PacketTags.MARKER) {
             Packet packet = bcpgIn.readPacket();
             if (tag == PacketTags.SIGNATURE) {
                 SignaturePacket sigPacket = (SignaturePacket) packet;
                 sigPacket.encode(bcpgOut);
-                tag = getTag();
+                tag = nextTag();
             }
         }
         bcpgOut.close();
@@ -356,20 +407,6 @@ public class OpenPgpMessageInputStream extends InputStream {
                 throw new RuntimeException(e);
             }
             signatures.finish();
-            /*
-            if (in instanceof OpenPgpMessageInputStream) {
-                in.close();
-                in = null;
-            } else {
-                try {
-                    System.out.println("Read consume");
-                    consumePackets();
-                    signatures.finish();
-                } catch (PGPException e) {
-                    throw new RuntimeException(e);
-                }
-            }
-             */
         }
         return r;
     }
@@ -394,18 +431,6 @@ public class OpenPgpMessageInputStream extends InputStream {
                 throw new RuntimeException(e);
             }
             signatures.finish();
-            /*
-            if (in instanceof OpenPgpMessageInputStream) {
-                in.close();
-                in = null;
-            } else {
-                try {
-                    consumePackets();
-                } catch (PGPException e) {
-                    throw new RuntimeException(e);
-                }
-            }
-             */
         }
         return r;
     }

From efdf2bca0d5b0fcc08448e074d1c9558ec55ff6e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 23 Sep 2022 14:04:44 +0200
Subject: [PATCH 0710/1450] WIP: Play around with TeeInputStreams

---
 .../OpenPgpMessageInputStream.java            | 33 +++++++++--
 .../TeeBCPGInputStream.java                   | 35 +++++++++++
 .../TeeBCPGInputStreamTest.java               | 58 +++++++++++++++++++
 3 files changed, 121 insertions(+), 5 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 1a38fced..990e628d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -343,7 +343,8 @@ public class OpenPgpMessageInputStream extends InputStream {
         return null;
     }
 
-    private PGPOnePassSignatureList readOnePassSignatures() throws IOException {
+    private PGPOnePassSignatureListWrapper readOnePassSignatures() throws IOException {
+        List encapsulating = new ArrayList<>();
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag;
@@ -351,14 +352,16 @@ public class OpenPgpMessageInputStream extends InputStream {
             Packet packet = bcpgIn.readPacket();
             if (tag == PacketTags.ONE_PASS_SIGNATURE) {
                 OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
-                sigPacket.encode(bcpgOut);
+                byte[] bytes = sigPacket.getEncoded();
+                encapsulating.add(bytes[bytes.length - 1] == 1);
+                bcpgOut.write(bytes);
             }
         }
         bcpgOut.close();
 
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
         PGPOnePassSignatureList signatureList = (PGPOnePassSignatureList) objectFactory.nextObject();
-        return signatureList;
+        return new PGPOnePassSignatureListWrapper(signatureList, encapsulating);
     }
 
     private PGPSignatureList readSignatures() throws IOException {
@@ -490,6 +493,26 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
+    /**
+     * Workaround for BC not exposing, whether an OPS is encapsulating or not.
+     * TODO: Remove once our PR is merged
+     *
+     * @see PR against BC
+     */
+    private static class PGPOnePassSignatureListWrapper {
+        private final PGPOnePassSignatureList list;
+        private final List encapsulating;
+
+        public PGPOnePassSignatureListWrapper(PGPOnePassSignatureList signatures, List encapsulating) {
+            this.list = signatures;
+            this.encapsulating = encapsulating;
+        }
+
+        public int size() {
+            return list.size();
+        }
+    }
+
     private static class Signatures {
         final ConsumerOptions options;
         List detachedSignatures = new ArrayList<>();
@@ -521,9 +544,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             }
         }
 
-        void addOnePassSignatures(PGPOnePassSignatureList signatures) {
+        void addOnePassSignatures(PGPOnePassSignatureListWrapper signatures) {
             System.out.println("Adding " + signatures.size() + " OPSs");
-            for (PGPOnePassSignature ops : signatures) {
+            for (PGPOnePassSignature ops : signatures.list) {
                 PGPPublicKeyRing certificate = findCertificate(ops.getKeyID());
                 initialize(ops, certificate);
                 this.onePassSignatures.add(ops);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
new file mode 100644
index 00000000..ab24f22e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -0,0 +1,35 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.BCPGInputStream;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class TeeBCPGInputStream extends BCPGInputStream {
+
+    private final OutputStream out;
+
+    public TeeBCPGInputStream(InputStream in, OutputStream outputStream) {
+        super(in);
+        this.out = outputStream;
+    }
+
+    @Override
+    public int read() throws IOException {
+        int r = super.read();
+        if (r != -1) {
+            out.write(r);
+        }
+        return r;
+    }
+
+    @Override
+    public int read(byte[] buf, int off, int len) throws IOException {
+        int r = super.read(buf, off, len);
+        if (r > 0) {
+            out.write(buf, off, r);
+        }
+        return r;
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
new file mode 100644
index 00000000..765221d3
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
@@ -0,0 +1,58 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPException;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.util.ArmoredInputStreamFactory;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+public class TeeBCPGInputStreamTest {
+
+    private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "owGbwMvMyCUWdXSHvVTUtXbG0yJJDCDgkZqTk6+jEJ5flJOiyNVRysIoxsXAxsqU\n" +
+            "GDiVjUGRUwCmQUyRRWnOn9Z/PIseF3Yz6cCEL05nZDj1OClo75WVTjNmJPemW6qV\n" +
+            "6ki//1K1++2s0qTP+0N11O4z/BVLDDdxnmQryS+5VXjBX7/0Hxnm/eqeX6Zum35r\n" +
+            "M8e7ufwA\n" +
+            "=RDiy\n" +
+            "-----END PGP MESSAGE-----";
+
+    @Test
+    public void test() throws IOException, PGPException {
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
+
+        ByteArrayInputStream bytesIn = new ByteArrayInputStream(INBAND_SIGNED.getBytes(StandardCharsets.UTF_8));
+        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
+        BCPGInputStream bcpgIn = new BCPGInputStream(armorIn);
+        TeeBCPGInputStream teeIn = new TeeBCPGInputStream(bcpgIn, armorOut);
+
+        ByteArrayOutputStream nestedOut = new ByteArrayOutputStream();
+        ArmoredOutputStream nestedArmorOut = new ArmoredOutputStream(nestedOut);
+
+        PGPCompressedData compressedData = new PGPCompressedData(teeIn);
+        InputStream nestedStream = compressedData.getDataStream();
+        BCPGInputStream nestedBcpgIn = new BCPGInputStream(nestedStream);
+        TeeBCPGInputStream nestedTeeIn = new TeeBCPGInputStream(nestedBcpgIn, nestedArmorOut);
+
+        int tag;
+        while ((tag = nestedTeeIn.nextPacketTag()) != -1) {
+            System.out.println(OpenPgpPacket.requireFromTag(tag));
+            Packet packet = nestedTeeIn.readPacket();
+        }
+
+        nestedArmorOut.close();
+        System.out.println(nestedOut);
+    }
+}

From 5c93eb3705c551edc9d05bfa2a1b159084a66dd5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 26 Sep 2022 18:21:06 +0200
Subject: [PATCH 0711/1450] Wip: Introduce MessageMetadata class

---
 .../MessageMetadata.java                      | 249 ++++++++++++++++++
 .../OpenPgpMessageInputStream.java            | 108 ++++----
 .../automaton/PDA.java                        |   3 -
 .../MessageMetadataTest.java                  |  84 ++++++
 .../OpenPgpMessageInputStreamTest.java        | 182 +++++++------
 5 files changed, 498 insertions(+), 128 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
new file mode 100644
index 00000000..7c09fc8d
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -0,0 +1,249 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.StreamEncoding;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.util.SessionKey;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+import java.util.NoSuchElementException;
+
+public class MessageMetadata {
+
+    protected Message message;
+
+    public MessageMetadata(@Nonnull Message message) {
+        this.message = message;
+    }
+
+    public @Nullable SymmetricKeyAlgorithm getEncryptionAlgorithm() {
+        Iterator algorithms = getEncryptionAlgorithms();
+        if (algorithms.hasNext()) {
+            return algorithms.next();
+        }
+        return null;
+    }
+
+    public @Nonnull Iterator getEncryptionAlgorithms() {
+        return new LayerIterator(message) {
+            @Override
+            public boolean matches(Nested layer) {
+                return layer instanceof EncryptedData;
+            }
+
+            @Override
+            public SymmetricKeyAlgorithm getProperty(Layer last) {
+                return ((EncryptedData) last).algorithm;
+            }
+        };
+    }
+
+    public @Nullable CompressionAlgorithm getCompressionAlgorithm() {
+        Iterator algorithms = getCompressionAlgorithms();
+        if (algorithms.hasNext()) {
+            return algorithms.next();
+        }
+        return null;
+    }
+
+    public @Nonnull Iterator getCompressionAlgorithms() {
+        return new LayerIterator(message) {
+            @Override
+            public boolean matches(Nested layer) {
+                return layer instanceof CompressedData;
+            }
+
+            @Override
+            public CompressionAlgorithm getProperty(Layer last) {
+                return ((CompressedData) last).algorithm;
+            }
+        };
+    }
+
+    public String getFilename() {
+        return findLiteralData().getFileName();
+    }
+
+    public Date getModificationDate() {
+        return findLiteralData().getModificationDate();
+    }
+
+    public StreamEncoding getFormat() {
+        return findLiteralData().getFormat();
+    }
+
+    private LiteralData findLiteralData() {
+        Nested nested = message.child;
+        while (nested.hasNestedChild()) {
+            Layer layer = (Layer) nested;
+            nested = layer.child;
+        }
+        return (LiteralData) nested;
+    }
+
+    public static abstract class Layer {
+        protected final List verifiedSignatures = new ArrayList<>();
+        protected final List failedSignatures = new ArrayList<>();
+        protected Nested child;
+
+        public Nested getChild() {
+            return child;
+        }
+
+        public void setChild(Nested child) {
+            this.child = child;
+        }
+
+        public List getVerifiedSignatures() {
+            return new ArrayList<>(verifiedSignatures);
+        }
+
+        public List getFailedSignatures() {
+            return new ArrayList<>(failedSignatures);
+        }
+    }
+
+    public interface Nested {
+        boolean hasNestedChild();
+    }
+
+    public static class Message extends Layer {
+
+    }
+
+    public static class LiteralData implements Nested {
+        protected String fileName;
+        protected Date modificationDate;
+        protected StreamEncoding format;
+
+        public LiteralData() {
+            this("", new Date(0L), StreamEncoding.BINARY);
+        }
+
+        public LiteralData(String fileName, Date modificationDate, StreamEncoding format) {
+            this.fileName = fileName;
+            this.modificationDate = modificationDate;
+            this.format = format;
+        }
+
+        public String getFileName() {
+            return fileName;
+        }
+
+        public Date getModificationDate() {
+            return modificationDate;
+        }
+
+        public StreamEncoding getFormat() {
+            return format;
+        }
+
+        @Override
+        public boolean hasNestedChild() {
+            return false;
+        }
+    }
+
+    public static class CompressedData extends Layer implements Nested {
+        protected final CompressionAlgorithm algorithm;
+
+        public CompressedData(CompressionAlgorithm zip) {
+            this.algorithm = zip;
+        }
+
+        public CompressionAlgorithm getAlgorithm() {
+            return algorithm;
+        }
+
+        @Override
+        public boolean hasNestedChild() {
+            return true;
+        }
+    }
+
+    public static class EncryptedData extends Layer implements Nested {
+        protected final SymmetricKeyAlgorithm algorithm;
+        protected SessionKey sessionKey;
+        protected List recipients;
+
+        public EncryptedData(SymmetricKeyAlgorithm algorithm) {
+            this.algorithm = algorithm;
+        }
+
+        public SymmetricKeyAlgorithm getAlgorithm() {
+            return algorithm;
+        }
+
+        public SessionKey getSessionKey() {
+            return sessionKey;
+        }
+
+        public List getRecipients() {
+            return new ArrayList<>(recipients);
+        }
+
+        @Override
+        public boolean hasNestedChild() {
+            return true;
+        }
+    }
+
+
+    private static abstract class LayerIterator implements Iterator {
+        private Nested current;
+        Layer last = null;
+
+        public LayerIterator(Message message) {
+            super();
+            this.current = message.child;
+            if (matches(current)) {
+                last = (Layer) current;
+            }
+        }
+
+        @Override
+        public boolean hasNext() {
+            if (last == null) {
+                findNext();
+            }
+            return last != null;
+        }
+
+        @Override
+        public O next() {
+            if (last == null) {
+                findNext();
+            }
+            if (last != null) {
+                O property = getProperty(last);
+                last = null;
+                return property;
+            }
+            throw new NoSuchElementException();
+        }
+
+        private void findNext() {
+            while (current instanceof Layer) {
+                current = ((Layer) current).child;
+                if (matches(current)) {
+                    last = (Layer) current;
+                    break;
+                }
+            }
+        }
+
+        abstract boolean matches(Nested layer);
+
+        abstract O getProperty(Layer last);
+    }
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 990e628d..44ebb27e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -31,11 +31,11 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
-import org.bouncycastle.pqc.crypto.rainbow.Layer;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
+import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
 import org.pgpainless.decryption_verification.automaton.PDA;
@@ -69,14 +69,14 @@ public class OpenPgpMessageInputStream extends InputStream {
     private boolean closed = false;
 
     private Signatures signatures;
-    private LayerMetadata layerMetadata;
+    private MessageMetadata.Layer metadata;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
-        this(inputStream, options, null);
+        this(inputStream, options, new MessageMetadata.Message());
     }
 
-    OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, LayerMetadata layerMetadata)
+    OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, MessageMetadata.Layer metadata)
             throws PGPException, IOException {
         // TODO: Use BCPGInputStream.wrap(inputStream);
         if (inputStream instanceof BCPGInputStream) {
@@ -86,33 +86,12 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         this.options = options;
+        this.metadata = metadata;
         this.resultBuilder = OpenPgpMetadata.getBuilder();
         this.signatures = new Signatures(options);
         this.signatures.addDetachedSignatures(options.getDetachedSignatures());
 
-        consumePackets();
-    }
-
-    static class LayerMetadata {
-
-        private CompressionAlgorithm compressionAlgorithm;
-        private SymmetricKeyAlgorithm symmetricKeyAlgorithm;
-        private LayerMetadata child;
-
-        public LayerMetadata setCompressionAlgorithm(CompressionAlgorithm algorithm) {
-            this.compressionAlgorithm = algorithm;
-            return this;
-        }
-
-        public LayerMetadata setSymmetricEncryptionAlgorithm(SymmetricKeyAlgorithm algorithm) {
-            this.symmetricKeyAlgorithm = algorithm;
-            return this;
-        }
-
-        public LayerMetadata setChild(LayerMetadata child) {
-            this.child = child;
-            return this;
-        }
+        consumePackets(); // nom nom nom
     }
 
     /**
@@ -127,27 +106,21 @@ public class OpenPgpMessageInputStream extends InputStream {
      */
     private void consumePackets()
             throws IOException, PGPException {
-        System.out.println("Walk " + automaton);
         int tag;
         loop: while ((tag = nextTag()) != -1) {
             OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
-            System.out.println(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
-                    PGPLiteralData literalData = new PGPLiteralData(bcpgIn);
-                    in = literalData.getDataStream();
+                    processLiteralData();
                     break loop;
 
                 // Compressed Data - the content contains another OpenPGP message
                 case COMP:
                     automaton.next(InputAlphabet.CompressedData);
-                    PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
-                    LayerMetadata compressionLayer = new LayerMetadata();
-                    compressionLayer.setCompressionAlgorithm(CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
-                    in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
+                    processCompressedData();
                     break loop;
 
                 // One Pass Signatures
@@ -160,12 +133,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case SIG:
                     boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
-                    PGPSignatureList signatureList = readSignatures();
-                    if (isSigForOPS) {
-                        signatures.addOnePassCorrespondingSignatures(signatureList);
-                    } else {
-                        signatures.addPrependedSignatures(signatureList);
-                    }
+                    processSignature(isSigForOPS);
                     break;
 
                 // Encrypted Data (ESKs and SED/SEIPD are parsed the same by BC)
@@ -210,6 +178,29 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
+    private void processSignature(boolean isSigForOPS) throws IOException {
+        PGPSignatureList signatureList = readSignatures();
+        if (isSigForOPS) {
+            signatures.addOnePassCorrespondingSignatures(signatureList);
+        } else {
+            signatures.addPrependedSignatures(signatureList);
+        }
+    }
+
+    private void processCompressedData() throws IOException, PGPException {
+        PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
+        MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
+                CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
+        in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
+    }
+
+    private void processLiteralData() throws IOException {
+        PGPLiteralData literalData = new PGPLiteralData(bcpgIn);
+        this.metadata.setChild(new MessageMetadata.LiteralData(literalData.getFileName(), literalData.getModificationTime(),
+                StreamEncoding.requireFromCode(literalData.getFormat())));
+        in = literalData.getDataStream();
+    }
+
     private boolean processEncryptedData() throws IOException, PGPException {
         PGPEncryptedDataList encDataList = new PGPEncryptedDataList(bcpgIn);
 
@@ -227,13 +218,14 @@ public class OpenPgpMessageInputStream extends InputStream {
             // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
             PGPEncryptedData esk = esks.all().get(0);
             try {
+                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(options.getSessionKey().getAlgorithm());
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
-                    in = skesk.getDataStream(decryptorFactory);
+                    in = new OpenPgpMessageInputStream(skesk.getDataStream(decryptorFactory), options, encryptedData);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
-                    in = pkesk.getDataStream(decryptorFactory);
+                    in = new OpenPgpMessageInputStream(pkesk.getDataStream(decryptorFactory), options, encryptedData);
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
@@ -250,7 +242,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                         .getPBEDataDecryptorFactory(passphrase);
                 try {
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                    in = new OpenPgpMessageInputStream(decrypted, options);
+                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                            SymmetricKeyAlgorithm.requireFromId(skesk.getSymmetricAlgorithm(decryptorFactory)));
+                    in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // password mismatch? Try next password
@@ -274,7 +268,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                     .getPublicKeyDataDecryptorFactory(privateKey);
             try {
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                in = new OpenPgpMessageInputStream(decrypted, options);
+                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                        SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                 return true;
             } catch (PGPException e) {
                 // hm :/
@@ -291,7 +287,9 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                 try {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                    in = new OpenPgpMessageInputStream(decrypted, options);
+                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                            SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                    in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // hm :/
@@ -402,6 +400,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             signatures.update(b);
         } else {
             in.close();
+            collectMetadata();
             in = null;
 
             try {
@@ -426,6 +425,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         int r = in.read(b, off, len);
         if (r == -1) {
             in.close();
+            collectMetadata();
             in = null;
 
             try {
@@ -447,6 +447,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         if (in != null) {
             in.close();
+            collectMetadata();
             in = null;
         }
 
@@ -461,6 +462,21 @@ public class OpenPgpMessageInputStream extends InputStream {
         closed = true;
     }
 
+    private void collectMetadata() {
+        if (in instanceof OpenPgpMessageInputStream) {
+            OpenPgpMessageInputStream child = (OpenPgpMessageInputStream) in;
+            MessageMetadata.Layer childLayer = child.metadata;
+            this.metadata.setChild((MessageMetadata.Nested) childLayer);
+        }
+    }
+
+    public MessageMetadata getMetadata() {
+        if (!closed) {
+            throw new IllegalStateException("Stream must be closed before access to metadata can be granted.");
+        }
+        return new MessageMetadata((MessageMetadata.Message) metadata);
+    }
+
     private static class SortedESKs {
 
         private List skesks = new ArrayList<>();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index 793a3451..feb759ea 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -187,10 +187,7 @@ public class PDA {
     }
 
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
-        State old = state;
-        StackAlphabet stackItem = stack.isEmpty() ? null : stack.peek();
         state = state.transition(input, this);
-        System.out.println(id + ": Transition from " + old + " to " + state + " via " + input + " with stack " + stackItem);
     }
 
     /**
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
new file mode 100644
index 00000000..9f887eb9
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
@@ -0,0 +1,84 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.junit.JUtils;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.StreamEncoding;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.util.DateUtil;
+
+import java.util.Date;
+import java.util.Iterator;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class MessageMetadataTest {
+
+    @Test
+    public void processTestMessage_COMP_ENC_ENC_LIT() {
+        // Note: COMP of ENC does not make sense, since ENC is indistinguishable from randomness
+        //  and randomness cannot be encrypted.
+        //  For the sake of testing though, this is okay.
+        MessageMetadata.Message message = new MessageMetadata.Message();
+
+        MessageMetadata.CompressedData compressedData = new MessageMetadata.CompressedData(CompressionAlgorithm.ZIP);
+        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_128);
+        MessageMetadata.EncryptedData encryptedData1 = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_256);
+        MessageMetadata.LiteralData literalData = new MessageMetadata.LiteralData();
+
+        message.setChild(compressedData);
+        compressedData.setChild(encryptedData);
+        encryptedData.setChild(encryptedData1);
+        encryptedData1.setChild(literalData);
+
+        MessageMetadata metadata = new MessageMetadata(message);
+
+        // Check encryption algs
+        assertEquals(SymmetricKeyAlgorithm.AES_128, metadata.getEncryptionAlgorithm(), "getEncryptionAlgorithm() returns alg of outermost EncryptedData");
+        Iterator encryptionAlgs = metadata.getEncryptionAlgorithms();
+        assertTrue(encryptionAlgs.hasNext(), "There is at least one EncryptedData child");
+        assertTrue(encryptionAlgs.hasNext(), "The child is still there");
+        assertEquals(SymmetricKeyAlgorithm.AES_128, encryptionAlgs.next(), "The first algo is AES128");
+        assertTrue(encryptionAlgs.hasNext(), "There is another EncryptedData");
+        assertTrue(encryptionAlgs.hasNext(), "There is *still* another EncryptedData");
+        assertEquals(SymmetricKeyAlgorithm.AES_256, encryptionAlgs.next(), "The second algo is AES256");
+        assertFalse(encryptionAlgs.hasNext(), "There is no more EncryptedData");
+        assertFalse(encryptionAlgs.hasNext(), "There *still* is no more EncryptedData");
+
+        assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm(), "getCompressionAlgorithm() returns alg of outermost CompressedData");
+        Iterator compAlgs = metadata.getCompressionAlgorithms();
+        assertTrue(compAlgs.hasNext());
+        assertTrue(compAlgs.hasNext());
+        assertEquals(CompressionAlgorithm.ZIP, compAlgs.next());
+        assertFalse(compAlgs.hasNext());
+        assertFalse(compAlgs.hasNext());
+
+        assertEquals("", metadata.getFilename());
+        JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
+        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+    }
+
+    @Test
+    public void testProcessLiteralDataMessage() {
+        MessageMetadata.LiteralData literalData = new MessageMetadata.LiteralData(
+                "collateral_murder.zip",
+                DateUtil.parseUTCDate("2010-04-05 10:12:03 UTC"),
+                StreamEncoding.BINARY);
+        MessageMetadata.Message message = new MessageMetadata.Message();
+        message.setChild(literalData);
+
+        MessageMetadata metadata = new MessageMetadata(message);
+        assertNull(metadata.getCompressionAlgorithm());
+        assertNull(metadata.getEncryptionAlgorithm());
+        assertEquals("collateral_murder.zip", metadata.getFilename());
+        assertEquals(DateUtil.parseUTCDate("2010-04-05 10:12:03 UTC"), metadata.getModificationDate());
+        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index af1fac44..8219ec68 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -1,5 +1,21 @@
 package org.pgpainless.decryption_verification;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.stream.Stream;
+
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.bcpg.CompressionAlgorithmTags;
@@ -11,9 +27,14 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Test;
+import org.junit.JUtils;
+import org.junit.jupiter.api.Named;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
@@ -23,17 +44,7 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import org.pgpainless.util.Tuple;
 
 public class OpenPgpMessageInputStreamTest {
 
@@ -304,107 +315,119 @@ public class OpenPgpMessageInputStreamTest {
         System.out.println(out);
     }
 
-    @Test
-    public void testProcessLIT() throws IOException, PGPException {
-        String plain = processReadBuffered(LIT, ConsumerOptions.get());
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(LIT, ConsumerOptions.get());
-        assertEquals(PLAINTEXT, plain);
+    interface Processor {
+        Tuple process(String armoredMessage, ConsumerOptions options) throws PGPException, IOException;
     }
 
-    @Test
-    public void testProcessLIT_LIT_fails() {
+    private static Stream provideMessageProcessors() {
+        return Stream.of(
+                Arguments.of(Named.of("read(buf,off,len)", (Processor) OpenPgpMessageInputStreamTest::processReadBuffered)),
+                Arguments.of(Named.of("read()", (Processor) OpenPgpMessageInputStreamTest::processReadSequential)));
+    }
+
+    @ParameterizedTest(name = "Process LIT using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessLIT(Processor processor) throws IOException, PGPException {
+        Tuple result = processor.process(LIT, ConsumerOptions.get());
+        String plain = result.getA();
+        assertEquals(PLAINTEXT, plain);
+
+        MessageMetadata metadata = result.getB();
+        assertNull(metadata.getCompressionAlgorithm());
+        assertNull(metadata.getEncryptionAlgorithm());
+        assertEquals("", metadata.getFilename());
+        JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
+        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+    }
+
+    @ParameterizedTest(name = "Process LIT LIT using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessLIT_LIT_fails(Processor processor) {
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> processReadBuffered(LIT_LIT, ConsumerOptions.get()));
+                () -> processor.process(LIT_LIT, ConsumerOptions.get()));
+    }
 
+    @ParameterizedTest(name = "Process COMP(LIT) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessCOMP_LIT(Processor processor) throws PGPException, IOException {
+        Tuple result = processor.process(COMP_LIT, ConsumerOptions.get());
+        String plain = result.getA();
+        assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
+    }
+
+    @ParameterizedTest(name = "Process COMP using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessCOMP_fails(Processor processor) {
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> processReadSequential(LIT_LIT, ConsumerOptions.get()));
+                () -> processor.process(COMP, ConsumerOptions.get()));
     }
 
-    @Test
-    public void testProcessCOMP_LIT() throws PGPException, IOException {
-        String plain = processReadBuffered(COMP_LIT, ConsumerOptions.get());
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(COMP_LIT, ConsumerOptions.get());
+    @ParameterizedTest(name = "Process COMP(COMP(LIT)) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessCOMP_COMP_LIT(Processor processor) throws PGPException, IOException {
+        Tuple result = processor.process(COMP_COMP_LIT, ConsumerOptions.get());
+        String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
+        Iterator compressionAlgorithms = metadata.getCompressionAlgorithms();
+        assertEquals(CompressionAlgorithm.ZIP, compressionAlgorithms.next());
+        assertEquals(CompressionAlgorithm.BZIP2, compressionAlgorithms.next());
+        assertFalse(compressionAlgorithms.hasNext());
     }
 
-    @Test
-    public void testProcessCOMP_fails() {
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> processReadBuffered(COMP, ConsumerOptions.get()));
-
-        assertThrows(MalformedOpenPgpMessageException.class,
-                () -> processReadSequential(COMP, ConsumerOptions.get()));
-    }
-
-    @Test
-    public void testProcessCOMP_COMP_LIT() throws PGPException, IOException {
-        String plain = processReadBuffered(COMP_COMP_LIT, ConsumerOptions.get());
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(COMP_COMP_LIT, ConsumerOptions.get());
-        assertEquals(PLAINTEXT, plain);
-    }
-
-    @Test
-    public void testProcessSIG_LIT() throws PGPException, IOException {
+    @ParameterizedTest(name = "Process SIG LIT using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessSIG_LIT(Processor processor) throws PGPException, IOException {
         PGPPublicKeyRing cert = PGPainless.extractCertificate(
                 PGPainless.readKeyRing().secretKeyRing(KEY));
 
-        String plain = processReadBuffered(SIG_LIT, ConsumerOptions.get()
-                .addVerificationCert(cert));
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(SIG_LIT, ConsumerOptions.get()
+        Tuple result = processor.process(SIG_LIT, ConsumerOptions.get()
                 .addVerificationCert(cert));
+        String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
     }
 
-    @Test
-    public void testProcessSENC_LIT() throws PGPException, IOException {
-        String plain = processReadBuffered(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+    @ParameterizedTest(name = "Process SENC(LIT) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessSENC_LIT(Processor processor) throws PGPException, IOException {
+        Tuple result = processor.process(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
     }
 
-    @Test
-    public void testProcessPENC_COMP_LIT() throws IOException, PGPException {
+    @ParameterizedTest(name = "Process PENC(LIT) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessPENC_COMP_LIT(Processor processor) throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        String plain = processReadBuffered(PENC_COMP_LIT, ConsumerOptions.get()
-                .addDecryptionKey(secretKeys));
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(PENC_COMP_LIT, ConsumerOptions.get()
+        Tuple result = processor.process(PENC_COMP_LIT, ConsumerOptions.get()
                 .addDecryptionKey(secretKeys));
+        String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
     }
 
-    @Test
-    public void testProcessOPS_LIT_SIG() throws IOException, PGPException {
+    @ParameterizedTest(name = "Process OPS LIT SIG using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessOPS_LIT_SIG(Processor processor) throws IOException, PGPException {
         PGPPublicKeyRing cert = PGPainless.extractCertificate(PGPainless.readKeyRing().secretKeyRing(KEY));
-        String plain = processReadBuffered(OPS_LIT_SIG, ConsumerOptions.get()
-                .addVerificationCert(cert));
-        assertEquals(PLAINTEXT, plain);
-
-        plain = processReadSequential(OPS_LIT_SIG, ConsumerOptions.get()
+        Tuple result = processor.process(OPS_LIT_SIG, ConsumerOptions.get()
                 .addVerificationCert(cert));
+        String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
     }
 
-    private String processReadBuffered(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+    private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(in, out);
         in.close();
-        return out.toString();
+        MessageMetadata metadata = in.getMetadata();
+        return new Tuple<>(out.toString(), metadata);
     }
 
-    private String processReadSequential(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+    private static Tuple processReadSequential(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
 
@@ -414,10 +437,11 @@ public class OpenPgpMessageInputStreamTest {
         }
 
         in.close();
-        return out.toString();
+        MessageMetadata metadata = in.getMetadata();
+        return new Tuple<>(out.toString(), metadata);
     }
 
-    private OpenPgpMessageInputStream get(String armored, ConsumerOptions options) throws IOException, PGPException {
+    private static OpenPgpMessageInputStream get(String armored, ConsumerOptions options) throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
         OpenPgpMessageInputStream pgpIn = new OpenPgpMessageInputStream(armorIn, options);

From e25f6e17124e8500d28dd84413f956e0477ca887 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 27 Sep 2022 16:11:55 +0200
Subject: [PATCH 0712/1450] Fix checkstyle issues

---
 .../MessageMetadata.java                      |  6 +-
 .../OpenPgpMessageInputStream.java            | 23 +++----
 .../automaton/InputAlphabet.java              |  4 ++
 .../automaton/PDA.java                        |  4 ++
 .../automaton/StackAlphabet.java              |  4 ++
 .../automaton/package-info.java               |  8 +++
 .../OpenPgpMessageInputStreamTest.java        | 60 +++++++++++--------
 .../TeeBCPGInputStreamTest.java               |  7 ++-
 8 files changed, 75 insertions(+), 41 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 7c09fc8d..cbf251a8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -90,7 +90,7 @@ public class MessageMetadata {
         return (LiteralData) nested;
     }
 
-    public static abstract class Layer {
+    public abstract static class Layer {
         protected final List verifiedSignatures = new ArrayList<>();
         protected final List failedSignatures = new ArrayList<>();
         protected Nested child;
@@ -198,11 +198,11 @@ public class MessageMetadata {
     }
 
 
-    private static abstract class LayerIterator implements Iterator {
+    private abstract static class LayerIterator implements Iterator {
         private Nested current;
         Layer last = null;
 
-        public LayerIterator(Message message) {
+        LayerIterator(Message message) {
             super();
             this.current = message.child;
             if (matches(current)) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 44ebb27e..58699fcd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -50,6 +50,8 @@ import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -60,6 +62,8 @@ import java.util.List;
 
 public class OpenPgpMessageInputStream extends InputStream {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream.class);
+
     protected final PDA automaton = new PDA();
     protected final ConsumerOptions options;
     protected final OpenPgpMetadata.Builder resultBuilder;
@@ -519,7 +523,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         private final PGPOnePassSignatureList list;
         private final List encapsulating;
 
-        public PGPOnePassSignatureListWrapper(PGPOnePassSignatureList signatures, List encapsulating) {
+        PGPOnePassSignatureListWrapper(PGPOnePassSignatureList signatures, List encapsulating) {
             this.list = signatures;
             this.encapsulating = encapsulating;
         }
@@ -529,7 +533,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    private static class Signatures {
+    private static final class Signatures {
         final ConsumerOptions options;
         List detachedSignatures = new ArrayList<>();
         List prependedSignatures = new ArrayList<>();
@@ -551,7 +555,6 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         void addPrependedSignatures(PGPSignatureList signatures) {
-            System.out.println("Adding " + signatures.size() + " prepended Signatures");
             for (PGPSignature signature : signatures) {
                 long keyId = SignatureUtils.determineIssuerKeyId(signature);
                 PGPPublicKeyRing certificate = findCertificate(keyId);
@@ -561,7 +564,6 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         void addOnePassSignatures(PGPOnePassSignatureListWrapper signatures) {
-            System.out.println("Adding " + signatures.size() + " OPSs");
             for (PGPOnePassSignature ops : signatures.list) {
                 PGPPublicKeyRing certificate = findCertificate(ops.getKeyID());
                 initialize(ops, certificate);
@@ -570,7 +572,6 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         void addOnePassCorrespondingSignatures(PGPSignatureList signatures) {
-            System.out.println("Adding " + signatures.size() + " Corresponding Signatures");
             for (PGPSignature signature : signatures) {
                 correspondingSignatures.add(signature);
             }
@@ -631,9 +632,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     verified = detached.verify();
                 } catch (PGPException e) {
-                    System.out.println(e.getMessage());
+                    LOGGER.debug("Cannot verify detached signature.", e);
                 }
-                System.out.println("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                LOGGER.debug("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
 
             for (PGPSignature prepended : prependedSignatures) {
@@ -641,9 +642,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     verified = prepended.verify();
                 } catch (PGPException e) {
-                    System.out.println(e.getMessage());
+                    LOGGER.debug("Cannot verify prepended signature.", e);
                 }
-                System.out.println("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                LOGGER.debug("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
 
 
@@ -654,9 +655,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     verified = ops.verify(signature);
                 } catch (PGPException e) {
-                    System.out.println(e.getMessage());
+                    LOGGER.debug("Cannot verify OPS signature.", e);
                 }
-                System.out.println("One-Pass-Signature by " + Long.toHexString(ops.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                LOGGER.debug("One-Pass-Signature by " + Long.toHexString(ops.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
index d015a4b3..8e795f5b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification.automaton;
 
 import org.bouncycastle.openpgp.PGPCompressedData;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index feb759ea..dda2adce 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification.automaton;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
index 97dad3d8..09865f31 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification.automaton;
 
 public enum StackAlphabet {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java
new file mode 100644
index 00000000..80a79e85
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Pushdown Automaton to verify validity of packet sequences according to the OpenPGP Message format.
+ */
+package org.pgpainless.decryption_verification.automaton;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 8219ec68..6962e279 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -35,6 +35,7 @@ import org.junit.jupiter.params.provider.MethodSource;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
+import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionResult;
 import org.pgpainless.encryption_signing.EncryptionStream;
@@ -118,7 +119,7 @@ public class OpenPgpMessageInputStreamTest {
             "=K9Zl\n" +
             "-----END PGP MESSAGE-----";
 
-    public static final String SIG_LIT = "" +
+    public static final String SIG_COMP_LIT = "" +
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
@@ -235,9 +236,9 @@ public class OpenPgpMessageInputStreamTest {
     }
 
     public static void genKey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
-        System.out.println(PGPainless.asciiArmor(
-                PGPainless.generateKeyRing().modernKeyRing("Alice ")
-        ));
+        PGPainless.asciiArmor(
+                PGPainless.generateKeyRing().modernKeyRing("Alice "),
+                System.out);
     }
 
     public static void genSIG_LIT() throws PGPException, IOException {
@@ -265,54 +266,46 @@ public class OpenPgpMessageInputStreamTest {
         armorOut.close();
 
         String armored = out.toString();
+        // CHECKSTYLE:OFF
         System.out.println(armored
                 .replace("-----BEGIN PGP SIGNATURE-----\n", "-----BEGIN PGP MESSAGE-----\n")
                 .replace("-----END PGP SIGNATURE-----", "-----END PGP MESSAGE-----"));
+        // CHECKSTYLE:ON
     }
 
     public static void genSENC_LIT() throws PGPException, IOException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
         EncryptionStream enc = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
+                .onOutputStream(System.out)
                 .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
                                 .addPassphrase(Passphrase.fromPassword(PASSPHRASE)))
                         .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
         enc.write(PLAINTEXT.getBytes(StandardCharsets.UTF_8));
         enc.close();
-
-        System.out.println(out);
     }
 
     public static void genPENC_COMP_LIT() throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
         PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
         EncryptionStream enc = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
+                .onOutputStream(System.out)
                 .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
                                 .addRecipient(cert))
                         .overrideCompressionAlgorithm(CompressionAlgorithm.ZLIB));
 
         Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
         enc.close();
-
-        System.out.println(out);
     }
 
     public static void genOPS_LIT_SIG() throws PGPException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
 
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
         EncryptionStream enc = PGPainless.encryptAndOrSign()
-                .onOutputStream(out)
+                .onOutputStream(System.out)
                 .withOptions(ProducerOptions.sign(SigningOptions.get()
                         .addSignature(SecretKeyRingProtector.unprotectedKeys(), secretKeys))
                         .overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED));
         Streams.pipeAll(new ByteArrayInputStream(PLAINTEXT.getBytes(StandardCharsets.UTF_8)), enc);
         enc.close();
-
-        System.out.println(out);
     }
 
     interface Processor {
@@ -322,7 +315,8 @@ public class OpenPgpMessageInputStreamTest {
     private static Stream provideMessageProcessors() {
         return Stream.of(
                 Arguments.of(Named.of("read(buf,off,len)", (Processor) OpenPgpMessageInputStreamTest::processReadBuffered)),
-                Arguments.of(Named.of("read()", (Processor) OpenPgpMessageInputStreamTest::processReadSequential)));
+                Arguments.of(Named.of("read()", (Processor) OpenPgpMessageInputStreamTest::processReadSequential))
+        );
     }
 
     @ParameterizedTest(name = "Process LIT using {0}")
@@ -349,7 +343,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process COMP(LIT) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessCOMP_LIT(Processor processor) throws PGPException, IOException {
+    public void testProcessCOMP_LIT(Processor processor)
+            throws PGPException, IOException {
         Tuple result = processor.process(COMP_LIT, ConsumerOptions.get());
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
@@ -366,7 +361,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process COMP(COMP(LIT)) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessCOMP_COMP_LIT(Processor processor) throws PGPException, IOException {
+    public void testProcessCOMP_COMP_LIT(Processor processor)
+            throws PGPException, IOException {
         Tuple result = processor.process(COMP_COMP_LIT, ConsumerOptions.get());
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
@@ -376,29 +372,37 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(CompressionAlgorithm.ZIP, compressionAlgorithms.next());
         assertEquals(CompressionAlgorithm.BZIP2, compressionAlgorithms.next());
         assertFalse(compressionAlgorithms.hasNext());
+        assertNull(metadata.getEncryptionAlgorithm());
     }
 
-    @ParameterizedTest(name = "Process SIG LIT using {0}")
+    @ParameterizedTest(name = "Process SIG COMP(LIT) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessSIG_LIT(Processor processor) throws PGPException, IOException {
+    public void testProcessSIG_COMP_LIT(Processor processor) throws PGPException, IOException {
         PGPPublicKeyRing cert = PGPainless.extractCertificate(
                 PGPainless.readKeyRing().secretKeyRing(KEY));
 
-        Tuple result = processor.process(SIG_LIT, ConsumerOptions.get()
+        Tuple result = processor.process(SIG_COMP_LIT, ConsumerOptions.get()
                 .addVerificationCert(cert));
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
+        assertNull(metadata.getEncryptionAlgorithm());
     }
 
     @ParameterizedTest(name = "Process SENC(LIT) using {0}")
     @MethodSource("provideMessageProcessors")
     public void testProcessSENC_LIT(Processor processor) throws PGPException, IOException {
-        Tuple result = processor.process(SENC_LIT, ConsumerOptions.get().addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        Tuple result = processor.process(SENC_LIT, ConsumerOptions.get()
+                .addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertNull(metadata.getCompressionAlgorithm());
+        assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
     }
 
-    @ParameterizedTest(name = "Process PENC(LIT) using {0}")
+    @ParameterizedTest(name = "Process PENC(COMP(LIT)) using {0}")
     @MethodSource("provideMessageProcessors")
     public void testProcessPENC_COMP_LIT(Processor processor) throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
@@ -406,6 +410,9 @@ public class OpenPgpMessageInputStreamTest {
                 .addDecryptionKey(secretKeys));
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
+        assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
     }
 
     @ParameterizedTest(name = "Process OPS LIT SIG using {0}")
@@ -416,6 +423,9 @@ public class OpenPgpMessageInputStreamTest {
                 .addVerificationCert(cert));
         String plain = result.getA();
         assertEquals(PLAINTEXT, plain);
+        MessageMetadata metadata = result.getB();
+        assertNull(metadata.getEncryptionAlgorithm());
+        assertNull(metadata.getCompressionAlgorithm());
     }
 
     private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
index 765221d3..d31c6009 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
@@ -9,6 +9,8 @@ import org.bouncycastle.openpgp.PGPException;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.util.ArmoredInputStreamFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -18,6 +20,7 @@ import java.nio.charset.StandardCharsets;
 
 public class TeeBCPGInputStreamTest {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(TeeBCPGInputStreamTest.class);
     private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -48,11 +51,11 @@ public class TeeBCPGInputStreamTest {
 
         int tag;
         while ((tag = nestedTeeIn.nextPacketTag()) != -1) {
-            System.out.println(OpenPgpPacket.requireFromTag(tag));
+            LOGGER.debug(OpenPgpPacket.requireFromTag(tag).toString());
             Packet packet = nestedTeeIn.readPacket();
         }
 
         nestedArmorOut.close();
-        System.out.println(nestedOut);
+        LOGGER.debug(nestedOut.toString());
     }
 }

From 45555bf82de7e366a99dcc2ac30cad5092f56601 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 28 Sep 2022 16:55:08 +0200
Subject: [PATCH 0713/1450] Wip: Work on OPS verification

---
 .../OpenPgpMessageInputStream.java            | 200 ++++++++++++------
 1 file changed, 133 insertions(+), 67 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 58699fcd..df3d6805 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -56,6 +56,7 @@ import org.slf4j.LoggerFactory;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -64,15 +65,19 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream.class);
 
-    protected final PDA automaton = new PDA();
+    // Options to consume the data
     protected final ConsumerOptions options;
     protected final OpenPgpMetadata.Builder resultBuilder;
-    protected final BCPGInputStream bcpgIn;
-    protected InputStream in;
+    // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
+    protected final PDA automaton = new PDA();
+    // InputStream of OpenPGP packets of the current layer
+    protected final BCPGInputStream packetInputStream;
+    // InputStream of a nested data packet
+    protected InputStream nestedInputStream;
 
     private boolean closed = false;
 
-    private Signatures signatures;
+    private final Signatures signatures;
     private MessageMetadata.Layer metadata;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
@@ -82,31 +87,45 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, MessageMetadata.Layer metadata)
             throws PGPException, IOException {
-        // TODO: Use BCPGInputStream.wrap(inputStream);
-        if (inputStream instanceof BCPGInputStream) {
-            this.bcpgIn = (BCPGInputStream) inputStream;
-        } else {
-            this.bcpgIn = new BCPGInputStream(inputStream);
-        }
 
         this.options = options;
         this.metadata = metadata;
         this.resultBuilder = OpenPgpMetadata.getBuilder();
         this.signatures = new Signatures(options);
-        this.signatures.addDetachedSignatures(options.getDetachedSignatures());
 
-        consumePackets(); // nom nom nom
+        // Add detached signatures only on the outermost OpenPgpMessageInputStream
+        if (metadata instanceof MessageMetadata.Message) {
+            this.signatures.addDetachedSignatures(options.getDetachedSignatures());
+        }
+
+        // TODO: Use BCPGInputStream.wrap(inputStream);
+        BCPGInputStream bcpg = null;
+        if (inputStream instanceof BCPGInputStream) {
+            bcpg = (BCPGInputStream) inputStream;
+        } else {
+            bcpg = new BCPGInputStream(inputStream);
+        }
+        this.packetInputStream = new TeeBCPGInputStream(bcpg, signatures);
+
+        // *omnomnom*
+        consumePackets();
     }
 
     /**
-     * This method consumes OpenPGP packets from the current {@link BCPGInputStream}.
-     * Once it reaches a "nested" OpenPGP packet (Literal Data, Compressed Data, Encrypted Data), it sets 
in

-     * to the nested stream and breaks the loop.
+     * Consume OpenPGP packets from the current {@link BCPGInputStream}.
+     * Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
+     * set 
nestedInputStream
 to the nested stream and breaks the loop.
      * The nested stream is either a simple {@link InputStream} (in case of Literal Data), or another
      * {@link OpenPgpMessageInputStream} in case of Compressed and Encrypted Data.
+     * Once the nested data is processed, this method is called again to consume the remainder
+     * of packets following the nested data packet.
      *
-     * @throws IOException
-     * @throws PGPException
+     * @throws IOException in case of an IO error
+     * @throws PGPException in case of an OpenPGP error
+     * @throws MissingDecryptionMethodException if there is an encrypted data packet which cannot be decrypted
+     * due to missing decryption methods (no key, no password, no sessionkey)
+     * @throws MalformedOpenPgpMessageException if the message is made of an invalid packet sequence which
+     * does not follow the packet syntax of RFC4880.
      */
     private void consumePackets()
             throws IOException, PGPException {
@@ -127,17 +146,23 @@ public class OpenPgpMessageInputStream extends InputStream {
                     processCompressedData();
                     break loop;
 
-                // One Pass Signatures
+                // One Pass Signature
                 case OPS:
                     automaton.next(InputAlphabet.OnePassSignatures);
-                    signatures.addOnePassSignatures(readOnePassSignatures());
+                    signatures.addOnePassSignature(readOnePassSignature());
+                    // signatures.addOnePassSignatures(readOnePassSignatures());
                     break;
 
-                // Signatures - either prepended to the message, or corresponding to the One Pass Signatures
+                // Signature - either prepended to the message, or corresponding to a One Pass Signature
                 case SIG:
                     boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
-                    processSignature(isSigForOPS);
+                    PGPSignature signature = readSignature();
+                    processSignature(signature, isSigForOPS);
+                    /*
+                    PGPSignatureList signatureList = readSignatures();
+                    processSignatures(signatureList, isSigForOPS);
+                     */
                     break;
 
                 // Encrypted Data (ESKs and SED/SEIPD are parsed the same by BC)
@@ -154,7 +179,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                 // Marker Packets need to be skipped and ignored
                 case MARKER:
-                    bcpgIn.readPacket(); // skip
+                    packetInputStream.readPacket(); // skip
                     break;
 
                 // Key Packets are illegal in this context
@@ -182,8 +207,15 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    private void processSignature(boolean isSigForOPS) throws IOException {
-        PGPSignatureList signatureList = readSignatures();
+    private void processSignature(PGPSignature signature, boolean isSigForOPS) {
+        if (isSigForOPS) {
+            signatures.addOnePassCorrespondingSignature(signature);
+        } else {
+            signatures.addPrependedSignature(signature);
+        }
+    }
+
+    private void processSignatures(PGPSignatureList signatureList, boolean isSigForOPS) throws IOException {
         if (isSigForOPS) {
             signatures.addOnePassCorrespondingSignatures(signatureList);
         } else {
@@ -192,21 +224,21 @@ public class OpenPgpMessageInputStream extends InputStream {
     }
 
     private void processCompressedData() throws IOException, PGPException {
-        PGPCompressedData compressedData = new PGPCompressedData(bcpgIn);
+        PGPCompressedData compressedData = new PGPCompressedData(packetInputStream);
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
-        in = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
+        nestedInputStream = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
     }
 
     private void processLiteralData() throws IOException {
-        PGPLiteralData literalData = new PGPLiteralData(bcpgIn);
+        PGPLiteralData literalData = new PGPLiteralData(packetInputStream);
         this.metadata.setChild(new MessageMetadata.LiteralData(literalData.getFileName(), literalData.getModificationTime(),
                 StreamEncoding.requireFromCode(literalData.getFormat())));
-        in = literalData.getDataStream();
+        nestedInputStream = literalData.getDataStream();
     }
 
     private boolean processEncryptedData() throws IOException, PGPException {
-        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(bcpgIn);
+        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
         if (!encDataList.get(0).isIntegrityProtected()) {
@@ -225,11 +257,11 @@ public class OpenPgpMessageInputStream extends InputStream {
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(options.getSessionKey().getAlgorithm());
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
-                    in = new OpenPgpMessageInputStream(skesk.getDataStream(decryptorFactory), options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(skesk.getDataStream(decryptorFactory), options, encryptedData);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
-                    in = new OpenPgpMessageInputStream(pkesk.getDataStream(decryptorFactory), options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(pkesk.getDataStream(decryptorFactory), options, encryptedData);
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
@@ -248,7 +280,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(skesk.getSymmetricAlgorithm(decryptorFactory)));
-                    in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // password mismatch? Try next password
@@ -274,7 +306,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
-                in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+                nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                 return true;
             } catch (PGPException e) {
                 // hm :/
@@ -293,7 +325,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
-                    in = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // hm :/
@@ -307,7 +339,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private int nextTag() throws IOException {
         try {
-            return bcpgIn.nextPacketTag();
+            return packetInputStream.nextPacketTag();
         } catch (IOException e) {
             if ("Stream closed".equals(e.getMessage())) {
                 // ZipInflater Streams sometimes close under our feet -.-
@@ -345,13 +377,23 @@ public class OpenPgpMessageInputStream extends InputStream {
         return null;
     }
 
+    private PGPOnePassSignature readOnePassSignature()
+            throws PGPException, IOException {
+        return new PGPOnePassSignature(packetInputStream);
+    }
+
+    private PGPSignature readSignature()
+            throws PGPException, IOException {
+        return new PGPSignature(packetInputStream);
+    }
+
     private PGPOnePassSignatureListWrapper readOnePassSignatures() throws IOException {
         List encapsulating = new ArrayList<>();
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag;
         while ((tag = nextTag()) == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
-            Packet packet = bcpgIn.readPacket();
+            Packet packet = packetInputStream.readPacket();
             if (tag == PacketTags.ONE_PASS_SIGNATURE) {
                 OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
                 byte[] bytes = sigPacket.getEncoded();
@@ -371,7 +413,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag = nextTag();
         while (tag == PacketTags.SIGNATURE || tag == PacketTags.MARKER) {
-            Packet packet = bcpgIn.readPacket();
+            Packet packet = packetInputStream.readPacket();
             if (tag == PacketTags.SIGNATURE) {
                 SignaturePacket sigPacket = (SignaturePacket) packet;
                 sigPacket.encode(bcpgOut);
@@ -387,14 +429,14 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     @Override
     public int read() throws IOException {
-        if (in == null) {
+        if (nestedInputStream == null) {
             automaton.assertValid();
             return -1;
         }
 
         int r;
         try {
-            r = in.read();
+            r = nestedInputStream.read();
         } catch (IOException e) {
             r = -1;
         }
@@ -403,9 +445,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             byte b = (byte) r;
             signatures.update(b);
         } else {
-            in.close();
+            nestedInputStream.close();
             collectMetadata();
-            in = null;
+            nestedInputStream = null;
 
             try {
                 consumePackets();
@@ -421,16 +463,16 @@ public class OpenPgpMessageInputStream extends InputStream {
     public int read(byte[] b, int off, int len)
             throws IOException {
 
-        if (in == null) {
+        if (nestedInputStream == null) {
             automaton.assertValid();
             return -1;
         }
 
-        int r = in.read(b, off, len);
+        int r = nestedInputStream.read(b, off, len);
         if (r == -1) {
-            in.close();
+            nestedInputStream.close();
             collectMetadata();
-            in = null;
+            nestedInputStream = null;
 
             try {
                 consumePackets();
@@ -449,10 +491,10 @@ public class OpenPgpMessageInputStream extends InputStream {
             return;
         }
 
-        if (in != null) {
-            in.close();
+        if (nestedInputStream != null) {
+            nestedInputStream.close();
             collectMetadata();
-            in = null;
+            nestedInputStream = null;
         }
 
         try {
@@ -467,8 +509,8 @@ public class OpenPgpMessageInputStream extends InputStream {
     }
 
     private void collectMetadata() {
-        if (in instanceof OpenPgpMessageInputStream) {
-            OpenPgpMessageInputStream child = (OpenPgpMessageInputStream) in;
+        if (nestedInputStream instanceof OpenPgpMessageInputStream) {
+            OpenPgpMessageInputStream child = (OpenPgpMessageInputStream) nestedInputStream;
             MessageMetadata.Layer childLayer = child.metadata;
             this.metadata.setChild((MessageMetadata.Nested) childLayer);
         }
@@ -533,13 +575,14 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    private static final class Signatures {
+    private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
         List detachedSignatures = new ArrayList<>();
         List prependedSignatures = new ArrayList<>();
-        List onePassSignatures = new ArrayList<>();
+        List> onePassSignatures = new ArrayList<>();
         List correspondingSignatures = new ArrayList<>();
 
+        boolean lastOpsIsContaining = true;
 
         private Signatures(ConsumerOptions options) {
             this.options = options;
@@ -547,28 +590,44 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         void addDetachedSignatures(Collection signatures) {
             for (PGPSignature signature : signatures) {
-                long keyId = SignatureUtils.determineIssuerKeyId(signature);
-                PGPPublicKeyRing certificate = findCertificate(keyId);
-                initialize(signature, certificate, keyId);
+                addDetachedSignature(signature);
             }
-            this.detachedSignatures.addAll(signatures);
+        }
+
+        void addDetachedSignature(PGPSignature signature) {
+            long keyId = SignatureUtils.determineIssuerKeyId(signature);
+            PGPPublicKeyRing certificate = findCertificate(keyId);
+            initialize(signature, certificate, keyId);
+            this.detachedSignatures.add(signature);
         }
 
         void addPrependedSignatures(PGPSignatureList signatures) {
             for (PGPSignature signature : signatures) {
-                long keyId = SignatureUtils.determineIssuerKeyId(signature);
-                PGPPublicKeyRing certificate = findCertificate(keyId);
-                initialize(signature, certificate, keyId);
-                this.prependedSignatures.add(signature);
+                addPrependedSignature(signature);
             }
         }
 
-        void addOnePassSignatures(PGPOnePassSignatureListWrapper signatures) {
-            for (PGPOnePassSignature ops : signatures.list) {
-                PGPPublicKeyRing certificate = findCertificate(ops.getKeyID());
-                initialize(ops, certificate);
-                this.onePassSignatures.add(ops);
+        void addPrependedSignature(PGPSignature signature) {
+            long keyId = SignatureUtils.determineIssuerKeyId(signature);
+            PGPPublicKeyRing certificate = findCertificate(keyId);
+            initialize(signature, certificate, keyId);
+            this.prependedSignatures.add(signature);
+        }
+
+        void addOnePassSignature(PGPOnePassSignature signature) {
+            List list;
+            if (lastOpsIsContaining) {
+                list = new ArrayList<>();
+                onePassSignatures.add(list);
+            } else {
+                list = onePassSignatures.get(onePassSignatures.size() - 1);
             }
+
+            PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
+            initialize(signature, certificate);
+            list.add(signature);
+
+            // lastOpsIsContaining = signature.isContaining();
         }
 
         void addOnePassCorrespondingSignatures(PGPSignatureList signatures) {
@@ -618,8 +677,10 @@ public class OpenPgpMessageInputStream extends InputStream {
             for (PGPSignature prepended : prependedSignatures) {
                 prepended.update(b);
             }
-            for (PGPOnePassSignature ops : onePassSignatures) {
-                ops.update(b);
+            for (List opss : onePassSignatures) {
+                for (PGPOnePassSignature ops : opss) {
+                    ops.update(b);
+                }
             }
             for (PGPSignature detached : detachedSignatures) {
                 detached.update(b);
@@ -660,5 +721,10 @@ public class OpenPgpMessageInputStream extends InputStream {
                 LOGGER.debug("One-Pass-Signature by " + Long.toHexString(ops.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
         }
+
+        @Override
+        public void write(int b) throws IOException {
+            update((byte) b);
+        }
     }
 }

From 4e44691ef68295f96fdf6ae23456a414fe4f41c8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 28 Sep 2022 17:38:20 +0200
Subject: [PATCH 0714/1450] Wip

---
 .../OpenPgpMessageInputStream.java                 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index df3d6805..36de2635 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -60,6 +60,7 @@ import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.Stack;
 
 public class OpenPgpMessageInputStream extends InputStream {
 
@@ -577,15 +578,20 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
-        List detachedSignatures = new ArrayList<>();
-        List prependedSignatures = new ArrayList<>();
-        List> onePassSignatures = new ArrayList<>();
-        List correspondingSignatures = new ArrayList<>();
+        final List detachedSignatures;
+        final List prependedSignatures;
+        final Stack> onePassSignatures;
+        final List correspondingSignatures;
 
         boolean lastOpsIsContaining = true;
 
         private Signatures(ConsumerOptions options) {
             this.options = options;
+            this.detachedSignatures = new ArrayList<>();
+            this.prependedSignatures = new ArrayList<>();
+            this.onePassSignatures = new Stack<>();
+            onePassSignatures.push(new ArrayList<>());
+            this.correspondingSignatures = new ArrayList<>();
         }
 
         void addDetachedSignatures(Collection signatures) {

From ec28ba2924667a5ff3719f51c941f57a9275ca98 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 00:15:18 +0200
Subject: [PATCH 0715/1450] SIGNATURE VERIFICATION IN OPENPGP SUCKS BIG TIME

---
 .../OpenPgpMessageInputStream.java            | 198 ++++++++++--------
 .../OpenPgpMessageInputStreamTest.java        |  22 +-
 2 files changed, 128 insertions(+), 92 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 36de2635..a1364997 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -48,6 +48,7 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.SignatureUtils;
+import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
 import org.slf4j.Logger;
@@ -138,19 +139,25 @@ public class OpenPgpMessageInputStream extends InputStream {
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
+                    signatures.commitNested();
                     processLiteralData();
                     break loop;
 
                 // Compressed Data - the content contains another OpenPGP message
                 case COMP:
                     automaton.next(InputAlphabet.CompressedData);
+                    signatures.commitNested();
                     processCompressedData();
                     break loop;
 
                 // One Pass Signature
                 case OPS:
                     automaton.next(InputAlphabet.OnePassSignatures);
-                    signatures.addOnePassSignature(readOnePassSignature());
+                    // signatures.addOnePassSignature(readOnePassSignature());
+                    PGPOnePassSignatureList onePassSignatureList = readOnePassSignatures();
+                    for (PGPOnePassSignature ops : onePassSignatureList) {
+                        signatures.addOnePassSignature(ops);
+                    }
                     // signatures.addOnePassSignatures(readOnePassSignatures());
                     break;
 
@@ -158,12 +165,15 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case SIG:
                     boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
-                    PGPSignature signature = readSignature();
-                    processSignature(signature, isSigForOPS);
-                    /*
+
+                    // PGPSignature signature = readSignature();
+                    // processSignature(signature, isSigForOPS);
+
                     PGPSignatureList signatureList = readSignatures();
-                    processSignatures(signatureList, isSigForOPS);
-                     */
+                    for (PGPSignature signature : signatureList) {
+                        processSignature(signature, isSigForOPS);
+                    }
+
                     break;
 
                 // Encrypted Data (ESKs and SED/SEIPD are parsed the same by BC)
@@ -178,7 +188,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                     throw new MissingDecryptionMethodException("No working decryption method found.");
 
-                // Marker Packets need to be skipped and ignored
+                    // Marker Packets need to be skipped and ignored
                 case MARKER:
                     packetInputStream.readPacket(); // skip
                     break;
@@ -193,8 +203,8 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case UATTR:
                     throw new MalformedOpenPgpMessageException("Illegal Packet in Stream: " + nextPacket);
 
-                // MDC packet is usually processed by PGPEncryptedDataList, so it is very likely we encounter this
-                //  packet out of order
+                    // MDC packet is usually processed by PGPEncryptedDataList, so it is very likely we encounter this
+                    //  packet out of order
                 case MDC:
                     throw new MalformedOpenPgpMessageException("Unexpected Packet in Stream: " + nextPacket);
 
@@ -210,20 +220,12 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private void processSignature(PGPSignature signature, boolean isSigForOPS) {
         if (isSigForOPS) {
-            signatures.addOnePassCorrespondingSignature(signature);
+            signatures.addCorrespondingOnePassSignature(signature);
         } else {
             signatures.addPrependedSignature(signature);
         }
     }
 
-    private void processSignatures(PGPSignatureList signatureList, boolean isSigForOPS) throws IOException {
-        if (isSigForOPS) {
-            signatures.addOnePassCorrespondingSignatures(signatureList);
-        } else {
-            signatures.addPrependedSignatures(signatureList);
-        }
-    }
-
     private void processCompressedData() throws IOException, PGPException {
         PGPCompressedData compressedData = new PGPCompressedData(packetInputStream);
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
@@ -380,16 +382,17 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private PGPOnePassSignature readOnePassSignature()
             throws PGPException, IOException {
-        return new PGPOnePassSignature(packetInputStream);
+        //return new PGPOnePassSignature(packetInputStream);
+        return null;
     }
 
     private PGPSignature readSignature()
             throws PGPException, IOException {
-        return new PGPSignature(packetInputStream);
+        //return new PGPSignature(packetInputStream);
+        return null;
     }
 
-    private PGPOnePassSignatureListWrapper readOnePassSignatures() throws IOException {
-        List encapsulating = new ArrayList<>();
+    private PGPOnePassSignatureList readOnePassSignatures() throws IOException {
         ByteArrayOutputStream buf = new ByteArrayOutputStream();
         BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
         int tag;
@@ -398,7 +401,6 @@ public class OpenPgpMessageInputStream extends InputStream {
             if (tag == PacketTags.ONE_PASS_SIGNATURE) {
                 OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
                 byte[] bytes = sigPacket.getEncoded();
-                encapsulating.add(bytes[bytes.length - 1] == 1);
                 bcpgOut.write(bytes);
             }
         }
@@ -406,7 +408,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
         PGPOnePassSignatureList signatureList = (PGPOnePassSignatureList) objectFactory.nextObject();
-        return new PGPOnePassSignatureListWrapper(signatureList, encapsulating);
+        return signatureList;
     }
 
     private PGPSignatureList readSignatures() throws IOException {
@@ -449,6 +451,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             nestedInputStream.close();
             collectMetadata();
             nestedInputStream = null;
+            signatures.popNested();
 
             try {
                 consumePackets();
@@ -474,6 +477,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             nestedInputStream.close();
             collectMetadata();
             nestedInputStream = null;
+            signatures.popNested();
 
             try {
                 consumePackets();
@@ -556,41 +560,29 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    /**
-     * Workaround for BC not exposing, whether an OPS is encapsulating or not.
-     * TODO: Remove once our PR is merged
-     *
-     * @see PR against BC
-     */
-    private static class PGPOnePassSignatureListWrapper {
-        private final PGPOnePassSignatureList list;
-        private final List encapsulating;
-
-        PGPOnePassSignatureListWrapper(PGPOnePassSignatureList signatures, List encapsulating) {
-            this.list = signatures;
-            this.encapsulating = encapsulating;
-        }
-
-        public int size() {
-            return list.size();
-        }
-    }
-
+    // TODO: In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
+    //  In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
+    //  Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
+    //  For this we might want to provide two update entries into the Signatures class, one for OpenPGP packets and one
+    //  for literal data. UUUUUGLY!!!!
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
         final List detachedSignatures;
         final List prependedSignatures;
-        final Stack> onePassSignatures;
+        final List onePassSignatures;
+        final Stack> opsUpdateStack;
         final List correspondingSignatures;
 
-        boolean lastOpsIsContaining = true;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        List opsCurrentNesting = new ArrayList<>();
 
         private Signatures(ConsumerOptions options) {
             this.options = options;
             this.detachedSignatures = new ArrayList<>();
             this.prependedSignatures = new ArrayList<>();
-            this.onePassSignatures = new Stack<>();
-            onePassSignatures.push(new ArrayList<>());
+            this.onePassSignatures = new ArrayList<>();
+            this.opsUpdateStack = new Stack<>();
             this.correspondingSignatures = new ArrayList<>();
         }
 
@@ -607,12 +599,6 @@ public class OpenPgpMessageInputStream extends InputStream {
             this.detachedSignatures.add(signature);
         }
 
-        void addPrependedSignatures(PGPSignatureList signatures) {
-            for (PGPSignature signature : signatures) {
-                addPrependedSignature(signature);
-            }
-        }
-
         void addPrependedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
@@ -621,27 +607,61 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
-            List list;
-            if (lastOpsIsContaining) {
-                list = new ArrayList<>();
-                onePassSignatures.add(list);
-            } else {
-                list = onePassSignatures.get(onePassSignatures.size() - 1);
-            }
-
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
             initialize(signature, certificate);
-            list.add(signature);
+            onePassSignatures.add(signature);
 
-            // lastOpsIsContaining = signature.isContaining();
+            opsCurrentNesting.add(signature);
+            if (isContaining(signature)) {
+                commitNested();
+            }
         }
 
-        void addOnePassCorrespondingSignatures(PGPSignatureList signatures) {
-            for (PGPSignature signature : signatures) {
-                correspondingSignatures.add(signature);
+        boolean isContaining(PGPOnePassSignature ops) {
+            try {
+                byte[] bytes = ops.getEncoded();
+                return bytes[bytes.length - 1] == 1;
+            } catch (IOException e) {
+                return false;
             }
         }
 
+        void addCorrespondingOnePassSignature(PGPSignature signature) {
+            for (PGPOnePassSignature onePassSignature : onePassSignatures) {
+                if (onePassSignature.getKeyID() != signature.getKeyID()) {
+                    continue;
+                }
+
+                boolean verified = false;
+                try {
+                    verified = onePassSignature.verify(signature);
+                } catch (PGPException e) {
+                    log("Cannot verify OPS signature.", e);
+                }
+                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                try {
+                    log(ArmorUtils.toAsciiArmoredString(out.toByteArray()));
+                } catch (IOException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        }
+
+        void commitNested() {
+            if (opsCurrentNesting.isEmpty()) {
+                return;
+            }
+
+            log("Committing " + opsCurrentNesting.size() + " OPS sigs for updating");
+            opsUpdateStack.push(opsCurrentNesting);
+            opsCurrentNesting = new ArrayList<>();
+        }
+
+        void popNested() {
+            log("Popping nested");
+            opsUpdateStack.pop();
+        }
+
         private void initialize(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
             if (certificate == null) {
                 // SHIT
@@ -680,14 +700,21 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         public void update(byte b) {
+            if (!opsUpdateStack.isEmpty()) {
+                log("Update");
+                out.write(b);
+            }
+
             for (PGPSignature prepended : prependedSignatures) {
                 prepended.update(b);
             }
-            for (List opss : onePassSignatures) {
+
+            for (List opss : opsUpdateStack) {
                 for (PGPOnePassSignature ops : opss) {
                     ops.update(b);
                 }
             }
+
             for (PGPSignature detached : detachedSignatures) {
                 detached.update(b);
             }
@@ -699,9 +726,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     verified = detached.verify();
                 } catch (PGPException e) {
-                    LOGGER.debug("Cannot verify detached signature.", e);
+                    log("Cannot verify detached signature.", e);
                 }
-                LOGGER.debug("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                log("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
 
             for (PGPSignature prepended : prependedSignatures) {
@@ -709,22 +736,9 @@ public class OpenPgpMessageInputStream extends InputStream {
                 try {
                     verified = prepended.verify();
                 } catch (PGPException e) {
-                    LOGGER.debug("Cannot verify prepended signature.", e);
+                    log("Cannot verify prepended signature.", e);
                 }
-                LOGGER.debug("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-            }
-
-
-            for (int i = 0; i < onePassSignatures.size(); i++) {
-                PGPOnePassSignature ops = onePassSignatures.get(i);
-                PGPSignature signature = correspondingSignatures.get(correspondingSignatures.size() - i - 1);
-                boolean verified = false;
-                try {
-                    verified = ops.verify(signature);
-                } catch (PGPException e) {
-                    LOGGER.debug("Cannot verify OPS signature.", e);
-                }
-                LOGGER.debug("One-Pass-Signature by " + Long.toHexString(ops.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                log("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
             }
         }
 
@@ -733,4 +747,18 @@ public class OpenPgpMessageInputStream extends InputStream {
             update((byte) b);
         }
     }
+
+    static void log(String message) {
+        LOGGER.debug(message);
+        // CHECKSTYLE:OFF
+        System.out.println(message);
+        // CHECKSTYLE:ON
+    }
+
+    static void log(String message, Throwable e) {
+        log(message);
+        // CHECKSTYLE:OFF
+        e.printStackTrace();
+        // CHECKSTYLE:ON
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 6962e279..e52a6016 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -4,6 +4,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -377,7 +378,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process SIG COMP(LIT) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessSIG_COMP_LIT(Processor processor) throws PGPException, IOException {
+    public void testProcessSIG_COMP_LIT(Processor processor)
+            throws PGPException, IOException {
         PGPPublicKeyRing cert = PGPainless.extractCertificate(
                 PGPainless.readKeyRing().secretKeyRing(KEY));
 
@@ -392,7 +394,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process SENC(LIT) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessSENC_LIT(Processor processor) throws PGPException, IOException {
+    public void testProcessSENC_LIT(Processor processor)
+            throws PGPException, IOException {
         Tuple result = processor.process(SENC_LIT, ConsumerOptions.get()
                 .addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
         String plain = result.getA();
@@ -404,7 +407,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process PENC(COMP(LIT)) using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessPENC_COMP_LIT(Processor processor) throws IOException, PGPException {
+    public void testProcessPENC_COMP_LIT(Processor processor)
+            throws IOException, PGPException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
         Tuple result = processor.process(PENC_COMP_LIT, ConsumerOptions.get()
                 .addDecryptionKey(secretKeys));
@@ -417,7 +421,8 @@ public class OpenPgpMessageInputStreamTest {
 
     @ParameterizedTest(name = "Process OPS LIT SIG using {0}")
     @MethodSource("provideMessageProcessors")
-    public void testProcessOPS_LIT_SIG(Processor processor) throws IOException, PGPException {
+    public void testProcessOPS_LIT_SIG(Processor processor)
+            throws IOException, PGPException {
         PGPPublicKeyRing cert = PGPainless.extractCertificate(PGPainless.readKeyRing().secretKeyRing(KEY));
         Tuple result = processor.process(OPS_LIT_SIG, ConsumerOptions.get()
                 .addVerificationCert(cert));
@@ -428,7 +433,8 @@ public class OpenPgpMessageInputStreamTest {
         assertNull(metadata.getCompressionAlgorithm());
     }
 
-    private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+    private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options)
+            throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(in, out);
@@ -437,7 +443,8 @@ public class OpenPgpMessageInputStreamTest {
         return new Tuple<>(out.toString(), metadata);
     }
 
-    private static Tuple processReadSequential(String armoredMessage, ConsumerOptions options) throws PGPException, IOException {
+    private static Tuple processReadSequential(String armoredMessage, ConsumerOptions options)
+            throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
         ByteArrayOutputStream out = new ByteArrayOutputStream();
 
@@ -451,7 +458,8 @@ public class OpenPgpMessageInputStreamTest {
         return new Tuple<>(out.toString(), metadata);
     }
 
-    private static OpenPgpMessageInputStream get(String armored, ConsumerOptions options) throws IOException, PGPException {
+    private static OpenPgpMessageInputStream get(String armored, ConsumerOptions options)
+            throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
         OpenPgpMessageInputStream pgpIn = new OpenPgpMessageInputStream(armorIn, options);

From 527aab922ee3f8cd1982a1f6083472e2bd83135f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 12:33:08 +0200
Subject: [PATCH 0716/1450] Fix ModificationDetectionException by not calling
 PGPUtil.getDecoderStream()

---
 .../DecryptionStreamFactory.java                       | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index a787280a..07be7c10 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -36,7 +36,6 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
-import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
@@ -241,14 +240,12 @@ public final class DecryptionStreamFactory {
         SessionKey sessionKey = options.getSessionKey();
         if (sessionKey != null) {
             integrityProtectedEncryptedInputStream = decryptWithProvidedSessionKey(pgpEncryptedDataList, sessionKey);
-            InputStream decodedDataStream = PGPUtil.getDecoderStream(integrityProtectedEncryptedInputStream);
-            PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream);
+            PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(integrityProtectedEncryptedInputStream);
             return processPGPPackets(factory, ++depth);
         }
 
         InputStream decryptedDataStream = decryptSessionKey(pgpEncryptedDataList);
-        InputStream decodedDataStream = PGPUtil.getDecoderStream(decryptedDataStream);
-        PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream);
+        PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decryptedDataStream);
         return processPGPPackets(factory, ++depth);
     }
 
@@ -299,8 +296,7 @@ public final class DecryptionStreamFactory {
         }
 
         InputStream inflatedDataStream = pgpCompressedData.getDataStream();
-        InputStream decodedDataStream = PGPUtil.getDecoderStream(inflatedDataStream);
-        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decodedDataStream);
+        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(inflatedDataStream);
 
         return processPGPPackets(objectFactory, ++depth);
     }

From 81bb8cba54c5d5040785e8e12829525acbf8ef71 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 12:50:32 +0200
Subject: [PATCH 0717/1450] Use BCs Arrays.constantTimeAreEqual(char[], char[])

---
 .../main/java/org/pgpainless/util/BCUtil.java | 54 -------------------
 .../java/org/pgpainless/util/Passphrase.java  |  4 +-
 .../java/org/pgpainless/util/BCUtilTest.java  | 17 +++---
 3 files changed, 10 insertions(+), 65 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
deleted file mode 100644
index bb811cea..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/util/BCUtil.java
+++ /dev/null
@@ -1,54 +0,0 @@
-// SPDX-FileCopyrightText: 2018 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.util;
-
-public final class BCUtil {
-
-    private BCUtil() {
-
-    }
-
-    /**
-     * A constant time equals comparison - does not terminate early if
-     * test will fail. For best results always pass the expected value
-     * as the first parameter.
-     *
-     * TODO: This method was proposed as a patch to BC:
-     *  https://github.com/bcgit/bc-java/pull/1141
-     *  Replace usage of this method with upstream eventually.
-     *  Remove once BC 172 gets released, given it contains the patch.
-     *
-     * @param expected first array
-     * @param supplied second array
-     * @return true if arrays equal, false otherwise.
-     */
-    public static boolean constantTimeAreEqual(
-            char[]  expected,
-            char[]  supplied) {
-        if (expected == null || supplied == null) {
-            return false;
-        }
-
-        if (expected == supplied) {
-            return true;
-        }
-
-        int len = Math.min(expected.length, supplied.length);
-
-        int nonEqual = expected.length ^ supplied.length;
-
-        // do the char-wise comparison
-        for (int i = 0; i != len; i++) {
-            nonEqual |= (expected[i] ^ supplied[i]);
-        }
-        // If supplied is longer than expected, iterate over rest of supplied with NOPs
-        for (int i = len; i < supplied.length; i++) {
-            nonEqual |= ((byte) supplied[i] ^ (byte) ~supplied[i]);
-        }
-
-        return nonEqual == 0;
-    }
-
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java
index 4cef145a..9576fb3e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/Passphrase.java
@@ -8,8 +8,6 @@ import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import java.util.Arrays;
 
-import static org.pgpainless.util.BCUtil.constantTimeAreEqual;
-
 public class Passphrase {
 
     public final Object lock = new Object();
@@ -165,6 +163,6 @@ public class Passphrase {
         }
         Passphrase other = (Passphrase) obj;
         return (getChars() == null && other.getChars() == null) ||
-                constantTimeAreEqual(getChars(), other.getChars());
+                org.bouncycastle.util.Arrays.constantTimeAreEqual(getChars(), other.getChars());
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
index 6fb90e63..82368762 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
@@ -19,6 +19,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
+import org.bouncycastle.util.Arrays;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.KeyFlag;
@@ -94,14 +95,14 @@ public class BCUtilTest {
     @Test
     public void constantTimeAreEqualsTest() {
         char[] b = "Hello".toCharArray();
-        assertTrue(BCUtil.constantTimeAreEqual(b, b));
-        assertTrue(BCUtil.constantTimeAreEqual("Hello".toCharArray(), "Hello".toCharArray()));
-        assertTrue(BCUtil.constantTimeAreEqual(new char[0], new char[0]));
-        assertTrue(BCUtil.constantTimeAreEqual(new char[] {'H', 'e', 'l', 'l', 'o'}, "Hello".toCharArray()));
+        assertTrue(Arrays.constantTimeAreEqual(b, b));
+        assertTrue(Arrays.constantTimeAreEqual("Hello".toCharArray(), "Hello".toCharArray()));
+        assertTrue(Arrays.constantTimeAreEqual(new char[0], new char[0]));
+        assertTrue(Arrays.constantTimeAreEqual(new char[] {'H', 'e', 'l', 'l', 'o'}, "Hello".toCharArray()));
 
-        assertFalse(BCUtil.constantTimeAreEqual("Hello".toCharArray(), "Hello World".toCharArray()));
-        assertFalse(BCUtil.constantTimeAreEqual(null, "Hello".toCharArray()));
-        assertFalse(BCUtil.constantTimeAreEqual("Hello".toCharArray(), null));
-        assertFalse(BCUtil.constantTimeAreEqual(null, null));
+        assertFalse(Arrays.constantTimeAreEqual("Hello".toCharArray(), "Hello World".toCharArray()));
+        assertFalse(Arrays.constantTimeAreEqual(null, "Hello".toCharArray()));
+        assertFalse(Arrays.constantTimeAreEqual("Hello".toCharArray(), null));
+        assertFalse(Arrays.constantTimeAreEqual((char[]) null, null));
     }
 }

From 09f94944b3f270dd1956733dfef1a7be9a5a14fb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 13:02:22 +0200
Subject: [PATCH 0718/1450] Remove unnecessary throws declarations

---
 .../key/collection/PGPKeyRingCollection.java    |  2 +-
 .../secretkeyring/SecretKeyRingEditor.java      |  2 +-
 .../pgpainless/key/parsing/KeyRingReader.java   |  6 ++----
 .../org/pgpainless/key/util/KeyRingUtils.java   | 17 +++--------------
 .../ModificationDetectionTests.java             |  2 +-
 .../EncryptionOptionsTest.java                  |  3 +--
 .../certification/CertifyCertificateTest.java   |  2 +-
 .../GenerateKeyWithAdditionalUserIdTest.java    |  6 +++---
 .../java/org/pgpainless/util/BCUtilTest.java    |  4 +---
 .../keyring/KeyRingsFromCollectionTest.java     |  4 ++--
 .../java/org/pgpainless/sop/DearmorImpl.java    |  2 +-
 .../java/org/pgpainless/sop/InlineSignImpl.java |  2 +-
 .../org/pgpainless/sop/InlineVerifyImpl.java    |  2 +-
 13 files changed, 19 insertions(+), 35 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java
index 46aa2baf..6cf7102d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/collection/PGPKeyRingCollection.java
@@ -74,7 +74,7 @@ public class PGPKeyRingCollection {
     }
 
     public PGPKeyRingCollection(@Nonnull Collection collection, boolean isSilent)
-            throws IOException, PGPException {
+            throws PGPException {
         List secretKeyRings = new ArrayList<>();
         List publicKeyRings = new ArrayList<>();
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 20876c36..01c09903 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -327,7 +327,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             @Nonnull SecretKeyRingProtector primaryKeyProtector,
             @Nonnull KeyFlag keyFlag,
             KeyFlag... additionalKeyFlags)
-            throws PGPException, IOException, NoSuchAlgorithmException {
+            throws PGPException, IOException {
         KeyFlag[] flags = concat(keyFlag, additionalKeyFlags);
         PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.requireFromId(subkey.getPublicKey().getAlgorithm());
         SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
index b5b8ea65..bbaecd4f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
@@ -232,10 +232,9 @@ public class KeyRingReader {
      * @return public key ring collection
      *
      * @throws IOException in case of an IO error or exceeding of max iterations
-     * @throws PGPException in case of a broken key
      */
     public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream, int maxIterations)
-            throws IOException, PGPException {
+            throws IOException {
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
                 ArmorUtils.getDecoderStream(inputStream));
 
@@ -317,11 +316,10 @@ public class KeyRingReader {
      * @return secret key ring collection
      *
      * @throws IOException in case of an IO error or exceeding of max iterations
-     * @throws PGPException in case of a broken secret key
      */
     public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream,
                                                                          int maxIterations)
-            throws IOException, PGPException {
+            throws IOException {
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
                 ArmorUtils.getDecoderStream(inputStream));
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 0bcdf8d1..013e283e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -167,12 +167,9 @@ public final class KeyRingUtils {
      *
      * @param secretKeyRings secret key ring collection
      * @return public key ring collection
-     * @throws PGPException TODO: remove
-     * @throws IOException TODO: remove
      */
     @Nonnull
-    public static PGPPublicKeyRingCollection publicKeyRingCollectionFrom(@Nonnull PGPSecretKeyRingCollection secretKeyRings)
-            throws PGPException, IOException {
+    public static PGPPublicKeyRingCollection publicKeyRingCollectionFrom(@Nonnull PGPSecretKeyRingCollection secretKeyRings) {
         List certificates = new ArrayList<>();
         for (PGPSecretKeyRing secretKey : secretKeyRings) {
             certificates.add(PGPainless.extractCertificate(secretKey));
@@ -200,13 +197,9 @@ public final class KeyRingUtils {
      *
      * @param rings array of public key rings
      * @return key ring collection
-     *
-     * @throws IOException in case of an io error
-     * @throws PGPException in case of a broken key
      */
     @Nonnull
-    public static PGPPublicKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPPublicKeyRing... rings)
-            throws IOException, PGPException {
+    public static PGPPublicKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPPublicKeyRing... rings) {
         return new PGPPublicKeyRingCollection(Arrays.asList(rings));
     }
 
@@ -215,13 +208,9 @@ public final class KeyRingUtils {
      *
      * @param rings array of secret key rings
      * @return secret key ring collection
-     *
-     * @throws IOException in case of an io error
-     * @throws PGPException in case of a broken key
      */
     @Nonnull
-    public static PGPSecretKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPSecretKeyRing... rings)
-            throws IOException, PGPException {
+    public static PGPSecretKeyRingCollection keyRingsToKeyRingCollection(@Nonnull PGPSecretKeyRing... rings) {
         return new PGPSecretKeyRingCollection(Arrays.asList(rings));
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
index 2ca265ea..14a041ff 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
@@ -530,7 +530,7 @@ public class ModificationDetectionTests {
         );
     }
 
-    private PGPSecretKeyRingCollection getDecryptionKey() throws IOException, PGPException {
+    private PGPSecretKeyRingCollection getDecryptionKey() throws IOException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(keyAscii);
         return new PGPSecretKeyRingCollection(Collections.singletonList(secretKeys));
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
index 3e7ccb4d..3436ba69 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
@@ -9,7 +9,6 @@ import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
@@ -165,7 +164,7 @@ public class EncryptionOptionsTest {
     }
 
     @Test
-    public void testAddRecipients_PGPPublicKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+    public void testAddRecipients_PGPPublicKeyRingCollection() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPPublicKeyRing secondKeyRing = KeyRingUtils.publicKeyRingFrom(
                 PGPainless.generateKeyRing().modernKeyRing("other@pgpainless.org"));
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
index f837be1b..eb0069f5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/certification/CertifyCertificateTest.java
@@ -140,7 +140,7 @@ public class CertifyCertificateTest {
     }
 
     @Test
-    public void testScopedDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+    public void testScopedDelegation() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing aliceKey = PGPainless.generateKeyRing()
                 .modernKeyRing("Alice ");
         PGPSecretKeyRing caKey = PGPainless.generateKeyRing()
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
index 2e2ffc8d..e68d8e9b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
@@ -7,7 +7,6 @@ package org.pgpainless.key.generation;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 
-import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Date;
@@ -26,14 +25,15 @@ import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.key.util.UserId;
 import org.pgpainless.timeframe.TestTimeFrameProvider;
+import org.pgpainless.util.DateUtil;
 import org.pgpainless.util.TestAllImplementations;
 
 public class GenerateKeyWithAdditionalUserIdTest {
 
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
-    public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
-        Date now = new Date();
+    public void test() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
+        Date now = DateUtil.now();
         Date expiration = TestTimeFrameProvider.defaultExpirationForCreationDate(now);
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
index 82368762..821d9e30 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/BCUtilTest.java
@@ -8,7 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Iterator;
@@ -36,8 +35,7 @@ public class BCUtilTest {
 
     @Test
     public void keyRingToCollectionTest()
-            throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException,
-            IOException {
+            throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         PGPSecretKeyRing sec = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(
                         KeyType.RSA(RsaLength._3072),
diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java
index eb3510be..bf4955cd 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/selection/keyring/KeyRingsFromCollectionTest.java
@@ -56,7 +56,7 @@ public class KeyRingsFromCollectionTest {
     }
 
     @Test
-    public void selectPublicKeyRingFromPublicKeyRingCollectionTest() throws IOException, PGPException {
+    public void selectPublicKeyRingFromPublicKeyRingCollectionTest() throws IOException {
         PGPPublicKeyRing emil = TestKeys.getEmilPublicKeyRing();
         PGPPublicKeyRing juliet = TestKeys.getJulietPublicKeyRing();
         PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(Arrays.asList(emil, juliet));
@@ -68,7 +68,7 @@ public class KeyRingsFromCollectionTest {
     }
 
     @Test
-    public void selectPublicKeyRingMapFromPublicKeyRingCollectionMapTest() throws IOException, PGPException {
+    public void selectPublicKeyRingMapFromPublicKeyRingCollectionMapTest() throws IOException {
         PGPPublicKeyRing emil = TestKeys.getEmilPublicKeyRing();
         PGPPublicKeyRing juliet = TestKeys.getJulietPublicKeyRing();
         MultiMap map = new MultiMap<>();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
index ac53d415..f0b21a6d 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
@@ -18,7 +18,7 @@ import sop.operation.Dearmor;
 public class DearmorImpl implements Dearmor {
 
     @Override
-    public Ready data(InputStream data) throws IOException {
+    public Ready data(InputStream data) {
         InputStream decoder;
         try {
             decoder = PGPUtil.getDecoderStream(data);
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index d0cfbfcd..30e1d71e 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -71,7 +71,7 @@ public class InlineSignImpl implements InlineSign {
     }
 
     @Override
-    public Ready data(InputStream data) throws SOPGPException.KeyIsProtected, IOException, SOPGPException.ExpectedText {
+    public Ready data(InputStream data) throws SOPGPException.KeyIsProtected, SOPGPException.ExpectedText {
         for (PGPSecretKeyRing key : signingKeys) {
             try {
                 if (mode == InlineSignAs.clearsigned) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 4af53685..81d614cf 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -49,7 +49,7 @@ public class InlineVerifyImpl implements InlineVerify {
     }
 
     @Override
-    public ReadyWithResult> data(InputStream data) throws IOException, SOPGPException.NoSignature, SOPGPException.BadData {
+    public ReadyWithResult> data(InputStream data) throws SOPGPException.NoSignature, SOPGPException.BadData {
         return new ReadyWithResult>() {
             @Override
             public List writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {

From babd1542e3113065270552568f2c96144348cb7b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 13:02:36 +0200
Subject: [PATCH 0719/1450] DO NOT MERGE: Disable broken test

---
 .../java/org/pgpainless/signature/IgnoreMarkerPackets.java     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
index c86efd05..87766dfe 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
@@ -20,6 +20,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -159,6 +160,8 @@ public class IgnoreMarkerPackets {
     }
 
     @Test
+    @Disabled
+    // TODO: Enable and fix
     public void markerPlusEncryptedMessage() throws IOException, PGPException {
         String msg = "-----BEGIN PGP MESSAGE-----\n" +
                 "\n" +

From 2ce4486e8936cbbbddf941858b2644b019e2034d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 13:14:32 +0200
Subject: [PATCH 0720/1450] Convert links in javadoc to html

---
 .../java/org/pgpainless/algorithm/PublicKeyAlgorithm.java   | 6 +++---
 .../decryption_verification/MissingPublicKeyCallback.java   | 4 +++-
 .../key/util/PublicKeyParameterValidationUtil.java          | 2 +-
 .../test/java/org/bouncycastle/PGPPublicKeyRingTest.java    | 2 +-
 .../src/test/java/org/pgpainless/key/WeirdKeys.java         | 2 +-
 .../key/generation/GenerateWithEmptyPassphraseTest.java     | 2 +-
 6 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
index baa8f92e..c7599db9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/PublicKeyAlgorithm.java
@@ -28,7 +28,7 @@ public enum PublicKeyAlgorithm {
     /**
      * RSA with usage encryption.
      *
-     * @deprecated see https://tools.ietf.org/html/rfc4880#section-13.5
+     * @deprecated see Deprecation notice
      */
     @Deprecated
     RSA_ENCRYPT     (PublicKeyAlgorithmTags.RSA_ENCRYPT, false, true),
@@ -36,7 +36,7 @@ public enum PublicKeyAlgorithm {
     /**
      * RSA with usage of creating signatures.
      *
-     * @deprecated see https://tools.ietf.org/html/rfc4880#section-13.5
+     * @deprecated see Deprecation notice
      */
     @Deprecated
     RSA_SIGN        (PublicKeyAlgorithmTags.RSA_SIGN, true, false),
@@ -71,7 +71,7 @@ public enum PublicKeyAlgorithm {
     /**
      * ElGamal General.
      *
-     * @deprecated see https://tools.ietf.org/html/rfc4880#section-13.8
+     * @deprecated see Deprecation notice
      */
     @Deprecated
     ELGAMAL_GENERAL (PublicKeyAlgorithmTags.ELGAMAL_GENERAL, true, true),
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java
index f3eb949b..9b6f4a1e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MissingPublicKeyCallback.java
@@ -20,11 +20,13 @@ public interface MissingPublicKeyCallback {
      * you may not only search for the key-id on the key rings primary key!
      *
      * It would be super cool to provide the OpenPgp fingerprint here, but unfortunately one-pass-signatures
-     * only contain the key id (see https://datatracker.ietf.org/doc/html/rfc4880#section-5.4)
+     * only contain the key id.
      *
      * @param keyId ID of the missing signing (sub)key
      *
      * @return keyring containing the key or null
+     *
+     * @see RFC
      */
     @Nullable PGPPublicKeyRing onMissingPublicKeyEncountered(@Nonnull Long keyId);
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index d3c7fe68..69940691 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -237,7 +237,7 @@ public class PublicKeyParameterValidationUtil {
      * Validate ElGamal public key parameters.
      *
      * Original implementation by the openpgpjs authors:
-     * https://github.com/openpgpjs/openpgpjs/blob/main/src/crypto/public_key/elgamal.js#L76-L143
+     * Stackexchange link
      */
     @Test
     public void subkeysDoNotHaveUserIDsTest() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java
index b02b07c5..7500bab4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/WeirdKeys.java
@@ -13,7 +13,7 @@ import org.pgpainless.PGPainless;
  * This class contains a set of slightly out of spec or weird keys.
  * Those are used to test whether implementations behave correctly when dealing with such keys.
  *
- * Original source: https://gitlab.com/sequoia-pgp/weird-keys
+ * @see Original Source
  */
 public class WeirdKeys {
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java
index dbb3f49b..c1375883 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateWithEmptyPassphraseTest.java
@@ -20,7 +20,7 @@ import org.pgpainless.util.TestAllImplementations;
 import org.pgpainless.util.Passphrase;
 
 /**
- * Reproduce behavior of https://github.com/pgpainless/pgpainless/issues/16
+ * Reproduce behavior of 
Date: Thu, 29 Sep 2022 13:15:02 +0200
Subject: [PATCH 0722/1450] Reformat KeyRingReader

---
 .../pgpainless/key/parsing/KeyRingReader.java | 67 ++++++++++++-------
 1 file changed, 44 insertions(+), 23 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
index bbaecd4f..50cacf05 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/parsing/KeyRingReader.java
@@ -41,7 +41,8 @@ public class KeyRingReader {
      * @return key ring
      * @throws IOException in case of an IO error
      */
-    public PGPKeyRing keyRing(@Nonnull InputStream inputStream) throws IOException {
+    public PGPKeyRing keyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readKeyRing(inputStream);
     }
 
@@ -53,7 +54,8 @@ public class KeyRingReader {
      * @return key ring
      * @throws IOException in case of an IO error
      */
-    public PGPKeyRing keyRing(@Nonnull byte[] bytes) throws IOException {
+    public PGPKeyRing keyRing(@Nonnull byte[] bytes)
+            throws IOException {
         return keyRing(new ByteArrayInputStream(bytes));
     }
 
@@ -65,19 +67,23 @@ public class KeyRingReader {
      * @return key ring
      * @throws IOException in case of an IO error
      */
-    public PGPKeyRing keyRing(@Nonnull String asciiArmored) throws IOException {
+    public PGPKeyRing keyRing(@Nonnull String asciiArmored)
+            throws IOException {
         return keyRing(asciiArmored.getBytes(UTF8));
     }
 
-    public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream) throws IOException {
+    public PGPPublicKeyRing publicKeyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readPublicKeyRing(inputStream);
     }
 
-    public PGPPublicKeyRing publicKeyRing(@Nonnull byte[] bytes) throws IOException {
+    public PGPPublicKeyRing publicKeyRing(@Nonnull byte[] bytes)
+            throws IOException {
         return publicKeyRing(new ByteArrayInputStream(bytes));
     }
 
-    public PGPPublicKeyRing publicKeyRing(@Nonnull String asciiArmored) throws IOException {
+    public PGPPublicKeyRing publicKeyRing(@Nonnull String asciiArmored)
+            throws IOException {
         return publicKeyRing(asciiArmored.getBytes(UTF8));
     }
 
@@ -86,23 +92,28 @@ public class KeyRingReader {
         return readPublicKeyRingCollection(inputStream);
     }
 
-    public PGPPublicKeyRingCollection publicKeyRingCollection(@Nonnull byte[] bytes) throws IOException, PGPException {
+    public PGPPublicKeyRingCollection publicKeyRingCollection(@Nonnull byte[] bytes)
+            throws IOException, PGPException {
         return publicKeyRingCollection(new ByteArrayInputStream(bytes));
     }
 
-    public PGPPublicKeyRingCollection publicKeyRingCollection(@Nonnull String asciiArmored) throws IOException, PGPException {
+    public PGPPublicKeyRingCollection publicKeyRingCollection(@Nonnull String asciiArmored)
+            throws IOException, PGPException {
         return publicKeyRingCollection(asciiArmored.getBytes(UTF8));
     }
 
-    public PGPSecretKeyRing secretKeyRing(@Nonnull InputStream inputStream) throws IOException {
+    public PGPSecretKeyRing secretKeyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readSecretKeyRing(inputStream);
     }
 
-    public PGPSecretKeyRing secretKeyRing(@Nonnull byte[] bytes) throws IOException {
+    public PGPSecretKeyRing secretKeyRing(@Nonnull byte[] bytes)
+            throws IOException {
         return secretKeyRing(new ByteArrayInputStream(bytes));
     }
 
-    public PGPSecretKeyRing secretKeyRing(@Nonnull String asciiArmored) throws IOException {
+    public PGPSecretKeyRing secretKeyRing(@Nonnull String asciiArmored)
+            throws IOException {
         return secretKeyRing(asciiArmored.getBytes(UTF8));
     }
 
@@ -111,11 +122,13 @@ public class KeyRingReader {
         return readSecretKeyRingCollection(inputStream);
     }
 
-    public PGPSecretKeyRingCollection secretKeyRingCollection(@Nonnull byte[] bytes) throws IOException, PGPException {
+    public PGPSecretKeyRingCollection secretKeyRingCollection(@Nonnull byte[] bytes)
+            throws IOException, PGPException {
         return secretKeyRingCollection(new ByteArrayInputStream(bytes));
     }
 
-    public PGPSecretKeyRingCollection secretKeyRingCollection(@Nonnull String asciiArmored) throws IOException, PGPException {
+    public PGPSecretKeyRingCollection secretKeyRingCollection(@Nonnull String asciiArmored)
+            throws IOException, PGPException {
         return secretKeyRingCollection(asciiArmored.getBytes(UTF8));
     }
 
@@ -124,11 +137,13 @@ public class KeyRingReader {
         return readKeyRingCollection(inputStream, isSilent);
     }
 
-    public PGPKeyRingCollection keyRingCollection(@Nonnull byte[] bytes, boolean isSilent) throws IOException, PGPException {
+    public PGPKeyRingCollection keyRingCollection(@Nonnull byte[] bytes, boolean isSilent)
+            throws IOException, PGPException {
         return keyRingCollection(new ByteArrayInputStream(bytes), isSilent);
     }
 
-    public PGPKeyRingCollection keyRingCollection(@Nonnull String asciiArmored, boolean isSilent) throws IOException, PGPException {
+    public PGPKeyRingCollection keyRingCollection(@Nonnull String asciiArmored, boolean isSilent)
+            throws IOException, PGPException {
         return keyRingCollection(asciiArmored.getBytes(UTF8), isSilent);
     }
 
@@ -142,7 +157,8 @@ public class KeyRingReader {
      * @return key ring
      * @throws IOException in case of an IO error
      */
-    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream) throws IOException {
+    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readKeyRing(inputStream, MAX_ITERATIONS);
     }
 
@@ -157,7 +173,8 @@ public class KeyRingReader {
      * @return key ring
      * @throws IOException in case of an IO error
      */
-    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
+    public static PGPKeyRing readKeyRing(@Nonnull InputStream inputStream, int maxIterations)
+            throws IOException {
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
                 ArmorUtils.getDecoderStream(inputStream));
         int i = 0;
@@ -181,7 +198,8 @@ public class KeyRingReader {
         throw new IOException("Loop exceeded max iteration count.");
     }
 
-    public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream) throws IOException {
+    public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readPublicKeyRing(inputStream, MAX_ITERATIONS);
     }
 
@@ -196,7 +214,8 @@ public class KeyRingReader {
      *
      * @throws IOException in case of an IO error or exceeding of max iterations
      */
-    public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
+    public static PGPPublicKeyRing readPublicKeyRing(@Nonnull InputStream inputStream, int maxIterations)
+            throws IOException {
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(
                 ArmorUtils.getDecoderStream(inputStream));
         int i = 0;
@@ -218,7 +237,7 @@ public class KeyRingReader {
     }
 
     public static PGPPublicKeyRingCollection readPublicKeyRingCollection(@Nonnull InputStream inputStream)
-            throws IOException, PGPException {
+            throws IOException {
         return readPublicKeyRingCollection(inputStream, MAX_ITERATIONS);
     }
 
@@ -264,7 +283,8 @@ public class KeyRingReader {
         throw new IOException("Loop exceeded max iteration count.");
     }
 
-    public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream) throws IOException {
+    public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream)
+            throws IOException {
         return readSecretKeyRing(inputStream, MAX_ITERATIONS);
     }
 
@@ -279,7 +299,8 @@ public class KeyRingReader {
      *
      * @throws IOException in case of an IO error or exceeding of max iterations
      */
-    public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations) throws IOException {
+    public static PGPSecretKeyRing readSecretKeyRing(@Nonnull InputStream inputStream, int maxIterations)
+            throws IOException {
         InputStream decoderStream = ArmorUtils.getDecoderStream(inputStream);
         PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(decoderStream);
         int i = 0;
@@ -302,7 +323,7 @@ public class KeyRingReader {
     }
 
     public static PGPSecretKeyRingCollection readSecretKeyRingCollection(@Nonnull InputStream inputStream)
-            throws IOException, PGPException {
+            throws IOException {
         return readSecretKeyRingCollection(inputStream, MAX_ITERATIONS);
     }
 

From 5e37d8038a4e241b11ca85324762f4d377a6585f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 29 Sep 2022 17:45:32 +0200
Subject: [PATCH 0723/1450] WIP: So close to working notarizations

---
 .../OpenPgpMessageInputStream.java            | 359 +++++++++++-------
 .../TeeBCPGInputStream.java                   |   1 +
 .../automaton/PDA.java                        |  16 +-
 .../OpenPgpMessageInputStreamTest.java        | 145 +++++++
 version.gradle                                |   2 +-
 5 files changed, 375 insertions(+), 148 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a1364997..2d031edc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -4,12 +4,17 @@
 
 package org.pgpainless.decryption_verification;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.NoSuchElementException;
+import java.util.Stack;
+
 import org.bouncycastle.bcpg.BCPGInputStream;
-import org.bouncycastle.bcpg.BCPGOutputStream;
-import org.bouncycastle.bcpg.OnePassSignaturePacket;
-import org.bouncycastle.bcpg.Packet;
-import org.bouncycastle.bcpg.PacketTags;
-import org.bouncycastle.bcpg.SignaturePacket;
 import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
@@ -17,7 +22,6 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPOnePassSignature;
-import org.bouncycastle.openpgp.PGPOnePassSignatureList;
 import org.bouncycastle.openpgp.PGPPBEEncryptedData;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -26,11 +30,12 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
+import org.bouncycastle.util.encoders.Hex;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
@@ -54,15 +59,6 @@ import org.pgpainless.util.Tuple;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Stack;
-
 public class OpenPgpMessageInputStream extends InputStream {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream.class);
@@ -100,13 +96,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             this.signatures.addDetachedSignatures(options.getDetachedSignatures());
         }
 
-        // TODO: Use BCPGInputStream.wrap(inputStream);
-        BCPGInputStream bcpg = null;
-        if (inputStream instanceof BCPGInputStream) {
-            bcpg = (BCPGInputStream) inputStream;
-        } else {
-            bcpg = new BCPGInputStream(inputStream);
-        }
+        BCPGInputStream bcpg = BCPGInputStream.wrap(inputStream);
         this.packetInputStream = new TeeBCPGInputStream(bcpg, signatures);
 
         // *omnomnom*
@@ -133,13 +123,20 @@ public class OpenPgpMessageInputStream extends InputStream {
             throws IOException, PGPException {
         int tag;
         loop: while ((tag = nextTag()) != -1) {
-            OpenPgpPacket nextPacket = OpenPgpPacket.requireFromTag(tag);
+            OpenPgpPacket nextPacket;
+            try {
+                nextPacket = OpenPgpPacket.requireFromTag(tag);
+            } catch (NoSuchElementException e) {
+                log("Invalid tag: " + tag);
+                throw e;
+            }
+            log(nextPacket.toString());
+            signatures.nextPacket(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
-                    signatures.commitNested();
                     processLiteralData();
                     break loop;
 
@@ -153,12 +150,8 @@ public class OpenPgpMessageInputStream extends InputStream {
                 // One Pass Signature
                 case OPS:
                     automaton.next(InputAlphabet.OnePassSignatures);
-                    // signatures.addOnePassSignature(readOnePassSignature());
-                    PGPOnePassSignatureList onePassSignatureList = readOnePassSignatures();
-                    for (PGPOnePassSignature ops : onePassSignatureList) {
-                        signatures.addOnePassSignature(ops);
-                    }
-                    // signatures.addOnePassSignatures(readOnePassSignatures());
+                    PGPOnePassSignature onePassSignature = readOnePassSignature();
+                    signatures.addOnePassSignature(onePassSignature);
                     break;
 
                 // Signature - either prepended to the message, or corresponding to a One Pass Signature
@@ -166,13 +159,8 @@ public class OpenPgpMessageInputStream extends InputStream {
                     boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
                     automaton.next(InputAlphabet.Signatures);
 
-                    // PGPSignature signature = readSignature();
-                    // processSignature(signature, isSigForOPS);
-
-                    PGPSignatureList signatureList = readSignatures();
-                    for (PGPSignature signature : signatureList) {
-                        processSignature(signature, isSigForOPS);
-                    }
+                    PGPSignature signature = readSignature();
+                    processSignature(signature, isSigForOPS);
 
                     break;
 
@@ -220,6 +208,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private void processSignature(PGPSignature signature, boolean isSigForOPS) {
         if (isSigForOPS) {
+            signatures.popNested();
             signatures.addCorrespondingOnePassSignature(signature);
         } else {
             signatures.addPrependedSignature(signature);
@@ -240,6 +229,41 @@ public class OpenPgpMessageInputStream extends InputStream {
         nestedInputStream = literalData.getDataStream();
     }
 
+    private void debugEncryptedData() throws PGPException, IOException {
+        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
+
+        // TODO: Replace with !encDataList.isIntegrityProtected()
+        if (!encDataList.get(0).isIntegrityProtected()) {
+            throw new MessageNotIntegrityProtectedException();
+        }
+
+        SortedESKs esks = new SortedESKs(encDataList);
+        for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+            long keyId = pkesk.getKeyID();
+            PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
+            if (decryptionKeys == null) {
+                continue;
+            }
+            SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
+            PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
+            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
+
+            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                    .getPublicKeyDataDecryptorFactory(privateKey);
+            try {
+                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                InputStream decoder = PGPUtil.getDecoderStream(decrypted);
+                PGPObjectFactory objectFactory = ImplementationFactory.getInstance()
+                        .getPGPObjectFactory(decoder);
+                objectFactory.nextObject();
+                objectFactory.nextObject();
+                objectFactory.nextObject();
+            } catch (PGPException e) {
+                // hm :/
+            }
+        }
+    }
+
     private boolean processEncryptedData() throws IOException, PGPException {
         PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
 
@@ -309,7 +333,8 @@ public class OpenPgpMessageInputStream extends InputStream {
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
-                nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+
+                nestedInputStream = new OpenPgpMessageInputStream(PGPUtil.getDecoderStream(decrypted), options, encryptedData);
                 return true;
             } catch (PGPException e) {
                 // hm :/
@@ -382,52 +407,12 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private PGPOnePassSignature readOnePassSignature()
             throws PGPException, IOException {
-        //return new PGPOnePassSignature(packetInputStream);
-        return null;
+        return new PGPOnePassSignature(packetInputStream);
     }
 
     private PGPSignature readSignature()
             throws PGPException, IOException {
-        //return new PGPSignature(packetInputStream);
-        return null;
-    }
-
-    private PGPOnePassSignatureList readOnePassSignatures() throws IOException {
-        ByteArrayOutputStream buf = new ByteArrayOutputStream();
-        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-        int tag;
-        while ((tag = nextTag()) == PacketTags.ONE_PASS_SIGNATURE || tag == PacketTags.MARKER) {
-            Packet packet = packetInputStream.readPacket();
-            if (tag == PacketTags.ONE_PASS_SIGNATURE) {
-                OnePassSignaturePacket sigPacket = (OnePassSignaturePacket) packet;
-                byte[] bytes = sigPacket.getEncoded();
-                bcpgOut.write(bytes);
-            }
-        }
-        bcpgOut.close();
-
-        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
-        PGPOnePassSignatureList signatureList = (PGPOnePassSignatureList) objectFactory.nextObject();
-        return signatureList;
-    }
-
-    private PGPSignatureList readSignatures() throws IOException {
-        ByteArrayOutputStream buf = new ByteArrayOutputStream();
-        BCPGOutputStream bcpgOut = new BCPGOutputStream(buf);
-        int tag = nextTag();
-        while (tag == PacketTags.SIGNATURE || tag == PacketTags.MARKER) {
-            Packet packet = packetInputStream.readPacket();
-            if (tag == PacketTags.SIGNATURE) {
-                SignaturePacket sigPacket = (SignaturePacket) packet;
-                sigPacket.encode(bcpgOut);
-                tag = nextTag();
-            }
-        }
-        bcpgOut.close();
-
-        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(buf.toByteArray());
-        PGPSignatureList signatureList = (PGPSignatureList) objectFactory.nextObject();
-        return signatureList;
+        return new PGPSignature(packetInputStream);
     }
 
     @Override
@@ -446,12 +431,11 @@ public class OpenPgpMessageInputStream extends InputStream {
         boolean eos = r == -1;
         if (!eos) {
             byte b = (byte) r;
-            signatures.update(b);
+            signatures.updateLiteral(b);
         } else {
             nestedInputStream.close();
             collectMetadata();
             nestedInputStream = null;
-            signatures.popNested();
 
             try {
                 consumePackets();
@@ -473,11 +457,13 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         int r = nestedInputStream.read(b, off, len);
-        if (r == -1) {
+        if (r != -1) {
+            signatures.updateLiteral(b, off, r);
+        }
+        else  {
             nestedInputStream.close();
             collectMetadata();
             nestedInputStream = null;
-            signatures.popNested();
 
             try {
                 consumePackets();
@@ -569,14 +555,11 @@ public class OpenPgpMessageInputStream extends InputStream {
         final ConsumerOptions options;
         final List detachedSignatures;
         final List prependedSignatures;
-        final List onePassSignatures;
-        final Stack> opsUpdateStack;
+        final List onePassSignatures;
+        final Stack> opsUpdateStack;
+        List literalOPS = new ArrayList<>();
         final List correspondingSignatures;
 
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-
-        List opsCurrentNesting = new ArrayList<>();
-
         private Signatures(ConsumerOptions options) {
             this.options = options;
             this.detachedSignatures = new ArrayList<>();
@@ -608,57 +591,42 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         void addOnePassSignature(PGPOnePassSignature signature) {
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
-            initialize(signature, certificate);
-            onePassSignatures.add(signature);
+            OPS ops = new OPS(signature);
+            ops.init(certificate);
+            onePassSignatures.add(ops);
 
-            opsCurrentNesting.add(signature);
-            if (isContaining(signature)) {
+            literalOPS.add(ops);
+            if (signature.isContaining()) {
                 commitNested();
             }
         }
 
-        boolean isContaining(PGPOnePassSignature ops) {
-            try {
-                byte[] bytes = ops.getEncoded();
-                return bytes[bytes.length - 1] == 1;
-            } catch (IOException e) {
-                return false;
-            }
-        }
-
         void addCorrespondingOnePassSignature(PGPSignature signature) {
-            for (PGPOnePassSignature onePassSignature : onePassSignatures) {
-                if (onePassSignature.getKeyID() != signature.getKeyID()) {
+            for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
+                OPS onePassSignature = onePassSignatures.get(i);
+                if (onePassSignature.signature.getKeyID() != signature.getKeyID()) {
+                    continue;
+                }
+                if (onePassSignature.finished) {
                     continue;
                 }
 
-                boolean verified = false;
-                try {
-                    verified = onePassSignature.verify(signature);
-                } catch (PGPException e) {
-                    log("Cannot verify OPS signature.", e);
-                }
-                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                try {
-                    log(ArmorUtils.toAsciiArmoredString(out.toByteArray()));
-                } catch (IOException e) {
-                    throw new RuntimeException(e);
-                }
+                boolean verified = onePassSignature.verify(signature);
+                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                System.out.println(onePassSignature);
+                break;
             }
         }
 
         void commitNested() {
-            if (opsCurrentNesting.isEmpty()) {
-                return;
-            }
-
-            log("Committing " + opsCurrentNesting.size() + " OPS sigs for updating");
-            opsUpdateStack.push(opsCurrentNesting);
-            opsCurrentNesting = new ArrayList<>();
+            opsUpdateStack.push(literalOPS);
+            literalOPS = new ArrayList<>();
         }
 
         void popNested() {
-            log("Popping nested");
+            if (opsUpdateStack.isEmpty()) {
+                return;
+            }
             opsUpdateStack.pop();
         }
 
@@ -676,7 +644,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             }
         }
 
-        private void initialize(PGPOnePassSignature ops, PGPPublicKeyRing certificate) {
+        private static void initialize(PGPOnePassSignature ops, PGPPublicKeyRing certificate) {
             if (certificate == null) {
                 return;
             }
@@ -699,20 +667,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             return null; // TODO: Missing cert for sig
         }
 
-        public void update(byte b) {
-            if (!opsUpdateStack.isEmpty()) {
-                log("Update");
-                out.write(b);
-            }
-
-            for (PGPSignature prepended : prependedSignatures) {
-                prepended.update(b);
-            }
-
-            for (List opss : opsUpdateStack) {
-                for (PGPOnePassSignature ops : opss) {
-                    ops.update(b);
-                }
+        public void updateLiteral(byte b) {
+            for (OPS ops : literalOPS) {
+                ops.update(b);
             }
 
             for (PGPSignature detached : detachedSignatures) {
@@ -720,6 +677,33 @@ public class OpenPgpMessageInputStream extends InputStream {
             }
         }
 
+        public void updateLiteral(byte[] b, int off, int len) {
+            for (OPS ops : literalOPS) {
+                ops.update(b, off, len);
+            }
+
+            for (PGPSignature detached : detachedSignatures) {
+                detached.update(b, off, len);
+            }
+        }
+
+        public void updatePacket(byte b) {
+            for (List nestedOPSs : opsUpdateStack) {
+                for (OPS ops : nestedOPSs) {
+                    ops.update(b);
+                }
+            }
+        }
+
+        public void updatePacket(byte[] buf, int off, int len) {
+            for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
+                List nestedOPSs = opsUpdateStack.get(i);
+                for (OPS ops : nestedOPSs) {
+                    ops.update(buf, off, len);
+                }
+            }
+        }
+
         public void finish() {
             for (PGPSignature detached : detachedSignatures) {
                 boolean verified = false;
@@ -743,8 +727,97 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         @Override
-        public void write(int b) throws IOException {
-            update((byte) b);
+        public void write(int b) {
+            updatePacket((byte) b);
+        }
+
+        @Override
+        public void write(byte[] b, int off, int len) {
+            updatePacket(b, off, len);
+        }
+
+        public void nextPacket(OpenPgpPacket nextPacket) {
+            if (nextPacket == OpenPgpPacket.LIT) {
+                if (literalOPS.isEmpty() && !opsUpdateStack.isEmpty()) {
+                    literalOPS = opsUpdateStack.pop();
+                }
+            }
+        }
+
+        static class OPS {
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            PGPOnePassSignature signature;
+            boolean finished;
+            boolean valid;
+
+            public OPS(PGPOnePassSignature signature) {
+                this.signature = signature;
+            }
+
+            public void init(PGPPublicKeyRing certificate) {
+                initialize(signature, certificate);
+            }
+
+            public boolean verify(PGPSignature signature) {
+                if (this.signature.getKeyID() != signature.getKeyID()) {
+                    // nope
+                    return false;
+                }
+                finished = true;
+                try {
+                    valid = this.signature.verify(signature);
+                } catch (PGPException e) {
+                    log("Cannot verify OPS " + signature.getKeyID());
+                }
+                return valid;
+            }
+
+            public void update(byte b) {
+                if (finished) {
+                    log("Updating finished sig!");
+                    return;
+                }
+                signature.update(b);
+                bytes.write(b);
+            }
+
+            public void update(byte[] bytes, int off, int len) {
+                if (finished) {
+                    log("Updating finished sig!");
+                    return;
+                }
+                signature.update(bytes, off, len);
+                this.bytes.write(bytes, off, len);
+            }
+
+            @Override
+            public String toString() {
+                String OPS = "c40d03000a01fbfcc82a015e733001";
+                String LIT_H = "cb28620000000000";
+                String LIT = "656e637279707420e28898207369676e20e28898207369676e20e28898207369676e";
+                String SIG1 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
+                String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
+                    String out = signature.getKeyID() + " last=" + signature.isContaining() + "\n";
+
+                    String hex = Hex.toHexString(bytes.toByteArray());
+                    while (hex.contains(OPS)) {
+                        hex = hex.replace(OPS, "[OPS]");
+                    }
+                    while (hex.contains(LIT_H)) {
+                        hex = hex.replace(LIT_H, "[LIT]");
+                    }
+                    while (hex.contains(LIT)) {
+                        hex = hex.replace(LIT, "");
+                    }
+                    while (hex.contains(SIG1)) {
+                        hex = hex.replace(SIG1, "[SIG1]");
+                    }
+                    while (hex.contains(SIG2)) {
+                        hex = hex.replace(SIG2, "[SIG2]");
+                    }
+
+                    return out + hex;
+            }
         }
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index ab24f22e..cce21051 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -1,6 +1,7 @@
 package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.bcpg.BCPGInputStream;
+import org.pgpainless.util.ArmorUtils;
 
 import java.io.IOException;
 import java.io.InputStream;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index dda2adce..1d4b1189 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -149,11 +149,19 @@ public class PDA {
             @Override
             State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
-                if (stackItem == terminus && input == InputAlphabet.EndOfSequence && automaton.stack.isEmpty()) {
-                    return Valid;
-                } else {
-                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                if (input == InputAlphabet.EndOfSequence) {
+                    if (stackItem == terminus && automaton.stack.isEmpty()) {
+                        return Valid;
+                    } else {
+                        // premature end of stream
+                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
+                    }
+                } else if (input == InputAlphabet.Signatures) {
+                    if (stackItem == ops) {
+                        return CorrespondingSignature;
+                    }
                 }
+                throw new MalformedOpenPgpMessageException(this, input, stackItem);
             }
         },
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index e52a6016..f780b2eb 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -433,6 +433,151 @@ public class OpenPgpMessageInputStreamTest {
         assertNull(metadata.getCompressionAlgorithm());
     }
 
+    @ParameterizedTest(name = "Process PENC(OPS OPS OPS LIT SIG SIG SIG) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessOPS_OPS_OPS_LIT_SIG_SIG_SIG(Processor processor) throws IOException, PGPException {
+        String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+                "Comment: Bob's OpenPGP Transferable Secret Key\n" +
+                "\n" +
+                "lQVYBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
+                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
+                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
+                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
+                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
+                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
+                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
+                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
+                "vLIwa3T4CyshfT0AEQEAAQAL/RZqbJW2IqQDCnJi4Ozm++gPqBPiX1RhTWSjwxfM\n" +
+                "cJKUZfzLj414rMKm6Jh1cwwGY9jekROhB9WmwaaKT8HtcIgrZNAlYzANGRCM4TLK\n" +
+                "3VskxfSwKKna8l+s+mZglqbAjUg3wmFuf9Tj2xcUZYmyRm1DEmcN2ZzpvRtHgX7z\n" +
+                "Wn1mAKUlSDJZSQks0zjuMNbupcpyJokdlkUg2+wBznBOTKzgMxVNC9b2g5/tMPUs\n" +
+                "hGGWmF1UH+7AHMTaS6dlmr2ZBIyogdnfUqdNg5sZwsxSNrbglKP4sqe7X61uEAIQ\n" +
+                "bD7rT3LonLbhkrj3I8wilUD8usIwt5IecoHhd9HziqZjRCc1BUBkboUEoyedbDV4\n" +
+                "i4qfsFZ6CEWoLuD5pW7dEp0M+WeuHXO164Rc+LnH6i1VQrpb1Okl4qO6ejIpIjBI\n" +
+                "1t3GshtUu/mwGBBxs60KBX5g77mFQ9lLCRj8lSYqOsHRKBhUp4qM869VA+fD0BRP\n" +
+                "fqPT0I9IH4Oa/A3jYJcg622GwQYA1LhnP208Waf6PkQSJ6kyr8ymY1yVh9VBE/g6\n" +
+                "fRDYA+pkqKnw9wfH2Qho3ysAA+OmVOX8Hldg+Pc0Zs0e5pCavb0En8iFLvTA0Q2E\n" +
+                "LR5rLue9uD7aFuKFU/VdcddY9Ww/vo4k5p/tVGp7F8RYCFn9rSjIWbfvvZi1q5Tx\n" +
+                "+akoZbga+4qQ4WYzB/obdX6SCmi6BndcQ1QdjCCQU6gpYx0MddVERbIp9+2SXDyL\n" +
+                "hpxjSyz+RGsZi/9UAshT4txP4+MZBgDfK3ZqtW+h2/eMRxkANqOJpxSjMyLO/FXN\n" +
+                "WxzTDYeWtHNYiAlOwlQZEPOydZFty9IVzzNFQCIUCGjQ/nNyhw7adSgUk3+BXEx/\n" +
+                "MyJPYY0BYuhLxLYcrfQ9nrhaVKxRJj25SVHj2ASsiwGJRZW4CC3uw40OYxfKEvNC\n" +
+                "mer/VxM3kg8qqGf9KUzJ1dVdAvjyx2Hz6jY2qWCyRQ6IMjWHyd43C4r3jxooYKUC\n" +
+                "YnstRQyb/gCSKahveSEjo07CiXMr88UGALwzEr3npFAsPW3osGaFLj49y1oRe11E\n" +
+                "he9gCHFm+fuzbXrWmdPjYU5/ZdqdojzDqfu4ThfnipknpVUM1o6MQqkjM896FHm8\n" +
+                "zbKVFSMhEP6DPHSCexMFrrSgN03PdwHTO6iBaIBBFqmGY01tmJ03SxvSpiBPON9P\n" +
+                "NVvy/6UZFedTq8A07OUAxO62YUSNtT5pmK2vzs3SAZJmbFbMh+NN204TRI72GlqT\n" +
+                "t5hcfkuv8hrmwPS/ZR6q312mKQ6w/1pqO9qitCFCb2IgQmFiYmFnZSA8Ym9iQG9w\n" +
+                "ZW5wZ3AuZXhhbXBsZT6JAc4EEwEKADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC\n" +
+                "F4AWIQTRpm4aI7GCyZgPeIz7/MgqAV5zMAUCXaWe+gAKCRD7/MgqAV5zMG9sC/9U\n" +
+                "2T3RrqEbw533FPNfEflhEVRIZ8gDXKM8hU6cqqEzCmzZT6xYTe6sv4y+PJBGXJFX\n" +
+                "yhj0g6FDkSyboM5litOcTupURObVqMgA/Y4UKERznm4fzzH9qek85c4ljtLyNufe\n" +
+                "doL2pp3vkGtn7eD0QFRaLLmnxPKQ/TlZKdLE1G3u8Uot8QHicaR6GnAdc5UXQJE3\n" +
+                "BiV7jZuDyWmZ1cUNwJkKL6oRtp+ZNDOQCrLNLecKHcgCqrpjSQG5oouba1I1Q6Vl\n" +
+                "sP44dhA1nkmLHtxlTOzpeHj4jnk1FaXmyasurrrI5CgU/L2Oi39DGKTH/A/cywDN\n" +
+                "4ZplIQ9zR8enkbXquUZvFDe+Xz+6xRXtb5MwQyWODB3nHw85HocLwRoIN9WdQEI+\n" +
+                "L8a/56AuOwhs8llkSuiITjR7r9SgKJC2WlAHl7E8lhJ3VDW3ELC56KH308d6mwOG\n" +
+                "ZRAqIAKzM1T5FGjMBhq7ZV0eqdEntBh3EcOIfj2M8rg1MzJv+0mHZOIjByawikad\n" +
+                "BVgEXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90YNBj+xS1ldGD\n" +
+                "bUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pzh0LzrBrVNHar\n" +
+                "29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4PIp1DU9ewcc2\n" +
+                "WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+D9LiTWcxdUPB\n" +
+                "leu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYOiEFBJ9lbb4te\n" +
+                "g9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t0c91kbNE5lgj\n" +
+                "Z7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLsT7Vr1QMX9jzn\n" +
+                "JtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH970TGYOe2aUcSx\n" +
+                "IRDMXDOPyzEfjwARAQABAAv9F2CwsjS+Sjh1M1vegJbZjei4gF1HHpEM0K0PSXsp\n" +
+                "SfVvpR4AoSJ4He6CXSMWg0ot8XKtDuZoV9jnJaES5UL9pMAD7JwIOqZm/DYVJM5h\n" +
+                "OASCh1c356/wSbFbzRHPtUdZO9Q30WFNJM5pHbCJPjtNoRmRGkf71RxtvHBzy7np\n" +
+                "Ga+W6U/NVKHw0i0CYwMI0YlKDakYW3Pm+QL+gHZFvngGweTod0f9l2VLLAmeQR/c\n" +
+                "+EZs7lNumhuZ8mXcwhUc9JQIhOkpO+wreDysEFkAcsKbkQP3UDUsA1gFx9pbMzT0\n" +
+                "tr1oZq2a4QBtxShHzP/ph7KLpN+6qtjks3xB/yjTgaGmtrwM8tSe0wD1RwXS+/1o\n" +
+                "BHpXTnQ7TfeOGUAu4KCoOQLv6ELpKWbRBLWuiPwMdbGpvVFALO8+kvKAg9/r+/ny\n" +
+                "zM2GQHY+J3Jh5JxPiJnHfXNZjIKLbFbIPdSKNyJBuazXW8xIa//mEHMI5OcvsZBK\n" +
+                "clAIp7LXzjEjKXIwHwDcTn9pBgDpdOKTHOtJ3JUKx0rWVsDH6wq6iKV/FTVSY5jl\n" +
+                "zN+puOEsskF1Lfxn9JsJihAVO3yNsp6RvkKtyNlFazaCVKtDAmkjoh60XNxcNRqr\n" +
+                "gCnwdpbgdHP6v/hvZY54ZaJjz6L2e8unNEkYLxDt8cmAyGPgH2XgL7giHIp9jrsQ\n" +
+                "aS381gnYwNX6wE1aEikgtY91nqJjwPlibF9avSyYQoMtEqM/1UjTjB2KdD/MitK5\n" +
+                "fP0VpvuXpNYZedmyq4UOMwdkiNMGAOrfmOeT0olgLrTMT5H97Cn3Yxbk13uXHNu/\n" +
+                "ZUZZNe8s+QtuLfUlKAJtLEUutN33TlWQY522FV0m17S+b80xJib3yZVJteVurrh5\n" +
+                "HSWHAM+zghQAvCesg5CLXa2dNMkTCmZKgCBvfDLZuZbjFwnwCI6u/NhOY9egKuUf\n" +
+                "SA/je/RXaT8m5VxLYMxwqQXKApzD87fv0tLPlVIEvjEsaf992tFEFSNPcG1l/jpd\n" +
+                "5AVXw6kKuf85UkJtYR1x2MkQDrqY1QX/XMw00kt8y9kMZUre19aCArcmor+hDhRJ\n" +
+                "E3Gt4QJrD9z/bICESw4b4z2DbgD/Xz9IXsA/r9cKiM1h5QMtXvuhyfVeM01enhxM\n" +
+                "GbOH3gjqqGNKysx0UODGEwr6AV9hAd8RWXMchJLaExK9J5SRawSg671ObAU24SdY\n" +
+                "vMQ9Z4kAQ2+1ReUZzf3ogSMRZtMT+d18gT6L90/y+APZIaoArLPhebIAGq39HLmJ\n" +
+                "26x3z0WAgrpA1kNsjXEXkoiZGPLKIGoe3hqJAbYEGAEKACAWIQTRpm4aI7GCyZgP\n" +
+                "eIz7/MgqAV5zMAUCXaWc8gIbDAAKCRD7/MgqAV5zMOn/C/9ugt+HZIwX308zI+QX\n" +
+                "c5vDLReuzmJ3ieE0DMO/uNSC+K1XEioSIZP91HeZJ2kbT9nn9fuReuoff0T0Dief\n" +
+                "rbwcIQQHFFkrqSp1K3VWmUGp2JrUsXFVdjy/fkBIjTd7c5boWljv/6wAsSfiv2V0\n" +
+                "JSM8EFU6TYXxswGjFVfc6X97tJNeIrXL+mpSmPPqy2bztcCCHkWS5lNLWQw+R7Vg\n" +
+                "71Fe6yBSNVrqC2/imYG2J9zlowjx1XU63Wdgqp2Wxt0l8OmsB/W80S1fRF5G4SDH\n" +
+                "s9HXglXXqPsBRZJYfP+VStm9L5P/sKjCcX6WtZR7yS6G8zj/X767MLK/djANvpPd\n" +
+                "NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91\n" +
+                "6we0CTfF8qqm7BsVAgalon/UUiuMY80U3ueoj3okiSTiHIjD/YtpXSPioC8nMng7\n" +
+                "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" +
+                "=miES\n" +
+                "-----END PGP PRIVATE KEY BLOCK-----";
+        String MSG = "-----BEGIN PGP MESSAGE-----\n" +
+                "\n" +
+                "wcDMA3wvqk35PDeyAQwA0yaEgydkAMEfl7rDTYVGanLKiFiWIs34mkF+LB8qR5eY\n" +
+                "ZRuhodPbX9QjpgOZ8fETPU3DEvzOaR0kMqKAHl7mmP0inydK5vpx0U0JTHIZkNeC\n" +
+                "rQbizphG2VA8fUvxZ79bZAe43uguITI2R2EZgEzeq6vCO7Ca4XqK95OADKZoVzS7\n" +
+                "0uBSMIgAVumrAj2l1ZOYbiIevx0+xJT2NvsLj7TV3ewBIyUg2f5NujcgEnuhpsMu\n" +
+                "wM/k58u4iBLAa8Qr2f8WFvLRwH3btfiT9VlKaW+JvIvU9RuNKhMihNY4PXV1uJfv\n" +
+                "kKsarMDlRgeRMUHJitwCQP3CSiT+ATCmfHz5e83qsJjBPC0d8qc1H+WKYZ2TPvWO\n" +
+                "egzFLTK73ruhTxGeotr4j6fldriewa/S8R9RHWu+6S3NJ9LNWnt9zUJ85d+f0wY3\n" +
+                "GVub3y20Zh1dm8A+hnNvK5EB5JyIEP8SFH2N9Cs2YQJn8X7aWYRuBq4KryQDb20n\n" +
+                "l4FAiRk414D2Z7XKDvxO0sW6AclnT0DfBm4jZDWquY8U5QsAOtvmMhHlZYVlGm8s\n" +
+                "caqoTx9xMugVzkdWv496nx9kFpMWaNB4KBi5B8MBXOeZchOEFIujH0jeWOXUWgJt\n" +
+                "hWfNMJSliYlS6VO9aM3ab5SAPcPiHmCkuXXtWBWtmUyUkbWCrZdgq7b4UfGiwQeI\n" +
+                "q584RnwPOnRpUfglalP1UqufbJMyl7CFjEMVkcxhApp/zgFZZj0w8oeh9aGflcYJ\n" +
+                "PDvsFoJV0P+VbHlI3FTIg+tJZ73gT/X54Mj5ifUpIZQ/abXSSsgrgnZ4qAjLf8Om\n" +
+                "GOly5ITEfxJC5rir1yLyBM4T8YJpra3A+3VJo7x/ZatiOxs40uBB4zILIjs5LlCe\n" +
+                "WAhFzGzq+VvV7LD6c03USxuV70LhfCUH6ZRq4iXFSnjOoWr5tvWZgzVAc7fshlad\n" +
+                "XZB6lz03jWgNvY66kJK5O6pJ8dftuyihHFY7e44+gQttb+41cYhDmm0Nxxq4PDKW\n" +
+                "CvI2ETpnW24792D+ZI7XMEfZhY2LoXGYvCkGt5aeo/dsWHoKa3yDjp5/rc2llEFz\n" +
+                "A3P8mznBfaRNVjW/UhpMAUI3/kn2bbw21ogrm0NuwZGWIS5ea7+G8TjbrznIQsTq\n" +
+                "VlLhMc7d6gK3hKdDsplX5J90YLA0l1SbQGHqb6GXOsIO2tSRpZWUQIIinYdMDmBG\n" +
+                "b1wPdwtXmCtyqJfGs/vwmoZdZ0FnwmcsF+bI7LSUnZMK/Cno/Tcl6kWJtvLtG2eC\n" +
+                "pHxD/tsU3DoArpDa/+/DOotq+u0CB6ymGAi/NnkFKUdNs8oEt0eOw27/F1teKSgv\n" +
+                "wF4KEcbrHoeSlk/95rtnJYT4IkNA1GSZgYALAMSO2sv7XeBab/jRqM7hyMmzKb3R\n" +
+                "uXN+BcDHRA1vdvIEpnTD5/EDon3/mr7xgHctzuK8z30aruQoBHWckIgmibB5LNvV\n" +
+                "xvFFPFkke6dxEXbYWwYwrqUSHk74420euGa58jnuXtQIr0X+g+UTJegzOjt96ZJH\n" +
+                "l92AHadooL7jYiPX8qxw1sln7k0H+RfWSvEbZ0/xsQ0lxgYwds/Ck6yhOUK8hyRW\n" +
+                "OVmz3g1QjdwZUDblypsymO3iFggJ0NNhNlYPKEWmwdfTOMDmtuQS97ewDSv0WgAa\n" +
+                "oUx2FjjM4iOKiyKsM5i8a4ju3MziFu1ghOfixBwtHRbQHneF5/E5cFtrYvuOlAvN\n" +
+                "80r89YesbBzXzsvheez+bIhm4lTHvBKgcb/RNaseYz/72HVk24GGnisSuc37v+O4\n" +
+                "YcLflfi86KuLtYQNtR+QyegfYWYogjbsSocWBEfnPJBgtzAtdAnMkaKWbb6WfT4k\n" +
+                "J6KWH/wANNdjE4yXPJhRevn3PqHnQvKHJqef1DZgzQMcXD3BwOPXxzy1GXXJw4Jn\n" +
+                "Ma1izl7a+KdbPonCnT59Kg24sl6gJplJRZop/tBqUR/c08kIuEuOB1D+qkeAIv6A\n" +
+                "3/uK7l4PvVe7XSjZ12Rfm2S7cY4dQybgW81TWKfCDNNXjSAWGAKtfIO7iojzBTF0\n" +
+                "MPfpuAx0sP++qUXZGsxIOKUhlqZpDNboHw89UDjj8txc9p6NbWTy6VJoYTKv07sG\n" +
+                "4Umrl5oaX49Ub0GlnwWg/wweCrMXszvZAN58qG0Qt2sjnHy1tUIJ7OajDpWrAEYt\n" +
+                "cvGzFvsr/j2k9lXBrgtIfSIWo8oQhXDR1gsBw5AxnCWkX0gQPEjYv+rq5zHxfWrF\n" +
+                "IOG3zXyoO8QHU0TwdA3s7XBd1pbtyaX0BksW7ecqa+J2KkbXhUOQwMTpgCIGkcBV\n" +
+                "CWf3w6voe6ZPfz4KPR3Zbs9ypV6nbfKjUjjfq7Lms1kOVJqZlJp5hf+ew6hxETHp\n" +
+                "0QmdhONHZvl+25z4rOquuBwsBXvFw/V5dlvuusi9VBuTUwh/v9JARSNmql8V054M\n" +
+                "o6Strj5Ukn+ejymZqXs9yeA+cgE3FL4hzdrUEUt8IVLxvD/XYuWROQJ7AckmU9GA\n" +
+                "xpQxbGcDMV6JzkDihKhiX3D6poccaaaFYv85NNCncsDJrPHrU48PQ4qOyr2sFQa+\n" +
+                "sfLYfRv5W60Zj3OyVFlK2JrqCu5sT7tecoxCGPCR0m/IpQYYu99JxN2SFv2vV9HI\n" +
+                "R6Vg18KxWerJ4sWGDe1CKeCCARiBGD8eNajf6JRu+K9VWUjmYpiEkK68Xaa4/Q2T\n" +
+                "x12WVuyITVU3fCfHp6/0A6wPtJezCvoodqPlw/3fd5eSVYzb5C3v564uhz4=\n" +
+                "=JP9T\n" +
+                "-----END PGP MESSAGE-----";
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        Tuple result = processor.process(MSG, ConsumerOptions.get()
+                .addVerificationCert(certificate)
+                .addDecryptionKey(secretKeys));
+        String plain = result.getA();
+        assertEquals("encrypt ∘ sign ∘ sign ∘ sign", plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
+        assertNull(metadata.getCompressionAlgorithm());
+    }
+
     private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options)
             throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);
diff --git a/version.gradle b/version.gradle
index dc50f086..7d25632e 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,7 +4,7 @@
 
 allprojects {
     ext {
-        shortVersion = '1.3.14'
+        shortVersion = '1.4.0'
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8

From e420678076fb33bad2fd94e6928d760098786115 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 6 Oct 2022 21:52:23 +0200
Subject: [PATCH 0724/1450] 2/3 the way to working sig verification

---
 .../DelayedTeeInputStreamInputStream.java     |  38 +++
 .../OpenPgpMessageInputStream.java            | 263 ++++++++++++------
 .../TeeBCPGInputStream.java                   |  36 ---
 .../OpenPgpMessageInputStreamTest.java        | 234 ++++++++++------
 .../TeeBCPGInputStreamTest.java               |  61 ----
 5 files changed, 353 insertions(+), 279 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
new file mode 100644
index 00000000..5cbabf89
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
@@ -0,0 +1,38 @@
+package org.pgpainless.decryption_verification;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class DelayedTeeInputStreamInputStream extends InputStream {
+
+    private int last = -1;
+    private final InputStream inputStream;
+    private final OutputStream outputStream;
+
+    public DelayedTeeInputStreamInputStream(InputStream inputStream, OutputStream outputStream) {
+        this.inputStream = inputStream;
+        this.outputStream = outputStream;
+    }
+
+    @Override
+    public int read() throws IOException {
+        if (last != -1) {
+            outputStream.write(last);
+        }
+        last = inputStream.read();
+        return last;
+    }
+
+    /**
+     * Squeeze the last byte out and update the output stream.
+     *
+     * @throws IOException in case of an IO error
+     */
+    public void squeeze() throws IOException {
+        if (last != -1) {
+            outputStream.write(last);
+        }
+        last = -1;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 2d031edc..8d370965 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -20,7 +20,6 @@ import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPOnePassSignature;
 import org.bouncycastle.openpgp.PGPPBEEncryptedData;
 import org.bouncycastle.openpgp.PGPPrivateKey;
@@ -53,7 +52,6 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.SignatureUtils;
-import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.Tuple;
 import org.slf4j.Logger;
@@ -68,6 +66,7 @@ public class OpenPgpMessageInputStream extends InputStream {
     protected final OpenPgpMetadata.Builder resultBuilder;
     // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
     protected final PDA automaton = new PDA();
+    protected final DelayedTeeInputStreamInputStream delayedTee;
     // InputStream of OpenPGP packets of the current layer
     protected final BCPGInputStream packetInputStream;
     // InputStream of a nested data packet
@@ -96,8 +95,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             this.signatures.addDetachedSignatures(options.getDetachedSignatures());
         }
 
-        BCPGInputStream bcpg = BCPGInputStream.wrap(inputStream);
-        this.packetInputStream = new TeeBCPGInputStream(bcpg, signatures);
+        delayedTee = new DelayedTeeInputStreamInputStream(inputStream, signatures);
+        BCPGInputStream bcpg = BCPGInputStream.wrap(delayedTee);
+        this.packetInputStream = bcpg;
 
         // *omnomnom*
         consumePackets();
@@ -121,22 +121,15 @@ public class OpenPgpMessageInputStream extends InputStream {
      */
     private void consumePackets()
             throws IOException, PGPException {
-        int tag;
-        loop: while ((tag = nextTag()) != -1) {
-            OpenPgpPacket nextPacket;
-            try {
-                nextPacket = OpenPgpPacket.requireFromTag(tag);
-            } catch (NoSuchElementException e) {
-                log("Invalid tag: " + tag);
-                throw e;
-            }
-            log(nextPacket.toString());
+        OpenPgpPacket nextPacket;
+        loop: while ((nextPacket = nextPacketTag()) != null) {
             signatures.nextPacket(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
+                    delayedTee.squeeze();
                     processLiteralData();
                     break loop;
 
@@ -145,12 +138,14 @@ public class OpenPgpMessageInputStream extends InputStream {
                     automaton.next(InputAlphabet.CompressedData);
                     signatures.commitNested();
                     processCompressedData();
+                    delayedTee.squeeze();
                     break loop;
 
                 // One Pass Signature
                 case OPS:
                     automaton.next(InputAlphabet.OnePassSignatures);
                     PGPOnePassSignature onePassSignature = readOnePassSignature();
+                    delayedTee.squeeze();
                     signatures.addOnePassSignature(onePassSignature);
                     break;
 
@@ -160,6 +155,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     automaton.next(InputAlphabet.Signatures);
 
                     PGPSignature signature = readSignature();
+                    delayedTee.squeeze();
                     processSignature(signature, isSigForOPS);
 
                     break;
@@ -170,6 +166,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case SED:
                 case SEIPD:
                     automaton.next(InputAlphabet.EncryptedData);
+                    delayedTee.squeeze();
                     if (processEncryptedData()) {
                         break loop;
                     }
@@ -179,6 +176,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     // Marker Packets need to be skipped and ignored
                 case MARKER:
                     packetInputStream.readPacket(); // skip
+                    delayedTee.squeeze();
                     break;
 
                 // Key Packets are illegal in this context
@@ -206,6 +204,23 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
+    private OpenPgpPacket nextPacketTag() throws IOException {
+        int tag = nextTag();
+        if (tag == -1) {
+            log("EOF");
+            return null;
+        }
+        OpenPgpPacket packet;
+        try {
+            packet = OpenPgpPacket.requireFromTag(tag);
+        } catch (NoSuchElementException e) {
+            log("Invalid tag: " + tag);
+            throw e;
+        }
+        log(packet.toString());
+        return packet;
+    }
+
     private void processSignature(PGPSignature signature, boolean isSigForOPS) {
         if (isSigForOPS) {
             signatures.popNested();
@@ -229,41 +244,6 @@ public class OpenPgpMessageInputStream extends InputStream {
         nestedInputStream = literalData.getDataStream();
     }
 
-    private void debugEncryptedData() throws PGPException, IOException {
-        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
-
-        // TODO: Replace with !encDataList.isIntegrityProtected()
-        if (!encDataList.get(0).isIntegrityProtected()) {
-            throw new MessageNotIntegrityProtectedException();
-        }
-
-        SortedESKs esks = new SortedESKs(encDataList);
-        for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
-            long keyId = pkesk.getKeyID();
-            PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
-            if (decryptionKeys == null) {
-                continue;
-            }
-            SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
-            PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
-            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
-
-            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                    .getPublicKeyDataDecryptorFactory(privateKey);
-            try {
-                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                InputStream decoder = PGPUtil.getDecoderStream(decrypted);
-                PGPObjectFactory objectFactory = ImplementationFactory.getInstance()
-                        .getPGPObjectFactory(decoder);
-                objectFactory.nextObject();
-                objectFactory.nextObject();
-                objectFactory.nextObject();
-            } catch (PGPException e) {
-                // hm :/
-            }
-        }
-    }
-
     private boolean processEncryptedData() throws IOException, PGPException {
         PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
 
@@ -553,12 +533,13 @@ public class OpenPgpMessageInputStream extends InputStream {
     //  for literal data. UUUUUGLY!!!!
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
-        final List detachedSignatures;
-        final List prependedSignatures;
+        final List detachedSignatures;
+        final List prependedSignatures;
         final List onePassSignatures;
         final Stack> opsUpdateStack;
         List literalOPS = new ArrayList<>();
         final List correspondingSignatures;
+        boolean isLiteral = true;
 
         private Signatures(ConsumerOptions options) {
             this.options = options;
@@ -579,14 +560,14 @@ public class OpenPgpMessageInputStream extends InputStream {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.detachedSignatures.add(signature);
+            this.detachedSignatures.add(new SIG(signature));
         }
 
         void addPrependedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.prependedSignatures.add(signature);
+            this.prependedSignatures.add(new SIG(signature));
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
@@ -630,7 +611,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             opsUpdateStack.pop();
         }
 
-        private void initialize(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
+        private static void initialize(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
             if (certificate == null) {
                 // SHIT
                 return;
@@ -672,7 +653,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 ops.update(b);
             }
 
-            for (PGPSignature detached : detachedSignatures) {
+            for (SIG detached : detachedSignatures) {
                 detached.update(b);
             }
         }
@@ -682,13 +663,22 @@ public class OpenPgpMessageInputStream extends InputStream {
                 ops.update(b, off, len);
             }
 
-            for (PGPSignature detached : detachedSignatures) {
+            for (SIG detached : detachedSignatures) {
                 detached.update(b, off, len);
             }
         }
 
         public void updatePacket(byte b) {
-            for (List nestedOPSs : opsUpdateStack) {
+            for (SIG detached : detachedSignatures) {
+                detached.update(b);
+            }
+
+            for (SIG prepended : prependedSignatures) {
+                prepended.update(b);
+            }
+
+            for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
+                List nestedOPSs = opsUpdateStack.get(i);
                 for (OPS ops : nestedOPSs) {
                     ops.update(b);
                 }
@@ -696,6 +686,14 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         public void updatePacket(byte[] buf, int off, int len) {
+            for (SIG detached : detachedSignatures) {
+                detached.update(buf, off, len);
+            }
+
+            for (SIG prepended : prependedSignatures) {
+                prepended.update(buf, off, len);
+            }
+
             for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
                 List nestedOPSs = opsUpdateStack.get(i);
                 for (OPS ops : nestedOPSs) {
@@ -705,24 +703,16 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         public void finish() {
-            for (PGPSignature detached : detachedSignatures) {
-                boolean verified = false;
-                try {
-                    verified = detached.verify();
-                } catch (PGPException e) {
-                    log("Cannot verify detached signature.", e);
-                }
-                log("Detached Signature by " + Long.toHexString(detached.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+            for (SIG detached : detachedSignatures) {
+                boolean verified = detached.verify();
+                log("Detached Signature by " + Long.toHexString(detached.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                System.out.println(detached);
             }
 
-            for (PGPSignature prepended : prependedSignatures) {
-                boolean verified = false;
-                try {
-                    verified = prepended.verify();
-                } catch (PGPException e) {
-                    log("Cannot verify prepended signature.", e);
-                }
-                log("Prepended Signature by " + Long.toHexString(prepended.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+            for (SIG prepended : prependedSignatures) {
+                boolean verified = prepended.verify();
+                log("Prepended Signature by " + Long.toHexString(prepended.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                System.out.println(prepended);
             }
         }
 
@@ -738,9 +728,92 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         public void nextPacket(OpenPgpPacket nextPacket) {
             if (nextPacket == OpenPgpPacket.LIT) {
+                isLiteral = true;
                 if (literalOPS.isEmpty() && !opsUpdateStack.isEmpty()) {
                     literalOPS = opsUpdateStack.pop();
                 }
+            } else {
+                isLiteral = false;
+            }
+        }
+
+        static class SIG {
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            PGPSignature signature;
+            boolean finished;
+            boolean valid;
+
+            public SIG(PGPSignature signature) {
+                this.signature = signature;
+            }
+
+            public void init(PGPPublicKeyRing certificate) {
+                initialize(signature, certificate, signature.getKeyID());
+            }
+
+            public boolean verify() {
+                finished = true;
+                try {
+                    valid = this.signature.verify();
+                } catch (PGPException e) {
+                    log("Cannot verify SIG " + signature.getKeyID());
+                }
+                return valid;
+            }
+
+            public void update(byte b) {
+                if (finished) {
+                    log("Updating finished sig!");
+                    return;
+                }
+                signature.update(b);
+                bytes.write(b);
+            }
+
+            public void update(byte[] bytes, int off, int len) {
+                if (finished) {
+                    log("Updating finished sig!");
+                    return;
+                }
+                signature.update(bytes, off, len);
+                this.bytes.write(bytes, off, len);
+            }
+
+            @Override
+            public String toString() {
+                String OPS = "c40d03000a01fbfcc82a015e733001";
+                String LIT_H = "cb28620000000000";
+                String LIT = "656e637279707420e28898207369676e20e28898207369676e20e28898207369676e";
+                String SIG1 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
+                String SIG1f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
+                String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
+                String SIG2f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
+                String out = "";
+
+                String hex = Hex.toHexString(bytes.toByteArray());
+                while (hex.contains(OPS)) {
+                    hex = hex.replace(OPS, "[OPS]");
+                }
+                while (hex.contains(LIT_H)) {
+                    hex = hex.replace(LIT_H, "[LIT]");
+                }
+                while (hex.contains(LIT)) {
+                    hex = hex.replace(LIT, "");
+                }
+                while (hex.contains(SIG1)) {
+                    hex = hex.replace(SIG1, "[SIG1]");
+                }
+                while (hex.contains(SIG1f)) {
+                    hex = hex.replace(SIG1f, "[SIG1f]");
+                }
+                while (hex.contains(SIG2)) {
+                    hex = hex.replace(SIG2, "[SIG2]");
+                }
+                while (hex.contains(SIG2f)) {
+                    hex = hex.replace(SIG2f, "[SIG2f]");
+                }
+
+                return out + hex;
             }
         }
 
@@ -796,27 +869,35 @@ public class OpenPgpMessageInputStream extends InputStream {
                 String LIT_H = "cb28620000000000";
                 String LIT = "656e637279707420e28898207369676e20e28898207369676e20e28898207369676e";
                 String SIG1 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
+                String SIG1f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
                 String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                    String out = signature.getKeyID() + " last=" + signature.isContaining() + "\n";
+                String SIG2f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
+                String out = "last=" + signature.isContaining() + "\n";
 
-                    String hex = Hex.toHexString(bytes.toByteArray());
-                    while (hex.contains(OPS)) {
-                        hex = hex.replace(OPS, "[OPS]");
-                    }
-                    while (hex.contains(LIT_H)) {
-                        hex = hex.replace(LIT_H, "[LIT]");
-                    }
-                    while (hex.contains(LIT)) {
-                        hex = hex.replace(LIT, "");
-                    }
-                    while (hex.contains(SIG1)) {
-                        hex = hex.replace(SIG1, "[SIG1]");
-                    }
-                    while (hex.contains(SIG2)) {
-                        hex = hex.replace(SIG2, "[SIG2]");
-                    }
+                String hex = Hex.toHexString(bytes.toByteArray());
+                while (hex.contains(OPS)) {
+                    hex = hex.replace(OPS, "[OPS]");
+                }
+                while (hex.contains(LIT_H)) {
+                    hex = hex.replace(LIT_H, "[LIT]");
+                }
+                while (hex.contains(LIT)) {
+                    hex = hex.replace(LIT, "");
+                }
+                while (hex.contains(SIG1)) {
+                    hex = hex.replace(SIG1, "[SIG1]");
+                }
+                while (hex.contains(SIG1f)) {
+                    hex = hex.replace(SIG1f, "[SIG1f]");
+                }
+                while (hex.contains(SIG2)) {
+                    hex = hex.replace(SIG2, "[SIG2]");
+                }
+                while (hex.contains(SIG2f)) {
+                    hex = hex.replace(SIG2f, "[SIG2f]");
+                }
 
-                    return out + hex;
+                return out + hex;
             }
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
deleted file mode 100644
index cce21051..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package org.pgpainless.decryption_verification;
-
-import org.bouncycastle.bcpg.BCPGInputStream;
-import org.pgpainless.util.ArmorUtils;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class TeeBCPGInputStream extends BCPGInputStream {
-
-    private final OutputStream out;
-
-    public TeeBCPGInputStream(InputStream in, OutputStream outputStream) {
-        super(in);
-        this.out = outputStream;
-    }
-
-    @Override
-    public int read() throws IOException {
-        int r = super.read();
-        if (r != -1) {
-            out.write(r);
-        }
-        return r;
-    }
-
-    @Override
-    public int read(byte[] buf, int off, int len) throws IOException {
-        int r = super.read(buf, off, len);
-        if (r > 0) {
-            out.write(buf, off, r);
-        }
-        return r;
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index f780b2eb..46c521ef 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -4,7 +4,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -143,11 +142,11 @@ public class OpenPgpMessageInputStreamTest {
             "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
-            "hF4Dyqa/GWUy6WsSAQdAQ62BwmUt8Iby0+jvrLhMgST79KR/as+dyl0nf1uki2sw\n" +
-            "Thg1Ojtf0hOyJgcpQ4nP2Q0wYFR0F1sCydaIlTGreYZHlGtybP7/Ml6KNZILTRWP\n" +
-            "0kYBkGBgK7oQWRIVyoF2POvEP6EX1X8nvQk7O3NysVdRVbnia7gE3AzRYuha4kxs\n" +
-            "pI6xJkntLMS3K6him1Y9FHINIASFSB+C\n" +
-            "=5p00\n" +
+            "hF4Dyqa/GWUy6WsSAQdAuGt49sQwdAHH3jPx11V3wSh7Amur3TbnONiQYJmMo3Qw\n" +
+            "87yBnZCsaB7evxLBgi6PpF3tiytHM60xlrPeKKPpJhu60vNafRM2OOwqk7AdcZw4\n" +
+            "0kYBEhiioO2btSuafNrQEjYzAgC7K6l7aPCcQObNp4ofryXu1P5vN+vUZp357hyS\n" +
+            "6zZqP+0wJQ9yJZMvFTtFeSaSi0oMP2sb\n" +
+            "=LvRL\n" +
             "-----END PGP MESSAGE-----";
 
     public static final String OPS_LIT_SIG = "" +
@@ -170,8 +169,8 @@ public class OpenPgpMessageInputStreamTest {
         // genKey();
         // genSIG_LIT();
         // genSENC_LIT();
-        // genPENC_COMP_LIT();
-        genOPS_LIT_SIG();
+        genPENC_COMP_LIT();
+        // genOPS_LIT_SIG();
     }
 
     public static void genLIT() throws IOException {
@@ -433,91 +432,144 @@ public class OpenPgpMessageInputStreamTest {
         assertNull(metadata.getCompressionAlgorithm());
     }
 
+    String BOB_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Comment: Bob's OpenPGP Transferable Secret Key\n" +
+            "\n" +
+            "lQVYBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
+            "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
+            "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
+            "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
+            "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
+            "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
+            "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
+            "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
+            "vLIwa3T4CyshfT0AEQEAAQAL/RZqbJW2IqQDCnJi4Ozm++gPqBPiX1RhTWSjwxfM\n" +
+            "cJKUZfzLj414rMKm6Jh1cwwGY9jekROhB9WmwaaKT8HtcIgrZNAlYzANGRCM4TLK\n" +
+            "3VskxfSwKKna8l+s+mZglqbAjUg3wmFuf9Tj2xcUZYmyRm1DEmcN2ZzpvRtHgX7z\n" +
+            "Wn1mAKUlSDJZSQks0zjuMNbupcpyJokdlkUg2+wBznBOTKzgMxVNC9b2g5/tMPUs\n" +
+            "hGGWmF1UH+7AHMTaS6dlmr2ZBIyogdnfUqdNg5sZwsxSNrbglKP4sqe7X61uEAIQ\n" +
+            "bD7rT3LonLbhkrj3I8wilUD8usIwt5IecoHhd9HziqZjRCc1BUBkboUEoyedbDV4\n" +
+            "i4qfsFZ6CEWoLuD5pW7dEp0M+WeuHXO164Rc+LnH6i1VQrpb1Okl4qO6ejIpIjBI\n" +
+            "1t3GshtUu/mwGBBxs60KBX5g77mFQ9lLCRj8lSYqOsHRKBhUp4qM869VA+fD0BRP\n" +
+            "fqPT0I9IH4Oa/A3jYJcg622GwQYA1LhnP208Waf6PkQSJ6kyr8ymY1yVh9VBE/g6\n" +
+            "fRDYA+pkqKnw9wfH2Qho3ysAA+OmVOX8Hldg+Pc0Zs0e5pCavb0En8iFLvTA0Q2E\n" +
+            "LR5rLue9uD7aFuKFU/VdcddY9Ww/vo4k5p/tVGp7F8RYCFn9rSjIWbfvvZi1q5Tx\n" +
+            "+akoZbga+4qQ4WYzB/obdX6SCmi6BndcQ1QdjCCQU6gpYx0MddVERbIp9+2SXDyL\n" +
+            "hpxjSyz+RGsZi/9UAshT4txP4+MZBgDfK3ZqtW+h2/eMRxkANqOJpxSjMyLO/FXN\n" +
+            "WxzTDYeWtHNYiAlOwlQZEPOydZFty9IVzzNFQCIUCGjQ/nNyhw7adSgUk3+BXEx/\n" +
+            "MyJPYY0BYuhLxLYcrfQ9nrhaVKxRJj25SVHj2ASsiwGJRZW4CC3uw40OYxfKEvNC\n" +
+            "mer/VxM3kg8qqGf9KUzJ1dVdAvjyx2Hz6jY2qWCyRQ6IMjWHyd43C4r3jxooYKUC\n" +
+            "YnstRQyb/gCSKahveSEjo07CiXMr88UGALwzEr3npFAsPW3osGaFLj49y1oRe11E\n" +
+            "he9gCHFm+fuzbXrWmdPjYU5/ZdqdojzDqfu4ThfnipknpVUM1o6MQqkjM896FHm8\n" +
+            "zbKVFSMhEP6DPHSCexMFrrSgN03PdwHTO6iBaIBBFqmGY01tmJ03SxvSpiBPON9P\n" +
+            "NVvy/6UZFedTq8A07OUAxO62YUSNtT5pmK2vzs3SAZJmbFbMh+NN204TRI72GlqT\n" +
+            "t5hcfkuv8hrmwPS/ZR6q312mKQ6w/1pqO9qitCFCb2IgQmFiYmFnZSA8Ym9iQG9w\n" +
+            "ZW5wZ3AuZXhhbXBsZT6JAc4EEwEKADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC\n" +
+            "F4AWIQTRpm4aI7GCyZgPeIz7/MgqAV5zMAUCXaWe+gAKCRD7/MgqAV5zMG9sC/9U\n" +
+            "2T3RrqEbw533FPNfEflhEVRIZ8gDXKM8hU6cqqEzCmzZT6xYTe6sv4y+PJBGXJFX\n" +
+            "yhj0g6FDkSyboM5litOcTupURObVqMgA/Y4UKERznm4fzzH9qek85c4ljtLyNufe\n" +
+            "doL2pp3vkGtn7eD0QFRaLLmnxPKQ/TlZKdLE1G3u8Uot8QHicaR6GnAdc5UXQJE3\n" +
+            "BiV7jZuDyWmZ1cUNwJkKL6oRtp+ZNDOQCrLNLecKHcgCqrpjSQG5oouba1I1Q6Vl\n" +
+            "sP44dhA1nkmLHtxlTOzpeHj4jnk1FaXmyasurrrI5CgU/L2Oi39DGKTH/A/cywDN\n" +
+            "4ZplIQ9zR8enkbXquUZvFDe+Xz+6xRXtb5MwQyWODB3nHw85HocLwRoIN9WdQEI+\n" +
+            "L8a/56AuOwhs8llkSuiITjR7r9SgKJC2WlAHl7E8lhJ3VDW3ELC56KH308d6mwOG\n" +
+            "ZRAqIAKzM1T5FGjMBhq7ZV0eqdEntBh3EcOIfj2M8rg1MzJv+0mHZOIjByawikad\n" +
+            "BVgEXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90YNBj+xS1ldGD\n" +
+            "bUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pzh0LzrBrVNHar\n" +
+            "29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4PIp1DU9ewcc2\n" +
+            "WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+D9LiTWcxdUPB\n" +
+            "leu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYOiEFBJ9lbb4te\n" +
+            "g9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t0c91kbNE5lgj\n" +
+            "Z7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLsT7Vr1QMX9jzn\n" +
+            "JtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH970TGYOe2aUcSx\n" +
+            "IRDMXDOPyzEfjwARAQABAAv9F2CwsjS+Sjh1M1vegJbZjei4gF1HHpEM0K0PSXsp\n" +
+            "SfVvpR4AoSJ4He6CXSMWg0ot8XKtDuZoV9jnJaES5UL9pMAD7JwIOqZm/DYVJM5h\n" +
+            "OASCh1c356/wSbFbzRHPtUdZO9Q30WFNJM5pHbCJPjtNoRmRGkf71RxtvHBzy7np\n" +
+            "Ga+W6U/NVKHw0i0CYwMI0YlKDakYW3Pm+QL+gHZFvngGweTod0f9l2VLLAmeQR/c\n" +
+            "+EZs7lNumhuZ8mXcwhUc9JQIhOkpO+wreDysEFkAcsKbkQP3UDUsA1gFx9pbMzT0\n" +
+            "tr1oZq2a4QBtxShHzP/ph7KLpN+6qtjks3xB/yjTgaGmtrwM8tSe0wD1RwXS+/1o\n" +
+            "BHpXTnQ7TfeOGUAu4KCoOQLv6ELpKWbRBLWuiPwMdbGpvVFALO8+kvKAg9/r+/ny\n" +
+            "zM2GQHY+J3Jh5JxPiJnHfXNZjIKLbFbIPdSKNyJBuazXW8xIa//mEHMI5OcvsZBK\n" +
+            "clAIp7LXzjEjKXIwHwDcTn9pBgDpdOKTHOtJ3JUKx0rWVsDH6wq6iKV/FTVSY5jl\n" +
+            "zN+puOEsskF1Lfxn9JsJihAVO3yNsp6RvkKtyNlFazaCVKtDAmkjoh60XNxcNRqr\n" +
+            "gCnwdpbgdHP6v/hvZY54ZaJjz6L2e8unNEkYLxDt8cmAyGPgH2XgL7giHIp9jrsQ\n" +
+            "aS381gnYwNX6wE1aEikgtY91nqJjwPlibF9avSyYQoMtEqM/1UjTjB2KdD/MitK5\n" +
+            "fP0VpvuXpNYZedmyq4UOMwdkiNMGAOrfmOeT0olgLrTMT5H97Cn3Yxbk13uXHNu/\n" +
+            "ZUZZNe8s+QtuLfUlKAJtLEUutN33TlWQY522FV0m17S+b80xJib3yZVJteVurrh5\n" +
+            "HSWHAM+zghQAvCesg5CLXa2dNMkTCmZKgCBvfDLZuZbjFwnwCI6u/NhOY9egKuUf\n" +
+            "SA/je/RXaT8m5VxLYMxwqQXKApzD87fv0tLPlVIEvjEsaf992tFEFSNPcG1l/jpd\n" +
+            "5AVXw6kKuf85UkJtYR1x2MkQDrqY1QX/XMw00kt8y9kMZUre19aCArcmor+hDhRJ\n" +
+            "E3Gt4QJrD9z/bICESw4b4z2DbgD/Xz9IXsA/r9cKiM1h5QMtXvuhyfVeM01enhxM\n" +
+            "GbOH3gjqqGNKysx0UODGEwr6AV9hAd8RWXMchJLaExK9J5SRawSg671ObAU24SdY\n" +
+            "vMQ9Z4kAQ2+1ReUZzf3ogSMRZtMT+d18gT6L90/y+APZIaoArLPhebIAGq39HLmJ\n" +
+            "26x3z0WAgrpA1kNsjXEXkoiZGPLKIGoe3hqJAbYEGAEKACAWIQTRpm4aI7GCyZgP\n" +
+            "eIz7/MgqAV5zMAUCXaWc8gIbDAAKCRD7/MgqAV5zMOn/C/9ugt+HZIwX308zI+QX\n" +
+            "c5vDLReuzmJ3ieE0DMO/uNSC+K1XEioSIZP91HeZJ2kbT9nn9fuReuoff0T0Dief\n" +
+            "rbwcIQQHFFkrqSp1K3VWmUGp2JrUsXFVdjy/fkBIjTd7c5boWljv/6wAsSfiv2V0\n" +
+            "JSM8EFU6TYXxswGjFVfc6X97tJNeIrXL+mpSmPPqy2bztcCCHkWS5lNLWQw+R7Vg\n" +
+            "71Fe6yBSNVrqC2/imYG2J9zlowjx1XU63Wdgqp2Wxt0l8OmsB/W80S1fRF5G4SDH\n" +
+            "s9HXglXXqPsBRZJYfP+VStm9L5P/sKjCcX6WtZR7yS6G8zj/X767MLK/djANvpPd\n" +
+            "NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91\n" +
+            "6we0CTfF8qqm7BsVAgalon/UUiuMY80U3ueoj3okiSTiHIjD/YtpXSPioC8nMng7\n" +
+            "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" +
+            "=miES\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    @ParameterizedTest(name = "Process PENC(OPS OPS LIT SIG SIG) using {0}")
+    @MethodSource("provideMessageProcessors")
+    public void testProcessPENC_OPS_OPS_LIT_SIG_SIG(Processor processor) throws IOException, PGPException {
+        String MSG = "-----BEGIN PGP MESSAGE-----\n" +
+                "\n" +
+                "wcDMA3wvqk35PDeyAQv/RhY9sgxMXj1UxumNMOeN+1+c5bB5e3jSrvA93L8yLFqB\n" +
+                "uF4MsFnHNgu3bS+/a3Z63MRdgS3wOxaRrvEE3y0Q316rP0OQxj9c2mMPZdHlIxjL\n" +
+                "KJMzQ6Ofs4kdtapo7plFqKBEEvnp7rF1hFAPxi0/Z+ekuhhOnWg6dZpAZH+s5Li0\n" +
+                "rKUltzFJ0bxPe6LCuwyYnzKnNBJJsQdKwcvX2Ip8+6lTX/DjQR1s5nhIe76GaNcU\n" +
+                "OvXITOynDsGgNfAmrqTVfrVgDvOVgvj46UPAwS02uYNNk8pWlcy4iGYIlQBUHD6P\n" +
+                "k1ieG7ETWsJvStceFqLQVgSDErAga/YXXAJnNUF3PnOxgOlVewdxDCoEeu+3OdQE\n" +
+                "j7hqmTTo3iA5GaTKCOi07NwXoXRhEMN3X6XDI5+ovqzAYaPkITxtqZzoNVKMT5hi\n" +
+                "tRKl0qwHbMsfHRCQesDmDPU4MlI7TH2iX2jMPxaepyAI++NMW7H6w8bYEFaE0O9v\n" +
+                "tiTL2gcYv4O/pGd3isWb0sOkAdz7HkKDdFCUdVMwP25z6dwhEy+oR/q1Le1CjCE/\n" +
+                "kY1bmJCTBmJwf86YGZElxFuvCTUBBX6ChI7+o18fljQE7eIS0GjXkQ1j2zEXxgGy\n" +
+                "Lhq7yCr6XEIVUj0x8J4LU2RthtgyToOH7EjLRUbqBG2PZD5K7L7b+ueLSkCfM5Gr\n" +
+                "isGbTTj6e+TLy6rXGxlNmNDoojpfp/5rRCxrmqPOjBZrNcio8rG19PfBkaw1IXu9\n" +
+                "fV9klsIxQyiOmUIl7sc74tTBwdIq8F6FJ7sJIScSCrzMjy+J+VLaBl1LyKs9cWDr\n" +
+                "vUqHvc9diwFWjbtZ8wQn9TQug5X4m6sT+pl+7UALAGWdyI9ySlSvVmVnGROKehkV\n" +
+                "5VfRds1ICH9Y4XAD7ylzF4dJ0gadtgwD97HLmfApP9IFD/sC4Oy2fu/ERky3Qqrw\n" +
+                "nvxDpFZBAzNiTR5VXlEPH2DeQUL0tyJJtq5InjqJm/F2K6O11Xk/HSm9VP3Bnhbc\n" +
+                "djaA7GTTYTq2MjPIDYq+ujPkD/WDp5a/2MIWS10ucgZIcLEwJeU/OY+98W/ogrd5\n" +
+                "tg03XkKLcGuK6sGv1iYsOGw1vI6RKAkI1j7YBXb7Twb3Ueq/lcRvutgMx/O5k0L5\n" +
+                "+d3kl6XJVQVKneft7C6DEu6boiGQCTtloJFxaJ9POqq6DzTQ5hSGvBNiUuek3HV7\n" +
+                "lHH544/ONgCufprT3cUSU0CW9EVbeHq3st3wKwxT5ei8nd8R+TuwaPI3TBSqeV03\n" +
+                "9fz5x9U2a22Uh53/qux2vAl8DyZHw7VWTP/Bu3eWHiDBEQIQY9BbRMYc7ueNwPii\n" +
+                "EROFOrHikkDr8UPwNC9FmpLd4vmQQfioY1bAuFvDckTrRFRp2ft+8m0oWLuF+3IH\n" +
+                "lJ2ph3w62VbIOmG0dxtI626n32NcPwk6shCP/gtW1ixuLr1OpiEe5slt2eNiPoTG\n" +
+                "CX5UnxzwUkyJ9KgLr3uFkMUwITCF9d2HbnHRaYqVDbQBpZW0wmgtpkTp2tNTExvp\n" +
+                "T2kx8LNHxAYNoSX+OOWvWzimkCO9MUfjpa0i5kVNxHronNcb1hKAU6X/2r2Mt3C4\n" +
+                "sv2m08spJBQJWnaa/8paYm+c8JS8oACD9SK/8Y4E1kNM3yEgk8dM2BLHKN3xkyT6\n" +
+                "iPXHKKgEHivTdpDa8gY81uoqorRHt5gNPDqL/p2ttFquBbQUtRvDCMkvqif5DADS\n" +
+                "wvLnnlOohCnQbFsNtWg5G6UUQ0TYbt6bixHpNcYIuFEJubJOJTuh/paxPgI3xx1q\n" +
+                "AdrStz97gowgNanOc+Quyt+zmb5cFQdAPLj76xv/W9zd4N601C1NE6+UhZ6mx/Ut\n" +
+                "wboetRk4HNcTRmBci5gjNoqB5oQnyAyqhHL1yiD3YmwwELnRwE8563HrHEpU6ziq\n" +
+                "D1pPMF6YBcmSuHp8FubPeef8iGHYEJQscRTIy/sb6YQjgShjE4VXfGJ2vOz3KRfU\n" +
+                "s7O7MH2b1YkDPsTDuLoDjBzDRoA+2vi034km9Qdcs3w8+vrydw4=\n" +
+                "=mdYs\n" +
+                "-----END PGP MESSAGE-----\n";
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY);
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        Tuple result = processor.process(MSG, ConsumerOptions.get()
+                .addVerificationCert(certificate)
+                .addDecryptionKey(secretKeys));
+        String plain = result.getA();
+        assertEquals("encrypt ∘ sign ∘ sign", plain);
+        MessageMetadata metadata = result.getB();
+        assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
+        assertNull(metadata.getCompressionAlgorithm());
+    }
+
     @ParameterizedTest(name = "Process PENC(OPS OPS OPS LIT SIG SIG SIG) using {0}")
     @MethodSource("provideMessageProcessors")
     public void testProcessOPS_OPS_OPS_LIT_SIG_SIG_SIG(Processor processor) throws IOException, PGPException {
-        String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-                "Comment: Bob's OpenPGP Transferable Secret Key\n" +
-                "\n" +
-                "lQVYBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
-                "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
-                "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
-                "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
-                "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
-                "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
-                "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
-                "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
-                "vLIwa3T4CyshfT0AEQEAAQAL/RZqbJW2IqQDCnJi4Ozm++gPqBPiX1RhTWSjwxfM\n" +
-                "cJKUZfzLj414rMKm6Jh1cwwGY9jekROhB9WmwaaKT8HtcIgrZNAlYzANGRCM4TLK\n" +
-                "3VskxfSwKKna8l+s+mZglqbAjUg3wmFuf9Tj2xcUZYmyRm1DEmcN2ZzpvRtHgX7z\n" +
-                "Wn1mAKUlSDJZSQks0zjuMNbupcpyJokdlkUg2+wBznBOTKzgMxVNC9b2g5/tMPUs\n" +
-                "hGGWmF1UH+7AHMTaS6dlmr2ZBIyogdnfUqdNg5sZwsxSNrbglKP4sqe7X61uEAIQ\n" +
-                "bD7rT3LonLbhkrj3I8wilUD8usIwt5IecoHhd9HziqZjRCc1BUBkboUEoyedbDV4\n" +
-                "i4qfsFZ6CEWoLuD5pW7dEp0M+WeuHXO164Rc+LnH6i1VQrpb1Okl4qO6ejIpIjBI\n" +
-                "1t3GshtUu/mwGBBxs60KBX5g77mFQ9lLCRj8lSYqOsHRKBhUp4qM869VA+fD0BRP\n" +
-                "fqPT0I9IH4Oa/A3jYJcg622GwQYA1LhnP208Waf6PkQSJ6kyr8ymY1yVh9VBE/g6\n" +
-                "fRDYA+pkqKnw9wfH2Qho3ysAA+OmVOX8Hldg+Pc0Zs0e5pCavb0En8iFLvTA0Q2E\n" +
-                "LR5rLue9uD7aFuKFU/VdcddY9Ww/vo4k5p/tVGp7F8RYCFn9rSjIWbfvvZi1q5Tx\n" +
-                "+akoZbga+4qQ4WYzB/obdX6SCmi6BndcQ1QdjCCQU6gpYx0MddVERbIp9+2SXDyL\n" +
-                "hpxjSyz+RGsZi/9UAshT4txP4+MZBgDfK3ZqtW+h2/eMRxkANqOJpxSjMyLO/FXN\n" +
-                "WxzTDYeWtHNYiAlOwlQZEPOydZFty9IVzzNFQCIUCGjQ/nNyhw7adSgUk3+BXEx/\n" +
-                "MyJPYY0BYuhLxLYcrfQ9nrhaVKxRJj25SVHj2ASsiwGJRZW4CC3uw40OYxfKEvNC\n" +
-                "mer/VxM3kg8qqGf9KUzJ1dVdAvjyx2Hz6jY2qWCyRQ6IMjWHyd43C4r3jxooYKUC\n" +
-                "YnstRQyb/gCSKahveSEjo07CiXMr88UGALwzEr3npFAsPW3osGaFLj49y1oRe11E\n" +
-                "he9gCHFm+fuzbXrWmdPjYU5/ZdqdojzDqfu4ThfnipknpVUM1o6MQqkjM896FHm8\n" +
-                "zbKVFSMhEP6DPHSCexMFrrSgN03PdwHTO6iBaIBBFqmGY01tmJ03SxvSpiBPON9P\n" +
-                "NVvy/6UZFedTq8A07OUAxO62YUSNtT5pmK2vzs3SAZJmbFbMh+NN204TRI72GlqT\n" +
-                "t5hcfkuv8hrmwPS/ZR6q312mKQ6w/1pqO9qitCFCb2IgQmFiYmFnZSA8Ym9iQG9w\n" +
-                "ZW5wZ3AuZXhhbXBsZT6JAc4EEwEKADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC\n" +
-                "F4AWIQTRpm4aI7GCyZgPeIz7/MgqAV5zMAUCXaWe+gAKCRD7/MgqAV5zMG9sC/9U\n" +
-                "2T3RrqEbw533FPNfEflhEVRIZ8gDXKM8hU6cqqEzCmzZT6xYTe6sv4y+PJBGXJFX\n" +
-                "yhj0g6FDkSyboM5litOcTupURObVqMgA/Y4UKERznm4fzzH9qek85c4ljtLyNufe\n" +
-                "doL2pp3vkGtn7eD0QFRaLLmnxPKQ/TlZKdLE1G3u8Uot8QHicaR6GnAdc5UXQJE3\n" +
-                "BiV7jZuDyWmZ1cUNwJkKL6oRtp+ZNDOQCrLNLecKHcgCqrpjSQG5oouba1I1Q6Vl\n" +
-                "sP44dhA1nkmLHtxlTOzpeHj4jnk1FaXmyasurrrI5CgU/L2Oi39DGKTH/A/cywDN\n" +
-                "4ZplIQ9zR8enkbXquUZvFDe+Xz+6xRXtb5MwQyWODB3nHw85HocLwRoIN9WdQEI+\n" +
-                "L8a/56AuOwhs8llkSuiITjR7r9SgKJC2WlAHl7E8lhJ3VDW3ELC56KH308d6mwOG\n" +
-                "ZRAqIAKzM1T5FGjMBhq7ZV0eqdEntBh3EcOIfj2M8rg1MzJv+0mHZOIjByawikad\n" +
-                "BVgEXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90YNBj+xS1ldGD\n" +
-                "bUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pzh0LzrBrVNHar\n" +
-                "29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4PIp1DU9ewcc2\n" +
-                "WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+D9LiTWcxdUPB\n" +
-                "leu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYOiEFBJ9lbb4te\n" +
-                "g9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t0c91kbNE5lgj\n" +
-                "Z7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLsT7Vr1QMX9jzn\n" +
-                "JtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH970TGYOe2aUcSx\n" +
-                "IRDMXDOPyzEfjwARAQABAAv9F2CwsjS+Sjh1M1vegJbZjei4gF1HHpEM0K0PSXsp\n" +
-                "SfVvpR4AoSJ4He6CXSMWg0ot8XKtDuZoV9jnJaES5UL9pMAD7JwIOqZm/DYVJM5h\n" +
-                "OASCh1c356/wSbFbzRHPtUdZO9Q30WFNJM5pHbCJPjtNoRmRGkf71RxtvHBzy7np\n" +
-                "Ga+W6U/NVKHw0i0CYwMI0YlKDakYW3Pm+QL+gHZFvngGweTod0f9l2VLLAmeQR/c\n" +
-                "+EZs7lNumhuZ8mXcwhUc9JQIhOkpO+wreDysEFkAcsKbkQP3UDUsA1gFx9pbMzT0\n" +
-                "tr1oZq2a4QBtxShHzP/ph7KLpN+6qtjks3xB/yjTgaGmtrwM8tSe0wD1RwXS+/1o\n" +
-                "BHpXTnQ7TfeOGUAu4KCoOQLv6ELpKWbRBLWuiPwMdbGpvVFALO8+kvKAg9/r+/ny\n" +
-                "zM2GQHY+J3Jh5JxPiJnHfXNZjIKLbFbIPdSKNyJBuazXW8xIa//mEHMI5OcvsZBK\n" +
-                "clAIp7LXzjEjKXIwHwDcTn9pBgDpdOKTHOtJ3JUKx0rWVsDH6wq6iKV/FTVSY5jl\n" +
-                "zN+puOEsskF1Lfxn9JsJihAVO3yNsp6RvkKtyNlFazaCVKtDAmkjoh60XNxcNRqr\n" +
-                "gCnwdpbgdHP6v/hvZY54ZaJjz6L2e8unNEkYLxDt8cmAyGPgH2XgL7giHIp9jrsQ\n" +
-                "aS381gnYwNX6wE1aEikgtY91nqJjwPlibF9avSyYQoMtEqM/1UjTjB2KdD/MitK5\n" +
-                "fP0VpvuXpNYZedmyq4UOMwdkiNMGAOrfmOeT0olgLrTMT5H97Cn3Yxbk13uXHNu/\n" +
-                "ZUZZNe8s+QtuLfUlKAJtLEUutN33TlWQY522FV0m17S+b80xJib3yZVJteVurrh5\n" +
-                "HSWHAM+zghQAvCesg5CLXa2dNMkTCmZKgCBvfDLZuZbjFwnwCI6u/NhOY9egKuUf\n" +
-                "SA/je/RXaT8m5VxLYMxwqQXKApzD87fv0tLPlVIEvjEsaf992tFEFSNPcG1l/jpd\n" +
-                "5AVXw6kKuf85UkJtYR1x2MkQDrqY1QX/XMw00kt8y9kMZUre19aCArcmor+hDhRJ\n" +
-                "E3Gt4QJrD9z/bICESw4b4z2DbgD/Xz9IXsA/r9cKiM1h5QMtXvuhyfVeM01enhxM\n" +
-                "GbOH3gjqqGNKysx0UODGEwr6AV9hAd8RWXMchJLaExK9J5SRawSg671ObAU24SdY\n" +
-                "vMQ9Z4kAQ2+1ReUZzf3ogSMRZtMT+d18gT6L90/y+APZIaoArLPhebIAGq39HLmJ\n" +
-                "26x3z0WAgrpA1kNsjXEXkoiZGPLKIGoe3hqJAbYEGAEKACAWIQTRpm4aI7GCyZgP\n" +
-                "eIz7/MgqAV5zMAUCXaWc8gIbDAAKCRD7/MgqAV5zMOn/C/9ugt+HZIwX308zI+QX\n" +
-                "c5vDLReuzmJ3ieE0DMO/uNSC+K1XEioSIZP91HeZJ2kbT9nn9fuReuoff0T0Dief\n" +
-                "rbwcIQQHFFkrqSp1K3VWmUGp2JrUsXFVdjy/fkBIjTd7c5boWljv/6wAsSfiv2V0\n" +
-                "JSM8EFU6TYXxswGjFVfc6X97tJNeIrXL+mpSmPPqy2bztcCCHkWS5lNLWQw+R7Vg\n" +
-                "71Fe6yBSNVrqC2/imYG2J9zlowjx1XU63Wdgqp2Wxt0l8OmsB/W80S1fRF5G4SDH\n" +
-                "s9HXglXXqPsBRZJYfP+VStm9L5P/sKjCcX6WtZR7yS6G8zj/X767MLK/djANvpPd\n" +
-                "NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91\n" +
-                "6we0CTfF8qqm7BsVAgalon/UUiuMY80U3ueoj3okiSTiHIjD/YtpXSPioC8nMng7\n" +
-                "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" +
-                "=miES\n" +
-                "-----END PGP PRIVATE KEY BLOCK-----";
         String MSG = "-----BEGIN PGP MESSAGE-----\n" +
                 "\n" +
                 "wcDMA3wvqk35PDeyAQwA0yaEgydkAMEfl7rDTYVGanLKiFiWIs34mkF+LB8qR5eY\n" +
@@ -565,7 +617,7 @@ public class OpenPgpMessageInputStreamTest {
                 "x12WVuyITVU3fCfHp6/0A6wPtJezCvoodqPlw/3fd5eSVYzb5C3v564uhz4=\n" +
                 "=JP9T\n" +
                 "-----END PGP MESSAGE-----";
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(BOB_KEY);
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
 
         Tuple result = processor.process(MSG, ConsumerOptions.get()
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
deleted file mode 100644
index d31c6009..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TeeBCPGInputStreamTest.java
+++ /dev/null
@@ -1,61 +0,0 @@
-package org.pgpainless.decryption_verification;
-
-import org.bouncycastle.bcpg.ArmoredInputStream;
-import org.bouncycastle.bcpg.ArmoredOutputStream;
-import org.bouncycastle.bcpg.BCPGInputStream;
-import org.bouncycastle.bcpg.Packet;
-import org.bouncycastle.openpgp.PGPCompressedData;
-import org.bouncycastle.openpgp.PGPException;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.algorithm.OpenPgpPacket;
-import org.pgpainless.util.ArmoredInputStreamFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
-
-public class TeeBCPGInputStreamTest {
-
-    private static final Logger LOGGER = LoggerFactory.getLogger(TeeBCPGInputStreamTest.class);
-    private static final String INBAND_SIGNED = "-----BEGIN PGP MESSAGE-----\n" +
-            "Version: PGPainless\n" +
-            "\n" +
-            "owGbwMvMyCUWdXSHvVTUtXbG0yJJDCDgkZqTk6+jEJ5flJOiyNVRysIoxsXAxsqU\n" +
-            "GDiVjUGRUwCmQUyRRWnOn9Z/PIseF3Yz6cCEL05nZDj1OClo75WVTjNmJPemW6qV\n" +
-            "6ki//1K1++2s0qTP+0N11O4z/BVLDDdxnmQryS+5VXjBX7/0Hxnm/eqeX6Zum35r\n" +
-            "M8e7ufwA\n" +
-            "=RDiy\n" +
-            "-----END PGP MESSAGE-----";
-
-    @Test
-    public void test() throws IOException, PGPException {
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        ArmoredOutputStream armorOut = new ArmoredOutputStream(out);
-
-        ByteArrayInputStream bytesIn = new ByteArrayInputStream(INBAND_SIGNED.getBytes(StandardCharsets.UTF_8));
-        ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        BCPGInputStream bcpgIn = new BCPGInputStream(armorIn);
-        TeeBCPGInputStream teeIn = new TeeBCPGInputStream(bcpgIn, armorOut);
-
-        ByteArrayOutputStream nestedOut = new ByteArrayOutputStream();
-        ArmoredOutputStream nestedArmorOut = new ArmoredOutputStream(nestedOut);
-
-        PGPCompressedData compressedData = new PGPCompressedData(teeIn);
-        InputStream nestedStream = compressedData.getDataStream();
-        BCPGInputStream nestedBcpgIn = new BCPGInputStream(nestedStream);
-        TeeBCPGInputStream nestedTeeIn = new TeeBCPGInputStream(nestedBcpgIn, nestedArmorOut);
-
-        int tag;
-        while ((tag = nestedTeeIn.nextPacketTag()) != -1) {
-            LOGGER.debug(OpenPgpPacket.requireFromTag(tag).toString());
-            Packet packet = nestedTeeIn.readPacket();
-        }
-
-        nestedArmorOut.close();
-        LOGGER.debug(nestedOut.toString());
-    }
-}

From bdc968dd430712c80ccbe8aacdbb4411a8a8b9e2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 8 Oct 2022 13:57:53 +0200
Subject: [PATCH 0725/1450] Create TeeBCPGInputStream to move teeing logic out
 of OpenPgpMessageInputStream

---
 .../DelayedTeeInputStreamInputStream.java     |  38 -----
 .../OpenPgpMessageInputStream.java            | 107 +++++---------
 .../TeeBCPGInputStream.java                   | 131 ++++++++++++++++++
 .../automaton/InputAlphabet.java              |   4 +-
 .../automaton/PDA.java                        |  18 +--
 .../OpenPgpMessageInputStreamTest.java        |   3 +-
 .../automaton/PDATest.java                    |  10 +-
 7 files changed, 182 insertions(+), 129 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
deleted file mode 100644
index 5cbabf89..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DelayedTeeInputStreamInputStream.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package org.pgpainless.decryption_verification;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class DelayedTeeInputStreamInputStream extends InputStream {
-
-    private int last = -1;
-    private final InputStream inputStream;
-    private final OutputStream outputStream;
-
-    public DelayedTeeInputStreamInputStream(InputStream inputStream, OutputStream outputStream) {
-        this.inputStream = inputStream;
-        this.outputStream = outputStream;
-    }
-
-    @Override
-    public int read() throws IOException {
-        if (last != -1) {
-            outputStream.write(last);
-        }
-        last = inputStream.read();
-        return last;
-    }
-
-    /**
-     * Squeeze the last byte out and update the output stream.
-     *
-     * @throws IOException in case of an IO error
-     */
-    public void squeeze() throws IOException {
-        if (last != -1) {
-            outputStream.write(last);
-        }
-        last = -1;
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 8d370965..75359de1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -11,7 +11,6 @@ import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
-import java.util.NoSuchElementException;
 import java.util.Stack;
 
 import org.bouncycastle.bcpg.BCPGInputStream;
@@ -57,6 +56,8 @@ import org.pgpainless.util.Tuple;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.annotation.Nonnull;
+
 public class OpenPgpMessageInputStream extends InputStream {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream.class);
@@ -66,16 +67,15 @@ public class OpenPgpMessageInputStream extends InputStream {
     protected final OpenPgpMetadata.Builder resultBuilder;
     // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
     protected final PDA automaton = new PDA();
-    protected final DelayedTeeInputStreamInputStream delayedTee;
-    // InputStream of OpenPGP packets of the current layer
-    protected final BCPGInputStream packetInputStream;
+    // InputStream of OpenPGP packets
+    protected TeeBCPGInputStream packetInputStream;
     // InputStream of a nested data packet
     protected InputStream nestedInputStream;
 
     private boolean closed = false;
 
     private final Signatures signatures;
-    private MessageMetadata.Layer metadata;
+    private final MessageMetadata.Layer metadata;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
@@ -95,9 +95,7 @@ public class OpenPgpMessageInputStream extends InputStream {
             this.signatures.addDetachedSignatures(options.getDetachedSignatures());
         }
 
-        delayedTee = new DelayedTeeInputStreamInputStream(inputStream, signatures);
-        BCPGInputStream bcpg = BCPGInputStream.wrap(delayedTee);
-        this.packetInputStream = bcpg;
+        packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
 
         // *omnomnom*
         consumePackets();
@@ -122,41 +120,36 @@ public class OpenPgpMessageInputStream extends InputStream {
     private void consumePackets()
             throws IOException, PGPException {
         OpenPgpPacket nextPacket;
-        loop: while ((nextPacket = nextPacketTag()) != null) {
+        loop: while ((nextPacket = packetInputStream.nextPacketTag()) != null) {
             signatures.nextPacket(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
                     automaton.next(InputAlphabet.LiteralData);
-                    delayedTee.squeeze();
                     processLiteralData();
                     break loop;
 
                 // Compressed Data - the content contains another OpenPGP message
                 case COMP:
                     automaton.next(InputAlphabet.CompressedData);
-                    signatures.commitNested();
                     processCompressedData();
-                    delayedTee.squeeze();
                     break loop;
 
                 // One Pass Signature
                 case OPS:
-                    automaton.next(InputAlphabet.OnePassSignatures);
+                    automaton.next(InputAlphabet.OnePassSignature);
                     PGPOnePassSignature onePassSignature = readOnePassSignature();
-                    delayedTee.squeeze();
                     signatures.addOnePassSignature(onePassSignature);
                     break;
 
                 // Signature - either prepended to the message, or corresponding to a One Pass Signature
                 case SIG:
+                    // true if Signature corresponds to OnePassSignature
                     boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
-                    automaton.next(InputAlphabet.Signatures);
+                    automaton.next(InputAlphabet.Signature);
 
-                    PGPSignature signature = readSignature();
-                    delayedTee.squeeze();
-                    processSignature(signature, isSigForOPS);
+                    processSignature(isSigForOPS);
 
                     break;
 
@@ -166,7 +159,6 @@ public class OpenPgpMessageInputStream extends InputStream {
                 case SED:
                 case SEIPD:
                     automaton.next(InputAlphabet.EncryptedData);
-                    delayedTee.squeeze();
                     if (processEncryptedData()) {
                         break loop;
                     }
@@ -175,8 +167,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
                     // Marker Packets need to be skipped and ignored
                 case MARKER:
-                    packetInputStream.readPacket(); // skip
-                    delayedTee.squeeze();
+                    packetInputStream.readMarker();
                     break;
 
                 // Key Packets are illegal in this context
@@ -204,26 +195,10 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    private OpenPgpPacket nextPacketTag() throws IOException {
-        int tag = nextTag();
-        if (tag == -1) {
-            log("EOF");
-            return null;
-        }
-        OpenPgpPacket packet;
-        try {
-            packet = OpenPgpPacket.requireFromTag(tag);
-        } catch (NoSuchElementException e) {
-            log("Invalid tag: " + tag);
-            throw e;
-        }
-        log(packet.toString());
-        return packet;
-    }
-
-    private void processSignature(PGPSignature signature, boolean isSigForOPS) {
+    private void processSignature(boolean isSigForOPS) throws PGPException, IOException {
+        PGPSignature signature = readSignature();
         if (isSigForOPS) {
-            signatures.popNested();
+            signatures.leaveNesting(); // TODO: Only leave nesting if all OPSs are dealt with
             signatures.addCorrespondingOnePassSignature(signature);
         } else {
             signatures.addPrependedSignature(signature);
@@ -231,21 +206,22 @@ public class OpenPgpMessageInputStream extends InputStream {
     }
 
     private void processCompressedData() throws IOException, PGPException {
-        PGPCompressedData compressedData = new PGPCompressedData(packetInputStream);
+        signatures.enterNesting();
+        PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
         nestedInputStream = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
     }
 
     private void processLiteralData() throws IOException {
-        PGPLiteralData literalData = new PGPLiteralData(packetInputStream);
+        PGPLiteralData literalData = packetInputStream.readLiteralData();
         this.metadata.setChild(new MessageMetadata.LiteralData(literalData.getFileName(), literalData.getModificationTime(),
                 StreamEncoding.requireFromCode(literalData.getFormat())));
         nestedInputStream = literalData.getDataStream();
     }
 
     private boolean processEncryptedData() throws IOException, PGPException {
-        PGPEncryptedDataList encDataList = new PGPEncryptedDataList(packetInputStream);
+        PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
         if (!encDataList.get(0).isIntegrityProtected()) {
@@ -345,19 +321,6 @@ public class OpenPgpMessageInputStream extends InputStream {
         return false;
     }
 
-    private int nextTag() throws IOException {
-        try {
-            return packetInputStream.nextPacketTag();
-        } catch (IOException e) {
-            if ("Stream closed".equals(e.getMessage())) {
-                // ZipInflater Streams sometimes close under our feet -.-
-                // Therefore we catch resulting IOEs and return -1 instead.
-                return -1;
-            }
-            throw e;
-        }
-    }
-
     private List> findPotentialDecryptionKeys(PGPPublicKeyEncryptedData pkesk) {
         int algorithm = pkesk.getAlgorithm();
         List> decryptionKeyCandidates = new ArrayList<>();
@@ -387,12 +350,12 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private PGPOnePassSignature readOnePassSignature()
             throws PGPException, IOException {
-        return new PGPOnePassSignature(packetInputStream);
+        return packetInputStream.readOnePassSignature();
     }
 
     private PGPSignature readSignature()
             throws PGPException, IOException {
-        return new PGPSignature(packetInputStream);
+        return packetInputStream.readSignature();
     }
 
     @Override
@@ -428,7 +391,7 @@ public class OpenPgpMessageInputStream extends InputStream {
     }
 
     @Override
-    public int read(byte[] b, int off, int len)
+    public int read(@Nonnull byte[] b, int off, int len)
             throws IOException {
 
         if (nestedInputStream == null) {
@@ -482,8 +445,7 @@ public class OpenPgpMessageInputStream extends InputStream {
     private void collectMetadata() {
         if (nestedInputStream instanceof OpenPgpMessageInputStream) {
             OpenPgpMessageInputStream child = (OpenPgpMessageInputStream) nestedInputStream;
-            MessageMetadata.Layer childLayer = child.metadata;
-            this.metadata.setChild((MessageMetadata.Nested) childLayer);
+            this.metadata.setChild((MessageMetadata.Nested) child.metadata);
         }
     }
 
@@ -496,9 +458,9 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private static class SortedESKs {
 
-        private List skesks = new ArrayList<>();
-        private List pkesks = new ArrayList<>();
-        private List anonPkesks = new ArrayList<>();
+        private final List skesks = new ArrayList<>();
+        private final List pkesks = new ArrayList<>();
+        private final List anonPkesks = new ArrayList<>();
 
         SortedESKs(PGPEncryptedDataList esks) {
             for (PGPEncryptedData esk : esks) {
@@ -526,11 +488,10 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
-    // TODO: In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
-    //  In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
-    //  Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
-    //  For this we might want to provide two update entries into the Signatures class, one for OpenPGP packets and one
-    //  for literal data. UUUUUGLY!!!!
+    // In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
+    // In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
+    // Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
+    // Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
         final List detachedSignatures;
@@ -578,7 +539,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
             literalOPS.add(ops);
             if (signature.isContaining()) {
-                commitNested();
+                enterNesting();
             }
         }
 
@@ -599,12 +560,12 @@ public class OpenPgpMessageInputStream extends InputStream {
             }
         }
 
-        void commitNested() {
+        void enterNesting() {
             opsUpdateStack.push(literalOPS);
             literalOPS = new ArrayList<>();
         }
 
-        void popNested() {
+        void leaveNesting() {
             if (opsUpdateStack.isEmpty()) {
                 return;
             }
@@ -722,7 +683,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
 
         @Override
-        public void write(byte[] b, int off, int len) {
+        public void write(@Nonnull byte[] b, int off, int len) {
             updatePacket(b, off, len);
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
new file mode 100644
index 00000000..f80793f0
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -0,0 +1,131 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.MarkerPacket;
+import org.bouncycastle.bcpg.Packet;
+import org.bouncycastle.openpgp.PGPCompressedData;
+import org.bouncycastle.openpgp.PGPEncryptedDataList;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPOnePassSignature;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.algorithm.OpenPgpPacket;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.NoSuchElementException;
+
+/**
+ * Since we need to update signatures with data from the underlying stream, this class is used to tee out the data.
+ * Unfortunately we cannot simply override {@link BCPGInputStream#read()} to tee the data out though, since
+ * {@link BCPGInputStream#readPacket()} inconsistently calls a mix of {@link BCPGInputStream#read()} and
+ * {@link InputStream#read()} of the underlying stream. This would cause the second length byte to get swallowed up.
+ *
+ * Therefore, this class delegates the teeing to an {@link DelayedTeeInputStreamInputStream} which wraps the underlying
+ * stream. Since calling {@link BCPGInputStream#nextPacketTag()} reads up to and including the next packets tag,
+ * we need to delay teeing out that byte to signature verifiers.
+ * Hence, the reading methods of the {@link TeeBCPGInputStream} handle pushing this byte to the output stream using
+ * {@link DelayedTeeInputStreamInputStream#squeeze()}.
+ */
+public class TeeBCPGInputStream {
+
+    protected final DelayedTeeInputStreamInputStream delayedTee;
+    // InputStream of OpenPGP packets of the current layer
+    protected final BCPGInputStream packetInputStream;
+
+    public TeeBCPGInputStream(BCPGInputStream inputStream, OutputStream outputStream) {
+        this.delayedTee = new DelayedTeeInputStreamInputStream(inputStream, outputStream);
+        this.packetInputStream = BCPGInputStream.wrap(delayedTee);
+    }
+
+    public OpenPgpPacket nextPacketTag() throws IOException {
+        int tag = packetInputStream.nextPacketTag();
+        if (tag == -1) {
+            return null;
+        }
+
+        OpenPgpPacket packet;
+        try {
+            packet = OpenPgpPacket.requireFromTag(tag);
+        } catch (NoSuchElementException e) {
+            throw e;
+        }
+        return packet;
+    }
+
+    public Packet readPacket() throws IOException {
+        return packetInputStream.readPacket();
+    }
+
+    public PGPCompressedData readCompressedData() throws IOException {
+        delayedTee.squeeze();
+        PGPCompressedData compressedData = new PGPCompressedData(packetInputStream);
+        return compressedData;
+    }
+
+    public PGPLiteralData readLiteralData() throws IOException {
+        delayedTee.squeeze();
+        return new PGPLiteralData(packetInputStream);
+    }
+
+    public PGPEncryptedDataList readEncryptedDataList() throws IOException {
+        delayedTee.squeeze();
+        return new PGPEncryptedDataList(packetInputStream);
+    }
+
+    public PGPOnePassSignature readOnePassSignature() throws PGPException, IOException {
+        PGPOnePassSignature onePassSignature = new PGPOnePassSignature(packetInputStream);
+        delayedTee.squeeze();
+        return onePassSignature;
+    }
+
+    public PGPSignature readSignature() throws PGPException, IOException {
+        PGPSignature signature = new PGPSignature(packetInputStream);
+        delayedTee.squeeze();
+        return signature;
+    }
+
+    public MarkerPacket readMarker() throws IOException {
+        MarkerPacket markerPacket = (MarkerPacket) readPacket();
+        delayedTee.squeeze();
+        return markerPacket;
+    }
+
+    public static class DelayedTeeInputStreamInputStream extends InputStream {
+
+        private int last = -1;
+        private final InputStream inputStream;
+        private final OutputStream outputStream;
+
+        public DelayedTeeInputStreamInputStream(InputStream inputStream, OutputStream outputStream) {
+            this.inputStream = inputStream;
+            this.outputStream = outputStream;
+        }
+
+        @Override
+        public int read() throws IOException {
+            if (last != -1) {
+                outputStream.write(last);
+            }
+            last = inputStream.read();
+            return last;
+        }
+
+        /**
+         * Squeeze the last byte out and update the output stream.
+         *
+         * @throws IOException in case of an IO error
+         */
+        public void squeeze() throws IOException {
+            if (last != -1) {
+                outputStream.write(last);
+            }
+            last = -1;
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
index 8e795f5b..ad2a8c55 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
@@ -18,11 +18,11 @@ public enum InputAlphabet {
     /**
      * A {@link PGPSignatureList} object.
      */
-    Signatures,
+    Signature,
     /**
      * A {@link PGPOnePassSignatureList} object.
      */
-    OnePassSignatures,
+    OnePassSignature,
     /**
      * A {@link PGPCompressedData} packet.
      * The contents of this packet MUST form a valid OpenPGP message, so a nested PDA is opened to verify
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index 1d4b1189..156dc2ed 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -35,11 +35,11 @@ public class PDA {
                     case LiteralData:
                         return LiteralMessage;
 
-                    case Signatures:
+                    case Signature:
                         automaton.pushStack(msg);
                         return OpenPgpMessage;
 
-                    case OnePassSignatures:
+                    case OnePassSignature:
                         automaton.pushStack(ops);
                         automaton.pushStack(msg);
                         return OpenPgpMessage;
@@ -63,7 +63,7 @@ public class PDA {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
 
-                    case Signatures:
+                    case Signature:
                         if (stackItem == ops) {
                             return CorrespondingSignature;
                         } else {
@@ -78,7 +78,7 @@ public class PDA {
                         }
 
                     case LiteralData:
-                    case OnePassSignatures:
+                    case OnePassSignature:
                     case CompressedData:
                     case EncryptedData:
                     default:
@@ -92,7 +92,7 @@ public class PDA {
             State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
-                    case Signatures:
+                    case Signature:
                         if (stackItem == ops) {
                             return CorrespondingSignature;
                         } else {
@@ -107,7 +107,7 @@ public class PDA {
                         }
 
                     case LiteralData:
-                    case OnePassSignatures:
+                    case OnePassSignature:
                     case CompressedData:
                     case EncryptedData:
                     default:
@@ -121,7 +121,7 @@ public class PDA {
             State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
                 StackAlphabet stackItem = automaton.popStack();
                 switch (input) {
-                    case Signatures:
+                    case Signature:
                         if (stackItem == ops) {
                             return CorrespondingSignature;
                         } else {
@@ -136,7 +136,7 @@ public class PDA {
                         }
 
                     case LiteralData:
-                    case OnePassSignatures:
+                    case OnePassSignature:
                     case CompressedData:
                     case EncryptedData:
                     default:
@@ -156,7 +156,7 @@ public class PDA {
                         // premature end of stream
                         throw new MalformedOpenPgpMessageException(this, input, stackItem);
                     }
-                } else if (input == InputAlphabet.Signatures) {
+                } else if (input == InputAlphabet.Signature) {
                     if (stackItem == ops) {
                         return CorrespondingSignature;
                     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 46c521ef..1955eebe 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -49,7 +49,6 @@ import org.pgpainless.util.Tuple;
 
 public class OpenPgpMessageInputStreamTest {
 
-
     public static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +
             "Comment: DA05 848F 37D4 68E6 F982  C889 7A70 1FC6 904D 3F4C\n" +
@@ -241,7 +240,7 @@ public class OpenPgpMessageInputStreamTest {
                 System.out);
     }
 
-    public static void genSIG_LIT() throws PGPException, IOException {
+    public static void genSIG_COMP_LIT() throws PGPException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
         ByteArrayOutputStream msgOut = new ByteArrayOutputStream();
         EncryptionStream signer = PGPainless.encryptAndOrSign()
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
index 6e8a38d6..6dbb2cd6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
@@ -30,9 +30,9 @@ public class PDATest {
     @Test
     public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
         PDA automaton = new PDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.OnePassSignature);
         automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.Signature);
         automaton.next(InputAlphabet.EndOfSequence);
 
         assertTrue(automaton.isValid());
@@ -47,7 +47,7 @@ public class PDATest {
     @Test
     public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
         PDA automaton = new PDA();
-        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.Signature);
         automaton.next(InputAlphabet.LiteralData);
         automaton.next(InputAlphabet.EndOfSequence);
 
@@ -63,10 +63,10 @@ public class PDATest {
     @Test
     public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
         PDA automaton = new PDA();
-        automaton.next(InputAlphabet.OnePassSignatures);
+        automaton.next(InputAlphabet.OnePassSignature);
         automaton.next(InputAlphabet.CompressedData);
         // Here would be a nested PDA for the LiteralData packet
-        automaton.next(InputAlphabet.Signatures);
+        automaton.next(InputAlphabet.Signature);
         automaton.next(InputAlphabet.EndOfSequence);
 
         assertTrue(automaton.isValid());

From 43c369f1f9314c16190796e0fbf8277512248021 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 16 Oct 2022 15:47:47 +0200
Subject: [PATCH 0726/1450] It was the buffering.

---
 .../DecryptionBuilderInterface.java           |   2 +-
 .../DecryptionStream.java                     |  60 +------
 .../DecryptionStreamFactory.java              |  33 +++-
 .../DecryptionStreamImpl.java                 |  65 +++++++
 .../MessageMetadata.java                      |  22 +++
 .../OpenPgpMessageInputStream.java            | 166 ++++++++++++++----
 ...vestigateMultiSEIPMessageHandlingTest.java |  17 +-
 ...ntDecryptionUsingNonEncryptionKeyTest.java |   4 +-
 8 files changed, 256 insertions(+), 113 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
index 07db42f0..b35911de 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
@@ -13,7 +13,7 @@ import org.bouncycastle.openpgp.PGPException;
 public interface DecryptionBuilderInterface {
 
     /**
-     * Create a {@link DecryptionStream} on an {@link InputStream} which contains the encrypted and/or signed data.
+     * Create a {@link DecryptionStreamImpl} on an {@link InputStream} which contains the encrypted and/or signed data.
      *
      * @param inputStream encrypted and/or signed data.
      * @return api handle
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
index e3f1e720..c531f487 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
@@ -1,65 +1,9 @@
-// SPDX-FileCopyrightText: 2018 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
 package org.pgpainless.decryption_verification;
 
-import java.io.IOException;
-import java.io.InputStream;
 import javax.annotation.Nonnull;
 
-import org.bouncycastle.util.io.Streams;
-
-/**
- * Decryption Stream that handles updating and verification of detached signatures,
- * as well as verification of integrity-protected input streams once the stream gets closed.
- */
-public class DecryptionStream extends CloseForResultInputStream {
-
-    private final InputStream inputStream;
-    private final IntegrityProtectedInputStream integrityProtectedInputStream;
-    private final InputStream armorStream;
-
-    /**
-     * Create an input stream that handles decryption and - if necessary - integrity protection verification.
-     *
-     * @param wrapped underlying input stream
-     * @param resultBuilder builder for decryption metadata like algorithms, recipients etc.
-     * @param integrityProtectedInputStream in case of data encrypted using SEIP packet close this stream to check integrity
-     * @param armorStream armor stream to verify CRC checksums
-     */
-    DecryptionStream(@Nonnull InputStream wrapped,
-                     @Nonnull OpenPgpMetadata.Builder resultBuilder,
-                     IntegrityProtectedInputStream integrityProtectedInputStream,
-                     InputStream armorStream) {
+public abstract class DecryptionStream extends CloseForResultInputStream {
+    public DecryptionStream(@Nonnull OpenPgpMetadata.Builder resultBuilder) {
         super(resultBuilder);
-        this.inputStream = wrapped;
-        this.integrityProtectedInputStream = integrityProtectedInputStream;
-        this.armorStream = armorStream;
     }
-
-    @Override
-    public void close() throws IOException {
-        if (armorStream != null) {
-            Streams.drain(armorStream);
-        }
-        inputStream.close();
-        if (integrityProtectedInputStream != null) {
-            integrityProtectedInputStream.close();
-        }
-        super.close();
-    }
-
-    @Override
-    public int read() throws IOException {
-        int r = inputStream.read();
-        return r;
-    }
-
-    @Override
-    public int read(@Nonnull byte[] bytes, int offset, int length) throws IOException {
-        int read = inputStream.read(bytes, offset, length);
-        return read;
-    }
-
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 07be7c10..680f33e4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -40,6 +40,7 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
+import org.graalvm.compiler.lir.amd64.AMD64BinaryConsumer;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
@@ -88,8 +89,28 @@ public final class DecryptionStreamFactory {
 
 
     public static DecryptionStream create(@Nonnull InputStream inputStream,
-                                          @Nonnull ConsumerOptions options)
+                                              @Nonnull ConsumerOptions options)
             throws PGPException, IOException {
+        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(inputStream);
+        openPgpInputStream.reset();
+        if (openPgpInputStream.isBinaryOpenPgp()) {
+            return new OpenPgpMessageInputStream(openPgpInputStream, options);
+        } else if (openPgpInputStream.isAsciiArmored()) {
+            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpInputStream);
+            if (armorIn.isClearText()) {
+                return createOld(openPgpInputStream, options);
+            } else {
+                return new OpenPgpMessageInputStream(armorIn, options);
+            }
+        } else if (openPgpInputStream.isNonOpenPgp()) {
+            return createOld(openPgpInputStream, options);
+        } else {
+            throw new IOException("What?");
+        }
+    }
+
+    public static DecryptionStream createOld(@Nonnull InputStream inputStream,
+                                             @Nonnull ConsumerOptions options) throws IOException, PGPException {
         DecryptionStreamFactory factory = new DecryptionStreamFactory(options);
         OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
         return factory.parseOpenPGPDataAndCreateDecryptionStream(openPgpIn);
@@ -136,7 +157,7 @@ public final class DecryptionStreamFactory {
         if (openPgpIn.isNonOpenPgp() || options.isForceNonOpenPgpData()) {
             outerDecodingStream = openPgpIn;
             pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
-            return new DecryptionStream(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
+            return new DecryptionStreamImpl(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
         }
 
         // Data appears to be OpenPGP message,
@@ -147,7 +168,7 @@ public final class DecryptionStreamFactory {
             objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
             // Parse OpenPGP message
             pgpInStream = processPGPPackets(objectFactory, 1);
-            return new DecryptionStream(pgpInStream,
+            return new DecryptionStreamImpl(pgpInStream,
                     resultBuilder, integrityProtectedEncryptedInputStream, null);
         }
 
@@ -161,7 +182,7 @@ public final class DecryptionStreamFactory {
                 objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
                 // Parse OpenPGP message
                 pgpInStream = processPGPPackets(objectFactory, 1);
-                return new DecryptionStream(pgpInStream,
+                return new DecryptionStreamImpl(pgpInStream,
                         resultBuilder, integrityProtectedEncryptedInputStream,
                         outerDecodingStream);
             }
@@ -170,7 +191,7 @@ public final class DecryptionStreamFactory {
         throw new PGPException("Not sure how to handle the input stream.");
     }
 
-    private DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn)
+    private DecryptionStreamImpl parseCleartextSignedMessage(ArmoredInputStream armorIn)
             throws IOException, PGPException {
         resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
                 .setFileEncoding(StreamEncoding.TEXT);
@@ -185,7 +206,7 @@ public final class DecryptionStreamFactory {
         initializeDetachedSignatures(options.getDetachedSignatures());
 
         InputStream verifyIn = wrapInVerifySignatureStream(multiPassStrategy.getMessageInputStream(), null);
-        return new DecryptionStream(verifyIn, resultBuilder, integrityProtectedEncryptedInputStream,
+        return new DecryptionStreamImpl(verifyIn, resultBuilder, integrityProtectedEncryptedInputStream,
                 null);
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java
new file mode 100644
index 00000000..27ace697
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java
@@ -0,0 +1,65 @@
+// SPDX-FileCopyrightText: 2018 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import java.io.IOException;
+import java.io.InputStream;
+import javax.annotation.Nonnull;
+
+import org.bouncycastle.util.io.Streams;
+
+/**
+ * Decryption Stream that handles updating and verification of detached signatures,
+ * as well as verification of integrity-protected input streams once the stream gets closed.
+ */
+public class DecryptionStreamImpl extends DecryptionStream {
+
+    private final InputStream inputStream;
+    private final IntegrityProtectedInputStream integrityProtectedInputStream;
+    private final InputStream armorStream;
+
+    /**
+     * Create an input stream that handles decryption and - if necessary - integrity protection verification.
+     *
+     * @param wrapped underlying input stream
+     * @param resultBuilder builder for decryption metadata like algorithms, recipients etc.
+     * @param integrityProtectedInputStream in case of data encrypted using SEIP packet close this stream to check integrity
+     * @param armorStream armor stream to verify CRC checksums
+     */
+    DecryptionStreamImpl(@Nonnull InputStream wrapped,
+                         @Nonnull OpenPgpMetadata.Builder resultBuilder,
+                         IntegrityProtectedInputStream integrityProtectedInputStream,
+                         InputStream armorStream) {
+        super(resultBuilder);
+        this.inputStream = wrapped;
+        this.integrityProtectedInputStream = integrityProtectedInputStream;
+        this.armorStream = armorStream;
+    }
+
+    @Override
+    public void close() throws IOException {
+        if (armorStream != null) {
+            Streams.drain(armorStream);
+        }
+        inputStream.close();
+        if (integrityProtectedInputStream != null) {
+            integrityProtectedInputStream.close();
+        }
+        super.close();
+    }
+
+    @Override
+    public int read() throws IOException {
+        int r = inputStream.read();
+        return r;
+    }
+
+    @Override
+    public int read(@Nonnull byte[] bytes, int offset, int length) throws IOException {
+        int read = inputStream.read(bytes, offset, length);
+        return read;
+    }
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index cbf251a8..87f6d7f6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -69,6 +69,28 @@ public class MessageMetadata {
         };
     }
 
+    public @Nullable SessionKey getSessionKey() {
+        Iterator sessionKeys = getSessionKeys();
+        if (sessionKeys.hasNext()) {
+            return sessionKeys.next();
+        }
+        return null;
+    }
+
+    public @Nonnull Iterator getSessionKeys() {
+        return new LayerIterator(message) {
+            @Override
+            boolean matches(Nested layer) {
+                return layer instanceof EncryptedData;
+            }
+
+            @Override
+            SessionKey getProperty(Layer last) {
+                return ((EncryptedData) last).getSessionKey();
+            }
+        };
+    }
+
     public String getFilename() {
         return findLiteralData().getFileName();
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 75359de1..7e34d329 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.decryption_verification;
 
+import java.io.BufferedInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -12,6 +13,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Stack;
+import javax.annotation.Nonnull;
 
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.openpgp.PGPCompressedData;
@@ -28,7 +30,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
@@ -46,25 +47,27 @@ import org.pgpainless.decryption_verification.automaton.StackAlphabet;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
+import org.pgpainless.exception.SignatureValidationException;
+import org.pgpainless.exception.UnacceptableAlgorithmException;
 import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.SessionKey;
 import org.pgpainless.util.Tuple;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.annotation.Nonnull;
-
-public class OpenPgpMessageInputStream extends InputStream {
+public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OpenPgpMessageInputStream.class);
 
     // Options to consume the data
     protected final ConsumerOptions options;
-    protected final OpenPgpMetadata.Builder resultBuilder;
     // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
     protected final PDA automaton = new PDA();
     // InputStream of OpenPGP packets
@@ -76,6 +79,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     private final Signatures signatures;
     private final MessageMetadata.Layer metadata;
+    private final Policy policy;
 
     public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
             throws IOException, PGPException {
@@ -84,10 +88,11 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, MessageMetadata.Layer metadata)
             throws PGPException, IOException {
+        super(OpenPgpMetadata.getBuilder());
 
+        this.policy = PGPainless.getPolicy();
         this.options = options;
         this.metadata = metadata;
-        this.resultBuilder = OpenPgpMetadata.getBuilder();
         this.signatures = new Signatures(options);
 
         // Add detached signatures only on the outermost OpenPgpMessageInputStream
@@ -210,7 +215,8 @@ public class OpenPgpMessageInputStream extends InputStream {
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
-        nestedInputStream = new OpenPgpMessageInputStream(compressedData.getDataStream(), options, compressionLayer);
+        InputStream decompressed = compressedData.getDataStream();
+        nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer);
     }
 
     private void processLiteralData() throws IOException {
@@ -232,19 +238,25 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         // Try session key
         if (options.getSessionKey() != null) {
+            SessionKey sessionKey = options.getSessionKey();
+            if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(sessionKey.getAlgorithm())) {
+                throw new UnacceptableAlgorithmException("Symmetric algorithm " + sessionKey.getAlgorithm() + " is not acceptable.");
+            }
             SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                    .getSessionKeyDataDecryptorFactory(options.getSessionKey());
+                    .getSessionKeyDataDecryptorFactory(sessionKey);
             // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
             PGPEncryptedData esk = esks.all().get(0);
             try {
-                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(options.getSessionKey().getAlgorithm());
+                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
-                    nestedInputStream = new OpenPgpMessageInputStream(skesk.getDataStream(decryptorFactory), options, encryptedData);
+                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
-                    nestedInputStream = new OpenPgpMessageInputStream(pkesk.getDataStream(decryptorFactory), options, encryptedData);
+                    InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
@@ -263,7 +275,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(skesk.getSymmetricAlgorithm(decryptorFactory)));
-                    nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // password mismatch? Try next password
@@ -286,14 +298,20 @@ public class OpenPgpMessageInputStream extends InputStream {
             PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getPublicKeyDataDecryptorFactory(privateKey);
             try {
+                SymmetricKeyAlgorithm symAlg = SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory));
+                if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(symAlg)) {
+                    throw new UnacceptableAlgorithmException("Symmetric-key algorithm " + symAlg + " is not acceptable.");
+                }
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
 
-                nestedInputStream = new OpenPgpMessageInputStream(PGPUtil.getDecoderStream(decrypted), options, encryptedData);
+                nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
                 return true;
             } catch (PGPException e) {
-                // hm :/
+                if (e instanceof UnacceptableAlgorithmException) {
+                    throw e;
+                }
             }
         }
 
@@ -309,7 +327,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
-                    nestedInputStream = new OpenPgpMessageInputStream(decrypted, options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
                     return true;
                 } catch (PGPException e) {
                     // hm :/
@@ -321,6 +339,10 @@ public class OpenPgpMessageInputStream extends InputStream {
         return false;
     }
 
+    private static InputStream buffer(InputStream inputStream) {
+        return new BufferedInputStream(inputStream);
+    }
+
     private List> findPotentialDecryptionKeys(PGPPublicKeyEncryptedData pkesk) {
         int algorithm = pkesk.getAlgorithm();
         List> decryptionKeyCandidates = new ArrayList<>();
@@ -420,6 +442,7 @@ public class OpenPgpMessageInputStream extends InputStream {
 
     @Override
     public void close() throws IOException {
+        super.close();
         if (closed) {
             automaton.assertValid();
             return;
@@ -502,6 +525,8 @@ public class OpenPgpMessageInputStream extends InputStream {
         final List correspondingSignatures;
         boolean isLiteral = true;
 
+        final List verified = new ArrayList<>();
+
         private Signatures(ConsumerOptions options) {
             this.options = options;
             this.detachedSignatures = new ArrayList<>();
@@ -521,19 +546,19 @@ public class OpenPgpMessageInputStream extends InputStream {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.detachedSignatures.add(new SIG(signature));
+            this.detachedSignatures.add(new SIG(signature, certificate, keyId));
         }
 
         void addPrependedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.prependedSignatures.add(new SIG(signature));
+            this.prependedSignatures.add(new SIG(signature, certificate, keyId));
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
-            OPS ops = new OPS(signature);
+            OPS ops = new OPS(signature, certificate, signature.getKeyID());
             ops.init(certificate);
             onePassSignatures.add(ops);
 
@@ -546,7 +571,7 @@ public class OpenPgpMessageInputStream extends InputStream {
         void addCorrespondingOnePassSignature(PGPSignature signature) {
             for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
                 OPS onePassSignature = onePassSignatures.get(i);
-                if (onePassSignature.signature.getKeyID() != signature.getKeyID()) {
+                if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) {
                     continue;
                 }
                 if (onePassSignature.finished) {
@@ -554,8 +579,8 @@ public class OpenPgpMessageInputStream extends InputStream {
                 }
 
                 boolean verified = onePassSignature.verify(signature);
-                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                System.out.println(onePassSignature);
+                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.opSignature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
+                log(onePassSignature.toString());
                 break;
             }
         }
@@ -666,14 +691,20 @@ public class OpenPgpMessageInputStream extends InputStream {
         public void finish() {
             for (SIG detached : detachedSignatures) {
                 boolean verified = detached.verify();
+                if (verified) {
+                    this.verified.add(detached.signature);
+                }
                 log("Detached Signature by " + Long.toHexString(detached.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                System.out.println(detached);
+                log(detached.toString());
             }
 
             for (SIG prepended : prependedSignatures) {
                 boolean verified = prepended.verify();
+                if (verified) {
+                    this.verified.add(prepended.signature);
+                }
                 log("Prepended Signature by " + Long.toHexString(prepended.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                System.out.println(prepended);
+                log(prepended.toString());
             }
         }
 
@@ -701,11 +732,15 @@ public class OpenPgpMessageInputStream extends InputStream {
         static class SIG {
             ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             PGPSignature signature;
+            PGPPublicKeyRing certificate;
+            long keyId;
             boolean finished;
             boolean valid;
 
-            public SIG(PGPSignature signature) {
+            public SIG(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
                 this.signature = signature;
+                this.certificate = certificate;
+                this.keyId = keyId;
             }
 
             public void init(PGPPublicKeyRing certificate) {
@@ -713,6 +748,9 @@ public class OpenPgpMessageInputStream extends InputStream {
             }
 
             public boolean verify() {
+                if (finished) {
+                    throw new IllegalStateException("Already finished.");
+                }
                 finished = true;
                 try {
                     valid = this.signature.verify();
@@ -780,26 +818,32 @@ public class OpenPgpMessageInputStream extends InputStream {
 
         static class OPS {
             ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-            PGPOnePassSignature signature;
+            PGPOnePassSignature opSignature;
+            PGPSignature signature;
+            PGPPublicKeyRing certificate;
+            long keyId;
             boolean finished;
             boolean valid;
 
-            public OPS(PGPOnePassSignature signature) {
-                this.signature = signature;
+            public OPS(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
+                this.opSignature = signature;
+                this.certificate = certificate;
+                this.keyId = keyId;
             }
 
             public void init(PGPPublicKeyRing certificate) {
-                initialize(signature, certificate);
+                initialize(opSignature, certificate);
             }
 
             public boolean verify(PGPSignature signature) {
-                if (this.signature.getKeyID() != signature.getKeyID()) {
+                if (this.opSignature.getKeyID() != signature.getKeyID()) {
                     // nope
                     return false;
                 }
+                this.signature = signature;
                 finished = true;
                 try {
-                    valid = this.signature.verify(signature);
+                    valid = this.opSignature.verify(signature);
                 } catch (PGPException e) {
                     log("Cannot verify OPS " + signature.getKeyID());
                 }
@@ -811,7 +855,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     log("Updating finished sig!");
                     return;
                 }
-                signature.update(b);
+                opSignature.update(b);
                 bytes.write(b);
             }
 
@@ -820,7 +864,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                     log("Updating finished sig!");
                     return;
                 }
-                signature.update(bytes, off, len);
+                opSignature.update(bytes, off, len);
                 this.bytes.write(bytes, off, len);
             }
 
@@ -833,7 +877,7 @@ public class OpenPgpMessageInputStream extends InputStream {
                 String SIG1f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
                 String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
                 String SIG2f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                String out = "last=" + signature.isContaining() + "\n";
+                String out = "last=" + opSignature.isContaining() + "\n";
 
                 String hex = Hex.toHexString(bytes.toByteArray());
                 while (hex.contains(OPS)) {
@@ -863,10 +907,64 @@ public class OpenPgpMessageInputStream extends InputStream {
         }
     }
 
+    @Override
+    public OpenPgpMetadata getResult() {
+        MessageMetadata m = getMetadata();
+        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
+        resultBuilder.setModificationDate(m.getModificationDate());
+        resultBuilder.setFileName(m.getFilename());
+        resultBuilder.setFileEncoding(m.getFormat());
+        resultBuilder.setSessionKey(m.getSessionKey());
+
+        for (Signatures.OPS ops : signatures.onePassSignatures) {
+            if (!ops.finished) {
+                continue;
+            }
+
+            SubkeyIdentifier identifier = new SubkeyIdentifier(ops.certificate, ops.keyId);
+            SignatureVerification verification = new SignatureVerification(ops.signature, identifier);
+            if (ops.valid) {
+                resultBuilder.addVerifiedInbandSignature(verification);
+            } else {
+                resultBuilder.addInvalidInbandSignature(verification, new SignatureValidationException("Incorrect signature."));
+            }
+        }
+
+        for (Signatures.SIG prep : signatures.prependedSignatures) {
+            if (!prep.finished) {
+                continue;
+            }
+
+            SubkeyIdentifier identifier = new SubkeyIdentifier(prep.certificate, prep.keyId);
+            SignatureVerification verification = new SignatureVerification(prep.signature, identifier);
+            if (prep.valid) {
+                resultBuilder.addVerifiedInbandSignature(verification);
+            } else {
+                resultBuilder.addInvalidInbandSignature(verification, new SignatureValidationException("Incorrect signature."));
+            }
+        }
+
+        for (Signatures.SIG det : signatures.detachedSignatures) {
+            if (!det.finished) {
+                continue;
+            }
+
+            SubkeyIdentifier identifier = new SubkeyIdentifier(det.certificate, det.keyId);
+            SignatureVerification verification = new SignatureVerification(det.signature, identifier);
+            if (det.valid) {
+                resultBuilder.addVerifiedDetachedSignature(verification);
+            } else {
+                resultBuilder.addInvalidDetachedSignature(verification, new SignatureValidationException("Incorrect signature."));
+            }
+        }
+
+        return resultBuilder.build();
+    }
+
     static void log(String message) {
         LOGGER.debug(message);
         // CHECKSTYLE:OFF
-        System.out.println(message);
+        // System.out.println(message);
         // CHECKSTYLE:ON
     }
 
diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
index 3350203a..d31a0e0f 100644
--- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
+++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
@@ -6,6 +6,7 @@ package investigations;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -32,9 +33,8 @@ import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.util.Passphrase;
@@ -177,7 +177,7 @@ public class InvestigateMultiSEIPMessageHandlingTest {
     }
 
     @Test
-    public void testDecryptAndVerifyDoesIgnoreAppendedSEIPData() throws IOException, PGPException {
+    public void testDecryptAndVerifyDetectsAppendedSEIPData() throws IOException, PGPException {
         PGPSecretKeyRing ring1 = PGPainless.readKeyRing().secretKeyRing(KEY1);
         PGPSecretKeyRing ring2 = PGPainless.readKeyRing().secretKeyRing(KEY2);
 
@@ -191,15 +191,6 @@ public class InvestigateMultiSEIPMessageHandlingTest {
                 .withOptions(options);
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, out);
-        decryptionStream.close();
-
-        assertArrayEquals(data1.getBytes(StandardCharsets.UTF_8), out.toByteArray());
-        OpenPgpMetadata metadata = decryptionStream.getResult();
-        assertEquals(1, metadata.getVerifiedSignatures().size(),
-                "The first SEIP packet is signed exactly only by the signing key of ring1.");
-        assertEquals(
-                new SubkeyIdentifier(ring1, new KeyRingInfo(ring1).getSigningSubkeys().get(0).getKeyID()),
-                metadata.getVerifiedSignatures().keySet().iterator().next());
+        assertThrows(MalformedOpenPgpMessageException.class, () -> Streams.pipeAll(decryptionStream, out));
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
index 851a1bef..7474301b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
@@ -8,6 +8,8 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.EOFException;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 
@@ -185,7 +187,7 @@ public class PreventDecryptionUsingNonEncryptionKeyTest {
         decryptionStream.close();
         OpenPgpMetadata metadata = decryptionStream.getResult();
 
-        assertEquals(metadata.getDecryptionKey(), new SubkeyIdentifier(secretKeys, secretKeys.getPublicKey().getKeyID()));
+        assertEquals(new SubkeyIdentifier(secretKeys, secretKeys.getPublicKey().getKeyID()), metadata.getDecryptionKey());
     }
 
     @Test

From a9f77ea10019ca3889198d4dc3f1253aa3e81073 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 16 Oct 2022 18:15:31 +0200
Subject: [PATCH 0727/1450] Cleaning up and collect signature verifications

---
 .../MessageMetadata.java                      |  85 +++-
 .../OpenPgpMessageInputStream.java            | 375 ++++++++----------
 .../OpenPgpMessageInputStreamTest.java        |  19 +
 3 files changed, 262 insertions(+), 217 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 87f6d7f6..bb2f5c76 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -91,6 +91,62 @@ public class MessageMetadata {
         };
     }
 
+    public @Nonnull List getVerifiedSignatures() {
+        List verifications = new ArrayList<>();
+        Iterator> verificationsByLayer = getVerifiedSignaturesByLayer();
+        while (verificationsByLayer.hasNext()) {
+            verifications.addAll(verificationsByLayer.next());
+        }
+        return verifications;
+    }
+
+    public @Nonnull Iterator> getVerifiedSignaturesByLayer() {
+        return new LayerIterator>(message) {
+            @Override
+            boolean matches(Nested layer) {
+                return layer instanceof Layer;
+            }
+
+            @Override
+            boolean matches(Layer layer) {
+                return true;
+            }
+
+            @Override
+            List getProperty(Layer last) {
+                return new ArrayList<>(last.getVerifiedSignatures());
+            }
+        };
+    }
+
+    public @Nonnull List getRejectedSignatures() {
+        List rejected = new ArrayList<>();
+        Iterator> rejectedByLayer = getRejectedSignaturesByLayer();
+        while (rejectedByLayer.hasNext()) {
+            rejected.addAll(rejectedByLayer.next());
+        }
+        return rejected;
+    }
+
+    public @Nonnull Iterator> getRejectedSignaturesByLayer() {
+        return new LayerIterator>(message) {
+            @Override
+            boolean matches(Nested layer) {
+                return layer instanceof Layer;
+            }
+
+            @Override
+            boolean matches(Layer layer) {
+                return true;
+            }
+
+            @Override
+            List getProperty(Layer last) {
+                return new ArrayList<>(last.getFailedSignatures());
+            }
+        };
+    }
+
     public String getFilename() {
         return findLiteralData().getFileName();
     }
@@ -132,6 +188,14 @@ public class MessageMetadata {
         public List getFailedSignatures() {
             return new ArrayList<>(failedSignatures);
         }
+
+        void addVerifiedSignature(SignatureVerification signatureVerification) {
+            verifiedSignatures.add(signatureVerification);
+        }
+
+        void addFailedSignature(SignatureVerification.Failure failure) {
+            failedSignatures.add(failure);
+        }
     }
 
     public interface Nested {
@@ -223,9 +287,11 @@ public class MessageMetadata {
     private abstract static class LayerIterator implements Iterator {
         private Nested current;
         Layer last = null;
+        Message parent;
 
         LayerIterator(Message message) {
             super();
+            this.parent = message;
             this.current = message.child;
             if (matches(current)) {
                 last = (Layer) current;
@@ -234,6 +300,9 @@ public class MessageMetadata {
 
         @Override
         public boolean hasNext() {
+            if (parent != null && matches(parent)) {
+                return true;
+            }
             if (last == null) {
                 findNext();
             }
@@ -242,6 +311,11 @@ public class MessageMetadata {
 
         @Override
         public O next() {
+            if (parent != null && matches(parent)) {
+                O property = getProperty(parent);
+                parent = null;
+                return property;
+            }
             if (last == null) {
                 findNext();
             }
@@ -263,7 +337,16 @@ public class MessageMetadata {
             }
         }
 
-        abstract boolean matches(Nested layer);
+        boolean matches(Nested layer) {
+            return false;
+        }
+
+        boolean matches(Layer layer) {
+            if (layer instanceof Nested) {
+                return matches((Nested) layer);
+            }
+            return false;
+        }
 
         abstract O getProperty(Layer last);
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 7e34d329..9e26dc20 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -34,7 +34,6 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
-import org.bouncycastle.util.encoders.Hex;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
@@ -81,16 +80,27 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     private final MessageMetadata.Layer metadata;
     private final Policy policy;
 
-    public OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options)
+    public OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+                                     @Nonnull ConsumerOptions options)
             throws IOException, PGPException {
-        this(inputStream, options, new MessageMetadata.Message());
+        this(inputStream, options, PGPainless.getPolicy());
     }
 
-    OpenPgpMessageInputStream(InputStream inputStream, ConsumerOptions options, MessageMetadata.Layer metadata)
+    public OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+                                     @Nonnull ConsumerOptions options,
+                                     @Nonnull Policy policy)
+            throws PGPException, IOException {
+        this(inputStream, options, new MessageMetadata.Message(), policy);
+    }
+
+    protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+                              @Nonnull ConsumerOptions options,
+                              @Nonnull MessageMetadata.Layer metadata,
+                              @Nonnull Policy policy)
             throws PGPException, IOException {
         super(OpenPgpMetadata.getBuilder());
 
-        this.policy = PGPainless.getPolicy();
+        this.policy = policy;
         this.options = options;
         this.metadata = metadata;
         this.signatures = new Signatures(options);
@@ -100,6 +110,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             this.signatures.addDetachedSignatures(options.getDetachedSignatures());
         }
 
+        // tee out packet bytes for signature verification
         packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
 
         // *omnomnom*
@@ -125,37 +136,30 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     private void consumePackets()
             throws IOException, PGPException {
         OpenPgpPacket nextPacket;
-        loop: while ((nextPacket = packetInputStream.nextPacketTag()) != null) {
+
+        loop: // we break this when we go deeper.
+        while ((nextPacket = packetInputStream.nextPacketTag()) != null) {
             signatures.nextPacket(nextPacket);
             switch (nextPacket) {
 
                 // Literal Data - the literal data content is the new input stream
                 case LIT:
-                    automaton.next(InputAlphabet.LiteralData);
                     processLiteralData();
                     break loop;
 
                 // Compressed Data - the content contains another OpenPGP message
                 case COMP:
-                    automaton.next(InputAlphabet.CompressedData);
                     processCompressedData();
                     break loop;
 
                 // One Pass Signature
                 case OPS:
-                    automaton.next(InputAlphabet.OnePassSignature);
-                    PGPOnePassSignature onePassSignature = readOnePassSignature();
-                    signatures.addOnePassSignature(onePassSignature);
+                    processOnePassSignature();
                     break;
 
                 // Signature - either prepended to the message, or corresponding to a One Pass Signature
                 case SIG:
-                    // true if Signature corresponds to OnePassSignature
-                    boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
-                    automaton.next(InputAlphabet.Signature);
-
-                    processSignature(isSigForOPS);
-
+                    processSignature();
                     break;
 
                 // Encrypted Data (ESKs and SED/SEIPD are parsed the same by BC)
@@ -163,14 +167,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 case SKESK:
                 case SED:
                 case SEIPD:
-                    automaton.next(InputAlphabet.EncryptedData);
                     if (processEncryptedData()) {
                         break loop;
                     }
 
                     throw new MissingDecryptionMethodException("No working decryption method found.");
 
-                    // Marker Packets need to be skipped and ignored
+                // Marker Packets need to be skipped and ignored
                 case MARKER:
                     packetInputStream.readMarker();
                     break;
@@ -200,36 +203,51 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
     }
 
-    private void processSignature(boolean isSigForOPS) throws PGPException, IOException {
-        PGPSignature signature = readSignature();
-        if (isSigForOPS) {
-            signatures.leaveNesting(); // TODO: Only leave nesting if all OPSs are dealt with
-            signatures.addCorrespondingOnePassSignature(signature);
-        } else {
-            signatures.addPrependedSignature(signature);
-        }
+    private void processLiteralData() throws IOException {
+        automaton.next(InputAlphabet.LiteralData);
+        PGPLiteralData literalData = packetInputStream.readLiteralData();
+        this.metadata.setChild(new MessageMetadata.LiteralData(
+                literalData.getFileName(),
+                literalData.getModificationTime(),
+                StreamEncoding.requireFromCode(literalData.getFormat())));
+        nestedInputStream = literalData.getDataStream();
     }
 
     private void processCompressedData() throws IOException, PGPException {
+        automaton.next(InputAlphabet.CompressedData);
         signatures.enterNesting();
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
         InputStream decompressed = compressedData.getDataStream();
-        nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer);
+        nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer, policy);
     }
 
-    private void processLiteralData() throws IOException {
-        PGPLiteralData literalData = packetInputStream.readLiteralData();
-        this.metadata.setChild(new MessageMetadata.LiteralData(literalData.getFileName(), literalData.getModificationTime(),
-                StreamEncoding.requireFromCode(literalData.getFormat())));
-        nestedInputStream = literalData.getDataStream();
+    private void processOnePassSignature() throws PGPException, IOException {
+        automaton.next(InputAlphabet.OnePassSignature);
+        PGPOnePassSignature onePassSignature = packetInputStream.readOnePassSignature();
+        signatures.addOnePassSignature(onePassSignature);
+    }
+
+    private void processSignature() throws PGPException, IOException {
+        // true if Signature corresponds to OnePassSignature
+        boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
+        automaton.next(InputAlphabet.Signature);
+        PGPSignature signature = packetInputStream.readSignature();
+        if (isSigForOPS) {
+            signatures.leaveNesting(); // TODO: Only leave nesting if all OPSs of the nesting layer are dealt with
+            signatures.addCorrespondingOnePassSignature(signature, metadata);
+        } else {
+            signatures.addPrependedSignature(signature);
+        }
     }
 
     private boolean processEncryptedData() throws IOException, PGPException {
+        automaton.next(InputAlphabet.EncryptedData);
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
+        //  once BC ships it
         if (!encDataList.get(0).isIntegrityProtected()) {
             throw new MessageNotIntegrityProtectedException();
         }
@@ -239,24 +257,25 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // Try session key
         if (options.getSessionKey() != null) {
             SessionKey sessionKey = options.getSessionKey();
-            if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(sessionKey.getAlgorithm())) {
-                throw new UnacceptableAlgorithmException("Symmetric algorithm " + sessionKey.getAlgorithm() + " is not acceptable.");
-            }
+
+            throwIfUnacceptable(sessionKey.getAlgorithm());
+
             SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getSessionKeyDataDecryptorFactory(sessionKey);
-            // TODO: Replace with encDataList.addSessionKeyDecryptionMethod(sessionKey)
-            PGPEncryptedData esk = esks.all().get(0);
+            MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
+
             try {
-                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
+                // TODO: Use BCs new API once shipped
+                PGPEncryptedData esk = esks.all().get(0);
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
@@ -268,19 +287,25 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         // Try passwords
         for (PGPPBEEncryptedData skesk : esks.skesks) {
+            SymmetricKeyAlgorithm kekAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
+            throwIfUnacceptable(kekAlgorithm);
             for (Passphrase passphrase : options.getDecryptionPassphrases()) {
-                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                        .getPBEDataDecryptorFactory(passphrase);
-                try {
-                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                            SymmetricKeyAlgorithm.requireFromId(skesk.getSymmetricAlgorithm(decryptorFactory)));
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
-                    return true;
-                } catch (PGPException e) {
-                    // password mismatch? Try next password
-                }
+                    PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                            .getPBEDataDecryptorFactory(passphrase);
 
+                    try {
+                        InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                        SymmetricKeyAlgorithm sessionKeyAlgorithm = SymmetricKeyAlgorithm.requireFromId(
+                                skesk.getSymmetricAlgorithm(decryptorFactory));
+                        throwIfUnacceptable(sessionKeyAlgorithm);
+                        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKeyAlgorithm);
+                        nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                        return true;
+                    } catch (UnacceptableAlgorithmException e) {
+                        throw e;
+                    } catch (PGPException e) {
+                        // Password mismatch?
+                    }
             }
         }
 
@@ -299,19 +324,17 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     .getPublicKeyDataDecryptorFactory(privateKey);
             try {
                 SymmetricKeyAlgorithm symAlg = SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory));
-                if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(symAlg)) {
-                    throw new UnacceptableAlgorithmException("Symmetric-key algorithm " + symAlg + " is not acceptable.");
-                }
+                throwIfUnacceptable(symAlg);
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
 
-                nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
+                nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                 return true;
+            } catch (UnacceptableAlgorithmException e) {
+                throw e;
             } catch (PGPException e) {
-                if (e instanceof UnacceptableAlgorithmException) {
-                    throw e;
-                }
+
             }
         }
 
@@ -327,7 +350,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } catch (PGPException e) {
                     // hm :/
@@ -339,6 +362,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
+    private void throwIfUnacceptable(SymmetricKeyAlgorithm algorithm)
+            throws UnacceptableAlgorithmException {
+        if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) {
+            throw new UnacceptableAlgorithmException("Symmetric-Key algorithm " + algorithm + " is not acceptable for message decryption.");
+        }
+    }
+
     private static InputStream buffer(InputStream inputStream) {
         return new BufferedInputStream(inputStream);
     }
@@ -370,16 +400,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return null;
     }
 
-    private PGPOnePassSignature readOnePassSignature()
-            throws PGPException, IOException {
-        return packetInputStream.readOnePassSignature();
-    }
-
-    private PGPSignature readSignature()
-            throws PGPException, IOException {
-        return packetInputStream.readSignature();
-    }
-
     @Override
     public int read() throws IOException {
         if (nestedInputStream == null) {
@@ -407,7 +427,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             } catch (PGPException e) {
                 throw new RuntimeException(e);
             }
-            signatures.finish();
+            signatures.finish(metadata);
         }
         return r;
     }
@@ -435,7 +455,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             } catch (PGPException e) {
                 throw new RuntimeException(e);
             }
-            signatures.finish();
+            signatures.finish(metadata);
         }
         return r;
     }
@@ -517,11 +537,11 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     // Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
-        final List detachedSignatures;
-        final List prependedSignatures;
-        final List onePassSignatures;
-        final Stack> opsUpdateStack;
-        List literalOPS = new ArrayList<>();
+        final List detachedSignatures;
+        final List prependedSignatures;
+        final List onePassSignatures;
+        final Stack> opsUpdateStack;
+        List literalOPS = new ArrayList<>();
         final List correspondingSignatures;
         boolean isLiteral = true;
 
@@ -546,19 +566,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.detachedSignatures.add(new SIG(signature, certificate, keyId));
+            this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
         }
 
         void addPrependedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
             initialize(signature, certificate, keyId);
-            this.prependedSignatures.add(new SIG(signature, certificate, keyId));
+            this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
-            OPS ops = new OPS(signature, certificate, signature.getKeyID());
+            OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID());
             ops.init(certificate);
             onePassSignatures.add(ops);
 
@@ -568,9 +588,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        void addCorrespondingOnePassSignature(PGPSignature signature) {
+        void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer) {
             for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
-                OPS onePassSignature = onePassSignatures.get(i);
+                OnePassSignature onePassSignature = onePassSignatures.get(i);
                 if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) {
                     continue;
                 }
@@ -579,8 +599,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 }
 
                 boolean verified = onePassSignature.verify(signature);
-                log("One-Pass-Signature by " + Long.toHexString(onePassSignature.opSignature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                log(onePassSignature.toString());
+                SignatureVerification verification = new SignatureVerification(signature,
+                        new SubkeyIdentifier(onePassSignature.certificate, onePassSignature.keyId));
+                if (verified) {
+                    layer.addVerifiedSignature(verification);
+                } else {
+                    layer.addFailedSignature(new SignatureVerification.Failure(verification,
+                            new SignatureValidationException("Incorrect Signature.")));
+                }
                 break;
             }
         }
@@ -597,11 +623,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             opsUpdateStack.pop();
         }
 
-        private static void initialize(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
-            if (certificate == null) {
-                // SHIT
-                return;
-            }
+        private static void initialize(@Nonnull PGPSignature signature, @Nonnull PGPPublicKeyRing certificate, long keyId) {
             PGPContentVerifierBuilderProvider verifierProvider = ImplementationFactory.getInstance()
                     .getPGPContentVerifierBuilderProvider();
             try {
@@ -611,10 +633,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        private static void initialize(PGPOnePassSignature ops, PGPPublicKeyRing certificate) {
-            if (certificate == null) {
-                return;
-            }
+        private static void initialize(@Nonnull PGPOnePassSignature ops, @Nonnull PGPPublicKeyRing certificate) {
             PGPContentVerifierBuilderProvider verifierProvider = ImplementationFactory.getInstance()
                     .getPGPContentVerifierBuilderProvider();
             try {
@@ -635,76 +654,74 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         public void updateLiteral(byte b) {
-            for (OPS ops : literalOPS) {
+            for (OnePassSignature ops : literalOPS) {
                 ops.update(b);
             }
 
-            for (SIG detached : detachedSignatures) {
+            for (DetachedOrPrependedSignature detached : detachedSignatures) {
                 detached.update(b);
             }
+
+            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
+                prepended.update(b);
+            }
         }
 
         public void updateLiteral(byte[] b, int off, int len) {
-            for (OPS ops : literalOPS) {
+            for (OnePassSignature ops : literalOPS) {
                 ops.update(b, off, len);
             }
 
-            for (SIG detached : detachedSignatures) {
+            for (DetachedOrPrependedSignature detached : detachedSignatures) {
                 detached.update(b, off, len);
             }
+
+            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
+                prepended.update(b, off, len);
+            }
         }
 
         public void updatePacket(byte b) {
-            for (SIG detached : detachedSignatures) {
-                detached.update(b);
-            }
-
-            for (SIG prepended : prependedSignatures) {
-                prepended.update(b);
-            }
-
             for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
-                List nestedOPSs = opsUpdateStack.get(i);
-                for (OPS ops : nestedOPSs) {
+                List nestedOPSs = opsUpdateStack.get(i);
+                for (OnePassSignature ops : nestedOPSs) {
                     ops.update(b);
                 }
             }
         }
 
         public void updatePacket(byte[] buf, int off, int len) {
-            for (SIG detached : detachedSignatures) {
-                detached.update(buf, off, len);
-            }
-
-            for (SIG prepended : prependedSignatures) {
-                prepended.update(buf, off, len);
-            }
-
             for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
-                List nestedOPSs = opsUpdateStack.get(i);
-                for (OPS ops : nestedOPSs) {
+                List nestedOPSs = opsUpdateStack.get(i);
+                for (OnePassSignature ops : nestedOPSs) {
                     ops.update(buf, off, len);
                 }
             }
         }
 
-        public void finish() {
-            for (SIG detached : detachedSignatures) {
+        public void finish(MessageMetadata.Layer layer) {
+            for (DetachedOrPrependedSignature detached : detachedSignatures) {
                 boolean verified = detached.verify();
+                SignatureVerification verification = new SignatureVerification(
+                        detached.signature, new SubkeyIdentifier(detached.certificate, detached.keyId));
                 if (verified) {
-                    this.verified.add(detached.signature);
+                    layer.addVerifiedSignature(verification);
+                } else {
+                    layer.addFailedSignature(new SignatureVerification.Failure(
+                        verification, new SignatureValidationException("Incorrect Signature.")));
                 }
-                log("Detached Signature by " + Long.toHexString(detached.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                log(detached.toString());
             }
 
-            for (SIG prepended : prependedSignatures) {
+            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
                 boolean verified = prepended.verify();
+                SignatureVerification verification = new SignatureVerification(
+                        prepended.signature, new SubkeyIdentifier(prepended.certificate, prepended.keyId));
                 if (verified) {
-                    this.verified.add(prepended.signature);
+                    layer.addVerifiedSignature(verification);
+                } else {
+                    layer.addFailedSignature(new SignatureVerification.Failure(
+                            verification, new SignatureValidationException("Incorrect Signature.")));
                 }
-                log("Prepended Signature by " + Long.toHexString(prepended.signature.getKeyID()) + " is " + (verified ? "verified" : "unverified"));
-                log(prepended.toString());
             }
         }
 
@@ -729,7 +746,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        static class SIG {
+        static class DetachedOrPrependedSignature {
             ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             PGPSignature signature;
             PGPPublicKeyRing certificate;
@@ -737,7 +754,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             boolean finished;
             boolean valid;
 
-            public SIG(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
+            public DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
                 this.signature = signature;
                 this.certificate = certificate;
                 this.keyId = keyId;
@@ -762,8 +779,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             public void update(byte b) {
                 if (finished) {
-                    log("Updating finished sig!");
-                    return;
+                    throw new IllegalStateException("Already finished.");
                 }
                 signature.update(b);
                 bytes.write(b);
@@ -771,52 +787,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             public void update(byte[] bytes, int off, int len) {
                 if (finished) {
-                    log("Updating finished sig!");
-                    return;
+                    throw new IllegalStateException("Already finished.");
                 }
                 signature.update(bytes, off, len);
                 this.bytes.write(bytes, off, len);
             }
-
-            @Override
-            public String toString() {
-                String OPS = "c40d03000a01fbfcc82a015e733001";
-                String LIT_H = "cb28620000000000";
-                String LIT = "656e637279707420e28898207369676e20e28898207369676e20e28898207369676e";
-                String SIG1 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
-                String SIG1f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
-                String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                String SIG2f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                String out = "";
-
-                String hex = Hex.toHexString(bytes.toByteArray());
-                while (hex.contains(OPS)) {
-                    hex = hex.replace(OPS, "[OPS]");
-                }
-                while (hex.contains(LIT_H)) {
-                    hex = hex.replace(LIT_H, "[LIT]");
-                }
-                while (hex.contains(LIT)) {
-                    hex = hex.replace(LIT, "");
-                }
-                while (hex.contains(SIG1)) {
-                    hex = hex.replace(SIG1, "[SIG1]");
-                }
-                while (hex.contains(SIG1f)) {
-                    hex = hex.replace(SIG1f, "[SIG1f]");
-                }
-                while (hex.contains(SIG2)) {
-                    hex = hex.replace(SIG2, "[SIG2]");
-                }
-                while (hex.contains(SIG2f)) {
-                    hex = hex.replace(SIG2f, "[SIG2f]");
-                }
-
-                return out + hex;
-            }
         }
 
-        static class OPS {
+        static class OnePassSignature {
             ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             PGPOnePassSignature opSignature;
             PGPSignature signature;
@@ -825,7 +803,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             boolean finished;
             boolean valid;
 
-            public OPS(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
+            public OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
                 this.opSignature = signature;
                 this.certificate = certificate;
                 this.keyId = keyId;
@@ -836,6 +814,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
 
             public boolean verify(PGPSignature signature) {
+                if (finished) {
+                    throw new IllegalStateException("Already finished.");
+                }
+
                 if (this.opSignature.getKeyID() != signature.getKeyID()) {
                     // nope
                     return false;
@@ -852,8 +834,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             public void update(byte b) {
                 if (finished) {
-                    log("Updating finished sig!");
-                    return;
+                    throw new IllegalStateException("Already finished.");
                 }
                 opSignature.update(b);
                 bytes.write(b);
@@ -861,49 +842,11 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             public void update(byte[] bytes, int off, int len) {
                 if (finished) {
-                    log("Updating finished sig!");
-                    return;
+                    throw new IllegalStateException("Already finished.");
                 }
                 opSignature.update(bytes, off, len);
                 this.bytes.write(bytes, off, len);
             }
-
-            @Override
-            public String toString() {
-                String OPS = "c40d03000a01fbfcc82a015e733001";
-                String LIT_H = "cb28620000000000";
-                String LIT = "656e637279707420e28898207369676e20e28898207369676e20e28898207369676e";
-                String SIG1 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
-                String SIG1f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267b0409ed8ea96dac66447bdff5b7b60c9f80a0ab91d257029153dc3b6d8c27b98162104d1a66e1a23b182c9980f788cfbfcc82a015e7330000029640c00846b5096d92474fd446cc7edaf9f14572cab93a80e12384c1e829f95debc6e8373c2ce5402be53dc1a18cf92a0ed909e0fb38855713ef8ffb13502ffac7c830fa254cc1aa6c666a97b0cc3bc176538f6913d3b8e8981a65cc42df10e0f39e4d0a06dfe961437b59a71892f4fca1116aed15123ea0d86a7b2ce47dd9d3ef22d920631bc011e82babe03ad5d72b3ba7f95bf646f20ccf6f7a4d95de37397c76c7d53741458e51ab6074007f61181c7b88b7c98f5b7510c8dfa3be01f4841501679478b15c5249d928e2a10d15ec63efa1500b994d5bfb32ffb174a976116930eb97a111e6dfd4c5e43e04a5d76ba74806a62fda63a8c3f53f6eebaf852892340e81dd08bbf348454a2cf525aeb512cf33aeeee78465ee4c442e41cc45ac4e3bb0c3333677aa60332ee7f464d9020f8554b82d619872477cca18d8431888f4ae8abe5894e9720f759c410cd7991db12703dc147040dd0d3758223e0b75de6ceae49c1a0c2c45efedeb7114ae785cc886afdc45c82172e4476e1ab5b86dc4314dd76";
-                String SIG2 = "c2c10400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                String SIG2f = "c2c13b0400010a006f058262c806350910fbfcc82a015e7330471400000000001e002073616c74406e6f746174696f6e732e736571756f69612d7067702e6f7267a4d9c117dc7ba3a7e9270856f128d2ab271743eac3cb5750b22a89bd5fd60753162104d1a66e1a23b182c9980f788cfbfcc82a015e73300000b8400bff796c20fa8b25ff7a42686338e06417a2966e85a0fc2723c928bef6cd19d34cf5e7d55ada33080613012dadb79e0278e59d9e7ed7d2d6102912a5f768c2e75b60099225c3d8bfe0c123240188b80dbee89b9b3bd5b13ccc662abc37e2129b6968adac9aba43aa778c0fe4fe337591ee87a96a29a013debc83555293c877144fc676aa1b03782c501949521a320adf6ad96c4f2e036b52a18369c637fdc49033696a84d03a69580b953187fce5aca6fb26fc8815da9f3b513bfe8e304f33ecb4b521aeb7d09c4a284ea66123bd0d6a358b2526d762ca110e1f7f20b3038d774b64d5cfd34e2213765828359d7afc5bf24d5270e99d80c3c1568fa01624b6ea1e9ce4e6890ce9bacf6611a45d41e2671f68f5b096446bf08d27ce75608425b2e3ab92146229ad1fcd8224aca5b5f73960506e7df07bfbf3664348e8ecbfb2eb467b9cfe412cb377a6ee2eb5fd11be9cf9208fe9a74c296f52cfa02a1eb0519ad9a8349bf6ccd6495feb7e391451bf96e08a0798883dee5974e47cbf3b51f111b6d3";
-                String out = "last=" + opSignature.isContaining() + "\n";
-
-                String hex = Hex.toHexString(bytes.toByteArray());
-                while (hex.contains(OPS)) {
-                    hex = hex.replace(OPS, "[OPS]");
-                }
-                while (hex.contains(LIT_H)) {
-                    hex = hex.replace(LIT_H, "[LIT]");
-                }
-                while (hex.contains(LIT)) {
-                    hex = hex.replace(LIT, "");
-                }
-                while (hex.contains(SIG1)) {
-                    hex = hex.replace(SIG1, "[SIG1]");
-                }
-                while (hex.contains(SIG1f)) {
-                    hex = hex.replace(SIG1f, "[SIG1f]");
-                }
-                while (hex.contains(SIG2)) {
-                    hex = hex.replace(SIG2, "[SIG2]");
-                }
-                while (hex.contains(SIG2f)) {
-                    hex = hex.replace(SIG2f, "[SIG2f]");
-                }
-
-                return out + hex;
-            }
         }
     }
 
@@ -916,7 +859,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         resultBuilder.setFileEncoding(m.getFormat());
         resultBuilder.setSessionKey(m.getSessionKey());
 
-        for (Signatures.OPS ops : signatures.onePassSignatures) {
+        for (Signatures.OnePassSignature ops : signatures.onePassSignatures) {
             if (!ops.finished) {
                 continue;
             }
@@ -930,7 +873,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        for (Signatures.SIG prep : signatures.prependedSignatures) {
+        for (Signatures.DetachedOrPrependedSignature prep : signatures.prependedSignatures) {
             if (!prep.finished) {
                 continue;
             }
@@ -944,7 +887,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        for (Signatures.SIG det : signatures.detachedSignatures) {
+        for (Signatures.DetachedOrPrependedSignature det : signatures.detachedSignatures) {
             if (!det.finished) {
                 continue;
             }
@@ -964,7 +907,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     static void log(String message) {
         LOGGER.debug(message);
         // CHECKSTYLE:OFF
-        // System.out.println(message);
+        System.out.println(message);
         // CHECKSTYLE:ON
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 1955eebe..87ae27f8 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -4,6 +4,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -331,6 +332,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals("", metadata.getFilename());
         JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
         assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+        assertTrue(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process LIT LIT using {0}")
@@ -349,6 +352,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(PLAINTEXT, plain);
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
+        assertTrue(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process COMP using {0}")
@@ -372,6 +377,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(CompressionAlgorithm.BZIP2, compressionAlgorithms.next());
         assertFalse(compressionAlgorithms.hasNext());
         assertNull(metadata.getEncryptionAlgorithm());
+        assertTrue(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process SIG COMP(LIT) using {0}")
@@ -388,6 +395,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
         assertNull(metadata.getEncryptionAlgorithm());
+        assertFalse(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process SENC(LIT) using {0}")
@@ -401,6 +410,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertNull(metadata.getCompressionAlgorithm());
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
+        assertTrue(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process PENC(COMP(LIT)) using {0}")
@@ -415,6 +426,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
+        assertTrue(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process OPS LIT SIG using {0}")
@@ -429,6 +442,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertNull(metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
+        assertFalse(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     String BOB_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -564,6 +579,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
+        assertFalse(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process PENC(OPS OPS OPS LIT SIG SIG SIG) using {0}")
@@ -627,6 +644,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
+        assertFalse(metadata.getVerifiedSignatures().isEmpty());
+        assertTrue(metadata.getRejectedSignatures().isEmpty());
     }
 
     private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options)

From 654493dfccb2e16f3327c98c402d82757132f0ca Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 16 Oct 2022 18:54:22 +0200
Subject: [PATCH 0728/1450] Properly expose signatures

---
 .../MessageMetadata.java                      |  87 ++++++++--
 .../OpenPgpMessageInputStream.java            | 162 +++++++++---------
 .../OpenPgpMessageInputStreamTest.java        |  36 ++--
 3 files changed, 171 insertions(+), 114 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index bb2f5c76..2cd2a6f2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -91,16 +91,24 @@ public class MessageMetadata {
         };
     }
 
-    public @Nonnull List getVerifiedSignatures() {
+    public List getVerifiedDetachedSignatures() {
+        return new ArrayList<>(message.verifiedDetachedSignatures);
+    }
+
+    public List getRejectedDetachedSignatures() {
+        return new ArrayList<>(message.rejectedDetachedSignatures);
+    }
+
+    public @Nonnull List getVerifiedInlineSignatures() {
         List verifications = new ArrayList<>();
-        Iterator> verificationsByLayer = getVerifiedSignaturesByLayer();
+        Iterator> verificationsByLayer = getVerifiedInlineSignaturesByLayer();
         while (verificationsByLayer.hasNext()) {
             verifications.addAll(verificationsByLayer.next());
         }
         return verifications;
     }
 
-    public @Nonnull Iterator> getVerifiedSignaturesByLayer() {
+    public @Nonnull Iterator> getVerifiedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
             boolean matches(Nested layer) {
@@ -114,21 +122,24 @@ public class MessageMetadata {
 
             @Override
             List getProperty(Layer last) {
-                return new ArrayList<>(last.getVerifiedSignatures());
+                List list = new ArrayList<>();
+                list.addAll(last.getVerifiedOnePassSignatures());
+                list.addAll(last.getVerifiedPrependedSignatures());
+                return list;
             }
         };
     }
 
-    public @Nonnull List getRejectedSignatures() {
+    public @Nonnull List getRejectedInlineSignatures() {
         List rejected = new ArrayList<>();
-        Iterator> rejectedByLayer = getRejectedSignaturesByLayer();
+        Iterator> rejectedByLayer = getRejectedInlineSignaturesByLayer();
         while (rejectedByLayer.hasNext()) {
             rejected.addAll(rejectedByLayer.next());
         }
         return rejected;
     }
 
-    public @Nonnull Iterator> getRejectedSignaturesByLayer() {
+    public @Nonnull Iterator> getRejectedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
             boolean matches(Nested layer) {
@@ -142,7 +153,10 @@ public class MessageMetadata {
 
             @Override
             List getProperty(Layer last) {
-                return new ArrayList<>(last.getFailedSignatures());
+                List list = new ArrayList<>();
+                list.addAll(last.getRejectedOnePassSignatures());
+                list.addAll(last.getRejectedPrependedSignatures());
+                return list;
             }
         };
     }
@@ -169,8 +183,12 @@ public class MessageMetadata {
     }
 
     public abstract static class Layer {
-        protected final List verifiedSignatures = new ArrayList<>();
-        protected final List failedSignatures = new ArrayList<>();
+        protected final List verifiedDetachedSignatures = new ArrayList<>();
+        protected final List rejectedDetachedSignatures = new ArrayList<>();
+        protected final List verifiedOnePassSignatures = new ArrayList<>();
+        protected final List rejectedOnePassSignatures = new ArrayList<>();
+        protected final List verifiedPrependedSignatures = new ArrayList<>();
+        protected final List rejectedPrependedSignatures = new ArrayList<>();
         protected Nested child;
 
         public Nested getChild() {
@@ -181,21 +199,54 @@ public class MessageMetadata {
             this.child = child;
         }
 
-        public List getVerifiedSignatures() {
-            return new ArrayList<>(verifiedSignatures);
+        public List getVerifiedDetachedSignatures() {
+            return new ArrayList<>(verifiedDetachedSignatures);
         }
 
-        public List getFailedSignatures() {
-            return new ArrayList<>(failedSignatures);
+        public List getRejectedDetachedSignatures() {
+            return new ArrayList<>(rejectedDetachedSignatures);
         }
 
-        void addVerifiedSignature(SignatureVerification signatureVerification) {
-            verifiedSignatures.add(signatureVerification);
+        void addVerifiedDetachedSignature(SignatureVerification signatureVerification) {
+            verifiedDetachedSignatures.add(signatureVerification);
         }
 
-        void addFailedSignature(SignatureVerification.Failure failure) {
-            failedSignatures.add(failure);
+        void addRejectedDetachedSignature(SignatureVerification.Failure failure) {
+            rejectedDetachedSignatures.add(failure);
         }
+
+        public List getVerifiedOnePassSignatures() {
+            return new ArrayList<>(verifiedOnePassSignatures);
+        }
+
+        public List getRejectedOnePassSignatures() {
+            return new ArrayList<>(rejectedOnePassSignatures);
+        }
+
+        void addVerifiedOnePassSignature(SignatureVerification verifiedOnePassSignature) {
+            this.verifiedOnePassSignatures.add(verifiedOnePassSignature);
+        }
+
+        void addRejectedOnePassSignature(SignatureVerification.Failure rejected) {
+            this.rejectedOnePassSignatures.add(rejected);
+        }
+
+        public List getVerifiedPrependedSignatures() {
+            return new ArrayList<>(verifiedPrependedSignatures);
+        }
+
+        public List getRejectedPrependedSignatures() {
+            return new ArrayList<>(rejectedPrependedSignatures);
+        }
+
+        void addVerifiedPrependedSignature(SignatureVerification verified) {
+            this.verifiedPrependedSignatures.add(verified);
+        }
+
+        void addRejectedPrependedSignature(SignatureVerification.Failure rejected) {
+            this.rejectedPrependedSignatures.add(rejected);
+        }
+
     }
 
     public interface Nested {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 9e26dc20..a4b05bbe 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -29,6 +29,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
@@ -55,6 +56,7 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
+import org.pgpainless.signature.consumer.SignatureValidator;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
 import org.pgpainless.util.Tuple;
@@ -94,9 +96,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
-                              @Nonnull ConsumerOptions options,
-                              @Nonnull MessageMetadata.Layer metadata,
-                              @Nonnull Policy policy)
+                                        @Nonnull ConsumerOptions options,
+                                        @Nonnull MessageMetadata.Layer metadata,
+                                        @Nonnull Policy policy)
             throws PGPException, IOException {
         super(OpenPgpMetadata.getBuilder());
 
@@ -173,7 +175,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                     throw new MissingDecryptionMethodException("No working decryption method found.");
 
-                // Marker Packets need to be skipped and ignored
+                    // Marker Packets need to be skipped and ignored
                 case MARKER:
                     packetInputStream.readMarker();
                     break;
@@ -236,7 +238,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         PGPSignature signature = packetInputStream.readSignature();
         if (isSigForOPS) {
             signatures.leaveNesting(); // TODO: Only leave nesting if all OPSs of the nesting layer are dealt with
-            signatures.addCorrespondingOnePassSignature(signature, metadata);
+            signatures.addCorrespondingOnePassSignature(signature, metadata, policy);
         } else {
             signatures.addPrependedSignature(signature);
         }
@@ -257,7 +259,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // Try session key
         if (options.getSessionKey() != null) {
             SessionKey sessionKey = options.getSessionKey();
-
             throwIfUnacceptable(sessionKey.getAlgorithm());
 
             SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
@@ -270,11 +271,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                    encryptedData.sessionKey = sessionKey;
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                    encryptedData.sessionKey = sessionKey;
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } else {
@@ -290,22 +293,22 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             SymmetricKeyAlgorithm kekAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
             throwIfUnacceptable(kekAlgorithm);
             for (Passphrase passphrase : options.getDecryptionPassphrases()) {
-                    PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                            .getPBEDataDecryptorFactory(passphrase);
+                PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                        .getPBEDataDecryptorFactory(passphrase);
 
-                    try {
-                        InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                        SymmetricKeyAlgorithm sessionKeyAlgorithm = SymmetricKeyAlgorithm.requireFromId(
-                                skesk.getSymmetricAlgorithm(decryptorFactory));
-                        throwIfUnacceptable(sessionKeyAlgorithm);
-                        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKeyAlgorithm);
-                        nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
-                        return true;
-                    } catch (UnacceptableAlgorithmException e) {
-                        throw e;
-                    } catch (PGPException e) {
-                        // Password mismatch?
-                    }
+                try {
+                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
+                    SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
+                    throwIfUnacceptable(sessionKey.getAlgorithm());
+                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
+                    encryptedData.sessionKey = sessionKey;
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                    return true;
+                } catch (UnacceptableAlgorithmException e) {
+                    throw e;
+                } catch (PGPException e) {
+                    // Password mismatch?
+                }
             }
         }
 
@@ -323,11 +326,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getPublicKeyDataDecryptorFactory(privateKey);
             try {
-                SymmetricKeyAlgorithm symAlg = SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory));
-                throwIfUnacceptable(symAlg);
                 InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
+                throwIfUnacceptable(sessionKey.getAlgorithm());
+
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                encryptedData.sessionKey = sessionKey;
 
                 nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                 return true;
@@ -348,8 +353,12 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 try {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                    SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
+                    throwIfUnacceptable(sessionKey.getAlgorithm());
+
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                    encryptedData.sessionKey = sessionKey;
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
                     return true;
                 } catch (PGPException e) {
@@ -427,7 +436,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             } catch (PGPException e) {
                 throw new RuntimeException(e);
             }
-            signatures.finish(metadata);
+            signatures.finish(metadata, policy);
         }
         return r;
     }
@@ -455,7 +464,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             } catch (PGPException e) {
                 throw new RuntimeException(e);
             }
-            signatures.finish(metadata);
+            signatures.finish(metadata, policy);
         }
         return r;
     }
@@ -588,7 +597,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer) {
+        void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
             for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
                 OnePassSignature onePassSignature = onePassSignatures.get(i);
                 if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) {
@@ -598,19 +607,32 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     continue;
                 }
 
-                boolean verified = onePassSignature.verify(signature);
+                boolean correct = onePassSignature.verify(signature);
                 SignatureVerification verification = new SignatureVerification(signature,
                         new SubkeyIdentifier(onePassSignature.certificate, onePassSignature.keyId));
-                if (verified) {
-                    layer.addVerifiedSignature(verification);
+                if (correct) {
+                    PGPPublicKey signingKey = onePassSignature.certificate.getPublicKey(onePassSignature.keyId);
+                    try {
+                        checkSignatureValidity(signature, signingKey, policy);
+                        layer.addVerifiedOnePassSignature(verification);
+                    } catch (SignatureValidationException e) {
+                        layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
+                    }
                 } else {
-                    layer.addFailedSignature(new SignatureVerification.Failure(verification,
-                            new SignatureValidationException("Incorrect Signature.")));
+                    layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification,
+                            new SignatureValidationException("Bad Signature.")));
                 }
                 break;
             }
         }
 
+        boolean checkSignatureValidity(PGPSignature signature, PGPPublicKey signingKey, Policy policy) throws SignatureValidationException {
+            SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
+            SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
+            SignatureValidator.signatureIsEffective().verify(signature);
+            return true;
+        }
+
         void enterNesting() {
             opsUpdateStack.push(literalOPS);
             literalOPS = new ArrayList<>();
@@ -699,27 +721,39 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        public void finish(MessageMetadata.Layer layer) {
+        public void finish(MessageMetadata.Layer layer, Policy policy) {
             for (DetachedOrPrependedSignature detached : detachedSignatures) {
-                boolean verified = detached.verify();
+                boolean correct = detached.verify();
                 SignatureVerification verification = new SignatureVerification(
                         detached.signature, new SubkeyIdentifier(detached.certificate, detached.keyId));
-                if (verified) {
-                    layer.addVerifiedSignature(verification);
+                if (correct) {
+                    try {
+                        PGPPublicKey signingKey = detached.certificate.getPublicKey(detached.keyId);
+                        checkSignatureValidity(detached.signature, signingKey, policy);
+                        layer.addVerifiedDetachedSignature(verification);
+                    } catch (SignatureValidationException e) {
+                        layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
+                    }
                 } else {
-                    layer.addFailedSignature(new SignatureVerification.Failure(
-                        verification, new SignatureValidationException("Incorrect Signature.")));
+                    layer.addRejectedDetachedSignature(new SignatureVerification.Failure(
+                            verification, new SignatureValidationException("Incorrect Signature.")));
                 }
             }
 
             for (DetachedOrPrependedSignature prepended : prependedSignatures) {
-                boolean verified = prepended.verify();
+                boolean correct = prepended.verify();
                 SignatureVerification verification = new SignatureVerification(
                         prepended.signature, new SubkeyIdentifier(prepended.certificate, prepended.keyId));
-                if (verified) {
-                    layer.addVerifiedSignature(verification);
+                if (correct) {
+                    try {
+                        PGPPublicKey signingKey = prepended.certificate.getPublicKey(prepended.keyId);
+                        checkSignatureValidity(prepended.signature, signingKey, policy);
+                        layer.addVerifiedPrependedSignature(verification);
+                    } catch (SignatureValidationException e) {
+                        layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
+                    }
                 } else {
-                    layer.addFailedSignature(new SignatureVerification.Failure(
+                    layer.addRejectedPrependedSignature(new SignatureVerification.Failure(
                             verification, new SignatureValidationException("Incorrect Signature.")));
                 }
             }
@@ -859,46 +893,18 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         resultBuilder.setFileEncoding(m.getFormat());
         resultBuilder.setSessionKey(m.getSessionKey());
 
-        for (Signatures.OnePassSignature ops : signatures.onePassSignatures) {
-            if (!ops.finished) {
-                continue;
-            }
-
-            SubkeyIdentifier identifier = new SubkeyIdentifier(ops.certificate, ops.keyId);
-            SignatureVerification verification = new SignatureVerification(ops.signature, identifier);
-            if (ops.valid) {
-                resultBuilder.addVerifiedInbandSignature(verification);
-            } else {
-                resultBuilder.addInvalidInbandSignature(verification, new SignatureValidationException("Incorrect signature."));
-            }
+        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
+            resultBuilder.addVerifiedDetachedSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
+            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
         }
 
-        for (Signatures.DetachedOrPrependedSignature prep : signatures.prependedSignatures) {
-            if (!prep.finished) {
-                continue;
-            }
-
-            SubkeyIdentifier identifier = new SubkeyIdentifier(prep.certificate, prep.keyId);
-            SignatureVerification verification = new SignatureVerification(prep.signature, identifier);
-            if (prep.valid) {
-                resultBuilder.addVerifiedInbandSignature(verification);
-            } else {
-                resultBuilder.addInvalidInbandSignature(verification, new SignatureValidationException("Incorrect signature."));
-            }
+        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
+            resultBuilder.addVerifiedInbandSignature(accepted);
         }
-
-        for (Signatures.DetachedOrPrependedSignature det : signatures.detachedSignatures) {
-            if (!det.finished) {
-                continue;
-            }
-
-            SubkeyIdentifier identifier = new SubkeyIdentifier(det.certificate, det.keyId);
-            SignatureVerification verification = new SignatureVerification(det.signature, identifier);
-            if (det.valid) {
-                resultBuilder.addVerifiedDetachedSignature(verification);
-            } else {
-                resultBuilder.addInvalidDetachedSignature(verification, new SignatureValidationException("Incorrect signature."));
-            }
+        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
+            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
         }
 
         return resultBuilder.build();
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 87ae27f8..a8969047 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -332,8 +332,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals("", metadata.getFilename());
         JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
         assertEquals(StreamEncoding.BINARY, metadata.getFormat());
-        assertTrue(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process LIT LIT using {0}")
@@ -352,8 +352,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(PLAINTEXT, plain);
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
-        assertTrue(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process COMP using {0}")
@@ -377,8 +377,8 @@ public class OpenPgpMessageInputStreamTest {
         assertEquals(CompressionAlgorithm.BZIP2, compressionAlgorithms.next());
         assertFalse(compressionAlgorithms.hasNext());
         assertNull(metadata.getEncryptionAlgorithm());
-        assertTrue(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process SIG COMP(LIT) using {0}")
@@ -395,8 +395,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZIP, metadata.getCompressionAlgorithm());
         assertNull(metadata.getEncryptionAlgorithm());
-        assertFalse(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertFalse(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process SENC(LIT) using {0}")
@@ -410,8 +410,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertNull(metadata.getCompressionAlgorithm());
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
-        assertTrue(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process PENC(COMP(LIT)) using {0}")
@@ -426,8 +426,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
-        assertTrue(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process OPS LIT SIG using {0}")
@@ -442,8 +442,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertNull(metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
-        assertFalse(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertFalse(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     String BOB_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -579,8 +579,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
-        assertFalse(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertFalse(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     @ParameterizedTest(name = "Process PENC(OPS OPS OPS LIT SIG SIG SIG) using {0}")
@@ -644,8 +644,8 @@ public class OpenPgpMessageInputStreamTest {
         MessageMetadata metadata = result.getB();
         assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getEncryptionAlgorithm());
         assertNull(metadata.getCompressionAlgorithm());
-        assertFalse(metadata.getVerifiedSignatures().isEmpty());
-        assertTrue(metadata.getRejectedSignatures().isEmpty());
+        assertFalse(metadata.getVerifiedInlineSignatures().isEmpty());
+        assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
     private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options)

From fbcde13df37bfd471d191b817ff5e794c39e9d23 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 16 Oct 2022 19:12:17 +0200
Subject: [PATCH 0729/1450] Reinstate integrity-protection and fix tests

Integrity Protection is now checked when reading from the stream,
not only when closing.
---
 .../OpenPgpMessageInputStream.java            | 17 +++++++++----
 .../TeeBCPGInputStream.java                   | 20 ++++++++++++++--
 .../ModificationDetectionTests.java           | 24 ++++++++++++-------
 3 files changed, 46 insertions(+), 15 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a4b05bbe..54172e7f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -272,13 +272,15 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
                     encryptedData.sessionKey = sessionKey;
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                     encryptedData.sessionKey = sessionKey;
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
@@ -302,7 +304,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     throwIfUnacceptable(sessionKey.getAlgorithm());
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
                     encryptedData.sessionKey = sessionKey;
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
                     return true;
                 } catch (UnacceptableAlgorithmException e) {
                     throw e;
@@ -334,7 +337,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
                 encryptedData.sessionKey = sessionKey;
 
-                nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+                IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+                nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
                 return true;
             } catch (UnacceptableAlgorithmException e) {
                 throw e;
@@ -359,7 +363,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
                     encryptedData.sessionKey = sessionKey;
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(decrypted), options, encryptedData, policy);
+
+                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
                     return true;
                 } catch (PGPException e) {
                     // hm :/
@@ -491,6 +497,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         automaton.next(InputAlphabet.EndOfSequence);
         automaton.assertValid();
+        packetInputStream.close();
         closed = true;
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index f80793f0..2efcfc43 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -96,6 +96,12 @@ public class TeeBCPGInputStream {
         return markerPacket;
     }
 
+
+    public void close() throws IOException {
+        this.packetInputStream.close();
+        this.delayedTee.close();
+    }
+
     public static class DelayedTeeInputStreamInputStream extends InputStream {
 
         private int last = -1;
@@ -112,8 +118,12 @@ public class TeeBCPGInputStream {
             if (last != -1) {
                 outputStream.write(last);
             }
-            last = inputStream.read();
-            return last;
+            try {
+                last = inputStream.read();
+                return last;
+            } catch (IOException e) {
+                return -1;
+            }
         }
 
         /**
@@ -127,5 +137,11 @@ public class TeeBCPGInputStream {
             }
             last = -1;
         }
+
+        @Override
+        public void close() throws IOException {
+            inputStream.close();
+            outputStream.close();
+        }
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
index 14a041ff..9ecaa38a 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
@@ -238,8 +238,10 @@ public class ModificationDetectionTests {
                 );
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, out);
-        assertThrows(ModificationDetectionException.class, decryptionStream::close);
+        assertThrows(ModificationDetectionException.class, () -> {
+            Streams.pipeAll(decryptionStream, out);
+            decryptionStream.close();
+        });
     }
 
     @TestTemplate
@@ -269,8 +271,10 @@ public class ModificationDetectionTests {
                 );
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, out);
-        assertThrows(ModificationDetectionException.class, decryptionStream::close);
+        assertThrows(ModificationDetectionException.class, () -> {
+            Streams.pipeAll(decryptionStream, out);
+            decryptionStream.close();
+        });
     }
 
     @TestTemplate
@@ -313,8 +317,10 @@ public class ModificationDetectionTests {
                 );
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, out);
-        assertThrows(ModificationDetectionException.class, decryptionStream::close);
+        assertThrows(ModificationDetectionException.class, () -> {
+            Streams.pipeAll(decryptionStream, out);
+            decryptionStream.close();
+        });
     }
 
     @TestTemplate
@@ -344,8 +350,10 @@ public class ModificationDetectionTests {
                 );
 
         ByteArrayOutputStream out = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, out);
-        assertThrows(ModificationDetectionException.class, decryptionStream::close);
+        assertThrows(ModificationDetectionException.class, () -> {
+            Streams.pipeAll(decryptionStream, out);
+            decryptionStream.close();
+        });
     }
 
     @TestTemplate

From 6fd705b1dc6de71ea78939d6a1edeae03dfb39cd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Oct 2022 00:53:50 +0200
Subject: [PATCH 0730/1450] Fix checkstyle issues

---
 .../decryption_verification/DecryptionStreamFactory.java     | 1 -
 .../decryption_verification/OpenPgpMessageInputStream.java   | 5 ++---
 .../InvestigateMultiSEIPMessageHandlingTest.java             | 2 --
 .../PreventDecryptionUsingNonEncryptionKeyTest.java          | 2 --
 4 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 680f33e4..5e6b2aec 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -40,7 +40,6 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
-import org.graalvm.compiler.lir.amd64.AMD64BinaryConsumer;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 54172e7f..37ccff37 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -29,7 +29,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
@@ -795,7 +794,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             boolean finished;
             boolean valid;
 
-            public DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
+            DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
                 this.signature = signature;
                 this.certificate = certificate;
                 this.keyId = keyId;
@@ -844,7 +843,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             boolean finished;
             boolean valid;
 
-            public OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
+            OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
                 this.opSignature = signature;
                 this.certificate = certificate;
                 this.keyId = keyId;
diff --git a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
index d31a0e0f..a0ea747a 100644
--- a/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
+++ b/pgpainless-core/src/test/java/investigations/InvestigateMultiSEIPMessageHandlingTest.java
@@ -4,8 +4,6 @@
 
 package investigations;
 
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayInputStream;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
index 7474301b..ba80c69d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
@@ -8,8 +8,6 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.EOFException;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 

From 7097d449169283751471631f5969d50ee2e41e60 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Oct 2022 02:47:11 +0200
Subject: [PATCH 0731/1450] Fix NPEs and expose decryption keys

---
 .../MessageMetadata.java                      | 20 +++++++++++++
 .../OpenPgpMessageInputStream.java            | 30 ++++++++++++-------
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 2cd2a6f2..1be47112 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -7,6 +7,7 @@ package org.pgpainless.decryption_verification;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.SessionKey;
 
 import javax.annotation.Nonnull;
@@ -182,6 +183,24 @@ public class MessageMetadata {
         return (LiteralData) nested;
     }
 
+    public SubkeyIdentifier getDecryptionKey() {
+        Iterator iterator = new LayerIterator(message) {
+            @Override
+            public boolean matches(Nested layer) {
+                return layer instanceof EncryptedData;
+            }
+
+            @Override
+            public SubkeyIdentifier getProperty(Layer last) {
+                return ((EncryptedData) last).decryptionKey;
+            }
+        };
+        if (iterator.hasNext()) {
+            return iterator.next();
+        }
+        return null;
+    }
+
     public abstract static class Layer {
         protected final List verifiedDetachedSignatures = new ArrayList<>();
         protected final List rejectedDetachedSignatures = new ArrayList<>();
@@ -309,6 +328,7 @@ public class MessageMetadata {
 
     public static class EncryptedData extends Layer implements Nested {
         protected final SymmetricKeyAlgorithm algorithm;
+        protected SubkeyIdentifier decryptionKey;
         protected SessionKey sessionKey;
         protected List recipients;
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 37ccff37..944ce6e4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -334,6 +334,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                         SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeys, decryptionKey.getKeyID());
                 encryptedData.sessionKey = sessionKey;
 
                 IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
@@ -361,6 +362,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                             SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                    encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeyCandidate.getA(), privateKey.getKeyID());
                     encryptedData.sessionKey = sessionKey;
 
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
@@ -560,8 +562,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         final List correspondingSignatures;
         boolean isLiteral = true;
 
-        final List verified = new ArrayList<>();
-
         private Signatures(ConsumerOptions options) {
             this.options = options;
             this.detachedSignatures = new ArrayList<>();
@@ -580,24 +580,33 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         void addDetachedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
-            initialize(signature, certificate, keyId);
-            this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+
+            if (certificate != null) {
+                initialize(signature, certificate, keyId);
+                this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+            }
         }
 
         void addPrependedSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
-            initialize(signature, certificate, keyId);
-            this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+
+            if (certificate != null) {
+                initialize(signature, certificate, keyId);
+                this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+            }
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
-            OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID());
-            ops.init(certificate);
-            onePassSignatures.add(ops);
 
-            literalOPS.add(ops);
+            if (certificate != null) {
+                OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID());
+                ops.init(certificate);
+                onePassSignatures.add(ops);
+
+                literalOPS.add(ops);
+            }
             if (signature.isContaining()) {
                 enterNesting();
             }
@@ -898,6 +907,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         resultBuilder.setFileName(m.getFilename());
         resultBuilder.setFileEncoding(m.getFormat());
         resultBuilder.setSessionKey(m.getSessionKey());
+        resultBuilder.setDecryptionKey(m.getDecryptionKey());
 
         for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
             resultBuilder.addVerifiedDetachedSignature(accepted);

From dfbb01d61cc063ff849d64aa7f21441a7c9facd9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Oct 2022 15:55:47 +0200
Subject: [PATCH 0732/1450] Enfore max recursion depth and fix CRC test

---
 .../MessageMetadata.java                      | 19 ++++++++-
 .../OpenPgpMessageInputStream.java            | 39 ++++++++++++++++---
 .../org/bouncycastle/AsciiArmorCRCTests.java  | 20 +++++-----
 .../MessageMetadataTest.java                  |  6 +--
 .../RecursionDepthTest.java                   |  4 +-
 5 files changed, 66 insertions(+), 22 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 1be47112..59f8052a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -7,6 +7,7 @@ package org.pgpainless.decryption_verification;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.SessionKey;
 
@@ -202,6 +203,8 @@ public class MessageMetadata {
     }
 
     public abstract static class Layer {
+        public static final int MAX_LAYER_DEPTH = 16;
+        protected final int depth;
         protected final List verifiedDetachedSignatures = new ArrayList<>();
         protected final List rejectedDetachedSignatures = new ArrayList<>();
         protected final List verifiedOnePassSignatures = new ArrayList<>();
@@ -210,6 +213,13 @@ public class MessageMetadata {
         protected final List rejectedPrependedSignatures = new ArrayList<>();
         protected Nested child;
 
+        public Layer(int depth) {
+            this.depth = depth;
+            if (depth > MAX_LAYER_DEPTH) {
+                throw new MalformedOpenPgpMessageException("Maximum nesting depth exceeded.");
+            }
+        }
+
         public Nested getChild() {
             return child;
         }
@@ -274,6 +284,9 @@ public class MessageMetadata {
 
     public static class Message extends Layer {
 
+        public Message() {
+            super(0);
+        }
     }
 
     public static class LiteralData implements Nested {
@@ -312,7 +325,8 @@ public class MessageMetadata {
     public static class CompressedData extends Layer implements Nested {
         protected final CompressionAlgorithm algorithm;
 
-        public CompressedData(CompressionAlgorithm zip) {
+        public CompressedData(CompressionAlgorithm zip, int depth) {
+            super(depth);
             this.algorithm = zip;
         }
 
@@ -332,7 +346,8 @@ public class MessageMetadata {
         protected SessionKey sessionKey;
         protected List recipients;
 
-        public EncryptedData(SymmetricKeyAlgorithm algorithm) {
+        public EncryptedData(SymmetricKeyAlgorithm algorithm, int depth) {
+            super(depth);
             this.algorithm = algorithm;
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 944ce6e4..f5ed556a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -15,6 +15,7 @@ import java.util.List;
 import java.util.Stack;
 import javax.annotation.Nonnull;
 
+import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPEncryptedData;
@@ -56,6 +57,7 @@ import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.SignatureValidator;
+import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
 import org.pgpainless.util.Tuple;
@@ -91,7 +93,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                                      @Nonnull ConsumerOptions options,
                                      @Nonnull Policy policy)
             throws PGPException, IOException {
-        this(inputStream, options, new MessageMetadata.Message(), policy);
+        this(prepareInputStream(inputStream, options), options, new MessageMetadata.Message(), policy);
     }
 
     protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
@@ -118,6 +120,26 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         consumePackets();
     }
 
+    private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options) throws IOException {
+        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
+        openPgpIn.reset();
+
+        if (openPgpIn.isBinaryOpenPgp()) {
+            return openPgpIn;
+        }
+
+        if (openPgpIn.isAsciiArmored()) {
+            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
+            if (armorIn.isClearText()) {
+                return armorIn;
+            } else {
+                return armorIn;
+            }
+        } else {
+            return openPgpIn;
+        }
+    }
+
     /**
      * Consume OpenPGP packets from the current {@link BCPGInputStream}.
      * Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
@@ -219,7 +241,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         signatures.enterNesting();
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
-                CompressionAlgorithm.fromId(compressedData.getAlgorithm()));
+                CompressionAlgorithm.fromId(compressedData.getAlgorithm()),
+                metadata.depth + 1);
         InputStream decompressed = compressedData.getDataStream();
         nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer, policy);
     }
@@ -262,7 +285,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getSessionKeyDataDecryptorFactory(sessionKey);
-            MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
+            MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                    sessionKey.getAlgorithm(), metadata.depth + 1);
 
             try {
                 // TODO: Use BCs new API once shipped
@@ -301,7 +325,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
                     SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
                     throwIfUnacceptable(sessionKey.getAlgorithm());
-                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(sessionKey.getAlgorithm());
+                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                            sessionKey.getAlgorithm(), metadata.depth + 1);
                     encryptedData.sessionKey = sessionKey;
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
@@ -333,7 +358,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 throwIfUnacceptable(sessionKey.getAlgorithm());
 
                 MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                        SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                        SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
+                        metadata.depth + 1);
                 encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeys, decryptionKey.getKeyID());
                 encryptedData.sessionKey = sessionKey;
 
@@ -361,7 +387,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     throwIfUnacceptable(sessionKey.getAlgorithm());
 
                     MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                            SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)));
+                            SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
+                            metadata.depth + 1);
                     encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeyCandidate.getA(), privateKey.getKeyID());
                     encryptedData.sessionKey = sessionKey;
 
diff --git a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java
index c3af0bd6..f9bd7a61 100644
--- a/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java
+++ b/pgpainless-core/src/test/java/org/bouncycastle/AsciiArmorCRCTests.java
@@ -489,7 +489,7 @@ public class AsciiArmorCRCTests {
     Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests");
 
     @Test
-    public void testInvalidArmorCRCThrowsOnClose() throws PGPException, IOException {
+    public void testInvalidArmorCRCThrowsOnClose() throws IOException {
         String message = "-----BEGIN PGP MESSAGE-----\n" +
                 "Version: FlowCrypt 5.0.4 Gmail Encryption flowcrypt.com\n" +
                 "Comment: Seamlessly send, receive and search encrypted email\n" +
@@ -542,14 +542,16 @@ public class AsciiArmorCRCTests {
                 "-----END PGP MESSAGE-----\n";
 
         PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(ASCII_KEY);
-        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
-                .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)))
-                .withOptions(new ConsumerOptions().addDecryptionKey(
-                        key, SecretKeyRingProtector.unlockAnyKeyWith(passphrase)
-                ));
+        assertThrows(IOException.class, () -> {
+            DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                    .onInputStream(new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8)))
+                    .withOptions(new ConsumerOptions().addDecryptionKey(
+                            key, SecretKeyRingProtector.unlockAnyKeyWith(passphrase)
+                    ));
 
-        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-        Streams.pipeAll(decryptionStream, outputStream);
-        assertThrows(IOException.class, decryptionStream::close);
+            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+            Streams.pipeAll(decryptionStream, outputStream);
+            decryptionStream.close();
+        });
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
index 9f887eb9..d87fc6bf 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
@@ -28,9 +28,9 @@ public class MessageMetadataTest {
         //  For the sake of testing though, this is okay.
         MessageMetadata.Message message = new MessageMetadata.Message();
 
-        MessageMetadata.CompressedData compressedData = new MessageMetadata.CompressedData(CompressionAlgorithm.ZIP);
-        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_128);
-        MessageMetadata.EncryptedData encryptedData1 = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_256);
+        MessageMetadata.CompressedData compressedData = new MessageMetadata.CompressedData(CompressionAlgorithm.ZIP, message.depth + 1);
+        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_128, compressedData.depth + 1);
+        MessageMetadata.EncryptedData encryptedData1 = new MessageMetadata.EncryptedData(SymmetricKeyAlgorithm.AES_256, encryptedData.depth + 1);
         MessageMetadata.LiteralData literalData = new MessageMetadata.LiteralData();
 
         message.setChild(compressedData);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java
index b253cf7f..52c5a906 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RecursionDepthTest.java
@@ -11,12 +11,12 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 
-import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.TestTemplate;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.pgpainless.PGPainless;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.util.TestAllImplementations;
 
 public class RecursionDepthTest {
@@ -143,7 +143,7 @@ public class RecursionDepthTest {
                 "-----END PGP ARMORED FILE-----\n";
 
 
-        assertThrows(PGPException.class, () -> {
+        assertThrows(MalformedOpenPgpMessageException.class, () -> {
             DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
                     .onInputStream(new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8)))
                     .withOptions(new ConsumerOptions().addDecryptionKey(secretKey));

From d3f07a2250d13eab224efc6d08b1c4c5ebebeac9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 14:05:21 +0200
Subject: [PATCH 0733/1450] Reuse *SignatureCheck class

---
 .../DecryptionStreamFactory.java              |  16 +-
 .../OpenPgpMessageInputStream.java            | 391 +++++++-----------
 .../SignatureInputStream.java                 |  12 +-
 ...ignatureCheck.java => SignatureCheck.java} |   6 +-
 4 files changed, 170 insertions(+), 255 deletions(-)
 rename pgpainless-core/src/main/java/org/pgpainless/signature/consumer/{DetachedSignatureCheck.java => SignatureCheck.java} (90%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 5e6b2aec..0739eb19 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -60,7 +60,7 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.SignatureUtils;
-import org.pgpainless.signature.consumer.DetachedSignatureCheck;
+import org.pgpainless.signature.consumer.SignatureCheck;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
@@ -79,7 +79,7 @@ public final class DecryptionStreamFactory {
     private final ConsumerOptions options;
     private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
     private final List onePassSignatureChecks = new ArrayList<>();
-    private final List detachedSignatureChecks = new ArrayList<>();
+    private final List signatureChecks = new ArrayList<>();
     private final Map onePassSignaturesWithMissingCert = new HashMap<>();
 
     private static final PGPContentVerifierBuilderProvider verifierBuilderProvider =
@@ -88,7 +88,7 @@ public final class DecryptionStreamFactory {
 
 
     public static DecryptionStream create(@Nonnull InputStream inputStream,
-                                              @Nonnull ConsumerOptions options)
+                                          @Nonnull ConsumerOptions options)
             throws PGPException, IOException {
         OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(inputStream);
         openPgpInputStream.reset();
@@ -134,9 +134,9 @@ public final class DecryptionStreamFactory {
             SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
             try {
                 signature.init(verifierBuilderProvider, signingKey);
-                DetachedSignatureCheck detachedSignature =
-                        new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
-                detachedSignatureChecks.add(detachedSignature);
+                SignatureCheck detachedSignature =
+                        new SignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
+                signatureChecks.add(detachedSignature);
             } catch (PGPException e) {
                 SignatureValidationException ex = new SignatureValidationException(
                         "Cannot verify detached signature made by " + signingKeyIdentifier + ".", e);
@@ -212,7 +212,7 @@ public final class DecryptionStreamFactory {
     private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
         return new SignatureInputStream.VerifySignatures(
                 bufferedIn, objectFactory, onePassSignatureChecks,
-                onePassSignaturesWithMissingCert, detachedSignatureChecks, options,
+                onePassSignaturesWithMissingCert, signatureChecks, options,
                 resultBuilder);
     }
 
@@ -348,7 +348,7 @@ public final class DecryptionStreamFactory {
         }
 
         return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory,
-                onePassSignatureChecks, onePassSignaturesWithMissingCert, detachedSignatureChecks, options, resultBuilder) {
+                onePassSignatureChecks, onePassSignaturesWithMissingCert, signatureChecks, options, resultBuilder) {
         };
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index f5ed556a..101a60c8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -5,7 +5,6 @@
 package org.pgpainless.decryption_verification;
 
 import java.io.BufferedInputStream;
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -31,6 +30,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
@@ -44,6 +44,8 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.automaton.InputAlphabet;
 import org.pgpainless.decryption_verification.automaton.PDA;
 import org.pgpainless.decryption_verification.automaton.StackAlphabet;
+import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
+import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -56,7 +58,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
-import org.pgpainless.signature.consumer.SignatureValidator;
+import org.pgpainless.signature.consumer.OnePassSignatureCheck;
+import org.pgpainless.signature.consumer.SignatureCheck;
+import org.pgpainless.signature.consumer.SignatureVerifier;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
@@ -93,7 +97,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                                      @Nonnull ConsumerOptions options,
                                      @Nonnull Policy policy)
             throws PGPException, IOException {
-        this(prepareInputStream(inputStream, options), options, new MessageMetadata.Message(), policy);
+        this(
+                prepareInputStream(inputStream, options, policy),
+                options, new MessageMetadata.Message(), policy);
     }
 
     protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
@@ -120,7 +126,20 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         consumePackets();
     }
 
-    private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options) throws IOException {
+    protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+                                 @Nonnull Policy policy,
+                                 @Nonnull ConsumerOptions options) {
+        super(OpenPgpMetadata.getBuilder());
+        this.policy = policy;
+        this.options = options;
+        this.metadata = new MessageMetadata.Message();
+        this.signatures = new Signatures(options);
+        this.signatures.addDetachedSignatures(options.getDetachedSignatures());
+        this.packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
+    }
+
+    private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options, Policy policy)
+            throws IOException, PGPException {
         OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
         openPgpIn.reset();
 
@@ -131,7 +150,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         if (openPgpIn.isAsciiArmored()) {
             ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
             if (armorIn.isClearText()) {
-                return armorIn;
+                return parseCleartextSignedMessage(armorIn, options, policy);
             } else {
                 return armorIn;
             }
@@ -140,6 +159,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
     }
 
+    private static DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn, ConsumerOptions options, Policy policy)
+            throws IOException, PGPException {
+        MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
+        PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
+
+        for (PGPSignature signature : signatures) {
+            options.addVerificationOfDetachedSignature(signature);
+        }
+
+        options.forceNonOpenPgpData();
+        return new OpenPgpMessageInputStream(multiPassStrategy.getMessageInputStream(), policy, options);
+    }
+
     /**
      * Consume OpenPGP packets from the current {@link BCPGInputStream}.
      * Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
@@ -575,17 +607,58 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
     }
 
+    @Override
+    public OpenPgpMetadata getResult() {
+        MessageMetadata m = getMetadata();
+        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
+        resultBuilder.setModificationDate(m.getModificationDate());
+        resultBuilder.setFileName(m.getFilename());
+        resultBuilder.setFileEncoding(m.getFormat());
+        resultBuilder.setSessionKey(m.getSessionKey());
+        resultBuilder.setDecryptionKey(m.getDecryptionKey());
+
+        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
+            resultBuilder.addVerifiedDetachedSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
+            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
+            resultBuilder.addVerifiedInbandSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
+            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        return resultBuilder.build();
+    }
+
+    static void log(String message) {
+        LOGGER.debug(message);
+        // CHECKSTYLE:OFF
+        System.out.println(message);
+        // CHECKSTYLE:ON
+    }
+
+    static void log(String message, Throwable e) {
+        log(message);
+        // CHECKSTYLE:OFF
+        e.printStackTrace();
+        // CHECKSTYLE:ON
+    }
+
     // In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
     // In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
     // Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
     // Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
     private static final class Signatures extends OutputStream {
         final ConsumerOptions options;
-        final List detachedSignatures;
-        final List prependedSignatures;
-        final List onePassSignatures;
-        final Stack> opsUpdateStack;
-        List literalOPS = new ArrayList<>();
+        final List detachedSignatures;
+        final List prependedSignatures;
+        final List onePassSignatures;
+        final Stack> opsUpdateStack;
+        List literalOPS = new ArrayList<>();
         final List correspondingSignatures;
         boolean isLiteral = true;
 
@@ -605,31 +678,37 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         void addDetachedSignature(PGPSignature signature) {
-            long keyId = SignatureUtils.determineIssuerKeyId(signature);
-            PGPPublicKeyRing certificate = findCertificate(keyId);
-
-            if (certificate != null) {
-                initialize(signature, certificate, keyId);
-                this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+            SignatureCheck check = initializeSignature(signature);
+            if (check != null) {
+                detachedSignatures.add(check);
             }
         }
 
         void addPrependedSignature(PGPSignature signature) {
+            SignatureCheck check = initializeSignature(signature);
+            if (check != null) {
+                this.prependedSignatures.add(check);
+            }
+        }
+
+        SignatureCheck initializeSignature(PGPSignature signature) {
             long keyId = SignatureUtils.determineIssuerKeyId(signature);
             PGPPublicKeyRing certificate = findCertificate(keyId);
-
-            if (certificate != null) {
-                initialize(signature, certificate, keyId);
-                this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
+            if (certificate == null) {
+                return null;
             }
+
+            SubkeyIdentifier verifierKey = new SubkeyIdentifier(certificate, keyId);
+            initialize(signature, certificate, keyId);
+            return new SignatureCheck(signature, certificate, verifierKey);
         }
 
         void addOnePassSignature(PGPOnePassSignature signature) {
             PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
 
             if (certificate != null) {
-                OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID());
-                ops.init(certificate);
+                OnePassSignatureCheck ops = new OnePassSignatureCheck(signature, certificate);
+                initialize(signature, certificate);
                 onePassSignatures.add(ops);
 
                 literalOPS.add(ops);
@@ -641,40 +720,29 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
             for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
-                OnePassSignature onePassSignature = onePassSignatures.get(i);
-                if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) {
-                    continue;
-                }
-                if (onePassSignature.finished) {
+                OnePassSignatureCheck onePassSignature = onePassSignatures.get(i);
+                if (onePassSignature.getOnePassSignature().getKeyID() != signature.getKeyID()) {
                     continue;
                 }
 
-                boolean correct = onePassSignature.verify(signature);
+                if (onePassSignature.getSignature() != null) {
+                    continue;
+                }
+
+                onePassSignature.setSignature(signature);
                 SignatureVerification verification = new SignatureVerification(signature,
-                        new SubkeyIdentifier(onePassSignature.certificate, onePassSignature.keyId));
-                if (correct) {
-                    PGPPublicKey signingKey = onePassSignature.certificate.getPublicKey(onePassSignature.keyId);
-                    try {
-                        checkSignatureValidity(signature, signingKey, policy);
-                        layer.addVerifiedOnePassSignature(verification);
-                    } catch (SignatureValidationException e) {
-                        layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
-                    }
-                } else {
-                    layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification,
-                            new SignatureValidationException("Bad Signature.")));
+                        new SubkeyIdentifier(onePassSignature.getVerificationKeys(), onePassSignature.getOnePassSignature().getKeyID()));
+
+                try {
+                    SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
+                    layer.addVerifiedOnePassSignature(verification);
+                } catch (SignatureValidationException e) {
+                    layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
                 }
                 break;
             }
         }
 
-        boolean checkSignatureValidity(PGPSignature signature, PGPPublicKey signingKey, Policy policy) throws SignatureValidationException {
-            SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
-            SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
-            SignatureValidator.signatureIsEffective().verify(signature);
-            return true;
-        }
-
         void enterNesting() {
             opsUpdateStack.push(literalOPS);
             literalOPS = new ArrayList<>();
@@ -718,85 +786,75 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         public void updateLiteral(byte b) {
-            for (OnePassSignature ops : literalOPS) {
-                ops.update(b);
+            for (OnePassSignatureCheck ops : literalOPS) {
+                ops.getOnePassSignature().update(b);
             }
 
-            for (DetachedOrPrependedSignature detached : detachedSignatures) {
-                detached.update(b);
+            for (SignatureCheck detached : detachedSignatures) {
+                detached.getSignature().update(b);
             }
 
-            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
-                prepended.update(b);
+            for (SignatureCheck prepended : prependedSignatures) {
+                prepended.getSignature().update(b);
             }
         }
 
         public void updateLiteral(byte[] b, int off, int len) {
-            for (OnePassSignature ops : literalOPS) {
-                ops.update(b, off, len);
+            for (OnePassSignatureCheck ops : literalOPS) {
+                ops.getOnePassSignature().update(b, off, len);
             }
 
-            for (DetachedOrPrependedSignature detached : detachedSignatures) {
-                detached.update(b, off, len);
+            for (SignatureCheck detached : detachedSignatures) {
+                detached.getSignature().update(b, off, len);
             }
 
-            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
-                prepended.update(b, off, len);
+            for (SignatureCheck prepended : prependedSignatures) {
+                prepended.getSignature().update(b, off, len);
             }
         }
 
         public void updatePacket(byte b) {
             for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
-                List nestedOPSs = opsUpdateStack.get(i);
-                for (OnePassSignature ops : nestedOPSs) {
-                    ops.update(b);
+                List nestedOPSs = opsUpdateStack.get(i);
+                for (OnePassSignatureCheck ops : nestedOPSs) {
+                    ops.getOnePassSignature().update(b);
                 }
             }
         }
 
         public void updatePacket(byte[] buf, int off, int len) {
             for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
-                List nestedOPSs = opsUpdateStack.get(i);
-                for (OnePassSignature ops : nestedOPSs) {
-                    ops.update(buf, off, len);
+                List nestedOPSs = opsUpdateStack.get(i);
+                for (OnePassSignatureCheck ops : nestedOPSs) {
+                    ops.getOnePassSignature().update(buf, off, len);
                 }
             }
         }
 
         public void finish(MessageMetadata.Layer layer, Policy policy) {
-            for (DetachedOrPrependedSignature detached : detachedSignatures) {
-                boolean correct = detached.verify();
-                SignatureVerification verification = new SignatureVerification(
-                        detached.signature, new SubkeyIdentifier(detached.certificate, detached.keyId));
-                if (correct) {
-                    try {
-                        PGPPublicKey signingKey = detached.certificate.getPublicKey(detached.keyId);
-                        checkSignatureValidity(detached.signature, signingKey, policy);
-                        layer.addVerifiedDetachedSignature(verification);
-                    } catch (SignatureValidationException e) {
-                        layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
-                    }
-                } else {
-                    layer.addRejectedDetachedSignature(new SignatureVerification.Failure(
-                            verification, new SignatureValidationException("Incorrect Signature.")));
+            for (SignatureCheck detached : detachedSignatures) {
+                SignatureVerification verification = new SignatureVerification(detached.getSignature(), detached.getSigningKeyIdentifier());
+                try {
+                    SignatureVerifier.verifyInitializedSignature(
+                            detached.getSignature(),
+                            detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
+                            policy, detached.getSignature().getCreationTime());
+                    layer.addVerifiedDetachedSignature(verification);
+                } catch (SignatureValidationException e) {
+                    layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
                 }
             }
 
-            for (DetachedOrPrependedSignature prepended : prependedSignatures) {
-                boolean correct = prepended.verify();
-                SignatureVerification verification = new SignatureVerification(
-                        prepended.signature, new SubkeyIdentifier(prepended.certificate, prepended.keyId));
-                if (correct) {
-                    try {
-                        PGPPublicKey signingKey = prepended.certificate.getPublicKey(prepended.keyId);
-                        checkSignatureValidity(prepended.signature, signingKey, policy);
-                        layer.addVerifiedPrependedSignature(verification);
-                    } catch (SignatureValidationException e) {
-                        layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
-                    }
-                } else {
-                    layer.addRejectedPrependedSignature(new SignatureVerification.Failure(
-                            verification, new SignatureValidationException("Incorrect Signature.")));
+            for (SignatureCheck prepended : prependedSignatures) {
+                SignatureVerification verification = new SignatureVerification(prepended.getSignature(), prepended.getSigningKeyIdentifier());
+                try {
+                    SignatureVerifier.verifyInitializedSignature(
+                            prepended.getSignature(),
+                            prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),
+                            policy, prepended.getSignature().getCreationTime());
+                    layer.addVerifiedPrependedSignature(verification);
+                } catch (SignatureValidationException e) {
+                    layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
                 }
             }
         }
@@ -822,148 +880,5 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
-        static class DetachedOrPrependedSignature {
-            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-            PGPSignature signature;
-            PGPPublicKeyRing certificate;
-            long keyId;
-            boolean finished;
-            boolean valid;
-
-            DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
-                this.signature = signature;
-                this.certificate = certificate;
-                this.keyId = keyId;
-            }
-
-            public void init(PGPPublicKeyRing certificate) {
-                initialize(signature, certificate, signature.getKeyID());
-            }
-
-            public boolean verify() {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-                finished = true;
-                try {
-                    valid = this.signature.verify();
-                } catch (PGPException e) {
-                    log("Cannot verify SIG " + signature.getKeyID());
-                }
-                return valid;
-            }
-
-            public void update(byte b) {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-                signature.update(b);
-                bytes.write(b);
-            }
-
-            public void update(byte[] bytes, int off, int len) {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-                signature.update(bytes, off, len);
-                this.bytes.write(bytes, off, len);
-            }
-        }
-
-        static class OnePassSignature {
-            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-            PGPOnePassSignature opSignature;
-            PGPSignature signature;
-            PGPPublicKeyRing certificate;
-            long keyId;
-            boolean finished;
-            boolean valid;
-
-            OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
-                this.opSignature = signature;
-                this.certificate = certificate;
-                this.keyId = keyId;
-            }
-
-            public void init(PGPPublicKeyRing certificate) {
-                initialize(opSignature, certificate);
-            }
-
-            public boolean verify(PGPSignature signature) {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-
-                if (this.opSignature.getKeyID() != signature.getKeyID()) {
-                    // nope
-                    return false;
-                }
-                this.signature = signature;
-                finished = true;
-                try {
-                    valid = this.opSignature.verify(signature);
-                } catch (PGPException e) {
-                    log("Cannot verify OPS " + signature.getKeyID());
-                }
-                return valid;
-            }
-
-            public void update(byte b) {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-                opSignature.update(b);
-                bytes.write(b);
-            }
-
-            public void update(byte[] bytes, int off, int len) {
-                if (finished) {
-                    throw new IllegalStateException("Already finished.");
-                }
-                opSignature.update(bytes, off, len);
-                this.bytes.write(bytes, off, len);
-            }
-        }
-    }
-
-    @Override
-    public OpenPgpMetadata getResult() {
-        MessageMetadata m = getMetadata();
-        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
-        resultBuilder.setModificationDate(m.getModificationDate());
-        resultBuilder.setFileName(m.getFilename());
-        resultBuilder.setFileEncoding(m.getFormat());
-        resultBuilder.setSessionKey(m.getSessionKey());
-        resultBuilder.setDecryptionKey(m.getDecryptionKey());
-
-        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
-            resultBuilder.addVerifiedDetachedSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
-            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
-            resultBuilder.addVerifiedInbandSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
-            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        return resultBuilder.build();
-    }
-
-    static void log(String message) {
-        LOGGER.debug(message);
-        // CHECKSTYLE:OFF
-        System.out.println(message);
-        // CHECKSTYLE:ON
-    }
-
-    static void log(String message, Throwable e) {
-        log(message);
-        // CHECKSTYLE:OFF
-        e.printStackTrace();
-        // CHECKSTYLE:ON
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
index 275acc17..70a2f4ef 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
@@ -22,7 +22,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.exception.SignatureValidationException;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.consumer.CertificateValidator;
-import org.pgpainless.signature.consumer.DetachedSignatureCheck;
+import org.pgpainless.signature.consumer.SignatureCheck;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
 import org.pgpainless.signature.SignatureUtils;
 import org.slf4j.Logger;
@@ -41,7 +41,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
         private final PGPObjectFactory objectFactory;
         private final List opSignatures;
         private final Map opSignaturesWithMissingCert;
-        private final List detachedSignatures;
+        private final List detachedSignatures;
         private final ConsumerOptions options;
         private final OpenPgpMetadata.Builder resultBuilder;
 
@@ -50,7 +50,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
                 @Nullable PGPObjectFactory objectFactory,
                 List opSignatures,
                 Map onePassSignaturesWithMissingCert,
-                List detachedSignatures,
+                List detachedSignatures,
                 ConsumerOptions options,
                 OpenPgpMetadata.Builder resultBuilder) {
             super(literalDataStream);
@@ -170,7 +170,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
 
         private void verifyDetachedSignatures() {
             Policy policy = PGPainless.getPolicy();
-            for (DetachedSignatureCheck s : detachedSignatures) {
+            for (SignatureCheck s : detachedSignatures) {
                 try {
                     signatureWasCreatedInBounds(options.getVerifyNotBefore(),
                             options.getVerifyNotAfter()).verify(s.getSignature());
@@ -200,13 +200,13 @@ public abstract class SignatureInputStream extends FilterInputStream {
         }
 
         private void updateDetachedSignatures(byte b) {
-            for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
+            for (SignatureCheck detachedSignature : detachedSignatures) {
                 detachedSignature.getSignature().update(b);
             }
         }
 
         private void updateDetachedSignatures(byte[] b, int off, int read) {
-            for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
+            for (SignatureCheck detachedSignature : detachedSignatures) {
                 detachedSignature.getSignature().update(b, off, read);
             }
         }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCheck.java
similarity index 90%
rename from pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
rename to pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCheck.java
index a431c5de..bc9f1f0b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCheck.java
@@ -13,19 +13,19 @@ import org.pgpainless.key.SubkeyIdentifier;
  * Tuple-class which bundles together a signature, the signing key that created the signature,
  * an identifier of the signing key and a record of whether the signature was verified.
  */
-public class DetachedSignatureCheck {
+public class SignatureCheck {
     private final PGPSignature signature;
     private final PGPKeyRing signingKeyRing;
     private final SubkeyIdentifier signingKeyIdentifier;
 
     /**
-     * Create a new {@link DetachedSignatureCheck} object.
+     * Create a new {@link SignatureCheck} object.
      *
      * @param signature signature
      * @param signingKeyRing signing key that created the signature
      * @param signingKeyIdentifier identifier of the used signing key
      */
-    public DetachedSignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) {
+    public SignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) {
         this.signature = signature;
         this.signingKeyRing = signingKeyRing;
         this.signingKeyIdentifier = signingKeyIdentifier;

From 7da34c8329badb17e243dc4ebb937d480164822b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 15:35:15 +0200
Subject: [PATCH 0734/1450] Work on postponed keys

---
 .../OpenPgpMessageInputStream.java            | 121 +++++++++++++++---
 1 file changed, 104 insertions(+), 17 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 101a60c8..dfb0df91 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -10,7 +10,9 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.Stack;
 import javax.annotation.Nonnull;
 
@@ -49,6 +51,7 @@ import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStra
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
+import org.pgpainless.exception.MissingPassphraseException;
 import org.pgpainless.exception.SignatureValidationException;
 import org.pgpainless.exception.UnacceptableAlgorithmException;
 import org.pgpainless.implementation.ImplementationFactory;
@@ -60,6 +63,7 @@ import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
 import org.pgpainless.signature.consumer.SignatureCheck;
+import org.pgpainless.signature.consumer.SignatureValidator;
 import org.pgpainless.signature.consumer.SignatureVerifier;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
@@ -127,8 +131,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
-                                 @Nonnull Policy policy,
-                                 @Nonnull ConsumerOptions options) {
+                                        @Nonnull Policy policy,
+                                        @Nonnull ConsumerOptions options) {
         super(OpenPgpMetadata.getBuilder());
         this.policy = policy;
         this.options = options;
@@ -371,6 +375,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
+        List> postponedDueToMissingPassphrase = new ArrayList<>();
         // Try (known) secret keys
         for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
             long keyId = pkesk.getKeyID();
@@ -378,7 +383,15 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             if (decryptionKeys == null) {
                 continue;
             }
+            PGPSecretKey secretKey = decryptionKeys.getSecretKey(keyId);
+
             SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
+            // Postpone keys with missing passphrase
+            if (!protector.hasPassphraseFor(keyId)) {
+                postponedDueToMissingPassphrase.add(new Tuple<>(secretKey, pkesk));
+                continue;
+            }
+
             PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
             PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
 
@@ -408,7 +421,12 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // try anonymous secret keys
         for (PGPPublicKeyEncryptedData pkesk : esks.anonPkesks) {
             for (Tuple decryptionKeyCandidate : findPotentialDecryptionKeys(pkesk)) {
+                PGPSecretKey secretKey = decryptionKeyCandidate.getB();
                 SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
+                if (!protector.hasPassphraseFor(secretKey.getKeyID())) {
+                    postponedDueToMissingPassphrase.add(new Tuple<>(secretKey, pkesk));
+                    continue;
+                }
                 PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
                 PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPublicKeyDataDecryptorFactory(privateKey);
@@ -433,10 +451,64 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
         }
 
+        if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.THROW_EXCEPTION) {
+            // Non-interactive mode: Throw an exception with all locked decryption keys
+            Set keyIds = new HashSet<>();
+            for (Tuple k : postponedDueToMissingPassphrase) {
+                PGPSecretKey key = k.getA();
+                keyIds.add(new SubkeyIdentifier(getDecryptionKey(key.getKeyID()), key.getKeyID()));
+            }
+            if (!keyIds.isEmpty()) {
+                throw new MissingPassphraseException(keyIds);
+            }
+        } else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) {
+            for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                // Interactive mode: Fire protector callbacks to get passphrases interactively
+                for (Tuple missingPassphrases : postponedDueToMissingPassphrase) {
+                    PGPSecretKey secretKey = missingPassphrases.getA();
+                    long keyId = secretKey.getKeyID();
+                    PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
+                    SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
+                    PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(keyId));
+
+                    PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                            .getPublicKeyDataDecryptorFactory(privateKey);
+
+                    try {
+                        InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+                        SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
+                        throwIfUnacceptable(sessionKey.getAlgorithm());
+
+                        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                                SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
+                                metadata.depth + 1);
+                        encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKey, keyId);
+                        encryptedData.sessionKey = sessionKey;
+
+                        IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+                        nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                        return true;
+                    } catch (PGPException e) {
+                        // hm :/
+                    }
+                }
+            }
+        } else {
+            throw new IllegalStateException("Invalid PostponedKeysStrategy set in consumer options.");
+        }
+
         // we did not yet succeed in decrypting any session key :/
         return false;
     }
 
+    private PGPSecretKey getDecryptionKey(PGPSecretKeyRing decryptionKeys, long keyId) {
+        KeyRingInfo info = PGPainless.inspectKeyRing(decryptionKeys);
+        if (info.getEncryptionSubkeys(EncryptionPurpose.ANY).contains(info.getPublicKey(keyId))) {
+            return info.getSecretKey(keyId);
+        }
+        return null;
+    }
+
     private void throwIfUnacceptable(SymmetricKeyAlgorithm algorithm)
             throws UnacceptableAlgorithmException {
         if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) {
@@ -497,10 +569,12 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             collectMetadata();
             nestedInputStream = null;
 
-            try {
-                consumePackets();
-            } catch (PGPException e) {
-                throw new RuntimeException(e);
+            if (packetInputStream != null) {
+                try {
+                    consumePackets();
+                } catch (PGPException e) {
+                    throw new RuntimeException(e);
+                }
             }
             signatures.finish(metadata, policy);
         }
@@ -512,23 +586,26 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             throws IOException {
 
         if (nestedInputStream == null) {
-            automaton.assertValid();
+            if (packetInputStream != null) {
+                automaton.assertValid();
+            }
             return -1;
         }
 
         int r = nestedInputStream.read(b, off, len);
         if (r != -1) {
             signatures.updateLiteral(b, off, r);
-        }
-        else  {
+        } else  {
             nestedInputStream.close();
             collectMetadata();
             nestedInputStream = null;
 
-            try {
-                consumePackets();
-            } catch (PGPException e) {
-                throw new RuntimeException(e);
+            if (packetInputStream != null) {
+                try {
+                    consumePackets();
+                } catch (PGPException e) {
+                    throw new RuntimeException(e);
+                }
             }
             signatures.finish(metadata, policy);
         }
@@ -539,7 +616,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     public void close() throws IOException {
         super.close();
         if (closed) {
-            automaton.assertValid();
+            if (packetInputStream != null) {
+                automaton.assertValid();
+            }
             return;
         }
 
@@ -555,9 +634,11 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             throw new RuntimeException(e);
         }
 
-        automaton.next(InputAlphabet.EndOfSequence);
-        automaton.assertValid();
-        packetInputStream.close();
+        if (packetInputStream != null) {
+            automaton.next(InputAlphabet.EndOfSequence);
+            automaton.assertValid();
+            packetInputStream.close();
+        }
         closed = true;
     }
 
@@ -734,6 +815,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                         new SubkeyIdentifier(onePassSignature.getVerificationKeys(), onePassSignature.getOnePassSignature().getKeyID()));
 
                 try {
+                    SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
+                            .verify(signature);
                     SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
                     layer.addVerifiedOnePassSignature(verification);
                 } catch (SignatureValidationException e) {
@@ -835,6 +918,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             for (SignatureCheck detached : detachedSignatures) {
                 SignatureVerification verification = new SignatureVerification(detached.getSignature(), detached.getSigningKeyIdentifier());
                 try {
+                    SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
+                            .verify(detached.getSignature());
                     SignatureVerifier.verifyInitializedSignature(
                             detached.getSignature(),
                             detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
@@ -848,6 +933,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             for (SignatureCheck prepended : prependedSignatures) {
                 SignatureVerification verification = new SignatureVerification(prepended.getSignature(), prepended.getSigningKeyIdentifier());
                 try {
+                    SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
+                            .verify(prepended.getSignature());
                     SignatureVerifier.verifyInitializedSignature(
                             prepended.getSignature(),
                             prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),

From d39d062a0df05b9a4b67ec6d4bb55a56e6cff334 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 21 Sep 2022 15:03:45 +0200
Subject: [PATCH 0735/1450] WIP: Explore Hardware Decryption

---
 .../ConsumerOptions.java                      |  6 +++
 .../HardwareSecurity.java                     | 27 +++++++++++++
 .../HardwareSecurityCallbackTest.java         | 39 +++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index b6117a60..d57eff48 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -48,6 +48,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
+    private HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = null;
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();
@@ -238,6 +239,11 @@ public class ConsumerOptions {
         return this;
     }
 
+    public ConsumerOptions setHardwareDecryptionCallback(HardwareSecurity.DecryptionCallback callback) {
+        this.hardwareDecryptionCallback = callback;
+        return this;
+    }
+
     public @Nonnull Set getDecryptionKeys() {
         return Collections.unmodifiableSet(decryptionKeys.keySet());
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
new file mode 100644
index 00000000..bea14aef
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -0,0 +1,27 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
+import org.pgpainless.util.SessionKey;
+
+public class HardwareSecurity {
+
+    public interface DecryptionCallback {
+
+        /**
+         * Delegate decryption of a Public-Key-Encrypted-Session-Key (PKESK) to an external API for dealing with
+         * hardware security modules such as smartcards or TPMs.
+         *
+         * If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
+         *
+         * @param pkesk public-key-encrypted session key
+         * @return decrypted session key
+         * @throws HardwareSecurityException exception
+         */
+        SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurityException;
+
+    }
+
+    public static class HardwareSecurityException extends Exception {
+
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java
new file mode 100644
index 00000000..d731277e
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java
@@ -0,0 +1,39 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.util.SessionKey;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+public class HardwareSecurityCallbackTest {
+
+    @Test
+    public void test() throws PGPException, IOException {
+        PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(new byte[0]))
+                .withOptions(ConsumerOptions.get()
+                        .setHardwareDecryptionCallback(new HardwareSecurity.DecryptionCallback() {
+                            @Override
+                            public SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurity.HardwareSecurityException {
+                                /*
+                                pkesk.getSessionKey(new PublicKeyDataDecryptorFactory() {
+                                    @Override
+                                    public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
+                                        return new byte[0];
+                                    }
+
+                                    @Override
+                                    public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key) throws PGPException {
+                                        return null;
+                                    }
+                                });
+                                 */
+                                return null;
+                            }
+                        }));
+    }
+}

From 529c64cf43d62d9764d2ffa540a61b88aaafd622 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 23 Sep 2022 16:17:42 +0200
Subject: [PATCH 0736/1450] Implement exploratory support for custom decryption
 factories This may enable decryption of messages with hardware-backed keys

---
 .../ConsumerOptions.java                      | 24 ++++-
 .../DecryptionStreamFactory.java              | 28 ++++++
 .../HardwareSecurity.java                     | 91 ++++++++++++++++++-
 ...stomPublicKeyDataDecryptorFactoryTest.java | 86 ++++++++++++++++++
 .../HardwareSecurityCallbackTest.java         | 39 --------
 5 files changed, 221 insertions(+), 47 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index d57eff48..8f0576ee 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -22,6 +22,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
@@ -48,7 +49,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
-    private HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = null;
+    private Map, PublicKeyDataDecryptorFactory> customPublicKeyDataDecryptorFactories = new HashMap<>();
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();
@@ -239,11 +240,28 @@ public class ConsumerOptions {
         return this;
     }
 
-    public ConsumerOptions setHardwareDecryptionCallback(HardwareSecurity.DecryptionCallback callback) {
-        this.hardwareDecryptionCallback = callback;
+    /**
+     * Add a custom {@link PublicKeyDataDecryptorFactory} which enable decryption of messages, e.g. using
+     * hardware-backed secret keys.
+     * (See e.g. {@link org.pgpainless.decryption_verification.HardwareSecurity.HardwareDataDecryptorFactory}).
+     *
+     * The set of key-ids determines, whether the decryptor factory shall be consulted to decrypt a given session key.
+     * See for example {@link HardwareSecurity#getIdsOfHardwareBackedKeys(PGPSecretKeyRing)}.
+     *
+     * @param keyIds set of key-ids for which the factory shall be consulted
+     * @param decryptorFactory decryptor factory
+     * @return options
+     */
+    public ConsumerOptions addCustomDecryptorFactory(
+            @Nonnull Set keyIds, @Nonnull PublicKeyDataDecryptorFactory decryptorFactory) {
+        this.customPublicKeyDataDecryptorFactories.put(keyIds, decryptorFactory);
         return this;
     }
 
+    Map, PublicKeyDataDecryptorFactory> getCustomDecryptorFactories() {
+        return new HashMap<>(customPublicKeyDataDecryptorFactories);
+    }
+
     public @Nonnull Set getDecryptionKeys() {
         return Collections.unmodifiableSet(decryptionKeys.keySet());
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 0739eb19..ba837940 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -408,6 +408,34 @@ public final class DecryptionStreamFactory {
             }
         }
 
+        // Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed).
+        Map, PublicKeyDataDecryptorFactory> customFactories = options.getCustomDecryptorFactories();
+        for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
+            Long keyId = publicKeyEncryptedData.getKeyID();
+            for (Set keyIds : customFactories.keySet()) {
+                if (!keyIds.contains(keyId)) {
+                    continue;
+                }
+
+                PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyIds);
+                try {
+                    InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory);
+                    PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory);
+                    SessionKey sessionKey = new SessionKey(pgpSessionKey);
+                    resultBuilder.setSessionKey(sessionKey);
+
+                    throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
+
+                    integrityProtectedEncryptedInputStream =
+                            new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options);
+
+                    return integrityProtectedEncryptedInputStream;
+                } catch (PGPException e) {
+                    LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e);
+                }
+            }
+        }
+
         // Then try decryption with public key encryption
         for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
             PGPPrivateKey privateKey = null;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index bea14aef..cc8cf598 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -1,8 +1,23 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification;
 
-import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
-import org.pgpainless.util.SessionKey;
+import org.bouncycastle.bcpg.S2K;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
 
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Enable integration of hardware-backed OpenPGP keys.
+ */
 public class HardwareSecurity {
 
     public interface DecryptionCallback {
@@ -13,15 +28,81 @@ public class HardwareSecurity {
          *
          * If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
          *
-         * @param pkesk public-key-encrypted session key
+         * @param keyAlgorithm algorithm
+         * @param sessionKeyData encrypted session key
+         *
          * @return decrypted session key
          * @throws HardwareSecurityException exception
          */
-        SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurityException;
+        byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData)
+                throws HardwareSecurityException;
 
     }
 
-    public static class HardwareSecurityException extends Exception {
+    /**
+     * Return the key-ids of all keys which appear to be stored on a hardware token / smartcard.
+     *
+     * @param secretKeys secret keys
+     * @return set of keys with S2K type DIVERT_TO_CARD or GNU_DUMMY_S2K
+     */
+    public static Set getIdsOfHardwareBackedKeys(PGPSecretKeyRing secretKeys) {
+        Set hardwareBackedKeys = new HashSet<>();
+        for (PGPSecretKey secretKey : secretKeys) {
+            S2K s2K = secretKey.getS2K();
+            if (s2K == null) {
+                continue;
+            }
+
+            int type = s2K.getType();
+            // TODO: Is GNU_DUMMY_S2K appropriate?
+            if (type == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD || type == S2K.GNU_DUMMY_S2K) {
+                hardwareBackedKeys.add(secretKey.getKeyID());
+            }
+        }
+        return hardwareBackedKeys;
+    }
+
+    /**
+     * Implementation of {@link PublicKeyDataDecryptorFactory} which delegates decryption of encrypted session keys
+     * to a {@link DecryptionCallback}.
+     * Users can provide such a callback to delegate decryption of messages to hardware security SDKs.
+     */
+    public static class HardwareDataDecryptorFactory implements PublicKeyDataDecryptorFactory {
+
+        private final DecryptionCallback callback;
+        // luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument.
+        private final PublicKeyDataDecryptorFactory factory =
+                new BcPublicKeyDataDecryptorFactory(null);
+
+        /**
+         * Create a new {@link HardwareDataDecryptorFactory}.
+         *
+         * @param callback decryption callback
+         */
+        public HardwareDataDecryptorFactory(DecryptionCallback callback) {
+            this.callback = callback;
+        }
+
+        @Override
+        public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData)
+                throws PGPException {
+            try {
+                // delegate decryption to the callback
+                return callback.decryptSessionKey(keyAlgorithm, secKeyData[0]);
+            } catch (HardwareSecurityException e) {
+                throw new PGPException("Hardware-backed decryption failed.", e);
+            }
+        }
+
+        @Override
+        public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key)
+                throws PGPException {
+            return factory.createDataDecryptor(withIntegrityPacket, encAlgorithm, key);
+        }
+    }
+
+    public static class HardwareSecurityException
+            extends Exception {
 
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
new file mode 100644
index 00000000..f507e02e
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
@@ -0,0 +1,86 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.EncryptionPurpose;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Collections;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class CustomPublicKeyDataDecryptorFactoryTest {
+
+    @Test
+    public void testDecryptionWithEmulatedHardwareDecryptionCallback()
+            throws PGPException, IOException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKey = PGPainless.generateKeyRing().modernKeyRing("Alice");
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKey);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
+        PGPPublicKey encryptionKey = info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0);
+
+        // Encrypt a test message
+        String plaintext = "Hello, World!\n";
+        ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertextOut)
+                .withOptions(ProducerOptions.encrypt(EncryptionOptions.get()
+                        .addRecipient(cert)));
+        encryptionStream.write(plaintext.getBytes(StandardCharsets.UTF_8));
+        encryptionStream.close();
+
+        HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() {
+            @Override
+            public byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData)
+                    throws HardwareSecurity.HardwareSecurityException {
+                // Emulate hardware decryption.
+                try {
+                    PGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyID());
+                    PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase());
+                    PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey);
+                    return internal.recoverSessionData(keyAlgorithm, new byte[][] {sessionKeyData});
+                } catch (PGPException e) {
+                    throw new HardwareSecurity.HardwareSecurityException();
+                }
+            }
+        };
+
+        // Decrypt
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray()))
+                .withOptions(ConsumerOptions.get()
+                        .addCustomDecryptorFactory(
+                                Collections.singleton(encryptionKey.getKeyID()),
+                                new HardwareSecurity.HardwareDataDecryptorFactory(hardwareDecryptionCallback)));
+
+        ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, decryptedOut);
+        decryptionStream.close();
+
+        assertEquals(plaintext, decryptedOut.toString());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java
deleted file mode 100644
index d731277e..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityCallbackTest.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.pgpainless.decryption_verification;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.util.SessionKey;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-public class HardwareSecurityCallbackTest {
-
-    @Test
-    public void test() throws PGPException, IOException {
-        PGPainless.decryptAndOrVerify()
-                .onInputStream(new ByteArrayInputStream(new byte[0]))
-                .withOptions(ConsumerOptions.get()
-                        .setHardwareDecryptionCallback(new HardwareSecurity.DecryptionCallback() {
-                            @Override
-                            public SessionKey decryptSessionKey(PGPPublicKeyEncryptedData pkesk) throws HardwareSecurity.HardwareSecurityException {
-                                /*
-                                pkesk.getSessionKey(new PublicKeyDataDecryptorFactory() {
-                                    @Override
-                                    public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
-                                        return new byte[0];
-                                    }
-
-                                    @Override
-                                    public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key) throws PGPException {
-                                        return null;
-                                    }
-                                });
-                                 */
-                                return null;
-                            }
-                        }));
-    }
-}

From 228918f96b3669c852919bf0160e9295dbdd7dd1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Oct 2022 18:01:30 +0200
Subject: [PATCH 0737/1450] Change HardwareSecurity DecryptionCallback to emit
 key-id

---
 .../ConsumerOptions.java                      | 15 +++-----
 .../CustomPublicKeyDataDecryptorFactory.java  | 13 +++++++
 .../DecryptionStreamFactory.java              | 34 +++++++++----------
 .../HardwareSecurity.java                     | 17 +++++++---
 ...stomPublicKeyDataDecryptorFactoryTest.java |  8 ++---
 5 files changed, 51 insertions(+), 36 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 8f0576ee..dba9fca7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -49,7 +49,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
-    private Map, PublicKeyDataDecryptorFactory> customPublicKeyDataDecryptorFactories = new HashMap<>();
+    private Map customPublicKeyDataDecryptorFactories = new HashMap<>();
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();
@@ -245,20 +245,15 @@ public class ConsumerOptions {
      * hardware-backed secret keys.
      * (See e.g. {@link org.pgpainless.decryption_verification.HardwareSecurity.HardwareDataDecryptorFactory}).
      *
-     * The set of key-ids determines, whether the decryptor factory shall be consulted to decrypt a given session key.
-     * See for example {@link HardwareSecurity#getIdsOfHardwareBackedKeys(PGPSecretKeyRing)}.
-     *
-     * @param keyIds set of key-ids for which the factory shall be consulted
-     * @param decryptorFactory decryptor factory
+     * @param factory decryptor factory
      * @return options
      */
-    public ConsumerOptions addCustomDecryptorFactory(
-            @Nonnull Set keyIds, @Nonnull PublicKeyDataDecryptorFactory decryptorFactory) {
-        this.customPublicKeyDataDecryptorFactories.put(keyIds, decryptorFactory);
+    public ConsumerOptions addCustomDecryptorFactory(@Nonnull CustomPublicKeyDataDecryptorFactory factory) {
+        this.customPublicKeyDataDecryptorFactories.put(factory.getKeyId(), factory);
         return this;
     }
 
-    Map, PublicKeyDataDecryptorFactory> getCustomDecryptorFactories() {
+    Map getCustomDecryptorFactories() {
         return new HashMap<>(customPublicKeyDataDecryptorFactories);
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
new file mode 100644
index 00000000..43e8e723
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+
+public interface CustomPublicKeyDataDecryptorFactory extends PublicKeyDataDecryptorFactory {
+
+    long getKeyId();
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index ba837940..23e3e47d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -409,30 +409,28 @@ public final class DecryptionStreamFactory {
         }
 
         // Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed).
-        Map, PublicKeyDataDecryptorFactory> customFactories = options.getCustomDecryptorFactories();
+        Map customFactories = options.getCustomDecryptorFactories();
         for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
             Long keyId = publicKeyEncryptedData.getKeyID();
-            for (Set keyIds : customFactories.keySet()) {
-                if (!keyIds.contains(keyId)) {
-                    continue;
-                }
+            if (!customFactories.containsKey(keyId)) {
+                continue;
+            }
 
-                PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyIds);
-                try {
-                    InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory);
-                    PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory);
-                    SessionKey sessionKey = new SessionKey(pgpSessionKey);
-                    resultBuilder.setSessionKey(sessionKey);
+            PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyId);
+            try {
+                InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory);
+                PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory);
+                SessionKey sessionKey = new SessionKey(pgpSessionKey);
+                resultBuilder.setSessionKey(sessionKey);
 
-                    throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
+                throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
 
-                    integrityProtectedEncryptedInputStream =
-                            new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options);
+                integrityProtectedEncryptedInputStream =
+                        new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options);
 
-                    return integrityProtectedEncryptedInputStream;
-                } catch (PGPException e) {
-                    LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e);
-                }
+                return integrityProtectedEncryptedInputStream;
+            } catch (PGPException e) {
+                LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e);
             }
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index cc8cf598..d5bf60db 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -28,13 +28,14 @@ public class HardwareSecurity {
          *
          * If decryption fails for some reason, a subclass of the {@link HardwareSecurityException} is thrown.
          *
+         * @param keyId id of the key
          * @param keyAlgorithm algorithm
          * @param sessionKeyData encrypted session key
          *
          * @return decrypted session key
          * @throws HardwareSecurityException exception
          */
-        byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData)
+        byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData)
                 throws HardwareSecurityException;
 
     }
@@ -67,20 +68,22 @@ public class HardwareSecurity {
      * to a {@link DecryptionCallback}.
      * Users can provide such a callback to delegate decryption of messages to hardware security SDKs.
      */
-    public static class HardwareDataDecryptorFactory implements PublicKeyDataDecryptorFactory {
+    public static class HardwareDataDecryptorFactory implements CustomPublicKeyDataDecryptorFactory {
 
         private final DecryptionCallback callback;
         // luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument.
         private final PublicKeyDataDecryptorFactory factory =
                 new BcPublicKeyDataDecryptorFactory(null);
+        private long keyId;
 
         /**
          * Create a new {@link HardwareDataDecryptorFactory}.
          *
          * @param callback decryption callback
          */
-        public HardwareDataDecryptorFactory(DecryptionCallback callback) {
+        public HardwareDataDecryptorFactory(long keyId, DecryptionCallback callback) {
             this.callback = callback;
+            this.keyId = keyId;
         }
 
         @Override
@@ -88,7 +91,7 @@ public class HardwareSecurity {
                 throws PGPException {
             try {
                 // delegate decryption to the callback
-                return callback.decryptSessionKey(keyAlgorithm, secKeyData[0]);
+                return callback.decryptSessionKey(keyId, keyAlgorithm, secKeyData[0]);
             } catch (HardwareSecurityException e) {
                 throw new PGPException("Hardware-backed decryption failed.", e);
             }
@@ -99,10 +102,16 @@ public class HardwareSecurity {
                 throws PGPException {
             return factory.createDataDecryptor(withIntegrityPacket, encAlgorithm, key);
         }
+
+        @Override
+        public long getKeyId() {
+            return keyId;
+        }
     }
 
     public static class HardwareSecurityException
             extends Exception {
 
     }
+
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
index f507e02e..4ea894e5 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
@@ -29,7 +29,6 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Collections;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
@@ -55,7 +54,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
 
         HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() {
             @Override
-            public byte[] decryptSessionKey(int keyAlgorithm, byte[] sessionKeyData)
+            public byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData)
                     throws HardwareSecurity.HardwareSecurityException {
                 // Emulate hardware decryption.
                 try {
@@ -74,8 +73,9 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
                 .onInputStream(new ByteArrayInputStream(ciphertextOut.toByteArray()))
                 .withOptions(ConsumerOptions.get()
                         .addCustomDecryptorFactory(
-                                Collections.singleton(encryptionKey.getKeyID()),
-                                new HardwareSecurity.HardwareDataDecryptorFactory(hardwareDecryptionCallback)));
+                                new HardwareSecurity.HardwareDataDecryptorFactory(
+                                        encryptionKey.getKeyID(),
+                                        hardwareDecryptionCallback)));
 
         ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream();
         Streams.pipeAll(decryptionStream, decryptedOut);

From cfd3f77491e6b0b15b01ffc2f466c6fd8c2a3827 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 10 Oct 2022 18:08:43 +0200
Subject: [PATCH 0738/1450] Make map final

---
 .../org/pgpainless/decryption_verification/ConsumerOptions.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index dba9fca7..0f02aba0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -49,7 +49,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
-    private Map customPublicKeyDataDecryptorFactories = new HashMap<>();
+    private final Map customPublicKeyDataDecryptorFactories = new HashMap<>();
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();

From a39c6bc881f2763d6ea812b95d94341918efe3f7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 16:07:31 +0200
Subject: [PATCH 0739/1450] Identify custom decryptor factories by subkey id

---
 .../ConsumerOptions.java                      |  7 ++++---
 .../CustomPublicKeyDataDecryptorFactory.java  |  3 ++-
 .../DecryptionStreamFactory.java              |  2 +-
 .../HardwareSecurity.java                     | 19 +++++++++++++------
 ...stomPublicKeyDataDecryptorFactoryTest.java |  3 ++-
 5 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 0f02aba0..f8f59d36 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -25,6 +25,7 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
+import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
@@ -49,7 +50,7 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
-    private final Map customPublicKeyDataDecryptorFactories = new HashMap<>();
+    private final Map customPublicKeyDataDecryptorFactories = new HashMap<>();
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();
@@ -249,11 +250,11 @@ public class ConsumerOptions {
      * @return options
      */
     public ConsumerOptions addCustomDecryptorFactory(@Nonnull CustomPublicKeyDataDecryptorFactory factory) {
-        this.customPublicKeyDataDecryptorFactories.put(factory.getKeyId(), factory);
+        this.customPublicKeyDataDecryptorFactories.put(factory.getSubkeyIdentifier(), factory);
         return this;
     }
 
-    Map getCustomDecryptorFactories() {
+    Map getCustomDecryptorFactories() {
         return new HashMap<>(customPublicKeyDataDecryptorFactories);
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
index 43e8e723..37dc10a9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
@@ -5,9 +5,10 @@
 package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.pgpainless.key.SubkeyIdentifier;
 
 public interface CustomPublicKeyDataDecryptorFactory extends PublicKeyDataDecryptorFactory {
 
-    long getKeyId();
+    SubkeyIdentifier getSubkeyIdentifier();
 
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
index 23e3e47d..451750ee 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@@ -409,7 +409,7 @@ public final class DecryptionStreamFactory {
         }
 
         // Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed).
-        Map customFactories = options.getCustomDecryptorFactories();
+        Map customFactories = options.getCustomDecryptorFactories();
         for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
             Long keyId = publicKeyEncryptedData.getKeyID();
             if (!customFactories.containsKey(keyId)) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index d5bf60db..f234ff00 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -11,6 +11,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
+import org.pgpainless.key.SubkeyIdentifier;
 
 import java.util.HashSet;
 import java.util.Set;
@@ -74,16 +75,16 @@ public class HardwareSecurity {
         // luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument.
         private final PublicKeyDataDecryptorFactory factory =
                 new BcPublicKeyDataDecryptorFactory(null);
-        private long keyId;
+        private SubkeyIdentifier subkey;
 
         /**
          * Create a new {@link HardwareDataDecryptorFactory}.
          *
          * @param callback decryption callback
          */
-        public HardwareDataDecryptorFactory(long keyId, DecryptionCallback callback) {
+        public HardwareDataDecryptorFactory(SubkeyIdentifier subkeyIdentifier, DecryptionCallback callback) {
             this.callback = callback;
-            this.keyId = keyId;
+            this.subkey = subkeyIdentifier;
         }
 
         @Override
@@ -91,7 +92,7 @@ public class HardwareSecurity {
                 throws PGPException {
             try {
                 // delegate decryption to the callback
-                return callback.decryptSessionKey(keyId, keyAlgorithm, secKeyData[0]);
+                return callback.decryptSessionKey(subkey.getSubkeyId(), keyAlgorithm, secKeyData[0]);
             } catch (HardwareSecurityException e) {
                 throw new PGPException("Hardware-backed decryption failed.", e);
             }
@@ -104,8 +105,14 @@ public class HardwareSecurity {
         }
 
         @Override
-        public long getKeyId() {
-            return keyId;
+        public PGPDataDecryptor createDataDecryptor(int aeadAlgorithm, byte[] iv, int chunkSize, int encAlgorithm, byte[] key)
+                throws PGPException {
+            return factory.createDataDecryptor(aeadAlgorithm, iv, chunkSize, encAlgorithm, key);
+        }
+
+        @Override
+        public SubkeyIdentifier getSubkeyIdentifier() {
+            return subkey;
         }
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
index 4ea894e5..73c3bf56 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
@@ -19,6 +19,7 @@ import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.util.Passphrase;
@@ -74,7 +75,7 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
                 .withOptions(ConsumerOptions.get()
                         .addCustomDecryptorFactory(
                                 new HardwareSecurity.HardwareDataDecryptorFactory(
-                                        encryptionKey.getKeyID(),
+                                        new SubkeyIdentifier(cert, encryptionKey.getKeyID()),
                                         hardwareDecryptionCallback)));
 
         ByteArrayOutputStream decryptedOut = new ByteArrayOutputStream();

From 3d5916c545a125369141e5cde0fe535a7507febb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 16:08:01 +0200
Subject: [PATCH 0740/1450] Implement custom decryptor factories in pda

---
 .../OpenPgpMessageInputStream.java            | 122 +++++++++---------
 1 file changed, 61 insertions(+), 61 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index dfb0df91..bba7b396 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -314,6 +314,20 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         SortedESKs esks = new SortedESKs(encDataList);
 
+        // Try custom decryptor factory
+        for (SubkeyIdentifier subkeyIdentifier : options.getCustomDecryptorFactories().keySet()) {
+            PublicKeyDataDecryptorFactory decryptorFactory = options.getCustomDecryptorFactories().get(subkeyIdentifier);
+            for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                if (pkesk.getKeyID() != subkeyIdentifier.getSubkeyId()) {
+                    continue;
+                }
+
+                if (decryptPKESKAndStream(subkeyIdentifier, decryptorFactory, pkesk)) {
+                    return true;
+                }
+            }
+        }
+
         // Try session key
         if (options.getSessionKey() != null) {
             SessionKey sessionKey = options.getSessionKey();
@@ -357,20 +371,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPBEDataDecryptorFactory(passphrase);
 
-                try {
-                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                    SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
-                    throwIfUnacceptable(sessionKey.getAlgorithm());
-                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                            sessionKey.getAlgorithm(), metadata.depth + 1);
-                    encryptedData.sessionKey = sessionKey;
-                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                if (decryptSKESKAndStream(skesk, decryptorFactory)) {
                     return true;
-                } catch (UnacceptableAlgorithmException e) {
-                    throw e;
-                } catch (PGPException e) {
-                    // Password mismatch?
                 }
             }
         }
@@ -393,28 +395,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
 
             PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
+            SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, decryptionKey.getKeyID());
             PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
 
             PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getPublicKeyDataDecryptorFactory(privateKey);
-            try {
-                InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
-                throwIfUnacceptable(sessionKey.getAlgorithm());
-
-                MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                        SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
-                        metadata.depth + 1);
-                encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeys, decryptionKey.getKeyID());
-                encryptedData.sessionKey = sessionKey;
-
-                IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-                nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+            if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
                 return true;
-            } catch (UnacceptableAlgorithmException e) {
-                throw e;
-            } catch (PGPException e) {
-
             }
         }
 
@@ -430,23 +417,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
                 PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPublicKeyDataDecryptorFactory(privateKey);
+                SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeyCandidate.getA(), privateKey.getKeyID());
 
-                try {
-                    InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                    SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
-                    throwIfUnacceptable(sessionKey.getAlgorithm());
-
-                    MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                            SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
-                            metadata.depth + 1);
-                    encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKeyCandidate.getA(), privateKey.getKeyID());
-                    encryptedData.sessionKey = sessionKey;
-
-                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
                     return true;
-                } catch (PGPException e) {
-                    // hm :/
                 }
             }
         }
@@ -470,26 +444,12 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
                     SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
                     PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(keyId));
-
+                    SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
                     PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                             .getPublicKeyDataDecryptorFactory(privateKey);
 
-                    try {
-                        InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                        SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
-                        throwIfUnacceptable(sessionKey.getAlgorithm());
-
-                        MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                                SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
-                                metadata.depth + 1);
-                        encryptedData.decryptionKey = new SubkeyIdentifier(decryptionKey, keyId);
-                        encryptedData.sessionKey = sessionKey;
-
-                        IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-                        nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                    if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
                         return true;
-                    } catch (PGPException e) {
-                        // hm :/
                     }
                 }
             }
@@ -501,6 +461,46 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
+    private boolean decryptSKESKAndStream(PGPPBEEncryptedData skesk, PBEDataDecryptorFactory decryptorFactory) throws IOException, UnacceptableAlgorithmException {
+        try {
+            InputStream decrypted = skesk.getDataStream(decryptorFactory);
+            SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
+            throwIfUnacceptable(sessionKey.getAlgorithm());
+            MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                    sessionKey.getAlgorithm(), metadata.depth + 1);
+            encryptedData.sessionKey = sessionKey;
+            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
+            nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+            return true;
+        } catch (UnacceptableAlgorithmException e) {
+            throw e;
+        } catch (PGPException e) {
+            // Password mismatch?
+        }
+        return false;
+    }
+
+    private boolean decryptPKESKAndStream(SubkeyIdentifier subkeyIdentifier, PublicKeyDataDecryptorFactory decryptorFactory, PGPPublicKeyEncryptedData pkesk) throws IOException {
+        try {
+            InputStream decrypted = pkesk.getDataStream(decryptorFactory);
+            SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
+            throwIfUnacceptable(sessionKey.getAlgorithm());
+
+            MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
+                    SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
+                    metadata.depth + 1);
+            encryptedData.decryptionKey = subkeyIdentifier;
+            encryptedData.sessionKey = sessionKey;
+
+            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+            nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+            return true;
+        } catch (PGPException e) {
+
+        }
+        return false;
+    }
+
     private PGPSecretKey getDecryptionKey(PGPSecretKeyRing decryptionKeys, long keyId) {
         KeyRingInfo info = PGPainless.inspectKeyRing(decryptionKeys);
         if (info.getEncryptionSubkeys(EncryptionPurpose.ANY).contains(info.getPublicKey(keyId))) {

From a9993fd86699bcaf0790dc7f5d8944d2a0f4ccbd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 16:13:18 +0200
Subject: [PATCH 0741/1450] Throw UnacceptableAlgEx for unencrypted encData

---
 .../decryption_verification/OpenPgpMessageInputStream.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index bba7b396..969f3717 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -480,7 +480,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
-    private boolean decryptPKESKAndStream(SubkeyIdentifier subkeyIdentifier, PublicKeyDataDecryptorFactory decryptorFactory, PGPPublicKeyEncryptedData pkesk) throws IOException {
+    private boolean decryptPKESKAndStream(SubkeyIdentifier subkeyIdentifier,
+                                          PublicKeyDataDecryptorFactory decryptorFactory,
+                                          PGPPublicKeyEncryptedData pkesk)
+            throws IOException, UnacceptableAlgorithmException {
         try {
             InputStream decrypted = pkesk.getDataStream(decryptorFactory);
             SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
@@ -495,6 +498,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
             nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
             return true;
+        } catch (UnacceptableAlgorithmException e) {
+            throw e;
         } catch (PGPException e) {
 
         }

From b7acb2a59c98690a5582db351730afe33a3c5311 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 19:35:25 +0200
Subject: [PATCH 0742/1450] Enable logging in tests

---
 pgpainless-core/src/test/resources/logback-test.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/test/resources/logback-test.xml b/pgpainless-core/src/test/resources/logback-test.xml
index 7e4c3194..bb16e293 100644
--- a/pgpainless-core/src/test/resources/logback-test.xml
+++ b/pgpainless-core/src/test/resources/logback-test.xml
@@ -19,7 +19,7 @@ SPDX-License-Identifier: Apache-2.0
         
     
 
-    
+    
         
     
 

From a27c0ff36e10842ffc8c956e5a3b67afda549242 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 20 Oct 2022 19:35:50 +0200
Subject: [PATCH 0743/1450] Add detailled logging to OpenPgpMessageInputStream

---
 .../OpenPgpMessageInputStream.java            | 84 +++++++++++++++----
 .../automaton/PDA.java                        | 13 ++-
 .../org/pgpainless/key/util/KeyIdUtil.java    |  4 +
 3 files changed, 82 insertions(+), 19 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 969f3717..1dbadbbe 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -59,6 +59,7 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.key.util.KeyIdUtil;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
@@ -234,6 +235,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                     // Marker Packets need to be skipped and ignored
                 case MARKER:
+                    LOGGER.debug("Skipping Marker Packet");
                     packetInputStream.readMarker();
                     break;
 
@@ -263,6 +265,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     private void processLiteralData() throws IOException {
+        LOGGER.debug("Literal Data Packet at depth " + metadata.depth + " encountered");
         automaton.next(InputAlphabet.LiteralData);
         PGPLiteralData literalData = packetInputStream.readLiteralData();
         this.metadata.setChild(new MessageMetadata.LiteralData(
@@ -279,6 +282,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()),
                 metadata.depth + 1);
+        LOGGER.debug("Compressed Data Packet (" + compressionLayer.algorithm + ") at depth " + metadata.depth + " encountered");
         InputStream decompressed = compressedData.getDataStream();
         nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer, policy);
     }
@@ -286,6 +290,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     private void processOnePassSignature() throws PGPException, IOException {
         automaton.next(InputAlphabet.OnePassSignature);
         PGPOnePassSignature onePassSignature = packetInputStream.readOnePassSignature();
+        LOGGER.debug("One-Pass-Signature Packet by key " + KeyIdUtil.formatKeyId(onePassSignature.getKeyID()) +
+                "at depth " + metadata.depth + " encountered");
         signatures.addOnePassSignature(onePassSignature);
     }
 
@@ -294,42 +300,59 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
         automaton.next(InputAlphabet.Signature);
         PGPSignature signature = packetInputStream.readSignature();
+        long keyId = SignatureUtils.determineIssuerKeyId(signature);
         if (isSigForOPS) {
+            LOGGER.debug("Signature Packet corresponding to One-Pass-Signature by key " +
+                    KeyIdUtil.formatKeyId(keyId) +
+                    " at depth " + metadata.depth + " encountered");
             signatures.leaveNesting(); // TODO: Only leave nesting if all OPSs of the nesting layer are dealt with
             signatures.addCorrespondingOnePassSignature(signature, metadata, policy);
         } else {
+            LOGGER.debug("Prepended Signature Packet by key " +
+                    KeyIdUtil.formatKeyId(keyId) +
+                    " at depth " + metadata.depth + " encountered");
             signatures.addPrependedSignature(signature);
         }
     }
 
     private boolean processEncryptedData() throws IOException, PGPException {
+        LOGGER.debug("Symmetrically Encrypted Data Packet at depth " + metadata.depth + " encountered");
         automaton.next(InputAlphabet.EncryptedData);
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
         //  once BC ships it
         if (!encDataList.get(0).isIntegrityProtected()) {
+            LOGGER.debug("Symmetrically Encrypted Data Packet is not integrity-protected and is therefore rejected.");
             throw new MessageNotIntegrityProtectedException();
         }
 
         SortedESKs esks = new SortedESKs(encDataList);
+        LOGGER.debug("Symmetrically Encrypted Integrity-Protected Data has " +
+                esks.skesks.size() + " SKESK(s) and " +
+                (esks.pkesks.size() + esks.anonPkesks.size()) + " PKESK(s) from which " +
+                esks.anonPkesks.size() + " PKESK(s) have an anonymous recipient");
 
-        // Try custom decryptor factory
+        // Try custom decryptor factories
         for (SubkeyIdentifier subkeyIdentifier : options.getCustomDecryptorFactories().keySet()) {
+            LOGGER.debug("Attempt decryption with custom decryptor factory with key " + subkeyIdentifier);
             PublicKeyDataDecryptorFactory decryptorFactory = options.getCustomDecryptorFactories().get(subkeyIdentifier);
             for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                // find matching PKESK
                 if (pkesk.getKeyID() != subkeyIdentifier.getSubkeyId()) {
                     continue;
                 }
 
+                // attempt decryption
                 if (decryptPKESKAndStream(subkeyIdentifier, decryptorFactory, pkesk)) {
                     return true;
                 }
             }
         }
 
-        // Try session key
+        // Try provided session key
         if (options.getSessionKey() != null) {
+            LOGGER.debug("Attempt decryption with provided session key");
             SessionKey sessionKey = options.getSessionKey();
             throwIfUnacceptable(sessionKey.getAlgorithm());
 
@@ -340,6 +363,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             try {
                 // TODO: Use BCs new API once shipped
+                //  see https://github.com/bcgit/bc-java/pull/1228 (discussion)
                 PGPEncryptedData esk = esks.all().get(0);
                 if (esk instanceof PGPPBEEncryptedData) {
                     PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
@@ -347,6 +371,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     encryptedData.sessionKey = sessionKey;
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                    LOGGER.debug("Successfully decrypted data with provided session key");
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
@@ -354,20 +379,29 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     encryptedData.sessionKey = sessionKey;
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
                     nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                    LOGGER.debug("Successfully decrypted data with provided session key");
                     return true;
                 } else {
                     throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
                 }
             } catch (PGPException e) {
                 // Session key mismatch?
+                LOGGER.debug("Decryption using provided session key failed. Mismatched session key and message?", e);
             }
         }
 
         // Try passwords
-        for (PGPPBEEncryptedData skesk : esks.skesks) {
-            SymmetricKeyAlgorithm kekAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
-            throwIfUnacceptable(kekAlgorithm);
-            for (Passphrase passphrase : options.getDecryptionPassphrases()) {
+        for (Passphrase passphrase : options.getDecryptionPassphrases()) {
+            for (PGPPBEEncryptedData skesk : esks.skesks) {
+                LOGGER.debug("Attempt decryption with provided passphrase");
+                SymmetricKeyAlgorithm kekAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
+                try {
+                    throwIfUnacceptable(kekAlgorithm);
+                } catch (UnacceptableAlgorithmException e) {
+                    LOGGER.debug("Skipping SKESK with unacceptable encapsulation algorithm", e);
+                    continue;
+                }
+
                 PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPBEDataDecryptorFactory(passphrase);
 
@@ -381,22 +415,25 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // Try (known) secret keys
         for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
             long keyId = pkesk.getKeyID();
+            LOGGER.debug("Encountered PKESK with recipient " + KeyIdUtil.formatKeyId(keyId));
             PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
             if (decryptionKeys == null) {
+                LOGGER.debug("Skipping PKESK because no matching key " + KeyIdUtil.formatKeyId(keyId) + " was provided");
                 continue;
             }
             PGPSecretKey secretKey = decryptionKeys.getSecretKey(keyId);
+            SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
+            LOGGER.debug("Attempt decryption using secret key " + decryptionKeyId);
 
             SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
             // Postpone keys with missing passphrase
             if (!protector.hasPassphraseFor(keyId)) {
+                LOGGER.debug("Missing passphrase for key " + decryptionKeyId + ". Postponing decryption until all other keys were tried");
                 postponedDueToMissingPassphrase.add(new Tuple<>(secretKey, pkesk));
                 continue;
             }
 
-            PGPSecretKey decryptionKey = decryptionKeys.getSecretKey(keyId);
-            SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, decryptionKey.getKeyID());
-            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, protector);
+            PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
 
             PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                     .getPublicKeyDataDecryptorFactory(privateKey);
@@ -408,16 +445,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // try anonymous secret keys
         for (PGPPublicKeyEncryptedData pkesk : esks.anonPkesks) {
             for (Tuple decryptionKeyCandidate : findPotentialDecryptionKeys(pkesk)) {
+                PGPSecretKeyRing decryptionKeys = decryptionKeyCandidate.getA();
                 PGPSecretKey secretKey = decryptionKeyCandidate.getB();
+                SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
+                LOGGER.debug("Attempt decryption of anonymous PKESK with key " + decryptionKeyId);
                 SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
                 if (!protector.hasPassphraseFor(secretKey.getKeyID())) {
+                    LOGGER.debug("Missing passphrase for key " + decryptionKeyId + ". Postponing decryption until all other keys were tried.");
                     postponedDueToMissingPassphrase.add(new Tuple<>(secretKey, pkesk));
                     continue;
                 }
                 PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
                 PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPublicKeyDataDecryptorFactory(privateKey);
-                SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeyCandidate.getA(), privateKey.getKeyID());
 
                 if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
                     return true;
@@ -442,9 +482,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     PGPSecretKey secretKey = missingPassphrases.getA();
                     long keyId = secretKey.getKeyID();
                     PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
+                    SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
+                    LOGGER.debug("Attempt decryption with key " + decryptionKeyId + " while interactively requesting its passphrase");
                     SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
                     PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(keyId));
-                    SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
                     PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                             .getPublicKeyDataDecryptorFactory(privateKey);
 
@@ -458,10 +499,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         // we did not yet succeed in decrypting any session key :/
+
+        LOGGER.debug("Failed to decrypt encrypted data packet");
         return false;
     }
 
-    private boolean decryptSKESKAndStream(PGPPBEEncryptedData skesk, PBEDataDecryptorFactory decryptorFactory) throws IOException, UnacceptableAlgorithmException {
+    private boolean decryptSKESKAndStream(PGPPBEEncryptedData skesk, PBEDataDecryptorFactory decryptorFactory)
+            throws IOException, UnacceptableAlgorithmException {
         try {
             InputStream decrypted = skesk.getDataStream(decryptorFactory);
             SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
@@ -469,18 +513,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                     sessionKey.getAlgorithm(), metadata.depth + 1);
             encryptedData.sessionKey = sessionKey;
+            LOGGER.debug("Successfully decrypted data with passphrase");
             IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
             nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
             throw e;
         } catch (PGPException e) {
-            // Password mismatch?
+            LOGGER.debug("Decryption of encrypted data packet using password failed. Password mismatch?", e);
         }
         return false;
     }
 
-    private boolean decryptPKESKAndStream(SubkeyIdentifier subkeyIdentifier,
+    private boolean decryptPKESKAndStream(SubkeyIdentifier decryptionKeyId,
                                           PublicKeyDataDecryptorFactory decryptorFactory,
                                           PGPPublicKeyEncryptedData pkesk)
             throws IOException, UnacceptableAlgorithmException {
@@ -492,16 +537,17 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                     SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
                     metadata.depth + 1);
-            encryptedData.decryptionKey = subkeyIdentifier;
+            encryptedData.decryptionKey = decryptionKeyId;
             encryptedData.sessionKey = sessionKey;
 
+            LOGGER.debug("Successfully decrypted data with key " + decryptionKeyId);
             IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
             nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
             throw e;
         } catch (PGPException e) {
-
+            LOGGER.debug("Decryption of encrypted data packet using secret key failed.", e);
         }
         return false;
     }
@@ -823,8 +869,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
                             .verify(signature);
                     SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
+                    LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedOnePassSignature(verification);
                 } catch (SignatureValidationException e) {
+                    LOGGER.debug("Rejected signature by key " + verification.getSigningKey(), e);
                     layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
                 }
                 break;
@@ -929,8 +977,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                             detached.getSignature(),
                             detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
                             policy, detached.getSignature().getCreationTime());
+                    LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedDetachedSignature(verification);
                 } catch (SignatureValidationException e) {
+                    LOGGER.debug("Rejected signature by key " + verification.getSigningKey(), e);
                     layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
                 }
             }
@@ -944,8 +994,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                             prepended.getSignature(),
                             prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),
                             policy, prepended.getSignature().getCreationTime());
+                    LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedPrependedSignature(verification);
                 } catch (SignatureValidationException e) {
+                    LOGGER.debug("Rejected signature by key " + verification.getSigningKey(), e);
                     layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
                 }
             }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
index 156dc2ed..3df3c5b5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
@@ -5,6 +5,8 @@
 package org.pgpainless.decryption_verification.automaton;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.util.Stack;
 
@@ -15,11 +17,11 @@ import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ter
 public class PDA {
 
     private static int ID = 0;
+    private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
 
     /**
      * Set of states of the automaton.
-     * Each state defines its valid transitions in their {@link NestingPDA.State#transition(InputAlphabet, NestingPDA)}
-     * method.
+     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, PDA)} method.
      */
     public enum State {
 
@@ -199,7 +201,12 @@ public class PDA {
     }
 
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
-        state = state.transition(input, this);
+        try {
+            state = state.transition(input, this);
+        } catch (MalformedOpenPgpMessageException e) {
+            LOGGER.debug("Unexpected Packet or Token '" + input + "' encountered. Message is malformed.", e);
+            throw e;
+        }
     }
 
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java
index e6ab4f48..7ebac8fd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyIdUtil.java
@@ -30,4 +30,8 @@ public final class KeyIdUtil {
 
         return new BigInteger(longKeyId, 16).longValue();
     }
+
+    public static String formatKeyId(long keyId) {
+        return Long.toHexString(keyId).toUpperCase();
+    }
 }

From 977f8c4101fdf5e2cd42049d1c2ac9f116a7b108 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 21 Oct 2022 00:31:25 +0200
Subject: [PATCH 0744/1450] Rename automaton package to syntax_check

---
 .../OpenPgpMessageInputStream.java            | 33 ++++++++++---------
 .../InputAlphabet.java                        |  2 +-
 .../{automaton => syntax_check}/PDA.java      |  8 ++---
 .../StackAlphabet.java                        |  2 +-
 .../package-info.java                         |  2 +-
 .../MalformedOpenPgpMessageException.java     |  6 ++--
 .../{automaton => syntax_check}/PDATest.java  |  2 +-
 7 files changed, 28 insertions(+), 27 deletions(-)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{automaton => syntax_check}/InputAlphabet.java (95%)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{automaton => syntax_check}/PDA.java (96%)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{automaton => syntax_check}/StackAlphabet.java (89%)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/{automaton => syntax_check}/package-info.java (78%)
 rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{automaton => syntax_check}/PDATest.java (97%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 1dbadbbe..a2fa2351 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -43,9 +43,9 @@ import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
-import org.pgpainless.decryption_verification.automaton.InputAlphabet;
-import org.pgpainless.decryption_verification.automaton.PDA;
-import org.pgpainless.decryption_verification.automaton.StackAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.InputAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.PDA;
+import org.pgpainless.decryption_verification.syntax_check.StackAlphabet;
 import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
@@ -80,7 +80,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     // Options to consume the data
     protected final ConsumerOptions options;
     // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
-    protected final PDA automaton = new PDA();
+    protected final PDA syntaxVerifier = new PDA();
     // InputStream of OpenPGP packets
     protected TeeBCPGInputStream packetInputStream;
     // InputStream of a nested data packet
@@ -266,7 +266,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private void processLiteralData() throws IOException {
         LOGGER.debug("Literal Data Packet at depth " + metadata.depth + " encountered");
-        automaton.next(InputAlphabet.LiteralData);
+        syntaxVerifier.next(InputAlphabet.LiteralData);
         PGPLiteralData literalData = packetInputStream.readLiteralData();
         this.metadata.setChild(new MessageMetadata.LiteralData(
                 literalData.getFileName(),
@@ -276,7 +276,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     private void processCompressedData() throws IOException, PGPException {
-        automaton.next(InputAlphabet.CompressedData);
+        syntaxVerifier.next(InputAlphabet.CompressedData);
         signatures.enterNesting();
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
@@ -288,7 +288,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     private void processOnePassSignature() throws PGPException, IOException {
-        automaton.next(InputAlphabet.OnePassSignature);
+        syntaxVerifier.next(InputAlphabet.OnePassSignature);
         PGPOnePassSignature onePassSignature = packetInputStream.readOnePassSignature();
         LOGGER.debug("One-Pass-Signature Packet by key " + KeyIdUtil.formatKeyId(onePassSignature.getKeyID()) +
                 "at depth " + metadata.depth + " encountered");
@@ -297,8 +297,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private void processSignature() throws PGPException, IOException {
         // true if Signature corresponds to OnePassSignature
-        boolean isSigForOPS = automaton.peekStack() == StackAlphabet.ops;
-        automaton.next(InputAlphabet.Signature);
+        boolean isSigForOPS = syntaxVerifier.peekStack() == StackAlphabet.ops;
+        syntaxVerifier.next(InputAlphabet.Signature);
         PGPSignature signature = packetInputStream.readSignature();
         long keyId = SignatureUtils.determineIssuerKeyId(signature);
         if (isSigForOPS) {
@@ -317,7 +317,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private boolean processEncryptedData() throws IOException, PGPException {
         LOGGER.debug("Symmetrically Encrypted Data Packet at depth " + metadata.depth + " encountered");
-        automaton.next(InputAlphabet.EncryptedData);
+        syntaxVerifier.next(InputAlphabet.EncryptedData);
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
@@ -601,7 +601,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     @Override
     public int read() throws IOException {
         if (nestedInputStream == null) {
-            automaton.assertValid();
+            syntaxVerifier.assertValid();
             return -1;
         }
 
@@ -638,7 +638,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         if (nestedInputStream == null) {
             if (packetInputStream != null) {
-                automaton.assertValid();
+                syntaxVerifier.assertValid();
             }
             return -1;
         }
@@ -668,7 +668,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         super.close();
         if (closed) {
             if (packetInputStream != null) {
-                automaton.assertValid();
+                syntaxVerifier.assertValid();
             }
             return;
         }
@@ -686,8 +686,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         if (packetInputStream != null) {
-            automaton.next(InputAlphabet.EndOfSequence);
-            automaton.assertValid();
+            syntaxVerifier.next(InputAlphabet.EndOfSequence);
+            syntaxVerifier.assertValid();
             packetInputStream.close();
         }
         closed = true;
@@ -717,7 +717,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             for (PGPEncryptedData esk : esks) {
                 if (esk instanceof PGPPBEEncryptedData) {
                     skesks.add((PGPPBEEncryptedData) esk);
-                } else if (esk instanceof PGPPublicKeyEncryptedData) {
+                }
+                else if (esk instanceof PGPPublicKeyEncryptedData) {
                     PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
                     if (pkesk.getKeyID() != 0) {
                         pkesks.add(pkesk);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java
similarity index 95%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java
index ad2a8c55..f73ede34 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/InputAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.decryption_verification.automaton;
+package org.pgpainless.decryption_verification.syntax_check;
 
 import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
similarity index 96%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 3df3c5b5..0d6ba28c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.decryption_verification.automaton;
+package org.pgpainless.decryption_verification.syntax_check;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.slf4j.Logger;
@@ -10,9 +10,9 @@ import org.slf4j.LoggerFactory;
 
 import java.util.Stack;
 
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.msg;
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.ops;
-import static org.pgpainless.decryption_verification.automaton.StackAlphabet.terminus;
+import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.msg;
+import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.ops;
+import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.terminus;
 
 public class PDA {
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
similarity index 89%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
index 09865f31..6030fbc8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/StackAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.decryption_verification.automaton;
+package org.pgpainless.decryption_verification.syntax_check;
 
 public enum StackAlphabet {
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/package-info.java
similarity index 78%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/package-info.java
index 80a79e85..4df6af5a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/automaton/package-info.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/package-info.java
@@ -5,4 +5,4 @@
 /**
  * Pushdown Automaton to verify validity of packet sequences according to the OpenPGP Message format.
  */
-package org.pgpainless.decryption_verification.automaton;
+package org.pgpainless.decryption_verification.syntax_check;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index 0069209c..cbe78c05 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -4,9 +4,9 @@
 
 package org.pgpainless.exception;
 
-import org.pgpainless.decryption_verification.automaton.InputAlphabet;
-import org.pgpainless.decryption_verification.automaton.PDA;
-import org.pgpainless.decryption_verification.automaton.StackAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.InputAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.PDA;
+import org.pgpainless.decryption_verification.syntax_check.StackAlphabet;
 
 /**
  * Exception that gets thrown if the OpenPGP message is malformed.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
similarity index 97%
rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index 6dbb2cd6..346e1f3b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/automaton/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -1,4 +1,4 @@
-package org.pgpainless.decryption_verification.automaton;
+package org.pgpainless.decryption_verification.syntax_check;
 
 import org.junit.jupiter.api.Test;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;

From 3977d1f40785ef71fdafa9b41d6a3bd3cdc2a899 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 21 Oct 2022 00:40:40 +0200
Subject: [PATCH 0745/1450] Add more direct PDA tests

---
 .../syntax_check/PDATest.java                 | 86 ++++++++++++++-----
 1 file changed, 63 insertions(+), 23 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index 346e1f3b..e4877d94 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -1,10 +1,11 @@
 package org.pgpainless.decryption_verification.syntax_check;
 
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 import org.junit.jupiter.api.Test;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
 public class PDATest {
 
 
@@ -15,11 +16,11 @@ public class PDATest {
      */
     @Test
     public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
-        PDA automaton = new PDA();
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
+        PDA check = new PDA();
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.EndOfSequence);
 
-        assertTrue(automaton.isValid());
+        assertTrue(check.isValid());
     }
 
     /**
@@ -29,13 +30,13 @@ public class PDATest {
      */
     @Test
     public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
-        PDA automaton = new PDA();
-        automaton.next(InputAlphabet.OnePassSignature);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.Signature);
-        automaton.next(InputAlphabet.EndOfSequence);
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.EndOfSequence);
 
-        assertTrue(automaton.isValid());
+        assertTrue(check.isValid());
     }
 
 
@@ -46,12 +47,12 @@ public class PDATest {
      */
     @Test
     public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PDA automaton = new PDA();
-        automaton.next(InputAlphabet.Signature);
-        automaton.next(InputAlphabet.LiteralData);
-        automaton.next(InputAlphabet.EndOfSequence);
+        PDA check = new PDA();
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.EndOfSequence);
 
-        assertTrue(automaton.isValid());
+        assertTrue(check.isValid());
     }
 
 
@@ -62,14 +63,53 @@ public class PDATest {
      */
     @Test
     public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
-        PDA automaton = new PDA();
-        automaton.next(InputAlphabet.OnePassSignature);
-        automaton.next(InputAlphabet.CompressedData);
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.CompressedData);
         // Here would be a nested PDA for the LiteralData packet
-        automaton.next(InputAlphabet.Signature);
-        automaton.next(InputAlphabet.EndOfSequence);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.EndOfSequence);
 
-        assertTrue(automaton.isValid());
+        assertTrue(check.isValid());
     }
 
+    @Test
+    public void testTwoLiteralDataIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.LiteralData));
+    }
+
+    @Test
+    public void testTrailingSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.Signature));
+    }
+
+    @Test
+    public void testOPSWithPrependedSigIsValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(check.isValid());
+    }
+
+    @Test
+    public void testPrependedSigInsideOPSSignedMessageIsValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.EndOfSequence);
+
+        assertTrue(check.isValid());
+    }
 }

From 54cb9dad713fb466ce234490838f1e670c75f0b6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 21 Oct 2022 13:46:33 +0200
Subject: [PATCH 0746/1450] Further increase coverage of PDA class

---
 .../syntax_check/PDATest.java                 | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index e4877d94..8fa107f6 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -73,6 +73,42 @@ public class PDATest {
         assertTrue(check.isValid());
     }
 
+    @Test
+    public void testOPSSignedEncryptedMessageIsValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.EncryptedData);
+        check.next(InputAlphabet.Signature);
+        check.next(InputAlphabet.EndOfSequence);
+        assertTrue(check.isValid());
+    }
+
+    @Test
+    public void anyInputAfterEOSIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.LiteralData);
+        check.next(InputAlphabet.EndOfSequence);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.Signature));
+    }
+
+    @Test
+    public void testEncryptedMessageWithAppendedStandalongSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.EncryptedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.Signature));
+    }
+
+    @Test
+    public void testOPSSignedEncryptedMessageWithMissingSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.EncryptedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.EndOfSequence));
+    }
+
     @Test
     public void testTwoLiteralDataIsNotValid() {
         PDA check = new PDA();
@@ -89,6 +125,48 @@ public class PDATest {
                 () -> check.next(InputAlphabet.Signature));
     }
 
+    @Test
+    public void testOPSAloneIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.EndOfSequence));
+    }
+
+    @Test
+    public void testOPSLitWithMissingSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.LiteralData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.EndOfSequence));
+    }
+
+    @Test
+    public void testCompressedMessageWithStandalongAppendedSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.CompressedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.Signature));
+    }
+
+    @Test
+    public void testOPSCompressedDataWithMissingSigIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputAlphabet.CompressedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.EndOfSequence));
+    }
+
+    @Test
+    public void testCompressedMessageFollowedByTrailingLiteralDataIsNotValid() {
+        PDA check = new PDA();
+        check.next(InputAlphabet.CompressedData);
+        assertThrows(MalformedOpenPgpMessageException.class,
+                () -> check.next(InputAlphabet.LiteralData));
+    }
+
     @Test
     public void testOPSWithPrependedSigIsValid() {
         PDA check = new PDA();

From 3f8653cf2ea831d9d68bc40f6d1b72cd510d8531 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 21 Oct 2022 16:16:45 +0200
Subject: [PATCH 0747/1450] Fix CRCing test and fully depend on new stream for
 decryption

---
 .../DecryptionBuilder.java                    |   2 +-
 .../MessageMetadata.java                      |  22 ++-
 .../OpenPgpMessageInputStream.java            | 152 +++++++++++++-----
 .../TeeBCPGInputStream.java                   |  14 +-
 .../OpenPgpMessageInputStreamTest.java        |   2 +-
 5 files changed, 137 insertions(+), 55 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
index 68a68847..0baf4124 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
@@ -31,7 +31,7 @@ public class DecryptionBuilder implements DecryptionBuilderInterface {
                 throw new IllegalArgumentException("Consumer options cannot be null.");
             }
 
-            return DecryptionStreamFactory.create(inputStream, consumerOptions);
+            return OpenPgpMessageInputStream.create(inputStream, consumerOptions);
         }
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 59f8052a..7811578e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -164,19 +164,35 @@ public class MessageMetadata {
     }
 
     public String getFilename() {
-        return findLiteralData().getFileName();
+        LiteralData literalData = findLiteralData();
+        if (literalData == null) {
+            return null;
+        }
+        return literalData.getFileName();
     }
 
     public Date getModificationDate() {
-        return findLiteralData().getModificationDate();
+        LiteralData literalData = findLiteralData();
+        if (literalData == null) {
+            return null;
+        }
+        return literalData.getModificationDate();
     }
 
     public StreamEncoding getFormat() {
-        return findLiteralData().getFormat();
+        LiteralData literalData = findLiteralData();
+        if (literalData == null) {
+            return null;
+        }
+        return literalData.getFormat();
     }
 
     private LiteralData findLiteralData() {
         Nested nested = message.child;
+        if (nested == null) {
+            return null;
+        }
+
         while (nested.hasNestedChild()) {
             Layer layer = (Layer) nested;
             nested = layer.child;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a2fa2351..dee59058 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -37,6 +37,8 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
+import org.bouncycastle.util.io.Streams;
+import org.bouncycastle.util.io.TeeInputStream;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.EncryptionPurpose;
@@ -79,32 +81,87 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     // Options to consume the data
     protected final ConsumerOptions options;
+
+    private final Policy policy;
     // Pushdown Automaton to verify validity of OpenPGP packet sequence in an OpenPGP message
     protected final PDA syntaxVerifier = new PDA();
     // InputStream of OpenPGP packets
     protected TeeBCPGInputStream packetInputStream;
-    // InputStream of a nested data packet
+    // InputStream of a data packet containing nested data
     protected InputStream nestedInputStream;
 
     private boolean closed = false;
 
     private final Signatures signatures;
     private final MessageMetadata.Layer metadata;
-    private final Policy policy;
 
-    public OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+    /**
+     * Create an {@link OpenPgpMessageInputStream} suitable for decryption and verification of
+     * OpenPGP messages and signatures.
+     * This constructor will use the global PGPainless {@link Policy}.
+     *
+     * @param inputStream underlying input stream
+     * @param options options for consuming the stream
+     *
+     * @throws IOException in case of an IO error
+     * @throws PGPException in case of an OpenPGP error
+     */
+    public static OpenPgpMessageInputStream create(@Nonnull InputStream inputStream,
                                      @Nonnull ConsumerOptions options)
             throws IOException, PGPException {
-        this(inputStream, options, PGPainless.getPolicy());
+        return create(inputStream, options, PGPainless.getPolicy());
     }
 
-    public OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
+    /**
+     * Create an {@link OpenPgpMessageInputStream} suitable for decryption and verification of
+     * OpenPGP messages and signatures.
+     *
+     * @param inputStream underlying input stream containing the OpenPGP message
+     * @param options options for consuming the message
+     * @param policy policy for acceptable algorithms etc.
+     *
+     * @throws PGPException in case of an OpenPGP error
+     * @throws IOException in case of an IO error
+     */
+    public static OpenPgpMessageInputStream create(@Nonnull InputStream inputStream,
                                      @Nonnull ConsumerOptions options,
                                      @Nonnull Policy policy)
             throws PGPException, IOException {
-        this(
-                prepareInputStream(inputStream, options, policy),
-                options, new MessageMetadata.Message(), policy);
+        return create(inputStream, options, new MessageMetadata.Message(), policy);
+    }
+
+    protected static OpenPgpMessageInputStream create(@Nonnull InputStream inputStream,
+                                                      @Nonnull ConsumerOptions options,
+                                                      @Nonnull MessageMetadata.Layer metadata,
+                                                      @Nonnull Policy policy)
+            throws IOException, PGPException {
+        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
+        openPgpIn.reset();
+
+        if (openPgpIn.isNonOpenPgp() || options.isForceNonOpenPgpData()) {
+            return new OpenPgpMessageInputStream(Type.non_openpgp,
+                    openPgpIn, options, metadata, policy);
+        }
+
+        if (openPgpIn.isBinaryOpenPgp()) {
+            // Simply consume OpenPGP message
+            return new OpenPgpMessageInputStream(Type.standard,
+                    openPgpIn, options, metadata, policy);
+        }
+
+        if (openPgpIn.isAsciiArmored()) {
+            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
+            if (armorIn.isClearText()) {
+                return new OpenPgpMessageInputStream(Type.cleartext_signed,
+                        armorIn, options, metadata, policy);
+            } else {
+                // Simply consume dearmored OpenPGP message
+                return new OpenPgpMessageInputStream(Type.standard,
+                        armorIn, options, metadata, policy);
+            }
+        } else {
+            throw new AssertionError("Huh?");
+        }
     }
 
     protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
@@ -131,52 +188,56 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         consumePackets();
     }
 
-    protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
-                                        @Nonnull Policy policy,
-                                        @Nonnull ConsumerOptions options) {
+    enum Type {
+        standard,
+        cleartext_signed,
+        non_openpgp
+    }
+
+    protected OpenPgpMessageInputStream(@Nonnull Type type,
+                                        @Nonnull InputStream inputStream,
+                                        @Nonnull ConsumerOptions options,
+                                        @Nonnull MessageMetadata.Layer metadata,
+                                        @Nonnull Policy policy) throws PGPException, IOException {
         super(OpenPgpMetadata.getBuilder());
         this.policy = policy;
         this.options = options;
-        this.metadata = new MessageMetadata.Message();
+        this.metadata = metadata;
         this.signatures = new Signatures(options);
-        this.signatures.addDetachedSignatures(options.getDetachedSignatures());
-        this.packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
-    }
 
-    private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options, Policy policy)
-            throws IOException, PGPException {
-        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
-        openPgpIn.reset();
-
-        if (openPgpIn.isBinaryOpenPgp()) {
-            return openPgpIn;
+        if (metadata instanceof MessageMetadata.Message) {
+            this.signatures.addDetachedSignatures(options.getDetachedSignatures());
         }
 
-        if (openPgpIn.isAsciiArmored()) {
-            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
-            if (armorIn.isClearText()) {
-                return parseCleartextSignedMessage(armorIn, options, policy);
-            } else {
-                return armorIn;
-            }
-        } else {
-            return openPgpIn;
+        switch (type) {
+            case standard:
+                // tee out packet bytes for signature verification
+                packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), this.signatures);
+
+                // *omnomnom*
+                consumePackets();
+                break;
+            case cleartext_signed:
+                MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
+                PGPSignatureList detachedSignatures = ClearsignedMessageUtil
+                        .detachSignaturesFromInbandClearsignedMessage(
+                                inputStream, multiPassStrategy.getMessageOutputStream());
+
+                for (PGPSignature signature : detachedSignatures) {
+                    options.addVerificationOfDetachedSignature(signature);
+                }
+
+                options.forceNonOpenPgpData();
+                packetInputStream = null;
+                nestedInputStream = new TeeInputStream(multiPassStrategy.getMessageInputStream(), this.signatures);
+                break;
+            case non_openpgp:
+                packetInputStream = null;
+                nestedInputStream = new TeeInputStream(inputStream, this.signatures);
+                break;
         }
     }
 
-    private static DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn, ConsumerOptions options, Policy policy)
-            throws IOException, PGPException {
-        MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
-        PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
-
-        for (PGPSignature signature : signatures) {
-            options.addVerificationOfDetachedSignature(signature);
-        }
-
-        options.forceNonOpenPgpData();
-        return new OpenPgpMessageInputStream(multiPassStrategy.getMessageInputStream(), policy, options);
-    }
-
     /**
      * Consume OpenPGP packets from the current {@link BCPGInputStream}.
      * Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
@@ -196,6 +257,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     private void consumePackets()
             throws IOException, PGPException {
         OpenPgpPacket nextPacket;
+        if (packetInputStream == null) {
+            return;
+        }
 
         loop: // we break this when we go deeper.
         while ((nextPacket = packetInputStream.nextPacketTag()) != null) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index 2efcfc43..1ca1b3f9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -4,6 +4,11 @@
 
 package org.pgpainless.decryption_verification;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.NoSuchElementException;
+
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.MarkerPacket;
 import org.bouncycastle.bcpg.Packet;
@@ -15,11 +20,6 @@ import org.bouncycastle.openpgp.PGPOnePassSignature;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.pgpainless.algorithm.OpenPgpPacket;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.NoSuchElementException;
-
 /**
  * Since we need to update signatures with data from the underlying stream, this class is used to tee out the data.
  * Unfortunately we cannot simply override {@link BCPGInputStream#read()} to tee the data out though, since
@@ -96,7 +96,6 @@ public class TeeBCPGInputStream {
         return markerPacket;
     }
 
-
     public void close() throws IOException {
         this.packetInputStream.close();
         this.delayedTee.close();
@@ -122,6 +121,9 @@ public class TeeBCPGInputStream {
                 last = inputStream.read();
                 return last;
             } catch (IOException e) {
+                if ("crc check failed in armored message.".equals(e.getMessage())) {
+                    throw e;
+                }
                 return -1;
             }
         }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index a8969047..f9539149 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -677,7 +677,7 @@ public class OpenPgpMessageInputStreamTest {
             throws IOException, PGPException {
         ByteArrayInputStream bytesIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(bytesIn);
-        OpenPgpMessageInputStream pgpIn = new OpenPgpMessageInputStream(armorIn, options);
+        OpenPgpMessageInputStream pgpIn = OpenPgpMessageInputStream.create(armorIn, options);
         return pgpIn;
     }
 }

From e281143d4873f4f2d3f2623b57471a622c54dba3 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 21 Oct 2022 16:17:30 +0200
Subject: [PATCH 0748/1450] Delete old DecryptionStreamFactory

---
 .../DecryptionStreamFactory.java              | 692 ------------------
 1 file changed, 692 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
deleted file mode 100644
index 451750ee..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ /dev/null
@@ -1,692 +0,0 @@
-// SPDX-FileCopyrightText: 2018 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.NoSuchElementException;
-import java.util.Set;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-
-import org.bouncycastle.bcpg.ArmoredInputStream;
-import org.bouncycastle.openpgp.PGPCompressedData;
-import org.bouncycastle.openpgp.PGPEncryptedData;
-import org.bouncycastle.openpgp.PGPEncryptedDataList;
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPLiteralData;
-import org.bouncycastle.openpgp.PGPObjectFactory;
-import org.bouncycastle.openpgp.PGPOnePassSignature;
-import org.bouncycastle.openpgp.PGPOnePassSignatureList;
-import org.bouncycastle.openpgp.PGPPBEEncryptedData;
-import org.bouncycastle.openpgp.PGPPrivateKey;
-import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSessionKey;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
-import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
-import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
-import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.CompressionAlgorithm;
-import org.pgpainless.algorithm.EncryptionPurpose;
-import org.pgpainless.algorithm.StreamEncoding;
-import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
-import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
-import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
-import org.pgpainless.exception.FinalIOException;
-import org.pgpainless.exception.MessageNotIntegrityProtectedException;
-import org.pgpainless.exception.MissingDecryptionMethodException;
-import org.pgpainless.exception.MissingLiteralDataException;
-import org.pgpainless.exception.MissingPassphraseException;
-import org.pgpainless.exception.SignatureValidationException;
-import org.pgpainless.exception.UnacceptableAlgorithmException;
-import org.pgpainless.implementation.ImplementationFactory;
-import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.info.KeyRingInfo;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.key.protection.UnlockSecretKey;
-import org.pgpainless.signature.SignatureUtils;
-import org.pgpainless.signature.consumer.SignatureCheck;
-import org.pgpainless.signature.consumer.OnePassSignatureCheck;
-import org.pgpainless.util.ArmoredInputStreamFactory;
-import org.pgpainless.util.Passphrase;
-import org.pgpainless.util.SessionKey;
-import org.pgpainless.util.Tuple;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public final class DecryptionStreamFactory {
-
-
-    private static final Logger LOGGER = LoggerFactory.getLogger(DecryptionStreamFactory.class);
-    // Maximum nesting depth of packets (e.g. compression, encryption...)
-    private static final int MAX_PACKET_NESTING_DEPTH = 16;
-
-    private final ConsumerOptions options;
-    private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
-    private final List onePassSignatureChecks = new ArrayList<>();
-    private final List signatureChecks = new ArrayList<>();
-    private final Map onePassSignaturesWithMissingCert = new HashMap<>();
-
-    private static final PGPContentVerifierBuilderProvider verifierBuilderProvider =
-            ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider();
-    private IntegrityProtectedInputStream integrityProtectedEncryptedInputStream;
-
-
-    public static DecryptionStream create(@Nonnull InputStream inputStream,
-                                          @Nonnull ConsumerOptions options)
-            throws PGPException, IOException {
-        OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(inputStream);
-        openPgpInputStream.reset();
-        if (openPgpInputStream.isBinaryOpenPgp()) {
-            return new OpenPgpMessageInputStream(openPgpInputStream, options);
-        } else if (openPgpInputStream.isAsciiArmored()) {
-            ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpInputStream);
-            if (armorIn.isClearText()) {
-                return createOld(openPgpInputStream, options);
-            } else {
-                return new OpenPgpMessageInputStream(armorIn, options);
-            }
-        } else if (openPgpInputStream.isNonOpenPgp()) {
-            return createOld(openPgpInputStream, options);
-        } else {
-            throw new IOException("What?");
-        }
-    }
-
-    public static DecryptionStream createOld(@Nonnull InputStream inputStream,
-                                             @Nonnull ConsumerOptions options) throws IOException, PGPException {
-        DecryptionStreamFactory factory = new DecryptionStreamFactory(options);
-        OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
-        return factory.parseOpenPGPDataAndCreateDecryptionStream(openPgpIn);
-    }
-
-    public DecryptionStreamFactory(ConsumerOptions options) {
-        this.options = options;
-        initializeDetachedSignatures(options.getDetachedSignatures());
-    }
-
-    private void initializeDetachedSignatures(Set signatures) {
-        for (PGPSignature signature : signatures) {
-            long issuerKeyId = SignatureUtils.determineIssuerKeyId(signature);
-            PGPPublicKeyRing signingKeyRing = findSignatureVerificationKeyRing(issuerKeyId);
-            if (signingKeyRing == null) {
-                SignatureValidationException ex = new SignatureValidationException(
-                        "Missing verification certificate " + Long.toHexString(issuerKeyId));
-                resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, null), ex);
-                continue;
-            }
-            PGPPublicKey signingKey = signingKeyRing.getPublicKey(issuerKeyId);
-            SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
-            try {
-                signature.init(verifierBuilderProvider, signingKey);
-                SignatureCheck detachedSignature =
-                        new SignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
-                signatureChecks.add(detachedSignature);
-            } catch (PGPException e) {
-                SignatureValidationException ex = new SignatureValidationException(
-                        "Cannot verify detached signature made by " + signingKeyIdentifier + ".", e);
-                resultBuilder.addInvalidDetachedSignature(new SignatureVerification(signature, signingKeyIdentifier), ex);
-            }
-        }
-    }
-
-    private DecryptionStream parseOpenPGPDataAndCreateDecryptionStream(OpenPgpInputStream openPgpIn)
-            throws IOException, PGPException {
-
-        InputStream pgpInStream;
-        InputStream outerDecodingStream;
-        PGPObjectFactory objectFactory;
-
-        // Non-OpenPGP data. We are probably verifying detached signatures
-        if (openPgpIn.isNonOpenPgp() || options.isForceNonOpenPgpData()) {
-            outerDecodingStream = openPgpIn;
-            pgpInStream = wrapInVerifySignatureStream(outerDecodingStream, null);
-            return new DecryptionStreamImpl(pgpInStream, resultBuilder, integrityProtectedEncryptedInputStream, null);
-        }
-
-        // Data appears to be OpenPGP message,
-        //  or we handle it as such, since user provided a session-key for decryption
-        if (openPgpIn.isLikelyOpenPgpMessage() ||
-                (openPgpIn.isBinaryOpenPgp() && options.getSessionKey() != null)) {
-            outerDecodingStream = openPgpIn;
-            objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
-            // Parse OpenPGP message
-            pgpInStream = processPGPPackets(objectFactory, 1);
-            return new DecryptionStreamImpl(pgpInStream,
-                    resultBuilder, integrityProtectedEncryptedInputStream, null);
-        }
-
-        if (openPgpIn.isAsciiArmored()) {
-            ArmoredInputStream armoredInputStream = ArmoredInputStreamFactory.get(openPgpIn);
-            if (armoredInputStream.isClearText()) {
-                resultBuilder.setCleartextSigned();
-                return parseCleartextSignedMessage(armoredInputStream);
-            } else {
-                outerDecodingStream = armoredInputStream;
-                objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(outerDecodingStream);
-                // Parse OpenPGP message
-                pgpInStream = processPGPPackets(objectFactory, 1);
-                return new DecryptionStreamImpl(pgpInStream,
-                        resultBuilder, integrityProtectedEncryptedInputStream,
-                        outerDecodingStream);
-            }
-        }
-
-        throw new PGPException("Not sure how to handle the input stream.");
-    }
-
-    private DecryptionStreamImpl parseCleartextSignedMessage(ArmoredInputStream armorIn)
-            throws IOException, PGPException {
-        resultBuilder.setCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
-                .setFileEncoding(StreamEncoding.TEXT);
-
-        MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
-        PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
-
-        for (PGPSignature signature : signatures) {
-            options.addVerificationOfDetachedSignature(signature);
-        }
-
-        initializeDetachedSignatures(options.getDetachedSignatures());
-
-        InputStream verifyIn = wrapInVerifySignatureStream(multiPassStrategy.getMessageInputStream(), null);
-        return new DecryptionStreamImpl(verifyIn, resultBuilder, integrityProtectedEncryptedInputStream,
-                null);
-    }
-
-    private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
-        return new SignatureInputStream.VerifySignatures(
-                bufferedIn, objectFactory, onePassSignatureChecks,
-                onePassSignaturesWithMissingCert, signatureChecks, options,
-                resultBuilder);
-    }
-
-    private InputStream processPGPPackets(@Nonnull PGPObjectFactory objectFactory, int depth)
-            throws IOException, PGPException {
-        if (depth >= MAX_PACKET_NESTING_DEPTH) {
-            throw new PGPException("Maximum depth of nested packages exceeded.");
-        }
-        Object nextPgpObject;
-        try {
-            while ((nextPgpObject = objectFactory.nextObject()) != null) {
-                if (nextPgpObject instanceof PGPEncryptedDataList) {
-                    return processPGPEncryptedDataList((PGPEncryptedDataList) nextPgpObject, depth);
-                }
-                if (nextPgpObject instanceof PGPCompressedData) {
-                    return processPGPCompressedData((PGPCompressedData) nextPgpObject, depth);
-                }
-                if (nextPgpObject instanceof PGPOnePassSignatureList) {
-                    return processOnePassSignatureList(objectFactory, (PGPOnePassSignatureList) nextPgpObject, depth);
-                }
-                if (nextPgpObject instanceof PGPLiteralData) {
-                    return processPGPLiteralData(objectFactory, (PGPLiteralData) nextPgpObject, depth);
-                }
-            }
-        } catch (FinalIOException e) {
-            throw e;
-        } catch (IOException e) {
-            if (depth == 1 && e.getMessage().contains("invalid armor")) {
-                throw e;
-            }
-            if (depth == 1 && e.getMessage().contains("unknown object in stream:")) {
-                throw new MissingLiteralDataException("No Literal Data Packet found.");
-            } else {
-                throw new FinalIOException(e);
-            }
-        }
-
-        throw new MissingLiteralDataException("No Literal Data Packet found");
-    }
-
-    private InputStream processPGPEncryptedDataList(PGPEncryptedDataList pgpEncryptedDataList, int depth)
-            throws PGPException, IOException {
-        LOGGER.debug("Depth {}: Encountered PGPEncryptedDataList", depth);
-
-        SessionKey sessionKey = options.getSessionKey();
-        if (sessionKey != null) {
-            integrityProtectedEncryptedInputStream = decryptWithProvidedSessionKey(pgpEncryptedDataList, sessionKey);
-            PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(integrityProtectedEncryptedInputStream);
-            return processPGPPackets(factory, ++depth);
-        }
-
-        InputStream decryptedDataStream = decryptSessionKey(pgpEncryptedDataList);
-        PGPObjectFactory factory = ImplementationFactory.getInstance().getPGPObjectFactory(decryptedDataStream);
-        return processPGPPackets(factory, ++depth);
-    }
-
-    private IntegrityProtectedInputStream decryptWithProvidedSessionKey(
-            PGPEncryptedDataList pgpEncryptedDataList,
-            SessionKey sessionKey)
-            throws PGPException {
-        SessionKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                .getSessionKeyDataDecryptorFactory(sessionKey);
-        InputStream decryptedDataStream = null;
-        PGPEncryptedData encryptedData = null;
-        for (PGPEncryptedData pgpEncryptedData : pgpEncryptedDataList) {
-            encryptedData = pgpEncryptedData;
-            if (!options.isIgnoreMDCErrors() && !encryptedData.isIntegrityProtected()) {
-                throw new MessageNotIntegrityProtectedException();
-            }
-
-            if (encryptedData instanceof PGPPBEEncryptedData) {
-                PGPPBEEncryptedData pbeEncrypted = (PGPPBEEncryptedData) encryptedData;
-                decryptedDataStream = pbeEncrypted.getDataStream(decryptorFactory);
-                break;
-            } else if (encryptedData instanceof PGPPublicKeyEncryptedData) {
-                PGPPublicKeyEncryptedData pkEncrypted = (PGPPublicKeyEncryptedData) encryptedData;
-                decryptedDataStream = pkEncrypted.getDataStream(decryptorFactory);
-                break;
-            }
-        }
-
-        if (decryptedDataStream == null) {
-            throw new PGPException("No valid PGP data encountered.");
-        }
-
-        resultBuilder.setSessionKey(sessionKey);
-        throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
-        integrityProtectedEncryptedInputStream =
-                new IntegrityProtectedInputStream(decryptedDataStream, encryptedData, options);
-        return integrityProtectedEncryptedInputStream;
-    }
-
-    private InputStream processPGPCompressedData(PGPCompressedData pgpCompressedData, int depth)
-            throws PGPException, IOException {
-        try {
-            CompressionAlgorithm compressionAlgorithm = CompressionAlgorithm.requireFromId(pgpCompressedData.getAlgorithm());
-            LOGGER.debug("Depth {}: Encountered PGPCompressedData: {}", depth, compressionAlgorithm);
-            resultBuilder.setCompressionAlgorithm(compressionAlgorithm);
-        } catch (NoSuchElementException e) {
-            throw new PGPException("Unknown compression algorithm encountered.", e);
-        }
-
-        InputStream inflatedDataStream = pgpCompressedData.getDataStream();
-        PGPObjectFactory objectFactory = ImplementationFactory.getInstance().getPGPObjectFactory(inflatedDataStream);
-
-        return processPGPPackets(objectFactory, ++depth);
-    }
-
-    private InputStream processOnePassSignatureList(
-            @Nonnull PGPObjectFactory objectFactory,
-            PGPOnePassSignatureList onePassSignatures,
-            int depth)
-            throws PGPException, IOException {
-        LOGGER.debug("Depth {}: Encountered PGPOnePassSignatureList of size {}", depth, onePassSignatures.size());
-        initOnePassSignatures(onePassSignatures);
-        return processPGPPackets(objectFactory, depth);
-    }
-
-    private InputStream processPGPLiteralData(
-            @Nonnull PGPObjectFactory objectFactory,
-            PGPLiteralData pgpLiteralData,
-            int depth) {
-        LOGGER.debug("Depth {}: Found PGPLiteralData", depth);
-        InputStream literalDataInputStream = pgpLiteralData.getInputStream();
-
-        resultBuilder.setFileName(pgpLiteralData.getFileName())
-                .setModificationDate(pgpLiteralData.getModificationTime())
-                .setFileEncoding(StreamEncoding.requireFromCode(pgpLiteralData.getFormat()));
-
-        if (onePassSignatureChecks.isEmpty() && onePassSignaturesWithMissingCert.isEmpty()) {
-            LOGGER.debug("No OnePassSignatures found -> We are done");
-            return literalDataInputStream;
-        }
-
-        return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory,
-                onePassSignatureChecks, onePassSignaturesWithMissingCert, signatureChecks, options, resultBuilder) {
-        };
-    }
-
-    private InputStream decryptSessionKey(@Nonnull PGPEncryptedDataList encryptedDataList)
-            throws PGPException {
-        Iterator encryptedDataIterator = encryptedDataList.getEncryptedDataObjects();
-        if (!encryptedDataIterator.hasNext()) {
-            throw new PGPException("Decryption failed - EncryptedDataList has no items");
-        }
-
-        PGPPrivateKey decryptionKey = null;
-        PGPPublicKeyEncryptedData encryptedSessionKey = null;
-
-        List passphraseProtected = new ArrayList<>();
-        List publicKeyProtected = new ArrayList<>();
-        List> postponedDueToMissingPassphrase = new ArrayList<>();
-
-        // Sort PKESK and SKESK packets
-        while (encryptedDataIterator.hasNext()) {
-            PGPEncryptedData encryptedData = encryptedDataIterator.next();
-
-            if (!encryptedData.isIntegrityProtected() && !options.isIgnoreMDCErrors()) {
-                throw new MessageNotIntegrityProtectedException();
-            }
-
-            // SKESK
-            if (encryptedData instanceof PGPPBEEncryptedData) {
-                passphraseProtected.add((PGPPBEEncryptedData) encryptedData);
-            }
-            // PKESK
-            else if (encryptedData instanceof PGPPublicKeyEncryptedData) {
-                publicKeyProtected.add((PGPPublicKeyEncryptedData) encryptedData);
-            }
-        }
-
-        // Try decryption with passphrases first
-        for (PGPPBEEncryptedData pbeEncryptedData : passphraseProtected) {
-            for (Passphrase passphrase : options.getDecryptionPassphrases()) {
-                PBEDataDecryptorFactory passphraseDecryptor = ImplementationFactory.getInstance()
-                        .getPBEDataDecryptorFactory(passphrase);
-                try {
-                    InputStream decryptedDataStream = pbeEncryptedData.getDataStream(passphraseDecryptor);
-
-                    PGPSessionKey pgpSessionKey = pbeEncryptedData.getSessionKey(passphraseDecryptor);
-                    SessionKey sessionKey = new SessionKey(pgpSessionKey);
-                    resultBuilder.setSessionKey(sessionKey);
-
-                    throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
-
-                    integrityProtectedEncryptedInputStream =
-                            new IntegrityProtectedInputStream(decryptedDataStream, pbeEncryptedData, options);
-
-                    return integrityProtectedEncryptedInputStream;
-                } catch (PGPException e) {
-                    LOGGER.debug("Probable passphrase mismatch, skip PBE encrypted data block", e);
-                }
-            }
-        }
-
-        // Try custom PublicKeyDataDecryptorFactories (e.g. hardware-backed).
-        Map customFactories = options.getCustomDecryptorFactories();
-        for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
-            Long keyId = publicKeyEncryptedData.getKeyID();
-            if (!customFactories.containsKey(keyId)) {
-                continue;
-            }
-
-            PublicKeyDataDecryptorFactory decryptorFactory = customFactories.get(keyId);
-            try {
-                InputStream decryptedDataStream = publicKeyEncryptedData.getDataStream(decryptorFactory);
-                PGPSessionKey pgpSessionKey = publicKeyEncryptedData.getSessionKey(decryptorFactory);
-                SessionKey sessionKey = new SessionKey(pgpSessionKey);
-                resultBuilder.setSessionKey(sessionKey);
-
-                throwIfAlgorithmIsRejected(sessionKey.getAlgorithm());
-
-                integrityProtectedEncryptedInputStream =
-                        new IntegrityProtectedInputStream(decryptedDataStream, publicKeyEncryptedData, options);
-
-                return integrityProtectedEncryptedInputStream;
-            } catch (PGPException e) {
-                LOGGER.debug("Decryption with custom PublicKeyDataDecryptorFactory failed", e);
-            }
-        }
-
-        // Then try decryption with public key encryption
-        for (PGPPublicKeyEncryptedData publicKeyEncryptedData : publicKeyProtected) {
-            PGPPrivateKey privateKey = null;
-            if (options.getDecryptionKeys().isEmpty()) {
-                break;
-            }
-
-            long keyId = publicKeyEncryptedData.getKeyID();
-            // Wildcard KeyID
-            if (keyId == 0L) {
-                LOGGER.debug("Hidden recipient detected. Try to decrypt with all available secret keys.");
-                for (PGPSecretKeyRing secretKeys : options.getDecryptionKeys()) {
-                    if (privateKey != null) {
-                        break;
-                    }
-                    KeyRingInfo info = new KeyRingInfo(secretKeys);
-                    List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY);
-                    for (PGPPublicKey pubkey : encryptionSubkeys) {
-                        PGPSecretKey secretKey = secretKeys.getSecretKey(pubkey.getKeyID());
-                        // Skip missing secret key
-                        if (secretKey == null) {
-                            continue;
-                        }
-
-                        privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData,
-                                postponedDueToMissingPassphrase, true);
-                    }
-                }
-            }
-            // Non-wildcard key-id
-            else {
-                LOGGER.debug("PGPEncryptedData is encrypted for key {}", Long.toHexString(keyId));
-                resultBuilder.addRecipientKeyId(keyId);
-
-                PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId);
-                if (secretKeys == null) {
-                    LOGGER.debug("Missing certificate of {}. Skip.", Long.toHexString(keyId));
-                    continue;
-                }
-
-                // Make sure that the recipient key is encryption capable and non-expired
-                KeyRingInfo info = new KeyRingInfo(secretKeys);
-                List encryptionSubkeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY);
-
-                PGPSecretKey secretKey = null;
-                for (PGPPublicKey pubkey : encryptionSubkeys) {
-                    if (pubkey.getKeyID() == keyId) {
-                        secretKey = secretKeys.getSecretKey(keyId);
-                        break;
-                    }
-                }
-
-                if (secretKey == null) {
-                    LOGGER.debug("Key " + Long.toHexString(keyId) + " is not valid or not capable for decryption.");
-                } else {
-                    privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData,
-                            postponedDueToMissingPassphrase, true);
-                }
-            }
-            if (privateKey == null) {
-                continue;
-            }
-            decryptionKey = privateKey;
-            encryptedSessionKey = publicKeyEncryptedData;
-            break;
-        }
-
-        // Try postponed keys with missing passphrases (will cause missing passphrase callbacks to fire)
-        if (encryptedSessionKey == null) {
-
-            if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.THROW_EXCEPTION) {
-                // Non-interactive mode: Throw an exception with all locked decryption keys
-                Set keyIds = new HashSet<>();
-                for (Tuple k : postponedDueToMissingPassphrase) {
-                    keyIds.add(k.getA());
-                }
-                if (!keyIds.isEmpty()) {
-                    throw new MissingPassphraseException(keyIds);
-                }
-            }
-            else if (options.getMissingKeyPassphraseStrategy() == MissingKeyPassphraseStrategy.INTERACTIVE) {
-                // Interactive mode: Fire protector callbacks to get passphrases interactively
-                for (Tuple missingPassphrases : postponedDueToMissingPassphrase) {
-                    SubkeyIdentifier keyId = missingPassphrases.getA();
-                    PGPPublicKeyEncryptedData publicKeyEncryptedData = missingPassphrases.getB();
-                    PGPSecretKeyRing secretKeys = findDecryptionKeyRing(keyId.getKeyId());
-                    PGPSecretKey secretKey = secretKeys.getSecretKey(keyId.getSubkeyId());
-
-                    PGPPrivateKey privateKey = tryPublicKeyDecryption(secretKeys, secretKey, publicKeyEncryptedData,
-                            postponedDueToMissingPassphrase, false);
-                    if (privateKey == null) {
-                        continue;
-                    }
-
-                    decryptionKey = privateKey;
-                    encryptedSessionKey = publicKeyEncryptedData;
-                    break;
-                }
-            } else {
-                throw new IllegalStateException("Invalid PostponedKeysStrategy set in consumer options.");
-            }
-
-        }
-
-        return decryptWith(encryptedSessionKey, decryptionKey);
-    }
-
-    /**
-     * Try decryption of the provided public-key-encrypted-data using the given secret key.
-     * If the secret key is encrypted and the secret key protector does not have a passphrase available and the boolean
-     * postponeIfMissingPassphrase is true, data decryption is postponed by pushing a tuple of the encrypted data decryption key
-     * identifier to the postponed list.
-     *
-     * This method only returns a non-null private key, if the private key is able to decrypt the message successfully.
-     *
-     * @param secretKeys secret key ring
-     * @param secretKey secret key
-     * @param publicKeyEncryptedData encrypted data which is tried to decrypt using the secret key
-     * @param postponed list of postponed decryptions due to missing secret key passphrases
-     * @param postponeIfMissingPassphrase flag to specify whether missing secret key passphrases should result in postponed decryption
-     * @return private key if decryption is successful, null if decryption is unsuccessful or postponed
-     *
-     * @throws PGPException in case of an OpenPGP error
-     */
-    private PGPPrivateKey tryPublicKeyDecryption(
-            PGPSecretKeyRing secretKeys,
-            PGPSecretKey secretKey,
-            PGPPublicKeyEncryptedData publicKeyEncryptedData,
-            List> postponed,
-            boolean postponeIfMissingPassphrase) throws PGPException {
-        SecretKeyRingProtector protector = options.getSecretKeyProtector(secretKeys);
-
-        if (postponeIfMissingPassphrase && !protector.hasPassphraseFor(secretKey.getKeyID())) {
-            // Postpone decryption with key with missing passphrase
-            SubkeyIdentifier identifier = new SubkeyIdentifier(secretKeys, secretKey.getKeyID());
-            postponed.add(new Tuple<>(identifier, publicKeyEncryptedData));
-            return null;
-        }
-
-        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(
-                secretKey, protector.getDecryptor(secretKey.getKeyID()));
-
-        // test if we have the right private key
-        PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                .getPublicKeyDataDecryptorFactory(privateKey);
-        try {
-            publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory); // will only succeed if we have the right secret key
-            LOGGER.debug("Found correct decryption key {}.", Long.toHexString(secretKey.getKeyID()));
-            resultBuilder.setDecryptionKey(new SubkeyIdentifier(secretKeys, privateKey.getKeyID()));
-            return privateKey;
-        } catch (PGPException | ClassCastException e) {
-            return null;
-        }
-    }
-
-    private InputStream decryptWith(PGPPublicKeyEncryptedData encryptedSessionKey, PGPPrivateKey decryptionKey)
-            throws PGPException {
-        if (decryptionKey == null || encryptedSessionKey == null) {
-            throw new MissingDecryptionMethodException("Decryption failed - No suitable decryption key or passphrase found");
-        }
-
-        PublicKeyDataDecryptorFactory dataDecryptor = ImplementationFactory.getInstance()
-                .getPublicKeyDataDecryptorFactory(decryptionKey);
-
-        PGPSessionKey pgpSessionKey = encryptedSessionKey.getSessionKey(dataDecryptor);
-        SessionKey sessionKey = new SessionKey(pgpSessionKey);
-        resultBuilder.setSessionKey(sessionKey);
-
-        SymmetricKeyAlgorithm symmetricKeyAlgorithm = sessionKey.getAlgorithm();
-        if (symmetricKeyAlgorithm == SymmetricKeyAlgorithm.NULL) {
-            LOGGER.debug("Message is unencrypted");
-        } else {
-            LOGGER.debug("Message is encrypted using {}", symmetricKeyAlgorithm);
-        }
-        throwIfAlgorithmIsRejected(symmetricKeyAlgorithm);
-
-        integrityProtectedEncryptedInputStream = new IntegrityProtectedInputStream(
-                encryptedSessionKey.getDataStream(dataDecryptor), encryptedSessionKey, options);
-        return integrityProtectedEncryptedInputStream;
-    }
-
-    private void throwIfAlgorithmIsRejected(SymmetricKeyAlgorithm algorithm)
-            throws UnacceptableAlgorithmException {
-        if (!PGPainless.getPolicy().getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) {
-            throw new UnacceptableAlgorithmException("Data is "
-                    + (algorithm == SymmetricKeyAlgorithm.NULL ?
-                    "unencrypted" :
-                    "encrypted with symmetric algorithm " + algorithm) + " which is not acceptable as per PGPainless' policy.\n" +
-                    "To mark this algorithm as acceptable, use PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy().");
-        }
-    }
-
-    private void initOnePassSignatures(@Nonnull PGPOnePassSignatureList onePassSignatureList)
-            throws PGPException {
-        Iterator iterator = onePassSignatureList.iterator();
-        if (!iterator.hasNext()) {
-            throw new PGPException("Verification failed - No OnePassSignatures found");
-        }
-
-        processOnePassSignatures(iterator);
-    }
-
-    private void processOnePassSignatures(Iterator signatures)
-            throws PGPException {
-        while (signatures.hasNext()) {
-            PGPOnePassSignature signature = signatures.next();
-            processOnePassSignature(signature);
-        }
-    }
-
-    private void processOnePassSignature(PGPOnePassSignature signature)
-            throws PGPException {
-        final long keyId = signature.getKeyID();
-
-        LOGGER.debug("Encountered OnePassSignature from {}", Long.toHexString(keyId));
-
-        // Find public key
-        PGPPublicKeyRing verificationKeyRing = findSignatureVerificationKeyRing(keyId);
-        if (verificationKeyRing == null) {
-            onePassSignaturesWithMissingCert.put(keyId, new OnePassSignatureCheck(signature, null));
-            return;
-        }
-        PGPPublicKey verificationKey = verificationKeyRing.getPublicKey(keyId);
-
-        signature.init(verifierBuilderProvider, verificationKey);
-        OnePassSignatureCheck onePassSignature = new OnePassSignatureCheck(signature, verificationKeyRing);
-        onePassSignatureChecks.add(onePassSignature);
-    }
-
-    private PGPSecretKeyRing findDecryptionKeyRing(long keyId) {
-        for (PGPSecretKeyRing key : options.getDecryptionKeys()) {
-            if (key.getSecretKey(keyId) != null) {
-                return key;
-            }
-        }
-        return null;
-    }
-
-    private PGPPublicKeyRing findSignatureVerificationKeyRing(long keyId) {
-        PGPPublicKeyRing verificationKeyRing = null;
-        for (PGPPublicKeyRing publicKeyRing : options.getCertificates()) {
-            PGPPublicKey verificationKey = publicKeyRing.getPublicKey(keyId);
-            if (verificationKey != null) {
-                LOGGER.debug("Found public key {} for signature verification", Long.toHexString(keyId));
-                verificationKeyRing = publicKeyRing;
-                break;
-            }
-        }
-
-        if (verificationKeyRing == null && options.getMissingCertificateCallback() != null) {
-            verificationKeyRing = options.getMissingCertificateCallback().onMissingPublicKeyEncountered(keyId);
-        }
-
-        return verificationKeyRing;
-    }
-}

From aa398f9963a7704c0da74c9227b561f495f85fcf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 17:49:30 +0200
Subject: [PATCH 0749/1450] Only check message integrity once

---
 .../IntegrityProtectedInputStream.java                | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
index 4da52d0f..286160e8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
@@ -11,12 +11,17 @@ import javax.annotation.Nonnull;
 import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPException;
 import org.pgpainless.exception.ModificationDetectionException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class IntegrityProtectedInputStream extends InputStream {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(IntegrityProtectedInputStream.class);
+
     private final InputStream inputStream;
     private final PGPEncryptedData encryptedData;
     private final ConsumerOptions options;
+    private boolean closed = false;
 
     public IntegrityProtectedInputStream(InputStream inputStream, PGPEncryptedData encryptedData, ConsumerOptions options) {
         this.inputStream = inputStream;
@@ -36,11 +41,17 @@ public class IntegrityProtectedInputStream extends InputStream {
 
     @Override
     public void close() throws IOException {
+        if (closed) {
+            return;
+        }
+        closed = true;
+
         if (encryptedData.isIntegrityProtected() && !options.isIgnoreMDCErrors()) {
             try {
                 if (!encryptedData.verify()) {
                     throw new ModificationDetectionException();
                 }
+                LOGGER.debug("Integrity Protection check passed");
             } catch (PGPException e) {
                 throw new IOException("Failed to verify integrity protection", e);
             }

From e0b21457931aa024a93ff02aa020e7f3022a4e44 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 17:56:33 +0200
Subject: [PATCH 0750/1450] Fix more tests

---
 .../OpenPgpMessageInputStream.java            | 76 ++++++++++++++-----
 .../TeeBCPGInputStream.java                   |  1 -
 2 files changed, 59 insertions(+), 18 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index dee59058..de80f7ff 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -4,7 +4,6 @@
 
 package org.pgpainless.decryption_verification;
 
-import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -37,7 +36,6 @@ import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
-import org.bouncycastle.util.io.Streams;
 import org.bouncycastle.util.io.TeeInputStream;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
@@ -210,6 +208,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         switch (type) {
+
             case standard:
                 // tee out packet bytes for signature verification
                 packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), this.signatures);
@@ -217,20 +216,22 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 // *omnomnom*
                 consumePackets();
                 break;
+
             case cleartext_signed:
+                resultBuilder.setCleartextSigned();
                 MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
                 PGPSignatureList detachedSignatures = ClearsignedMessageUtil
                         .detachSignaturesFromInbandClearsignedMessage(
                                 inputStream, multiPassStrategy.getMessageOutputStream());
 
                 for (PGPSignature signature : detachedSignatures) {
-                    options.addVerificationOfDetachedSignature(signature);
+                    signatures.addDetachedSignature(signature);
                 }
 
                 options.forceNonOpenPgpData();
-                packetInputStream = null;
                 nestedInputStream = new TeeInputStream(multiPassStrategy.getMessageInputStream(), this.signatures);
                 break;
+
             case non_openpgp:
                 packetInputStream = null;
                 nestedInputStream = new TeeInputStream(inputStream, this.signatures);
@@ -348,14 +349,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 metadata.depth + 1);
         LOGGER.debug("Compressed Data Packet (" + compressionLayer.algorithm + ") at depth " + metadata.depth + " encountered");
         InputStream decompressed = compressedData.getDataStream();
-        nestedInputStream = new OpenPgpMessageInputStream(buffer(decompressed), options, compressionLayer, policy);
+        nestedInputStream = new OpenPgpMessageInputStream(decompressed, options, compressionLayer, policy);
     }
 
     private void processOnePassSignature() throws PGPException, IOException {
         syntaxVerifier.next(InputAlphabet.OnePassSignature);
         PGPOnePassSignature onePassSignature = packetInputStream.readOnePassSignature();
         LOGGER.debug("One-Pass-Signature Packet by key " + KeyIdUtil.formatKeyId(onePassSignature.getKeyID()) +
-                "at depth " + metadata.depth + " encountered");
+                " at depth " + metadata.depth + " encountered");
         signatures.addOnePassSignature(onePassSignature);
     }
 
@@ -434,7 +435,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     InputStream decrypted = skesk.getDataStream(decryptorFactory);
                     encryptedData.sessionKey = sessionKey;
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                    nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
                     LOGGER.debug("Successfully decrypted data with provided session key");
                     return true;
                 } else if (esk instanceof PGPPublicKeyEncryptedData) {
@@ -442,7 +443,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     InputStream decrypted = pkesk.getDataStream(decryptorFactory);
                     encryptedData.sessionKey = sessionKey;
                     IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+                    nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
                     LOGGER.debug("Successfully decrypted data with provided session key");
                     return true;
                 } else {
@@ -579,7 +580,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             encryptedData.sessionKey = sessionKey;
             LOGGER.debug("Successfully decrypted data with passphrase");
             IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
-            nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+            nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
             throw e;
@@ -606,7 +607,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             LOGGER.debug("Successfully decrypted data with key " + decryptionKeyId);
             IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-            nestedInputStream = new OpenPgpMessageInputStream(buffer(integrityProtected), options, encryptedData, policy);
+            nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
             throw e;
@@ -631,10 +632,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
     }
 
-    private static InputStream buffer(InputStream inputStream) {
-        return new BufferedInputStream(inputStream);
-    }
-
     private List> findPotentialDecryptionKeys(PGPPublicKeyEncryptedData pkesk) {
         int algorithm = pkesk.getAlgorithm();
         List> decryptionKeyCandidates = new ArrayList<>();
@@ -665,7 +662,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     @Override
     public int read() throws IOException {
         if (nestedInputStream == null) {
-            syntaxVerifier.assertValid();
+            if (packetInputStream != null) {
+                syntaxVerifier.assertValid();
+            }
             return -1;
         }
 
@@ -699,7 +698,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     @Override
     public int read(@Nonnull byte[] b, int off, int len)
             throws IOException {
-
         if (nestedInputStream == null) {
             if (packetInputStream != null) {
                 syntaxVerifier.assertValid();
@@ -768,6 +766,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         if (!closed) {
             throw new IllegalStateException("Stream must be closed before access to metadata can be granted.");
         }
+
         return new MessageMetadata((MessageMetadata.Message) metadata);
     }
 
@@ -857,6 +856,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         final Stack> opsUpdateStack;
         List literalOPS = new ArrayList<>();
         final List correspondingSignatures;
+        final List prependedSignaturesWithMissingCert = new ArrayList<>();
+        final List inbandSignaturesWithMissingCert = new ArrayList<>();
+        final List detachedSignaturesWithMissingCert = new ArrayList<>();
         boolean isLiteral = true;
 
         private Signatures(ConsumerOptions options) {
@@ -876,15 +878,29 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         void addDetachedSignature(PGPSignature signature) {
             SignatureCheck check = initializeSignature(signature);
+            long keyId = SignatureUtils.determineIssuerKeyId(signature);
             if (check != null) {
                 detachedSignatures.add(check);
+            } else {
+                LOGGER.debug("No suitable certificate for verification of signature by key " + KeyIdUtil.formatKeyId(keyId) + " found.");
+                this.detachedSignaturesWithMissingCert.add(new SignatureVerification.Failure(
+                        new SignatureVerification(signature, null),
+                        new SignatureValidationException("Missing verification key")
+                ));
             }
         }
 
         void addPrependedSignature(PGPSignature signature) {
             SignatureCheck check = initializeSignature(signature);
+            long keyId = SignatureUtils.determineIssuerKeyId(signature);
             if (check != null) {
                 this.prependedSignatures.add(check);
+            } else {
+                LOGGER.debug("No suitable certificate for verification of signature by key " + KeyIdUtil.formatKeyId(keyId) + " found.");
+                this.prependedSignaturesWithMissingCert.add(new SignatureVerification.Failure(
+                        new SignatureVerification(signature, null),
+                        new SignatureValidationException("Missing verification key")
+                ));
             }
         }
 
@@ -916,11 +932,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
+            boolean found = false;
+            long keyId = SignatureUtils.determineIssuerKeyId(signature);
             for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
                 OnePassSignatureCheck onePassSignature = onePassSignatures.get(i);
-                if (onePassSignature.getOnePassSignature().getKeyID() != signature.getKeyID()) {
+                if (onePassSignature.getOnePassSignature().getKeyID() != keyId) {
                     continue;
                 }
+                found = true;
 
                 if (onePassSignature.getSignature() != null) {
                     continue;
@@ -942,6 +961,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 }
                 break;
             }
+
+            if (!found) {
+                LOGGER.debug("No suitable certificate for verification of signature by key " + KeyIdUtil.formatKeyId(keyId) + " found.");
+                inbandSignaturesWithMissingCert.add(new SignatureVerification.Failure(
+                        new SignatureVerification(signature, null),
+                        new SignatureValidationException("Missing verification key.")));
+            }
         }
 
         void enterNesting() {
@@ -983,6 +1009,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     return cert;
                 }
             }
+
+            if (options.getMissingCertificateCallback() != null) {
+                return options.getMissingCertificateCallback().onMissingPublicKeyEncountered(keyId);
+            }
             return null; // TODO: Missing cert for sig
         }
 
@@ -1066,6 +1096,18 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
                 }
             }
+
+            for (SignatureVerification.Failure rejected : inbandSignaturesWithMissingCert) {
+                layer.addRejectedOnePassSignature(rejected);
+            }
+
+            for (SignatureVerification.Failure rejected : prependedSignaturesWithMissingCert) {
+                layer.addRejectedPrependedSignature(rejected);
+            }
+
+            for (SignatureVerification.Failure rejected : detachedSignaturesWithMissingCert) {
+                layer.addRejectedDetachedSignature(rejected);
+            }
         }
 
         @Override
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index 1ca1b3f9..bbcf593e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -98,7 +98,6 @@ public class TeeBCPGInputStream {
 
     public void close() throws IOException {
         this.packetInputStream.close();
-        this.delayedTee.close();
     }
 
     public static class DelayedTeeInputStreamInputStream extends InputStream {

From 8097c87b7f8d3f9e310965cf79566db4a5d60663 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 18:30:40 +0200
Subject: [PATCH 0751/1450] Fix last two broken tests

---
 .../OpenPgpMessageInputStream.java            | 31 ++++++++++++-------
 .../org/pgpainless/key/util/KeyRingUtils.java | 11 +++++++
 2 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index de80f7ff..11a61e8c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -9,6 +9,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -60,12 +61,13 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.key.util.KeyIdUtil;
+import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
+import org.pgpainless.signature.consumer.CertificateValidator;
 import org.pgpainless.signature.consumer.OnePassSignatureCheck;
 import org.pgpainless.signature.consumer.SignatureCheck;
 import org.pgpainless.signature.consumer.SignatureValidator;
-import org.pgpainless.signature.consumer.SignatureVerifier;
 import org.pgpainless.util.ArmoredInputStreamFactory;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
@@ -654,7 +656,16 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             if (decryptionKey == null) {
                 continue;
             }
-            return secretKeys;
+            
+            KeyRingInfo info = new KeyRingInfo(secretKeys, policy, new Date());
+            List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY);
+            for (PGPPublicKey key : encryptionKeys) {
+                if (key.getKeyID() == keyID) {
+                    return secretKeys;
+                }
+            }
+
+            LOGGER.debug("Subkey " + Long.toHexString(keyID) + " cannot be used for decryption.");
         }
         return null;
     }
@@ -951,8 +962,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 try {
                     SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
-                            .verify(signature);
-                    SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
+                        .verify(signature);
+                    CertificateValidator.validateCertificateAndVerifyOnePassSignature(onePassSignature, policy);
                     LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedOnePassSignature(verification);
                 } catch (SignatureValidationException e) {
@@ -1068,10 +1079,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 try {
                     SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
                             .verify(detached.getSignature());
-                    SignatureVerifier.verifyInitializedSignature(
-                            detached.getSignature(),
-                            detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
-                            policy, detached.getSignature().getCreationTime());
+                    CertificateValidator.validateCertificateAndVerifyInitializedSignature(
+                            detached.getSignature(), KeyRingUtils.publicKeys(detached.getSigningKeyRing()), policy);
                     LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedDetachedSignature(verification);
                 } catch (SignatureValidationException e) {
@@ -1085,10 +1094,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 try {
                     SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
                             .verify(prepended.getSignature());
-                    SignatureVerifier.verifyInitializedSignature(
-                            prepended.getSignature(),
-                            prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),
-                            policy, prepended.getSignature().getCreationTime());
+                    CertificateValidator.validateCertificateAndVerifyInitializedSignature(
+                            prepended.getSignature(), KeyRingUtils.publicKeys(prepended.getSigningKeyRing()), policy);
                     LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedPrependedSignature(verification);
                 } catch (SignatureValidationException e) {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 013e283e..2ce058fd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -144,6 +144,17 @@ public final class KeyRingUtils {
         return secretKey;
     }
 
+    @Nonnull
+    public static PGPPublicKeyRing publicKeys(@Nonnull PGPKeyRing keys) {
+        if (keys instanceof PGPPublicKeyRing) {
+            return (PGPPublicKeyRing) keys;
+        } else if (keys instanceof PGPSecretKeyRing) {
+            return publicKeyRingFrom((PGPSecretKeyRing) keys);
+        } else {
+            throw new IllegalArgumentException("Unknown keys class: " + keys.getClass().getName());
+        }
+    }
+
     /**
      * Extract a {@link PGPPublicKeyRing} containing all public keys from the provided {@link PGPSecretKeyRing}.
      *

From a013ab4ebbc3803dcf513897b1cabb1d8620b4d0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 18:32:56 +0200
Subject: [PATCH 0752/1450] Wrap MalformedOpenPgpMessageException in BadData

---
 .../decryption_verification/OpenPgpMessageInputStream.java     | 2 +-
 .../src/main/java/org/pgpainless/sop/DecryptImpl.java          | 3 ++-
 .../src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java   | 3 ++-
 .../src/main/java/org/pgpainless/sop/InlineVerifyImpl.java     | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 11a61e8c..f081e021 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -656,7 +656,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             if (decryptionKey == null) {
                 continue;
             }
-            
+
             KeyRingInfo info = new KeyRingInfo(secretKeys, policy, new Date());
             List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY);
             for (PGPPublicKey key : encryptionKeys) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 11b20f82..ee86f5e8 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -23,6 +23,7 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.util.Passphrase;
@@ -123,7 +124,7 @@ public class DecryptImpl implements Decrypt {
             throw new SOPGPException.CannotDecrypt("No usable decryption key or password provided.", e);
         } catch (WrongPassphraseException e) {
             throw new SOPGPException.KeyIsProtected();
-        } catch (PGPException | IOException e) {
+        } catch (MalformedOpenPgpMessageException | PGPException | IOException e) {
             throw new SOPGPException.BadData(e);
         } finally {
             // Forget passphrases after decryption
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 3065addf..b563e704 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -18,6 +18,7 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import sop.Verification;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedVerify;
@@ -82,7 +83,7 @@ public class DetachedVerifyImpl implements DetachedVerify {
             }
 
             return verificationList;
-        } catch (PGPException e) {
+        } catch (MalformedOpenPgpMessageException | PGPException e) {
             throw new SOPGPException.BadData(e);
         }
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 81d614cf..4948712c 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -19,6 +19,7 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import sop.ReadyWithResult;
 import sop.Verification;
@@ -82,7 +83,7 @@ public class InlineVerifyImpl implements InlineVerify {
                     return verificationList;
                 } catch (MissingDecryptionMethodException e) {
                     throw new SOPGPException.BadData("Cannot verify encrypted message.", e);
-                } catch (PGPException e) {
+                } catch (MalformedOpenPgpMessageException | PGPException e) {
                     throw new SOPGPException.BadData(e);
                 }
             }

From 192aa9832621ec759f08656681d7a0c6340f8a63 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 18:38:30 +0200
Subject: [PATCH 0753/1450] Add missing REUSE license headers

---
 .../pgpainless/decryption_verification/DecryptionStream.java  | 4 ++++
 .../OpenPgpMessageInputStreamTest.java                        | 4 ++++
 .../decryption_verification/syntax_check/PDATest.java         | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
index c531f487..0f221ad7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification;
 
 import javax.annotation.Nonnull;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index f9539149..d2c62fb2 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index 8fa107f6..9250acfa 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification.syntax_check;
 
 import static org.junit.jupiter.api.Assertions.assertThrows;

From 7e8841abf3097a569ff4e9e5285c26adf635b4b0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Oct 2022 19:23:52 +0200
Subject: [PATCH 0754/1450] Handle unknown packet versions gracefully

---
 .../OpenPgpMessageInputStream.java            |   9 +-
 .../UnsupportedPacketVersionsTest.java        | 410 ++++++++++++++++++
 2 files changed, 418 insertions(+), 1 deletion(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index f081e021..75b78294 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -18,6 +18,7 @@ import javax.annotation.Nonnull;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
 import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPEncryptedData;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
@@ -366,7 +367,13 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         // true if Signature corresponds to OnePassSignature
         boolean isSigForOPS = syntaxVerifier.peekStack() == StackAlphabet.ops;
         syntaxVerifier.next(InputAlphabet.Signature);
-        PGPSignature signature = packetInputStream.readSignature();
+        PGPSignature signature;
+        try {
+            signature = packetInputStream.readSignature();
+        } catch (UnsupportedPacketVersionException e) {
+            LOGGER.debug("Unsupported Signature at depth " + metadata.depth + " encountered.", e);
+            return;
+        }
         long keyId = SignatureUtils.determineIssuerKeyId(signature);
         if (isSigForOPS) {
             LOGGER.debug("Signature Packet corresponding to One-Pass-Signature by key " +
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java
new file mode 100644
index 00000000..68916348
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java
@@ -0,0 +1,410 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.charset.Charset;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+
+public class UnsupportedPacketVersionsTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Comment: Bob's OpenPGP Transferable Secret Key\n" +
+            "\n" +
+            "lQVYBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
+            "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
+            "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
+            "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
+            "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
+            "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
+            "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
+            "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
+            "vLIwa3T4CyshfT0AEQEAAQAL/RZqbJW2IqQDCnJi4Ozm++gPqBPiX1RhTWSjwxfM\n" +
+            "cJKUZfzLj414rMKm6Jh1cwwGY9jekROhB9WmwaaKT8HtcIgrZNAlYzANGRCM4TLK\n" +
+            "3VskxfSwKKna8l+s+mZglqbAjUg3wmFuf9Tj2xcUZYmyRm1DEmcN2ZzpvRtHgX7z\n" +
+            "Wn1mAKUlSDJZSQks0zjuMNbupcpyJokdlkUg2+wBznBOTKzgMxVNC9b2g5/tMPUs\n" +
+            "hGGWmF1UH+7AHMTaS6dlmr2ZBIyogdnfUqdNg5sZwsxSNrbglKP4sqe7X61uEAIQ\n" +
+            "bD7rT3LonLbhkrj3I8wilUD8usIwt5IecoHhd9HziqZjRCc1BUBkboUEoyedbDV4\n" +
+            "i4qfsFZ6CEWoLuD5pW7dEp0M+WeuHXO164Rc+LnH6i1VQrpb1Okl4qO6ejIpIjBI\n" +
+            "1t3GshtUu/mwGBBxs60KBX5g77mFQ9lLCRj8lSYqOsHRKBhUp4qM869VA+fD0BRP\n" +
+            "fqPT0I9IH4Oa/A3jYJcg622GwQYA1LhnP208Waf6PkQSJ6kyr8ymY1yVh9VBE/g6\n" +
+            "fRDYA+pkqKnw9wfH2Qho3ysAA+OmVOX8Hldg+Pc0Zs0e5pCavb0En8iFLvTA0Q2E\n" +
+            "LR5rLue9uD7aFuKFU/VdcddY9Ww/vo4k5p/tVGp7F8RYCFn9rSjIWbfvvZi1q5Tx\n" +
+            "+akoZbga+4qQ4WYzB/obdX6SCmi6BndcQ1QdjCCQU6gpYx0MddVERbIp9+2SXDyL\n" +
+            "hpxjSyz+RGsZi/9UAshT4txP4+MZBgDfK3ZqtW+h2/eMRxkANqOJpxSjMyLO/FXN\n" +
+            "WxzTDYeWtHNYiAlOwlQZEPOydZFty9IVzzNFQCIUCGjQ/nNyhw7adSgUk3+BXEx/\n" +
+            "MyJPYY0BYuhLxLYcrfQ9nrhaVKxRJj25SVHj2ASsiwGJRZW4CC3uw40OYxfKEvNC\n" +
+            "mer/VxM3kg8qqGf9KUzJ1dVdAvjyx2Hz6jY2qWCyRQ6IMjWHyd43C4r3jxooYKUC\n" +
+            "YnstRQyb/gCSKahveSEjo07CiXMr88UGALwzEr3npFAsPW3osGaFLj49y1oRe11E\n" +
+            "he9gCHFm+fuzbXrWmdPjYU5/ZdqdojzDqfu4ThfnipknpVUM1o6MQqkjM896FHm8\n" +
+            "zbKVFSMhEP6DPHSCexMFrrSgN03PdwHTO6iBaIBBFqmGY01tmJ03SxvSpiBPON9P\n" +
+            "NVvy/6UZFedTq8A07OUAxO62YUSNtT5pmK2vzs3SAZJmbFbMh+NN204TRI72GlqT\n" +
+            "t5hcfkuv8hrmwPS/ZR6q312mKQ6w/1pqO9qitCFCb2IgQmFiYmFnZSA8Ym9iQG9w\n" +
+            "ZW5wZ3AuZXhhbXBsZT6JAc4EEwEKADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC\n" +
+            "F4AWIQTRpm4aI7GCyZgPeIz7/MgqAV5zMAUCXaWe+gAKCRD7/MgqAV5zMG9sC/9U\n" +
+            "2T3RrqEbw533FPNfEflhEVRIZ8gDXKM8hU6cqqEzCmzZT6xYTe6sv4y+PJBGXJFX\n" +
+            "yhj0g6FDkSyboM5litOcTupURObVqMgA/Y4UKERznm4fzzH9qek85c4ljtLyNufe\n" +
+            "doL2pp3vkGtn7eD0QFRaLLmnxPKQ/TlZKdLE1G3u8Uot8QHicaR6GnAdc5UXQJE3\n" +
+            "BiV7jZuDyWmZ1cUNwJkKL6oRtp+ZNDOQCrLNLecKHcgCqrpjSQG5oouba1I1Q6Vl\n" +
+            "sP44dhA1nkmLHtxlTOzpeHj4jnk1FaXmyasurrrI5CgU/L2Oi39DGKTH/A/cywDN\n" +
+            "4ZplIQ9zR8enkbXquUZvFDe+Xz+6xRXtb5MwQyWODB3nHw85HocLwRoIN9WdQEI+\n" +
+            "L8a/56AuOwhs8llkSuiITjR7r9SgKJC2WlAHl7E8lhJ3VDW3ELC56KH308d6mwOG\n" +
+            "ZRAqIAKzM1T5FGjMBhq7ZV0eqdEntBh3EcOIfj2M8rg1MzJv+0mHZOIjByawikad\n" +
+            "BVgEXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90YNBj+xS1ldGD\n" +
+            "bUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pzh0LzrBrVNHar\n" +
+            "29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4PIp1DU9ewcc2\n" +
+            "WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+D9LiTWcxdUPB\n" +
+            "leu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYOiEFBJ9lbb4te\n" +
+            "g9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t0c91kbNE5lgj\n" +
+            "Z7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLsT7Vr1QMX9jzn\n" +
+            "JtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH970TGYOe2aUcSx\n" +
+            "IRDMXDOPyzEfjwARAQABAAv9F2CwsjS+Sjh1M1vegJbZjei4gF1HHpEM0K0PSXsp\n" +
+            "SfVvpR4AoSJ4He6CXSMWg0ot8XKtDuZoV9jnJaES5UL9pMAD7JwIOqZm/DYVJM5h\n" +
+            "OASCh1c356/wSbFbzRHPtUdZO9Q30WFNJM5pHbCJPjtNoRmRGkf71RxtvHBzy7np\n" +
+            "Ga+W6U/NVKHw0i0CYwMI0YlKDakYW3Pm+QL+gHZFvngGweTod0f9l2VLLAmeQR/c\n" +
+            "+EZs7lNumhuZ8mXcwhUc9JQIhOkpO+wreDysEFkAcsKbkQP3UDUsA1gFx9pbMzT0\n" +
+            "tr1oZq2a4QBtxShHzP/ph7KLpN+6qtjks3xB/yjTgaGmtrwM8tSe0wD1RwXS+/1o\n" +
+            "BHpXTnQ7TfeOGUAu4KCoOQLv6ELpKWbRBLWuiPwMdbGpvVFALO8+kvKAg9/r+/ny\n" +
+            "zM2GQHY+J3Jh5JxPiJnHfXNZjIKLbFbIPdSKNyJBuazXW8xIa//mEHMI5OcvsZBK\n" +
+            "clAIp7LXzjEjKXIwHwDcTn9pBgDpdOKTHOtJ3JUKx0rWVsDH6wq6iKV/FTVSY5jl\n" +
+            "zN+puOEsskF1Lfxn9JsJihAVO3yNsp6RvkKtyNlFazaCVKtDAmkjoh60XNxcNRqr\n" +
+            "gCnwdpbgdHP6v/hvZY54ZaJjz6L2e8unNEkYLxDt8cmAyGPgH2XgL7giHIp9jrsQ\n" +
+            "aS381gnYwNX6wE1aEikgtY91nqJjwPlibF9avSyYQoMtEqM/1UjTjB2KdD/MitK5\n" +
+            "fP0VpvuXpNYZedmyq4UOMwdkiNMGAOrfmOeT0olgLrTMT5H97Cn3Yxbk13uXHNu/\n" +
+            "ZUZZNe8s+QtuLfUlKAJtLEUutN33TlWQY522FV0m17S+b80xJib3yZVJteVurrh5\n" +
+            "HSWHAM+zghQAvCesg5CLXa2dNMkTCmZKgCBvfDLZuZbjFwnwCI6u/NhOY9egKuUf\n" +
+            "SA/je/RXaT8m5VxLYMxwqQXKApzD87fv0tLPlVIEvjEsaf992tFEFSNPcG1l/jpd\n" +
+            "5AVXw6kKuf85UkJtYR1x2MkQDrqY1QX/XMw00kt8y9kMZUre19aCArcmor+hDhRJ\n" +
+            "E3Gt4QJrD9z/bICESw4b4z2DbgD/Xz9IXsA/r9cKiM1h5QMtXvuhyfVeM01enhxM\n" +
+            "GbOH3gjqqGNKysx0UODGEwr6AV9hAd8RWXMchJLaExK9J5SRawSg671ObAU24SdY\n" +
+            "vMQ9Z4kAQ2+1ReUZzf3ogSMRZtMT+d18gT6L90/y+APZIaoArLPhebIAGq39HLmJ\n" +
+            "26x3z0WAgrpA1kNsjXEXkoiZGPLKIGoe3hqJAbYEGAEKACAWIQTRpm4aI7GCyZgP\n" +
+            "eIz7/MgqAV5zMAUCXaWc8gIbDAAKCRD7/MgqAV5zMOn/C/9ugt+HZIwX308zI+QX\n" +
+            "c5vDLReuzmJ3ieE0DMO/uNSC+K1XEioSIZP91HeZJ2kbT9nn9fuReuoff0T0Dief\n" +
+            "rbwcIQQHFFkrqSp1K3VWmUGp2JrUsXFVdjy/fkBIjTd7c5boWljv/6wAsSfiv2V0\n" +
+            "JSM8EFU6TYXxswGjFVfc6X97tJNeIrXL+mpSmPPqy2bztcCCHkWS5lNLWQw+R7Vg\n" +
+            "71Fe6yBSNVrqC2/imYG2J9zlowjx1XU63Wdgqp2Wxt0l8OmsB/W80S1fRF5G4SDH\n" +
+            "s9HXglXXqPsBRZJYfP+VStm9L5P/sKjCcX6WtZR7yS6G8zj/X767MLK/djANvpPd\n" +
+            "NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91\n" +
+            "6we0CTfF8qqm7BsVAgalon/UUiuMY80U3ueoj3okiSTiHIjD/YtpXSPioC8nMng7\n" +
+            "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" +
+            "=miES\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    private static final String PKESK3_PKESK23_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv/YP+fDWtifT7KSk+tWrgbyvsYCt5Wh0IPESTZuiptwvto\n" +
+            "CGbOfwuPbqqzzlFqSvX3UiJwhxjSSB3a1EBIOsbhc4grip/wm+fB50S/nTJxkJ14\n" +
+            "qid40D7HOcIvuz1iQr1QoMNB0oT3nCwMec8mPUX2yOzx1eqr62SZUTCr6FdAmdYI\n" +
+            "1u4EAeEFhRO0rcPRrpMZqwkXtUfx+pu7OzBS0qmOlfkQ50kbETDXBik4iXi30AGl\n" +
+            "Ifo792oRo6DFK7ENquTNRqFPfezjrGZfkJrPWulWh28GogWTpOBwfXG8X262QoIp\n" +
+            "VwZygi7wfj1jh2sXPvWgHjsjjTt7HPAiLI1f6IUl8WCQfPuQkFwCwPv63/rve59v\n" +
+            "sBaeCEykAxdzMbP1oYSBBtONSAPYW9fsUsJSpuuLvxH252+luk09uQXWd6z4aCDm\n" +
+            "EXiolhbkzL3mXCpVP6nMjRkm2ERE1yAWgXGT9JON0gcCb3eVqw6wzOYu+Vwq70ND\n" +
+            "vKYlTMY+9RUx7wLn51UgwUoXQUFBQUFBQUEJYWFhYWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYdJMAQZo\n" +
+            "tUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNVCHg5QDO4\n" +
+            "wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=VS1M\n" +
+            "-----END PGP MESSAGE-----";
+
+    private static final String PKESK23_PKESK3_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wUoXQUFBQUFBQUEJYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYcHAzAN8L6pN+Tw3sgEL/2D/nw1r\n" +
+            "Yn0+ykpPrVq4G8r7GAreVodCDxEk2boqbcL7aAhmzn8Lj26qs85Rakr191IicIcY\n" +
+            "0kgd2tRASDrG4XOIK4qf8JvnwedEv50ycZCdeKoneNA+xznCL7s9YkK9UKDDQdKE\n" +
+            "95wsDHnPJj1F9sjs8dXqq+tkmVEwq+hXQJnWCNbuBAHhBYUTtK3D0a6TGasJF7VH\n" +
+            "8fqbuzswUtKpjpX5EOdJGxEw1wYpOIl4t9ABpSH6O/dqEaOgxSuxDarkzUahT33s\n" +
+            "46xmX5Caz1rpVodvBqIFk6TgcH1xvF9utkKCKVcGcoIu8H49Y4drFz71oB47I407\n" +
+            "exzwIiyNX+iFJfFgkHz7kJBcAsD7+t/673ufb7AWnghMpAMXczGz9aGEgQbTjUgD\n" +
+            "2FvX7FLCUqbri78R9udvpbpNPbkF1nes+Ggg5hF4qJYW5My95lwqVT+pzI0ZJthE\n" +
+            "RNcgFoFxk/STjdIHAm93lasOsMzmLvlcKu9DQ7ymJUzGPvUVMe8C5+dVINJMAQZo\n" +
+            "tUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNVCHg5QDO4\n" +
+            "wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=EhNy\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SKESK23_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv/YP+fDWtifT7KSk+tWrgbyvsYCt5Wh0IPESTZuiptwvto\n" +
+            "CGbOfwuPbqqzzlFqSvX3UiJwhxjSSB3a1EBIOsbhc4grip/wm+fB50S/nTJxkJ14\n" +
+            "qid40D7HOcIvuz1iQr1QoMNB0oT3nCwMec8mPUX2yOzx1eqr62SZUTCr6FdAmdYI\n" +
+            "1u4EAeEFhRO0rcPRrpMZqwkXtUfx+pu7OzBS0qmOlfkQ50kbETDXBik4iXi30AGl\n" +
+            "Ifo792oRo6DFK7ENquTNRqFPfezjrGZfkJrPWulWh28GogWTpOBwfXG8X262QoIp\n" +
+            "VwZygi7wfj1jh2sXPvWgHjsjjTt7HPAiLI1f6IUl8WCQfPuQkFwCwPv63/rve59v\n" +
+            "sBaeCEykAxdzMbP1oYSBBtONSAPYW9fsUsJSpuuLvxH252+luk09uQXWd6z4aCDm\n" +
+            "EXiolhbkzL3mXCpVP6nMjRkm2ERE1yAWgXGT9JON0gcCb3eVqw6wzOYu+Vwq70ND\n" +
+            "vKYlTMY+9RUx7wLn51Ugw00XCQMINQp7MFzAc6T/YWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYdJM\n" +
+            "AQZotUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNVCHg5\n" +
+            "QDO4wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=pvWj\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String SKESK23_PKESK3_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "w00XCQMINQp7MFzAc6T/YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYcHAzAN8L6pN+Tw3sgEL/2D/\n" +
+            "nw1rYn0+ykpPrVq4G8r7GAreVodCDxEk2boqbcL7aAhmzn8Lj26qs85Rakr191Ii\n" +
+            "cIcY0kgd2tRASDrG4XOIK4qf8JvnwedEv50ycZCdeKoneNA+xznCL7s9YkK9UKDD\n" +
+            "QdKE95wsDHnPJj1F9sjs8dXqq+tkmVEwq+hXQJnWCNbuBAHhBYUTtK3D0a6TGasJ\n" +
+            "F7VH8fqbuzswUtKpjpX5EOdJGxEw1wYpOIl4t9ABpSH6O/dqEaOgxSuxDarkzUah\n" +
+            "T33s46xmX5Caz1rpVodvBqIFk6TgcH1xvF9utkKCKVcGcoIu8H49Y4drFz71oB47\n" +
+            "I407exzwIiyNX+iFJfFgkHz7kJBcAsD7+t/673ufb7AWnghMpAMXczGz9aGEgQbT\n" +
+            "jUgD2FvX7FLCUqbri78R9udvpbpNPbkF1nes+Ggg5hF4qJYW5My95lwqVT+pzI0Z\n" +
+            "JthERNcgFoFxk/STjdIHAm93lasOsMzmLvlcKu9DQ7ymJUzGPvUVMe8C5+dVINJM\n" +
+            "AQZotUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNVCHg5\n" +
+            "QDO4wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=STOd\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SKESK4wS2K23_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv/YP+fDWtifT7KSk+tWrgbyvsYCt5Wh0IPESTZuiptwvto\n" +
+            "CGbOfwuPbqqzzlFqSvX3UiJwhxjSSB3a1EBIOsbhc4grip/wm+fB50S/nTJxkJ14\n" +
+            "qid40D7HOcIvuz1iQr1QoMNB0oT3nCwMec8mPUX2yOzx1eqr62SZUTCr6FdAmdYI\n" +
+            "1u4EAeEFhRO0rcPRrpMZqwkXtUfx+pu7OzBS0qmOlfkQ50kbETDXBik4iXi30AGl\n" +
+            "Ifo792oRo6DFK7ENquTNRqFPfezjrGZfkJrPWulWh28GogWTpOBwfXG8X262QoIp\n" +
+            "VwZygi7wfj1jh2sXPvWgHjsjjTt7HPAiLI1f6IUl8WCQfPuQkFwCwPv63/rve59v\n" +
+            "sBaeCEykAxdzMbP1oYSBBtONSAPYW9fsUsJSpuuLvxH252+luk09uQXWd6z4aCDm\n" +
+            "EXiolhbkzL3mXCpVP6nMjRkm2ERE1yAWgXGT9JON0gcCb3eVqw6wzOYu+Vwq70ND\n" +
+            "vKYlTMY+9RUx7wLn51Ugw1AECRcIYWFhYWFhYWFBQUFBYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YdJMAQZotUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNV\n" +
+            "CHg5QDO4wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=/uxY\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String SKESK4wS2K23_PKESK3_SEIP = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "w1AECRcIYWFhYWFhYWFBQUFBYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh\n" +
+            "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYcHAzAN8L6pN+Tw3sgEL\n" +
+            "/2D/nw1rYn0+ykpPrVq4G8r7GAreVodCDxEk2boqbcL7aAhmzn8Lj26qs85Rakr1\n" +
+            "91IicIcY0kgd2tRASDrG4XOIK4qf8JvnwedEv50ycZCdeKoneNA+xznCL7s9YkK9\n" +
+            "UKDDQdKE95wsDHnPJj1F9sjs8dXqq+tkmVEwq+hXQJnWCNbuBAHhBYUTtK3D0a6T\n" +
+            "GasJF7VH8fqbuzswUtKpjpX5EOdJGxEw1wYpOIl4t9ABpSH6O/dqEaOgxSuxDark\n" +
+            "zUahT33s46xmX5Caz1rpVodvBqIFk6TgcH1xvF9utkKCKVcGcoIu8H49Y4drFz71\n" +
+            "oB47I407exzwIiyNX+iFJfFgkHz7kJBcAsD7+t/673ufb7AWnghMpAMXczGz9aGE\n" +
+            "gQbTjUgD2FvX7FLCUqbri78R9udvpbpNPbkF1nes+Ggg5hF4qJYW5My95lwqVT+p\n" +
+            "zI0ZJthERNcgFoFxk/STjdIHAm93lasOsMzmLvlcKu9DQ7ymJUzGPvUVMe8C5+dV\n" +
+            "INJMAQZotUFmYcTQrd5IFriHbF8h/Ov/xKlkW1QOPrZ+ziMQRbwyY4pVwNbZjCNV\n" +
+            "CHg5QDO4wjF686DfZt83NvVYbJ7QNuENoI4YcFj8nw==\n" +
+            "=cIwV\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SEIP_OPS3_LIT_SIG4 = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv+IhkCMhbdRcMnIPZNPGU6OK1Jk5xuRdIEIBsvv7b8jmAr\n" +
+            "9IwjfnV/RDMtH+xR/T9K7qJGGFYnhLY5w0CmYHQcDKpcBqk0Dw6l/eKCNhgRXKAk\n" +
+            "gfaKL1Utt1Pw0nz0mOwHyPEN/pGc0xlVhsjVkRvIOsKcpfuc1EpSZMFgDcBQDhe/\n" +
+            "jAsR/MvRugkW8xLpyQyfeGLJUOEYVrkpam3rLKB1KywAgBmpr9WDwfYITW/VE9k5\n" +
+            "cKIOPMDJFU+u9lzBx6nSS4JRBuCO2mhR4gjcRaGPWiiz+0qZfS+AXYV/MAU5OwK/\n" +
+            "6nhX97zwS4r1Avztjh4taBhLVsY4pw6PuLtACJNwPrev63Yc+a4hJJ4pm1AnHV58\n" +
+            "Y1pZKQL8vA61+/tbhFQ18vbJ8E1NOka/euFLQu9Mg58jhpcscqMouyr3JFMwgH2Y\n" +
+            "eFuRJncJAKotXxlfnF37qz5LG3bamACXWZSObjp9d4quIAoCDUteZlDWQ1xq5R4y\n" +
+            "QYXtk9ZuHsHsmY9A0CiI0sGYAUBtLubJ5qhLLr/GqKAmy8jTSA3MjgtrB55NWj9J\n" +
+            "bjgFNsd1BNGklgnwhtmApHJWY8skAAQkJj0rXj/aOMc734ypiEWDiU1quRbEeRLR\n" +
+            "kDvBNUXx2j2rVF+MmQS/sm5Yk/op+4lH/Wounsci3qWH76GaNZoIlvNE3mdFoVTe\n" +
+            "cRh4W2Em8uAUH4bKwazltRJUhZmXvuGfUnQCmolJTpyPl4DaQQgzdBXLTRcPxwdU\n" +
+            "30e7HnxZWESKx1LnGxp3Oan1k1lXyHwvnEk26EXhve+dhsQ6YsKgvtSLNFqGsfKe\n" +
+            "MVOq37cpOGFQsYStWHZd0tcHjIjWmAeZ8kH+ZzR9tgYKxxjimsxafLS/lo415SkC\n" +
+            "LnOCz6hywI7CufSUcXUlHGJuobZ5HDJcygsQhQmNVLDmKh4xUJDZrORS0ciMy2kc\n" +
+            "XAnxCDYbltVQktc/F/Gl1lTx0UNmV5d9G0utVmxxGbXna3BLkB+6qMuux/ngC+cI\n" +
+            "+0GjeuXDVzUqhKDDC3Sq4T2nwix4CjKvawnHC+vpHzRmdZSkXz3nrSdhJS5JnOap\n" +
+            "I4CdyYkP3jQs5P03dkv5RZAoqNPkeftwadu0cjZj8HEC8bVSd7YCS/0Gbgvp/eK3\n" +
+            "aOXZAWhELyQON4bbXiWzMTcO2AA5soBmP2QnBNdq7NxbEkBec8aAXZiyXn17JYit\n" +
+            "HRtJ7beptXjN0y2bEhOvsBHbDpjGO22fZfQ0aywP2k4/XanDf4WJolEFgLj2Qp8F\n" +
+            "pw1Olc2UhApxhAqjkme09hggli3wUhthQrpBlmntfbvBcmmO+p/jV8Zn\n" +
+            "=Roko\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SEIP_OPS23_LIT_SIG23 = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv/byYGOehnfgZu/HJSSDEQhYE27lh5j+oQPktYBxsTI3Ii\n" +
+            "AJ0pyJggtUM3c/e6z4HioAs4oQiaH1eoGBIl7noROhHJgT6E/oKdHJHmQndo0gT7\n" +
+            "xzSHKrEZYEqT45LD6jT5teOiwGX/B7as6jaQOT+Nh+M0ZqpPrBdWDeUoY/I/lx9j\n" +
+            "IcXQUhKuqJwZ16xsnv0JJ80rdp5qv0g2NHT1hK1JEONyT2fefov3EXaSpQZHRBEi\n" +
+            "XfwToHcJrgemFoGwZBQhXsPWBgKH92aW6r7ZJZMQ4BE2SwqEw+cbaaqwfFRJ9puj\n" +
+            "ZUBi2JGwnYImZyD7jYverkjH05vI7d5qQDhCT6GPD8Q0WKfY225LFTj/zzbC23lp\n" +
+            "VLlbT2Ap8ZFOESpM+crOUaOguBhnTOF05s1eXhQYxIKzJTW8UVrzbwI8ut3BnEDj\n" +
+            "0aDqUR+QDYgYmz8hnEjanHk2McvfaNdV6uOPZNph2RuPzhZeoNcz1PLy+XPFJsQT\n" +
+            "EdqURJ2D35qmrBvq6klN0sGYAXEtW4hxMaKhH7/SIk2m3kUAChjtzr4XRcE2i8h3\n" +
+            "9uD6CRWxokArfRVAp5RpXt3ywoYrl1Mp5prVwWcrTzYVPZwwe/bYAFTIfavi0Ezb\n" +
+            "A/ah2e1EYCTWxLY0Klzil2Xw9/Dc/JPTRqzWJxIn0AU4DVfYNwlH3QimDUDKOKbu\n" +
+            "bw4bLEEBKRr5BcNMA2rJOw/n3AmKxQcdSFJh3ZNtDPWzRwflIzE2qB686hpeOs34\n" +
+            "T2iJcfr9W9rKcYI7+WYcZA3fWokaWUfXdWrPMXBVJuPdGezGLSfe/OM4kw/8s2vR\n" +
+            "Bk88WZ1ZiFXE2CRaHP80fHFpxAZioWTuC5UGhF7NgZ7Q1E85GaGVe1fQeqmeX3mo\n" +
+            "gwAWwq9WFhPQQPwdrDz+1h/pzD0RVW7D+zfWdF//vesc4z1Bpi5prbMdpVdmyvO9\n" +
+            "8Rcc42GtmhtYSB9SPjzPuN8PrWvD3AKgw5vQro6oiNh0TGmj5Se4lXCfRfCl4tak\n" +
+            "cmvdi+1wAvn5OFdxYKKHNvjavwj2SY70nx0ACasBpbMEwoQ0StZmOxCaofkgvEwN\n" +
+            "t8jMq/MVrIfunhMjx0/GDpBZBb8kze8zrvWxlbTnoIfh2yVEqmTZWue9HX5Mnh8P\n" +
+            "wexxNrPaafTjA3nUgXXzlItJ/Wa43pYw2sgcBPlF/jRKSFiD+pDLysqwpH0ANsJ3\n" +
+            "G7t8Qavq1DlrHFgV5jhfR1tjA5ohjxx7yzceQBvZUFxKM1WEWR+9dRb3bpfZJr0g\n" +
+            "qgO36bpCeCEej+ubXpXXTN28LQLXjQHlE2o1NGLoGl+G72tXOTx30kPS\n" +
+            "=wUZn\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SEIP_OPS23_OPS3_LIT_SIG4_SIG23 = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQwAmftqzbRiMRk7YbpJO7uqtWQIq2uZj7nYYOVpQgR777Zb\n" +
+            "QT1J3pbPoCceWFSuHH/D0IeP84T95O+A630dtj3ZWhh4EGnBIKm13R6bEA4jKtcx\n" +
+            "rK3HZyHo85N5TFn/gLOqCc2v/0cxUoygBqFpHFwBG/e4uuQoxgD4RsBGFrdYlyK7\n" +
+            "MMkZ/fgaKhawTCVQ2dtBcp6WvKX/8u6FXSh35zFJJTM30LE7BFDgWEyGPLv0bWnl\n" +
+            "37oCo8zcK+SIK4JooNm1ZxIowWTOxUz1pWPtmtGXA8XoGJtggXt+HpVxNE8bDCgV\n" +
+            "f717+R0HMwQKP4F50Wq3Js9ZJrPjRvXLeiZe6nvqn5AQCOsG8osIIg2YElyW/uIe\n" +
+            "C38OxaZbql297cYzzdEZtRYCTTY7j99pG8ZD1nNdd5IPm027dfPl+JJ5nzn/u3iT\n" +
+            "+FKxgArZ9cYkeEpNB+BfWoWyNfbA830s3Y+G5wt3s4cmH1z8JvDeepUYhyqvA/6M\n" +
+            "RInjwCUwSQCAuI+QhnPi0sOlAYOwkgN8RyqOP4vR4Kd1rJfm7rg2h40ag7tJtu5y\n" +
+            "YXa4sU9DLpspTYvYgzRtsNbYHrH+LFkQlpG+PFnJAI6Qn+Q1zZsZ2HbbK7GOZFug\n" +
+            "0wCg5E3DJQxBNlOx7h7xacpGb2QsmBTLUPvWFiYoq8He5XOx1MleLxO+E5l40kT4\n" +
+            "ZE8RxfRyVreQdp3rZ6RMiIfnM8VljMxteaLmaIzqsLTlvKlf1w2DBRL9reI2oCP6\n" +
+            "BukX8zba16ITsLELnuQ5L8EmQwcH8Yj8Mg37foyFHa2fIvZRg+0tz3b5nJKteWQn\n" +
+            "u/qR/RGNAXT1D/YBQ+Tgnq6qIUd4Da/XEXAi8R6FKprc2yqCNzMSA1wolaq2DUGJ\n" +
+            "ASyRN7uQJpVc1DlxTRTMQLpuoxljQtc6dmn/HKr7DF8jUKcM8cRk6PCqWd6PRYPq\n" +
+            "WJTiHh2FoyDaR5+HuSbRCOr7i9jZXh/TctM70itLIvQlw/x9WEm2ZxwS7+0mHMvP\n" +
+            "h9U4Wi70mfR0WllDNpWm5ZEeksoUF7aCQ2lVIQH8E6YGmWUSCYUgjgiIsfSqn9kh\n" +
+            "tG8WGCrM1sPSIzQG70d1fuirRg5H7oeVRTPzpYN/cSXqRULk31Z9RneXwgZZZgPB\n" +
+            "Q1hE3oJmP4LJEfRhL4P7TL2Xp+1Kvius53my2zKnVXoBNlAUHSdidXsd+xVaOEkE\n" +
+            "cNyhLg4cZmlyuz5Ew/NHPAD70Cd9qXQraOf3dqZ77yhG0y/FCwXxnnfW1FnTLe14\n" +
+            "3RWuNAFhbuNuYrXn0Zq+SFz3UnNNKMoNejwDcvkxxZ92KQXJcB7zCRnEehjBz/At\n" +
+            "iNgsVfiOVRxzzp12iV+ljtM8A3KJHnnBQypPIeq4yKsXxtumVhryAc5k2neRZkvc\n" +
+            "Wo1x3T/EY0SSlFFSYsiyDgbaj0SguiVNTrJbLQd62a1S4ZCYB5k2hlzm22eIKHIa\n" +
+            "lb+sYaTGbSkxVH2xMvjxgO4dx9YvTlH6rsTIktmhvYxnF27Y6Bfhp+x8I3RoYPRC\n" +
+            "ImMgllybYE9AOHLI5uogvoe133OfHAmHVm36qx+S24r8YTMdZ6iJKLCd0Hav6aS9\n" +
+            "b4ptBiKQQQR2mtxaQNyBVEjfbpt2/ATnzRg5D/TAJATvhoeByWRYNP21iATnWU5c\n" +
+            "H3uK3dNDLnZAbaEf2XfqEG2fcw/Bn9mbXUodEay+EQl0Z11kWKOBSwMyGwSxdMhw\n" +
+            "S+9tTnfFZ73B/fyD41p3Ft02cUJcD2yW/j3+5JLOqZJJlTEhtAFvixkhcfR7VJTl\n" +
+            "arZfECPXOOMbiBxQmFA4+AZfP+9bMFPz9/guZTkIWsjKO4JI6ge6ayl6Eel2Qsbo\n" +
+            "MzsYA6m9h4a0VQPmHf1Itg5kiEpecG4rEqzJC2ov4mTiD4kVlPhUj6Je+VU3mEgT\n" +
+            "geMf/8JkD6+IParbR7iaEQF2wPgrR/VcBX/5Y8AI4mW8eiTCybtPt9z4X6w326Uy\n" +
+            "UkaqeswhQmd2sODDqxxrdjVmYQEWqVKIRRBLsR5fvDiqyiVFbPEO\n" +
+            "=qFHk\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private static final String PKESK3_SEIP_OPS3_OPS23_LIT_SIG23_SIG4 = "-----BEGIN PGP MESSAGE-----\n" +
+            "\n" +
+            "wcDMA3wvqk35PDeyAQv+JdNtgn26/Q4yXJ9egCmJ1/3SaeSB+y93jz+fmabMvc97\n" +
+            "KbI1HN9RoG23UxDoQED+jGcbbrw+7ho73U3uRC4NtE4D4SZZMQZZXTadI0MEu4eN\n" +
+            "yGgyFmZLy2Fek5N33m4PShvKqbeDnubmxv/lPlpz//KuxbVNPL+vtiVxZuI6vusB\n" +
+            "q3T0Br0kH7OqCizCIKzl85d9hYAKXDaCaGw/0VXmFs0HgjBSB5RRHKt3GpVt83dI\n" +
+            "b7vyyrzo6D0bwr+9nYC9Q+rku0lPNJutdSBRv9Xoc8eB7ud+0x9Ybj61C91gjvJp\n" +
+            "NkeuqcCYOZw+iFckDR8+GUM4T5PO3dwxEVQUUeO99EKuCH2S/PqgrH8JFiRcCvED\n" +
+            "SsngpAL3IfkoKCuAO0gpK4ebDKQ8R46ho/ER1UApT9A8lNbzLYIwCQ8fcK53AICe\n" +
+            "XWDTGb1uqqkt0vFPxsKA0R6Wyk6gA8j8ta6zpgTpwGOyRbMKo8QW08mw+2UROCPj\n" +
+            "/cdtV1Z6Iv0GrbKwrwB20sOlAYDKbSloZBhkwugYMqYWQfzPcM8S+sCX/+Kv/O79\n" +
+            "oWucvbSAiUv0JlD6zqdNcileqJKCiiAVaCUZhLpZcgVWpLqfJuFFnHBOo98ARIHe\n" +
+            "D5CzXn2sx+0ZlFW0fJk8Z2ZWXK9rKAleqsGB4dIA3WoC4UAFFjBqXG/4pa/H0He2\n" +
+            "G8R3Q+wFqEaXYgm2Znq/+UxPGjAJLH7EUrwfBvK17eByT+bLqyZpKHhuZJXy/rw1\n" +
+            "n+pCC1fedDWdxKj7+1Xw8cVlAWYCp2314DQjfI8BzFw0JWq8MU7hwGDQkJgfI3qH\n" +
+            "RlBhIgE2iJAOQi4YaSgC9QaAxL4Uw3uo9+kwUGt87j+M4d7ALQ1XXLtCim6P36jP\n" +
+            "kjOoAvfgwZ1NZEbzo/YS9/NK9KVXrhfgmkWSPjLaqJeur2Av9IkDuQmFF+EVxjRo\n" +
+            "eQzZHk8RHOj03jjTZH/QHNiiUDfr2cMDj8Hi+r5pCvS/T67gymyE6VHQJSYS9dXP\n" +
+            "0EMoe4jaG+aOdbAi3OPtKETSvtsKLflMR4k/RxRXN6lsV238wVna+w6nYZxqMqd4\n" +
+            "fNnL5YUHZOEt2qxVguOCEZDANHoR0RFVXM6yBF36Ivwjhg5a1aujyHv150KwDDsc\n" +
+            "YMI4O2pTcmhDX1aiV2X35EyLWJbSovbNj/IveMKa0q/xOXe4V8INX9Xv4sxm0mqY\n" +
+            "RR8CY1E3cYG2g6Uhc4WkirSvXoN/IRq1MrYmcCHQrEDDBL5h/8/TIn/TAOZqBrZ/\n" +
+            "gF1gfFW4ZgEcPZUeUmErHxLvdVqC+WK7/5qE86PXGo9yD9/Xxv5U7i8BbxgknUlD\n" +
+            "SyRmBfzkRJudTHvH9wnk9KA5hPHqXk6ZkrBo4ugaiwUa/EejvkiHW7KRWijH57nL\n" +
+            "JDzP13FU16gPuhPFTXP2zLvLeMSpVmkv2B9Mzvnrg+836B+hY0elAy5U/3D1/wxG\n" +
+            "IjfDTsAcUQ8yULCRj6iZrx1SZc0HJDe4mjvqVqg0VOSpxGHfRNcte+zh6p8Fqqly\n" +
+            "2O72vb49uEr54ZeL33j/ggCXWvMgdK7EtIirmzcwFsmamy89QSl1VzZzh5338n7f\n" +
+            "9SOd67xL8BVSh8lee8ByuBiZryLbIuy1d8stndbbxLi+W7+Y/W08g3QyE+NwcpKd\n" +
+            "/zTVViCZolgs4Ol73WEe6A131u+AMlJWXYD5tai+RmQOFugvCVX+QhezK1v3YrMH\n" +
+            "KlIfFsh4Cq+JIo2jMMoVjLBK662kU24w8eaEagdIjBgd1XlEBgKUR/f754BOfoKi\n" +
+            "JX2ySeHdQCCn/yc753X1TH3FNEThmJPHJG0ESkpIxqoTKdL3Ut+8BFlhWYwxCc8r\n" +
+            "R8m9ixq0cQBXrNVaJsFVKqI9H4SJMc8ySGe8HYwJV2hhK9HbuhAfrKiJoUmoQHvD\n" +
+            "jL9Y6H3ejK5YmqQ/zXoiepRfAklN3q+ByqhRMjZfDMuk0fcMaPy9RFoo1FqIPyqw\n" +
+            "alekNaR/K4albyRcMoYxBhn3QFHf7VuaPuaxhg1ri3YfrWykv3RA\n" +
+            "=jGpv\n" +
+            "-----END PGP MESSAGE-----\n";
+
+    private final PGPSecretKeyRing key;
+    private final PGPPublicKeyRing cert;
+
+    public UnsupportedPacketVersionsTest() throws IOException {
+        key = PGPainless.readKeyRing().secretKeyRing(KEY);
+        cert = PGPainless.extractCertificate(key);
+    }
+
+    @Test
+    public void pkesk3_pkesk23_seip() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_PKESK23_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    public void pkesk23_pkesk_seip() throws PGPException, IOException {
+        decryptAndCompare(PKESK23_PKESK3_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    public void pkesk3_skesk23_seip() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SKESK23_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    public void skesk23_pkesk3_seip() throws PGPException, IOException {
+        decryptAndCompare(SKESK23_PKESK3_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    @Disabled("Enable once https://github.com/bcgit/bc-java/pull/1268 is available")
+    public void pkesk3_skesk4Ws2k23_seip() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SKESK4wS2K23_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    @Disabled("Enable once https://github.com/bcgit/bc-java/pull/1268 is available")
+    public void skesk4Ws2k23_pkesk3_seip() throws PGPException, IOException {
+        decryptAndCompare(SKESK4wS2K23_PKESK3_SEIP, "Encrypted using SEIP + MDC.");
+    }
+
+    @Test
+    public void pkesk3_seip_ops3_lit_sig4() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SEIP_OPS3_LIT_SIG4, "Encrypted, signed message.");
+    }
+
+    @Test
+    public void pkesk3_seip_ops23_lit_sig23() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SEIP_OPS23_LIT_SIG23, "Encrypted, signed message.");
+    }
+
+    @Test
+    public void pkesk3_seip_ops23_ops3_lit_sig4_sig23() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SEIP_OPS23_OPS3_LIT_SIG4_SIG23, "Encrypted, signed message.");
+    }
+
+    @Test
+    public void pkesk3_seip_ops3_ops23_lit_sig23_sig4() throws PGPException, IOException {
+        decryptAndCompare(PKESK3_SEIP_OPS3_OPS23_LIT_SIG23_SIG4, "Encrypted, signed message.");
+    }
+
+    public void decryptAndCompare(String msg, String plain) throws IOException, PGPException {
+        // noinspection CharsetObjectCanBeUsed
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(msg.getBytes(Charset.forName("UTF8")));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(inputStream)
+                .withOptions(ConsumerOptions.get()
+                        .addDecryptionKey(key)
+                        .addVerificationCert(cert));
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+
+        assertEquals(plain, out.toString());
+    }
+}

From a0ba6828c982bfce4192162e45f6c853a976790a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 26 Oct 2022 18:22:50 +0200
Subject: [PATCH 0755/1450] Remove superfluous states

---
 .../syntax_check/PDA.java                     | 26 +++----------------
 .../syntax_check/StackAlphabet.java           |  4 ---
 2 files changed, 3 insertions(+), 27 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 0d6ba28c..c77b50cc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -67,7 +67,7 @@ public class PDA {
 
                     case Signature:
                         if (stackItem == ops) {
-                            return CorrespondingSignature;
+                            return LiteralMessage;
                         } else {
                             throw new MalformedOpenPgpMessageException(this, input, stackItem);
                         }
@@ -96,7 +96,7 @@ public class PDA {
                 switch (input) {
                     case Signature:
                         if (stackItem == ops) {
-                            return CorrespondingSignature;
+                            return CompressedMessage;
                         } else {
                             throw new MalformedOpenPgpMessageException(this, input, stackItem);
                         }
@@ -125,7 +125,7 @@ public class PDA {
                 switch (input) {
                     case Signature:
                         if (stackItem == ops) {
-                            return CorrespondingSignature;
+                            return EncryptedMessage;
                         } else {
                             throw new MalformedOpenPgpMessageException(this, input, stackItem);
                         }
@@ -147,26 +147,6 @@ public class PDA {
             }
         },
 
-        CorrespondingSignature {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                if (input == InputAlphabet.EndOfSequence) {
-                    if (stackItem == terminus && automaton.stack.isEmpty()) {
-                        return Valid;
-                    } else {
-                        // premature end of stream
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                    }
-                } else if (input == InputAlphabet.Signature) {
-                    if (stackItem == ops) {
-                        return CorrespondingSignature;
-                    }
-                }
-                throw new MalformedOpenPgpMessageException(this, input, stackItem);
-            }
-        },
-
         Valid {
             @Override
             State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
index 6030fbc8..a8a2a213 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
@@ -13,10 +13,6 @@ public enum StackAlphabet {
      * OnePassSignature (in case of BC this represents a OnePassSignatureList).
      */
     ops,
-    /**
-     * ESK. Not used, as BC combines encrypted data with their encrypted session keys.
-     */
-    esk,
     /**
      * Special symbol representing the end of the message.
      */

From a2a5c9223eaff33c9ec0f2d6ea7336c2e25d657f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 26 Oct 2022 18:24:19 +0200
Subject: [PATCH 0756/1450] Remove debugging fields

---
 .../pgpainless/decryption_verification/syntax_check/PDA.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index c77b50cc..40021734 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -16,7 +16,6 @@ import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.
 
 public class PDA {
 
-    private static int ID = 0;
     private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
 
     /**
@@ -171,13 +170,11 @@ public class PDA {
 
     private final Stack stack = new Stack<>();
     private State state;
-    private int id;
 
     public PDA() {
         state = State.OpenPgpMessage;
         stack.push(terminus);
         stack.push(msg);
-        this.id = ID++;
     }
 
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
@@ -240,6 +237,6 @@ public class PDA {
 
     @Override
     public String toString() {
-        return "PDA " + id + ": State: " + state + " Stack: " + stack;
+        return "State: " + state + " Stack: " + stack;
     }
 }

From 798e68e87f4c76239564a988a887dc6beaa92c4c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 26 Oct 2022 18:39:20 +0200
Subject: [PATCH 0757/1450] Improve syntax error reporting

---
 .../decryption_verification/syntax_check/PDA.java     | 11 +++++++++--
 .../exception/MalformedOpenPgpMessageException.java   |  6 +++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 40021734..550cb855 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -8,6 +8,9 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Stack;
 
 import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.msg;
@@ -169,6 +172,7 @@ public class PDA {
     }
 
     private final Stack stack = new Stack<>();
+    private final List inputs = new ArrayList<>(); // keep track of inputs for debugging / error reporting
     private State state;
 
     public PDA() {
@@ -180,9 +184,12 @@ public class PDA {
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
         try {
             state = state.transition(input, this);
+            inputs.add(input);
         } catch (MalformedOpenPgpMessageException e) {
-            LOGGER.debug("Unexpected Packet or Token '" + input + "' encountered. Message is malformed.", e);
-            throw e;
+            MalformedOpenPgpMessageException wrapped = new MalformedOpenPgpMessageException("Malformed message: After reading stream " + Arrays.toString(inputs.toArray()) +
+                    ", token '" + input + "' is unexpected and illegal.", e);
+            LOGGER.debug("Invalid input '" + input + "'", wrapped);
+            throw wrapped;
         }
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index cbe78c05..aa158746 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -21,6 +21,10 @@ public class MalformedOpenPgpMessageException extends RuntimeException {
     }
 
     public MalformedOpenPgpMessageException(PDA.State state, InputAlphabet input, StackAlphabet stackItem) {
-        this("Invalid input: There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
+        this("There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
+    }
+
+    public MalformedOpenPgpMessageException(String s, MalformedOpenPgpMessageException e) {
+        super(s, e);
     }
 }

From b3d61b0494a9c63d6037436fe600fa2769f1999c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 11:56:10 +0200
Subject: [PATCH 0758/1450] Separate out syntax logic

---
 .../syntax_check/OpenPgpMessageSyntax.java    | 119 +++++++++++++
 .../syntax_check/PDA.java                     | 165 ++----------------
 .../syntax_check/State.java                   |  16 ++
 .../syntax_check/Syntax.java                  |  13 ++
 .../syntax_check/Transition.java              |  28 +++
 .../MalformedOpenPgpMessageException.java     |   4 +-
 6 files changed, 189 insertions(+), 156 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/State.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
new file mode 100644
index 00000000..ab45a896
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
@@ -0,0 +1,119 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification.syntax_check;
+
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+public class OpenPgpMessageSyntax implements Syntax {
+
+    @Override
+    public Transition transition(State from, InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        switch (from) {
+            case OpenPgpMessage:
+                return fromOpenPgpMessage(input, stackItem);
+            case LiteralMessage:
+                return fromLiteralMessage(input, stackItem);
+            case CompressedMessage:
+                return fromCompressedMessage(input, stackItem);
+            case EncryptedMessage:
+                return fromEncryptedMessage(input, stackItem);
+            case Valid:
+                return fromValid(input, stackItem);
+        }
+
+        throw new MalformedOpenPgpMessageException(from, input, stackItem);
+    }
+
+    Transition fromOpenPgpMessage(InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        if (stackItem != StackAlphabet.msg) {
+            throw new MalformedOpenPgpMessageException(State.OpenPgpMessage, input, stackItem);
+        }
+
+        switch (input) {
+            case LiteralData:
+                return new Transition(State.LiteralMessage);
+
+            case Signature:
+                return new Transition(State.OpenPgpMessage, StackAlphabet.msg);
+
+            case OnePassSignature:
+                return new Transition(State.OpenPgpMessage, StackAlphabet.ops, StackAlphabet.msg);
+
+            case CompressedData:
+                return new Transition(State.CompressedMessage);
+
+            case EncryptedData:
+                return new Transition(State.EncryptedMessage);
+
+            case EndOfSequence:
+            default:
+                throw new MalformedOpenPgpMessageException(State.OpenPgpMessage, input, stackItem);
+        }
+    }
+
+    Transition fromLiteralMessage(InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        switch (input) {
+            case Signature:
+                if (stackItem == StackAlphabet.ops) {
+                    return new Transition(State.LiteralMessage);
+                }
+                break;
+
+            case EndOfSequence:
+                if (stackItem == StackAlphabet.terminus) {
+                    return new Transition(State.Valid);
+                }
+                break;
+        }
+
+        throw new MalformedOpenPgpMessageException(State.LiteralMessage, input, stackItem);
+    }
+
+    Transition fromCompressedMessage(InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        switch (input) {
+            case Signature:
+                if (stackItem == StackAlphabet.ops) {
+                    return new Transition(State.CompressedMessage);
+                }
+                break;
+
+            case EndOfSequence:
+                if (stackItem == StackAlphabet.terminus) {
+                    return new Transition(State.Valid);
+                }
+                break;
+        }
+
+        throw new MalformedOpenPgpMessageException(State.CompressedMessage, input, stackItem);
+    }
+
+    Transition fromEncryptedMessage(InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        switch (input) {
+            case Signature:
+                if (stackItem == StackAlphabet.ops) {
+                    return new Transition(State.EncryptedMessage);
+                }
+                break;
+
+            case EndOfSequence:
+                if (stackItem == StackAlphabet.terminus) {
+                    return new Transition(State.Valid);
+                }
+                break;
+        }
+
+        throw new MalformedOpenPgpMessageException(State.EncryptedMessage, input, stackItem);
+    }
+
+    Transition fromValid(InputAlphabet input, StackAlphabet stackItem)
+            throws MalformedOpenPgpMessageException {
+        throw new MalformedOpenPgpMessageException(State.Valid, input, stackItem);
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 550cb855..94c1739e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -14,177 +14,31 @@ import java.util.List;
 import java.util.Stack;
 
 import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.msg;
-import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.ops;
 import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.terminus;
 
 public class PDA {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
 
-    /**
-     * Set of states of the automaton.
-     * Each state defines its valid transitions in their {@link State#transition(InputAlphabet, PDA)} method.
-     */
-    public enum State {
-
-        OpenPgpMessage {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                if (stackItem != msg) {
-                    throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-                switch (input) {
-
-                    case LiteralData:
-                        return LiteralMessage;
-
-                    case Signature:
-                        automaton.pushStack(msg);
-                        return OpenPgpMessage;
-
-                    case OnePassSignature:
-                        automaton.pushStack(ops);
-                        automaton.pushStack(msg);
-                        return OpenPgpMessage;
-
-                    case CompressedData:
-                        return CompressedMessage;
-
-                    case EncryptedData:
-                        return EncryptedMessage;
-
-                    case EndOfSequence:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        LiteralMessage {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-
-                    case Signature:
-                        if (stackItem == ops) {
-                            return LiteralMessage;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignature:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        CompressedMessage {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-                    case Signature:
-                        if (stackItem == ops) {
-                            return CompressedMessage;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignature:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        EncryptedMessage {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                StackAlphabet stackItem = automaton.popStack();
-                switch (input) {
-                    case Signature:
-                        if (stackItem == ops) {
-                            return EncryptedMessage;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case EndOfSequence:
-                        if (stackItem == terminus && automaton.stack.isEmpty()) {
-                            return Valid;
-                        } else {
-                            throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                        }
-
-                    case LiteralData:
-                    case OnePassSignature:
-                    case CompressedData:
-                    case EncryptedData:
-                    default:
-                        throw new MalformedOpenPgpMessageException(this, input, stackItem);
-                }
-            }
-        },
-
-        Valid {
-            @Override
-            State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException {
-                throw new MalformedOpenPgpMessageException(this, input, null);
-            }
-        },
-        ;
-
-        /**
-         * Pop the automatons stack and transition to another state.
-         * If no valid transition from the current state is available given the popped stack item and input symbol,
-         * a {@link MalformedOpenPgpMessageException} is thrown.
-         * Otherwise, the stack is manipulated according to the valid transition and the new state is returned.
-         *
-         * @param input     input symbol
-         * @param automaton automaton
-         * @return new state of the automaton
-         * @throws MalformedOpenPgpMessageException in case of an illegal input symbol
-         */
-        abstract State transition(InputAlphabet input, PDA automaton) throws MalformedOpenPgpMessageException;
-    }
-
     private final Stack stack = new Stack<>();
     private final List inputs = new ArrayList<>(); // keep track of inputs for debugging / error reporting
     private State state;
+    private Syntax syntax = new OpenPgpMessageSyntax();
 
     public PDA() {
         state = State.OpenPgpMessage;
-        stack.push(terminus);
-        stack.push(msg);
+        pushStack(terminus);
+        pushStack(msg);
     }
 
     public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
         try {
-            state = state.transition(input, this);
+            Transition transition = syntax.transition(state, input, popStack());
             inputs.add(input);
+            state = transition.getNewState();
+            for (StackAlphabet item : transition.getPushedItems()) {
+                pushStack(item);
+            }
         } catch (MalformedOpenPgpMessageException e) {
             MalformedOpenPgpMessageException wrapped = new MalformedOpenPgpMessageException("Malformed message: After reading stream " + Arrays.toString(inputs.toArray()) +
                     ", token '" + input + "' is unexpected and illegal.", e);
@@ -230,6 +84,9 @@ public class PDA {
      * @return stack item
      */
     private StackAlphabet popStack() {
+        if (stack.isEmpty()) {
+            return null;
+        }
         return stack.pop();
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/State.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/State.java
new file mode 100644
index 00000000..9dee9af1
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/State.java
@@ -0,0 +1,16 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification.syntax_check;
+
+/**
+ * Set of states of the automaton.
+ */
+public enum State {
+    OpenPgpMessage,
+    LiteralMessage,
+    CompressedMessage,
+    EncryptedMessage,
+    Valid
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
new file mode 100644
index 00000000..47813a9e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification.syntax_check;
+
+import org.pgpainless.exception.MalformedOpenPgpMessageException;
+
+public interface Syntax {
+
+    Transition transition(State from, InputAlphabet inputAlphabet, StackAlphabet stackItem)
+        throws MalformedOpenPgpMessageException;
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
new file mode 100644
index 00000000..bbc28e58
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
@@ -0,0 +1,28 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification.syntax_check;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class Transition {
+
+    private final List pushedItems = new ArrayList<>();
+    private final State newState;
+
+    public Transition(State newState, StackAlphabet... pushedItems) {
+        this.newState = newState;
+        this.pushedItems.addAll(Arrays.asList(pushedItems));
+    }
+
+    public State getNewState() {
+        return newState;
+    }
+
+    public List getPushedItems() {
+        return new ArrayList<>(pushedItems);
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index aa158746..db8d0df6 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -5,8 +5,8 @@
 package org.pgpainless.exception;
 
 import org.pgpainless.decryption_verification.syntax_check.InputAlphabet;
-import org.pgpainless.decryption_verification.syntax_check.PDA;
 import org.pgpainless.decryption_verification.syntax_check.StackAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.State;
 
 /**
  * Exception that gets thrown if the OpenPGP message is malformed.
@@ -20,7 +20,7 @@ public class MalformedOpenPgpMessageException extends RuntimeException {
         super(message);
     }
 
-    public MalformedOpenPgpMessageException(PDA.State state, InputAlphabet input, StackAlphabet stackItem) {
+    public MalformedOpenPgpMessageException(State state, InputAlphabet input, StackAlphabet stackItem) {
         this("There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
 

From 8ca0cfd3ae9dff01ded689c434dd5d6cb9f6d6e7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 12:07:22 +0200
Subject: [PATCH 0759/1450] Rename *Alphabet to *Symbol and add javadoc

---
 .../OpenPgpMessageInputStream.java            |  18 ++--
 .../{InputAlphabet.java => InputSymbol.java}  |   2 +-
 .../syntax_check/OpenPgpMessageSyntax.java    |  41 ++++---
 .../syntax_check/PDA.java                     |  18 ++--
 .../{StackAlphabet.java => StackSymbol.java}  |   2 +-
 .../syntax_check/Syntax.java                  |  19 +++-
 .../syntax_check/Transition.java              |   6 +-
 .../MalformedOpenPgpMessageException.java     |   6 +-
 .../syntax_check/PDATest.java                 | 102 +++++++++---------
 9 files changed, 121 insertions(+), 93 deletions(-)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/{InputAlphabet.java => InputSymbol.java} (98%)
 rename pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/{StackAlphabet.java => StackSymbol.java} (93%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 75b78294..a0f17210 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -45,9 +45,9 @@ import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
-import org.pgpainless.decryption_verification.syntax_check.InputAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.InputSymbol;
 import org.pgpainless.decryption_verification.syntax_check.PDA;
-import org.pgpainless.decryption_verification.syntax_check.StackAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.StackSymbol;
 import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
@@ -334,7 +334,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private void processLiteralData() throws IOException {
         LOGGER.debug("Literal Data Packet at depth " + metadata.depth + " encountered");
-        syntaxVerifier.next(InputAlphabet.LiteralData);
+        syntaxVerifier.next(InputSymbol.LiteralData);
         PGPLiteralData literalData = packetInputStream.readLiteralData();
         this.metadata.setChild(new MessageMetadata.LiteralData(
                 literalData.getFileName(),
@@ -344,7 +344,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     private void processCompressedData() throws IOException, PGPException {
-        syntaxVerifier.next(InputAlphabet.CompressedData);
+        syntaxVerifier.next(InputSymbol.CompressedData);
         signatures.enterNesting();
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
@@ -356,7 +356,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     }
 
     private void processOnePassSignature() throws PGPException, IOException {
-        syntaxVerifier.next(InputAlphabet.OnePassSignature);
+        syntaxVerifier.next(InputSymbol.OnePassSignature);
         PGPOnePassSignature onePassSignature = packetInputStream.readOnePassSignature();
         LOGGER.debug("One-Pass-Signature Packet by key " + KeyIdUtil.formatKeyId(onePassSignature.getKeyID()) +
                 " at depth " + metadata.depth + " encountered");
@@ -365,8 +365,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private void processSignature() throws PGPException, IOException {
         // true if Signature corresponds to OnePassSignature
-        boolean isSigForOPS = syntaxVerifier.peekStack() == StackAlphabet.ops;
-        syntaxVerifier.next(InputAlphabet.Signature);
+        boolean isSigForOPS = syntaxVerifier.peekStack() == StackSymbol.ops;
+        syntaxVerifier.next(InputSymbol.Signature);
         PGPSignature signature;
         try {
             signature = packetInputStream.readSignature();
@@ -391,7 +391,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
     private boolean processEncryptedData() throws IOException, PGPException {
         LOGGER.debug("Symmetrically Encrypted Data Packet at depth " + metadata.depth + " encountered");
-        syntaxVerifier.next(InputAlphabet.EncryptedData);
+        syntaxVerifier.next(InputSymbol.EncryptedData);
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         // TODO: Replace with !encDataList.isIntegrityProtected()
@@ -766,7 +766,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         if (packetInputStream != null) {
-            syntaxVerifier.next(InputAlphabet.EndOfSequence);
+            syntaxVerifier.next(InputSymbol.EndOfSequence);
             syntaxVerifier.assertValid();
             packetInputStream.close();
         }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputSymbol.java
similarity index 98%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputSymbol.java
index f73ede34..854c3305 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/InputSymbol.java
@@ -10,7 +10,7 @@ import org.bouncycastle.openpgp.PGPLiteralData;
 import org.bouncycastle.openpgp.PGPOnePassSignatureList;
 import org.bouncycastle.openpgp.PGPSignatureList;
 
-public enum InputAlphabet {
+public enum InputSymbol {
     /**
      * A {@link PGPLiteralData} packet.
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
index ab45a896..4c811e9f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
@@ -6,10 +6,20 @@ package org.pgpainless.decryption_verification.syntax_check;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
+/**
+ * This class describes the syntax for OpenPGP messages as specified by rfc4880.
+ *
+ * @see 
+ *     rfc4880 - §11.3. OpenPGP Messages
+ * @see 
+ *     Blog post about theoretic background and translation of grammar to PDA syntax
+ * @see 
+ *     Blog post about practically implementing the PDA for packet syntax validation
+ */
 public class OpenPgpMessageSyntax implements Syntax {
 
     @Override
-    public Transition transition(State from, InputAlphabet input, StackAlphabet stackItem)
+    public Transition transition(State from, InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (from) {
             case OpenPgpMessage:
@@ -27,9 +37,9 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(from, input, stackItem);
     }
 
-    Transition fromOpenPgpMessage(InputAlphabet input, StackAlphabet stackItem)
+    Transition fromOpenPgpMessage(InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
-        if (stackItem != StackAlphabet.msg) {
+        if (stackItem != StackSymbol.msg) {
             throw new MalformedOpenPgpMessageException(State.OpenPgpMessage, input, stackItem);
         }
 
@@ -38,10 +48,10 @@ public class OpenPgpMessageSyntax implements Syntax {
                 return new Transition(State.LiteralMessage);
 
             case Signature:
-                return new Transition(State.OpenPgpMessage, StackAlphabet.msg);
+                return new Transition(State.OpenPgpMessage, StackSymbol.msg);
 
             case OnePassSignature:
-                return new Transition(State.OpenPgpMessage, StackAlphabet.ops, StackAlphabet.msg);
+                return new Transition(State.OpenPgpMessage, StackSymbol.ops, StackSymbol.msg);
 
             case CompressedData:
                 return new Transition(State.CompressedMessage);
@@ -55,17 +65,17 @@ public class OpenPgpMessageSyntax implements Syntax {
         }
     }
 
-    Transition fromLiteralMessage(InputAlphabet input, StackAlphabet stackItem)
+    Transition fromLiteralMessage(InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
-                if (stackItem == StackAlphabet.ops) {
+                if (stackItem == StackSymbol.ops) {
                     return new Transition(State.LiteralMessage);
                 }
                 break;
 
             case EndOfSequence:
-                if (stackItem == StackAlphabet.terminus) {
+                if (stackItem == StackSymbol.terminus) {
                     return new Transition(State.Valid);
                 }
                 break;
@@ -74,17 +84,17 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.LiteralMessage, input, stackItem);
     }
 
-    Transition fromCompressedMessage(InputAlphabet input, StackAlphabet stackItem)
+    Transition fromCompressedMessage(InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
-                if (stackItem == StackAlphabet.ops) {
+                if (stackItem == StackSymbol.ops) {
                     return new Transition(State.CompressedMessage);
                 }
                 break;
 
             case EndOfSequence:
-                if (stackItem == StackAlphabet.terminus) {
+                if (stackItem == StackSymbol.terminus) {
                     return new Transition(State.Valid);
                 }
                 break;
@@ -93,17 +103,17 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.CompressedMessage, input, stackItem);
     }
 
-    Transition fromEncryptedMessage(InputAlphabet input, StackAlphabet stackItem)
+    Transition fromEncryptedMessage(InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
-                if (stackItem == StackAlphabet.ops) {
+                if (stackItem == StackSymbol.ops) {
                     return new Transition(State.EncryptedMessage);
                 }
                 break;
 
             case EndOfSequence:
-                if (stackItem == StackAlphabet.terminus) {
+                if (stackItem == StackSymbol.terminus) {
                     return new Transition(State.Valid);
                 }
                 break;
@@ -112,8 +122,9 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.EncryptedMessage, input, stackItem);
     }
 
-    Transition fromValid(InputAlphabet input, StackAlphabet stackItem)
+    Transition fromValid(InputSymbol input, StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
+        // There is no applicable transition rule out of Valid
         throw new MalformedOpenPgpMessageException(State.Valid, input, stackItem);
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 94c1739e..68a5e2c4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -13,15 +13,15 @@ import java.util.Arrays;
 import java.util.List;
 import java.util.Stack;
 
-import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.msg;
-import static org.pgpainless.decryption_verification.syntax_check.StackAlphabet.terminus;
+import static org.pgpainless.decryption_verification.syntax_check.StackSymbol.msg;
+import static org.pgpainless.decryption_verification.syntax_check.StackSymbol.terminus;
 
 public class PDA {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
 
-    private final Stack stack = new Stack<>();
-    private final List inputs = new ArrayList<>(); // keep track of inputs for debugging / error reporting
+    private final Stack stack = new Stack<>();
+    private final List inputs = new ArrayList<>(); // keep track of inputs for debugging / error reporting
     private State state;
     private Syntax syntax = new OpenPgpMessageSyntax();
 
@@ -31,12 +31,12 @@ public class PDA {
         pushStack(msg);
     }
 
-    public void next(InputAlphabet input) throws MalformedOpenPgpMessageException {
+    public void next(InputSymbol input) throws MalformedOpenPgpMessageException {
         try {
             Transition transition = syntax.transition(state, input, popStack());
             inputs.add(input);
             state = transition.getNewState();
-            for (StackAlphabet item : transition.getPushedItems()) {
+            for (StackSymbol item : transition.getPushedItems()) {
                 pushStack(item);
             }
         } catch (MalformedOpenPgpMessageException e) {
@@ -56,7 +56,7 @@ public class PDA {
         return state;
     }
 
-    public StackAlphabet peekStack() {
+    public StackSymbol peekStack() {
         if (stack.isEmpty()) {
             return null;
         }
@@ -83,7 +83,7 @@ public class PDA {
      *
      * @return stack item
      */
-    private StackAlphabet popStack() {
+    private StackSymbol popStack() {
         if (stack.isEmpty()) {
             return null;
         }
@@ -95,7 +95,7 @@ public class PDA {
      *
      * @param item item
      */
-    private void pushStack(StackAlphabet item) {
+    private void pushStack(StackSymbol item) {
         stack.push(item);
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackSymbol.java
similarity index 93%
rename from pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
rename to pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackSymbol.java
index a8a2a213..120458e5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackAlphabet.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/StackSymbol.java
@@ -4,7 +4,7 @@
 
 package org.pgpainless.decryption_verification.syntax_check;
 
-public enum StackAlphabet {
+public enum StackSymbol {
     /**
      * OpenPGP Message.
      */
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
index 47813a9e..63d63fed 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
@@ -6,8 +6,25 @@ package org.pgpainless.decryption_verification.syntax_check;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
+/**
+ * This interface can be used to define a custom syntax for the {@link PDA}.
+ */
 public interface Syntax {
 
-    Transition transition(State from, InputAlphabet inputAlphabet, StackAlphabet stackItem)
+    /**
+     * Describe a transition rule from {@link State} 
from
 for {@link InputSymbol} 
input

+     * with {@link StackSymbol} 
stackItem
 from the top of the {@link PDA PDAs} stack.
+     * The resulting {@link Transition} contains the new {@link State}, as well as a list of
+     * {@link StackSymbol StackSymbols} that get pushed onto the stack by the transition rule.
+     * If there is no applicable rule, a {@link MalformedOpenPgpMessageException} is thrown, since in this case
+     * the {@link InputSymbol} must be considered illegal.
+     *
+     * @param from current state of the PDA
+     * @param input input symbol
+     * @param stackItem item that got popped from the top of the stack
+     * @return applicable transition rule containing the new state and pushed stack symbols
+     * @throws MalformedOpenPgpMessageException if there is no applicable transition rule (the input symbol is illegal)
+     */
+    Transition transition(State from, InputSymbol input, StackSymbol stackItem)
         throws MalformedOpenPgpMessageException;
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
index bbc28e58..a0e58cf0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
@@ -10,10 +10,10 @@ import java.util.List;
 
 public class Transition {
 
-    private final List pushedItems = new ArrayList<>();
+    private final List pushedItems = new ArrayList<>();
     private final State newState;
 
-    public Transition(State newState, StackAlphabet... pushedItems) {
+    public Transition(State newState, StackSymbol... pushedItems) {
         this.newState = newState;
         this.pushedItems.addAll(Arrays.asList(pushedItems));
     }
@@ -22,7 +22,7 @@ public class Transition {
         return newState;
     }
 
-    public List getPushedItems() {
+    public List getPushedItems() {
         return new ArrayList<>(pushedItems);
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
index db8d0df6..f98a4048 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/exception/MalformedOpenPgpMessageException.java
@@ -4,8 +4,8 @@
 
 package org.pgpainless.exception;
 
-import org.pgpainless.decryption_verification.syntax_check.InputAlphabet;
-import org.pgpainless.decryption_verification.syntax_check.StackAlphabet;
+import org.pgpainless.decryption_verification.syntax_check.InputSymbol;
+import org.pgpainless.decryption_verification.syntax_check.StackSymbol;
 import org.pgpainless.decryption_verification.syntax_check.State;
 
 /**
@@ -20,7 +20,7 @@ public class MalformedOpenPgpMessageException extends RuntimeException {
         super(message);
     }
 
-    public MalformedOpenPgpMessageException(State state, InputAlphabet input, StackAlphabet stackItem) {
+    public MalformedOpenPgpMessageException(State state, InputSymbol input, StackSymbol stackItem) {
         this("There is no legal transition from state '" + state + "' for input '" + input + "' when '" + stackItem + "' is on top of the stack.");
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index 9250acfa..2b66eee0 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -21,8 +21,8 @@ public class PDATest {
     @Test
     public void testSimpleLiteralMessageIsValid() throws MalformedOpenPgpMessageException {
         PDA check = new PDA();
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }
@@ -35,10 +35,10 @@ public class PDATest {
     @Test
     public void testSimpleOpsSignedMesssageIsValid() throws MalformedOpenPgpMessageException {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }
@@ -52,9 +52,9 @@ public class PDATest {
     @Test
     public void testSimplePrependSignedMessageIsValid() throws MalformedOpenPgpMessageException {
         PDA check = new PDA();
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }
@@ -68,11 +68,11 @@ public class PDATest {
     @Test
     public void testOPSSignedCompressedMessageIsValid() throws MalformedOpenPgpMessageException {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.CompressedData);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.CompressedData);
         // Here would be a nested PDA for the LiteralData packet
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }
@@ -80,105 +80,105 @@ public class PDATest {
     @Test
     public void testOPSSignedEncryptedMessageIsValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.EncryptedData);
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.EncryptedData);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.EndOfSequence);
         assertTrue(check.isValid());
     }
 
     @Test
     public void anyInputAfterEOSIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.EndOfSequence);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.Signature));
+                () -> check.next(InputSymbol.Signature));
     }
 
     @Test
     public void testEncryptedMessageWithAppendedStandalongSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.EncryptedData);
+        check.next(InputSymbol.EncryptedData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.Signature));
+                () -> check.next(InputSymbol.Signature));
     }
 
     @Test
     public void testOPSSignedEncryptedMessageWithMissingSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.EncryptedData);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.EncryptedData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.EndOfSequence));
+                () -> check.next(InputSymbol.EndOfSequence));
     }
 
     @Test
     public void testTwoLiteralDataIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.LiteralData);
+        check.next(InputSymbol.LiteralData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.LiteralData));
+                () -> check.next(InputSymbol.LiteralData));
     }
 
     @Test
     public void testTrailingSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.LiteralData);
+        check.next(InputSymbol.LiteralData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.Signature));
+                () -> check.next(InputSymbol.Signature));
     }
 
     @Test
     public void testOPSAloneIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
+        check.next(InputSymbol.OnePassSignature);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.EndOfSequence));
+                () -> check.next(InputSymbol.EndOfSequence));
     }
 
     @Test
     public void testOPSLitWithMissingSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.LiteralData);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.LiteralData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.EndOfSequence));
+                () -> check.next(InputSymbol.EndOfSequence));
     }
 
     @Test
     public void testCompressedMessageWithStandalongAppendedSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.CompressedData);
+        check.next(InputSymbol.CompressedData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.Signature));
+                () -> check.next(InputSymbol.Signature));
     }
 
     @Test
     public void testOPSCompressedDataWithMissingSigIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.CompressedData);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.CompressedData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.EndOfSequence));
+                () -> check.next(InputSymbol.EndOfSequence));
     }
 
     @Test
     public void testCompressedMessageFollowedByTrailingLiteralDataIsNotValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.CompressedData);
+        check.next(InputSymbol.CompressedData);
         assertThrows(MalformedOpenPgpMessageException.class,
-                () -> check.next(InputAlphabet.LiteralData));
+                () -> check.next(InputSymbol.LiteralData));
     }
 
     @Test
     public void testOPSWithPrependedSigIsValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }
@@ -186,11 +186,11 @@ public class PDATest {
     @Test
     public void testPrependedSigInsideOPSSignedMessageIsValid() {
         PDA check = new PDA();
-        check.next(InputAlphabet.OnePassSignature);
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.LiteralData);
-        check.next(InputAlphabet.Signature);
-        check.next(InputAlphabet.EndOfSequence);
+        check.next(InputSymbol.OnePassSignature);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.LiteralData);
+        check.next(InputSymbol.Signature);
+        check.next(InputSymbol.EndOfSequence);
 
         assertTrue(check.isValid());
     }

From ec793c66ffab343ab32cb659e32c279be9279a90 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 12:42:30 +0200
Subject: [PATCH 0760/1450] More cleanup and better error reporting

---
 .../syntax_check/OpenPgpMessageSyntax.java    | 15 ++++++++-----
 .../syntax_check/PDA.java                     | 19 +++++++++++-----
 .../syntax_check/Syntax.java                  |  5 ++++-
 .../syntax_check/Transition.java              | 22 ++++++++++++++++++-
 .../syntax_check/PDATest.java                 |  2 +-
 5 files changed, 48 insertions(+), 15 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
index 4c811e9f..c6de8765 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
@@ -6,6 +6,9 @@ package org.pgpainless.decryption_verification.syntax_check;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * This class describes the syntax for OpenPGP messages as specified by rfc4880.
  *
@@ -19,7 +22,7 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 public class OpenPgpMessageSyntax implements Syntax {
 
     @Override
-    public Transition transition(State from, InputSymbol input, StackSymbol stackItem)
+    public @Nonnull Transition transition(@Nonnull State from, @Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (from) {
             case OpenPgpMessage:
@@ -37,7 +40,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(from, input, stackItem);
     }
 
-    Transition fromOpenPgpMessage(InputSymbol input, StackSymbol stackItem)
+    Transition fromOpenPgpMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         if (stackItem != StackSymbol.msg) {
             throw new MalformedOpenPgpMessageException(State.OpenPgpMessage, input, stackItem);
@@ -65,7 +68,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         }
     }
 
-    Transition fromLiteralMessage(InputSymbol input, StackSymbol stackItem)
+    Transition fromLiteralMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
@@ -84,7 +87,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.LiteralMessage, input, stackItem);
     }
 
-    Transition fromCompressedMessage(InputSymbol input, StackSymbol stackItem)
+    Transition fromCompressedMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
@@ -103,7 +106,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.CompressedMessage, input, stackItem);
     }
 
-    Transition fromEncryptedMessage(InputSymbol input, StackSymbol stackItem)
+    Transition fromEncryptedMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
             case Signature:
@@ -122,7 +125,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.EncryptedMessage, input, stackItem);
     }
 
-    Transition fromValid(InputSymbol input, StackSymbol stackItem)
+    Transition fromValid(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         // There is no applicable transition rule out of Valid
         throw new MalformedOpenPgpMessageException(State.Valid, input, stackItem);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 68a5e2c4..ed9175fd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -20,10 +20,13 @@ public class PDA {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
 
+    // right now we implement what rfc4880 specifies.
+    // TODO: Consider implementing what we proposed here:
+    //  https://mailarchive.ietf.org/arch/msg/openpgp/uepOF6XpSegMO4c59tt9e5H1i4g/
+    private final Syntax syntax = new OpenPgpMessageSyntax();
     private final Stack stack = new Stack<>();
-    private final List inputs = new ArrayList<>(); // keep track of inputs for debugging / error reporting
+    private final List inputs = new ArrayList<>(); // Track inputs for debugging / error reporting
     private State state;
-    private Syntax syntax = new OpenPgpMessageSyntax();
 
     public PDA() {
         state = State.OpenPgpMessage;
@@ -32,16 +35,20 @@ public class PDA {
     }
 
     public void next(InputSymbol input) throws MalformedOpenPgpMessageException {
+        StackSymbol stackSymbol = popStack();
         try {
-            Transition transition = syntax.transition(state, input, popStack());
-            inputs.add(input);
+            Transition transition = syntax.transition(state, input, stackSymbol);
             state = transition.getNewState();
             for (StackSymbol item : transition.getPushedItems()) {
                 pushStack(item);
             }
+            inputs.add(input);
         } catch (MalformedOpenPgpMessageException e) {
-            MalformedOpenPgpMessageException wrapped = new MalformedOpenPgpMessageException("Malformed message: After reading stream " + Arrays.toString(inputs.toArray()) +
-                    ", token '" + input + "' is unexpected and illegal.", e);
+            MalformedOpenPgpMessageException wrapped = new MalformedOpenPgpMessageException(
+                    "Malformed message: After reading stream " + Arrays.toString(inputs.toArray()) +
+                    ", token '" + input + "' is not allowed." +
+                    "\nNo transition from state '" + state + "' with stack " + Arrays.toString(stack.toArray()) +
+                            (stackSymbol != null ? "||'" + stackSymbol + "'." : "."), e);
             LOGGER.debug("Invalid input '" + input + "'", wrapped);
             throw wrapped;
         }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
index 63d63fed..2f3d0a57 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Syntax.java
@@ -6,6 +6,9 @@ package org.pgpainless.decryption_verification.syntax_check;
 
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 /**
  * This interface can be used to define a custom syntax for the {@link PDA}.
  */
@@ -25,6 +28,6 @@ public interface Syntax {
      * @return applicable transition rule containing the new state and pushed stack symbols
      * @throws MalformedOpenPgpMessageException if there is no applicable transition rule (the input symbol is illegal)
      */
-    Transition transition(State from, InputSymbol input, StackSymbol stackItem)
+    @Nonnull Transition transition(@Nonnull State from, @Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
         throws MalformedOpenPgpMessageException;
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
index a0e58cf0..ab0db5ef 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/Transition.java
@@ -4,24 +4,44 @@
 
 package org.pgpainless.decryption_verification.syntax_check;
 
+import javax.annotation.Nonnull;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+/**
+ * Result of applying a transition rule.
+ * Transition rules can be described by implementing the {@link Syntax} interface.
+ */
 public class Transition {
 
     private final List pushedItems = new ArrayList<>();
     private final State newState;
 
-    public Transition(State newState, StackSymbol... pushedItems) {
+    public Transition(@Nonnull State newState, @Nonnull StackSymbol... pushedItems) {
         this.newState = newState;
         this.pushedItems.addAll(Arrays.asList(pushedItems));
     }
 
+    /**
+     * Return the new {@link State} that is reached by applying the transition.
+     *
+     * @return new state
+     */
+    @Nonnull
     public State getNewState() {
         return newState;
     }
 
+    /**
+     * Return a list of {@link StackSymbol StackSymbols} that are pushed onto the stack
+     * by applying the transition.
+     * The list contains items in the order in which they are pushed onto the stack.
+     * The list may be empty.
+     *
+     * @return list of items to be pushed onto the stack
+     */
+    @Nonnull
     public List getPushedItems() {
         return new ArrayList<>(pushedItems);
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
index 2b66eee0..d0486a3e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/syntax_check/PDATest.java
@@ -97,7 +97,7 @@ public class PDATest {
     }
 
     @Test
-    public void testEncryptedMessageWithAppendedStandalongSigIsNotValid() {
+    public void testEncryptedMessageWithAppendedStandaloneSigIsNotValid() {
         PDA check = new PDA();
         check.next(InputSymbol.EncryptedData);
         assertThrows(MalformedOpenPgpMessageException.class,

From 161ce577115f20c797f79d83d36655c3d0834c6e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 12:47:42 +0200
Subject: [PATCH 0761/1450] Clean up old unused code

---
 .../DecryptionBuilderInterface.java           |   2 +-
 .../DecryptionStreamImpl.java                 |  65 ------
 .../SignatureInputStream.java                 | 215 ------------------
 .../exception/FinalIOException.java           |  17 --
 .../MissingLiteralDataException.java          |  17 --
 5 files changed, 1 insertion(+), 315 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
index b35911de..07db42f0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilderInterface.java
@@ -13,7 +13,7 @@ import org.bouncycastle.openpgp.PGPException;
 public interface DecryptionBuilderInterface {
 
     /**
-     * Create a {@link DecryptionStreamImpl} on an {@link InputStream} which contains the encrypted and/or signed data.
+     * Create a {@link DecryptionStream} on an {@link InputStream} which contains the encrypted and/or signed data.
      *
      * @param inputStream encrypted and/or signed data.
      * @return api handle
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java
deleted file mode 100644
index 27ace697..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamImpl.java
+++ /dev/null
@@ -1,65 +0,0 @@
-// SPDX-FileCopyrightText: 2018 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import java.io.IOException;
-import java.io.InputStream;
-import javax.annotation.Nonnull;
-
-import org.bouncycastle.util.io.Streams;
-
-/**
- * Decryption Stream that handles updating and verification of detached signatures,
- * as well as verification of integrity-protected input streams once the stream gets closed.
- */
-public class DecryptionStreamImpl extends DecryptionStream {
-
-    private final InputStream inputStream;
-    private final IntegrityProtectedInputStream integrityProtectedInputStream;
-    private final InputStream armorStream;
-
-    /**
-     * Create an input stream that handles decryption and - if necessary - integrity protection verification.
-     *
-     * @param wrapped underlying input stream
-     * @param resultBuilder builder for decryption metadata like algorithms, recipients etc.
-     * @param integrityProtectedInputStream in case of data encrypted using SEIP packet close this stream to check integrity
-     * @param armorStream armor stream to verify CRC checksums
-     */
-    DecryptionStreamImpl(@Nonnull InputStream wrapped,
-                         @Nonnull OpenPgpMetadata.Builder resultBuilder,
-                         IntegrityProtectedInputStream integrityProtectedInputStream,
-                         InputStream armorStream) {
-        super(resultBuilder);
-        this.inputStream = wrapped;
-        this.integrityProtectedInputStream = integrityProtectedInputStream;
-        this.armorStream = armorStream;
-    }
-
-    @Override
-    public void close() throws IOException {
-        if (armorStream != null) {
-            Streams.drain(armorStream);
-        }
-        inputStream.close();
-        if (integrityProtectedInputStream != null) {
-            integrityProtectedInputStream.close();
-        }
-        super.close();
-    }
-
-    @Override
-    public int read() throws IOException {
-        int r = inputStream.read();
-        return r;
-    }
-
-    @Override
-    public int read(@Nonnull byte[] bytes, int offset, int length) throws IOException {
-        int read = inputStream.read(bytes, offset, length);
-        return read;
-    }
-
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
deleted file mode 100644
index 70a2f4ef..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
+++ /dev/null
@@ -1,215 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import static org.pgpainless.signature.consumer.SignatureValidator.signatureWasCreatedInBounds;
-
-import java.io.FilterInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-import java.util.Map;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-
-import org.bouncycastle.openpgp.PGPObjectFactory;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.pgpainless.PGPainless;
-import org.pgpainless.exception.SignatureValidationException;
-import org.pgpainless.policy.Policy;
-import org.pgpainless.signature.consumer.CertificateValidator;
-import org.pgpainless.signature.consumer.SignatureCheck;
-import org.pgpainless.signature.consumer.OnePassSignatureCheck;
-import org.pgpainless.signature.SignatureUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public abstract class SignatureInputStream extends FilterInputStream {
-
-    protected SignatureInputStream(InputStream inputStream) {
-        super(inputStream);
-    }
-
-    public static class VerifySignatures extends SignatureInputStream {
-
-        private static final Logger LOGGER = LoggerFactory.getLogger(VerifySignatures.class);
-
-        private final PGPObjectFactory objectFactory;
-        private final List opSignatures;
-        private final Map opSignaturesWithMissingCert;
-        private final List detachedSignatures;
-        private final ConsumerOptions options;
-        private final OpenPgpMetadata.Builder resultBuilder;
-
-        public VerifySignatures(
-                InputStream literalDataStream,
-                @Nullable PGPObjectFactory objectFactory,
-                List opSignatures,
-                Map onePassSignaturesWithMissingCert,
-                List detachedSignatures,
-                ConsumerOptions options,
-                OpenPgpMetadata.Builder resultBuilder) {
-            super(literalDataStream);
-            this.objectFactory = objectFactory;
-            this.opSignatures = opSignatures;
-            this.opSignaturesWithMissingCert = onePassSignaturesWithMissingCert;
-            this.detachedSignatures = detachedSignatures;
-            this.options = options;
-            this.resultBuilder = resultBuilder;
-        }
-
-        @Override
-        public int read() throws IOException {
-            final int data = super.read();
-            final boolean endOfStream = data == -1;
-            if (endOfStream) {
-                finalizeSignatures();
-            } else {
-                byte b = (byte) data;
-                updateOnePassSignatures(b);
-                updateDetachedSignatures(b);
-            }
-            return data;
-        }
-
-        @Override
-        public int read(@Nonnull byte[] b, int off, int len) throws IOException {
-            int read = super.read(b, off, len);
-
-            final boolean endOfStream = read == -1;
-            if (endOfStream) {
-                finalizeSignatures();
-            } else {
-                updateOnePassSignatures(b, off, read);
-                updateDetachedSignatures(b, off, read);
-            }
-            return read;
-        }
-
-        private void finalizeSignatures() {
-            parseAndCombineSignatures();
-            verifyOnePassSignatures();
-            verifyDetachedSignatures();
-        }
-
-        public void parseAndCombineSignatures() {
-            if (objectFactory == null) {
-                return;
-            }
-            // Parse signatures from message
-            PGPSignatureList signatures;
-            try {
-                signatures = parseSignatures(objectFactory);
-            } catch (IOException e) {
-                return;
-            }
-            List signatureList = SignatureUtils.toList(signatures);
-            // Set signatures as comparison sigs in OPS checks
-            for (int i = 0; i < opSignatures.size(); i++) {
-                int reversedIndex = opSignatures.size() - i - 1;
-                opSignatures.get(i).setSignature(signatureList.get(reversedIndex));
-            }
-
-            for (PGPSignature signature : signatureList) {
-                if (opSignaturesWithMissingCert.containsKey(signature.getKeyID())) {
-                    OnePassSignatureCheck check = opSignaturesWithMissingCert.remove(signature.getKeyID());
-                    check.setSignature(signature);
-
-                    resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null),
-                            new SignatureValidationException(
-                                    "Missing verification certificate " + Long.toHexString(signature.getKeyID())));
-                }
-            }
-        }
-
-        private PGPSignatureList parseSignatures(PGPObjectFactory objectFactory) throws IOException {
-            PGPSignatureList signatureList = null;
-            Object pgpObject = objectFactory.nextObject();
-            while (pgpObject !=  null && signatureList == null) {
-                if (pgpObject instanceof PGPSignatureList) {
-                    signatureList = (PGPSignatureList) pgpObject;
-                } else {
-                    pgpObject = objectFactory.nextObject();
-                }
-            }
-
-            if (signatureList == null || signatureList.isEmpty()) {
-                throw new IOException("Verification failed - No Signatures found");
-            }
-
-            return signatureList;
-        }
-
-
-        private synchronized void verifyOnePassSignatures() {
-            Policy policy = PGPainless.getPolicy();
-            for (OnePassSignatureCheck opSignature : opSignatures) {
-                if (opSignature.getSignature() == null) {
-                    LOGGER.warn("Found OnePassSignature without respective signature packet -> skip");
-                    continue;
-                }
-
-                try {
-                    signatureWasCreatedInBounds(options.getVerifyNotBefore(),
-                            options.getVerifyNotAfter()).verify(opSignature.getSignature());
-                    CertificateValidator.validateCertificateAndVerifyOnePassSignature(opSignature, policy);
-                    resultBuilder.addVerifiedInbandSignature(
-                            new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()));
-                } catch (SignatureValidationException e) {
-                    LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}",
-                            opSignature.getSigningKey(), e.getMessage(), e);
-                    resultBuilder.addInvalidInbandSignature(
-                            new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()), e);
-                }
-            }
-        }
-
-        private void verifyDetachedSignatures() {
-            Policy policy = PGPainless.getPolicy();
-            for (SignatureCheck s : detachedSignatures) {
-                try {
-                    signatureWasCreatedInBounds(options.getVerifyNotBefore(),
-                            options.getVerifyNotAfter()).verify(s.getSignature());
-                    CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(),
-                            (PGPPublicKeyRing) s.getSigningKeyRing(), policy);
-                    resultBuilder.addVerifiedDetachedSignature(new SignatureVerification(s.getSignature(),
-                            s.getSigningKeyIdentifier()));
-                } catch (SignatureValidationException e) {
-                    LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}",
-                            s.getSigningKeyIdentifier(), e.getMessage(), e);
-                    resultBuilder.addInvalidDetachedSignature(new SignatureVerification(s.getSignature(),
-                            s.getSigningKeyIdentifier()), e);
-                }
-            }
-        }
-
-        private void updateOnePassSignatures(byte data) {
-            for (OnePassSignatureCheck opSignature : opSignatures) {
-                opSignature.getOnePassSignature().update(data);
-            }
-        }
-
-        private void updateOnePassSignatures(byte[] bytes, int offset, int length) {
-            for (OnePassSignatureCheck opSignature : opSignatures) {
-                opSignature.getOnePassSignature().update(bytes, offset, length);
-            }
-        }
-
-        private void updateDetachedSignatures(byte b) {
-            for (SignatureCheck detachedSignature : detachedSignatures) {
-                detachedSignature.getSignature().update(b);
-            }
-        }
-
-        private void updateDetachedSignatures(byte[] b, int off, int read) {
-            for (SignatureCheck detachedSignature : detachedSignatures) {
-                detachedSignature.getSignature().update(b, off, read);
-            }
-        }
-
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
deleted file mode 100644
index 6b6f86de..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/FinalIOException.java
+++ /dev/null
@@ -1,17 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.exception;
-
-import java.io.IOException;
-
-/**
- * Wrapper for {@link IOException} indicating that we need to throw this exception up.
- */
-public class FinalIOException extends IOException {
-
-    public FinalIOException(IOException e) {
-        super(e);
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java b/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java
deleted file mode 100644
index e396b1df..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/exception/MissingLiteralDataException.java
+++ /dev/null
@@ -1,17 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.exception;
-
-import org.bouncycastle.openpgp.PGPException;
-
-/**
- * Exception that gets thrown if a {@link org.bouncycastle.bcpg.LiteralDataPacket} is expected, but not found.
- */
-public class MissingLiteralDataException extends PGPException {
-
-    public MissingLiteralDataException(String message) {
-        super(message);
-    }
-}

From 8cb7d19487d01d4cf0746782068bff500713c2b4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 13:13:27 +0200
Subject: [PATCH 0762/1450] Allow injection of different syntax into PDA

---
 .../syntax_check/PDA.java                      | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index ed9175fd..65210ce0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -8,6 +8,7 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.annotation.Nonnull;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -23,15 +24,24 @@ public class PDA {
     // right now we implement what rfc4880 specifies.
     // TODO: Consider implementing what we proposed here:
     //  https://mailarchive.ietf.org/arch/msg/openpgp/uepOF6XpSegMO4c59tt9e5H1i4g/
-    private final Syntax syntax = new OpenPgpMessageSyntax();
+    private final Syntax syntax;
     private final Stack stack = new Stack<>();
     private final List inputs = new ArrayList<>(); // Track inputs for debugging / error reporting
     private State state;
 
+    /**
+     *
+     */
     public PDA() {
-        state = State.OpenPgpMessage;
-        pushStack(terminus);
-        pushStack(msg);
+        this(new OpenPgpMessageSyntax(), State.OpenPgpMessage, terminus, msg);
+    }
+
+    public PDA(@Nonnull Syntax syntax, @Nonnull State initialState, @Nonnull StackSymbol... initialStack) {
+        this.syntax = syntax;
+        this.state = initialState;
+        for (StackSymbol symbol : initialStack) {
+            pushStack(symbol);
+        }
     }
 
     public void next(InputSymbol input) throws MalformedOpenPgpMessageException {

From 208612ab56d96c0785d9938b31265644023debdc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 13:53:54 +0200
Subject: [PATCH 0763/1450] Add (commented-out) read(buf, off, len)
 implementation for DelayedTeeInputStream

---
 .../TeeBCPGInputStream.java                   | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index bbcf593e..52ec9001 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -26,20 +26,20 @@ import org.pgpainless.algorithm.OpenPgpPacket;
  * {@link BCPGInputStream#readPacket()} inconsistently calls a mix of {@link BCPGInputStream#read()} and
  * {@link InputStream#read()} of the underlying stream. This would cause the second length byte to get swallowed up.
  *
- * Therefore, this class delegates the teeing to an {@link DelayedTeeInputStreamInputStream} which wraps the underlying
+ * Therefore, this class delegates the teeing to an {@link DelayedTeeInputStream} which wraps the underlying
  * stream. Since calling {@link BCPGInputStream#nextPacketTag()} reads up to and including the next packets tag,
  * we need to delay teeing out that byte to signature verifiers.
  * Hence, the reading methods of the {@link TeeBCPGInputStream} handle pushing this byte to the output stream using
- * {@link DelayedTeeInputStreamInputStream#squeeze()}.
+ * {@link DelayedTeeInputStream#squeeze()}.
  */
 public class TeeBCPGInputStream {
 
-    protected final DelayedTeeInputStreamInputStream delayedTee;
+    protected final DelayedTeeInputStream delayedTee;
     // InputStream of OpenPGP packets of the current layer
     protected final BCPGInputStream packetInputStream;
 
     public TeeBCPGInputStream(BCPGInputStream inputStream, OutputStream outputStream) {
-        this.delayedTee = new DelayedTeeInputStreamInputStream(inputStream, outputStream);
+        this.delayedTee = new DelayedTeeInputStream(inputStream, outputStream);
         this.packetInputStream = BCPGInputStream.wrap(delayedTee);
     }
 
@@ -100,13 +100,13 @@ public class TeeBCPGInputStream {
         this.packetInputStream.close();
     }
 
-    public static class DelayedTeeInputStreamInputStream extends InputStream {
+    public static class DelayedTeeInputStream extends InputStream {
 
         private int last = -1;
         private final InputStream inputStream;
         private final OutputStream outputStream;
 
-        public DelayedTeeInputStreamInputStream(InputStream inputStream, OutputStream outputStream) {
+        public DelayedTeeInputStream(InputStream inputStream, OutputStream outputStream) {
             this.inputStream = inputStream;
             this.outputStream = outputStream;
         }
@@ -127,6 +127,26 @@ public class TeeBCPGInputStream {
             }
         }
 
+        // TODO: Uncomment, once BC-172.1 is available
+        //  see https://github.com/bcgit/bc-java/issues/1257
+        /*
+        @Override
+        public int read(byte[] b, int off, int len) throws IOException {
+            if (last != -1) {
+                outputStream.write(last);
+            }
+
+            int r = inputStream.read(b, off, len);
+            if (r > 0) {
+                outputStream.write(b, off, r - 1);
+                last = b[off + r - 1];
+            } else {
+                last = -1;
+            }
+            return r;
+        }
+         */
+
         /**
          * Squeeze the last byte out and update the output stream.
          *

From 8fafb6aa562255c7961c7061520c2d5db21eae4b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Oct 2022 13:55:58 +0200
Subject: [PATCH 0764/1450] Add comments

---
 .../OpenPgpMessageInputStream.java                 | 14 ++++++++++++--
 .../decryption_verification/syntax_check/PDA.java  |  2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a0f17210..1b11744c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -116,6 +116,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
     /**
      * Create an {@link OpenPgpMessageInputStream} suitable for decryption and verification of
      * OpenPGP messages and signatures.
+     * This factory method takes a custom {@link Policy} instead of using the global policy object.
      *
      * @param inputStream underlying input stream containing the OpenPGP message
      * @param options options for consuming the message
@@ -161,7 +162,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                         armorIn, options, metadata, policy);
             }
         } else {
-            throw new AssertionError("Huh?");
+            throw new AssertionError("Cannot deduce type of data.");
         }
     }
 
@@ -212,6 +213,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         switch (type) {
 
+            // Binary OpenPGP Message
             case standard:
                 // tee out packet bytes for signature verification
                 packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), this.signatures);
@@ -220,6 +222,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 consumePackets();
                 break;
 
+            // Cleartext Signature Framework (probably signed message)
             case cleartext_signed:
                 resultBuilder.setCleartextSigned();
                 MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
@@ -235,6 +238,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 nestedInputStream = new TeeInputStream(multiPassStrategy.getMessageInputStream(), this.signatures);
                 break;
 
+            // Non-OpenPGP Data (e.g. detached signature verification)
             case non_openpgp:
                 packetInputStream = null;
                 nestedInputStream = new TeeInputStream(inputStream, this.signatures);
@@ -265,7 +269,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             return;
         }
 
-        loop: // we break this when we go deeper.
+        loop: // we break this when we enter nested packets and later resume
         while ((nextPacket = packetInputStream.nextPacketTag()) != null) {
             signatures.nextPacket(nextPacket);
             switch (nextPacket) {
@@ -296,6 +300,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 case SED:
                 case SEIPD:
                     if (processEncryptedData()) {
+                        // Successfully decrypted, enter nested content
                         break loop;
                     }
 
@@ -336,10 +341,12 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         LOGGER.debug("Literal Data Packet at depth " + metadata.depth + " encountered");
         syntaxVerifier.next(InputSymbol.LiteralData);
         PGPLiteralData literalData = packetInputStream.readLiteralData();
+        // Extract Metadata
         this.metadata.setChild(new MessageMetadata.LiteralData(
                 literalData.getFileName(),
                 literalData.getModificationTime(),
                 StreamEncoding.requireFromCode(literalData.getFormat())));
+
         nestedInputStream = literalData.getDataStream();
     }
 
@@ -347,9 +354,11 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         syntaxVerifier.next(InputSymbol.CompressedData);
         signatures.enterNesting();
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
+        // Extract Metadata
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
                 CompressionAlgorithm.fromId(compressedData.getAlgorithm()),
                 metadata.depth + 1);
+
         LOGGER.debug("Compressed Data Packet (" + compressionLayer.algorithm + ") at depth " + metadata.depth + " encountered");
         InputStream decompressed = compressedData.getDataStream();
         nestedInputStream = new OpenPgpMessageInputStream(decompressed, options, compressionLayer, policy);
@@ -374,6 +383,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             LOGGER.debug("Unsupported Signature at depth " + metadata.depth + " encountered.", e);
             return;
         }
+
         long keyId = SignatureUtils.determineIssuerKeyId(signature);
         if (isSigForOPS) {
             LOGGER.debug("Signature Packet corresponding to One-Pass-Signature by key " +
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 65210ce0..07a5fdcb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -30,7 +30,7 @@ public class PDA {
     private State state;
 
     /**
-     *
+     * Default constructor which initializes the PDA to work with the {@link OpenPgpMessageSyntax}.
      */
     public PDA() {
         this(new OpenPgpMessageSyntax(), State.OpenPgpMessage, terminus, msg);

From 705e36080c6030056143e7adb0af917d9a075a3d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 23 Sep 2022 14:51:06 +0200
Subject: [PATCH 0765/1450] Implement caching PublicKeyDataDecryptorFactory

---
 .../CachingPublicKeyDataDecryptorFactory.java | 75 +++++++++++++++++++
 .../java/org/bouncycastle/package-info.java   |  8 ++
 2 files changed, 83 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java
 create mode 100644 pgpainless-core/src/main/java/org/bouncycastle/package-info.java

diff --git a/pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java
new file mode 100644
index 00000000..1498b6f2
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java
@@ -0,0 +1,75 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.bouncycastle;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
+import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.bouncycastle.util.encoders.Base64;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Implementation of the {@link PublicKeyDataDecryptorFactory} which caches decrypted session keys.
+ * That way, if a message needs to be decrypted multiple times, expensive private key operations can be omitted.
+ *
+ * This implementation changes the behavior or {@link #recoverSessionData(int, byte[][])} to first return any
+ * cache hits.
+ * If no hit is found, the method call is delegated to the underlying {@link PublicKeyDataDecryptorFactory}.
+ * The result of that is then placed in the cache and returned.
+ *
+ * TODO: Do we also cache invalid session keys?
+ */
+public class CachingPublicKeyDataDecryptorFactory implements PublicKeyDataDecryptorFactory {
+
+    private final Map cachedSessionKeys = new HashMap<>();
+    private final PublicKeyDataDecryptorFactory factory;
+
+    public CachingPublicKeyDataDecryptorFactory(PublicKeyDataDecryptorFactory factory) {
+        this.factory = factory;
+    }
+
+    @Override
+    public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
+        byte[] sessionKey = lookup(secKeyData);
+        if (sessionKey == null) {
+            sessionKey = factory.recoverSessionData(keyAlgorithm, secKeyData);
+            cache(secKeyData, sessionKey);
+        }
+        return sessionKey;
+    }
+
+    private byte[] lookup(byte[][] secKeyData) {
+        byte[] sk = secKeyData[0];
+        String key = Base64.toBase64String(sk);
+        byte[] sessionKey = cachedSessionKeys.get(key);
+        return copy(sessionKey);
+    }
+
+    private void cache(byte[][] secKeyData, byte[] sessionKey) {
+        byte[] sk = secKeyData[0];
+        String key = Base64.toBase64String(sk);
+        cachedSessionKeys.put(key, copy(sessionKey));
+    }
+
+    private static byte[] copy(byte[] bytes) {
+        if (bytes == null) {
+            return null;
+        }
+        byte[] copy = new byte[bytes.length];
+        System.arraycopy(bytes, 0, copy, 0, copy.length);
+        return copy;
+    }
+
+    public void clear() {
+        cachedSessionKeys.clear();
+    }
+
+    @Override
+    public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key) throws PGPException {
+        return null;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/bouncycastle/package-info.java b/pgpainless-core/src/main/java/org/bouncycastle/package-info.java
new file mode 100644
index 00000000..565bb5f4
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/bouncycastle/package-info.java
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Classes which could be upstreamed to BC at some point.
+ */
+package org.bouncycastle;

From 8c0d096fc6d34566f937ae26fb49cae5dc38d534 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 14:56:06 +0200
Subject: [PATCH 0766/1450] Fix CachingBcPublicKeyDataDecryptorFactory

---
 ...chingBcPublicKeyDataDecryptorFactory.java} | 44 ++++++---
 ...ngBcPublicKeyDataDecryptorFactoryTest.java | 96 +++++++++++++++++++
 2 files changed, 126 insertions(+), 14 deletions(-)
 rename pgpainless-core/src/main/java/org/bouncycastle/{CachingPublicKeyDataDecryptorFactory.java => CachingBcPublicKeyDataDecryptorFactory.java} (52%)
 create mode 100644 pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java

diff --git a/pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
similarity index 52%
rename from pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java
rename to pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
index 1498b6f2..3c967224 100644
--- a/pgpainless-core/src/main/java/org/bouncycastle/CachingPublicKeyDataDecryptorFactory.java
+++ b/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
@@ -5,9 +5,15 @@
 package org.bouncycastle;
 
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
+import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
 import org.bouncycastle.util.encoders.Base64;
+import org.bouncycastle.util.encoders.Hex;
+import org.pgpainless.decryption_verification.CustomPublicKeyDataDecryptorFactory;
+import org.pgpainless.key.SubkeyIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -20,36 +26,46 @@ import java.util.Map;
  * cache hits.
  * If no hit is found, the method call is delegated to the underlying {@link PublicKeyDataDecryptorFactory}.
  * The result of that is then placed in the cache and returned.
- *
- * TODO: Do we also cache invalid session keys?
  */
-public class CachingPublicKeyDataDecryptorFactory implements PublicKeyDataDecryptorFactory {
+public class CachingBcPublicKeyDataDecryptorFactory
+        extends BcPublicKeyDataDecryptorFactory
+        implements CustomPublicKeyDataDecryptorFactory {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(CachingBcPublicKeyDataDecryptorFactory.class);
 
     private final Map cachedSessionKeys = new HashMap<>();
-    private final PublicKeyDataDecryptorFactory factory;
+    private final SubkeyIdentifier decryptionKey;
 
-    public CachingPublicKeyDataDecryptorFactory(PublicKeyDataDecryptorFactory factory) {
-        this.factory = factory;
+    public CachingBcPublicKeyDataDecryptorFactory(PGPPrivateKey privateKey, SubkeyIdentifier decryptionKey) {
+        super(privateKey);
+        this.decryptionKey = decryptionKey;
     }
 
     @Override
     public byte[] recoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
-        byte[] sessionKey = lookup(secKeyData);
+        byte[] sessionKey = lookupSessionKeyData(secKeyData);
         if (sessionKey == null) {
-            sessionKey = factory.recoverSessionData(keyAlgorithm, secKeyData);
-            cache(secKeyData, sessionKey);
+            LOGGER.debug("Cache miss for encrypted session key " + Hex.toHexString(secKeyData[0]));
+            sessionKey = costlyRecoverSessionData(keyAlgorithm, secKeyData);
+            cacheSessionKeyData(secKeyData, sessionKey);
+        } else {
+            LOGGER.debug("Cache hit for encrypted session key " + Hex.toHexString(secKeyData[0]));
         }
         return sessionKey;
     }
 
-    private byte[] lookup(byte[][] secKeyData) {
+    public byte[] costlyRecoverSessionData(int keyAlgorithm, byte[][] secKeyData) throws PGPException {
+        return super.recoverSessionData(keyAlgorithm, secKeyData);
+    }
+
+    private byte[] lookupSessionKeyData(byte[][] secKeyData) {
         byte[] sk = secKeyData[0];
         String key = Base64.toBase64String(sk);
         byte[] sessionKey = cachedSessionKeys.get(key);
         return copy(sessionKey);
     }
 
-    private void cache(byte[][] secKeyData, byte[] sessionKey) {
+    private void cacheSessionKeyData(byte[][] secKeyData, byte[] sessionKey) {
         byte[] sk = secKeyData[0];
         String key = Base64.toBase64String(sk);
         cachedSessionKeys.put(key, copy(sessionKey));
@@ -69,7 +85,7 @@ public class CachingPublicKeyDataDecryptorFactory implements PublicKeyDataDecryp
     }
 
     @Override
-    public PGPDataDecryptor createDataDecryptor(boolean withIntegrityPacket, int encAlgorithm, byte[] key) throws PGPException {
-        return null;
+    public SubkeyIdentifier getSubkeyIdentifier() {
+        return decryptionKey;
     }
 }
diff --git a/pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
new file mode 100644
index 00000000..186bcbc2
--- /dev/null
+++ b/pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
@@ -0,0 +1,96 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package bouncycastle;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+
+import org.bouncycastle.CachingBcPublicKeyDataDecryptorFactory;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.EncryptionPurpose;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.key.protection.UnlockSecretKey;
+
+public class CachingBcPublicKeyDataDecryptorFactoryTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: C8AE 4279 5958 5F46 86A9  8B5F EC69 7C29 2BE4 44E0\n" +
+            "Comment: Alice\n" +
+            "\n" +
+            "lFgEY1vEcxYJKwYBBAHaRw8BAQdAXOUK1uc1iBeM+mMt2nLCukXWoJd/SodrtN9S\n" +
+            "U/zzwu0AAP9eePPw91KLuq6PF9jQoTRz/cW4CyiALNJpsOJIZ1rp3xOBtAVBbGlj\n" +
+            "ZYiPBBMWCgBBBQJjW8RzCRDsaXwpK+RE4BYhBMiuQnlZWF9GhqmLX+xpfCkr5ETg\n" +
+            "Ap4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAGqWAQC8oz7l8izjUis5ji+sgI+q\n" +
+            "gML22VNybqmLBpzZwnNU5wEApe9fNTRbK5yAITGBscxH7o74Qe+CLI6Ni5MwzKxr\n" +
+            "5AucXQRjW8RzEgorBgEEAZdVAQUBAQdAm8xk0QSvpp2ZU1KQ31E7eEZYLKpbW4JE\n" +
+            "opmtMQx6AlIDAQgHAAD/XTb/qSosfkNvli3BQiUzVRAqKaU4PKAq7at6afxoYSgN\n" +
+            "4Yh1BBgWCgAdBQJjW8RzAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQ7Gl8KSvk\n" +
+            "ROB38QEA0MvDt0bjEXwFoM0E34z0MtPcG3VBYcQ+iFRIqFfEl5UA/2yZxFjoZqrs\n" +
+            "AQE8TaVpXYfbc2p/GEKA9LGd9l/g0QQLnFgEY1vEcxYJKwYBBAHaRw8BAQdAyCOv\n" +
+            "6hGUvHcCBSDKP3fRz+scyJ9zwMt7nFXK5A/k2YgAAQCn3Es+IhvePn3eBlcYMMr0\n" +
+            "xcktrY1NJAIZPfjlUJ0J1g6LiNUEGBYKAH0FAmNbxHMCngECmwIFFgIDAQAECwkI\n" +
+            "BwUVCgkIC18gBBkWCgAGBQJjW8RzAAoJECxLf7KoUc8wD18BANNpIr4E+RRVVztR\n" +
+            "OVwdxSe0SRWGjkW8nHrRyghHKTuMAP9p4ZKicOYA1uZbiNNjyuJuS8xBH6Hihurb\n" +
+            "gDypVgxdBQAKCRDsaXwpK+RE4EQjAP9ARZEPxKNLFkrvjoZ8nrts3qhv3VtMrU+9\n" +
+            "huZnYLe1FQEAtgO6V7wutHvVARHXqPJ6lcv+SueIu+BjLFYEKuBwggs=\n" +
+            "=ShJd\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    private static final String MSG = "-----BEGIN PGP MESSAGE-----\n" +
+            "Version: PGPainless\n" +
+            "\n" +
+            "hF4DJmQMTBqw3G8SAQdALkHpO0UkS/CqkwxUz74MJU3PV72ZrIL8ZcrO8ofhblkw\n" +
+            "iDIhSwwGTG3tj+sG+ZVWKsmONKi7Om5seJDHQtQ8MfdCELAgwYHSt6MrgDBhuDIH\n" +
+            "0kABZhq2/8qk3EGXPpc+xxs4r4g8SgHOiiHSim5NGtounXXIaF6T/hUmlorkeYf/\n" +
+            "a9pCC0QXRUAr8NOcdsfbvb5V\n" +
+            "=dQa8\n" +
+            "-----END PGP MESSAGE-----";
+
+    @Test
+    public void test() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
+        SubkeyIdentifier decryptionKey = new SubkeyIdentifier(secretKeys,
+                info.getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID());
+
+        PGPSecretKey secretKey = secretKeys.getSecretKey(decryptionKey.getSubkeyId());
+        PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
+        CachingBcPublicKeyDataDecryptorFactory cachingFactory = new CachingBcPublicKeyDataDecryptorFactory(
+                privateKey, decryptionKey);
+
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(MSG.getBytes());
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(ConsumerOptions.get()
+                        .addCustomDecryptorFactory(cachingFactory));
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+
+        decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(ConsumerOptions.get()
+                        .addCustomDecryptorFactory(cachingFactory));
+        out = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, out);
+        decryptionStream.close();
+    }
+}

From 07320ed3cfc4ab3cf6158a9e2ea549b5166f0372 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 14:56:41 +0200
Subject: [PATCH 0767/1450] Fix HardwareSecurity.getIdsOfHardwareBackedKeys()

---
 .../decryption_verification/HardwareSecurity.java    | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index f234ff00..6d9719dd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -47,8 +47,8 @@ public class HardwareSecurity {
      * @param secretKeys secret keys
      * @return set of keys with S2K type DIVERT_TO_CARD or GNU_DUMMY_S2K
      */
-    public static Set getIdsOfHardwareBackedKeys(PGPSecretKeyRing secretKeys) {
-        Set hardwareBackedKeys = new HashSet<>();
+    public static Set getIdsOfHardwareBackedKeys(PGPSecretKeyRing secretKeys) {
+        Set hardwareBackedKeys = new HashSet<>();
         for (PGPSecretKey secretKey : secretKeys) {
             S2K s2K = secretKey.getS2K();
             if (s2K == null) {
@@ -56,9 +56,11 @@ public class HardwareSecurity {
             }
 
             int type = s2K.getType();
+            int mode = s2K.getProtectionMode();
             // TODO: Is GNU_DUMMY_S2K appropriate?
-            if (type == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD || type == S2K.GNU_DUMMY_S2K) {
-                hardwareBackedKeys.add(secretKey.getKeyID());
+            if (type == S2K.GNU_DUMMY_S2K && mode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) {
+                SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyID());
+                hardwareBackedKeys.add(hardwareBackedKey);
             }
         }
         return hardwareBackedKeys;
@@ -75,7 +77,7 @@ public class HardwareSecurity {
         // luckily we can instantiate the BcPublicKeyDataDecryptorFactory with null as argument.
         private final PublicKeyDataDecryptorFactory factory =
                 new BcPublicKeyDataDecryptorFactory(null);
-        private SubkeyIdentifier subkey;
+        private final SubkeyIdentifier subkey;
 
         /**
          * Create a new {@link HardwareDataDecryptorFactory}.

From 7467170bccef1ec52b16fe389281f042a9c531b7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 16:20:36 +0200
Subject: [PATCH 0768/1450] Move CachingBcPublicKeyDataDecryptorFactoryTest to
 correct package

---
 .../CachingBcPublicKeyDataDecryptorFactoryTest.java            | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename pgpainless-core/src/test/java/{ => org}/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java (98%)

diff --git a/pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
similarity index 98%
rename from pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
rename to pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
index 186bcbc2..6a43772d 100644
--- a/pgpainless-core/src/test/java/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
+++ b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package bouncycastle;
+package org.bouncycastle;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -10,7 +10,6 @@ import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 
-import org.bouncycastle.CachingBcPublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPSecretKey;

From 2487e3300a58f1ed7e615f54f8c9dd0549a76e00 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 16:36:08 +0200
Subject: [PATCH 0769/1450] Add and test GnuDummyKeyUtil

---
 .../key/gnu_dummy_s2k/GNUExtension.java       |  24 +++
 .../key/gnu_dummy_s2k/GnuDummyKeyUtil.java    | 114 ++++++++++
 .../key/gnu_dummy_s2k/package-info.java       |   8 +
 .../HardwareSecurityTest.java                 |  82 ++++++++
 .../gnu_dummy_s2k/GnuDummyKeyUtilTest.java    | 199 ++++++++++++++++++
 5 files changed, 427 insertions(+)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
new file mode 100644
index 00000000..ff42ef6e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
@@ -0,0 +1,24 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.gnu_dummy_s2k;
+
+import org.bouncycastle.bcpg.S2K;
+
+public enum GNUExtension {
+
+    NO_PRIVATE_KEY(S2K.GNU_PROTECTION_MODE_NO_PRIVATE_KEY),
+    DIVERT_TO_CARD(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD),
+    ;
+
+    private final int id;
+
+    GNUExtension(int id) {
+        this.id = id;
+    }
+
+    public int getId() {
+        return id;
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
new file mode 100644
index 00000000..a8de5aa3
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
@@ -0,0 +1,114 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.gnu_dummy_s2k;
+
+import org.bouncycastle.bcpg.PublicKeyPacket;
+import org.bouncycastle.bcpg.S2K;
+import org.bouncycastle.bcpg.SecretKeyPacket;
+import org.bouncycastle.bcpg.SecretSubkeyPacket;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public final class GnuDummyKeyUtil {
+
+    private GnuDummyKeyUtil() {
+
+    }
+
+    public static Builder modify(PGPSecretKeyRing secretKeys) {
+        return new Builder(secretKeys);
+    }
+
+    public static final class Builder {
+
+        private final PGPSecretKeyRing keys;
+
+        private Builder(PGPSecretKeyRing keys) {
+            this.keys = keys;
+        }
+
+        public PGPSecretKeyRing removePrivateKeys(KeyFilter filter) {
+            return doIt(GNUExtension.NO_PRIVATE_KEY, null, filter);
+        }
+
+        public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter) {
+            return divertPrivateKeysToCard(filter, new byte[16]);
+        }
+
+        public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter, byte[] cardSerialNumber) {
+            return doIt(GNUExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
+        }
+
+        private PGPSecretKeyRing doIt(GNUExtension extension, byte[] serial, KeyFilter filter) {
+            byte[] encodedSerial = serial != null ? encodeSerial(serial) : null;
+            S2K s2k = extensionToS2K(extension);
+
+            List secretKeyList = new ArrayList<>();
+            for (PGPSecretKey secretKey : keys) {
+                if (!filter.filter(secretKey.getKeyID())) {
+                    // No conversion, do not modify subkey
+                    secretKeyList.add(secretKey);
+                    continue;
+                }
+
+                PublicKeyPacket publicKeyPacket = secretKey.getPublicKey().getPublicKeyPacket();
+                if (secretKey.isMasterKey()) {
+                    SecretKeyPacket keyPacket = new SecretKeyPacket(publicKeyPacket,
+                            0, 255, s2k, null, encodedSerial);
+                    PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey());
+                    secretKeyList.add(onCard);
+                } else {
+                    SecretSubkeyPacket keyPacket = new SecretSubkeyPacket(publicKeyPacket,
+                            0, 255, s2k, null, encodedSerial);
+                    PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey());
+                    secretKeyList.add(onCard);
+                }
+            }
+
+            PGPSecretKeyRing gnuDummyKey = new PGPSecretKeyRing(secretKeyList);
+            return gnuDummyKey;
+        }
+
+        private byte[] encodeSerial(byte[] serial) {
+            byte[] encoded = new byte[serial.length + 1];
+            encoded[0] = 0x10;
+            System.arraycopy(serial, 0, encoded, 1, serial.length);
+            return encoded;
+        }
+
+        private S2K extensionToS2K(GNUExtension extension) {
+            S2K s2k = S2K.gnuDummyS2K(extension == GNUExtension.DIVERT_TO_CARD ?
+                    S2K.GNUDummyParams.divertToCard() : S2K.GNUDummyParams.noPrivateKey());
+            return s2k;
+        }
+    }
+
+    public interface KeyFilter {
+
+        /**
+         * Return true, if the given key should be selected, false otherwise.
+         *
+         * @param keyId id of the key
+         * @return select
+         */
+        boolean filter(long keyId);
+
+        static KeyFilter any() {
+            return keyId -> true;
+        }
+
+        static KeyFilter only(long onlyKeyId) {
+            return keyId -> keyId == onlyKeyId;
+        }
+
+        static KeyFilter selected(Collection ids) {
+            return keyId -> ids.contains(keyId);
+        }
+    }
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java
new file mode 100644
index 00000000..5c2a727e
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Utility classes related to creating keys with GNU DUMMY S2K values.
+ */
+package org.pgpainless.key.gnu_dummy_s2k;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
new file mode 100644
index 00000000..f1606cec
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
@@ -0,0 +1,82 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.gnu_dummy_s2k.GnuDummyKeyUtil;
+import org.pgpainless.key.util.KeyIdUtil;
+
+public class HardwareSecurityTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: DE2E 9AB2 6650 8191 53E7  D599 C176 507F 2B5D 43B3\n" +
+            "Comment: Alice \n" +
+            "\n" +
+            "lFgEY1vjgRYJKwYBBAHaRw8BAQdAXjLoPTOIOdvlFT2Nt3rcvLTVx5ujPBGghZ5S\n" +
+            "D5tEnyoAAP0fAUJTiPrxZYdzs6MP0KFo+Nmr/wb1PJHTkzmYpt4wkRKBtBxBbGlj\n" +
+            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmNb44EJEMF2UH8rXUOz\n" +
+            "FiEE3i6asmZQgZFT59WZwXZQfytdQ7MCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
+            "AQAAHLYA/AgW+YrpU+UqrwX2dhY6RAfgHTTMU89RHjaTHJx8pLrBAP4gthGof00a\n" +
+            "XEjwTWteDOO049SIp2AUfj9deJqtrQcHD5xdBGNb44ESCisGAQQBl1UBBQEBB0DN\n" +
+            "vUT3awa3YLmwf41LRpPrm7B87AOHfYIP8S9QJ4GDJgMBCAcAAP9bwlSaF+lti8JY\n" +
+            "qKFO3qt3ZYQMu1l/LRBle89ZB4zD+BDOiHUEGBYKAB0FAmNb44ECngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRDBdlB/K11Ds/TsAP9kvpUrCWnrWGq+a9n1CqEfCMX5\n" +
+            "cT+qzrwNf+J0L22KowD+M9SVO0qssiAqutLE9h9dGYLbEiFvsHzK3WSnjKYbIgac\n" +
+            "WARjW+OBFgkrBgEEAdpHDwEBB0BCPh8M5TnXSmG6Ygwp4j5RR4u3hmxl8CYjX4h/\n" +
+            "XtvvNwAA/RP04coSrLHVI6vUfbJk4MhWYeyhJBRYY0vGp7yq+wVtEpKI1QQYFgoA\n" +
+            "fQUCY1vjgQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNb44EACgkQ\n" +
+            "mlozJSF7rXQW+AD/TA3YBxTd+YbBSwfgqzWNbfT9BBcFrdn3uPCsbvfmqXoA/3oj\n" +
+            "oupkgoaXesrGxn2k9hW9/GBXSvNcgY2txZ6/oYoIAAoJEMF2UH8rXUOziZ4A/0Xl\n" +
+            "xSZJWmkRpBh5AO8Cnqosz6j947IYAxS16ay+sIOHAP9aN9CUNJIIdHnHdFHO4GZz\n" +
+            "ejjknn4wt8NVJP97JxlnBQ==\n" +
+            "=qSQb\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    @Test
+    public void testGetSingleIdOfHardwareBackedKey() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
+        long encryptionKeyId = KeyIdUtil.fromLongKeyId("0AAD8F5891262F50");
+
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(encryptionKeyId));
+
+        Set hardwareBackedKeys = HardwareSecurity
+                .getIdsOfHardwareBackedKeys(withHardwareBackedEncryptionKey);
+        assertEquals(Collections.singleton(new SubkeyIdentifier(secretKeys, encryptionKeyId)), hardwareBackedKeys);
+    }
+
+
+    @Test
+    public void testGetIdsOfFullyHardwareBackedKey() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+        assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
+
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.any());
+        Set expected = new HashSet<>();
+        for (PGPSecretKey key : secretKeys) {
+            expected.add(new SubkeyIdentifier(secretKeys, key.getKeyID()));
+        }
+
+        Set hardwareBackedKeys = HardwareSecurity
+                .getIdsOfHardwareBackedKeys(withHardwareBackedEncryptionKey);
+
+        assertEquals(expected, hardwareBackedKeys);
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
new file mode 100644
index 00000000..0b19c551
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
@@ -0,0 +1,199 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key.gnu_dummy_s2k;
+
+import org.bouncycastle.bcpg.S2K;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.util.KeyIdUtil;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class GnuDummyKeyUtilTest {
+    // normal, non-hw-backed key
+    private static final String FULL_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lFgEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTQAAPwJN+Xmr0jjN7RA9jgqXnxC/rcWHmdp/j9NdEd7K2Wbxw/rtCBIYXJk\n" +
+            "eSBIYXJkd2FyZSA8aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9\n" +
+            "qfdqTxYhBAH9q2zgSlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJ\n" +
+            "CAsCmQEAAPk2AP922T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1M\n" +
+            "l9qqx6QGcaNKe8deMe3EhTant6mS9tqMHp2/3gmcXQRjW9KIEgorBgEEAZdVAQUB\n" +
+            "AQdAVXBLNvNmFh9KX6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgHAAD/fw9hnzeH\n" +
+            "VtBaHi6efXvnc4rdVj8zWk0LKo1clFd3bTAN+oh1BBgWCgAdBQJjW9KIAp4BApsM\n" +
+            "BRYCAwEABAsJCAcFFQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdi\n" +
+            "Ags0yZrQPkMs6eL+83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUT\n" +
+            "vP0BnFgEY1vSiBYJKwYBBAHaRw8BAQdAvSYTD60t8vx10dSEBACUoIfVCpeOB30D\n" +
+            "6nfwJtbDT0YAAQCgnCsN9iX7s2TQd8NPggWs4QdhaFpb6olt3SlAvUy/wRBDiNUE\n" +
+            "GBYKAH0FAmNb0ogCngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjW9KI\n" +
+            "AAoJEJQCL6VtwFtJDmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0yUxa76cmSWe5f\n" +
+            "AQD2oLSEW1GOgIs64+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6\n" +
+            "AP9Xftw8xZ7/MWhYImk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwG\n" +
+            "jF6AYiLOzO/R1x5bSlYD3FeJ3Qo=\n" +
+            "=+vXp\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    private static final long primaryKeyId = KeyIdUtil.fromLongKeyId("C312C97DA9F76A4F");
+    private static final long encryptionKeyId = KeyIdUtil.fromLongKeyId("6924D066714CE8C6");
+    private static final long signatureKeyId = KeyIdUtil.fromLongKeyId("94022FA56DC05B49");
+    private static final byte[] cardSerial = new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+
+    public static final String ALL_KEYS_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lEwEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTT/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
+            "aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9qfdqTxYhBAH9q2zg\n" +
+            "SlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAPk2AP92\n" +
+            "2T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1Ml9qqx6QGcaNKe8de\n" +
+            "Me3EhTant6mS9tqMHp2/3gmcUQRjW9KIEgorBgEEAZdVAQUBAQdAVXBLNvNmFh9K\n" +
+            "X6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/wBlAEdOVQIQAAECAwQFBgcICQoL\n" +
+            "DA0OD4h1BBgWCgAdBQJjW9KIAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQwxLJ\n" +
+            "fan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdiAgs0yZrQPkMs6eL+83te770A/jG0DeJy\n" +
+            "+88fOfWTj+mixO98PZPnQ0MybWC/1QUTvP0BnEwEY1vSiBYJKwYBBAHaRw8BAQdA\n" +
+            "vSYTD60t8vx10dSEBACUoIfVCpeOB30D6nfwJtbDT0b/AGUAR05VAhAAAQIDBAUG\n" +
+            "BwgJCgsMDQ4PiNUEGBYKAH0FAmNb0ogCngECmwIFFgIDAQAECwkIBwUVCgkIC18g\n" +
+            "BBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJDmMBAKqsGfRFQxJXyPgugWBgEaO5lt9f\n" +
+            "MM0yUxa76cmSWe5fAQD2oLSEW1GOgIs64+Z3gvtXopmeupT09HhI7ger98zDAwAK\n" +
+            "CRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhYImk/xheqPy07K4qo3T1pGKUvUqjWQQEA\n" +
+            "hE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5bSlYD3FeJ3Qo=\n" +
+            "=wsFa\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    public static final String PRIMARY_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lEwEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTT/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
+            "aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9qfdqTxYhBAH9q2zg\n" +
+            "SlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAPk2AP92\n" +
+            "2T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1Ml9qqx6QGcaNKe8de\n" +
+            "Me3EhTant6mS9tqMHp2/3gmcXQRjW9KIEgorBgEEAZdVAQUBAQdAVXBLNvNmFh9K\n" +
+            "X6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgHAAD/fw9hnzeHVtBaHi6efXvnc4rd\n" +
+            "Vj8zWk0LKo1clFd3bTAN+oh1BBgWCgAdBQJjW9KIAp4BApsMBRYCAwEABAsJCAcF\n" +
+            "FQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdiAgs0yZrQPkMs6eL+\n" +
+            "83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUTvP0BnFgEY1vSiBYJ\n" +
+            "KwYBBAHaRw8BAQdAvSYTD60t8vx10dSEBACUoIfVCpeOB30D6nfwJtbDT0YAAQCg\n" +
+            "nCsN9iX7s2TQd8NPggWs4QdhaFpb6olt3SlAvUy/wRBDiNUEGBYKAH0FAmNb0ogC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJ\n" +
+            "DmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0yUxa76cmSWe5fAQD2oLSEW1GOgIs6\n" +
+            "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
+            "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
+            "SlYD3FeJ3Qo=\n" +
+            "=s+B1\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    public static final String ENCRYPTION_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lFgEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTQAAPwJN+Xmr0jjN7RA9jgqXnxC/rcWHmdp/j9NdEd7K2Wbxw/rtCBIYXJk\n" +
+            "eSBIYXJkd2FyZSA8aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9\n" +
+            "qfdqTxYhBAH9q2zgSlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJ\n" +
+            "CAsCmQEAAPk2AP922T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1M\n" +
+            "l9qqx6QGcaNKe8deMe3EhTant6mS9tqMHp2/3gmcUQRjW9KIEgorBgEEAZdVAQUB\n" +
+            "AQdAVXBLNvNmFh9KX6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/wBlAEdOVQIQ\n" +
+            "AAECAwQFBgcICQoLDA0OD4h1BBgWCgAdBQJjW9KIAp4BApsMBRYCAwEABAsJCAcF\n" +
+            "FQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdiAgs0yZrQPkMs6eL+\n" +
+            "83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUTvP0BnFgEY1vSiBYJ\n" +
+            "KwYBBAHaRw8BAQdAvSYTD60t8vx10dSEBACUoIfVCpeOB30D6nfwJtbDT0YAAQCg\n" +
+            "nCsN9iX7s2TQd8NPggWs4QdhaFpb6olt3SlAvUy/wRBDiNUEGBYKAH0FAmNb0ogC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJ\n" +
+            "DmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0yUxa76cmSWe5fAQD2oLSEW1GOgIs6\n" +
+            "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
+            "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
+            "SlYD3FeJ3Qo=\n" +
+            "=TPAl\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    public static final String SIGNATURE_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lFgEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTQAAPwJN+Xmr0jjN7RA9jgqXnxC/rcWHmdp/j9NdEd7K2Wbxw/rtCBIYXJk\n" +
+            "eSBIYXJkd2FyZSA8aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9\n" +
+            "qfdqTxYhBAH9q2zgSlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJ\n" +
+            "CAsCmQEAAPk2AP922T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1M\n" +
+            "l9qqx6QGcaNKe8deMe3EhTant6mS9tqMHp2/3gmcXQRjW9KIEgorBgEEAZdVAQUB\n" +
+            "AQdAVXBLNvNmFh9KX6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgHAAD/fw9hnzeH\n" +
+            "VtBaHi6efXvnc4rdVj8zWk0LKo1clFd3bTAN+oh1BBgWCgAdBQJjW9KIAp4BApsM\n" +
+            "BRYCAwEABAsJCAcFFQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdi\n" +
+            "Ags0yZrQPkMs6eL+83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUT\n" +
+            "vP0BnEwEY1vSiBYJKwYBBAHaRw8BAQdAvSYTD60t8vx10dSEBACUoIfVCpeOB30D\n" +
+            "6nfwJtbDT0b/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PiNUEGBYKAH0FAmNb0ogC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJ\n" +
+            "DmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0yUxa76cmSWe5fAQD2oLSEW1GOgIs6\n" +
+            "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
+            "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
+            "SlYD3FeJ3Qo=\n" +
+            "=p8I9\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    @Test
+    public void testMoveAllKeysToCard() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ALL_KEYS_ON_CARD);
+
+        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.any(), cardSerial);
+
+        for (PGPSecretKey key : onCard) {
+            assertEquals(255, key.getS2KUsage());
+            S2K s2K = key.getS2K();
+            assertEquals(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD, s2K.getProtectionMode());
+        }
+
+        assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
+    }
+
+    @Test
+    public void testMovePrimaryKeyToCard() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(PRIMARY_KEY_ON_CARD);
+
+        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(primaryKeyId), cardSerial);
+
+        assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
+    }
+
+    @Test
+    public void testMoveEncryptionKeyToCard() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_KEY_ON_CARD);
+
+        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(encryptionKeyId), cardSerial);
+
+        assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
+    }
+
+    @Test
+    public void testMoveSigningKeyToCard() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(SIGNATURE_KEY_ON_CARD);
+
+        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(signatureKeyId), cardSerial);
+
+        assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
+    }
+}

From a8d2319d6374111fb7287be8f27dbc8490e52dcf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 16:48:49 +0200
Subject: [PATCH 0770/1450] Add documentation to GnuDummyKeyUtil

---
 .../key/gnu_dummy_s2k/GnuDummyKeyUtil.java    | 76 ++++++++++++++++---
 1 file changed, 66 insertions(+), 10 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
index a8de5aa3..f074fad2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
@@ -11,16 +11,26 @@ import org.bouncycastle.bcpg.SecretSubkeyPacket;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 
+import javax.annotation.Nonnull;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+/**
+ * This class can be used to remove private keys from secret keys.
+ */
 public final class GnuDummyKeyUtil {
 
     private GnuDummyKeyUtil() {
 
     }
 
+    /**
+     * Modify the given {@link PGPSecretKeyRing}.
+     *
+     * @param secretKeys secret keys
+     * @return builder
+     */
     public static Builder modify(PGPSecretKeyRing secretKeys) {
         return new Builder(secretKeys);
     }
@@ -33,19 +43,50 @@ public final class GnuDummyKeyUtil {
             this.keys = keys;
         }
 
+        /**
+         * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
+         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#NO_PRIVATE_KEY}.
+         *
+         * @param filter filter to select keys for removal
+         * @return modified key ring
+         */
         public PGPSecretKeyRing removePrivateKeys(KeyFilter filter) {
-            return doIt(GNUExtension.NO_PRIVATE_KEY, null, filter);
+            return replacePrivateKeys(GNUExtension.NO_PRIVATE_KEY, null, filter);
         }
 
+        /**
+         * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
+         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#DIVERT_TO_CARD}.
+         * This method will set the serial number of the card to 0x00000000000000000000000000000000.
+         *
+         * NOTE: This method does not actually move any keys to a card.
+         *
+         * @param filter filter to select keys for removal
+         * @return modified key ring
+         */
         public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter) {
             return divertPrivateKeysToCard(filter, new byte[16]);
         }
 
+        /**
+         * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
+         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#DIVERT_TO_CARD}.
+         * This method will include the card serial number into the encoded dummy key.
+         *
+         * NOTE: This method does not actually move any keys to a card.
+         * 
+         * @param filter filter to select keys for removal
+         * @param cardSerialNumber serial number of the card (at most 16 bytes long)
+         * @return modified key ring
+         */
         public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter, byte[] cardSerialNumber) {
-            return doIt(GNUExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
+            if (cardSerialNumber != null && cardSerialNumber.length > 16) {
+                throw new IllegalArgumentException("Card serial number length cannot exceed 16 bytes.");
+            }
+            return replacePrivateKeys(GNUExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
         }
 
-        private PGPSecretKeyRing doIt(GNUExtension extension, byte[] serial, KeyFilter filter) {
+        private PGPSecretKeyRing replacePrivateKeys(GNUExtension extension, byte[] serial, KeyFilter filter) {
             byte[] encodedSerial = serial != null ? encodeSerial(serial) : null;
             S2K s2k = extensionToS2K(extension);
 
@@ -71,21 +112,19 @@ public final class GnuDummyKeyUtil {
                 }
             }
 
-            PGPSecretKeyRing gnuDummyKey = new PGPSecretKeyRing(secretKeyList);
-            return gnuDummyKey;
+            return new PGPSecretKeyRing(secretKeyList);
         }
 
-        private byte[] encodeSerial(byte[] serial) {
+        private byte[] encodeSerial(@Nonnull byte[] serial) {
             byte[] encoded = new byte[serial.length + 1];
-            encoded[0] = 0x10;
+            encoded[0] = (byte) (serial.length & 0xff);
             System.arraycopy(serial, 0, encoded, 1, serial.length);
             return encoded;
         }
 
-        private S2K extensionToS2K(GNUExtension extension) {
-            S2K s2k = S2K.gnuDummyS2K(extension == GNUExtension.DIVERT_TO_CARD ?
+        private S2K extensionToS2K(@Nonnull GNUExtension extension) {
+            return S2K.gnuDummyS2K(extension == GNUExtension.DIVERT_TO_CARD ?
                     S2K.GNUDummyParams.divertToCard() : S2K.GNUDummyParams.noPrivateKey());
-            return s2k;
         }
     }
 
@@ -99,15 +138,32 @@ public final class GnuDummyKeyUtil {
          */
         boolean filter(long keyId);
 
+        /**
+         * Select any key.
+         * @return filter
+         */
         static KeyFilter any() {
             return keyId -> true;
         }
 
+        /**
+         * Select only the given keyId.
+         *
+         * @param onlyKeyId only acceptable key id
+         * @return filter
+         */
         static KeyFilter only(long onlyKeyId) {
             return keyId -> keyId == onlyKeyId;
         }
 
+        /**
+         * Select all keyIds which are contained in the given set of ids.
+         *
+         * @param ids set of acceptable keyIds
+         * @return filter
+         */
         static KeyFilter selected(Collection ids) {
+            // noinspection Convert2MethodRef
             return keyId -> ids.contains(keyId);
         }
     }

From 033beaa8f2ae1c16e552cd8d2004fff27307a86b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 28 Oct 2022 17:05:56 +0200
Subject: [PATCH 0771/1450] Use S2K usage SHA1 in GnuDummyKeyUtil

---
 .../key/gnu_dummy_s2k/GNUExtension.java       |  7 ++++++
 .../key/gnu_dummy_s2k/GnuDummyKeyUtil.java    |  6 ++---
 .../gnu_dummy_s2k/GnuDummyKeyUtilTest.java    | 23 ++++++++++---------
 3 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
index ff42ef6e..e829bd7b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
@@ -8,7 +8,14 @@ import org.bouncycastle.bcpg.S2K;
 
 public enum GNUExtension {
 
+    /**
+     * Do not store the secret part at all.
+     */
     NO_PRIVATE_KEY(S2K.GNU_PROTECTION_MODE_NO_PRIVATE_KEY),
+
+    /**
+     * A stub to access smartcards.
+     */
     DIVERT_TO_CARD(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD),
     ;
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
index f074fad2..7817a676 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
@@ -74,7 +74,7 @@ public final class GnuDummyKeyUtil {
          * This method will include the card serial number into the encoded dummy key.
          *
          * NOTE: This method does not actually move any keys to a card.
-         * 
+         *
          * @param filter filter to select keys for removal
          * @param cardSerialNumber serial number of the card (at most 16 bytes long)
          * @return modified key ring
@@ -101,12 +101,12 @@ public final class GnuDummyKeyUtil {
                 PublicKeyPacket publicKeyPacket = secretKey.getPublicKey().getPublicKeyPacket();
                 if (secretKey.isMasterKey()) {
                     SecretKeyPacket keyPacket = new SecretKeyPacket(publicKeyPacket,
-                            0, 255, s2k, null, encodedSerial);
+                            0, SecretKeyPacket.USAGE_SHA1, s2k, null, encodedSerial);
                     PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey());
                     secretKeyList.add(onCard);
                 } else {
                     SecretSubkeyPacket keyPacket = new SecretSubkeyPacket(publicKeyPacket,
-                            0, 255, s2k, null, encodedSerial);
+                            0, SecretKeyPacket.USAGE_SHA1, s2k, null, encodedSerial);
                     PGPSecretKey onCard = new PGPSecretKey(keyPacket, secretKey.getPublicKey());
                     secretKeyList.add(onCard);
                 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
index 0b19c551..99966903 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
@@ -5,6 +5,7 @@
 package org.pgpainless.key.gnu_dummy_s2k;
 
 import org.bouncycastle.bcpg.S2K;
+import org.bouncycastle.bcpg.SecretKeyPacket;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
@@ -54,22 +55,22 @@ public class GnuDummyKeyUtilTest {
             "Comment: Hardy Hardware \n" +
             "\n" +
             "lEwEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
-            "eBwCeTT/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
+            "eBwCeTT+AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
             "aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9qfdqTxYhBAH9q2zg\n" +
             "SlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAPk2AP92\n" +
             "2T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1Ml9qqx6QGcaNKe8de\n" +
             "Me3EhTant6mS9tqMHp2/3gmcUQRjW9KIEgorBgEEAZdVAQUBAQdAVXBLNvNmFh9K\n" +
-            "X6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/wBlAEdOVQIQAAECAwQFBgcICQoL\n" +
+            "X6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/gBlAEdOVQIQAAECAwQFBgcICQoL\n" +
             "DA0OD4h1BBgWCgAdBQJjW9KIAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQwxLJ\n" +
             "fan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdiAgs0yZrQPkMs6eL+83te770A/jG0DeJy\n" +
             "+88fOfWTj+mixO98PZPnQ0MybWC/1QUTvP0BnEwEY1vSiBYJKwYBBAHaRw8BAQdA\n" +
-            "vSYTD60t8vx10dSEBACUoIfVCpeOB30D6nfwJtbDT0b/AGUAR05VAhAAAQIDBAUG\n" +
+            "vSYTD60t8vx10dSEBACUoIfVCpeOB30D6nfwJtbDT0b+AGUAR05VAhAAAQIDBAUG\n" +
             "BwgJCgsMDQ4PiNUEGBYKAH0FAmNb0ogCngECmwIFFgIDAQAECwkIBwUVCgkIC18g\n" +
             "BBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJDmMBAKqsGfRFQxJXyPgugWBgEaO5lt9f\n" +
             "MM0yUxa76cmSWe5fAQD2oLSEW1GOgIs64+Z3gvtXopmeupT09HhI7ger98zDAwAK\n" +
             "CRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhYImk/xheqPy07K4qo3T1pGKUvUqjWQQEA\n" +
             "hE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5bSlYD3FeJ3Qo=\n" +
-            "=wsFa\n" +
+            "=rYoa\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
     public static final String PRIMARY_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -78,7 +79,7 @@ public class GnuDummyKeyUtilTest {
             "Comment: Hardy Hardware \n" +
             "\n" +
             "lEwEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
-            "eBwCeTT/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
+            "eBwCeTT+AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PtCBIYXJkeSBIYXJkd2FyZSA8\n" +
             "aGFyZHlAaGFyZC53YXJlPoiPBBMWCgBBBQJjW9KICRDDEsl9qfdqTxYhBAH9q2zg\n" +
             "SlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAPk2AP92\n" +
             "2T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1Ml9qqx6QGcaNKe8de\n" +
@@ -94,7 +95,7 @@ public class GnuDummyKeyUtilTest {
             "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
             "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
             "SlYD3FeJ3Qo=\n" +
-            "=s+B1\n" +
+            "=zQLi\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
     public static final String ENCRYPTION_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -108,7 +109,7 @@ public class GnuDummyKeyUtilTest {
             "qfdqTxYhBAH9q2zgSlB4ef5KGMMSyX2p92pPAp4BApsBBRYCAwEABAsJCAcFFQoJ\n" +
             "CAsCmQEAAPk2AP922T5TQ7hukFlpxX3ThMhieJnECGY5Eqt5U0/vEY1XdgD/eE1M\n" +
             "l9qqx6QGcaNKe8deMe3EhTant6mS9tqMHp2/3gmcUQRjW9KIEgorBgEEAZdVAQUB\n" +
-            "AQdAVXBLNvNmFh9KX6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/wBlAEdOVQIQ\n" +
+            "AQdAVXBLNvNmFh9KX6iLmdNJM28Zc9PGnzEoAD9+T4p0lDwDAQgH/gBlAEdOVQIQ\n" +
             "AAECAwQFBgcICQoLDA0OD4h1BBgWCgAdBQJjW9KIAp4BApsMBRYCAwEABAsJCAcF\n" +
             "FQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdiAgs0yZrQPkMs6eL+\n" +
             "83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUTvP0BnFgEY1vSiBYJ\n" +
@@ -119,7 +120,7 @@ public class GnuDummyKeyUtilTest {
             "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
             "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
             "SlYD3FeJ3Qo=\n" +
-            "=TPAl\n" +
+            "=7OZu\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
     public static final String SIGNATURE_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -138,13 +139,13 @@ public class GnuDummyKeyUtilTest {
             "BRYCAwEABAsJCAcFFQoJCAsACgkQwxLJfan3ak/JyQD9GBj0vjtYZAf5Fi0eEKdi\n" +
             "Ags0yZrQPkMs6eL+83te770A/jG0DeJy+88fOfWTj+mixO98PZPnQ0MybWC/1QUT\n" +
             "vP0BnEwEY1vSiBYJKwYBBAHaRw8BAQdAvSYTD60t8vx10dSEBACUoIfVCpeOB30D\n" +
-            "6nfwJtbDT0b/AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PiNUEGBYKAH0FAmNb0ogC\n" +
+            "6nfwJtbDT0b+AGUAR05VAhAAAQIDBAUGBwgJCgsMDQ4PiNUEGBYKAH0FAmNb0ogC\n" +
             "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjW9KIAAoJEJQCL6VtwFtJ\n" +
             "DmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0yUxa76cmSWe5fAQD2oLSEW1GOgIs6\n" +
             "4+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDDEsl9qfdqTwR6AP9Xftw8xZ7/MWhY\n" +
             "Imk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r0oTcJn+KVCwGjF6AYiLOzO/R1x5b\n" +
             "SlYD3FeJ3Qo=\n" +
-            "=p8I9\n" +
+            "=GpEw\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
     @Test
@@ -156,7 +157,7 @@ public class GnuDummyKeyUtilTest {
                 .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.any(), cardSerial);
 
         for (PGPSecretKey key : onCard) {
-            assertEquals(255, key.getS2KUsage());
+            assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage());
             S2K s2K = key.getS2K();
             assertEquals(S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD, s2K.getProtectionMode());
         }

From 3af6ab1b85b7f8cd554fcb6e848e205b3038d3a2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 29 Oct 2022 14:09:41 +0200
Subject: [PATCH 0772/1450] Rename GnuPGDummyExtension + GnuPGDummyKeyUtil

---
 ...xtension.java => GnuPGDummyExtension.java} |  4 +--
 ...mmyKeyUtil.java => GnuPGDummyKeyUtil.java} | 31 ++++++++++++-------
 .../HardwareSecurityTest.java                 | 10 +++---
 ...ilTest.java => GnuPGDummyKeyUtilTest.java} | 18 +++++------
 4 files changed, 36 insertions(+), 27 deletions(-)
 rename pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/{GNUExtension.java => GnuPGDummyExtension.java} (88%)
 rename pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/{GnuDummyKeyUtil.java => GnuPGDummyKeyUtil.java} (81%)
 rename pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/{GnuDummyKeyUtilTest.java => GnuPGDummyKeyUtilTest.java} (93%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java
similarity index 88%
rename from pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
rename to pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java
index e829bd7b..9f75bf7e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GNUExtension.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java
@@ -6,7 +6,7 @@ package org.pgpainless.key.gnu_dummy_s2k;
 
 import org.bouncycastle.bcpg.S2K;
 
-public enum GNUExtension {
+public enum GnuPGDummyExtension {
 
     /**
      * Do not store the secret part at all.
@@ -21,7 +21,7 @@ public enum GNUExtension {
 
     private final int id;
 
-    GNUExtension(int id) {
+    GnuPGDummyExtension(int id) {
         this.id = id;
     }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
similarity index 81%
rename from pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
rename to pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
index 7817a676..3a913894 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
@@ -17,11 +17,15 @@ import java.util.Collection;
 import java.util.List;
 
 /**
- * This class can be used to remove private keys from secret keys.
+ * This class can be used to remove private keys from secret software-keys by replacing them with
+ * stub secret keys in the style of GnuPGs proprietary extensions.
+ *
+ * @see 
+ *     GnuPGs doc/DETAILS - GNU extensions to the S2K algorithm
  */
-public final class GnuDummyKeyUtil {
+public final class GnuPGDummyKeyUtil {
 
-    private GnuDummyKeyUtil() {
+    private GnuPGDummyKeyUtil() {
 
     }
 
@@ -45,18 +49,18 @@ public final class GnuDummyKeyUtil {
 
         /**
          * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
-         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#NO_PRIVATE_KEY}.
+         * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#NO_PRIVATE_KEY}.
          *
          * @param filter filter to select keys for removal
          * @return modified key ring
          */
         public PGPSecretKeyRing removePrivateKeys(KeyFilter filter) {
-            return replacePrivateKeys(GNUExtension.NO_PRIVATE_KEY, null, filter);
+            return replacePrivateKeys(GnuPGDummyExtension.NO_PRIVATE_KEY, null, filter);
         }
 
         /**
          * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
-         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#DIVERT_TO_CARD}.
+         * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}.
          * This method will set the serial number of the card to 0x00000000000000000000000000000000.
          *
          * NOTE: This method does not actually move any keys to a card.
@@ -70,7 +74,7 @@ public final class GnuDummyKeyUtil {
 
         /**
          * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
-         * GNU_DUMMY keys with S2K protection mode {@link GNUExtension#DIVERT_TO_CARD}.
+         * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}.
          * This method will include the card serial number into the encoded dummy key.
          *
          * NOTE: This method does not actually move any keys to a card.
@@ -83,10 +87,10 @@ public final class GnuDummyKeyUtil {
             if (cardSerialNumber != null && cardSerialNumber.length > 16) {
                 throw new IllegalArgumentException("Card serial number length cannot exceed 16 bytes.");
             }
-            return replacePrivateKeys(GNUExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
+            return replacePrivateKeys(GnuPGDummyExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
         }
 
-        private PGPSecretKeyRing replacePrivateKeys(GNUExtension extension, byte[] serial, KeyFilter filter) {
+        private PGPSecretKeyRing replacePrivateKeys(GnuPGDummyExtension extension, byte[] serial, KeyFilter filter) {
             byte[] encodedSerial = serial != null ? encodeSerial(serial) : null;
             S2K s2k = extensionToS2K(extension);
 
@@ -122,12 +126,16 @@ public final class GnuDummyKeyUtil {
             return encoded;
         }
 
-        private S2K extensionToS2K(@Nonnull GNUExtension extension) {
-            return S2K.gnuDummyS2K(extension == GNUExtension.DIVERT_TO_CARD ?
+        private S2K extensionToS2K(@Nonnull GnuPGDummyExtension extension) {
+            return S2K.gnuDummyS2K(extension == GnuPGDummyExtension.DIVERT_TO_CARD ?
                     S2K.GNUDummyParams.divertToCard() : S2K.GNUDummyParams.noPrivateKey());
         }
     }
 
+    /**
+     * Filter for selecting keys.
+     */
+    @FunctionalInterface
     public interface KeyFilter {
 
         /**
@@ -140,6 +148,7 @@ public final class GnuDummyKeyUtil {
 
         /**
          * Select any key.
+         *
          * @return filter
          */
         static KeyFilter any() {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
index f1606cec..a2160edf 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
@@ -17,7 +17,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.gnu_dummy_s2k.GnuDummyKeyUtil;
+import org.pgpainless.key.gnu_dummy_s2k.GnuPGDummyKeyUtil;
 import org.pgpainless.key.util.KeyIdUtil;
 
 public class HardwareSecurityTest {
@@ -53,8 +53,8 @@ public class HardwareSecurityTest {
         assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
         long encryptionKeyId = KeyIdUtil.fromLongKeyId("0AAD8F5891262F50");
 
-        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(encryptionKeyId));
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId));
 
         Set hardwareBackedKeys = HardwareSecurity
                 .getIdsOfHardwareBackedKeys(withHardwareBackedEncryptionKey);
@@ -67,8 +67,8 @@ public class HardwareSecurityTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
         assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
 
-        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.any());
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any());
         Set expected = new HashSet<>();
         for (PGPSecretKey key : secretKeys) {
             expected.add(new SubkeyIdentifier(secretKeys, key.getKeyID()));
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
similarity index 93%
rename from pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
index 99966903..1fc3b892 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuDummyKeyUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
@@ -17,7 +17,7 @@ import java.io.IOException;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-public class GnuDummyKeyUtilTest {
+public class GnuPGDummyKeyUtilTest {
     // normal, non-hw-backed key
     private static final String FULL_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +
@@ -153,8 +153,8 @@ public class GnuDummyKeyUtilTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
         PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ALL_KEYS_ON_CARD);
 
-        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.any(), cardSerial);
+        PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any(), cardSerial);
 
         for (PGPSecretKey key : onCard) {
             assertEquals(SecretKeyPacket.USAGE_SHA1, key.getS2KUsage());
@@ -170,8 +170,8 @@ public class GnuDummyKeyUtilTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
         PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(PRIMARY_KEY_ON_CARD);
 
-        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(primaryKeyId), cardSerial);
+        PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(primaryKeyId), cardSerial);
 
         assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
     }
@@ -181,8 +181,8 @@ public class GnuDummyKeyUtilTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
         PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_KEY_ON_CARD);
 
-        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(encryptionKeyId), cardSerial);
+        PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId), cardSerial);
 
         assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
     }
@@ -192,8 +192,8 @@ public class GnuDummyKeyUtilTest {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
         PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(SIGNATURE_KEY_ON_CARD);
 
-        PGPSecretKeyRing onCard = GnuDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuDummyKeyUtil.KeyFilter.only(signatureKeyId), cardSerial);
+        PGPSecretKeyRing onCard = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(signatureKeyId), cardSerial);
 
         assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
     }

From df4fc94ce715ea63278d2379df0e75c07f75c627 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 29 Oct 2022 14:51:39 +0200
Subject: [PATCH 0773/1450] Add test for decryption with removed private key

---
 .../HardwareSecurity.java                     | 31 -------
 .../key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java  | 30 +++++++
 .../HardwareSecurityTest.java                 | 82 -------------------
 ...DecryptWithUnavailableGnuDummyKeyTest.java | 52 ++++++++++++
 .../gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java  | 77 +++++++++++++++++
 5 files changed, 159 insertions(+), 113 deletions(-)
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index 6d9719dd..daf902d4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -4,18 +4,12 @@
 
 package org.pgpainless.decryption_verification;
 
-import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
 import org.pgpainless.key.SubkeyIdentifier;
 
-import java.util.HashSet;
-import java.util.Set;
-
 /**
  * Enable integration of hardware-backed OpenPGP keys.
  */
@@ -41,31 +35,6 @@ public class HardwareSecurity {
 
     }
 
-    /**
-     * Return the key-ids of all keys which appear to be stored on a hardware token / smartcard.
-     *
-     * @param secretKeys secret keys
-     * @return set of keys with S2K type DIVERT_TO_CARD or GNU_DUMMY_S2K
-     */
-    public static Set getIdsOfHardwareBackedKeys(PGPSecretKeyRing secretKeys) {
-        Set hardwareBackedKeys = new HashSet<>();
-        for (PGPSecretKey secretKey : secretKeys) {
-            S2K s2K = secretKey.getS2K();
-            if (s2K == null) {
-                continue;
-            }
-
-            int type = s2K.getType();
-            int mode = s2K.getProtectionMode();
-            // TODO: Is GNU_DUMMY_S2K appropriate?
-            if (type == S2K.GNU_DUMMY_S2K && mode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) {
-                SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyID());
-                hardwareBackedKeys.add(hardwareBackedKey);
-            }
-        }
-        return hardwareBackedKeys;
-    }
-
     /**
      * Implementation of {@link PublicKeyDataDecryptorFactory} which delegates decryption of encrypted session keys
      * to a {@link DecryptionCallback}.
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
index 3a913894..64c7ed26 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
@@ -10,11 +10,14 @@ import org.bouncycastle.bcpg.SecretKeyPacket;
 import org.bouncycastle.bcpg.SecretSubkeyPacket;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.pgpainless.key.SubkeyIdentifier;
 
 import javax.annotation.Nonnull;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 /**
  * This class can be used to remove private keys from secret software-keys by replacing them with
@@ -29,6 +32,33 @@ public final class GnuPGDummyKeyUtil {
 
     }
 
+    /**
+     * Return the key-ids of all keys which appear to be stored on a hardware token / smartcard by GnuPG.
+     * Note, that this functionality is based on GnuPGs proprietary S2K extensions, which are not strictly required
+     * for dealing with hardware-backed keys.
+     *
+     * @param secretKeys secret keys
+     * @return set of keys with S2K type GNU_DUMMY_S2K and protection mode DIVERT_TO_CARD
+     */
+    public static Set getIdsOfKeysWithGnuPGS2KDivertedToCard(PGPSecretKeyRing secretKeys) {
+        Set hardwareBackedKeys = new HashSet<>();
+        for (PGPSecretKey secretKey : secretKeys) {
+            S2K s2K = secretKey.getS2K();
+            if (s2K == null) {
+                continue;
+            }
+
+            int type = s2K.getType();
+            int mode = s2K.getProtectionMode();
+            // TODO: Is GNU_DUMMY_S2K appropriate?
+            if (type == S2K.GNU_DUMMY_S2K && mode == S2K.GNU_PROTECTION_MODE_DIVERT_TO_CARD) {
+                SubkeyIdentifier hardwareBackedKey = new SubkeyIdentifier(secretKeys, secretKey.getKeyID());
+                hardwareBackedKeys.add(hardwareBackedKey);
+            }
+        }
+        return hardwareBackedKeys;
+    }
+
     /**
      * Modify the given {@link PGPSecretKeyRing}.
      *
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
deleted file mode 100644
index a2160edf..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/HardwareSecurityTest.java
+++ /dev/null
@@ -1,82 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.io.IOException;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.gnu_dummy_s2k.GnuPGDummyKeyUtil;
-import org.pgpainless.key.util.KeyIdUtil;
-
-public class HardwareSecurityTest {
-
-    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-            "Version: PGPainless\n" +
-            "Comment: DE2E 9AB2 6650 8191 53E7  D599 C176 507F 2B5D 43B3\n" +
-            "Comment: Alice \n" +
-            "\n" +
-            "lFgEY1vjgRYJKwYBBAHaRw8BAQdAXjLoPTOIOdvlFT2Nt3rcvLTVx5ujPBGghZ5S\n" +
-            "D5tEnyoAAP0fAUJTiPrxZYdzs6MP0KFo+Nmr/wb1PJHTkzmYpt4wkRKBtBxBbGlj\n" +
-            "ZSA8YWxpY2VAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmNb44EJEMF2UH8rXUOz\n" +
-            "FiEE3i6asmZQgZFT59WZwXZQfytdQ7MCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
-            "AQAAHLYA/AgW+YrpU+UqrwX2dhY6RAfgHTTMU89RHjaTHJx8pLrBAP4gthGof00a\n" +
-            "XEjwTWteDOO049SIp2AUfj9deJqtrQcHD5xdBGNb44ESCisGAQQBl1UBBQEBB0DN\n" +
-            "vUT3awa3YLmwf41LRpPrm7B87AOHfYIP8S9QJ4GDJgMBCAcAAP9bwlSaF+lti8JY\n" +
-            "qKFO3qt3ZYQMu1l/LRBle89ZB4zD+BDOiHUEGBYKAB0FAmNb44ECngECmwwFFgID\n" +
-            "AQAECwkIBwUVCgkICwAKCRDBdlB/K11Ds/TsAP9kvpUrCWnrWGq+a9n1CqEfCMX5\n" +
-            "cT+qzrwNf+J0L22KowD+M9SVO0qssiAqutLE9h9dGYLbEiFvsHzK3WSnjKYbIgac\n" +
-            "WARjW+OBFgkrBgEEAdpHDwEBB0BCPh8M5TnXSmG6Ygwp4j5RR4u3hmxl8CYjX4h/\n" +
-            "XtvvNwAA/RP04coSrLHVI6vUfbJk4MhWYeyhJBRYY0vGp7yq+wVtEpKI1QQYFgoA\n" +
-            "fQUCY1vjgQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNb44EACgkQ\n" +
-            "mlozJSF7rXQW+AD/TA3YBxTd+YbBSwfgqzWNbfT9BBcFrdn3uPCsbvfmqXoA/3oj\n" +
-            "oupkgoaXesrGxn2k9hW9/GBXSvNcgY2txZ6/oYoIAAoJEMF2UH8rXUOziZ4A/0Xl\n" +
-            "xSZJWmkRpBh5AO8Cnqosz6j947IYAxS16ay+sIOHAP9aN9CUNJIIdHnHdFHO4GZz\n" +
-            "ejjknn4wt8NVJP97JxlnBQ==\n" +
-            "=qSQb\n" +
-            "-----END PGP PRIVATE KEY BLOCK-----";
-
-    @Test
-    public void testGetSingleIdOfHardwareBackedKey() throws IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
-        long encryptionKeyId = KeyIdUtil.fromLongKeyId("0AAD8F5891262F50");
-
-        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId));
-
-        Set hardwareBackedKeys = HardwareSecurity
-                .getIdsOfHardwareBackedKeys(withHardwareBackedEncryptionKey);
-        assertEquals(Collections.singleton(new SubkeyIdentifier(secretKeys, encryptionKeyId)), hardwareBackedKeys);
-    }
-
-
-    @Test
-    public void testGetIdsOfFullyHardwareBackedKey() throws IOException {
-        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
-        assertTrue(HardwareSecurity.getIdsOfHardwareBackedKeys(secretKeys).isEmpty());
-
-        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
-                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any());
-        Set expected = new HashSet<>();
-        for (PGPSecretKey key : secretKeys) {
-            expected.add(new SubkeyIdentifier(secretKeys, key.getKeyID()));
-        }
-
-        Set hardwareBackedKeys = HardwareSecurity
-                .getIdsOfHardwareBackedKeys(withHardwareBackedEncryptionKey);
-
-        assertEquals(expected, hardwareBackedKeys);
-    }
-}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
new file mode 100644
index 00000000..79fa7a8e
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
@@ -0,0 +1,52 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.encryption_signing.EncryptionOptions;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.key.gnu_dummy_s2k.GnuPGDummyKeyUtil;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TryDecryptWithUnavailableGnuDummyKeyTest {
+
+    @Test
+    public void testAttemptToDecryptWithRemovedPrivateKeysThrows()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
+                .modernKeyRing("Hardy Hardware ");
+        PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
+
+        ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertextOut)
+                .withOptions(
+                        ProducerOptions.encrypt(EncryptionOptions.get().addRecipient(certificate)));
+        ByteArrayInputStream plaintextIn = new ByteArrayInputStream("Hello, World!\n".getBytes());
+        Streams.pipeAll(plaintextIn, encryptionStream);
+        encryptionStream.close();
+
+        PGPSecretKeyRing removedKeys = GnuPGDummyKeyUtil.modify(secretKeys)
+                .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any());
+
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray());
+        assertThrows(PGPException.class, () -> PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(ConsumerOptions.get().addDecryptionKey(removedKeys)));
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
index 1fc3b892..e175e27f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
@@ -10,12 +10,17 @@ import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
+import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.util.KeyIdUtil;
 
 import java.io.IOException;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class GnuPGDummyKeyUtilTest {
     // normal, non-hw-backed key
@@ -73,6 +78,29 @@ public class GnuPGDummyKeyUtilTest {
             "=rYoa\n" +
             "-----END PGP PRIVATE KEY BLOCK-----";
 
+    public static final String ALL_KEYS_REMOVED = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
+            "Comment: Hardy Hardware \n" +
+            "\n" +
+            "lDsEY1vSiBYJKwYBBAHaRw8BAQdAQ58lZn/HOtg+1b1KS18odyQ6M4LaDdbJAyRf\n" +
+            "eBwCeTT+AGUAR05VAbQgSGFyZHkgSGFyZHdhcmUgPGhhcmR5QGhhcmQud2FyZT6I\n" +
+            "jwQTFgoAQQUCY1vSiAkQwxLJfan3ak8WIQQB/ats4EpQeHn+ShjDEsl9qfdqTwKe\n" +
+            "AQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAD5NgD/dtk+U0O4bpBZacV904TIYniZ\n" +
+            "xAhmORKreVNP7xGNV3YA/3hNTJfaqsekBnGjSnvHXjHtxIU2p7epkvbajB6dv94J\n" +
+            "nEAEY1vSiBIKKwYBBAGXVQEFAQEHQFVwSzbzZhYfSl+oi5nTSTNvGXPTxp8xKAA/\n" +
+            "fk+KdJQ8AwEIB/4AZQBHTlUBiHUEGBYKAB0FAmNb0ogCngECmwwFFgIDAQAECwkI\n" +
+            "BwUVCgkICwAKCRDDEsl9qfdqT8nJAP0YGPS+O1hkB/kWLR4Qp2ICCzTJmtA+Qyzp\n" +
+            "4v7ze17vvQD+MbQN4nL7zx859ZOP6aLE73w9k+dDQzJtYL/VBRO8/QGcOwRjW9KI\n" +
+            "FgkrBgEEAdpHDwEBB0C9JhMPrS3y/HXR1IQEAJSgh9UKl44HfQPqd/Am1sNPRv4A\n" +
+            "ZQBHTlUBiNUEGBYKAH0FAmNb0ogCngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkW\n" +
+            "CgAGBQJjW9KIAAoJEJQCL6VtwFtJDmMBAKqsGfRFQxJXyPgugWBgEaO5lt9fMM0y\n" +
+            "Uxa76cmSWe5fAQD2oLSEW1GOgIs64+Z3gvtXopmeupT09HhI7ger98zDAwAKCRDD\n" +
+            "Esl9qfdqTwR6AP9Xftw8xZ7/MWhYImk/xheqPy07K4qo3T1pGKUvUqjWQQEAhE3r\n" +
+            "0oTcJn+KVCwGjF6AYiLOzO/R1x5bSlYD3FeJ3Qo=\n" +
+            "=GEN/\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
     public static final String PRIMARY_KEY_ON_CARD = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Version: PGPainless\n" +
             "Comment: 01FD AB6C E04A 5078 79FE  4A18 C312 C97D A9F7 6A4F\n" +
@@ -197,4 +225,53 @@ public class GnuPGDummyKeyUtilTest {
 
         assertArrayEquals(expected.getEncoded(), onCard.getEncoded());
     }
+
+    @Test
+    public void testRemoveAllKeys() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        PGPSecretKeyRing expected = PGPainless.readKeyRing().secretKeyRing(ALL_KEYS_REMOVED);
+
+        PGPSecretKeyRing removedSecretKeys = GnuPGDummyKeyUtil.modify(secretKeys)
+                .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any());
+
+        for (PGPSecretKey key : removedSecretKeys) {
+            assertEquals(key.getS2KUsage(), SecretKeyPacket.USAGE_SHA1);
+            S2K s2k = key.getS2K();
+            assertEquals(GnuPGDummyExtension.NO_PRIVATE_KEY.getId(), s2k.getProtectionMode());
+        }
+
+        assertArrayEquals(expected.getEncoded(), removedSecretKeys.getEncoded());
+    }
+
+    @Test
+    public void testGetSingleIdOfHardwareBackedKey() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys).isEmpty());
+
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.only(encryptionKeyId));
+
+        Set hardwareBackedKeys = GnuPGDummyKeyUtil
+                .getIdsOfKeysWithGnuPGS2KDivertedToCard(withHardwareBackedEncryptionKey);
+        assertEquals(Collections.singleton(new SubkeyIdentifier(secretKeys, encryptionKeyId)), hardwareBackedKeys);
+    }
+
+
+    @Test
+    public void testGetIdsOfFullyHardwareBackedKey() throws IOException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(FULL_KEY);
+        assertTrue(GnuPGDummyKeyUtil.getIdsOfKeysWithGnuPGS2KDivertedToCard(secretKeys).isEmpty());
+
+        PGPSecretKeyRing withHardwareBackedEncryptionKey = GnuPGDummyKeyUtil.modify(secretKeys)
+                .divertPrivateKeysToCard(GnuPGDummyKeyUtil.KeyFilter.any());
+        Set expected = new HashSet<>();
+        for (PGPSecretKey key : secretKeys) {
+            expected.add(new SubkeyIdentifier(secretKeys, key.getKeyID()));
+        }
+
+        Set hardwareBackedKeys = GnuPGDummyKeyUtil
+                .getIdsOfKeysWithGnuPGS2KDivertedToCard(withHardwareBackedEncryptionKey);
+
+        assertEquals(expected, hardwareBackedKeys);
+    }
 }

From 58aa9f571201e9df55d532e830287a26203899f6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 29 Oct 2022 14:58:18 +0200
Subject: [PATCH 0774/1450] Move classes related to GNU dummy keys to gnupg
 package

---
 .../key/gnu_dummy_s2k => gnupg}/GnuPGDummyExtension.java      | 2 +-
 .../key/gnu_dummy_s2k => gnupg}/GnuPGDummyKeyUtil.java        | 2 +-
 .../{pgpainless/key/gnu_dummy_s2k => gnupg}/package-info.java | 2 +-
 .../key/gnu_dummy_s2k => gnupg}/GnuPGDummyKeyUtilTest.java    | 4 +++-
 .../TryDecryptWithUnavailableGnuDummyKeyTest.java             | 2 +-
 5 files changed, 7 insertions(+), 5 deletions(-)
 rename pgpainless-core/src/main/java/org/{pgpainless/key/gnu_dummy_s2k => gnupg}/GnuPGDummyExtension.java (93%)
 rename pgpainless-core/src/main/java/org/{pgpainless/key/gnu_dummy_s2k => gnupg}/GnuPGDummyKeyUtil.java (99%)
 rename pgpainless-core/src/main/java/org/{pgpainless/key/gnu_dummy_s2k => gnupg}/package-info.java (81%)
 rename pgpainless-core/src/test/java/org/{pgpainless/key/gnu_dummy_s2k => gnupg}/GnuPGDummyKeyUtilTest.java (99%)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java
similarity index 93%
rename from pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java
rename to pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java
index 9f75bf7e..d744e222 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyExtension.java
+++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyExtension.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.key.gnu_dummy_s2k;
+package org.gnupg;
 
 import org.bouncycastle.bcpg.S2K;
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
similarity index 99%
rename from pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
rename to pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
index 64c7ed26..983d8e68 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.key.gnu_dummy_s2k;
+package org.gnupg;
 
 import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.S2K;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java b/pgpainless-core/src/main/java/org/gnupg/package-info.java
similarity index 81%
rename from pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java
rename to pgpainless-core/src/main/java/org/gnupg/package-info.java
index 5c2a727e..03268619 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/gnu_dummy_s2k/package-info.java
+++ b/pgpainless-core/src/main/java/org/gnupg/package-info.java
@@ -5,4 +5,4 @@
 /**
  * Utility classes related to creating keys with GNU DUMMY S2K values.
  */
-package org.pgpainless.key.gnu_dummy_s2k;
+package org.gnupg;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
similarity index 99%
rename from pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
rename to pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
index e175e27f..b9562f60 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/gnu_dummy_s2k/GnuPGDummyKeyUtilTest.java
+++ b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
@@ -2,12 +2,14 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.pgpainless.key.gnu_dummy_s2k;
+package org.gnupg;
 
 import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SecretKeyPacket;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.gnupg.GnuPGDummyExtension;
+import org.gnupg.GnuPGDummyKeyUtil;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.key.SubkeyIdentifier;
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
index 79fa7a8e..419c529d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
@@ -13,7 +13,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
-import org.pgpainless.key.gnu_dummy_s2k.GnuPGDummyKeyUtil;
+import org.gnupg.GnuPGDummyKeyUtil;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;

From 58195c19b139f3fcd34693b0e7053529e8f59d17 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 29 Oct 2022 15:12:12 +0200
Subject: [PATCH 0775/1450] Properly handle failed decryption caused by removed
 private keys

---
 .../OpenPgpMessageInputStream.java            | 25 +++++++++++++++++++
 .../java/org/gnupg/GnuPGDummyKeyUtilTest.java | 24 ++++++++----------
 ...DecryptWithUnavailableGnuDummyKeyTest.java |  3 ++-
 3 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 1b11744c..a509cde2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -18,6 +18,7 @@ import javax.annotation.Nonnull;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.BCPGInputStream;
+import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
 import org.bouncycastle.openpgp.PGPCompressedData;
 import org.bouncycastle.openpgp.PGPEncryptedData;
@@ -507,6 +508,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
             PGPSecretKey secretKey = decryptionKeys.getSecretKey(keyId);
             SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
+            S2K s2K = secretKey.getS2K();
+            if (s2K != null) {
+                int s2kType = s2K.getType();
+                if (s2kType >= 100 && s2kType <= 110) {
+                    LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
+                    continue;
+                }
+            }
             LOGGER.debug("Attempt decryption using secret key " + decryptionKeyId);
 
             SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeys);
@@ -532,6 +541,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 PGPSecretKeyRing decryptionKeys = decryptionKeyCandidate.getA();
                 PGPSecretKey secretKey = decryptionKeyCandidate.getB();
                 SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
+                S2K s2K = secretKey.getS2K();
+                if (s2K != null) {
+                    int s2kType = s2K.getType();
+                    if (s2kType >= 100 && s2kType <= 110) {
+                        LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
+                        continue;
+                    }
+                }
                 LOGGER.debug("Attempt decryption of anonymous PKESK with key " + decryptionKeyId);
                 SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
                 if (!protector.hasPassphraseFor(secretKey.getKeyID())) {
@@ -567,6 +584,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     long keyId = secretKey.getKeyID();
                     PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
                     SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
+                    S2K s2K = secretKey.getS2K();
+                    if (s2K != null) {
+                        int s2kType = s2K.getType();
+                        if (s2kType >= 100 && s2kType <= 110) {
+                            LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
+                            continue;
+                        }
+                    }
                     LOGGER.debug("Attempt decryption with key " + decryptionKeyId + " while interactively requesting its passphrase");
                     SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
                     PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(keyId));
diff --git a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
index b9562f60..87c5b02e 100644
--- a/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
+++ b/pgpainless-core/src/test/java/org/gnupg/GnuPGDummyKeyUtilTest.java
@@ -4,25 +4,23 @@
 
 package org.gnupg;
 
-import org.bouncycastle.bcpg.S2K;
-import org.bouncycastle.bcpg.SecretKeyPacket;
-import org.bouncycastle.openpgp.PGPSecretKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.gnupg.GnuPGDummyExtension;
-import org.gnupg.GnuPGDummyKeyUtil;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.key.SubkeyIdentifier;
-import org.pgpainless.key.util.KeyIdUtil;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import org.bouncycastle.bcpg.S2K;
+import org.bouncycastle.bcpg.SecretKeyPacket;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.util.KeyIdUtil;
 
 public class GnuPGDummyKeyUtilTest {
     // normal, non-hw-backed key
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
index 419c529d..640025b1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TryDecryptWithUnavailableGnuDummyKeyTest.java
@@ -14,6 +14,7 @@ import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.gnupg.GnuPGDummyKeyUtil;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -45,7 +46,7 @@ public class TryDecryptWithUnavailableGnuDummyKeyTest {
                 .removePrivateKeys(GnuPGDummyKeyUtil.KeyFilter.any());
 
         ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertextOut.toByteArray());
-        assertThrows(PGPException.class, () -> PGPainless.decryptAndOrVerify()
+        assertThrows(MissingDecryptionMethodException.class, () -> PGPainless.decryptAndOrVerify()
                 .onInputStream(ciphertextIn)
                 .withOptions(ConsumerOptions.get().addDecryptionKey(removedKeys)));
     }

From ca49ed087b4f1bb7e416d0d636caaeb37d35e225 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 29 Oct 2022 15:50:34 +0200
Subject: [PATCH 0776/1450] Small clean-ups in OpenPgpMessageInputStream

---
 .../OpenPgpMessageInputStream.java            | 108 +++++++-----------
 1 file changed, 43 insertions(+), 65 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a509cde2..f2c30ced 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -109,7 +109,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
      * @throws PGPException in case of an OpenPGP error
      */
     public static OpenPgpMessageInputStream create(@Nonnull InputStream inputStream,
-                                     @Nonnull ConsumerOptions options)
+                                                   @Nonnull ConsumerOptions options)
             throws IOException, PGPException {
         return create(inputStream, options, PGPainless.getPolicy());
     }
@@ -127,8 +127,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
      * @throws IOException in case of an IO error
      */
     public static OpenPgpMessageInputStream create(@Nonnull InputStream inputStream,
-                                     @Nonnull ConsumerOptions options,
-                                     @Nonnull Policy policy)
+                                                   @Nonnull ConsumerOptions options,
+                                                   @Nonnull Policy policy)
             throws PGPException, IOException {
         return create(inputStream, options, new MessageMetadata.Message(), policy);
     }
@@ -479,9 +479,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         for (Passphrase passphrase : options.getDecryptionPassphrases()) {
             for (PGPPBEEncryptedData skesk : esks.skesks) {
                 LOGGER.debug("Attempt decryption with provided passphrase");
-                SymmetricKeyAlgorithm kekAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
+                SymmetricKeyAlgorithm encapsulationAlgorithm = SymmetricKeyAlgorithm.requireFromId(skesk.getAlgorithm());
                 try {
-                    throwIfUnacceptable(kekAlgorithm);
+                    throwIfUnacceptable(encapsulationAlgorithm);
                 } catch (UnacceptableAlgorithmException e) {
                     LOGGER.debug("Skipping SKESK with unacceptable encapsulation algorithm", e);
                     continue;
@@ -489,7 +489,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPBEDataDecryptorFactory(passphrase);
-
                 if (decryptSKESKAndStream(skesk, decryptorFactory)) {
                     return true;
                 }
@@ -497,10 +496,11 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         List> postponedDueToMissingPassphrase = new ArrayList<>();
+
         // Try (known) secret keys
         for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
             long keyId = pkesk.getKeyID();
-            LOGGER.debug("Encountered PKESK with recipient " + KeyIdUtil.formatKeyId(keyId));
+            LOGGER.debug("Encountered PKESK for recipient " + KeyIdUtil.formatKeyId(keyId));
             PGPSecretKeyRing decryptionKeys = getDecryptionKey(keyId);
             if (decryptionKeys == null) {
                 LOGGER.debug("Skipping PKESK because no matching key " + KeyIdUtil.formatKeyId(keyId) + " was provided");
@@ -508,13 +508,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
             PGPSecretKey secretKey = decryptionKeys.getSecretKey(keyId);
             SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
-            S2K s2K = secretKey.getS2K();
-            if (s2K != null) {
-                int s2kType = s2K.getType();
-                if (s2kType >= 100 && s2kType <= 110) {
-                    LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
-                    continue;
-                }
+            if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) {
+                continue;
             }
             LOGGER.debug("Attempt decryption using secret key " + decryptionKeyId);
 
@@ -527,10 +522,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
 
             PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
-
-            PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                    .getPublicKeyDataDecryptorFactory(privateKey);
-            if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
+            if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
                 return true;
             }
         }
@@ -541,13 +533,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 PGPSecretKeyRing decryptionKeys = decryptionKeyCandidate.getA();
                 PGPSecretKey secretKey = decryptionKeyCandidate.getB();
                 SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKeys, secretKey.getKeyID());
-                S2K s2K = secretKey.getS2K();
-                if (s2K != null) {
-                    int s2kType = s2K.getType();
-                    if (s2kType >= 100 && s2kType <= 110) {
-                        LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
-                        continue;
-                    }
+                if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) {
+                    continue;
                 }
                 LOGGER.debug("Attempt decryption of anonymous PKESK with key " + decryptionKeyId);
                 SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKeyCandidate.getA());
@@ -556,11 +543,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     postponedDueToMissingPassphrase.add(new Tuple<>(secretKey, pkesk));
                     continue;
                 }
-                PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKeyCandidate.getB(), protector);
-                PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                        .getPublicKeyDataDecryptorFactory(privateKey);
 
-                if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
+                PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
+                if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
                     return true;
                 }
             }
@@ -571,7 +556,8 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             Set keyIds = new HashSet<>();
             for (Tuple k : postponedDueToMissingPassphrase) {
                 PGPSecretKey key = k.getA();
-                keyIds.add(new SubkeyIdentifier(getDecryptionKey(key.getKeyID()), key.getKeyID()));
+                PGPSecretKeyRing keys = getDecryptionKey(key.getKeyID());
+                keyIds.add(new SubkeyIdentifier(keys, key.getKeyID()));
             }
             if (!keyIds.isEmpty()) {
                 throw new MissingPassphraseException(keyIds);
@@ -584,21 +570,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     long keyId = secretKey.getKeyID();
                     PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
                     SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
-                    S2K s2K = secretKey.getS2K();
-                    if (s2K != null) {
-                        int s2kType = s2K.getType();
-                        if (s2kType >= 100 && s2kType <= 110) {
-                            LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
-                            continue;
-                        }
+                    if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) {
+                        continue;
                     }
+
                     LOGGER.debug("Attempt decryption with key " + decryptionKeyId + " while interactively requesting its passphrase");
                     SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
-                    PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector.getDecryptor(keyId));
-                    PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
-                            .getPublicKeyDataDecryptorFactory(privateKey);
-
-                    if (decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk)) {
+                    PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
+                    if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
                         return true;
                     }
                 }
@@ -613,6 +592,27 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
+    private boolean decryptWithPrivateKey(PGPPrivateKey privateKey,
+                                          SubkeyIdentifier decryptionKeyId,
+                                          PGPPublicKeyEncryptedData pkesk)
+            throws PGPException, IOException {
+        PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
+                .getPublicKeyDataDecryptorFactory(privateKey);
+        return decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk);
+    }
+
+    private static boolean hasUnsupportedS2KSpecifier(PGPSecretKey secretKey, SubkeyIdentifier decryptionKeyId) {
+        S2K s2K = secretKey.getS2K();
+        if (s2K != null) {
+            int s2kType = s2K.getType();
+            if (s2kType >= 100 && s2kType <= 110) {
+                LOGGER.debug("Skipping PKESK because key " + decryptionKeyId + " has unsupported private S2K specifier " + s2kType);
+                return true;
+            }
+        }
+        return false;
+    }
+
     private boolean decryptSKESKAndStream(PGPPBEEncryptedData skesk, PBEDataDecryptorFactory decryptorFactory)
             throws IOException, UnacceptableAlgorithmException {
         try {
@@ -661,14 +661,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
-    private PGPSecretKey getDecryptionKey(PGPSecretKeyRing decryptionKeys, long keyId) {
-        KeyRingInfo info = PGPainless.inspectKeyRing(decryptionKeys);
-        if (info.getEncryptionSubkeys(EncryptionPurpose.ANY).contains(info.getPublicKey(keyId))) {
-            return info.getSecretKey(keyId);
-        }
-        return null;
-    }
-
     private void throwIfUnacceptable(SymmetricKeyAlgorithm algorithm)
             throws UnacceptableAlgorithmException {
         if (!policy.getSymmetricKeyDecryptionAlgorithmPolicy().isAcceptable(algorithm)) {
@@ -883,20 +875,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return resultBuilder.build();
     }
 
-    static void log(String message) {
-        LOGGER.debug(message);
-        // CHECKSTYLE:OFF
-        System.out.println(message);
-        // CHECKSTYLE:ON
-    }
-
-    static void log(String message, Throwable e) {
-        log(message);
-        // CHECKSTYLE:OFF
-        e.printStackTrace();
-        // CHECKSTYLE:ON
-    }
-
     // In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
     // In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
     // Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
@@ -1004,7 +982,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 try {
                     SignatureValidator.signatureWasCreatedInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter())
-                        .verify(signature);
+                            .verify(signature);
                     CertificateValidator.validateCertificateAndVerifyOnePassSignature(onePassSignature, policy);
                     LOGGER.debug("Acceptable signature by key " + verification.getSigningKey());
                     layer.addVerifiedOnePassSignature(verification);

From f86aae499726e715ef1dd793314014c1bbdb2050 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 2 Nov 2022 10:37:24 +0100
Subject: [PATCH 0777/1450] Implement efficient read(buf,off,len) for
 DelayedInputStream

---
 .../decryption_verification/TeeBCPGInputStream.java           | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index 52ec9001..28b415e0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -127,9 +127,6 @@ public class TeeBCPGInputStream {
             }
         }
 
-        // TODO: Uncomment, once BC-172.1 is available
-        //  see https://github.com/bcgit/bc-java/issues/1257
-        /*
         @Override
         public int read(byte[] b, int off, int len) throws IOException {
             if (last != -1) {
@@ -145,7 +142,6 @@ public class TeeBCPGInputStream {
             }
             return r;
         }
-         */
 
         /**
          * Squeeze the last byte out and update the output stream.

From b1f9a1398a879ef0d8ed2a1b4301618cade9df5e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 12:07:26 +0100
Subject: [PATCH 0778/1450] Add comment for ArmorUtils method

---
 .../src/main/java/org/pgpainless/util/ArmorUtils.java            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index 8a51ff3d..b3e60023 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -178,6 +178,7 @@ public final class ArmorUtils {
      * If it is 
false
, the signature will be encoded as-is.
      *
      * @param signature signature
+     * @param export whether to exclude non-exportable subpackets or trust-packets.
      * @return ascii armored string
      *
      * @throws IOException in case of an error in the {@link ArmoredOutputStream}

From 313dbcfaa88d1bacc6f38f2af676f58d1157e9c7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 12:29:50 +0100
Subject: [PATCH 0779/1450] Update changelog

---
 CHANGELOG.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 551728aa..af1029ce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,35 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.0-SNAPSHOT
+- Reimplement message consumption via new `OpenPgpMessageInputStream`
+    - Fix validation of prepended signatures (#314)
+    - Fix validation of nested signatures (#319)
+    - Reject malformed messages (#237)
+        - Utilize new `PDA` syntax verifier class
+        - Allow for custom message syntax via `Syntax` class
+    - Gracefully handle `UnsupportedPacketVersionException` for signatures
+    - Allow plugin decryption code (e.g. to add support for hardware-backed keys (see #318))
+        - Add `HardwareSecurity` utility class
+        - Add `GnuPGDummyKeyUtil` which can be used to mimic GnuPGs proprietary S2K extensions
+          for keys which were placed on hardware tokens
+    - Add `OpenPgpPacket` enum class to enumerate available packet tags
+    - Remove old decryption classes in favor of new implementation
+        - Removed `DecryptionStream` class and replaced with new abstract class
+        - Removed `DecryptionStreamFactory`
+        - Removed `FinalIOException`
+        - Removed `MissingLiteralDataException` (replaced by `MalformedOpenPgpMessageException`)
+    - Introduce `MessageMetadata` class as potential future replacement for `OpenPgpMetadata`.
+        - can be obtained via `((OpenPgpMessageInputStream) decryptionStream).getMetadata();`
+- Add `CachingBcPublicKeyDataDecryptorFactory` which can be extended to prevent costly decryption
+  of session keys
+- Fix: Only verify message integrity once
+- Remove unnecessary `@throws` declarations on `KeyRingReader` methods
+- Remove unnecessary `@throws` declarations on `KeyRingUtils` methods
+- Add `KeyIdUtil.formatKeyId(long id)` to format hexadecimal key-ids.
+- Add `KeyRingUtils.publicKeys(PGPKeyRing keys)`
+- Remove `BCUtil` class
+
 ## 1.3.13
 - Bump `sop-java` to `4.0.7`
 

From 256920bfae35da2009ba328d57d04862f567b949 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 12:34:52 +0100
Subject: [PATCH 0780/1450] PGPainless 1.4.0-rc1

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index af1029ce..54b9b8a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.0-SNAPSHOT
+## 1.4.0-rc1
 - Reimplement message consumption via new `OpenPgpMessageInputStream`
     - Fix validation of prepended signatures (#314)
     - Fix validation of nested signatures (#319)
diff --git a/README.md b/README.md
index 90f6be81..1855f742 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.3.13'
+	implementation 'org.pgpainless:pgpainless-core:1.4.0-rc1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 4a18136d..893804dd 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.3.13"
+    implementation "org.pgpainless:pgpainless-sop:1.4.0-rc1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.3.13
+        1.4.0-rc1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 7d25632e..d99e2f6b 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.0'
-        isSnapshot = true
+        shortVersion = '1.4.0-rc1'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 6243d690614eb10cb22fa378d59b647cf5a67f09 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 12:38:38 +0100
Subject: [PATCH 0781/1450] PGPainless 1.4.0-rc2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index d99e2f6b..d6634b93 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.0-rc1'
-        isSnapshot = false
+        shortVersion = '1.4.0-rc2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From f80b3e0cdb4d2ef6b5cb34229a9af06d44532960 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 12:52:20 +0100
Subject: [PATCH 0782/1450] Use BCs PGPEncryptedDataList.isIntegrityProtected()

---
 .../decryption_verification/OpenPgpMessageInputStream.java    | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index f2c30ced..83c0a3f2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -405,9 +405,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         syntaxVerifier.next(InputSymbol.EncryptedData);
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
-        // TODO: Replace with !encDataList.isIntegrityProtected()
-        //  once BC ships it
-        if (!encDataList.get(0).isIntegrityProtected()) {
+        if (!encDataList.isIntegrityProtected()) {
             LOGGER.debug("Symmetrically Encrypted Data Packet is not integrity-protected and is therefore rejected.");
             throw new MessageNotIntegrityProtectedException();
         }

From 59e81dc514018b4e1705decdc0e375e34b43bb33 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 13:04:13 +0100
Subject: [PATCH 0783/1450] Use BCs
 PGPEncryptedDataList.extractSessionKeyEncryptedData() for decryption with
 session key

---
 .../OpenPgpMessageInputStream.java            | 30 +++++--------------
 1 file changed, 8 insertions(+), 22 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 83c0a3f2..28440257 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -33,6 +33,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSessionKeyEncryptedData;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
@@ -444,29 +445,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                     sessionKey.getAlgorithm(), metadata.depth + 1);
 
+            PGPSessionKeyEncryptedData sessionKeyEncryptedData = encDataList.extractSessionKeyEncryptedData();
             try {
-                // TODO: Use BCs new API once shipped
-                //  see https://github.com/bcgit/bc-java/pull/1228 (discussion)
-                PGPEncryptedData esk = esks.all().get(0);
-                if (esk instanceof PGPPBEEncryptedData) {
-                    PGPPBEEncryptedData skesk = (PGPPBEEncryptedData) esk;
-                    InputStream decrypted = skesk.getDataStream(decryptorFactory);
-                    encryptedData.sessionKey = sessionKey;
-                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
-                    LOGGER.debug("Successfully decrypted data with provided session key");
-                    return true;
-                } else if (esk instanceof PGPPublicKeyEncryptedData) {
-                    PGPPublicKeyEncryptedData pkesk = (PGPPublicKeyEncryptedData) esk;
-                    InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-                    encryptedData.sessionKey = sessionKey;
-                    IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
-                    nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
-                    LOGGER.debug("Successfully decrypted data with provided session key");
-                    return true;
-                } else {
-                    throw new RuntimeException("Unknown ESK class type: " + esk.getClass().getName());
-                }
+                InputStream decrypted = sessionKeyEncryptedData.getDataStream(decryptorFactory);
+                encryptedData.sessionKey = sessionKey;
+                IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, sessionKeyEncryptedData, options);
+                nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
+                LOGGER.debug("Successfully decrypted data with provided session key");
+                return true;
             } catch (PGPException e) {
                 // Session key mismatch?
                 LOGGER.debug("Decryption using provided session key failed. Mismatched session key and message?", e);

From 963b678a9e5ec5b98e50e1a68bf2a391e6e8f8c4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 13:04:36 +0100
Subject: [PATCH 0784/1450] Enable test for decryption of messages without ESKs

---
 .../TestDecryptionOfMessageWithoutESKUsingSessionKey.java      | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
index c9778426..b28af822 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/TestDecryptionOfMessageWithoutESKUsingSessionKey.java
@@ -7,7 +7,6 @@ package org.pgpainless.decryption_verification;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.util.SessionKey;
@@ -55,8 +54,6 @@ public class TestDecryptionOfMessageWithoutESKUsingSessionKey {
         assertEquals("Hello, World!\n", out.toString());
     }
 
-    // TODO: Enable when BC 173 gets released with our fix
-    @Disabled("Bug in BC 172. See https://github.com/bcgit/bc-java/pull/1228")
     @Test
     public void decryptMessageWithoutSKESK() throws PGPException, IOException {
         ByteArrayInputStream in = new ByteArrayInputStream(encryptedMessageWithoutESK.getBytes(StandardCharsets.UTF_8));

From 6dcc1e68cd2ea4969caf0a7a94bb1fdb925f5ff0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 13:04:53 +0100
Subject: [PATCH 0785/1450] Fix expected exception in roundtrip test

---
 .../java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 515cf71d..22af5b70 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -512,7 +512,7 @@ public class EncryptDecryptRoundTripTest {
                 "-----END PGP MESSAGE-----").getBytes(StandardCharsets.UTF_8);
         SessionKey wrongSessionKey = SessionKey.fromString("9:63F741E7FB60247BE59C64158573308F727236482DB7653908C95839E4166AAE");
 
-        assertThrows(SOPGPException.BadData.class, () ->
+        assertThrows(SOPGPException.CannotDecrypt.class, () ->
                 sop.decrypt().withSessionKey(wrongSessionKey).ciphertext(ciphertext));
     }
 

From 2dc72d76908f8f00200b187d2b95751722731326 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 3 Nov 2022 13:14:58 +0100
Subject: [PATCH 0786/1450] Update CHANGELOG

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54b9b8a4..cff696f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.0-rc2-SNAPSHOT
+- Use BCs `PGPEncryptedDataList.extractSessionKeyEncryptedData()` method
+  to do decryption using session keys. This enables decryption of messages
+  without encrypted session key packets.
+- Use BCs `PGPEncryptedDataList.isIntegrityProtected()` to check for integrity protection
+
 ## 1.4.0-rc1
 - Reimplement message consumption via new `OpenPgpMessageInputStream`
     - Fix validation of prepended signatures (#314)

From 552459608234e4c4edc9b9b50f7ab5fd91d82947 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 6 Nov 2022 18:53:40 +0100
Subject: [PATCH 0787/1450] Add more tests for sop code

---
 .../cli/commands/DearmorCmdTest.java          |  13 +++
 .../RoundTripInlineSignVerifyCmdTest.java     | 107 ++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignVerifyCmdTest.java

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index 4ebaf21d..b8e5532f 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -6,6 +6,7 @@ package org.pgpainless.cli.commands;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -87,4 +88,16 @@ public class DearmorCmdTest extends CLITest {
 
         assertEquals("Hello, World\n", out.toString());
     }
+
+    @Test
+    public void dearmorGarbageEmitsEmpty() {
+        String noArmoredData = "This is not armored.";
+        System.setIn(new ByteArrayInputStream(noArmoredData.getBytes(StandardCharsets.UTF_8)));
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        System.setOut(new PrintStream(out));
+        PGPainlessCLI.execute("dearmor");
+
+        assertTrue(out.toString().isEmpty());
+    }
+
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignVerifyCmdTest.java
new file mode 100644
index 00000000..82fda430
--- /dev/null
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignVerifyCmdTest.java
@@ -0,0 +1,107 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cli.commands;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+
+import com.ginsberg.junit.exit.FailOnSystemExit;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.cli.PGPainlessCLI;
+import org.pgpainless.cli.TestUtils;
+
+public class RoundTripInlineSignVerifyCmdTest {
+    private static File tempDir;
+    private static PrintStream originalSout;
+
+    @BeforeAll
+    public static void prepare() throws IOException {
+        tempDir = TestUtils.createTempDirectory();
+    }
+
+    @Test
+    @FailOnSystemExit
+    public void encryptAndDecryptAMessage() throws IOException {
+        originalSout = System.out;
+        File sigmundKeyFile = new File(tempDir, "sigmund.key");
+        assertTrue(sigmundKeyFile.createNewFile());
+
+        File sigmundCertFile = new File(tempDir, "sigmund.cert");
+        assertTrue(sigmundCertFile.createNewFile());
+
+        File msgFile = new File(tempDir, "signed.asc");
+        assertTrue(msgFile.createNewFile());
+
+        File passwordFile = new File(tempDir, "password");
+        assertTrue(passwordFile.createNewFile());
+
+        // write password file
+        FileOutputStream passwordOut = new FileOutputStream(passwordFile);
+        passwordOut.write("sw0rdf1sh".getBytes(StandardCharsets.UTF_8));
+        passwordOut.close();
+
+        // generate key
+        OutputStream sigmundKeyOut = new FileOutputStream(sigmundKeyFile);
+        System.setOut(new PrintStream(sigmundKeyOut));
+        PGPainlessCLI.execute("generate-key",
+                "--with-key-password=" + passwordFile.getAbsolutePath(),
+                "Sigmund Freud ");
+        sigmundKeyOut.close();
+
+        // extract cert
+        FileInputStream sigmundKeyIn = new FileInputStream(sigmundKeyFile);
+        System.setIn(sigmundKeyIn);
+        OutputStream sigmundCertOut = new FileOutputStream(sigmundCertFile);
+        System.setOut(new PrintStream(sigmundCertOut));
+        PGPainlessCLI.execute("extract-cert");
+        sigmundKeyIn.close();
+        sigmundCertOut.close();
+
+        // sign message
+        String msg = "Hello World!\n";
+        ByteArrayInputStream msgIn = new ByteArrayInputStream(msg.getBytes(StandardCharsets.UTF_8));
+        System.setIn(msgIn);
+        OutputStream msgAscOut = new FileOutputStream(msgFile);
+        System.setOut(new PrintStream(msgAscOut));
+        PGPainlessCLI.execute("inline-sign",
+                "--with-key-password=" + passwordFile.getAbsolutePath(),
+                sigmundKeyFile.getAbsolutePath());
+        msgAscOut.close();
+
+        File verifyFile = new File(tempDir, "verify.txt");
+
+        FileInputStream msgAscIn = new FileInputStream(msgFile);
+        System.setIn(msgAscIn);
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        PrintStream pOut = new PrintStream(out);
+        System.setOut(pOut);
+        PGPainlessCLI.execute("inline-verify",
+                "--verifications-out", verifyFile.getAbsolutePath(),
+                sigmundCertFile.getAbsolutePath());
+        msgAscIn.close();
+
+        assertEquals(msg, out.toString());
+    }
+
+    @AfterAll
+    public static void after() {
+        System.setOut(originalSout);
+        // CHECKSTYLE:OFF
+        System.out.println(tempDir.getAbsolutePath());
+        // CHECKSTYLE:ON
+    }
+}

From 86c72291727e8f202a1101d48047e90648480494 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 9 Nov 2022 22:23:24 +0100
Subject: [PATCH 0788/1450] Do not reject bnacksig signatures when they predate
 subkey binding date

Fixes #334

SOP verify: force data to be non-openpgp data

Update changelog

SOP: Unify key/certificate reading code

Fix key/password matching in SOPs detached sign command

Rework CLI tests

update changelog

PGPainless 1.3.11

PGPainless 1.3.12-SNAPSHOT

Merge branch 'release/1.3'
---
 .../org/pgpainless/cli/commands/DearmorCmdTest.java    | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index b8e5532f..8fcf093d 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -90,13 +90,11 @@ public class DearmorCmdTest extends CLITest {
     }
 
     @Test
-    public void dearmorGarbageEmitsEmpty() {
+    public void dearmorGarbageEmitsEmpty() throws IOException {
         String noArmoredData = "This is not armored.";
-        System.setIn(new ByteArrayInputStream(noArmoredData.getBytes(StandardCharsets.UTF_8)));
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-        System.setOut(new PrintStream(out));
-        PGPainlessCLI.execute("dearmor");
-
+        pipeStringToStdin(noArmoredData);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("dearmor"));
         assertTrue(out.toString().isEmpty());
     }
 

From b287d28a28bf07cfc4aaa6c51fb3fdca4029d4a1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 9 Aug 2022 15:10:59 +0200
Subject: [PATCH 0789/1450] Depend on pgp-certificate-store

---
 pgpainless-core/build.gradle | 3 +++
 version.gradle               | 1 +
 2 files changed, 4 insertions(+)

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index 3c73121f..544fb8a4 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -24,6 +24,9 @@ dependencies {
     api "org.bouncycastle:bcpg-jdk15to18:$bouncyPgVersion"
     // api(files("../libs/bcpg-jdk18on-1.70.jar"))
 
+    // certificate store
+    api "org.pgpainless:pgp-certificate-store:$pgpCertificateStoreVersion"
+
     // @Nullable, @Nonnull annotations
     implementation "com.google.code.findbugs:jsr305:3.0.2"
 }
diff --git a/version.gradle b/version.gradle
index d6634b93..302f54e0 100644
--- a/version.gradle
+++ b/version.gradle
@@ -17,6 +17,7 @@ allprojects {
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
+        pgpCertificateStoreVersion = '0.1.1'
         slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.7'
     }

From d486a17cf1b864d9d37073bd9e7cb891654daf14 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 9 Aug 2022 15:11:18 +0200
Subject: [PATCH 0790/1450] Implement EncryptionOptions.addRecipient(store,
 fingerprint)

---
 .../encryption_signing/EncryptionOptions.java | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 6d2ca642..4bf21434 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.encryption_signing;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
@@ -21,6 +22,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
+import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyException;
@@ -30,6 +32,10 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyAccessor;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.CertificateStore;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
 
 /**
  * Options for the encryption process.
@@ -235,6 +241,30 @@ public class EncryptionOptions {
         return this;
     }
 
+    /**
+     * Add a recipient by providing a {@link CertificateStore} and the {@link OpenPgpFingerprint} of the recipients key.
+     * If no such certificate is found in the store, a {@link NoSuchElementException is thrown}.
+     *
+     * @param certificateStore certificate store
+     * @param certificateFingerprint fingerprint of the recipient certificate
+     * @return builder
+     * @throws BadDataException if the certificate contains bad data
+     * @throws BadNameException if the fingerprint is not in a recognizable form for the store
+     * @throws IOException in case of an IO error
+     * @throws NoSuchElementException if the store does not contain a certificate for the given fingerprint
+     */
+    public EncryptionOptions addRecipient(@Nonnull CertificateStore certificateStore,
+                                          @Nonnull OpenPgpFingerprint certificateFingerprint)
+            throws BadDataException, BadNameException, IOException {
+        String fingerprint = certificateFingerprint.toString().toLowerCase();
+        Certificate certificateRecord = certificateStore.getCertificate(fingerprint);
+        if (certificateRecord == null) {
+            throw new NoSuchElementException("Cannot find certificate '" + certificateFingerprint + "'");
+        }
+        PGPPublicKeyRing recipientCertificate = PGPainless.readKeyRing().publicKeyRing(certificateRecord.getInputStream());
+        return addRecipient(recipientCertificate);
+    }
+
     private void addRecipientKey(PGPPublicKeyRing keyRing, PGPPublicKey key) {
         encryptionKeys.add(new SubkeyIdentifier(keyRing, key.getKeyID()));
         PGPKeyEncryptionMethodGenerator encryptionMethod = ImplementationFactory

From 6dc5b84d668388646085018ada1945e5933f346c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 12 Aug 2022 15:05:42 +0200
Subject: [PATCH 0791/1450] Depend on pgp-certificate-store again

---
 .../encryption_signing/EncryptionOptions.java         | 11 ++++++-----
 version.gradle                                        |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 4bf21434..13131f08 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -32,8 +32,8 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyAccessor;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
-import pgp.certificate_store.Certificate;
-import pgp.certificate_store.CertificateStore;
+import pgp.certificate_store.PGPCertificateStore;
+import pgp.certificate_store.certificate.Certificate;
 import pgp.certificate_store.exception.BadDataException;
 import pgp.certificate_store.exception.BadNameException;
 
@@ -242,7 +242,7 @@ public class EncryptionOptions {
     }
 
     /**
-     * Add a recipient by providing a {@link CertificateStore} and the {@link OpenPgpFingerprint} of the recipients key.
+     * Add a recipient by providing a {@link PGPCertificateStore} and the {@link OpenPgpFingerprint} of the recipients key.
      * If no such certificate is found in the store, a {@link NoSuchElementException is thrown}.
      *
      * @param certificateStore certificate store
@@ -253,7 +253,7 @@ public class EncryptionOptions {
      * @throws IOException in case of an IO error
      * @throws NoSuchElementException if the store does not contain a certificate for the given fingerprint
      */
-    public EncryptionOptions addRecipient(@Nonnull CertificateStore certificateStore,
+    public EncryptionOptions addRecipient(@Nonnull PGPCertificateStore certificateStore,
                                           @Nonnull OpenPgpFingerprint certificateFingerprint)
             throws BadDataException, BadNameException, IOException {
         String fingerprint = certificateFingerprint.toString().toLowerCase();
@@ -261,7 +261,8 @@ public class EncryptionOptions {
         if (certificateRecord == null) {
             throw new NoSuchElementException("Cannot find certificate '" + certificateFingerprint + "'");
         }
-        PGPPublicKeyRing recipientCertificate = PGPainless.readKeyRing().publicKeyRing(certificateRecord.getInputStream());
+        PGPPublicKeyRing recipientCertificate = PGPainless.readKeyRing()
+                .publicKeyRing(certificateRecord.getInputStream());
         return addRecipient(recipientCertificate);
     }
 
diff --git a/version.gradle b/version.gradle
index 302f54e0..260ef548 100644
--- a/version.gradle
+++ b/version.gradle
@@ -17,7 +17,7 @@ allprojects {
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
-        pgpCertificateStoreVersion = '0.1.1'
+        pgpCertificateStoreVersion = '0.1.2-SNAPSHOT'
         slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.7'
     }

From d0277fbbecfeed576e1d0dab9960fe43deec368e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 25 Aug 2022 17:20:45 +0200
Subject: [PATCH 0792/1450] Bump cert-d-java to 0.2.0

---
 pgpainless-core/build.gradle | 3 ++-
 version.gradle               | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index 544fb8a4..84b4273f 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -25,7 +25,8 @@ dependencies {
     // api(files("../libs/bcpg-jdk18on-1.70.jar"))
 
     // certificate store
-    api "org.pgpainless:pgp-certificate-store:$pgpCertificateStoreVersion"
+    api "org.pgpainless:pgp-certificate-store:$pgpCertDJavaVersion"
+    testImplementation "org.pgpainless:pgpainless-cert-d:$pgpainlessCertDVersion"
 
     // @Nullable, @Nonnull annotations
     implementation "com.google.code.findbugs:jsr305:3.0.2"
diff --git a/version.gradle b/version.gradle
index 260ef548..109e592e 100644
--- a/version.gradle
+++ b/version.gradle
@@ -17,7 +17,8 @@ allprojects {
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
-        pgpCertificateStoreVersion = '0.1.2-SNAPSHOT'
+        pgpainlessCertDVersion = '0.1.3-SNAPSHOT'
+        pgpCertDJavaVersion = '0.2.0'
         slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.7'
     }

From 22abb624435ec3fc5bd6ad974b6e0f5b2df75941 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 25 Aug 2022 18:56:37 +0200
Subject: [PATCH 0793/1450] Add test for encryption to cert from certificate
 store

---
 .../EncryptWithKeyFromKeyStoreTest.java       | 111 ++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
new file mode 100644
index 00000000..9291d703
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
@@ -0,0 +1,111 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.encryption_signing;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.certificate_store.MergeCallbacks;
+import org.pgpainless.certificate_store.PGPainlessCertD;
+import org.pgpainless.key.OpenPgpFingerprint;
+import pgp.cert_d.PGPCertificateStoreAdapter;
+import pgp.certificate_store.certificate.Certificate;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class EncryptWithKeyFromKeyStoreTest {
+
+    // Collection of 3 certificates (fingerprints below)
+    private static final String CERT_COLLECTION = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "mDMEYwemqhYJKwYBBAHaRw8BAQdAkhI29iXd05I2msAucVCmM2Chg52093a3MdHs\n" +
+            "NHu83i+0FEEgPGFAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHpqoJEAcHMNbM\n" +
+            "aq4mFiEEdjJKQcwZwKozs8H2Bwcw1sxqriYCngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
+            "CwKZAQAAoZcBAPhMQ8TLPRMLiWcNi4bO3A9OonFpxOyfLRC8yiJSL6bbAQDcMylf\n" +
+            "pgOZGQ+uxWPokoJtWQt7I9IWsBxrwyW8iUniDbg4BGMHpqoSCisGAQQBl1UBBQEB\n" +
+            "B0D9g9P9VCLNFKteqgESsYK+OKeeDDk3LRgcsxANBkWNcwMBCAeIdQQYFgoAHQUC\n" +
+            "YwemqgKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEAcHMNbMaq4ml8MBAL8EUAIS\n" +
+            "cusSuhIJpep961GS7dvUjn/Hg0TW5llUzg8fAQCl3vSqbSsNAUxmrOr3600IuyM2\n" +
+            "EFlE412iEa5lhc/oArgzBGMHpqoWCSsGAQQB2kcPAQEHQKgUT/3nK/hqpgYR9zpw\n" +
+            "2AYOXsJSHRdJOGW6dEMRvIBaiNUEGBYKAH0FAmMHpqoCngECmwIFFgIDAQAECwkI\n" +
+            "BwUVCgkIC18gBBkWCgAGBQJjB6aqAAoJEGkhuqcOCjqNAfMA/3eG/POfM+6INiC3\n" +
+            "DY7mTMgSEqjojd3aBWAGdbGuQ0b+AQDgfhLFYN/Ip6dvbEAhf8d0TCrs4dFmS9Pp\n" +
+            "BOfWWgEsBgAKCRAHBzDWzGquJmIIAP4sQO7j7FH41KQf1E22SpbxiKSC2lK+9hxT\n" +
+            "kv6divqdZgD/T91FUb9AenAJBLzyaTwReQSt/iEx1mxLi7QilaJCDA6YMwRjB6aq\n" +
+            "FgkrBgEEAdpHDwEBB0D/8+N/bzvx2kZTrQ3fvGv6GTyBZGy1qqH9+70/orCegbQU\n" +
+            "QiA8YkBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwemqgkQDmT2NIT1D4IWIQTH\n" +
+            "zU3gfxyXLgTTOGAOZPY0hPUPggKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAAp\n" +
+            "3wEA4Pj8MpGKBiwG/I2A26B6IDz0MZ/IiR204tWjh54ZgIYA/RYrxyfdmuKhEzMf\n" +
+            "MA0a0juZ1euzxYPeNvgYJRjOnoUCuDgEYwemqhIKKwYBBAGXVQEFAQEHQPiGISsj\n" +
+            "Hv/wd8eQXUxMFU2I1ex6c9LcDXKOHHvL4XB1AwEIB4h1BBgWCgAdBQJjB6aqAp4B\n" +
+            "ApsMBRYCAwEABAsJCAcFFQoJCAsACgkQDmT2NIT1D4IdlQEA8cjOGf2X0D0v7gRg\n" +
+            "wV6C8o7KaIjwqbRFjbw4v7dewT4BANjBU/KD+SgKG9l27t0pv7fzklWxUwehfIYR\n" +
+            "veVegsEKuDMEYwemqhYJKwYBBAHaRw8BAQdAZA6ryWxnMEfhxhmfA8n54fgQXUE2\n" +
+            "BwPobUGLfhjee8eI1QQYFgoAfQUCYwemqgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgL\n" +
+            "XyAEGRYKAAYFAmMHpqoACgkQB/5eyqSzV2hurwEAv0ODS93BTlgBXL6dDZ+6vO+y\n" +
+            "emW6wH4RBZcrvQOhmpMBALhVrbS6L97HukL9B9QMSyP9Ir3QrBJihJNQjIcs/9UD\n" +
+            "AAoJEA5k9jSE9Q+CAogA/jdAcbky2S6Ym39EqV8xCQKr7ddOKMzMUhGM65W6sAlP\n" +
+            "AP99OZu3bNXsH79eJ8KmSpTaRH8meRgSaIve/6NgAmO2CpgzBGMHpqoWCSsGAQQB\n" +
+            "2kcPAQEHQOdxRopw4vC2USLv4kqEVKNlAM+NkYomruNqsVlde9iutBRDIDxjQHBn\n" +
+            "cGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6aqCRBUXcAjBoWYJBYhBJFl6D4X+Xm9\n" +
+            "JjH+/VRdwCMGhZgkAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAAD4AQD9PvbC\n" +
+            "y/SNXx62jnQmNHVXo/UDOmUqHymwHvm0MrKHeQEA06X5eLoHsttbRTvQt4NVYjdy\n" +
+            "pDT4ySNvQCu6a5CiKg+4OARjB6aqEgorBgEEAZdVAQUBAQdAV1TW1qj0O2DGGBnR\n" +
+            "y11gSj6uHhxOaGps2QE9asfp7QEDAQgHiHUEGBYKAB0FAmMHpqoCngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRBUXcAjBoWYJIY9AQCVPseDfgRuCG7ygCmPtLO3Vp5j\n" +
+            "ZcDF1fke/J3Z6LVAvQEA2bxaKgArPRrTlmCgM7iJSOBVyzryWZ7+lmbjLeqVxgi4\n" +
+            "MwRjB6aqFgkrBgEEAdpHDwEBB0CCEWkyuz0HoWS63dinLk2VZJde4s4w0sQR9pPB\n" +
+            "6wlwvIjVBBgWCgB9BQJjB6aqAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoA\n" +
+            "BgUCYwemqgAKCRD9CgygdUb5mXWoAP0Zp5qSRFMJEghCgnZqcGIjlotGUc65uXv4\n" +
+            "U5iqHfgEJAD/aAhA55MmlxIDXUkDMlKsy8WfhksLu6dfMkjJY2LYEAgACgkQVF3A\n" +
+            "IwaFmCTV5wD9ErsC4w6ajM6PTGImtrK6IJEdMGajOwSGYWHiX9yaOI4BANdWby+h\n" +
+            "Pr2snaTp6/NukIbg3D/YMXm+mM6119v7HJkO\n" +
+            "=KVYs\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----";
+    private static final OpenPgpFingerprint cert1fp = OpenPgpFingerprint.parse("76324A41CC19C0AA33B3C1F6070730D6CC6AAE26");
+    private static final OpenPgpFingerprint cert2fp = OpenPgpFingerprint.parse("C7CD4DE07F1C972E04D338600E64F63484F50F82");
+    private static final OpenPgpFingerprint cert3fp = OpenPgpFingerprint.parse("9165E83E17F979BD2631FEFD545DC02306859824");
+
+    @Test
+    public void encryptWithKeyFromStore() throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
+        // In-Memory certificate store
+        PGPainlessCertD certificateDirectory = PGPainlessCertD.inMemory();
+        PGPCertificateStoreAdapter adapter = new PGPCertificateStoreAdapter(certificateDirectory);
+
+        // Populate store
+        PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing().publicKeyRingCollection(CERT_COLLECTION);
+        for (PGPPublicKeyRing cert : certificates) {
+            certificateDirectory.insert(new ByteArrayInputStream(cert.getEncoded()), MergeCallbacks.mergeWithExisting());
+        }
+
+        // Encrypt message
+        ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertextOut)
+                .withOptions(ProducerOptions.encrypt(
+                        EncryptionOptions.encryptCommunications()
+                                .addRecipient(adapter, cert2fp)));
+        ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World! This message is encrypted using a cert from a store!".getBytes());
+        Streams.pipeAll(plaintext, encryptionStream);
+        encryptionStream.close();
+
+        // Get cert from store
+        Certificate cert = adapter.getCertificate(cert2fp.toString());
+        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(cert.getInputStream());
+
+        // check if message was encrypted for cert
+        assertTrue(encryptionStream.getResult().isEncryptedFor(publicKeys));
+    }
+}

From 4594b494a96089534f597fb2a6b14ca292ef8959 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 25 Aug 2022 19:46:28 +0200
Subject: [PATCH 0794/1450] Implement signature verification with certificate
 stores as cert source

---
 .../ConsumerOptions.java                      |  93 +++++++-
 .../EncryptWithKeyFromKeyStoreTest.java       | 213 ++++++++++++++----
 .../pgpainless/sop/DetachedVerifyImpl.java    |   2 +-
 .../org/pgpainless/sop/InlineVerifyImpl.java  |   2 +-
 4 files changed, 257 insertions(+), 53 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index f8f59d36..f7b3c020 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -6,10 +6,12 @@ package org.pgpainless.decryption_verification;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -23,6 +25,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
+import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.key.SubkeyIdentifier;
@@ -30,6 +33,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
+import pgp.certificate_store.PGPCertificateStore;
+import pgp.certificate_store.certificate.Certificate;
+import pgp.certificate_store.exception.BadDataException;
 
 /**
  * Options for decryption and signature verification.
@@ -43,8 +49,7 @@ public class ConsumerOptions {
     private Date verifyNotBefore = null;
     private Date verifyNotAfter = new Date();
 
-    // Set of verification keys
-    private final Set certificates = new HashSet<>();
+    private final CertificateSource certificates = new CertificateSource();
     private final Set detachedSignatures = new HashSet<>();
     private MissingPublicKeyCallback missingCertificateCallback = null;
 
@@ -113,7 +118,7 @@ public class ConsumerOptions {
      * @return options
      */
     public ConsumerOptions addVerificationCert(PGPPublicKeyRing verificationCert) {
-        this.certificates.add(verificationCert);
+        this.certificates.addCertificate(verificationCert);
         return this;
     }
 
@@ -130,6 +135,11 @@ public class ConsumerOptions {
         return this;
     }
 
+    public ConsumerOptions addVerificationCerts(PGPCertificateStore certificateStore) {
+        this.certificates.addStore(certificateStore);
+        return this;
+    }
+
     public ConsumerOptions addVerificationOfDetachedSignatures(InputStream signatureInputStream) throws IOException, PGPException {
         List signatures = SignatureUtils.readSignatures(signatureInputStream);
         return addVerificationOfDetachedSignatures(signatures);
@@ -266,8 +276,19 @@ public class ConsumerOptions {
         return Collections.unmodifiableSet(decryptionPassphrases);
     }
 
+    /**
+     * Return the explicitly set verification certificates.
+     *
+     * @deprecated use {@link #getCertificateSource()} instead.
+     * @return verification certs
+     */
+    @Deprecated
     public @Nonnull Set getCertificates() {
-        return Collections.unmodifiableSet(certificates);
+        return certificates.getExplicitCertificates();
+    }
+
+    public @Nonnull CertificateSource getCertificateSource() {
+        return certificates;
     }
 
     public @Nullable MissingPublicKeyCallback getMissingCertificateCallback() {
@@ -385,4 +406,68 @@ public class ConsumerOptions {
     public MultiPassStrategy getMultiPassStrategy() {
         return multiPassStrategy;
     }
+
+    public static class CertificateSource {
+
+        private List stores = new ArrayList<>();
+        private Set explicitCertificates = new HashSet<>();
+
+        /**
+         * Add a certificate store as source for verification certificates.
+         *
+         * @param certificateStore cert store
+         */
+        public void addStore(PGPCertificateStore certificateStore) {
+            this.stores.add(certificateStore);
+        }
+
+        /**
+         * Add a certificate as verification cert explicitly.
+         *
+         * @param certificate certificate
+         */
+        public void addCertificate(PGPPublicKeyRing certificate) {
+            this.explicitCertificates.add(certificate);
+        }
+
+        /**
+         * Return the set of explicitly set verification certificates.
+         * @return explicitly set verification certs
+         */
+        public Set getExplicitCertificates() {
+            return Collections.unmodifiableSet(explicitCertificates);
+        }
+
+        /**
+         * Return a certificate which contains a subkey with the given keyId.
+         * This method first checks all explicitly set verification certs and if no cert is found it consults
+         * the certificate stores.
+         *
+         * @param keyId key id
+         * @return certificate
+         */
+        public PGPPublicKeyRing getCertificate(long keyId) {
+
+            for (PGPPublicKeyRing cert : explicitCertificates) {
+                if (cert.getPublicKey(keyId) != null) {
+                    return cert;
+                }
+            }
+
+            for (PGPCertificateStore store : stores) {
+                try {
+                    Iterator certs = store.getCertificatesBySubkeyId(keyId);
+                    if (!certs.hasNext()) {
+                        continue;
+                    }
+                    Certificate cert = certs.next();
+                    PGPPublicKeyRing publicKey = PGPainless.readKeyRing().publicKeyRing(cert.getInputStream());
+                    return publicKey;
+                } catch (IOException | BadDataException e) {
+                    continue;
+                }
+            }
+            return null;
+        }
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
index 9291d703..48f1bbd7 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
@@ -7,12 +7,18 @@ package org.pgpainless.encryption_signing;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.certificate_store.MergeCallbacks;
 import org.pgpainless.certificate_store.PGPainlessCertD;
+import org.pgpainless.decryption_verification.ConsumerOptions;
+import org.pgpainless.decryption_verification.DecryptionStream;
+import org.pgpainless.decryption_verification.OpenPgpMetadata;
 import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 import pgp.cert_d.PGPCertificateStoreAdapter;
 import pgp.certificate_store.certificate.Certificate;
 import pgp.certificate_store.exception.BadDataException;
@@ -26,60 +32,116 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class EncryptWithKeyFromKeyStoreTest {
 
+    // Collection of 3 keys (fingerprints below)
+    private static final String KEY_COLLECTION = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: BCPG v1.71\n" +
+            "\n" +
+            "lFgEYwerQBYJKwYBBAHaRw8BAQdAl3XjFMXQdmhMuFEIbE7IJUP1k+5utUT6IAW3\n" +
+            "zlWguvQAAQDK7Qh5Q9EAB5cTh2OWsPeydfDqRmnuxlZjlwf4WWQLhRAltBRBIDxh\n" +
+            "QHBncGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6tBCRBoj2Vso6FpsxYhBNqK9ZX8\n" +
+            "QfcbxPJmCGiPZWyjoWmzAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACEaAP9P\n" +
+            "49Q/E19vyx2rV8EjQd+XBFnDuYxBjw80ZVC0TaKJNgEAgWsQqcg/ARkG9XGxaE3X\n" +
+            "IE9tFHh4wpjQhnK1Ta/wJAOcXQRjB6tBEgorBgEEAZdVAQUBAQdATJM1XKfKVF+C\n" +
+            "B2/xrGU+F89Ir9viOut4sna4aWfvwHoDAQgHAAD/UN84yv5jxKsPgfw/XZCDwoey\n" +
+            "Y69ompSiBuZjzOWrjegToIh1BBgWCgAdBQJjB6tBAp4BApsMBRYCAwEABAsJCAcF\n" +
+            "FQoJCAsACgkQaI9lbKOhabP/PAEApov4hYuhIENq26z+w4s3A1gakN+gax54F7+M\n" +
+            "YSUm16sBAPiuEdpVJOwTk3WMXKyLOYaVU3JstlP2H1ouguvYTt4CnFgEYwerQRYJ\n" +
+            "KwYBBAHaRw8BAQdA5xpeGHNy9v+QUbl+Rs7Mx0c6D913gksW1eZ4Qeg31B0AAQCx\n" +
+            "6b3P5lRBAraZstlRupymrt6vF2JpeJB8JOOQ+rdVYBJpiNUEGBYKAH0FAmMHq0EC\n" +
+            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjB6tBAAoJENH9GnI3A/RM\n" +
+            "IVMA/1GU9E+vA8bs0vJVDjp1ri3J4S7u+abwmlivDw8g8XCWAPwKWWfHLgJCsAHk\n" +
+            "INuDgJdqbNPATFiXxH9FqYnOvWy6DAAKCRBoj2Vso6Fps884AP9D5ZOwuBEXyT/j\n" +
+            "0G8CWBZ0lT14kRGFucjQi9kZStAuVgEA5cd3eUWofnekd/P6R3UgmvhVOqvxwUUg\n" +
+            "Y3mEArH7+waUWARjB6tBFgkrBgEEAdpHDwEBB0BCYWjTs0pfBnKYgO0O07djiMSB\n" +
+            "tUJVpUFo6zrVK92RgAAA/38G6IEK5rJs1OCusmmhHJk1vDu0hbesK7JH7dh75mVY\n" +
+            "Ep20FEIgPGJAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHq0EJEAnsE6FTTHNl\n" +
+            "FiEE2/L5HBba6IFDHu8cCewToVNMc2UCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
+            "AQAAS7MBAI74uYLK7XR6oCwWYk7C6nwdgu3t478MaEpVHQz/9nEGAQCvJCYqqOd6\n" +
+            "cAG6fwFaIJ3h99/Y5o2NaiN17S2zOXEZDJxdBGMHq0ESCisGAQQBl1UBBQEBB0BU\n" +
+            "EjXQCT4xwJryksXsMLaFo43pFTwWaTzduiWgCy2KMgMBCAcAAP9lXlnMYtBfXpgH\n" +
+            "doUZZk3cvWBOH3awc12V3jZSLtSE8BAJiHUEGBYKAB0FAmMHq0ECngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRAJ7BOhU0xzZf5lAQDOgzMhqg3fE8Hg4Hbt4+B0fAD0\n" +
+            "kp6EJgsKRWT7KbZ0SQD/aVGFv7VRVqiiqOT/YMQKBBwHnq/CGJqxUwUmavBMRAqc\n" +
+            "WARjB6tBFgkrBgEEAdpHDwEBB0A5kv3bpsnlxs2LrAzeBx4RgtXQNBhGRhzko1to\n" +
+            "4q+ebQAA/1SU1hvrqd9gNmcc4wff1iwJ1dnqnrbGbO1Yz9rYZjXRE4iI1QQYFgoA\n" +
+            "fQUCYwerQQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmMHq0EACgkQ\n" +
+            "pYWdiAVpxGRW4AD+Lade9kJrvcBMSq8EERhYTH6DFka4eMgFB76kH31WmpQA+gOU\n" +
+            "7kwqKmtyVsXVgCLGMcdTvbZr+73C5m8R7LsdY5kEAAoJEAnsE6FTTHNl7BAA/2v8\n" +
+            "Wzfmg1OO6IWCohmmNgF4rIDBW8Q9s3+1I/mWlMyjAP9YGR+fnN/YOQrlSG9UiXE5\n" +
+            "fGwUhaPB0LEGWp0wmmQYA5RYBGMHq0EWCSsGAQQB2kcPAQEHQI8C53+C8crLCQ48\n" +
+            "OKQa1dEKc8XWQSA6Ckg5j73tOJRLAAD/VRvioGU2M9G6+eKTn68mBVZ8G512HELr\n" +
+            "apK9M5UFGUMPXLQUQyA8Y0BwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwerQQkQ\n" +
+            "ommXHYx1l94WIQQp+Mrw86EV1myUgUKiaZcdjHWX3gKeAQKbAQUWAgMBAAQLCQgH\n" +
+            "BRUKCQgLApkBAAAQ5wEAvahnnRuwY+Y7EPSQG+sqhsdvSTumleYPtEOnHfKctpkA\n" +
+            "/iaTp4OoUw/RtyWUAk8MLN47CAW5wwhFUbVfZOaS88wMnF0EYwerQRIKKwYBBAGX\n" +
+            "VQEFAQEHQNz/s68ZGUBfDmMz510cFgHz+mAdC2nXeE4hHKV/HIVsAwEIBwAA/1HB\n" +
+            "vRl84B8r/PY+5j/X6A+4J08QB/vd5wIHVdkrX+xQELGIdQQYFgoAHQUCYwerQQKe\n" +
+            "AQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEKJplx2MdZfeqzYA/jLtjRmy42MCOxnF\n" +
+            "3A95WZIDoEohFU0QAeE/yVTLGoDTAP4xhTznleABK7VbD9GJXfD6DkEC749tOsST\n" +
+            "eYO/GOxKDpxYBGMHq0EWCSsGAQQB2kcPAQEHQFnvyWSgOv4gn3Ch3RY74pRg+7hX\n" +
+            "OBJAf6ybwvx9t4olAAEAwYG1CL0JozVD1216yrENkP8La132O1MI28kqMsoF6FcP\n" +
+            "I4jVBBgWCgB9BQJjB6tBAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUC\n" +
+            "YwerQQAKCRB8jJGVps/ENgz7AP9ZMENJH+rIKMjynb9WPBlvJ8yJ9dMhzCxcssxg\n" +
+            "EVZYXAEA5ZsE5xJLQC/cVMGFvqaQ8iPo5jhDZpQJ8RCVlb8XzQwACgkQommXHYx1\n" +
+            "l96SkgD/f0FYkK4yB8FWuntJ3n0FUfE31wDwpxvvpvP+o3d2GB4BAP9LRKBXMwj4\n" +
+            "jzJc4ViKmwiNJAPttDQCpYjzJT7LUKAA\n" +
+            "=EAvh\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
     // Collection of 3 certificates (fingerprints below)
     private static final String CERT_COLLECTION = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
             "Version: BCPG v1.71\n" +
             "\n" +
-            "mDMEYwemqhYJKwYBBAHaRw8BAQdAkhI29iXd05I2msAucVCmM2Chg52093a3MdHs\n" +
-            "NHu83i+0FEEgPGFAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHpqoJEAcHMNbM\n" +
-            "aq4mFiEEdjJKQcwZwKozs8H2Bwcw1sxqriYCngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
-            "CwKZAQAAoZcBAPhMQ8TLPRMLiWcNi4bO3A9OonFpxOyfLRC8yiJSL6bbAQDcMylf\n" +
-            "pgOZGQ+uxWPokoJtWQt7I9IWsBxrwyW8iUniDbg4BGMHpqoSCisGAQQBl1UBBQEB\n" +
-            "B0D9g9P9VCLNFKteqgESsYK+OKeeDDk3LRgcsxANBkWNcwMBCAeIdQQYFgoAHQUC\n" +
-            "YwemqgKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEAcHMNbMaq4ml8MBAL8EUAIS\n" +
-            "cusSuhIJpep961GS7dvUjn/Hg0TW5llUzg8fAQCl3vSqbSsNAUxmrOr3600IuyM2\n" +
-            "EFlE412iEa5lhc/oArgzBGMHpqoWCSsGAQQB2kcPAQEHQKgUT/3nK/hqpgYR9zpw\n" +
-            "2AYOXsJSHRdJOGW6dEMRvIBaiNUEGBYKAH0FAmMHpqoCngECmwIFFgIDAQAECwkI\n" +
-            "BwUVCgkIC18gBBkWCgAGBQJjB6aqAAoJEGkhuqcOCjqNAfMA/3eG/POfM+6INiC3\n" +
-            "DY7mTMgSEqjojd3aBWAGdbGuQ0b+AQDgfhLFYN/Ip6dvbEAhf8d0TCrs4dFmS9Pp\n" +
-            "BOfWWgEsBgAKCRAHBzDWzGquJmIIAP4sQO7j7FH41KQf1E22SpbxiKSC2lK+9hxT\n" +
-            "kv6divqdZgD/T91FUb9AenAJBLzyaTwReQSt/iEx1mxLi7QilaJCDA6YMwRjB6aq\n" +
-            "FgkrBgEEAdpHDwEBB0D/8+N/bzvx2kZTrQ3fvGv6GTyBZGy1qqH9+70/orCegbQU\n" +
-            "QiA8YkBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwemqgkQDmT2NIT1D4IWIQTH\n" +
-            "zU3gfxyXLgTTOGAOZPY0hPUPggKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAAp\n" +
-            "3wEA4Pj8MpGKBiwG/I2A26B6IDz0MZ/IiR204tWjh54ZgIYA/RYrxyfdmuKhEzMf\n" +
-            "MA0a0juZ1euzxYPeNvgYJRjOnoUCuDgEYwemqhIKKwYBBAGXVQEFAQEHQPiGISsj\n" +
-            "Hv/wd8eQXUxMFU2I1ex6c9LcDXKOHHvL4XB1AwEIB4h1BBgWCgAdBQJjB6aqAp4B\n" +
-            "ApsMBRYCAwEABAsJCAcFFQoJCAsACgkQDmT2NIT1D4IdlQEA8cjOGf2X0D0v7gRg\n" +
-            "wV6C8o7KaIjwqbRFjbw4v7dewT4BANjBU/KD+SgKG9l27t0pv7fzklWxUwehfIYR\n" +
-            "veVegsEKuDMEYwemqhYJKwYBBAHaRw8BAQdAZA6ryWxnMEfhxhmfA8n54fgQXUE2\n" +
-            "BwPobUGLfhjee8eI1QQYFgoAfQUCYwemqgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgL\n" +
-            "XyAEGRYKAAYFAmMHpqoACgkQB/5eyqSzV2hurwEAv0ODS93BTlgBXL6dDZ+6vO+y\n" +
-            "emW6wH4RBZcrvQOhmpMBALhVrbS6L97HukL9B9QMSyP9Ir3QrBJihJNQjIcs/9UD\n" +
-            "AAoJEA5k9jSE9Q+CAogA/jdAcbky2S6Ym39EqV8xCQKr7ddOKMzMUhGM65W6sAlP\n" +
-            "AP99OZu3bNXsH79eJ8KmSpTaRH8meRgSaIve/6NgAmO2CpgzBGMHpqoWCSsGAQQB\n" +
-            "2kcPAQEHQOdxRopw4vC2USLv4kqEVKNlAM+NkYomruNqsVlde9iutBRDIDxjQHBn\n" +
-            "cGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6aqCRBUXcAjBoWYJBYhBJFl6D4X+Xm9\n" +
-            "JjH+/VRdwCMGhZgkAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAAAD4AQD9PvbC\n" +
-            "y/SNXx62jnQmNHVXo/UDOmUqHymwHvm0MrKHeQEA06X5eLoHsttbRTvQt4NVYjdy\n" +
-            "pDT4ySNvQCu6a5CiKg+4OARjB6aqEgorBgEEAZdVAQUBAQdAV1TW1qj0O2DGGBnR\n" +
-            "y11gSj6uHhxOaGps2QE9asfp7QEDAQgHiHUEGBYKAB0FAmMHpqoCngECmwwFFgID\n" +
-            "AQAECwkIBwUVCgkICwAKCRBUXcAjBoWYJIY9AQCVPseDfgRuCG7ygCmPtLO3Vp5j\n" +
-            "ZcDF1fke/J3Z6LVAvQEA2bxaKgArPRrTlmCgM7iJSOBVyzryWZ7+lmbjLeqVxgi4\n" +
-            "MwRjB6aqFgkrBgEEAdpHDwEBB0CCEWkyuz0HoWS63dinLk2VZJde4s4w0sQR9pPB\n" +
-            "6wlwvIjVBBgWCgB9BQJjB6aqAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoA\n" +
-            "BgUCYwemqgAKCRD9CgygdUb5mXWoAP0Zp5qSRFMJEghCgnZqcGIjlotGUc65uXv4\n" +
-            "U5iqHfgEJAD/aAhA55MmlxIDXUkDMlKsy8WfhksLu6dfMkjJY2LYEAgACgkQVF3A\n" +
-            "IwaFmCTV5wD9ErsC4w6ajM6PTGImtrK6IJEdMGajOwSGYWHiX9yaOI4BANdWby+h\n" +
-            "Pr2snaTp6/NukIbg3D/YMXm+mM6119v7HJkO\n" +
-            "=KVYs\n" +
+            "mDMEYwerQBYJKwYBBAHaRw8BAQdAl3XjFMXQdmhMuFEIbE7IJUP1k+5utUT6IAW3\n" +
+            "zlWguvS0FEEgPGFAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHq0EJEGiPZWyj\n" +
+            "oWmzFiEE2or1lfxB9xvE8mYIaI9lbKOhabMCngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
+            "CwKZAQAAIRoA/0/j1D8TX2/LHatXwSNB35cEWcO5jEGPDzRlULRNook2AQCBaxCp\n" +
+            "yD8BGQb1cbFoTdcgT20UeHjCmNCGcrVNr/AkA7g4BGMHq0ESCisGAQQBl1UBBQEB\n" +
+            "B0BMkzVcp8pUX4IHb/GsZT4Xz0iv2+I663iydrhpZ+/AegMBCAeIdQQYFgoAHQUC\n" +
+            "YwerQQKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEGiPZWyjoWmz/zwBAKaL+IWL\n" +
+            "oSBDatus/sOLNwNYGpDfoGseeBe/jGElJterAQD4rhHaVSTsE5N1jFysizmGlVNy\n" +
+            "bLZT9h9aLoLr2E7eArgzBGMHq0EWCSsGAQQB2kcPAQEHQOcaXhhzcvb/kFG5fkbO\n" +
+            "zMdHOg/dd4JLFtXmeEHoN9QdiNUEGBYKAH0FAmMHq0ECngECmwIFFgIDAQAECwkI\n" +
+            "BwUVCgkIC18gBBkWCgAGBQJjB6tBAAoJENH9GnI3A/RMIVMA/1GU9E+vA8bs0vJV\n" +
+            "Djp1ri3J4S7u+abwmlivDw8g8XCWAPwKWWfHLgJCsAHkINuDgJdqbNPATFiXxH9F\n" +
+            "qYnOvWy6DAAKCRBoj2Vso6Fps884AP9D5ZOwuBEXyT/j0G8CWBZ0lT14kRGFucjQ\n" +
+            "i9kZStAuVgEA5cd3eUWofnekd/P6R3UgmvhVOqvxwUUgY3mEArH7+waYMwRjB6tB\n" +
+            "FgkrBgEEAdpHDwEBB0BCYWjTs0pfBnKYgO0O07djiMSBtUJVpUFo6zrVK92RgLQU\n" +
+            "QiA8YkBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwerQQkQCewToVNMc2UWIQTb\n" +
+            "8vkcFtrogUMe7xwJ7BOhU0xzZQKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAABL\n" +
+            "swEAjvi5gsrtdHqgLBZiTsLqfB2C7e3jvwxoSlUdDP/2cQYBAK8kJiqo53pwAbp/\n" +
+            "AVogneH339jmjY1qI3XtLbM5cRkMuDgEYwerQRIKKwYBBAGXVQEFAQEHQFQSNdAJ\n" +
+            "PjHAmvKSxewwtoWjjekVPBZpPN26JaALLYoyAwEIB4h1BBgWCgAdBQJjB6tBAp4B\n" +
+            "ApsMBRYCAwEABAsJCAcFFQoJCAsACgkQCewToVNMc2X+ZQEAzoMzIaoN3xPB4OB2\n" +
+            "7ePgdHwA9JKehCYLCkVk+ym2dEkA/2lRhb+1UVaooqjk/2DECgQcB56vwhiasVMF\n" +
+            "JmrwTEQKuDMEYwerQRYJKwYBBAHaRw8BAQdAOZL926bJ5cbNi6wM3gceEYLV0DQY\n" +
+            "RkYc5KNbaOKvnm2I1QQYFgoAfQUCYwerQQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgL\n" +
+            "XyAEGRYKAAYFAmMHq0EACgkQpYWdiAVpxGRW4AD+Lade9kJrvcBMSq8EERhYTH6D\n" +
+            "Fka4eMgFB76kH31WmpQA+gOU7kwqKmtyVsXVgCLGMcdTvbZr+73C5m8R7LsdY5kE\n" +
+            "AAoJEAnsE6FTTHNl7BAA/2v8Wzfmg1OO6IWCohmmNgF4rIDBW8Q9s3+1I/mWlMyj\n" +
+            "AP9YGR+fnN/YOQrlSG9UiXE5fGwUhaPB0LEGWp0wmmQYA5gzBGMHq0EWCSsGAQQB\n" +
+            "2kcPAQEHQI8C53+C8crLCQ48OKQa1dEKc8XWQSA6Ckg5j73tOJRLtBRDIDxjQHBn\n" +
+            "cGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6tBCRCiaZcdjHWX3hYhBCn4yvDzoRXW\n" +
+            "bJSBQqJplx2MdZfeAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAABDnAQC9qGed\n" +
+            "G7Bj5jsQ9JAb6yqGx29JO6aV5g+0Q6cd8py2mQD+JpOng6hTD9G3JZQCTwws3jsI\n" +
+            "BbnDCEVRtV9k5pLzzAy4OARjB6tBEgorBgEEAZdVAQUBAQdA3P+zrxkZQF8OYzPn\n" +
+            "XRwWAfP6YB0Ladd4TiEcpX8chWwDAQgHiHUEGBYKAB0FAmMHq0ECngECmwwFFgID\n" +
+            "AQAECwkIBwUVCgkICwAKCRCiaZcdjHWX3qs2AP4y7Y0ZsuNjAjsZxdwPeVmSA6BK\n" +
+            "IRVNEAHhP8lUyxqA0wD+MYU855XgASu1Ww/RiV3w+g5BAu+PbTrEk3mDvxjsSg64\n" +
+            "MwRjB6tBFgkrBgEEAdpHDwEBB0BZ78lkoDr+IJ9wod0WO+KUYPu4VzgSQH+sm8L8\n" +
+            "fbeKJYjVBBgWCgB9BQJjB6tBAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoA\n" +
+            "BgUCYwerQQAKCRB8jJGVps/ENgz7AP9ZMENJH+rIKMjynb9WPBlvJ8yJ9dMhzCxc\n" +
+            "ssxgEVZYXAEA5ZsE5xJLQC/cVMGFvqaQ8iPo5jhDZpQJ8RCVlb8XzQwACgkQommX\n" +
+            "HYx1l96SkgD/f0FYkK4yB8FWuntJ3n0FUfE31wDwpxvvpvP+o3d2GB4BAP9LRKBX\n" +
+            "Mwj4jzJc4ViKmwiNJAPttDQCpYjzJT7LUKAA\n" +
+            "=WaRm\n" +
             "-----END PGP PUBLIC KEY BLOCK-----";
-    private static final OpenPgpFingerprint cert1fp = OpenPgpFingerprint.parse("76324A41CC19C0AA33B3C1F6070730D6CC6AAE26");
-    private static final OpenPgpFingerprint cert2fp = OpenPgpFingerprint.parse("C7CD4DE07F1C972E04D338600E64F63484F50F82");
-    private static final OpenPgpFingerprint cert3fp = OpenPgpFingerprint.parse("9165E83E17F979BD2631FEFD545DC02306859824");
+    private static final OpenPgpFingerprint cert1fp = OpenPgpFingerprint.parse("DA8AF595FC41F71BC4F26608688F656CA3A169B3");
+    private static final OpenPgpFingerprint cert2fp = OpenPgpFingerprint.parse("DBF2F91C16DAE881431EEF1C09EC13A1534C7365");
+    private static final OpenPgpFingerprint cert3fp = OpenPgpFingerprint.parse("29F8CAF0F3A115D66C948142A269971D8C7597DE");
 
     @Test
-    public void encryptWithKeyFromStore() throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
+    public void encryptWithCertFromCertificateStore() throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
         // In-Memory certificate store
         PGPainlessCertD certificateDirectory = PGPainlessCertD.inMemory();
         PGPCertificateStoreAdapter adapter = new PGPCertificateStoreAdapter(certificateDirectory);
@@ -108,4 +170,61 @@ public class EncryptWithKeyFromKeyStoreTest {
         // check if message was encrypted for cert
         assertTrue(encryptionStream.getResult().isEncryptedFor(publicKeys));
     }
+
+    @Test
+    public void verifyWithCertFromCertificateStore()
+            throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
+        // In-Memory certificate store
+        PGPainlessCertD certificateDirectory = PGPainlessCertD.inMemory();
+        PGPCertificateStoreAdapter adapter = new PGPCertificateStoreAdapter(certificateDirectory);
+
+        // Populate store
+        PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing().publicKeyRingCollection(CERT_COLLECTION);
+        for (PGPPublicKeyRing cert : certificates) {
+            certificateDirectory.insert(new ByteArrayInputStream(cert.getEncoded()), MergeCallbacks.mergeWithExisting());
+        }
+
+        // Prepare keys
+        OpenPgpFingerprint cryptFp = cert3fp;
+        OpenPgpFingerprint signFp = cert1fp;
+        PGPSecretKeyRingCollection secretKeys = PGPainless.readKeyRing().secretKeyRingCollection(KEY_COLLECTION);
+        PGPSecretKeyRing signingKey = secretKeys.getSecretKeyRing(signFp.getKeyId());
+        PGPSecretKeyRing decryptionKey = secretKeys.getSecretKeyRing(cryptFp.getKeyId());
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+
+        // Encrypt and sign message
+        ByteArrayInputStream plaintextIn = new ByteArrayInputStream(
+                "This message was encrypted with a cert from a store and gets verified with a cert from a store as well".getBytes());
+        ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertext)
+                .withOptions(
+                        ProducerOptions.signAndEncrypt(
+                                EncryptionOptions.encryptCommunications()
+                                        .addRecipient(adapter, cryptFp),
+                                SigningOptions.get()
+                                        .addSignature(protector, signingKey)
+                        ));
+        Streams.pipeAll(plaintextIn, encryptionStream);
+        encryptionStream.close();
+
+        // Prepare ciphertext for decryption
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertext.toByteArray());
+        ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
+        // Decrypt and verify
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(ciphertextIn)
+                .withOptions(
+                        new ConsumerOptions()
+                                .addDecryptionKey(decryptionKey, protector)
+                                .addVerificationCerts(adapter));
+        Streams.pipeAll(decryptionStream, plaintextOut);
+        decryptionStream.close();
+
+        // Check that message can be decrypted and is verified
+        OpenPgpMetadata result = decryptionStream.getResult();
+        assertTrue(result.isEncrypted());
+        assertTrue(result.isVerified());
+        assertTrue(result.containsVerifiedSignatureFrom(signFp));
+    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index b563e704..3a5b3b6a 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -76,7 +76,7 @@ public class DetachedVerifyImpl implements DetachedVerify {
                 verificationList.add(map(signatureVerification));
             }
 
-            if (!options.getCertificates().isEmpty()) {
+            if (!options.getCertificateSource().getExplicitCertificates().isEmpty()) {
                 if (verificationList.isEmpty()) {
                     throw new SOPGPException.NoSignature();
                 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 4948712c..82ed4282 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -74,7 +74,7 @@ public class InlineVerifyImpl implements InlineVerify {
                         verificationList.add(map(signatureVerification));
                     }
 
-                    if (!options.getCertificates().isEmpty()) {
+                    if (!options.getCertificateSource().getExplicitCertificates().isEmpty()) {
                         if (verificationList.isEmpty()) {
                             throw new SOPGPException.NoSignature();
                         }

From c19b8297a3fd09df528d03942f1396aa14de9738 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 29 Aug 2022 10:36:39 +0200
Subject: [PATCH 0795/1450] Add TODO for when bumping cert-d-java

---
 .../org/pgpainless/encryption_signing/EncryptionOptions.java    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 13131f08..8d7098d3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -258,6 +258,8 @@ public class EncryptionOptions {
             throws BadDataException, BadNameException, IOException {
         String fingerprint = certificateFingerprint.toString().toLowerCase();
         Certificate certificateRecord = certificateStore.getCertificate(fingerprint);
+        // TODO: getCertificate throws NSEE automatically in 0.2.2+
+        //  Remove if statement below when bumping
         if (certificateRecord == null) {
             throw new NoSuchElementException("Cannot find certificate '" + certificateFingerprint + "'");
         }

From 43e0f43bd9ff96744adcaa1239a7281b45cc3237 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 1 Sep 2022 11:44:27 +0200
Subject: [PATCH 0796/1450] Bump cert-d-java to 0.2.1 and cert-d-pgpainless to
 0.2.0

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 109e592e..eb20dc66 100644
--- a/version.gradle
+++ b/version.gradle
@@ -17,8 +17,8 @@ allprojects {
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
-        pgpainlessCertDVersion = '0.1.3-SNAPSHOT'
-        pgpCertDJavaVersion = '0.2.0'
+        pgpainlessCertDVersion = '0.2.0'
+        pgpCertDJavaVersion = '0.2.1'
         slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.7'
     }

From a7929528455c5587b4e3064167970ba6aabeac10 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 1 Sep 2022 13:29:53 +0200
Subject: [PATCH 0797/1450] Remove code to manually throw NSEE for missing
 certs

This is now done further down in the store itself
---
 .../org/pgpainless/encryption_signing/EncryptionOptions.java | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 8d7098d3..cf3b426a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -258,11 +258,6 @@ public class EncryptionOptions {
             throws BadDataException, BadNameException, IOException {
         String fingerprint = certificateFingerprint.toString().toLowerCase();
         Certificate certificateRecord = certificateStore.getCertificate(fingerprint);
-        // TODO: getCertificate throws NSEE automatically in 0.2.2+
-        //  Remove if statement below when bumping
-        if (certificateRecord == null) {
-            throw new NoSuchElementException("Cannot find certificate '" + certificateFingerprint + "'");
-        }
         PGPPublicKeyRing recipientCertificate = PGPainless.readKeyRing()
                 .publicKeyRing(certificateRecord.getInputStream());
         return addRecipient(recipientCertificate);

From d7e4fcaec6293881e2de3cb75fde9e8c7b5b38d5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 14:20:17 +0100
Subject: [PATCH 0798/1450] OpenPgpMessageInputStream: Source verification
 certs from ConsumerOptions.getCertificateSource()

---
 .../OpenPgpMessageInputStream.java                        | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 28440257..65c8dad5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -1018,11 +1018,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
 
         private PGPPublicKeyRing findCertificate(long keyId) {
-            for (PGPPublicKeyRing cert : options.getCertificates()) {
-                PGPPublicKey verificationKey = cert.getPublicKey(keyId);
-                if (verificationKey != null) {
-                    return cert;
-                }
+            PGPPublicKeyRing cert = options.getCertificateSource().getCertificate(keyId);
+            if (cert != null) {
+                return cert;
             }
 
             if (options.getMissingCertificateCallback() != null) {

From 3877410a65b0bb7c838417cb97403a4a056f535a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 11 Nov 2022 14:28:33 +0100
Subject: [PATCH 0799/1450] Update CHANGELOG

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cff696f1..6f19bc95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ SPDX-License-Identifier: CC0-1.0
   to do decryption using session keys. This enables decryption of messages
   without encrypted session key packets.
 - Use BCs `PGPEncryptedDataList.isIntegrityProtected()` to check for integrity protection
+- Depend on `pgp-certificate-store`
+- Add `ConsumerOptions.addVerificationCerts(PGPCertificateStore)` to allow sourcing certificates from
+  e.g. a [certificate store implementation](https://github.com/pgpainless/cert-d-java).
 
 ## 1.4.0-rc1
 - Reimplement message consumption via new `OpenPgpMessageInputStream`

From 90c3a015770cc9f2b1aa4bafd4fe8be873c5f79b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 14 Nov 2022 12:58:31 +0100
Subject: [PATCH 0800/1450] Add test to verify proper functionality of
 MatchMakingSecretKeyRingProtector

---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index 3d7980b0..5d635beb 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -233,4 +233,32 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         String verificationString = verificationsOut.toString();
         assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
     }
+
+    @Test
+    public void testUnlockKeyWithOneOfMultiplePasswords() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File wrong1 = writeFile("wrong_1", "BuzzAldr1n");
+        File correct = writeFile("correct", KEY_1_PASSWORD);
+        File wrong2 = writeFile("wrong_2", "NeilArmstr0ng");
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                key.getAbsolutePath(),
+                "--with-key-password", wrong1.getAbsolutePath(),
+                "--with-key-password", correct.getAbsolutePath(),
+                "--with-key-password", wrong2.getAbsolutePath()));
+
+        File cert = writeFile("cert.asc", CERT_1);
+        pipeStringToStdin(ciphertextOut.toString());
+        ByteArrayOutputStream msgOut = pipeStdoutToStream();
+        File verificationsFile = nonExistentFile("verifications");
+        assertSuccess(executeCommand("inline-verify",
+                "--verifications-out", verificationsFile.getAbsolutePath(),
+                cert.getAbsolutePath()));
+
+        assertEquals(MESSAGE, msgOut.toString());
+        String verificationString = readStringFromFile(verificationsFile);
+        assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
+    }
 }

From 093d786329bdd1ae38177dbf49b26677622fecc1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 21:27:22 +0100
Subject: [PATCH 0801/1450] Doc: Add section about indirect data types

---
 docs/source/pgpainless-cli/usage.md | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index 967bfc11..2045de6b 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -84,8 +84,24 @@ Exit Codes:
   61   Input file does not exist
   67   Cannot unlock password protected secret key
   69   Unsupported subcommand
-  71   Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+  71   Unsupported special prefix (e.g. "@ENV/@FD") of indirect parameter
   73   Ambiguous input (a filename matching the designator already exists)
   79   Key is not signing capable
 Powered by picocli
-```
\ No newline at end of file
+```
+
+## Indirect Data Types
+
+Some commands take options whose arguments are indirect data types. Those are arguments which are not used directly,
+but instead they point to a place where the argument value can be sourced from, such as a file, an environment variable
+or a file descriptor.
+
+It is important to keep in mind, that options like `--with-password` or `--with-key-password` are examples for such
+indirect data types. If you want to unlock a key whose password is `sw0rdf1sh`, you *cannot* provide the password
+like `--with-key-password sw0rdf1sh`, but instead you have to either write out the password into a file and provide
+the file's path (e.g. `--with-key-password /path/to/file`), store the password in an environment variable and pass that
+(e.g. `--with-key-password @ENV:myvar`), or provide a numbered file descriptor from which the password can be read
+(e.g. `--with-key-password @FD:4`).
+
+Note, that environment variables and file descriptors can only be used to pass input data to the program.
+For output parameters (e.g. `--verifications-out`) only file paths are allowed.

From b7478729b13b8792b34aa64cd144c64ceeab78d1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 21:47:46 +0100
Subject: [PATCH 0802/1450] Update man pages

Since commit 0e777de14f927ad4b265adfc5ba201be29b1bde1 in pgpainless/sop-java,
man page generation is reproducible.
This very commit adopts reproducible man pages for the first time
---
 pgpainless-cli/packaging/man/pgpainless-cli-armor.1    |  4 +---
 pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1  |  4 +---
 pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1  | 10 ++--------
 pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1  | 10 ++--------
 .../packaging/man/pgpainless-cli-extract-cert.1        |  4 +---
 .../packaging/man/pgpainless-cli-generate-completion.1 |  7 +++----
 .../packaging/man/pgpainless-cli-generate-key.1        | 10 ++--------
 pgpainless-cli/packaging/man/pgpainless-cli-help.1     |  7 +++----
 .../packaging/man/pgpainless-cli-inline-detach.1       |  4 +---
 .../packaging/man/pgpainless-cli-inline-sign.1         | 10 ++--------
 .../packaging/man/pgpainless-cli-inline-verify.1       | 10 ++--------
 pgpainless-cli/packaging/man/pgpainless-cli-sign.1     | 10 ++--------
 pgpainless-cli/packaging/man/pgpainless-cli-verify.1   |  4 +---
 pgpainless-cli/packaging/man/pgpainless-cli-version.1  |  4 +---
 pgpainless-cli/packaging/man/pgpainless-cli.1          |  7 +++----
 15 files changed, 27 insertions(+), 78 deletions(-)

diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-armor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
index d85b6bf9..c34cf923 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-armor.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-armor
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-ARMOR" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-ARMOR" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -43,5 +42,4 @@ Label to be used in the header and tail of the armoring
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1 b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
index 98fae5ea..19ef25f1 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-dearmor.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-dearmor
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-DEARMOR" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-DEARMOR" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -38,5 +37,4 @@ pgpainless\-cli\-dearmor \- Remove ASCII Armor from standard input
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
index 400adcff..17d59134 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-decrypt
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-DECRYPT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-DECRYPT" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -65,12 +64,7 @@ Defaults to beginning of time (\(aq\-\(aq).
 Can be used to learn the session key on successful decryption
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP
+\fB\-\-stacktrace\fP, \fB\-\-verify\-out, \-\-verifications\-out\fP=\fIVERIFICATIONS\fP
 .RS 4
 Emits signature verification status to the designated output
 .RE
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
index 5cb9495b..f1d804d0 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-encrypt
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-ENCRYPT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-ENCRYPT" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -53,12 +52,7 @@ ASCII armor the output
 Sign the output with a private key
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+\fB\-\-stacktrace\fP, \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1 b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
index 0482c183..dcaf6e71 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-extract-cert.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-extract-cert
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-EXTRACT\-CERT" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-EXTRACT\-CERT" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -43,5 +42,4 @@ ASCII armor the output
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
index 637b1231..5ab3d673 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-generate-completion
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: generate-completion 4.6.3
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-GENERATE\-COMPLETION" "1" "2022-11-06" "generate\-completion 4.6.3" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-GENERATE\-COMPLETION" "1" "" "generate\-completion 4.6.3" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -51,7 +50,7 @@ Show this help message and exit.
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
+Print stacktrace
 .RE
 .sp
 \fB\-V\fP, \fB\-\-version\fP
@@ -142,7 +141,7 @@ Unsupported subcommand
 .sp
 \fB71\fP
 .RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+Unsupported special prefix (e.g. "@ENV/@FD") of indirect parameter
 .RE
 .sp
 \fB73\fP
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
index ef950df9..96b069f3 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-generate-key
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-GENERATE\-KEY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-GENERATE\-KEY" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -42,12 +41,7 @@ pgpainless\-cli\-generate\-key \- Generate a secret key
 ASCII armor the output
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+\fB\-\-stacktrace\fP, \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Password to protect the private key with
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-help.1 b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
index 67ef1ce6..6152fc87 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-help.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-help
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-HELP" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-HELP" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -45,7 +44,7 @@ Show usage help for the help command and exit.
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
+Print stacktrace
 .RE
 .SH "ARGUMENTS"
 .sp
@@ -137,7 +136,7 @@ Unsupported subcommand
 .sp
 \fB71\fP
 .RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+Unsupported special prefix (e.g. "@ENV/@FD") of indirect parameter
 .RE
 .sp
 \fB73\fP
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
index 3d356293..c5d9d983 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-detach.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-inline-detach
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-DETACH" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-DETACH" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -48,5 +47,4 @@ Destination to which a detached signatures block will be written
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
index 3f653b40..7deb568c 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-inline-sign
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-SIGN" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-SIGN" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -56,12 +55,7 @@ If \(aq\-\-as=text\(aq and the input data is not valid UTF\-8, inline\-sign fail
 ASCII armor the output
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+\fB\-\-stacktrace\fP, \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
index 73f8316d..d97f274d 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-verify.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-inline-verify
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-INLINE\-VERIFY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-INLINE\-VERIFY" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -57,12 +56,7 @@ Reject signatures with a creation date not in range.
 Defaults to beginning of time ("\-").
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-verifications\-out\fP=\fI\fP
+\fB\-\-stacktrace\fP, \fB\-\-verifications\-out\fP=\fI\fP
 .RS 4
 File to write details over successful verifications to
 .RE
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
index 3c63dccf..6519e0ec 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-sign
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-SIGN" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-SIGN" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -56,12 +55,7 @@ Emits the digest algorithm used to the specified file in a way that can be used
 ASCII armor the output
 .RE
 .sp
-\fB\-\-stacktrace\fP
-.RS 4
-Print Stacktrace
-.RE
-.sp
-\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
+\fB\-\-stacktrace\fP, \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Passphrase to unlock the secret key(s).
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
index a07ef2d7..5cf0020c 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-verify
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-VERIFY" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-VERIFY" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -48,7 +47,6 @@ Defaults to beginning of time ("\-").
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
 .SH "ARGUMENTS"
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-version.1 b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
index 9e80f4b3..003e549f 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-version.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli-version
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI\-VERSION" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI\-VERSION" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -48,5 +47,4 @@ Print an extended version string
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli.1 b/pgpainless-cli/packaging/man/pgpainless-cli.1
index 14bd9fb9..686f728f 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli.1
@@ -2,12 +2,11 @@
 .\"     Title: pgpainless-cli
 .\"    Author: [see the "AUTHOR(S)" section]
 .\" Generator: Asciidoctor 2.0.10
-.\"      Date: 2022-11-06
 .\"    Manual: PGPainless-CLI Manual
 .\"    Source: 
 .\"  Language: English
 .\"
-.TH "PGPAINLESS\-CLI" "1" "2022-11-06" "" "PGPainless\-CLI Manual"
+.TH "PGPAINLESS\-CLI" "1" "" "" "PGPainless\-CLI Manual"
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .ss \n[.ss] 0
@@ -38,7 +37,7 @@ pgpainless\-cli \- Stateless OpenPGP Protocol
 .sp
 \fB\-\-stacktrace\fP
 .RS 4
-Print Stacktrace
+Print stacktrace
 .RE
 .SH "COMMANDS"
 .sp
@@ -195,7 +194,7 @@ Unsupported subcommand
 .sp
 \fB71\fP
 .RS 4
-Unsupported special prefix (e.g. "@env/@fd") of indirect parameter
+Unsupported special prefix (e.g. "@ENV/@FD") of indirect parameter
 .RE
 .sp
 \fB73\fP

From bfeed54ede095bfa70b394340edf21b277bce7ee Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 21:52:02 +0100
Subject: [PATCH 0803/1450] Docs: Update output of pgpainless-cli help command

---
 docs/source/pgpainless-cli/usage.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index 2045de6b..9d3f6d93 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -49,7 +49,10 @@ Hereafter, the program will be referred to as `pgpainless-cli`.
 ```
 $ pgpainless-cli help
 Stateless OpenPGP Protocol
-Usage: pgpainless-cli [COMMAND]
+Usage: pgpainless-cli [--stacktrace] [COMMAND]
+
+Options:
+      --stacktrace   Print Stacktrace
 
 Commands:
   help           Display usage information for the specified subcommand
@@ -68,7 +71,7 @@ Commands:
   version        Display version information about the tool
 
 Exit Codes:
-   0   Successful program execution.
+   0   Successful program execution
    1   Generic program error
    3   Verification requested but no verifiable signature found
   13   Unsupported asymmetric algorithm
@@ -87,7 +90,6 @@ Exit Codes:
   71   Unsupported special prefix (e.g. "@ENV/@FD") of indirect parameter
   73   Ambiguous input (a filename matching the designator already exists)
   79   Key is not signing capable
-Powered by picocli
 ```
 
 ## Indirect Data Types

From 38a2162d6a2db64fe21f81ea9155f4e55e1ead96 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 22:07:20 +0100
Subject: [PATCH 0804/1450] Docs: Document generation/updating of man pages

---
 docs/source/pgpainless-cli/usage.md | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index 9d3f6d93..dd56c8b1 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -42,6 +42,36 @@ $ gradle installDist
 Afterwards, an uncompressed distributable is installed in `build/install/`.
 To execute the application, you can call `build/install/bin/pgpainless-cli{.bat}`
 
+Building / updating man pages is a two-step process.
+The contents of the man pages is largely defined by the `sop-java-picocli` source code.
+
+In order to generate a fresh set of man pages from the `sop-java-picocli` source, you need to clone that repository
+next to the `pgpainless` repository:
+```shell
+$ ls
+pgpainless
+$ git clone https://github.com/pgpainless/sop-java.git
+$ ls
+pgpainless  sop-java
+```
+
+Next, you need to execute the `asciiDoctor` gradle task inside the sop-java repository:
+```shell
+$ cd sop-java
+$ gradle asciiDoctor
+```
+
+This will generate generic sop manpages in `sop-java-picocli/build/docs/manpage/`.
+
+Next, you need to execute a script for converting the `sop` manpages to fit the `pgpainless-cli` command with the help
+of a script in the `pgpainless` repository:
+```shell
+$ cd ../pgpainless/pgpainless-cli
+$ ./rewriteManPages.sh
+```
+
+The resulting updated man pages are placed in `packaging/man/`.
+
 ## Usage
 
 Hereafter, the program will be referred to as `pgpainless-cli`.

From 936a3f654fa13886e3f625cd538d2e5dd2fd9d80 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 22:28:18 +0100
Subject: [PATCH 0805/1450] Docs: Add usage examples for pgpainless-cli

---
 docs/source/pgpainless-cli/usage.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/source/pgpainless-cli/usage.md b/docs/source/pgpainless-cli/usage.md
index dd56c8b1..4bc1d166 100644
--- a/docs/source/pgpainless-cli/usage.md
+++ b/docs/source/pgpainless-cli/usage.md
@@ -122,6 +122,24 @@ Exit Codes:
   79   Key is not signing capable
 ```
 
+To get help on a subcommand, e.g. `encrypt`, just call the help subcommand followed by the subcommand you
+are interested in (e.g. `pgpainless-cli help encrypt`).
+
+## Examples
+```shell
+$ # Generate a key
+$ pgpainless-cli generate-key "Alice " > key.asc
+$ # Extract a certificate from a key
+$ cat key.asc | pgpainless-cli extract-cert > cert.asc
+$ # Create an encrypted signed message
+$ echo "Hello, World!" | pgpainless-cli encrypt cert.asc --sign-with key.asc > msg.asc
+$ # Decrypt an encrypted message and verify the signature
+$ cat msg.asc | pgpainless-cli decrypt key.asc --verify-with cert.asc --verifications-out verifications.txt
+Hello, World!
+$ cat verifications.txt
+2022-11-15T21:25:48Z 4FF67C69150209ED8139DE22578CB2FABD5D7897 9000235358B8CEA6A368EC86DE56DC2D942ACAA4
+```
+
 ## Indirect Data Types
 
 Some commands take options whose arguments are indirect data types. Those are arguments which are not used directly,

From 847d4b5e3327772bd67de33e9776f0c128591453 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 16:05:29 +0100
Subject: [PATCH 0806/1450] Update SECURITY.md

---
 SECURITY.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 59e9adbf..fad439b5 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,11 +12,12 @@ SPDX-License-Identifier: Apache-2.0
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
-| Version | Supported          |
-|---------| ------------------ |
-| 1.1.X   | :white_check_mark: |
-| 1.0.X   | :white_check_mark: |
-| < 1.0.0 | :x:                |
+| Version  | Supported          |
+|----------|--------------------|
+| 1.4.X-rc | :white_check_mark: |
+| 1.3.X    | :white_check_mark: |
+| 1.2.X    | :white_check_mark: |
+| < 1.2.0  | :x:                |
 
 ## Reporting a Vulnerability
 

From 03d04fb324672c1532488a7faba62c1a17007dc6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 16:29:24 +0100
Subject: [PATCH 0807/1450] Tests: Replace usages of default algorithm policies
 with specific policies

---
 .../encryption_signing/EncryptDecryptTest.java  |  4 ++--
 .../org/pgpainless/example/ManagePolicy.java    | 17 +++++++++--------
 .../generation/GeneratingWeakKeyThrowsTest.java | 10 ++++++----
 .../modification/RefuseToAddWeakSubkeyTest.java |  4 ++--
 .../java/org/pgpainless/policy/PolicyTest.java  |  2 +-
 5 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
index 88a2c38b..216d0c65 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
@@ -66,9 +66,9 @@ public class EncryptDecryptTest {
     @BeforeEach
     public void setDefaultPolicy() {
         PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy(
-                Policy.SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyEncryptionAlgorithmPolicy());
+                Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022());
         PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy(
-                Policy.SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyDecryptionAlgorithmPolicy());
+                Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022());
     }
 
     @TestTemplate
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
index fa2759dc..711de225 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
@@ -44,22 +44,22 @@ public class ManagePolicy {
     public void resetPolicy() {
         // Policy for hash algorithms in non-revocation signatures
         PGPainless.getPolicy().setSignatureHashAlgorithmPolicy(
-                Policy.HashAlgorithmPolicy.defaultSignatureAlgorithmPolicy());
+                Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy());
         // Policy for hash algorithms in revocation signatures
         PGPainless.getPolicy().setRevocationSignatureHashAlgorithmPolicy(
-                Policy.HashAlgorithmPolicy.defaultRevocationSignatureHashAlgorithmPolicy());
+                Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy());
         // Policy for public key algorithms and bit lengths
         PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(
-                Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+                Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
         // Policy for acceptable symmetric encryption algorithms when decrypting messages
         PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy(
-                Policy.SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyDecryptionAlgorithmPolicy());
+                Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022());
         // Policy for acceptable symmetric encryption algorithms when encrypting messages
         PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy(
-                Policy.SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyEncryptionAlgorithmPolicy());
+                Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022());
         // Policy for acceptable compression algorithms
         PGPainless.getPolicy().setCompressionAlgorithmPolicy(
-                Policy.CompressionAlgorithmPolicy.defaultCompressionAlgorithmPolicy());
+                Policy.CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy());
         // Known notations
         PGPainless.getPolicy().getNotationRegistry().clear();
     }
@@ -73,7 +73,7 @@ public class ManagePolicy {
      *
      * Per default, PGPainless will reject non-revocation signatures that use SHA-1 as hash algorithm.
      * To inspect PGPainless' default signature hash algorithm policy, see
-     * {@link Policy.HashAlgorithmPolicy#defaultSignatureAlgorithmPolicy()}.
+     * {@link Policy.HashAlgorithmPolicy#static2022SignatureHashAlgorithmPolicy()}.
      *
      * Since it may be a valid use-case to accept signatures made using SHA-1 as part of a less strict policy,
      * this example demonstrates how to set a custom signature hash algorithm policy.
@@ -108,7 +108,8 @@ public class ManagePolicy {
     /**
      * Similar to hash algorithms, {@link PublicKeyAlgorithm PublicKeyAlgorithms} tend to get outdated eventually.
      * Per default, PGPainless will reject signatures made by keys of unacceptable algorithm or length.
-     * See {@link Policy.PublicKeyAlgorithmPolicy#defaultPublicKeyAlgorithmPolicy()} to inspect PGPainless' defaults.
+     * See {@link Policy.PublicKeyAlgorithmPolicy#bsi2021PublicKeyAlgorithmPolicy()}
+     * to inspect PGPainless' defaults.
      *
      * This example demonstrates how to set a custom public key algorithm policy.
      */
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java
index aa79add5..6fbf0572 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java
@@ -26,7 +26,7 @@ public class GeneratingWeakKeyThrowsTest {
     public void refuseToGenerateWeakPrimaryKeyTest() {
         // ensure we have default public key algorithm policy set
         PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(
-                Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+                Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
 
         assertThrows(IllegalArgumentException.class, () ->
                 PGPainless.buildKeyRing()
@@ -38,7 +38,7 @@ public class GeneratingWeakKeyThrowsTest {
     public void refuseToAddWeakSubkeyDuringGenerationTest() {
         // ensure we have default public key algorithm policy set
         PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(
-                Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+                Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
 
         KeyRingBuilder kb = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096),
@@ -50,7 +50,8 @@ public class GeneratingWeakKeyThrowsTest {
     }
 
     @Test
-    public void allowToAddWeakKeysWithWeakPolicy() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+    public void allowToAddWeakKeysWithWeakPolicy()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         // set a weak algorithm policy
         Map bitStrengths = new HashMap<>();
         bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512);
@@ -67,6 +68,7 @@ public class GeneratingWeakKeyThrowsTest {
                 .build();
 
         // reset public key algorithm policy
-        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(
+                Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
index 2570837f..73c5953c 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
@@ -34,7 +34,7 @@ public class RefuseToAddWeakSubkeyTest {
     public void testEditorRefusesToAddWeakSubkey()
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         // ensure default policy is set
-        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
 
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .modernKeyRing("Alice");
@@ -84,6 +84,6 @@ public class RefuseToAddWeakSubkeyTest {
         assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size());
 
         // reset default policy
-        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+        PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
index 4e3cb51e..aa7078e4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
@@ -56,7 +56,7 @@ public class PolicyTest {
         policy.setRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512,
                 revHashAlgoMap));
 
-        policy.setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
+        policy.setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
     }
 
     @Test

From e976cc6dd244ce61b165984a46f24f1f061e55bc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 15 Nov 2022 16:46:17 +0100
Subject: [PATCH 0808/1450] Move getResult() method around

---
 .../OpenPgpMessageInputStream.java            | 54 +++++++++----------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 65c8dad5..a73b5154 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -799,6 +799,33 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return new MessageMetadata((MessageMetadata.Message) metadata);
     }
 
+    @Override
+    public OpenPgpMetadata getResult() {
+        MessageMetadata m = getMetadata();
+        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
+        resultBuilder.setModificationDate(m.getModificationDate());
+        resultBuilder.setFileName(m.getFilename());
+        resultBuilder.setFileEncoding(m.getFormat());
+        resultBuilder.setSessionKey(m.getSessionKey());
+        resultBuilder.setDecryptionKey(m.getDecryptionKey());
+
+        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
+            resultBuilder.addVerifiedDetachedSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
+            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
+            resultBuilder.addVerifiedInbandSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
+            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        return resultBuilder.build();
+    }
+
     private static class SortedESKs {
 
         private final List skesks = new ArrayList<>();
@@ -832,33 +859,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         }
     }
 
-    @Override
-    public OpenPgpMetadata getResult() {
-        MessageMetadata m = getMetadata();
-        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
-        resultBuilder.setModificationDate(m.getModificationDate());
-        resultBuilder.setFileName(m.getFilename());
-        resultBuilder.setFileEncoding(m.getFormat());
-        resultBuilder.setSessionKey(m.getSessionKey());
-        resultBuilder.setDecryptionKey(m.getDecryptionKey());
-
-        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
-            resultBuilder.addVerifiedDetachedSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
-            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
-            resultBuilder.addVerifiedInbandSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
-            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        return resultBuilder.build();
-    }
-
     // In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
     // In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
     // Therefore, we need to handle the innermost signature layer differently when updating with Literal data.

From 3023d532e3a36e793538380915b7e0b81716fa5d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 15:32:15 +0100
Subject: [PATCH 0809/1450] Make DecryptionStream.getMetadata() first-class,
 deprecate getResult()

---
 .../CloseForResultInputStream.java            | 39 -------------------
 .../DecryptionStream.java                     | 12 ++++--
 .../MessageMetadata.java                      | 35 +++++++++++++++++
 .../OpenPgpMessageInputStream.java            | 33 ++--------------
 4 files changed, 46 insertions(+), 73 deletions(-)
 delete mode 100644 pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java
deleted file mode 100644
index ba895a08..00000000
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CloseForResultInputStream.java
+++ /dev/null
@@ -1,39 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.decryption_verification;
-
-import java.io.IOException;
-import java.io.InputStream;
-import javax.annotation.Nonnull;
-
-public abstract class CloseForResultInputStream extends InputStream {
-
-    protected final OpenPgpMetadata.Builder resultBuilder;
-    private boolean isClosed = false;
-
-    public CloseForResultInputStream(@Nonnull OpenPgpMetadata.Builder resultBuilder) {
-        this.resultBuilder = resultBuilder;
-    }
-
-    @Override
-    public void close() throws IOException {
-        this.isClosed = true;
-    }
-
-    /**
-     * Return the result of the decryption.
-     * The result contains metadata about the decryption, such as signatures, used keys and algorithms, as well as information
-     * about the decrypted file/stream.
-     *
-     * Can only be obtained once the stream got successfully closed ({@link #close()}).
-     * @return metadata
-     */
-    public OpenPgpMetadata getResult() {
-        if (!isClosed) {
-            throw new IllegalStateException("Stream MUST be closed before the result can be accessed.");
-        }
-        return resultBuilder.build();
-    }
-}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
index 0f221ad7..e3a51bb9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
@@ -4,10 +4,14 @@
 
 package org.pgpainless.decryption_verification;
 
-import javax.annotation.Nonnull;
+import java.io.InputStream;
 
-public abstract class DecryptionStream extends CloseForResultInputStream {
-    public DecryptionStream(@Nonnull OpenPgpMetadata.Builder resultBuilder) {
-        super(resultBuilder);
+public abstract class DecryptionStream extends InputStream {
+
+    public abstract MessageMetadata getMetadata();
+
+    @Deprecated
+    public OpenPgpMetadata getResult() {
+        return getMetadata().toLegacyMetadata();
     }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 7811578e..26439b40 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -300,9 +300,16 @@ public class MessageMetadata {
 
     public static class Message extends Layer {
 
+        protected boolean cleartextSigned;
+
         public Message() {
             super(0);
         }
+
+        public boolean isCleartextSigned() {
+            return cleartextSigned;
+        }
+
     }
 
     public static class LiteralData implements Nested {
@@ -453,4 +460,32 @@ public class MessageMetadata {
         abstract O getProperty(Layer last);
     }
 
+    public OpenPgpMetadata toLegacyMetadata() {
+        OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
+        resultBuilder.setCompressionAlgorithm(getCompressionAlgorithm());
+        resultBuilder.setModificationDate(getModificationDate());
+        resultBuilder.setFileName(getFilename());
+        resultBuilder.setFileEncoding(getFormat());
+        resultBuilder.setSessionKey(getSessionKey());
+        resultBuilder.setDecryptionKey(getDecryptionKey());
+
+        for (SignatureVerification accepted : getVerifiedDetachedSignatures()) {
+            resultBuilder.addVerifiedDetachedSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : getRejectedDetachedSignatures()) {
+            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        for (SignatureVerification accepted : getVerifiedInlineSignatures()) {
+            resultBuilder.addVerifiedInbandSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : getRejectedInlineSignatures()) {
+            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+        if (message.isCleartextSigned()) {
+            resultBuilder.setCleartextSigned();
+        }
+
+        return resultBuilder.build();
+    }
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a73b5154..a820dca5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -156,6 +156,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         if (openPgpIn.isAsciiArmored()) {
             ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
             if (armorIn.isClearText()) {
+                ((MessageMetadata.Message) metadata).cleartextSigned = true;
                 return new OpenPgpMessageInputStream(Type.cleartext_signed,
                         armorIn, options, metadata, policy);
             } else {
@@ -173,7 +174,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                                         @Nonnull MessageMetadata.Layer metadata,
                                         @Nonnull Policy policy)
             throws PGPException, IOException {
-        super(OpenPgpMetadata.getBuilder());
+        super();
 
         this.policy = policy;
         this.options = options;
@@ -203,7 +204,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                                         @Nonnull ConsumerOptions options,
                                         @Nonnull MessageMetadata.Layer metadata,
                                         @Nonnull Policy policy) throws PGPException, IOException {
-        super(OpenPgpMetadata.getBuilder());
+        super();
         this.policy = policy;
         this.options = options;
         this.metadata = metadata;
@@ -226,7 +227,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
             // Cleartext Signature Framework (probably signed message)
             case cleartext_signed:
-                resultBuilder.setCleartextSigned();
                 MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
                 PGPSignatureList detachedSignatures = ClearsignedMessageUtil
                         .detachSignaturesFromInbandClearsignedMessage(
@@ -799,33 +799,6 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return new MessageMetadata((MessageMetadata.Message) metadata);
     }
 
-    @Override
-    public OpenPgpMetadata getResult() {
-        MessageMetadata m = getMetadata();
-        resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
-        resultBuilder.setModificationDate(m.getModificationDate());
-        resultBuilder.setFileName(m.getFilename());
-        resultBuilder.setFileEncoding(m.getFormat());
-        resultBuilder.setSessionKey(m.getSessionKey());
-        resultBuilder.setDecryptionKey(m.getDecryptionKey());
-
-        for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
-            resultBuilder.addVerifiedDetachedSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
-            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
-            resultBuilder.addVerifiedInbandSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
-            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        return resultBuilder.build();
-    }
-
     private static class SortedESKs {
 
         private final List skesks = new ArrayList<>();

From 33d9a784bb34da7b68200cfc4d3714fcf13aed03 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:20:43 +0100
Subject: [PATCH 0810/1450] Add javadoc to MEssageMetadata class

---
 .../MessageMetadata.java                      | 368 +++++++++++++++---
 1 file changed, 312 insertions(+), 56 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 26439b40..1bf22b47 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -19,6 +19,9 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.NoSuchElementException;
 
+/**
+ * View for extracting metadata about a {@link Message}.
+ */
 public class MessageMetadata {
 
     protected Message message;
@@ -27,6 +30,57 @@ public class MessageMetadata {
         this.message = message;
     }
 
+    /**
+     * Convert this {@link MessageMetadata} object into a legacy {@link OpenPgpMetadata} object.
+     * This method is intended to be used for a transition period between the 1.3 / 1.4+ branches.
+     * TODO: Remove in 1.5.X
+     *
+     * @return converted {@link OpenPgpMetadata} object
+     */
+    public @Nonnull OpenPgpMetadata toLegacyMetadata() {
+        OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
+        resultBuilder.setCompressionAlgorithm(getCompressionAlgorithm());
+        Date modDate = getModificationDate();
+        if (modDate != null) {
+            resultBuilder.setModificationDate(modDate);
+        }
+        String fileName = getFilename();
+        if (fileName != null) {
+            resultBuilder.setFileName(fileName);
+        }
+        StreamEncoding encoding = getFormat();
+        if (encoding != null) {
+            resultBuilder.setFileEncoding(encoding);
+        }
+        resultBuilder.setSessionKey(getSessionKey());
+        resultBuilder.setDecryptionKey(getDecryptionKey());
+
+        for (SignatureVerification accepted : getVerifiedDetachedSignatures()) {
+            resultBuilder.addVerifiedDetachedSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : getRejectedDetachedSignatures()) {
+            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+
+        for (SignatureVerification accepted : getVerifiedInlineSignatures()) {
+            resultBuilder.addVerifiedInbandSignature(accepted);
+        }
+        for (SignatureVerification.Failure rejected : getRejectedInlineSignatures()) {
+            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
+        }
+        if (message.isCleartextSigned()) {
+            resultBuilder.setCleartextSigned();
+        }
+
+        return resultBuilder.build();
+    }
+
+    /**
+     * Return the {@link SymmetricKeyAlgorithm} of the outermost encrypted data packet, or null if message is
+     * unencrypted.
+     *
+     * @return encryption algorithm
+     */
     public @Nullable SymmetricKeyAlgorithm getEncryptionAlgorithm() {
         Iterator algorithms = getEncryptionAlgorithms();
         if (algorithms.hasNext()) {
@@ -35,6 +89,14 @@ public class MessageMetadata {
         return null;
     }
 
+    /**
+     * Return an {@link Iterator} of {@link SymmetricKeyAlgorithm SymmetricKeyAlgorithms} encountered in the message.
+     * The first item returned by the iterator is the algorithm of the outermost encrypted data packet, the next item
+     * that of the next nested encrypted data packet and so on.
+     * The iterator might also be empty, in case of an unencrypted message.
+     *
+     * @return iterator of symmetric encryption algorithms
+     */
     public @Nonnull Iterator getEncryptionAlgorithms() {
         return new LayerIterator(message) {
             @Override
@@ -49,6 +111,12 @@ public class MessageMetadata {
         };
     }
 
+    /**
+     * Return the {@link CompressionAlgorithm} of the outermost compressed data packet, or null, if the message
+     * does not contain any compressed data packets.
+     *
+     * @return compression algorithm
+     */
     public @Nullable CompressionAlgorithm getCompressionAlgorithm() {
         Iterator algorithms = getCompressionAlgorithms();
         if (algorithms.hasNext()) {
@@ -57,6 +125,14 @@ public class MessageMetadata {
         return null;
     }
 
+    /**
+     * Return an {@link Iterator} of {@link CompressionAlgorithm CompressionAlgorithms} encountered in the message.
+     * The first item returned by the iterator is the algorithm of the outermost compressed data packet, the next
+     * item that of the next nested compressed data packet and so on.
+     * The iterator might also be empty, in case of a message without any compressed data packets.
+     *
+     * @return iterator of compression algorithms
+     */
     public @Nonnull Iterator getCompressionAlgorithms() {
         return new LayerIterator(message) {
             @Override
@@ -71,6 +147,12 @@ public class MessageMetadata {
         };
     }
 
+    /**
+     * Return the {@link SessionKey} of the outermost encrypted data packet.
+     * If the message was unencrypted, this method returns 
null
.
+     *
+     * @return session key of the message
+     */
     public @Nullable SessionKey getSessionKey() {
         Iterator sessionKeys = getSessionKeys();
         if (sessionKeys.hasNext()) {
@@ -79,6 +161,14 @@ public class MessageMetadata {
         return null;
     }
 
+    /**
+     * Return an {@link Iterator} of {@link SessionKey SessionKeys} for all encrypted data packets in the message.
+     * The first item returned by the iterator is the session key of the outermost encrypted data packet,
+     * the next item that of the next nested encrypted data packet and so on.
+     * The iterator might also be empty, in case of an unencrypted message.
+     *
+     * @return iterator of session keys
+     */
     public @Nonnull Iterator getSessionKeys() {
         return new LayerIterator(message) {
             @Override
@@ -93,14 +183,31 @@ public class MessageMetadata {
         };
     }
 
-    public List getVerifiedDetachedSignatures() {
-        return new ArrayList<>(message.verifiedDetachedSignatures);
+    /**
+     * Return a list of all verified detached signatures.
+     * This list contains all acceptable, correct detached signatures.
+     *
+     * @return verified detached signatures
+     */
+    public @Nonnull List getVerifiedDetachedSignatures() {
+        return message.getVerifiedDetachedSignatures();
     }
 
-    public List getRejectedDetachedSignatures() {
-        return new ArrayList<>(message.rejectedDetachedSignatures);
+    /**
+     * Return a list of all rejected detached signatures.
+     *
+     * @return rejected detached signatures
+     */
+    public @Nonnull List getRejectedDetachedSignatures() {
+        return message.getRejectedDetachedSignatures();
     }
 
+    /**
+     * Return a list of all verified inline-signatures.
+     * This list contains all acceptable, correct signatures that were part of the message itself.
+     *
+     * @return verified inline signatures
+     */
     public @Nonnull List getVerifiedInlineSignatures() {
         List verifications = new ArrayList<>();
         Iterator> verificationsByLayer = getVerifiedInlineSignaturesByLayer();
@@ -110,6 +217,16 @@ public class MessageMetadata {
         return verifications;
     }
 
+    /**
+     * Return an {@link Iterator} of {@link List Lists} of verified inline-signatures of the message.
+     * Since signatures might occur in different layers within a message, this method can be used to gain more detailed
+     * insights into what signatures were encountered at what layers of the message structure.
+     * Each item of the {@link Iterator} represents a layer of the message and contains only signatures from
+     * this layer.
+     * An empty list means no (or no acceptable) signatures were encountered in that layer.
+     *
+     * @return iterator of lists of signatures by-layer.
+     */
     public @Nonnull Iterator> getVerifiedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
@@ -132,6 +249,11 @@ public class MessageMetadata {
         };
     }
 
+    /**
+     * Return a list of all rejected inline-signatures of the message.
+     *
+     * @return list of rejected inline-signatures
+     */
     public @Nonnull List getRejectedInlineSignatures() {
         List rejected = new ArrayList<>();
         Iterator> rejectedByLayer = getRejectedInlineSignaturesByLayer();
@@ -141,6 +263,12 @@ public class MessageMetadata {
         return rejected;
     }
 
+    /**
+     * Similar to {@link #getVerifiedInlineSignaturesByLayer()}, this method returns all rejected inline-signatures
+     * of the message, but organized by layer.
+     *
+     * @return rejected inline-signatures by-layer
+     */
     public @Nonnull Iterator> getRejectedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
@@ -163,7 +291,16 @@ public class MessageMetadata {
         };
     }
 
-    public String getFilename() {
+    /**
+     * Return the value of the literal data packet's filename field.
+     * This value can be used to store a decrypted file under its original filename,
+     * but since this field is not necessarily part of the signed data of a message, usage of this field is
+     * discouraged.
+     *
+     * @return filename
+     * @see RFC4880 §5.9. Literal Data Packet
+     */
+    public @Nullable String getFilename() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
             return null;
@@ -171,7 +308,15 @@ public class MessageMetadata {
         return literalData.getFileName();
     }
 
-    public Date getModificationDate() {
+    /**
+     * Return the value of the literal data packets modification date field.
+     * This value can be used to restore the modification date of a decrypted file,
+     * but since this field is not necessarily part of the signed data, its use is discouraged.
+     *
+     * @return modification date
+     * @see RFC4880 §5.9. Literal Data Packet
+     */
+    public @Nullable Date getModificationDate() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
             return null;
@@ -179,7 +324,15 @@ public class MessageMetadata {
         return literalData.getModificationDate();
     }
 
-    public StreamEncoding getFormat() {
+    /**
+     * Return the value of the format field of the literal data packet.
+     * This value indicates what format (text, binary data, ...) the data has.
+     * Since this field is not necessarily part of the signed data of a message, its usage is discouraged.
+     *
+     * @return format
+     * @see RFC4880 §5.9. Literal Data Packet
+     */
+    public @Nullable StreamEncoding getFormat() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
             return null;
@@ -187,19 +340,33 @@ public class MessageMetadata {
         return literalData.getFormat();
     }
 
-    private LiteralData findLiteralData() {
-        Nested nested = message.child;
+    /**
+     * Find the {@link LiteralData} layer of an OpenPGP message.
+     * Usually, every message has a literal data packet, but for malformed messages this method might still
+     * return 
null
.
+     *
+     * @return literal data
+     */
+    private @Nullable LiteralData findLiteralData() {
+        Nested nested = message.getChild();
         if (nested == null) {
             return null;
         }
 
-        while (nested.hasNestedChild()) {
+        while (nested != null && nested.hasNestedChild()) {
             Layer layer = (Layer) nested;
-            nested = layer.child;
+            nested = layer.getChild();
         }
         return (LiteralData) nested;
     }
 
+    /**
+     * Return the {@link SubkeyIdentifier} of the decryption key that was used to decrypt the outermost encryption
+     * layer.
+     * If the message was unencrypted, this might return 
null
.
+     *
+     * @return decryption key
+     */
     public SubkeyIdentifier getDecryptionKey() {
         Iterator iterator = new LayerIterator(message) {
             @Override
@@ -236,58 +403,130 @@ public class MessageMetadata {
             }
         }
 
-        public Nested getChild() {
+        /**
+         * Return the nested child element of this layer.
+         * Might return 
null
, if this layer does not have a child element
+         * (e.g. if this is a {@link LiteralData} packet).
+         *
+         * @return child element
+         */
+        public @Nullable Nested getChild() {
             return child;
         }
 
-        public void setChild(Nested child) {
+        /**
+         * Set the nested child element for this layer.
+         *
+         * @param child child element
+         */
+        void setChild(Nested child) {
             this.child = child;
         }
 
+        /**
+         * Return a list of all verified detached signatures of this layer.
+         *
+         * @return all verified detached signatures of this layer
+         */
         public List getVerifiedDetachedSignatures() {
             return new ArrayList<>(verifiedDetachedSignatures);
         }
 
+        /**
+         * Return a list of all rejected detached signatures of this layer.
+         *
+         * @return all rejected detached signatures of this layer
+         */
         public List getRejectedDetachedSignatures() {
             return new ArrayList<>(rejectedDetachedSignatures);
         }
 
+        /**
+         * Add a verified detached signature for this layer.
+         *
+         * @param signatureVerification verified detached signature
+         */
         void addVerifiedDetachedSignature(SignatureVerification signatureVerification) {
             verifiedDetachedSignatures.add(signatureVerification);
         }
 
+        /**
+         * Add a rejected detached signature for this layer.
+         *
+         * @param failure rejected detached signature
+         */
         void addRejectedDetachedSignature(SignatureVerification.Failure failure) {
             rejectedDetachedSignatures.add(failure);
         }
 
+        /**
+         * Return a list of all verified one-pass-signatures of this layer.
+         *
+         * @return all verified one-pass-signatures of this layer
+         */
         public List getVerifiedOnePassSignatures() {
             return new ArrayList<>(verifiedOnePassSignatures);
         }
 
+        /**
+         * Return a list of all rejected one-pass-signatures of this layer.
+         *
+         * @return all rejected one-pass-signatures of this layer
+         */
         public List getRejectedOnePassSignatures() {
             return new ArrayList<>(rejectedOnePassSignatures);
         }
 
+        /**
+         * Add a verified one-pass-signature for this layer.
+         *
+         * @param verifiedOnePassSignature verified one-pass-signature for this layer
+         */
         void addVerifiedOnePassSignature(SignatureVerification verifiedOnePassSignature) {
             this.verifiedOnePassSignatures.add(verifiedOnePassSignature);
         }
 
+        /**
+         * Add a rejected one-pass-signature for this layer.
+         *
+         * @param rejected rejected one-pass-signature for this layer
+         */
         void addRejectedOnePassSignature(SignatureVerification.Failure rejected) {
             this.rejectedOnePassSignatures.add(rejected);
         }
 
+        /**
+         * Return a list of all verified prepended signatures of this layer.
+         *
+         * @return all verified prepended signatures of this layer
+         */
         public List getVerifiedPrependedSignatures() {
             return new ArrayList<>(verifiedPrependedSignatures);
         }
 
+        /**
+         * Return a list of all rejected prepended signatures of this layer.
+         *
+         * @return all rejected prepended signatures of this layer
+         */
         public List getRejectedPrependedSignatures() {
             return new ArrayList<>(rejectedPrependedSignatures);
         }
 
+        /**
+         * Add a verified prepended signature for this layer.
+         *
+         * @param verified verified prepended signature
+         */
         void addVerifiedPrependedSignature(SignatureVerification verified) {
             this.verifiedPrependedSignatures.add(verified);
         }
 
+        /**
+         * Add a rejected prepended signature for this layer.
+         *
+         * @param rejected rejected prepended signature
+         */
         void addRejectedPrependedSignature(SignatureVerification.Failure rejected) {
             this.rejectedPrependedSignatures.add(rejected);
         }
@@ -306,6 +545,12 @@ public class MessageMetadata {
             super(0);
         }
 
+        /**
+         * Returns true, is the message is a signed message using the cleartext signature framework.
+         *
+         * @return 
true
 if message is cleartext-signed, 
false
 otherwise
+         * @see RFC4880 §7. Cleartext Signature Framework
+         */
         public boolean isCleartextSigned() {
             return cleartextSigned;
         }
@@ -321,26 +566,46 @@ public class MessageMetadata {
             this("", new Date(0L), StreamEncoding.BINARY);
         }
 
-        public LiteralData(String fileName, Date modificationDate, StreamEncoding format) {
+        public LiteralData(@Nonnull String fileName,
+                           @Nonnull Date modificationDate,
+                           @Nonnull StreamEncoding format) {
             this.fileName = fileName;
             this.modificationDate = modificationDate;
             this.format = format;
         }
 
-        public String getFileName() {
+        /**
+         * Return the value of the filename field.
+         * An empty String 
""
 indicates no filename.
+         *
+         * @return filename
+         */
+        public @Nonnull String getFileName() {
             return fileName;
         }
 
-        public Date getModificationDate() {
+        /**
+         * Return the value of the modification date field.
+         * A special date 
{@code new Date(0L)}
 indicates no modification date.
+         *
+         * @return modification date
+         */
+        public @Nonnull Date getModificationDate() {
             return modificationDate;
         }
 
-        public StreamEncoding getFormat() {
+        /**
+         * Return the value of the format field.
+         *
+         * @return format
+         */
+        public @Nonnull StreamEncoding getFormat() {
             return format;
         }
 
         @Override
         public boolean hasNestedChild() {
+            // A literal data packet MUST NOT have a child element, as its content is the plaintext
             return false;
         }
     }
@@ -348,17 +613,22 @@ public class MessageMetadata {
     public static class CompressedData extends Layer implements Nested {
         protected final CompressionAlgorithm algorithm;
 
-        public CompressedData(CompressionAlgorithm zip, int depth) {
+        public CompressedData(@Nonnull CompressionAlgorithm zip, int depth) {
             super(depth);
             this.algorithm = zip;
         }
 
-        public CompressionAlgorithm getAlgorithm() {
+        /**
+         * Return the {@link CompressionAlgorithm} used to compress the packet.
+         * @return compression algorithm
+         */
+        public @Nonnull CompressionAlgorithm getAlgorithm() {
             return algorithm;
         }
 
         @Override
         public boolean hasNestedChild() {
+            // A compressed data packet MUST have a child element
             return true;
         }
     }
@@ -369,25 +639,40 @@ public class MessageMetadata {
         protected SessionKey sessionKey;
         protected List recipients;
 
-        public EncryptedData(SymmetricKeyAlgorithm algorithm, int depth) {
+        public EncryptedData(@Nonnull SymmetricKeyAlgorithm algorithm, int depth) {
             super(depth);
             this.algorithm = algorithm;
         }
 
-        public SymmetricKeyAlgorithm getAlgorithm() {
+        /**
+         * Return the {@link SymmetricKeyAlgorithm} used to encrypt the packet.
+         * @return symmetric encryption algorithm
+         */
+        public @Nonnull SymmetricKeyAlgorithm getAlgorithm() {
             return algorithm;
         }
 
-        public SessionKey getSessionKey() {
+        /**
+         * Return the {@link SessionKey} used to decrypt the packet.
+         *
+         * @return session key
+         */
+        public @Nonnull SessionKey getSessionKey() {
             return sessionKey;
         }
 
-        public List getRecipients() {
+        /**
+         * Return a list of all recipient key ids to which the packet was encrypted for.
+         *
+         * @return recipients
+         */
+        public @Nonnull List getRecipients() {
             return new ArrayList<>(recipients);
         }
 
         @Override
         public boolean hasNestedChild() {
+            // An encrypted data packet MUST have a child element
             return true;
         }
     }
@@ -398,10 +683,10 @@ public class MessageMetadata {
         Layer last = null;
         Message parent;
 
-        LayerIterator(Message message) {
+        LayerIterator(@Nonnull Message message) {
             super();
             this.parent = message;
-            this.current = message.child;
+            this.current = message.getChild();
             if (matches(current)) {
                 last = (Layer) current;
             }
@@ -437,8 +722,8 @@ public class MessageMetadata {
         }
 
         private void findNext() {
-            while (current instanceof Layer) {
-                current = ((Layer) current).child;
+            while (current != null && current instanceof Layer) {
+                current = ((Layer) current).getChild();
                 if (matches(current)) {
                     last = (Layer) current;
                     break;
@@ -459,33 +744,4 @@ public class MessageMetadata {
 
         abstract O getProperty(Layer last);
     }
-
-    public OpenPgpMetadata toLegacyMetadata() {
-        OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
-        resultBuilder.setCompressionAlgorithm(getCompressionAlgorithm());
-        resultBuilder.setModificationDate(getModificationDate());
-        resultBuilder.setFileName(getFilename());
-        resultBuilder.setFileEncoding(getFormat());
-        resultBuilder.setSessionKey(getSessionKey());
-        resultBuilder.setDecryptionKey(getDecryptionKey());
-
-        for (SignatureVerification accepted : getVerifiedDetachedSignatures()) {
-            resultBuilder.addVerifiedDetachedSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : getRejectedDetachedSignatures()) {
-            resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-
-        for (SignatureVerification accepted : getVerifiedInlineSignatures()) {
-            resultBuilder.addVerifiedInbandSignature(accepted);
-        }
-        for (SignatureVerification.Failure rejected : getRejectedInlineSignatures()) {
-            resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
-        }
-        if (message.isCleartextSigned()) {
-            resultBuilder.setCleartextSigned();
-        }
-
-        return resultBuilder.build();
-    }
 }

From 70cca563d7dd0ab87e61c0a7b0f41bf83e5bc220 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:24:26 +0100
Subject: [PATCH 0811/1450] Add javadoc to getMetadata() and getResult()

---
 .../decryption_verification/DecryptionStream.java   | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
index e3a51bb9..c967ba10 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
@@ -8,8 +8,21 @@ import java.io.InputStream;
 
 public abstract class DecryptionStream extends InputStream {
 
+    /**
+     * Return {@link MessageMetadata metadata} about the decrypted / verified message.
+     * The {@link DecryptionStream} MUST be closed via {@link #close()} before the metadata object can be accessed.
+     *
+     * @return message metadata
+     */
     public abstract MessageMetadata getMetadata();
 
+    /**
+     * Return a {@link OpenPgpMetadata} object containing information about the decrypted / verified message.
+     * The {@link DecryptionStream} MUST be closed via {@link #close()} before the metadata object can be accessed.
+     *
+     * @return message metadata
+     * @deprecated use {@link #getMetadata()} instead.
+     */
     @Deprecated
     public OpenPgpMetadata getResult() {
         return getMetadata().toLegacyMetadata();

From 14376048360331d8204979a8e3dc83f74458a604 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:36:25 +0100
Subject: [PATCH 0812/1450] Add documentation to DecryptionStream

---
 .../pgpainless/decryption_verification/DecryptionStream.java   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
index c967ba10..28642bbf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStream.java
@@ -6,6 +6,9 @@ package org.pgpainless.decryption_verification;
 
 import java.io.InputStream;
 
+/**
+ * Abstract definition of an {@link InputStream} which can be used to decrypt / verify OpenPGP messages.
+ */
 public abstract class DecryptionStream extends InputStream {
 
     /**

From fd2f6523ecb8caea3f830fbb63384e11e79808f8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:36:51 +0100
Subject: [PATCH 0813/1450] More specific exception message for when nesting
 depth is exceeded

---
 .../org/pgpainless/decryption_verification/MessageMetadata.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 1bf22b47..3af2a4d3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -399,7 +399,7 @@ public class MessageMetadata {
         public Layer(int depth) {
             this.depth = depth;
             if (depth > MAX_LAYER_DEPTH) {
-                throw new MalformedOpenPgpMessageException("Maximum nesting depth exceeded.");
+                throw new MalformedOpenPgpMessageException("Maximum packet nesting depth (" + MAX_LAYER_DEPTH + ") exceeded.");
             }
         }
 

From 8faec25ecf1b39c888f0da138c0366b4e4307f30 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:38:38 +0100
Subject: [PATCH 0814/1450] Enable previously disabled test for marker+seipd
 packet processing

---
 .../java/org/pgpainless/signature/IgnoreMarkerPackets.java     | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
index 87766dfe..c86efd05 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
@@ -20,7 +20,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -160,8 +159,6 @@ public class IgnoreMarkerPackets {
     }
 
     @Test
-    @Disabled
-    // TODO: Enable and fix
     public void markerPlusEncryptedMessage() throws IOException, PGPException {
         String msg = "-----BEGIN PGP MESSAGE-----\n" +
                 "\n" +

From b95568f30a82e38f028b7c3dcb8d1c4de96cf3f5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:39:48 +0100
Subject: [PATCH 0815/1450] Rename IgnoreMarkerPacketsTest

---
 .../{IgnoreMarkerPackets.java => IgnoreMarkerPacketsTest.java}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename pgpainless-core/src/test/java/org/pgpainless/signature/{IgnoreMarkerPackets.java => IgnoreMarkerPacketsTest.java} (99%)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java
similarity index 99%
rename from pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
rename to pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java
index c86efd05..6ece093b 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPackets.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/IgnoreMarkerPacketsTest.java
@@ -33,7 +33,7 @@ import org.pgpainless.key.util.KeyRingUtils;
  *
  * @see Sequoia Test-Suite
  */
-public class IgnoreMarkerPackets {
+public class IgnoreMarkerPacketsTest {
 
     private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Comment: Bob's OpenPGP Transferable Secret Key\n" +

From 4e4c095d8dfe4f55dd7c0ffbf85e5e3cb24dc49c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 17:40:51 +0100
Subject: [PATCH 0816/1450] Rename tests to end in Test

---
 ...pientMessage.java => DecryptHiddenRecipientMessageTest.java} | 2 +-
 ...va => RejectWeakSymmetricAlgorithmDuringDecryptionTest.java} | 2 +-
 ... SignedMessageVerificationWithoutCertIsStillSignedTest.java} | 2 +-
 ...allback.java => VerifyWithMissingPublicKeyCallbackTest.java} | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{DecryptHiddenRecipientMessage.java => DecryptHiddenRecipientMessageTest.java} (99%)
 rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{RejectWeakSymmetricAlgorithmDuringDecryption.java => RejectWeakSymmetricAlgorithmDuringDecryptionTest.java} (99%)
 rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{SignedMessageVerificationWithoutCertIsStillSigned.java => SignedMessageVerificationWithoutCertIsStillSignedTest.java} (96%)
 rename pgpainless-core/src/test/java/org/pgpainless/decryption_verification/{VerifyWithMissingPublicKeyCallback.java => VerifyWithMissingPublicKeyCallbackTest.java} (98%)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java
similarity index 99%
rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java
index 5c63a996..5400d17c 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessage.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptHiddenRecipientMessageTest.java
@@ -24,7 +24,7 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.TestAllImplementations;
 
-public class DecryptHiddenRecipientMessage {
+public class DecryptHiddenRecipientMessageTest {
 
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java
similarity index 99%
rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java
index 53c690ed..1201ef69 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryption.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/RejectWeakSymmetricAlgorithmDuringDecryptionTest.java
@@ -22,7 +22,7 @@ import org.pgpainless.exception.UnacceptableAlgorithmException;
  * Test PGPainless' default symmetric key algorithm policy for decryption of messages.
  * The default decryption policy rejects messages encrypted with IDEA and TripleDES, as well as unencrypted messages.
  */
-public class RejectWeakSymmetricAlgorithmDuringDecryption {
+public class RejectWeakSymmetricAlgorithmDuringDecryptionTest {
 
     private static final String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "   Comment: Bob's OpenPGP Transferable Secret Key\n" +
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java
similarity index 96%
rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java
index 0b2f5d7d..27bc9954 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSigned.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/SignedMessageVerificationWithoutCertIsStillSignedTest.java
@@ -17,7 +17,7 @@ import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 
-public class SignedMessageVerificationWithoutCertIsStillSigned {
+public class SignedMessageVerificationWithoutCertIsStillSignedTest {
 
     private static final String message = "-----BEGIN PGP MESSAGE-----\n" +
             "\n" +
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java
similarity index 98%
rename from pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
rename to pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java
index bcbad822..14136650 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallback.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyWithMissingPublicKeyCallbackTest.java
@@ -38,7 +38,7 @@ import org.pgpainless.key.util.KeyRingUtils;
  * a signature is encountered which was made by a key that was not provided in
  * {@link ConsumerOptions#addVerificationCert(PGPPublicKeyRing)}.
  */
-public class VerifyWithMissingPublicKeyCallback {
+public class VerifyWithMissingPublicKeyCallbackTest {
 
     @Test
     public void testMissingPublicKeyCallback() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {

From 6ba7e91f2a57eecdd510ebcae3b178a1116ca432 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 16 Nov 2022 18:00:44 +0100
Subject: [PATCH 0817/1450] Add documentation and removal-TODO to old
 OpenPgpMetadata class

---
 .../pgpainless/decryption_verification/OpenPgpMetadata.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
index 130ea554..e26fb804 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
@@ -27,6 +27,12 @@ import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.SessionKey;
 
+/**
+ * Legacy class containing metadata about an OpenPGP message.
+ * It is advised to use {@link MessageMetadata} instead.
+ *
+ * TODO: Remove in 1.5.X
+ */
 public class OpenPgpMetadata {
 
     private final Set recipientKeyIds;

From b9152d5cdea2b31a4dcc66c2126d8540d3b52365 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 17 Nov 2022 14:28:29 +0100
Subject: [PATCH 0818/1450] SOP: Add test to ensure that armoring
 already-armored data is idempotent

---
 .../java/org/pgpainless/cli/commands/ArmorCmdTest.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
index c1fb810f..afd5ded4 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ArmorCmdTest.java
@@ -97,4 +97,14 @@ public class ArmorCmdTest extends CLITest {
         assertEquals(SOPGPException.UnsupportedOption.EXIT_CODE, exitCode);
         assertEquals(0, out.size());
     }
+
+    @Test
+    public void armorAlreadyArmoredDataIsIdempotent() throws IOException {
+        pipeStringToStdin(key);
+        ByteArrayOutputStream armorOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("armor"));
+
+        String armored = armorOut.toString();
+        assertEquals(key, armored);
+    }
 }

From de76f4b3a9f79a3a3bf7b52548925ac7a005348d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 14:17:47 +0100
Subject: [PATCH 0819/1450] Fix indentation for CLI tests

---
 .../java/org/pgpainless/cli/commands/CLITest.java |  3 ++-
 .../cli/commands/ExtractCertCmdTest.java          |  3 ++-
 .../cli/commands/GenerateKeyCmdTest.java          |  6 ++++--
 .../commands/RoundTripEncryptDecryptCmdTest.java  | 15 ++++++++++-----
 .../cli/commands/RoundTripSignVerifyCmdTest.java  |  3 ++-
 5 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
index d5d076cc..9e2fd895 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/CLITest.java
@@ -161,6 +161,7 @@ public abstract class CLITest {
     }
 
     public void assertSuccess(int exitCode) {
-        assertEquals(0, exitCode, "Expected successful program execution");
+        assertEquals(0, exitCode,
+                "Expected successful program execution");
     }
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
index 3eebcb47..f1f69912 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/ExtractCertCmdTest.java
@@ -30,7 +30,8 @@ public class ExtractCertCmdTest extends CLITest {
     }
 
     @Test
-    public void testExtractCert() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
+    public void testExtractCert()
+            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
                 .simpleEcKeyRing("Juliet Capulet ");
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
index 2e4e6e7f..302e4b8f 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/GenerateKeyCmdTest.java
@@ -83,7 +83,8 @@ public class GenerateKeyCmdTest extends CLITest {
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
         assertTrue(info.isFullyEncrypted());
 
-        assertNotNull(UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), Passphrase.fromPassword("sw0rdf1sh")));
+        assertNotNull(UnlockSecretKey
+                .unlockSecretKey(secretKeys.getSecretKey(), Passphrase.fromPassword("sw0rdf1sh")));
     }
 
     @Test
@@ -91,6 +92,7 @@ public class GenerateKeyCmdTest extends CLITest {
         int exit = executeCommand("generate-key",
                 "--with-key-password", "nonexistent", "Alice ");
 
-        assertEquals(SOPGPException.MissingInput.EXIT_CODE, exit, "Expected MISSING_INPUT (" + SOPGPException.MissingInput.EXIT_CODE + ")");
+        assertEquals(SOPGPException.MissingInput.EXIT_CODE, exit,
+                "Expected MISSING_INPUT (" + SOPGPException.MissingInput.EXIT_CODE + ")");
     }
 }
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
index 5d183ea6..9122829a 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
@@ -168,7 +168,8 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
 
         File verifications = nonExistentFile("verifications");
         ByteArrayOutputStream out = pipeStdoutToStream();
-        int exitCode = executeCommand("decrypt", "--verifications-out", verifications.getAbsolutePath(), key.getAbsolutePath());
+        int exitCode = executeCommand("decrypt", "--verifications-out",
+                verifications.getAbsolutePath(), key.getAbsolutePath());
 
         assertEquals(SOPGPException.IncompleteVerification.EXIT_CODE, exitCode);
         assertEquals(0, out.size());
@@ -211,7 +212,8 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
 
         pipeStringToStdin(ciphertext);
         ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
-        assertSuccess(executeCommand("decrypt", "--session-key-out", sessionKeyFile.getAbsolutePath(), key.getAbsolutePath()));
+        assertSuccess(executeCommand("decrypt", "--session-key-out",
+                sessionKeyFile.getAbsolutePath(), key.getAbsolutePath()));
 
         assertEquals(plaintext, plaintextOut.toString());
         String resultSessionKey = readStringFromFile(sessionKeyFile);
@@ -300,7 +302,8 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
             InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .addUserId("No Crypt ")
-                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519),
+                        KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
                 .build();
         PGPPublicKeyRing cert = PGPainless.extractCertificate(secretKeys);
         File certFile = writeFile("cert.pgp", cert.getEncoded());
@@ -314,11 +317,13 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
     }
 
     @Test
-    public void testSignWithIncapableKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+    public void testSignWithIncapableKey()
+            throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .addUserId("Cannot Sign ")
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
-                .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
+                .addSubkey(KeySpec.getBuilder(
+                        KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE))
                 .build();
         File keyFile = writeFile("key.pgp", secretKeys.getEncoded());
         File certFile = writeFile("cert.pgp", PGPainless.extractCertificate(secretKeys).getEncoded());
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
index 7f420054..6196a847 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
@@ -189,7 +189,8 @@ public class RoundTripSignVerifyCmdTest extends CLITest {
     }
 
     @Test
-    public void testSignWithIncapableKey() throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+    public void testSignWithIncapableKey()
+            throws IOException, PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing()
                 .addUserId("Cannot Sign ")
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))

From b9f985a84c0fa5e64977173ceb2240b0901b51bd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 14:55:14 +0100
Subject: [PATCH 0820/1450] Add tests for SOP decrypt

---
 .../RoundTripEncryptDecryptCmdTest.java       | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
index 9122829a..d314de20 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
@@ -563,4 +563,85 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
                 keyFile.getAbsolutePath()));
         assertEquals(msg, out.toString());
     }
+
+    @Test
+    public void decryptMalformedMessageYieldsBadData() throws IOException {
+        // Message contains encrypted data packet which contains the plaintext directly - no literal data packet.
+        // It is therefore malformed.
+        String malformed = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: BCPG v1.72b04\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdApKA6VDKSLQvwS2kbWqlhcXD8XHdFkSccqv5tBptZnBgw\n" +
+                "nZNXVhwUpap0ymb4jPTD+EVPKOfPyy04ouIGZAJKkfYDeSL/8sKcbnPPuQJYYjGQ\n" +
+                "ySDNmidrtTonwcSuwAfRyn74BBqOVhrr8GXkVIfevIlZFQ==\n" +
+                "=wIgl\n" +
+                "-----END PGP MESSAGE-----";
+        File key = writeFile("key.asc", KEY);
+        pipeStringToStdin(malformed);
+        int exitCode = executeCommand("decrypt", key.getAbsolutePath());
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+    }
+
+    @Test
+    public void decryptWithPasswordWithPendingWhitespaceWorks() throws IOException {
+        assertEncryptWithPasswordADecryptWithPasswordBWorks("sw0rdf1sh", "sw0rdf1sh \n");
+    }
+
+    @Test
+    public void encryptWithTrailingWhitespaceDecryptWithoutWorks() throws IOException {
+        assertEncryptWithPasswordADecryptWithPasswordBWorks("sw0rdf1sh \n", "sw0rdf1sh");
+    }
+
+    @Test
+    public void decryptWithWhitespacePasswordWorks() throws IOException {
+        // is encrypted for "sw0rdf1sh \n"
+        String encryptedToPasswordWithTrailingWhitespace = "-----BEGIN PGP MESSAGE-----\n" +
+                "\n" +
+                "jA0ECQMC32tEJug0BCpg0kABfT3dKgA4K8XGpk2ul67BXLZD//fCCSmIQIWnNhE1\n" +
+                "6q97xFQ628K8f/58+XoBzLqLDT+LEz9Bz+Yg9QfzkEFy\n" +
+                "=2Y+K\n" +
+                "-----END PGP MESSAGE-----";
+        pipeStringToStdin(encryptedToPasswordWithTrailingWhitespace);
+        File password = writeFile("password", "sw0rdf1sh \n");
+        ByteArrayOutputStream plaintext = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-password", password.getAbsolutePath()));
+
+        assertEquals("Hello, World!\n", plaintext.toString());
+    }
+
+    private void assertEncryptWithPasswordADecryptWithPasswordBWorks(String passwordA, String passwordB)
+            throws IOException {
+        File passwordAFile = writeFile("password", passwordA);
+        File passwordBFile = writeFile("passwordWithWS", passwordB);
+
+        String msg = "Hello, World!\n";
+        pipeStringToStdin(msg);
+        ByteArrayOutputStream ciphertext = pipeStdoutToStream();
+        assertSuccess(executeCommand("encrypt", "--with-password", passwordAFile.getAbsolutePath()));
+
+        pipeStringToStdin(ciphertext.toString());
+        ByteArrayOutputStream plaintext = pipeStdoutToStream();
+        assertSuccess(executeCommand("decrypt", "--with-password", passwordBFile.getAbsolutePath()));
+
+        assertEquals(msg, plaintext.toString());
+    }
+
+    @Test
+    public void testDecryptWithoutDecryptionOptionFails() throws IOException {
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "hF4D831k4umlLu4SAQdAYisjZTDRm217LHQbqjB766tm62CKTkRj3Gd0wYxVRCgw\n" +
+                "48SnOJINCJoPgDsxk2NiJmLCImoiET7IElqxN9htdDXQJwcRK+71r/ZyO4YJpWuX\n" +
+                "0sAAAcEFc3nT+un31sOi8KoBJlc5n+MemntQvcWDs8B87BEW/Ncjrs0s4pJpZKBQ\n" +
+                "/AWc4wLCI3ylfMQJB2pICqaOO3KP3WepgTIw5fuZm6YfriKQi7uZvVx1N+uaCIoa\n" +
+                "K2IVVf/7O9KZJ9GbsGYdpBj9IdaIZiVS3Xi8rwgQl3haI/EeHC3nnCsWyj23Fjt3\n" +
+                "LjbMqpHbSnp8U1cQ8rXavrREaKv69PFeJio6/hRg32TzJqn05dPALRxHMEkxxa4h\n" +
+                "FpVU\n" +
+                "=edS5\n" +
+                "-----END PGP MESSAGE-----";
+        pipeStringToStdin(ciphertext);
+        int exitCode = executeCommand("decrypt");
+        assertEquals(SOPGPException.MissingArg.EXIT_CODE, exitCode);
+    }
 }

From a9014f1985c63045f58b5d5f27e25ae8825004ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 15:27:58 +0100
Subject: [PATCH 0821/1450] Add disabled test for broken data during dearmor

---
 .../pgpainless/cli/commands/DearmorCmdTest.java   | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index 8fcf093d..64576bfe 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -13,9 +13,11 @@ import java.io.IOException;
 
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
 
 public class DearmorCmdTest extends CLITest {
 
@@ -59,6 +61,19 @@ public class DearmorCmdTest extends CLITest {
         assertArrayEquals(secretKey.getEncoded(), dearmored.toByteArray());
     }
 
+    @Test
+    @Disabled("Enable with SOP-Java 4.0.7")
+    // TODO: Enable
+    public void dearmorBrokenArmoredKeyFails() throws IOException {
+        // contains a "-"
+        String invalidBase64 = "lFgEY2vOkhYJKwYBBAHaRw8BAQdAqGOtLd1tKnuwaYYcdr2/7C0cPiCCggRMKG+Wt32QQdEAAP9VaBzjk/AaAqyykZnQHmS1HByEvRLv5/4yJMSr22451BFjtBRhbGljZUBwZ3BhaW5sZXNzLm9yZ4iOBBMWCgBBBQJja86SCRCLB1F3AflTTBYhBGLp3aTyD4NB0rxLT-IsHUXcB+VNMAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACZhAP4s8hn/RBDvyLvGROOd15EYATnWlgyi+b5WXP6cELalJwD1FZy3RROhfNtZWcJPS43fG03pYNyb0NXoitIMAaXEB5xdBGNrzpISCisGAQQBl1UBBQEBB0CqCcYethOynfni8uRO+r/cZWp9hCLy8pRIExKqzcyEFAMBCAcAAP9sRRLoZkLpDaTNNrtIBovXu2ANhL8keUMWtVcuEHnkQA6iiHUEGBYKAB0FAmNrzpICngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRCLB1F3AflTTBVpAP491etrjqCMWx2bBaw3K1vP0Mix6U0vF3J4kP9UeZm6owEA4kX9VAGESvLgIc7CEiswmxdWjxnLQyCRtWXfjgFmYQucWARja86SFgkrBgEEAdpHDwEBB0DBslhDpWC6CV3xJUSo071NSO5Cf4fgOwOj+QHs8mpFbwABAPkQioSydYiMi04LyfPohyrhhcdJDHallQg+jYHHUb2pEJCI1QQYFgoAfQUCY2vOkgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNrzpIACgkQiHlkvEXh+f1eywEA9A2GLU9LxCJxZf2X4qcZY//YJDChIZHPnY0Vaek1DsMBAN1YILrH2rxQeCXjm4bUKfJIRrGt6ZJscwORgNI1dFQFAAoJEIsHUXcB+VNMK3gA/3vvPm57JsHA860wlB4D1II71oFNL8TFnJqTAvpSKe1AAP49S4mKB4PE0ElcDo7n+nEYt6ba8IMRDlMorsH85mUgCw==";
+        pipeStringToStdin(invalidBase64);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("dearmor");
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
 
     @Test
     public void dearmorCertificate() throws IOException {

From ce929fd05554ca15b9ff89140bb29cbd1a4a9c80 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 15:35:30 +0100
Subject: [PATCH 0822/1450] Add inline-verify test for message without
 verifiable signatures

---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 35 ++++++++++++++++---
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index 5d635beb..ce0a7674 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -4,16 +4,17 @@
 
 package org.pgpainless.cli.commands;
 
-import org.junit.jupiter.api.Test;
-import org.slf4j.LoggerFactory;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import org.junit.jupiter.api.Test;
+import org.slf4j.LoggerFactory;
+import sop.exception.SOPGPException;
 
 public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
 
@@ -171,6 +172,30 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
     }
 
+    @Test
+    public void createSignedMessageWithKeyAAndVerifyWithKeyBFails() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password", KEY_1_PASSWORD);
+        File cert = writeFile("cert.asc", CERT_2); // mismatch
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        File verifications = nonExistentFile("verifications");
+        pipeStringToStdin(ciphertextOut.toString());
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        int exitCode = executeCommand("inline-verify",
+                "--verifications-out", verifications.getAbsolutePath(),
+                cert.getAbsolutePath());
+
+        assertEquals(SOPGPException.NoSignature.EXIT_CODE, exitCode);
+        assertEquals(MESSAGE, plaintextOut.toString()); // message is emitted nonetheless
+        assertFalse(verifications.exists(), "Verifications file MUST NOT be written.");
+    }
+
     @Test
     public void createAndVerifyMultiKeyBinarySignedMessage() throws IOException {
         File key1Pass = writeFile("password", KEY_1_PASSWORD);

From 508864c4ff21d7db8ccf2e2c7fe7f915fe433a06 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 15:36:58 +0100
Subject: [PATCH 0823/1450] Add test for inline-sign --as=text

---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index ce0a7674..1ff3a14b 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -172,6 +172,31 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
     }
 
+    @Test
+    public void createAndVerifyTextSignedMessage() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password", KEY_1_PASSWORD);
+
+        pipeStringToStdin(MESSAGE);
+        ByteArrayOutputStream ciphertextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-sign",
+                "--as", "text",
+                key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath()));
+
+        File cert = writeFile("cert.asc", CERT_1);
+        File verifications = nonExistentFile("verifications");
+        pipeStringToStdin(ciphertextOut.toString());
+        ByteArrayOutputStream plaintextOut = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-verify",
+                "--verifications-out", verifications.getAbsolutePath(),
+                cert.getAbsolutePath()));
+
+        assertEquals(MESSAGE, plaintextOut.toString());
+        String verificationString = readStringFromFile(verifications);
+        assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
+    }
+
     @Test
     public void createSignedMessageWithKeyAAndVerifyWithKeyBFails() throws IOException {
         File key = writeFile("key.asc", KEY_1);

From 75c39c2fde55fd0744c9c0d070e9cb7d36ff0bdf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 18 Nov 2022 16:03:20 +0100
Subject: [PATCH 0824/1450] Add tests for inline-verify

---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index 1ff3a14b..d5a94f3a 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -11,8 +11,19 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 
+import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.encryption_signing.EncryptionStream;
+import org.pgpainless.encryption_signing.ProducerOptions;
+import org.pgpainless.encryption_signing.SigningOptions;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.slf4j.LoggerFactory;
 import sop.exception.SOPGPException;
 
@@ -311,4 +322,93 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         String verificationString = readStringFromFile(verificationsFile);
         assertTrue(verificationString.contains(CERT_1_SIGNING_KEY));
     }
+
+    @Test
+    public void cannotVerifyEncryptedMessage() throws IOException {
+        File key = writeFile("key.asc", KEY_2);
+        File cert = writeFile("cert.asc", CERT_2);
+
+        String msg = "Hello, World!\n";
+        pipeStringToStdin(msg);
+        ByteArrayOutputStream ciphertext = pipeStdoutToStream();
+        assertSuccess(executeCommand("encrypt", cert.getAbsolutePath(),
+                "--sign-with", key.getAbsolutePath()));
+
+        File verifications = nonExistentFile("verifications");
+        pipeBytesToStdin(ciphertext.toByteArray());
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("inline-verify", cert.getAbsolutePath(),
+                "--verifications-out", verifications.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void createMalformedMessage() throws IOException, PGPException {
+        String msg = "Hello, World!\n";
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(KEY_2);
+        ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
+        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
+                .onOutputStream(ciphertext)
+                .withOptions(ProducerOptions.sign(SigningOptions.get()
+                                .addDetachedSignature(SecretKeyRingProtector.unprotectedKeys(), key)
+                        ).overrideCompressionAlgorithm(CompressionAlgorithm.UNCOMPRESSED)
+                        .setAsciiArmor(false));
+        encryptionStream.write(msg.getBytes(StandardCharsets.UTF_8));
+        encryptionStream.close();
+        PGPSignature sig = encryptionStream.getResult().getDetachedSignatures().entrySet()
+                .iterator().next().getValue().iterator().next();
+        ArmoredOutputStream armorOut = new ArmoredOutputStream(System.out);
+        armorOut.write(ciphertext.toByteArray());
+        armorOut.write(sig.getEncoded());
+        armorOut.close();
+    }
+
+    @Test
+    public void cannotVerifyMalformedMessage() throws IOException {
+        // appended signature -> malformed
+        String malformedSignedMessage = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: BCPG v1.72b04\n" +
+                "\n" +
+                "yxRiAAAAAABIZWxsbywgV29ybGQhCoh1BAAWCgAnBQJjd52aCRCPvdNtAYMWcxYh\n" +
+                "BHoHPt8nPJAnltJZUo+9020BgxZzAACThwD/Vr7CMitMOul40VK12XXjOv5f8vgi\n" +
+                "ksqhrI2ysItID9oA/0Csgf3Sv2YenYVzqnd0hhiPe5IVPl8w4sTZKpriYMIG\n" +
+                "=DPPU\n" +
+                "-----END PGP MESSAGE-----";
+        File cert = writeFile("cert.asc", CERT_2);
+        File verifications = nonExistentFile("verifications");
+
+        pipeStringToStdin(malformedSignedMessage);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("inline-verify", cert.getAbsolutePath(),
+                "--verifications-out", verifications.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+        assertEquals("Hello, World!\n", out.toString());
+    }
+
+    @Test
+    public void verifyPrependedSignedMessage() throws IOException {
+        // message with prepended signature
+        String malformedSignedMessage = "-----BEGIN PGP SIGNATURE-----\n" +
+                "Version: BCPG v1.72b04\n" +
+                "\n" +
+                "iHUEABYKACcFAmN3nOUJEI+9020BgxZzFiEEegc+3yc8kCeW0llSj73TbQGDFnMA\n" +
+                "ANPKAPkBxLVHvgeCkX/tTHdBH3CDeuUQF2wmtUmGXqhZA1IFtwD/dK0XQBHO3RO+\n" +
+                "GHpzA7fDAroqF0zM72tu2W4PPw04FgKjATstksQAAh6pOTn5Ogrh+UU5KYpcAA==\n" +
+                "=xtik\n" +
+                "-----END PGP SIGNATURE-----";
+        File cert = writeFile("cert.asc", CERT_2);
+        File verifications = nonExistentFile("verifications");
+
+        pipeStringToStdin(malformedSignedMessage);
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("inline-verify", cert.getAbsolutePath(),
+                "--verifications-out", verifications.getAbsolutePath()));
+        assertEquals("Hello, World!\n", out.toString());
+        String ver = readStringFromFile(verifications);
+        assertEquals(
+                "2022-11-18T14:55:33Z 7A073EDF273C902796D259528FBDD36D01831673 AEA0FD2C899D3FC077815F0026560D2AE53DB86F\n", ver);
+    }
 }

From a34f46b6c6b64949ffa2525bcd40760ae513ef96 Mon Sep 17 00:00:00 2001
From: GregorGott <85785843+GregorGott@users.noreply.github.com>
Date: Sun, 20 Nov 2022 10:54:11 +0000
Subject: [PATCH 0825/1450] Correct method name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Correct `verifyWith()` to `verifyWithCert()´
---
 docs/source/pgpainless-sop/quickstart.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
index ecd7d81d..10ef0a72 100644
--- a/docs/source/pgpainless-sop/quickstart.md
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -209,7 +209,7 @@ byte[] ciphertext = ...; // the encrypted message
 
 ReadyWithResult readyWithResult = sop.decrypt()
         .withKey(bobKey)
-        .verifyWith(aliceCert)
+        .verifyWithCert(aliceCert)
         .withKeyPassword("password123") // if decryption key is protected
         .ciphertext(ciphertext);
 ```

From ab82a638ccbe4de4ce0dca2c7049ef4944ef6c0e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 21 Nov 2022 14:11:12 +0100
Subject: [PATCH 0826/1450] Add tests for inline-sign

---
 ...oundTripInlineSignInlineVerifyCmdTest.java | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index d5a94f3a..1e5310f5 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -411,4 +411,52 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         assertEquals(
                 "2022-11-18T14:55:33Z 7A073EDF273C902796D259528FBDD36D01831673 AEA0FD2C899D3FC077815F0026560D2AE53DB86F\n", ver);
     }
+
+    @Test
+    public void testInlineSignWithMissingSecretKeysFails() throws IOException {
+        String missingSecretKeys = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+                "Comment: 8677 37CA 1979 28FA 325A  DE56 B455 9329 9882 36BE\n" +
+                "Comment: Mrs. Secret Key \n" +
+                "\n" +
+                "lEwEY3t3pRYJKwYBBAHaRw8BAQdA7lifUc85s7omw7eYNIaIj2mZrGeZ9KkG0WX2\n" +
+                "hAx5qXT+AGUAR05VAhAAAAAAAAAAAAAAAAAAAAAAtCFNcnMuIFNlY3JldCBLZXkg\n" +
+                "PG1pc3NAc2VjcmV0LmtleT6IjwQTFgoAQQUCY3t3pQkQtFWTKZiCNr4WIQSGdzfK\n" +
+                "GXko+jJa3la0VZMpmII2vgKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAABNTQEA\n" +
+                "uU5L9hJ1QKWxL5wetJwR08rXJTzsuX1LRfy8dlnlJl0BAKPSqydLoTEVlJQ/2sjO\n" +
+                "xQmc6aedoOoXKKVNDW5ibrsEnFEEY3t3pRIKKwYBBAGXVQEFAQEHQA/WdwR+NFaY\n" +
+                "7NeZnRwI3X9sI5fMq0vtEauMLfZjqTc/AwEIB/4AZQBHTlUCEAAAAAAAAAAAAAAA\n" +
+                "AAAAAACIdQQYFgoAHQUCY3t3pQKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJELRV\n" +
+                "kymYgja+8XMA/1quBVvaSf4QxbB2S7rKt93rAynDLqGQD8hC6wiZc+ihAQC87n2r\n" +
+                "meZ9kiYLYiQuBTGvXyzDBtw5m7wQtMWTfXisBpxMBGN7d6UWCSsGAQQB2kcPAQEH\n" +
+                "QMguDhFon0ZI//CIpC2ZndmtvKdJhcEAeVNkdcsIZajl/gBlAEdOVQIQAAAAAAAA\n" +
+                "AAAAAAAAAAAAAIjVBBgWCgB9BQJje3elAp4BApsCBRYCAwEABAsJCAcFFQoJCAtf\n" +
+                "IAQZFgoABgUCY3t3pQAKCRC14KclsvqqOstPAQDYiL7+4HucWKmd7dcd9XJZpdB6\n" +
+                "lneoK0qku0wvTVjX7gEAtUt2eXMlBE4ox+ZmY964PCc2gEHuC7PBtsAzuF7GSQwA\n" +
+                "CgkQtFWTKZiCNr7JKwEA3aLsOWAYzqvKgiboYSzle+SVBUb3chKlzf3YmckjmwgA\n" +
+                "/3YN1W8CiQFvE9NvetZkr2wXB+QVkuL6cxM0ogEo4lAG\n" +
+                "=9ZMl\n" +
+                "-----END PGP PRIVATE KEY BLOCK-----\n";
+        File key = writeFile("key.asc", missingSecretKeys);
+
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("inline-sign", key.getAbsolutePath());
+
+        assertEquals(SOPGPException.KeyCannotSign.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
+
+    @Test
+    public void signWithProtectedKeyWithWrongPassphraseFails() throws IOException {
+        File key = writeFile("key.asc", KEY_1);
+        File password = writeFile("password.asc", "not_correct!");
+
+        pipeStringToStdin("Hello, World!\n");
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        int exitCode = executeCommand("inline-sign", key.getAbsolutePath(),
+                "--with-key-password", password.getAbsolutePath());
+
+        assertEquals(SOPGPException.KeyIsProtected.EXIT_CODE, exitCode);
+        assertEquals(0, out.size());
+    }
 }

From a19fc9ebda01cd694c9e1a50a1d4327dc1d0e556 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 21 Nov 2022 15:04:13 +0100
Subject: [PATCH 0827/1450] Add tests for inline-detach

---
 .../cli/commands/InlineDetachCmdTest.java     | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
index eabdd6ad..8854d837 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
@@ -129,4 +129,27 @@ public class InlineDetachCmdTest extends CLITest {
         assertEquals(0, msgOut.size());
     }
 
+    @Test
+    public void detachNonOpenPgpDataFails() throws IOException {
+        File sig = nonExistentFile("sig.asc");
+        pipeStringToStdin("This is non-OpenPGP data and therefore we cannot detach any signatures from it.");
+        int exitCode = executeCommand("inline-detach", "--signatures-out", sig.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+    }
+
+    @Test
+    public void detachMissingSignaturesFromCleartextSignedMessageFails() throws IOException {
+        String cleartextSignedNoSigs = "-----BEGIN PGP SIGNED MESSAGE-----\n" +
+                "\n" +
+                "Hello, World!\n" +
+                "What's Up!??\n" +
+                "\n" +
+                "\n";
+        pipeStringToStdin(cleartextSignedNoSigs);
+        File sig = nonExistentFile("sig.asc");
+        int exitCode = executeCommand("inline-detach", "--signatures-out", sig.getAbsolutePath());
+
+        assertEquals(SOPGPException.BadData.EXIT_CODE, exitCode);
+    }
 }

From e4560ac5b502334d0bd6f50122517c59eccb8850 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 21 Nov 2022 15:04:52 +0100
Subject: [PATCH 0828/1450] Cleartext Signaure Framework: Support for multiple
 Hash: headers

---
 .../encryption_signing/EncryptionStream.java  | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
index 27d35ea5..2e370b94 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionStream.java
@@ -8,7 +8,10 @@ import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.bcpg.ArmoredOutputStream;
@@ -22,6 +25,7 @@ import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.bouncycastle.openpgp.operator.PGPDataEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
 import org.pgpainless.algorithm.CompressionAlgorithm;
+import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.implementation.ImplementationFactory;
@@ -165,9 +169,8 @@ public final class EncryptionStream extends OutputStream {
 
     private void prepareLiteralDataProcessing() throws IOException {
         if (options.isCleartextSigned()) {
-            // Begin cleartext with hash algorithm of first signing method
-            SigningOptions.SigningMethod firstMethod = options.getSigningOptions().getSigningMethods().values().iterator().next();
-            armorOutputStream.beginClearText(firstMethod.getHashAlgorithm().getAlgorithmId());
+            int[] algorithmIds = collectHashAlgorithmsForCleartextSigning();
+            armorOutputStream.beginClearText(algorithmIds);
             return;
         }
 
@@ -195,6 +198,24 @@ public final class EncryptionStream extends OutputStream {
         outermostStream = crlfGeneratorStream;
     }
 
+    private int[] collectHashAlgorithmsForCleartextSigning() {
+        SigningOptions signOpts = options.getSigningOptions();
+        Set hashAlgorithms = new HashSet<>();
+        if (signOpts != null) {
+            for (SigningOptions.SigningMethod method : signOpts.getSigningMethods().values()) {
+                hashAlgorithms.add(method.getHashAlgorithm());
+            }
+        }
+
+        int[] algorithmIds = new int[hashAlgorithms.size()];
+        Iterator iterator = hashAlgorithms.iterator();
+        for (int i = 0; i < algorithmIds.length; i++) {
+            algorithmIds[i] = iterator.next().getAlgorithmId();
+        }
+
+        return algorithmIds;
+    }
+
     @Override
     public void write(int data) throws IOException {
         outermostStream.write(data);

From 24ec665f76a66d7e310c9c9e74d403f2c09a8ef6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 14:39:32 +0100
Subject: [PATCH 0829/1450] Bump bcpg to 1.72.3

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index eb20dc66..86fc8f54 100644
--- a/version.gradle
+++ b/version.gradle
@@ -13,7 +13,7 @@ allprojects {
         // unfortunately we rely on 1.72.1 or 1.72.3 for a patch for https://github.com/bcgit/bc-java/issues/1257
         //  which is a bug we introduced with a PR against BC :/ oops
         // When bouncyCastleVersion is 1.71, bouncyPgVersion can simply be set to 1.71 as well.
-        bouncyPgVersion = '1.72.1'
+        bouncyPgVersion = '1.72.3'
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'

From 616e14d04354d072413feef1dbcd8238aa69038d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 14:40:31 +0100
Subject: [PATCH 0830/1450] Enable tests for unsupported s2k identifiers

---
 .../decryption_verification/UnsupportedPacketVersionsTest.java | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java
index 68916348..f8ce9e29 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/UnsupportedPacketVersionsTest.java
@@ -15,7 +15,6 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 
@@ -361,13 +360,11 @@ public class UnsupportedPacketVersionsTest {
     }
 
     @Test
-    @Disabled("Enable once https://github.com/bcgit/bc-java/pull/1268 is available")
     public void pkesk3_skesk4Ws2k23_seip() throws PGPException, IOException {
         decryptAndCompare(PKESK3_SKESK4wS2K23_SEIP, "Encrypted using SEIP + MDC.");
     }
 
     @Test
-    @Disabled("Enable once https://github.com/bcgit/bc-java/pull/1268 is available")
     public void skesk4Ws2k23_pkesk3_seip() throws PGPException, IOException {
         decryptAndCompare(SKESK4wS2K23_PKESK3_SEIP, "Encrypted using SEIP + MDC.");
     }

From 3ae2afcfa0155ba6439a1ebd74b4a160d2df0323 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 14:46:08 +0100
Subject: [PATCH 0831/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f19bc95..9fc7e655 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ SPDX-License-Identifier: CC0-1.0
 # PGPainless Changelog
 
 ## 1.4.0-rc2-SNAPSHOT
+- Bump `bcpg-jdk15to18` to `1.72.3`
 - Use BCs `PGPEncryptedDataList.extractSessionKeyEncryptedData()` method
   to do decryption using session keys. This enables decryption of messages
   without encrypted session key packets.
@@ -13,6 +14,8 @@ SPDX-License-Identifier: CC0-1.0
 - Depend on `pgp-certificate-store`
 - Add `ConsumerOptions.addVerificationCerts(PGPCertificateStore)` to allow sourcing certificates from
   e.g. a [certificate store implementation](https://github.com/pgpainless/cert-d-java).
+- Make `DecryptionStream.getMetadata()` first class
+  - Deprecate `DecryptionStream.getResult()`
 
 ## 1.4.0-rc1
 - Reimplement message consumption via new `OpenPgpMessageInputStream`

From 39f8f89fe0bb117f91655ef21440042b7f36a8f1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:19:39 +0100
Subject: [PATCH 0832/1450] Add convenience methods to MessageMetadata

---
 .../MessageMetadata.java                      | 221 +++++++++++-------
 1 file changed, 139 insertions(+), 82 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 3af2a4d3..5318fcb1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -4,6 +4,18 @@
 
 package org.pgpainless.decryption_verification;
 
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+import java.util.NoSuchElementException;
+import java.util.function.Function;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPLiteralData;
+import org.bouncycastle.openpgp.PGPPublicKey;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
@@ -11,14 +23,6 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.util.SessionKey;
 
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-import java.util.NoSuchElementException;
-
 /**
  * View for extracting metadata about a {@link Message}.
  */
@@ -40,18 +44,9 @@ public class MessageMetadata {
     public @Nonnull OpenPgpMetadata toLegacyMetadata() {
         OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
         resultBuilder.setCompressionAlgorithm(getCompressionAlgorithm());
-        Date modDate = getModificationDate();
-        if (modDate != null) {
-            resultBuilder.setModificationDate(modDate);
-        }
-        String fileName = getFilename();
-        if (fileName != null) {
-            resultBuilder.setFileName(fileName);
-        }
-        StreamEncoding encoding = getFormat();
-        if (encoding != null) {
-            resultBuilder.setFileEncoding(encoding);
-        }
+        resultBuilder.setModificationDate(getModificationDate());
+        resultBuilder.setFileName(getFilename());
+        resultBuilder.setFileEncoding(getLiteralDataEncoding());
         resultBuilder.setSessionKey(getSessionKey());
         resultBuilder.setDecryptionKey(getDecryptionKey());
 
@@ -75,6 +70,39 @@ public class MessageMetadata {
         return resultBuilder.build();
     }
 
+    public boolean isEncrypted() {
+        SymmetricKeyAlgorithm algorithm = getEncryptionAlgorithm();
+        return algorithm != null && algorithm != SymmetricKeyAlgorithm.NULL;
+    }
+
+    public boolean isEncryptedFor(@Nonnull PGPKeyRing keys) {
+        Iterator encryptionLayers = getEncryptionLayers();
+        while (encryptionLayers.hasNext()) {
+            EncryptedData encryptedData = encryptionLayers.next();
+            for (long recipient : encryptedData.getRecipients()) {
+                PGPPublicKey key = keys.getPublicKey(recipient);
+                if (key != null) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    public @Nonnull Iterator getEncryptionLayers() {
+        return new LayerIterator(message) {
+            @Override
+            public boolean matches(Nested layer) {
+                return layer instanceof EncryptedData;
+            }
+
+            @Override
+            public EncryptedData getProperty(Layer last) {
+                return (EncryptedData) last;
+            }
+        };
+    }
+
     /**
      * Return the {@link SymmetricKeyAlgorithm} of the outermost encrypted data packet, or null if message is
      * unencrypted.
@@ -82,11 +110,7 @@ public class MessageMetadata {
      * @return encryption algorithm
      */
     public @Nullable SymmetricKeyAlgorithm getEncryptionAlgorithm() {
-        Iterator algorithms = getEncryptionAlgorithms();
-        if (algorithms.hasNext()) {
-            return algorithms.next();
-        }
-        return null;
+        return firstOrNull(getEncryptionAlgorithms());
     }
 
     /**
@@ -98,15 +122,19 @@ public class MessageMetadata {
      * @return iterator of symmetric encryption algorithms
      */
     public @Nonnull Iterator getEncryptionAlgorithms() {
-        return new LayerIterator(message) {
+        return map(getEncryptionLayers(), encryptedData -> encryptedData.algorithm);
+    }
+
+    public @Nonnull Iterator getCompressionLayers() {
+        return new LayerIterator(message) {
             @Override
-            public boolean matches(Nested layer) {
-                return layer instanceof EncryptedData;
+            boolean matches(Layer layer) {
+                return layer instanceof CompressedData;
             }
 
             @Override
-            public SymmetricKeyAlgorithm getProperty(Layer last) {
-                return ((EncryptedData) last).algorithm;
+            CompressedData getProperty(Layer last) {
+                return (CompressedData) last;
             }
         };
     }
@@ -118,11 +146,7 @@ public class MessageMetadata {
      * @return compression algorithm
      */
     public @Nullable CompressionAlgorithm getCompressionAlgorithm() {
-        Iterator algorithms = getCompressionAlgorithms();
-        if (algorithms.hasNext()) {
-            return algorithms.next();
-        }
-        return null;
+        return firstOrNull(getCompressionAlgorithms());
     }
 
     /**
@@ -134,17 +158,7 @@ public class MessageMetadata {
      * @return iterator of compression algorithms
      */
     public @Nonnull Iterator getCompressionAlgorithms() {
-        return new LayerIterator(message) {
-            @Override
-            public boolean matches(Nested layer) {
-                return layer instanceof CompressedData;
-            }
-
-            @Override
-            public CompressionAlgorithm getProperty(Layer last) {
-                return ((CompressedData) last).algorithm;
-            }
-        };
+        return map(getCompressionLayers(), compressionLayer -> compressionLayer.algorithm);
     }
 
     /**
@@ -154,11 +168,7 @@ public class MessageMetadata {
      * @return session key of the message
      */
     public @Nullable SessionKey getSessionKey() {
-        Iterator sessionKeys = getSessionKeys();
-        if (sessionKeys.hasNext()) {
-            return sessionKeys.next();
-        }
-        return null;
+        return firstOrNull(getSessionKeys());
     }
 
     /**
@@ -170,17 +180,15 @@ public class MessageMetadata {
      * @return iterator of session keys
      */
     public @Nonnull Iterator getSessionKeys() {
-        return new LayerIterator(message) {
-            @Override
-            boolean matches(Nested layer) {
-                return layer instanceof EncryptedData;
-            }
+        return map(getEncryptionLayers(), encryptedData -> encryptedData.sessionKey);
+    }
 
-            @Override
-            SessionKey getProperty(Layer last) {
-                return ((EncryptedData) last).getSessionKey();
-            }
-        };
+    public boolean isVerifiedSignedBy(@Nonnull PGPKeyRing keys) {
+        return isVerifiedInlineSignedBy(keys) || isVerifiedDetachedSignedBy(keys);
+    }
+
+    public boolean isVerifiedDetachedSignedBy(@Nonnull PGPKeyRing keys) {
+        return containsSignatureBy(getVerifiedDetachedSignatures(), keys);
     }
 
     /**
@@ -202,6 +210,10 @@ public class MessageMetadata {
         return message.getRejectedDetachedSignatures();
     }
 
+    public boolean isVerifiedInlineSignedBy(@Nonnull PGPKeyRing keys) {
+        return containsSignatureBy(getVerifiedInlineSignatures(), keys);
+    }
+
     /**
      * Return a list of all verified inline-signatures.
      * This list contains all acceptable, correct signatures that were part of the message itself.
@@ -291,6 +303,28 @@ public class MessageMetadata {
         };
     }
 
+    private static boolean containsSignatureBy(@Nonnull List verifications,
+                                               @Nonnull PGPKeyRing keys) {
+        for (SignatureVerification verification : verifications) {
+            SubkeyIdentifier issuer = verification.getSigningKey();
+            if (issuer == null) {
+                // No issuer, shouldn't happen, but better be safe and skip...
+                continue;
+            }
+
+            if (keys.getPublicKey().getKeyID() != issuer.getPrimaryKeyId()) {
+                // Wrong cert
+                continue;
+            }
+
+            if (keys.getPublicKey(issuer.getSubkeyId()) != null) {
+                // Matching cert and signing key
+                return true;
+            }
+        }
+        return false;
+    }
+
     /**
      * Return the value of the literal data packet's filename field.
      * This value can be used to store a decrypted file under its original filename,
@@ -300,14 +334,23 @@ public class MessageMetadata {
      * @return filename
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nullable String getFilename() {
+    public @Nonnull String getFilename() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            return null;
+            throw new NoSuchElementException("No Literal Data Packet found.");
         }
         return literalData.getFileName();
     }
 
+    /**
+     * Returns true, if the filename of the literal data packet indicates that the data is intended for your eyes only.
+     *
+     * @return isForYourEyesOnly
+     */
+    public boolean isForYourEyesOnly() {
+        return PGPLiteralData.CONSOLE.equals(getFilename());
+    }
+
     /**
      * Return the value of the literal data packets modification date field.
      * This value can be used to restore the modification date of a decrypted file,
@@ -316,10 +359,10 @@ public class MessageMetadata {
      * @return modification date
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nullable Date getModificationDate() {
+    public @Nonnull Date getModificationDate() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            return null;
+            throw new NoSuchElementException("No Literal Data Packet found.");
         }
         return literalData.getModificationDate();
     }
@@ -332,10 +375,10 @@ public class MessageMetadata {
      * @return format
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nullable StreamEncoding getFormat() {
+    public @Nonnull StreamEncoding getLiteralDataEncoding() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            return null;
+            throw new NoSuchElementException("No Literal Data Packet found.");
         }
         return literalData.getFormat();
     }
@@ -368,21 +411,7 @@ public class MessageMetadata {
      * @return decryption key
      */
     public SubkeyIdentifier getDecryptionKey() {
-        Iterator iterator = new LayerIterator(message) {
-            @Override
-            public boolean matches(Nested layer) {
-                return layer instanceof EncryptedData;
-            }
-
-            @Override
-            public SubkeyIdentifier getProperty(Layer last) {
-                return ((EncryptedData) last).decryptionKey;
-            }
-        };
-        if (iterator.hasNext()) {
-            return iterator.next();
-        }
-        return null;
+        return firstOrNull(map(getEncryptionLayers(), encryptedData -> encryptedData.decryptionKey));
     }
 
     public abstract static class Layer {
@@ -744,4 +773,32 @@ public class MessageMetadata {
 
         abstract O getProperty(Layer last);
     }
+
+    private static  Iterator map(Iterator from, Function mapping) {
+        return new Iterator() {
+            @Override
+            public boolean hasNext() {
+                return from.hasNext();
+            }
+
+            @Override
+            public B next() {
+                return mapping.apply(from.next());
+            }
+        };
+    }
+
+    private static @Nullable  A firstOrNull(Iterator iterator) {
+        if (iterator.hasNext()) {
+            return iterator.next();
+        }
+        return null;
+    }
+
+    private static @Nonnull  A firstOr(Iterator iterator, A item) {
+        if (iterator.hasNext()) {
+            return iterator.next();
+        }
+        return item;
+    }
 }

From 8f6227c14b359792fe9d03ef3b3b938d9e1e9718 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:20:06 +0100
Subject: [PATCH 0833/1450] Rework some tests to use MessageMetadata

---
 .../MessageMetadataTest.java                  |  4 ++--
 .../OpenPgpMessageInputStreamTest.java        |  2 +-
 .../FileInformationTest.java                  | 20 +++++++++----------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
index d87fc6bf..771cb8f1 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/MessageMetadataTest.java
@@ -62,7 +62,7 @@ public class MessageMetadataTest {
 
         assertEquals("", metadata.getFilename());
         JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
-        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+        assertEquals(StreamEncoding.BINARY, metadata.getLiteralDataEncoding());
     }
 
     @Test
@@ -79,6 +79,6 @@ public class MessageMetadataTest {
         assertNull(metadata.getEncryptionAlgorithm());
         assertEquals("collateral_murder.zip", metadata.getFilename());
         assertEquals(DateUtil.parseUTCDate("2010-04-05 10:12:03 UTC"), metadata.getModificationDate());
-        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+        assertEquals(StreamEncoding.BINARY, metadata.getLiteralDataEncoding());
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index d2c62fb2..01966bbe 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -335,7 +335,7 @@ public class OpenPgpMessageInputStreamTest {
         assertNull(metadata.getEncryptionAlgorithm());
         assertEquals("", metadata.getFilename());
         JUtils.assertDateEquals(new Date(0L), metadata.getModificationDate());
-        assertEquals(StreamEncoding.BINARY, metadata.getFormat());
+        assertEquals(StreamEncoding.BINARY, metadata.getLiteralDataEncoding());
         assertTrue(metadata.getVerifiedInlineSignatures().isEmpty());
         assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
index 662971e4..2b0a7106 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/FileInformationTest.java
@@ -28,7 +28,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 
 public class FileInformationTest {
 
@@ -80,11 +80,11 @@ public class FileInformationTest {
 
         decryptionStream.close();
 
-        OpenPgpMetadata decResult = decryptionStream.getResult();
+        MessageMetadata decResult = decryptionStream.getMetadata();
 
-        assertEquals(fileName, decResult.getFileName());
+        assertEquals(fileName, decResult.getFilename());
         JUtils.assertDateEquals(modificationDate, decResult.getModificationDate());
-        assertEquals(encoding, decResult.getFileEncoding());
+        assertEquals(encoding, decResult.getLiteralDataEncoding());
     }
 
     @Test
@@ -119,11 +119,11 @@ public class FileInformationTest {
 
         decryptionStream.close();
 
-        OpenPgpMetadata decResult = decryptionStream.getResult();
+        MessageMetadata decResult = decryptionStream.getMetadata();
 
-        assertEquals("", decResult.getFileName());
+        assertEquals("", decResult.getFilename());
         JUtils.assertDateEquals(PGPLiteralData.NOW, decResult.getModificationDate());
-        assertEquals(PGPLiteralData.BINARY, decResult.getFileEncoding().getCode());
+        assertEquals(PGPLiteralData.BINARY, decResult.getLiteralDataEncoding().getCode());
         assertFalse(decResult.isForYourEyesOnly());
     }
 
@@ -160,11 +160,11 @@ public class FileInformationTest {
 
         decryptionStream.close();
 
-        OpenPgpMetadata decResult = decryptionStream.getResult();
+        MessageMetadata decResult = decryptionStream.getMetadata();
 
-        assertEquals(PGPLiteralData.CONSOLE, decResult.getFileName());
+        assertEquals(PGPLiteralData.CONSOLE, decResult.getFilename());
         JUtils.assertDateEquals(PGPLiteralData.NOW, decResult.getModificationDate());
-        assertEquals(PGPLiteralData.BINARY, decResult.getFileEncoding().getCode());
+        assertEquals(PGPLiteralData.BINARY, decResult.getLiteralDataEncoding().getCode());
         assertTrue(decResult.isForYourEyesOnly());
     }
 }

From 6926cedf615dc0f079f7b96394328f64a6f92fe9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:41:58 +0100
Subject: [PATCH 0834/1450] Fix compilation errors and simplify LayerIterator
 by introducing Packet interface

---
 ...oundTripInlineSignInlineVerifyCmdTest.java |  2 +-
 .../MessageMetadata.java                      | 53 +++++++------------
 .../OpenPgpMetadata.java                      |  2 +-
 .../pgpainless/sop/DetachedVerifyImpl.java    |  4 +-
 4 files changed, 24 insertions(+), 37 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index 1e5310f5..d36ee58f 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -287,7 +287,7 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         File cert = writeFile("cert.asc", CERT_1);
         pipeStringToStdin(msgOut.toString());
         ByteArrayOutputStream verificationsOut = pipeStdoutToStream();
-        assertSuccess(executeCommand("verify",
+        assertSuccess(executeCommand("verify", "--stacktrace",
                 sigFile.getAbsolutePath(),
                 cert.getAbsolutePath()));
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 5318fcb1..da6902c5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -9,7 +9,6 @@ import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import java.util.NoSuchElementException;
-import java.util.function.Function;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
@@ -92,7 +91,7 @@ public class MessageMetadata {
     public @Nonnull Iterator getEncryptionLayers() {
         return new LayerIterator(message) {
             @Override
-            public boolean matches(Nested layer) {
+            public boolean matches(Packet layer) {
                 return layer instanceof EncryptedData;
             }
 
@@ -128,7 +127,7 @@ public class MessageMetadata {
     public @Nonnull Iterator getCompressionLayers() {
         return new LayerIterator(message) {
             @Override
-            boolean matches(Layer layer) {
+            boolean matches(Packet layer) {
                 return layer instanceof CompressedData;
             }
 
@@ -242,15 +241,10 @@ public class MessageMetadata {
     public @Nonnull Iterator> getVerifiedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
-            boolean matches(Nested layer) {
+            boolean matches(Packet layer) {
                 return layer instanceof Layer;
             }
 
-            @Override
-            boolean matches(Layer layer) {
-                return true;
-            }
-
             @Override
             List getProperty(Layer last) {
                 List list = new ArrayList<>();
@@ -284,15 +278,10 @@ public class MessageMetadata {
     public @Nonnull Iterator> getRejectedInlineSignaturesByLayer() {
         return new LayerIterator>(message) {
             @Override
-            boolean matches(Nested layer) {
+            boolean matches(Packet layer) {
                 return layer instanceof Layer;
             }
 
-            @Override
-            boolean matches(Layer layer) {
-                return true;
-            }
-
             @Override
             List getProperty(Layer last) {
                 List list = new ArrayList<>();
@@ -334,10 +323,10 @@ public class MessageMetadata {
      * @return filename
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nonnull String getFilename() {
+    public @Nullable String getFilename() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            throw new NoSuchElementException("No Literal Data Packet found.");
+            return null;
         }
         return literalData.getFileName();
     }
@@ -359,10 +348,10 @@ public class MessageMetadata {
      * @return modification date
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nonnull Date getModificationDate() {
+    public @Nullable Date getModificationDate() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            throw new NoSuchElementException("No Literal Data Packet found.");
+            return null;
         }
         return literalData.getModificationDate();
     }
@@ -375,10 +364,10 @@ public class MessageMetadata {
      * @return format
      * @see RFC4880 §5.9. Literal Data Packet
      */
-    public @Nonnull StreamEncoding getLiteralDataEncoding() {
+    public @Nullable StreamEncoding getLiteralDataEncoding() {
         LiteralData literalData = findLiteralData();
         if (literalData == null) {
-            throw new NoSuchElementException("No Literal Data Packet found.");
+            return null;
         }
         return literalData.getFormat();
     }
@@ -414,7 +403,10 @@ public class MessageMetadata {
         return firstOrNull(map(getEncryptionLayers(), encryptedData -> encryptedData.decryptionKey));
     }
 
-    public abstract static class Layer {
+    public interface Packet {
+
+    }
+    public abstract static class Layer implements Packet {
         public static final int MAX_LAYER_DEPTH = 16;
         protected final int depth;
         protected final List verifiedDetachedSignatures = new ArrayList<>();
@@ -562,7 +554,7 @@ public class MessageMetadata {
 
     }
 
-    public interface Nested {
+    public interface Nested extends Packet {
         boolean hasNestedChild();
     }
 
@@ -760,16 +752,7 @@ public class MessageMetadata {
             }
         }
 
-        boolean matches(Nested layer) {
-            return false;
-        }
-
-        boolean matches(Layer layer) {
-            if (layer instanceof Nested) {
-                return matches((Nested) layer);
-            }
-            return false;
-        }
+        abstract boolean matches(Packet layer);
 
         abstract O getProperty(Layer last);
     }
@@ -788,6 +771,10 @@ public class MessageMetadata {
         };
     }
 
+    public interface Function {
+        B apply(A item);
+    }
+
     private static @Nullable  A firstOrNull(Iterator iterator) {
         if (iterator.hasNext()) {
             return iterator.next();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
index e26fb804..be9cf2b1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMetadata.java
@@ -328,7 +328,7 @@ public class OpenPgpMetadata {
             return this;
         }
 
-        public Builder setFileName(@Nonnull String fileName) {
+        public Builder setFileName(@Nullable String fileName) {
             this.fileName = fileName;
             return this;
         }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 3a5b3b6a..1ed43941 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -16,7 +16,7 @@ import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import sop.Verification;
@@ -69,7 +69,7 @@ public class DetachedVerifyImpl implements DetachedVerify {
             Streams.drain(decryptionStream);
             decryptionStream.close();
 
-            OpenPgpMetadata metadata = decryptionStream.getResult();
+            MessageMetadata metadata = decryptionStream.getMetadata();
             List verificationList = new ArrayList<>();
 
             for (SignatureVerification signatureVerification : metadata.getVerifiedDetachedSignatures()) {

From c031ea92856360fea41a6717bd99ef6ea52289ef Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:51:31 +0100
Subject: [PATCH 0835/1450] Remove empty newlines

---
 .../test/java/org/pgpainless/example/ManagePolicy.java    | 6 ------
 .../src/test/java/org/pgpainless/example/ModifyKeys.java  | 8 --------
 .../src/test/java/org/pgpainless/example/ReadKeys.java    | 2 --
 .../java/org/pgpainless/example/UnlockSecretKeys.java     | 2 --
 4 files changed, 18 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
index 711de225..858c99a9 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
@@ -88,7 +88,6 @@ public class ManagePolicy {
         // Per default, non-revocation signatures using SHA-1 are rejected
         assertFalse(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1));
 
-
         // Create a new custom policy which contains SHA-1
         Policy.HashAlgorithmPolicy customPolicy = new Policy.HashAlgorithmPolicy(
                 // The default hash algorithm will be used when hash algorithm negotiation fails when creating a sig
@@ -98,7 +97,6 @@ public class ManagePolicy {
         // Set the hash algo policy as policy for non-revocation signatures
         policy.setSignatureHashAlgorithmPolicy(customPolicy);
 
-
         sigHashAlgoPolicy = policy.getSignatureHashAlgorithmPolicy();
         assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512));
         // SHA-1 is now acceptable as well
@@ -122,7 +120,6 @@ public class ManagePolicy {
         assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 1024));
         assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.ECDSA, 256));
 
-
         Policy.PublicKeyAlgorithmPolicy customPolicy = new Policy.PublicKeyAlgorithmPolicy(
                 new HashMap(){{
                     // Put minimum bit strengths for acceptable algorithms.
@@ -133,7 +130,6 @@ public class ManagePolicy {
         );
         policy.setPublicKeyAlgorithmPolicy(customPolicy);
 
-
         pkAlgorithmPolicy = policy.getPublicKeyAlgorithmPolicy();
         assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096));
         // RSA 2048 is no longer acceptable
@@ -156,10 +152,8 @@ public class ManagePolicy {
         NotationRegistry notationRegistry = policy.getNotationRegistry();
         assertFalse(notationRegistry.isKnownNotation("unknown@pgpainless.org"));
 
-
         notationRegistry.addKnownNotation("unknown@pgpainless.org");
 
-
         assertTrue(notationRegistry.isKnownNotation("unknown@pgpainless.org"));
     }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
index a0785993..768064e7 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ModifyKeys.java
@@ -67,7 +67,6 @@ public class ModifyKeys {
         // the certificate consists of only the public keys
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
 
-
         KeyRingInfo info = PGPainless.inspectKeyRing(certificate);
         assertFalse(info.isSecretKey());
     }
@@ -79,11 +78,9 @@ public class ModifyKeys {
     public void toAsciiArmoredString() throws IOException {
         PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKey);
 
-
         String asciiArmoredSecretKey = PGPainless.asciiArmor(secretKey);
         String asciiArmoredCertificate = PGPainless.asciiArmor(certificate);
 
-
         assertTrue(asciiArmoredSecretKey.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----"));
         assertTrue(asciiArmoredCertificate.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----"));
     }
@@ -99,7 +96,6 @@ public class ModifyKeys {
                 .toNewPassphrase(Passphrase.fromPassword("n3wP4ssW0rD"))
                 .done();
 
-
         // Old passphrase no longer works
         assertThrows(WrongPassphraseException.class, () ->
                 UnlockSecretKey.unlockSecretKey(secretKey.getSecretKey(), Passphrase.fromPassword(originalPassphrase)));
@@ -120,7 +116,6 @@ public class ModifyKeys {
                 .toNewPassphrase(Passphrase.fromPassword("cryptP4ssphr4s3"))
                 .done();
 
-
         // encryption key can now only be unlocked using the new passphrase
         assertThrows(WrongPassphraseException.class, () ->
                 UnlockSecretKey.unlockSecretKey(
@@ -143,7 +138,6 @@ public class ModifyKeys {
                 .addUserId("additional@user.id", protector)
                 .done();
 
-
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
         assertTrue(info.isUserIdValid("additional@user.id"));
         assertFalse(info.isUserIdValid("another@user.id"));
@@ -176,7 +170,6 @@ public class ModifyKeys {
                         protector)
                 .done();
 
-
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
         assertEquals(4, info.getSecretKeys().size());
         assertEquals(4, info.getPublicKeys().size());
@@ -199,7 +192,6 @@ public class ModifyKeys {
                 .setExpirationDate(expirationDate, protector)
                 .done();
 
-
         KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
         assertEquals(DateUtil.formatUTCDate(expirationDate),
                 DateUtil.formatUTCDate(info.getPrimaryKeyExpirationDate()));
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java
index 60256c06..54e00c26 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/ReadKeys.java
@@ -44,7 +44,6 @@ public class ReadKeys {
         PGPPublicKeyRing publicKey = PGPainless.readKeyRing()
                 .publicKeyRing(certificate);
 
-
         KeyRingInfo keyInfo = new KeyRingInfo(publicKey);
         OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94  4E63 F231 550C 4F47 E38E");
         assertEquals(fingerprint, keyInfo.getFingerprint());
@@ -77,7 +76,6 @@ public class ReadKeys {
         PGPSecretKeyRing secretKey = PGPainless.readKeyRing()
                 .secretKeyRing(key);
 
-
         KeyRingInfo keyInfo = new KeyRingInfo(secretKey);
         OpenPgpFingerprint fingerprint = new OpenPgpV4Fingerprint("EB85 BB5F A33A 75E1 5E94  4E63 F231 550C 4F47 E38E");
         assertEquals(fingerprint, keyInfo.getFingerprint());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java
index c6f227f3..92387978 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/UnlockSecretKeys.java
@@ -40,7 +40,6 @@ public class UnlockSecretKeys {
         // This protector will only unlock unprotected keys
         SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
 
-
         assertProtectorUnlocksAllSecretKeys(unprotectedKey, protector);
     }
 
@@ -105,7 +104,6 @@ public class UnlockSecretKeys {
         protector.addPassphrase(new OpenPgpV4Fingerprint("DD8E1195E4B1720E7FB10EF7F60402708E75D941"),
                 Passphrase.fromPassword("s3c0ndsubk3y"));
 
-
         assertProtectorUnlocksAllSecretKeys(secretKey, protector);
     }
 

From f005885318321b397b83371de3e6efc874c09ccd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:52:04 +0100
Subject: [PATCH 0836/1450] Add MessageMetadata.isVerifiedSigned() and
 .getVerifiedSignatures()

---
 .../decryption_verification/MessageMetadata.java       | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index da6902c5..7743d32e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -186,6 +186,12 @@ public class MessageMetadata {
         return isVerifiedInlineSignedBy(keys) || isVerifiedDetachedSignedBy(keys);
     }
 
+    public List getVerifiedSignatures() {
+        List allVerifiedSignatures = getVerifiedInlineSignatures();
+        allVerifiedSignatures.addAll(getVerifiedDetachedSignatures());
+        return allVerifiedSignatures;
+    }
+
     public boolean isVerifiedDetachedSignedBy(@Nonnull PGPKeyRing keys) {
         return containsSignatureBy(getVerifiedDetachedSignatures(), keys);
     }
@@ -403,6 +409,10 @@ public class MessageMetadata {
         return firstOrNull(map(getEncryptionLayers(), encryptedData -> encryptedData.decryptionKey));
     }
 
+    public boolean isVerifiedSigned() {
+        return !getVerifiedSignatures().isEmpty();
+    }
+
     public interface Packet {
 
     }

From 27fd15a01262949b77f9854aa8f53d907980335d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 15:52:15 +0100
Subject: [PATCH 0837/1450] Update examples with new MessageMetadata class

---
 .../pgpainless/example/DecryptOrVerify.java   | 21 +++++-----
 .../java/org/pgpainless/example/Encrypt.java  | 42 +++++++++----------
 2 files changed, 30 insertions(+), 33 deletions(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
index 074fc206..2e6c982f 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
@@ -24,7 +24,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
 import org.pgpainless.encryption_signing.SigningOptions;
@@ -168,9 +168,9 @@ public class DecryptOrVerify {
         decryptionStream.close(); // remember to close the stream!
 
         // The metadata object contains information about the message
-        OpenPgpMetadata metadata = decryptionStream.getResult();
+        MessageMetadata metadata = decryptionStream.getMetadata();
         assertTrue(metadata.isEncrypted()); // message was encrypted
-        assertFalse(metadata.isVerified()); // We did not do any signature verification
+        assertFalse(metadata.isVerifiedSigned()); // We did not do any signature verification
 
         // The output stream now contains the decrypted message
         assertEquals(PLAINTEXT, plaintextOut.toString());
@@ -200,11 +200,10 @@ public class DecryptOrVerify {
         decryptionStream.close(); // remember to close the stream to finish signature verification
 
         // metadata with information on the message, like signatures
-        OpenPgpMetadata metadata = decryptionStream.getResult();
+        MessageMetadata metadata = decryptionStream.getMetadata();
         assertTrue(metadata.isEncrypted()); // messages was in fact encrypted
-        assertTrue(metadata.isSigned()); // message contained some signatures
-        assertTrue(metadata.isVerified()); // the signatures were actually correct
-        assertTrue(metadata.containsVerifiedSignatureFrom(certificate)); // the signatures could be verified using the certificate
+        assertTrue(metadata.isVerifiedSigned()); // the signatures were actually correct
+        assertTrue(metadata.isVerifiedSignedBy(certificate)); // the signatures could be verified using the certificate
 
         assertEquals(PLAINTEXT, plaintextOut.toString());
     }
@@ -232,8 +231,8 @@ public class DecryptOrVerify {
             verificationStream.close(); // remember to close the stream to finish sig verification
 
             // Get the metadata object for information about the message
-            OpenPgpMetadata metadata = verificationStream.getResult();
-            assertTrue(metadata.isVerified()); // signatures were verified successfully
+            MessageMetadata metadata = verificationStream.getMetadata();
+            assertTrue(metadata.isVerifiedSigned()); // signatures were verified successfully
             // The output stream we piped to now contains the message
             assertEquals(PLAINTEXT, out.toString());
         }
@@ -286,8 +285,8 @@ public class DecryptOrVerify {
             verificationStream.close(); // as always, remember to close the stream
 
             // Metadata will confirm that the message was in fact signed
-            OpenPgpMetadata metadata = verificationStream.getResult();
-            assertTrue(metadata.isVerified());
+            MessageMetadata metadata = verificationStream.getMetadata();
+            assertTrue(metadata.isVerifiedSigned());
             // compare the plaintext to what we originally signed
             assertArrayEquals(msg.getBytes(StandardCharsets.UTF_8), plain.toByteArray());
         }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
index ed57b90b..ba832516 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/Encrypt.java
@@ -21,7 +21,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.DocumentSignatureType;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.encryption_signing.EncryptionOptions;
 import org.pgpainless.encryption_signing.EncryptionStream;
 import org.pgpainless.encryption_signing.ProducerOptions;
@@ -148,12 +148,12 @@ public class Encrypt {
         EncryptionStream encryptor = PGPainless.encryptAndOrSign()
                 .onOutputStream(ciphertext)
                 .withOptions(ProducerOptions.signAndEncrypt(
-                        // we want to encrypt communication (affects key selection based on key flags)
-                        EncryptionOptions.encryptCommunications()
-                                .addRecipient(certificateBob)
-                                .addRecipient(certificateAlice),
-                        new SigningOptions()
-                                .addInlineSignature(protectorAlice, keyAlice, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
+                                // we want to encrypt communication (affects key selection based on key flags)
+                                EncryptionOptions.encryptCommunications()
+                                        .addRecipient(certificateBob)
+                                        .addRecipient(certificateAlice),
+                                new SigningOptions()
+                                        .addInlineSignature(protectorAlice, keyAlice, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT)
                         ).setAsciiArmor(true)
                 );
 
@@ -176,9 +176,9 @@ public class Encrypt {
         decryptor.close();
 
         // Check the metadata to see how the message was encrypted/signed
-        OpenPgpMetadata metadata = decryptor.getResult();
+        MessageMetadata metadata = decryptor.getMetadata();
         assertTrue(metadata.isEncrypted());
-        assertTrue(metadata.containsVerifiedSignatureFrom(certificateAlice));
+        assertTrue(metadata.isVerifiedSignedBy(certificateAlice));
         assertEquals(message, plaintext.toString());
     }
 
@@ -236,10 +236,10 @@ public class Encrypt {
         // plaintext message to encrypt
         String message = "Hello, World!\n";
         String[] comments = {
-        		"This comment was added using options.",
-        		"And it has three lines.",
-        		" ",
-        		"Empty lines are skipped."
+                "This comment was added using options.",
+                "And it has three lines.",
+                " ",
+                "Empty lines are skipped."
         };
         String comment = comments[0] + "\n" + comments[1] + "\n" + comments[2] + "\n" + comments[3];
         ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
@@ -247,12 +247,12 @@ public class Encrypt {
         EncryptionStream encryptor = PGPainless.encryptAndOrSign()
                 .onOutputStream(ciphertext)
                 .withOptions(ProducerOptions.encrypt(
-                        // we want to encrypt communication (affects key selection based on key flags)
-                        EncryptionOptions.encryptCommunications()
-                                .addRecipient(certificateBob)
-                                .addRecipient(certificateAlice)
-                        ).setAsciiArmor(true)
-                		.setComment(comment)
+                                        // we want to encrypt communication (affects key selection based on key flags)
+                                        EncryptionOptions.encryptCommunications()
+                                                .addRecipient(certificateBob)
+                                                .addRecipient(certificateAlice)
+                                ).setAsciiArmor(true)
+                                .setComment(comment)
                 );
 
         // Pipe data trough and CLOSE the stream (important)
@@ -281,10 +281,8 @@ public class Encrypt {
         decryptor.close();
 
         // Check the metadata to see how the message was encrypted/signed
-        OpenPgpMetadata metadata = decryptor.getResult();
+        MessageMetadata metadata = decryptor.getMetadata();
         assertTrue(metadata.isEncrypted());
         assertEquals(message, plaintext.toString());
     }
-
-
 }

From 2c7801b7590e4080bb5964997b239f44c782304c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 16:09:37 +0100
Subject: [PATCH 0838/1450] Add MatchMakingSecretKeyRingProtectorTest

---
 ...MatchMakingSecretKeyRingProtectorTest.java | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java
new file mode 100644
index 00000000..9dc2b6c6
--- /dev/null
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtectorTest.java
@@ -0,0 +1,108 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.util.Passphrase;
+
+public class MatchMakingSecretKeyRingProtectorTest {
+
+    private static final String PROTECTED_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 0221 626A 3B5A 4705 7A41  7EAB 2B9F C90E 44FA 1947\n" +
+            "Comment: Alice\n" +
+            "\n" +
+            "lIYEY3zkcRYJKwYBBAHaRw8BAQdAzww+ctlV7imTD/LSQlVn3onybSvQa54CIUaN\n" +
+            "xN9FDFH+CQMCqDw0ZfofkfxgK7+uSfi7btqa6+o+zGkKfKQCvYCuU5gorD7vyOFL\n" +
+            "2ezeQOjb17HHaKbJqLrx+p+LS2uU2f3cwa73PFHwNcBoDLRTrUXjzrQFQWxpY2WI\n" +
+            "jwQTFgoAQQUCY3zkcQkQK5/JDkT6GUcWIQQCIWJqO1pHBXpBfqsrn8kORPoZRwKe\n" +
+            "AQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAABTCQD9HCDmb8LlO+n/5jJv7n6gAHCA\n" +
+            "UUNAe7xU4WcYSxLpTPIBAOxBmbZiDai0QwDOqNihpwrInu82fRi8OEpSjE/9OrEC\n" +
+            "nIsEY3zkcRIKKwYBBAGXVQEFAQEHQBsnJtVYXMaGB4BDcUEKB1v/lsXJ1z+favfn\n" +
+            "e73/crYEAwEIB/4JAwKoPDRl+h+R/GBdZY7QJt8TPaXckyOR1eZvUejD+Vw/slB1\n" +
+            "3KUwGI/3MG2iJYp924wP67DewZI89eYHu24wN75XxVKAGnUX5n7Dr2JIB79liHUE\n" +
+            "GBYKAB0FAmN85HECngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRArn8kORPoZR5bF\n" +
+            "APsHLmhDRDV2Ra0BsfQRNI2yMXxVRFD/ZzryWFT/BPNGUAEA9cnhItp9ucqBbeWE\n" +
+            "PDzf1vdx5BCNYhRpOqGjGtFgMQGchgRjfORxFgkrBgEEAdpHDwEBB0AAvsniUT76\n" +
+            "OeLyq9e1bgdsDLiGrtroSt6wR/B94Dm5uP4JAwKoPDRl+h+R/GC8mQnynSzBJXdy\n" +
+            "DFDnxOieEOh7390vs3P4NwULTqV12sAQ6i5MbsIHnFMtYCCA9aOPlpofQ0Sm3m6q\n" +
+            "T/uyx9RE1LRiceW5iNUEGBYKAH0FAmN85HECngECmwIFFgIDAQAECwkIBwUVCgkI\n" +
+            "C18gBBkWCgAGBQJjfORxAAoJEGiOcMMZDPmyw7QBAJuNTLiNWgieuGOVCAmkaN6g\n" +
+            "L6JlYYwqFS88zzDLJJq5AQDwKt+jvKco6Mya3b1NEXogBLhWHTle9deL07NrCwp4\n" +
+            "AwAKCRArn8kORPoZR7r0AP0TDUKaooNfW2MWqLWHbbIhdWFIQEYIGnGSFj28y6t1\n" +
+            "zQD/UFtpzBP5ZlTUtZCdjNqo9SEPktbiOxTS8m4SW7xeNwE=\n" +
+            "=91/N\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+    private static final String PASSWORD = "sw0rdf1sh";
+    private static final String UNPROTECTED_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9A0A F461 3E00 E1D4 4C29  601E AAF1 12F4 64BB 1E8E\n" +
+            "Comment: Bob\n" +
+            "\n" +
+            "lFgEY3zlDBYJKwYBBAHaRw8BAQdAvHofWedfSBvyW2+gCADX9CptwFzqVea4A2tL\n" +
+            "zr3wnwsAAP9ICAoMGkgdNLy3LiVP0q4+OljXcQTIAJbJ2wCpIF9Y7g05tANCb2KI\n" +
+            "jwQTFgoAQQUCY3zlDAkQqvES9GS7Ho4WIQSaCvRhPgDh1EwpYB6q8RL0ZLsejgKe\n" +
+            "AQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAAAZ8QD/fEW105B77KBt/OmA0QLTq3GG\n" +
+            "5PI6kITM8+2cd60VOzEA/ivzkhmtdvHzmOARBl81Y3LfeRWWm45z/dYDnffk/DcI\n" +
+            "nF0EY3zlDBIKKwYBBAGXVQEFAQEHQC1sYpvzEsjCoTOKEllFkWA3U51FXsHbbALq\n" +
+            "QfprOrYKAwEIBwAA/3H4zdk83/0A55hJxBIgh3v/+EV1RKPDCjMHjI5ULc7AEa6I\n" +
+            "dQQYFgoAHQUCY3zlDAKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEKrxEvRkux6O\n" +
+            "pEsA/imXUEpj6mKkT4ZBioT7Gn2mUR4iMGS/pt7QBscDX2/PAP9FFRzsaDII1K+i\n" +
+            "zW5sHEif9EjgX6ThIpg8z4/5/7yQBZxYBGN85QwWCSsGAQQB2kcPAQEHQDTAYxP0\n" +
+            "rH0tjpOKOxdoHKq87n4tYXd1t/A9Nzjbl36AAAD+PMBIpNmN+k3THARd9UGQtLo4\n" +
+            "nieLnqbuPVtMps0kQjgQxojVBBgWCgB9BQJjfOUMAp4BApsCBRYCAwEABAsJCAcF\n" +
+            "FQoJCAtfIAQZFgoABgUCY3zlDAAKCRB0YfQ676jh4zoMAP98SwGcoy8Vzk8QnQ0X\n" +
+            "gziC+4HtmTLuiDVAvrMLpPz5cwD8C40DDHEjrOJs9bgyOeTELXtjq40Wrt2Fld0G\n" +
+            "3JJpFAwACgkQqvES9GS7Ho7EXwD7BwICVWrg458XKpy2EXGSI3mGA47EbyyFc9X3\n" +
+            "lBzjnCgA/jUBlZE2LhpAyMTbjDC9eAD1iXeTALdRKBeqnZrQTL0N\n" +
+            "=OypZ\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    @Test
+    public void addSamePasswordTwice() throws IOException {
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(PROTECTED_KEY);
+        MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+        protector.addPassphrase(Passphrase.fromPassword(PASSWORD));
+        protector.addPassphrase(Passphrase.fromPassword(PASSWORD));
+        protector.addSecretKey(key);
+
+        assertTrue(protector.hasPassphraseFor(key.getPublicKey().getKeyID()));
+    }
+
+    @Test
+    public void addKeyTwiceAndEmptyPasswordTest() throws IOException {
+        PGPSecretKeyRing unprotectedKey = PGPainless.readKeyRing().secretKeyRing(UNPROTECTED_KEY);
+        MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+        protector.addSecretKey(unprotectedKey);
+        protector.addPassphrase(Passphrase.emptyPassphrase());
+        protector.addSecretKey(unprotectedKey);
+        assertTrue(protector.hasPassphraseFor(unprotectedKey.getPublicKey().getKeyID()));
+    }
+
+    @Test
+    public void getEncryptorTest() throws IOException, PGPException {
+        PGPSecretKeyRing unprotectedKey = PGPainless.readKeyRing().secretKeyRing(UNPROTECTED_KEY);
+        MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
+        protector.addSecretKey(unprotectedKey);
+        assertTrue(protector.hasPassphraseFor(unprotectedKey.getPublicKey().getKeyID()));
+        assertNull(protector.getEncryptor(unprotectedKey.getPublicKey().getKeyID()));
+        assertNull(protector.getDecryptor(unprotectedKey.getPublicKey().getKeyID()));
+
+        PGPSecretKeyRing protectedKey = PGPainless.readKeyRing().secretKeyRing(PROTECTED_KEY);
+        protector.addSecretKey(protectedKey);
+        protector.addPassphrase(Passphrase.fromPassword(PASSWORD));
+        assertNotNull(protector.getEncryptor(protectedKey.getPublicKey().getKeyID()));
+        assertNotNull(protector.getDecryptor(protectedKey.getPublicKey().getKeyID()));
+    }
+}

From b36b5413e2a93bf0d7a7caba0deffa7bc34a8746 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 16:22:01 +0100
Subject: [PATCH 0839/1450] Fix isEncryptedFor()

---
 .../MessageMetadata.java                      |  3 ++
 .../OpenPgpMessageInputStream.java            | 46 ++++++++++++-------
 .../pgpainless/example/DecryptOrVerify.java   |  3 ++
 3 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 7743d32e..8c18eadb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -698,6 +698,9 @@ public class MessageMetadata {
          * @return recipients
          */
         public @Nonnull List getRecipients() {
+            if (recipients == null) {
+                return new ArrayList<>();
+            }
             return new ArrayList<>(recipients);
         }
 
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index a820dca5..263871de 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -428,7 +428,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 }
 
                 // attempt decryption
-                if (decryptPKESKAndStream(subkeyIdentifier, decryptorFactory, pkesk)) {
+                if (decryptPKESKAndStream(esks, subkeyIdentifier, decryptorFactory, pkesk)) {
                     return true;
                 }
             }
@@ -473,7 +473,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
                 PBEDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                         .getPBEDataDecryptorFactory(passphrase);
-                if (decryptSKESKAndStream(skesk, decryptorFactory)) {
+                if (decryptSKESKAndStream(esks, skesk, decryptorFactory)) {
                     return true;
                 }
             }
@@ -506,7 +506,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
 
             PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
-            if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
+            if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) {
                 return true;
             }
         }
@@ -529,7 +529,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 }
 
                 PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
-                if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
+                if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) {
                     return true;
                 }
             }
@@ -561,7 +561,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     LOGGER.debug("Attempt decryption with key " + decryptionKeyId + " while interactively requesting its passphrase");
                     SecretKeyRingProtector protector = options.getSecretKeyProtector(decryptionKey);
                     PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(secretKey, protector);
-                    if (decryptWithPrivateKey(privateKey, decryptionKeyId, pkesk)) {
+                    if (decryptWithPrivateKey(esks, privateKey, decryptionKeyId, pkesk)) {
                         return true;
                     }
                 }
@@ -576,13 +576,14 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
-    private boolean decryptWithPrivateKey(PGPPrivateKey privateKey,
+    private boolean decryptWithPrivateKey(SortedESKs esks,
+                                          PGPPrivateKey privateKey,
                                           SubkeyIdentifier decryptionKeyId,
                                           PGPPublicKeyEncryptedData pkesk)
             throws PGPException, IOException {
         PublicKeyDataDecryptorFactory decryptorFactory = ImplementationFactory.getInstance()
                 .getPublicKeyDataDecryptorFactory(privateKey);
-        return decryptPKESKAndStream(decryptionKeyId, decryptorFactory, pkesk);
+        return decryptPKESKAndStream(esks, decryptionKeyId, decryptorFactory, pkesk);
     }
 
     private static boolean hasUnsupportedS2KSpecifier(PGPSecretKey secretKey, SubkeyIdentifier decryptionKeyId) {
@@ -597,17 +598,23 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
-    private boolean decryptSKESKAndStream(PGPPBEEncryptedData skesk, PBEDataDecryptorFactory decryptorFactory)
+    private boolean decryptSKESKAndStream(SortedESKs esks,
+                                          PGPPBEEncryptedData symEsk,
+                                          PBEDataDecryptorFactory decryptorFactory)
             throws IOException, UnacceptableAlgorithmException {
         try {
-            InputStream decrypted = skesk.getDataStream(decryptorFactory);
-            SessionKey sessionKey = new SessionKey(skesk.getSessionKey(decryptorFactory));
+            InputStream decrypted = symEsk.getDataStream(decryptorFactory);
+            SessionKey sessionKey = new SessionKey(symEsk.getSessionKey(decryptorFactory));
             throwIfUnacceptable(sessionKey.getAlgorithm());
             MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
                     sessionKey.getAlgorithm(), metadata.depth + 1);
             encryptedData.sessionKey = sessionKey;
+            encryptedData.recipients = new ArrayList<>();
+            for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                encryptedData.recipients.add(pkesk.getKeyID());
+            }
             LOGGER.debug("Successfully decrypted data with passphrase");
-            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, skesk, options);
+            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, symEsk, options);
             nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
@@ -618,23 +625,28 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         return false;
     }
 
-    private boolean decryptPKESKAndStream(SubkeyIdentifier decryptionKeyId,
+    private boolean decryptPKESKAndStream(SortedESKs esks,
+                                          SubkeyIdentifier decryptionKeyId,
                                           PublicKeyDataDecryptorFactory decryptorFactory,
-                                          PGPPublicKeyEncryptedData pkesk)
+                                          PGPPublicKeyEncryptedData asymEsk)
             throws IOException, UnacceptableAlgorithmException {
         try {
-            InputStream decrypted = pkesk.getDataStream(decryptorFactory);
-            SessionKey sessionKey = new SessionKey(pkesk.getSessionKey(decryptorFactory));
+            InputStream decrypted = asymEsk.getDataStream(decryptorFactory);
+            SessionKey sessionKey = new SessionKey(asymEsk.getSessionKey(decryptorFactory));
             throwIfUnacceptable(sessionKey.getAlgorithm());
 
             MessageMetadata.EncryptedData encryptedData = new MessageMetadata.EncryptedData(
-                    SymmetricKeyAlgorithm.requireFromId(pkesk.getSymmetricAlgorithm(decryptorFactory)),
+                    SymmetricKeyAlgorithm.requireFromId(asymEsk.getSymmetricAlgorithm(decryptorFactory)),
                     metadata.depth + 1);
             encryptedData.decryptionKey = decryptionKeyId;
             encryptedData.sessionKey = sessionKey;
+            encryptedData.recipients = new ArrayList<>();
+            for (PGPPublicKeyEncryptedData pkesk : esks.pkesks) {
+                encryptedData.recipients.add(pkesk.getKeyID());
+            }
 
             LOGGER.debug("Successfully decrypted data with key " + decryptionKeyId);
-            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, pkesk, options);
+            IntegrityProtectedInputStream integrityProtected = new IntegrityProtectedInputStream(decrypted, asymEsk, options);
             nestedInputStream = new OpenPgpMessageInputStream(integrityProtected, options, encryptedData, policy);
             return true;
         } catch (UnacceptableAlgorithmException e) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
index 2e6c982f..c35b3572 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/example/DecryptOrVerify.java
@@ -170,6 +170,7 @@ public class DecryptOrVerify {
         // The metadata object contains information about the message
         MessageMetadata metadata = decryptionStream.getMetadata();
         assertTrue(metadata.isEncrypted()); // message was encrypted
+        assertTrue(metadata.isEncryptedFor(secretKey));
         assertFalse(metadata.isVerifiedSigned()); // We did not do any signature verification
 
         // The output stream now contains the decrypted message
@@ -202,6 +203,7 @@ public class DecryptOrVerify {
         // metadata with information on the message, like signatures
         MessageMetadata metadata = decryptionStream.getMetadata();
         assertTrue(metadata.isEncrypted()); // messages was in fact encrypted
+        assertTrue(metadata.isEncryptedFor(certificate));
         assertTrue(metadata.isVerifiedSigned()); // the signatures were actually correct
         assertTrue(metadata.isVerifiedSignedBy(certificate)); // the signatures could be verified using the certificate
 
@@ -233,6 +235,7 @@ public class DecryptOrVerify {
             // Get the metadata object for information about the message
             MessageMetadata metadata = verificationStream.getMetadata();
             assertTrue(metadata.isVerifiedSigned()); // signatures were verified successfully
+            assertTrue(metadata.isVerifiedSignedBy(certificate));
             // The output stream we piped to now contains the message
             assertEquals(PLAINTEXT, out.toString());
         }

From 25190fc5df41ad3a6c2acb245d6abf63ce7d197a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 16:27:34 +0100
Subject: [PATCH 0840/1450] SOP: Use new MessageMetadata class

---
 .../decryption_verification/MessageMetadata.java          | 4 ++++
 .../src/main/java/org/pgpainless/sop/DecryptImpl.java     | 6 +++---
 .../main/java/org/pgpainless/sop/InlineVerifyImpl.java    | 8 ++++----
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 8c18eadb..648b99ab 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -69,6 +69,10 @@ public class MessageMetadata {
         return resultBuilder.build();
     }
 
+    public boolean isUsingCleartextSignatureFramework() {
+        return message.isCleartextSigned();
+    }
+
     public boolean isEncrypted() {
         SymmetricKeyAlgorithm algorithm = getEncryptionAlgorithm();
         return algorithm != null && algorithm != SymmetricKeyAlgorithm.NULL;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index ee86f5e8..867024ef 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -21,7 +21,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -136,14 +136,14 @@ public class DecryptImpl implements Decrypt {
             public DecryptionResult writeTo(OutputStream outputStream) throws IOException, SOPGPException.NoSignature {
                 Streams.pipeAll(decryptionStream, outputStream);
                 decryptionStream.close();
-                OpenPgpMetadata metadata = decryptionStream.getResult();
+                MessageMetadata metadata = decryptionStream.getMetadata();
 
                 if (!metadata.isEncrypted()) {
                     throw new SOPGPException.BadData("Data is not encrypted.");
                 }
 
                 List verificationList = new ArrayList<>();
-                for (SignatureVerification signatureVerification : metadata.getVerifiedInbandSignatures()) {
+                for (SignatureVerification signatureVerification : metadata.getVerifiedInlineSignatures()) {
                     verificationList.add(map(signatureVerification));
                 }
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 82ed4282..f33f718b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -17,7 +17,7 @@ import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
+import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -63,12 +63,12 @@ public class InlineVerifyImpl implements InlineVerify {
                     Streams.pipeAll(decryptionStream, outputStream);
                     decryptionStream.close();
 
-                    OpenPgpMetadata metadata = decryptionStream.getResult();
+                    MessageMetadata metadata = decryptionStream.getMetadata();
                     List verificationList = new ArrayList<>();
 
-                    List verifications = metadata.isCleartextSigned() ?
+                    List verifications = metadata.isUsingCleartextSignatureFramework() ?
                             metadata.getVerifiedDetachedSignatures() :
-                            metadata.getVerifiedInbandSignatures();
+                            metadata.getVerifiedInlineSignatures();
 
                     for (SignatureVerification signatureVerification : verifications) {
                         verificationList.add(map(signatureVerification));

From b495e602e58b606472730670750f2185c83b57f2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 22 Nov 2022 16:30:06 +0100
Subject: [PATCH 0841/1450] More precise error message for malformed message

---
 .../pgpainless/decryption_verification/syntax_check/PDA.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index 07a5fdcb..adc5bb39 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -55,7 +55,7 @@ public class PDA {
             inputs.add(input);
         } catch (MalformedOpenPgpMessageException e) {
             MalformedOpenPgpMessageException wrapped = new MalformedOpenPgpMessageException(
-                    "Malformed message: After reading stream " + Arrays.toString(inputs.toArray()) +
+                    "Malformed message: After reading packet sequence " + Arrays.toString(inputs.toArray()) +
                     ", token '" + input + "' is not allowed." +
                     "\nNo transition from state '" + state + "' with stack " + Arrays.toString(stack.toArray()) +
                             (stackSymbol != null ? "||'" + stackSymbol + "'." : "."), e);

From be7349f0b52976f93e4e287b0fd4653a3fbc135d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:07:03 +0100
Subject: [PATCH 0842/1450] Clean up CachingBcPublicKeyDataDecryptorFactory

---
 .../CachingBcPublicKeyDataDecryptorFactory.java        | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
index 3c967224..510b0938 100644
--- a/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
+++ b/pgpainless-core/src/main/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactory.java
@@ -59,16 +59,20 @@ public class CachingBcPublicKeyDataDecryptorFactory
     }
 
     private byte[] lookupSessionKeyData(byte[][] secKeyData) {
-        byte[] sk = secKeyData[0];
-        String key = Base64.toBase64String(sk);
+        String key = toKey(secKeyData);
         byte[] sessionKey = cachedSessionKeys.get(key);
         return copy(sessionKey);
     }
 
     private void cacheSessionKeyData(byte[][] secKeyData, byte[] sessionKey) {
+        String key = toKey(secKeyData);
+        cachedSessionKeys.put(key, copy(sessionKey));
+    }
+
+    private static String toKey(byte[][] secKeyData) {
         byte[] sk = secKeyData[0];
         String key = Base64.toBase64String(sk);
-        cachedSessionKeys.put(key, copy(sessionKey));
+        return key;
     }
 
     private static byte[] copy(byte[] bytes) {

From c72b3a4b8e251a3fa99df0c010a5785b5ce6a7ff Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 23 Nov 2022 20:07:42 +0100
Subject: [PATCH 0843/1450] Improve CachingBcPublicKeyDataDecryptorFactoryTest

---
 .../CachingBcPublicKeyDataDecryptorFactoryTest.java        | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
index 6a43772d..e57df5d9 100644
--- a/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
+++ b/pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java
@@ -25,6 +25,8 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class CachingBcPublicKeyDataDecryptorFactoryTest {
 
     private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
@@ -83,7 +85,9 @@ public class CachingBcPublicKeyDataDecryptorFactoryTest {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         Streams.pipeAll(decryptionStream, out);
         decryptionStream.close();
+        assertEquals("Hello, World!\n", out.toString());
 
+        ciphertextIn = new ByteArrayInputStream(MSG.getBytes());
         decryptionStream = PGPainless.decryptAndOrVerify()
                 .onInputStream(ciphertextIn)
                 .withOptions(ConsumerOptions.get()
@@ -91,5 +95,8 @@ public class CachingBcPublicKeyDataDecryptorFactoryTest {
         out = new ByteArrayOutputStream();
         Streams.pipeAll(decryptionStream, out);
         decryptionStream.close();
+        assertEquals("Hello, World!\n", out.toString());
+
+        cachingFactory.clear();
     }
 }

From a495f2275c233c6ed7989697da67823e122d5e26 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 21:34:25 +0100
Subject: [PATCH 0844/1450] Precise error message for
 IntegrityProtectedInputStream

---
 .../decryption_verification/IntegrityProtectedInputStream.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
index 286160e8..37dcfca4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/IntegrityProtectedInputStream.java
@@ -53,7 +53,7 @@ public class IntegrityProtectedInputStream extends InputStream {
                 }
                 LOGGER.debug("Integrity Protection check passed");
             } catch (PGPException e) {
-                throw new IOException("Failed to verify integrity protection", e);
+                throw new IOException("Data appears to not be integrity protected.", e);
             }
         }
     }

From 5bdd4f6ad04d05a97011ea55639fd381136d4fb7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:09:22 +0100
Subject: [PATCH 0845/1450] Test rejection of messages with unacceptable skesk
 kek algorithm

---
 .../DecryptAndVerifyMessageTest.java          | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
index f7402238..e939de0a 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/DecryptAndVerifyMessageTest.java
@@ -7,6 +7,7 @@ package org.pgpainless.decryption_verification;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
@@ -18,14 +19,17 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestTemplate;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.TestKeys;
 import org.pgpainless.key.util.KeyRingUtils;
+import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.TestAllImplementations;
 
 public class DecryptAndVerifyMessageTest {
@@ -118,4 +122,21 @@ public class DecryptAndVerifyMessageTest {
         assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.JULIET_FINGERPRINT));
         assertEquals(new SubkeyIdentifier(TestKeys.JULIET_FINGERPRINT), metadata.getDecryptionKey());
     }
+
+    @Test
+    public void testDecryptMessageWithUnacceptableSymmetricAlgorithm() {
+        String ciphertext = "-----BEGIN PGP MESSAGE-----\n" +
+                "Version: PGPainless\n" +
+                "\n" +
+                "jA0EAQMCZv8glrLeXPhg0jgBpMN+E8dCuEDxJnSi8/e+HOKcdYQbgQh/MG4Kn7NK\n" +
+                "wRM5wNOFKn8jbsoC+JalzjwzMJSV+ZM1aQ==\n" +
+                "=9aCQ\n" +
+                "-----END PGP MESSAGE-----";
+        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertext.getBytes());
+        assertThrows(MissingDecryptionMethodException.class,
+                () -> PGPainless.decryptAndOrVerify()
+                        .onInputStream(ciphertextIn)
+                        .withOptions(ConsumerOptions.get()
+                                .addDecryptionPassphrase(Passphrase.fromPassword("sw0rdf1sh"))));
+    }
 }

From 68886613a6c0c28a79b411d2e9b230c794a317e4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:14:06 +0100
Subject: [PATCH 0846/1450] SOP KeyReader: wrap IOException in BadData

---
 .../src/main/java/org/pgpainless/sop/KeyReader.java          | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
index 064a5e39..5e6f3a7d 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
@@ -31,7 +31,7 @@ class KeyReader {
             }
             throw e;
         } catch (PGPException e) {
-            throw new IOException("Cannot read keys.", e);
+            throw new SOPGPException.BadData("Cannot read keys.", e);
         }
 
         if (requireContent && (keys == null || keys.size() == 0)) {
@@ -41,7 +41,8 @@ class KeyReader {
         return keys;
     }
 
-    static PGPPublicKeyRingCollection readPublicKeys(InputStream certIn, boolean requireContent) throws IOException {
+    static PGPPublicKeyRingCollection readPublicKeys(InputStream certIn, boolean requireContent)
+            throws IOException {
         PGPPublicKeyRingCollection certs;
         try {
             certs = PGPainless.readKeyRing().publicKeyRingCollection(certIn);

From 9919bbf0136b2a835ef564aba94589115962b7bc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:20:02 +0100
Subject: [PATCH 0847/1450] Enable test for reading broken keys in SOP

---
 .../test/java/org/pgpainless/cli/commands/DearmorCmdTest.java  | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
index 64576bfe..7ebb7308 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/DearmorCmdTest.java
@@ -13,7 +13,6 @@ import java.io.IOException;
 
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.slf4j.LoggerFactory;
@@ -62,8 +61,6 @@ public class DearmorCmdTest extends CLITest {
     }
 
     @Test
-    @Disabled("Enable with SOP-Java 4.0.7")
-    // TODO: Enable
     public void dearmorBrokenArmoredKeyFails() throws IOException {
         // contains a "-"
         String invalidBase64 = "lFgEY2vOkhYJKwYBBAHaRw8BAQdAqGOtLd1tKnuwaYYcdr2/7C0cPiCCggRMKG+Wt32QQdEAAP9VaBzjk/AaAqyykZnQHmS1HByEvRLv5/4yJMSr22451BFjtBRhbGljZUBwZ3BhaW5sZXNzLm9yZ4iOBBMWCgBBBQJja86SCRCLB1F3AflTTBYhBGLp3aTyD4NB0rxLT-IsHUXcB+VNMAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACZhAP4s8hn/RBDvyLvGROOd15EYATnWlgyi+b5WXP6cELalJwD1FZy3RROhfNtZWcJPS43fG03pYNyb0NXoitIMAaXEB5xdBGNrzpISCisGAQQBl1UBBQEBB0CqCcYethOynfni8uRO+r/cZWp9hCLy8pRIExKqzcyEFAMBCAcAAP9sRRLoZkLpDaTNNrtIBovXu2ANhL8keUMWtVcuEHnkQA6iiHUEGBYKAB0FAmNrzpICngECmwwFFgIDAQAECwkIBwUVCgkICwAKCRCLB1F3AflTTBVpAP491etrjqCMWx2bBaw3K1vP0Mix6U0vF3J4kP9UeZm6owEA4kX9VAGESvLgIc7CEiswmxdWjxnLQyCRtWXfjgFmYQucWARja86SFgkrBgEEAdpHDwEBB0DBslhDpWC6CV3xJUSo071NSO5Cf4fgOwOj+QHs8mpFbwABAPkQioSydYiMi04LyfPohyrhhcdJDHallQg+jYHHUb2pEJCI1QQYFgoAfQUCY2vOkgKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmNrzpIACgkQiHlkvEXh+f1eywEA9A2GLU9LxCJxZf2X4qcZY//YJDChIZHPnY0Vaek1DsMBAN1YILrH2rxQeCXjm4bUKfJIRrGt6ZJscwORgNI1dFQFAAoJEIsHUXcB+VNMK3gA/3vvPm57JsHA860wlB4D1II71oFNL8TFnJqTAvpSKe1AAP49S4mKB4PE0ElcDo7n+nEYt6ba8IMRDlMorsH85mUgCw==";

From 39d656d2dd86ccf758bf32b1e2d8a8ad5b9a979d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:22:21 +0100
Subject: [PATCH 0848/1450] Add javadoc for HardwareDataDecryptorFactory
 constructor argument

---
 .../org/pgpainless/decryption_verification/HardwareSecurity.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
index daf902d4..cdadf2c4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/HardwareSecurity.java
@@ -51,6 +51,7 @@ public class HardwareSecurity {
         /**
          * Create a new {@link HardwareDataDecryptorFactory}.
          *
+         * @param subkeyIdentifier identifier of the decryption subkey
          * @param callback decryption callback
          */
         public HardwareDataDecryptorFactory(SubkeyIdentifier subkeyIdentifier, DecryptionCallback callback) {

From e88a88a447e78c3ee7bc5bea703eed1fffbde6d2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:24:12 +0100
Subject: [PATCH 0849/1450] Add javadoc for OpenPgpMessageInputStream factory
 method return value

---
 .../decryption_verification/OpenPgpMessageInputStream.java      | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 263871de..c26c949b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -105,6 +105,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
      *
      * @param inputStream underlying input stream
      * @param options options for consuming the stream
+     * @return input stream that consumes OpenPGP messages
      *
      * @throws IOException in case of an IO error
      * @throws PGPException in case of an OpenPGP error
@@ -123,6 +124,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
      * @param inputStream underlying input stream containing the OpenPGP message
      * @param options options for consuming the message
      * @param policy policy for acceptable algorithms etc.
+     * @return input stream that consumes OpenPGP messages
      *
      * @throws PGPException in case of an OpenPGP error
      * @throws IOException in case of an IO error

From ce049bf9a42b8a70cc6c1e9acba2effefab989de Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:25:27 +0100
Subject: [PATCH 0850/1450] PGPainless 1.4.0-rc2

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9fc7e655..0a335092 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.0-rc2-SNAPSHOT
+## 1.4.0-rc2
 - Bump `bcpg-jdk15to18` to `1.72.3`
 - Use BCs `PGPEncryptedDataList.extractSessionKeyEncryptedData()` method
   to do decryption using session keys. This enables decryption of messages
diff --git a/README.md b/README.md
index 1855f742..30af42f8 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.0-rc1'
+	implementation 'org.pgpainless:pgpainless-core:1.4.0-rc2'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 893804dd..2e4927a6 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.0-rc1"
+    implementation "org.pgpainless:pgpainless-sop:1.4.0-rc2"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.0-rc1
+        1.4.0-rc2
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 86fc8f54..aee46cd8 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.0-rc2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From c8c93594853a881e527624e8d8044cc5e94c96da Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 24 Nov 2022 22:28:15 +0100
Subject: [PATCH 0851/1450] PGPainless 1.4.0-rc3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index aee46cd8..2d9745dd 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.0-rc2'
-        isSnapshot = false
+        shortVersion = '1.4.0-rc3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 3f70936ff158c7d0c0b884751cb2d0ad38541b55 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 14:26:55 +0100
Subject: [PATCH 0852/1450] Add documetation to PDA class

---
 .../syntax_check/PDA.java                     | 39 +++++++++++++++++--
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
index adc5bb39..7d7cf973 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/PDA.java
@@ -9,6 +9,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -17,6 +18,12 @@ import java.util.Stack;
 import static org.pgpainless.decryption_verification.syntax_check.StackSymbol.msg;
 import static org.pgpainless.decryption_verification.syntax_check.StackSymbol.terminus;
 
+/**
+ * Pushdown Automaton for validating context-free languages.
+ * In PGPainless, this class is used to validate OpenPGP message packet sequences against the allowed syntax.
+ *
+ * @see OpenPGP Message Syntax
+ */
 public class PDA {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PDA.class);
@@ -36,6 +43,13 @@ public class PDA {
         this(new OpenPgpMessageSyntax(), State.OpenPgpMessage, terminus, msg);
     }
 
+    /**
+     * Construct a PDA with a custom {@link Syntax}, initial {@link State} and initial {@link StackSymbol StackSymbols}.
+     *
+     * @param syntax syntax
+     * @param initialState initial state
+     * @param initialStack zero or more initial stack items (get pushed onto the stack in order of appearance)
+     */
     public PDA(@Nonnull Syntax syntax, @Nonnull State initialState, @Nonnull StackSymbol... initialStack) {
         this.syntax = syntax;
         this.state = initialState;
@@ -44,7 +58,16 @@ public class PDA {
         }
     }
 
-    public void next(InputSymbol input) throws MalformedOpenPgpMessageException {
+    /**
+     * Process the next {@link InputSymbol}.
+     * This will either leave the PDA in the next state, or throw a {@link MalformedOpenPgpMessageException} if the
+     * input symbol is rejected.
+     *
+     * @param input input symbol
+     * @throws MalformedOpenPgpMessageException if the input symbol is rejected
+     */
+    public void next(@Nonnull InputSymbol input)
+            throws MalformedOpenPgpMessageException {
         StackSymbol stackSymbol = popStack();
         try {
             Transition transition = syntax.transition(state, input, stackSymbol);
@@ -69,11 +92,16 @@ public class PDA {
      *
      * @return state
      */
-    public State getState() {
+    public @Nonnull State getState() {
         return state;
     }
 
-    public StackSymbol peekStack() {
+    /**
+     * Peek at the stack, returning the topmost stack item without changing the stack.
+     *
+     * @return topmost stack item, or null if stack is empty
+     */
+    public @Nullable StackSymbol peekStack() {
         if (stack.isEmpty()) {
             return null;
         }
@@ -89,6 +117,11 @@ public class PDA {
         return getState() == State.Valid && stack.isEmpty();
     }
 
+    /**
+     * Throw a {@link MalformedOpenPgpMessageException} if the pda is not in a valid state right now.
+     *
+     * @throws MalformedOpenPgpMessageException if the pda is not in an acceptable state
+     */
     public void assertValid() throws MalformedOpenPgpMessageException {
         if (!isValid()) {
             throw new MalformedOpenPgpMessageException("Pushdown Automaton is not in an acceptable state: " + toString());

From 7cc27515272f192fab678bbd32c9fc79bd0bbe27 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 14:38:45 +0100
Subject: [PATCH 0853/1450] Add @Nonnull annotations to OpenPgpMessageSyntax

---
 .../syntax_check/OpenPgpMessageSyntax.java                   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
index c6de8765..6abb507a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
@@ -40,6 +40,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(from, input, stackItem);
     }
 
+    @Nonnull
     Transition fromOpenPgpMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         if (stackItem != StackSymbol.msg) {
@@ -68,6 +69,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         }
     }
 
+    @Nonnull
     Transition fromLiteralMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
@@ -87,6 +89,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.LiteralMessage, input, stackItem);
     }
 
+    @Nonnull
     Transition fromCompressedMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
@@ -106,6 +109,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.CompressedMessage, input, stackItem);
     }
 
+    @Nonnull
     Transition fromEncryptedMessage(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         switch (input) {
@@ -125,6 +129,7 @@ public class OpenPgpMessageSyntax implements Syntax {
         throw new MalformedOpenPgpMessageException(State.EncryptedMessage, input, stackItem);
     }
 
+    @Nonnull
     Transition fromValid(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
         // There is no applicable transition rule out of Valid

From e1ab128c2e01db597d4f584dc3555a89b3c2d810 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 14:40:57 +0100
Subject: [PATCH 0854/1450] Add annotations to GnuPGDummyKeyUtil

---
 .../java/org/gnupg/GnuPGDummyKeyUtil.java     | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
index 983d8e68..42af92d8 100644
--- a/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
+++ b/pgpainless-core/src/main/java/org/gnupg/GnuPGDummyKeyUtil.java
@@ -13,6 +13,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.pgpainless.key.SubkeyIdentifier;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashSet;
@@ -40,7 +41,7 @@ public final class GnuPGDummyKeyUtil {
      * @param secretKeys secret keys
      * @return set of keys with S2K type GNU_DUMMY_S2K and protection mode DIVERT_TO_CARD
      */
-    public static Set getIdsOfKeysWithGnuPGS2KDivertedToCard(PGPSecretKeyRing secretKeys) {
+    public static Set getIdsOfKeysWithGnuPGS2KDivertedToCard(@Nonnull PGPSecretKeyRing secretKeys) {
         Set hardwareBackedKeys = new HashSet<>();
         for (PGPSecretKey secretKey : secretKeys) {
             S2K s2K = secretKey.getS2K();
@@ -65,7 +66,7 @@ public final class GnuPGDummyKeyUtil {
      * @param secretKeys secret keys
      * @return builder
      */
-    public static Builder modify(PGPSecretKeyRing secretKeys) {
+    public static Builder modify(@Nonnull PGPSecretKeyRing secretKeys) {
         return new Builder(secretKeys);
     }
 
@@ -73,7 +74,7 @@ public final class GnuPGDummyKeyUtil {
 
         private final PGPSecretKeyRing keys;
 
-        private Builder(PGPSecretKeyRing keys) {
+        private Builder(@Nonnull PGPSecretKeyRing keys) {
             this.keys = keys;
         }
 
@@ -84,7 +85,7 @@ public final class GnuPGDummyKeyUtil {
          * @param filter filter to select keys for removal
          * @return modified key ring
          */
-        public PGPSecretKeyRing removePrivateKeys(KeyFilter filter) {
+        public PGPSecretKeyRing removePrivateKeys(@Nonnull KeyFilter filter) {
             return replacePrivateKeys(GnuPGDummyExtension.NO_PRIVATE_KEY, null, filter);
         }
 
@@ -92,13 +93,12 @@ public final class GnuPGDummyKeyUtil {
          * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
          * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}.
          * This method will set the serial number of the card to 0x00000000000000000000000000000000.
-         *
          * NOTE: This method does not actually move any keys to a card.
          *
          * @param filter filter to select keys for removal
          * @return modified key ring
          */
-        public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter) {
+        public PGPSecretKeyRing divertPrivateKeysToCard(@Nonnull KeyFilter filter) {
             return divertPrivateKeysToCard(filter, new byte[16]);
         }
 
@@ -106,21 +106,22 @@ public final class GnuPGDummyKeyUtil {
          * Remove all private keys that match the given {@link KeyFilter} from the key ring and replace them with
          * GNU_DUMMY keys with S2K protection mode {@link GnuPGDummyExtension#DIVERT_TO_CARD}.
          * This method will include the card serial number into the encoded dummy key.
-         *
          * NOTE: This method does not actually move any keys to a card.
          *
          * @param filter filter to select keys for removal
          * @param cardSerialNumber serial number of the card (at most 16 bytes long)
          * @return modified key ring
          */
-        public PGPSecretKeyRing divertPrivateKeysToCard(KeyFilter filter, byte[] cardSerialNumber) {
+        public PGPSecretKeyRing divertPrivateKeysToCard(@Nonnull KeyFilter filter, @Nullable byte[] cardSerialNumber) {
             if (cardSerialNumber != null && cardSerialNumber.length > 16) {
                 throw new IllegalArgumentException("Card serial number length cannot exceed 16 bytes.");
             }
             return replacePrivateKeys(GnuPGDummyExtension.DIVERT_TO_CARD, cardSerialNumber, filter);
         }
 
-        private PGPSecretKeyRing replacePrivateKeys(GnuPGDummyExtension extension, byte[] serial, KeyFilter filter) {
+        private PGPSecretKeyRing replacePrivateKeys(@Nonnull GnuPGDummyExtension extension,
+                                                    @Nullable byte[] serial,
+                                                    @Nonnull KeyFilter filter) {
             byte[] encodedSerial = serial != null ? encodeSerial(serial) : null;
             S2K s2k = extensionToS2K(extension);
 

From 4426895814952b6ec10e4e7a9a49b2dd358dd200 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 14:55:46 +0100
Subject: [PATCH 0855/1450] Add tests for CollectionUtils

---
 .../pgpainless/util/CollectionUtilsTest.java  | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/util/CollectionUtilsTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/util/CollectionUtilsTest.java b/pgpainless-core/src/test/java/org/pgpainless/util/CollectionUtilsTest.java
new file mode 100644
index 00000000..2bfe6cb1
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/CollectionUtilsTest.java
@@ -0,0 +1,112 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.util;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+public class CollectionUtilsTest {
+
+    @Test
+    public void testConcat() {
+        String a = "A";
+        String[] bc = new String[] {"B", "C"};
+
+        String[] abc = CollectionUtils.concat(a, bc);
+        assertArrayEquals(new String[] {"A", "B", "C"}, abc);
+    }
+
+    @Test
+    public void testConcatWithEmptyArray() {
+        String a = "A";
+        String[] empty = new String[0];
+
+        String[] concat = CollectionUtils.concat(a, empty);
+        assertArrayEquals(new String[] {"A"}, concat);
+    }
+
+    @Test
+    public void iteratorToListTest() {
+        List list = Arrays.asList("A", "B", "C");
+        Iterator iterator = list.iterator();
+
+        List listFromIterator = CollectionUtils.iteratorToList(iterator);
+        assertEquals(list, listFromIterator);
+    }
+
+    @Test
+    public void iteratorToList_emptyIteratorTest() {
+        Iterator iterator = Collections.emptyIterator();
+
+        List listFromIterator = CollectionUtils.iteratorToList(iterator);
+        assertTrue(listFromIterator.isEmpty());
+    }
+
+    @Test
+    public void containsTest() {
+        String[] abc = new String[] {"A", "B", "C"};
+
+        assertTrue(CollectionUtils.contains(abc, "A"));
+        assertTrue(CollectionUtils.contains(abc, "B"));
+        assertTrue(CollectionUtils.contains(abc, "C"));
+        assertFalse(CollectionUtils.contains(abc, "D"));
+    }
+
+    @Test
+    public void contains_emptyTest() {
+        String[] empty = new String[0];
+
+        assertFalse(CollectionUtils.contains(empty, "A"));
+    }
+
+    @Test
+    public void addAllTest() {
+        List list = new ArrayList<>();
+        list.add("A");
+        list.add("B");
+
+        List other = new ArrayList<>();
+        other.add("C");
+        other.add("D");
+        Iterator iterator = other.iterator();
+
+        CollectionUtils.addAll(iterator, list);
+
+        assertEquals(Arrays.asList("A", "B", "C", "D"), list);
+    }
+
+    @Test
+    public void addAllEmptyListTest() {
+        List empty = new ArrayList<>();
+
+        List other = Arrays.asList("A", "B", "C");
+        Iterator iterator = other.iterator();
+
+        CollectionUtils.addAll(iterator, empty);
+        assertEquals(Arrays.asList("A", "B", "C"), empty);
+    }
+
+    @Test
+    public void addAllEmptyIterator() {
+        List list = new ArrayList<>();
+        list.add("A");
+        list.add("B");
+
+        Iterator iterator = Collections.emptyIterator();
+
+        CollectionUtils.addAll(iterator, list);
+        assertEquals(Arrays.asList("A", "B"), list);
+    }
+}

From ae6a427d90a29aa030ee4cc8a96b9316c0004192 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 15:34:54 +0100
Subject: [PATCH 0856/1450] Add test for UniversalSignatureBuilder

---
 .../builder/UniversalSignatureBuilder.java    |  3 +-
 .../subpackets/SignatureSubpackets.java       |  4 +
 .../UniversalSignatureBuilderTest.java        | 90 +++++++++++++++++++
 3 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java
index b3ed5bf0..7ca512bf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/UniversalSignatureBuilder.java
@@ -12,7 +12,6 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureGenerator;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.subpackets.BaseSignatureSubpackets;
 import org.pgpainless.signature.subpackets.SignatureSubpackets;
 
 /**
@@ -43,7 +42,7 @@ public class UniversalSignatureBuilder extends AbstractSignatureBuilder {
+
+    }
+
     public static SignatureSubpackets refreshHashedSubpackets(PGPPublicKey issuer, PGPSignature oldSignature) {
         return createHashedSubpacketsFrom(issuer, oldSignature.getHashedSubPackets());
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java
new file mode 100644
index 00000000..37bc6fd3
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/UniversalSignatureBuilderTest.java
@@ -0,0 +1,90 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.signature.builder;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+import java.io.IOException;
+
+import org.bouncycastle.bcpg.sig.PrimaryUserID;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+import org.pgpainless.signature.subpackets.SignatureSubpackets;
+
+public class UniversalSignatureBuilderTest {
+
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Version: PGPainless\n" +
+            "Comment: 9611 510F 313E DBC2 BBBC  DC24 3BAD F1F8 3E70 DC34\n" +
+            "Comment: Signora Universa \n" +
+            "\n" +
+            "lFgEY4DKKRYJKwYBBAHaRw8BAQdA65vJxvvLASI/gczDP8ZKH4C+16MLU7F5iP91\n" +
+            "8WWUqM0AAQCRSTHLLQWT9tuNRgkG3xaIiBGkEGD7Ou/R3oga6tc1MA8UtClTaWdu\n" +
+            "b3JhIFVuaXZlcnNhIDxzaWdub3JhQHBncGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJj\n" +
+            "gMopCRA7rfH4PnDcNBYhBJYRUQ8xPtvCu7zcJDut8fg+cNw0Ap4BApsBBRYCAwEA\n" +
+            "BAsJCAcFFQoJCAsCmQEAAOgMAPwIOXWt3EBBusK5Ps3m7p/5HsecZv3IXtscEQBx\n" +
+            "vKlULwD/YuLP1XJSqcE2cQJRNt6OLi9Nt02MKBYkhWrRCYZAcQicXQRjgMopEgor\n" +
+            "BgEEAZdVAQUBAQdAWTstuhvHwmSXaQ4Vh8yxl0DZcvjrWkZI+n9/uFBxEmoDAQgH\n" +
+            "AAD/eRt6kgOMzWsTuM00am4UhSygxmDt7h6JkBTnpyyhK0gPiYh1BBgWCgAdBQJj\n" +
+            "gMopAp4BApsMBRYCAwEABAsJCAcFFQoJCAsACgkQO63x+D5w3DRnZAEA6GlS9Tw8\n" +
+            "9SJlUvh5aciYSlQUplnEdng+Pvzbj74zcXIA/2OkyMN428ddNhkHWWkZCMOxApum\n" +
+            "/zNDSYMwvByQ2KcFnFgEY4DKKRYJKwYBBAHaRw8BAQdAfhPrtVuG3g/zXF51VrPv\n" +
+            "kpQQk9aqjrkBMI0qlztBpu0AAP9Mw7NCsAVwg9CgmSzG2ATIDp3yf/4BGVYDs7qu\n" +
+            "+sbn7xKIiNUEGBYKAH0FAmOAyikCngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkW\n" +
+            "CgAGBQJjgMopAAoJENmzwZA/hq5ZCqIBAMYeOnASBd+WWta7Teh3g7Bl7sFY42Qy\n" +
+            "0OnaSGk/pLm9AP4yC62Xpb9DhWeiQIOY7k5n4lhNn173IfzDK6KXzBKkBgAKCRA7\n" +
+            "rfH4PnDcNMInAP4oanG9tbuczBNLN3JY4Hg4AaB+w5kfdOJxKwnAw7U0cgEAtasg\n" +
+            "67qSjHvsEvjNKeXzUm+db7NWP3fpIHxAmjWVjwM=\n" +
+            "=Dqbd\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+
+    private PGPSecretKeyRing secretKeys;
+    private final SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+
+    @BeforeEach
+    public void parseKey() throws IOException {
+        secretKeys = PGPainless.readKeyRing().secretKeyRing(KEY);
+    }
+
+    @Test
+    public void createPetNameSignature() throws PGPException {
+        PGPSecretKey signingKey = secretKeys.getSecretKey();
+        PGPSignature archetype = signingKey.getPublicKey().getSignatures().next();
+        UniversalSignatureBuilder builder = new UniversalSignatureBuilder(
+                signingKey, protector, archetype);
+
+        builder.applyCallback(new SignatureSubpackets.Callback() {
+            @Override
+            public void modifyHashedSubpackets(SignatureSubpackets hashedSubpackets) {
+                hashedSubpackets.setExportable(true, false);
+                hashedSubpackets.setPrimaryUserId(new PrimaryUserID(false, false));
+            }
+        });
+
+        PGPSignatureGenerator generator = builder.getSignatureGenerator();
+
+        String petName = "mykey";
+        PGPSignature petNameSig = generator.generateCertification(petName, secretKeys.getPublicKey());
+
+        assertEquals(SignatureType.POSITIVE_CERTIFICATION.getCode(), petNameSig.getSignatureType());
+        assertEquals(4, petNameSig.getVersion());
+        assertEquals(signingKey.getKeyID(), petNameSig.getKeyID());
+        assertEquals(HashAlgorithm.SHA512.getAlgorithmId(), petNameSig.getHashAlgorithm());
+        assertEquals(KeyFlag.toBitmask(KeyFlag.CERTIFY_OTHER), petNameSig.getHashedSubPackets().getKeyFlags());
+        assertFalse(petNameSig.getHashedSubPackets().isExportable());
+        assertFalse(petNameSig.getHashedSubPackets().isPrimaryUserID());
+    }
+}

From 6913aa3d6dce6566715c12ffdca4f7863691ba7d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 25 Nov 2022 15:41:56 +0100
Subject: [PATCH 0857/1450] Add more tests for RevocationState

---
 .../pgpainless/algorithm/RevocationStateTest.java   | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
index c1e45413..e23d92d3 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
@@ -72,6 +72,8 @@ public class RevocationStateTest {
         Date now = new Date();
         assertEquals(RevocationState.softRevoked(now), RevocationState.softRevoked(now));
 
+        assertEquals(1, RevocationState.softRevoked(now).compareTo(RevocationState.notRevoked()));
+
         assertEquals(0, RevocationState.notRevoked().compareTo(RevocationState.notRevoked()));
         assertEquals(0, RevocationState.hardRevoked().compareTo(RevocationState.hardRevoked()));
         assertTrue(RevocationState.hardRevoked().compareTo(RevocationState.notRevoked()) > 0);
@@ -93,4 +95,15 @@ public class RevocationStateTest {
 
         assertEquals(states, Arrays.asList(not, not2, laterSoft, earlySoft, hard));
     }
+
+    @SuppressWarnings({"SimplifiableAssertion", "ConstantConditions", "EqualsWithItself", "EqualsBetweenInconvertibleTypes"})
+    @Test
+    public void equalsTest() {
+        RevocationState rev = RevocationState.hardRevoked();
+        assertFalse(rev.equals(null));
+        assertTrue(rev.equals(rev));
+        assertFalse(rev.equals("not a revocation"));
+        RevocationState other = RevocationState.notRevoked();
+        assertFalse(rev.equals(other));
+    }
 }

From b0c283e1435f859a5d23e1b656bc512a90f19638 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Nov 2022 15:34:04 +0100
Subject: [PATCH 0858/1450] Clean up UserId.toString() behavior

---
 .../java/org/pgpainless/key/util/UserId.java  | 37 ++++++++++---------
 .../java/org/pgpainless/key/UserIdTest.java   | 10 ++---
 .../GenerateKeyWithAdditionalUserIdTest.java  |  6 +--
 3 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index ca233759..25db7e39 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -5,6 +5,7 @@
 package org.pgpainless.key.util;
 
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 public final class UserId implements CharSequence {
     public static final class Builder {
@@ -64,18 +65,18 @@ public final class UserId implements CharSequence {
     private final String email;
     private long hash = Long.MAX_VALUE;
 
-    private UserId(String name, String comment, String email) {
-        this.name = name;
-        this.comment = comment;
-        this.email = email;
+    private UserId(@Nullable String name, @Nullable String comment, @Nullable String email) {
+        this.name = name == null ? null : name.trim();
+        this.comment = comment == null ? null : comment.trim();
+        this.email = email == null ? null : email.trim();
     }
 
-    public static UserId onlyEmail(String email) {
+    public static UserId onlyEmail(@Nonnull String email) {
         checkNotNull("email", email);
         return new UserId(null, null, email);
     }
 
-    public static UserId nameAndEmail(String name, String email) {
+    public static UserId nameAndEmail(@Nonnull String name, @Nonnull String email) {
         checkNotNull("name", name);
         checkNotNull("email", email);
         return new UserId(name, null, email);
@@ -118,27 +119,29 @@ public final class UserId implements CharSequence {
 
     @Override
     public @Nonnull String toString() {
-        return asString(false);
+        return asString();
     }
 
     /**
      * Returns a string representation of the object.
-     * @param ignoreEmptyValues Flag which indicates that empty string values should not be outputted.
      * @return a string representation of the object.
      */
-    public String asString(boolean ignoreEmptyValues) {
+    public String asString() {
         StringBuilder sb = new StringBuilder();
-        if (name != null && (!ignoreEmptyValues || !name.isEmpty())) {
+        if (name != null && !name.isEmpty()) {
             sb.append(name);
         }
-        if (comment != null && (!ignoreEmptyValues || !comment.isEmpty())) {
-            sb.append(" (").append(comment).append(')');
+        if (comment != null && !comment.isEmpty()) {
+            if (sb.length() > 0) {
+                sb.append(' ');
+            }
+            sb.append('(').append(comment).append(')');
         }
-        if (email != null && (!ignoreEmptyValues || !email.isEmpty())) {
-            final boolean moreThanJustEmail = sb.length() > 0;
-            if (moreThanJustEmail) sb.append(" <");
-            sb.append(email);
-            if (moreThanJustEmail) sb.append('>');
+        if (email != null && !email.isEmpty()) {
+            if (sb.length() > 0) {
+                sb.append(' ');
+            }
+            sb.append('<').append(email).append('>');
         }
         return sb.toString();
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index 4e596b3f..32d56eff 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -151,15 +151,13 @@ public class UserIdTest {
     @Test
     void testEmailOnlyFormatting() {
         final UserId userId = UserId.onlyEmail("john.smith@example.com");
-        assertEquals("john.smith@example.com", userId.toString());
+        assertEquals("", userId.toString());
     }
 
     @Test
     void testEmptyNameAndValidEmailFormatting() {
         final UserId userId = UserId.nameAndEmail("", "john.smith@example.com");
-        assertEquals("john.smith@example.com", userId.toString());
-        assertEquals("john.smith@example.com", userId.asString(false));
-        assertEquals("john.smith@example.com", userId.asString(true));
+        assertEquals("", userId.toString());
     }
 
     @Test
@@ -169,9 +167,7 @@ public class UserIdTest {
                 .withName("")
                 .withEmail("john.smith@example.com")
                 .build();
-        assertEquals(" () ", userId.toString());
-        assertEquals(" () ", userId.asString(false));
-        assertEquals("john.smith@example.com", userId.asString(true));
+        assertEquals("", userId.toString());
     }
 
     @Test
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
index e68d8e9b..cf12ab57 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/generation/GenerateKeyWithAdditionalUserIdTest.java
@@ -51,9 +51,9 @@ public class GenerateKeyWithAdditionalUserIdTest {
         JUtils.assertDateEquals(expiration, PGPainless.inspectKeyRing(publicKeys).getPrimaryKeyExpirationDate());
 
         Iterator userIds = publicKeys.getPublicKey().getUserIDs();
-        assertEquals("primary@user.id", userIds.next());
-        assertEquals("additional@user.id", userIds.next());
-        assertEquals("additional2@user.id", userIds.next());
+        assertEquals("", userIds.next());
+        assertEquals("", userIds.next());
+        assertEquals("", userIds.next());
         assertEquals("trimThis@user.id", userIds.next());
         assertFalse(userIds.hasNext());
     }

From 4c1d359971106124f2c0c68eb61836a8886d3651 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Nov 2022 15:35:31 +0100
Subject: [PATCH 0859/1450] Deprecate UserId.asString()

---
 .../java/org/pgpainless/key/util/UserId.java   | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 25db7e39..3ac3d77a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -119,14 +119,6 @@ public final class UserId implements CharSequence {
 
     @Override
     public @Nonnull String toString() {
-        return asString();
-    }
-
-    /**
-     * Returns a string representation of the object.
-     * @return a string representation of the object.
-     */
-    public String asString() {
         StringBuilder sb = new StringBuilder();
         if (name != null && !name.isEmpty()) {
             sb.append(name);
@@ -146,6 +138,16 @@ public final class UserId implements CharSequence {
         return sb.toString();
     }
 
+    /**
+     * Returns a string representation of the object.
+     * @return a string representation of the object.
+     * @deprecated use {@link #toString()} instead.
+     */
+    @Deprecated
+    public String asString() {
+        return toString();
+    }
+
     @Override
     public boolean equals(Object o) {
         if (o == null) return false;

From 837fbd36355008fa81c263c510e9201b9752c02e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Nov 2022 15:41:53 +0100
Subject: [PATCH 0860/1450] Simplify UserIdTests

---
 .../java/org/pgpainless/key/util/UserId.java  | 18 +++-------------
 .../java/org/pgpainless/key/UserIdTest.java   | 21 -------------------
 2 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 3ac3d77a..71ee8121 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -22,20 +22,17 @@ public final class UserId implements CharSequence {
             this.email = email;
         }
 
-        public Builder withName(String name) {
-            checkNotNull("name", name);
+        public Builder withName(@Nonnull String name) {
             this.name = name;
             return this;
         }
 
-        public Builder withComment(String comment) {
-            checkNotNull("comment", comment);
+        public Builder withComment(@Nonnull String comment) {
             this.comment = comment;
             return this;
         }
 
-        public Builder withEmail(String email) {
-            checkNotNull("email", email);
+        public Builder withEmail(@Nonnull String email) {
             this.email = email;
             return this;
         }
@@ -72,13 +69,10 @@ public final class UserId implements CharSequence {
     }
 
     public static UserId onlyEmail(@Nonnull String email) {
-        checkNotNull("email", email);
         return new UserId(null, null, email);
     }
 
     public static UserId nameAndEmail(@Nonnull String name, @Nonnull String email) {
-        checkNotNull("name", name);
-        checkNotNull("email", email);
         return new UserId(name, null, email);
     }
 
@@ -180,10 +174,4 @@ public final class UserId implements CharSequence {
                 || (!valueIsNull && !otherValueIsNull
                 && (ignoreCase ? value.equalsIgnoreCase(otherValue) : value.equals(otherValue)));
     }
-
-    private static void checkNotNull(String paramName, String value) {
-        if (value == null) {
-            throw new IllegalArgumentException(paramName + " must be not null");
-        }
-    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index 32d56eff..5fe4d9c9 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -10,25 +10,9 @@ import org.pgpainless.key.util.UserId;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class UserIdTest {
 
-    @Test
-    public void throwForNullName() {
-        assertThrows(IllegalArgumentException.class, () -> UserId.newBuilder().withName(null));
-    }
-
-    @Test
-    public void throwForNullComment() {
-        assertThrows(IllegalArgumentException.class, () -> UserId.newBuilder().withComment(null));
-    }
-
-    @Test
-    public void throwForNullEmail() {
-        assertThrows(IllegalArgumentException.class, () -> UserId.newBuilder().withEmail(null));
-    }
-
     @Test
     public void testFormatOnlyName() {
         assertEquals(
@@ -66,11 +50,6 @@ public class UserIdTest {
                         .toString());
     }
 
-    @Test
-    public void throwIfOnlyEmailEmailNull() {
-        assertThrows(IllegalArgumentException.class, () -> UserId.onlyEmail(null));
-    }
-
     @Test
     public void testNameAndEmail() {
         UserId userId = UserId.nameAndEmail("Maurice Moss", "moss.m@reynholm.co.uk");

From e69c4a8cf709ee55d5f8e6e0ba65bc9526f15308 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 30 Nov 2022 16:06:01 +0100
Subject: [PATCH 0861/1450] More UserId tests

---
 .../java/org/pgpainless/key/UserIdTest.java   | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index 5fe4d9c9..5a553513 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -181,4 +181,35 @@ public class UserIdTest {
         final UserId userId2 = UserId.newBuilder().withComment(comment2).withName(name).withEmail(email).build();
         assertNotEquals(userId1, userId2);
     }
+
+    @Test
+    public void testLength() {
+        UserId id = UserId.nameAndEmail("Alice", "alice@pgpainless.org");
+        assertEquals(28, id.length());
+    }
+
+    @Test
+    public void testSubSequence() {
+        UserId id = UserId.onlyEmail("alice@pgpainless.org");
+        assertEquals("alice@pgpainless.org", id.subSequence(1, id.length() - 1));
+    }
+
+    @Test
+    public void asStringTest() {
+        UserId id = UserId.newBuilder()
+                .withName("Alice")
+                .withComment("Work Email")
+                .withEmail("alice@pgpainless.org")
+                .build();
+
+        // noinspection deprecation
+        assertEquals(id.toString(), id.asString());
+    }
+
+    @Test
+    public void charAtTest() {
+        UserId id = UserId.onlyEmail("alice@pgpainless.org");
+        assertEquals('<', id.charAt(0));
+        assertEquals('>', id.charAt(id.length() - 1));
+    }
 }

From b07e0c2be5952e06c41f79b3271e36b3304c56ba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 1 Dec 2022 14:48:33 +0100
Subject: [PATCH 0862/1450] Programmatically confirm that we do not yet support
 OpenPGP V5 keys :/

---
 .../org/bouncycastle/V5OpenPgpKeyTest.java    | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java

diff --git a/pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java b/pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java
new file mode 100644
index 00000000..b1337bcb
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java
@@ -0,0 +1,61 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.bouncycastle;
+
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+
+import java.io.IOException;
+
+public class V5OpenPgpKeyTest {
+
+    // Both key and cert are provided by Daniel on
+    //  https://mailarchive.ietf.org/arch/msg/openpgp/Z2Mkq9TfvgY5jUJzlNRwgDsDSUk/
+    private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "\n" +
+            "xVwFY4d/4xYAAAAtCSsGAQQB2kcPAQEHQPlNp7tI1gph5WdwamWH0DMZmbud\n" +
+            "iRoIJC6thFQ9+JWjAAD9GXKBexK+cH6NX1hs5hNhIB00TrJmosgv3mg1ditl\n" +
+            "sLcOpMKkBR8WCgAAAB8FAmOHf+MDCwkHBRUKDggMAhYAAhsDAh4JBScJAgcC\n" +
+            "AAAAIyIhBRe8+DZtlDb3rzfq2hVsZJRlblqXac8tXLNF+Lg0NvZSecUms7MC\n" +
+            "rI0Ofp1iKV6QwGFEAQDnd37qxR3r/ezwXEfWUd64NKsHy88o3UG3QasrgR9e\n" +
+            "SwEAmCPJHs0LvoU81IFsYhEYaZok9uC0DhdnO2lwYUbCTAXHYQVjh3/jEgAA\n" +
+            "ADIKKwYBBAGXVQEFAQEHQPz3/CmqzgFI9D6tvzoPlpHQoyKiQ2JWJ4Dtkl2o\n" +
+            "TnFbAwEIBwAA/01gCk95TUR3XFeibg/u/tVY6a//1q0NWC1X+yui3O24Eb3C\n" +
+            "jgUYFgoAAAAJBQJjh3/jAhsMAAAAIyIhBRe8+DZtlDb3rzfq2hVsZJRlblqX\n" +
+            "ac8tXLNF+Lg0NvZS78S6dZamUg5K+sXfU/N1umwTAP9JjPVrtnHjtvYTazZm\n" +
+            "dZhAn8aRLUtGG1owtmLGwCSh6wD/bNrWG4nHfVk/aEHGZ4cjaFlapFr5t1QS\n" +
+            "psL7nEy94gs=\n" +
+            "=5xrR\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----";
+    private static final String CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "\n" +
+            "xjcFY4d/4xYAAAAtCSsGAQQB2kcPAQEHQPlNp7tI1gph5WdwamWH0DMZmbud\n" +
+            "iRoIJC6thFQ9+JWjwqQFHxYKAAAAHwUCY4d/4wMLCQcFFQoOCAwCFgACGwMC\n" +
+            "HgkFJwkCBwIAAAAjIiEFF7z4Nm2UNvevN+raFWxklGVuWpdpzy1cs0X4uDQ2\n" +
+            "9lJ5xSazswKsjQ5+nWIpXpDAYUQBAOd3furFHev97PBcR9ZR3rg0qwfLzyjd\n" +
+            "QbdBqyuBH15LAQCYI8kezQu+hTzUgWxiERhpmiT24LQOF2c7aXBhRsJMBc48\n" +
+            "BWOHf+MSAAAAMgorBgEEAZdVAQUBAQdA/Pf8KarOAUj0Pq2/Og+WkdCjIqJD\n" +
+            "YlYngO2SXahOcVsDAQgHwo4FGBYKAAAACQUCY4d/4wIbDAAAACMiIQUXvPg2\n" +
+            "bZQ296836toVbGSUZW5al2nPLVyzRfi4NDb2Uu/EunWWplIOSvrF31Pzdbps\n" +
+            "EwD/SYz1a7Zx47b2E2s2ZnWYQJ/GkS1LRhtaMLZixsAkoesA/2za1huJx31Z\n" +
+            "P2hBxmeHI2hZWqRa+bdUEqbC+5xMveIL\n" +
+            "=sVUI\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+    @Test
+    @Disabled("BC 1.72 does not yet support V5 keys")
+    public void testParseCert() throws IOException {
+        PGPPublicKeyRing cert = PGPainless.readKeyRing().publicKeyRing(CERT);
+    }
+
+    @Test
+    @Disabled("BC 1.72 does not yet support V5 keys")
+    public void testParseKey() throws IOException {
+        PGPSecretKeyRing key = PGPainless.readKeyRing().secretKeyRing(KEY);
+    }
+}

From bfcfaa04c4c0d6ee98ee31d19a1033162fd484e1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 1 Dec 2022 16:02:45 +0100
Subject: [PATCH 0863/1450] Add UserId.compare(uid1, uid2, comparator) along
 with some default comparators

---
 .../java/org/pgpainless/key/util/UserId.java  | 85 +++++++++++++++++++
 .../java/org/pgpainless/key/UserIdTest.java   | 65 +++++++++++++-
 2 files changed, 147 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 71ee8121..a1b251dc 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.key.util;
 
+import java.util.Comparator;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
@@ -174,4 +175,88 @@ public final class UserId implements CharSequence {
                 || (!valueIsNull && !otherValueIsNull
                 && (ignoreCase ? value.equalsIgnoreCase(otherValue) : value.equals(otherValue)));
     }
+
+    public static int compare(@Nullable UserId o1, @Nullable UserId o2, @Nonnull Comparator comparator) {
+        return comparator.compare(o1, o2);
+    }
+
+    public static class DefaultComparator implements Comparator {
+
+        @Override
+        public int compare(UserId o1, UserId o2) {
+            if (o1 == o2) {
+                return 0;
+            }
+            if (o1 == null) {
+                return -1;
+            }
+            if (o2 == null) {
+                return 1;
+            }
+
+            NullSafeStringComparator c = new NullSafeStringComparator();
+            int cName = c.compare(o1.getName(), o2.getName());
+            if (cName != 0) {
+                return cName;
+            }
+
+            int cComment = c.compare(o1.getComment(), o2.getComment());
+            if (cComment != 0) {
+                return cComment;
+            }
+
+            return c.compare(o1.getEmail(), o2.getEmail());
+        }
+    }
+
+    public static class DefaultIgnoreCaseComparator implements Comparator {
+
+        @Override
+        public int compare(UserId o1, UserId o2) {
+            if (o1 == o2) {
+                return 0;
+            }
+            if (o1 == null) {
+                return -1;
+            }
+            if (o2 == null) {
+                return 1;
+            }
+
+            NullSafeStringComparator c = new NullSafeStringComparator();
+            int cName = c.compare(lower(o1.getName()), lower(o2.getName()));
+            if (cName != 0) {
+                return cName;
+            }
+
+            int cComment = c.compare(lower(o1.getComment()), lower(o2.getComment()));
+            if (cComment != 0) {
+                return cComment;
+            }
+
+            return c.compare(lower(o1.getEmail()), lower(o2.getEmail()));
+        }
+
+        private static String lower(String string) {
+            return string == null ? null : string.toLowerCase();
+        }
+    }
+
+    private static class NullSafeStringComparator implements Comparator {
+
+        @Override
+        public int compare(String o1, String o2) {
+            // noinspection StringEquality
+            if (o1 == o2) {
+                return 0;
+            }
+            if (o1 == null) {
+                return -1;
+            }
+            if (o2 == null) {
+                return 1;
+            }
+            return o1.compareTo(o2);
+        }
+    }
 }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index 5a553513..acc90918 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -4,13 +4,15 @@
 
 package org.pgpainless.key;
 
-import org.junit.jupiter.api.Test;
-import org.pgpainless.key.util.UserId;
-
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
 
+import java.util.Comparator;
+
+import org.junit.jupiter.api.Test;
+import org.pgpainless.key.util.UserId;
+
 public class UserIdTest {
 
     @Test
@@ -212,4 +214,61 @@ public class UserIdTest {
         assertEquals('<', id.charAt(0));
         assertEquals('>', id.charAt(id.length() - 1));
     }
+
+    @Test
+    public void defaultCompareTest() {
+        UserId id1 = UserId.onlyEmail("alice@pgpainless.org");
+        UserId id2 = UserId.onlyEmail("alice@gnupg.org");
+        UserId id3 = UserId.nameAndEmail("Alice", "alice@pgpainless.org");
+        UserId id3_ = UserId.nameAndEmail("Alice", "alice@pgpainless.org");
+        UserId id4 = UserId.newBuilder().withName("Alice").build();
+        UserId id5 = UserId.newBuilder().withName("Alice").withComment("Work Mail").withEmail("alice@pgpainless.org").build();
+
+        assertEquals(id3.hashCode(), id3_.hashCode());
+        assertNotEquals(id2.hashCode(), id3.hashCode());
+
+        Comparator c = new UserId.DefaultComparator();
+        assertEquals(0, UserId.compare(null, null, c));
+        assertEquals(0, UserId.compare(id1, id1, c));
+        assertNotEquals(0, UserId.compare(id1, null, c));
+        assertNotEquals(0, UserId.compare(null, id1, c));
+        assertNotEquals(0, UserId.compare(id1, id2, c));
+        assertNotEquals(0, UserId.compare(id2, id1, c));
+        assertNotEquals(0, UserId.compare(id1, id3, c));
+        assertNotEquals(0, UserId.compare(id1, id4, c));
+        assertNotEquals(0, UserId.compare(id4, id1, c));
+        assertNotEquals(0, UserId.compare(id2, id3, c));
+        assertNotEquals(0, UserId.compare(id1, id5, c));
+        assertNotEquals(0, UserId.compare(id5, id1, c));
+        assertNotEquals(0, UserId.compare(id3, id5, c));
+        assertNotEquals(0, UserId.compare(id5, id3, c));
+        assertEquals(0, UserId.compare(id3, id3, c));
+        assertEquals(0, UserId.compare(id3, id3_, c));
+    }
+
+    @Test
+    public void defaultIgnoreCaseCompareTest() {
+        UserId id1 = UserId.nameAndEmail("Alice", "alice@pgpainless.org");
+        UserId id2 = UserId.nameAndEmail("alice", "alice@pgpainless.org");
+        UserId id3 = UserId.nameAndEmail("Alice", "Alice@Pgpainless.Org");
+        UserId id4 = UserId.newBuilder().withName("Alice").withComment("Work Email").withEmail("Alice@Pgpainless.Org").build();
+        UserId id5 = UserId.newBuilder().withName("alice").withComment("work email").withEmail("alice@pgpainless.org").build();
+        UserId id6 = UserId.nameAndEmail("Bob", "bob@pgpainless.org");
+
+        Comparator c = new UserId.DefaultIgnoreCaseComparator();
+        assertEquals(0, UserId.compare(id1, id2, c));
+        assertEquals(0, UserId.compare(id1, id3, c));
+        assertEquals(0, UserId.compare(id2, id3, c));
+        assertEquals(0, UserId.compare(null, null, c));
+        assertEquals(0, UserId.compare(id1, id1, c));
+        assertEquals(0, UserId.compare(id4, id4, c));
+        assertEquals(0, UserId.compare(id4, id5, c));
+        assertEquals(0, UserId.compare(id5, id4, c));
+        assertNotEquals(0, UserId.compare(null, id1, c));
+        assertNotEquals(0, UserId.compare(id1, null, c));
+        assertNotEquals(0, UserId.compare(id1, id4, c));
+        assertNotEquals(0, UserId.compare(id4, id1, c));
+        assertNotEquals(0, UserId.compare(id1, id6, c));
+        assertNotEquals(0, UserId.compare(id6, id1, c));
+    }
 }

From 907d1c4d1c2eda73ee662f35ea19cf5586d6c301 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 1 Dec 2022 16:04:45 +0100
Subject: [PATCH 0864/1450] move V5OpenPgpKeyTest to org.pgpainless.key

---
 .../org/{bouncycastle => pgpainless/key}/V5OpenPgpKeyTest.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename pgpainless-core/src/test/java/org/{bouncycastle => pgpainless/key}/V5OpenPgpKeyTest.java (99%)

diff --git a/pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/V5OpenPgpKeyTest.java
similarity index 99%
rename from pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java
rename to pgpainless-core/src/test/java/org/pgpainless/key/V5OpenPgpKeyTest.java
index b1337bcb..d1b941fd 100644
--- a/pgpainless-core/src/test/java/org/bouncycastle/V5OpenPgpKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/V5OpenPgpKeyTest.java
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.bouncycastle;
+package org.pgpainless.key;
 
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;

From 218da50da30f6751e0b498fcfcc433b1a2643adb Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Dec 2022 13:47:54 +0100
Subject: [PATCH 0865/1450] Create gradle mavenCentralChecksums task to quickly
 fetch checksums of published artifacts

gradle mavenCentralChecksums will fetch the checksums of the currently checked out release, while
gradle -Prelease=1.3.13 for example will fetch those of the 1.3.13 release
---
 build.gradle | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/build.gradle b/build.gradle
index 7802bdb1..6e086754 100644
--- a/build.gradle
+++ b/build.gradle
@@ -257,3 +257,44 @@ task javadocAll(type: Javadoc) {
             "https://docs.oracle.com/javase/${sourceCompatibility.getMajorVersion()}/docs/api/",
     ] as String[]
 }
+
+/**
+ * Fetch sha256 checksums of artifacts published to maven central.
+ *
+ * Example: gradle -Prelease=1.3.13 mavenCentralChecksums
+ */
+task mavenCentralChecksums() {
+    description 'Fetch and display checksums for artifacts published to Maven Central'
+    String ver = project.hasProperty('release') ? release : shortVersion
+    doLast {
+        Process p = "curl -f https://repo1.maven.org/maven2/org/pgpainless/pgpainless-core/${ver}/pgpainless-core-${ver}.jar.sha256".execute()
+        if (p.waitFor() == 0) {
+            print p.text.trim()
+            println "  pgpainless-core/build/libs/pgpainless-core-${ver}.jar"
+        }
+
+        p = "curl -f https://repo1.maven.org/maven2/org/pgpainless/pgpainless-sop/${ver}/pgpainless-sop-${ver}.jar.sha256".execute()
+        if (p.waitFor() == 0) {
+            print p.text.trim()
+            println "  pgpainless-sop/build/libs/pgpainless-sop-${ver}.jar"
+        }
+
+        p = "curl -f https://repo1.maven.org/maven2/org/pgpainless/pgpainless-cli/${ver}/pgpainless-cli-${ver}-all.jar.sha256".execute()
+        if (p.waitFor() == 0) {
+            print p.text.trim()
+            println "  pgpainless-cli/build/libs/pgpainless-cli-${ver}-all.jar"
+        }
+
+        p = "curl -f https://repo1.maven.org/maven2/org/pgpainless/pgpainless-cli/${ver}/pgpainless-cli-${ver}.jar.sha256".execute()
+        if (p.waitFor() == 0) {
+            print p.text.trim()
+            println "  pgpainless-cli/build/libs/pgpainless-cli-${ver}.jar"
+        }
+
+        p = "curl -f https://repo1.maven.org/maven2/org/pgpainless/hsregex/${ver}/hsregex-${ver}.jar.sha256".execute()
+        if (p.waitFor() == 0) {
+            print p.text.trim()
+            println "  hsregex/build/libs/hsregex-${ver}.jar"
+        }
+    }
+}

From e168ac6f557f96be478d7d979575dfeb3892c700 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 5 Dec 2022 14:00:34 +0100
Subject: [PATCH 0866/1450] Update documentation to use new MessageMetadata
 class

---
 docs/source/pgpainless-core/quickstart.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index 371a5f6f..d61a881c 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -242,7 +242,7 @@ or the passphrase.
 ### Decrypt and/or Verify a Message
 Decryption and verification of a message is both done using the same API.
 Whether a message was actually signed / encrypted can be determined after the message has been processed by checking
-the `OpenPgpMetadata` object which can be obtained from the `DecryptionStream`.
+the `MessageMetadata` object which can be obtained from the `DecryptionStream`.
 
 To configure the decryption / verification process, the `ConsumerOptions` object is used:
 
@@ -283,16 +283,16 @@ Streams.pipeAll(consumerStream, plaintext);
 consumerStream.close(); // important!
 
 // The result will contain metadata of the message
-OpenPgpMetadata result = consumerStream.getResult();
+MessageMetadata result = consumerStream.getMetadata();
 ```
 
-After the message has been processed, you can consult the `OpenPgpMetadata` object to determine the nature of the message:
+After the message has been processed, you can consult the `MessageMetadata` object to determine the nature of the message:
 
 ```java
 boolean wasEncrypted = result.isEncrypted();
 SubkeyIdentifier decryptionKey = result.getDecryptionKey();
-Map validSignatures = result.getVerifiedSignatures();
-boolean wasSignedByCert = result.containsVerifiedSignatureFrom(certificate);
+List validSignatures = result.getVerifiedSignatures();
+boolean wasSignedByCert = result.isVerifiedSignedBy(certificate);
 
 // For files:
 String fileName = result.getFileName();
@@ -323,6 +323,6 @@ DecryptionStream verificationStream = PGPainless.decryptAndOrVerify()
 Streams.drain(verificationStream); // push all the data through the stream
 verificationStream.close(); // finish verification
 
-OpenPgpMetadata result = verificationStream.getResult(); // get metadata of signed message
-assertTrue(result.containsVerifiedSignatureFrom(certificate)); // check if message was in fact signed
+MessageMetadata result = verificationStream.getMetadata(); // get metadata of signed message
+assertTrue(result.isVerifiedSignedBy(certificate)); // check if message was in fact signed
 ```
\ No newline at end of file

From f5414bcc196c91da22d40be4dc32e10ead488c08 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Dec 2022 16:11:17 +0100
Subject: [PATCH 0867/1450] Use proper method to unlock private key when
 detached-signing

---
 .../java/org/pgpainless/encryption_signing/SigningOptions.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 0a7c47c4..0af07fc9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -359,8 +359,7 @@ public final class SigningOptions {
             if (signingSecKey == null) {
                 throw new KeyException.MissingSecretKeyException(OpenPgpFingerprint.of(secretKey), signingPubKey.getKeyID());
             }
-            PGPPrivateKey signingSubkey = signingSecKey.extractPrivateKey(
-                    secretKeyDecryptor.getDecryptor(signingPubKey.getKeyID()));
+            PGPPrivateKey signingSubkey = UnlockSecretKey.unlockSecretKey(signingSecKey, secretKeyDecryptor);
             Set hashAlgorithms = userId != null ? keyRingInfo.getPreferredHashAlgorithms(userId)
                     : keyRingInfo.getPreferredHashAlgorithms(signingPubKey.getKeyID());
             HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(hashAlgorithms, PGPainless.getPolicy());

From 4f435a0fa0dd9d70383d1c0c9e8eaf832a5a102e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Dec 2022 16:15:32 +0100
Subject: [PATCH 0868/1450] Fix parameter check for DSA keys

Fixes #345
---
 .../PublicKeyParameterValidationUtil.java     |   2 +-
 .../sop/CarolKeySignEncryptRoundtripTest.java | 295 ++++++++++++++++++
 2 files changed, 296 insertions(+), 1 deletion(-)
 create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index 69940691..88e9897a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -195,7 +195,7 @@ public class PublicKeyParameterValidationUtil {
         }
 
         // q > 160 bits
-        boolean qLarge = pQ.getLowestSetBit() > 160;
+        boolean qLarge = pQ.bitLength() > 160;
         if (!qLarge) {
             return false;
         }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java
new file mode 100644
index 00000000..81bf7645
--- /dev/null
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java
@@ -0,0 +1,295 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import java.io.IOException;
+
+import org.junit.jupiter.api.Test;
+import sop.ByteArrayAndResult;
+import sop.DecryptionResult;
+import sop.Ready;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class CarolKeySignEncryptRoundtripTest {
+
+    private static final String CAROL_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "\n" +
+            "xcQTBF3+CmgRDADZhdKTM3ms3XpXnQke83FgaIBtP1g1qhqpCfg50WiPS0kjiMC0\n" +
+            "OJz2vh59nusbBLzgI//Y1VMhKfIWYbqMcIY+lWbseHjl52rqW6AaJ0TH4NgVt7vh\n" +
+            "yVeJt0k/NnxvNhMd0587KXmfpDxrwBqc/l5cVB+p0rL8vs8kxojHXAi5V3koM0Uj\n" +
+            "REWs5Jpj/XU9LhEoyXZkeJC/pes1u6UKoFYn7dFIP49Kkd1kb+1bNfdPYtA0JpcG\n" +
+            "zYgeMNOvdWJwn43dNhxoeuXfmAEhA8LdzT0C0O+7akXOKWrfhXJ8MTBqvPgWZYx7\n" +
+            "MNuQx/ejIMZHl+Iaf7hG976ILH+NCGiKkhidd9GIuA/WteHiQbXLyfiQ4n8P12q9\n" +
+            "+4dq6ybUM65tnozRyyN+1m3rU2a/+Ly3JCh4TeO27w+cxMWkaeHyTQaJVMbMbDpX\n" +
+            "duVd32MA33UVNH5/KXMVczVi5asVjuKDSojJDV1QwX8izZNl1t+AI0L3balCabV0\n" +
+            "SFhlfnBEUj1my1sBAMOSO/I67BvBS3IPHZWXHjgclhs26mPzRlZLryAUWR2DDACH\n" +
+            "5fx+yUAdZ8Vu/2zWTHxwWJ/X6gGTLqa9CmfDq5UDqYFFzuWwN4HJ+ryOuak1CGwS\n" +
+            "KJUBSA75HExbv0naWg+suy+pEDvF0VALPU9VUkSQtHyR10YO2FWOe3AEtpbYDRwp\n" +
+            "dr1ZwEbb3L6IGQ5i/4CNHbJ2u3yUeXsDNAvrpVSEcIjA01RPCOKmf58SDZp4yDdP\n" +
+            "xGhM8w6a18+fdQr22f2cJ0xgfPlbzFbO+FUsEgKvn6QTLhbaYw4zs7rdQDejWHV8\n" +
+            "2hP4K+rb9FwknYdV9uo4m77MgGlU+4yvJnGEYaL3jwjI3bH9aooNOl6XbvVAzNzo\n" +
+            "mYmaTO7mp6xFAu43yuGyd9K+1E4k7CQTROxTZ+RdtQjV95hSsEmMg792nQvDSBW4\n" +
+            "xwfOQ7pf3kC7r9fm8u9nBlEN12HsbQ8Yvux/ld5q5RaIlD19jzfVR6+hJzbj2ZnU\n" +
+            "yQs4ksAfIHTzTdLttRxS9lTRTkVx2vbUnoSBy6TYF1mf6nRPpSm1riZxnkR4+BQL\n" +
+            "/0rUAxwegTNIG/5M612s2a45QvYK1turZ7spI1RGitJUIjBXUuR76jIsyqagIhBl\n" +
+            "5nEsQ4HLv8OQ3EgJ5T9gldLFpHNczLxBQnnNwfPoD2e0kC/iy0rfiNX8HWpTgQpb\n" +
+            "zAosLj5/E0iNlildynIhuqBosyRWFqGva0O6qioL90srlzlfKCloe9R9w3HizjCb\n" +
+            "f59yEspuJt9iHVNOPOW2Wj5ub0KTiJPp9vBmrFaB79/IlgojpQoYvQ77Hx5A9CJq\n" +
+            "paMCHGOW6Uz9euN1ozzETEkIPtL8XAxcogfpe2JKE1uS7ugxsKEGEDfxOQFKAGV0\n" +
+            "XFtIx50vFCr2vQro0WB858CGN47dCxChhNUxNtGc11JNEkNv/X7hKtRf/5VCmnaz\n" +
+            "GWwNK47cqZ7GJfEBnElD7s/tQvTC5Qp7lg9gEt47TUX0bjzUTCxNvLosuKL9+J1W\n" +
+            "ln1myRpff/5ZOAnZTPHR+AbX4bRB4sK5zijQe4139Dn2oRYK+EIYoBAxFxSOzehP\n" +
+            "IQAA/2BCN5HryGjVff2t7Q6fVrQQS9hsMisszZl5rWwUOO6zETHCigQfEQgAPAUC\n" +
+            "Xf4KaQMLCQoJEJunidx21oSaBBUKCQgCFgECF4ACGwMCHgEWIQRx/9oARAnl3bDD\n" +
+            "6PGbp4ncdtaEmgAAYoUA/1VpxdR2wYT/pC8FrKsbmIxLJRLDNlED3ihivWp/B2e/\n" +
+            "AQCT2oi9zqbjprCKAnzoIYTGTil4yFfmeey8GjMOxUHz4M0mQ2Fyb2wgT2xkc3R5\n" +
+            "bGUgPGNhcm9sQG9wZW5wZ3AuZXhhbXBsZT7CigQTEQgAPAUCXf4KaQMLCQoJEJun\n" +
+            "idx21oSaBBUKCQgCFgECF4ACGwMCHgEWIQRx/9oARAnl3bDD6PGbp4ncdtaEmgAA\n" +
+            "UEwA/2TFwL0mymjCSaQH8KdQuygI+itpNggM+Y8FF8hn9fo1AP9ogDIl9V3C8t59\n" +
+            "C/Mrc4HvP1ABR2nwZeK5+A5lLoH4Y8fD8QRd/gpoEAwA2YXSkzN5rN16V50JHvNx\n" +
+            "YGiAbT9YNaoaqQn4OdFoj0tJI4jAtDic9r4efZ7rGwS84CP/2NVTISnyFmG6jHCG\n" +
+            "PpVm7Hh45edq6lugGidEx+DYFbe74clXibdJPzZ8bzYTHdOfOyl5n6Q8a8AanP5e\n" +
+            "XFQfqdKy/L7PJMaIx1wIuVd5KDNFI0RFrOSaY/11PS4RKMl2ZHiQv6XrNbulCqBW\n" +
+            "J+3RSD+PSpHdZG/tWzX3T2LQNCaXBs2IHjDTr3VicJ+N3TYcaHrl35gBIQPC3c09\n" +
+            "AtDvu2pFzilq34VyfDEwarz4FmWMezDbkMf3oyDGR5fiGn+4Rve+iCx/jQhoipIY\n" +
+            "nXfRiLgP1rXh4kG1y8n4kOJ/D9dqvfuHausm1DOubZ6M0csjftZt61Nmv/i8tyQo\n" +
+            "eE3jtu8PnMTFpGnh8k0GiVTGzGw6V3blXd9jAN91FTR+fylzFXM1YuWrFY7ig0qI\n" +
+            "yQ1dUMF/Is2TZdbfgCNC922pQmm1dEhYZX5wRFI9ZstbDACH5fx+yUAdZ8Vu/2zW\n" +
+            "THxwWJ/X6gGTLqa9CmfDq5UDqYFFzuWwN4HJ+ryOuak1CGwSKJUBSA75HExbv0na\n" +
+            "Wg+suy+pEDvF0VALPU9VUkSQtHyR10YO2FWOe3AEtpbYDRwpdr1ZwEbb3L6IGQ5i\n" +
+            "/4CNHbJ2u3yUeXsDNAvrpVSEcIjA01RPCOKmf58SDZp4yDdPxGhM8w6a18+fdQr2\n" +
+            "2f2cJ0xgfPlbzFbO+FUsEgKvn6QTLhbaYw4zs7rdQDejWHV82hP4K+rb9FwknYdV\n" +
+            "9uo4m77MgGlU+4yvJnGEYaL3jwjI3bH9aooNOl6XbvVAzNzomYmaTO7mp6xFAu43\n" +
+            "yuGyd9K+1E4k7CQTROxTZ+RdtQjV95hSsEmMg792nQvDSBW4xwfOQ7pf3kC7r9fm\n" +
+            "8u9nBlEN12HsbQ8Yvux/ld5q5RaIlD19jzfVR6+hJzbj2ZnUyQs4ksAfIHTzTdLt\n" +
+            "tRxS9lTRTkVx2vbUnoSBy6TYF1mf6nRPpSm1riZxnkR4+BQL/jEGmn1tLhxfjfDA\n" +
+            "5vFFj73+FXdFCdFKSI0VpdoU1fgR5DX72ZQUYYUCKYTYikXv1mqdH/5VthptrktC\n" +
+            "oAco4zVxM04sK7Xthl+uTOhei8/Dd9ZLdSIoNcRjrr/uh5sUzUfIC9iuT3SXiZ/D\n" +
+            "0yVq0Uu/gWPB3ZIG/sFacxOXAr6RYhvz9MqnwXS1sVT5TyO3XIQ5JseIgIRyV/Sf\n" +
+            "4F/4Qui9wMzzSajTwCsttMGKf67k228AaJVv+IpFoo+OtCa7wbJukqfNQN3m2ojf\n" +
+            "V5CcoCzsoRsoTInhrpQmM+gGoQBXBArT1xk3KK3VdZibYfMoxeIGXw0MoNJzFuGK\n" +
+            "+PcnhV3ETFMNcszd0Pb9s86g7hYtpRmE12Jlai2MzPSmyztlsRP9tcZwYy7JdPZf\n" +
+            "xXQP24XWat7eP2qWxTnkEP4/wKYb81m7CZ4RvUO/nd1aA5c9IBYknbgmCAAKvHVD\n" +
+            "iTY61E5GbC9aTiI4WIwjItroikukUJE+p77rpjxfw/1U51BnmQAA/ih5jIthn2ZE\n" +
+            "r1YoOsUs8CBhylTsRZK6VS4ZCErcyl2tD2LCigQYEQgAPAUCXf4KaQMLCQoJEJun\n" +
+            "idx21oSaBBUKCQgCFgECF4ACGwwCHgEWIQRx/9oARAnl3bDD6PGbp4ncdtaEmgAA\n" +
+            "QSkA/3WEWqZxvZmpVxpEMxJWaGQRwUhGake8OhC1WfywCtarAQCLwfBsyEv5jBEi\n" +
+            "1FkOSekLi8WNMdUx3XMyvP8nJ65P2Q==\n" +
+            "=Xj8h\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    private static final String CAROL_CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "\n" +
+            "xsPuBF3+CmgRDADZhdKTM3ms3XpXnQke83FgaIBtP1g1qhqpCfg50WiPS0kjiMC0\n" +
+            "OJz2vh59nusbBLzgI//Y1VMhKfIWYbqMcIY+lWbseHjl52rqW6AaJ0TH4NgVt7vh\n" +
+            "yVeJt0k/NnxvNhMd0587KXmfpDxrwBqc/l5cVB+p0rL8vs8kxojHXAi5V3koM0Uj\n" +
+            "REWs5Jpj/XU9LhEoyXZkeJC/pes1u6UKoFYn7dFIP49Kkd1kb+1bNfdPYtA0JpcG\n" +
+            "zYgeMNOvdWJwn43dNhxoeuXfmAEhA8LdzT0C0O+7akXOKWrfhXJ8MTBqvPgWZYx7\n" +
+            "MNuQx/ejIMZHl+Iaf7hG976ILH+NCGiKkhidd9GIuA/WteHiQbXLyfiQ4n8P12q9\n" +
+            "+4dq6ybUM65tnozRyyN+1m3rU2a/+Ly3JCh4TeO27w+cxMWkaeHyTQaJVMbMbDpX\n" +
+            "duVd32MA33UVNH5/KXMVczVi5asVjuKDSojJDV1QwX8izZNl1t+AI0L3balCabV0\n" +
+            "SFhlfnBEUj1my1sBAMOSO/I67BvBS3IPHZWXHjgclhs26mPzRlZLryAUWR2DDACH\n" +
+            "5fx+yUAdZ8Vu/2zWTHxwWJ/X6gGTLqa9CmfDq5UDqYFFzuWwN4HJ+ryOuak1CGwS\n" +
+            "KJUBSA75HExbv0naWg+suy+pEDvF0VALPU9VUkSQtHyR10YO2FWOe3AEtpbYDRwp\n" +
+            "dr1ZwEbb3L6IGQ5i/4CNHbJ2u3yUeXsDNAvrpVSEcIjA01RPCOKmf58SDZp4yDdP\n" +
+            "xGhM8w6a18+fdQr22f2cJ0xgfPlbzFbO+FUsEgKvn6QTLhbaYw4zs7rdQDejWHV8\n" +
+            "2hP4K+rb9FwknYdV9uo4m77MgGlU+4yvJnGEYaL3jwjI3bH9aooNOl6XbvVAzNzo\n" +
+            "mYmaTO7mp6xFAu43yuGyd9K+1E4k7CQTROxTZ+RdtQjV95hSsEmMg792nQvDSBW4\n" +
+            "xwfOQ7pf3kC7r9fm8u9nBlEN12HsbQ8Yvux/ld5q5RaIlD19jzfVR6+hJzbj2ZnU\n" +
+            "yQs4ksAfIHTzTdLttRxS9lTRTkVx2vbUnoSBy6TYF1mf6nRPpSm1riZxnkR4+BQL\n" +
+            "/0rUAxwegTNIG/5M612s2a45QvYK1turZ7spI1RGitJUIjBXUuR76jIsyqagIhBl\n" +
+            "5nEsQ4HLv8OQ3EgJ5T9gldLFpHNczLxBQnnNwfPoD2e0kC/iy0rfiNX8HWpTgQpb\n" +
+            "zAosLj5/E0iNlildynIhuqBosyRWFqGva0O6qioL90srlzlfKCloe9R9w3HizjCb\n" +
+            "f59yEspuJt9iHVNOPOW2Wj5ub0KTiJPp9vBmrFaB79/IlgojpQoYvQ77Hx5A9CJq\n" +
+            "paMCHGOW6Uz9euN1ozzETEkIPtL8XAxcogfpe2JKE1uS7ugxsKEGEDfxOQFKAGV0\n" +
+            "XFtIx50vFCr2vQro0WB858CGN47dCxChhNUxNtGc11JNEkNv/X7hKtRf/5VCmnaz\n" +
+            "GWwNK47cqZ7GJfEBnElD7s/tQvTC5Qp7lg9gEt47TUX0bjzUTCxNvLosuKL9+J1W\n" +
+            "ln1myRpff/5ZOAnZTPHR+AbX4bRB4sK5zijQe4139Dn2oRYK+EIYoBAxFxSOzehP\n" +
+            "IcKKBB8RCAA8BQJd/gppAwsJCgkQm6eJ3HbWhJoEFQoJCAIWAQIXgAIbAwIeARYh\n" +
+            "BHH/2gBECeXdsMPo8Zunidx21oSaAABihQD/VWnF1HbBhP+kLwWsqxuYjEslEsM2\n" +
+            "UQPeKGK9an8HZ78BAJPaiL3OpuOmsIoCfOghhMZOKXjIV+Z57LwaMw7FQfPgzSZD\n" +
+            "YXJvbCBPbGRzdHlsZSA8Y2Fyb2xAb3BlbnBncC5leGFtcGxlPsKKBBMRCAA8BQJd\n" +
+            "/gppAwsJCgkQm6eJ3HbWhJoEFQoJCAIWAQIXgAIbAwIeARYhBHH/2gBECeXdsMPo\n" +
+            "8Zunidx21oSaAABQTAD/ZMXAvSbKaMJJpAfwp1C7KAj6K2k2CAz5jwUXyGf1+jUA\n" +
+            "/2iAMiX1XcLy3n0L8ytzge8/UAFHafBl4rn4DmUugfhjzsPMBF3+CmgQDADZhdKT\n" +
+            "M3ms3XpXnQke83FgaIBtP1g1qhqpCfg50WiPS0kjiMC0OJz2vh59nusbBLzgI//Y\n" +
+            "1VMhKfIWYbqMcIY+lWbseHjl52rqW6AaJ0TH4NgVt7vhyVeJt0k/NnxvNhMd0587\n" +
+            "KXmfpDxrwBqc/l5cVB+p0rL8vs8kxojHXAi5V3koM0UjREWs5Jpj/XU9LhEoyXZk\n" +
+            "eJC/pes1u6UKoFYn7dFIP49Kkd1kb+1bNfdPYtA0JpcGzYgeMNOvdWJwn43dNhxo\n" +
+            "euXfmAEhA8LdzT0C0O+7akXOKWrfhXJ8MTBqvPgWZYx7MNuQx/ejIMZHl+Iaf7hG\n" +
+            "976ILH+NCGiKkhidd9GIuA/WteHiQbXLyfiQ4n8P12q9+4dq6ybUM65tnozRyyN+\n" +
+            "1m3rU2a/+Ly3JCh4TeO27w+cxMWkaeHyTQaJVMbMbDpXduVd32MA33UVNH5/KXMV\n" +
+            "czVi5asVjuKDSojJDV1QwX8izZNl1t+AI0L3balCabV0SFhlfnBEUj1my1sMAIfl\n" +
+            "/H7JQB1nxW7/bNZMfHBYn9fqAZMupr0KZ8OrlQOpgUXO5bA3gcn6vI65qTUIbBIo\n" +
+            "lQFIDvkcTFu/SdpaD6y7L6kQO8XRUAs9T1VSRJC0fJHXRg7YVY57cAS2ltgNHCl2\n" +
+            "vVnARtvcvogZDmL/gI0dsna7fJR5ewM0C+ulVIRwiMDTVE8I4qZ/nxINmnjIN0/E\n" +
+            "aEzzDprXz591CvbZ/ZwnTGB8+VvMVs74VSwSAq+fpBMuFtpjDjOzut1AN6NYdXza\n" +
+            "E/gr6tv0XCSdh1X26jibvsyAaVT7jK8mcYRhovePCMjdsf1qig06Xpdu9UDM3OiZ\n" +
+            "iZpM7uanrEUC7jfK4bJ30r7UTiTsJBNE7FNn5F21CNX3mFKwSYyDv3adC8NIFbjH\n" +
+            "B85Dul/eQLuv1+by72cGUQ3XYextDxi+7H+V3mrlFoiUPX2PN9VHr6EnNuPZmdTJ\n" +
+            "CziSwB8gdPNN0u21HFL2VNFORXHa9tSehIHLpNgXWZ/qdE+lKbWuJnGeRHj4FAv+\n" +
+            "MQaafW0uHF+N8MDm8UWPvf4Vd0UJ0UpIjRWl2hTV+BHkNfvZlBRhhQIphNiKRe/W\n" +
+            "ap0f/lW2Gm2uS0KgByjjNXEzTiwrte2GX65M6F6Lz8N31kt1Iig1xGOuv+6HmxTN\n" +
+            "R8gL2K5PdJeJn8PTJWrRS7+BY8Hdkgb+wVpzE5cCvpFiG/P0yqfBdLWxVPlPI7dc\n" +
+            "hDkmx4iAhHJX9J/gX/hC6L3AzPNJqNPAKy20wYp/ruTbbwBolW/4ikWij460JrvB\n" +
+            "sm6Sp81A3ebaiN9XkJygLOyhGyhMieGulCYz6AahAFcECtPXGTcordV1mJth8yjF\n" +
+            "4gZfDQyg0nMW4Yr49yeFXcRMUw1yzN3Q9v2zzqDuFi2lGYTXYmVqLYzM9KbLO2Wx\n" +
+            "E/21xnBjLsl09l/FdA/bhdZq3t4/apbFOeQQ/j/AphvzWbsJnhG9Q7+d3VoDlz0g\n" +
+            "FiSduCYIAAq8dUOJNjrUTkZsL1pOIjhYjCMi2uiKS6RQkT6nvuumPF/D/VTnUGeZ\n" +
+            "wooEGBEIADwFAl3+CmkDCwkKCRCbp4ncdtaEmgQVCgkIAhYBAheAAhsMAh4BFiEE\n" +
+            "cf/aAEQJ5d2ww+jxm6eJ3HbWhJoAAEEpAP91hFqmcb2ZqVcaRDMSVmhkEcFIRmpH\n" +
+            "vDoQtVn8sArWqwEAi8HwbMhL+YwRItRZDknpC4vFjTHVMd1zMrz/JyeuT9k=\n" +
+            "=pa/S\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+    private static final String BOB_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+            "Comment: Bob's OpenPGP Transferable Secret Key\n" +
+            "\n" +
+            "lQVYBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
+            "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
+            "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
+            "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
+            "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
+            "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
+            "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
+            "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
+            "vLIwa3T4CyshfT0AEQEAAQAL/RZqbJW2IqQDCnJi4Ozm++gPqBPiX1RhTWSjwxfM\n" +
+            "cJKUZfzLj414rMKm6Jh1cwwGY9jekROhB9WmwaaKT8HtcIgrZNAlYzANGRCM4TLK\n" +
+            "3VskxfSwKKna8l+s+mZglqbAjUg3wmFuf9Tj2xcUZYmyRm1DEmcN2ZzpvRtHgX7z\n" +
+            "Wn1mAKUlSDJZSQks0zjuMNbupcpyJokdlkUg2+wBznBOTKzgMxVNC9b2g5/tMPUs\n" +
+            "hGGWmF1UH+7AHMTaS6dlmr2ZBIyogdnfUqdNg5sZwsxSNrbglKP4sqe7X61uEAIQ\n" +
+            "bD7rT3LonLbhkrj3I8wilUD8usIwt5IecoHhd9HziqZjRCc1BUBkboUEoyedbDV4\n" +
+            "i4qfsFZ6CEWoLuD5pW7dEp0M+WeuHXO164Rc+LnH6i1VQrpb1Okl4qO6ejIpIjBI\n" +
+            "1t3GshtUu/mwGBBxs60KBX5g77mFQ9lLCRj8lSYqOsHRKBhUp4qM869VA+fD0BRP\n" +
+            "fqPT0I9IH4Oa/A3jYJcg622GwQYA1LhnP208Waf6PkQSJ6kyr8ymY1yVh9VBE/g6\n" +
+            "fRDYA+pkqKnw9wfH2Qho3ysAA+OmVOX8Hldg+Pc0Zs0e5pCavb0En8iFLvTA0Q2E\n" +
+            "LR5rLue9uD7aFuKFU/VdcddY9Ww/vo4k5p/tVGp7F8RYCFn9rSjIWbfvvZi1q5Tx\n" +
+            "+akoZbga+4qQ4WYzB/obdX6SCmi6BndcQ1QdjCCQU6gpYx0MddVERbIp9+2SXDyL\n" +
+            "hpxjSyz+RGsZi/9UAshT4txP4+MZBgDfK3ZqtW+h2/eMRxkANqOJpxSjMyLO/FXN\n" +
+            "WxzTDYeWtHNYiAlOwlQZEPOydZFty9IVzzNFQCIUCGjQ/nNyhw7adSgUk3+BXEx/\n" +
+            "MyJPYY0BYuhLxLYcrfQ9nrhaVKxRJj25SVHj2ASsiwGJRZW4CC3uw40OYxfKEvNC\n" +
+            "mer/VxM3kg8qqGf9KUzJ1dVdAvjyx2Hz6jY2qWCyRQ6IMjWHyd43C4r3jxooYKUC\n" +
+            "YnstRQyb/gCSKahveSEjo07CiXMr88UGALwzEr3npFAsPW3osGaFLj49y1oRe11E\n" +
+            "he9gCHFm+fuzbXrWmdPjYU5/ZdqdojzDqfu4ThfnipknpVUM1o6MQqkjM896FHm8\n" +
+            "zbKVFSMhEP6DPHSCexMFrrSgN03PdwHTO6iBaIBBFqmGY01tmJ03SxvSpiBPON9P\n" +
+            "NVvy/6UZFedTq8A07OUAxO62YUSNtT5pmK2vzs3SAZJmbFbMh+NN204TRI72GlqT\n" +
+            "t5hcfkuv8hrmwPS/ZR6q312mKQ6w/1pqO9qitCFCb2IgQmFiYmFnZSA8Ym9iQG9w\n" +
+            "ZW5wZ3AuZXhhbXBsZT6JAc4EEwEKADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC\n" +
+            "F4AWIQTRpm4aI7GCyZgPeIz7/MgqAV5zMAUCXaWe+gAKCRD7/MgqAV5zMG9sC/9U\n" +
+            "2T3RrqEbw533FPNfEflhEVRIZ8gDXKM8hU6cqqEzCmzZT6xYTe6sv4y+PJBGXJFX\n" +
+            "yhj0g6FDkSyboM5litOcTupURObVqMgA/Y4UKERznm4fzzH9qek85c4ljtLyNufe\n" +
+            "doL2pp3vkGtn7eD0QFRaLLmnxPKQ/TlZKdLE1G3u8Uot8QHicaR6GnAdc5UXQJE3\n" +
+            "BiV7jZuDyWmZ1cUNwJkKL6oRtp+ZNDOQCrLNLecKHcgCqrpjSQG5oouba1I1Q6Vl\n" +
+            "sP44dhA1nkmLHtxlTOzpeHj4jnk1FaXmyasurrrI5CgU/L2Oi39DGKTH/A/cywDN\n" +
+            "4ZplIQ9zR8enkbXquUZvFDe+Xz+6xRXtb5MwQyWODB3nHw85HocLwRoIN9WdQEI+\n" +
+            "L8a/56AuOwhs8llkSuiITjR7r9SgKJC2WlAHl7E8lhJ3VDW3ELC56KH308d6mwOG\n" +
+            "ZRAqIAKzM1T5FGjMBhq7ZV0eqdEntBh3EcOIfj2M8rg1MzJv+0mHZOIjByawikad\n" +
+            "BVgEXaWc8gEMANYwv1xsYyunXYK0X1vY/rP1NNPvhLyLIE7NpK90YNBj+xS1ldGD\n" +
+            "bUdZqZeef2xJe8gMQg05DoD1DF3GipZ0Ies65beh+d5hegb7N4pzh0LzrBrVNHar\n" +
+            "29b5ExdI7i4iYD5TO6Vr/qTUOiAN/byqELEzAb+L+b2DVz/RoCm4PIp1DU9ewcc2\n" +
+            "WB38Ofqut3nLYA5tqJ9XvAiEQme+qAVcM3ZFcaMt4I4dXhDZZNg+D9LiTWcxdUPB\n" +
+            "leu8iwDRjAgyAhPzpFp+nWoqWA81uIiULWD1Fj+IVoY3ZvgivoYOiEFBJ9lbb4te\n" +
+            "g9m5UT/AaVDTWuHzbspVlbiVe+qyB77C2daWzNyx6UYBPLOo4r0t0c91kbNE5lgj\n" +
+            "Z7xz6los0N1U8vq91EFSeQJoSQ62XWavYmlCLmdNT6BNfgh4icLsT7Vr1QMX9jzn\n" +
+            "JtTPxdXytSdHvpSpULsqJ016l0dtmONcK3z9mj5N5z0k1tg1AH970TGYOe2aUcSx\n" +
+            "IRDMXDOPyzEfjwARAQABAAv9F2CwsjS+Sjh1M1vegJbZjei4gF1HHpEM0K0PSXsp\n" +
+            "SfVvpR4AoSJ4He6CXSMWg0ot8XKtDuZoV9jnJaES5UL9pMAD7JwIOqZm/DYVJM5h\n" +
+            "OASCh1c356/wSbFbzRHPtUdZO9Q30WFNJM5pHbCJPjtNoRmRGkf71RxtvHBzy7np\n" +
+            "Ga+W6U/NVKHw0i0CYwMI0YlKDakYW3Pm+QL+gHZFvngGweTod0f9l2VLLAmeQR/c\n" +
+            "+EZs7lNumhuZ8mXcwhUc9JQIhOkpO+wreDysEFkAcsKbkQP3UDUsA1gFx9pbMzT0\n" +
+            "tr1oZq2a4QBtxShHzP/ph7KLpN+6qtjks3xB/yjTgaGmtrwM8tSe0wD1RwXS+/1o\n" +
+            "BHpXTnQ7TfeOGUAu4KCoOQLv6ELpKWbRBLWuiPwMdbGpvVFALO8+kvKAg9/r+/ny\n" +
+            "zM2GQHY+J3Jh5JxPiJnHfXNZjIKLbFbIPdSKNyJBuazXW8xIa//mEHMI5OcvsZBK\n" +
+            "clAIp7LXzjEjKXIwHwDcTn9pBgDpdOKTHOtJ3JUKx0rWVsDH6wq6iKV/FTVSY5jl\n" +
+            "zN+puOEsskF1Lfxn9JsJihAVO3yNsp6RvkKtyNlFazaCVKtDAmkjoh60XNxcNRqr\n" +
+            "gCnwdpbgdHP6v/hvZY54ZaJjz6L2e8unNEkYLxDt8cmAyGPgH2XgL7giHIp9jrsQ\n" +
+            "aS381gnYwNX6wE1aEikgtY91nqJjwPlibF9avSyYQoMtEqM/1UjTjB2KdD/MitK5\n" +
+            "fP0VpvuXpNYZedmyq4UOMwdkiNMGAOrfmOeT0olgLrTMT5H97Cn3Yxbk13uXHNu/\n" +
+            "ZUZZNe8s+QtuLfUlKAJtLEUutN33TlWQY522FV0m17S+b80xJib3yZVJteVurrh5\n" +
+            "HSWHAM+zghQAvCesg5CLXa2dNMkTCmZKgCBvfDLZuZbjFwnwCI6u/NhOY9egKuUf\n" +
+            "SA/je/RXaT8m5VxLYMxwqQXKApzD87fv0tLPlVIEvjEsaf992tFEFSNPcG1l/jpd\n" +
+            "5AVXw6kKuf85UkJtYR1x2MkQDrqY1QX/XMw00kt8y9kMZUre19aCArcmor+hDhRJ\n" +
+            "E3Gt4QJrD9z/bICESw4b4z2DbgD/Xz9IXsA/r9cKiM1h5QMtXvuhyfVeM01enhxM\n" +
+            "GbOH3gjqqGNKysx0UODGEwr6AV9hAd8RWXMchJLaExK9J5SRawSg671ObAU24SdY\n" +
+            "vMQ9Z4kAQ2+1ReUZzf3ogSMRZtMT+d18gT6L90/y+APZIaoArLPhebIAGq39HLmJ\n" +
+            "26x3z0WAgrpA1kNsjXEXkoiZGPLKIGoe3hqJAbYEGAEKACAWIQTRpm4aI7GCyZgP\n" +
+            "eIz7/MgqAV5zMAUCXaWc8gIbDAAKCRD7/MgqAV5zMOn/C/9ugt+HZIwX308zI+QX\n" +
+            "c5vDLReuzmJ3ieE0DMO/uNSC+K1XEioSIZP91HeZJ2kbT9nn9fuReuoff0T0Dief\n" +
+            "rbwcIQQHFFkrqSp1K3VWmUGp2JrUsXFVdjy/fkBIjTd7c5boWljv/6wAsSfiv2V0\n" +
+            "JSM8EFU6TYXxswGjFVfc6X97tJNeIrXL+mpSmPPqy2bztcCCHkWS5lNLWQw+R7Vg\n" +
+            "71Fe6yBSNVrqC2/imYG2J9zlowjx1XU63Wdgqp2Wxt0l8OmsB/W80S1fRF5G4SDH\n" +
+            "s9HXglXXqPsBRZJYfP+VStm9L5P/sKjCcX6WtZR7yS6G8zj/X767MLK/djANvpPd\n" +
+            "NVniEke6hM3CNBXYPAMhQBMWhCulcoz+0lxi8L34rMN+Dsbma96psdUrn7uLaB91\n" +
+            "6we0CTfF8qqm7BsVAgalon/UUiuMY80U3ueoj3okiSTiHIjD/YtpXSPioC8nMng7\n" +
+            "xqAY9Bwizt4FWgXuLm1a4+So4V9j1TRCXd12Uc2l2RNmgDE=\n" +
+            "=miES\n" +
+            "-----END PGP PRIVATE KEY BLOCK-----\n";
+
+    private static final String BOB_CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+            "Comment: Bob's OpenPGP certificate\n" +
+            "\n" +
+            "mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv\n" +
+            "/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz\n" +
+            "/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/\n" +
+            "5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3\n" +
+            "X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv\n" +
+            "9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0\n" +
+            "qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb\n" +
+            "SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb\n" +
+            "vLIwa3T4CyshfT0AEQEAAbQhQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w\n" +
+            "bGU+iQHOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx\n" +
+            "gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz\n" +
+            "XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO\n" +
+            "ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g\n" +
+            "9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF\n" +
+            "DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c\n" +
+            "ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1\n" +
+            "6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ\n" +
+            "ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo\n" +
+            "zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGuQGNBF2lnPIBDADW\n" +
+            "ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI\n" +
+            "DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+\n" +
+            "Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO\n" +
+            "baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT\n" +
+            "86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh\n" +
+            "827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6\n" +
+            "vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U\n" +
+            "qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A\n" +
+            "EQEAAYkBtgQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ\n" +
+            "EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS\n" +
+            "KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx\n" +
+            "cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i\n" +
+            "tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV\n" +
+            "dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w\n" +
+            "qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy\n" +
+            "jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj\n" +
+            "zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV\n" +
+            "NEJd3XZRzaXZE2aAMQ==\n" +
+            "=NXei\n" +
+            "-----END PGP PUBLIC KEY BLOCK-----\n";
+
+    @Test
+    public void regressionTest() throws IOException {
+        SOPImpl sop = new SOPImpl();
+        byte[] msg = "Hello, World!\n".getBytes();
+        Ready encryption = sop.encrypt()
+                .signWith(CAROL_KEY.getBytes())
+                .withCert(BOB_CERT.getBytes())
+                .plaintext(msg);
+        byte[] ciphertext = encryption.getBytes();
+
+        ByteArrayAndResult decryption = sop.decrypt()
+                .withKey(BOB_KEY.getBytes())
+                .verifyWithCert(CAROL_CERT.getBytes())
+                .ciphertext(ciphertext)
+                .toByteArrayAndResult();
+
+        byte[] plaintext = decryption.getBytes();
+        assertArrayEquals(msg, plaintext);
+        assertEquals(1, decryption.getResult().getVerifications().size());
+    }
+}

From 23130b6c8aec7aa39833d49424332e0a0e4ad941 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Dec 2022 16:25:44 +0100
Subject: [PATCH 0869/1450] PGPainless 1.3.14

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a335092..8e5b5ebe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,11 @@ SPDX-License-Identifier: CC0-1.0
 - Add `KeyRingUtils.publicKeys(PGPKeyRing keys)`
 - Remove `BCUtil` class
 
+## 1.3.14
+- Bump `bcpg` to `1.72.3`
+- Fix DSA key parameter check
+- Use proper method to unlock private signing keys when creating detached signatures
+
 ## 1.3.13
 - Bump `sop-java` to `4.0.7`
 

From 66abd5f65fb4bfc9ab32f06faa2f988d300e66ad Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Dec 2022 16:42:51 +0100
Subject: [PATCH 0870/1450] Cleartext-signatures MUST use TEXT mode

---
 .../src/main/java/org/pgpainless/sop/InlineSignImpl.java        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index 30e1d71e..82c3603b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -75,7 +75,7 @@ public class InlineSignImpl implements InlineSign {
         for (PGPSecretKeyRing key : signingKeys) {
             try {
                 if (mode == InlineSignAs.clearsigned) {
-                    signingOptions.addDetachedSignature(protector, key);
+                    signingOptions.addDetachedSignature(protector, key, DocumentSignatureType.CANONICAL_TEXT_DOCUMENT);
                 } else {
                     signingOptions.addInlineSignature(protector, key, modeToSigType(mode));
                 }

From 2d46fb18f775d6298b95d3f2dcd331d573b45e08 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 13 Dec 2022 17:02:53 +0100
Subject: [PATCH 0871/1450] SOP: Allow generation of keys without user-ids

---
 .../key/generation/KeyRingTemplates.java      | 53 ++++++++++---------
 .../org/pgpainless/sop/GenerateKeyImpl.java   |  9 ++--
 .../org/pgpainless/sop/GenerateKeyTest.java   |  7 ---
 3 files changed, 32 insertions(+), 37 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 444e7d74..42eb7efa 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -7,6 +7,7 @@ package org.pgpainless.key.generation;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
@@ -38,9 +39,9 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable UserId userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleRsaKeyRing(userId.toString(), length);
+        return simpleRsaKeyRing(userId == null ? null : userId.toString(), length);
     }
 
     /**
@@ -56,7 +57,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         return simpleRsaKeyRing(userId, length, Passphrase.emptyPassphrase());
     }
@@ -75,9 +76,9 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull UserId userId, @Nonnull RsaLength length, String password)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable UserId userId, @Nonnull RsaLength length, @Nullable String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleRsaKeyRing(userId.toString(), length, password);
+        return simpleRsaKeyRing(userId == null ? null : userId.toString(), length, password);
     }
 
     /**
@@ -94,7 +95,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, String password)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length, @Nullable String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         Passphrase passphrase = Passphrase.emptyPassphrase();
         if (!isNullOrEmpty(password)) {
@@ -103,12 +104,14 @@ public final class KeyRingTemplates {
         return simpleRsaKeyRing(userId, length, passphrase);
     }
 
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nonnull String userId, @Nonnull RsaLength length, @Nonnull Passphrase passphrase)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length, @Nonnull Passphrase passphrase)
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS))
-                .addUserId(userId)
                 .setPassphrase(passphrase);
+        if (userId != null) {
+            builder.addUserId(userId);
+        }
         return builder.build();
     }
 
@@ -125,9 +128,9 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable UserId userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleEcKeyRing(userId.toString());
+        return simpleEcKeyRing(userId == null ? null : userId.toString());
     }
 
     /**
@@ -143,7 +146,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         return simpleEcKeyRing(userId, Passphrase.emptyPassphrase());
     }
@@ -162,9 +165,9 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull UserId userId, String password)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable UserId userId, String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleEcKeyRing(userId.toString(), password);
+        return simpleEcKeyRing(userId == null ? null : userId.toString(), password);
     }
 
     /**
@@ -181,7 +184,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, String password)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         Passphrase passphrase = Passphrase.emptyPassphrase();
         if (!isNullOrEmpty(password)) {
@@ -190,13 +193,15 @@ public final class KeyRingTemplates {
         return simpleEcKeyRing(userId, passphrase);
     }
 
-    public PGPSecretKeyRing simpleEcKeyRing(@Nonnull String userId, @Nonnull Passphrase passphrase)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId, @Nonnull Passphrase passphrase)
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
                 .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
-                .addUserId(userId)
                 .setPassphrase(passphrase);
+        if (userId != null) {
+            builder.addUserId(userId);
+        }
         return builder.build();
     }
 
@@ -211,8 +216,8 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing modernKeyRing(String userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        return modernKeyRing(userId, (Passphrase) null);
+    public PGPSecretKeyRing modernKeyRing(@Nullable String userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        return modernKeyRing(userId, Passphrase.emptyPassphrase());
     }
 
     /**
@@ -227,21 +232,21 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing modernKeyRing(String userId, String password)
+    public PGPSecretKeyRing modernKeyRing(@Nullable String userId, @Nullable String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        Passphrase passphrase = (password != null ? Passphrase.fromPassword(password) : null);
+        Passphrase passphrase = (password != null ? Passphrase.fromPassword(password) : Passphrase.emptyPassphrase());
         return modernKeyRing(userId, passphrase);
     }
 
-    public PGPSecretKeyRing modernKeyRing(String userId, Passphrase passphrase)
+    public PGPSecretKeyRing modernKeyRing(@Nullable String userId, @Nonnull Passphrase passphrase)
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
                 .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
                 .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
-                .addUserId(userId);
-        if (passphrase != null && !passphrase.isEmpty()) {
-            builder.setPassphrase(passphrase);
+                .setPassphrase(passphrase);
+        if (userId != null) {
+            builder.addUserId(userId);
         }
         return builder.build();
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index 893c8dd8..c75087c8 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -28,7 +28,7 @@ public class GenerateKeyImpl implements GenerateKey {
 
     private boolean armor = true;
     private final Set userIds = new LinkedHashSet<>();
-    private Passphrase passphrase;
+    private Passphrase passphrase = Passphrase.emptyPassphrase();
 
     @Override
     public GenerateKey noArmor() {
@@ -51,14 +51,11 @@ public class GenerateKeyImpl implements GenerateKey {
     @Override
     public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo {
         Iterator userIdIterator = userIds.iterator();
-        if (!userIdIterator.hasNext()) {
-            throw new SOPGPException.MissingArg("Missing user-id.");
-        }
-
         PGPSecretKeyRing key;
         try {
+            String primaryUserId = userIdIterator.hasNext() ? userIdIterator.next() : null;
              key = PGPainless.generateKeyRing()
-                    .modernKeyRing(userIdIterator.next(), passphrase);
+                    .modernKeyRing(primaryUserId, passphrase);
 
             if (userIdIterator.hasNext()) {
                 SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(key);
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
index 7f1710fd..a71eda12 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
@@ -6,7 +6,6 @@ package org.pgpainless.sop;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
@@ -17,7 +16,6 @@ import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.key.info.KeyRingInfo;
 import sop.SOP;
-import sop.exception.SOPGPException;
 
 public class GenerateKeyTest {
 
@@ -28,11 +26,6 @@ public class GenerateKeyTest {
         sop = new SOPImpl();
     }
 
-    @Test
-    public void testMissingUserId() {
-        assertThrows(SOPGPException.MissingArg.class, () -> sop.generateKey().generate());
-    }
-
     @Test
     public void generateKey() throws IOException {
         byte[] bytes = sop.generateKey()

From cfba77dea5eb75bf5fdf9ec255e196f338d0fe11 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 14 Dec 2022 00:11:23 +0100
Subject: [PATCH 0872/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e5b5ebe..ac12a0f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.0-rc3-SNAPSHOT
+- `sop generate-key`: Add support for keys without user-ids
+- `sop inline-sign --as=clearsigned`: Make signature in TEXT mode
+
 ## 1.4.0-rc2
 - Bump `bcpg-jdk15to18` to `1.72.3`
 - Use BCs `PGPEncryptedDataList.extractSessionKeyEncryptedData()` method

From bfbaa30e4cb5567078098a080055cf6cf3b376f7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 16:12:30 +0100
Subject: [PATCH 0873/1450] Make KO-countermeasures configurable (off by
 default)

---
 .../key/protection/UnlockSecretKey.java       |  5 +++-
 .../java/org/pgpainless/policy/Policy.java    | 29 +++++++++++++++++++
 .../ModifiedPublicKeysInvestigation.java      |  6 ++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java
index 42a5b9b7..78c849ab 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/UnlockSecretKey.java
@@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
+import org.pgpainless.PGPainless;
 import org.pgpainless.exception.KeyIntegrityException;
 import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.key.info.KeyInfo;
@@ -51,7 +52,9 @@ public final class UnlockSecretKey {
             throw new PGPException("Cannot decrypt secret key.");
         }
 
-        PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey());
+        if (PGPainless.getPolicy().isEnableKeyParameterValidation()) {
+            PublicKeyParameterValidationUtil.verifyPublicKeyParameterIntegrity(privateKey, secretKey.getPublicKey());
+        }
 
         return privateKey;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
index ad9f0635..3556f104 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/policy/Policy.java
@@ -49,6 +49,8 @@ public final class Policy {
     // Signers User-ID is soon to be deprecated.
     private SignerUserIdValidationLevel signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED;
 
+    private boolean enableKeyParameterValidation = false;
+
     public enum SignerUserIdValidationLevel {
         /**
          * PGPainless will verify {@link org.bouncycastle.bcpg.sig.SignerUserID} subpackets in signatures strictly.
@@ -701,4 +703,31 @@ public final class Policy {
         this.signerUserIdValidationLevel = signerUserIdValidationLevel;
         return this;
     }
+
+    /**
+     * Enable or disable validation of public key parameters when unlocking private keys.
+     * Disabled by default.
+     * When enabled, PGPainless will validate, whether public key parameters have been tampered with.
+     * This is a countermeasure against possible attacks described in the paper
+     * "Victory by KO: Attacking OpenPGP Using Key Overwriting" by Lara Bruseghini, Daniel Huigens, and Kenneth G. Paterson.
+     * Since these attacks are only possible in very special conditions (attacker has access to the encrypted private key),
+     * and the countermeasures are very costly, they are disabled by default, but can be enabled using this method.
+     *
+     * @see KOpenPGP.com
+     * @param enable boolean
+     * @return this
+     */
+    public Policy setEnableKeyParameterValidation(boolean enable) {
+        this.enableKeyParameterValidation = enable;
+        return this;
+    }
+
+    /**
+     * Return true, if countermeasures against the KOpenPGP attacks are enabled, false otherwise.
+     *
+     * @return true if countermeasures are enabled, false otherwise.
+     */
+    public boolean isEnableKeyParameterValidation() {
+        return enableKeyParameterValidation;
+    }
 }
diff --git a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java
index ba16e2d0..6930f78f 100644
--- a/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java
+++ b/pgpainless-core/src/test/java/investigations/ModifiedPublicKeysInvestigation.java
@@ -212,10 +212,12 @@ public class ModifiedPublicKeysInvestigation {
         SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678"));
         PGPSecretKeyRing dsa = PGPainless.readKeyRing().secretKeyRing(DSA);
 
+        PGPainless.getPolicy().setEnableKeyParameterValidation(true);
         assertThrows(KeyIntegrityException.class, () ->
                 UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("b1bd1f049ec87f3d")), protector));
         assertThrows(KeyIntegrityException.class, () ->
                 UnlockSecretKey.unlockSecretKey(dsa.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector));
+        PGPainless.getPolicy().setEnableKeyParameterValidation(false);
     }
 
     @Test
@@ -223,8 +225,10 @@ public class ModifiedPublicKeysInvestigation {
         SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("12345678"));
         PGPSecretKeyRing elgamal = PGPainless.readKeyRing().secretKeyRing(ELGAMAL);
 
+        PGPainless.getPolicy().setEnableKeyParameterValidation(true);
         assertThrows(KeyIntegrityException.class, () ->
                 UnlockSecretKey.unlockSecretKey(elgamal.getSecretKey(KeyIdUtil.fromLongKeyId("f5ffdf6d71dd5789")), protector));
+        PGPainless.getPolicy().setEnableKeyParameterValidation(false);
     }
 
     @Test
@@ -232,8 +236,10 @@ public class ModifiedPublicKeysInvestigation {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(INJECTED_KEY);
         SecretKeyRingProtector protector = SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword("pass"));
 
+        PGPainless.getPolicy().setEnableKeyParameterValidation(true);
         assertThrows(KeyIntegrityException.class, () ->
                 UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(), protector));
+        PGPainless.getPolicy().setEnableKeyParameterValidation(false);
     }
 
     @Test

From 6a5c6c55096ea8ac99587accc3120b72d9dcfe23 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 16:28:10 +0100
Subject: [PATCH 0874/1450] Improve ElGamal validation by refraining from
 biginteger for loop variable

---
 .../key/util/PublicKeyParameterValidationUtil.java       | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index 88e9897a..344f063b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -265,14 +265,15 @@ public class PublicKeyParameterValidationUtil {
 
         // check g^i mod p != 1 for i < threshold
         BigInteger res = g;
-        BigInteger i = BigInteger.valueOf(1);
-        BigInteger threshold = BigInteger.valueOf(2).shiftLeft(17);
-        while (i.compareTo(threshold) < 0) {
+        // 262144
+        int threshold = 2 << 17;
+        int i = 1;
+        while (i < threshold) {
             res = res.multiply(g).mod(p);
             if (res.equals(one)) {
                 return false;
             }
-            i = i.add(one);
+            i++;
         }
 
         // blinded exponentiation to check y = g^(r*(p-1)+x) mod p

From 3f10efac7a8f561da5ce5f503020b6ab1fa78d28 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 18:06:50 +0100
Subject: [PATCH 0875/1450] Update changelog

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac12a0f1..bb449799 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.4.0-rc3-SNAPSHOT
 - `sop generate-key`: Add support for keys without user-ids
 - `sop inline-sign --as=clearsigned`: Make signature in TEXT mode
+- Make countermeasures against KOpenPGP attacks configurable
+  - Countermeasures are now disabled by default since they are costly and have a specific threat model
+  - Can be enabled by calling `Policy.setEnableKeyParameterValidation(true)`
 
 ## 1.4.0-rc2
 - Bump `bcpg-jdk15to18` to `1.72.3`
@@ -50,6 +53,11 @@ SPDX-License-Identifier: CC0-1.0
 - Add `KeyRingUtils.publicKeys(PGPKeyRing keys)`
 - Remove `BCUtil` class
 
+## 1.3.15
+- Fix crash in `sop generate-key --with-key-password` when more than one user-id is given
+- `sop generate-key`: Allow key generation without user-ids
+- `sop inline-sign --as=clearsigned`: Make signatures of type 'text' instead of 'binary'
+
 ## 1.3.14
 - Bump `bcpg` to `1.72.3`
 - Fix DSA key parameter check

From 7a326ddef0e21360cadf519a68450440dacee72e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 18:19:13 +0100
Subject: [PATCH 0876/1450] PGPainless 1.4.0

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb449799..a8c57019 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.0-rc3-SNAPSHOT
+## 1.4.0
 - `sop generate-key`: Add support for keys without user-ids
 - `sop inline-sign --as=clearsigned`: Make signature in TEXT mode
 - Make countermeasures against KOpenPGP attacks configurable
diff --git a/README.md b/README.md
index 30af42f8..39741bb5 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.0-rc2'
+	implementation 'org.pgpainless:pgpainless-core:1.4.0'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 2e4927a6..e7e612de 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.0-rc2"
+    implementation "org.pgpainless:pgpainless-sop:1.4.0"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.0-rc2
+        1.4.0
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 2d9745dd..8ced1bc0 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.0-rc3'
-        isSnapshot = true
+        shortVersion = '1.4.0'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 01e6ef0013ab0638e3465f2069032bf39cda6309 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 18:22:04 +0100
Subject: [PATCH 0877/1450] PGPainless 1.4.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 8ced1bc0..65038afb 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.0'
-        isSnapshot = false
+        shortVersion = '1.4.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From c90b56ba13eac5ade70c64caf6808b52e31187a6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 16 Dec 2022 17:20:10 +0100
Subject: [PATCH 0878/1450] Add YourKit endorsement

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 39741bb5..6dbceacd 100644
--- a/README.md
+++ b/README.md
@@ -222,6 +222,9 @@ Parts of PGPainless development ([project page](https://nlnet.nl/project/PGPainl
 NGI Assure is made possible with financial support from the [European Commission](https://ec.europa.eu/)'s [Next Generation Internet](https://ngi.eu/) programme, under the aegis of [DG Communications Networks, Content and Technology](https://ec.europa.eu/info/departments/communications-networks-content-and-technology_en).
 [![NGI Assure Logo](https://blog.jabberhead.tk/wp-content/uploads/2022/05/NGIAssure_tag.svg)](https://nlnet.nl/assure/)
 
+Thanks to [YourKit](https://www.yourkit.com/) for providing a free license of the [YourKit Java Profiler](https://www.yourkit.com/java/profiler/) to support PGPainless Development!
+[![YourKit Logo](https://www.yourkit.com/images/yklogo.png)](https://www.yourkit.com/)
+
 Big thank you also to those who decided to support the work by donating!  
 Notably @msfjarvis
 

From dbcca586d1c58d931d053ce323dbe189fa1110da Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 16 Dec 2022 17:34:53 +0100
Subject: [PATCH 0879/1450] Add link to KOpenPGP to changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8c57019..4bafa039 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.4.0
 - `sop generate-key`: Add support for keys without user-ids
 - `sop inline-sign --as=clearsigned`: Make signature in TEXT mode
-- Make countermeasures against KOpenPGP attacks configurable
+- Make countermeasures against [KOpenPGP](https://kopenpgp.com/) attacks configurable
   - Countermeasures are now disabled by default since they are costly and have a specific threat model
   - Can be enabled by calling `Policy.setEnableKeyParameterValidation(true)`
 

From 59217d25013df10eb8c22c129d7f30201e77bfc0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 19 Dec 2022 16:25:27 +0100
Subject: [PATCH 0880/1450] Implement UserId.parse(mailbox)

---
 .../java/org/pgpainless/key/util/UserId.java  |  62 +++++++++-
 .../java/org/pgpainless/key/UserIdTest.java   | 110 ++++++++++++++++++
 2 files changed, 171 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index a1b251dc..6dca06b5 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -5,10 +5,21 @@
 package org.pgpainless.key.util;
 
 import java.util.Comparator;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
 public final class UserId implements CharSequence {
+
+    private static final Pattern emailPattern = Pattern.compile("(?:[\\p{L}\\u0900-\\u097F0-9!#\\$%&'*+/=?^_`{|}~-]+(?:\\.[\\p{L}\\u0900-\\u097F0-9!#\\$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-" +
+            "\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[\\p{L}\\u0900-\\u097F0-9](?:[\\p{L}\\u0900-\\u097F0-9" +
+            "-]*[\\p{L}\\u0900-\\u097F0-9])?\\.)+[\\p{L}\\u0900-\\u097F0-9](?:[\\p{L}\\u0900-\\u097F0-9-]*[\\p{L}\\u0900-\\u097F0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" +
+            "\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[$\\p{L}\\u0900-\\u097F0-9-]*[\\p{L}\\u0900-\\u097F0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f" +
+            "\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)])");
+
+    private static final Pattern nameAddrPattern = Pattern.compile("^((?.+?)\\s)?(\\((?.+?)\\)\\s)?(<(?.+?)>)?$");
+
     public static final class Builder {
         private String name;
         private String comment;
@@ -58,6 +69,37 @@ public final class UserId implements CharSequence {
         }
     }
 
+    public static UserId parse(@Nonnull String string) {
+        Builder builder = newBuilder();
+        string = string.trim();
+        Matcher matcher = nameAddrPattern.matcher(string);
+        if (matcher.find()) {
+            String name = matcher.group("name");
+            String comment = matcher.group("comment");
+            String mail = matcher.group("email");
+            matcher = emailPattern.matcher(mail);
+            if (!matcher.matches()) {
+                throw new IllegalArgumentException("Malformed email address");
+            }
+
+            if (name != null) {
+                builder.withName(name);
+            }
+            if (comment != null) {
+                builder.withComment(comment);
+            }
+            builder.withEmail(mail);
+        } else {
+            matcher = emailPattern.matcher(string);
+            if (matcher.matches()) {
+                builder.withEmail(string);
+            } else {
+                throw new IllegalArgumentException("Malformed email address");
+            }
+        }
+        return builder.build();
+    }
+
     private final String name;
     private final String comment;
     private final String email;
@@ -86,6 +128,24 @@ public final class UserId implements CharSequence {
     }
 
     public String getName() {
+        return getName(false);
+    }
+
+    public String getName(boolean preserveQuotes) {
+        if (name == null || name.isEmpty()) {
+            return name;
+        }
+
+        if (name.startsWith("\"")) {
+            if (preserveQuotes) {
+                return name;
+            }
+            String withoutQuotes = name.substring(1);
+            if (withoutQuotes.endsWith("\"")) {
+                withoutQuotes = withoutQuotes.substring(0, withoutQuotes.length() - 1);
+            }
+            return withoutQuotes;
+        }
         return name;
     }
 
@@ -116,7 +176,7 @@ public final class UserId implements CharSequence {
     public @Nonnull String toString() {
         StringBuilder sb = new StringBuilder();
         if (name != null && !name.isEmpty()) {
-            sb.append(name);
+            sb.append(getName(true));
         }
         if (comment != null && !comment.isEmpty()) {
             if (sb.length() > 0) {
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index acc90918..b910e1b4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -271,4 +271,114 @@ public class UserIdTest {
         assertNotEquals(0, UserId.compare(id1, id6, c));
         assertNotEquals(0, UserId.compare(id6, id1, c));
     }
+
+    @Test
+    public void parseNameAndEmail() {
+        UserId id = UserId.parse("Alice ");
+
+        assertEquals("Alice", id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("Alice ", id.toString());
+    }
+
+    @Test
+    public void parseNameCommentAndEmail() {
+        UserId id = UserId.parse("Alice (work mail) ");
+
+        assertEquals("Alice", id.getName());
+        assertEquals("work mail", id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("Alice (work mail) ", id.toString());
+    }
+
+    @Test
+    public void parseLongNameAndEmail() {
+        UserId id = UserId.parse("Alice von Painleicester ");
+
+        assertEquals("Alice von Painleicester", id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("Alice von Painleicester ", id.toString());
+    }
+
+    @Test
+    public void parseLongNameCommentAndEmail() {
+        UserId id = UserId.parse("Alice von Painleicester (work email) ");
+
+        assertEquals("Alice von Painleicester", id.getName());
+        assertEquals("work email", id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("Alice von Painleicester (work email) ", id.toString());
+    }
+
+    @Test
+    public void parseQuotedNameAndEmail() {
+        UserId id = UserId.parse("\"Alice\" ");
+
+        assertEquals("Alice", id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("\"Alice\" ", id.toString());
+    }
+
+    @Test
+    public void parseQuotedNameCommentAndEmail() {
+        UserId id = UserId.parse("\"Alice\" (work email) ");
+
+        assertEquals("Alice", id.getName());
+        assertEquals("work email", id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("\"Alice\" (work email) ", id.toString());
+    }
+
+    @Test
+    public void parseLongQuotedNameAndEmail() {
+        UserId id = UserId.parse("\"Alice Mac Painlester\" ");
+
+        assertEquals("Alice Mac Painlester", id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("\"Alice Mac Painlester\" ", id.toString());
+    }
+
+    @Test
+    public void parseLongQuotedNameCommentAndEmail() {
+        UserId id = UserId.parse("\"Alice Mac Painlester\" (work email) ");
+
+        assertEquals("Alice Mac Painlester", id.getName());
+        assertEquals("work email", id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("\"Alice Mac Painlester\" (work email) ", id.toString());
+    }
+
+    @Test
+    public void parseEmailOnly() {
+        UserId id = UserId.parse("alice@pgpainless.org");
+
+        assertNull(id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("", id.toString());
+    }
+
+    @Test
+    public void parseBracketedEmailOnly() {
+        UserId id = UserId.parse("");
+
+        assertNull(id.getName());
+        assertNull(id.getComment());
+        assertEquals("alice@pgpainless.org", id.getEmail());
+
+        assertEquals("", id.toString());
+    }
 }

From 94851ccb8f5294941f4715a66d5e4a50467d91d1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 20 Dec 2022 15:57:11 +0100
Subject: [PATCH 0881/1450] Add javadoc for UserId.parse()

---
 .../java/org/pgpainless/key/util/UserId.java   | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 6dca06b5..3c43b92c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -69,6 +69,24 @@ public final class UserId implements CharSequence {
         }
     }
 
+    /**
+     * Parse a {@link UserId} from free-form text, 
name-addr
 or 
mailbox
 string and split it
+     * up into its components.
+     * Example inputs for this method:
+     * 
    
+     *     
  • john@pgpainless.org
    • 
+     *     
  • <john@pgpainless.org>
    • 
+     *     
  • John Doe
    • 
+     *     
  • John Doe <john@pgpainless.org>
    • 
+     *     
  • John Doe (work email) <john@pgpainless.org>
    • 
+     * 

+     * In these cases, {@link #parse(String)} will detect email addresses, names and comments and expose those
+     * via the respective getters.
+     *
+     * @see RFC5322 §3.4. Address Specification
+     * @param string user-id
+     * @return parsed {@link UserId} object
+     */
     public static UserId parse(@Nonnull String string) {
         Builder builder = newBuilder();
         string = string.trim();

From 75f69c0473c1a2807fc39d0d89ce20c474df79c5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 20 Dec 2022 17:27:32 +0100
Subject: [PATCH 0882/1450] Fix Android compatibility by using
 Matcher.group(int) instead of Matcher.group(String)

---
 .../src/main/java/org/pgpainless/key/util/UserId.java       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 3c43b92c..e79d9700 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -92,9 +92,9 @@ public final class UserId implements CharSequence {
         string = string.trim();
         Matcher matcher = nameAddrPattern.matcher(string);
         if (matcher.find()) {
-            String name = matcher.group("name");
-            String comment = matcher.group("comment");
-            String mail = matcher.group("email");
+            String name = matcher.group(2);
+            String comment = matcher.group(4);
+            String mail = matcher.group(6);
             matcher = emailPattern.matcher(mail);
             if (!matcher.matches()) {
                 throw new IllegalArgumentException("Malformed email address");

From a376587680ecd76b8b3302875731f596e4c44805 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 14:43:09 +0100
Subject: [PATCH 0883/1450] Add tests for international user-ids

---
 .../java/org/pgpainless/key/UserIdTest.java   | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index b910e1b4..aece0efb 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -381,4 +381,64 @@ public class UserIdTest {
 
         assertEquals("", id.toString());
     }
+
+    @Test
+    public void parseLatinWithDiacritics() {
+        UserId pele = UserId.parse("PelÊ@example.com");
+        assertEquals("PelÊ@example.com", pele.getEmail());
+
+        pele = UserId.parse("Marquez PelÊ ");
+        assertEquals("PelÊ@example.com", pele.getEmail());
+        assertEquals("Marquez PelÊ", pele.getName());
+    }
+
+    @Test
+    public void parseGreekAlphabet() {
+        UserId dokimi = UserId.parse("δÎŋÎēΚÎŧÎŽ@Ī€ÎąĪÎŦδÎĩΚÎŗÎŧÎą.δÎŋÎēΚÎŧÎŽ");
+        assertEquals("δÎŋÎēΚÎŧÎŽ@Ī€ÎąĪÎŦδÎĩΚÎŗÎŧÎą.δÎŋÎēΚÎŧÎŽ", dokimi.getEmail());
+
+        dokimi = UserId.parse("δÎŋÎēΚÎŧÎŽ <δÎŋÎēΚÎŧÎŽ@Ī€ÎąĪÎŦδÎĩΚÎŗÎŧÎą.δÎŋÎēΚÎŧÎŽ>");
+        assertEquals("δÎŋÎēΚÎŧÎŽ", dokimi.getName());
+        assertEquals("δÎŋÎēΚÎŧÎŽ@Ī€ÎąĪÎŦδÎĩΚÎŗÎŧÎą.δÎŋÎēΚÎŧÎŽ", dokimi.getEmail());
+    }
+
+    @Test
+    public void parseTraditionalChinese() {
+        UserId womai = UserId.parse("æˆ‘č˛ˇ@åą‹äŧ.éĻ™æ¸¯");
+        assertEquals("æˆ‘č˛ˇ@åą‹äŧ.éĻ™æ¸¯", womai.getEmail());
+
+        womai = UserId.parse("æˆ‘č˛ˇ <æˆ‘č˛ˇ@åą‹äŧ.éĻ™æ¸¯>");
+        assertEquals("æˆ‘č˛ˇ@åą‹äŧ.éĻ™æ¸¯", womai.getEmail());
+        assertEquals("æˆ‘č˛ˇ", womai.getName());
+    }
+
+    @Test
+    public void parseJapanese() {
+        UserId ninomiya = UserId.parse("äēŒãƒŽåŽŽ@éģ’åˇ.æ—ĨæœŦ");
+        assertEquals("äēŒãƒŽåŽŽ@éģ’åˇ.æ—ĨæœŦ", ninomiya.getEmail());
+
+        ninomiya = UserId.parse("äēŒãƒŽåŽŽ <äēŒãƒŽåŽŽ@éģ’åˇ.æ—ĨæœŦ>");
+        assertEquals("äēŒãƒŽåŽŽ@éģ’åˇ.æ—ĨæœŦ", ninomiya.getEmail());
+        assertEquals("äēŒãƒŽåŽŽ", ninomiya.getName());
+    }
+
+    @Test
+    public void parseCyrillic() {
+        UserId medved = UserId.parse("ĐŧĐĩдвĐĩĐ´ŅŒ@Ņ-йаĐģĐ°ĐģĐ°ĐšĐēОК.Ņ€Ņ„");
+        assertEquals("ĐŧĐĩдвĐĩĐ´ŅŒ@Ņ-йаĐģĐ°ĐģĐ°ĐšĐēОК.Ņ€Ņ„", medved.getEmail());
+
+        medved = UserId.parse("ĐŧĐĩдвĐĩĐ´ŅŒ <ĐŧĐĩдвĐĩĐ´ŅŒ@Ņ-йаĐģĐ°ĐģĐ°ĐšĐēОК.Ņ€Ņ„>");
+        assertEquals("ĐŧĐĩдвĐĩĐ´ŅŒ@Ņ-йаĐģĐ°ĐģĐ°ĐšĐēОК.Ņ€Ņ„", medved.getEmail());
+        assertEquals("ĐŧĐĩдвĐĩĐ´ŅŒ", medved.getName());
+    }
+
+    @Test
+    public void parseDevanagari() {
+        UserId samparka = UserId.parse("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•@ā¤Ąā¤žā¤Ÿā¤žā¤ŽāĨ‡ā¤˛.ā¤­ā¤žā¤°ā¤¤");
+        assertEquals("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•@ā¤Ąā¤žā¤Ÿā¤žā¤ŽāĨ‡ā¤˛.ā¤­ā¤žā¤°ā¤¤", samparka.getEmail());
+
+        samparka = UserId.parse("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤• <ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•@ā¤Ąā¤žā¤Ÿā¤žā¤ŽāĨ‡ā¤˛.ā¤­ā¤žā¤°ā¤¤>");
+        assertEquals("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•@ā¤Ąā¤žā¤Ÿā¤žā¤ŽāĨ‡ā¤˛.ā¤­ā¤žā¤°ā¤¤", samparka.getEmail());
+        assertEquals("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•", samparka.getName());
+    }
 }

From 533b54a6b7c5f1aad340d261fdfcd54fa8cde032 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:01:10 +0100
Subject: [PATCH 0884/1450] Add some more tests for valid email address formats

---
 .../java/org/pgpainless/key/util/UserId.java  |  6 ++
 .../java/org/pgpainless/key/UserIdTest.java   | 91 +++++++++++++++++++
 2 files changed, 97 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index e79d9700..1a2ea265 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -82,6 +82,12 @@ public final class UserId implements CharSequence {
      * 
      * In these cases, {@link #parse(String)} will detect email addresses, names and comments and expose those
      * via the respective getters.
+     * This method does not support parsing mail addresses of the following formats:
+     * 
    
+     *     
  • Local domains without TLDs (
    user@localdomain1
    )
    • 
+     *     
  • " "@example.org
     (spaces between the quotes)
    • 
+     *     
  • "very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com
    • 
+     * 

      *
      * @see RFC5322 §3.4. Address Specification
      * @param string user-id
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
index aece0efb..93cb6922 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/UserIdTest.java
@@ -441,4 +441,95 @@ public class UserIdTest {
         assertEquals("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•@ā¤Ąā¤žā¤Ÿā¤žā¤ŽāĨ‡ā¤˛.ā¤­ā¤žā¤°ā¤¤", samparka.getEmail());
         assertEquals("ā¤¸ā¤‚ā¤Ēā¤°āĨā¤•", samparka.getName());
     }
+
+    @Test
+    public void parseMailWithPlus() {
+        UserId id = UserId.parse("disposable.style.email.with+symbol@example.com");
+        assertEquals("disposable.style.email.with+symbol@example.com", id.getEmail());
+
+        id = UserId.parse("Disposable Mail ");
+        assertEquals("disposable.style.email.with+symbol@example.com", id.getEmail());
+        assertEquals("Disposable Mail", id.getName());
+    }
+
+    @Test
+    public void parseMailWithHyphen() {
+        UserId id = UserId.parse("other.email-with-hyphen@example.com");
+        assertEquals("other.email-with-hyphen@example.com", id.getEmail());
+
+        id = UserId.parse("Other Email ");
+        assertEquals("other.email-with-hyphen@example.com", id.getEmail());
+        assertEquals("Other Email", id.getName());
+    }
+
+    @Test
+    public void parseMailWithTagAndSorting() {
+        UserId id = UserId.parse("user.name+tag+sorting@example.com");
+        assertEquals("user.name+tag+sorting@example.com", id.getEmail());
+
+        id = UserId.parse("User Name ");
+        assertEquals("user.name+tag+sorting@example.com", id.getEmail());
+        assertEquals("User Name", id.getName());
+    }
+
+    @Test
+    public void parseMailWithSlash() {
+        UserId id = UserId.parse("test/test@test.com");
+        assertEquals("test/test@test.com", id.getEmail());
+
+        id = UserId.parse("Who uses Slashes ");
+        assertEquals("test/test@test.com", id.getEmail());
+        assertEquals("Who uses Slashes", id.getName());
+    }
+
+    @Test
+    public void parseDoubleDots() {
+        UserId id = UserId.parse("\"john..doe\"@example.org");
+        assertEquals("\"john..doe\"@example.org", id.getEmail());
+
+        id = UserId.parse("John Doe <\"john..doe\"@example.org>");
+        assertEquals("\"john..doe\"@example.org", id.getEmail());
+        assertEquals("John Doe", id.getName());
+    }
+
+    @Test
+    public void parseBangifiedHostRoute() {
+        UserId id = UserId.parse("mailhost!username@example.org");
+        assertEquals("mailhost!username@example.org", id.getEmail());
+
+        id = UserId.parse("Bangified Host Route ");
+        assertEquals("mailhost!username@example.org", id.getEmail());
+        assertEquals("Bangified Host Route", id.getName());
+    }
+
+    @Test
+    public void parsePercentRouted() {
+        UserId id = UserId.parse("user%example.com@example.org");
+        assertEquals("user%example.com@example.org", id.getEmail());
+
+        id = UserId.parse("User ");
+        assertEquals("user%example.com@example.org", id.getEmail());
+        assertEquals("User", id.getName());
+    }
+
+    @Test
+    public void parseLocalPartEndingWithNonAlphanumericCharacter() {
+        UserId id = UserId.parse("user-@example.org");
+        assertEquals("user-@example.org", id.getEmail());
+
+        id = UserId.parse("User ");
+        assertEquals("user-@example.org", id.getEmail());
+        assertEquals("User", id.getName());
+    }
+
+    @Test
+    public void parseDomainIsIpAddress() {
+        UserId id = UserId.parse("postmaster@[123.123.123.123]");
+        assertEquals("postmaster@[123.123.123.123]", id.getEmail());
+
+        id = UserId.parse("Alice (work email) ");
+        assertEquals("postmaster@[123.123.123.123]", id.getEmail());
+        assertEquals("Alice", id.getName());
+        assertEquals("work email", id.getComment());
+    }
 }

From 44738766e5fa5da50ba883ecd5c347061fc4387c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:19:42 +0100
Subject: [PATCH 0885/1450] Add comments to regexes

---
 .../src/main/java/org/pgpainless/key/util/UserId.java     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 1a2ea265..f59cd36f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -12,12 +12,20 @@ import javax.annotation.Nullable;
 
 public final class UserId implements CharSequence {
 
+    // Email regex: https://emailregex.com/
+    // switched "a-z0-9" to "\p{L}\u0900-\u097F0-9" for better support for international characters
+    // \\p{L} = Unicode Letters
+    // \u0900-\u097F = Hindi Letters
     private static final Pattern emailPattern = Pattern.compile("(?:[\\p{L}\\u0900-\\u097F0-9!#\\$%&'*+/=?^_`{|}~-]+(?:\\.[\\p{L}\\u0900-\\u097F0-9!#\\$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-" +
             "\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[\\p{L}\\u0900-\\u097F0-9](?:[\\p{L}\\u0900-\\u097F0-9" +
             "-]*[\\p{L}\\u0900-\\u097F0-9])?\\.)+[\\p{L}\\u0900-\\u097F0-9](?:[\\p{L}\\u0900-\\u097F0-9-]*[\\p{L}\\u0900-\\u097F0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" +
             "\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[$\\p{L}\\u0900-\\u097F0-9-]*[\\p{L}\\u0900-\\u097F0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f" +
             "\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)])");
 
+    // User-ID Regex
+    // "Firstname Lastname (Comment) "
+    // All groups are optional
+    // https://www.rfc-editor.org/rfc/rfc5322#page-16
     private static final Pattern nameAddrPattern = Pattern.compile("^((?.+?)\\s)?(\\((?.+?)\\)\\s)?(<(?.+?)>)?$");
 
     public static final class Builder {

From b5128be6fb65e7fb791e8e8e3debae49ec644c90 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:23:00 +0100
Subject: [PATCH 0886/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4bafa039..4493fe1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.1
+- Add `UserId.parse()` method to parse user-ids into their components
+
 ## 1.4.0
 - `sop generate-key`: Add support for keys without user-ids
 - `sop inline-sign --as=clearsigned`: Make signature in TEXT mode

From 35c62663e95c0f444531cc2bf20854d6079792ba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:30:11 +0100
Subject: [PATCH 0887/1450] Fix javadoc

---
 .../src/main/java/org/pgpainless/key/util/UserId.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index f59cd36f..03a50321 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -94,7 +94,7 @@ public final class UserId implements CharSequence {
      * 
    
      *     
  • Local domains without TLDs (
    user@localdomain1
    )
    • 
      *     
  • " "@example.org
     (spaces between the quotes)
    • 
-     *     
  • "very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com
    • 
+     *     
  • "very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com
    • 
      * 

      *
      * @see RFC5322 §3.4. Address Specification

From 77c476dff2c0015cdac8be63d708e7081e136941 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:31:32 +0100
Subject: [PATCH 0888/1450] PGPainless 1.4.1

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 6dbceacd..49320f94 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.0'
+	implementation 'org.pgpainless:pgpainless-core:1.4.1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index e7e612de..c1b2a988 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.0"
+    implementation "org.pgpainless:pgpainless-sop:1.4.1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.0
+        1.4.1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 65038afb..76939ca7 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 7be12b0aaaca1bb5fcdecf55ef7e947cdc385986 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 22 Dec 2022 15:33:24 +0100
Subject: [PATCH 0889/1450] PGPainless 1.4.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 76939ca7..c6f7104e 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.1'
-        isSnapshot = false
+        shortVersion = '1.4.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 94d9efa1e7c123445b24754fec13631672f6d4fa Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 13:12:14 +0100
Subject: [PATCH 0890/1450] OpenPgpMessageInputStream: Ignore
 non-integrity-protected data if configured

---
 .../decryption_verification/OpenPgpMessageInputStream.java  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index c26c949b..bb5d67b3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -409,8 +409,10 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         PGPEncryptedDataList encDataList = packetInputStream.readEncryptedDataList();
 
         if (!encDataList.isIntegrityProtected()) {
-            LOGGER.debug("Symmetrically Encrypted Data Packet is not integrity-protected and is therefore rejected.");
-            throw new MessageNotIntegrityProtectedException();
+            LOGGER.warn("Symmetrically Encrypted Data Packet is not integrity-protected.");
+            if (!options.isIgnoreMDCErrors()) {
+                throw new MessageNotIntegrityProtectedException();
+            }
         }
 
         SortedESKs esks = new SortedESKs(encDataList);

From 00b593823a2bf7fce7b897c530f60032c2d16d7c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 13:18:18 +0100
Subject: [PATCH 0891/1450] Modify SED test to test successful decryption of
 SED packet

---
 .../ModificationDetectionTests.java            | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
index 9ecaa38a..59021f95 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/ModificationDetectionTests.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.decryption_verification;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.ByteArrayInputStream;
@@ -374,7 +375,7 @@ public class ModificationDetectionTests {
 
     @TestTemplate
     @ExtendWith(TestAllImplementations.class)
-    public void decryptMessageWithSEDPacket() throws IOException {
+    public void decryptMessageWithSEDPacket() throws IOException, PGPException {
         Passphrase passphrase = Passphrase.fromPassword("flowcrypt compatibility tests");
         String key = "-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n" +
                 "Version: FlowCrypt 6.9.1 Gmail Encryption\r\n" +
@@ -536,6 +537,21 @@ public class ModificationDetectionTests {
                 .withOptions(new ConsumerOptions().addDecryptionKey(secretKeyRing,
                         SecretKeyRingProtector.unlockAnyKeyWith(passphrase)))
         );
+
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(ciphertext.getBytes(StandardCharsets.UTF_8)))
+                .withOptions(ConsumerOptions.get().addDecryptionKey(secretKeyRing,
+                        SecretKeyRingProtector.unlockAnyKeyWith(passphrase))
+                        .setIgnoreMDCErrors(true));
+        ByteArrayOutputStream plaintext = new ByteArrayOutputStream();
+        Streams.pipeAll(decryptionStream, plaintext);
+        decryptionStream.close();
+
+        assertEquals("As stated in subject\r\n" +
+                "\r\n" +
+                "Shall not decrypt automatically\r\n" +
+                "\r\n" +
+                "Has to show a warning\r\n", plaintext.toString());
     }
 
     private PGPSecretKeyRingCollection getDecryptionKey() throws IOException {

From b36494ecd439546fbf4b4c34c4a63649b396ff7a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 13:53:12 +0100
Subject: [PATCH 0892/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4493fe1a..9a35d4d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.2-SNAPSHOT
+- Properly decrypt messages without MDC packets when `ConsumerOptions.setIgnoreMDCErrors(true)` is set
+
 ## 1.4.1
 - Add `UserId.parse()` method to parse user-ids into their components
 

From 507b36468b299173da06f4a21583763f2697541d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 14:06:19 +0100
Subject: [PATCH 0893/1450] Update docs on UserId parsing

---
 docs/source/pgpainless-core/userids.md | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/source/pgpainless-core/userids.md b/docs/source/pgpainless-core/userids.md
index 78126828..d2b5730e 100644
--- a/docs/source/pgpainless-core/userids.md
+++ b/docs/source/pgpainless-core/userids.md
@@ -29,4 +29,19 @@ UserId full = UserId.newBuilder()
         .withComment("Work Address")
         .build();
 assertEquals("Peter Pattern (Work Address) ", full.toString());
-```
\ No newline at end of file
+```
+
+If you have a User-ID in form of a string (e.g. because a user provided it via a text field),
+you can parse it into its components like this:
+
+```java
+String string = "John Doe ";
+UserId userId = UserId.parse(string);
+
+// Now you can access the different components
+assertEquals("John Doe", userId.getName());
+assertEquals("john@doe.corp", userId.getEmail());
+assertNull(userId.getComment());
+```
+
+The method `UserId.parse(String string)` will throw an `IllegalArgumentException` if the User-ID is malformed.

From 1452af71fd885b65f781b4104212c96d5f0e7cea Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 15:23:29 +0100
Subject: [PATCH 0894/1450] Add more docs for Policy related configuration

---
 docs/source/pgpainless-core/quickstart.md | 162 ++++++++++++++++++++++
 1 file changed, 162 insertions(+)

diff --git a/docs/source/pgpainless-core/quickstart.md b/docs/source/pgpainless-core/quickstart.md
index d61a881c..5382923f 100644
--- a/docs/source/pgpainless-core/quickstart.md
+++ b/docs/source/pgpainless-core/quickstart.md
@@ -325,4 +325,166 @@ verificationStream.close(); // finish verification
 
 MessageMetadata result = verificationStream.getMetadata(); // get metadata of signed message
 assertTrue(result.isVerifiedSignedBy(certificate)); // check if message was in fact signed
+```
+
+### Legacy Compatibility
+Out of the box, PGPainless is configured to use secure defaults and perform checks for recommended
+security features. This means that for example messages generated using older OpenPGP
+implementations which do not follow those best practices might fail to decrypt/verify.
+
+It is however possible to circumvent certain security checks to allow processing of such messages.
+
+:::{note}
+It is not recommended to disable security checks, as that might enable certain attacks on the OpenPGP protocol.
+:::
+
+#### Missing / broken MDC (modification detection code)
+RFC4880 has two different types of encrypted data packets. The *Symmetrically Encrypted Data* packet (SED) and the *Symmetrically Encrypted Integrity-Protected Data* packet.
+The latter has an added MDC packet which prevents modifications to the ciphertext.
+
+While implementations are highly encouraged to only use the latter package type, some older implementations still generate
+encrypted data packets which are not integrity protected.
+
+To allow PGPainless to decrypt such messages, you need to set a flag in the `ConsumerOptions` object:
+```java
+ConsumerOptions options = ConsumerOptions.get()
+        .setIgnoreMDCErrors(true) // <-
+        .setDecryptionKey(secretKey)
+        ...
+
+DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+        .onInputStream(ciphertextIn)
+        .withOptions(options);
+...
+```
+
+:::{note}
+It is highly advised to only set this flag if you know what you are doing.
+It might also be a good idea to try decrypting a message without the flag set first and only re-try
+decryption with the flag set in case of a `MessageNotIntegrityProtectedException` (don't forget to rewind the ciphertextInputStream).
+:::
+
+#### Weak keys and broken algorithms
+Some users might cling on to older keys using weak algorithms / small key sizes.
+PGPainless refuses to encrypt to weak certificates and sign with weak keys.
+By default, PGPainless follows the recommendations for acceptable key sizes of [the German BSI in 2021](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf).
+It can however be configured to accept older key material / algorithms too.
+
+Minimal key lengths can be configured by changing PGPainless' policy:
+```java
+Map algorithms = new HashMap<>();
+// put all acceptable algorithms and their minimal key length
+algorithms.put(PublicKeyAlgorithm.RSA_GENERAL, 1024);
+algorithms.put(PublicKeyAlgorithm.ECDSA, 100);
+...
+Policy.PublicKeyAlgorithmPolicy pkPolicy = 
+        new Policy.PublicKeyAlgorithmPolicy(algorithms);
+// set the custom algorithm policy
+PGPainless.getPolicy().setPublicKeyAlgorithmPolicy();
+```
+
+Since OpenPGP uses a hybrid encryption scheme of asymmetric and symmetric encryption algorithms,
+it also comes with a policy for symmetric encryption algorithms.
+This list can be modified to allow for weaker algorithms like follows:
+```java
+// default fallback algorithm for message encryption
+SymmetricKeyAlgorithm fallbackAlgorithm = SymmetricKeyAlgorithm.AES_256;
+// acceptable algorithms
+List algorithms = new ArrayList<>();
+algorithms.add(SymmetricKeyAlgorithm.AES_256);
+algorithms.add(SymmetricKeyAlgorithm.AES_192);
+algorithms.add(SymmetricKeyAlgorithm.AES_128);
+algorithms.add(SymmetricKeyAlgorithm.TWOFISH);
+algorithms.add(SymmetricKeyAlgorithm.BLOWFISH);
+...
+Policy.SymmetricKeyAlgorithmPolicy skPolicy = 
+        new SymmtricKeyAlgorithmPolicy(fallbackAlgorithm, algorithms);
+// set the custom algorithm policy
+// algorithm policy applicable when decrypting messages created by legacy senders:
+PGPainless.getPolicy()
+        .setSymmetricKeyDecryptionAlgorithmPolicy(skPolicy);
+// algorithm policy applicable when generating messages for legacy recipients:
+PGPainless.getPolicy()
+        .setSymmetricKeyEncryptionAlgorithmPolicy(skPolicy);
+```
+
+Hash algorithms are used in OpenPGP to create signatures.
+Since signature verification is an integral part of the OpenPGP protocol, PGPainless comes
+with multiple policies for acceptable hash algorithms, depending on the use-case.
+Revocation signatures are critical, so you might want to handle revocation signatures differently from normal signatures.
+
+By default, PGPainless uses a smart hash algorithm policy for both use-cases, which takes into consideration
+not only the hash algorithm itself, but also the creation date of the signature.
+That way, signatures using SHA-1 are acceptable if they were created before February 2013, but are rejected if their
+creation date is after that point in time.
+
+A custom hash algorithm policy can be set like this:
+```java
+HashAlgorithm fallbackAlgorithm = HashAlgorithm.SHA512;
+Map algorithms = new HashMap<>();
+// Accept MD5 on signatures made before 1997-02-01
+algorithms.put(HashAlgorithm.MD5,
+        DateUtil.parseUTCDate("1997-02-01 00:00:00 UTC"));
+// Accept SHA-1, regardless of signature creation time
+algorithms.put(HashAlgorithm.SHA1, null);
+...
+Policy.HashAlgorithmPolicy hPolicy =
+        new Policy.HashAlgorithmPolicy(fallbackAlgorithm, algorithms);
+// set policy for revocation signatures
+PGPainless.getPolicy()
+        .setRevocationSignatureHashAlgorithmPolicy(hPolicy);
+// set policy for normal signatures (certifications and document signatures)
+PGPainless.getPolicy()
+        .setSignatureHashAlgorithmPolicy(hPolicy);
+```
+
+Lastly, PGPainless comes with a policy on acceptable compression algorithms, which currently accepts any
+compression algorithm.
+A custom compression algorithm policy can be set in a similar way:
+```java
+CompressionAlgorithm fallback = CompressionAlgorithm.ZIP;
+List algorithms = new ArrayList<>();
+algorithms.add(CompressionAlgorith.ZIP);
+algorithms.add(CompressionAlgorithm.BZIP2);
+...
+Policy.CompressionAlgorithmPolicy cPolicy =
+        new Policy.CompressionAlgorithmPolicy(fallback, algorithms);
+PGPainless.getPolicy()
+        .setCompressionAlgorithmPolicy(cPolicy);
+```
+
+To prevent a class of attacks described in the [paper](https://www.kopenpgp.com/#paper)
+"Victory by KO: Attacking OpenPGP Using Key Overwriting",
+PGPainless offers the option to validate private key material each time before using it,
+to make sure that an attacker didn't tamper with the corresponding public key parameters.
+
+These checks are disabled by default, but they can be enabled as follows:
+```java
+PGPainless.getPolicy()
+        .setEnableKeyParameterValidation(true);
+```
+
+:::{note}
+Validation checks against KOpenPGP attacks are disabled by default, since they are very costly
+and only make sense in certain scenarios.
+Please read and understand the paper to decide, if enabling the checks makes sense for your use-case.
+:::
+
+
+### Known Notations
+In OpenPGP, signatures can contain [notation subpackets](https://www.rfc-editor.org/rfc/rfc4880#section-5.2.3.16).
+A notation can give meaning to a signature, or add additional contextual information.
+Signature subpackets can be marked as critical, meaning an implementation that does not know about
+a certain subpacket MUST reject the signature.
+The same is true for critical notations.
+
+For that reason, PGPainless comes with a `NotationRegistry` class which can be used to register known notations,
+such that a signature containing a critical notation of a certain value is not rejected.
+To register a known notation, you can do the following:
+
+```java
+NotationRegistry registry = PGPainless.getPolicy()
+        .getNotationRegistry();
+
+registry.addKnownNotation("sample@example.com");
 ```
\ No newline at end of file

From 51c7bc932b73a7c55571ef3907cd7b644d588ddd Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 2 Jan 2023 15:35:55 +0100
Subject: [PATCH 0895/1450] Bump gradlew to 7.5

---
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index a488f210..8049c684 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.4-rc-1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

From abf723cc6c94a492993835a2a01d78afe789cb06 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 4 Jan 2023 18:27:14 +0100
Subject: [PATCH 0896/1450] Add note about UserId.parse().toString() not
 guaranteing identity

---
 .../src/main/java/org/pgpainless/key/util/UserId.java           | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 03a50321..427f9060 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -96,6 +96,8 @@ public final class UserId implements CharSequence {
      *     
  • " "@example.org
     (spaces between the quotes)
    • 
      *     
  • "very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com
    • 
      * 
+     * Note: This method does not guarantee that 
    string.equals(UserId.parse(string).toString())
     is true.
+     * For example, 
    UserId.parse("alice@pgpainless.org").toString()
     wraps the mail address in angled brackets.
      *
      * @see RFC5322 §3.4. Address Specification
      * @param string user-id

From 41cc71c274a3560019010de300a56a035aabb6d4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 4 Jan 2023 18:50:10 +0100
Subject: [PATCH 0897/1450] Add missing javadoc to ConsumerOptions

---
 .../ConsumerOptions.java                      | 99 ++++++++++++++++---
 1 file changed, 87 insertions(+), 12 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index f7b3c020..33404c48 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -42,7 +42,6 @@ import pgp.certificate_store.exception.BadDataException;
  */
 public class ConsumerOptions {
 
-
     private boolean ignoreMDCErrors = false;
     private boolean forceNonOpenPgpData = false;
 
@@ -55,7 +54,8 @@ public class ConsumerOptions {
 
     // Session key for decryption without passphrase/key
     private SessionKey sessionKey = null;
-    private final Map customPublicKeyDataDecryptorFactories = new HashMap<>();
+    private final Map customPublicKeyDataDecryptorFactories =
+            new HashMap<>();
 
     private final Map decryptionKeys = new HashMap<>();
     private final Set decryptionPassphrases = new HashSet<>();
@@ -135,16 +135,38 @@ public class ConsumerOptions {
         return this;
     }
 
+    /**
+     * Pass in a {@link PGPCertificateStore} from which certificates can be sourced for signature verification.
+     *
+     * @param certificateStore certificate store
+     * @return options
+     */
     public ConsumerOptions addVerificationCerts(PGPCertificateStore certificateStore) {
         this.certificates.addStore(certificateStore);
         return this;
     }
 
-    public ConsumerOptions addVerificationOfDetachedSignatures(InputStream signatureInputStream) throws IOException, PGPException {
+    /**
+     * Add some detached signatures from the given {@link InputStream} for verification.
+     *
+     * @param signatureInputStream input stream of detached signatures
+     * @return options
+     *
+     * @throws IOException in case of an IO error
+     * @throws PGPException in case of an OpenPGP error
+     */
+    public ConsumerOptions addVerificationOfDetachedSignatures(InputStream signatureInputStream)
+            throws IOException, PGPException {
         List signatures = SignatureUtils.readSignatures(signatureInputStream);
         return addVerificationOfDetachedSignatures(signatures);
     }
 
+    /**
+     * Add some detached signatures for verification.
+     *
+     * @param detachedSignatures detached signatures
+     * @return options
+     */
     public ConsumerOptions addVerificationOfDetachedSignatures(List detachedSignatures) {
         for (PGPSignature signature : detachedSignatures) {
             addVerificationOfDetachedSignature(signature);
@@ -211,14 +233,15 @@ public class ConsumerOptions {
     }
 
     /**
-     * Add a key for message decryption. If the key is encrypted, the {@link SecretKeyRingProtector} is used to decrypt it
-     * when needed.
+     * Add a key for message decryption. If the key is encrypted, the {@link SecretKeyRingProtector}
+     * is used to decrypt it when needed.
      *
      * @param key key
      * @param keyRingProtector protector for the secret key
      * @return options
      */
-    public ConsumerOptions addDecryptionKey(@Nonnull PGPSecretKeyRing key, @Nonnull SecretKeyRingProtector keyRingProtector) {
+    public ConsumerOptions addDecryptionKey(@Nonnull PGPSecretKeyRing key,
+                                            @Nonnull SecretKeyRingProtector keyRingProtector) {
         decryptionKeys.put(key, keyRingProtector);
         return this;
     }
@@ -230,7 +253,8 @@ public class ConsumerOptions {
      * @param keyRingProtector protector for encrypted secret keys
      * @return options
      */
-    public ConsumerOptions addDecryptionKeys(@Nonnull PGPSecretKeyRingCollection keys, @Nonnull SecretKeyRingProtector keyRingProtector) {
+    public ConsumerOptions addDecryptionKeys(@Nonnull PGPSecretKeyRingCollection keys,
+                                             @Nonnull SecretKeyRingProtector keyRingProtector) {
         for (PGPSecretKeyRing key : keys) {
             addDecryptionKey(key, keyRingProtector);
         }
@@ -264,14 +288,31 @@ public class ConsumerOptions {
         return this;
     }
 
+    /**
+     * Return the custom {@link PublicKeyDataDecryptorFactory PublicKeyDataDecryptorFactories} that were
+     * set by the user.
+     * These factories can be used to decrypt session keys using a custom logic.
+     *
+     * @return custom decryptor factories
+     */
     Map getCustomDecryptorFactories() {
         return new HashMap<>(customPublicKeyDataDecryptorFactories);
     }
 
+    /**
+     * Return the set of available decryption keys.
+     *
+     * @return decryption keys
+     */
     public @Nonnull Set getDecryptionKeys() {
         return Collections.unmodifiableSet(decryptionKeys.keySet());
     }
 
+    /**
+     * Return the set of available message decryption passphrases.
+     *
+     * @return decryption passphrases
+     */
     public @Nonnull Set getDecryptionPassphrases() {
         return Collections.unmodifiableSet(decryptionPassphrases);
     }
@@ -287,18 +328,40 @@ public class ConsumerOptions {
         return certificates.getExplicitCertificates();
     }
 
+    /**
+     * Return an object holding available certificates for signature verification.
+     *
+     * @return certificate source
+     */
     public @Nonnull CertificateSource getCertificateSource() {
         return certificates;
     }
 
+    /**
+     * Return the callback that gets called when a certificate for signature verification is missing.
+     * This method might return 
    null
     if the users hasn't set a callback.
+     *
+     * @return missing public key callback
+     */
     public @Nullable MissingPublicKeyCallback getMissingCertificateCallback() {
         return missingCertificateCallback;
     }
 
+    /**
+     * Return the {@link SecretKeyRingProtector} for the given {@link PGPSecretKeyRing}.
+     *
+     * @param decryptionKeyRing secret key
+     * @return protector for that particular secret key
+     */
     public @Nonnull SecretKeyRingProtector getSecretKeyProtector(PGPSecretKeyRing decryptionKeyRing) {
         return decryptionKeys.get(decryptionKeyRing);
     }
 
+    /**
+     * Return the set of detached signatures the user provided.
+     *
+     * @return detached signatures
+     */
     public @Nonnull Set getDetachedSignatures() {
         return Collections.unmodifiableSet(detachedSignatures);
     }
@@ -307,12 +370,14 @@ public class ConsumerOptions {
      * By default, PGPainless will require encrypted messages to make use of SEIP data packets.
      * Those are Symmetrically Encrypted Integrity Protected Data packets.
      * Symmetrically Encrypted Data Packets without integrity protection are rejected by default.
-     * Furthermore, PGPainless will throw an exception if verification of the MDC error detection code of the SEIP packet
-     * fails.
+     * Furthermore, PGPainless will throw an exception if verification of the MDC error detection
+     * code of the SEIP packet fails.
      *
-     * Failure of MDC verification indicates a tampered ciphertext, which might be the cause of an attack or data corruption.
+     * Failure of MDC verification indicates a tampered ciphertext, which might be the cause of an
+     * attack or data corruption.
      *
-     * This method can be used to ignore MDC errors and allow PGPainless to consume encrypted data without integrity protection.
+     * This method can be used to ignore MDC errors and allow PGPainless to consume encrypted data
+     * without integrity protection.
      * If the flag 
    ignoreMDCErrors
     is set to true, PGPainless will
      * 
      
      *     
    • not throw exceptions for SEIP packets with tampered ciphertext
      • 
@@ -323,7 +388,8 @@ public class ConsumerOptions {
      *
      * It will however still throw an exception if it encounters a SEIP packet with missing or truncated MDC
      *
-     * @see Sym. Encrypted Integrity Protected Data Packet
+     * @see 
+     *     Sym. Encrypted Integrity Protected Data Packet
      * @param ignoreMDCErrors true if MDC errors or missing MDCs shall be ignored, false otherwise.
      * @return options
      */
@@ -353,6 +419,11 @@ public class ConsumerOptions {
         return this;
     }
 
+    /**
+     * Return true, if the ciphertext should be handled as binary non-OpenPGP data.
+     *
+     * @return true if non-OpenPGP data is forced
+     */
     boolean isForceNonOpenPgpData() {
         return forceNonOpenPgpData;
     }
@@ -407,6 +478,10 @@ public class ConsumerOptions {
         return multiPassStrategy;
     }
 
+    /**
+     * Source for OpenPGP certificates.
+     * When verifying signatures on a message, this object holds available signer certificates.
+     */
     public static class CertificateSource {
 
         private List stores = new ArrayList<>();

From 980daeca31f5f1554f86f34eeb67164a7d73fc2b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 4 Jan 2023 18:55:57 +0100
Subject: [PATCH 0898/1450] Add missing javadoc to
 CustomPublicKeyDataDecryptorFactory

---
 .../CustomPublicKeyDataDecryptorFactory.java        | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
index 37dc10a9..91902cc7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.java
@@ -7,8 +7,21 @@ package org.pgpainless.decryption_verification;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.pgpainless.key.SubkeyIdentifier;
 
+/**
+ * Custom {@link PublicKeyDataDecryptorFactory} which can enable customized implementations of message decryption
+ * using public keys.
+ * This class can for example be used to implement message encryption using hardware tokens like smartcards or
+ * TPMs.
+ * @see ConsumerOptions#addCustomDecryptorFactory(CustomPublicKeyDataDecryptorFactory)
+ */
 public interface CustomPublicKeyDataDecryptorFactory extends PublicKeyDataDecryptorFactory {
 
+    /**
+     * Return the {@link SubkeyIdentifier} for which this particular {@link CustomPublicKeyDataDecryptorFactory}
+     * is intended.
+     *
+     * @return subkey identifier
+     */
     SubkeyIdentifier getSubkeyIdentifier();
 
 }

From 3b2d0795f7e62462a17a0d9651d8eb9adcfa11bf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 12:25:35 +0100
Subject: [PATCH 0899/1450] Fix NPE when sop generate-key --with-key-password
 is used with multiple uids

Fixes #351
---
 CHANGELOG.md                                                   | 2 ++
 .../src/main/java/org/pgpainless/sop/GenerateKeyImpl.java      | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a35d4d5..d5be2adc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.4.2-SNAPSHOT
 - Properly decrypt messages without MDC packets when `ConsumerOptions.setIgnoreMDCErrors(true)` is set
+- Fix crash in `sop generate-key --with-key-password` when more than one user-id is given
+
 
 ## 1.4.1
 - Add `UserId.parse()` method to parse user-ids into their components
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index c75087c8..70561693 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -51,6 +51,7 @@ public class GenerateKeyImpl implements GenerateKey {
     @Override
     public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo {
         Iterator userIdIterator = userIds.iterator();
+        Passphrase passphraseCopy = new Passphrase(passphrase.getChars()); // generateKeyRing clears the original passphrase
         PGPSecretKeyRing key;
         try {
             String primaryUserId = userIdIterator.hasNext() ? userIdIterator.next() : null;
@@ -61,7 +62,7 @@ public class GenerateKeyImpl implements GenerateKey {
                 SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(key);
 
                 while (userIdIterator.hasNext()) {
-                    editor.addUserId(userIdIterator.next(), SecretKeyRingProtector.unprotectedKeys());
+                    editor.addUserId(userIdIterator.next(), SecretKeyRingProtector.unlockAnyKeyWith(passphraseCopy));
                 }
 
                 key = editor.done();

From ab6b6ca2e74fc192781d74db183ae47fab38e1ec Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 15 Dec 2022 12:30:30 +0100
Subject: [PATCH 0900/1450] Add regression test for #351

---
 .../org/pgpainless/sop/GenerateKeyTest.java   | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
index a71eda12..3a6e4476 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
@@ -6,15 +6,20 @@ package org.pgpainless.sop;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
 
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.key.info.KeyRingInfo;
+import org.pgpainless.key.protection.UnlockSecretKey;
+import org.pgpainless.util.Passphrase;
 import sop.SOP;
 
 public class GenerateKeyTest {
@@ -67,4 +72,24 @@ public class GenerateKeyTest {
 
         assertFalse(new String(bytes).startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----"));
     }
+
+    @Test
+    public void protectedMultiUserIdKey() throws IOException, PGPException {
+        byte[] bytes = sop.generateKey()
+                .userId("Alice")
+                .userId("Bob")
+                .withKeyPassword("sw0rdf1sh")
+                .generate()
+                .getBytes();
+
+        PGPSecretKeyRing secretKey = PGPainless.readKeyRing().secretKeyRing(bytes);
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKey);
+
+        assertTrue(info.getUserIds().contains("Alice"));
+        assertTrue(info.getUserIds().contains("Bob"));
+
+        for (PGPSecretKey key : secretKey) {
+            assertNotNull(UnlockSecretKey.unlockSecretKey(key, Passphrase.fromPassword("sw0rdf1sh")));
+        }
+    }
 }

From 7a2c9d864c2ecb9db1025dfe23df3872a6b6881e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 17:52:59 +0100
Subject: [PATCH 0901/1450] Add javadoc to DecryptionBuilder

---
 .../decryption_verification/DecryptionBuilder.java           | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
index 0baf4124..96b4ad60 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionBuilder.java
@@ -10,6 +10,11 @@ import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPException;
 
+/**
+ * Builder class that takes an {@link InputStream} of ciphertext (or plaintext signed data)
+ * and combines it with a configured {@link ConsumerOptions} object to form a {@link DecryptionStream} which
+ * can be used to decrypt an OpenPGP message or verify signatures.
+ */
 public class DecryptionBuilder implements DecryptionBuilderInterface {
 
     @Override

From 8cb773841b0c7881fa3e878dda424e746f565ab0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 19:18:02 +0100
Subject: [PATCH 0902/1450] Revert certificate-store integration

Integration of certificate-store and pgpainless-cert-d makes packaging
complicated. Alternatively, users can simply integrate the certificate-store
with PGPainless themselves.
---
 pgpainless-core/build.gradle                  |   4 -
 .../ConsumerOptions.java                      |  40 ---
 .../encryption_signing/EncryptionOptions.java |  29 ---
 .../EncryptWithKeyFromKeyStoreTest.java       | 230 ------------------
 version.gradle                                |   2 -
 5 files changed, 305 deletions(-)
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java

diff --git a/pgpainless-core/build.gradle b/pgpainless-core/build.gradle
index 84b4273f..3c73121f 100644
--- a/pgpainless-core/build.gradle
+++ b/pgpainless-core/build.gradle
@@ -24,10 +24,6 @@ dependencies {
     api "org.bouncycastle:bcpg-jdk15to18:$bouncyPgVersion"
     // api(files("../libs/bcpg-jdk18on-1.70.jar"))
 
-    // certificate store
-    api "org.pgpainless:pgp-certificate-store:$pgpCertDJavaVersion"
-    testImplementation "org.pgpainless:pgpainless-cert-d:$pgpainlessCertDVersion"
-
     // @Nullable, @Nonnull annotations
     implementation "com.google.code.findbugs:jsr305:3.0.2"
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
index 33404c48..d0d9230b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/ConsumerOptions.java
@@ -6,12 +6,10 @@ package org.pgpainless.decryption_verification;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -25,7 +23,6 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
-import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.cleartext_signatures.InMemoryMultiPassStrategy;
 import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.key.SubkeyIdentifier;
@@ -33,9 +30,6 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.Passphrase;
 import org.pgpainless.util.SessionKey;
-import pgp.certificate_store.PGPCertificateStore;
-import pgp.certificate_store.certificate.Certificate;
-import pgp.certificate_store.exception.BadDataException;
 
 /**
  * Options for decryption and signature verification.
@@ -135,17 +129,6 @@ public class ConsumerOptions {
         return this;
     }
 
-    /**
-     * Pass in a {@link PGPCertificateStore} from which certificates can be sourced for signature verification.
-     *
-     * @param certificateStore certificate store
-     * @return options
-     */
-    public ConsumerOptions addVerificationCerts(PGPCertificateStore certificateStore) {
-        this.certificates.addStore(certificateStore);
-        return this;
-    }
-
     /**
      * Add some detached signatures from the given {@link InputStream} for verification.
      *
@@ -484,18 +467,8 @@ public class ConsumerOptions {
      */
     public static class CertificateSource {
 
-        private List stores = new ArrayList<>();
         private Set explicitCertificates = new HashSet<>();
 
-        /**
-         * Add a certificate store as source for verification certificates.
-         *
-         * @param certificateStore cert store
-         */
-        public void addStore(PGPCertificateStore certificateStore) {
-            this.stores.add(certificateStore);
-        }
-
         /**
          * Add a certificate as verification cert explicitly.
          *
@@ -529,19 +502,6 @@ public class ConsumerOptions {
                 }
             }
 
-            for (PGPCertificateStore store : stores) {
-                try {
-                    Iterator certs = store.getCertificatesBySubkeyId(keyId);
-                    if (!certs.hasNext()) {
-                        continue;
-                    }
-                    Certificate cert = certs.next();
-                    PGPPublicKeyRing publicKey = PGPainless.readKeyRing().publicKeyRing(cert.getInputStream());
-                    return publicKey;
-                } catch (IOException | BadDataException e) {
-                    continue;
-                }
-            }
             return null;
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index cf3b426a..612dcd50 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -4,7 +4,6 @@
 
 package org.pgpainless.encryption_signing;
 
-import java.io.IOException;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
@@ -14,7 +13,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.NoSuchElementException;
 import java.util.Set;
-
 import javax.annotation.Nonnull;
 
 import org.bouncycastle.openpgp.PGPPublicKey;
@@ -22,7 +20,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
-import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyException;
@@ -32,10 +29,6 @@ import org.pgpainless.key.SubkeyIdentifier;
 import org.pgpainless.key.info.KeyAccessor;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
-import pgp.certificate_store.PGPCertificateStore;
-import pgp.certificate_store.certificate.Certificate;
-import pgp.certificate_store.exception.BadDataException;
-import pgp.certificate_store.exception.BadNameException;
 
 /**
  * Options for the encryption process.
@@ -241,28 +234,6 @@ public class EncryptionOptions {
         return this;
     }
 
-    /**
-     * Add a recipient by providing a {@link PGPCertificateStore} and the {@link OpenPgpFingerprint} of the recipients key.
-     * If no such certificate is found in the store, a {@link NoSuchElementException is thrown}.
-     *
-     * @param certificateStore certificate store
-     * @param certificateFingerprint fingerprint of the recipient certificate
-     * @return builder
-     * @throws BadDataException if the certificate contains bad data
-     * @throws BadNameException if the fingerprint is not in a recognizable form for the store
-     * @throws IOException in case of an IO error
-     * @throws NoSuchElementException if the store does not contain a certificate for the given fingerprint
-     */
-    public EncryptionOptions addRecipient(@Nonnull PGPCertificateStore certificateStore,
-                                          @Nonnull OpenPgpFingerprint certificateFingerprint)
-            throws BadDataException, BadNameException, IOException {
-        String fingerprint = certificateFingerprint.toString().toLowerCase();
-        Certificate certificateRecord = certificateStore.getCertificate(fingerprint);
-        PGPPublicKeyRing recipientCertificate = PGPainless.readKeyRing()
-                .publicKeyRing(certificateRecord.getInputStream());
-        return addRecipient(recipientCertificate);
-    }
-
     private void addRecipientKey(PGPPublicKeyRing keyRing, PGPPublicKey key) {
         encryptionKeys.add(new SubkeyIdentifier(keyRing, key.getKeyID()));
         PGPKeyEncryptionMethodGenerator encryptionMethod = ImplementationFactory
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
deleted file mode 100644
index 48f1bbd7..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptWithKeyFromKeyStoreTest.java
+++ /dev/null
@@ -1,230 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.encryption_signing;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
-import org.bouncycastle.util.io.Streams;
-import org.junit.jupiter.api.Test;
-import org.pgpainless.PGPainless;
-import org.pgpainless.certificate_store.MergeCallbacks;
-import org.pgpainless.certificate_store.PGPainlessCertD;
-import org.pgpainless.decryption_verification.ConsumerOptions;
-import org.pgpainless.decryption_verification.DecryptionStream;
-import org.pgpainless.decryption_verification.OpenPgpMetadata;
-import org.pgpainless.key.OpenPgpFingerprint;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import pgp.cert_d.PGPCertificateStoreAdapter;
-import pgp.certificate_store.certificate.Certificate;
-import pgp.certificate_store.exception.BadDataException;
-import pgp.certificate_store.exception.BadNameException;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-public class EncryptWithKeyFromKeyStoreTest {
-
-    // Collection of 3 keys (fingerprints below)
-    private static final String KEY_COLLECTION = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "lFgEYwerQBYJKwYBBAHaRw8BAQdAl3XjFMXQdmhMuFEIbE7IJUP1k+5utUT6IAW3\n" +
-            "zlWguvQAAQDK7Qh5Q9EAB5cTh2OWsPeydfDqRmnuxlZjlwf4WWQLhRAltBRBIDxh\n" +
-            "QHBncGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6tBCRBoj2Vso6FpsxYhBNqK9ZX8\n" +
-            "QfcbxPJmCGiPZWyjoWmzAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAACEaAP9P\n" +
-            "49Q/E19vyx2rV8EjQd+XBFnDuYxBjw80ZVC0TaKJNgEAgWsQqcg/ARkG9XGxaE3X\n" +
-            "IE9tFHh4wpjQhnK1Ta/wJAOcXQRjB6tBEgorBgEEAZdVAQUBAQdATJM1XKfKVF+C\n" +
-            "B2/xrGU+F89Ir9viOut4sna4aWfvwHoDAQgHAAD/UN84yv5jxKsPgfw/XZCDwoey\n" +
-            "Y69ompSiBuZjzOWrjegToIh1BBgWCgAdBQJjB6tBAp4BApsMBRYCAwEABAsJCAcF\n" +
-            "FQoJCAsACgkQaI9lbKOhabP/PAEApov4hYuhIENq26z+w4s3A1gakN+gax54F7+M\n" +
-            "YSUm16sBAPiuEdpVJOwTk3WMXKyLOYaVU3JstlP2H1ouguvYTt4CnFgEYwerQRYJ\n" +
-            "KwYBBAHaRw8BAQdA5xpeGHNy9v+QUbl+Rs7Mx0c6D913gksW1eZ4Qeg31B0AAQCx\n" +
-            "6b3P5lRBAraZstlRupymrt6vF2JpeJB8JOOQ+rdVYBJpiNUEGBYKAH0FAmMHq0EC\n" +
-            "ngECmwIFFgIDAQAECwkIBwUVCgkIC18gBBkWCgAGBQJjB6tBAAoJENH9GnI3A/RM\n" +
-            "IVMA/1GU9E+vA8bs0vJVDjp1ri3J4S7u+abwmlivDw8g8XCWAPwKWWfHLgJCsAHk\n" +
-            "INuDgJdqbNPATFiXxH9FqYnOvWy6DAAKCRBoj2Vso6Fps884AP9D5ZOwuBEXyT/j\n" +
-            "0G8CWBZ0lT14kRGFucjQi9kZStAuVgEA5cd3eUWofnekd/P6R3UgmvhVOqvxwUUg\n" +
-            "Y3mEArH7+waUWARjB6tBFgkrBgEEAdpHDwEBB0BCYWjTs0pfBnKYgO0O07djiMSB\n" +
-            "tUJVpUFo6zrVK92RgAAA/38G6IEK5rJs1OCusmmhHJk1vDu0hbesK7JH7dh75mVY\n" +
-            "Ep20FEIgPGJAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHq0EJEAnsE6FTTHNl\n" +
-            "FiEE2/L5HBba6IFDHu8cCewToVNMc2UCngECmwEFFgIDAQAECwkIBwUVCgkICwKZ\n" +
-            "AQAAS7MBAI74uYLK7XR6oCwWYk7C6nwdgu3t478MaEpVHQz/9nEGAQCvJCYqqOd6\n" +
-            "cAG6fwFaIJ3h99/Y5o2NaiN17S2zOXEZDJxdBGMHq0ESCisGAQQBl1UBBQEBB0BU\n" +
-            "EjXQCT4xwJryksXsMLaFo43pFTwWaTzduiWgCy2KMgMBCAcAAP9lXlnMYtBfXpgH\n" +
-            "doUZZk3cvWBOH3awc12V3jZSLtSE8BAJiHUEGBYKAB0FAmMHq0ECngECmwwFFgID\n" +
-            "AQAECwkIBwUVCgkICwAKCRAJ7BOhU0xzZf5lAQDOgzMhqg3fE8Hg4Hbt4+B0fAD0\n" +
-            "kp6EJgsKRWT7KbZ0SQD/aVGFv7VRVqiiqOT/YMQKBBwHnq/CGJqxUwUmavBMRAqc\n" +
-            "WARjB6tBFgkrBgEEAdpHDwEBB0A5kv3bpsnlxs2LrAzeBx4RgtXQNBhGRhzko1to\n" +
-            "4q+ebQAA/1SU1hvrqd9gNmcc4wff1iwJ1dnqnrbGbO1Yz9rYZjXRE4iI1QQYFgoA\n" +
-            "fQUCYwerQQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgLXyAEGRYKAAYFAmMHq0EACgkQ\n" +
-            "pYWdiAVpxGRW4AD+Lade9kJrvcBMSq8EERhYTH6DFka4eMgFB76kH31WmpQA+gOU\n" +
-            "7kwqKmtyVsXVgCLGMcdTvbZr+73C5m8R7LsdY5kEAAoJEAnsE6FTTHNl7BAA/2v8\n" +
-            "Wzfmg1OO6IWCohmmNgF4rIDBW8Q9s3+1I/mWlMyjAP9YGR+fnN/YOQrlSG9UiXE5\n" +
-            "fGwUhaPB0LEGWp0wmmQYA5RYBGMHq0EWCSsGAQQB2kcPAQEHQI8C53+C8crLCQ48\n" +
-            "OKQa1dEKc8XWQSA6Ckg5j73tOJRLAAD/VRvioGU2M9G6+eKTn68mBVZ8G512HELr\n" +
-            "apK9M5UFGUMPXLQUQyA8Y0BwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwerQQkQ\n" +
-            "ommXHYx1l94WIQQp+Mrw86EV1myUgUKiaZcdjHWX3gKeAQKbAQUWAgMBAAQLCQgH\n" +
-            "BRUKCQgLApkBAAAQ5wEAvahnnRuwY+Y7EPSQG+sqhsdvSTumleYPtEOnHfKctpkA\n" +
-            "/iaTp4OoUw/RtyWUAk8MLN47CAW5wwhFUbVfZOaS88wMnF0EYwerQRIKKwYBBAGX\n" +
-            "VQEFAQEHQNz/s68ZGUBfDmMz510cFgHz+mAdC2nXeE4hHKV/HIVsAwEIBwAA/1HB\n" +
-            "vRl84B8r/PY+5j/X6A+4J08QB/vd5wIHVdkrX+xQELGIdQQYFgoAHQUCYwerQQKe\n" +
-            "AQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEKJplx2MdZfeqzYA/jLtjRmy42MCOxnF\n" +
-            "3A95WZIDoEohFU0QAeE/yVTLGoDTAP4xhTznleABK7VbD9GJXfD6DkEC749tOsST\n" +
-            "eYO/GOxKDpxYBGMHq0EWCSsGAQQB2kcPAQEHQFnvyWSgOv4gn3Ch3RY74pRg+7hX\n" +
-            "OBJAf6ybwvx9t4olAAEAwYG1CL0JozVD1216yrENkP8La132O1MI28kqMsoF6FcP\n" +
-            "I4jVBBgWCgB9BQJjB6tBAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoABgUC\n" +
-            "YwerQQAKCRB8jJGVps/ENgz7AP9ZMENJH+rIKMjynb9WPBlvJ8yJ9dMhzCxcssxg\n" +
-            "EVZYXAEA5ZsE5xJLQC/cVMGFvqaQ8iPo5jhDZpQJ8RCVlb8XzQwACgkQommXHYx1\n" +
-            "l96SkgD/f0FYkK4yB8FWuntJ3n0FUfE31wDwpxvvpvP+o3d2GB4BAP9LRKBXMwj4\n" +
-            "jzJc4ViKmwiNJAPttDQCpYjzJT7LUKAA\n" +
-            "=EAvh\n" +
-            "-----END PGP PRIVATE KEY BLOCK-----";
-
-    // Collection of 3 certificates (fingerprints below)
-    private static final String CERT_COLLECTION = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
-            "Version: BCPG v1.71\n" +
-            "\n" +
-            "mDMEYwerQBYJKwYBBAHaRw8BAQdAl3XjFMXQdmhMuFEIbE7IJUP1k+5utUT6IAW3\n" +
-            "zlWguvS0FEEgPGFAcGdwYWlubGVzcy5vcmc+iI8EExYKAEEFAmMHq0EJEGiPZWyj\n" +
-            "oWmzFiEE2or1lfxB9xvE8mYIaI9lbKOhabMCngECmwEFFgIDAQAECwkIBwUVCgkI\n" +
-            "CwKZAQAAIRoA/0/j1D8TX2/LHatXwSNB35cEWcO5jEGPDzRlULRNook2AQCBaxCp\n" +
-            "yD8BGQb1cbFoTdcgT20UeHjCmNCGcrVNr/AkA7g4BGMHq0ESCisGAQQBl1UBBQEB\n" +
-            "B0BMkzVcp8pUX4IHb/GsZT4Xz0iv2+I663iydrhpZ+/AegMBCAeIdQQYFgoAHQUC\n" +
-            "YwerQQKeAQKbDAUWAgMBAAQLCQgHBRUKCQgLAAoJEGiPZWyjoWmz/zwBAKaL+IWL\n" +
-            "oSBDatus/sOLNwNYGpDfoGseeBe/jGElJterAQD4rhHaVSTsE5N1jFysizmGlVNy\n" +
-            "bLZT9h9aLoLr2E7eArgzBGMHq0EWCSsGAQQB2kcPAQEHQOcaXhhzcvb/kFG5fkbO\n" +
-            "zMdHOg/dd4JLFtXmeEHoN9QdiNUEGBYKAH0FAmMHq0ECngECmwIFFgIDAQAECwkI\n" +
-            "BwUVCgkIC18gBBkWCgAGBQJjB6tBAAoJENH9GnI3A/RMIVMA/1GU9E+vA8bs0vJV\n" +
-            "Djp1ri3J4S7u+abwmlivDw8g8XCWAPwKWWfHLgJCsAHkINuDgJdqbNPATFiXxH9F\n" +
-            "qYnOvWy6DAAKCRBoj2Vso6Fps884AP9D5ZOwuBEXyT/j0G8CWBZ0lT14kRGFucjQ\n" +
-            "i9kZStAuVgEA5cd3eUWofnekd/P6R3UgmvhVOqvxwUUgY3mEArH7+waYMwRjB6tB\n" +
-            "FgkrBgEEAdpHDwEBB0BCYWjTs0pfBnKYgO0O07djiMSBtUJVpUFo6zrVK92RgLQU\n" +
-            "QiA8YkBwZ3BhaW5sZXNzLm9yZz6IjwQTFgoAQQUCYwerQQkQCewToVNMc2UWIQTb\n" +
-            "8vkcFtrogUMe7xwJ7BOhU0xzZQKeAQKbAQUWAgMBAAQLCQgHBRUKCQgLApkBAABL\n" +
-            "swEAjvi5gsrtdHqgLBZiTsLqfB2C7e3jvwxoSlUdDP/2cQYBAK8kJiqo53pwAbp/\n" +
-            "AVogneH339jmjY1qI3XtLbM5cRkMuDgEYwerQRIKKwYBBAGXVQEFAQEHQFQSNdAJ\n" +
-            "PjHAmvKSxewwtoWjjekVPBZpPN26JaALLYoyAwEIB4h1BBgWCgAdBQJjB6tBAp4B\n" +
-            "ApsMBRYCAwEABAsJCAcFFQoJCAsACgkQCewToVNMc2X+ZQEAzoMzIaoN3xPB4OB2\n" +
-            "7ePgdHwA9JKehCYLCkVk+ym2dEkA/2lRhb+1UVaooqjk/2DECgQcB56vwhiasVMF\n" +
-            "JmrwTEQKuDMEYwerQRYJKwYBBAHaRw8BAQdAOZL926bJ5cbNi6wM3gceEYLV0DQY\n" +
-            "RkYc5KNbaOKvnm2I1QQYFgoAfQUCYwerQQKeAQKbAgUWAgMBAAQLCQgHBRUKCQgL\n" +
-            "XyAEGRYKAAYFAmMHq0EACgkQpYWdiAVpxGRW4AD+Lade9kJrvcBMSq8EERhYTH6D\n" +
-            "Fka4eMgFB76kH31WmpQA+gOU7kwqKmtyVsXVgCLGMcdTvbZr+73C5m8R7LsdY5kE\n" +
-            "AAoJEAnsE6FTTHNl7BAA/2v8Wzfmg1OO6IWCohmmNgF4rIDBW8Q9s3+1I/mWlMyj\n" +
-            "AP9YGR+fnN/YOQrlSG9UiXE5fGwUhaPB0LEGWp0wmmQYA5gzBGMHq0EWCSsGAQQB\n" +
-            "2kcPAQEHQI8C53+C8crLCQ48OKQa1dEKc8XWQSA6Ckg5j73tOJRLtBRDIDxjQHBn\n" +
-            "cGFpbmxlc3Mub3JnPoiPBBMWCgBBBQJjB6tBCRCiaZcdjHWX3hYhBCn4yvDzoRXW\n" +
-            "bJSBQqJplx2MdZfeAp4BApsBBRYCAwEABAsJCAcFFQoJCAsCmQEAABDnAQC9qGed\n" +
-            "G7Bj5jsQ9JAb6yqGx29JO6aV5g+0Q6cd8py2mQD+JpOng6hTD9G3JZQCTwws3jsI\n" +
-            "BbnDCEVRtV9k5pLzzAy4OARjB6tBEgorBgEEAZdVAQUBAQdA3P+zrxkZQF8OYzPn\n" +
-            "XRwWAfP6YB0Ladd4TiEcpX8chWwDAQgHiHUEGBYKAB0FAmMHq0ECngECmwwFFgID\n" +
-            "AQAECwkIBwUVCgkICwAKCRCiaZcdjHWX3qs2AP4y7Y0ZsuNjAjsZxdwPeVmSA6BK\n" +
-            "IRVNEAHhP8lUyxqA0wD+MYU855XgASu1Ww/RiV3w+g5BAu+PbTrEk3mDvxjsSg64\n" +
-            "MwRjB6tBFgkrBgEEAdpHDwEBB0BZ78lkoDr+IJ9wod0WO+KUYPu4VzgSQH+sm8L8\n" +
-            "fbeKJYjVBBgWCgB9BQJjB6tBAp4BApsCBRYCAwEABAsJCAcFFQoJCAtfIAQZFgoA\n" +
-            "BgUCYwerQQAKCRB8jJGVps/ENgz7AP9ZMENJH+rIKMjynb9WPBlvJ8yJ9dMhzCxc\n" +
-            "ssxgEVZYXAEA5ZsE5xJLQC/cVMGFvqaQ8iPo5jhDZpQJ8RCVlb8XzQwACgkQommX\n" +
-            "HYx1l96SkgD/f0FYkK4yB8FWuntJ3n0FUfE31wDwpxvvpvP+o3d2GB4BAP9LRKBX\n" +
-            "Mwj4jzJc4ViKmwiNJAPttDQCpYjzJT7LUKAA\n" +
-            "=WaRm\n" +
-            "-----END PGP PUBLIC KEY BLOCK-----";
-    private static final OpenPgpFingerprint cert1fp = OpenPgpFingerprint.parse("DA8AF595FC41F71BC4F26608688F656CA3A169B3");
-    private static final OpenPgpFingerprint cert2fp = OpenPgpFingerprint.parse("DBF2F91C16DAE881431EEF1C09EC13A1534C7365");
-    private static final OpenPgpFingerprint cert3fp = OpenPgpFingerprint.parse("29F8CAF0F3A115D66C948142A269971D8C7597DE");
-
-    @Test
-    public void encryptWithCertFromCertificateStore() throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
-        // In-Memory certificate store
-        PGPainlessCertD certificateDirectory = PGPainlessCertD.inMemory();
-        PGPCertificateStoreAdapter adapter = new PGPCertificateStoreAdapter(certificateDirectory);
-
-        // Populate store
-        PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing().publicKeyRingCollection(CERT_COLLECTION);
-        for (PGPPublicKeyRing cert : certificates) {
-            certificateDirectory.insert(new ByteArrayInputStream(cert.getEncoded()), MergeCallbacks.mergeWithExisting());
-        }
-
-        // Encrypt message
-        ByteArrayOutputStream ciphertextOut = new ByteArrayOutputStream();
-        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
-                .onOutputStream(ciphertextOut)
-                .withOptions(ProducerOptions.encrypt(
-                        EncryptionOptions.encryptCommunications()
-                                .addRecipient(adapter, cert2fp)));
-        ByteArrayInputStream plaintext = new ByteArrayInputStream("Hello, World! This message is encrypted using a cert from a store!".getBytes());
-        Streams.pipeAll(plaintext, encryptionStream);
-        encryptionStream.close();
-
-        // Get cert from store
-        Certificate cert = adapter.getCertificate(cert2fp.toString());
-        PGPPublicKeyRing publicKeys = PGPainless.readKeyRing().publicKeyRing(cert.getInputStream());
-
-        // check if message was encrypted for cert
-        assertTrue(encryptionStream.getResult().isEncryptedFor(publicKeys));
-    }
-
-    @Test
-    public void verifyWithCertFromCertificateStore()
-            throws PGPException, IOException, BadDataException, InterruptedException, BadNameException {
-        // In-Memory certificate store
-        PGPainlessCertD certificateDirectory = PGPainlessCertD.inMemory();
-        PGPCertificateStoreAdapter adapter = new PGPCertificateStoreAdapter(certificateDirectory);
-
-        // Populate store
-        PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing().publicKeyRingCollection(CERT_COLLECTION);
-        for (PGPPublicKeyRing cert : certificates) {
-            certificateDirectory.insert(new ByteArrayInputStream(cert.getEncoded()), MergeCallbacks.mergeWithExisting());
-        }
-
-        // Prepare keys
-        OpenPgpFingerprint cryptFp = cert3fp;
-        OpenPgpFingerprint signFp = cert1fp;
-        PGPSecretKeyRingCollection secretKeys = PGPainless.readKeyRing().secretKeyRingCollection(KEY_COLLECTION);
-        PGPSecretKeyRing signingKey = secretKeys.getSecretKeyRing(signFp.getKeyId());
-        PGPSecretKeyRing decryptionKey = secretKeys.getSecretKeyRing(cryptFp.getKeyId());
-        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
-
-        // Encrypt and sign message
-        ByteArrayInputStream plaintextIn = new ByteArrayInputStream(
-                "This message was encrypted with a cert from a store and gets verified with a cert from a store as well".getBytes());
-        ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
-        EncryptionStream encryptionStream = PGPainless.encryptAndOrSign()
-                .onOutputStream(ciphertext)
-                .withOptions(
-                        ProducerOptions.signAndEncrypt(
-                                EncryptionOptions.encryptCommunications()
-                                        .addRecipient(adapter, cryptFp),
-                                SigningOptions.get()
-                                        .addSignature(protector, signingKey)
-                        ));
-        Streams.pipeAll(plaintextIn, encryptionStream);
-        encryptionStream.close();
-
-        // Prepare ciphertext for decryption
-        ByteArrayInputStream ciphertextIn = new ByteArrayInputStream(ciphertext.toByteArray());
-        ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
-        // Decrypt and verify
-        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
-                .onInputStream(ciphertextIn)
-                .withOptions(
-                        new ConsumerOptions()
-                                .addDecryptionKey(decryptionKey, protector)
-                                .addVerificationCerts(adapter));
-        Streams.pipeAll(decryptionStream, plaintextOut);
-        decryptionStream.close();
-
-        // Check that message can be decrypted and is verified
-        OpenPgpMetadata result = decryptionStream.getResult();
-        assertTrue(result.isEncrypted());
-        assertTrue(result.isVerified());
-        assertTrue(result.containsVerifiedSignatureFrom(signFp));
-    }
-}
diff --git a/version.gradle b/version.gradle
index c6f7104e..53705861 100644
--- a/version.gradle
+++ b/version.gradle
@@ -17,8 +17,6 @@ allprojects {
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
-        pgpainlessCertDVersion = '0.2.0'
-        pgpCertDJavaVersion = '0.2.1'
         slf4jVersion = '1.7.36'
         sopJavaVersion = '4.0.7'
     }

From 4bf2e07ddbab6f00f2f6b079948fabd61439bc3b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 19:30:35 +0100
Subject: [PATCH 0903/1450] Bump sop-java to 4.1.0

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 53705861..fd3129e3 100644
--- a/version.gradle
+++ b/version.gradle
@@ -18,6 +18,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.0.7'
+        sopJavaVersion = '4.1.0'
     }
 }

From 75feb167f0a12756f5b99c0f281fd0c2206fe5a5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 19:30:41 +0100
Subject: [PATCH 0904/1450] Update CHANGELOG

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5be2adc..25272b18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,8 @@ SPDX-License-Identifier: CC0-1.0
 ## 1.4.2-SNAPSHOT
 - Properly decrypt messages without MDC packets when `ConsumerOptions.setIgnoreMDCErrors(true)` is set
 - Fix crash in `sop generate-key --with-key-password` when more than one user-id is given
-
+- Revert integration with `pgp-certificate-store`
+- Bump `sop-java` to `4.1.0`
 
 ## 1.4.1
 - Add `UserId.parse()` method to parse user-ids into their components

From 2d33a7e5d3cefa110608b6c4a70ae04c58c85fe2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 19:33:26 +0100
Subject: [PATCH 0905/1450] PGPainless 1.4.2

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25272b18..370dace7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.2-SNAPSHOT
+## 1.4.2
 - Properly decrypt messages without MDC packets when `ConsumerOptions.setIgnoreMDCErrors(true)` is set
 - Fix crash in `sop generate-key --with-key-password` when more than one user-id is given
 - Revert integration with `pgp-certificate-store`
diff --git a/README.md b/README.md
index 49320f94..3b6dc7cb 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.1'
+	implementation 'org.pgpainless:pgpainless-core:1.4.2'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index c1b2a988..97b7765a 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.1"
+    implementation "org.pgpainless:pgpainless-sop:1.4.2"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.1
+        1.4.2
     
     ...
 
diff --git a/version.gradle b/version.gradle
index fd3129e3..83ea0d7d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.2'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 6c0bb6c6272166e0cd53f766b9126afc9c7f0f74 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 13 Jan 2023 19:38:37 +0100
Subject: [PATCH 0906/1450] PGPainless 1.4.3-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 83ea0d7d..b49f7930 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.2'
-        isSnapshot = false
+        shortVersion = '1.4.3'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From b58861635d4206909f2c0b65b47af0f04d08a7fe Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 16 Jan 2023 19:38:52 +0100
Subject: [PATCH 0907/1450] Add some missing javadoc

---
 build.gradle                                    | 12 ++++++++++++
 .../java/org/pgpainless/cli/PGPainlessCLI.java  | 10 ++++++++++
 .../main/java/org/pgpainless/sop/ArmorImpl.java |  3 +++
 .../java/org/pgpainless/sop/DearmorImpl.java    |  3 +++
 .../java/org/pgpainless/sop/DecryptImpl.java    |  3 +++
 .../org/pgpainless/sop/DetachedSignImpl.java    |  3 +++
 .../org/pgpainless/sop/DetachedVerifyImpl.java  |  3 +++
 .../java/org/pgpainless/sop/EncryptImpl.java    |  3 +++
 .../org/pgpainless/sop/ExtractCertImpl.java     |  3 +++
 .../org/pgpainless/sop/GenerateKeyImpl.java     |  3 +++
 .../org/pgpainless/sop/InlineDetachImpl.java    |  3 +++
 .../java/org/pgpainless/sop/InlineSignImpl.java |  3 +++
 .../org/pgpainless/sop/InlineVerifyImpl.java    |  3 +++
 .../main/java/org/pgpainless/sop/KeyReader.java |  3 +++
 .../sop/MatchMakingSecretKeyRingProtector.java  | 17 +++++++++++++++++
 .../main/java/org/pgpainless/sop/SOPImpl.java   |  6 ++++++
 .../java/org/pgpainless/sop/VersionImpl.java    |  3 +++
 17 files changed, 84 insertions(+)

diff --git a/build.gradle b/build.gradle
index 6e086754..eb4ff723 100644
--- a/build.gradle
+++ b/build.gradle
@@ -258,6 +258,18 @@ task javadocAll(type: Javadoc) {
     ] as String[]
 }
 
+if (JavaVersion.current().isJava8Compatible()) {
+    tasks.withType(Javadoc) {
+        // The '-quiet' as second argument is actually a hack,
+        // since the one paramater addStringOption doesn't seem to
+        // work, we extra add '-quiet', which is added anyway by
+        // gradle. See https://github.com/gradle/gradle/issues/2354
+        // See JDK-8200363 (https://bugs.openjdk.java.net/browse/JDK-8200363)
+        // for information about the -Xwerror option.
+        options.addStringOption('Xwerror', '-quiet')
+    }
+}
+
 /**
  * Fetch sha256 checksums of artifacts published to maven central.
  *
diff --git a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
index 35791a3e..938bf1aa 100644
--- a/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
+++ b/pgpainless-cli/src/main/java/org/pgpainless/cli/PGPainlessCLI.java
@@ -18,6 +18,10 @@ public class PGPainlessCLI {
         SopCLI.setSopInstance(new SOPImpl());
     }
 
+    /**
+     * Main method of the CLI application.
+     * @param args arguments
+     */
     public static void main(String[] args) {
         int result = execute(args);
         if (result != 0) {
@@ -25,6 +29,12 @@ public class PGPainlessCLI {
         }
     }
 
+    /**
+     * Execute the given command and return the exit code of the program.
+     *
+     * @param args command string array (e.g. ["pgpainless-cli", "generate-key", "Alice"])
+     * @return exit code
+     */
     public static int execute(String... args) {
         return SopCLI.execute(args);
     }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
index d65c2925..daee3a9b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ArmorImpl.java
@@ -18,6 +18,9 @@ import sop.enums.ArmorLabel;
 import sop.exception.SOPGPException;
 import sop.operation.Armor;
 
+/**
+ * Implementation of the 
      armor
       operation using PGPainless.
+ */
 public class ArmorImpl implements Armor {
 
     @Override
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
index f0b21a6d..29483437 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DearmorImpl.java
@@ -15,6 +15,9 @@ import sop.Ready;
 import sop.exception.SOPGPException;
 import sop.operation.Dearmor;
 
+/**
+ * Implementation of the 
      dearmor
       operation using PGPainless.
+ */
 public class DearmorImpl implements Dearmor {
 
     @Override
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index 867024ef..f7876799 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -34,6 +34,9 @@ import sop.Verification;
 import sop.exception.SOPGPException;
 import sop.operation.Decrypt;
 
+/**
+ * Implementation of the 
      decrypt
       operation using PGPainless.
+ */
 public class DecryptImpl implements Decrypt {
 
     private final ConsumerOptions consumerOptions = ConsumerOptions.get();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
index f6ab8172..c32cb219 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java
@@ -36,6 +36,9 @@ import sop.enums.SignAs;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedSign;
 
+/**
+ * Implementation of the 
      sign
       operation using PGPainless.
+ */
 public class DetachedSignImpl implements DetachedSign {
 
     private boolean armor = true;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 1ed43941..93ad398c 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -23,6 +23,9 @@ import sop.Verification;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedVerify;
 
+/**
+ * Implementation of the 
      verify
       operation using PGPainless.
+ */
 public class DetachedVerifyImpl implements DetachedVerify {
 
     private final ConsumerOptions options = ConsumerOptions.get();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 61a46731..1874d9e1 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -34,6 +34,9 @@ import sop.exception.SOPGPException;
 import sop.operation.Encrypt;
 import sop.util.ProxyOutputStream;
 
+/**
+ * Implementation of the 
      encrypt
       operation using PGPainless.
+ */
 public class EncryptImpl implements Encrypt {
 
     EncryptionOptions encryptionOptions = EncryptionOptions.get();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
index 5be3ad31..be7fc9c3 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ExtractCertImpl.java
@@ -19,6 +19,9 @@ import sop.Ready;
 import sop.exception.SOPGPException;
 import sop.operation.ExtractCert;
 
+/**
+ * Implementation of the 
      extract-cert
       operation using PGPainless.
+ */
 public class ExtractCertImpl implements ExtractCert {
 
     private boolean armor = true;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index 70561693..da99c854 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -24,6 +24,9 @@ import sop.Ready;
 import sop.exception.SOPGPException;
 import sop.operation.GenerateKey;
 
+/**
+ * Implementation of the 
      generate-key
       operation using PGPainless.
+ */
 public class GenerateKeyImpl implements GenerateKey {
 
     private boolean armor = true;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
index 178018aa..bafc2794 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineDetachImpl.java
@@ -30,6 +30,9 @@ import sop.Signatures;
 import sop.exception.SOPGPException;
 import sop.operation.InlineDetach;
 
+/**
+ * Implementation of the 
      inline-detach
       operation using PGPainless.
+ */
 public class InlineDetachImpl implements InlineDetach {
 
     private boolean armor = true;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
index 82c3603b..dd4ab0cf 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineSignImpl.java
@@ -29,6 +29,9 @@ import sop.enums.InlineSignAs;
 import sop.exception.SOPGPException;
 import sop.operation.InlineSign;
 
+/**
+ * Implementation of the 
      inline-sign
       operation using PGPainless.
+ */
 public class InlineSignImpl implements InlineSign {
 
     private boolean armor = true;
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index f33f718b..7665a7bb 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -26,6 +26,9 @@ import sop.Verification;
 import sop.exception.SOPGPException;
 import sop.operation.InlineVerify;
 
+/**
+ * Implementation of the 
      inline-verify
       operation using PGPainless.
+ */
 public class InlineVerifyImpl implements InlineVerify {
 
     private final ConsumerOptions options = ConsumerOptions.get();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
index 5e6f3a7d..036ec126 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/KeyReader.java
@@ -13,6 +13,9 @@ import sop.exception.SOPGPException;
 import java.io.IOException;
 import java.io.InputStream;
 
+/**
+ * Reader for OpenPGP keys and certificates with error matching according to the SOP spec.
+ */
 class KeyReader {
 
     static PGPSecretKeyRingCollection readSecretKeys(InputStream keyInputStream, boolean requireContent)
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java
index df54583e..0b88cb5d 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/MatchMakingSecretKeyRingProtector.java
@@ -20,12 +20,21 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.util.Passphrase;
 
+/**
+ * Implementation of the {@link SecretKeyRingProtector} which can be handed passphrases and keys separately,
+ * and which then matches up passphrases and keys when needed.
+ */
 public class MatchMakingSecretKeyRingProtector implements SecretKeyRingProtector {
 
     private final Set passphrases = new HashSet<>();
     private final Set keys = new HashSet<>();
     private final CachingSecretKeyRingProtector protector = new CachingSecretKeyRingProtector();
 
+    /**
+     * Add a single passphrase to the protector.
+     *
+     * @param passphrase passphrase
+     */
     public void addPassphrase(Passphrase passphrase) {
         if (passphrase.isEmpty()) {
             return;
@@ -46,6 +55,11 @@ public class MatchMakingSecretKeyRingProtector implements SecretKeyRingProtector
         }
     }
 
+    /**
+     * Add a single {@link PGPSecretKeyRing} to the protector.
+     *
+     * @param key secret keys
+     */
     public void addSecretKey(PGPSecretKeyRing key) {
         if (!keys.add(key)) {
             return;
@@ -89,6 +103,9 @@ public class MatchMakingSecretKeyRingProtector implements SecretKeyRingProtector
         return protector.getEncryptor(keyId);
     }
 
+    /**
+     * Clear all known passphrases from the protector.
+     */
     public void clear() {
         for (Passphrase passphrase : passphrases) {
             passphrase.clear();
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
index 28772f10..a49f7e34 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
@@ -19,6 +19,12 @@ import sop.operation.InlineSign;
 import sop.operation.InlineVerify;
 import sop.operation.Version;
 
+/**
+ * Implementation of the 
      sop
       API using PGPainless.
+ * 
       {@code
+ * SOP sop = new SOPImpl();
+ * }
      
+ */
 public class SOPImpl implements SOP {
 
     static {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index dbd1cf35..4449af10 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -12,6 +12,9 @@ import java.util.Properties;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import sop.operation.Version;
 
+/**
+ * Implementation of the 
      version
       operation using PGPainless.
+ */
 public class VersionImpl implements Version {
 
     // draft version

From a50c2d97142c30b492d7a57a6a352ef957cfa3d7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 16 Jan 2023 20:15:57 +0100
Subject: [PATCH 0908/1450] More missing javadoc

---
 .../pgpainless/algorithm/AEADAlgorithm.java    |  5 +++++
 .../protection/BaseSecretKeyRingProtector.java | 16 ++++++++++++++++
 .../key/protection/SecretKeyRingProtector.java |  6 ++++++
 .../java/org/pgpainless/util/ArmorUtils.java   | 18 ++++++++++++++++++
 .../util/ArmoredInputStreamFactory.java        | 11 +++++++++++
 .../util/ArmoredOutputStreamFactory.java       | 10 ++++++++++
 6 files changed, 66 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
index 106d6bff..a5885005 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/algorithm/AEADAlgorithm.java
@@ -41,6 +41,11 @@ public enum AEADAlgorithm {
         this.tagLength = tagLength;
     }
 
+    /**
+     * Return the ID of the AEAD algorithm.
+     *
+     * @return algorithm ID
+     */
     public int getAlgorithmId() {
         return algorithmId;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java
index 5b545c12..1a31d0e8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/BaseSecretKeyRingProtector.java
@@ -13,15 +13,31 @@ import org.pgpainless.util.Passphrase;
 
 import javax.annotation.Nullable;
 
+/**
+ * Basic {@link SecretKeyRingProtector} implementation that respects the users {@link KeyRingProtectionSettings} when
+ * encrypting keys.
+ */
 public class BaseSecretKeyRingProtector implements SecretKeyRingProtector {
 
     private final SecretKeyPassphraseProvider passphraseProvider;
     private final KeyRingProtectionSettings protectionSettings;
 
+    /**
+     * Constructor that uses the given {@link SecretKeyPassphraseProvider} to retrieve passphrases and PGPainless'
+     * default {@link KeyRingProtectionSettings}.
+     *
+     * @param passphraseProvider provider for passphrases
+     */
     public BaseSecretKeyRingProtector(SecretKeyPassphraseProvider passphraseProvider) {
         this(passphraseProvider, KeyRingProtectionSettings.secureDefaultSettings());
     }
 
+    /**
+     * Constructor that uses the given {@link SecretKeyPassphraseProvider} and {@link KeyRingProtectionSettings}.
+     *
+     * @param passphraseProvider provider for passphrases
+     * @param protectionSettings protection settings
+     */
     public BaseSecretKeyRingProtector(SecretKeyPassphraseProvider passphraseProvider, KeyRingProtectionSettings protectionSettings) {
         this.passphraseProvider = passphraseProvider;
         this.protectionSettings = protectionSettings;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
index ee461a4e..d7ed5c85 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java
@@ -29,6 +29,12 @@ import org.pgpainless.util.Passphrase;
  */
 public interface SecretKeyRingProtector {
 
+    /**
+     * Returns true, if the protector has a passphrase for the key with the given key-id.
+     *
+     * @param keyId key id
+     * @return true if it has a passphrase, false otherwise
+     */
     boolean hasPassphraseFor(Long keyId);
 
     /**
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
index b3e60023..87170638 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmorUtils.java
@@ -33,15 +33,33 @@ import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.decryption_verification.OpenPgpInputStream;
 import org.pgpainless.key.OpenPgpFingerprint;
 
+/**
+ * Utility class for dealing with ASCII armored OpenPGP data.
+ */
 public final class ArmorUtils {
 
     // MessageIDs are 32 printable characters
     private static final Pattern PATTERN_MESSAGE_ID = Pattern.compile("^\\S{32}$");
 
+    /**
+     * Constant armor key for comments.
+     */
     public static final String HEADER_COMMENT = "Comment";
+    /**
+     * Constant armor key for program versions.
+     */
     public static final String HEADER_VERSION = "Version";
+    /**
+     * Constant armor key for message IDs. Useful for split messages.
+     */
     public static final String HEADER_MESSAGEID = "MessageID";
+    /**
+     * Constant armor key for used hash algorithms in clearsigned messages.
+     */
     public static final String HEADER_HASH = "Hash";
+    /**
+     * Constant armor key for message character sets.
+     */
     public static final String HEADER_CHARSET = "Charset";
 
     private ArmorUtils() {
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java
index 0c5ceeaf..e48fb4c0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredInputStreamFactory.java
@@ -9,12 +9,23 @@ import java.io.InputStream;
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 
+/**
+ * Factory class for instantiating preconfigured {@link ArmoredInputStream ArmoredInputStreams}.
+ * {@link #get(InputStream)} will return an {@link ArmoredInputStream} that is set up to properly detect CRC errors.
+ */
 public final class ArmoredInputStreamFactory {
 
     private ArmoredInputStreamFactory() {
 
     }
 
+    /**
+     * Return an instance of {@link ArmoredInputStream} which will detect CRC errors.
+     *
+     * @param inputStream input stream
+     * @return armored input stream
+     * @throws IOException in case of an IO error
+     */
     public static ArmoredInputStream get(InputStream inputStream) throws IOException {
         if (inputStream instanceof CRCingArmoredInputStreamWrapper) {
             return (ArmoredInputStream) inputStream;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
index fb2cd4f5..f61bacb1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/ArmoredOutputStreamFactory.java
@@ -15,6 +15,9 @@ import org.pgpainless.encryption_signing.ProducerOptions;
  */
 public final class ArmoredOutputStreamFactory {
 
+    /**
+     * Name of the program.
+     */
     public static final String PGPAINLESS = "PGPainless";
     private static String version = PGPAINLESS;
     private static String[] comment = new String[0];
@@ -42,6 +45,13 @@ public final class ArmoredOutputStreamFactory {
         return armoredOutputStream;
     }
 
+    /**
+     * Return an instance of the {@link ArmoredOutputStream} which might have pre-populated armor headers.
+     *
+     * @param outputStream output stream
+     * @param options options
+     * @return armored output stream
+     */
     public static ArmoredOutputStream get(OutputStream outputStream, ProducerOptions options) {
         if (options.isHideArmorHeaders()) {
             ArmoredOutputStream armorOut = new ArmoredOutputStream(outputStream);

From 4cf5a32cc02bc9d3c1f83425e68b86564e9e7ec6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 21 Jan 2023 19:17:49 +0100
Subject: [PATCH 0909/1450] Update SECURITY.md

---
 SECURITY.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index fad439b5..0549d1a0 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,12 +12,11 @@ SPDX-License-Identifier: Apache-2.0
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
-| Version  | Supported          |
-|----------|--------------------|
-| 1.4.X-rc | :white_check_mark: |
-| 1.3.X    | :white_check_mark: |
-| 1.2.X    | :white_check_mark: |
-| < 1.2.0  | :x:                |
+| Version | Supported          |
+|---------|--------------------|
+| 1.4.X   | :white_check_mark: |
+| 1.3.X   | :white_check_mark: |
+| < 1.3.X | :x:                |
 
 ## Reporting a Vulnerability
 

From 67cc59efa26b33696381eeab1cd318c505fe7bd5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 21 Jan 2023 19:16:39 +0100
Subject: [PATCH 0910/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 370dace7..62740014 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,10 @@ SPDX-License-Identifier: CC0-1.0
 - Add `KeyRingUtils.publicKeys(PGPKeyRing keys)`
 - Remove `BCUtil` class
 
+## 1.3.16
+- Bump `sop-java` to `4.1.0`
+- Bump `gradlew` to `7.5`
+
 ## 1.3.15
 - Fix crash in `sop generate-key --with-key-password` when more than one user-id is given
 - `sop generate-key`: Allow key generation without user-ids

From 9f98e4ce371670d8cc05c5e9cdbd095d1b899271 Mon Sep 17 00:00:00 2001
From: DenBond7 
Date: Mon, 23 Jan 2023 10:02:02 +0200
Subject: [PATCH 0911/1450] Fixed redundant dot an exception message.

---
 .../decryption_verification/OpenPgpMessageInputStream.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index bb5d67b3..7fe11bbf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -970,7 +970,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                 LOGGER.debug("No suitable certificate for verification of signature by key " + KeyIdUtil.formatKeyId(keyId) + " found.");
                 inbandSignaturesWithMissingCert.add(new SignatureVerification.Failure(
                         new SignatureVerification(signature, null),
-                        new SignatureValidationException("Missing verification key.")));
+                        new SignatureValidationException("Missing verification key")));
             }
         }
 

From 695e03f8b6cc01e0fc98b6ce2d9894f9f5e605d2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 18:19:08 +0100
Subject: [PATCH 0912/1450] Add EncryptionOptions.hasEncryptionMethod()

---
 .../encryption_signing/EncryptionOptions.java          | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 612dcd50..b5baee83 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -311,6 +311,16 @@ public class EncryptionOptions {
         return this;
     }
 
+    /**
+     * Return 
      true
       iff the user specified at least one encryption method,
+     * 
      false
       otherwise.
+     *
+     * @return encryption methods is not empty
+     */
+    public boolean hasEncryptionMethod() {
+        return !encryptionMethods.isEmpty();
+    }
+
     public interface EncryptionKeySelector {
         List selectEncryptionSubkeys(List encryptionCapableKeys);
     }

From 83ef9cfe80cfbf12d59f7ad7beac3f7eda6c2631 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 18:20:03 +0100
Subject: [PATCH 0913/1450] SOP encrypt: Throw MissingArg if no encryption
 method was provided.

---
 .../src/main/java/org/pgpainless/sop/EncryptImpl.java          | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 1874d9e1..62d20bf0 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -113,6 +113,9 @@ public class EncryptImpl implements Encrypt {
 
     @Override
     public Ready plaintext(InputStream plaintext) throws IOException {
+        if (!encryptionOptions.hasEncryptionMethod()) {
+            throw new SOPGPException.MissingArg("Missing encryption method.");
+        }
         ProducerOptions producerOptions = signingOptions != null ?
                 ProducerOptions.signAndEncrypt(encryptionOptions, signingOptions) :
                 ProducerOptions.encrypt(encryptionOptions);

From f4bd17ade8f253575c47dff03492b306c4364944 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 19:02:49 +0100
Subject: [PATCH 0914/1450] Bump sop-java to 4.1.1

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index b49f7930..7154bca5 100644
--- a/version.gradle
+++ b/version.gradle
@@ -18,6 +18,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.1.0'
+        sopJavaVersion = '4.1.1'
     }
 }

From d53cd6d0bdf7e8740de7359f14d1a9f2fc591222 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 19:03:11 +0100
Subject: [PATCH 0915/1450] pgpainless-sop: reuse shared sop-java test suite

---
 pgpainless-sop/build.gradle                   |  4 +++
 .../PGPainlessSopInstanceFactory.java         | 20 ++++++++++++
 .../operation/PGPainlessArmorDearmorTest.java | 11 +++++++
 .../PGPainlessDecryptWIthSessionKeyTest.java  | 11 +++++++
 ...ainlessDetachedSignDetachedVerifyTest.java | 18 +++++++++++
 .../PGPainlessEncryptDecryptTest.java         | 11 +++++++
 .../operation/PGPainlessExtractCertTest.java  | 32 +++++++++++++++++++
 .../operation/PGPainlessGenerateKeyTest.java  | 11 +++++++
 ...ineSignInlineDetachDetachedVerifyTest.java | 12 +++++++
 .../PGPainlessInlineSignInlineVerifyTest.java | 11 +++++++
 .../operation/PGPainlessVersionTest.java      | 11 +++++++
 11 files changed, 152 insertions(+)
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/PGPainlessSopInstanceFactory.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessArmorDearmorTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessExtractCertTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessGenerateKeyTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineDetachDetachedVerifyTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java
 create mode 100644 pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessVersionTest.java

diff --git a/pgpainless-sop/build.gradle b/pgpainless-sop/build.gradle
index 4eca8a7f..1a40bb27 100644
--- a/pgpainless-sop/build.gradle
+++ b/pgpainless-sop/build.gradle
@@ -21,10 +21,14 @@ dependencies {
     // Logging
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
 
+    // Depend on "shared" sop-java test suite (fixtures are turned into tests by inheritance inside test sources)
+    testImplementation(testFixtures("org.pgpainless:sop-java:$sopJavaVersion"))
+
     implementation(project(":pgpainless-core"))
     api "org.pgpainless:sop-java:$sopJavaVersion"
 }
 
 test {
     useJUnitPlatform()
+    environment("test.implementation", "sop.testsuite.pgpainless.PGPainlessSopInstanceFactory")
 }
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/PGPainlessSopInstanceFactory.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/PGPainlessSopInstanceFactory.java
new file mode 100644
index 00000000..a9aac0e9
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/PGPainlessSopInstanceFactory.java
@@ -0,0 +1,20 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless;
+
+import java.util.Collections;
+import java.util.Map;
+
+import org.pgpainless.sop.SOPImpl;
+import sop.SOP;
+import sop.testsuite.SOPInstanceFactory;
+
+public class PGPainlessSopInstanceFactory extends SOPInstanceFactory {
+
+    @Override
+    public Map provideSOPInstances() {
+        return Collections.singletonMap("PGPainless-SOP", new SOPImpl());
+    }
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessArmorDearmorTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessArmorDearmorTest.java
new file mode 100644
index 00000000..9161706d
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessArmorDearmorTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.ArmorDearmorTest;
+
+public class PGPainlessArmorDearmorTest extends ArmorDearmorTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java
new file mode 100644
index 00000000..2825db5f
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDecryptWIthSessionKeyTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.DecryptWithSessionKeyTest;
+
+public class PGPainlessDecryptWIthSessionKeyTest extends DecryptWithSessionKeyTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java
new file mode 100644
index 00000000..dff9e86f
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessDetachedSignDetachedVerifyTest.java
@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import org.junit.jupiter.api.Disabled;
+import sop.SOP;
+import sop.testsuite.operation.DetachedSignDetachedVerifyTest;
+
+public class PGPainlessDetachedSignDetachedVerifyTest extends DetachedSignDetachedVerifyTest {
+
+    @Override
+    @Disabled("Since we allow for dynamic cert loading, we can ignore this test")
+    public void verifyMissingCertCausesMissingArg(SOP sop) {
+        super.verifyMissingCertCausesMissingArg(sop);
+    }
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java
new file mode 100644
index 00000000..b6264d3a
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessEncryptDecryptTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.EncryptDecryptTest;
+
+public class PGPainlessEncryptDecryptTest extends EncryptDecryptTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessExtractCertTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessExtractCertTest.java
new file mode 100644
index 00000000..ee4e9684
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessExtractCertTest.java
@@ -0,0 +1,32 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import java.io.IOException;
+
+import org.junit.jupiter.api.Disabled;
+import sop.SOP;
+import sop.testsuite.operation.ExtractCertTest;
+
+public class PGPainlessExtractCertTest extends ExtractCertTest {
+
+    @Disabled("BC uses old CTBs causing mismatching byte arrays :/")
+    @Override
+    public void extractAliceCertFromAliceKeyTest(SOP sop) throws IOException {
+        super.extractAliceCertFromAliceKeyTest(sop);
+    }
+
+    @Disabled("BC uses old CTBs causing mismatching byte arrays :/")
+    @Override
+    public void extractBobsCertFromBobsKeyTest(SOP sop) throws IOException {
+        super.extractBobsCertFromBobsKeyTest(sop);
+    }
+
+    @Disabled("BC uses old CTBs causing mismatching byte arrays :/")
+    @Override
+    public void extractCarolsCertFromCarolsKeyTest(SOP sop) throws IOException {
+        super.extractCarolsCertFromCarolsKeyTest(sop);
+    }
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessGenerateKeyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessGenerateKeyTest.java
new file mode 100644
index 00000000..fe78bed0
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessGenerateKeyTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.GenerateKeyTest;
+
+public class PGPainlessGenerateKeyTest extends GenerateKeyTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineDetachDetachedVerifyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineDetachDetachedVerifyTest.java
new file mode 100644
index 00000000..20fdc262
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineDetachDetachedVerifyTest.java
@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.InlineSignInlineDetachDetachedVerifyTest;
+
+public class PGPainlessInlineSignInlineDetachDetachedVerifyTest
+        extends InlineSignInlineDetachDetachedVerifyTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java
new file mode 100644
index 00000000..16166eb1
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessInlineSignInlineVerifyTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.InlineSignInlineVerifyTest;
+
+public class PGPainlessInlineSignInlineVerifyTest extends InlineSignInlineVerifyTest {
+
+}
diff --git a/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessVersionTest.java b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessVersionTest.java
new file mode 100644
index 00000000..7a8f7db4
--- /dev/null
+++ b/pgpainless-sop/src/test/java/sop/testsuite/pgpainless/operation/PGPainlessVersionTest.java
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.pgpainless.operation;
+
+import sop.testsuite.operation.VersionTest;
+
+public class PGPainlessVersionTest extends VersionTest {
+
+}

From 9509fff92913af662d13c94a6aad4d18404e06d8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 19:10:14 +0100
Subject: [PATCH 0916/1450] Update changelog

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62740014..d730daed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,13 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.3-SNAPSHOT
+- Bump `sop-java` to `4.1.1`
+- Reuse shared test suite of `sop-java`
+- Add `EncryptionOptions.hasEncryptionMethod()`
+- SOP `encrypt`: Throw `MissingArg` exception if no encryption method was provided
+- Fix redundant dot in exception message (thanks @DenBond7)
+
 ## 1.4.2
 - Properly decrypt messages without MDC packets when `ConsumerOptions.setIgnoreMDCErrors(true)` is set
 - Fix crash in `sop generate-key --with-key-password` when more than one user-id is given

From 1257c52ede623fd377a594ab4daa09ea5647ea1b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 19:12:45 +0100
Subject: [PATCH 0917/1450] PGPainless 1.4.3

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d730daed..d3475dd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.3-SNAPSHOT
+## 1.4.3
 - Bump `sop-java` to `4.1.1`
 - Reuse shared test suite of `sop-java`
 - Add `EncryptionOptions.hasEncryptionMethod()`
diff --git a/README.md b/README.md
index 3b6dc7cb..bc3484b8 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.2'
+	implementation 'org.pgpainless:pgpainless-core:1.4.3'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 97b7765a..74772110 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.2"
+    implementation "org.pgpainless:pgpainless-sop:1.4.3"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.2
+        1.4.3
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 7154bca5..914de80f 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.3'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 6c2331d4e61342042fefb7c495755c119976c4c0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 31 Jan 2023 19:15:31 +0100
Subject: [PATCH 0918/1450] PGPainless 1.4.4-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 914de80f..68d74212 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.3'
-        isSnapshot = false
+        shortVersion = '1.4.4'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From 30771f470a31e6fc094dd6824eb85cdfd1cc9cc0 Mon Sep 17 00:00:00 2001
From: Bastien JANSEN 
Date: Wed, 8 Feb 2023 09:16:53 +0100
Subject: [PATCH 0919/1450] Support version 3 signature packets

---
 .../consumer/SignatureValidator.java          | 10 ++-
 .../subpackets/SignatureSubpacketsUtil.java   |  3 +
 .../VerifyVersion3SignaturePacketTest.java    | 65 +++++++++++++++++++
 3 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index af245235..cf0dc1fb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -158,8 +158,10 @@ public abstract class SignatureValidator {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
                 signatureIsNotMalformed(signingKey).verify(signature);
-                signatureDoesNotHaveCriticalUnknownNotations(policy.getNotationRegistry()).verify(signature);
-                signatureDoesNotHaveCriticalUnknownSubpackets().verify(signature);
+                if (signature.getVersion() >= 4) {
+                    signatureDoesNotHaveCriticalUnknownNotations(policy.getNotationRegistry()).verify(signature);
+                    signatureDoesNotHaveCriticalUnknownSubpackets().verify(signature);
+                }
                 signatureUsesAcceptableHashAlgorithm(policy).verify(signature);
                 signatureUsesAcceptablePublicKeyAlgorithm(policy, signingKey).verify(signature);
             }
@@ -373,7 +375,9 @@ public abstract class SignatureValidator {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
-                signatureHasHashedCreationTime().verify(signature);
+                if (signature.getVersion() >= 4) {
+                    signatureHasHashedCreationTime().verify(signature);
+                }
                 signatureDoesNotPredateSigningKey(creator).verify(signature);
                 if (signature.getSignatureType() != SignatureType.PRIMARYKEY_BINDING.getCode()) {
                     signatureDoesNotPredateSigningKeyBindingDate(creator).verify(signature);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index cbcbeafc..1105a813 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -141,6 +141,9 @@ public final class SignatureSubpacketsUtil {
      * @return signature creation time subpacket
      */
     public static @Nullable SignatureCreationTime getSignatureCreationTime(PGPSignature signature) {
+        if (signature.getVersion() == 3) {
+            return new SignatureCreationTime(false, signature.getCreationTime());
+        }
         return hashed(signature, SignatureSubpacket.signatureCreationTime);
     }
 
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java
new file mode 100644
index 00000000..54b9c94b
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java
@@ -0,0 +1,65 @@
+package org.pgpainless.decryption_verification;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPV3SignatureGenerator;
+import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.HashAlgorithm;
+import org.pgpainless.algorithm.PublicKeyAlgorithm;
+import org.pgpainless.algorithm.SignatureType;
+import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.TestKeys;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class VerifyVersion3SignaturePacketTest {
+
+
+    protected static final byte[] DATA = "hello".getBytes(StandardCharsets.UTF_8);
+
+    @Test
+    void verifyDetachedVersion3Signature() throws PGPException, IOException {
+        PGPSignature version3Signature = generateV3Signature();
+
+        ConsumerOptions options = new ConsumerOptions()
+                .addVerificationCert(TestKeys.getEmilPublicKeyRing())
+                .addVerificationOfDetachedSignatures(new ByteArrayInputStream(version3Signature.getEncoded()));
+
+        DecryptionStream verifier = PGPainless.decryptAndOrVerify()
+                .onInputStream(new ByteArrayInputStream(DATA))
+                .withOptions(options);
+
+        OpenPgpMetadata metadata = processSignedData(verifier);
+        assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.getEmilPublicKeyRing()));
+    }
+
+    private static PGPSignature generateV3Signature() throws IOException, PGPException {
+        PGPContentSignerBuilder builder = ImplementationFactory.getInstance().getPGPContentSignerBuilder(PublicKeyAlgorithm.ECDSA, HashAlgorithm.SHA512);
+        PGPV3SignatureGenerator signatureGenerator = new PGPV3SignatureGenerator(builder);
+
+        PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPPrivateKey privateKey = secretKeys.getSecretKey().extractPrivateKey(protector.getDecryptor(secretKeys.getSecretKey().getKeyID()));
+
+        signatureGenerator.init(SignatureType.CANONICAL_TEXT_DOCUMENT.getCode(), privateKey);
+        signatureGenerator.update(DATA);
+
+        return signatureGenerator.generate();
+    }
+
+    private OpenPgpMetadata processSignedData(DecryptionStream verifier) throws IOException {
+        Streams.drain(verifier);
+        verifier.close();
+        return verifier.getResult();
+    }
+}

From d03f84f415ff43716303e810b7dd8c700559392c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 8 Feb 2023 14:49:10 +0100
Subject: [PATCH 0920/1450] Add reuse header to
 VerifyVersion3SignaturePacketTest

---
 .../VerifyVersion3SignaturePacketTest.java                    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java
index 54b9c94b..2a12e74a 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/VerifyVersion3SignaturePacketTest.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2023 Bastien Jansen
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.openpgp.PGPException;

From 997a6c8c5d109b11585c9ff065afa9e63c11cbd0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 8 Feb 2023 14:51:44 +0100
Subject: [PATCH 0921/1450] Update changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3475dd5..867980ea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.4.4-SNAPSHOT
+- Fix expectations on subpackets of v3 signatures (thanks @bjansen)
+  - Properly verify v3 signatures, which do not yet have signature subpackets, yet we required them to have  
+    a hashed creation date subpacket.
+
 ## 1.4.3
 - Bump `sop-java` to `4.1.1`
 - Reuse shared test suite of `sop-java`

From afc7d491445d641429474feb633f26effad2d348 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 9 Feb 2023 21:55:10 +0100
Subject: [PATCH 0922/1450] PGPainless 1.4.4

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 867980ea..bd7f3505 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.4.4-SNAPSHOT
+## 1.4.4
 - Fix expectations on subpackets of v3 signatures (thanks @bjansen)
   - Properly verify v3 signatures, which do not yet have signature subpackets, yet we required them to have  
     a hashed creation date subpacket.
diff --git a/README.md b/README.md
index bc3484b8..2a91789e 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.3'
+	implementation 'org.pgpainless:pgpainless-core:1.4.4'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 74772110..3aef6d05 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.3"
+    implementation "org.pgpainless:pgpainless-sop:1.4.4"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.3
+        1.4.4
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 68d74212..2593724d 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.4'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From a25ea542d69651fa0dfbccf0d3cb1151c83f772a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 9 Feb 2023 21:58:37 +0100
Subject: [PATCH 0923/1450] PGPainless 1.4.5-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 2593724d..55e9b151 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.4'
-        isSnapshot = false
+        shortVersion = '1.4.5'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'

From ed2c53f5d6362afec315e43a84cb35c5745ccd55 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sat, 25 Feb 2023 11:26:58 +0100
Subject: [PATCH 0924/1450] Make getLastModified() @Nonnull

---
 .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index fa4168dd..46dd500b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -611,7 +611,7 @@ public class KeyRingInfo {
      *
      * @return last modification date.
      */
-    public @Nullable Date getLastModified() {
+    public @Nonnull Date getLastModified() {
         PGPSignature mostRecent = getMostRecentSignature();
         if (mostRecent == null) {
             // No sigs found. Return public key creation date instead.

From acb5d3fd9e98041948e6742804b3c1c439f124e1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 7 Apr 2023 11:26:38 +0200
Subject: [PATCH 0925/1450] getEncryptionSubkeys(): Compare expirations against
 reference date

---
 .../src/main/java/org/pgpainless/key/info/KeyRingInfo.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 46dd500b..1ebd023e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -903,7 +903,7 @@ public class KeyRingInfo {
      */
     public @Nonnull List getEncryptionSubkeys(EncryptionPurpose purpose) {
         Date primaryExpiration = getPrimaryKeyExpirationDate();
-        if (primaryExpiration != null && primaryExpiration.before(new Date())) {
+        if (primaryExpiration != null && primaryExpiration.before(referenceDate)) {
             return Collections.emptyList();
         }
 
@@ -917,7 +917,7 @@ public class KeyRingInfo {
             }
 
             Date subkeyExpiration = getSubkeyExpirationDate(OpenPgpFingerprint.of(subKey));
-            if (subkeyExpiration != null && subkeyExpiration.before(new Date())) {
+            if (subkeyExpiration != null && subkeyExpiration.before(referenceDate)) {
                 continue;
             }
 

From e744668f5ae63dec785b02e48d13f7bb5f8aedd6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 7 Apr 2023 11:47:40 +0200
Subject: [PATCH 0926/1450] Deprecate OpenPgpFingerprint.parse() methods

---
 .../src/main/java/org/pgpainless/key/OpenPgpFingerprint.java  | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index 86ac8265..0525f4c9 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -55,7 +55,9 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable
Date: Fri, 7 Apr 2023 12:28:27 +0200
Subject: [PATCH 0927/1450] Introduce OpenPgpv6Fingerprint

---
 .../pgpainless/key/OpenPgpFingerprint.java    |  11 +-
 .../pgpainless/key/OpenPgpV5Fingerprint.java  |  67 +-------
 .../pgpainless/key/OpenPgpV6Fingerprint.java  |  58 +++++++
 .../pgpainless/key/_64DigitFingerprint.java   | 119 ++++++++++++++
 .../key/OpenPgpV5FingerprintTest.java         |  69 +-------
 .../key/OpenPgpV6FingerprintTest.java         | 154 ++++++++++++++++++
 .../key/_64DigitFingerprintTest.java          |  85 ++++++++++
 7 files changed, 430 insertions(+), 133 deletions(-)
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpV6Fingerprint.java
 create mode 100644 pgpainless-core/src/main/java/org/pgpainless/key/_64DigitFingerprint.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV6FingerprintTest.java
 create mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
index 0525f4c9..1ac900a0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/OpenPgpFingerprint.java
@@ -36,6 +36,9 @@ public abstract class OpenPgpFingerprint implements CharSequence, Comparable
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import javax.annotation.Nonnull;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+
+/**
+ * This class represents a hex encoded, upper case OpenPGP v6 fingerprint.
+ */
+public class OpenPgpV6Fingerprint extends _64DigitFingerprint {
+
+    /**
+     * Create an {@link OpenPgpV6Fingerprint}.
+     *
+     * @param fingerprint uppercase hexadecimal fingerprint of length 64
+     */
+    public OpenPgpV6Fingerprint(@Nonnull String fingerprint) {
+        super(fingerprint);
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull byte[] bytes) {
+        super(bytes);
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull PGPPublicKey key) {
+        super(key);
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull PGPSecretKey key) {
+        this(key.getPublicKey());
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull PGPPublicKeyRing ring) {
+        super(ring);
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull PGPSecretKeyRing ring) {
+        super(ring);
+    }
+
+    public OpenPgpV6Fingerprint(@Nonnull PGPKeyRing ring) {
+        super(ring);
+    }
+
+    @Override
+    public int getVersion() {
+        return 6;
+    }
+
+}
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/_64DigitFingerprint.java b/pgpainless-core/src/main/java/org/pgpainless/key/_64DigitFingerprint.java
new file mode 100644
index 00000000..11f18058
--- /dev/null
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/_64DigitFingerprint.java
@@ -0,0 +1,119 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import java.nio.Buffer;
+import java.nio.ByteBuffer;
+import javax.annotation.Nonnull;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.encoders.Hex;
+
+/**
+ * This class represents a hex encoded, upper case OpenPGP v5 or v6 fingerprint.
+ * Since both fingerprints use the same format, this class is used when parsing the fingerprint without knowing the
+ * key version.
+ */
+public class _64DigitFingerprint extends OpenPgpFingerprint {
+
+    /**
+     * Create an {@link _64DigitFingerprint}.
+     *
+     * @param fingerprint uppercase hexadecimal fingerprint of length 64
+     */
+    protected _64DigitFingerprint(@Nonnull String fingerprint) {
+        super(fingerprint);
+    }
+
+    protected _64DigitFingerprint(@Nonnull byte[] bytes) {
+        super(Hex.encode(bytes));
+    }
+
+    protected _64DigitFingerprint(@Nonnull PGPPublicKey key) {
+        super(key);
+    }
+
+    protected _64DigitFingerprint(@Nonnull PGPSecretKey key) {
+        this(key.getPublicKey());
+    }
+
+    protected _64DigitFingerprint(@Nonnull PGPPublicKeyRing ring) {
+        super(ring);
+    }
+
+    protected _64DigitFingerprint(@Nonnull PGPSecretKeyRing ring) {
+        super(ring);
+    }
+
+    protected _64DigitFingerprint(@Nonnull PGPKeyRing ring) {
+        super(ring);
+    }
+
+    @Override
+    public int getVersion() {
+        return -1; // might be v5 or v6
+    }
+
+    @Override
+    protected boolean isValid(@Nonnull String fp) {
+        return fp.matches("^[0-9A-F]{64}$");
+    }
+
+    @Override
+    public long getKeyId() {
+        byte[] bytes = Hex.decode(toString().getBytes(utf8));
+        ByteBuffer buf = ByteBuffer.wrap(bytes);
+
+        // The key id is the left-most 8 bytes (conveniently a long).
+        // We have to cast here in order to be compatible with java 8
+        // https://github.com/eclipse/jetty.project/issues/3244
+        ((Buffer) buf).position(0);
+
+        return buf.getLong();
+    }
+
+    @Override
+    public String prettyPrint() {
+        String fp = toString();
+        StringBuilder pretty = new StringBuilder();
+
+        for (int i = 0; i < 4; i++) {
+            pretty.append(fp, i * 8, (i + 1) * 8).append(' ');
+        }
+        pretty.append(' ');
+        for (int i = 4; i < 7; i++) {
+            pretty.append(fp, i * 8, (i + 1) * 8).append(' ');
+        }
+        pretty.append(fp, 56, 64);
+        return pretty.toString();
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (other == null) {
+            return false;
+        }
+
+        if (!(other instanceof CharSequence)) {
+            return false;
+        }
+
+        return this.toString().equals(other.toString());
+    }
+
+    @Override
+    public int hashCode() {
+        return toString().hashCode();
+    }
+
+    @Override
+    public int compareTo(OpenPgpFingerprint openPgpFingerprint) {
+        return toString().compareTo(openPgpFingerprint.toString());
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
index a250bef4..57c98928 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV5FingerprintTest.java
@@ -5,8 +5,6 @@
 package org.pgpainless.key;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -29,77 +27,12 @@ public class OpenPgpV5FingerprintTest {
         OpenPgpV5Fingerprint fingerprint = new OpenPgpV5Fingerprint(fp);
         assertEquals(fp, fingerprint.toString());
         assertEquals(pretty, fingerprint.prettyPrint());
+        assertEquals(5, fingerprint.getVersion());
 
         long id = fingerprint.getKeyId();
         assertEquals("76543210abcdefab", Long.toHexString(id));
     }
 
-    @Test
-    public void testParse() {
-        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
-        OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint);
-
-        assertTrue(parsed instanceof OpenPgpV5Fingerprint);
-        OpenPgpV5Fingerprint v5fp = (OpenPgpV5Fingerprint) parsed;
-        assertEquals(prettyPrint, v5fp.prettyPrint());
-        assertEquals(5, v5fp.getVersion());
-    }
-
-    @Test
-    public void testParseFromBinary() {
-        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
-        byte[] binary = Hex.decode(hex);
-
-        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
-        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
-        assertEquals(hex, fingerprint.toString());
-
-        OpenPgpV5Fingerprint constructed = new OpenPgpV5Fingerprint(binary);
-        assertEquals(fingerprint, constructed);
-    }
-
-    @Test
-    public void testParseFromBinary_leadingZeros() {
-        String hex = "000000000000000001AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
-        byte[] binary = Hex.decode(hex);
-
-        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
-        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
-        assertEquals(hex, fingerprint.toString());
-    }
-
-    @Test
-    public void testParseFromBinary_trailingZeros() {
-        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA100000000000000000";
-        byte[] binary = Hex.decode(hex);
-
-        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
-        assertTrue(fingerprint instanceof OpenPgpV5Fingerprint);
-        assertEquals(hex, fingerprint.toString());
-    }
-
-    @Test
-    public void testParseFromBinary_wrongLength() {
-        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA012345"; // missing 2 digits
-        byte[] binary = Hex.decode(hex);
-
-        assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.parseFromBinary(binary));
-    }
-
-    @Test
-    public void equalsTest() {
-        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
-        OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint);
-
-        assertNotEquals(parsed, null);
-        assertNotEquals(parsed, new Object());
-        assertEquals(parsed, parsed.toString());
-
-        OpenPgpFingerprint parsed2 = new OpenPgpV5Fingerprint(prettyPrint);
-        assertEquals(parsed.hashCode(), parsed2.hashCode());
-        assertEquals(0, parsed.compareTo(parsed2));
-    }
-
     @Test
     public void constructFromMockedPublicKey() {
         String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV6FingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV6FingerprintTest.java
new file mode 100644
index 00000000..7a7b0e45
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/OpenPgpV6FingerprintTest.java
@@ -0,0 +1,154 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.key;
+
+import org.bouncycastle.openpgp.PGPKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.encoders.Hex;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class OpenPgpV6FingerprintTest {
+
+    @Test
+    public void testFingerprintFormatting() {
+        String pretty = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        String fp = pretty.replace(" ", "");
+
+        OpenPgpV6Fingerprint fingerprint = new OpenPgpV6Fingerprint(fp);
+        assertEquals(fp, fingerprint.toString());
+        assertEquals(pretty, fingerprint.prettyPrint());
+        assertEquals(6, fingerprint.getVersion());
+
+        long id = fingerprint.getKeyId();
+        assertEquals("76543210abcdefab", Long.toHexString(id));
+    }
+
+    @Test
+    public void testParseFromBinary_leadingZeros() {
+        String hex = "000000000000000001AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = new OpenPgpV6Fingerprint(binary);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_trailingZeros() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA100000000000000000";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = new OpenPgpV6Fingerprint(binary);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_wrongLength() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA012345"; // missing 2 digits
+        byte[] binary = Hex.decode(hex);
+
+        assertThrows(IllegalArgumentException.class, () -> new OpenPgpV6Fingerprint(binary));
+    }
+
+    @Test
+    public void equalsTest() {
+        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        OpenPgpFingerprint parsed = new OpenPgpV6Fingerprint(prettyPrint);
+
+        assertNotEquals(parsed, null);
+        assertNotEquals(parsed, new Object());
+        assertEquals(parsed, parsed.toString());
+
+        OpenPgpFingerprint parsed2 = new OpenPgpV6Fingerprint(prettyPrint);
+        assertEquals(parsed.hashCode(), parsed2.hashCode());
+        assertEquals(0, parsed.compareTo(parsed2));
+    }
+
+    @Test
+    public void constructFromMockedPublicKey() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKey);
+        assertTrue(fingerprint instanceof OpenPgpV6Fingerprint);
+        assertEquals(6, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedSecretKey() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPSecretKey secretKey = mock(PGPSecretKey.class);
+        when(secretKey.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = new OpenPgpV6Fingerprint(secretKey);
+        assertEquals(6, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedPublicKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPPublicKeyRing publicKeys = mock(PGPPublicKeyRing.class);
+        when(publicKeys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(publicKeys);
+        assertEquals(6, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV6Fingerprint(publicKeys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedSecretKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPSecretKeyRing secretKeys = mock(PGPSecretKeyRing.class);
+        when(secretKeys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(secretKeys);
+        assertEquals(6, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV6Fingerprint(secretKeys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void constructFromMockedKeyRing() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        PGPPublicKey publicKey = getMockedPublicKey(hex);
+        PGPKeyRing keys = mock(PGPKeyRing.class);
+        when(keys.getPublicKey()).thenReturn(publicKey);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(keys);
+        assertEquals(6, fingerprint.getVersion());
+        assertEquals(hex, fingerprint.toString());
+
+        fingerprint = new OpenPgpV6Fingerprint(keys);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    private PGPPublicKey getMockedPublicKey(String hex) {
+        byte[] binary = Hex.decode(hex);
+
+        PGPPublicKey mocked = mock(PGPPublicKey.class);
+        when(mocked.getVersion()).thenReturn(6);
+        when(mocked.getFingerprint()).thenReturn(binary);
+        return mocked;
+    }
+}
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java
new file mode 100644
index 00000000..21ff31c3
--- /dev/null
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java
@@ -0,0 +1,85 @@
+package org.pgpainless.key;
+
+import org.bouncycastle.util.encoders.Hex;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class _64DigitFingerprintTest {
+
+    @Test
+    public void testParse() {
+        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint);
+
+        assertTrue(parsed instanceof _64DigitFingerprint);
+        assertEquals(prettyPrint, parsed.prettyPrint());
+        assertEquals(-1, parsed.getVersion());
+    }
+
+    @Test
+    public void testParseFromBinary() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof _64DigitFingerprint);
+        assertEquals(hex, fingerprint.toString());
+
+        OpenPgpV5Fingerprint v5 = new OpenPgpV5Fingerprint(binary);
+        assertEquals(fingerprint, v5);
+
+        OpenPgpV6Fingerprint v6 = new OpenPgpV6Fingerprint(binary);
+        assertEquals(fingerprint, v6);
+    }
+
+    @Test
+    public void testParseFromBinary_leadingZeros() {
+        String hex = "000000000000000001AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA01234567";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof _64DigitFingerprint);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_trailingZeros() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA100000000000000000";
+        byte[] binary = Hex.decode(hex);
+
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.parseFromBinary(binary);
+        assertTrue(fingerprint instanceof _64DigitFingerprint);
+        assertEquals(hex, fingerprint.toString());
+    }
+
+    @Test
+    public void testParseFromBinary_wrongLength() {
+        String hex = "76543210ABCDEFAB01AB23CD1C0FFEE11EEFF0C1DC32BA10BAFEDCBA012345"; // missing 2 digits
+        byte[] binary = Hex.decode(hex);
+
+        assertThrows(IllegalArgumentException.class, () -> OpenPgpFingerprint.parseFromBinary(binary));
+    }
+
+    @Test
+    public void equalsTest() {
+        String prettyPrint = "76543210 ABCDEFAB 01AB23CD 1C0FFEE1  1EEFF0C1 DC32BA10 BAFEDCBA 01234567";
+        OpenPgpFingerprint parsed = OpenPgpFingerprint.parse(prettyPrint);
+
+        assertNotEquals(parsed, null);
+        assertNotEquals(parsed, new Object());
+        assertEquals(parsed, parsed.toString());
+
+        OpenPgpFingerprint v5 = new OpenPgpV5Fingerprint(prettyPrint);
+        assertEquals(parsed.hashCode(), v5.hashCode());
+        assertEquals(0, parsed.compareTo(v5));
+
+        OpenPgpFingerprint v6 = new OpenPgpV6Fingerprint(prettyPrint);
+        assertEquals(parsed.hashCode(), v6.hashCode());
+        assertEquals(0, parsed.compareTo(v6));
+    }
+
+}

From 2587f19df345075b6c55949aee06dd08c346e156 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Sun, 9 Apr 2023 18:49:20 +0200
Subject: [PATCH 0928/1450] BC173: Fix CRC error detection by improving error
 check

---
 .../pgpainless/decryption_verification/TeeBCPGInputStream.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index 28b415e0..bdbd9bcd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -120,7 +120,7 @@ public class TeeBCPGInputStream {
                 last = inputStream.read();
                 return last;
             } catch (IOException e) {
-                if ("crc check failed in armored message.".equals(e.getMessage())) {
+                if (e.getMessage().contains("crc check failed in armored message")) {
                     throw e;
                 }
                 return -1;

From 44608744c26f2df63daba7f3a8e24d706b8d5db0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 16:17:58 +0200
Subject: [PATCH 0929/1450] Add missing license header

---
 .../test/java/org/pgpainless/key/_64DigitFingerprintTest.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java
index 21ff31c3..a38fa61d 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/_64DigitFingerprintTest.java
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.key;
 
 import org.bouncycastle.util.encoders.Hex;

From e35287a66658af3213628be09b6d025f401cb40c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 14:31:48 +0200
Subject: [PATCH 0930/1450] Add support for SOP05 features

---
 .../org/pgpainless/sop/GenerateKeyImpl.java   | 48 ++++++++++++++++++-
 .../org/pgpainless/sop/ListProfilesImpl.java  | 29 +++++++++++
 .../main/java/org/pgpainless/sop/SOPImpl.java |  6 +++
 version.gradle                                |  2 +-
 4 files changed, 82 insertions(+), 3 deletions(-)
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index da99c854..693ca454 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -8,18 +8,22 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.LinkedHashSet;
+import java.util.List;
 import java.util.Set;
 
 import org.bouncycastle.bcpg.ArmoredOutputStream;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.pgpainless.PGPainless;
+import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.Passphrase;
+import sop.Profile;
 import sop.Ready;
 import sop.exception.SOPGPException;
 import sop.operation.GenerateKey;
@@ -29,9 +33,16 @@ import sop.operation.GenerateKey;
  */
 public class GenerateKeyImpl implements GenerateKey {
 
+    public static final Profile DEFAULT_PROFILE = new Profile("default", "Generate keys based on XDH and EdDSA");
+    public static final Profile RSA3072_PROFILE = new Profile("rfc4880-rsa3072@pgpainless.org", "Generate 3072-bit RSA keys");
+    public static final Profile RSA4096_PROFILE = new Profile("rfc4880-rsa4096@pgpainless.org", "Generate 4096-bit RSA keys");
+
+    public static final List SUPPORTED_PROFILES = Arrays.asList(DEFAULT_PROFILE, RSA3072_PROFILE, RSA4096_PROFILE);
+
     private boolean armor = true;
     private final Set userIds = new LinkedHashSet<>();
     private Passphrase passphrase = Passphrase.emptyPassphrase();
+    private String profile = DEFAULT_PROFILE.getName();
 
     @Override
     public GenerateKey noArmor() {
@@ -51,6 +62,18 @@ public class GenerateKeyImpl implements GenerateKey {
         return this;
     }
 
+    @Override
+    public GenerateKey profile(String profileName) {
+        for (Profile profile : SUPPORTED_PROFILES) {
+            if (profile.getName().equals(profileName)) {
+                this.profile = profileName;
+                return this;
+            }
+        }
+
+        throw new SOPGPException.UnsupportedProfile("generate-key", profileName);
+    }
+
     @Override
     public Ready generate() throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo {
         Iterator userIdIterator = userIds.iterator();
@@ -58,8 +81,7 @@ public class GenerateKeyImpl implements GenerateKey {
         PGPSecretKeyRing key;
         try {
             String primaryUserId = userIdIterator.hasNext() ? userIdIterator.next() : null;
-             key = PGPainless.generateKeyRing()
-                    .modernKeyRing(primaryUserId, passphrase);
+            key = generateKeyWithProfile(profile, primaryUserId, passphrase);
 
             if (userIdIterator.hasNext()) {
                 SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(key);
@@ -90,4 +112,26 @@ public class GenerateKeyImpl implements GenerateKey {
             throw new RuntimeException(e);
         }
     }
+
+    private PGPSecretKeyRing generateKeyWithProfile(String profile, String primaryUserId, Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing key;
+        // XDH + EdDSA
+        if (profile.equals(DEFAULT_PROFILE.getName())) {
+            key = PGPainless.generateKeyRing()
+                    .modernKeyRing(primaryUserId, passphrase);
+        }
+        else if (profile.equals(RSA3072_PROFILE.getName())) {
+            key = PGPainless.generateKeyRing()
+                    .simpleRsaKeyRing(primaryUserId, RsaLength._3072, passphrase);
+        }
+        else if (profile.equals(RSA4096_PROFILE.getName())) {
+            key = PGPainless.generateKeyRing()
+                    .simpleRsaKeyRing(primaryUserId, RsaLength._4096, passphrase);
+        }
+        else {
+            throw new SOPGPException.UnsupportedProfile("generate-key", profile);
+        }
+        return key;
+    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java
new file mode 100644
index 00000000..06519bb3
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java
@@ -0,0 +1,29 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import java.util.List;
+
+import sop.Profile;
+import sop.exception.SOPGPException;
+import sop.operation.ListProfiles;
+
+public class ListProfilesImpl implements ListProfiles {
+
+    @Override
+    public List subcommand(String command) {
+        if (command == null) {
+            throw new SOPGPException.UnsupportedProfile("null");
+        }
+
+        switch (command) {
+            case "generate-key":
+                return GenerateKeyImpl.SUPPORTED_PROFILES;
+
+            default:
+                throw new SOPGPException.UnsupportedProfile(command);
+        }
+    }
+}
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
index a49f7e34..a0e5f631 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/SOPImpl.java
@@ -17,6 +17,7 @@ import sop.operation.ExtractCert;
 import sop.operation.GenerateKey;
 import sop.operation.InlineSign;
 import sop.operation.InlineVerify;
+import sop.operation.ListProfiles;
 import sop.operation.Version;
 
 /**
@@ -96,6 +97,11 @@ public class SOPImpl implements SOP {
         return new DearmorImpl();
     }
 
+    @Override
+    public ListProfiles listProfiles() {
+        return new ListProfilesImpl();
+    }
+
     @Override
     public InlineDetach inlineDetach() {
         return new InlineDetachImpl();
diff --git a/version.gradle b/version.gradle
index 55e9b151..1adf151a 100644
--- a/version.gradle
+++ b/version.gradle
@@ -18,6 +18,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '4.1.1'
+        sopJavaVersion = '5.0.0-SNAPSHOT'
     }
 }

From b79e706d65c33defebd132e9ec3db5f6725c89db Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 14:35:55 +0200
Subject: [PATCH 0931/1450] Bump SOP version in VersionImpl to 05

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 4449af10..13a5dc94 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -18,7 +18,7 @@ import sop.operation.Version;
 public class VersionImpl implements Version {
 
     // draft version
-    private static final String SOP_VERSION = "04";
+    private static final String SOP_VERSION = "05";
 
     @Override
     public String getName() {

From f3a4a01d199bd3782d2e34b065ac16c47dd5253b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 16:17:32 +0200
Subject: [PATCH 0932/1450] Add basic tests for new functionality

---
 .../org/pgpainless/sop/GenerateKeyTest.java   | 14 ++++++++
 .../org/pgpainless/sop/ListProfilesTest.java  | 34 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 pgpainless-sop/src/test/java/org/pgpainless/sop/ListProfilesTest.java

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
index 3a6e4476..5894bfa7 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
@@ -7,6 +7,7 @@ package org.pgpainless.sop;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
@@ -21,6 +22,7 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.util.Passphrase;
 import sop.SOP;
+import sop.exception.SOPGPException;
 
 public class GenerateKeyTest {
 
@@ -92,4 +94,16 @@ public class GenerateKeyTest {
             assertNotNull(UnlockSecretKey.unlockSecretKey(key, Passphrase.fromPassword("sw0rdf1sh")));
         }
     }
+
+    @Test
+    public void invalidProfile() {
+        assertThrows(SOPGPException.UnsupportedProfile.class, () ->
+                sop.generateKey().profile("invalid"));
+    }
+
+    @Test
+    public void nullProfile() {
+        assertThrows(SOPGPException.UnsupportedProfile.class, () ->
+                sop.generateKey().profile((String) null));
+    }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/ListProfilesTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/ListProfilesTest.java
new file mode 100644
index 00000000..0103bf4d
--- /dev/null
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/ListProfilesTest.java
@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import sop.SOP;
+import sop.exception.SOPGPException;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class ListProfilesTest {
+
+    private SOP sop;
+
+    @BeforeEach
+    public void prepare() {
+        this.sop = new SOPImpl();
+    }
+
+    @Test
+    public void listProfilesOfGenerateKey() {
+        assertFalse(sop.listProfiles().subcommand("generate-key").isEmpty());
+    }
+
+    @Test
+    public void listProfilesOfHelpCommandThrows() {
+        assertThrows(SOPGPException.UnsupportedProfile.class, () ->
+                sop.listProfiles().subcommand("help"));
+    }
+}

From 702fdf085c2eef616be59b233988d5ab2a28f417 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 12:49:23 +0200
Subject: [PATCH 0933/1450] Thin out and rename profiles of generate-key

---
 .../java/org/pgpainless/sop/GenerateKeyImpl.java | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index 693ca454..d2baf29b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -33,16 +33,15 @@ import sop.operation.GenerateKey;
  */
 public class GenerateKeyImpl implements GenerateKey {
 
-    public static final Profile DEFAULT_PROFILE = new Profile("default", "Generate keys based on XDH and EdDSA");
-    public static final Profile RSA3072_PROFILE = new Profile("rfc4880-rsa3072@pgpainless.org", "Generate 3072-bit RSA keys");
-    public static final Profile RSA4096_PROFILE = new Profile("rfc4880-rsa4096@pgpainless.org", "Generate 4096-bit RSA keys");
+    public static final Profile CURVE25519_PROFILE = new Profile("draft-koch-eddsa-for-openpgp-00", "Generate EdDSA / ECDH keys using Curve25519");
+    public static final Profile RSA4096_PROFILE = new Profile("rfc4880", "Generate 4096-bit RSA keys");
 
-    public static final List SUPPORTED_PROFILES = Arrays.asList(DEFAULT_PROFILE, RSA3072_PROFILE, RSA4096_PROFILE);
+    public static final List SUPPORTED_PROFILES = Arrays.asList(CURVE25519_PROFILE, RSA4096_PROFILE);
 
     private boolean armor = true;
     private final Set userIds = new LinkedHashSet<>();
     private Passphrase passphrase = Passphrase.emptyPassphrase();
-    private String profile = DEFAULT_PROFILE.getName();
+    private String profile = CURVE25519_PROFILE.getName();
 
     @Override
     public GenerateKey noArmor() {
@@ -117,14 +116,11 @@ public class GenerateKeyImpl implements GenerateKey {
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         PGPSecretKeyRing key;
         // XDH + EdDSA
-        if (profile.equals(DEFAULT_PROFILE.getName())) {
+        if (profile.equals(CURVE25519_PROFILE.getName())) {
             key = PGPainless.generateKeyRing()
                     .modernKeyRing(primaryUserId, passphrase);
         }
-        else if (profile.equals(RSA3072_PROFILE.getName())) {
-            key = PGPainless.generateKeyRing()
-                    .simpleRsaKeyRing(primaryUserId, RsaLength._3072, passphrase);
-        }
+        // RSA 4096
         else if (profile.equals(RSA4096_PROFILE.getName())) {
             key = PGPainless.generateKeyRing()
                     .simpleRsaKeyRing(primaryUserId, RsaLength._4096, passphrase);

From 63714859292c7bac51b3e40d127439cf469a93ad Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 14:51:50 +0200
Subject: [PATCH 0934/1450] Add some clarifying comments to GenerateKeyImpl

---
 .../src/main/java/org/pgpainless/sop/GenerateKeyImpl.java     | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index d2baf29b..ba788dac 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -63,13 +63,16 @@ public class GenerateKeyImpl implements GenerateKey {
 
     @Override
     public GenerateKey profile(String profileName) {
+        // Sanitize the profile name to make sure we support the given profile
         for (Profile profile : SUPPORTED_PROFILES) {
             if (profile.getName().equals(profileName)) {
                 this.profile = profileName;
+                // return if we found the profile
                 return this;
             }
         }
 
+        // profile not found, throw
         throw new SOPGPException.UnsupportedProfile("generate-key", profileName);
     }
 
@@ -126,6 +129,7 @@ public class GenerateKeyImpl implements GenerateKey {
                     .simpleRsaKeyRing(primaryUserId, RsaLength._4096, passphrase);
         }
         else {
+            // Missing else-if branch for profile. Oops.
             throw new SOPGPException.UnsupportedProfile("generate-key", profile);
         }
         return key;

From 11eda9be953487e2124fba4b48c31f72dbb13a94 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 15:09:15 +0200
Subject: [PATCH 0935/1450] Bump sop-java to 5.0.0

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 1adf151a..4a532368 100644
--- a/version.gradle
+++ b/version.gradle
@@ -18,6 +18,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '5.0.0-SNAPSHOT'
+        sopJavaVersion = '5.0.0'
     }
 }

From 772a98b4ae0701571136be3dd7ff66f7c17042c0 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 15:22:38 +0200
Subject: [PATCH 0936/1450] Update changelog

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd7f3505..6212d8c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,14 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.5.0-SNAPSHOT
+- Introduce `OpenPgpv6Fingerprint` class
+- Bump `sop-java` to `5.0.0`, implementing [SOP Spec Revision 05](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-05.html)
+  - Add support for `list-profiles` subcommand (`generate-key` only for now)
+  - `generate-key`: Add support for `--profile=` option
+    - Add profile `draft-koch-eddsa-for-openpgp-00` which represents status quo.
+    - Add profile `rfc4880` which generates keys based on 4096-bit RSA.
+
 ## 1.4.4
 - Fix expectations on subpackets of v3 signatures (thanks @bjansen)
   - Properly verify v3 signatures, which do not yet have signature subpackets, yet we required them to have  

From 66d81660052e6a3720eec3026509dcd9d1288491 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 14:35:11 +0200
Subject: [PATCH 0937/1450] Bump sop-java to 6.0.0-SNAPSHOT

---
 version.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.gradle b/version.gradle
index 4a532368..aa025a9e 100644
--- a/version.gradle
+++ b/version.gradle
@@ -18,6 +18,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '5.0.0'
+        sopJavaVersion = '6.0.0'
     }
 }

From 446d121777b47f82aa4bfd993d13ef27880e9d77 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 14:36:31 +0200
Subject: [PATCH 0938/1450] Bump SOP version in VersionImpl to 06

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 13a5dc94..5e851706 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -18,7 +18,7 @@ import sop.operation.Version;
 public class VersionImpl implements Version {
 
     // draft version
-    private static final String SOP_VERSION = "05";
+    private static final String SOP_VERSION = "06";
 
     @Override
     public String getName() {

From 5b363de6e42a9cec16175f6afb5552548b389384 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 14:36:57 +0200
Subject: [PATCH 0939/1450] Implement VersionImpl.getSopSpecVersion()

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java        | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 5e851706..8986e295 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -63,4 +63,9 @@ public class VersionImpl implements Version {
                 "Using " + getBackendVersion() + "\n" +
                 "https://www.bouncycastle.org/java.html";
     }
+
+    @Override
+    public String getSopSpecVersion() {
+        return "draft-dkg-openpgp-stateless-cli-" + SOP_VERSION;
+    }
 }

From 3b1edb076c5aa74403777f58f82064d38ef9d2ce Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 15:13:43 +0200
Subject: [PATCH 0940/1450] Basic support for sop encrypt --profile=XXX

---
 .../java/org/pgpainless/sop/EncryptImpl.java  | 20 +++++++++++++++++++
 .../org/pgpainless/sop/ListProfilesImpl.java  |  3 +++
 2 files changed, 23 insertions(+)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 62d20bf0..689e07be 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -8,7 +8,9 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.charset.Charset;
+import java.util.Arrays;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import org.bouncycastle.openpgp.PGPException;
@@ -28,6 +30,7 @@ import org.pgpainless.exception.WrongPassphraseException;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.util.Passphrase;
+import sop.Profile;
 import sop.Ready;
 import sop.enums.EncryptAs;
 import sop.exception.SOPGPException;
@@ -39,10 +42,15 @@ import sop.util.ProxyOutputStream;
  */
 public class EncryptImpl implements Encrypt {
 
+    private static final Profile DEFAULT_PROFILE = new Profile("default", "Use the implementer's recommendations");
+
+    public static final List SUPPORTED_PROFILES = Arrays.asList(DEFAULT_PROFILE);
+
     EncryptionOptions encryptionOptions = EncryptionOptions.get();
     SigningOptions signingOptions = null;
     MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
     private final Set signingKeys = new HashSet<>();
+    private String profile = DEFAULT_PROFILE.getName(); // TODO: Use in future releases
 
     private EncryptAs encryptAs = EncryptAs.Binary;
     boolean armor = true;
@@ -111,6 +119,18 @@ public class EncryptImpl implements Encrypt {
         return this;
     }
 
+    @Override
+    public Encrypt profile(String profileName) {
+        for (Profile profile : SUPPORTED_PROFILES) {
+            if (profile.getName().equals(profileName)) {
+                this.profile = profile.getName();
+                return this;
+            }
+        }
+
+        throw new SOPGPException.UnsupportedProfile("encrypt", profileName);
+    }
+
     @Override
     public Ready plaintext(InputStream plaintext) throws IOException {
         if (!encryptionOptions.hasEncryptionMethod()) {
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java
index 06519bb3..c0f5027a 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/ListProfilesImpl.java
@@ -22,6 +22,9 @@ public class ListProfilesImpl implements ListProfiles {
             case "generate-key":
                 return GenerateKeyImpl.SUPPORTED_PROFILES;
 
+            case "encrypt":
+                return EncryptImpl.SUPPORTED_PROFILES;
+
             default:
                 throw new SOPGPException.UnsupportedProfile(command);
         }

From 926e540016dd6edf8ec7de2234847e3fbbbbc4dc Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Fri, 14 Apr 2023 15:57:29 +0200
Subject: [PATCH 0941/1450] Test fine-grained SOP spec version

---
 .../cli/commands/VersionCmdTest.java          |  8 +++++++
 .../java/org/pgpainless/sop/VersionImpl.java  | 21 +++++++++++++----
 .../java/org/pgpainless/sop/VersionTest.java  | 23 +++++++++++++++++++
 3 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java
index 2e4aa7e4..87f535a8 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/VersionCmdTest.java
@@ -41,4 +41,12 @@ public class VersionCmdTest extends CLITest {
         assertTrue(info.contains("Bouncy Castle"));
         assertTrue(info.contains("Stateless OpenPGP Protocol"));
     }
+
+    @Test
+    public void testSopSpecVersion() throws IOException {
+        ByteArrayOutputStream out = pipeStdoutToStream();
+        assertSuccess(executeCommand("version", "--sop-spec"));
+        String info = out.toString();
+        assertTrue(info.startsWith("draft-dkg-openpgp-stateless-cli-"));
+    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 8986e295..82995edf 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -18,7 +18,7 @@ import sop.operation.Version;
 public class VersionImpl implements Version {
 
     // draft version
-    private static final String SOP_VERSION = "06";
+    private static final int SOP_VERSION = 6;
 
     @Override
     public String getName() {
@@ -51,11 +51,12 @@ public class VersionImpl implements Version {
 
     @Override
     public String getExtendedVersion() {
+        String FORMAT_VERSION = String.format("%02d", SOP_VERSION);
         return getName() + " " + getVersion() + "\n" +
                 "https://codeberg.org/PGPainless/pgpainless/src/branch/master/pgpainless-sop\n" +
                 "\n" +
-                "Implementation of the Stateless OpenPGP Protocol Version " + SOP_VERSION + "\n" +
-                "https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-" + SOP_VERSION + "\n" +
+                "Implementation of the Stateless OpenPGP Protocol Version " + FORMAT_VERSION + "\n" +
+                "https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli-" + FORMAT_VERSION + "\n" +
                 "\n" +
                 "Based on pgpainless-core " + getVersion() + "\n" +
                 "https://pgpainless.org\n" +
@@ -65,7 +66,17 @@ public class VersionImpl implements Version {
     }
 
     @Override
-    public String getSopSpecVersion() {
-        return "draft-dkg-openpgp-stateless-cli-" + SOP_VERSION;
+    public int getSopSpecVersionNumber() {
+        return SOP_VERSION;
+    }
+
+    @Override
+    public boolean isSopSpecImplementationIncomplete() {
+        return false;
+    }
+
+    @Override
+    public String getSopSpecImplementationIncompletenessRemarks() {
+        return null;
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
index c9739471..fa4af6a8 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
@@ -7,6 +7,7 @@ package org.pgpainless.sop;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -49,4 +50,26 @@ public class VersionTest {
         String firstLine = extendedVersion.split("\n")[0];
         assertEquals(sop.version().getName() + " " + sop.version().getVersion(), firstLine);
     }
+
+    @Test
+    public void testGetSopSpecVersion() {
+        boolean incomplete = sop.version().isSopSpecImplementationIncomplete();
+        int revisionNumber = sop.version().getSopSpecVersionNumber();
+
+        String revisionString = sop.version().getSopSpecRevisionString();
+        assertEquals("draft-dkg-openpgp-stateless-cli-" + String.format("%02d", revisionNumber), revisionString);
+
+        String incompletenessRemarks = sop.version().getSopSpecImplementationIncompletenessRemarks();
+
+        String fullSopSpecVersion = sop.version().getSopSpecVersion();
+        if (incomplete) {
+            assertTrue(fullSopSpecVersion.startsWith("~" + revisionString));
+        } else {
+            assertTrue(fullSopSpecVersion.startsWith(revisionString));
+        }
+
+        if (incompletenessRemarks != null) {
+            assertTrue(fullSopSpecVersion.endsWith(incompletenessRemarks));
+        }
+    }
 }

From 676e7d166a22854b53f01a50c6416a8c2f5c1920 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:06:45 +0200
Subject: [PATCH 0942/1450] EncryptImpl: Rename default profile, add
 documentation

---
 .../src/main/java/org/pgpainless/sop/EncryptImpl.java    | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
index 689e07be..18bcabcc 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/EncryptImpl.java
@@ -42,15 +42,15 @@ import sop.util.ProxyOutputStream;
  */
 public class EncryptImpl implements Encrypt {
 
-    private static final Profile DEFAULT_PROFILE = new Profile("default", "Use the implementer's recommendations");
+    private static final Profile RFC4880_PROFILE = new Profile("rfc4880", "Follow the packet format of rfc4880");
 
-    public static final List SUPPORTED_PROFILES = Arrays.asList(DEFAULT_PROFILE);
+    public static final List SUPPORTED_PROFILES = Arrays.asList(RFC4880_PROFILE);
 
     EncryptionOptions encryptionOptions = EncryptionOptions.get();
     SigningOptions signingOptions = null;
     MatchMakingSecretKeyRingProtector protector = new MatchMakingSecretKeyRingProtector();
     private final Set signingKeys = new HashSet<>();
-    private String profile = DEFAULT_PROFILE.getName(); // TODO: Use in future releases
+    private String profile = RFC4880_PROFILE.getName(); // TODO: Use in future releases
 
     private EncryptAs encryptAs = EncryptAs.Binary;
     boolean armor = true;
@@ -121,13 +121,16 @@ public class EncryptImpl implements Encrypt {
 
     @Override
     public Encrypt profile(String profileName) {
+        // sanitize profile name to make sure we only accept supported profiles
         for (Profile profile : SUPPORTED_PROFILES) {
             if (profile.getName().equals(profileName)) {
+                // profile is supported, return
                 this.profile = profile.getName();
                 return this;
             }
         }
 
+        // Profile is not supported, throw
         throw new SOPGPException.UnsupportedProfile("encrypt", profileName);
     }
 

From 003423a165631e8015cbe05f424fc0555b3ae0cf Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:09:51 +0200
Subject: [PATCH 0943/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6212d8c4..7d408157 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,10 @@ SPDX-License-Identifier: CC0-1.0
   - `generate-key`: Add support for `--profile=` option
     - Add profile `draft-koch-eddsa-for-openpgp-00` which represents status quo.
     - Add profile `rfc4880` which generates keys based on 4096-bit RSA.
+- Bump `sop-java` to `6.0.0`, implementing [SOP Spec Revision 06](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-06.html)
+  - `encrypt`: Add support for `--profile=` option
+    - Add profile `rfc4880` to reflect status quo
+  - `version`: Add support for `--sop-spec` option
 
 ## 1.4.4
 - Fix expectations on subpackets of v3 signatures (thanks @bjansen)

From e465ae60a7150faabfeedb32dee3d727fb01662e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:22:54 +0200
Subject: [PATCH 0944/1450] VersionImpl: Fix outdated method names

---
 .../src/main/java/org/pgpainless/sop/VersionImpl.java       | 5 +++--
 .../src/test/java/org/pgpainless/sop/VersionTest.java       | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
index 82995edf..0794c708 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VersionImpl.java
@@ -66,7 +66,7 @@ public class VersionImpl implements Version {
     }
 
     @Override
-    public int getSopSpecVersionNumber() {
+    public int getSopSpecRevisionNumber() {
         return SOP_VERSION;
     }
 
@@ -76,7 +76,8 @@ public class VersionImpl implements Version {
     }
 
     @Override
-    public String getSopSpecImplementationIncompletenessRemarks() {
+    public String getSopSpecImplementationRemarks() {
         return null;
     }
+
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
index fa4af6a8..32d2c2e0 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/VersionTest.java
@@ -54,12 +54,12 @@ public class VersionTest {
     @Test
     public void testGetSopSpecVersion() {
         boolean incomplete = sop.version().isSopSpecImplementationIncomplete();
-        int revisionNumber = sop.version().getSopSpecVersionNumber();
+        int revisionNumber = sop.version().getSopSpecRevisionNumber();
 
-        String revisionString = sop.version().getSopSpecRevisionString();
+        String revisionString = sop.version().getSopSpecRevisionName();
         assertEquals("draft-dkg-openpgp-stateless-cli-" + String.format("%02d", revisionNumber), revisionString);
 
-        String incompletenessRemarks = sop.version().getSopSpecImplementationIncompletenessRemarks();
+        String incompletenessRemarks = sop.version().getSopSpecImplementationRemarks();
 
         String fullSopSpecVersion = sop.version().getSopSpecVersion();
         if (incomplete) {

From 3a3e193bb0466ec4b5618c5fc40645f0e2645a23 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:23:16 +0200
Subject: [PATCH 0945/1450] Bump bouncycastle to 1.73

---
 version.gradle | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/version.gradle b/version.gradle
index aa025a9e..cbd64528 100644
--- a/version.gradle
+++ b/version.gradle
@@ -8,12 +8,8 @@ allprojects {
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
-        bouncyCastleVersion = '1.72'
-        // When using bouncyCastleVersion 1.72:
-        // unfortunately we rely on 1.72.1 or 1.72.3 for a patch for https://github.com/bcgit/bc-java/issues/1257
-        //  which is a bug we introduced with a PR against BC :/ oops
-        // When bouncyCastleVersion is 1.71, bouncyPgVersion can simply be set to 1.71 as well.
-        bouncyPgVersion = '1.72.3'
+        bouncyCastleVersion = '1.73'
+        bouncyPgVersion = bouncyCastleVersion
         junitVersion = '5.8.2'
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'

From d8f32b668910b7c1a53ae288bcffbdb013464b07 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:24:55 +0200
Subject: [PATCH 0946/1450] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d408157..08184f70 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ SPDX-License-Identifier: CC0-1.0
 # PGPainless Changelog
 
 ## 1.5.0-SNAPSHOT
+- Bump `bcpg-jdk15to18` to `1.73`
+- Bump `bcprov-jdk15to18` to `1.73`
 - Introduce `OpenPgpv6Fingerprint` class
 - Bump `sop-java` to `5.0.0`, implementing [SOP Spec Revision 05](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-05.html)
   - Add support for `list-profiles` subcommand (`generate-key` only for now)

From 94a609127e75f1569e42e17f68a32029c039389f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:35:17 +0200
Subject: [PATCH 0947/1450] PGPainless 1.5.0

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 6 +++---
 version.gradle           | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08184f70..51f7a815 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.5.0-SNAPSHOT
+## 1.5.0
 - Bump `bcpg-jdk15to18` to `1.73`
 - Bump `bcprov-jdk15to18` to `1.73`
 - Introduce `OpenPgpv6Fingerprint` class
diff --git a/README.md b/README.md
index 2a91789e..14ff388d 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.4'
+	implementation 'org.pgpainless:pgpainless-core:1.5.0'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 3aef6d05..b4e755dd 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # PGPainless-SOP
 
-[![Spec Revision: 4](https://img.shields.io/badge/Spec%20Revision-4-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
+[![Spec Revision: 6](https://img.shields.io/badge/Spec%20Revision-6-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/)
 [![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/pgpainless-sop)](https://search.maven.org/artifact/org.pgpainless/pgpainless-sop)
 [![javadoc](https://javadoc.io/badge2/org.pgpainless/pgpainless-sop/javadoc.svg)](https://javadoc.io/doc/org.pgpainless/pgpainless-sop)
 
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.4"
+    implementation "org.pgpainless:pgpainless-sop:1.5.0"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.4.4
+        1.5.0
     
     ...
 
diff --git a/version.gradle b/version.gradle
index cbd64528..86239e88 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.4.5'
-        isSnapshot = true
+        shortVersion = '1.5.0'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From 36a52a3e34c76287b0a37ee22c70b8ec57657180 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 17 Apr 2023 16:37:37 +0200
Subject: [PATCH 0948/1450] PGPainless 1.5.1-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 86239e88..3d271a75 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.5.0'
-        isSnapshot = false
+        shortVersion = '1.5.1'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From 9a0b60ac7e45e2f6cae2c6d88e334507348e17d1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 17:41:02 +0200
Subject: [PATCH 0949/1450] Update quickstart document

---
 docs/source/pgpainless-sop/quickstart.md | 40 +++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/docs/source/pgpainless-sop/quickstart.md b/docs/source/pgpainless-sop/quickstart.md
index 10ef0a72..60e1df29 100644
--- a/docs/source/pgpainless-sop/quickstart.md
+++ b/docs/source/pgpainless-sop/quickstart.md
@@ -75,10 +75,21 @@ In both cases, the resulting output will be the UTF8 encoded, ASCII armored Open
 
 To disable ASCII armoring, call `noArmor()` before calling `generate()`.
 
-At the time of writing, the resulting OpenPGP secret key will consist of a certification-capable 256-bits
+Revision `05` of the Stateless OpenPGP Protocol specification introduced the concept of profiles for
+certain operations.
+The key generation feature is the first operation to make use of profiles to specify different key algorithms.
+To set a profile, simply call `profile(String profileName)` and pass in one of the available profile identifiers.
+
+To explore, which profiles are available, refer to the dedicated [section](#explore-profiles).
+
+The default profile used by `pgpainless-sop` is called `draft-koch-eddsa-for-openpgp-00`.
+If this profile is used, the resulting OpenPGP secret key will consist of a certification-capable 256-bits
 ed25519 EdDSA primary key, a 256-bits ed25519 EdDSA subkey used for signing, as well as a 256-bits X25519
 ECDH subkey for encryption.
 
+Another profile defined by `pgpainless-sop` is `rfc4880`, which changes the key generation behaviour such that
+the resulting key is a single 4096-bit RSA key capable of certifying, signing and encrypting.
+
 The whole key does not have an expiration date set.
 
 ### Extract a Certificate
@@ -186,6 +197,13 @@ If any keys used for signing are password protected, you need to provide the sig
 It does not matter in which order signing keys and key passwords are provided, the implementation will figure out
 matches on its own. If different key passwords are used, the `withKeyPassword(_)` method can be called multiple times.
 
+You can modify the behaviour of the encrypt operation by switching between different profiles via the
+`profile(String profileName)` method.
+At the time of writing, the only available profile for this operation is `rfc4880` which applies encryption
+as defined in [rfc4880](https://datatracker.ietf.org/doc/html/rfc4880).
+
+To explore, which profiles are available, refer to the dedicated [section](#explore-profiles).
+
 By default, the encrypted message will be ASCII armored. To disable ASCII armor, call `noArmor()` before the
 `plaintext(_)` method call.
 
@@ -464,3 +482,23 @@ By default, the signatures output will be ASCII armored. This can be disabled by
 prior to `message(_)`.
 
 The detached signatures can now be verified like in the section above.
+
+### Explore Profiles
+
+Certain operations allow modification of their behaviour by selecting between different profiles.
+An example for this is the `generateKey()` operation, where different profiles result in different algorithms used
+during key generation.
+
+To explore, which profiles are supported by a certain operation, you can use the `listProfiles()` operation.
+For example, this is how you can get a list of profiles supported by the `generateKey()` operation:
+
+```java
+List profiles = sop.listProfiles().subcommand("generate-key");
+```
+
+:::{note}
+As you can see, the argument passed into the `subcommand()` method must match the operation name as defined in the
+[Stateless OpenPGP Protocol specification](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/).
+:::
+
+At the time of writing (the latest revision of the SOP spec is 06), only `generate-key` and `encrypt` accept profiles.
\ No newline at end of file

From 05968533a5b64005a38702b7e2fdf787c59265ba Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 18:35:47 +0200
Subject: [PATCH 0950/1450] InlineVerifyImpl: Export signature mode in
 Verification result

---
 .../RoundTripInlineSignInlineVerifyCmdTest.java |  2 +-
 .../org/pgpainless/sop/InlineVerifyImpl.java    | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
index d36ee58f..0676f213 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripInlineSignInlineVerifyCmdTest.java
@@ -409,7 +409,7 @@ public class RoundTripInlineSignInlineVerifyCmdTest extends CLITest {
         assertEquals("Hello, World!\n", out.toString());
         String ver = readStringFromFile(verifications);
         assertEquals(
-                "2022-11-18T14:55:33Z 7A073EDF273C902796D259528FBDD36D01831673 AEA0FD2C899D3FC077815F0026560D2AE53DB86F\n", ver);
+                "2022-11-18T14:55:33Z 7A073EDF273C902796D259528FBDD36D01831673 AEA0FD2C899D3FC077815F0026560D2AE53DB86F mode:binary\n", ver);
     }
 
     @Test
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index 7665a7bb..eea5ebfb 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -13,6 +13,7 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -23,6 +24,7 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import sop.ReadyWithResult;
 import sop.Verification;
+import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
 import sop.operation.InlineVerify;
 
@@ -96,6 +98,19 @@ public class InlineVerifyImpl implements InlineVerify {
     private Verification map(SignatureVerification sigVerification) {
         return new Verification(sigVerification.getSignature().getCreationTime(),
                 sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
-                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString(),
+                getMode(sigVerification.getSignature()),
+                null);
+    }
+
+    private static SignatureMode getMode(PGPSignature signature) {
+        if (signature.getSignatureType() == PGPSignature.BINARY_DOCUMENT) {
+            return SignatureMode.binary;
+        }
+        if (signature.getSignatureType() == PGPSignature.CANONICAL_TEXT_DOCUMENT) {
+            return SignatureMode.text;
+        }
+
+        return null;
     }
 }

From 2ec176e9388e281f98171b89008e84d0f0cb125c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 18:39:52 +0200
Subject: [PATCH 0951/1450] DetachedVerifyImpl: Export signature mode in
 Verification result

---
 .../cli/commands/InlineDetachCmdTest.java       |  4 ++--
 .../commands/RoundTripSignVerifyCmdTest.java    |  4 ++--
 .../org/pgpainless/sop/DetachedVerifyImpl.java  | 17 ++++++++++++++++-
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
index 8854d837..19bc9aa5 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/InlineDetachCmdTest.java
@@ -90,7 +90,7 @@ public class InlineDetachCmdTest extends CLITest {
         pipeStringToStdin(msgOut.toString());
         ByteArrayOutputStream verifyOut = pipeStdoutToStream();
         assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), certFile.getAbsolutePath()));
-        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n",
+        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C mode:text\n",
                 verifyOut.toString());
     }
 
@@ -115,7 +115,7 @@ public class InlineDetachCmdTest extends CLITest {
         ByteArrayOutputStream verifyOut = pipeStdoutToStream();
         File certFile = writeFile("cert.asc", CERT);
         assertSuccess(executeCommand("verify", sigFile.getAbsolutePath(), certFile.getAbsolutePath()));
-        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C\n",
+        assertEquals("2021-05-15T16:08:06Z 4F665C4DC2C4660BC6425E415736E6931ACF370C 4F665C4DC2C4660BC6425E415736E6931ACF370C mode:text\n",
                 verifyOut.toString());
     }
 
diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
index 6196a847..97bfae7e 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
@@ -94,7 +94,7 @@ public class RoundTripSignVerifyCmdTest extends CLITest {
             "=VWAZ\n" +
             "-----END PGP SIGNATURE-----";
     private static final String BINARY_SIG_VERIFICATION =
-            "2022-11-09T18:40:24Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E\n";
+            "2022-11-09T18:40:24Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E mode:binary\n";
     private static final String TEXT_SIG = "-----BEGIN PGP SIGNATURE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
@@ -104,7 +104,7 @@ public class RoundTripSignVerifyCmdTest extends CLITest {
             "=s5xn\n" +
             "-----END PGP SIGNATURE-----";
     private static final String TEXT_SIG_VERIFICATION =
-            "2022-11-09T18:41:18Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E\n";
+            "2022-11-09T18:41:18Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E mode:text\n";
     private static final Date TEXT_SIG_CREATION = UTCUtil.parseUTCDate("2022-11-09T18:41:18Z");
 
     @Test
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index 93ad398c..f0cb1161 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -12,6 +12,7 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -20,6 +21,7 @@ import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import sop.Verification;
+import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedVerify;
 
@@ -94,6 +96,19 @@ public class DetachedVerifyImpl implements DetachedVerify {
     private Verification map(SignatureVerification sigVerification) {
         return new Verification(sigVerification.getSignature().getCreationTime(),
                 sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
-                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString(),
+                getMode(sigVerification.getSignature()),
+                null);
+    }
+
+    private static SignatureMode getMode(PGPSignature signature) {
+        if (signature.getSignatureType() == PGPSignature.BINARY_DOCUMENT) {
+            return SignatureMode.binary;
+        }
+        if (signature.getSignatureType() == PGPSignature.CANONICAL_TEXT_DOCUMENT) {
+            return SignatureMode.text;
+        }
+
+        return null;
     }
 }

From b0974c6ade4569c9f7342884d45d1a80a212e5c4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 18:40:25 +0200
Subject: [PATCH 0952/1450] Add more tests for inline-sign-verify roundtrips

---
 .../sop/InlineSignVerifyRoundtripTest.java    | 50 +++++++++++++++++--
 1 file changed, 47 insertions(+), 3 deletions(-)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
index b24b729c..e5ce518b 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
@@ -9,13 +9,14 @@ import sop.ByteArrayAndResult;
 import sop.SOP;
 import sop.Verification;
 import sop.enums.InlineSignAs;
+import sop.enums.SignatureMode;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 public class InlineSignVerifyRoundtripTest {
 
@@ -46,7 +47,11 @@ public class InlineSignVerifyRoundtripTest {
 
         byte[] verified = result.getBytes();
 
-        assertFalse(result.getResult().isEmpty());
+        List verificationList = result.getResult();
+        assertEquals(1, verificationList.size());
+        Verification verification = verificationList.get(0);
+        assertEquals(SignatureMode.text, verification.getSignatureMode());
+
         assertArrayEquals(message, verified);
     }
 
@@ -65,6 +70,7 @@ public class InlineSignVerifyRoundtripTest {
         byte[] inlineSigned = sop.inlineSign()
                 .key(key)
                 .withKeyPassword("sw0rdf1sh")
+                .mode(InlineSignAs.binary)
                 .data(message).getBytes();
 
         ByteArrayAndResult> result = sop.inlineVerify()
@@ -74,7 +80,45 @@ public class InlineSignVerifyRoundtripTest {
 
         byte[] verified = result.getBytes();
 
-        assertFalse(result.getResult().isEmpty());
+        List verificationList = result.getResult();
+        assertEquals(1, verificationList.size());
+        Verification verification = verificationList.get(0);
+        assertEquals(SignatureMode.binary, verification.getSignatureMode());
+
+        assertArrayEquals(message, verified);
+    }
+
+
+    @Test
+    public void testInlineSignAndVerifyWithTextSignatures() throws IOException {
+        byte[] key = sop.generateKey()
+                .userId("Mark")
+                .withKeyPassword("y3110w5ubm4r1n3")
+                .generate().getBytes();
+
+        byte[] cert = sop.extractCert()
+                .key(key).getBytes();
+
+        byte[] message = "Give me a plaintext that I can sign and verify, pls.".getBytes(StandardCharsets.UTF_8);
+
+        byte[] inlineSigned = sop.inlineSign()
+                .key(key)
+                .withKeyPassword("y3110w5ubm4r1n3")
+                .mode(InlineSignAs.text)
+                .data(message).getBytes();
+
+        ByteArrayAndResult> result = sop.inlineVerify()
+                .cert(cert)
+                .data(inlineSigned)
+                .toByteArrayAndResult();
+
+        byte[] verified = result.getBytes();
+
+        List verificationList = result.getResult();
+        assertEquals(1, verificationList.size());
+        Verification verification = verificationList.get(0);
+        assertEquals(SignatureMode.text, verification.getSignatureMode());
+
         assertArrayEquals(message, verified);
     }
 

From 06c924d41dff1a358ea07eb9ddefe4b1984c6185 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 18:43:56 +0200
Subject: [PATCH 0953/1450] Add tests for  mode to DetachedSignTest

---
 .../org/pgpainless/sop/DetachedSignTest.java  | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
index c6fcc267..4f274691 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
@@ -23,6 +23,7 @@ import org.pgpainless.signature.SignatureUtils;
 import sop.SOP;
 import sop.Verification;
 import sop.enums.SignAs;
+import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
 
 public class DetachedSignTest {
@@ -49,6 +50,7 @@ public class DetachedSignTest {
     public void signArmored() throws IOException {
         byte[] signature = sop.sign()
                 .key(key)
+                .mode(SignAs.Binary)
                 .data(data)
                 .toByteArrayAndResult().getBytes();
 
@@ -62,6 +64,7 @@ public class DetachedSignTest {
                 .data(data);
 
         assertEquals(1, verifications.size());
+        assertEquals(SignatureMode.binary, verifications.get(0).getSignatureMode());
     }
 
     @Test
@@ -84,6 +87,26 @@ public class DetachedSignTest {
         assertEquals(1, verifications.size());
     }
 
+    @Test
+    public void textSig() throws IOException {
+        byte[] signature = sop.sign()
+                .key(key)
+                .noArmor()
+                .mode(SignAs.Text)
+                .data(data)
+                .toByteArrayAndResult().getBytes();
+
+        List verifications = sop.verify()
+                .cert(cert)
+                .notAfter(new Date(new Date().getTime() + 10000))
+                .notBefore(new Date(new Date().getTime() - 10000))
+                .signatures(signature)
+                .data(data);
+
+        assertEquals(1, verifications.size());
+        assertEquals(SignatureMode.text, verifications.get(0).getSignatureMode());
+    }
+
     @Test
     public void rejectSignatureAsTooOld() throws IOException {
         byte[] signature = sop.sign()

From e3bacdbe35cef9aa7bf0d36d08fe7399747d5478 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 18:53:50 +0200
Subject: [PATCH 0954/1450] Introduce VerificationHelper class and export
 signature mode in decrypt operation

---
 .../RoundTripEncryptDecryptCmdTest.java       |  4 +-
 .../java/org/pgpainless/sop/DecryptImpl.java  |  8 +--
 .../pgpainless/sop/DetachedVerifyImpl.java    | 23 +-------
 .../org/pgpainless/sop/InlineVerifyImpl.java  | 23 +-------
 .../pgpainless/sop/VerificationHelper.java    | 52 +++++++++++++++++++
 5 files changed, 57 insertions(+), 53 deletions(-)
 create mode 100644 pgpainless-sop/src/main/java/org/pgpainless/sop/VerificationHelper.java

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
index d314de20..8c294e59 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripEncryptDecryptCmdTest.java
@@ -129,7 +129,7 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
         String romeosVerif = readStringFromFile(anotherVerificationsFile);
         assertEquals(julietsVerif, romeosVerif);
         assertFalse(julietsVerif.isEmpty());
-        assertEquals(103, julietsVerif.length()); // 103 is number of symbols in [DATE, FINGER, FINGER] for V4
+        assertEquals(115, julietsVerif.length()); // 115 is number of symbols in [DATE, FINGER, FINGER, MODE] for V4
     }
 
     @Test
@@ -274,7 +274,7 @@ public class RoundTripEncryptDecryptCmdTest extends CLITest {
 
         assertEquals(plaintext, out.toString());
         String verificationString = readStringFromFile(verifications);
-        assertEquals("2022-11-09T17:22:48Z C0DCEC44B1A173664B05DABCECD0BF863F65C9A5 A2EC077FC977E15DD799EFF92C0D3C123CF51C08\n",
+        assertEquals("2022-11-09T17:22:48Z C0DCEC44B1A173664B05DABCECD0BF863F65C9A5 A2EC077FC977E15DD799EFF92C0D3C123CF51C08 mode:binary\n",
                 verificationString);
     }
 
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
index f7876799..d15713ca 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DecryptImpl.java
@@ -147,7 +147,7 @@ public class DecryptImpl implements Decrypt {
 
                 List verificationList = new ArrayList<>();
                 for (SignatureVerification signatureVerification : metadata.getVerifiedInlineSignatures()) {
-                    verificationList.add(map(signatureVerification));
+                    verificationList.add(VerificationHelper.mapVerification(signatureVerification));
                 }
 
                 SessionKey sessionKey = null;
@@ -163,10 +163,4 @@ public class DecryptImpl implements Decrypt {
             }
         };
     }
-
-    private Verification map(SignatureVerification sigVerification) {
-        return new Verification(sigVerification.getSignature().getCreationTime(),
-                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
-                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString());
-    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
index f0cb1161..cdae0215 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedVerifyImpl.java
@@ -12,7 +12,6 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -21,7 +20,6 @@ import org.pgpainless.decryption_verification.MessageMetadata;
 import org.pgpainless.decryption_verification.SignatureVerification;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import sop.Verification;
-import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
 import sop.operation.DetachedVerify;
 
@@ -78,7 +76,7 @@ public class DetachedVerifyImpl implements DetachedVerify {
             List verificationList = new ArrayList<>();
 
             for (SignatureVerification signatureVerification : metadata.getVerifiedDetachedSignatures()) {
-                verificationList.add(map(signatureVerification));
+                verificationList.add(VerificationHelper.mapVerification(signatureVerification));
             }
 
             if (!options.getCertificateSource().getExplicitCertificates().isEmpty()) {
@@ -92,23 +90,4 @@ public class DetachedVerifyImpl implements DetachedVerify {
             throw new SOPGPException.BadData(e);
         }
     }
-
-    private Verification map(SignatureVerification sigVerification) {
-        return new Verification(sigVerification.getSignature().getCreationTime(),
-                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
-                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString(),
-                getMode(sigVerification.getSignature()),
-                null);
-    }
-
-    private static SignatureMode getMode(PGPSignature signature) {
-        if (signature.getSignatureType() == PGPSignature.BINARY_DOCUMENT) {
-            return SignatureMode.binary;
-        }
-        if (signature.getSignatureType() == PGPSignature.CANONICAL_TEXT_DOCUMENT) {
-            return SignatureMode.text;
-        }
-
-        return null;
-    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
index eea5ebfb..aecb891b 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/InlineVerifyImpl.java
@@ -13,7 +13,6 @@ import java.util.List;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.pgpainless.PGPainless;
 import org.pgpainless.decryption_verification.ConsumerOptions;
@@ -24,7 +23,6 @@ import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
 import sop.ReadyWithResult;
 import sop.Verification;
-import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
 import sop.operation.InlineVerify;
 
@@ -76,7 +74,7 @@ public class InlineVerifyImpl implements InlineVerify {
                             metadata.getVerifiedInlineSignatures();
 
                     for (SignatureVerification signatureVerification : verifications) {
-                        verificationList.add(map(signatureVerification));
+                        verificationList.add(VerificationHelper.mapVerification(signatureVerification));
                     }
 
                     if (!options.getCertificateSource().getExplicitCertificates().isEmpty()) {
@@ -94,23 +92,4 @@ public class InlineVerifyImpl implements InlineVerify {
             }
         };
     }
-
-    private Verification map(SignatureVerification sigVerification) {
-        return new Verification(sigVerification.getSignature().getCreationTime(),
-                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
-                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString(),
-                getMode(sigVerification.getSignature()),
-                null);
-    }
-
-    private static SignatureMode getMode(PGPSignature signature) {
-        if (signature.getSignatureType() == PGPSignature.BINARY_DOCUMENT) {
-            return SignatureMode.binary;
-        }
-        if (signature.getSignatureType() == PGPSignature.CANONICAL_TEXT_DOCUMENT) {
-            return SignatureMode.text;
-        }
-
-        return null;
-    }
 }
diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/VerificationHelper.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerificationHelper.java
new file mode 100644
index 00000000..126a5e3b
--- /dev/null
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/VerificationHelper.java
@@ -0,0 +1,52 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub 
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import org.bouncycastle.openpgp.PGPSignature;
+import org.pgpainless.decryption_verification.SignatureVerification;
+import sop.Verification;
+import sop.enums.SignatureMode;
+
+/**
+ * Helper class for shared methods related to {@link Verification Verifications}.
+ */
+public class VerificationHelper {
+
+    /**
+     * Map a {@link SignatureVerification} object to a {@link Verification}.
+     *
+     * @param sigVerification signature verification
+     * @return verification
+     */
+    public static Verification mapVerification(SignatureVerification sigVerification) {
+        return new Verification(
+                sigVerification.getSignature().getCreationTime(),
+                sigVerification.getSigningKey().getSubkeyFingerprint().toString(),
+                sigVerification.getSigningKey().getPrimaryKeyFingerprint().toString(),
+                getMode(sigVerification.getSignature()),
+                null);
+    }
+
+    /**
+     * Map an OpenPGP signature type to a {@link SignatureMode} enum.
+     * Note: This method only maps {@link PGPSignature#BINARY_DOCUMENT} and {@link PGPSignature#CANONICAL_TEXT_DOCUMENT}.
+     * Other values are mapped to 
      null
      .
+     *
+     * @param signature signature
+     * @return signature mode enum or null
+     */
+    private static SignatureMode getMode(PGPSignature signature) {
+
+        if (signature.getSignatureType() == PGPSignature.BINARY_DOCUMENT) {
+            return SignatureMode.binary;
+        }
+
+        if (signature.getSignatureType() == PGPSignature.CANONICAL_TEXT_DOCUMENT) {
+            return SignatureMode.text;
+        }
+
+        return null;
+    }
+}

From d5f3dc80bca5706c7381e8163f42a0584bde6fb7 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 18 Apr 2023 19:00:33 +0200
Subject: [PATCH 0955/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51f7a815..893638c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.5.1-SNAPSHOT
+- SOP: Emit signature `mode:{binary|text}` in `Verification` results
+
 ## 1.5.0
 - Bump `bcpg-jdk15to18` to `1.73`
 - Bump `bcprov-jdk15to18` to `1.73`

From d10841c57a0a76a2092ef7f7ab5d9436d2fcf51c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 24 Apr 2023 16:13:11 +0200
Subject: [PATCH 0956/1450] Add workflow for pull requests

---
 .github/workflows/pr.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/pr.yml

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 00000000..cc1ca4e0
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2021 Paul Schaub 
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
+
+name: Build
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+      - name: Build, Check and Coverage
+        uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+        with:
+          arguments: check jacocoRootReport

From 0cb088525193ce845ee4cb51d66ac7c21513ddc1 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 25 Apr 2023 13:28:07 +0200
Subject: [PATCH 0957/1450] Relax constraints on decryption keys to improve
 interop with faulty, broken legacy clients that have been very naughty and
 need punishment

---
 .../OpenPgpMessageInputStream.java            |  9 ++--
 .../org/pgpainless/key/info/KeyRingInfo.java  | 46 +++++++++++++++++++
 ...ntDecryptionUsingNonEncryptionKeyTest.java | 18 ++++++++
 3 files changed, 68 insertions(+), 5 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 7fe11bbf..19a01fbf 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -43,15 +43,14 @@ import org.bouncycastle.openpgp.operator.SessionKeyDataDecryptorFactory;
 import org.bouncycastle.util.io.TeeInputStream;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.CompressionAlgorithm;
-import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.OpenPgpPacket;
 import org.pgpainless.algorithm.StreamEncoding;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
+import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.decryption_verification.syntax_check.InputSymbol;
 import org.pgpainless.decryption_verification.syntax_check.PDA;
 import org.pgpainless.decryption_verification.syntax_check.StackSymbol;
-import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
-import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
 import org.pgpainless.exception.MalformedOpenPgpMessageException;
 import org.pgpainless.exception.MessageNotIntegrityProtectedException;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -674,7 +673,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
 
         for (PGPSecretKeyRing secretKeys : options.getDecryptionKeys()) {
             KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
-            for (PGPPublicKey publicKey : info.getEncryptionSubkeys(EncryptionPurpose.ANY)) {
+            for (PGPPublicKey publicKey : info.getDecryptionSubkeys()) {
                 if (publicKey.getAlgorithm() == algorithm && info.isSecretKeyAvailable(publicKey.getKeyID())) {
                     PGPSecretKey candidate = secretKeys.getSecretKey(publicKey.getKeyID());
                     decryptionKeyCandidates.add(new Tuple<>(secretKeys, candidate));
@@ -692,7 +691,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             }
 
             KeyRingInfo info = new KeyRingInfo(secretKeys, policy, new Date());
-            List encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.ANY);
+            List encryptionKeys = info.getDecryptionSubkeys();
             for (PGPPublicKey key : encryptionKeys) {
                 if (key.getKeyID() == keyID) {
                     return secretKeys;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 1ebd023e..75d9e16c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -41,11 +41,15 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.key.OpenPgpFingerprint;
 import org.pgpainless.key.SubkeyIdentifier;
+import org.pgpainless.key.util.KeyIdUtil;
 import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.policy.Policy;
 import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.signature.consumer.SignaturePicker;
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
+import org.pgpainless.util.DateUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Utility class to quickly extract certain information from a {@link PGPPublicKeyRing}/{@link PGPSecretKeyRing}.
@@ -55,6 +59,8 @@ public class KeyRingInfo {
     private static final Pattern PATTERN_EMAIL_FROM_USERID = Pattern.compile("<([a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+@[a-zA-Z0-9.-]+)>");
     private static final Pattern PATTERN_EMAIL_EXPLICIT = Pattern.compile("^([a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+@[a-zA-Z0-9.-]+)$");
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(KeyRingInfo.class);
+
     private final PGPKeyRing keys;
     private final Signatures signatures;
     private final Date referenceDate;
@@ -904,6 +910,7 @@ public class KeyRingInfo {
     public @Nonnull List getEncryptionSubkeys(EncryptionPurpose purpose) {
         Date primaryExpiration = getPrimaryKeyExpirationDate();
         if (primaryExpiration != null && primaryExpiration.before(referenceDate)) {
+            LOGGER.debug("Certificate is expired: Primary key is expired on " + DateUtil.formatUTCDate(primaryExpiration));
             return Collections.emptyList();
         }
 
@@ -913,15 +920,18 @@ public class KeyRingInfo {
             PGPPublicKey subKey = subkeys.next();
 
             if (!isKeyValidlyBound(subKey.getKeyID())) {
+                LOGGER.debug("(Sub?)-Key " + KeyIdUtil.formatKeyId(subKey.getKeyID()) + " is not validly bound.");
                 continue;
             }
 
             Date subkeyExpiration = getSubkeyExpirationDate(OpenPgpFingerprint.of(subKey));
             if (subkeyExpiration != null && subkeyExpiration.before(referenceDate)) {
+                LOGGER.debug("(Sub?)-Key  " + KeyIdUtil.formatKeyId(subKey.getKeyID()) + " is expired on " + DateUtil.formatUTCDate(subkeyExpiration));
                 continue;
             }
 
             if (!subKey.isEncryptionKey()) {
+                LOGGER.debug("(Sub?)-Key " + KeyIdUtil.formatKeyId(subKey.getKeyID()) + " algorithm is not capable of encryption.");
                 continue;
             }
 
@@ -947,6 +957,42 @@ public class KeyRingInfo {
         return encryptionKeys;
     }
 
+    /**
+     * Return a list of all subkeys that could potentially be used to decrypt a message.
+     * Contrary to {@link #getEncryptionSubkeys(EncryptionPurpose)}, this method also includes revoked, expired keys,
+     * as well as keys which do not carry any encryption keyflags.
+     * Merely keys which use algorithms that cannot be used for encryption at all are excluded.
+     * That way, decryption of messages produced by faulty implementations can still be decrypted.
+     *
+     * @return decryption keys
+     */
+    public @Nonnull List getDecryptionSubkeys() {
+        Iterator subkeys = keys.getPublicKeys();
+        List decryptionKeys = new ArrayList<>();
+
+        while (subkeys.hasNext()) {
+            PGPPublicKey subKey = subkeys.next();
+
+            // subkeys have been valid at some point
+            if (subKey.getKeyID() != getKeyId()) {
+                PGPSignature binding = signatures.subkeyBindings.get(subKey.getKeyID());
+                if (binding == null) {
+                    LOGGER.debug("Subkey " + KeyIdUtil.formatKeyId(subKey.getKeyID()) + " was never validly bound.");
+                    continue;
+                }
+            }
+
+            // Public-Key algorithm can encrypt
+            if (!subKey.isEncryptionKey()) {
+                LOGGER.debug("(Sub?)-Key " + KeyIdUtil.formatKeyId(subKey.getKeyID()) + " is not encryption-capable.");
+                continue;
+            }
+
+            decryptionKeys.add(subKey);
+        }
+        return decryptionKeys;
+    }
+
     /**
      * Return a list of all keys which carry the provided key flag in their signature.
      *
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
index ba80c69d..04a98265 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/PreventDecryptionUsingNonEncryptionKeyTest.java
@@ -14,6 +14,7 @@ import java.nio.charset.StandardCharsets;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.exception.MissingDecryptionMethodException;
@@ -189,6 +190,23 @@ public class PreventDecryptionUsingNonEncryptionKeyTest {
     }
 
     @Test
+    public void canDecryptMessageDespiteMissingKeyFlag() throws IOException, PGPException {
+        PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY);
+
+        ByteArrayInputStream msgIn = new ByteArrayInputStream(MSG.getBytes(StandardCharsets.UTF_8));
+        DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
+                .onInputStream(msgIn)
+                .withOptions(new ConsumerOptions().addDecryptionKey(secretKeys));
+
+        Streams.drain(decryptionStream);
+        decryptionStream.close();
+        OpenPgpMetadata metadata = decryptionStream.getResult();
+
+        assertEquals(new SubkeyIdentifier(secretKeys, secretKeys.getPublicKey().getKeyID()), metadata.getDecryptionKey());
+    }
+
+    @Test
+    @Disabled
     public void nonEncryptionKeyCannotDecrypt() throws IOException {
         PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(ENCRYPTION_INCAPABLE_KEY);
 

From 699381238c97089b4c9e3e27cb9c091ed687c654 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 25 Apr 2023 13:28:38 +0200
Subject: [PATCH 0958/1450] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 893638c3..22e452e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ SPDX-License-Identifier: CC0-1.0
 
 ## 1.5.1-SNAPSHOT
 - SOP: Emit signature `mode:{binary|text}` in `Verification` results
+- core: Relax constraints on decryption subkeys to improve interoperability with broken clients
+    - Allow decryption with revoked keys
+    - Allow decryption with expired keys
+    - Allow decryption with erroneously addressed keys without encryption key flags
 
 ## 1.5.0
 - Bump `bcpg-jdk15to18` to `1.73`

From bf2bb31b711d14ca872f6d6d6f49034f98540797 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 25 Apr 2023 13:36:48 +0200
Subject: [PATCH 0959/1450] PGPainless 1.5.1

---
 CHANGELOG.md             | 2 +-
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 22e452e6..d59bf372 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.5.1-SNAPSHOT
+## 1.5.1
 - SOP: Emit signature `mode:{binary|text}` in `Verification` results
 - core: Relax constraints on decryption subkeys to improve interoperability with broken clients
     - Allow decryption with revoked keys
diff --git a/README.md b/README.md
index 14ff388d..06e9f2ed 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.5.0'
+	implementation 'org.pgpainless:pgpainless-core:1.5.1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index b4e755dd..7ae0a63c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.5.0"
+    implementation "org.pgpainless:pgpainless-sop:1.5.1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.5.0
+        1.5.1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index 3d271a75..88c3babd 100644
--- a/version.gradle
+++ b/version.gradle
@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.5.1'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From 23fd630670e1d734d22effad5843a5e9ada49b49 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Tue, 25 Apr 2023 13:39:44 +0200
Subject: [PATCH 0960/1450] PGPainless 1.5.2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 88c3babd..c53ce511 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.5.1'
-        isSnapshot = false
+        shortVersion = '1.5.2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From eb1ff27a900e56d97872fd0b167dbb2b07f3ac2c Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Apr 2023 15:15:42 +0200
Subject: [PATCH 0961/1450] Bump sop-java to 6.1.0

---
 .../commands/RoundTripSignVerifyCmdTest.java  | 11 ++++++-
 .../sop/CarolKeySignEncryptRoundtripTest.java | 10 +++---
 .../org/pgpainless/sop/DetachedSignTest.java  | 14 +++++---
 .../sop/EncryptDecryptRoundTripTest.java      | 31 ++++++++++++------
 .../org/pgpainless/sop/InlineDetachTest.java  | 24 ++++++++------
 .../sop/InlineSignVerifyRoundtripTest.java    | 32 +++++++++----------
 version.gradle                                |  2 +-
 7 files changed, 79 insertions(+), 45 deletions(-)

diff --git a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
index 97bfae7e..0ff83144 100644
--- a/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
+++ b/pgpainless-cli/src/test/java/org/pgpainless/cli/commands/RoundTripSignVerifyCmdTest.java
@@ -13,6 +13,7 @@ import java.io.File;
 import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
+import java.text.ParseException;
 import java.util.Date;
 
 import org.bouncycastle.openpgp.PGPException;
@@ -105,7 +106,15 @@ public class RoundTripSignVerifyCmdTest extends CLITest {
             "-----END PGP SIGNATURE-----";
     private static final String TEXT_SIG_VERIFICATION =
             "2022-11-09T18:41:18Z 444C10AB011EF8424C83F0A9DA9F413986211DC6 9DA09423C9F94BA4CCA30951099B11BF296A373E mode:text\n";
-    private static final Date TEXT_SIG_CREATION = UTCUtil.parseUTCDate("2022-11-09T18:41:18Z");
+    private static final Date TEXT_SIG_CREATION;
+
+    static {
+        try {
+            TEXT_SIG_CREATION = UTCUtil.parseUTCDate("2022-11-09T18:41:18Z");
+        } catch (ParseException e) {
+            throw new RuntimeException(e);
+        }
+    }
 
     @Test
     public void createArmoredSignature() throws IOException {
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java
index 81bf7645..58dfaa62 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/CarolKeySignEncryptRoundtripTest.java
@@ -4,15 +4,15 @@
 
 package org.pgpainless.sop;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
 import java.io.IOException;
 
 import org.junit.jupiter.api.Test;
 import sop.ByteArrayAndResult;
 import sop.DecryptionResult;
 import sop.Ready;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import sop.testsuite.assertions.VerificationListAssert;
 
 public class CarolKeySignEncryptRoundtripTest {
 
@@ -290,6 +290,8 @@ public class CarolKeySignEncryptRoundtripTest {
 
         byte[] plaintext = decryption.getBytes();
         assertArrayEquals(msg, plaintext);
-        assertEquals(1, decryption.getResult().getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(decryption.getResult().getVerifications())
+                .hasSingleItem()
+                .issuedBy("71FFDA004409E5DDB0C3E8F19BA789DC76D6849A", "71FFDA004409E5DDB0C3E8F19BA789DC76D6849A");
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
index 4f274691..316c4a37 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/DetachedSignTest.java
@@ -25,6 +25,7 @@ import sop.Verification;
 import sop.enums.SignAs;
 import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
+import sop.testsuite.assertions.VerificationListAssert;
 
 public class DetachedSignTest {
 
@@ -63,8 +64,9 @@ public class DetachedSignTest {
                 .signatures(signature)
                 .data(data);
 
-        assertEquals(1, verifications.size());
-        assertEquals(SignatureMode.binary, verifications.get(0).getSignatureMode());
+        VerificationListAssert.assertThatVerificationList(verifications)
+                .hasSingleItem()
+                .hasMode(SignatureMode.binary);
     }
 
     @Test
@@ -84,7 +86,8 @@ public class DetachedSignTest {
                 .signatures(signature)
                 .data(data);
 
-        assertEquals(1, verifications.size());
+        VerificationListAssert.assertThatVerificationList(verifications)
+                .hasSingleItem();
     }
 
     @Test
@@ -103,8 +106,9 @@ public class DetachedSignTest {
                 .signatures(signature)
                 .data(data);
 
-        assertEquals(1, verifications.size());
-        assertEquals(SignatureMode.text, verifications.get(0).getSignatureMode());
+        VerificationListAssert.assertThatVerificationList(verifications)
+                .hasSingleItem()
+                .hasMode(SignatureMode.text);
     }
 
     @Test
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
index 22af5b70..f51b711d 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/EncryptDecryptRoundTripTest.java
@@ -21,7 +21,9 @@ import sop.ByteArrayAndResult;
 import sop.DecryptionResult;
 import sop.SOP;
 import sop.SessionKey;
+import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
+import sop.testsuite.assertions.VerificationListAssert;
 
 public class EncryptDecryptRoundTripTest {
 
@@ -75,7 +77,8 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, decrypted.toByteArray());
 
         DecryptionResult result = bytesAndResult.getResult();
-        assertEquals(1, result.getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .hasSingleItem();
     }
 
     @Test
@@ -106,7 +109,8 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, decrypted);
 
         DecryptionResult result = bytesAndResult.getResult();
-        assertEquals(1, result.getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .hasSingleItem();
     }
 
     @Test
@@ -125,7 +129,8 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, decrypted);
 
         DecryptionResult result = bytesAndResult.getResult();
-        assertEquals(0, result.getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .isEmpty();
     }
 
     @Test
@@ -144,7 +149,8 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, decrypted);
 
         DecryptionResult result = bytesAndResult.getResult();
-        assertEquals(0, result.getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .isEmpty();
     }
 
     @Test
@@ -163,7 +169,8 @@ public class EncryptDecryptRoundTripTest {
         assertArrayEquals(message, decrypted);
 
         DecryptionResult result = bytesAndResult.getResult();
-        assertEquals(0, result.getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .isEmpty();
     }
 
     @Test
@@ -180,7 +187,8 @@ public class EncryptDecryptRoundTripTest {
                 .toByteArrayAndResult()
                 .getResult();
 
-        assertTrue(result.getVerifications().isEmpty());
+        VerificationListAssert.assertThatVerificationList(result.getVerifications())
+                .isEmpty();
     }
 
     @Test
@@ -486,14 +494,19 @@ public class EncryptDecryptRoundTripTest {
                 sop.decrypt().withKey(key).verifyWithCert(cert).ciphertext(ciphertext).toByteArrayAndResult();
         assertEquals(sessionKey, bytesAndResult.getResult().getSessionKey().get().toString());
         assertArrayEquals(plaintext, bytesAndResult.getBytes());
-        assertEquals(1, bytesAndResult.getResult().getVerifications().size());
-
+        VerificationListAssert.assertThatVerificationList(bytesAndResult.getResult().getVerifications())
+                .hasSingleItem()
+                .issuedBy("9C26EFAB1C6500A228E8A9C2658EE420C824D191")
+                .hasMode(SignatureMode.binary);
         // Decrypt with session key
         bytesAndResult = sop.decrypt().withSessionKey(SessionKey.fromString(sessionKey))
                 .verifyWithCert(cert).ciphertext(ciphertext).toByteArrayAndResult();
         assertEquals(sessionKey, bytesAndResult.getResult().getSessionKey().get().toString());
         assertArrayEquals(plaintext, bytesAndResult.getBytes());
-        assertEquals(1, bytesAndResult.getResult().getVerifications().size());
+        VerificationListAssert.assertThatVerificationList(bytesAndResult.getResult().getVerifications())
+                .hasSingleItem()
+                .issuedBy("9C26EFAB1C6500A228E8A9C2658EE420C824D191")
+                .hasMode(SignatureMode.binary);
     }
 
     @Test
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
index 1054babb..98279e4f 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineDetachTest.java
@@ -5,8 +5,6 @@
 package org.pgpainless.sop;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -34,7 +32,9 @@ import sop.SOP;
 import sop.Signatures;
 import sop.Verification;
 import sop.enums.InlineSignAs;
+import sop.enums.SignatureMode;
 import sop.exception.SOPGPException;
+import sop.testsuite.assertions.VerificationListAssert;
 
 public class InlineDetachTest {
 
@@ -79,9 +79,11 @@ public class InlineDetachTest {
                 .signatures(signature)
                 .data(message);
 
-        assertFalse(verificationList.isEmpty());
-        assertEquals(1, verificationList.size());
-        assertEquals(new OpenPgpV4Fingerprint(secretKey).toString(), verificationList.get(0).getSigningCertFingerprint());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .issuedBy(new OpenPgpV4Fingerprint(secretKey).toString())
+                .hasMode(SignatureMode.text);
+
         assertArrayEquals(data, message);
     }
 
@@ -121,8 +123,10 @@ public class InlineDetachTest {
                 .signatures(signature)
                 .data(message);
 
-        assertFalse(verificationList.isEmpty());
-        assertEquals(1, verificationList.size());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .hasMode(SignatureMode.binary);
+
         assertArrayEquals(data, message);
     }
 
@@ -191,8 +195,10 @@ public class InlineDetachTest {
                 .signatures(signature)
                 .data(message);
 
-        assertFalse(verificationList.isEmpty());
-        assertEquals(1, verificationList.size());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .hasMode(SignatureMode.binary);
+
         assertArrayEquals(data, message);
     }
 }
diff --git a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
index e5ce518b..f3a50fc3 100644
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/InlineSignVerifyRoundtripTest.java
@@ -4,19 +4,19 @@
 
 package org.pgpainless.sop;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+
 import org.junit.jupiter.api.Test;
 import sop.ByteArrayAndResult;
 import sop.SOP;
 import sop.Verification;
 import sop.enums.InlineSignAs;
 import sop.enums.SignatureMode;
-
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.List;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import sop.testsuite.assertions.VerificationListAssert;
 
 public class InlineSignVerifyRoundtripTest {
 
@@ -48,9 +48,9 @@ public class InlineSignVerifyRoundtripTest {
         byte[] verified = result.getBytes();
 
         List verificationList = result.getResult();
-        assertEquals(1, verificationList.size());
-        Verification verification = verificationList.get(0);
-        assertEquals(SignatureMode.text, verification.getSignatureMode());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .hasMode(SignatureMode.text);
 
         assertArrayEquals(message, verified);
     }
@@ -81,9 +81,9 @@ public class InlineSignVerifyRoundtripTest {
         byte[] verified = result.getBytes();
 
         List verificationList = result.getResult();
-        assertEquals(1, verificationList.size());
-        Verification verification = verificationList.get(0);
-        assertEquals(SignatureMode.binary, verification.getSignatureMode());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .hasMode(SignatureMode.binary);
 
         assertArrayEquals(message, verified);
     }
@@ -115,9 +115,9 @@ public class InlineSignVerifyRoundtripTest {
         byte[] verified = result.getBytes();
 
         List verificationList = result.getResult();
-        assertEquals(1, verificationList.size());
-        Verification verification = verificationList.get(0);
-        assertEquals(SignatureMode.text, verification.getSignatureMode());
+        VerificationListAssert.assertThatVerificationList(verificationList)
+                .hasSingleItem()
+                .hasMode(SignatureMode.text);
 
         assertArrayEquals(message, verified);
     }
diff --git a/version.gradle b/version.gradle
index c53ce511..ce7eebc7 100644
--- a/version.gradle
+++ b/version.gradle
@@ -14,6 +14,6 @@ allprojects {
         logbackVersion = '1.2.11'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'
-        sopJavaVersion = '6.0.0'
+        sopJavaVersion = '6.1.0'
     }
 }

From f51685c1266a17ae55bdd209ce1515c042e9f8c6 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Apr 2023 15:16:37 +0200
Subject: [PATCH 0962/1450] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d59bf372..506ded3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.5.2-SNAPSHOT
+- Bump `sop-java` to `6.1.0`
+
 ## 1.5.1
 - SOP: Emit signature `mode:{binary|text}` in `Verification` results
 - core: Relax constraints on decryption subkeys to improve interoperability with broken clients

From eb45dee04fdeb9634e78cde1c766b2bef8bec9e9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Apr 2023 15:22:43 +0200
Subject: [PATCH 0963/1450] rewriteManPages script: Remind to run Deprecated
 Gradle features were used in this build, making it incompatible with Gradle
 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.5.1/userguide/command_line_interface.html#sec:command_line_warnings in sop repo
---
 pgpainless-cli/rewriteManPages.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-cli/rewriteManPages.sh b/pgpainless-cli/rewriteManPages.sh
index 321dbdde..51d2aa04 100755
--- a/pgpainless-cli/rewriteManPages.sh
+++ b/pgpainless-cli/rewriteManPages.sh
@@ -4,7 +4,7 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 SOP_DIR=$(realpath $SCRIPT_DIR/../../sop-java)
 [ ! -d "$SOP_DIR" ] && echo "sop-java repository MUST be cloned next to pgpainless repo" && exit 1;
 SRC_DIR=$SOP_DIR/sop-java-picocli/build/docs/manpage
-[ ! -d "$SRC_DIR" ] && echo "No sop manpages found." && exit 1;
+[ ! -d "$SRC_DIR" ] && echo "No sop manpages found. Please run `gradle asciidoctor` in the sop-java repo." && exit 1;
 DEST_DIR=$SCRIPT_DIR/packaging/man
 mkdir -p $DEST_DIR
 

From 558036c485d6afbade4380ba5aaddf68ada25906 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Thu, 27 Apr 2023 15:23:37 +0200
Subject: [PATCH 0964/1450] Update man pages

---
 .../packaging/man/pgpainless-cli-decrypt.1    | 36 ++++-----------
 .../packaging/man/pgpainless-cli-encrypt.1    | 12 +++--
 .../man/pgpainless-cli-generate-completion.1  | 10 ++++
 .../man/pgpainless-cli-generate-key.1         |  9 +++-
 .../packaging/man/pgpainless-cli-help.1       | 10 ++++
 .../man/pgpainless-cli-inline-sign.1          |  9 ++--
 .../man/pgpainless-cli-list-profiles.1        | 46 +++++++++++++++++++
 .../packaging/man/pgpainless-cli-sign.1       |  4 +-
 .../packaging/man/pgpainless-cli-verify.1     | 13 +++++-
 .../packaging/man/pgpainless-cli-version.1    |  7 ++-
 pgpainless-cli/packaging/man/pgpainless-cli.1 | 15 ++++++
 11 files changed, 129 insertions(+), 42 deletions(-)
 create mode 100644 pgpainless-cli/packaging/man/pgpainless-cli-list-profiles.1

diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
index 17d59134..258078aa 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-decrypt.1
@@ -30,41 +30,21 @@
 pgpainless\-cli\-decrypt \- Decrypt a message from standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli decrypt\fP [\fB\-\-stacktrace\fP] [\fB\-\-not\-after\fP=\fIDATE\fP] [\fB\-\-not\-before\fP=\fIDATE\fP]
-[\fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP] [\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP]
-[\fB\-\-verify\-with\fP=\fICERT\fP]... [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]...
-[\fB\-\-with\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP]...
-[\fIKEY\fP...]
+\fBpgpainless\-cli decrypt\fP [\fB\-\-stacktrace\fP] [\fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP]
+[\fB\-\-verify\-not\-after\fP=\fIDATE\fP] [\fB\-\-verify\-not\-before\fP=\fIDATE\fP]
+[\fB\-\-verify\-out\fP=\fIVERIFICATIONS\fP] [\fB\-\-verify\-with\fP=\fICERT\fP]...
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-password\fP=\fIPASSWORD\fP]...
+[\fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP]... [\fIKEY\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
 .sp
-\fB\-\-not\-after\fP=\fIDATE\fP
-.RS 4
-ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
-.sp
-Reject signatures with a creation date not in range.
-.sp
-Defaults to current system time (\(aqnow\(aq).
-.sp
-Accepts special value \(aq\-\(aq for end of time.
-.RE
-.sp
-\fB\-\-not\-before\fP=\fIDATE\fP
-.RS 4
-ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
-.sp
-Reject signatures with a creation date not in range.
-.sp
-Defaults to beginning of time (\(aq\-\(aq).
-.RE
-.sp
 \fB\-\-session\-key\-out\fP=\fISESSIONKEY\fP
 .RS 4
 Can be used to learn the session key on successful decryption
 .RE
 .sp
-\fB\-\-stacktrace\fP, \fB\-\-verify\-out, \-\-verifications\-out\fP=\fIVERIFICATIONS\fP
+\fB\-\-stacktrace\fP, \fB\-\-verify\-not\-after\fP=\fIDATE\fP, \fB\-\-verify\-not\-before\fP=\fIDATE\fP, \fB\-\-verify\-out, \-\-verifications\-out\fP=\fIVERIFICATIONS\fP
 .RS 4
 Emits signature verification status to the designated output
 .RE
@@ -87,7 +67,7 @@ Symmetric passphrase to decrypt the message with.
 .sp
 Enables decryption based on any "SKESK" packets in the "CIPHERTEXT".
 .sp
-Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 .RE
 .sp
 \fB\-\-with\-session\-key\fP=\fISESSIONKEY\fP
@@ -96,7 +76,7 @@ Symmetric message key (session key).
 .sp
 Enables decryption of the "CIPHERTEXT" using the session key directly against the "SEIPD" packet.
 .sp
-Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 .RE
 .SH "ARGUMENTS"
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1 b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
index f1d804d0..79002302 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-encrypt.1
@@ -31,8 +31,9 @@ pgpainless\-cli\-encrypt \- Encrypt a message from standard input
 .SH "SYNOPSIS"
 .sp
 \fBpgpainless\-cli encrypt\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=\fI{binary|text}\fP]
-[\fB\-\-sign\-with\fP=\fIKEY\fP]... [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]...
-[\fB\-\-with\-password\fP=\fIPASSWORD\fP]... [\fICERTS\fP...]
+[\fB\-\-profile\fP=\fIPROFILE\fP] [\fB\-\-sign\-with\fP=\fIKEY\fP]...
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fB\-\-with\-password\fP=\fIPASSWORD\fP]...
+[\fICERTS\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -47,6 +48,11 @@ Type of the input data. Defaults to \(aqbinary\(aq
 ASCII armor the output
 .RE
 .sp
+\fB\-\-profile\fP=\fIPROFILE\fP
+.RS 4
+Profile identifier to switch between profiles
+.RE
+.sp
 \fB\-\-sign\-with\fP=\fIKEY\fP
 .RS 4
 Sign the output with a private key
@@ -63,7 +69,7 @@ Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 .RS 4
 Encrypt the message with a password.
 .sp
-Is an INDIRECT data type (e.g. file, environment variable, file descriptor...)
+Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
 .RE
 .SH "ARGUMENTS"
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
index 5ab3d673..5c50ee96 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-completion.1
@@ -152,4 +152,14 @@ Ambiguous input (a filename matching the designator already exists)
 \fB79\fP
 .RS 4
 Key is not signing capable
+.RE
+.sp
+\fB83\fP
+.RS 4
+Options were supplied that are incompatible with each other
+.RE
+.sp
+\fB89\fP
+.RS 4
+The requested profile is unsupported, or the indicated subcommand does not accept profiles
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1 b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
index 96b069f3..a5317665 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-generate-key.1
@@ -30,8 +30,8 @@
 pgpainless\-cli\-generate\-key \- Generate a secret key
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli generate\-key\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]
-[\fIUSERID\fP...]
+\fBpgpainless\-cli generate\-key\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-profile\fP=\fIPROFILE\fP]
+[\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP] [\fIUSERID\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -41,6 +41,11 @@ pgpainless\-cli\-generate\-key \- Generate a secret key
 ASCII armor the output
 .RE
 .sp
+\fB\-\-profile\fP=\fIPROFILE\fP
+.RS 4
+Profile identifier to switch between profiles
+.RE
+.sp
 \fB\-\-stacktrace\fP, \fB\-\-with\-key\-password\fP=\fIPASSWORD\fP
 .RS 4
 Password to protect the private key with
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-help.1 b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
index 6152fc87..1e7c2b08 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-help.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-help.1
@@ -147,4 +147,14 @@ Ambiguous input (a filename matching the designator already exists)
 \fB79\fP
 .RS 4
 Key is not signing capable
+.RE
+.sp
+\fB83\fP
+.RS 4
+Options were supplied that are incompatible with each other
+.RE
+.sp
+\fB89\fP
+.RS 4
+The requested profile is unsupported, or the indicated subcommand does not accept profiles
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
index 7deb568c..db041c0c 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-inline-sign.1
@@ -30,20 +30,19 @@
 pgpainless\-cli\-inline\-sign \- Create an inline\-signed message from data on standard input
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli inline\-sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=
-\fI{binary|text|cleartextsigned}\fP]
+\fBpgpainless\-cli inline\-sign\fP [\fB\-\-[no\-]armor\fP] [\fB\-\-stacktrace\fP] [\fB\-\-as\fP=\fI{binary|text|clearsigned}\fP]
 [\fB\-\-with\-key\-password\fP=\fIPASSWORD\fP]... [\fIKEYS\fP...]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
 .sp
-\fB\-\-as\fP=\fI{binary|text|cleartextsigned}\fP
+\fB\-\-as\fP=\fI{binary|text|clearsigned}\fP
 .RS 4
-Specify the signature format of the signed message
+Specify the signature format of the signed message.
 .sp
 \(aqtext\(aq and \(aqbinary\(aq will produce inline\-signed messages.
 .sp
-\(aqcleartextsigned\(aq will make use of the cleartext signature framework.
+\(aqclearsigned\(aq will make use of the cleartext signature framework.
 .sp
 Defaults to \(aqbinary\(aq.
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-list-profiles.1 b/pgpainless-cli/packaging/man/pgpainless-cli-list-profiles.1
new file mode 100644
index 00000000..9bcfa17f
--- /dev/null
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-list-profiles.1
@@ -0,0 +1,46 @@
+'\" t
+.\"     Title: pgpainless-cli-list-profiles
+.\"    Author: [see the "AUTHOR(S)" section]
+.\" Generator: Asciidoctor 2.0.10
+.\"    Manual: PGPainless-CLI Manual
+.\"    Source: 
+.\"  Language: English
+.\"
+.TH "PGPAINLESS\-CLI\-LIST\-PROFILES" "1" "" "" "PGPainless\-CLI Manual"
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.ss \n[.ss] 0
+.nh
+.ad l
+.de URL
+\fI\\$2\fP <\\$1>\\$3
+..
+.als MTO URL
+.if \n[.g] \{\
+.  mso www.tmac
+.  am URL
+.    ad l
+.  .
+.  am MTO
+.    ad l
+.  .
+.  LINKSTYLE blue R < >
+.\}
+.SH "NAME"
+pgpainless\-cli\-list\-profiles \- Emit a list of profiles supported by the identified subcommand
+.SH "SYNOPSIS"
+.sp
+\fBpgpainless\-cli list\-profiles\fP [\fB\-\-stacktrace\fP] \fICOMMAND\fP
+.SH "DESCRIPTION"
+
+.SH "OPTIONS"
+.sp
+\fB\-\-stacktrace\fP
+.RS 4
+.RE
+.SH "ARGUMENTS"
+.sp
+\fICOMMAND\fP
+.RS 4
+Subcommand for which to list profiles
+.RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1 b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
index 6519e0ec..5bb22e90 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-sign.1
@@ -38,7 +38,7 @@ pgpainless\-cli\-sign \- Create a detached signature on the data from standard i
 .sp
 \fB\-\-as\fP=\fI{binary|text}\fP
 .RS 4
-Specify the output format of the signed message
+Specify the output format of the signed message.
 .sp
 Defaults to \(aqbinary\(aq.
 .sp
@@ -47,7 +47,7 @@ If \(aq\-\-as=text\(aq and the input data is not valid UTF\-8, sign fails with r
 .sp
 \fB\-\-micalg\-out\fP=\fIMICALG\fP
 .RS 4
-Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content\-Type (RFC3156)
+Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content\-Type (RFC3156).
 .RE
 .sp
 \fB\-\-[no\-]armor\fP
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1 b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
index 5cf0020c..714064f6 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-verify.1
@@ -36,7 +36,18 @@ pgpainless\-cli\-verify \- Verify a detached signature over the data from standa
 
 .SH "OPTIONS"
 .sp
-\fB\-\-not\-after\fP=\fIDATE\fP, \fB\-\-not\-before\fP=\fIDATE\fP
+\fB\-\-not\-after\fP=\fIDATE\fP
+.RS 4
+ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
+.sp
+Reject signatures with a creation date not in range.
+.sp
+Defaults to current system time ("now").
+.sp
+Accepts special value "\-" for end of time.
+.RE
+.sp
+\fB\-\-not\-before\fP=\fIDATE\fP
 .RS 4
 ISO\-8601 formatted UTC date (e.g. \(aq2020\-11\-23T16:35Z)
 .sp
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli-version.1 b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
index 003e549f..f1bea312 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli-version.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli-version.1
@@ -30,7 +30,7 @@
 pgpainless\-cli\-version \- Display version information about the tool
 .SH "SYNOPSIS"
 .sp
-\fBpgpainless\-cli version\fP [\fB\-\-stacktrace\fP] [\fB\-\-extended\fP | \fB\-\-backend\fP]
+\fBpgpainless\-cli version\fP [\fB\-\-stacktrace\fP] [\fB\-\-extended\fP | \fB\-\-backend\fP | \fB\-\-pgpainless\-cli\-spec\fP]
 .SH "DESCRIPTION"
 
 .SH "OPTIONS"
@@ -45,6 +45,11 @@ Print information about the cryptographic backend
 Print an extended version string
 .RE
 .sp
+\fB\-\-pgpainless\-cli\-spec\fP
+.RS 4
+Print the latest revision of the SOP specification targeted by the implementation
+.RE
+.sp
 \fB\-\-stacktrace\fP
 .RS 4
 .RE
\ No newline at end of file
diff --git a/pgpainless-cli/packaging/man/pgpainless-cli.1 b/pgpainless-cli/packaging/man/pgpainless-cli.1
index 686f728f..e5cc8129 100644
--- a/pgpainless-cli/packaging/man/pgpainless-cli.1
+++ b/pgpainless-cli/packaging/man/pgpainless-cli.1
@@ -101,6 +101,11 @@ Create an inline\-signed message from data on standard input
 Verify inline\-signed data from standard input
 .RE
 .sp
+\fBlist\-profiles\fP
+.RS 4
+Emit a list of profiles supported by the identified subcommand
+.RE
+.sp
 \fBversion\fP
 .RS 4
 Display version information about the tool
@@ -205,4 +210,14 @@ Ambiguous input (a filename matching the designator already exists)
 \fB79\fP
 .RS 4
 Key is not signing capable
+.RE
+.sp
+\fB83\fP
+.RS 4
+Options were supplied that are incompatible with each other
+.RE
+.sp
+\fB89\fP
+.RS 4
+The requested profile is unsupported, or the indicated subcommand does not accept profiles
 .RE
\ No newline at end of file

From 52fa7e4d46331bacb6839b73012d612d147d6bfa Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 1 May 2023 09:35:28 +0200
Subject: [PATCH 0965/1450] OpenPgpMessageInputStream: Return -1 instead of
 throwing MalformedOpenPgpMessageException when calling read() on drained
 stream

---
 .../OpenPgpMessageInputStream.java              |  2 ++
 .../syntax_check/OpenPgpMessageSyntax.java      |  4 ++++
 .../OpenPgpMessageInputStreamTest.java          | 17 +++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 19a01fbf..d51a6cf7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -744,6 +744,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             throws IOException {
         if (nestedInputStream == null) {
             if (packetInputStream != null) {
+                syntaxVerifier.next(InputSymbol.EndOfSequence);
                 syntaxVerifier.assertValid();
             }
             return -1;
@@ -774,6 +775,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         super.close();
         if (closed) {
             if (packetInputStream != null) {
+                syntaxVerifier.next(InputSymbol.EndOfSequence);
                 syntaxVerifier.assertValid();
             }
             return;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
index 6abb507a..9d20e0a8 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/syntax_check/OpenPgpMessageSyntax.java
@@ -132,6 +132,10 @@ public class OpenPgpMessageSyntax implements Syntax {
     @Nonnull
     Transition fromValid(@Nonnull InputSymbol input, @Nullable StackSymbol stackItem)
             throws MalformedOpenPgpMessageException {
+        if (input == InputSymbol.EndOfSequence) {
+            // allow subsequent read() calls.
+            return new Transition(State.Valid);
+        }
         // There is no applicable transition rule out of Valid
         throw new MalformedOpenPgpMessageException(State.Valid, input, stackItem);
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
index 01966bbe..a0ec7c25 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStreamTest.java
@@ -34,6 +34,7 @@ import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.util.io.Streams;
 import org.junit.JUtils;
 import org.junit.jupiter.api.Named;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -652,6 +653,22 @@ public class OpenPgpMessageInputStreamTest {
         assertTrue(metadata.getRejectedInlineSignatures().isEmpty());
     }
 
+    @Test
+    public void readAfterCloseTest() throws PGPException, IOException {
+        OpenPgpMessageInputStream pgpIn = get(SENC_LIT, ConsumerOptions.get()
+                .addDecryptionPassphrase(Passphrase.fromPassword(PASSPHRASE)));
+        Streams.drain(pgpIn); // read all
+
+        byte[] buf = new byte[1024];
+        assertEquals(-1, pgpIn.read(buf));
+        assertEquals(-1, pgpIn.read());
+        assertEquals(-1, pgpIn.read(buf));
+        assertEquals(-1, pgpIn.read());
+
+        pgpIn.close();
+        pgpIn.getMetadata();
+    }
+
     private static Tuple processReadBuffered(String armoredMessage, ConsumerOptions options)
             throws PGPException, IOException {
         OpenPgpMessageInputStream in = get(armoredMessage, options);

From 2e730a2c4873b01940bee213dd4a4d8390f2d223 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 1 May 2023 10:10:50 +0200
Subject: [PATCH 0966/1450] Update changelog

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 506ded3a..59868c3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,11 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
-## 1.5.2-SNAPSHOT
+## 1.5.2-rc1
 - Bump `sop-java` to `6.1.0`
+- Normalize `OpenPgpMessageInputStream.read()` behaviour when reading past the stream
+  - Instead of throwing a `MalformedOpenPgpMessageException` which could throw off unsuspecting parsers,
+    we now simply return `-1` like every other `InputStream`.
 
 ## 1.5.1
 - SOP: Emit signature `mode:{binary|text}` in `Verification` results

From de5926fc472976b7a9fe24f0568364c51204c7f8 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 1 May 2023 10:12:37 +0200
Subject: [PATCH 0967/1450] PGPainless 1.5.2-rc1

---
 README.md                | 2 +-
 pgpainless-sop/README.md | 4 ++--
 version.gradle           | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 06e9f2ed..903d21b8 100644
--- a/README.md
+++ b/README.md
@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.5.1'
+	implementation 'org.pgpainless:pgpainless-core:1.5.2-rc1'
 }
 ```
 
diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md
index 7ae0a63c..a082f09c 100644
--- a/pgpainless-sop/README.md
+++ b/pgpainless-sop/README.md
@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.5.1"
+    implementation "org.pgpainless:pgpainless-sop:1.5.2-rc1"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     
         org.pgpainless
         pgpainless-sop
-        1.5.1
+        1.5.2-rc1
     
     ...
 
diff --git a/version.gradle b/version.gradle
index ce7eebc7..46a173b3 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.5.2'
-        isSnapshot = true
+        shortVersion = '1.5.2-rc1'
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From 671d45a9116e36a3124610e735c3fb122968923b Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Mon, 1 May 2023 10:15:24 +0200
Subject: [PATCH 0968/1450] PGPainless 1.5.2-rc2-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 46a173b3..564100d4 100644
--- a/version.gradle
+++ b/version.gradle
@@ -4,8 +4,8 @@
 
 allprojects {
     ext {
-        shortVersion = '1.5.2-rc1'
-        isSnapshot = false
+        shortVersion = '1.5.2-rc2'
+        isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.73'

From 9c81137f4884c9d401dbc0435d40ba872dcb704e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 13:51:34 +0200
Subject: [PATCH 0969/1450] Add template methods to generate RSA keys with
 primary and subkeys

---
 .../key/generation/KeyRingTemplates.java      | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 42eb7efa..07f2235f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -26,6 +26,78 @@ public final class KeyRingTemplates {
 
     }
 
+    /**
+     * Generate an RSA OpenPGP key consisting of an RSA primary key used for certification,
+     * a dedicated RSA subkey used for signing and a third RSA subkey used for encryption.
+     *
+     * @param userId userId or null
+     * @param length length of the RSA keys
+     * @return key
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
+     */
+    public PGPSecretKeyRing rsaKeyRing(@Nullable CharSequence userId,
+                                       @Nonnull RsaLength length)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        return rsaKeyRing(userId, length, Passphrase.emptyPassphrase());
+    }
+
+    /**
+     * Generate an RSA OpenPGP key consisting of an RSA primary key used for certification,
+     * a dedicated RSA subkey used for signing and a third RSA subkey used for encryption.
+     *
+     * @param userId userId or null
+     * @param length length of the RSA keys
+     * @param password passphrase to encrypt the key with
+     * @return key
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
+     */
+    public PGPSecretKeyRing rsaKeyRing(@Nullable CharSequence userId,
+                                       @Nonnull RsaLength length,
+                                       @Nonnull String password)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        Passphrase passphrase = Passphrase.emptyPassphrase();
+        if (!isNullOrEmpty(password)) {
+            passphrase = Passphrase.fromPassword(password);
+        }
+        return rsaKeyRing(userId, length, passphrase);
+    }
+
+    /**
+     * Generate an RSA OpenPGP key consisting of an RSA primary key used for certification,
+     * a dedicated RSA subkey used for signing and a third RSA subkey used for encryption.
+     *
+     * @param userId userId or null
+     * @param length length of the RSA keys
+     * @param passphrase passphrase to encrypt the key with
+     * @return key
+     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
+     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
+     * @throws PGPException in case of an OpenPGP related error
+     */
+    public PGPSecretKeyRing rsaKeyRing(@Nullable CharSequence userId,
+                                       @Nonnull RsaLength length,
+                                       @Nonnull Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        KeyRingBuilder builder = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER))
+                .addSubkey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.SIGN_DATA))
+                .addSubkey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.ENCRYPT_COMMS, KeyFlag.ENCRYPT_STORAGE));
+
+        if (userId != null) {
+            builder.addUserId(userId.toString());
+        }
+
+        if (!passphrase.isEmpty()) {
+            builder.setPassphrase(passphrase);
+        }
+
+        return builder.build();
+    }
+
     /**
      * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}.
      * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification.

From 8869d9bd783ead32c70725f7dd1cd17d070f085f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 13:51:59 +0200
Subject: [PATCH 0970/1450] Simplify key template methods by replacing String
 and UserID args with CharSequence

---
 .../key/generation/KeyRingTemplates.java      | 113 +++---------------
 1 file changed, 19 insertions(+), 94 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
index 07f2235f..6966232b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingTemplates.java
@@ -17,7 +17,6 @@ import org.pgpainless.key.generation.type.KeyType;
 import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
 import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.generation.type.xdh.XDHSpec;
-import org.pgpainless.key.util.UserId;
 import org.pgpainless.util.Passphrase;
 
 public final class KeyRingTemplates {
@@ -111,46 +110,20 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable UserId userId, @Nonnull RsaLength length)
-            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleRsaKeyRing(userId == null ? null : userId.toString(), length);
-    }
-
-    /**
-     * Creates a simple, unencrypted RSA KeyPair of length {@code length} with user-id {@code userId}.
-     * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification.
-     *
-     * @param userId user id.
-     * @param length length in bits.
-     *
-     * @return {@link PGPSecretKeyRing} containing the KeyPair.
-     *
-     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
-     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
-     * @throws PGPException in case of an OpenPGP related error
-     */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable CharSequence userId, @Nonnull RsaLength length)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         return simpleRsaKeyRing(userId, length, Passphrase.emptyPassphrase());
     }
 
-    /**
-     * Creates a simple RSA KeyPair of length {@code length} with user-id {@code userId}.
-     * The KeyPair consists of a single RSA master key which is used for signing, encryption and certification.
-     *
-     * @param userId user id.
-     * @param length length in bits.
-     * @param password Password of the key. Can be null for unencrypted keys.
-     *
-     * @return {@link PGPSecretKeyRing} containing the KeyPair.
-     *
-     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
-     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
-     * @throws PGPException in case of an OpenPGP related error
-     */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable UserId userId, @Nonnull RsaLength length, @Nullable String password)
-            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleRsaKeyRing(userId == null ? null : userId.toString(), length, password);
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable CharSequence userId, @Nonnull RsaLength length, @Nonnull Passphrase passphrase)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        KeyRingBuilder builder = PGPainless.buildKeyRing()
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS))
+                .setPassphrase(passphrase);
+        if (userId != null) {
+            builder.addUserId(userId.toString());
+        }
+        return builder.build();
     }
 
     /**
@@ -167,7 +140,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length, @Nullable String password)
+    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable CharSequence userId, @Nonnull RsaLength length, @Nullable String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         Passphrase passphrase = Passphrase.emptyPassphrase();
         if (!isNullOrEmpty(password)) {
@@ -176,17 +149,6 @@ public final class KeyRingTemplates {
         return simpleRsaKeyRing(userId, length, passphrase);
     }
 
-    public PGPSecretKeyRing simpleRsaKeyRing(@Nullable String userId, @Nonnull RsaLength length, @Nonnull Passphrase passphrase)
-            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
-        KeyRingBuilder builder = PGPainless.buildKeyRing()
-                .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(length), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA, KeyFlag.ENCRYPT_COMMS))
-                .setPassphrase(passphrase);
-        if (userId != null) {
-            builder.addUserId(userId);
-        }
-        return builder.build();
-    }
-
     /**
      * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey.
      * The EdDSA primary key is used for signing messages and certifying the sub key.
@@ -200,48 +162,11 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nullable UserId userId)
-            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleEcKeyRing(userId == null ? null : userId.toString());
-    }
-
-    /**
-     * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey.
-     * The EdDSA primary key is used for signing messages and certifying the sub key.
-     * The XDH subkey is used for encryption and decryption of messages.
-     *
-     * @param userId user-id
-     *
-     * @return {@link PGPSecretKeyRing} containing the key pairs.
-     *
-     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
-     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
-     * @throws PGPException in case of an OpenPGP related error
-     */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable CharSequence userId)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         return simpleEcKeyRing(userId, Passphrase.emptyPassphrase());
     }
 
-    /**
-     * Creates a key ring consisting of an ed25519 EdDSA primary key and a curve25519 XDH subkey.
-     * The EdDSA primary key is used for signing messages and certifying the sub key.
-     * The XDH subkey is used for encryption and decryption of messages.
-     *
-     * @param userId user-id
-     * @param password Password of the private key. Can be null for an unencrypted key.
-     *
-     * @return {@link PGPSecretKeyRing} containing the key pairs.
-     *
-     * @throws InvalidAlgorithmParameterException in case of invalid key generation parameters
-     * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
-     * @throws PGPException in case of an OpenPGP related error
-     */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nullable UserId userId, String password)
-            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
-        return simpleEcKeyRing(userId == null ? null : userId.toString(), password);
-    }
-
     /**
      * Creates a key ring consisting of an ed25519 EdDSA primary key and a X25519 XDH subkey.
      * The EdDSA primary key is used for signing messages and certifying the sub key.
@@ -256,7 +181,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId, String password)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable CharSequence userId, String password)
             throws PGPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         Passphrase passphrase = Passphrase.emptyPassphrase();
         if (!isNullOrEmpty(password)) {
@@ -265,14 +190,14 @@ public final class KeyRingTemplates {
         return simpleEcKeyRing(userId, passphrase);
     }
 
-    public PGPSecretKeyRing simpleEcKeyRing(@Nullable String userId, @Nonnull Passphrase passphrase)
+    public PGPSecretKeyRing simpleEcKeyRing(@Nullable CharSequence userId, @Nonnull Passphrase passphrase)
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER, KeyFlag.SIGN_DATA))
                 .addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
                 .setPassphrase(passphrase);
         if (userId != null) {
-            builder.addUserId(userId);
+            builder.addUserId(userId.toString());
         }
         return builder.build();
     }
@@ -288,7 +213,7 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing modernKeyRing(@Nullable String userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+    public PGPSecretKeyRing modernKeyRing(@Nullable CharSequence userId) throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         return modernKeyRing(userId, Passphrase.emptyPassphrase());
     }
 
@@ -304,13 +229,13 @@ public final class KeyRingTemplates {
      * @throws NoSuchAlgorithmException in case of missing algorithm implementation in the crypto provider
      * @throws PGPException in case of an OpenPGP related error
      */
-    public PGPSecretKeyRing modernKeyRing(@Nullable String userId, @Nullable String password)
+    public PGPSecretKeyRing modernKeyRing(@Nullable CharSequence userId, @Nullable String password)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
         Passphrase passphrase = (password != null ? Passphrase.fromPassword(password) : Passphrase.emptyPassphrase());
         return modernKeyRing(userId, passphrase);
     }
 
-    public PGPSecretKeyRing modernKeyRing(@Nullable String userId, @Nonnull Passphrase passphrase)
+    public PGPSecretKeyRing modernKeyRing(@Nullable CharSequence userId, @Nonnull Passphrase passphrase)
             throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
         KeyRingBuilder builder = PGPainless.buildKeyRing()
                 .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
@@ -318,7 +243,7 @@ public final class KeyRingTemplates {
                 .addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
                 .setPassphrase(passphrase);
         if (userId != null) {
-            builder.addUserId(userId);
+            builder.addUserId(userId.toString());
         }
         return builder.build();
     }

From a8ab93a49a3faff3f0c9bd7d3074e53fa0f46cee Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 14:07:33 +0200
Subject: [PATCH 0971/1450] SOP: GenerateKey with --profile=rfc4880 now
 generates RSA key with subkeys

---
 .../src/main/java/org/pgpainless/sop/GenerateKeyImpl.java       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
index ba788dac..f86d2893 100644
--- a/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
+++ b/pgpainless-sop/src/main/java/org/pgpainless/sop/GenerateKeyImpl.java
@@ -126,7 +126,7 @@ public class GenerateKeyImpl implements GenerateKey {
         // RSA 4096
         else if (profile.equals(RSA4096_PROFILE.getName())) {
             key = PGPainless.generateKeyRing()
-                    .simpleRsaKeyRing(primaryUserId, RsaLength._4096, passphrase);
+                    .rsaKeyRing(primaryUserId, RsaLength._4096, passphrase);
         }
         else {
             // Missing else-if branch for profile. Oops.

From 15f6cc70b1979882a0ccb0b68db4c0c32e534a86 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 14:30:08 +0200
Subject: [PATCH 0972/1450] Add MessageMetadata.getRecipientKeyIds()

Fixes #376
---
 .../decryption_verification/MessageMetadata.java  | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
index 648b99ab..cc97e81a 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/MessageMetadata.java
@@ -92,6 +92,21 @@ public class MessageMetadata {
         return false;
     }
 
+    /**
+     * Return a list containing all recipient keyIDs.
+     *
+     * @return list of recipients
+     */
+    public List getRecipientKeyIds() {
+        List keyIds = new ArrayList<>();
+        Iterator encLayers = getEncryptionLayers();
+        while (encLayers.hasNext()) {
+            EncryptedData layer = encLayers.next();
+            keyIds.addAll(layer.getRecipients());
+        }
+        return keyIds;
+    }
+
     public @Nonnull Iterator getEncryptionLayers() {
         return new LayerIterator(message) {
             @Override

From 304350fe5c7b771fb6ab3f8a0dd17cbbd5efd0c2 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 14:38:38 +0200
Subject: [PATCH 0973/1450] Add p-tags to EncryptionOptions javadoc

---
 .../pgpainless/encryption_signing/EncryptionOptions.java  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index b5baee83..2d0fb156 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -33,7 +33,7 @@ import org.pgpainless.util.Passphrase;
 /**
  * Options for the encryption process.
  * This class can be used to set encryption parameters, like encryption keys and passphrases, algorithms etc.
- *
+ * 
      
  * A typical use might look like follows:
  * 
        * {@code
@@ -42,11 +42,11 @@ import org.pgpainless.util.Passphrase;
  * opt.addPassphrase(Passphrase.fromPassword("AdditionalDecryptionPassphrase123"));
  * }
  * 
      
- *
+ *
      
  * To use a custom symmetric encryption algorithm, use {@link #overrideEncryptionAlgorithm(SymmetricKeyAlgorithm)}.
  * This will cause PGPainless to use the provided algorithm for message encryption, instead of negotiating an algorithm
  * by inspecting the provided recipient keys.
- *
+ * 
      
  * By default, PGPainless will encrypt to all suitable, encryption capable subkeys on each recipient's certificate.
  * This behavior can be changed per recipient, e.g. by calling
  * 
      @@ -83,7 +83,7 @@ public class EncryptionOptions {
      * Factory method to create an {@link EncryptionOptions} object which will encrypt for keys
      * which carry either the {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS} or
      * {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE} flag.
-     *
+     * 
      
      * Use this if you are not sure.
      *
      * @return encryption options

From 64c6d7a90409c57837e47cb5ee1eb4f95c73a5a4 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 14:38:52 +0200
Subject: [PATCH 0974/1450] Annotate EncryptionOptions methods with @Nonnull

---
 .../encryption_signing/EncryptionOptions.java | 34 +++++++++++--------
 .../EncryptionOptionsTest.java                |  6 ++--
 2 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 2d0fb156..63320853 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -75,7 +75,7 @@ public class EncryptionOptions {
         this(EncryptionPurpose.ANY);
     }
 
-    public EncryptionOptions(EncryptionPurpose purpose) {
+    public EncryptionOptions(@Nonnull EncryptionPurpose purpose) {
         this.purpose = purpose;
     }
 
@@ -118,7 +118,7 @@ public class EncryptionOptions {
      * @param keys keys
      * @return this
      */
-    public EncryptionOptions addRecipients(Iterable keys) {
+    public EncryptionOptions addRecipients(@Nonnull Iterable keys) {
         if (!keys.iterator().hasNext()) {
             throw new IllegalArgumentException("Set of recipient keys cannot be empty.");
         }
@@ -154,7 +154,7 @@ public class EncryptionOptions {
      * @param userId user id
      * @return this
      */
-    public EncryptionOptions addRecipient(PGPPublicKeyRing key, String userId) {
+    public EncryptionOptions addRecipient(@Nonnull PGPPublicKeyRing key, @Nonnull CharSequence userId) {
         return addRecipient(key, userId, encryptionKeySelector);
     }
 
@@ -167,11 +167,13 @@ public class EncryptionOptions {
      * @param encryptionKeySelectionStrategy strategy to select one or more encryption subkeys to encrypt to
      * @return this
      */
-    public EncryptionOptions addRecipient(PGPPublicKeyRing key, String userId, EncryptionKeySelector encryptionKeySelectionStrategy) {
+    public EncryptionOptions addRecipient(@Nonnull PGPPublicKeyRing key,
+                                          @Nonnull CharSequence userId,
+                                          @Nonnull EncryptionKeySelector encryptionKeySelectionStrategy) {
         KeyRingInfo info = new KeyRingInfo(key, new Date());
 
         List encryptionSubkeys = encryptionKeySelectionStrategy
-                .selectEncryptionSubkeys(info.getEncryptionSubkeys(userId, purpose));
+                .selectEncryptionSubkeys(info.getEncryptionSubkeys(userId.toString(), purpose));
         if (encryptionSubkeys.isEmpty()) {
             throw new KeyException.UnacceptableEncryptionKeyException(OpenPgpFingerprint.of(key));
         }
@@ -179,7 +181,7 @@ public class EncryptionOptions {
         for (PGPPublicKey encryptionSubkey : encryptionSubkeys) {
             SubkeyIdentifier keyId = new SubkeyIdentifier(key, encryptionSubkey.getKeyID());
             keyRingInfo.put(keyId, info);
-            keyViews.put(keyId, new KeyAccessor.ViaUserId(info, keyId, userId));
+            keyViews.put(keyId, new KeyAccessor.ViaUserId(info, keyId, userId.toString()));
             addRecipientKey(key, encryptionSubkey);
         }
 
@@ -192,7 +194,7 @@ public class EncryptionOptions {
      * @param key key ring
      * @return this
      */
-    public EncryptionOptions addRecipient(PGPPublicKeyRing key) {
+    public EncryptionOptions addRecipient(@Nonnull PGPPublicKeyRing key) {
         return addRecipient(key, encryptionKeySelector);
     }
 
@@ -203,7 +205,8 @@ public class EncryptionOptions {
      * @param encryptionKeySelectionStrategy strategy used to select one or multiple encryption subkeys.
      * @return this
      */
-    public EncryptionOptions addRecipient(PGPPublicKeyRing key, EncryptionKeySelector encryptionKeySelectionStrategy) {
+    public EncryptionOptions addRecipient(@Nonnull PGPPublicKeyRing key,
+                                          @Nonnull EncryptionKeySelector encryptionKeySelectionStrategy) {
         Date evaluationDate = new Date();
         KeyRingInfo info;
         info = new KeyRingInfo(key, evaluationDate);
@@ -234,7 +237,8 @@ public class EncryptionOptions {
         return this;
     }
 
-    private void addRecipientKey(PGPPublicKeyRing keyRing, PGPPublicKey key) {
+    private void addRecipientKey(@Nonnull PGPPublicKeyRing keyRing,
+                                 @Nonnull PGPPublicKey key) {
         encryptionKeys.add(new SubkeyIdentifier(keyRing, key.getKeyID()));
         PGPKeyEncryptionMethodGenerator encryptionMethod = ImplementationFactory
                 .getInstance().getPublicKeyKeyEncryptionMethodGenerator(key);
@@ -247,7 +251,7 @@ public class EncryptionOptions {
      * @param passphrase passphrase
      * @return this
      */
-    public EncryptionOptions addPassphrase(Passphrase passphrase) {
+    public EncryptionOptions addPassphrase(@Nonnull Passphrase passphrase) {
         if (passphrase.isEmpty()) {
             throw new IllegalArgumentException("Passphrase must not be empty.");
         }
@@ -267,7 +271,7 @@ public class EncryptionOptions {
      * @param encryptionMethod encryption method
      * @return this
      */
-    public EncryptionOptions addEncryptionMethod(PGPKeyEncryptionMethodGenerator encryptionMethod) {
+    public EncryptionOptions addEncryptionMethod(@Nonnull PGPKeyEncryptionMethodGenerator encryptionMethod) {
         encryptionMethods.add(encryptionMethod);
         return this;
     }
@@ -303,7 +307,7 @@ public class EncryptionOptions {
      * @param encryptionAlgorithm encryption algorithm override
      * @return this
      */
-    public EncryptionOptions overrideEncryptionAlgorithm(SymmetricKeyAlgorithm encryptionAlgorithm) {
+    public EncryptionOptions overrideEncryptionAlgorithm(@Nonnull SymmetricKeyAlgorithm encryptionAlgorithm) {
         if (encryptionAlgorithm == SymmetricKeyAlgorithm.NULL) {
             throw new IllegalArgumentException("Plaintext encryption can only be used to denote unencrypted secret keys.");
         }
@@ -322,7 +326,7 @@ public class EncryptionOptions {
     }
 
     public interface EncryptionKeySelector {
-        List selectEncryptionSubkeys(List encryptionCapableKeys);
+        List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys);
     }
 
     /**
@@ -333,7 +337,7 @@ public class EncryptionOptions {
     public static EncryptionKeySelector encryptToFirstSubkey() {
         return new EncryptionKeySelector() {
             @Override
-            public List selectEncryptionSubkeys(List encryptionCapableKeys) {
+            public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) {
                 return encryptionCapableKeys.isEmpty() ? Collections.emptyList() : Collections.singletonList(encryptionCapableKeys.get(0));
             }
         };
@@ -347,7 +351,7 @@ public class EncryptionOptions {
     public static EncryptionKeySelector encryptToAllCapableSubkeys() {
         return new EncryptionKeySelector() {
             @Override
-            public List selectEncryptionSubkeys(List encryptionCapableKeys) {
+            public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) {
                 return encryptionCapableKeys;
             }
         };
diff --git a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
index 3436ba69..7d2fa453 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptionOptionsTest.java
@@ -36,6 +36,8 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec;
 import org.pgpainless.key.util.KeyRingUtils;
 import org.pgpainless.util.Passphrase;
 
+import javax.annotation.Nonnull;
+
 public class EncryptionOptionsTest {
 
     private static PGPSecretKeyRing secretKeys;
@@ -149,7 +151,7 @@ public class EncryptionOptionsTest {
         assertThrows(KeyException.UnacceptableEncryptionKeyException.class,
                 () -> options.addRecipient(publicKeys, new EncryptionOptions.EncryptionKeySelector() {
                     @Override
-                    public List selectEncryptionSubkeys(List encryptionCapableKeys) {
+                    public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) {
                         return Collections.emptyList();
                     }
                 }));
@@ -157,7 +159,7 @@ public class EncryptionOptionsTest {
         assertThrows(KeyException.UnacceptableEncryptionKeyException.class,
                 () -> options.addRecipient(publicKeys, "test@pgpainless.org", new EncryptionOptions.EncryptionKeySelector() {
                     @Override
-                    public List selectEncryptionSubkeys(List encryptionCapableKeys) {
+                    public List selectEncryptionSubkeys(@Nonnull List encryptionCapableKeys) {
                         return Collections.emptyList();
                     }
                 }));

From 1d26751b45b00519894f91f80dbf5d3bc52b4d04 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 15:59:21 +0200
Subject: [PATCH 0975/1450] Remove unused KeyRingEditorTest

---
 .../key/modification/KeyRingEditorTest.java   | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java

diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java
deleted file mode 100644
index 68774cfc..00000000
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/KeyRingEditorTest.java
+++ /dev/null
@@ -1,19 +0,0 @@
-// SPDX-FileCopyrightText: 2020 Paul Schaub 
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.key.modification;
-
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import org.junit.jupiter.api.Test;
-import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor;
-
-public class KeyRingEditorTest {
-
-    @Test
-    public void testConstructorThrowsNpeForNull() {
-        assertThrows(NullPointerException.class,
-                () -> new SecretKeyRingEditor(null));
-    }
-}

From 3b8a1b47d7e2cd24d63a562cd246254159b645b5 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 16:03:12 +0200
Subject: [PATCH 0976/1450] Add javadoc p-tags

---
 .../src/main/java/org/pgpainless/PGPainless.java     |  6 +++---
 .../encryption_signing/SigningOptions.java           | 12 ++++++------
 .../java/org/pgpainless/key/info/KeyAccessor.java    |  2 +-
 .../java/org/pgpainless/key/info/KeyRingInfo.java    |  8 ++++----
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 6da77c80..16928210 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -152,7 +152,7 @@ public final class PGPainless {
     /**
      * Make changes to a secret key.
      * This method can be used to change key expiration dates and passphrases, or add/revoke subkeys.
-     *
+     * 
      
      * After making the desired changes in the builder, the modified key ring can be extracted using {@link SecretKeyRingEditorInterface#done()}.
      *
      * @param secretKeys secret key ring
@@ -165,7 +165,7 @@ public final class PGPainless {
     /**
      * Make changes to a secret key at the given reference time.
      * This method can be used to change key expiration dates and passphrases, or add/revoke user-ids and subkeys.
-     *
+     * 
      
      * After making the desired changes in the builder, the modified key can be extracted using {@link SecretKeyRingEditorInterface#done()}.
      *
      * @param secretKeys secret key ring
@@ -179,7 +179,7 @@ public final class PGPainless {
     /**
      * Quickly access information about a {@link org.bouncycastle.openpgp.PGPPublicKeyRing} / {@link PGPSecretKeyRing}.
      * This method can be used to determine expiration dates, key flags and other information about a key.
-     *
+     * 
      
      * To evaluate a key at a given date (e.g. to determine if the key was allowed to create a certain signature)
      * use {@link #inspectKeyRing(PGPKeyRing, Date)} instead.
      *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 0af07fc9..77f95efb 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -158,7 +158,7 @@ public final class SigningOptions {
      * Add an inline-signature.
      * Inline signatures are being embedded into the message itself and can be processed in one pass, thanks to the use
      * of one-pass-signature packets.
-     *
+     * 
      
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
      * @param secretKeyDecryptor decryptor to unlock the signing secret key
@@ -182,7 +182,7 @@ public final class SigningOptions {
      * Add an inline-signature.
      * Inline signatures are being embedded into the message itself and can be processed in one pass, thanks to the use
      * of one-pass-signature packets.
-     *
+     * 
      
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
      * @param secretKeyDecryptor decryptor to unlock the signing secret key
@@ -295,7 +295,7 @@ public final class SigningOptions {
      * Detached signatures are not being added into the PGP message itself.
      * Instead, they can be distributed separately to the message.
      * Detached signatures are useful if the data that is being signed shall not be modified (e.g. when signing a file).
-     *
+     * 
      
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
      * @param secretKeyDecryptor decryptor to unlock the secret signing key
@@ -320,7 +320,7 @@ public final class SigningOptions {
      * Detached signatures are not being added into the PGP message itself.
      * Instead, they can be distributed separately to the message.
      * Detached signatures are useful if the data that is being signed shall not be modified (e.g. when signing a file).
-     *
+     * 
      
      * This method uses the passed in user-id to select user-specific hash algorithms.
      *
      * @param secretKeyDecryptor decryptor to unlock the secret signing key
@@ -406,7 +406,7 @@ public final class SigningOptions {
 
     /**
      * Negotiate, which hash algorithm to use.
-     *
+     * 
      
      * This method gives the highest priority to the algorithm override, which can be set via {@link #overrideHashAlgorithm(HashAlgorithm)}.
      * After that, the signing keys hash algorithm preferences are iterated to find the first acceptable algorithm.
      * Lastly, should no acceptable algorithm be found, the {@link Policy Policies} default signature hash algorithm is
@@ -451,7 +451,7 @@ public final class SigningOptions {
     /**
      * Override hash algorithm negotiation by dictating which hash algorithm needs to be used.
      * If no override has been set, an accetable algorithm will be negotiated instead.
-     *
+     * 
      
      * Note: To override the hash algorithm for signing, call this method *before* calling
      * {@link #addInlineSignature(SecretKeyRingProtector, PGPSecretKeyRing, DocumentSignatureType)} or
      * {@link #addDetachedSignature(SecretKeyRingProtector, PGPSecretKeyRing, DocumentSignatureType)}.
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
index 5fa71d46..48102931 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
@@ -28,7 +28,7 @@ public abstract class KeyAccessor {
     /**
      * Depending on the way we address the key (key-id or user-id), return the respective {@link PGPSignature}
      * which contains the algorithm preferences we are going to use.
-     *
+     * 
      
      * If we address a key via its user-id, we want to rely on the algorithm preferences in the user-id certification,
      * while we would instead rely on those in the direct-key signature if we'd address the key by key-id.
      *
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 75d9e16c..45de52f3 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -292,7 +292,7 @@ public class KeyRingInfo {
 
     /**
      * Return the current primary user-id of the key ring.
-     *
+     * 
      
      * Note: If no user-id is marked as primary key using a {@link PrimaryUserID} packet,
      * this method returns the first user-id on the key, otherwise null.
      *
@@ -472,7 +472,7 @@ public class KeyRingInfo {
 
     /**
      * Return the latest direct-key self signature.
-     *
+     * 
      
      * Note: This signature might be expired (check with {@link SignatureUtils#isSignatureExpired(PGPSignature)}).
      *
      * @return latest direct key self-signature or null
@@ -782,7 +782,7 @@ public class KeyRingInfo {
      * Return the latest date on which  the key ring is still usable for the given key flag.
      * If only a subkey is carrying the required flag and the primary key expires earlier than the subkey,
      * the expiry date of the primary key is returned.
-     *
+     * 
      
      * This method might return null, if the primary key and a subkey with the required flag does not expire.
      * @param use key flag representing the use case, e.g. {@link KeyFlag#SIGN_DATA} or
      * {@link KeyFlag#ENCRYPT_COMMS}/{@link KeyFlag#ENCRYPT_STORAGE}.
@@ -1133,7 +1133,7 @@ public class KeyRingInfo {
     /**
      * Returns true, if this {@link KeyRingInfo} is based on a {@link PGPSecretKeyRing}, which has a valid signing key
      * which is ready to be used (i.e. secret key is present and is not on a smart-card).
-     *
+     * 
      
      * If you just want to check, whether a key / certificate has signing capable subkeys,
      * use {@link #isSigningCapable()} instead.
      *

From 953206b4ed39b692a4c7caa9d9b586382bf81729 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 16:03:50 +0200
Subject: [PATCH 0977/1450] Make more of the API null-safe by using
 @Nonnull/@Nullable

---
 .../main/java/org/pgpainless/PGPainless.java  |  26 ++-
 .../OpenPgpMessageInputStream.java            |   2 +-
 .../BcPGPHashContextContentSignerBuilder.java |   9 +-
 .../encryption_signing/SigningOptions.java    | 114 ++++++-----
 .../org/pgpainless/key/info/KeyAccessor.java  |  39 +++-
 .../org/pgpainless/key/info/KeyRingInfo.java  | 183 ++++++++++++------
 .../secretkeyring/SecretKeyRingEditor.java    |  10 +-
 .../algorithm/RevocationStateTest.java        |   5 -
 .../key/info/UserIdRevocationTest.java        |   1 +
 .../SignatureSubpacketsUtilTest.java          |   3 +
 ...artyCertificationSignatureBuilderTest.java |   6 +-
 .../subpackets/SignatureSubpacketsTest.java   |   2 +-
 12 files changed, 263 insertions(+), 137 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
index 16928210..3da54177 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/PGPainless.java
@@ -40,6 +40,7 @@ public final class PGPainless {
      * Generate a fresh OpenPGP key ring from predefined templates.
      * @return templates
      */
+    @Nonnull
     public static KeyRingTemplates generateKeyRing() {
         return new KeyRingTemplates();
     }
@@ -49,6 +50,7 @@ public final class PGPainless {
      *
      * @return builder
      */
+    @Nonnull
     public static KeyRingBuilder buildKeyRing() {
         return new KeyRingBuilder();
     }
@@ -57,6 +59,7 @@ public final class PGPainless {
      * Read an existing OpenPGP key ring.
      * @return builder
      */
+    @Nonnull
     public static KeyRingReader readKeyRing() {
         return new KeyRingReader();
     }
@@ -67,6 +70,7 @@ public final class PGPainless {
      * @param secretKey secret key
      * @return public key certificate
      */
+    @Nonnull
     public static PGPPublicKeyRing extractCertificate(@Nonnull PGPSecretKeyRing secretKey) {
         return KeyRingUtils.publicKeyRingFrom(secretKey);
     }
@@ -79,6 +83,7 @@ public final class PGPainless {
      * @return merged certificate
      * @throws PGPException in case of an error
      */
+    @Nonnull
     public static PGPPublicKeyRing mergeCertificate(
             @Nonnull PGPPublicKeyRing originalCopy,
             @Nonnull PGPPublicKeyRing updatedCopy)
@@ -94,6 +99,7 @@ public final class PGPainless {
      *
      * @throws IOException in case of an error in the {@link ArmoredOutputStream}
      */
+    @Nonnull
     public static String asciiArmor(@Nonnull PGPKeyRing key)
             throws IOException {
         if (key instanceof PGPSecretKeyRing) {
@@ -111,6 +117,7 @@ public final class PGPainless {
      *
      * @throws IOException in case of an error in the {@link ArmoredOutputStream}
      */
+    @Nonnull
     public static String asciiArmor(@Nonnull PGPSignature signature)
             throws IOException {
         return ArmorUtils.toAsciiArmoredString(signature);
@@ -136,6 +143,7 @@ public final class PGPainless {
      *
      * @return builder
      */
+    @Nonnull
     public static EncryptionBuilder encryptAndOrSign() {
         return new EncryptionBuilder();
     }
@@ -145,6 +153,7 @@ public final class PGPainless {
      *
      * @return builder
      */
+    @Nonnull
     public static DecryptionBuilder decryptAndOrVerify() {
         return new DecryptionBuilder();
     }
@@ -158,8 +167,9 @@ public final class PGPainless {
      * @param secretKeys secret key ring
      * @return builder
      */
-    public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys) {
-        return modifyKeyRing(secretKeys, null);
+    @Nonnull
+    public static SecretKeyRingEditorInterface modifyKeyRing(@Nonnull PGPSecretKeyRing secretKeys) {
+        return modifyKeyRing(secretKeys, new Date());
     }
 
     /**
@@ -172,7 +182,9 @@ public final class PGPainless {
      * @param referenceTime reference time used as signature creation date
      * @return builder
      */
-    public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys, Date referenceTime) {
+    @Nonnull
+    public static SecretKeyRingEditorInterface modifyKeyRing(@Nonnull PGPSecretKeyRing secretKeys,
+                                                             @Nonnull Date referenceTime) {
         return new SecretKeyRingEditor(secretKeys, referenceTime);
     }
 
@@ -186,7 +198,8 @@ public final class PGPainless {
      * @param keyRing key ring
      * @return access object
      */
-    public static KeyRingInfo inspectKeyRing(PGPKeyRing keyRing) {
+    @Nonnull
+    public static KeyRingInfo inspectKeyRing(@Nonnull PGPKeyRing keyRing) {
         return new KeyRingInfo(keyRing);
     }
 
@@ -198,7 +211,8 @@ public final class PGPainless {
      * @param referenceTime date of inspection
      * @return access object
      */
-    public static KeyRingInfo inspectKeyRing(PGPKeyRing keyRing, Date referenceTime) {
+    @Nonnull
+    public static KeyRingInfo inspectKeyRing(@Nonnull PGPKeyRing keyRing, @Nonnull Date referenceTime) {
         return new KeyRingInfo(keyRing, referenceTime);
     }
 
@@ -207,6 +221,7 @@ public final class PGPainless {
      *
      * @return policy
      */
+    @Nonnull
     public static Policy getPolicy() {
         return Policy.getInstance();
     }
@@ -216,6 +231,7 @@ public final class PGPainless {
      *
      * @return builder
      */
+    @Nonnull
     public static CertifyCertificate certify() {
         return new CertifyCertificate();
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index d51a6cf7..04d823d1 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -359,7 +359,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
         PGPCompressedData compressedData = packetInputStream.readCompressedData();
         // Extract Metadata
         MessageMetadata.CompressedData compressionLayer = new MessageMetadata.CompressedData(
-                CompressionAlgorithm.fromId(compressedData.getAlgorithm()),
+                CompressionAlgorithm.requireFromId(compressedData.getAlgorithm()),
                 metadata.depth + 1);
 
         LOGGER.debug("Compressed Data Packet (" + compressionLayer.algorithm + ") at depth " + metadata.depth + " encountered");
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
index df6f6ca3..5cdf9e36 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/BcPGPHashContextContentSignerBuilder.java
@@ -44,10 +44,15 @@ class BcPGPHashContextContentSignerBuilder extends PGPHashContextContentSignerBu
 
     BcPGPHashContextContentSignerBuilder(MessageDigest messageDigest) {
         this.messageDigest = messageDigest;
-        this.hashAlgorithm = HashAlgorithm.fromName(messageDigest.getAlgorithm());
+        this.hashAlgorithm = requireFromName(messageDigest.getAlgorithm());
+    }
+
+    private static HashAlgorithm requireFromName(String digestName) {
+        HashAlgorithm hashAlgorithm = HashAlgorithm.fromName(digestName);
         if (hashAlgorithm == null) {
-            throw new IllegalArgumentException("Cannot recognize OpenPGP Hash Algorithm: " + messageDigest.getAlgorithm());
+            throw new IllegalArgumentException("Cannot recognize OpenPGP Hash Algorithm: " + digestName);
         }
+        return hashAlgorithm;
     }
 
     @Override
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
index 77f95efb..a899bd12 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java
@@ -10,6 +10,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
 import org.bouncycastle.openpgp.PGPException;
@@ -46,7 +47,9 @@ public final class SigningOptions {
         private final boolean detached;
         private final HashAlgorithm hashAlgorithm;
 
-        private SigningMethod(PGPSignatureGenerator signatureGenerator, boolean detached, HashAlgorithm hashAlgorithm) {
+        private SigningMethod(@Nonnull PGPSignatureGenerator signatureGenerator,
+                              boolean detached,
+                              @Nonnull HashAlgorithm hashAlgorithm) {
             this.signatureGenerator = signatureGenerator;
             this.detached = detached;
             this.hashAlgorithm = hashAlgorithm;
@@ -60,7 +63,8 @@ public final class SigningOptions {
          * @param hashAlgorithm hash algorithm used to generate the signature
          * @return inline signing method
          */
-        public static SigningMethod inlineSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) {
+        public static SigningMethod inlineSignature(@Nonnull PGPSignatureGenerator signatureGenerator,
+                                                    @Nonnull HashAlgorithm hashAlgorithm) {
             return new SigningMethod(signatureGenerator, false, hashAlgorithm);
         }
 
@@ -73,7 +77,8 @@ public final class SigningOptions {
          * @param hashAlgorithm hash algorithm used to generate the signature
          * @return detached signing method
          */
-        public static SigningMethod detachedSignature(PGPSignatureGenerator signatureGenerator, HashAlgorithm hashAlgorithm) {
+        public static SigningMethod detachedSignature(@Nonnull PGPSignatureGenerator signatureGenerator,
+                                                      @Nonnull HashAlgorithm hashAlgorithm) {
             return new SigningMethod(signatureGenerator, true, hashAlgorithm);
         }
 
@@ -93,6 +98,7 @@ public final class SigningOptions {
     private final Map signingMethods = new HashMap<>();
     private HashAlgorithm hashAlgorithmOverride;
 
+    @Nonnull
     public static SigningOptions get() {
         return new SigningOptions();
     }
@@ -107,8 +113,9 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or a signing method cannot be created
      */
-    public SigningOptions addSignature(SecretKeyRingProtector signingKeyProtector,
-                                       PGPSecretKeyRing signingKey)
+    @Nonnull
+    public SigningOptions addSignature(@Nonnull SecretKeyRingProtector signingKeyProtector,
+                                       @Nonnull PGPSecretKeyRing signingKey)
             throws PGPException {
         return addInlineSignature(signingKeyProtector, signingKey, DocumentSignatureType.BINARY_DOCUMENT);
     }
@@ -124,9 +131,10 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with any of the keys
      * @throws PGPException if any of the keys cannot be unlocked or a signing method cannot be created
      */
-    public SigningOptions addInlineSignatures(SecretKeyRingProtector secrectKeyDecryptor,
-                                              Iterable signingKeys,
-                                              DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addInlineSignatures(@Nonnull SecretKeyRingProtector secrectKeyDecryptor,
+                                              @Nonnull Iterable signingKeys,
+                                              @Nonnull DocumentSignatureType signatureType)
             throws KeyException, PGPException {
         for (PGPSecretKeyRing signingKey : signingKeys) {
             addInlineSignature(secrectKeyDecryptor, signingKey, signatureType);
@@ -147,9 +155,10 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
-    public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                             PGPSecretKeyRing secretKey,
-                                             DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addInlineSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                             @Nonnull PGPSecretKeyRing secretKey,
+                                             @Nonnull DocumentSignatureType signatureType)
             throws KeyException, PGPException {
         return addInlineSignature(secretKeyDecryptor, secretKey, null, signatureType);
     }
@@ -170,10 +179,11 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
-    public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                             PGPSecretKeyRing secretKey,
-                                             String userId,
-                                             DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addInlineSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                             @Nonnull PGPSecretKeyRing secretKey,
+                                             @Nullable CharSequence userId,
+                                             @Nonnull DocumentSignatureType signatureType)
             throws KeyException, PGPException {
         return addInlineSignature(secretKeyDecryptor, secretKey, userId, signatureType, null);
     }
@@ -195,17 +205,18 @@ public final class SigningOptions {
      * @throws KeyException if the key is invalid
      * @throws PGPException if the key cannot be unlocked or the signing method cannot be created
      */
-    public SigningOptions addInlineSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                             PGPSecretKeyRing secretKey,
-                                             String userId,
-                                             DocumentSignatureType signatureType,
+    @Nonnull
+    public SigningOptions addInlineSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                             @Nonnull PGPSecretKeyRing secretKey,
+                                             @Nullable CharSequence userId,
+                                             @Nonnull DocumentSignatureType signatureType,
                                              @Nullable BaseSignatureSubpackets.Callback subpacketsCallback)
             throws KeyException, PGPException {
         KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date());
         if (userId != null && !keyRingInfo.isUserIdValid(userId)) {
             throw new KeyException.UnboundUserIdException(
                     OpenPgpFingerprint.of(secretKey),
-                    userId,
+                    userId.toString(),
                     keyRingInfo.getLatestUserIdCertification(userId),
                     keyRingInfo.getUserIdRevocation(userId)
             );
@@ -242,9 +253,10 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with any of the keys
      * @throws PGPException if any of the keys cannot be validated or unlocked, or if any signing method cannot be created
      */
-    public SigningOptions addDetachedSignatures(SecretKeyRingProtector secretKeyDecryptor,
-                                                Iterable signingKeys,
-                                                DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addDetachedSignatures(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                                @Nonnull Iterable signingKeys,
+                                                @Nonnull DocumentSignatureType signatureType)
             throws PGPException {
         for (PGPSecretKeyRing signingKey : signingKeys) {
             addDetachedSignature(secretKeyDecryptor, signingKey, signatureType);
@@ -263,8 +275,9 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
-    public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                               PGPSecretKeyRing signingKey)
+    @Nonnull
+    public SigningOptions addDetachedSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                               @Nonnull PGPSecretKeyRing signingKey)
             throws PGPException {
         return addDetachedSignature(secretKeyDecryptor, signingKey, DocumentSignatureType.BINARY_DOCUMENT);
     }
@@ -283,9 +296,10 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
-    public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                               PGPSecretKeyRing secretKey,
-                                               DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addDetachedSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                               @Nonnull PGPSecretKeyRing secretKey,
+                                               @Nonnull DocumentSignatureType signatureType)
             throws PGPException {
         return addDetachedSignature(secretKeyDecryptor, secretKey, null, signatureType);
     }
@@ -307,10 +321,11 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
-    public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                               PGPSecretKeyRing secretKey,
-                                               String userId,
-                                               DocumentSignatureType signatureType)
+    @Nonnull
+    public SigningOptions addDetachedSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                               @Nonnull PGPSecretKeyRing secretKey,
+                                               @Nullable CharSequence userId,
+                                               @Nonnull DocumentSignatureType signatureType)
             throws PGPException {
         return addDetachedSignature(secretKeyDecryptor, secretKey, userId, signatureType, null);
     }
@@ -333,17 +348,18 @@ public final class SigningOptions {
      * @throws KeyException if something is wrong with the key
      * @throws PGPException if the key cannot be validated or unlocked, or if no signature method can be created
      */
-    public SigningOptions addDetachedSignature(SecretKeyRingProtector secretKeyDecryptor,
-                                               PGPSecretKeyRing secretKey,
-                                               String userId,
-                                               DocumentSignatureType signatureType,
+    @Nonnull
+    public SigningOptions addDetachedSignature(@Nonnull SecretKeyRingProtector secretKeyDecryptor,
+                                               @Nonnull PGPSecretKeyRing secretKey,
+                                               @Nullable CharSequence userId,
+                                               @Nonnull DocumentSignatureType signatureType,
                                                @Nullable BaseSignatureSubpackets.Callback subpacketCallback)
             throws PGPException {
         KeyRingInfo keyRingInfo = new KeyRingInfo(secretKey, new Date());
         if (userId != null && !keyRingInfo.isUserIdValid(userId)) {
             throw new KeyException.UnboundUserIdException(
                     OpenPgpFingerprint.of(secretKey),
-                    userId,
+                    userId.toString(),
                     keyRingInfo.getLatestUserIdCertification(userId),
                     keyRingInfo.getUserIdRevocation(userId)
             );
@@ -369,11 +385,11 @@ public final class SigningOptions {
         return this;
     }
 
-    private void addSigningMethod(PGPSecretKeyRing secretKey,
-                                  PGPPrivateKey signingSubkey,
+    private void addSigningMethod(@Nonnull PGPSecretKeyRing secretKey,
+                                  @Nonnull PGPPrivateKey signingSubkey,
                                   @Nullable BaseSignatureSubpackets.Callback subpacketCallback,
-                                  HashAlgorithm hashAlgorithm,
-                                  DocumentSignatureType signatureType,
+                                  @Nonnull HashAlgorithm hashAlgorithm,
+                                  @Nonnull DocumentSignatureType signatureType,
                                   boolean detached)
             throws PGPException {
         SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID());
@@ -416,7 +432,9 @@ public final class SigningOptions {
      * @param policy policy
      * @return selected hash algorithm
      */
-    private HashAlgorithm negotiateHashAlgorithm(Set preferences, Policy policy) {
+    @Nonnull
+    private HashAlgorithm negotiateHashAlgorithm(@Nonnull Set preferences,
+                                                 @Nonnull Policy policy) {
         if (hashAlgorithmOverride != null) {
             return hashAlgorithmOverride;
         }
@@ -425,9 +443,10 @@ public final class SigningOptions {
                 .negotiateHashAlgorithm(preferences);
     }
 
-    private PGPSignatureGenerator createSignatureGenerator(PGPPrivateKey privateKey,
-                                                           HashAlgorithm hashAlgorithm,
-                                                           DocumentSignatureType signatureType)
+    @Nonnull
+    private PGPSignatureGenerator createSignatureGenerator(@Nonnull PGPPrivateKey privateKey,
+                                                           @Nonnull HashAlgorithm hashAlgorithm,
+                                                           @Nonnull DocumentSignatureType signatureType)
             throws PGPException {
         int publicKeyAlgorithm = privateKey.getPublicKeyPacket().getAlgorithm();
         PGPContentSignerBuilder signerBuilder = ImplementationFactory.getInstance()
@@ -444,6 +463,7 @@ public final class SigningOptions {
      *
      * @return signing methods
      */
+    @Nonnull
     Map getSigningMethods() {
         return Collections.unmodifiableMap(signingMethods);
     }
@@ -459,7 +479,8 @@ public final class SigningOptions {
      * @param hashAlgorithmOverride override hash algorithm
      * @return this
      */
-    public SigningOptions overrideHashAlgorithm(HashAlgorithm hashAlgorithmOverride) {
+    @Nonnull
+    public SigningOptions overrideHashAlgorithm(@Nonnull HashAlgorithm hashAlgorithmOverride) {
         this.hashAlgorithmOverride = hashAlgorithmOverride;
         return this;
     }
@@ -469,6 +490,7 @@ public final class SigningOptions {
      *
      * @return hash algorithm override
      */
+    @Nullable
     public HashAlgorithm getHashAlgorithmOverride() {
         return hashAlgorithmOverride;
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
index 48102931..8ab8a9c4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyAccessor.java
@@ -20,7 +20,7 @@ public abstract class KeyAccessor {
     protected final KeyRingInfo info;
     protected final SubkeyIdentifier key;
 
-    KeyAccessor(KeyRingInfo info, SubkeyIdentifier key) {
+    KeyAccessor(@Nonnull KeyRingInfo info, @Nonnull SubkeyIdentifier key) {
         this.info = info;
         this.key = key;
     }
@@ -34,13 +34,15 @@ public abstract class KeyAccessor {
      *
      * @return signature
      */
-    public abstract @Nonnull PGPSignature getSignatureWithPreferences();
+    @Nonnull
+    public abstract PGPSignature getSignatureWithPreferences();
 
     /**
      * Return preferred symmetric key encryption algorithms.
      *
      * @return preferred symmetric algorithms
      */
+    @Nonnull
     public Set getPreferredSymmetricKeyAlgorithms() {
         return SignatureSubpacketsUtil.parsePreferredSymmetricKeyAlgorithms(getSignatureWithPreferences());
     }
@@ -50,6 +52,7 @@ public abstract class KeyAccessor {
      *
      * @return preferred hash algorithms
      */
+    @Nonnull
     public Set getPreferredHashAlgorithms() {
         return SignatureSubpacketsUtil.parsePreferredHashAlgorithms(getSignatureWithPreferences());
     }
@@ -59,6 +62,7 @@ public abstract class KeyAccessor {
      *
      * @return preferred compression algorithms
      */
+    @Nonnull
     public Set getPreferredCompressionAlgorithms() {
         return SignatureSubpacketsUtil.parsePreferredCompressionAlgorithms(getSignatureWithPreferences());
     }
@@ -78,13 +82,16 @@ public abstract class KeyAccessor {
          * @param key id of the subkey
          * @param userId user-id
          */
-        public ViaUserId(KeyRingInfo info, SubkeyIdentifier key, String userId) {
+        public ViaUserId(@Nonnull KeyRingInfo info,
+                         @Nonnull SubkeyIdentifier key,
+                         @Nonnull String userId) {
             super(info, key);
             this.userId = userId;
         }
 
         @Override
-        public @Nonnull PGPSignature getSignatureWithPreferences() {
+        @Nonnull
+        public PGPSignature getSignatureWithPreferences() {
             PGPSignature signature = info.getLatestUserIdCertification(userId);
             if (signature != null) {
                 return signature;
@@ -104,19 +111,26 @@ public abstract class KeyAccessor {
          * @param info info about the key at a given date
          * @param key key-id
          */
-        public ViaKeyId(KeyRingInfo info, SubkeyIdentifier key) {
+        public ViaKeyId(@Nonnull KeyRingInfo info,
+                        @Nonnull SubkeyIdentifier key) {
             super(info, key);
         }
 
         @Override
-        public @Nonnull PGPSignature getSignatureWithPreferences() {
+        @Nonnull
+        public PGPSignature getSignatureWithPreferences() {
             String primaryUserId = info.getPrimaryUserId();
             // If the key is located by Key ID, the algorithm of the primary User ID of the key provides the
             // preferred symmetric algorithm.
-            PGPSignature signature = info.getLatestUserIdCertification(primaryUserId);
+            PGPSignature signature = null;
+            if (primaryUserId != null) {
+                signature = info.getLatestUserIdCertification(primaryUserId);
+            }
+
             if (signature == null) {
                 signature = info.getLatestDirectKeySelfSignature();
             }
+
             if (signature == null) {
                 throw new IllegalStateException("No valid signature found.");
             }
@@ -126,22 +140,27 @@ public abstract class KeyAccessor {
 
     public static class SubKey extends KeyAccessor {
 
-        public SubKey(KeyRingInfo info, SubkeyIdentifier key) {
+        public SubKey(@Nonnull KeyRingInfo info,
+                      @Nonnull SubkeyIdentifier key) {
             super(info, key);
         }
 
         @Override
-        public @Nonnull PGPSignature getSignatureWithPreferences() {
+        @Nonnull
+        public PGPSignature getSignatureWithPreferences() {
             PGPSignature signature;
             if (key.getPrimaryKeyId() == key.getSubkeyId()) {
                 signature = info.getLatestDirectKeySelfSignature();
-                if (signature == null) {
+                if (signature == null && info.getPrimaryUserId() != null) {
                     signature = info.getLatestUserIdCertification(info.getPrimaryUserId());
                 }
             } else {
                 signature = info.getCurrentSubkeyBindingSignature(key.getSubkeyId());
             }
 
+            if (signature == null) {
+                throw new IllegalStateException("No valid signature found.");
+            }
             return signature;
         }
     }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
index 45de52f3..1c20a06c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@@ -74,7 +74,9 @@ public class KeyRingInfo {
      * @param signature signature
      * @return info of key ring at signature creation time
      */
-    public static KeyRingInfo evaluateForSignature(PGPKeyRing keyRing, PGPSignature signature) {
+    @Nonnull
+    public static KeyRingInfo evaluateForSignature(@Nonnull PGPKeyRing keyRing,
+                                                   @Nonnull PGPSignature signature) {
         return new KeyRingInfo(keyRing, signature.getCreationTime());
     }
 
@@ -83,7 +85,7 @@ public class KeyRingInfo {
      *
      * @param keys key ring
      */
-    public KeyRingInfo(PGPKeyRing keys) {
+    public KeyRingInfo(@Nonnull PGPKeyRing keys) {
         this(keys, new Date());
     }
 
@@ -93,7 +95,8 @@ public class KeyRingInfo {
      * @param keys key ring
      * @param referenceDate date of validation
      */
-    public KeyRingInfo(PGPKeyRing keys, Date referenceDate) {
+    public KeyRingInfo(@Nonnull PGPKeyRing keys,
+                       @Nonnull Date referenceDate) {
         this(keys, PGPainless.getPolicy(), referenceDate);
     }
 
@@ -104,14 +107,17 @@ public class KeyRingInfo {
      * @param policy policy
      * @param referenceDate validation date
      */
-    public KeyRingInfo(PGPKeyRing keys, Policy policy, Date referenceDate) {
-        this.referenceDate = referenceDate != null ? referenceDate : new Date();
+    public KeyRingInfo(@Nonnull PGPKeyRing keys,
+                       @Nonnull Policy policy,
+                       @Nonnull Date referenceDate) {
+        this.referenceDate = referenceDate;
         this.keys = keys;
         this.signatures = new Signatures(keys, this.referenceDate, policy);
         this.primaryUserId = findPrimaryUserId();
         this.revocationState = findRevocationState();
     }
 
+    @Nonnull
     private RevocationState findRevocationState() {
         PGPSignature revocation = signatures.primaryKeyRevocation;
         if (revocation != null) {
@@ -126,6 +132,7 @@ public class KeyRingInfo {
      *
      * @return public key
      */
+    @Nonnull
     public PGPPublicKey getPublicKey() {
         return keys.getPublicKey();
     }
@@ -136,7 +143,8 @@ public class KeyRingInfo {
      * @param fingerprint fingerprint
      * @return public key or null
      */
-    public @Nullable PGPPublicKey getPublicKey(OpenPgpFingerprint fingerprint) {
+    @Nullable
+    public PGPPublicKey getPublicKey(@Nonnull OpenPgpFingerprint fingerprint) {
         return getPublicKey(fingerprint.getKeyId());
     }
 
@@ -146,7 +154,8 @@ public class KeyRingInfo {
      * @param keyId key id
      * @return public key or null
      */
-    public @Nullable PGPPublicKey getPublicKey(long keyId) {
+    @Nullable
+    public PGPPublicKey getPublicKey(long keyId) {
         return getPublicKey(keys, keyId);
     }
 
@@ -157,7 +166,8 @@ public class KeyRingInfo {
      * @param keyId key id
      * @return public key or null
      */
-    public static @Nullable PGPPublicKey getPublicKey(PGPKeyRing keyRing, long keyId) {
+    @Nullable
+    public static PGPPublicKey getPublicKey(@Nonnull PGPKeyRing keyRing, long keyId) {
         return keyRing.getPublicKey(keyId);
     }
 
@@ -210,6 +220,7 @@ public class KeyRingInfo {
      *
      * @return list of public keys
      */
+    @Nonnull
     public List getPublicKeys() {
         Iterator iterator = keys.getPublicKeys();
         List list = iteratorToList(iterator);
@@ -221,7 +232,8 @@ public class KeyRingInfo {
      *
      * @return primary secret key or null if the key ring is public
      */
-    public @Nullable PGPSecretKey getSecretKey() {
+    @Nullable
+    public PGPSecretKey getSecretKey() {
         if (keys instanceof PGPSecretKeyRing) {
             PGPSecretKeyRing secretKeys = (PGPSecretKeyRing) keys;
             return secretKeys.getSecretKey();
@@ -235,7 +247,8 @@ public class KeyRingInfo {
      * @param fingerprint fingerprint
      * @return secret key or null
      */
-    public @Nullable PGPSecretKey getSecretKey(OpenPgpFingerprint fingerprint) {
+    @Nullable
+    public PGPSecretKey getSecretKey(@Nonnull OpenPgpFingerprint fingerprint) {
         return getSecretKey(fingerprint.getKeyId());
     }
 
@@ -245,7 +258,8 @@ public class KeyRingInfo {
      * @param keyId key id
      * @return secret key or null
      */
-    public @Nullable PGPSecretKey getSecretKey(long keyId) {
+    @Nullable
+    public PGPSecretKey getSecretKey(long keyId) {
         if (keys instanceof PGPSecretKeyRing) {
             return ((PGPSecretKeyRing) keys).getSecretKey(keyId);
         }
@@ -259,6 +273,7 @@ public class KeyRingInfo {
      *
      * @return list of secret keys
      */
+    @Nonnull
     public List getSecretKeys() {
         if (keys instanceof PGPSecretKeyRing) {
             PGPSecretKeyRing secretKeys = (PGPSecretKeyRing) keys;
@@ -282,11 +297,13 @@ public class KeyRingInfo {
      *
      * @return fingerprint
      */
+    @Nonnull
     public OpenPgpFingerprint getFingerprint() {
         return OpenPgpFingerprint.of(getPublicKey());
     }
 
-    public @Nullable String getPrimaryUserId() {
+    @Nullable
+    public String getPrimaryUserId() {
         return primaryUserId;
     }
 
@@ -298,6 +315,7 @@ public class KeyRingInfo {
      *
      * @return primary user-id or null
      */
+    @Nullable
     private String findPrimaryUserId() {
         String primaryUserId = null;
         Date currentModificationDate = null;
@@ -342,10 +360,10 @@ public class KeyRingInfo {
      *
      * @return list of user-ids
      */
+    @Nonnull
     public List getUserIds() {
         Iterator iterator = getPublicKey().getUserIDs();
-        List userIds = iteratorToList(iterator);
-        return userIds;
+        return iteratorToList(iterator);
     }
 
     /**
@@ -353,6 +371,7 @@ public class KeyRingInfo {
      *
      * @return valid user-ids
      */
+    @Nonnull
     public List getValidUserIds() {
         List valid = new ArrayList<>();
         List userIds = getUserIds();
@@ -369,6 +388,7 @@ public class KeyRingInfo {
      *
      * @return bound user-ids
      */
+    @Nonnull
     public List getValidAndExpiredUserIds() {
         List probablyExpired = new ArrayList<>();
         List userIds = getUserIds();
@@ -407,21 +427,25 @@ public class KeyRingInfo {
      * @param userId user-id
      * @return true if user-id is valid
      */
-    public boolean isUserIdValid(String userId) {
+    public boolean isUserIdValid(@Nonnull CharSequence userId) {
+        if (primaryUserId == null) {
+            // No primary userID? No userID at all!
+            return false;
+        }
+
         if (!userId.equals(primaryUserId)) {
             if (!isUserIdBound(primaryUserId)) {
-                // primary user-id not valid
+                // primary user-id not valid? UserID not valid!
                 return false;
             }
         }
         return isUserIdBound(userId);
     }
 
-
-    private boolean isUserIdBound(String userId) {
-
-        PGPSignature certification = signatures.userIdCertifications.get(userId);
-        PGPSignature revocation = signatures.userIdRevocations.get(userId);
+    private boolean isUserIdBound(@Nonnull CharSequence userId) {
+        String userIdString = userId.toString();
+        PGPSignature certification = signatures.userIdCertifications.get(userIdString);
+        PGPSignature revocation = signatures.userIdRevocations.get(userIdString);
 
         if (certification == null) {
             return false;
@@ -453,6 +477,7 @@ public class KeyRingInfo {
      *
      * @return email addresses
      */
+    @Nonnull
     public List getEmailAddresses() {
         List userIds = getUserIds();
         List emails = new ArrayList<>();
@@ -477,7 +502,8 @@ public class KeyRingInfo {
      *
      * @return latest direct key self-signature or null
      */
-    public @Nullable PGPSignature getLatestDirectKeySelfSignature() {
+    @Nullable
+    public PGPSignature getLatestDirectKeySelfSignature() {
         return signatures.primaryKeySelfSignature;
     }
 
@@ -486,7 +512,8 @@ public class KeyRingInfo {
      *
      * @return revocation or null
      */
-    public @Nullable PGPSignature getRevocationSelfSignature() {
+    @Nullable
+    public PGPSignature getRevocationSelfSignature() {
         return signatures.primaryKeyRevocation;
     }
 
@@ -496,8 +523,9 @@ public class KeyRingInfo {
      * @param userId user-id
      * @return certification signature or null
      */
-    public @Nullable PGPSignature getLatestUserIdCertification(String userId) {
-        return signatures.userIdCertifications.get(userId);
+    @Nullable
+    public PGPSignature getLatestUserIdCertification(@Nonnull CharSequence userId) {
+        return signatures.userIdCertifications.get(userId.toString());
     }
 
     /**
@@ -506,8 +534,9 @@ public class KeyRingInfo {
      * @param userId user-id
      * @return revocation or null
      */
-    public @Nullable PGPSignature getUserIdRevocation(String userId) {
-        return signatures.userIdRevocations.get(userId);
+    @Nullable
+    public PGPSignature getUserIdRevocation(@Nonnull CharSequence userId) {
+        return signatures.userIdRevocations.get(userId.toString());
     }
 
     /**
@@ -516,7 +545,8 @@ public class KeyRingInfo {
      * @param keyId subkey id
      * @return subkey binding signature or null
      */
-    public @Nullable PGPSignature getCurrentSubkeyBindingSignature(long keyId) {
+    @Nullable
+    public PGPSignature getCurrentSubkeyBindingSignature(long keyId) {
         return signatures.subkeyBindings.get(keyId);
     }
 
@@ -526,7 +556,8 @@ public class KeyRingInfo {
      * @param keyId subkey id
      * @return subkey binding revocation or null
      */
-    public @Nullable PGPSignature getSubkeyRevocationSignature(long keyId) {
+    @Nullable
+    public PGPSignature getSubkeyRevocationSignature(long keyId) {
         return signatures.subkeyRevocations.get(keyId);
     }
 
@@ -535,7 +566,8 @@ public class KeyRingInfo {
      * @param keyId key-id
      * @return list of key flags
      */
-    public @Nonnull List getKeyFlagsOf(long keyId) {
+    @Nonnull
+    public List getKeyFlagsOf(long keyId) {
         // key is primary key
         if (getPublicKey().getKeyID() == keyId) {
 
@@ -575,7 +607,8 @@ public class KeyRingInfo {
      * @param userId user-id
      * @return key flags
      */
-    public @Nonnull List getKeyFlagsOf(String userId) {
+    @Nonnull
+    public List getKeyFlagsOf(String userId) {
         if (!isUserIdValid(userId)) {
             return Collections.emptyList();
         }
@@ -607,6 +640,7 @@ public class KeyRingInfo {
      *
      * @return creation date
      */
+    @Nonnull
     public Date getCreationDate() {
         return getPublicKey().getCreationTime();
     }
@@ -617,7 +651,8 @@ public class KeyRingInfo {
      *
      * @return last modification date.
      */
-    public @Nonnull Date getLastModified() {
+    @Nonnull
+    public Date getLastModified() {
         PGPSignature mostRecent = getMostRecentSignature();
         if (mostRecent == null) {
             // No sigs found. Return public key creation date instead.
@@ -631,7 +666,8 @@ public class KeyRingInfo {
      *
      * @return latest key creation time
      */
-    public @Nonnull Date getLatestKeyCreationDate() {
+    @Nonnull
+    public Date getLatestKeyCreationDate() {
         Date latestCreation = null;
         for (PGPPublicKey key : getPublicKeys()) {
             if (!isKeyValidlyBound(key.getKeyID())) {
@@ -648,7 +684,8 @@ public class KeyRingInfo {
         return latestCreation;
     }
 
-    private @Nullable PGPSignature getMostRecentSignature() {
+    @Nullable
+    private PGPSignature getMostRecentSignature() {
         Set allSignatures = new HashSet<>();
         PGPSignature mostRecentSelfSignature = getLatestDirectKeySelfSignature();
         PGPSignature revocationSelfSignature = getRevocationSelfSignature();
@@ -668,6 +705,7 @@ public class KeyRingInfo {
         return mostRecent;
     }
 
+    @Nonnull
     public RevocationState getRevocationState() {
         return revocationState;
     }
@@ -677,7 +715,8 @@ public class KeyRingInfo {
      *
      * @return revocation date or null
      */
-    public @Nullable Date getRevocationDate() {
+    @Nullable
+    public Date getRevocationDate() {
         return getRevocationState().isSoftRevocation() ? getRevocationState().getDate() : null;
     }
 
@@ -686,7 +725,8 @@ public class KeyRingInfo {
      *
      * @return expiration date
      */
-    public @Nullable Date getPrimaryKeyExpirationDate() {
+    @Nullable
+    public Date getPrimaryKeyExpirationDate() {
         PGPSignature directKeySig = getLatestDirectKeySelfSignature();
         Date directKeyExpirationDate = null;
         if (directKeySig != null) {
@@ -722,6 +762,7 @@ public class KeyRingInfo {
         return userIdExpirationDate;
     }
 
+    @Nullable
     public String getPossiblyExpiredPrimaryUserId() {
         String validPrimaryUserId = getPrimaryUserId();
         if (validPrimaryUserId != null) {
@@ -760,7 +801,8 @@ public class KeyRingInfo {
      * @param fingerprint subkey fingerprint
      * @return expiration date or null
      */
-    public @Nullable Date getSubkeyExpirationDate(OpenPgpFingerprint fingerprint) {
+    @Nullable
+    public Date getSubkeyExpirationDate(OpenPgpFingerprint fingerprint) {
         if (getPublicKey().getKeyID() == fingerprint.getKeyId()) {
             return getPrimaryKeyExpirationDate();
         }
@@ -788,6 +830,7 @@ public class KeyRingInfo {
      * {@link KeyFlag#ENCRYPT_COMMS}/{@link KeyFlag#ENCRYPT_STORAGE}.
      * @return latest date on which the key ring can be used for the given use case, or null if it can be used indefinitely.
      */
+    @Nullable
     public Date getExpirationDateForUse(KeyFlag use) {
         if (use == KeyFlag.SPLIT || use == KeyFlag.SHARED) {
             throw new IllegalArgumentException("SPLIT and SHARED are not uses, but properties.");
@@ -814,20 +857,18 @@ public class KeyRingInfo {
         }
 
         if (nonExpiringSubkeys.isEmpty()) {
-            if (latestSubkeyExpirationDate != null) {
-                if (primaryExpiration == null) {
-                    return latestSubkeyExpirationDate;
-                }
-                if (latestSubkeyExpirationDate.before(primaryExpiration)) {
-                    return latestSubkeyExpirationDate;
-                }
+            if (primaryExpiration == null) {
+                return latestSubkeyExpirationDate;
+            }
+            if (latestSubkeyExpirationDate.before(primaryExpiration)) {
+                return latestSubkeyExpirationDate;
             }
         }
         return primaryExpiration;
     }
 
-    public boolean isHardRevoked(String userId) {
-        PGPSignature revocation = signatures.userIdRevocations.get(userId);
+    public boolean isHardRevoked(@Nonnull CharSequence userId) {
+        PGPSignature revocation = signatures.userIdRevocations.get(userId.toString());
         if (revocation == null) {
             return false;
         }
@@ -907,7 +948,8 @@ public class KeyRingInfo {
      * @param purpose purpose (encrypt data at rest / communications)
      * @return encryption subkeys
      */
-    public @Nonnull List getEncryptionSubkeys(EncryptionPurpose purpose) {
+    @Nonnull
+    public List getEncryptionSubkeys(@Nonnull EncryptionPurpose purpose) {
         Date primaryExpiration = getPrimaryKeyExpirationDate();
         if (primaryExpiration != null && primaryExpiration.before(referenceDate)) {
             LOGGER.debug("Certificate is expired: Primary key is expired on " + DateUtil.formatUTCDate(primaryExpiration));
@@ -966,7 +1008,8 @@ public class KeyRingInfo {
      *
      * @return decryption keys
      */
-    public @Nonnull List getDecryptionSubkeys() {
+    @Nonnull
+    public List getDecryptionSubkeys() {
         Iterator subkeys = keys.getPublicKeys();
         List decryptionKeys = new ArrayList<>();
 
@@ -999,7 +1042,8 @@ public class KeyRingInfo {
      * @param flag flag
      * @return keys with flag
      */
-    public List getKeysWithKeyFlag(KeyFlag flag) {
+    @Nonnull
+    public List getKeysWithKeyFlag(@Nonnull KeyFlag flag) {
         List keysWithFlag = new ArrayList<>();
         for (PGPPublicKey key : getPublicKeys()) {
             List keyFlags = getKeyFlagsOf(key.getKeyID());
@@ -1021,11 +1065,13 @@ public class KeyRingInfo {
      * @param purpose encryption purpose
      * @return encryption subkeys
      */
-    public @Nonnull List getEncryptionSubkeys(String userId, EncryptionPurpose purpose) {
+    @Nonnull
+    public List getEncryptionSubkeys(@Nullable CharSequence userId,
+                                                   @Nonnull EncryptionPurpose purpose) {
         if (userId != null && !isUserIdValid(userId)) {
             throw new KeyException.UnboundUserIdException(
                     OpenPgpFingerprint.of(keys),
-                    userId,
+                    userId.toString(),
                     getLatestUserIdCertification(userId),
                     getUserIdRevocation(userId)
             );
@@ -1039,7 +1085,8 @@ public class KeyRingInfo {
      *
      * @return signing keys
      */
-    public @Nonnull List getSigningSubkeys() {
+    @Nonnull
+    public List getSigningSubkeys() {
         Iterator subkeys = keys.getPublicKeys();
         List signingKeys = new ArrayList<>();
         while (subkeys.hasNext()) {
@@ -1057,39 +1104,48 @@ public class KeyRingInfo {
         return signingKeys;
     }
 
+    @Nonnull
     public Set getPreferredHashAlgorithms() {
         return getPreferredHashAlgorithms(getPrimaryUserId());
     }
 
-    public Set getPreferredHashAlgorithms(String userId) {
+    @Nonnull
+    public Set getPreferredHashAlgorithms(@Nullable CharSequence userId) {
         return getKeyAccessor(userId, getKeyId()).getPreferredHashAlgorithms();
     }
 
+    @Nonnull
     public Set getPreferredHashAlgorithms(long keyId) {
         return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId))
                 .getPreferredHashAlgorithms();
     }
 
+    @Nonnull
     public Set getPreferredSymmetricKeyAlgorithms() {
         return getPreferredSymmetricKeyAlgorithms(getPrimaryUserId());
     }
 
-    public Set getPreferredSymmetricKeyAlgorithms(String userId) {
+    @Nonnull
+    public Set getPreferredSymmetricKeyAlgorithms(@Nullable CharSequence userId) {
         return getKeyAccessor(userId, getKeyId()).getPreferredSymmetricKeyAlgorithms();
     }
 
+    @Nonnull
     public Set getPreferredSymmetricKeyAlgorithms(long keyId) {
         return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredSymmetricKeyAlgorithms();
     }
 
+    @Nonnull
     public Set getPreferredCompressionAlgorithms() {
         return getPreferredCompressionAlgorithms(getPrimaryUserId());
     }
 
-    public Set getPreferredCompressionAlgorithms(String userId) {
+    @Nonnull
+    public Set getPreferredCompressionAlgorithms(@Nullable CharSequence userId) {
         return getKeyAccessor(userId, getKeyId()).getPreferredCompressionAlgorithms();
     }
 
+    @Nonnull
     public Set getPreferredCompressionAlgorithms(long keyId) {
         return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
     }
@@ -1173,15 +1229,20 @@ public class KeyRingInfo {
         return true;
     }
 
-    private KeyAccessor getKeyAccessor(@Nullable String userId, long keyID) {
+    private KeyAccessor getKeyAccessor(@Nullable CharSequence userId, long keyID) {
         if (getPublicKey(keyID) == null) {
             throw new NoSuchElementException("No subkey with key id " + Long.toHexString(keyID) + " found on this key.");
         }
-        if (userId != null && !getUserIds().contains(userId)) {
+
+        if (userId != null && !getUserIds().contains(userId.toString())) {
             throw new NoSuchElementException("No user-id '" + userId + "' found on this key.");
         }
-        return userId == null ? new KeyAccessor.ViaKeyId(this, new SubkeyIdentifier(keys, keyID))
-                : new KeyAccessor.ViaUserId(this, new SubkeyIdentifier(keys, keyID), userId);
+
+        if (userId != null) {
+            return new KeyAccessor.ViaUserId(this, new SubkeyIdentifier(keys, keyID), userId.toString());
+        } else {
+            return new KeyAccessor.ViaKeyId(this, new SubkeyIdentifier(keys, keyID));
+        }
     }
 
     public static class Signatures {
@@ -1193,7 +1254,9 @@ public class KeyRingInfo {
         private final Map subkeyRevocations;
         private final Map subkeyBindings;
 
-        public Signatures(PGPKeyRing keyRing, Date referenceDate, Policy policy) {
+        public Signatures(@Nonnull PGPKeyRing keyRing,
+                          @Nonnull Date referenceDate,
+                          @Nonnull Policy policy) {
             primaryKeyRevocation = SignaturePicker.pickCurrentRevocationSelfSignature(keyRing, policy, referenceDate);
             primaryKeySelfSignature = SignaturePicker.pickLatestDirectKeySignature(keyRing, policy, referenceDate);
             userIdRevocations = new HashMap<>();
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 01c09903..6210ef5b 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -72,14 +72,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
     private PGPSecretKeyRing secretKeyRing;
     private final Date referenceTime;
 
-    public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing) {
-        this(secretKeyRing, null);
+    public SecretKeyRingEditor(@Nonnull PGPSecretKeyRing secretKeyRing) {
+        this(secretKeyRing, new Date());
     }
 
-    public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing, Date referenceTime) {
-        if (secretKeyRing == null) {
-            throw new NullPointerException("SecretKeyRing MUST NOT be null.");
-        }
+    public SecretKeyRingEditor(@Nonnull PGPSecretKeyRing secretKeyRing,
+                               @Nonnull Date referenceTime) {
         this.secretKeyRing = secretKeyRing;
         this.referenceTime = referenceTime;
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
index e23d92d3..c24084b4 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/algorithm/RevocationStateTest.java
@@ -60,11 +60,6 @@ public class RevocationStateTest {
         assertEquals("softRevoked (2022-08-03 18:26:35 UTC)", state.toString());
     }
 
-    @Test
-    public void testSoftRevokedNullDateThrows() {
-        assertThrows(NullPointerException.class, () -> RevocationState.softRevoked(null));
-    }
-
     @Test
     public void orderTest() {
         assertEquals(RevocationState.notRevoked(), RevocationState.notRevoked());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java
index fd665901..0caf8b75 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/info/UserIdRevocationTest.java
@@ -95,6 +95,7 @@ public class UserIdRevocationTest {
         KeyRingInfo info = new KeyRingInfo(secretKeys);
 
         PGPSignature signature = info.getUserIdRevocation("secondary@key.id");
+        assertNotNull(signature);
         RevocationReason reason = (RevocationReason) signature.getHashedSubPackets()
                 .getSubpacket(SignatureSubpacketTags.REVOCATION_REASON);
         assertNotNull(reason);
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
index d5cfb4f5..5b93415e 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/SignatureSubpacketsUtilTest.java
@@ -145,6 +145,7 @@ public class SignatureSubpacketsUtilTest {
 
         PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey());
         Set featureSet = SignatureSubpacketsUtil.parseFeatures(signature);
+        assertNotNull(featureSet);
         assertEquals(2, featureSet.size());
         assertTrue(featureSet.contains(Feature.MODIFICATION_DETECTION));
         assertTrue(featureSet.contains(Feature.AEAD_ENCRYPTED_DATA));
@@ -216,6 +217,7 @@ public class SignatureSubpacketsUtilTest {
         PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey());
 
         RevocationKey revocationKey = SignatureSubpacketsUtil.getRevocationKey(signature);
+        assertNotNull(revocationKey);
         assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), revocationKey.getFingerprint());
         assertEquals(secretKeys.getPublicKey().getAlgorithm(), revocationKey.getAlgorithm());
     }
@@ -277,6 +279,7 @@ public class SignatureSubpacketsUtilTest {
 
         PGPSignature signature = generator.generateCertification(secretKeys.getPublicKey());
         TrustSignature trustSignature = SignatureSubpacketsUtil.getTrustSignature(signature);
+        assertNotNull(trustSignature);
         assertEquals(10, trustSignature.getDepth());
         assertEquals(3, trustSignature.getTrustAmount());
     }
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
index ced6a466..bf1cb694 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/builder/ThirdPartyCertificationSignatureBuilderTest.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.signature.builder;
 
+import org.bouncycastle.bcpg.sig.Exportable;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
@@ -22,6 +23,7 @@ import java.security.NoSuchAlgorithmException;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -61,7 +63,9 @@ public class ThirdPartyCertificationSignatureBuilderTest {
         assertEquals(SignatureType.GENERIC_CERTIFICATION, SignatureType.valueOf(certification.getSignatureType()));
         assertEquals(secretKeys.getPublicKey().getKeyID(), certification.getKeyID());
         assertArrayEquals(secretKeys.getPublicKey().getFingerprint(), certification.getHashedSubPackets().getIssuerFingerprint().getFingerprint());
-        assertFalse(SignatureSubpacketsUtil.getExportableCertification(certification).isExportable());
+        Exportable exportable = SignatureSubpacketsUtil.getExportableCertification(certification);
+        assertNotNull(exportable);
+        assertFalse(exportable.isExportable());
 
         // test sig correctness
         certification.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), secretKeys.getPublicKey());
diff --git a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java
index 988bc776..3c2eda91 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/signature/subpackets/SignatureSubpacketsTest.java
@@ -376,7 +376,7 @@ public class SignatureSubpacketsTest {
     public void testSetSignatureTarget() {
         byte[] hash = new byte[20];
         new Random().nextBytes(hash);
-        wrapper.setSignatureTarget(PublicKeyAlgorithm.fromId(key.getAlgorithm()), HashAlgorithm.SHA512, hash);
+        wrapper.setSignatureTarget(PublicKeyAlgorithm.requireFromId(key.getAlgorithm()), HashAlgorithm.SHA512, hash);
         PGPSignatureSubpacketVector vector = SignatureSubpacketsHelper.toVector(wrapper);
 
         SignatureTarget target = vector.getSignatureTarget();

From d05ffd0451f47633c7def76d6e6fc834c4cc492d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 16:11:06 +0200
Subject: [PATCH 0978/1450] Make DateUtil null-safe

---
 .../src/main/java/org/pgpainless/util/DateUtil.java  | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
index ad1fce09..f56020d4 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/util/DateUtil.java
@@ -4,6 +4,7 @@
 
 package org.pgpainless.util;
 
+import javax.annotation.Nonnull;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -16,6 +17,7 @@ public final class DateUtil {
     }
 
     // Java's SimpleDateFormat is not thread-safe, therefore we return a new instance on every invocation.
+    @Nonnull
     public static SimpleDateFormat getParser() {
         SimpleDateFormat parser = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
         parser.setTimeZone(TimeZone.getTimeZone("UTC"));
@@ -28,11 +30,12 @@ public final class DateUtil {
      * @param dateString timestamp
      * @return date
      */
-    public static Date parseUTCDate(String dateString) {
+    @Nonnull
+    public static Date parseUTCDate(@Nonnull String dateString) {
         try {
             return getParser().parse(dateString);
         } catch (ParseException e) {
-            return null;
+            throw new IllegalArgumentException("Malformed UTC timestamp: " + dateString, e);
         }
     }
 
@@ -42,6 +45,7 @@ public final class DateUtil {
      * @param date date
      * @return timestamp
      */
+    @Nonnull
     public static String formatUTCDate(Date date) {
         return getParser().format(date);
     }
@@ -51,7 +55,8 @@ public final class DateUtil {
      * @param date date
      * @return floored date
      */
-    public static Date toSecondsPrecision(Date date) {
+    @Nonnull
+    public static Date toSecondsPrecision(@Nonnull Date date) {
         long millis = date.getTime();
         long seconds = millis / 1000;
         long floored = seconds * 1000;
@@ -63,6 +68,7 @@ public final class DateUtil {
      *
      * @return now
      */
+    @Nonnull
     public static Date now() {
         return toSecondsPrecision(new Date());
     }

From 21ae48d8c11cc8686fb9c7b3d50ec02116f4a58d Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:13:29 +0200
Subject: [PATCH 0979/1450] Use assert statements to flag impossible NPEs

---
 .../decryption_verification/OpenPgpMessageInputStream.java  | 2 ++
 .../pgpainless/key/certification/CertifyCertificate.java    | 1 +
 .../key/modification/secretkeyring/SecretKeyRingEditor.java | 6 +++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
index 04d823d1..07098269 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
@@ -544,6 +544,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
             for (Tuple k : postponedDueToMissingPassphrase) {
                 PGPSecretKey key = k.getA();
                 PGPSecretKeyRing keys = getDecryptionKey(key.getKeyID());
+                assert (keys != null);
                 keyIds.add(new SubkeyIdentifier(keys, key.getKeyID()));
             }
             if (!keyIds.isEmpty()) {
@@ -556,6 +557,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
                     PGPSecretKey secretKey = missingPassphrases.getA();
                     long keyId = secretKey.getKeyID();
                     PGPSecretKeyRing decryptionKey = getDecryptionKey(keyId);
+                    assert (decryptionKey != null);
                     SubkeyIdentifier decryptionKeyId = new SubkeyIdentifier(decryptionKey, keyId);
                     if (hasUnsupportedS2KSpecifier(secretKey, decryptionKeyId)) {
                         continue;
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
index 05e64879..9340d93d 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/certification/CertifyCertificate.java
@@ -275,6 +275,7 @@ public class CertifyCertificate {
         // We only support certification-capable primary keys
         OpenPgpFingerprint fingerprint = info.getFingerprint();
         PGPPublicKey certificationPubKey = info.getPublicKey(fingerprint);
+        assert (certificationPubKey != null);
         if (!info.isKeyValidlyBound(certificationPubKey.getKeyID())) {
             throw new KeyException.RevokedKeyException(fingerprint);
         }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 6210ef5b..73c39c25 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -182,7 +182,10 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             }
 
             // We need to unmark this user-id as primary
-            if (info.getLatestUserIdCertification(otherUserId).getHashedSubPackets().isPrimaryUserID()) {
+            PGPSignature userIdCertification = info.getLatestUserIdCertification(otherUserId);
+            assert (userIdCertification != null);
+
+            if (userIdCertification.getHashedSubPackets().isPrimaryUserID()) {
                 addUserId(otherUserId, new SelfSignatureSubpackets.Callback() {
                     @Override
                     public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@@ -601,6 +604,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
             }
 
             if (prevUserIdSig.getHashedSubPackets().isPrimaryUserID()) {
+                assert (primaryUserId != null);
                 PGPSignature userIdSig = reissueNonPrimaryUserId(secretKeyRingProtector, userId, prevUserIdSig);
                 secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig);
             }

From 09bacd40d1701d52dbb23d3360c7dca1532e2000 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:14:18 +0200
Subject: [PATCH 0980/1450] SecretKeyRingEditor: referenceTime cannot be null
 anymore

---
 .../secretkeyring/SecretKeyRingEditor.java           | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
index 73c39c25..7c577600 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@@ -124,9 +124,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
         }
 
         SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector);
-        if (referenceTime != null) {
-            builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
-        }
+        builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
         builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION);
 
         // Retain signature subpackets of previous signatures
@@ -351,16 +349,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
                 .getV4FingerprintCalculator(), false, subkeyProtector.getEncryptor(subkey.getKeyID()));
 
         SubkeyBindingSignatureBuilder skBindingBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector, hashAlgorithm);
-        if (referenceTime != null) {
-            skBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
-        }
+        skBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
         skBindingBuilder.getHashedSubpackets().setKeyFlags(flags);
 
         if (subkeyAlgorithm.isSigningCapable()) {
             PrimaryKeyBindingSignatureBuilder pkBindingBuilder = new PrimaryKeyBindingSignatureBuilder(secretSubkey, subkeyProtector, hashAlgorithm);
-            if (referenceTime != null) {
-                pkBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
-            }
+            pkBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
             PGPSignature pkBinding = pkBindingBuilder.build(primaryKey.getPublicKey());
             skBindingBuilder.getHashedSubpackets().addEmbeddedSignature(pkBinding);
         }

From 7a194c517ac9ce03d3e9eaffc770c12a1655580a Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:15:30 +0200
Subject: [PATCH 0981/1450] Remove KeyRingUtils.removeSecretKey() in favor of
 stripSecretKey()

---
 .../org/pgpainless/key/util/KeyRingUtils.java | 24 -------------------
 .../CertificateWithMissingSecretKeyTest.java  |  2 +-
 2 files changed, 1 insertion(+), 25 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
index 2ce058fd..23361c13 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
@@ -440,30 +440,6 @@ public final class KeyRingUtils {
         return newSecretKey;
     }
 
-    /**
-     * Remove the secret key of the subkey identified by the given secret key id from the key ring.
-     * The public part stays attached to the key ring, so that it can still be used for encryption / verification of signatures.
-     *
-     * This method is intended to be used to remove secret primary keys from live keys when those are kept in offline storage.
-     *
-     * @param secretKeys secret key ring
-     * @param secretKeyId id of the secret key to remove
-     * @return secret key ring with removed secret key
-     *
-     * @throws IOException in case of an error during serialization / deserialization of the key
-     * @throws PGPException in case of a broken key
-     *
-     * @deprecated use {@link #stripSecretKey(PGPSecretKeyRing, long)} instead.
-     * TODO: Remove in 1.2.X
-     */
-    @Nonnull
-    @Deprecated
-    public static PGPSecretKeyRing removeSecretKey(@Nonnull PGPSecretKeyRing secretKeys,
-                                                   long secretKeyId)
-            throws IOException, PGPException {
-        return stripSecretKey(secretKeys, secretKeyId);
-    }
-
     /**
      * Remove the secret key of the subkey identified by the given secret key id from the key ring.
      * The public part stays attached to the key ring, so that it can still be used for encryption / verification of signatures.
diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
index a53999a6..e5f9e370 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CertificateWithMissingSecretKeyTest.java
@@ -83,7 +83,7 @@ public class CertificateWithMissingSecretKeyTest {
         encryptionSubkeyId = PGPainless.inspectKeyRing(secretKeys)
                 .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0).getKeyID();
         // remove the encryption/decryption secret key
-        missingDecryptionSecKey = KeyRingUtils.removeSecretKey(secretKeys, encryptionSubkeyId);
+        missingDecryptionSecKey = KeyRingUtils.stripSecretKey(secretKeys, encryptionSubkeyId);
     }
 
     @Test

From 5c76f9046f28f013bf3e3ce70c7ac8f092abec6f Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:16:10 +0200
Subject: [PATCH 0982/1450] Turn empty catch block into test failure

---
 .../IgnoreUnknownSignatureVersionsTest.java                    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java
index 2b60ea02..aa1da741 100644
--- a/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/decryption_verification/IgnoreUnknownSignatureVersionsTest.java
@@ -5,6 +5,7 @@
 package org.pgpainless.decryption_verification;
 
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -71,7 +72,7 @@ public class IgnoreUnknownSignatureVersionsTest {
         try {
             cert = PGPainless.readKeyRing().publicKeyRing(CERT);
         } catch (IOException e) {
-
+            fail("Cannot parse certificate.", e);
         }
     }
 

From 78cb2ec3d0f3b14ff16ff87d4dc5343c803b6c8e Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:16:56 +0200
Subject: [PATCH 0983/1450] Do not catch and immediatelly rethrow exception

---
 .../decryption_verification/TeeBCPGInputStream.java      | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index bdbd9bcd..e1d33f70 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -7,7 +7,6 @@ package org.pgpainless.decryption_verification;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.util.NoSuchElementException;
 
 import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.MarkerPacket;
@@ -49,13 +48,7 @@ public class TeeBCPGInputStream {
             return null;
         }
 
-        OpenPgpPacket packet;
-        try {
-            packet = OpenPgpPacket.requireFromTag(tag);
-        } catch (NoSuchElementException e) {
-            throw e;
-        }
-        return packet;
+        return OpenPgpPacket.requireFromTag(tag);
     }
 
     public Packet readPacket() throws IOException {

From 3cea98536506dfa2a44d5898c27e096cd53cdfb9 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:19:18 +0200
Subject: [PATCH 0984/1450] TeeBCPGInputStream: Annotate byte[] arg as @Nonnull

---
 .../decryption_verification/TeeBCPGInputStream.java           | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
index e1d33f70..725c6f6e 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/TeeBCPGInputStream.java
@@ -19,6 +19,8 @@ import org.bouncycastle.openpgp.PGPOnePassSignature;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.pgpainless.algorithm.OpenPgpPacket;
 
+import javax.annotation.Nonnull;
+
 /**
  * Since we need to update signatures with data from the underlying stream, this class is used to tee out the data.
  * Unfortunately we cannot simply override {@link BCPGInputStream#read()} to tee the data out though, since
@@ -121,7 +123,7 @@ public class TeeBCPGInputStream {
         }
 
         @Override
-        public int read(byte[] b, int off, int len) throws IOException {
+        public int read(@Nonnull byte[] b, int off, int len) throws IOException {
             if (last != -1) {
                 outputStream.write(last);
             }

From fb581f11c792c17f516ec50683b50bcdad24ca53 Mon Sep 17 00:00:00 2001
From: Paul Schaub 
Date: Wed, 3 May 2023 17:20:02 +0200
Subject: [PATCH 0985/1450] UserId.parse(): Prevent self-referencing javadoc

---
 .../src/main/java/org/pgpainless/key/util/UserId.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
index 427f9060..b115afda 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/UserId.java
@@ -88,7 +88,7 @@ public final class UserId implements CharSequence {
      *     
    • John Doe <john@pgpainless.org>
      • 
      *     
    • John Doe (work email) <john@pgpainless.org>
      • 
      * 
    
-     * In these cases, {@link #parse(String)} will detect email addresses, names and comments and expose those
+     * In these cases, this method will detect email addresses, names and comments and expose those
      * via the respective getters.
      * This method does not support parsing mail addresses of the following formats:
      *

    W?rUxsg$(fAlSCsKgD_&3@)_ywzY^ibh9oaktz=+L}ye==Nv9$ltd4M1pBorY~2z z`n^DjIM9}V^esAtb*jfsk>ynV9Zpc5)$5OAb9aGa;_di%S!|UwZ28-&IGYqyo`hWU zxdy|tlw1{XL*ETw7M%k`7aas9+(cHb7Eu*;B1nn@;g)zn6{M`{M*w{b-Gdd9DX2V9 z$3UH1?>xK-|3ko!MzNW@JRs%pcEtcn$ila7S-$lRKKp@$(&{2QkVn6zY{e(* zIPRrSWk^@96Dp07(SrHJ8Xu@EjY^&-It_=>^AsAPb?g;X6* z#T5RHAm2K^ggP!TgeG8sN6EsY0WiR$0T|#}`!m1;@iD;TI7X?ekfOQ*m;7=yw;ZAK zvrPGl7jrm!@d136C#I-L5|L+}`(CO^bY95*G-vzl5U@4UPDab`f0Upwn|~0mu%;}c+Y0rP00h=2XAdgMUq8%YYuhAC+Qct+%oosFIQWY_KLl&^Iqhu< zn>~6y`TU-mBEZ?KoRab>y)s2_iX$*?&8db7zWabc?Nxd0)W% z@&ZW}w@_*Zi|{EYSW!LIigJczkrPkhPF=m}Kv}gJw9x^_sqhG@o!hBOv0h57b{!kT zBP6En?5FhXCjCs(^S{kuj&ximydq=*?A<=M#%s!}0CSjGFIwrRiBIQf4EZ1CFq1## zu+u$iO8*d2mOth&kTk5Ftr}%6=d^K_OwJT5wqK|olAE$L&Dd&oT%Mn&6Sg|`h z9CId%BjM;6s1|lVqiz2s4tqZv+{zZin^;Ykvsb@o&f_4&Ub<%@%2^J$ZO#IWe?isb z9;KdwCjX%O;fFYxx3uh+C@kz~*hX72nO%FKq4KW*9>huQ;H>38U5m4?XV9iR5s-o6 zgbgiAME#>DKhWZX4wOZjX+I}%3yzv%wwe5sR^Nbf$vK?YgQJL_HDcN}G}B#Zn2v^Q zX@lCKT+A74Gk3DVbN0g1_Q&P#^Q@|3Y8wW2+A>nz7nid-{FL3F``yMj>{>1u+RI7S zQ&|5i+Yakohi1^hHYemtTt2D}G`jR`BU>tu{k+yN5u-h48-dv)jF~d9gfL<>nFof7 z&wukHt(G+&XtA>=qi6%%UA>P)#qo$or{a{h6A@cK2`40i{awlSS6VG<+b1`uB{QE5 zU2lhq6B&i4Y9Elkqmg;=(A}=^*5!0;MC9k$kt z?m|zu+)^FJJ@IzSn-F?FKp`lqu~zr75JwUV_;6(OaN;q2pE44*yi{SV+tw@4_bX#k zl-R$7k4D?CZyYp{RZ7`o6<9l?KVanywqUuDwbnO=&?Sx?wJ1T)g6_&xVSkE+wnydD zb$>pMyO>T!(-Zf6p1)rIOC4tQ{_-)v;~}WP$lHve`}@v9ijKf@nNf?J?sZwk+tjI~ zgIlCs1g39z+Wh$m37ngau48led;!k+trNntU8(6l;@;y)Y^$LX7!LT%|KSRB+%M7d z@$_7d&y(xbq`+!XugW^hO8mjC@1tyi1@$uHy0YNHt~Wq)RvO4ht>EUw(r$2&Xs*=d zCYgh{+Ix4U^!S_Ev~c8GYZeEQ&Zr*N@fH{JoA>xCiwx$Kh|Npx&`T{tPsVyz2-eR? zV(y8ytsH4I9OOuVJFH6WQVft)d(vL*i~Jx<{vUUkTn6RiuZVwhhed6?86Cdjy`9yj zXW~QZj6eAN39B#rV45aGKf>xC#<~hM699J@AgunD^mp4rinG2O88fH&9WcKWV2$Hx z8U%HCRZala;oLM0Z2x}Br*ymM{UR5sAOfe$xnV#bOHzpIDc#+hd2uZ}cv9pUYEvAO zj}_=lAejFs+TjN4M!AVW1xv~-#ra;AhbjCA^f?BZ&S(L0G8R&pv?$L z62)EnG%T2^qa-4PC+RHQqCt^)g27d2B}p7{VBfl+!aOWzOdmkkq*e6#R7j)pC_mxt{TwqcQ-&i6Qs9^CJ+ZZ&FXH~33_f4 z%S7O=N{^+rhE{RPEVnlqCJk&mold*QuN64baW)!RqKP&(Aq`q>xgU<)qK4kx770%7 ze087~)jlYt$ASTTibd&92)$iKDYN z$?uK(xSr<$FF*NkJGzNPcsgT=QD?piNl(y>{l%W``lqwjw9S>50lME$#=VyI|tt7u2#iN1_$*tqvON=E$L|o%S<i^x9GmkH0RKK^+CJeywK<}zV@ERGi+t_}7;5IhuJUdRW_?_cNT0HcZB9PiKB zT)(@>>HW+QS+y(_UA~`WRp^?Exxa{0>G6x>#pG%b_nmpxbU~kIvXO0GS{LD4M83n@ zHTldD$CjDm&0L=^Kgi~mu~d=;NTL9QH;bZFlI1N?-bM4SFb9$k{Yt$%ijwhFkmu}A zhR0)}^R!7)yIyp>!f%Py?HKh{<}FU|QURxvS=Sr50Vg&vyedF^w(ArZo{)xk~nWUV2#M4UTXlVg&~o{+3(I2(Nh@)< z!>9_Y@Xfx#EfrpDuS5)8&X77mbF{UD)H)d6(#>UojqL({zW1W+xP8k_%_IN>WEroc zicL+bK|xn?+?JU_tZ>GK$E1;isMe@dqgttWGm9zo^+KS3JYJ@8#{y#g7;U|ogPYqt zbPqv>#+0l=N@T;Upu|kRu76f#YFLf?Q`_aJ<6(p$9Orwj!Pe0$TS0Fm&Zqa6!7+lL zxACI8zjba6)MWErd3gEHZ>b=r&x~Ihe@@qMaVBnRrA7B=P!kk*3(57*Bdxcg<6bZa zy&URf2jsuaX1Xk8*GrU$|_1bH$zyA_+?{J&j zIACW{Y`LKf3cw3Ss?tFs5EX>GY-AFxwc))*{N#Le0h7m`9b!WQMQ&Dl?3y16T zHQkbm=?c;lwwCx|<_V|pQfl~ohg8thYUYrx(YMOtHmi{uY2ZzwBbRKP$=Sh>dfMT zE9}E)LZF0Eg4Fc(rZlri1|QmK&xojFk29R#@4_ELDs3w>@%FU)yuD73n+0SL(a1~2 z#6ZY08`c=xXzBZ>P+^P^zm|bjf9$&)X8KuZBU?1m7b{of{|l&$gw6Hws#vB0fNHm? zv0zm@SNYC8>% zhx;W4L%B(8AQIalm=pT5fF%fp@j+to@C|>^|0-A#5trZZ_Wid;#d0Nvh87RTA3mk= zH=jaEHRT5IDK*W%_|&zqTfiSaMGepYy?Rr4qBA?mTque_&LA3VSO_HLmEX!d^|DoO zRrcTblmjzSDD#IF3}lcIpapXi0`Ms;m`8kdMquNzF=`{AT%)ue+#h-Hm>0B`ivi9! z7}MkK2<+eL^29#)lx5^ej1s(9`cf<#HNcDvo8Dak75rvxyYZdm5)PmRQ~i0e=l_Z^ z{VldI0DBXNHIsi8cnlF22FoS@gAa>K9R7$^XrES&qQZBZUZT7ks4w1h+vx@$#Ex+6 z#(uX)O-c0vh+y_ps_C})SPJvlE{CZem)G#0N`;kq+UH-pIaN~8*(d5pq#u z+hOv`bf?f>nzZJR7VPHaLkkuF(1Mw>GK&1gr~Fqg(7zq9?k%fyRttwLulbF}YU{6x99 z;~y>9)Ilike*6k0!->K^YK;(?5UgYmNXr-_o>U?QUkaSafT++ne$>47L3ZSe8UwYO z{DNaY{)zrV+c=wH6P(B+&>DCO4JX)cA6^wL`fB7y9)8LpYY|b6W!+ysBOB zG!fEL?wKta(NbtSsh=TMf!zON>>YzEX&AQK*v3Q?JDJ$F?TKyMo_J#0)&vuKV%xTD zo}Ibx=Y5|#-&b|czx+$8vwL?}uU^;6Aq@=v^^AtC8kx&OGsTSNbhteXlJ9_6`KGSb zRj>k3Do&N8?qs2M`6=GG{lHoY^IaJoop-U_F1lyzxf- zL3N%la$<|1DK?lXfbsSvm(XxP*yhUWa}^8_wz(k?Ox|M>p2qlh70j?jX~-gWfLTL4 zb`cr%_x+^$g-rIB!jk=ve3^0HC8(*PnCoJRi0DT%qJ8_lIDS%bbQj)fX{1{ex0a4v zXI})TnaNPec$Y64HgTkBENIVpPR8)KoRrfCLCq!z{?X8}LCXw^p2&!~WB2H1eFF7I zTRqN#T~4Cv$?AApPPr@*mIE^)6khVmxN&K7XZUbIrA0ysqKIZNGX{0ES=g3o2rAjF zlw``REbxi{1cdrQd-ADNoT#4o6DowsqV-ev3-bQ_ZlMUu6=p8P$bHD~4pehSszR-G z)Dp19&N2BM1uI?F&ik*hO)ns9bISggPjM2mpS^wkcN8rDa}+H9>;tm$PEDdfI)AQ| z_6giRRw11BNv!eN5yd+v_xV4gV2u<9wsS`TLu8^Ngu_#+Y8tl^{}~1Abz%58^KjVP zi@QaN$1~F*cT&F>cR573aN$3Hw2xPK8lAplrjC`K?EY>Z_Qx`Ia%@ z)BJDQ=1S6bcgNi@|H%hQ1M)#X-1+ml z_VrpvPF>~)-5p8irpAi?Cv8)Yd9mx!M>u>BP%2U_{A6WW(?pN+K9!2dC$M7MMVT)g z_5h`V3v3Rbm?@LXaFn)mizT#xG~M#AQqfPUa5M@~Dzex7g_C}pD5dTEleSUJFii%e zZFuSrPB0UI!`G=FQzpSrn&Df;25s|8#?w!9pL@U3$0S$SzxB?{^>ea@zkOS|>z;A| z8XD%vxy0t6qT$F{{hql>LH(A?qa@)#Oi|oU5#9H}{C>)AE@0n9ac?gLVpFKIcDe z8`ZTUR|%tXEScC&W9?OdI#ax`s z%9){frY1h63bC&4Bu-7|GS$u%XDBlswbfPk{AmntSv(5s=-BfNl`0u?9eXaL>ygSv zT%I$Hh+S{yB%%E4&sWEl9AkxUy=Kmf9U`kj4v$3!)@Jm#zj(=c0ilO$ilV3InR>w7 zGm?gFyR4HgZmv$IHifdIQ^pf)M zjkA)x!T*I+ssKm@_?p5a+7IXGVCMP@scQab60GF>w_IW?vbOpD-eh0mzpWV4@4xWI zTFW#I-JL4G2WA4zc70BQg^1(1GTR3R>=e5=eolf>nbrsKE!xr9*~COlXq=Ain5lUm zmvrbPYdlg0d0I~G2C*#M(CHuFdNipz%N#GYPnGnEg(Rn-TLJPm|DjYi07@l-KRMQ( zZB~0;D(NWvnYR%Zu7f`T_-cEfl**#~e<;;%eIpEASm=J#U0Q``D_|T{<2TjtKa^Zl z*ij5@Y`&Z%_Sr6erz2;6C&ez5#G$pE$6EB^ zSn>lF!7>TixE{cDX4L=oZN38fHcRaAm-_Pdd>l~<$Erd)D zoNQ=Tm+Mv?(KWu!vlEK`CWX&jaceY?sES2JPY??Ts2~kBa;C#e%RoEGY&b<(%RXcW zOT;IR96pytemNe+Yr*9UI**!2=+Bf-Zgo_SOVD`>17Iq0POn4^Ij59;RNVF@91&6M zA2$DBDi30gonoVNX#l30cO?G|-0)5v-IFam3lCh}M+%y0%R1c#JoIy3hso;h2^T~1 zv_B)6A4wOFq_37RXCFB|M1@yIAQa@sFRJc4oUgV!ul+6D=6OEQL=Jg+Fap^2+1AFN^% ze>U+L=c;U~`ig|hx55k<1mhKET)3_B$MUFKIzqe6V@p_E{&pE;s&fnYeC!>BaSZ1T zm6*`;8gSs*IK}eRl%vff>CBLYpZ`AHs(a zUl{~R)=ppdNeSw>cz!i&cBXSO)oE}w#&XYj`@~dIyEFhyb-wH)eHaior1^=d9=ZP) zQyH29FxBt>!c@a6870hP)&Xs6`jgg9C@W=_5&%pE5Gu&hS4`;mF#`B1?QY324k>*) zo}X7Jw~Coqx?^0k&D~;rh9xe`f^l`pptZ-1Yj6t9a21Q z*p9}qEtlY@0?)$TQCrwJvD~T3%+fh20UjU0wRCh87;n6lBg77grRVbRg)Qy5Uj^q@b7ocXe-8yYQ?yq<63o2V;jkWeKg&U%O zc(k3JxSbQko}pU(3PR?q(f<|VC-K``ww3|-J7EDf3;&EhzAu<{1k~GeSdJ6qnd&4% z0$aegsWkEedDB?P@4zt0+AI95RFS>v+|Rzvcr%zq|IkbvpIh>0--d_nl)D<5j>xz9 z;RmIdhurduU2mm-G$fP;pl>t!({TvUx7pz<0k6rbI8BUm?P4{LKiDjf)#&+|7WNaJ z%D`{(55(><7KB#P%F@uN`4!N7^OcM$u}cfz2Quk z_-E_hZ^|XJyRD@ri5*45gD_7xsj*G`iC{fs^zfndy{LEcnGS!F6JG3h2{$tyE49Fr z-`B>QS=IYf0&|dkLrIte41)dkhnr+y_9JJOOx;pESI@_G09(MtTN#bb2gu$rw`$zN&)IyEw`$Qiv?DEi8dB#{svvR?Wm{m@H7T0R7PRD+4}>NB>h4@Q z!`jAa$HYi9>+k#<3yAt7$?lQd}_?2PiByzoK!l%ih+ZiRMQ4d{Jy~kk?e+W13{n z{r)bRRpi0|R{TgW-Hf=vax9+0T>cc?SJXw#mFAec?&AQ&8}^VD3KSf_Df;}5IL8Xb z?mLm=^GIx6lHx3ufCv~|T|)=092|SzM40ana$5Qk4cusIn87|r8&OtoPKH(u&Xt`L zv%jU793V1ORGqtV3=Knn7CX zNOq;gKqq>Y*)A^O%W#4`Xp?-P+QWdb*W8jGhbNNj)B|fQP1opZ-^kZ@jcacaNNhf? z!4YA%UA-#jgx;gHGxB<^l$eaEk5_Y6!^{8B`r zx!o?_o7igk?m@N^Ad<@^jC|WP7+`g3&I|4lc6eg2bl;+`Iy)$vqPrWkrIM+Aw{K+P z3ZtsGKhFlWg*o4PnIgFwM$P)*`3|yqnD)4`Qm;ndG;abe@fvf0M`(`qQQ+0wjOoH( zBe?v3Sp*km0-wVMs`jXr^Gc^QD=JLO=x(YAD|;g2qn$(;@N#g>tmPkM)HdD~r-$E; zOZMg~4mt`&*PUC@m*62X`;fg^(gu?@8RVMkI{fOYQA(0EEkChj4{0d6^S0L49%+gE zAk^p#X+(c7-;wxXYN)RAM-%%_Ea}OALQ-pi?GkL8L8E>kHmLfz4Qk7~^6KUA-uV~B z181Z;4`S{%1w6%O^xfY&0|G+Bbbjue(EOT>&) zJ*kC7&`JrSvClz!&LgY_$q^s7cLM}S;I^$QC{4e(WeMJjH~GR_Z`l+xC{8Y zQ>E2v7tXdzeT#6?Q$;1Xoz7N=?NOvg=j0#T?L0(mp<5;(_?DHYh@=skA2+JWtk!$w z>AP>;0#`V_M_)C+%NCQle7WqKLE4b3xuISmT(s|AV+xsw)-;|`It~m}Uf=xsRhpkk zV|s@7&-bRvOpS4{9pb6$CCarwEYiJvyiJ--xHg&YnNF@^XaOtXUQgnPNv5qBak8Rb zxYp(2HTv#0h^`ap=j7Xa1PbQu-Y4ESJ)J#c1?j53y-ZzTDDj@c@}At7!MX$aKay=9 z8`~eV6EU*t#iWpc4=1~5rqVeGR;0GeFgfLs@sOq5QX$x2Hir?X931(N3Cp*%FTB11 ztFUUQAjW}FdU%I`fHdQ4@zA4g_644e_XT!nU0JA**g4$*4ODPeZ!@&ER`)WLKRrY* zR*h9hFQi(G$WVDGUj|V}@b3#)Z(2y&dGzO9b3y74=y#YpBOlXP@a;T(A27NRy3fIP zV1o0eXIC2K5oVdB;&OZTc6%!l)M>%e6!$Pp%z9XG%>Xqlms@j{ZiXD^(ggyP&cGN? zzZ1fZR72aKbcYe>ZiQczeA_q&f!(H?FDkA+jTISn_KdKh>#M=)m)yxhZyGBWE!oqD z`g4$0%DaIHbTPD>X?dbj{lheZc_LRViE`@fjcAe-#Kzt>Y4}bYrJh0^a|d{w6-8S; z2a@yagATQA2q)eyF4rDA>!*-4|G^f0(Jlpbd3?c-%X+-B7L2Ug)fkMU3Md8>^>lB? zvgM9cRFPW*`wX8^zYE+*W-}p&ZB%w;^A&$^VaX|6P0Ubh-M{hqKGJLbUx?RVko9*! zjGdn8e~A~<|4F<)H^u&c5ic&Aj)UsZIshKh^%DjDjeThiz+Lp0rKk3P1{vucQ#)<# z(b2JD=WHS9S0k&oF>-S#0M(gb#uc9Dv+86%TboxJUaQ|BXLKL#PmR8d?+4c*XA_$6 z(fZUhwjE6awSCM!gWeC{GcSw-H=2LTT!YVZ9O zvUWWSi?41h1*TnyHkuYF$c zcR*nHkD<;PWYLKgRVqWdplK2BiTrZ@lnN+&cv?Mb;jgMHx8s9E>)+BhF)V}mzk&M- z;SYxf8W(YsMAZL5M_!o>v8`kdL-%q&1uTdufc{=3#Ab)$jLeKd;O@Wj1Q=P{F`}3$ z#EhFQYasf|J2B?KM3OZ9aZsDTN@EG5p9uzTk%P%p4JT7#iAfqZXC-OH9m{n_ACW^h z|JVn&s5vdp1cAY>n+@kpy#i70#0-owv>7iCGq64=_#F~iU03jrXVI@jy+0I8?}<7prlSn$LpEF_bB z0$x%XAI9D-FLiV{ehpzs|0|&jK5(5r^D}@m*mDu zS&d!IwRqc%)!Cr~LO4uI&-d;M*Hmf}tKEecz+-z1X8dtbz~U3T;=K^>36RO0zU+Lvxw?k6P|rp&F{;{jNPb*3D_$v z5Fru@%oSm;01T`3?Qh%wHkdk>eGYo2fd^Ri2Hp+| zM<_bUIIwZ!?JdHSxMp>|m|e(6^n}#S5Uw*)^P*%^(Z{6q9fxOyyYBJ`#?F0_bA)nC z2Jx8Wh!zbeX544tV4^=$I2;76pEF`vuPSVL4E7ggqHo6CdJRCWNJx4sjhl@8$R}#l z7tu-s>tU8^1zgq9(mNm=N98&P(&J%>nzI~+tcQ#Wfm{au+G?p2fbo9(ea!Hf$RYy} zTtEtESlv&Xv|S22tK-XO3Ma80>~Ij|Id<{O9pyy;gj7x)FY;u;V9htc8`&;5y|L{h zc_%LT;E_Crh5^&68T@%eGhngLf!JMNA+dxE`nqu?P+9;_yYkALlfS3kQXdjQc?I5u zR56GFpjVD7N>qYq@?ss8B=b~43GKDaE_`P}S~}<3EL3o_Pq0!Ysc{kc9x0qwizEE-T9`JB-S0;=wu=RtucQ)BYi}N~W8qk{TMY zPPs}&sQptbXjESb20qY?5j^+d`QXTc%uYjCP;*x1)JWK~W+dQJXa5qqUReGj6Fzsn z6!Fabs)&I;mQKGpb+PGK(30r-av`8Z(LM@f8HC`% z`~*xrYf=xK-i~i={^jV9_t4`dEMv}~hO_5Omy^&y{h`JAo{+L~!=OJo9Wjttwl{bs zByx+*2EfYN6gT34)VODKJarn7nJ~m=DGK~-GA7!S zi};fKXhyj24!Cz%l}{68(;oR&D|`bL)Ip`~{sTfA z?dYyY3$?ZDAV6H`470Q&G-Oig0sXE|HsN>EoAIO zu39&^G3L)LvEw4N7L+M8z?Rqqgq+Tt#G}S!#SVPU?I|x(4GhiE34{%l3P%QWD~&7B8$wA)NfQJ zQd1}Y2toRt^YlCCqyZpivHc@vspMG>ntXQ`UGN{4mIzR`XrHX_pzxkMvFhvo91}yB z$QuFNL4&cRa5qZ&-Fh$FJcpz0K-Q%tLI? zJS2T4P{vN{&j!wF=QHjX1inAgm8lXmzRQ zX=^F{HW2d%0P>{;AYUCji8d8ZT69gm(zk|tNPo%KSY6ssazTDAz_kRBuSb0cjkhm zK`3-_=S+Q#&u$$t0+26`bgsEcYg+XGI?7@*)Upa`bdr8ag%F2kM)}4CHj@69^lK^6 zY&&8>1dT3rED0H%b6G=dd|o0$jT$^KT1>(cO9YvxQ^W#jjf1e@0BFmO8LF z_z-Wk06BmKDy|v@9OSs0Q{U_7knhZxUvOJ|FYTI_Do}c#$363r{A9XwbZo2(8?aAp z;WAPc%H2q(v*tWKj^sv@X@$kbj_FhMKLKbd+2_|@q4vo(iA|GHUn z2?RJpM4xU}9biq2_H#`P;AUNW&6CSk?(b=%99f7&92^u3jV%QD%{@Rh;;P4Ye?9YI zgZ%B4)83E`J|QQ9SzG({6MPwn&#z{97TqfW+$@vMpZ#vpFqSwe_DhF_X_V zv9g6Bki8|t0xna)X*!10D4^uSao3QatZf%K*j zZq);8WXw240&0QbM`FwbgLE|T(^&V^?O=mMVy%M(WC8uu z!y`t377iz%g|j{ru9P~!w^!s%yZ!GcEK-HZ(6tqOP@1jmw z!KgUQyj9>uXA>1fmZ_*3T)Xizh4YinI*BS}Ur%jcLfR*wNK4GWUw+Ioo63~9WqNcZ z2XI;a$-I#lL7=5C;8}luyof!L-)wMK2O`gN@nxzQp2%GqAZNM%k-IZt2FO`dEXzIk zpD7%hn5zkm{q%t=t>3x%%P!g)TVj->nh|7l70sF6&`QY*e}0#lD^Bc3iqgz;RrGRq zkyYzW;lqI-pA-MS_)^SQuZP=``hY5PomIx{`9t8vCs?e$S^rIA(z!MIbu=U`olBr- zDI66EipXYK~Vpm!K^ehEJ!k^E#U^sFNrkXr3B(Bo%&13)S zSv`~iEPyewUkt=u@sN?PkTVR0NA6OMiK0qNgp(N+!<8kakqkKbOwD$d(GGwyv8nGn zewfP1%+4k|Yr}93kv~gvxVO;?{uvXSEKtmF$v2KaYygySm^-3psas2lTuf)rU%v4@ z+5FYBN=BAAT2K>R8uI?U8H$8NUmJ*om{%Ph4y_X~PLtfaD*{3|X1U~Xs6Gj!vrh0W z23$&0HBe9XBE=JI&2@6jue^Nuo0`etQFxc*+@e*7PUPsB=f6GfC;@ubC-%x=UT|u0 z7wcOV0i9k7t0*^jC^}znIj@%>6Y!)aKs_EYDWh8{#!-F{pYQ9iDtfkInj14IONXD0 zs^a>4UJO0*vylU~#0I|6KpLwmOLGCR7hp>)AE0L)T^l5wCkpL`g{%c$`X9Oo#`BF$ zFapsjMX`QjuY`Q~7VL!kLq>Pue>yl57N-1C*r4^Lb56V>(<~9E9svah9OKT#=oy9~ zhmSR5VVlIUuCWy??d68g>-)z}S00l%=cB8mH~yxw9&i9X>!#-`=@G-{6>4AFG&^^i zgj;(i)8?3#69h`bU(Qo4K}t3oTE^>JOPXg`;Ug*F3Wd5bib9Z|7k0|zdU$P*R;`h5 zG?4fA5=C+L7~5Y&%drOS!P}aXD-C9Ko?m4Eq1_$8!3Iw>Ax8ns14-u8e-xTgF_~FV z@3l=zRPFBZ)r{jW_j0@#X1o?&+425{u@Tz{1#Qk@`O=(2{n^2BHM{an;O8$Z5;!q>l>hJJwhb1>rmCzv@hJ4LT>snhL{%`=3pj& zY?h-(bvXD}Z4apF`m_qa9!lTQ7k0i4+(+a4SgzRmKJOqNWP`k3st?&+7`R=ZheXKn zzS%+3?iSzwLC>LDw~#~hw?z(ozolR1<$FSyh#aAFdqQ6!oM7|1d@CJnM{Ikr!H4E+ z13l$gz1cbf&bpHOcwgbuUH5H$)n{8jB~WL_td4&4>iL_(VS1%7UH$IKu0Kd~S|7sq zJS$@3kEh7$n3+yI)*h+f=JhHIM?kBYoY#Zcj?v{> zevr&LN*WTc^)lV~<;mF}=wYGo!S|^+Vg-)?%E#J`f8SrS`@v^4s)=e6(Pp%zTHYUVWB&N`yR5 zx%YmRc^gOXqCmP=!rci35nz8#Sb&s`s1GfU7 z^eFJ^-ue;F^q*mGdBitLUes#ufK+>YSnzJ~Nk}-}CWVyW7-;L9sEWi!Vm~@KfGM$b}pSjRJooj|*}> zJTNY~i0l_0-j;|iuYxHj+>FLxOT=Yj%o{N4x8n?$yOA$(VW$OCu?|cuNFQppWqx#U zWhFERuE6WCgFwj7aJcFhWMJJKMX#KBvmr6-YR*BtYg(?BT)96KZH zVstO>g#aXFTm}U&m4OR_s&TP?%TF~NY_=kVpZn%te8xx|=ufEAdr!3N7j3yKvi*s^ z(!w(xKI^?9O-J`(gbZw@F$p4x+FtTUI^4>C-{GofUsDS{tr#tLZ0Nax8n!vok*AdB zf8oP^H3y`qN7uUHjGbybRjq!ZC;OVA8G8n=f6;`<-!>i4rdP4yVlSO|(@Az57F^w& z-QtgWu(d)&yssA8csgi2mpFHwm$A2Gb4)U&y(gn)Q`hfZO@nhVh1puA;_<@VG~;GZ zObA#j!(^39H2^uFa#3-*s{$4hII%M`D@W!6p6=X!?V>PPeaZNc=fa@#T3EHjyiGka zVSlsZ)Jd+WsrAQfg{pOGN^cKe>uI%P^)w!8SS^hpMP#WI;t+di4m$?58qXvMALxId z!rks(9-wC6j-L6Nt5q^0jfgFzpe+JZ%&(Qm zLn7FTnAt;Ab^Qa4`sMOX{#G&ljW2z)TGBSnfib-+eUlL!im4+`$Gp-=X5$B*mU>NP zYFb{m*dPB`9Lc~Y>p$B5Y7&C+3=?J|5YNF6B7rkLAuao>sgG`4lFc^377z$p8+|{t zKKh~B()&bNLDUzD`7#TmvMi+IOuB#Rvh4oZ#@x@;9TA2r_s&2m3?ZmvpD_%1W(r=M zhpbpJ3z#?cF-*6(FRA-M=)M>BLM%WUtINTdQ>N~jZKEFhSj0581pu!P({j_CZ(p>VbVWnrMs8wMUR_x9N+{T7;*I^(&mu zVyvg@#g#R|h2t&90Me_xdW6qu%)o~J*~4%uG@pP8I3}6LHPDhAT%MfIW)69DHTEV> zm(ntdkCdpHe0Lu~9_hN~zQBgRia}PuiT&+n_S<(EZE1v(l>R&(G*C%w&jPhYa`?NS zBPFaC+h*FU@}ZtMw~u=|-m=j2JQ&mzcJ=4b7i;)TK0~u?hP)p1+p!VG9s|A4tVIW7 zDu}i9Q0fDf+gd9`S))H0)>OXA8d@DIRj~icysFM`5vL*bz^;w1foE8qgrq`61FDvO zZS}+%_Q7LIdf8gjNA}@P4`$)b_t2dv-W4XN^gqH>=-VDw#Zxty>pM>VEhkASP-Znf zbMppi&@!|e!Uguzb8W~bnMn~rTEB|JQ8P%>L}J0s^yf=bA)~p?X+)0W0nhaxy=xqV z$TW2#HFFMFcI9cDOjl#!k-fTxL8iCkhlXaufDr6R8w9`)HEzDw4T7}Jiilw%Ic!N9 zo_u4ns6K29Q{3WHf^1*g%k!Kq^(--CQPoOmN1wRLoNje1oGM1n))w)u(nnnLf4P5X z?G#ic9pXZto$f1d0o4d@Usx|6b=4fPrk$C^!SyLuw$AK@-?zQJ8jB2Gl70^{jKdaQ zSQF6h7r^7CbvP`VMmu)VaMrAn~`PQeuE|bimCWd zf~^VP1}W_&jOWKZOl8q8J*^&nI}aGrU&IBC+g#J zLOD$v6GruXWv@F|@gW{I+AeH}Tgf+yd zziN37pe=l4-SfUMGK0zSMjve2;3(a|X^EyUT+#i!cQ^V${`BQ_gTi@4-tvuXE$@S@ zzeqC$P5|W2fN7-8D!*$>;EynBE};Xo4fi|mv>PPoC2=FJ=V>%y%R+8Pgrx07ByNv6 zqf{+d<4CyHPG?Sbz%(EJF%;kIk!RpX@qSdenNuCkkT}P~SJbDMn^By(tfEt7K3r$6 z;Y%MinvT1Tc&eU|OB+_3`EA@&K0C#CmlrY5JN(XzW@5f3zJxee%`T=!e_7k=kL>R> zUVjAm>NVyo@v%J!c^(%CzZ~v(TLGRMc!!4RDgd>PN$NuT7>rIbuB`W^?8pytVI3cq z?_97ybKN|3ZLHdJ!7TzIz|SIe;Ez6uCe|ke6nydASbvM0Fl^BSBitf^*MvK=053+PSQ8rw5U=udjp0G`rjaG!aMV4>NS#nose=;NMM7}kkj5NE-7Y5UBM{fW@kCbS!a!eKp~)gtk^ z%_TarRasW?;7Ety_;tAKvb782|jhHuN&-8s78Y5j!O4xuBOxCvS?aasbB4J%z_BpNdbvRQ)YXE64M|v|10=lfECc zd?v7hTykrwitpqjeZ=&_hdTqD0~3Mrd|WCY=pfM+ovq&IdYGb1s*u=HFdmDG;w%hL zNNDfCGUvk)nomQT#3$Hk2N9#^O~UvcYz@}ya^DwN;9_L)|HfJWlVoCJX8JGA%KCqD z*3Ui6|4+{PZ>R|{et8Gv60Vqt*X0lVvWO6~MuIVD5R=FhADDxycW(0U{G|({x)E)E zh;Cvy5oKH)#nK3I#)r%Ei96N@y7;!3XEt)$4+zO!Se~vP*C+cao#d z0HSv%_dK`<$4;lFrD4mEs zN5SQJWQPm|?Q8iJ554-A^MxZiUv>dYA#a;Yj@&6P(b%hs1aERG*^RffACKHNX5sxXk0_l#RS%tuu``*5^TqociO!*R-{m&{B=jl;z z04Y>bxEV7ae?Pmm;VxJvro^%4+T9P{-GR00^q~h1!q-P^^@l=_1BNjxsh`vWL4UO5 zBgKg&GGZXuh~wzAMaZsBBJ7*CSKHNY*bkQrkJxP^6% z)Ae1ORyqA92%M7uw-EcDfROGYbEj-F0hCz=fLX3f8a9$P5f!Ur~DARsROiKU&t1vW7k4vsUb`Kworr}dkNbq5cHGQ(Wk(R z-do|c_tWtb1LQ*R$+u-H7g=#K)MjIbIkznHlG5MTk9H0NFAHH$aQ+POV0IiE!0Lmd zr~*PED1S+-gs=?}BH|%7qzCHC&x4?47qZa6_~iJQa+g<9^#N0>*kHWw|tj$9X^4}qvM}d%S<(dup>p=atjyQfK6)xuz&%^I8#>OGFy4~+M=R}Nm`?TzN*>C>`Vzj?)PRq9TA1qq*NUOOQwOd&XC2# zvAAc97}jFGiK+Ic^jRT+^Z7t1$fY%O$a zA%58#*mUKDXN?OQ(7TDH{Bqbc7KPivYI;Gdf!Lm&$V*ZV-s4lh6ZGB)y(zk>M%{!G#- z`ANYnjUcmQ(NTSf2Kx`PvpNH$lf&#~q=#N3VE%H|d04JWNTK#ho}FH#*_L%2Z2KGZ zh{e&7qaekhw=$_@%s3IjPe7(NC4f}DR@kGC4y73lQdRiHr{5-vL()maiDN@-$YEkJ zC8j%2au;FY&w=~)O9f=$BSnkKjHrB2Datn!A7(KHMj7SrFQb_6my43Z0|%de+SRI9ww;LNy=D0g{r={q-I0%sjFv zSC2pW5&eIR@KfTFW7H~*oiKh_j!+X{jL!%{6tmi06c=-P{OdKV=Y&oI=5YDnJ=uPS=fn=?!^_YRgm^o!JQW0v_@(XZ;$!EaPDADHp>W$%FAjRl^ z!-dWq0*~oyc+D4<)fAeS+;dAa$oI{1D@V}+S9&@*;9=s;l^7@uLFS&?I$dKXnF~I|sN76Du6&`)0kl<|;g^ikf%2)3d%iD8r3AbDOp z5EK|uo;wPDKYPR0Z!%C>RIQN!O`dNYdiV%zxQ`%H%pE#jO?nGxKBOp&c~$!U1|G&c zDDRyXRg`*$6B?&E{j3S!B3~;pghWDP?VPWYZB_X7DS&5^dDsBsVZ$b|oFcg>B%w0r zi6eK!J=!S*FUIPCO!%VAWT77XH|ss-ue0B%e5-_EPtZxIs;}Mm~yyVPjx`gcf2?CYI&>IqX;{*|p z*f9;#QL<5b7FbB81)yoK6eriY$fng21d>~0*oR|G_Wa3y^E{j!(Oxd=!k%Q~`V8^i z8DN#DCZXS?((4p3cLbGaSv~lO82vO?%OHP@b&A$sji*-=T_0PfcTb?GCnci&o~ZRO zuH*RJzvSqR^x#jv@lFVQic5j`nH1DU5T19M?zmORkjc|Sh!K|m?+G|hFqV8+5E{bZ z2{WPdXcD$c$X1?Qc4w527bB%i{`6H~^B~DF{aBPoZNiQV_$U zG0VCcFZSlo!F=nzxCB>YyRr$-5&{LI6yqMG7LmEoN}iP#xUA@ii9(D<>*BA*0eQti zjp;$*mqGOM{o0ooi4pF5hkbZfU@uuS=8as^A{(KE-Ot19pDVwETtE|_A5Wa30nrP6 z<45MI)$N*Wxu}kMK+{(0Z^Nqs<^*lFmLGpJXnK$-RLv}0j-NnKsRTdGG1xyN&Vv(_ zOX!5ki*y^bW>jMmrXT+1_v^`fw+NP{pM`{_1tRur>`RAynt`f(JloKrN?xXcFFbgd z%0k+hS=fgPB3u0MpnXU1t(=4UlunhQ9R!6-HQ)@xu)ttFMMmz7%=cIm{8%R6^YhO$ zl36xQtzw<3u|KVD(Z>JE1No~W4m7+XHhwA%bU1NtDN;3`ufo(P{tuMJ@8sR9$LxOH zjAG3MZ&|4HiIP5=R>G)NUJ>U;fz}{;izkzj#qQi^oa|N-om?xV^-C3et!Kh^=r@Mk z2*M#wBb1tE5`~=Z7vw6vRnft zZ~%HC_SCj5ESKg?2&B!OSB-VY0lLQB)d?&WzDV*>d>?BA*J6(j>0qJfdgWu(f*G1e z9)5L9QAKD>Af0mqwsNI?BM#EEs@kex`_y3sk167;ZFKBehD_C%nYumX?)AyPdf~n| zqbh&?6*`q?fs*4C(X+?h8r@EsAR=YGl)q&?evO@g`b}G*R8HD!+GA1ECu=iZkFM zji5@RszHJ9)oK1J`9f7TZx->|Bg)>@EJ(;}c@;l!r5#zC-|wQWIaRIrLn)#Na({~0jkUb&zxCUsNenD z&rq`t{kM$CJuiI!>X7AaE`i*>2yg{q=E{53y+Y(ELG|h*i+Y^Owj!1CTo&;gQclXe zP_ta&Nw4-{lvG4Eng@S%IRhesB#P6jdkQ(gS8 zjlJImGm3w-R`P=!rOON1=sbw%C{-@Ww}jb639ctu1wc66PQi_7u_1SC8}yr(c{Dd11bwcjo~2?WvKg3 zWHs%>@TfU~^>)SUtkfagVa8I2{s`sW=6t zLFE)Hwc&aP=TX0nbH02VM$ z1wUm%^B1R}W4xobMSx|vVO`|0D1G+}uz=|-_NN!#K#mZ?qe;Sm+2@OSI|Wld%JP&= zUPup;uJQbu%tD~Lj~W6peRLCKEbP=7#Msqt=ZIgMAO|PGQQx6_6v98ZPY1C=a?&An zBOR&Pgq0(h1wxfYBQ$X~<%2c=v2g!WEUf>Af|TiFJ%ju%xvO2^D0A^8Wiow2mi$-5 z`eXls2?0iy@f7N0N3t&YR!KybAML>l#p=;%7S*4C;uVMDkd_E@KMCp~>kCPTqcf($ zR5{_~OB-~`jv(1^w@r-{5M^q-!E?)ys?I176BeCQ;a!wD30|?2D16OPYs!&KqlY?J zj&NclM|@{grX{$fo_2GzC0`+Eb2aIs$YA0TgP@HH(G%M?qwT%Mf!KM?2T9khJx{e* z1qe=^3)JS_$Sk4?;S=o@fRruH$b-H{cpx?re^>2Iww+W(%EaYj&nYnLfljr;{hm8L zy_)oeXG}u$X0?c785eR*j69;UrQM%C*ypm3@oAOS6Sx`a-8?9tuenR^XaPW2xs0FZ zQeoH&I^SNN@YlCi$2;Hlw#&Vot?Aex^o4~^Dc1~dO+>{c&~iB#?|f_kzIiQivXg_H6{!1636YiapV2y z_I~9k8lV<}V*u1b!J-SbV}Ccp&R<*64iV|!qal7a6=vQYhKMJe^UBCk-;c0Tneh@2 zg>LD4dr(~KVWNlI9m*Mv3(Kk1N4j32;&e{CvdP4^zKhyFdnUTyFcf5MOohWb%aQm@ z=53damT{V3jlI+=)@)zII#0aY&+ySPa;on+oT!k;5JI&<@VQf*#Q$VL{`|sl)u@Qk|#ndQwuuOE$Uum238i?>$Eh@|A76RlRv28EHbz z@1E3Cz*CU{v|lGbqLtg@hco%LS+9PP)EkYpb%L)m-^Zi^NCSVL=8jEt zH?A&3_%Q5c=}5`)g~YP{zL~y$#9w*?$F84xQR`pfd~aI`dr$8Fl|<-{ed=yDbI2XJ zW`h0P`TsC>R#9=SVS>eiLvVK|xVyUtcL?rYXprDixVr||;2I#fTX1)G_o?Le?VdH= zvu2)oVI5BWr`YHF_Kx%?hG01N)cw?6#Cl*ccwF0_N3(_IdGO8;rTBss;{VezI;s)% z9!h@V9#^e>_M+1%rgC~{PO}P?_wzgs3$y&yjJ_$q(e~}-Ijjcd#ehYIHvkbXp2Zl|s|0Mvb#X9NCs&#f26xp&FUF$BJFMP?Oe)q+?UU zIpo_G=_lF677GYINd^z-=6m^(e*G`f6+Q0X>{Mrn@2qH-$l|`;kjuJF-izr+o?1Gv z{x<2a>Q6qwXXjEc*u4eTIC zY{ck&p?C9Ns_k^;>^h>_&1+C}d~lMDX_x(OtiM6cmGYP}YNqlt#PTgXCJFh^8&@{@0>s{0m28{QbLZERF6+`u!Z;m+vB zHMs4=XyQ0FO^@^K=lyr)okqumxM{|Xq~#F7%hIs}Her$2Ju04Yu7S%mh5Q$K(qr*F{7 zrHUF>n{VQy*O}sH`Fa!$X|gQvxa-;c3V951F}o1Ri4H*E$GW7C8)|jCyEVh^uxZ>^ zwGF$*pP2l7GZhEx;L+7;hUh0|wH)02W-@O?^E>|7TF=g&WNI5~rv3@j;}D(HUyAx|+N!&3p;j96LuAbr>ajL+Qs}tlnMP?mF9-*IZE+6{*Qxil%U&Db=CEul0rr zAAfD_e8Ds~-lQjL4Fl2{>blC)O#SLffAVW&({~*PERm^eNZans$2klX8NGPyf4Yoi zE{txCi?jv;e)5G8j%a zQ}&tHQcoEpj_Av(lE3DhAzd~!)U^et5Nl+cN!OiCpB4SgdWzh`vd*C7eSeG`?mPaw zu>kaYqkSD?V-Mq7P*S(}xIA7$zi#Bw`1QI;K|0T(b}M0n@Yzx5idnSAK65(v>4 z6eQ*BNA$77eM%a&>egD&EBKe?zV@Qp0Hb@i9F&x4tRf}c^J(OS}5YWtHGbi^WgU8`35{8ScW- zvqtRwv^wB<(E{W$!2Jr_V;U5k6d5R5w}m%gAbIsT^tvaaQDrpqL$lu+!gNlz4e<$S zp5$k>dRIb*CYx!BClLSDYLVQex5OfYU#PN;9wJ+OZI)@vcSv=}&WH7NX)aEXd`$3S z8o?VE0F>*N8*IAWpuo;TCH~H&5tR03J8h4BS)`$l96=Z!-Nj;Ktmq;R84qM~+HS?B zE;MEkSiUe9q%DLKTh2#~eU*L1njM4)t6Wh12W&_M_=b0D-mdb&F> z<<}CbFRJ8CsHXH3klkTkv|;bI*CZHyec7QzA(a*Qm>N@1Vc+Z8(2eVstqjC>wUt>?a!>Ugr$glHa`Z+^g9AT%~t*S7r^7datFk zK1$hO!q^Ii*tz2sMC)q18+Oxs3OER zXO%E^X$xR7eqsjZsKEIPp+cZm{ z(=D$@7IF{kA!jRy!ysZ2let0*+VCL%2yI`Q=b~uAoMY0PFruqKkV?7AsPN5A^LQRh z%-*y&4@-_M2=(A5={Z18BN%S)XKoWnS&5i>4wUQMYy;kvI{rLseeunXb7Se~vn~pq zQcK8maVuF^2y)~b@BlxeVY3deJG`kb-#!_@Cx!E~SknHi=0&I?XwueS0JiSKNV!F>iX#B;uX?<~80ot*@Yml4O zQCu-kx}Bu!tEw+L%o69iE0E<0-`4%s*TF*6hGcjC6}&=ozvG9boUO59#u$o$x5?Qs z=|GS%hpr(tjl+)5nE&i|Vy9N)MPD4HdO18F`So=uHS4r_-b5(b> z>~e;cp1+{J(6LXXNU_u#WK~2^N^W?doStb4gvPF^LjyK9V4RrddxA8bxkr7UKG_R- zuC9h63)SJ6@Z7_!PCUV7e?7f&d>h`s&ew%!&Z+ih6+dRdOh-t0aE#jqX6as?n@rl{ z8}Q%!o2p_shWMDDI0V?;_Wq{r8fC$!W~X`<}Oy^?K$Mp(u0!M}OVov!VE z;HUJ4I4>CM+J5|scW6^DeZgz69K8I@<$uT&vzhanZinc*Vu~7Cqer%AD(Es$B^xqmF7aJ${f32hP{I}PnJb#?5{~xbOV<>p+ ze-2cKT|?+2cTnak3k#JYK5)803gQUvp0yf@<1KWYtT#PiVB)4}3qV4yb-P_7(9*<{ z(T3-poc2||YrQqvzjmIy=%gFIzoqQ1zt_J_TrEE}H9TN36fF&7N;(qBojq4~8FD|Kzw9)w7{6chk{!~1YMgIOWbqf%=qaF&woVBd=;W5ttuv?9o`kr!MW)IpFLpP z*Ygh_W;9DJX-~ql$`4tY-_--EY9pIu%Wu(l&mCcDJn-?(zq`GH!wc_SEX(0gNq#R% zNBy|f^m`Eq7NA%Rt!#f=xb?NtB}3V%3Sni|@~4YQJv_ww^;w8u5^9oJQANB2??z-; zrGo(I9ck|sV<$T%FfP^KiwK1lIRM#$`g=s^tSG8L|ZRAnYm2dD-IdR=LeO{JLE#&c3`h;sQ$u0@PM z_^XTjScSGk){Hs(eFn>afmfiaXQt;&z?cB-s6|6FIu0hp>lsdac$Gj}=F%X%hWf3Y zYVu2#<{Yd!G=+!6e(+xThu1#H5|~NQSk#w8gpdLI)fRl6l5@(r*2|e%gSjKEW(bP# zz0?Z34tm+MtHj<@y(QF1z3f1Eitr78fV_e5@L;Z-Qb%2E?s#8-{y%v@PEa0@$~J_n z3JcJk4er>9w>VBDT}?LMRdh4~smO7MMU)~!&a1O`P##|VW<5HYm$ z;qb}>tEHBoJ#R`8V7z>@kNeC?7TZH|A3Q_@DMTsf7e%i^+E;#nNdc_koxToA7TrXb z_oV)7U+o9kSL?XA!v#W;7}+-!R%+d@@g`Gpp1YiWmDybL6QP-|>@8B35|8tCD6Q2P zgX)0n$em=MI-qfvpw0^+7+j0p$-*rB*TWH`B#?d82<)ezzcW}SIsF0W7UI;q^a;sW z=`tWIgTJsHIl70U1sO6`^C;?iDpP(`H1qJVKb)n!Y6D!f>_fb@$shab#3N|h8UNez zU;8R0XEcoSPQI^fT&b<{6Z9YZDl|d!yI#7bC!y&%KrzIKRtHoE-0XYEq7TG0%j1zY zF|UQ@J*}`bXKho>XN0(u5FzOCL-`_{Yc@!Xu0-}=B1i7=8;RAX*BL%mfF$(KCMw>` zET=IG+VV>$1oeYdd9)1e&`S!srdC^0lVq^Qfv2H)EcNB|ar4Px>G5uHmBCBRd`zrChE{-mNuR=D@1Vy2WVjp>yP07Vagoksm7#J_7L`ScO8KQM!hfln}r;*_FT{`=S9X}Er zl;v$EQJqR!rb#4Q&V4@6Km3J^~ATD0)j!+5uWZ?Ya8^lCLJ#H-oM( zbC&XNyT41Q6SixhB~&v;49vjq7A*Ur{wu#{NMsAB*@LZ!{w|>^wB=8LmQdj{Kuf5( ztGOQHBOBnG%8A3RiFzo(Q)ED?CV37OWv9vtStA-$g+qyhZQF|-%&ef}AW1^a&skI@ z(E)Mo7HW1>Q}B1@P!3O?J*(69TYD$c1q27}^BC?~C~9AG$YDV{sK<-8BZ#g(-PpF+i%@ULG-95hQ^fUR&xh)gr_eAhOewpvfMt^sA{|TXitbe?q$vK54eYwHokm3f<8Sq!H9h1&*-Ne!~YWpG$I&JOX&sR zpq`2Daa+qGRQtQlU`4SjO_7Bau|#4JNp5CP;322g8+@AE4r~<>%V!qPqiF*k-oZdF_z59Po9TJ#Cc;B<7!=G830y$|EXNIlgofj@5}Tx%3B8 zR({cqjVkLhuo9$aMYFNUx_dH~g%^><13zSO(JpV@N3OI|IV$LdMkxck~fhRth zY`TVmXOgVEi&YKSu^d>4DI!5NtJY51dx*JmngK>)>`#67OOylNc@qY*3eSE0kOFtQ zFhQ`uAnF^Q&r8MjGcuefmz+*}_su`0yq8xa;+1CLcHC*_Zyj(?pjH!92mJY`4yg8& zPp&G*%tkY7kZ95S&i;PFukgpcdLUR}9rMS%x{NWaK>Z)?)mJE(BkHHKEvwM@Osl+d z!J1o0UKXFU$*QorXbIp27)84bL>?oJ2y6TY!9VI%i%FiWv=rLvs{^T>hbko;4TYH| zirU%8qCq8PF0Oev@bZ1w7(yAYK-z_C`>UfzVZKu#_-t&6)Y^DGxUxTS!08U282Q&w zd5=8>`{{lKG*BGyQEtx^6bJ0>i(^v3voI)<$Z_%!+37h@@qt*DRDv1GRFBki-c#_* z^hkovqkh_jmKm;v<&LaW{3JPRtkeb#Ug_FrdK4vl{*=l8c}+md%UPo(e!6{|({hlh zX$|=XU_BOpKcxkIJI+Nz97jK<9dU5E*O4Rs{DQbB(^#H+_o z9OE_y7qLIGiXE@XIHVOZZ&{LHq0W)DDw%Se~9>J|CCTIZq807Sua3_zgT&E)QSQW2b41gdCyJ5+}8OPBjxon8Psup z8@_@4nih+r`~lS7DJS{#nG>@!N<|_$fy#avi8mUe6J-G~0CGA16#N?ptSV6JW~XlB zw>Q4RXWuRRz$?a*;}fwGWhu+X6!`C_8CDbIU9ALpSIs;D)mkehU>F0%An$6RG?8k0 zv&i^`Y8x(4HZNZ~iu3v-=O|1jzUfxo&gJfpPEFe*nnuF}g9lak>)HHa7@IQ-pFl+S`O39X$aE}pTD$1<{edDRzf8Wr>Gy<%9@zkn-uBJLyUW;!BI)JR^%V_YdvhyWSB*i%> z19cANo2YtgU%kRj=VH%onS}z zc*5AKMks^~u#|LO8RT76t<;X|1b&HvSWCB!g!Z`3Re9NPleh9(pLPX#SCK*9)pF;t zBWrz&ZGbtG-ZAj6cU6Oj)T@C~A&bXjo); zKnxgRFSv$K&>jX?^R32PBXiaUFw`)xqrPJ|x)y)GV z+2QO~Fvwcibq}I;!h|TyY56N zE`QIT$<(N3Bx9HbqH|o!vbq}a7%h&@8V+SLOwj;05YBm=ghfjL z?^coBFjIZo8KW{nWYsZ(qI4c%!UN~r)!wniIC(^NmjrPukFjZIWpl~Jo1PhQwqVlM zVfx|>Dq{0eh8!{}{uA6FCh>Vb_P&`12FMH6UCTfZj6wyTrGJmiQEBlEhZKg=9B_tZ zoLq&zE@>S+uW@RIPCEh=B)>);loyIC()flV4kY>cBdsi~V(gAQvy(9b zL(pLnBQl`u%Q&jcDe&j%WO@c@jQcbeQhexEoYo4o29p`NwmT1S9{O7c1bsUK()Wc< zl7&%KrBi~etKqgL=aW18G>Vmy8HB(PakF@bT#pSYEd0iu)9CrM^cGe9(9L)M@MBvquxc!f6yObB4ens^G&GcF|g8E zhSF~9`5v1oIXoyD>`$7`Lb zx~lu@>!qgm3(_;`#QDS4vQ2WMyY1Jy>W2w?$P^h>stiEn z&xkSWGwvgfyB&O^91>!hh6(p>xiv?@&P3(L6M9S>qIQiQ1w#&XEI0ew!U(DZvP8XA zzqi{SQ%eWTV=@hT=c`CLY* ziNS8YsWtd|pY*1YN%!)n?&juaQfa-*&!nyAS?X|xynLO7(TXtcR$q?+j^M%4RUvQ5 zF}in!LUg)ViuNu;ZEx$#Cd%#TY(HqCp#^51PYr;xFB(Z-36#4AwhEK?X%Cs)?`Ele z#_~RH3Z2$gmi|iX>pAx~_>!jkyydPsM$I*evi}BeCo0QG54)^f2HhN$4c>zE2 zQ|Wb2(X)>s#9QcVUfFt)uMf5cF7TwAUULj}2uui01b6eDB`{BDC7*V5K1+^2czGEV%dqjJJe+NI=G11%hzVy|N?IqrT9?zHJ)pcro?`-^pKPx8@+3Du%P1kYUNAIy) zUmS%`r|6|GQAWO@Y7Zk7v=ZLi1c8k~0v7Lv-KEDWPxoi<92gHV*}-!H6AJhRbr|!S z+XbPU(MOwdMDJ0*WLgtWHSgbN3pisM4KXNJktjRIma84zpZl1w+(#vdBV)nLdks)X z-)y+lbCM>zJU;5hgesgiAFMvWSx~U=KbCo8A;jhpeXRGk|s`{ za$M-~^;}sUFxlyFsCl`iJ#IwOM_ous8-)aJky}vAt~fEhUIN@%DZ*}MgYCntyoiA{ zg!i*G%3BG)HJ8-g%b^VhvKNyCg?t8UF&-S9$X=%rcwR0kV4E0YWG+lX+(R+V%Fht& z12($uqvEmT5$*XOD&{Wni9S46fvKil&RPWYpEetMU#}7Cd-Fm}pa04s2H&Lq^+*rX zM=d4%fGxcAuFc9FbzmX44ddSR(KGRmkFDH+yRP=0q*~hfhA-nC9qIf;{!ChLLq(q^ zK4EixBJa~|lV;g6G>!O&5)M}t1m~=m@!3HoExXZ`K;B|a#(U9SZbv4~hbX>TDeRFn z3a#Ut^DgT4PAqz}0*b3|OHbQ;-afpum%f;EA$*cXcKbpj?->L45!c9^)6_??n=7x_ z0(yz99C}SpEt~P74y_hzL5y`i#N@AyZ%noppC0}PYWo+){*efBuyg*`atjaZf2X#8 zyn_E9)D}p==e7o-wztAbVh(WWK}S`e0^R5BFMfF>-8HkMg`|zW_#E@QVt}CSJu>vn zq|eV-0AS5a+|;4k{&o2(#r4>)_S(kE_x0G1@%^dz)-QQ|uCt=A^NC}=zO}t$kE8c3 zrQV_1%!Q%)!lBF+6O_!-(UYmRV$k)B`s2ZOjajl;Bu@c-DS`0f+QV+z#d=zj4jo_=rg=B@ciCWF>mqD?T1ojR#Vt3pA@)=Y{R2QUCa zw%IOK-wJBwa0!x{RLFU(2YvMa7PGka{n0Jp8a0|~esxZ@yj356{0zn#x^B?J{I{6p zf!0|#ZUBV>IKUHcnVpZ=*4gJQ*wVvpE}!z=@3+K+y4+ty@}VLBG$OA}2?YGYMb%yR zvL9m)-_`fE0|^9KAa7SlRS2L6yA`D|Kjyvj6`0^E7aBl^NJ8t)fr?qW2Y-rLw2R_@ zidnq4SC+`K^4P*0;dp_qQqi%!zlxM=Nya*KIG@N-y1#A#TqX`2i-Mu9$F+v@*IvPB zO>$cILBzKCrVrIip7^TZ@E>B^-6UN+VJ2@sBEMv7z%rb;7a1WDFBAFecgQExk44#* z<4qXMXjBv*`jgxA&JM&2q33H2w7q_RlMs-gkHe8;)0W9VbIi*SF0kw~^Y1FlU9g8_ z4=tDaXx#)uv2+?V(p z%;HOFgxMJ}`Rq@D${!mqf43pgxw$3pwfqw9#;)h|(pl8O{^R{@t{)H@r%xWERs zsY$-P2zjW!gSVje>M5*g;;`vN1d<0<2R{J(^Wt$FwTZuVnf3+eiVCx6w~^=*O^|6O zhZ5jb7N9Q|2~8|Cq52a*dupdfvRoMSSx^}ZnhoEvB z@ai(bJscd-z9Q0P4Q(p?`Y&MH{Rh|*{{gl<6s5#oS^cW)6{%kckfLU)VZ$$La2#_H-gKhDNW0*1>hDu2l~##uFw5li zfW63eOc9TTn_z9pD{(PKYP$x*qNp&$s^N<{&r%5OYgUKbf!VX2LCVY~FK`nLDg&Qr zCG-~aZ;u8*_3a#Z#s2!raqSb+`ypC=^+d{NJI}AUL=n$zITrYCiW3NWH2NUYmtJz zFnC@Vdj?B8{QT`HlHrVW zx31vo)jscY>WZ!w@zfVnX0!%C>&s`DB%bG0cF4ja9>!0{C)f=SaVG6rTW{MUbfCv| z&%;eA^!eyN6$p> zRP<1=FXOrT)-zUf;tnE1tY@6rD{T#hwN~0!Ix!0nu<*|@d6+c+0^0+1 z0l$TwEiodDsoM@Mk0(Vb{KTI=2_%5Ppn*g}2!m2>$flPHLC!c!sX{+mb%^B?))Hy3 z;M{ITh8f6s0A0a6svk5~{C>U61q7WGZu%kck6Y!Cl0#5Vgcu?_!AY&W$dugzwZK`u}RXWkP}9IlR6 z0i}b0*R8T;S0J>IM^)WOq*lGyDu{}2Z+|0cpitfhNdtAd8%gk2A-)zq)(lElWX+!5 z&Vmx>Ez_{lA1BN@#tJWp9dyjsulXE`5xQJOJD!p48Ub{_$g2OG1sG|3M3U1pAL|i! zin5`VyZLij2nz6vM=TXV(!jK2;{)Dg_&`SJJ^>x*m>T4@?$HRwh;0eD$=cswgps!O zk%{WG(nv*g*G`g#O}g~P8wC9;T(GS|l0AUEXqNQ+kQ@;xI~nt!$<#U!qxL8yx8U3J zWyeNSzDrlP8h@u@;_4Wb_9Rkxlxn$|&K4TTg^#^$3%Cwq{1@5Qf{<I(#^lm5Tz4L~?cnpP#yWkCG7hxPV&)ss+R~y3t0f@iaU$J{E8m^%o-jWMvt;$| zwCSl4L`gS9Eu!urgCx_+wVzh{9t$_oKBTbJEVH!_%jGweX{%1`tVeK5R_L^6rgMXv z!xZM7s$Zt`W%=NcB&{wYPHw!NHU_DNa!S-QtvEYEaJ zT%LjrQE{TDL(b#^MHWZNu~7cpMx~*v@=70AM~d|^R3Jt6aSMlVueMTt98l>6Asb029gG56!DdiRW8TVH$VYB6t{WVij{BD_87uN zuqDXE>Yvw!%uTnpPSk@%d@it2314r zR8XU~;v=d{A70LJGpLpY)F(1DzJhgbvG(u&JZh6ewl2wDn3f^}dZzw;2lIbW+h%Z@ zXeD6k40Ig-p7jao)os~{WCrLIT59+d z@%I!0{csFZgz#BCUfQI2*!2&#Rs09r68(d14`gE>!^iYvzu$K8$lPGSQ`racA>{lwMhRLl@6UdP1? zEwVo#U00i?`wzFR%F$z+w~*bIDH&>V`Hhyib`pg=5yQp%Ld&#vz&ysq`(##)jXMNq z=S?f_Y}GKy6i@z^IJ$C(2k7?QlN=!18Q|izYab$XG2Upp#Q&g~v2t(#^M~BxXEhE* zDY|%lb;YteR4g9K(5q%&KV-lD6U+ktz6QdCsLp$99h?GxgIUVLq`!-L)H0$$!K{d)m09+;i0_At zwTIXg3`hd|3CZi6ieVu_%LK5#XpbmEIy321MK-P#ioltV|FB!Xi_r|Cz`ME^ozwzb zFT~c0n7GHHx+oPZPJV?ZzOj|I66nwM{C=nUpBW#YK*=nVslIv%P%;bjpo%UxheN3x zjI%o-On)KhE1k8hGntAlk-tL1aDN#z?n!Q6y?pX<>lem_UEr5g=(}kR@Vs7S599aE zgSz=Fe-LyA+pe9LTvGqCMM+Y9dCNU{HT$3NHo7tAFT8aC!P~3KQ%_OsMESLdv&oIn ziH>n57q6W?2TD~wPGnxm1wK|x0HF{N!P^JN_6M@G z{v}Q+@DP-jd3dS!T?m1`oNC|q7O0m)d8du(ocAAZJ;l1mPuCOgcXlq+AN^XsfA_nY z%vrg!L!id)v_mEOuKL<&mJ820I|JOOGM-dq>NsB>;=q|F_8S-wsv*Ae9`GkFrnk#k zxHAfUaQFw^`g!@YoZXxYy<0s#w7fLVaM{&pb5G8HARu;v-a)!3QEt`)z*5m9o^pcA|YqmG3XsH;ZM804ye+kLkx!v4W1gGGu zeDZE!CK&S3X-}zUD`bWo4zf&LFEKpd0{8j)P zgcLe8Q<|}gk13TScd#zQ^0li!#C?<1o!{GlnXX|jtbyi>@Ln)zCTzDKk!4Ecbr3PP zh|W-%ZK}Am$vWS+3Q2v4&LQ{sUX{DC2LX@F<|S!HUo15|2aimwrQIg1*U;eX54e51 zR|eyGT6B$!Z}GI_-U$8bzMR}t+wolMW4qq8^6sizJ-@u1{M^hnUwHgZ<$>m*t@Wqe2}Ywe!RM-i*59DB?RnDd zbwxO5rSN4T*YMK5Tu>kx{oN!;X54rzAfot`tsRD0I6!6+%zajB2;KgTSnems{#(sT z>6@W+)VuZ|{cQ*M19?f%`;Vz}T$JhY0(yY>NTPiTk_3#6x0`Ni^Kr?HKt!8p)yHMt zAEZdbr(V8p@Jl0ml<}(rNJ8!-aJK6OL>Hmw8$WmjPxAK-xVLsfk^T6=-|kFVFIJmL zuLe*%bakI3~}i?h{;&4Ow5vT~wH>Nx=NJH^SejyD{eDcIxv29=#k8Dp6$fS_9~F zRGmeDcVgoFiBmRFbo(rO-kk#;zsi$PDlj@YAG6rv6C8t&bne^{$a5$El^MX()-4#5 z3DBF3&UX9ZC+xaZkLD%()5W*lyqDoj?p)-t2jT(djUVy%q`gM6MJcLt$KtQlngz#> zV+lysDRmfKf9g0Sjt3jucRlWxC-YCNN>t}tzHVIJv4%NHC_ThX2;hFgEJ!f4&YCkl z$lE|k?zP9&Bz)|Ojis^v{Y|iSHI0WB^3w?+C%?6rcA|-GrZqpHLo@cflk=JG3E#y= zP2u~@{pGk@NV0UylcE3kKI!w)=3W2tD{R~AE3>!w>o@Qy@jIz)QH(`?!2sVkz9{-7 zdRq%SFAKh((U-3uNr=tCV}IZV3 zRa*PKd!~<`TRgX4dX`=n4Mk3gXywd`Inb|UxiG^>(W-E=b5n6#|43$J=cVlrDRN_B z?sv(68oXY>fn09-th6!;ADs51KaWuSgal2DOpbDQ8Z>{C==SQ2A;0wUjVNc2smCP) zfVT#tc_Yi>^&>W6$Fd0}lqzXrFq(dI&GX{-_=~=pdKAO%wM&eQ06Ke)f?d%q*!GMR85aBYz8kw)C#}cvXz39>vwzQ$g4AQ~>tdTc zxxevP10oi;==YcU1O z#uXDQ84VT7X)USt75;*rXVWCuxs8t8&3;?mh%Il~qc0ex48V3ovAW{>EJE}{y^@VC zu+$dWKqt$hwk-k>!D)uHofV1FmON!d#n-w-?8z?g-5iALZPXXZE!Xodu=&^>Yg;|Btz1EY!(S_3uvk z?zT9u;IoL^yE0uzvcA8##L~WgwpdB%D(B(X03maaUIEQsX9~EVDM!mUX1lr4r359V?g;NX{D}muJN{7fA0TRe z?r=77BWV6)_i9)RXLR{LA@hF=I~?5X?Eg9F%){~Dk@+7*)c*^a&+5zl9dzEW9t3rF zLW%NVCZ%)BiU+3w&5{Y3elf#>t zLxr`=e)fEv=xhs`>%S@Oeh!kn#(j+5mpOFd?>lVCK}SCirKkPmDn<+on1NI@snCPP z#3~DF=n_pTY?MbZ^X@c^ws0C8F&_<-$mG%T(w)Y98zYVM>uLUm7|XqNl_}pFrl!WW zC9+i;eHIKZ5-Jy1a&xzG(IV)Tp^Rk23>p#KK8Tu9M>#M=&h%A|K6R=tvj$wYO< zf3B%aqiQs!nb2P}rZCP;#urD2kyKcOJM2}(dmleYmCBrU1TE>poXrcwDt^V|R}j`J z?XyAy&*bEA-kHKNO(pIAEp9`AN9Pc*Fo6RO}qj&FA`-F$+Y^$4k5@l6z?s z?j7MN14^jVPwf;+;Ly=vwpaB_sa?o41HUd_(2Lm!=f|-pOaBI0q1ZFh9SbsqsqOmg z{JYdeZpRRBzO@Z}KC1bE`cykLR0VI(1KuP9vp|obb~f&B8I`|~$o@ElQha^p&rc5a zoGu*dW6&na>@FP1rDo9lde-gX2)P7}=+uDJ9En73T$i^(NXc#-Zln8P-SJaj_sia= z*j}A4wYSI15<_izlx|W?J_wc!F(Q!hT4BP_RO{bHM!z^JRRUv~v$#HU=mx8A&N9-VJ|McdW=L_AlAw$q?Nc^qW zv?nUpUzBALnmjOPke+KV6pQ^i*g%`}p90TG_uzBz5Iv-yG^oHM^W7h)Ifw6&RX9#p|*P}n9PHV!|17jS)h;xKj!R}Cr z5OIHm;`nK3#1g65^=E>vL??1Y4@D_5q?V?2)bUgx{b;aPQ8@x%f4<8HBor0Onj>3+ zA%ldu7JexXTNvh1ZW!Y-AG1wyk}>QkdWqy(3#*KU$8Sb_HHUu^JoM{P1X0mLrt$fw z$h#@oS!+X_3$fTbfwLM#C3&i*5_GCsSsK=48@|f1b`MGr?68T5hugzI*rx?eHX`-F zUu?#LAEXfn_fElUnsnYj;m4(>x~muZ-hTmbf_I{#d|AE!li)ekWH_Io+O7$+0ws9P zK?xpcs~i1l7mB7Zq_4kujNJ~5OS%cCx~kenmm5ZsiS3Xj1|{V{5+PZW1V^e3_n{h7 zSEX}w2ub3CVGRg?F?0{CEpSOqE1y>`SJQ_qUpCIjv!2kx^!hisZi>`BXzX(KKC&08 zrLy^(ctRl@*`<^^SOyHOn0a?MAsi^dGo6yx)|Qf%@q!CLg=*}+5}T=6rS{cjHt_0hf7WeRX@>v(_Uhj)qT$QX`d1Jv) z$O}z#GYm#}ajR8?6+4Eygz^-jl+#xgH8Iet5SIS;P(XukxP}o~gjca+c_hHe8&f5; zT%`m@JmC{;N0Jberc3k;x$#oLnKw20a33T3udj4%O1XW3AvGS@cvua23=DJZR0or* zs|b<9xH?aDCEuKyJ~41EQfHhb=-Q8Sjn_`5hw;A%l9s7u7KF8e(Ll*&kqo2b)q_zH zjoOMai+xnSU*bjPaWFH#nb5RX0p%|4G`8{AqeN9g?IS$a50h(ysxw0f_%ate>(G&a!u ziGF~r5}XucP6aCo*RFqVIX2;MZ;hvHm7bNBylfi2hYRnc*?NUY*h({f9Q<|67Qz9Y z46ecC`&GVR5a*(1A~yb1SzquyoJcX-FrK+*&~k7i{Ta_1qv)onva7U?Mv4#)ysBL2 zU=-1$X;Gh>eg$562C{l}8v~UZ76(I8UYnRFkZ}$s^-qCE<0^z^k#Lbe#58?7BEsgj z3?m(FY6n!{se)!Qn3eFziJf)&&|u}Cjv2Yb!!>(GP`Pm+8CIna==jPj-|;~xJ_%AR z@@Q*~8ftbe1~rvVEtn%B%D5S4U2^0drt%cq>AQTv?^1@t54U9H7+Kdbj885E9eKG= z^@Iw1%hV{mO*FSnM|%O|RFV>;vR37E4A(L`!<*F7kgk&9yT(t;4bHodX!j@ySnTW6 zfKK~3(*tBDUM|vh&Azt&Sp^%8bKcKCVku+`Ibju^fz$3C<2nRBA2d-cJc#rWIoi?H zjWpyy)6cgjYD{(TvH3WxaIi25P1zJu0gAwWxpQ>9F?SjQlAGM6+UEU*kHuXg-k=L8 zDTXa(WPOO@`5hAPmPY1bvc{rZ1}x%C(e1`Md*MGWpH!>Px^xD$B4etIND|cdZMU%A zyfJm!8mFQuY`PA8RD-VB;v-~{>ljq3HLC_1GBco^q~FmXnv}|dpwo@4F2Ve?NkRT*RPUhfcpKBfs`$1~+T4 zUW37>>22{<((Mw(7hL!%p@hsKHMCnbj#ZBw6u>nOZpIkWyti?BYlc>nnxxgrpZpGb zqCGueg~`Jk@kZ4QTS{%;x2(*<704taWfmR37I)&fU}RAL^vs#Z*EphyG%ry5w$U2R zNS;5VXg8818#4ng@<}HDl*WnLgLM`z>F}~ja2;DpIt4D zwr^DD2DsBWO!YlUYaa8pC_9DMcF=(9G~(qZY)3W5d8xz82OjpnLUFCvEYdq0<4Z2P z!=?*KQt@hUn#+mgH@L%8x@g@J4?rIKY$Qq3^M(N)l;25Hn?KY?8?u&6*sazM%m5t#n#APtd>Tm5^E=n8 z9A$fug!LVm{OcHbBRad%pA&xehF0KZTo3+U^Z1qNjx=NYtM_sMHn4NntdW;kr`h(+ zSf63vOlQwz06R#io-s?wc+t|Wrd6-+l9K0KhkjcfFE#sMpAao&7xm^#-nh=HTKR+< zA%xCxM0q*aC!hJ_@BUXOEYqXfk2*hm%$(8s%+@FuwoWVopC$ARdjr48 z=uzjNoIPkr=Eb;hfTo|<#LY$PjCld>CCyIa5COk_Pm}6zGS4Ig z(mU4!)rL{nv!{3&LfRh+*|Lx~1uD5Q`Le+QuBxu3a#Jaq!J?2TILhunsnAP)j`xJo zDNvV?RvO8m8U`q~S7?mWm-F}(@lZG&R7rab3Z7+|N|IG|r+gy7`{)N@beK1s%)L-? zrGY~I8QZK=w>1BM5q6HjmAw1fo=GyXCdR~^*tTukwr$(CF|lpiwr%TO^WS@)^H!Zx zb*k2fROLfgx}Sb}rGM9bUm``Jx^4VxvfEI;f&@iR5F1r+KcB+5IvL0nX(lEsm;c&# zk~EBcM`bqtZQof>=680cX1C%JK;>=j^Sd|MT4-TB6xJWW_yZ&ZY#eSf2m6z|lA(sb z=b_ln9wCuWFcHIY2aahSDg(>zQ8m27_1Bc*6 z+0!3@SzdVXs$MGY+@FDnY5X(=_wsuplo<_xe1~B*F{!htL{Zjh-6Mp`5AaL!pA6y3 zp#%#6`A%oftbV#p2#ejy0!quKgcY%DO^8xLAz)#WM9Va!36=kap9Ms~JGeM|M&;L6 z7JZ;cu$1|&l%4`Ri`44!T*7ps{W=#`n$fpM{DmIQ zGcspeRGJ%%S&zu-MgG+AN05oDu_e1S=}A?_A|USzNB9*Gg}69UW2Y&E-5E9hLD*1s z_~kbk9jj*Otk~blQWI=-P&}>qB4Iin(3+8%&n|j0pzPq{@#pwjR_hPo9Xc`==L%+^ zuv&l>Nni-|1Bx3y>t3-zWzpH+Eg>vQco|38p|xYAfmZgW%`+cf?H~7!mTQ#8%t^R{ zgWL4!Lb{DOV$uWOzz3lOMw8hg#SO}f&=`0l6Yv5Z`>y^M;03zv1x@;KC5?b^D$#$` zJ4hvP+5cAWaIQ2#PbZTLv-jtdUX0GbZeWe7JJfK+VTPJKUDj5W0n|Ha!1d+-QtyQQ zRqs?WO|i~}jrD@g+|)_(UyJVZ6S_-YnE`;swM;5rIJZ8m@ChIsm&2T)+zV1}>h*jO zPS}mA=vel-l?laGpJMaoIn510<8M;rx29KN9wR68xurOOZ%0~2R9t~nekMCHt&TI=vD2S5g$C9cm-)eHaLVdS0Y;d1)Z%hR2r!h zd>TU`I(F>{VU>=hl+-$1M3<8@vBA`&HlQ|IsK+!@g|$q)+oNB0*>6$s2q=v$w}>5t zC-*CkK~=q7I8UGHjQTfsv*;7`jSKYyD(K}!pKh3UP@Wo_hu1Pn7%nXR+ShewEFBTX z%FZ&k7pJv6eo8ksO{n>hfpAyY+{Z&XAaiSbeq6*|&!uAMh4Hd0}tt zl-y?XiYumm!PgJv$G|Jn7j@tspc3+z}3<@@ykYoD2-;hrAFvW!t=Pqm@jJx-& z@$E>_OUnQ{?#1TJDkjEHpM{;%m8>AXRmjT6hd-eF>hao?lG-7itYQ>u{NW)f>fk!SkF?DD!HEo< z`8wE-bel^0N6qcX*u*cLOMrVv$`cy*OFCLs5Ec%rnjUQup$OX>-7lPbd#Y-GJZrTH zZAf8OW{-wS;F@6zAHNfn4f&1|x@O2{30Mn?dzlzWgkO~I5jCf;Dlc2W7gCVHa4F)J>+UC(`%@)1Xp{J{$S& z1!_F>DuA7t<%aHDV!WK%OYnttA`h%f4dGrL=@pLr`W(mxIj+~TGwOfCg!?v2pmGtT z6QHTYwCBV|n8@LT@cogXx@+`2hzTsIM+FN{9^H+$Kf$s0Cz>rK50)U$wq=T=MJ9Wnj(h{yI#8X~63-X*i- z)|$O(GBIDYSo$7yg+grY*7K>In0zB0L=vUaGkGJc0bbMAjoMT${eeT;OA#uH^gAO2 ze^5FU-_-mLZsxF#jQ%pOl!`P#zmi)ixuMT}D6*AsMg~FPAaQc5KP9XB%R-E2ucj5O z!>P#p`(snFaF|jH|E;4cTG#>-Zf8_*2wM8d3Izd(CwXVvfT~g2fl>04^tLR+lYmT% zN3kc0(IeJuM9qyI8~$oOv#D7%a8ZT{tz9wuHpQtOnto__1pGb=ijrd-+peEGJ&|m! zD%j>9S>rGR@w{dKkQkca&9~x)lg?rb}R=ML-JIuu=FzPNbYI` zc&Q4js^{eYAP5AIb{r6+VOBSLXMjCBqNJNKfT;hbZiTIL7BQb^?}4W4C<$Voq*f^G z5wmYBo=5M+AJg-;I5id%Cu4V!e#&6*h(+hBWZ9fmpmad9k& zg@2KW`=(T|Ls;+MX_mNge;hS|tqKB>RNx$cF+KSw(fd;EBUXQF7xxM{)ISf~1G@SI z0h^Je!m3jN-R3%0p%djxftx&T`6Wu?ETs6JnW_VdP`R&upztLE#Es`}Z*MUv13eITj1J#R6^Jfb?X1Mr1Cou{F7)lRv2D>~6KDHwew zs1qXA(tw;z$WrynPIBp5^CpdGuR<6;gjUSVOu=I`DjQ#{ZQV4E5S6rUVT~VT#;Uvg z)(?^e@(U^vN?vyky5;U$SX}P;A0gVVE5Hy7>Y$N+%+0=cY&kMHjJ^}-#kw;u4rhpm_MqIS~uy7yUT2Q7N$fs+S6YPk_T44M)2 z&5Ge3;o^>51$bvvt!~6?QX9YgV^h;0SUf|=<=hk?qnUE}a*VXl)19Sv|Y7$rKO5>KA#6uV= zit>T!s`*rczU@7d5{&%RG9~Skzb|rv{VBdYgmCIP>TlA^JWF9e>nDA%QV>vhd3!!( zQR#aIrqO6K$s@**fygN;iz^Dg=MjE2LjSXN5T7`~AK$o^4%|xUuLsYH1<)Iwx5gbUYfBr6+yIazUcOr4f6E!%1}8wo@G9 zi6M};_=Q*KJC>IzYq3BSuuwb-HH<2bJFDdLGC6WG1qxJ_ASMe|8b99>*7~zT$0A$p zv*b8`?KkE`PnVMvc52fZwOwgGi-?BfRU(;e1KGk#G?=vh39MD4)ZA?C!qj96gf`kq!YSE$$c+Q}R;5 z8@Ii+pFicT*f!s!4WF*J8@^Xrg14m&bFHK}XS-g=)!40T$WPP3A3?c)7WLkQmp_VN zL(<)BG-EBCPEKl17IAR4C}Q1sgg$_^aEP%t8kQ}LDwyQV38INEQCg4@*N)4R<}SAG zJjUxH&L1}pz%TOM3blpwzW9;(RX=G7$`M0Bc?|L|b;;0}XFOXlAxBo;zEln$1YBhO zxINTr3de@s(hnIjx0fQm+^S!h*s59pTTvqWcrkxTa^HnB(ugzwVH6x`;?u-AP|tnc zq1=+ol~F_9#uaxdtR|WTPuaXi0A0>|Vc;8E1=P8TZQe6{XGioc!u(<$ID_t*Pcoys zixIE}+|v?0EAi&{?~D93ZLH%;DR!T7 zo+{tZm@uu!>I)wf8Tap6RC=w$nWYR7ciF+(ZQH2m)aJQO5*wrgjZleATfsYf0{OMw zdQ=!GdS9aheY1xNDXZ6m%n^7qDK0o5*d=oip733N#-3mHc30-PW#qoZ9$qXCx+M5< zT^rTkyS7~`U~PY#N0i18qQltJRt#ew_eXu-%eyGPxFKcRS6)FoE1_!{RSjWkCelX` zgAlfA7_efxOM~>W(m0S6xOm&_zsX9L?sA*HW(~ZfFy)q%pnk!6$x0j=`!!a%dMh%} zbED**cn1vjIy}R9?@+Aja6t#{jtaZ0%>mXmM$X|zyV$$_&>zx%C8AR?x5gTL-oOEh zxtLv-+G%W39O!=L)*kn~_h-nO@nRx~aynrW>G!JlO9fEUrUrt8MM_+cWY7tfRpd}H zw>A^@_U=N0Ib9|tfeD-I3p9axqU~K4PQ5c}rGA+J(?;^s$|VUU(_>?Ki3gu6E@;Rf ztLH1Hq0RQGvU0`^37Ba3noeO?e-1*qBP9IV4V(Cv*h~rnOi0)g_JQy8R{ViOE_G4x zxS4Je-1XTN?z#y?DnN6O7gKd+O@gGDYpAEu$+ZWbya(Y&B}|D~dkUe{W@-HPdCsCq z+7rQ1kAgy04<$|<9b3EhZgRg?OVQ$S3KVTA5n8kAc{MWb$jl1%FNYi2RJ`ScAKR}EReuS*VT)vv64FPK|WILjq1f~OBiKUCQofW7`k z=GB+WcO5&cWaOeX8ih3b{TN3HD~C4bMcW!~OP=WYedvaxP~)8o|3|VND=4MVGBHU! zRttd#)rEBQY1|Pj#hH3k+a5$TQ~gx?xShKHSjE1>n9-e0FT3} zSq5R8lZEFy>_{?6vRC*PY~w-vB=@*CF@%MkKGmA)xV;jzTYGiQMcmgGvW*$lW2#;m zC_@{|n3M|Ee$w1qw5f^ehih^5ySvhYWZ3Cpyrp{zv#vARr8xwB^B_FerlBxi` z%g`;HFhioEQr6Nclmll1lWv>;b%IR8p7WBp8K-(Zm^H8Ko;>26XK<3ik5F(quC zBLJheX#MS@nqw*OITl!|{OAS83H;8t&y>kU&YG|>a#Y-%sz>VB#uy-Xo-`R@COoH~ z9@3lM)Pl%fHmq*WQl{6@`c^m#WmV3xY?V)b3*}hQZqd7lm7dK8$A$F~*R798x1+S+ zQ3n>xXXT`!D7{`6#G$3}{;*BGBxdCXf3yRU>-p0^dVBkOI`!d=Lhek}Rgwgxvsw;> zczx0v{jS}ju>=onjAb-1P6C{iH2BMBXCC1$5fIAW8r{;RLhDi7 zX*}Mj??UW)_8bqX7@mZ`x^#a_VhD&Z-jNF2hhN$X=#OFv$pa37pWSdI zE?B&mdtx5Z!L}JG&-(=STvyX`cC%MFp6Bq}#%|cuB%jYGGj>@+GtC(f&d=|!UrRe( zG>B#BC9DQ95UKiio`ph_7B^J74y0O8f<&X6ubFAPFVdNKXUC~#^Hb+YMBD(I)-&6} z#^o>EC+L+aD3^Gg2vIcnyYgSdJEMfujL0aYjgX1iERh0dKS`d|Ir=s@a#{7v#50C} zv^sa@4?NgJ9ih8Qk?`%TOnRSfjUUwEL_=O9U(H}75BaGR5dLuQfhom-vWkq!%#Pmo zlXHV!NXV|b&mPa;qP&#YyVAyo>5>?h{FQp`+^4nU-1mvfm4-<1zhMUd5lper(a`)i zX29}4F@wJqYyTH!F!A4*!5xqyEGHjaP7Ke2MAP@JMeJ^{zT(;?7=pR(OT(|u0cK?M zSk;Rg-D)1VF7VJi(zrad(bWUSj4!W$yi??OS?1A4T^~m$+FuTz*>l-b-keL%7*mB6 zM>0uEc2chI1XsyRtpQq-*INw@b=zGZOTXtI966T?I}h(H`Ihcb9+p}Kb2F-Dp^hc9 zao#KMIX*iiMOHC@qW%jrc>Q1jG;0@6ucmM@HcOf?WXBqFNQ=GQAQgLY6XRL6;s2!! zu1FpFz8BLfQ3XIkDfX)Aa^mPb7=-uby0~Euy zdz&UP5Tc;?4`l%Ri0_lLQOK*{=5D!M1!qNHh6n9C#NhU89WC>R@5g|R@YQHYykQXs zQM5xh`p>oHU~51|51HTf0+7*@1#Vc!O=AH!8ig+~a{~bxALvOe3)(O^I zUyL^gB9Ne#LG-iRRGvWiGLkn69YI3!&tPs1zPpHpt}Hn#-b96)?VT{LAKVc7Y1Yi8 z2nhlOXz}l8p*yUCh&?u?sF_gsV1R6U=$?ujgR6>c%aU*U1^eW>aCMt&{7?83xlrJG zhU|j~N2qMt<_?k=h@v#Z+gjQ*Af@+xFt|+)?oc2X^r`lzYS4m@5P>R1tcf`NiU||r zju5l2)MD5gkZ+yeX*&Axcjsu`d0i;{YXD?W^&iN95=p`6h^Jmi)cO8q7!7kKZ{n?b$J4;<>hb)HhFJo|b zBsx;gL1YV--1!5rpXPiQ#TUQ@j?cz5G@>aeUKA8bnJflV{{BZp0m@fZw`8hu*ZkP_ zP6zxE+UKQV+%1Yn2)Ttw380>`DXnR^erB-idm9RUhW5paW3l1n{uVkCgvkr+ulJ97 zDpt^n0*=z;5vrrsYVgj_lKtm!&+u6&05RYuIy)A^FooY$ya$alT*f+i2}|SKQC7L- ztu+9WQO{JJ{H8R;63QhZo?XAKIbI9%z(&)Utq;$l(_kMBXjUs&$6g^U#j0d`ATejj z_pf1eaOxr>T;t>b5?p8T-jc9BGU8(-mEUI5<;giS|JR%F-Wp%cM!jfu7w-^gG zSltYJXd&f~iHV55^(qWfziSgX#n<|Kz<#ay!aU&=Q`NPjvtnGtk1z-7+Q?S_3&8~$gs?VtITrX=6gwy$d*3QVGO^41d7i2&@Ytm7u_RU%TQ?0fl z?juE^gBEHjn++*GuLE&k#)+SX#F`|$W;cGh@B&$Egl9E%8j2dHd%fMUk zSpuqahpRvQhsA|JluudB1--S^Ikj*^o0o)l8}kph15CQ6erR6j2#b80rqNUxX)IoR ziPSARWR$kjM5+|`3r|on@@>#sfX_q(;o>B?xh!CI>*Xse*h)rOv5F#gjgQl zt=wCy@(`$4n6O@WV?avC0fk)>e5>LYmv0g{M(-}aiOPI%W4+5GGZ@|D502p|&t?r-4N5N-8|Mp(3Z|)byq^%vj-Qoui1hX`4Om0YTq;vFj`hr zNax@PnBI=K__!++hFKA1hs1TnPUxEyv6hxJD@}>zlK+(45j?&yyWUmQ3|I^J6GdJk z2{r#mhwx)vp$)3uFCP=H)oI4|$swir-+Teat`(x6*_A!WC8VP6gkC-i)nU`jpOhk?h%g(z##rFqt6gd;ZvGhCp^n374ht+~nhrfF4S*kBZh7o$63o*$}zaQ?W6R zxFow~Fx8w%(i*LCuQsL1b`1n0hFudxyNI5s1Z6H zpUQ0J#ove+??u)N?(WB>BF&5Nuv-O-WUOW+0^t~A=-14yA@BUq_>kSeGx_|r)5Bho zBv@e4GO=CkOJPeKc!6kKRlo!oN_u?*^OkWwcJqpelh-y_04ZdRH4e~9IJcQ>?=Oyb zbrA{tC?Th8ht}L^J1=kzlkzh`j}N>y2(*qHhPGR9D>aFRJB3XZaEzOhv3ZxUFOp|1 zDJ~m|{Cn%^8|X1HYutg&&2RL#Vi_h3e)!4mG4q}biVc1E4Gjr!E5h0eI3CI`aFnZi zh_aE1C)`J7zy{+S3YK?eBev?bc`Q0?5bS|XIXa;K^mj5-FI8~&_yu2(MmWl4Q&Rxr z097lC%tAI1EGU$BkvF!fr74OhDoTK7Nv>R+%U*8=zWEYa{*i*hoE)Um3s}Wkv|IVP5SE z4G@h!=7N~4nE6OaF|7)ns{XctDZ;#iukhZo)Y zQyDyc48RMz0C>Tp)BQhqfgJ!Zc=Jw*PM0+x&({Fp1!rhT-@`V^pEIVB*IIzv zgomw(s{X+X`q5}&lK%@Y*nd-vI`hvT00i~)d3JsQ@B-SLb<@moQu2>dg1Pj4C7H4g z(&!gJ^{oYmX2&_xKX?J4TW#3>ZGS-%^#a^?X?7yX*3bW>>VAVrE~pmtDX8+5=M?OI z^!_NIGK}Ta#Q_1^CxBTLcb-J7nr#Fjn<3Ds&fX-OYWzQV!4gTT($a}K!U+H`II2>O zPX}D)1^a-ZD8=|5#+SQGjD=fY*wszQtn4rvg9B)a&uKAX6sY zxM$YheQQS&^-MTQjYgN6N+&>4?@)gURe5e4^uMj7*Z8;ku+pqE*Oy9O~7< zk5J121eNSHx=JoQQq+a=KhAq3n?N~(<3}>cVc)zDY z5`X>;7MVJsx_vCZTj$vme~S<^pTkAo-sK66Ent*N#S^$YTcW29@J>x?72(RRkF2tXX7Odd?ri_{wd=1<<^E=oNE%!@=6Eb0_efb7Ar|XXrf2%!Oa?}w&DKfzLEEmY1 ze}@X6gk5G4%0Et~{lgZ>5io5|Bn!)6ptW>1VTXL@)0v4lVah#w!PBcm+Y_&o`!V~^4T>S?l3RNDKDAZfBd|9~U#7<@V+j(T8D-DnD{SxhV6b*#&N! zXZx`rqq0vYOcfxJ70v1cy{mV)w%75FvKy9@hi0l?r)53cs4A|DkuJ*xJeeZc`SZ)fpCI7+u*tIIcm`1WG53GAI|r;MGS z6R>}pAT+0^sqM#Afxx{-a5gMHVW!{XrOE*C}}yq zf}S}RsP3NVUdb0ehym7L(ppex4|b(QG0aGp=XV<-AJYgD`{%NcKVHmsb392h?=38f zfBKnLuIjupY#Fuqak}Cisg*qYcO*$JmGjZDq@3FgG8Q%tIh#i!Dmj~ky`Zr5qfl%t zO75B@UYvM-;HJprvpk*hoa1rWg@)h|!Tu0(rj@pxr3AyfRhKMyg}9(FwM!L;a3#Py zMaITy@^C6&P?#o_Ox+@DT6yB|6dBeK4q8wiucB;ZS9!VFnpH1K%&Sh0i+BpCQ;tuc^u%vDtbMnSpa18+JNVSDlyq4*8OlsUU;0DMH7OovXa8-=*cRvvWQ#Bp=T70 zST`JAXvD8ZsUZ9NvU#8R9N2S4vd^2KyT=mqv36w>oDNKaD`5{P+0di+h45EB+s?~Z z(Wm1Ezg?IyW?IKOOyIX|;+~XG*mIc<80rQeKmX+m;)jDp9@91#X!)%h*)#pL?t_?< z(tmVbkBdhCeKuvJxb0jfV`m1*-Yb!Ilw z0iHlqF`l*l04-Zq1QPOlVsgqZ7t!G{t7u@#rpv&~@v+HD3Igi-uFWC48_bumnAoJY zM!*v)&)`Q_iS8Y*7IGyV4#DN>Xwm&Owv6ax5`1q9gy(OU%H{YeZ@C%x*D^x-yeR5iaEfY9TZ;s=g!Nd@OR~~ z5pYf9U}El~n!J-gvMWfQ-iGf!yOZ2aEW!(a!m4T5xDe*@-ytTC7^Ld&E_hIoqmX+= z|51OeDt~v4r4>0Gt8n%YK+5P|Ss4+>OP^=70|xnppTW5{wFUvSzEwQ)^@1Zk_VUAT z`yv9>Ke+n6o6B_Ub)p@rNI< zP-imQmLBF+key#Zqw_T1J9yWwxm6&{u8bhX>J0(zn&4-w?51ku_lcoMklTV?*J~XL zf}w97-}7L*Agr^nAXHpfgO^R|lcNO%XL%-4ik>IWvbSW|;fLq1hT0|4ocQaiukPkln})qboZtyuLJ9VN-yy{7;B*s9pWB`QV|eX*p9mHRLNszb zM7DK>OI1#cEY(R2FF`?riQamNXye&q+iA6 zR1hIN=>HCnBxKGaq(UmtBO;l^)r}C@@mr^H)Ni*|cL=XDuD^7xhxTA%;ZF1i6zU$ zE3@4VR&jFF{6D(MO(s~Pvc0-4`OY4Tpe&{MwPFe+p$ChexQ&HAaK zc_b!!IRS0FOnXt_cJozhbIitA5Ocq|-UgBuHIzl2ZyfOT79M=aKew3AP;1BJJcgX5 z;MHW2KdAWe=(yL6O*n6?PTRA%Qy;MoJlBNn(>#-xe1XQ||4iDcZPa_(eULWU_x>U} z3O>}4J5%%Y-9Xitu+N%h96F%U6<-Oh7G1%vV*QNlo~St`u`9A16)<&tN$Zd@J(pe~ zKM)j;A=pu-Cpgnpm+$It0^>Dj6G@~Q&`|lP-WOK=xd^+_oP>HJ@q20{?uepG$|hrO z1Qs&%o9|j}Q%b{46JEG<9HBj%7!$sN{E}hAL$U!lq`L|(%lT@}SqB}_wAV)hM2lo; z-U0|RI&3wKYLjY<=O%(ll+@dWms^v)df5O*d~%+5sC2K%pmv3IugP}(_eTh)MI=}_ z#c4nxw+Z8B^B8D&HW@Gti~u4lmBr?ioENb2;AF!>qQivOaOO9CaxqkH4y<0mvFK#`;8C=P(rb6(e+Y$I68)nwvAE){ z6m5SX94W@jVnSpx>e%=~m+sn)PtD$x2tBlyj~-CX{exuA3xxs7%fpWD=P=r)YpF)> zeYd5@lO!IZgZ@wS4EA5xWv+&Itq;o`rN$duqEGt~cTtYXNt-J>O!cpO%iu!aQKQ1d z)DeeB|42SX3A;vla66W0T_QgJK7NMjt2JxtGjXCavlX6-&cD z=SPfIM)J<>yiu&{Jco_D9+M2}iX=yddNG;9xSj-9$XYXYpbWpAre{gi4axy$~gnT63Z-|3bT(tNqA z0%6iW3Xq@Mr?MJeyuN*~xDr#Xi7l^Y!QLdcFN?m)GwFV8w@9}?;}Y%7$+eFiB0CIu zw||PaldFh?q{%yvnc#K@?MGL(Ex>%n6qBft_na41RL-Nm^Rp7ht6e7+{?Nj)OQCWi z4YIYfBPW>2fCOsOb~FgLW9>YU!pEdS5P*^j@?@4DL*sy zJM~KV+6^rJaZOO*(<{|L12&xTci+moslh8#H?Pz1-c+i=nNz{s)tW0;kFIPFtlE{? z$Ca6s1x3Q+YgxekX)Ae5*3RJp zr~q#fv!l2{>5Rn3&WQAw|oq;NsFhR$$Ar1+M_|XR`SF$ zVQw%;dIt_?-aPf*Gr+utop-&lRMMRdk+-dD#@Neml@|SQ?AWOFsZ4S&T?#HhF{}i_ zCjA|>XE9XFd6k>scd@QaIE)@$br*zeyiS4EQib|KiDiTUafP#a1}RAux-8$LMRHfD zzro;qwczl`2~Q5z98;-Bgj^11Pi}&GpBX}>=}q7`!h7=O_qMz9kQl+evYyINL1;}| zDsn%!PAP)ODxY3GiNzTp&d)cvUJ?F7BG}hy+#hY*6}ur5HzAA>zh{4Z=xU$fYtk;{ zQh<90`d}70^)i4aG5RuvM^qaQ@H-hHxay2|cl$lx!SE9|(TL zx)sk^2DRN#aM9J_*@Dfr+zhiTmq_-w__}d6^K48t*=y{qvifyk&YPe=r+0Gpv3y#D z2hDhloR053raa`dE#D13`eI{l`acL~5-=$Wog%LB_r9Ao?BRg)=lCH?R zCt;G^@cc7E9OcYkADZU9iO=Nux&0V}iZX@&{myTTV|rH~0VsO3aCG_nGnkyY{@P&! z=riud8_Pu2OzMdRD}3D0kiwU@2eU{{ZO@y2i7g!QEWob z<@irwm}*lmd{E;Mn{7$uk(WKUJMU$?&AdA_Fav|R7r>=`>>_;ZN&k3%QGUfs`K zUpgm=|J!)+KVl|k+W$}2L`y^aKjw?HG=JMb|IY!V#(#3m0AZ8jzl2Q>`q0mfkKX{o zro;{_v{XbED#8%jX~qlZek!Ec=J_(%wXu}Gr7&AlDhw5h!}A3wF7yvQf4yMJ@U0d2?muj1XU-A{0dtL8K1Bv%(jkU>3%^SoH z8%pz9V__PbmG28V$<|)8Z2)1@6BC|Qxye0Cer+(9CHnW7+l{HQ>`xophQ||q|Fr@2gpX%SSz-h7f1?d0uUc&hXObXl81&U0I`*R_}1iq_ylas#t*unJMfs!`4$C8^h zJ=vsV&>KVARmaa&G?!whd#Sk>)M3|C%-{uB|0L~_0n7Ke&#zhSO z*RTw{#X!yaeISMgvz2k2Z}gim#o_Kk#RQr$v{w-Y6sHr?F%IYQ+N^x20{gFdW!N*t zA3N8y5Z-{7&e72#K~sWYO;*GgiF{ox^7_d!(Jh7c_W*0-y~Du+0o7} z?ONzb92l#U9j9g+j6~-12k{|V8RC(R<$)|55KT%dswr`oL6FuYc5I3O3Sg!4xSOLQvm0FX3H z0c(lB0LnWqRxFPHm`IL&bOn99J{t~-26~JQF9o=fuP=wW-_l-q`j5;SW1SN1NJ3+7 z5o(Gho;-lJiGs2Ikc%rp1CU_u@nY-ii$}BB!1m!W2#m~u4aBc?5@O@dQmO2RqcW+7 z$`oPxa1CmNfjH(JISU*f{wr?!f+ms+4o6))+op)x_?b--gG7@(80Q?vqW^8yZ2kax z@YGbA0xoeDjLJp7;g4oJ=>5eJm(70l=^{rY7zkvOtDL9>Sb5Y|K9hxxP615hcohxA zs}1dTne{ss%`dw((VB9@$9(JH#0s}(aNzAbh=d<8(bYL)Ashl(9Sm zA97g)@=oE=&cZ5mIn(w6TXd$L9Y}^!3@iD8Q;;ACQzP+4%y-$2l&OO(zXhN_eNQ(N zC;Y`N@*v15zEfxsy9R2<)mIIp;`Zfg$}yH6*D=G2t{~UE;rrfOKEu8VN`CEU9^+tG zi^e9T)J&H;|63OkbSd1Yq|Y0{hu6nI1_zOHcX}vk-bDb0ZX)E_pqmyqwdsd{N5Mz9 zg^HfVreMOW5$}}+kP`t9PpfrLq5t?Qwc4hZ;-HoB92F1qDo$t+jNC~%N3n>NF=k_l zY`?{{pe&ZP3UK;49gg}Q<<{9Rx_IPdK3@r>A)y_K?#no<=-n(UM2rY7p};=|)4pg9 zoYfP0@>Wl~6kwVAP;g{{L54GIQd5UD!nIW4m23L@15fw;AkCE3J|g*rw0t-2vfnbn z$oL6+BAI^?GUT>U3o74HAu!+2ANQIpgO0#S@EZf-OVrl*<4DG+Bejq=1tP3uh~8lt zC)8p43Pm^xF}#g_i#F-g$3{Zu=Efimq^7A8&QUVoTfrwPPJM+iYxBEzvt&rK^omA` zWO)^S2n1R~3tq^|B5T5gk+<5w>CSn@qUZwM-V)1~gF7&J7%BuylFC3A$Rej`9Y~KU zM()*vr#6hYvMn#nmp!AUMvQ-YFd~SuB5$!z_g|T4%r#}_&7?Ivrd$| zLcC@WZ)rES@I0uBB8RvWZH?F~1}FpNMFq8kl`sBzK+9RLBe7n(!d4t~*?!)HGhJsw zp&%>*98#&1f}%Om<`7nUjWT>wU<%qd?MOlWfGeCm+wmAniklbgcGF1wMIz5gDN=7ZKbBL+ZUO#n7GN}0jxlL(3eV!k=G4RV{6ha*aQwV)I$6y3SekOEm~U086d9( zZ-OwzN|wz;DKYB_>7tjn9Gs#1t8ZF$oog%HmwZ%Blrw zvS3hm)vI2-iwi#{qY_MF*ct^py0u&q+igEL1-ygu;oue08}m(#-#~zl4qHBz#x=TE zT&Ra#sVo_DUAcJ0Snq$B<&2ZYXefB6D^yZwpJRK({4-&+6wJuQ6gXK2Ty@>6)A&>+ zxvN###h8Bk!bRH1xA19YS1Gk~%OA-<4P8()krZ9_1a;$z#DGWcOcbc&Aan9a z9!fGe$VppF|Lg4iWV*mKdFbx}q3;QegFZ>Y!k00rgJ87CFu5M!t0L!vO0g)jng$FQ zd3Ukmgnr_gS+~OqGDw*~?nC$@|B#$4 zrEWaQLAm53W;f%r*AA;Z)MQxa5JVMfj^NdFneJt_D}YQb&>Ef17udi(D3N&oZCAvd zm@%4w_#i{L0YHTS`Q_i~3((4zdKhV`Dsu`#Cd<^|if(%Wm4pt<)FvL__xyOM!3z0a zVI{`2;ZwZAcu{`sJLlDFy6c6nZ?w7O_2KCOXDFuLdo2-@1b%a{jt61|!YAJdVhQEk zx&<>9@z#1Um3%v<6DSb$OpR3^U(LiIeZ?`pn`pLBEC8+=r)la^)?|C8#kaqw7;3fR z3{Z0-6hz9c1^5l0b9&IC6Qh^5@R!(#A2|qz)x%9TqBjbIN&b1yL^u zELNRq@_P{kIZ4qOtQq}bgP7NaMv3QXVDiWx_QpLnYE}Drn4lZ20cRPl^jIR27NZz+ z3D>V(^bo43#|Q%O2M0zOT!A95NU@qU`~5Fkmg8=bCm(G>JmC&Mj~*}T>;zo zpO=lyo5rD|>x3}+(XtBlUh*M*COtaWKML4bzw0w>VSxzty> z14Rr^!KlkukVLbz$v7D$`ZNk|K?p0rQ8YP)W1I*fK;^4ntZwsO{GDdCpt5lMx($gs z5foaeAMr%>>@m>S$faZMh?yq_C4X@X!@m>7uZ()w?Bu9Ad zu826rNL1=Q?`AL?PPhbOOGw|JeXkj-HM!5pl_E1L8!&1Eg;6^V8=1!p>>Rb9=lOj6 zC3;BVL6rM@mr3O1NZlHW)374-gA05tXY<+THq6C*QbQm*_{vMHYBOS6lHJ;^sXpD! z-ieTmr^TYT#X;$RjDNvz~yW+v67FDO{z%7be&INGu!P}pIlW#WpX7DekQJLJqI z{-t%Huy<4$@G$0BgsGf_eD-Y`Pi-A^EwHn_Wz5l~b`; zQ~37yF!{wZbbl(NGGfOOJC{US1~ef4Q?V%*pn*kKaM{8W*fJh*mAI8;AH*rqu~gR5 zIg&I!1pi9Elwgy+O;ID#-Cc{)-ki@H68HpcNbAtdiQZyA8sA!|H%W2iRC-D9H5fHv zbbz^uNUv4$xRq02p8WY)qd|d}fwk=qGwlhKhF$6pQhwSYuD~lHhTKwW|Npv`tNUP2 zb~?%J%lo7I!v;)$8I%&5U5mx`GZ15#~wSw zn87Wm1CH#GXSXgNKpakEf>o?8un_P7n1?>1u|@`;R;J?46buA(qIhP{BxbC)qo)0mMLtJSBL+JYPGNf@v8!3f))FR` z;ETfqnSesDzwnDgp%Q7xu(9ADZxco&4nfVRQCWy3v!1i$*gxK;=@#c#|$J3<#2~6=4_GDb{*3SbEW`OKmimaVL76RQkh-R zrB=GZ>M&xyB9u(vYJx<=Z%?+ITKrAaHNekAsb<80kFVNs?X=Y?z}gf6^ViyRe3M%E zk~bbvYYMjV*V@!RI=&*g=dbFKEFIg&WdX~Fns73cpTg4Es86cd~O528^gXV4>*4n;l zd%Q)Mo)6`fyP}4MOXornXf&HOe#=6pGMHP=y_u5D5P|W>3Qx$VyD286`pE59NJ6@F zY01vyl|_oQ!p!*%J8*I#G~!z?lJ9gmUSZJ zX?iKfG0V4h=Gl+hu_GS<&al<+0obZp_T*=Nn0jBYk3Dk~1#iB`(#Pr(6cT_`5XkaA z-T*GiBU9I%X%s5P6O)kArT&bgBhX0M2&VC(3|wan$;O%yFR^P2R%+|K&>^23O)m zysyRV!uA2Pa+Nska-IxEnW@5|`R{yf=>nRmTmy#-i zGhp2({2YvoCHGtSGD!>j^a^;+gXzJGXIpW>JrtUCiXALy=!T)^&4w!MNIQ}W6}&Y_ z?i+Pyl=C^A`&!i}dFSP)-SU9T{J~iE>x}MEzbpxMn^QM|TL>!HuQpo56LpLy*o0{3 zV>%ma{Q@#gv?9>>ZW-^Cow}KCuQumEgZVOB7T#12X)R&HNOW&fkisx+)FF2qJ6MyI zG=2KxH;&LBZz9lq{C(TU5bRzghMI)KehX4Hu6$gB%nVA44fsOq6e7njHB#MGaYmWl z=;0LASI+2T&}~!}@0g3otGoSOFnG?44%It(_LFe?oSw5Vn?0Qz|BteF3a=z;8*Mus zyJI`)bgUKIwr$%^I<{@wcG9tJ+qRRvz90K)pNn(5bWzVUYp$xd#u$iwch)X2u!7Wk zOq-W$Hch}gj=U^GH-aO|-}9PE=XFEz9)=%#tQGagj_{>?_4Hp^tCvzk!{?c6P_)O+ z!Pot2(n@7ejB~491OKM^r(D$e8G;9fRT5^p_iT)#6EG3lB1JAPh4Tq9838kl#tnMAX25x63N%!9!{u zeU^{1m@L?)Pi@VPsANj9?wsH2Y=}!UV#$}I-Xh$5oknLzb^v{uVS>7L0dk=_0bz1@ zcob`3H8^ishxJQVi~N=6`m*4#GNmztSLZqwkYMQhY1tuVEG%_l`q^R8Mk_qximIYr zaQkXe_`DHo^G`ikw4vgppr@kb*OB%=m!TCIl8_z09@kkxXU=xxk$&?ho5ibu!EgsB z9im>S_f6$Hl1s@OPG_~E&~(69jAv!PWxkSL}P*ULB%M(dQE^hb(nYZ zfbDNspVFGO^{~{%da|*s#*5o6q%k6K&-U+}@)JsS%^sp4_jr4u7xuQpL%;GpjCUdf za78ApB*m&)8=Gq8Nu-Bw{yvJZ296-6N3Pbwc?qe5sGs2>Q-CV2r+j&RB zh~0dbsT`M195x0zwJ5ACu8SK|RBGBprrTRj6*a@rr*t7S8H6p-m^#+$Z&gOG(hXJ% z_UZF>D=saIXa7<9h&&_r4LxLjW1{j3<#lV)jbGqgUJHQFfIan%m$>+o3;d5%^CnJtc3&slA5lcsWRwC+&u!tbuc z9^-IY&yHErM=bF z^s+EW=j!IhQS&ErE(f?RS%vd|;_sbV(;y%j=^67~hVuI;8O`f4rwgnM4wJ*uW+v#T zyU=xk1;ukcxU`vU>+hzU#nhHG(*rHCGPaFR^wv=AeXcFgC@S~S8dmxjtHRNreubaU zv(vVQW{s=-dww;&+c&$b#_*@O)fNYws?2LH>pRCSd^y|dSUu=$ckGEL^4a?px{M^{ zBDc+|h|PC%a&ej*>c_iZntRXlWh;_N*HSP6>#?r~q?YBTpca+Y1a!`R^Vd^95t%wU z00p9(_>|huE29m*_bVqa=D?BTsdrKURQtjHJMUzmorQ}STbaoYUXKEu8*CWY*Q@qHgI;%rWErslt9VQhU}%dFt!Z` z#di6(ylj+u?Fa5l<7tqD?JN|xL?Upr+<9|2Yee}47b(WhynCHd6+qOHaak@l2o?*Z z94-;{$sr>p{T;r~{7G0#?{yKY=2s)s{S%--Rehpu#M1z6TJ*n7A>dp(l6O=R9t1&B zy`~H&|MpNhw?;7N#-tXvB(k!#dWUprd2hQao*|fw;YOa`_945k^wm}&nrj(HznLmm zvZ(!Yb(rxl!2gKT3U{CIpX`tSEu*wE2qlv8(uf<3^pG$QQZ~W`i_iT5vMU(Il#K&w zs#g1FBuVhS7nY=eQu)AM?5Oa7nrP1`d{sN)UseK(=rX~^tzF8su19iWq1d1I=d?v# zF}%%qc8%XM#A;@HNf`s z9Pn^K7-`LEH`B)F3;z=>+*u$Wa;l%Px+Qm5^u`DyjyaT}={tdCGkR@+w>u!+BPSj; z9^4#!YjfP7RPzGWFQaG(GrqKnRUqR~c0XISF{@15U}uyS6_|})tuqjw4W#+EL+L!< z$){#<@e12|YgQ$t)(vydPb#O-%BQKRtYoX%crn|jcU`|HPP&h9qXSv6N0#&;L2Iny zJvYFX=>`d7deN{voHQEY?RT-uVa(kI0(ofVRh7G?M438L>cP&|JvPF(l3>TP(t{nT7RcX z+6x6V>$=RFJc)jrZ7F|T4uyGgQPD}HLcPTuo0>8dp(k3Yl{}6+592jg!V;^m7%GdO zy0uzz2?LJJ{z0n<7Hh#-*f&EssRp%q0m!#B!n8J8R4StV+OJAWa>i(i`s<2$SmG{j zORzCX?8Qu5W=~arVUu9Xiuy=v&JHpy4ZM=mB)D)>vJD9z9)38t54V5K1zI%6H2wG@ zJgL#X0F+R0VUO+W)0WX(qnQy8ifvrgN>V>AA5K+%ofysrgte(7O;iogLtkIGeNWZU zP8fVk_jJtUOoh_rWq6xhJx+dToX)dq75|)mCQsi%#Nh7<3z%2zv#s~TETJiRna^4` z>tv>FRClwVOeZT>k0tY>h1?w*P3*KkdM0*_f0@y9P%`y7v#C@b(xrnP6w=_dsoht= z{(`G!!mz8E(dB{Qk`uh<@>xnN17`^)7Ug5_nrXVaeHZ%JyZX#@7=r#NUHE2sgYM}< zdt={vxg_HL=lXe@<>SqfwZC)F35M5?mp5Z|?E7DBMIZ3XAp$iHO+&4bjxE5e{p8c1 zR@z6$UNT;vQx{iK&!wB;OJ9&*D%9Ekj}hyC4^ICRS7Ze+vix6!lYt)a|Cq7MS-F1AC&7JR}XX%^m zuXkh(cN)$0b;~Uq*mfIHfX+G+aNuB!IupXc+gcUP^}U5o>J1MvjMl_0-Q)}*5Ms|u z>-#!S_Q11Pg3tm!c|~;>saoWOThSW%UI%5*i6$;@4f!^Z3yDxVq}BEdn_3CJs83+A z>k%l4cG#vp*2o-lNWC{gQiXn+eQxaic7(eB*5}~^8Ns#pl{PUDvM5KpCAFtZ=z<~y zPFQ~}&gybT<0PzyYd|UPlnsR@;1o#zdeMb*eJG18rDift;+lh26|&k-t!tViRe^hS zE>(*hfLpl#D`x*|Au}tMGJEdhJABGmD9HqyJ_@(h=9w=w8epvPH*~K2p7duai?hSQ zDlTd&k)OpLGr}YqyWk#dhsP+m`4w~dJb@n+52$Inr*H|AwpcA@W)WBVrfe)@v~e|V z0W6V>_o`ORsiF_Sn-&Of^3%WIpFT9L9`H;iZVsarNa#0crvr;wJ56N?Mg@x8 zS#U3KKN-M&^WzOf%JC7jbppt4ww!K&(f};Os;)m8tqC*{skK1kgb$iQJI54} zT^+DQ`7GTLIATc!z!>RYK@?0N6g|$ggTS15xLRTK_Vd-DDj@_tpZq83_l|l|FPMH@ zEi8mu_MBOR~hoV)i=7TATQekE0B1Tm}X zrB?k>VVXIBZ&HM)aYJOYTH=nEx;_m=H}xN_g|ZQ$8LvVw;ujEAvxX8_tuXa2-~;+= zpu>Pq0_<4O+=BcK_O)PvLUfSR)E%@3l*pTbS{q^3Y}^9`H17VjV9K0~Y= zUQiT}+|&Zd0?ADh$?btr$e-(epw9#;L>gO>nORe#M#(@o^ks@p);7=$Esw4dU_hnF zJX2PmpHy}s6VwjXs)K5j@kI^-0j3fBQFlY^&l_#fTVNxnPLiznci}JY7XDwi!Iui_ z0R!YM>8!V-UZdt8|4~D41J%&{XxFNA1T`l6wUTD6g^>TFhE~pTBx{j`^8~d1ml|3y z!fj_p`^XRn2yV{j!K|87!2Ne)5yU42&U5L(NfX#u#AS{~&P9R6G||^&F7Cr;R{yE( zBqWrQ|L^XEZJKKmMKqc=rh45GmHBxh09s<*4kWBt4A@wVIr~uz$u4Np&mVybEoi=L zd~&wND4F03p$*1wRr^T~km{I17PcNOr7%xnug8`!8X>ia@Cx?dPg!&@nMdS_-8B!& z-)$z;YakwNqU!7TbE&@B`mdB|Gcj4`GrAb_u3-l_RyE2#T1cEZF)I%)&PNxu_jOSE z53Gfx9VoaKNjGaDB_yv&`8)>HE2@&Yt|ST!6Q*nNpA>w$x3x=V;>XS4!>4d!&8lD2 z6IxMa0`zyr(%v_c<7 zl-!D-`-i8?Xh|H79pE7u%_ z%r~N`cb6J>B1hA%Zjz>eBg?1gg7Vga*Xb;du+xm)+=n?E|LNQTOf1SQ?ji%N&?ceP zx=tJ1c<460(?-jFL?Y7mE#SS@*T+zOz{FxxcocH0+O`Pix2(qdb-Y-bNQI*A9qb;^ z3axz?Q~l)Q=3|J4Y08Vn2f-}qGYoUu&^l8u_XDQtt9@_^Wt@YK@<}Z8IvH8LBK;w}9FM0>jlv0JUI}Ig-3lk&NUYP? z+6;b!J0sUduM;7suw*Fw+Ltnl|#biR$`zmG^VmH<&!>wtg5iW zYyT)=!sL{B2x)f%=^O%FfQgx}#2LT;Oa^h0MCKd)r?1G6McpS@jw|{;L=Jp%`Cu%8QTgGkJ&vWm}EHn&A5X4LX?=9Zkl;j8G7xQEDK+Tgyq zc_N8aazMKwf=m0vl~Gh?gr#}()qkYW|Mw7+vr^H@H)D|TjjMnXx%&`;^0#dIg z$l1L6^&3XQ3^5J2iB7(7(@r<=3|++Gc>~1O6gHsp7)-F7ZGg~bv`ggY1ubd)Lb|qj z^fxsfYr%+^eYW=7|JD`Z7;x>n9L`$Lzz-N%T6z1Pd;j2~WE7uYl0z zABSP&ML~>9B>&PPI?W?!gax{XEi#251%JytS?}Bj(02OIy4(ulDWDTN5R!0L8X4-* z4;htQeJ`PS=E4ObYd*=n?OZwgGxVqLdBQ}wv3rV8v&Jm)E19Leqvo&LH{9L20y74+ zc;4&e(riShnJ<^!*E}dil{i`d_M3QIg+>-&U9o30&~ytK-MWwX_82OnXHTZN{6Ea5 zmwb4Zdm6g;#XWc&Vu9qNxD^gJ9;&N~y~Ai)ixTH8CA|0qDwS48mNyI6JRn~)bz0UAwiPh&D~o$0@q$Uk zb08Tn?|CYVXJN!tuMLr{36g$918!iwIQio`*6Gx!6$G+0#JzQ>v;v$}Qd3R^I687KT(Dpkf`P^4ed=ant zhab*`P1I%alJsHA2FqzpYICOPlE@*|;X=U|=Uaoowj%n6a*&|ojVxiOhgm(D3`0gI znh^L}^&VnJc`2~1SihOKPkjUHr%hG7?q9vGIH1KaylkV2CgoUP@kI7JCYMZ=W(F(W z^K$-RJv0w+?*QCO|9dqDa#E|sJZUdhHE?NAHS4kdpt&(eGF&5yAJ&%M$lG}-+sqU` z%+DXivpyuSYQTFxE@F+bna>95^+v@$zOr>}O+ znk|Zkq@s!YJvQf_KjDH` zguL01^B1p1VCf4vwOv~GNfPIGSa#7ap2%sq(I{8sUlhKgYJ&mabQPYd(g8x7Ast%J z;7$0$fr6xQoZ5JC`z9_-5fVZV<;0u7eJMN7#1*^ilsRU`KtLe%(Hx9Z)_J=b0#!_7 z1J9uaSXOM>V5SO3M7jW$6%(T7fn~)LR9>}c3h90BO;v2|!@vI=>ZzW~t67{~WR5L% zw{#CVRr3Z7vQP|^H0S2p0$gj74>;K6h22U2jA;0asXXuHjZ53}n2pmid_)1M%~$rh zQrs(a`-`ay{gp>W%&Rvkb1rE3SC?pw__>ar+1=M$kr3X)K^(l|R}s;kizs3en!Z}P zATioW^fzILp`7?OPVJEDmFdkBx4@4V5!00ntqc@A-xXU_0Ro4D0s=RTr8rxsAzD@r zl9S8D5HU$t4#BMhk)l@_(^gj{D{Uu2?W}=j#uUfrEAJEW3?pQxho264b-2Yt4qoko zm!U?wxa0a3xCn~j9o876j}b!ySqi6o&vf<4pWwffjsT^JQcg9e zZRvoKCs?vvX@)#lTG2g&AdULDyNHy)&Wm&V+`|gbJjna{2CDH9*h}7P!?sr8En=g> zL(O&IIa{95oyvo62r)-AOZO;pgl0>!*ai2(DYDkpgz}Wo zdoFfq`f}tFBd76)T57-ROIl)mSDCo}*nXyT{amaq>**4*A%@t$G=B2-g#{g&9M-+L ztyw{I{|W}}=~gy>54P6*jD3+@0SWnGP1N1>FZJe$VEg;1)yL-|@*9hX74gQ|aT#cP8hX6LJG^1bZaeX$Np+PfZ1 zFw!}reABa;Mufppnv({y0C#D+K>c8T)|FnWi&+fxLUW$H9nxg2?}Ee2FMhAB3ktS| z@iGeqIla#O3hL?PI{DG=`<=rCxu;vQlLEy>2)4i>gC@ZTn~Xp?1qYsu=@X_~48nNC zH1o$!CIcefddBjNc5S!ll4GmA@Od?SgAL<1%!+vjfV;#9FTk5}?jy8)P>87~v6bat zDB%O4xX##&487t9a!=p{+*y{tdLtMui~U7Ky$`~UgkWu#dow2$RsPaYv7Wj>KED~m zO8|9L1~gg;!6K>Dl~Nvp3708F{N1NKf<8v5+;AmrEJu}Lt@b%t0+c&Bk$KeCEeJ1p z&p+WL`37BLKRHpgqs%7W#$zFL+B2LZvlwEnLJE3D2HF<`WZb06O<$`Qg%vhY?E5#q(R2TDa-)@Vt7cAx7IYef- zgA{!FFo2kJC$^w$#ZIZ*tWT{8Byes6GD!}5Oa{`se#^~`)9Ocu`H_(KX-JLZuF4PS;Ji41{T$slMU7o^#e#L5XHo4AT|8XM7d&SZpc94-rSDVeF5Bt+BX0{Zaajm+8G zX4idL@ZfV2XpNqW{XwJ+*^jgSw=)%LW$-t6$n$sXx3a^9Y(hXmg?1s3_>F4&y}g~vep`p zpZoVXR7H<^-%9pjBp16ST@p}n3f6BrUxTap)it9}Z@Q^{t{`8oPqP+sXz`Ctp7dIB zokp82BV-N^W?hQkC(qPYD@PaWBiuvGP+FO) zIBnWV^em5x$ZgIXjujRg^F&#p!`6}mFga&{7my_!vJyjm)Go;hT0O2UIu6Y`CLH_K zqvv*R3xd^dGd}IQxKF7GvvT1X^gD1%&oQspj&!U2n|MKzf6vBusgzl#zQxM|RTO1g zIT<=FiO5VB%^P)!e2>cetRb@=GQFu4tB{sE;B=A6ao`(zCi%=ID|mJP@KmFg+c9J^#|I>P7UJwSz=_xQMP7Lsh~!zK++6f3vo+r|2%40&@QlNKf`-gF6G^jPFVk4 zuI=Bstxat2z7*YI%w-i|L&whU(bf>c7PbyZQ7k}tChzNu4)obqqh&3uw&&2(ufT7( zs{{8b0ZVCoP@C_pP`$vOMi50t9j8#O9AxBvj`Z3%Jxx7vnLV)Xv>~MHg~_C@J5mkw zK6n{gDA)T6>BaCxuzE&=pX-uL(PJQk!B*%l zz%}KZnO)*{aqC<|+XWQec=BKKnIc$CR%t%|Y6Y*E`stgzowj1nPR_GnU1uGPGw`p! z9oHAto<3>@FFdqufJnIQ;`NV{kdUeLR9*6AhN-t7vaIRzVR)m{!tSZZM#wjHIaNA8 zFINHIT^TzI#C;^Xd5Xy{O&_f%mo|ito#(CF@M%^D7T6^BWptz;LI#gPxEtK{CNIUV z+6-s*t)a_*j~y9Q)`{#_+JX>EtvcY)z``OH zefM?naO-}e;pMt+9~a&9)$VdqiO!=VmyylUArid4DA&11*M;$ogT1G#_K5Fyabzkp>Vk1pC|VmG^HL#@*IYU}%|WwsCNvdFW=(Xx8IzwRH{+`*74YYRB0HP7IQ z??tA`vm}3iBbsGKu#U5%(`kcr4u;34?Yt7GVw8knzX;0zgc4lyrI!{MA1zxBVpTksdXg+b&ED|Y&1SM z?8y2c8+n<5wCOj^=`rntixag#eZA_ia2pO6FzXF;6 z^9cq*MmAO!HXa@rM<)kkeQOxE%*8HPH>Jfz`p)I8;|Xs@QxnDnDI2DQQSaYOg1?`Q z;z3FK1EHW}`H-Q+2~}y^Alpj8zytsOrW8g(Z8RIi;g_$|5!2MIs#4LhygaX96l zO6pr*ep4nJ?Ridv25b8KI{yATe$DY6nOIF}TJEmuT3WNL@y5I$un@!sL_#4i+gP1? zU!U`KMf~!BC8Dp~1ekR+?tBShcmMsx((>$LC3Wxpq8d2D`z!t)52v|N6kK;LJT@I& z{Z`&oQ}P_o8Ihc*@rWcnc3m7LT51!hg0m)#B6qgI-SA@bYngZB8BFWSGqoPCzgU9` z)L@dOd2Sw8K?+<$1=yV1tga;A^Bx#t%L@+CcePdc zY6$Fmn!Wo7&;R{0B!Gt>Q^Q4xP8mg$NYW^Xnt}ERV3;$C4sRY97#bv3vwjj1RdA57 z(C`SJPda^aJ2rZ)cXYVFgN2C*|0FBg+i<@h9|MK;M}wuZ<@@&ixUs#p&C7Vj8wqR{ z>sj`06+jKM5i)yYLhpFuY})(YRQV$iGk=2SgpAigYl+w%^u^<@y{7(v@(_s15qb53 zVWtawELsq9hREriH%K$Yrob(F{;kG4-TVyQiJ!f;SIE|fmGT9z zGwezvMt-DY7WUzpzNpjs#rDLe6V-WNHv#WNr7`8{_K#DZJj`}vbiYJndT}sMg*?vL zE5sZUAQ+!t^OUmlZP!)m8*xtO6~y{gC;XW3Ou)NAf(t^o9Kxgkas|J zUE_eRmXca*PD%#T@VUKd`<#Med;)Hmi=|Vc&Wy0xB4v>P?LNCdNZS~mpUJwL#64Te z9ux$V`o^pPiiQapAZFc6VaFrYUb6wrqyt}}F!pl$FREbdp0e04tHDyXd1ETqm7#4~ z$CW9*{&)`T?t%$S;o!wX3a@4kSxy8iL5E|UL_0V zuhFm8A^$uxLqZLRbYj{2oD`sP@KScIUf1wAx+i(qU71wxWVPqo0RIH zTVR3In7}<*;(q<>z5{eoRRlBMWkZ&ObmRpuNiOrGjC4gold=3o>a zAT<2~^7Y-u@D3+;d!(~wQT=Gd3f64@)}nHS&wnWaL%T0N(rf zqStPPhFgoTMw67+8Y<*y&=@!|nY_{I%fXUSo@3)`lg)Q=NA+?jn6$(3?HF;kZ+&G} znimZ`iBV_cn6>UaMHPv6aqUY__Lh!TRNCg3&FyOMt!lF5ty}WTD$`I=(QgO-gpl~K`|1!Be?L^bX?x_~^+8U`&7_Ez-Mvobjz_pP?{+dlz zjU*B2Gw9|~(fG9D=KM+Hgfx#vQ*|7tm_M@QK(5(L5*@yTG+f_q0G;j-n_<{e-ws!b zOlf&!-2R6t!*vYAGdUAkf4V-n9Rs{v;j*mE69P1Qo2%wa33;-@b5_JSC^1}}Qql+s zCxTu|(p-qBcewixF@XBeLBStY*ApT(u{c#6wDAcJp$MAEJhj+94mOabHIFFR)OOFtZ%)t>IulUzE-9D+ndaHGfA*Lv${$Wn8J+f$= z!uT&1qqe4Kpu_NX0aIG-KxyPx<6V;yXfnw&1z+}_=|Se6!4d`5xBM*=*gPSJuo~lZ zd`{eWqH1^!Nb=SE`s1ieR~OuRar{nqnN0Un1^HNOOPX0R$IrblDQ8-ydJswL%#c6fBl~RHvO% zJ^1sc(xx*Njl^qV1*1Pc6XOv)Dk{pcGb*Z7{*BKF%w@*Lh)fR!ehdZ5s6-5!Y$f$_ zXqWK$IGt1XD$@(TAdjj4{_=kPXn9NJIQ#894ph-p-)2&8rrBt!9B)xkR4>;+(;I!G z?rZBeMh{7oiKw8wX_amXrBy4^^tmn*^YoQ2&+FO8;-I~vmXkeIRzR1M;+>*&(q!-7 zQnI@rcwBz>4nnmgRX} z1h2k1Ulx3*Gk9a7P1lUvlVjANYsbMo$89Cj*Zx^eW}V1EnK-rrp3jUwv`56_%!Wl% zd&Yk)oh8PdBB7ve83`SoE6`hTc3`xnVvYWC26aF2G1GSQw_)1RI=G$-<8*&c;WA~0-Jfm=l!XE~B;x=G` zmLg;uc9H*imp>k=m<#)1jGuE{=D^UqU%>Tn*UzL()^DSRNZz;4WaqypA&-Af!0VbdICrp_aY1k znJS8imHI`Dv>-tNvxtSdI)f8TA1)#LPs}K2mo+TiW}JG*lLfiA2!~d2nb2R7b_j;x zjTxlm=W$iG-%wW@E?lsnnGlh?;!;rAAJeVzM|a>jR0;~{)rb?8=vA_=EPSLw`y0W` zlqKYX(A(c@so2yml**%9nV2V++)KO8u3YWzJ15vB9iQ*W-1S`_`0ZPjr9x6DQaUIs zX&2a3Bon`sb%1vgsA9<`%@8yI5d75%W|a%i%?Y>dz{TK^QxX@4VQp7V=a=e5X0!xI zdvLA)&5IED!_)~~1tWES0m4>bG`tg2A-+{lM_)-vUYy@(bS&SE-97O5e)&q9aa4-9 zH15vd_Xbj);;n1NyB2IrVrQ0kB@34G_+OW~T_1vlXXU0juhsF{zU;uhx5o;3NB|}q zZrJUVfZ0?KEsE8gpok#H{_(yD{S=-G%YPJNX+kcb^)M>45(g>;d>t*Tt;23Pai~~C z?-LKkvw{gW6W!eJTUH9G@IzKx^9u1qq(= zZ`Oqu!FS%|p9!S?F)%+xAoZh3kbVNDzQhcAlM~ZZ_)Lm<7blMcvE&msqzh+_jN<<} ze*YnOzu8$xQT$GOG7#Eb>sYtEwxauU>08@&G88rG*GOhq^SJ%gzbhp#t$&*AZ9lgC#v(dB3hyXHE zx(wcC$7V0uPSyc8%G{s(=+eY$$!t;x>JM507opCMb?1nqgAW_FQ@w?B8H|!d7DJ=I z#I_074{WTUS1*i$ddx5)Q<52^OUsJ{6*&Y$74O>3bgcU!tkb5~Z~ObH%t_wQ zvKoMiOs7EAC#TPIbI<2x^XS@O5lotq5+B`cj^<2AB4md!4twYfW*>36$Ucz)f#C3; zhF?trzk2lpxiEV7;Tq&9TXo(>LkJXbMN3B(1HrRjTph<^3B2wU%X^u=!9tGo%r3cgCZ14yxCp2 za}uPI2!~ncRj?@aJ)w;0+tXVJDa=ifD`l1#SHf|Y}nPhRA*z|$P9FJvA zcx71aw$eF-f`K6`f(hqf`GKz6dNZx&I{m}e?fG5LtIO2j)KAwcxht;3-kv_3b7W( z+(Z;2(@)llb&FH$ph41LGH_QJ*ru}$j{)b|SUNWjkJ=iS^))p?RK)sWReqOBdp1Obb#oa8pk8?$D<*4chMbfg+H9>i zkgUSUpu}c9U?$j-Q)+)Tn%4b#(r_4j`?oQrS57jcp1oK{4f%a^SjOAkxrTpI6|SwW z$>U(tW12_T{85~6&Khl-!Rq{Ruow44?0UI02CjMT9p?9FCL&7cTf`y2xb{LUQ3zuY zuZ1Ut5V{Bzoo~(oUDhu)_m8g70i`TgGH6#RHqkzVA)FH451NLsD)-TX&Wz5|J!pxz zq8UacE7=@bok$@T06k{%{??!Vid!>ZopZ`)Ot)-~;dEX|4lcjiRAeA3ymlJv?+5*x zflP849NVT!d{9=kDg!4&-Sa+vlyjthVC+?g{hIPm_`^ml%C&~GD)6fdtnJ%`yanEp zMVXGH=pfBPy=z8llK;?aHPHMFmFlVHPiX@z5Teg8E37-L7hJZ6R;?KPrDrQJRWcQ| zay#IIa?O(SQ2_ih&je1(`qCjH?K)UtDQ}p(rspcx9jo&glc7Wd0oCiSVvdtRhh2r- zehexX8Vj9*&z<$H`+Vb1rXKb2M@!BR7}cE(f(zZ4v)fIjf{}w^QKD}W9IR$X+l}pd zuU)pbTQ30_mfrH}R4hrtfXaJkTJPf%5UO2h#1C0~GN?f*qB&3*%*O9B3Z>j+MraQsfI(0P|QI z6M?kM?_cL65Bv%KclfoWcoKb{ z2|Qwbg%b#jAyG$c3yEl&(mM=z%)1OIsT=*`O9wU`lf_p&B|nGK4I$>{0t@*&q%bk% zwu^`GEa-KOL8J&0U9uxrXVp#f9ZmQiz^B-^fEVfAK10x{4kUG8s0!eMUVkUHU`Fsn zI!0wkhoaluZj)1*AGzjudH39%HQY7nXL<&b_}Sf$;2j1=5wp17e zZhmbA-OBA&3veB*ANC7oYvXejZWaw{CWyx0N_={7M~g#p1ZHe>Y^Kgx3sV+49cvr` z)IF%#7UM1Cv8*>8k81q@9+9F^Mv=6?ziZpy70iA((gZLt^x;v|QW^`6NmB?VAt(4N z;)2q)(bo#Xk1tp*f?6Pp3y)Xo8}E;0TUo&t_I5QFEGurV@0%CKM0l$@TcfJ9_ON%h zSvh6JqF|q(isnmYW1BEca2QGuW)?Y(H-NTqbE=hotS!H^tD;}F zUk-T!rpqc?xYc@2Z{fQK^rrXLG?R<_tCQc`?~basHS?x*nd!`*rv|0jgGq`z7ty?1 ztS`gNaMjb)7n)7wM}rT^ewI*|pC>&ixS`qfJ}Y(sgdOihUxMnPhqDi7x;13XJqI34CH?hRdL?<9ZMqm zY=NF;dra#f#<}mvPv2)hbLY6VcHyra_<10XaGA*d6Fk5l>(E{Hm$F2-Tv z_Hmp4_WM@kbst3x`KX;n)c&IJ>6}AE^Rau2_;``z{TM_fc-cMnaXZBRB^T@D>qjvB z#(x@;^Evq4MBw`R{D%0d`_OZGZ2pvQ`HP6OlG3XwKjV|nvh<%cUMNCA&<@dqmJ<=ArN4B1jlPD8Um z#rKbMVoS1zOJRRlI|xjiqGq76cuaG;l;hD&nn80E2#B2yL^d0CgoL~e+)Ad`j?`PP^mF5 z-(E1!B4z2W65HTJk<1P*R_)E<*ot|WK%D7PKv^#7DxwJ3O{HrlOK%}H%OcD$CkGwn zhYVEGBzoPVPwK!AnLEu_>>0XUM5>$xcx6%`kdu>x3ANOd`+9zv@r>s1;MzP?sd2G))i4^Mw#BzPOp-}v0Z|(Oy|<=WHF}Q6-d$rBW$%5zj2XHynb0^ z3E_CgK4Z$Pw7^^tYaJa?vXAYDJe#Z5IM}=#47u+zq~Gi~s0rr@|B`zo4}S!R!>&{r zqO41gIjl1}jVl1(OGR)J@82R7i-$;!-hU;nrLLvqLsG9oM(#5K7l*WTdh+&s2lFRI zbpSI-{Z6jN`(D(2&t7H0_;MSE6@0BJRI&L(b*-LxrLmx_u+_l^N-pKi^>|$W*@HW{ z_3z8|dE3ED+Tv|(f8EC2NLu48T~z%WKmDzsGs72_Ip4<&rKIId^ubN6MKUDBz;$qs zCJ}AFH!+K%l^c8sLeJgZlidUdRSO9e_8#YM`7j~hMNI>yt;kQIQz;OYK@~3afaT{X zX-FbUe59itJKAEVuzc=6C($yM0m|CG;#tVaiZ#_s9pQ4=3|IzTGs+1HYPy3bbUs6n zQWyi6S_K4F)9tvZ#nq%$HREUo(^To>eh9CJG&*!tx z=>PoPujvHvDLc~)1`eDGw#c>XM>m)X+Iuasf12g}zM9!LhimQ&11;IHi{2 z4Naw)7aLr|7g?yv9Nz9c$RNL)p{mPOHztfioNfzI%~7Hfye8=X>5@T}iRnO(bR64y z6q5B&jz{vNYj3eN<{ll9nZvqtujp=Q#aYG{;bQ@?GbzZU$}XO}&6vfg%%wTm+FznRnVJyGJPs?)vL>Kb`~B~mKJjHP5-8wAWm zq!-^ITJBZcb0kG48EF&mwuajMXyXiD$9(Q3PTtFv#7dKU+#1i(ER-%zpZ6O|`9gJVD1_Ze=GKi2YpH624Aq^JcmrW$HRV$q(h2F>hg=eu_ z%j}<6Jwa#QWhWGM;b{*799zu?-lJ~XFdK=DywEk0{?7JtR3Q*Qv2M@zZm<4~glb>} zxd(~+xm)$6>Z;?-;|9nMWk&TjW6linN#zq}QH(b6^NY0<2_}K!A}kmk#>&j-*T^h9 z0&!)Oc1MmhnGy>|EYl~c3yeSZZkYhS!~V#{qx9dyERzi?rx#)4#`i;&#iSnh5v&o1 zoI2PV9`8ekPb3sw&)J&~0}Bs|hC&N6=$Hw&9>i%-po^j=f||w zYx5elx8%9(Z&0N=7C64;Y?j7^0nzhmWi@(`Z@+ z5G{uQY70u1L(E1}j#2^4)KtV|+@<;~!ciX#PHItH2?PPdqZi>k$E52Qza`I#3&0$3 z*=q%{un5{{9A!2`Vh$@yGfgu(9Irz1+%=$&?a;1@IP$e4h13SRl%|Lt=H%TVYa#!h zg*X-d>z4`{!tF38^Fla|#!DFM7Vx#ne<${D4hNab75vBb{PD9s&oLBGpfgrdI)%j; zbm!m{pJpC&yU(S+q!Cw>O#FZ7`Uc?2zUAH6ww;OXWRgs5+qP|UV%xTD+qP{d6TZyv z-uv$VRsG+oT4(n{f4%oPdv)zvyVuvq??&2s`@<&zHS;AV_aA(xsi%oq)AQ0md|=K9 zhY9ZFYIdbi1g8}j7-xy~?@`rF5>M%e3REMcRY;S3hbO=cElyJ-I1^J^wi=KN=4;F? zxwcw_(uA!b#TW#eaAV{W3rQuNav9WHINcQ9E~Y7R%P zAR>@z;iGoEil*LT`-79QL^XyZPGdGTzG?tdu-BC|v8~w2YJG0in}HRwerd&)Zs)rUcFD38Xu`I%4s`^!??1L?KMr2rpr88X z(iYt=R*!AIK_G7HkIl}u;gO2!Gx<@Qj$@z;zR|JcR|8dq)JO4^St3Y0n4>H zGcKOosXKPZH;_cwo&oPT6@Jlvn~t(1CZNkV+QQHD z@An21i@5;x26MmA66d_5r$t&-PUc6tA{8B`C&wq_M~Q#I!P&+yBq%y40?|8df!Nupm^4L&6u9R`8hfx!x`dRcvn71063IE>>J(6d zAtW*@=7?t}%0+F?w;*jgZANFxL4)0W05R4f27Digz(I6utI&uubclYSN(LUJS#CSad^6_}unk2TmTK`gB{}MF{=skQ8-y&>|k;9eB zop|Q&Y%HTRQ_GWoSYP_!#Osxe)IP}$P1HwLe1 z*9${M7h~aKVaFG&=|=>~PFUb;U=;|X;il0bbOlufuCl$!kBSM+>{goi3xpgc3>4c+ z09|MXj4^uC9aazlh%s4Mb0HG+-cN`XEWkuWD&i%P7zn;n$RR;PK@?#GBM?ulThhxE zR<-neQbrp3deEquGy^0?Bq-!iMnE2^mpC|omen)^QbsCI{g1w|O2|8m5np}+abKBT ziJl(`5%vhNgfAdoe)KsDR;Bc&TV_MXZsuhhl8y|in5jXjf#i(4GO1r91F87(#)n{S zVKQyIHQ2(NHIuO1)~ct$lx@D{8~Io9)_Z6)c6{mU=R=%qJ# zw@_ML*7erWS3H}TnUeX)gJu%qvM%}0+Sk>cB+J-0w9j$mHf8AJ9Wlq3H(Mtke$SxS z*jrzBpLEqkgV6Ri3FzH_z=A&M=vFT}r{7YZBa+YW_|w?7HI7Nqz<_-2`oOhaC*Bn3 zcn*RP=@#6$I$Qj6L4w%U!oS9$c^~`W`D>YNX4;3x@!g3*nnn7?ROmBu9@INtcsqRV z_Od;8y|4GT@ZCpw=v>LH*YK!s_=C|+BPr=TPlI?R5E zVYTC~f-vYzJ7zdegQh!fu<1GuLG4~q>3;485o_nT+T8WI(^cH@7ovxC?mX~kpf6~* z>;-kZ?h@0@D0ln>j=s9-bEdO=;EzW~bL-uwdE9fQJL&jk(L%C#6NOIx8L#cy1Dy}^ zWK5?`!H4cfI1gQ`J>yRJWkIL;&=;cZx(-d}wo5^W^8_T+Eyb^Ms&zUDD(^ro@6eTy zc8^`kk$c2T!185W`X^HU{zF?Av_iW_YU^?`FXjuu9 z4bydgpoxMo$Rq+^D#GEJB9k#pRw<#>@&wIx)2QeCD`WU9n-|+lb0y1Exomm2fNWqP zfA+!7BFbFw37C~~yk}$stpG|QTJ8s4~b2)Na1ohk@D^r*RsP%u}-B*rE?IsKxwkKH)x+? zjYx>r9AH9D?dL;mLl5y{vg#cA>GdpoBXCqQE^(VQg%m9w-l_t2x-iQQdl^M-IkAoR zUv9@qmUWq@l{kqs5)|F>`J(ip-KN9oH`bDCk?9fbkp<9AJ=z3Xu^L3r!f}ABR*V}z z^2?sR@v8UrsId5202cFU1%pRu{T)W_=cGk}!TF-Bs?kPzLm>r;;;Ge=h>007J&E4< zgAHC_zA4JY@pulq4{9Tp&08@N{Gbr!h+a^<#MVhitn8~ZRt^Y~)1?A2!9yc@$PS?W zN5!tFLt4%6TQEH)CyyBJ1OL>eKBxF0=@!hk{4TRw4%9R_8OfG1$(KnZcGi{vCd|c8 zqid5Y_NkAWH~A61vWh~H`VdWEuYW9zpVo1>yKHv~&hBz&Mz~c0jDv_;%@yfnYgm?e z3C^C;`?}KLyhg}T?B^#AKQFfL-jhmMOm5@SeOwhr2X6Nj+IN~n;Nszxad9cr z-($9SuibKtp1Ve$ud;6c>_a3zn?E$FIv@vELamU59F933S|9R}l9_c!U^NjimaLU> z<`5ZC0wjuO<^tr&LIqqPAe9DTJ?6anrqyK6pFJ<&m-DKOcbNB>7hyS$D)BXDfbeH! zBy&jjsx=m>Pk5&_%&SLHs>|E9C(+G>jVFPpH}9i0RMsS{PTt=mamU%TpuzL94GL6j zphS!CJiEOn2XKpX_1Z}d6ket2arpotO!2q_s)*65o0PI^cMp;CSlBCrX{1Y!$vAr`?H z^7gO-VD@}TBg<3TMbHYUh(0<5!F?9Ig}|NH1z`cMmpsuz?4YIvG3fb6vD0~mgYMQV z_BLad!LC@CvPNM3fJuh!7zW^!Y?9>!|FLmWb%?cnOTUVkL{QH@?eue4+6{Ih6ga0H z8tL}+AbKlsvkgQlP#HP*_j3Of8-+o$(Gu63Li{|gB4QiCY^tL&&K+c@hNAQ2DkHd! zoo^zdJTqy*CM0<29F_)tI8}=~+;wn(uO4gSYEKeVMlUw-2mwY%15-vHeHL&b#|;hJ z?7^99uP^hDErrN08(B<2lsVKwT5OM)|qywgzj#yh%P)5{Wh#Ul9oqyRmCVt^Iz_NqS4=!^#*Rpr1uY zA}&62e1ajaxRCn7R4j|`?8AHc%;OCmGfFrT7QG2Xep4a@$RUJlKQ}sY2LG*zGM3IK*ZZJymXJhNi+1 zwO|O^JiMQ&`sz$Ou|2#>gY?WDQO{T?98RBFp$3s6!NMOZ2iXGB7gL;;we+U1Ku|A*c|#d7$^-kFFg!NB~vz4RwD(oAn}7Pqr(}i$b|Kqs!a)_rjHv$LYppwdJ~-vj(E~ zer##Cl%qBiVsrP;$HC|3Y%W<`Mq>OjE$f zB$)Ad!cA?P>$-Sa@BxkC~s|4xL2#N{aaKwBV z3x06~3i&JM9?E{Oekrg##sQ2PJ}v~Bkc1c$v)+ho5C{JJiFsso)F}*SWMWSW(hgcr z4$}8W@Sr&4KuK#hrv{g@_Xzu~o#$m2+-s_*#V6}dv;8|$Pw%&x zdY4Vd`K-f1Dv1in!AGH2Z0BZF<4R18PF+`90TB%k6}}Y{nY->osKPh0R(+&c{DJ`H zA-&l0BU<`JqX;DQqm;&s{b<`0h!ay0<9FL?EyCCieD6Ety3b6PD$naomjb5;g2GBi z@p`ldkq3#Xq{o8rK%Dn6P;wQ&Qa+T@7Y<_rZAx!i?2(e)lHCG743cX(24|ut&5Iya z+N4Mu`9Pi$(~`aP7rd;9I}x{c=@BQjgWnl!W1&ruVv1yHD=9WQD_8^X9>xix+V)m= zTE{Oaezze3$9SqvO*vlMb%ic2$z5x%7t67v&7B!CKi?1y{Ryy>^ip4KETz^?UZ84!>N~rZ zt#vJ?WDmkPRR|4XhTlg3FFi#Bf6&NOZ)qGmE?sJUIF5e?!{D^qoK539Iei?_DZD*N zc?k>Pf4JFqGY?^{p%pJA<&6cB<5B3 zp97otbY(5+_%*hCjqSGwfuAU;leWBDs!dwc+o&A<*~!rS&WP_wYtgj!LY%Si{8guHkx>9Bt ztu>u(O~f+Sp;Xwa+KUR-^`NiG)R#2jA)T<#&dCXu9nIdeN2na)w0VYuZFxb>l{Dm< z?GAdoZK&R`#bauD5eRXPc=wWj%kO!k~& zI&&;^JBj*Pj@w5Fzi6QdIvg~s6-R1%;?|D`LWB@?<=?3eoN2=&&_$>yj z20SR3shX{ruv@;g?g|9xuK`qJZZYi`fUTIZ>-J27kuxn|l#D@T5YG8-x7fn^lGaFq zk*7n}NUBkf2f|~L;~1ytlJ*1VK6rF1S)A~ZZ?K)W-&{UTD2_W#SOWyezt>|4oaUMj zHs*#Ixz(o=P_guMm)y6pdNCoZVEdNcNCFSpw_(cGg=_JQp{RsJ<6xO!M<`E6RcBen zwi&yofntR*eXwt%+oR^G{pqq0fo}-rIaL-l$kt+n79)cZ#a`X14S={pz(csfJpl}C z9*Q2=#+PZ^+w}txMJO?BTZd?moUsW!9C9Y^S_c^D38ngN3`wre_jQU~(ML#i(Zt`0 z3Zz`4%4ZB3^qt`c;E|DQ+n+ zDo1~ud}a7x=#->e8?qd>9AG@}k?xVggLdG=YqUj!4zq4EA2(!dVQ?JZ(O1qdo)r!$`X|4*a^=UC@-KJLp zv7y`SAjedZ?CQB5Ise(>{#l8Q1|1I{J3X*ixHRfh0KP2xZtNb{NfCON4r4Da`D%cI zQbZ>?tT8V#cP&H4!Qbi|0^;lxelP^SXIJI8dQfLt?=ln5XwNXyjxLzxsP9I^FJTX`TEm`W%$uL%YpHewz|AI>V?Chqv7)ES z1w;ZfV*JXb<;x6aQ>Bj8?L2l~yF|lUwlkm_nlo4aSm+0BK(ya$XUDWJ1K&%nJ8tMW z_Py5VFyaKDw4siqtu+&%yl-)+UR#3*c3Qi6;>m+SW~1m@H5-dpYnMa~f$^w7>IVks z9lQaLdgwSY2+!>~iF^W0+vPP= z9D1*{d>nS4HE-IWO?9r42-daIHC>C?#9+|am&k5acD1>Q0qdV|9b*|)BB76`7SL(nI!Cck0pW79oh^TYN?9mhNKcu?!S;AP-9Zo?GmZ*X$RE@Bl&^9C z1WSctpZR{l{;6l_6gD1zDz0XpsVVx1;<4bVVQ(%Tr^LMbmDVsY5ia96v+|DN={;m~ z#@LKOny2{?>S|C~JQ;wUah}oAqpa88I_8T+)k~BqV8^&MVYBCQpD~AnfO~c+cbspl z_-T6tgbRpTdl>%bCDZfQpQiWP_gl}ZS5F?v0|6x-m}C6$;Wkeh9-d^M)SzE_QH#)L z4d$r`*-neNshdt;MNA7764$$c$E%4h0wW)c4POaA`AKvTML_&)EcJHwbtK={)9<;G zUTEUt=M_?tC%$)=I+}q)oF<+hCsyAM55H;vO_<|B8o$zk?d5R;Mh|AEi$55&cTWYO z>)+AX-FA&}$h8>G*B&|QEDLO6M>)O5X-Ly+3_Q>kDFE7SO*bwp1XRiikpu%aj+t%9-&`P z|Ea0a$n3fW1asdKXDdkD>9YHG&pXrWLa(8Rf?Q~vZZVhSo4N9F`VK0JQV zLEvPm`}Wp+(Z-PO-Uho>9IKIZ2IWIqba0$gI1`6A{t;2;{pJQSlk+sisEEm|gFO+M zDCwWQkwv~l@o}nZHFPU=S!SzazvDzrWCWv?1q}DgF{dJ_wpQa{5#x0jFZ_MR>J6#7 zs(1g5@oRQQCC{&f(~$@t*;2*l5B*_e0C<21@+*}c#Fp&N>KxpDt2>W_7A0wx)M5nf z=%!q+&;?@ED*t{;QT-6da}*tl8h)0dpF`HZ#ErfwX6jVK^(e@#Q1rtTuKw%+4Rm=E zKMKM{ucb$d&qNLUs%7xI2-)%j11s$7qbFMm<887zJkY*&T;ikkUTwY(hTo$`k>2-5 ziB&!k>MFna-)(B&YRH7Hy^$?hqEqZTJ0!kSUapIa!defu49%WlIL4$6EDiJu#>LBK z`MMbKp&@UkQd-%Xz>o|d3?vN04B8%H&_4pQ?N8#0^z@^rRkxj$ts64TV|A?6(T{+)wx1Wr}p2YC0YVY)X#44ab`B*AV zD>U7?&9X9S`hN2EGE=xoiW-!Y8M4x-vvrU<$}j;-i+*^~5rwLPo-otelPK3@v#}PT z2i?+kF@N)4ECz_`hOw(=C7ZaeYO2yiT6wnR`BuBJWXRwQ+Pp&feq&J~dggMk{OPJ0%k1Zm_cdQk-ao0)42CydpHfJ1 z^Nvy6!&UHH(k=_xK&uMPU93xIt~^C~4mO)NRBV5aH(&EF$Df{QqO;Y1TX3)Ad%Arv zDd=RB4cmx1+dSV{h1=I#gkLf_U$;zjw3HesFl?dT%cr>gY#0`v&)x<4J^eb6LSstT zhai=>;s~RvYlBy_t2ZHbc3}o)m0%h8$A;}l!bMHevfTEix3o(1vrmOJcv|YuklB$B z;I*8V0;CNkudH_|2^~c)zgqQ1-bVRB*h+1y(C=>9KElIv@eVqaYFTHBRyH14@3H}2 zmA-p%(PGdxQ$GQ59%V>IO4h_vq$q(gWR&uEg)j`Cl0al}_L4v#sBor40CUofcI{TF zR+&G6cch0p2|84VEaGWrifFaYo|OZ`iLwP11q38wkZ%bg6f4taoZVWGE#j*M1KOk~ z2{X4*cO6L4_4E?BO7_W#wu)}@qjRm=q|6k230u{MN=fp*c!zRnc48DF;v?+^fqJ!a z97R8iNw~#Jl>J5AdFMGuGZgz$klYj26IEr`67uTQM}xFa9g_$xl^Kf$6DfOtun0)I z(gI=CgdQSx-WlB49SJc~5679b(^ArsH_wjp<7_JX=^X)mX-Km8rOvd%sBzUVMyF$*A}}hG(W3@_Akb)ezj}1Yk0`Ml{`6JzOBhLj0G_JlFA$=Yo|b58HTPkrZ)r< zNz5LZGYC1-LDvk3G)^m+E{JJ%i7#iDh6AB8o_XIQ2g%P8V~op{->aMLE7bIG#_d?+eqMzld`t zWlxa&ZEz*?RJtwc^Fmewey&{V*e$|$d zUwNXr<(yEV(0Nc=Rej`ni-&!qnj=OIyDH}Xt&6?#R;Y#JazHNB{w#+dhwRNiWur#< zZC;5~!g4iB$+Z~Kz>)28!l@$r?HVOej&7uu=ECuggk?k|=RQkl`{7*8608SO>%lfH zPt3AzSh>jZ35%dKy&RSrEj}XPb=u|PpCjiP+lY(XZ^_#P6lO-mB{M!A4>a=90BJcv9JvG7qG)m^HRzQ8lp`PM&kuR2*EXf5pADF-e%!wtEQGo@+7?;pX@POGc>cxrF6ir5+im6uV=Fiqp{OZ}$2!qQT1%(qD8 zwwv7>jB*2RbddKyAEOLWR$6=8wls4!2zS`V=d{i#{?OdXE{q~wTPu8g}Y zQvyl(k%F5QVw2X}7;el1F}1<`2I<0K((1Ta@vv=*>p*_XE%S$A(R5%CerA(xD};|z zs9WQ+1_yr3Wz6nZm*y5Nnc0K{qD?#?S$G2JXw8>wU@FIOlurbR*37?`sQ=8;w*;eThiLS=rT#giMta(m) z`JC*O9m{ZOJPAGIiJFd>ED)=zLICIigTsGLv<|PR>5Fyk|B)?6>h0kkRNUSPtqy@a+Go$zdA_d|86UC&SN;7PuTlw~z zMtt0xemd>+FYzu>6B`(w;P`sdh`yYo=eqG%AFD$7$vyN+UMWM7tIoiB;&?Xoi_feI z);)ZlIc@!p!AWkvpG3qSFKE4?!-SL{x?0+Mfna}-hx;-TA7JHD1Ii=WBipK>6bK#) z>k;`9@l2tVMnouzoWKYt&Xpjtqk@khO^S#NBN55eq~#mRbwtEdEo2BoBi=%0pq=hj zWaO}=OrS~AneJwwl|AIY=DW+6RnHkzYL_1q=jZ*79Z8_jI&87VngKHnYmyXz`kB|BSwu3%gF!QAjQM%H5Fp;o6!%LT<_F}(DeC===EBCk2U zMBk_l`|9Iiz7+K?7guMiHee5>NVx~TkG)cp!e8Pd=c8LlGx8RMCxlM+GW?AzS{H4u zYm|NpCp*hokb=<#SUJosIDkU7QMzLA++)D`l$_VZpbLQ0++78A-pdBc(vQVxS(HimxlfzoU5<)O zTduQ$8*!|zbZ<~=-B%aK4b6w`Xg*&(SJ>p8Y$T@Ep2>an)?qil>qFky!qHC!yoBzu z5%~;-tx`|*&5Bu5>$xt}SsXj+J*7`kaF;#@1PKw&0EJI;m!5C6fF9?FT+)SoBA>mE7bj`< z#$dMw$4gopIs}zGk_#D*N)E?`5Jx%R^Gck(g0KAL!d5lhdptU*AMxae+VgwX7R`qi zZe~DJL*r=^bv4^`Q$ytgLA=9i7kMDi*5`ngA{C%_bw7O<;+2&S2JthiP2Z^`*_V zC7baEFW?>Q*+Z)jVCtX4my-@AI^*wPCtpQ~4Trc|zyVet%(dm~%IDfgO-ju$O-}G@ z>TMcUEGp2-jm<8VR`E#7O^@(RvO8J5(rZ&r0v}qym0A{RR=`)~liAzz+v~{Iv%2d= ztm}D6y}eC-SyxlNy<7az$3xgQj?IC7%krwvYgv(5K8b8Ch0T?XRypPQ>CPLQ94&VJ zunl~hzzw?s@{tWJ^&!+V^HOBS0uVz+*rpcs3=hC4J{}rWR_ZoB(``+S0asa{aMO`m z=j}fUJ+(G*vn)(8l5DxZObRKwulPDmq0dCLN`Rg6_zVTiOlic6r>PGLzwS&;Da-{b zA20=JQ2K-fP)pMJTg^;q*M5Di8tY-i=vzIk3TLMm)WO_=shi_b7Ox!TVPRGAhntxv zgKYD62cWbC^)=;2KCDJB%{SmJeA1nF`z7fRFZSEFk$bXDY6%-`qR>$-`vsf6VRW@J z8_`IeCY_xW+osBwf1(EaWVUOLVYa04gfxXlreGWSn2h>FK7Lt}@EdFq>R~3>h7h!q zY&4?ir-CTaBpT+^lP@mO@GW|ZL@G55Ijd(yuCk0YB3hx*+d{(Z2l;n5|V$-5tN{=RtS5{XV(0$|-wm(o)D3?73|Rl@f)2FgLYvWT zdkTa|_hJu>4m7*8{W87$xg=vg4P5#WDyiYrUH1tk!Mit|X8?Ttj-j1O-t<|*Irw^4 zZnkuap8G0!ow~~;X#dV-Fao8jL++J(7LRt9_vT=0(UJdpR&2wNFf zb^6k%gxMM?Zf@CL4W=tQutBkT5=UmD$-(?L%hBN?)v(^Q>mB106|EUY@+GE7BP`Xq zG~k9>_jwf8OvlUEZH1B3{^adr;(jGFL0u0$EW~Z`gsJw&PR~xv!z(ld=uFN$2YnC! z#RnVtgE>qL{|-*hDvG79t*?X2|r%JDR50%FgTd%9l#9I1J@2rZZQV= z-XaR%2PRA|9!Aa$aKrnr2Xpb|FLZ$75}5ym?(JV3Zhv#!FmSLlar_UyH@5#Kxlwep zHKG%?v33+Raxkzrvvstw|EDUgXJteu!1wnu-gIk%0kAz4wcerJG z8MOrIUBE<1#^ZeSN5el$q`#wkR)op`_3CcclO3k5sGMR?0GM35T2n@yhd*ksk1p1k znTy$rldEisUGaH}eiR+MUcL^9tvOFxs=Ri$E*iwqILJi5;n)m+GFB*yJ$bn~XBUgS zHkgGtyeAmy6thZe`AB7ZUr3KXo*Llz3~F2)Gs`TUH$)~EP93|y%Wvx!)n`Rt-nFFT zPmd?~0B_+NND5WsQcTVay{WRNJ7P zod(|lUp$^lW%$aS5%r10lKH2$D!E_t`}S+J3(3*2 z2jVML%HTU^@FzgG>Q}8!?WaLi^QTSBDcy{WOn1-4Df-3o{PiQx2kO$@gUa_X{_}MF zx5o#Sm1?%`DvOV0r^)C}kGBs~uX~Gc^B#~7=r3BJ=e*`%=e*v$exFcBzq)gbeRb@? z9q7BK3b*?aPS7i`PtYGYW^_(4UZFdlfBE#nFLg zufFg4f7<@Gv;Au<)L;4k7JB;s%71abb=bf4|I^Pv&%pAJ;@^(Hz~9Gz0R9g8Hy{BA z^S=!KJt3BV1O6lbHS}F)W%!p7wtt-<)L*Q>x_|NhmVb=>)%z}g+y8_6_u~HI{0Hl= z{$Kn5;Qf2-KluOoA->!GVl#03%idr4Z~2R_^)FZPUk~=}FaEkXc_=zX8zpPAzfR!0 z>94<#|9@NvGyQ-6)&CG*GBf-g_P@B1{}Nv^GqN!LPp7ij0ja7n+{*iNoMSC0ij@R` z0Fsau5NM$5v}UwVm)M|2Edmg`=C&`YnS|A@V}PAuYOcci!q@_>ct{P4D}D0^8=F}? z_O|tx$9jXE&H9GNdW&6hL$g%O*EJ4gN5SPY_x6`Z*7Y9{P7~v)3=XF2j`3?Rlc*oV z#b7aDQp8~cj~Z{n+Z=YTID`*){3|uy>jnFZPDd!BI)b5!Fj3YkX;*KfHi&yj-?W$5 zO&2&n9S>#ji3@@`os!w$9v+WB_0w^4V<6Ya*C0UQr+JA3JdqC+SgkWRZjT3w6=U#& z-r1TWDy}`=w)el#`KfTIyBlqWPtqTvQSQ(Qt}(9GIc4>BzhLi@5#>YkiIL+g$yp*~ zO=#PBICGJQ(+l!m4y9*nm>{iuM&``lwMY2>~TWPR#b1)Se zA6sI5_{xX>!u!H&3#t||UZBFQezP_DX2B$OJVZ`vcZaF|^l3&98#xtv;B*Je{B`}y z+~;BL(v-~|D6_ljmE(cd9c|N3TL3x-}6BsVj?aG|s0_*$i3CKs^*m>X`o6L!r5 zwQ`UtB~P3Ax3!ST&MM&*^Rsaa{uuSfxttVy_d_B;e zha+1lfBylbdNf=wga_pQ3)}AM`0RcQbR{Sxw!b!ks8vT*rD7Wjt{@wq`PmxPyY`;I z8I?~U9zK8lOgtfTaGR{e!`(ed0m!DsH1^#Y2OlOBmIvS##QhKdo@N zG6kwV=Cqu@oN_1C%z28$W#+!TR8Nk&UKpq76&*AXjL`S@kwGCM^!Zi|70(= zd01@Pp1u?{JEg3Ub5j1+VTwoh)FFESmr8@c>lCL-h{07{g7%NXRz-^Zpon=$7xuGC z>~kE4mSs6!^pz&NqONARHLgnK#Wr(r#Z|SF260$1mV%=>t^8s;chn>#lFqIRW$xgAmxVT<<*R-sEdl=Rt%L)N61BSsi{%(;{*BlD8eNt#}zxy^Y;l{6Oe|g z<@{5Z$LC73?0hfVYnaOHR1Wsy=Lw^hvm-|5k2xq}{FHI~#l>ki)$&N1@M*K}?Swyv z+d-2Jj+j9D?X+GGUgNq^kz(X5BOh3};o%fltQpOk@3cfKxQo zYnG#oH}gD*>(yN^EcmS8H2uC!_*k+kZSarbW*NTvD(xmxr`41qSBU$v$aUKN(sC^s z*O`g?IgysGRjYDCwon%px(qtICEbfG;8}@5qJf29wfwos+8g-sMQ4+DOaq@t`y>aM za}S71%NjT*Mm}H=BW>S)#vJmosFj7szPQSM*wj;;sR$9eszXNmXRxv6Ws@jVkG%s_ zbKk7AWdkrJl1)=lWcc;j^ zh)nYU=*m%5w6#*$wG7;;5i+ju9wU*5UfU3VM3xrY-)(%zzcBrb3y6dzsP^4N+AVq( zch^o*kOeL+EhBy+CFT#rnBrxYFP+;jBS4P?X4twB_J?wy->g)TUTq*zbf>^>*|zHK z))@%znrm|OW4Q=n3(njJa}21eQqQiFoSNKSKt1>&1PDsp{d7=ANu{_Bd<@Jr}cabnGBSBn1JqrH#_6T*&nSIAqMPXBnsTU;{W8wT-;zwl_OJ^R zrCKZ%8`EPSvG$l$$-pK%su`J$7Q!ViUdEG26I^8h0=(N`zy6fj*R2L%|HQ>3l8BVrOmZhkq_W+!2i+2bm-A10Fy4uXpwx-u z@r9WO(;tB(Erd|c+)_r8zpWj)Za;YL2lQyCJ3Ph~-%UskZ_CHG3?r;Mz==B&&ol0n z&;by`C-G8RNX`~Kh;bnuMyRLw{c=|hp%UM9)U~_!snm#u*MCeZ3BeOYQK*^0yP(73 zxt;c)QgP@7dx)KE)ER|9G0v2@pe2i_Gm~Hf zxp`05{D8l%xp&3oX1iDJm0H*zE&dDk1CPEmRU_(xoWR|A#5x&~b_+$Og6rA{J^P&+dd8LHdV2DE%Yico8y&!f-oxR>g zK3HR=wQ(9I5;jxRjD3 zy;<$#7=XZnbdE?)GHKi`>YIU>1uH^s2PE2!N4QwMRQN82KcodA2u^$KS?5k?4%@cW zCWHrO7gF26m56T_cx7EM{|1LLWc#6ILq~CbQt&qczbWeqOrv+v098a7K zul?lgUcLAZgNm~OrYWxW?AwHM$ciqTMb7j20eUT-CPpNX$VCOOB<~`phseO0kd`xn zWI_0Q%+jbZ?r!zS(x3cB&$_3`jP{g*kd*XjZGqIxr0P97#ft~FxbROh0TXL-Rn4lW zTAQK=bFqN!7$4P?l8<*2kpll#TZ5# zOS^(`s1ivR8l&mF4g~KX3@Wo%!ZalAR1#W^s!PM(uD9Q(+Eed&wOcK|w-yW%A?it@P??S*s{W z@ZOALtI*DO-&BqSuMOr&Eom)bQZ*J)8Td1%_Qs4*0pE(GD#p9c?!XN(q5ZmL*G8@z zpp=Cu88^rj#PhSGlO5dmlXMa6@su3+xjDq2jp&%M3Yl+&1x!vXC-^nQWW;r&$-c0Z zytSlh6A4>^NA3O~=Y9tf1@Gf&=v~(;RyB7MV#ptHHq&{~QUL!9Ob6nNjx!Pv6$bo4 z(UQFv91#_f3$qq87t3FS^h_3a2?>ro5|y%UFhYA7k+cx2JSStihSaXLdE<9Ryoib_ zM9H^Uo=2(VObNu(V*0}vMO^AIGuPD*9umKlM=90}Rk;*|^=s?On)M4>fsR6o-K|T8O@Deyx7M|> zo`W_yfXl}yASt1eD*Jt`(>G%298F%3ad}=TY;NOrzo>T)GU}cPabvFg6JC~kJ+pVC(XtorVkh)M z)AhM>?8ELHF)#cu4Ly_0o`TO-hN2)6UmOp4%*;WS`IeEvAC33xrmEc5j(I}JbOjNUi7?!EkQY)4-Le*{!F(6fv>E6#zlJpt0Fp zW_$=Zv%Ir66)a-zxJ*X5cbQ8XjcRJM=c#DiIIyCSn$U1?)ZM~7Jy+i$<~)&LEk|p3 zB$_5k$jA)I5;}}@G3GEc`xzYpQMzcx=BrSwC6tLN{6n7Nu3=f@F;fEo2@Zgh+@ROwF!$q}bji{#-K_w-n7 zXk2Vd&)r!H?Kh=*Cn8S3hnKp6DItl0@4bLM8?+2Hly6G)Ga|8ZkB9;xY|{k^Y=k|H6XL-tXYhegH2UHVde zP6usGAwg}WsiE7|QBYKx0>>s}Q_cAZ^J;JE3|UjXgm*@JZ_WZ~9ugDW+ykykX4-TW z!~Ru37-DMfa1|xW4OTFcyP?r2b=HOZ#)kLChMdD5)kwST#$N%=F|*B{|3c0@V6=!o zu#vsbVGFKPwX<=V^NiTJX8HVS&e$f#CB|iG96~#Uby>1&>yAwt-VBtwt#XK?N=K4s z#=DT%AJqcND6jRvacpH9bJs_g6lw*2g2={_t6Y0{c$nys!boG`{t1*|sh$k2T8ubN zT{iM}#>g&}7&G@|>m}s{Un6-ppUj&%A-$`F|JK;j&vC^{l}Uy>m|>6Zt96wLA1i)+ z21rRMGs*Cau8*zY_vg?Jp)>A>h4(Bev};gp%O4u2u~1C1Mm`L%L^Tp59}sM@wG@7q z&3j-LAxV}jJ79t#K(?pkK!p78?w}OEuAYg1EmW`V)uaeLS}}Mn1%BH@<~Aotm9z8#+u4%M+Yd)`U}k)V1pLawfnM$9=l~F|lS&5b;XM zmLh+o40R8aNU9yQv1p!Li(Z#meTK8dU9Da*t$|s$G#e(aY?8+mVd-14z-*FUpISF$ z3C=^b6z9*F{B1ux9O&BN9^qeUr+CpcV@?_V>Q zYudMVq2+WO!F`VN8^UxNYJOcs+OJ8IVX^rz^b^Kt^O^7?WXg(`Ks@GS-BIuJ%*u&g zOK?aK?&%2^mu9_DS<&NuZBF^A2d?XjV}>BeLWtP3XQg{6+(iRc{VyuimQo<;o%J}O zVeaKM*1fWj>1O85cjhvZKcR`VEPn*)w2ekiE$YKo}PvD`lrFDC|q7T35s#%$H( zmVZ<=nt4)pEwPyt>Fc2Fu!bOPCgm(HMX=F}C4;MuG8zpUV@hkyo!J zyW+(m6YW{qf$xd&{|PiaMD3h+{VO&W<(lMs4vIBXJr@t=7Lv&{18Y0i?hd_zH%ttI zkO|{#p(+*xN&?T#F|{>N0RD0oYI;O`Z9Se@h;4DANgtqaa5($J2>%A4=?N%>YN%B+<1HB)^>i zeaQ}TJx)UD0=P6uTb-!*A((CV3K^GbT|&v5LJLT0(TkJ+p1nl3Q91ZIaorX9_RC~O z|CbwVkIOhEt7?|d`|Wq8h%-yc+^{=Urm)Ck}9d(cKs{0f!NpNBx%8e;vpzR|+ za7U@iwIt32NwAMr?fGJinVI4G>iS8e#+k4eAqRqh(9AJJn^mKKiZ+kK@+$eSg zL4Ezbl)pdUDOG6*aSBi=NGjsD7Fp*8cDR?u=mYGPb+3Gs}!4I}JQwpfg-C*BDn*#X5V3a`T=Ey>dE#Rc(8fZ!o2;{My)nxtMM8Q*g@&)Dg6ipAdd z9p3kfZYtbK(V4yl@>z>f6jA4YQLjC+?$&>g>WEQRr@_a7m+!;>;71LTV+SN493}w3 zxD0XMR&%Hw*gs`!J&M{Ayu=u!yB~@1>9)Ec#r5$9oalHzTpO%=f8OF^@EQjB3~>WZ zpYwCtwz;BJ&o9Rb_+PGBZOHn8dB%|@=++gBcPRDDRJ{CbF2!L9uKq%g)&ppM=t ze~-gWbLw>ah{-%XwJT#=EMr`s)V{a7Cuj6oaO)S(tSkq`+7xM+H?uDEg9J)1ebz&R ze77CKI12R}yFsTa`XSy6v-sAYmcIDr`7;1DJ4kY;fF`j&O&)WwR?~jbeP_DCca>{d zeH-#m5L8V)CF!@3P!}VSeeQ1#7CaPzg~==>#Xn?FTvO*qD;7ktp&vyt#vNDZ$(5=U ziyBcUm7=&6d#a;sT4$(Sqox|Kekd+?7d`p_nWd3zDpB(|i~_r{-m$;P&3s501Dg!z zTq<cZ#{XS$o_?IIhw2xc#*Gc+|+-Nh5cK3N>d%Z?2h4XeF*5olJ3n^)fIkEBgp} z6;74ER7w`WvX}u!Yt?@JSl0X}V>!p(Cw2PItehE*7{uno)s!YJ&#K1`@4$7Y_f8FM zWyCm@L$&iV%GwCc&VtP+rFKkPM@tvdXO2}yvoZ5yj1_Iw%FGG*RgRVw71>yVCsZ*n zBfoK^X-KNRT0mtk+-&1#>8Jl^e)j$Ot(#aJ!UxVrW%k*FF$!H^YSj|B@*Q&lq^EMq zmftN+WC-1o0dbdfRLO!XJO~&$bc7$8bE2b6Hz_2R7tRcu43>p>KQ!{It+@uQu{K0i z#usjM!8;=_;m-)MtOFLedPUB;?p8FS2Qhb^t$mrA2@&4+zoDY6bzn9u}5&ew?qYe!>OVJKVHr8ZXf(_3|I zH6rIu2ua5M{$Hoo^pqv|@f5?Pkt5B`HP_a$`T!W+NNRFhyOF&SeX9~)6&I}0ecxH8 z=UG&rscYyqbT#?t^V!1uG(;T#W3+8^JQJ@?>dX?@|Vx*YG6wK%eZ}g3RFrvcz zAG{TNRg@%8<+MK}Pjx^(7&^ghXzFaC<6iD(lP%ifcTWoomgZuz zHt6M#PvJ80Sf57E`^x8g5e}JHsfoJ3UC1}$)P7^yV4OjGk-Xo})>!==-?{-zuH&AH zk7Ia35A%RJ=fMu+fUA{jOXV#xMKyOmGp`9$F-a{sV`xJBf>@=LoAS%!9+y)$kL|^MhWT#=O6xP4Ev! zeSxCBWW2J;uWxt@`VFQLzm70Y4*bTMrK)gHa14TE28o*Z^O70?jMGSnyGF&bMBGC1L^?nGUj07#(gohp_#j0i*4=8u6hFBYo}t*{9%u65A+^Bp^EfQ2 ztLY&FbK`2K*u8G~`gvFmE_z5sq0t;WCoQLHFviPT3QEN_@sEVJI@cD1yS{<;)r=x1 zNzYowXrWwqP+e=55O7Z_%Wp<(LAEM!&a%ytLjX`f-)KVNkDn>gE0^vKC>v}**7uSF zno10DaTvs2_6A}C;hLFV;v!|rmKcbtSC@e9M)ZOGZK&%p+`nzVb2?c3(bC@FPr}F{ zc#A_t9M!9uPhQ3agkV7jMf(bD@cl#48a0^|1WFjz;i}oUIp?#}R(a+lWb z%MEIinN3V4&FVBYOS9&#mhIKd!S<#8fHmh3sF)yIGZL~=2qliew^~pORL+z}(4RWe zYiz{BXUq^SrypoUY9eZdN!we-?+dZ_Q)5&|4oex13DLMwEv7M$GCmp2O-xW}9pz#j zkJHDI5)B#~LMoLw49N^##SqthPv$E$!j84+nzqrqyE;F;dek@G=l~MNF|6R2qljUy zpKut^j|n6w_(I@1RcB+eCSdS z5-(Hf?-6&pcG2<7p|&$RAaZ)F3@7A{Sh37ProBcUKg=IPP8^R5S3r$XFmp398ElXT zoVfD#gybByA+TW`Pv7F+-pJc?r&1Kiz$Kj3Rs6<*XJr(^IRX|YJi75p+~UoViJp8? zgy!Jcc#&Iifqtz+eXT=zmWrARFOX#Gl=kM6k+_xd{55X{iB)nU2ah5@RwhuKte1aK z>Mz;}sUQUFUo%JzDN&j)FD@lPtT`EA9>v9QD+bnd;Ct`u?(hEX#DmS5xn++jV;v!L zvE3*vY?_b{`TDFB)_ZGK>$FA~2DSv=9|r|oRIt^A;uL{$4`zatAa*3KkbcaM3>^2@ z_+a9~$-XmA^`~72liut%d>el?U-&n85%rgE@Kudl7RV? zhH~f~Yzd|K^H)qzQv0fYVxCgyR1~sURO?QV0(4XCF7A;B=OhBk&_Zxpl}CpDcwHKa zl8yS+Esf6geU;9Y5kFz&yPmUCF@1rtQLu@TlY8lT$nK(gUL429zK#~MENtBKp0aW) zE8SYA+e&6bBiXy*Y5FUbZ}Fy=e(fLHE+aT%^z?6kYotU4Vo+* zX6%07YkGTMVL^BPnvqOjP(N!$Tsb7C5rzu_Iwxv$>IJ zvmo>S&_8H&V@}R@JA6D~zeb|bno~-et}gpUzeqjtJux&@qZil1d_FZjyJ~EVoff4r z(;e@p=bm^WO^TPDB{<$0d^dB%9yzraX5LcC2yDr5ME+vh;i5}8`NIsR_yln8;tDvW z1{eV{dMPb+gwsv)pAg_f-#Qs4BB^6yBk{~W=zZ{CdlPw0Q67t2u*7@NS+>*c;%Epx zj%4` zcOtlipq@3~my(Az1*tSSi^Hgn(9uDwh!{N0oc*B+8%OX5%o-2SD|`J5w{IxseRs6^ zo_L?M#F^(czz5$!HmJt4AfQI)@kB=!hpVRnaL=oYLb$Np_xaI6#E6vdta;~W$dFja zxGx7Lt!t@RwgA?p!dB{#763v}aO|e@hjAxYJvfj~p~Sn`!DDms3W1gNoad0lnzh** zHRNU+@pticU!g~bWC5Z96$lrpxP+Y^Y?9$f02J|6?2ia_NOhpA&sVq(l|t1PR|XAp z2C1~gRo=ldOkuLlSKASi4do@R6d3zB<(^_>7gXv=dfX{X9GE~^r7DW#gHqEb-uI^V zIJsmd6ND`wtuyq@>+ot5S_$@$zJ&LsHXY`cLv3OmfUd z`v}T<&q~PRgkh#$jukS1x}XKkriU-Fl;?ZjbI$}&+}58a%D#3e1=3AYz^^oyos48QWA1&D%FVIpIDy zec^62^G12uftTj?Jc+=?HNKz4{Dfo{Ixf(vRIsb2TqR6+egT4L zW7Lq!4{2T8U=#~(?g2rKJ$`0Xql9EIjK{}`B(cuZy(6QPin+1^iWd<~3Els7of7r; z@o%XVQ)&Q1Iq+`+V_0q}Xo@Z#+-3ol=T*3Fr`Y>nY8>6fSyc%77*KWUVUq~}G#xH+ zPVtww=h={cmym1s8_AD^UDT7<1zsXXzn_9!;2*%K5rCL|X{^%I3hcz&9hdXmuNB+} zGc{7bMea?!%+xkR&-<>nw6YH;FotL=w{ad@`TxoGl@oQ(1dcK$2m>D|jK<<3sox5u)^H{sT@moH$7eV zdW{XKR-ny-TxL;4lf?l=o13cp%yB63!it$fw|fj>^!l=?T1Um2F`doynb9%QS!vZy zOOMM0d5B9%i0ws|xj~)O&~560R@ab-D^ovcf;hmCN~2E>mR3o<>ize%Xky ze%n7B@Z`#R36KWhP)7O>t@btXWNBezD(C)?MY&1@w%Ch5@i3ZHaQvtP3GJ0ZKE~?w z5lWvWB>D5s2tSDjN{MqdFa%~(k_q@$;=DkqoHs8A?NN^wB*_4*yR9QrS%fIOaFk-) zs~?Ul1IyD-u{D!D4?{Ucw@kvv%F)T;ZacxYM8N}D9C9xW2W;%3Jb3lSbA)DJaDPQ} zC(!RH5-s^7^~tLpoH8cXaV$}iy(R|v=N^pjWNiY^+kRf1POCb|;&Ki@pB$NH&WFy$ zf?pzQhGVhi>J*W(Rzg6gMN1JF2Qxs7^?viX7~-aCOhHm0X|Dx8 z#-#_j9KKt=Lw}j_0@0F5m6VtUxHD>OJh9&J67+HGq&@_32+eQX_!Exk`?T!o(2o{Un1P;TR3$p?Xxf=gLu4j_{L+HN7<4y4IIDhIs&u$eXqvc&jQwp8 z5-EC&H{zybrAWzOB|p1jVxtaw*+xkr>+V1*(+(_Gpc!xk8lA8wy1Y1wq=m#OpMB-e zNzD>Vql}gry9e?IcIK!PUH-X#AQ1Ebgv~2hiDR`4N7M(ppm=+*uF8D`w9QIYjdnge zSs~^WA+AeAxmD;kVFTb3_byMD=PNJT?ogk*4_n|*wD%CFU4+jr+SgE)i>w}<_#tHU zW5r%cNXMMkIzAOri=lo4d9NAZlzu3C4b4 zQ%{Ni{!^4Fj}RnBo9}(Zq05dYe~kF)3q(cnFxS#?PuLIr1E{b=R3S&#OqWifGNAK8 zgKgKV6GpaM*8ko_EOuhrC#h2OdF)tKq1C6W9`1!n=(ao{LMZ zKW}R!RbJdQ#wo?Se0$~J?gvMzZv>h1io<1~RUSU+#fr5{Xc#$vh+vV*bXjfqq$D>R z6-AQhTD)Jo{bWA7Vewz8)G&7V9*XQ%k3H;YR~b2WrM7bI#nSL;W$6l9WeG6JU(<(Jq-E4+y)_I`KL~Gu4Uj{37^ETZ!(>BZ94^&T_ zIl~yEB>^hbjAjQFr$0^-!n|_3p`(rEWqNuTa%+ZYo4P2Q$_=f5vBP>qTWsxK*Ko1oM&zox*H(bZ}oErHO+SYj6rRdt9q+in+PF_D{gz@s_p=dV5glO3F@h zTa6`}bwnhvUFVvoMVg0jLrK>s!6ywpF8b6M3i~raH}G|Na7v0vVAoN+K{4br6@7(; zPJ{Id5FUyni=|3t5)Nl>^qMLL$+g)CldN(J6twM(tlyr;N2K(_>WmfSqHV2&1C~rbl zoD(zgZf4CyK;Y#DrO8~ghO2MQMVK;00u~uCnrT9FY3o7n<^(ht&NdM&!ufZ7GY$)7 zd)RnotY43p`$Y$Szl&bL`9Qs0=XP|re*CJ+vJrx|5%(A*UM&}*oM9c>R6Ko~A7z;Y zf?4IaCN=!#7C~3DUFqU3q<9jgoYAdWW2J#Q#Rq}$xoVN&ly>|GG6`0of+rt$r5NAK zeuOFODLHkY37}M!YhYk?m$p|DSkkhG)vAT#EyyG$(jDl)nwMN_fS)@q2X@4)dF4;8+EPS}> zZE|{&ph=pILvH`tK}pFU2`t?=2|L2kf%y;@SHX)CVWYD{sAqBl0c^O6(?;LLY3u$3j zFh=~F7DuiZ*H>^KcfnC&kCHVNpyQ<37;UE$)nl(+HP%p9TeTbZ47!3t5F)59|>=WFl8^Knf>QazO?Q2Dr+n14|NBFh-q{xR8 z;D}jd*>`(4egXD7MBY%ZiKr)oycQ7`N=mI3E@r;}xaYZdQ0Lv^06P&>hXj{3%)LY) zAQ_>e7uFoc98vdxwqA&9;MM1qoSVb-P+79)Fdf^r*@yS?LS|s`!tX z%|2^=$~;%i4-(F88rU=kjLN|wfi$-xx!|O@?mkAL`4Nz^TyJZs=2U} zp^in4wY4I2$-i2+hl+pe@Vrp%Pq1n69k>`#pG!VZ zm$mO&RFGlm=v5>l2}C>PE`Bl{^=}LgU8`*v=bZpwBH)-_w)!IO`Jnt>xN*bZO!+EM zVuYrtaGu&q8I}Anb5gz?)=B+hYVKNd9ktfPiU zjp4&9xr@IO*yE^T(sowI7}V(;plJWPdCF6|pd`I^cj7ot(wyvBe9u-R#~XS9e$(FW z*1y)Jdo=8StS;hQyQ^)>^KcNq9?%^7;FO8-yz6M$fXM(}#0)U2?j3%8hoOWTZJXcS z?%BA6j$~PHUpss3a;k7Cn^tK#KlO`}y)K35VOzFcf4#d%Lh?%wTYMR90**+{MM^68 z&i_>`dXpS|RiH`^mKcrpUx)ge{BuKXMwySK>#b8Lxq7JS=I3O|`x>}(UiA^!Fq}xfqRa!3f{liKTj*;#5 zv|oETzcuXH6`zuMkvWbSoC&`?rW}Ivk8#9{e0+?s_U~C*kT|qZ?J<@g1Hw5j(1kZ5 zrZ248m1Go=RHwpnqUDt8&QTqByVBLOJ@+r8U9>XE~Zf7yI&>K=*MNgL2*)1MO<#>FiOM;6O{*i=+qFK!`HuM$#T8-8U+)XMM^`+-I|~HVU#9 zahB(dtzwc*A2hga=oL_6I^)|-;+E)h-3)b{yaC8=4aD^={#A8RQR3qPh(~BNb#oRy zRE3v)iTvC@Ja3#(UU$wx4yU?#$XtG(7BryvS&@BiM0cji!h+Y@g9XN<`Qu2KHRd7s}P?HVf6P&oMGjXLq=z>tOD&ZwRe4 z?fSk&+xE7qqk(b1m(Sl+{Bq2qqls1*)62Z_V7#Vd<31xn)4(N$@)=m7s>Z~)$$jA7 zhyC$s%Tv$26X^Mx#ccXGG1XnnF9g}ONx#G2kW2yv26BvC>c`4TKeiU7YU%+bMT);M zhaxixGAT-u51!kjI=$k4VHI%>_a;pW@fhssT*%1UwwrN{)}2-u6vOGo`-S z$k!ewMYWicvOBTwBt-YE7mC-Uu0v5$?XrSQUFn(RT*QIhCkpW5w%fk6zL*Y&lGd_n zTB_WvrcSq=8%qllOUV|dYWi{h7@*y$DFekaO>M5n_dr+USxZ1Kknb4`B9wNam7cgf>J^1$==F!Is7RsICLlw$Y-Xg!q3@8L8WblK8s>%cLM$Az1*HD%4 zh?DHp`Y@Ex;o%fPEJc$5jK5;_xp+`Fg;6#oAAB5ilv^5e#!yx@g~4v?p9aQnLaswh z`a`xyaD!92WY2$P_qc7zQXFp+Z4`8v6xw?-3lIwL8&W8A49#p^`gzeajr%4#$pX z)({+#t$ay&A-P*|C-dy!*=xsrZ>|F430%E_8h_n$XEu;{_^H z=1n|EqI=fS9-N<7&$z4ZNXQV>5c6T{h`8be;wa*1m$Dpd*tndMnKnerMAxATo+xXh z&7k7xLVVf_5Elv3)N;ed6hJ5KbhKR&4uNs7_H6DcSW!ar$U_BIvrOPl(IWF)J3ITc zjnH$`!t?fxP+h;JDPtkfMCK)s12FT=m;rhZd$i0)J7K085h6Fs`KRbg!XU03M~ShV zvdN_d0N$5lW4bUMS5Mpj^&kxkEz9v5{Dxf>!O8*$3tNR73%Lvz zDf`HO7&jU~ZE!FejMh2^uT z&kld)`vVg(eeZu{wunE~r%T(a!kp}(ww9pGO@@BFj>RhVz;!3cb-U#Os}6?90(=o-Oj4@8arc z5o@KXQB4Qn(1#!9`uDgU^IAWAMIs`k+r(<5C9Xv;V8yRl2mGci(!f8J5eX7MH5*W< zTI#tSGQ}qodGh6o^-;7 zH+ctEikWtcRW@1Gt1c}M2_yMFMaJYbiB8z~;_(MHb_yYE)n1F!(s(s(vt#Bh%=8Pq z=vb(f1#$!-_sv)6606MdJ2eD9bpT&XYn_+H05ji+_0c$wb~)zwYurTC78J6>m-A~_ z^g>m^8pj7!qUDPx*7{2eZ{C|-&Xo6kJ;dkj!shfy7S2aP`vaNxlf2n$?csZ!{7HP1 zROlh27v;_8lVS1mmX`9e=hZ0w1MLf;w&Dvo;tL_P>FZs;_w#J%TKj!em_i$X0!jl` z`M6vQq3qYN7#x*f9N+Av^fKR^qwKx%Xx@Z4@>9q($bi>#H0hr05mef;*A8riCkDbD z1`^a6C?n^qcFr5@eCPoXuJv5DU$Q4F$eZH-DfE>7!Mx`+`L*`fqD1@cg!%Kr zq0D(CZG$n7vB0Ew`ex21Fq7UGBrv6J|8Qn}o_4xxLb`|P330Y-$7gpQtq>+Z+ryhKuzHi~VaO=s5JL@QaB3lZxkSBFIFH*`e(o=%^XUKEe-w z2oKy-bQcN_1}YyTB>DjdlUoG0lXmfw4{tHsqsNt3&-=ow4gzQ?XW~sC;8(L!z2fwg z-Tt)ErPRqvPm8yOX%P@0f;O|c-!yXMd&iO!C89+`-Z*6S?U_13;pZ3 z_BTg`NZU;j9sk)eb#$+KGQ6Naxvi^B`Nzy0?;9bm^Dl0o4i;NA?bwj$mF54>bZj+ingLlW5WkBTkYf%t> zO3rE;P*Yj9EJv7Yu2So*o@>rvl-l*mD^AEcpf(Gyo_Shaz@(DyJJ2d&)~2<@ zh7CULdt;CU)nrrhRCToHP4p@+_%WP; zz=IIs<_U(&z1cpuZ^lK~GdIUp0_`-pyMDYuxhnr>mYuZ23%1G0xhZG(S#0E!^IC{G zEXv`9a{bsHiSzgID?WbxAQMsG;Cx+av4Ot5zP*G-V(;uA$ek+*=`NK~A?1y5LZ57Q{;TEt33~v%|#j zZzSWt=#zh28~@gVME_SUNZQ8Q=9}jDmlpJ`{`@yBi0L0J=o=5A`$r^U_}^JU-<$rM z74+TUzgt27+V~%>pns_z{|ofN`0so8pH>hX<9|Rt{yXdOZ3RVV(EZ<5kbOHk&?EDN zn0%oWLtOnyO!_G>ysbhZ7(9MNrx*LvMzaDMBS)&m+y1b9Gxr6o*LQAtaUT0HJGYA$ z=g_)sPI_wgUeS3%f05Pl#AD%Ch6OjtD#O!r>*THb$@GAElHqoWON*O(p=^dT+mNjI zqm%jm!b1w+bmXy>3-@~enNr(;x5TYpyTpo%_T002g!X~inB)9qhNh_&K~?0YeRxjHX&iFF zoKo|*{}z$mwv&&Bo#rpf2=HBmafwB@IjWY)K)TBT>(t_F)zMCzOXVtl594**(?lt` z{nVmVPi}E8ukLpLI|{=`y>Rh%7v4Or#y8}nGNWVO_2PtmU%(6caR`>?&F=&GO6h6C z-!tzt5u?riDv6Hu0sAoZ8q6_+P(coh%#_lWP3(zc2A$!46?mT z9sm*1^R(?eA2JPDxK$;*xh>hBz77NcsHvD#TrbpbN>8p3rRD5$uw8fbdiTJM9tc%`eZqX0VCedfmB#e%r}4ik>i+{1 z`rj4Sf5e2?zANp2U_vbaDzSgc?Eh$i{6B2>KhO97+xGv#8~Rr#`Tz8WzTu?*mpAl} zV)joL%fSu>VyAS{T^2kPC`e4YA9X=JWaP@X6jYbgnvHrK#Lfex>llf@F~KDv!Jt zhE7zywZhr&4Y;!SmDd8_KfIVhdf}mxP3sQ;4gA~BOlZMc?7{mEEMSQ$U~hdHOl@Hq z^L_>sxZw5+WdR!S^muvoEY2X1#QHPZABb!Ptz8)Q1@9mMoJD4X%_yP^`sE4l>o9nC zv8x69wF4ZX{8jYtc4ytwa2&K7ScIGt_raxL7v>x3^0p`J9q=#mSCQZmQXalE#$U{x z!snvHucFbXJ>9=vwh0G4VU5r~Pe>u-8PZ9i$4CDmhp>xg&j4TsjiVDIgBp94w-8}0 z9fYH4nepk#*>R_1V^ek>_MkS}-u!y5}=UOG>DlCcn* zzB3coW>;%2rmJ6@@??cJmVM+Wlz^emaMjt46H>C!sfmzbGq!+g9G3i;*_4yXo?w)l z)f)nGH=Ha%n_RR{NGyKY9Wy}9%FnlVwnEc1IIqwSJuX>+Rgy+rogvLyVC+8kG8Qyj z3;H+g*0EdY_8$cuXj*(vd%qq1FioiBZfg!;0CWuzol)Mf2HFCTf~(N4Ke~drTT!D5 zj%N)J{q0U{zC0tL1$c$vay4s`?5BgZkDTMs;`EMqXCqFG!hUkj5S^u2IAVMO;RZ6A z^+9rV6xU3sjGd=B9S92)U;9mHnNo9gJ*WKW$|-waa?FN?2?3)Ex$;Bs49u7X>bA z(@;?ToqlL_sBf5?S5S=45{K2S9Q_W^Vm41wz)!KG5~Ld|cY6IE#9qk8%Q&m7nJ#uS zp+yEvQJz4o<^A>HmYUfj^job7K?bs)Y{46%D`W!?dw66}O3pH>aas$oS!TN=wN-Th zFML{N{&Z>(J&hFw?*XdThU1lZuDR(`)^dMcVLH#M~DBxMB^ zE18RxA6)SYv80-QC$OPzrwR>d$XpZKV{lyeFZSkaydg53}Tg9oR}IpFw;9Y!U=#O zROK8kB`#ZL*f=Zom}(FG!;yo!0@TuEek=(3ZNfpAC}VhnACg150{Cpp60H}@89cz7 z^VLn!Md${!*L9Hm3SQ1*?HxIlm#6g;W~p|{s#`cXzU6smR6lc%LIcyhT%oF*Dt!gt zZ&C<|NdckAh-&lx5!R%qVV+$VE?gSh(K_*)6e9eG6jHBfKDWOQ1vM0aEzO>k(+B&Y zIrrQHJ1>0y)BLHq2xVMxnE+`bcupjI6^SQAcL&NZ)KaTvSSwMIlWkJcg9b~VX?n^f zD-%Y*Jq`?5k>NlCNONd%juDye;IXQ=%ymbW0R8K!n`Hg1Fw2vUbA^Z8Tg=V4f zVVevglhl{yj;-pTC~;Ppw#6jB^&c{5(1c|9xqX8|P6|5b?-VQ<64L(WI~6e&;JehK z?271Z3ATl|g)g*Mz3M!azA_@(a1QcuEeSL(0`Y%Q*&N*2 zheBa?3V`m4EN8XaF9R~z0AwuP?8vXVufw=cId8@HpL)12Zghafd&*WVYT4j!H*Zbb z#vOC5p=Pu)fxyS!UO`Jj2|h|$g3Sq&xzI^cW0{ECu~PSj)#d@`6_Kg6+I7@g>?V47 zh|h)@=pWgVGBqVO^1%NWU*{ZMNw78g*qGRw*tTukw(Vpx(ZsfG+t$Q3PwZr3zRX?s z-tWF|-S_^e)74db@9J8oc6XmX{oDJ;=p3r)!nkX0!B>tj`pETz({2hE_ZaL>I}E&z zWguf&XA&kedvE~S6Q(nQ8`;=I2xux1m^f0hsfM$eqjDLkx-qQ`-o{`eXUYPab-vVl z)8X8uREg3{J@+z7))fOg61d;>I6W}J5^~TP-47g8V{Zs1us6Qm-;B~x5WG+Ms$&3pKq8&*Xnoc)9EZlZwlKovCaPM#OV;lEa|W- zL>Pa=RabQ9`mo`-83a7Z=sFtL3+u09;u)*45vRdv8Xnudi>_$j5s+?)*1UetgyTXY zS`JJwn4t_y%?^HJg8N;GG6ju#c%=HReY^9T&c&i`)nG3Ecy%@1W9>&{)#t276@<1+ zMMlt)667$6yVcp+t6E!d6aPx>E+rylGDRO%|I&t+6^pLTB#i~FBrevJO_dZPts|`- zJr@w2z<3o_gPN!#@(L|9Q8_846pfvv6e>N_s210TUmeWT!y}jcH#%6bYXYQNc?(oGC^+PEkhpbYWVIC(-Y^nH^aSjL zbYo*=*SjCEKc}_fs7P?x+J$!$2h3eq7_dJggZZh8`rFQJX3x#<=*Pusd_VG)sDkkY z^q_v$t?b+%dX>)nAl6mTP@qV##^MB+IHfi&u<(%~%@17uk{e|7kr6ZmSH`?xa8L_j z7{sk&z`m=W=?OC73RJY*!wRX*v%l`HD93b7RI7*+6%}>#@ApnC+Jaww7Bbe&*GR_j zy+@2>2Ah#CKLRE03;II22P@ow!=fI!8`Kob$Mf zXsi28(Kza6bXcDXvZq)bN>8R%CKdq$*2I6}GQ0{G9~ZaJe=ri|H?cgVu#{{VT@@2X zSpg7<>dvONQ7qf@W!sv(+CjXgnZ`*6+*@{w^+kEKV`6~scwgED)~(1Ep%m(>)OM4$ zcHAR_=DF;Bf9ntZLkuUBEmVYd5Kt^)KpbpF3y_hL1>Hi1AB?Px@#%CQYcAqkL_u`- zv6G{hbww}MZk-8L+&kVzeB@_R`5xmoypBS9aHv~-9%fu76;V^-C`qOILxS*ESw%kXV2Q!CjpnU_#`Y$f3111X;btTAhE2%ZzZ zqElc5l#l}dXe-_&O{@;c+0RKTMBL=56K?z~Gnk}gG)16Py>OU!;!5#gN}>ljYNlGY zYJFxjYk^v1Y5DFzToe?tp$qCLTJkSUw^3jl;AVTnlIhI0{#sJ?tsuV)gZImT`v{1W zM4EINSBfHXQX#&qfT}*J`CYwXlw)-w~5(j@L zA!1p2BO1X^M>kYc(!oMIsaiAbV9sI&#uUPgVD2y$!ZkG$pEnxW3)~IhdYBFM}#WA4#jB z)$LFOO&yhl^I^BKsE{ghT@X&BeDU#!$aA+S;F0Cn;8QV1SwZtjk#&5C9 zv*;&`N8=uPNoGn2pq3mKec_+7K5*GdgI?{3siHxF_oKY+u9Lo9mm947E3rN0Rbk{fg zOmI0EjR+cu||2UpXTA${+OPc2<%| zjR=k)L4I9)1xHLF-Nym|9-ph2xG1xaMrQY2sT!ySEbDi&k=avyNB8eV-J#~H9cQTg zkc(0KPqV*_FkWo3*UW+Iex#`)6;%gUW-7mY1b9<7Zs}=e7C_H?=pVZ>j5x)ilZJ`O zp%--%;MI$J=1U|V60HIhN8h2pHG03~f5@&7P&SI2gWDhnf9xgaELLEVQGmrt7sN;{RJVb?T^Rtc)`Vmyzz7081rLIG@|ZevddPh#rvar$EGj8 z$8=XId5in(CUFyv{)l4eCw_(ADLocXZ6jTWs!YY^^Tzee%_i&#uKUcNkz^osU82L4 zI~P5&rcWMRb}z7|?V@|*&!WOKl6VqY{uLuhmCYmBLyE$V;!9;}CmJ7$q62mj%o-OM zL#;nCWx)IfzcmS~xSI_^`ts-*M;LTwnc45QX0v}M%Y1I0uO*~ckjG=2p?%mA?_Go9 z?Ndw)K>ncs_REa6;|#-P#?S+rU%qru*iTIlj)@0Dh|g_wvjM^yr)p+MOA>W z_(jFX=k_LW`)uMwiA7F+c7X!T^v-egh12G!Gp8(QfE`vJ(m*Z22dM>FN-K@FVz}*n40umM4%KzDyVKY?q z{6VLEjMydvaA6>GHh=9cFgAU9cb(pB&u#sTCS{Cl$r7W?1g#8sjB`r;?-QjNeqcRmNA!S8;fFNF(d1mPT2;24|yf3@3y2P*A#n}~t&+q(w!0gG+&+>Jj--c3sPb96Nw5`^kq{q|rupBLI{7tiKb9{+f zC`YX6%FE~A!Pppl40bq~W*z#-Nq#yIC;T1Y&aP391B3js^nz|`;a@RrL!sH+UNX@5 za*6N0n$C@`UTIIiTvt99z1!xE%zF+`Tc1lxu84|jz}|(b8C{8Q9pgIKKL2~Ia)soo zo|*^d>$lMcnGJGNv{!;8KAr-TlNJ9wYv=`y<#Is-JIP!lsU@Bwqeb~ohnL$7{SMl@ zff@R-WM2ENJy>6dv#LDi)>f(=X%jvDk3rf9VTRn_lQ9T3xbSFXsx%2pGfaOVoiNmc zj7o>3=1w#t!(nhLP%WdaO+Y3X1{jR2)ZURGn6ayoSXhHW5)W&E0v4G(1bc!M z+r@}2WB=%}J7Cg5o8&TYYag?EPs)L+lEMn~3_i_Xv|M%d5I;Svn|8NOw01%Rvb**V z)rIoZi?=Op6h^aIG5dX*@uyPZZBCW$dL>nu{-l+HP;rrD3zkyJHvHU9KAEnaWj<_K zIkUxThD%!YhsY8yL{dm(PcoMGtj+v&u%a8i=$B-0xG_2Q86PIjR7X3XCCS8`aQ|W^ zSJPYpeJ-H47O?Owv|;%xXP8ZI#HQga6E>d*-MeVlpm0rAr%*fm$zdQ%ZMx<&Wyyxh z9Eh<2;u=*8KY#Z_UB=pkzPPDcDzrDe=~i3 zv4OSQkPb0x$JO|Y@r|%1;YrF>(J-neR(4Y6W%Po1(5sKJ6>m@ran<1;h`Llp)J+mk(%6$&n1ftO%L z9kdEbJIe{@WzM~oPJw<05J`y{lfxTRT5Pp7p2VuYwh&q4UzEun>)a40sU7Vdx(+Y! zjdsy1cPO&4K zv{=7_c$;}G_ccwn-0!Q~zUc+JTkFo|w>nEwQ#W+zJj}KBi*6;^-a|(p_72}>$lK7F z<)f?8*)a z(Z1Neld~^Z&U@mtcQP5$+88?whks=99J-f2A)%V1l|oL5N~sd?_~ z<-Y{^AQC6Lja$K##YAXfz&0ZtPt%yem&F`&fSt=t`pfcxCh12Wo*mp`aw?8L=iCrn z?*rp+PZ@I(43ylAKjC;>`hASNIesWJ;GU#UzWrIhhr$0O4t`HG@1J46=HT53@qu^c z;hO@Cc=+(g*zY^yP5S*#;C_Pis7Ggr|BgRlMFY42{Tu^4KE-(6Ld59r-|)W0c+_W% zyuXoUH{P_SkBs@?%TFL*r|^8>fsfE%+h6Z1;%}4RZ;r@c7pB`ENaDvRdrbUEy?*ld zBj1zd(Hk)C)$xXB9tQ+$-{{|fF@WAV^N5Li_^`*2KW*}84gtvUVSUi#<4HI6Ab-3w z#qjUl$Ui@NI7N;yBnI+y2RHZ9zENc_T(|yk`*A;~!FSlRKSoc%^FibvN&a~2!R*g1 z|3bkr1+eyr|81PWGM3M;0I_H+?_{Z`z4B?v!VD)_@+M^AEdTYlG#*%0i5u>)B5brI0<|YToLcQ~8{w0`*6S zx;Quu1-LiEP~;;9%e#-^KD$oKm-!5VWTeiYxhEY3MsQYxB$82sd*6ixYcb_*Z8E9~s0=0B60}e%)Yk@7zoeGtAHGQEEvj19^tP zUmD3C@yOHA=FOZgOm~R;jXBb z>as<7$TVl`S0Uc!JyM1e-aOND;AX7zMUVwwWYPdXEJQUFqE~7aE6Inpc36FoQj7sCL|4%t{-@9E?G!y zu!XOYpavb)k6_7kzY+{JN@hxM1L1>=q0V@lEidx)+>eF5e09>|^j70FXVfw!;+wO0 z7wmrPDfAW{rDzFto%=U##nZ@7Q!~}*&$?Z$Ys>Q;+3?poZho+pSU*3`RPx@T%rG|0 zj!Gu7{#kX-H8v06yu%%RUqIRQISu>eW~v=W5!wT{3RARx`Oqpk>=XliCc}opI0gy> zE`^|B!v-4x(tcdKmmi}eDl+k1vVK|$dyM0^`#v|E|Ga<{8v7&rNH9LRHIF;bvwQ)4 z@W+#l^@y{E`&%l{8|1KfE(yzDe0 z3p>Kk>^i00(vc})N=mhspAM%~sz&1f4FEtmlSp#=$jVNo15BY}_IFn`5sbj(hAKkrh z6z~kh@favT^)p(4R>R&8{1Ky_kJ>%;j3?o7+kK!vX}kkuZRSb^4KTgIf!>)%CK}5$f}7eW}^@GMYU}Y@C!Mjs`btwrV=dA8kXJe!HU)}tf6*Vo_eN!)zohp0=n9ZJQeHs->-+KHTN88C zO0L&)RK3jR$&;a1a8{D!V@@g&<#(I^y>c+?mj^raBA}BcxDbZ3K%vaks*;4JpqGkN z@i$T5s3uxvb-E%&oKh7(6j{msWuU8C1uIiDG2CJu3U=B6oFSd{H8{N80`Af`8g)jR ziX9i3mCZxi<{zX|kJ>Z`p?ZNS?IOgK<^7)b-an28gi%Y-Sn`01V~VW3SxsLNsNc;x z)rIpOZ?f`uSKd#^IWV>$ukrG5!ZJ#QV|G;M{nPy*4`si_UnRUr#wd2YGS3n|Cl-da z7uf@7@LXKpl$!XyLzARurar4HI*Ih9bDcYN(Xpvz_hD|}cTEg<|5^heMMA8(m__Us z2Jl!s6$P9#8x$D^1d!k?!M17~qyCcaMF;k$+hGUq6u|s?!Notpz2K$fzg{vivwk4f&Fp5_gl32lY-p(oK5S93PUMDH)h`DUE~grMb%LqBFD+!XH54J=Z!27~Cn{cmhL`j;untPO`!P2Yea$ZG2$Y z5il#xlKqR=sv80M31NAzg-3C@jAj`|eF`0-TG_NeN1{pPDmhbI)TO5;=p7*>GQiI3 zDpNb$kBOm)OKHBpn{o!Z+F4vQ@Po*d!NjC_22q}JQmP60Tp>wotP2GF-FF3TVW_M? zg{w-YV%A}LFL;FH2$cuhwevyp+-QT+nkTrZNVINig9fnZyir||GIY^44r8-;G}W(uXdklb9B-w`Xn zS){zG5=G_ZJyeztPRAV!XU1HCC}GwhJ~^X}YsD)*y}2E9V7*eBfl_UF^MdEjZppcE z?>=SNjFm9z$n?qEo@&Pmt4bO6By@YxTs6Lc}Y6de9%P-%j=fK#@JBkYjd-cCy-nL zXr5|3pswURkn~(!W$Ri>)@(i>X0W}>b%zJ?FZ#$ykcdw3?JI35iR9A%=IuDMkC5&k zP#mcUVf+ov+etYePlF7yftfZ3611^5v@USLKTuiNc5)nK`$|7?n{L>XIWmte^M*ea zT>YVEcCPGMJa{&5pm-w`S_|Tz?XRGoW`1 z3e0wB^S5M8w*y&=DD!SX2{nW=ibi1BGN2fplY6-`*KT7>6=r(Eh1S3|eK6QPIW-Hq zmeQXb;y5BDC8$yUhd+PMlk307jAy6{dQK%OMv~i?6Im%#hz47`ZnCEZ?tj>(&A@aRZ+zB2tR|+u8oGh}Z&QaSl8LRh* zk4ORdO=4=JN-=rmt~%(Yb=Jjd6xKBiWnQV(NnJ$%NY>H~L9Bc1vPJ)#V9Vjm;H#Mbl`;iaCu{(x^@r;!^C0O8bZ+@rK zM5}}hN1B8NihYA;24tlM7l2}a6yu=Gbo0z=r@mF zMfK3tl3eA%uV2L^kgBjlhI6&hx`ptS7^F3AdE71s$~H%;yQ2+<2+Q>=R1fE!o)pAS z)kC@@gU0JqBhsSFHWUl?NdOomZY>H>ToZ2GSAlKXn|wlZfzal~|ORZmWgGOXXh9BsIr z{WB=d4FlSGGpZdftxUHOtLjrmNVUYhw646Z$HR;z7wB3WXf0tLB2ma*X(r~wle0vq zR;Zv|Dl(;dxlw8tv1bgkrhdMQK$txIXqGuDUlw0ZI6kD{FpNT%3mvHD2`IN;-qv)B z3DJc_@UrH_Q8PwxE&w}c1?Y$HdGE&!zEq9#Zc+}PAG6pCExb-VRCJ_W)I_Sm(TypM z=^1c#@h)$DNQsC8P6gFx3kbS$=L74$TdHtLKIY~*aiD9^9uudO5d{`fa8YpB4u(dx zj{Mpbi;Po}bn)uaCYVV;dPnkA@E4puy~p>B`CuWzJi%YsB_1$=sAo5-mzJE67MF$X!0fF!$Upg0H#%{YyqF2DBz7O9PbWq9Fb)X|$6)~d zTT|OTrZWYhd8_@lqx;!*fHTA^d?dtJA{&5^ll=nWJ$|u{ABy(H;{~SW46xdbAKcB6 zNFvs7OU4O-q6ZT@0EZ%=WI`kgjX4k!Gth}q5=Y;rtFGpc`vC0R6LtK^o+(ns{E1md zLa#6$KTJN`nMDn*XyI$4|r^)fW8Uj2&JM)XmqpICz z0D}$AjIBWZv(b!MUC^WB0Pd_K+tdiF&@GUAD);ZK-6?10OfDUkfx1kK{WDIvqF!Of z`YbSl$V{pPDM$#zO7J=qnCPQAJ+gtiIN!ry02&)?hq$FyE=1pPs=Ag=ATa?qoJ0Dt zEZwn4?QAxJFK1U^<6eAi5TFYBbVl-xp*i>iZ+*)YK?jdd9G?+2dH-wy>k?O3 zLfmr;rxwd^q};*=YKv%!;Z~SIkXL%aCZQg3Dr&Bngau*$XS}5fL?Rd^uhi|7=K<+K zWIX40@Gu6xgWCAxBsbEw+`-T!@uZ;U%`%h1rIf_f?}TxOUIM*5ckJJA6_ijT7rK-- zI*a_O?}15)UHKhUJf%Fv#v%m>AT8w_9$v zQk;`xI6Iw@zOj)O3+xj{{(MS|GU9U?m=Rn{n%H%qXWdXH%uWJ#6J zn{vWca|2}BY(XXHC>=Dep5PFw9qq4tE$n{Z zKE<^y@E(^I&2LT=mhT`qpp$YT_azy@4ob1^BkH)EhZuh2u#qpDBdmio8{#moPp~EJ zC%F~2pD9|uJFHOC3dto^R&1&0bgpz!%5{4v@23mj_M=O;$9>?X1eD(v81h%*s}!6G z=fM1_@$514t$EV+p?z7$Aol!@vDDbt$Gd)=oSU7lsD=dEuyJbV|j9eulYp~8gK z)Ydv;jZFOjqdMD$R%cxed8qt$-JVc1&2=jX%wE?_%Gc4!N%H*;T3y*wN=nq(%`cRG zjM6Q{_;_95v*e}|fnw1SIMDi#~Y4gj65hu?(8{#~W3nG(q?hOQFJEEXB5VcG~rTSB{E3VueLUo=)f-_NG$MFUA|PJ2!Y zE0*kV1EqqSD3By-PIE-dj9&Z|g-XZ;J;yZkp!Og!m>WcvP6IP*2*NaSBUhQdZfW%! zZ|oX%QS8h$d!}PLCLT(upBQNgYHdnldNKiYAOgW-V6VwXSLtGLScKG{!HU`;y^gry z+xNBz<82a=9IdzkyY9W3jhRHWux&%1C(SYbD`Y_b4Y%S81v0`OC(e+_82;A-@d3i^ zJ93uj67H`wJV%hXJQY#Xzq}c@04x{1Y!6ANQJd272`MZs#i9PmV-nrJTxUX&SQcFt z$Zx&O?{0sXX$Z4moBLq=ZZ!8|k}O6Q#JH-AaTU8G@l_Hahybk{sDm_0ldj`nTfzce zi+6s2L{TCf)fj}`h1u2?p5yR_GuQpbm~#}`QNhBjRT68FugN9f{$r*{G6WASmJ z-}$1P#WNum?(;S}`7+_sHb{S5;TVKC3sfY@Qc4XuOhp)#!9e0e1YKb-kwZD<#vm99 zA}y@ro|3J-2u&H|FU3>^Pgcj9b$wHGvX_{p1>xa%ZyhZ@N8&zmQeOOJSd4?T83d^p zsS>oR%Hsgwm=)hoH##44M5s$$VP2c4mBMTGU$b971X&V9P@@tboC)teXn8nk{Q1C93mZx z{HaJHKX?qder}a^ETpU^j~*O4NF833CCq`h@|4@Z)q-)#HGxEfhvN5Agc?DU>@zfs zj)wDM;fHZp+Q^vhf?bKM$BDLmaXzN5>{w%KGgOp0wpLbOJ+3|{e&2kop@;TGPU#uU zsIMjAtaFgGGr;rn-du?0+K5WorF|khinqn1gr(+xDa=tJIH5d>nSRLs6uDVnda&?+{pIHU|CG}}Xr`CU1-?AK}>2IL0Y zcAplA{6;6?ogn~k`cZb7p{Aan2la*IZhfXB<`dIgx!|Z;K48gJ;EW~Lm5EBIVi2b4 zCo-2QCS@op4E1}`xGBd9>E-SZG;LABc2@g-h6!UldjRybxM}qIfg&I`z_2Jj4kWEQ z*iKT76)mU0#ly=hW2fJ1Kl8C5y5FHwNW{a)_;*W@iPkZqddhZFUcd;<{O#Hv-E5ew zY85pvH9{5jSM=_u!KDBm z<%cHEGv6KAB;rVKeF;U6H__7Gfw_ck!)K6Hcpq`>-m11;QsTA?u$ACS9?UK16Mj4h zcoBFav-Ww@ziKx^X0xp(#NtD)7`Xu5%A%s*$~My7@(HX9dg2ti3#1|9v$vpLfa{=3 zEDP&m@aUD%?j)fVut9Hgtbxnp@l0M@9K0e0xD~}N4HU$pP5Thb#}3y)I&kL6!CHnJ z(+>eNuu=GfUfTt-45>?wh=!Zfi3~TUL=!U|Lag+;GF;I-b>R6139bBEzn1@%;~Awp z@DcltNSE-6j}cEB4{q8MPaj913>7{vl~6A~R8A*i8}lMEU-B$rz0hnCWARyv!;}ig z&+?W*WMaeYhr)~cuB;qpIp{KjYnr`-al3sa%*Y?PID#MPJE>%_YV%BDC%ZAQR5(hd zLiiHVTkBRJZnpqVZe4MHl^a>D$D_y9qQ>id7V;Nco(mTph+_e5-uEDx{EpJj9e=o! z$%igEE@0}<7oS{Eb!;Bj2$JStN>U}FwSg~LVF*`o^bs0~+esY1lxz4VLsBJ*Mw0z8 z28`~+y`i;5e%|-RLf&k>#oz|{pKE|c> z<(@isn=W6E$@>co`07)Fvn)(p{Q8y$geY}*`{N2+{Z0ObWqz~iX8(#Mxr&|&8_UlX z4%*Sl8`Q&n-N0O+)orUgeK;tyIyVQOe1A9?$k6i(&MMA_;;pccJZSGLg`6(iYC}Le zYhcA|QUBt*F-jK@4-X^IfL@EGjYFrs1M7t?kGUP&;(#&nK%AlMo&9AC{bg3_F#!QS zc4{gnrDKPE>uyNq7Sy%Xk4a75&e`{tQ?lmByT|(&#A>{st4DA$HXF525G*VRpxY$( zPz7o7f}hvlXy!r~WRiV5d$#3fV?aMx-+dVx_qjG62;NbI{EP!MQxh>Kv`c4}HyY>Qlge01B{T3jvycS@;X~t^( z2mzvkR7$b{eOo;;#7uE|zrGB8G%KSG)&Z+3SD-bh5V4K56S-Rk4@CB%=RpD5gspwI zAnqKQ@uI*Hv;HvqjL3bbDkIQhhPoD3SchpN>eU8+hM%cNo~r=1lIZ7y__jLd@u8;u zs&n?K+ggM?@q{Zv7a2204|(8A9<2$t`Y9^^$qN&_Y*ZCwD%6h`f}7~j0xD7gwn)-c z$dVrGg%h8<)?F|ncI*h>Sc2LG(WceU3;fJ*XefawQrd-J8~-rEAu#9G;EWTR{pnAHyULZ`{4w1=rvJ6?BQIvAok;p-lOB+2ww+u*1 z?W@wx+;!1F%9Q>d-}8#y>*mNoa|~VK>c_iK+l9|_&APwxRO9Chm>iFqnX`Ji<9FBd z{uVrZBz&_&7CF>;+M5r3MrO70d}d7KYnJ|j zT+r(%!+mr{Ue*D7?o+-~Zm%bb3hwZs0Y%EW+Bjzvqn2ujK+ly)Y!9=sg1#B9O2XJi?X>bN*CU%`d{DeWA6B!$Tw88najKJCm>=zf0 ziapLPY%>S$y4}ri^LUp`2b@|7#@YiIm^RQBb;qeK^_yk$fiC-6`&(PHMc>MlVR05( z>VqM~876@+NR@_-?DTC!RhZ;88s3?`rCbXu`|x`DP92LGOZ?PupO_F}k@=0X8Qd?T zYU`?Yv9IuRAM(3_9zzRGZM81_@fx()1?J?6oWTHN1+t!39qyLbi@)}9)!nJr;O{jT zK3#zp;gM4pJKX|14R--|J@$fxP-*%T4TT&~sH=U(Q2CueW!ow`^#SN-8EIjKtwx?- zS5U=`bM|#@)D#`Wzt%dE-DM2lx~A42uEbTL;RW-Wh*uJ3R==GG21%fB6XnUL?kTDs zJq55JKlo$d4P*6}PHcU2Hqjdn)VX{iFaFQ(emb`L( zl+C03GCf2+W2{7Z`9A60;Hn$A&!UQ!k$&K|EEF{}o&OORD{)*BF^O znOOe=5N7`$s_ox6<9`E$h5k1ntZZoKOeWAZObnB_kyVMdOBV8YCVj0|jyUmwiO z|1VIOli>?`{5ztloeLo?6C>k)g2I0lVd(!mDg2km`(LCm$Nx;`pQJDg2giTG^Zpaa z(@p5JD_}qsee?-V$r1%`25wObN+gR)6g4lGJOYK{z$%0$45hh!y!TzsiZerUfqP5? zVCZ$P+CKtn_pc035&RTO49^35pZ4r0^f;XMINV~Gzob0H*xZWy+uZ60o_z7c$shNysUPU(b$9L@9Yy}MP1o$f z!ljd40}dAm|bMkjr$M%f64#da(*GMY+ri+YWpk4@pW8(b^hA=+xNHrPaFTx|J(krWBRN2 zx9{(q{xz?^I{(@KSLVO*wtvq#|BJW%>$(58GqW=M&$shWXJ%q${44ff9Qxn9Eh8rz z2g`rD_hJXM2kLSXgV%Ib`PO2D*X&$;yB2L3Y10C2SrcJiQ6sAsP!n4$*jK>iSPhZ@ z5*s*78)}UB+=zx{Ji}}4V zS^}DZTX3P{m$)%_ZKn60m!NOm(cg+{4gW+V*|`!;mgL8olovhV=zN=Dgks3YEK5cAM@Tj)k^G;4TsL zwsY{+ntH4+iSzZoPztFCC!i?L+s8#R5W!2HKkqm1jzO~fu!El+K+PwtKs=ceWFn$g z%5mx`P^el(sbLhbW6IW^u#dAt~OX?JiPH-P<8|vzVM*woddetGxiF+K4>Gn~}l!rWVy1~2U zd;awni~Bt1XLuXadT2iiydtg_^qLzg6A=6cTKxwo@ z{Dk9p%>Kl7c^d8G&l@?%Jh=ndRZl1+=6=7e4hZzDRDF(LhFkn+0K?yf=-FJ1?~!;Z|1EZ zB~ZY5&<5bLE~6*Gb>Stgk}ue*le`j_eOEAV2ysLn8E?3Q*XTi)G;KMZvTg!!aJS?{ zC_4K*d*-m7kv3$H@ff4?`}%pHUpemg`AP#{o^fv#L@Iv}6ToaE+lfDOi499+8T>4P ziaYJ-;No6e*9xSiR;RJIv$D}ZFRiJlDoZY>qW+zdoJ2=SN%wpDkEgRU(lyl1MYbcRMoRrg(NN2i6$5mV@9xz^79ko8CQ;W1AbYll-PHEGz)QlRA zT#i8+1pHd$A-VdMh~UjJQ%jG_yFTPi>00U+wPfs}nF|(mr9(;-^Q>X1)nIJ`%xB|r zO8Mc2;~}kgF9CT9wM`Y>Q9U&d-2vWDT9DvThe*;U$blFo69~ZOfECms5Te%GvS1 zPbK{R4eyt7NrLU$r82T+Ow!EOQniFG$=Ss;^4QS{!mQuJ{&_!&HMw`a`|jA{?mJzf znX~t@%`bU-T&G3i=qr4v3*DHv#<;kCQ@E4QflHUk;q*Zz{gw@Nky7l?;lbG00E<4w z2uQ+`TA~KAw*1eS(P>g{x>&<-G-+K9_>7V*)op_Jbw2DElwWO}c@XkJcX+x)WeBiy z0*PYxf#K$O^sR5yMJC%GxH zW2e6Cz;4VksIUaCGeud0ncsw`J9$xkxRhN@swnUsamB^Q>m7c+wf#KKGWOu>l$Eq1 zdZEMa#$ptR+55Ai825_Ev>k??_`8msX{DAj-B-Rr{o^Qup!&g=-F6FpwH`aAfI4N{ zfqokpwINR{obxF=^ZkSj;hQ>4T}<&(OeGw2e8-bg=-Q|~7AKSeQyze4-8k#{sasSy z5#`Fz!|)8TF=sd&){&x?tB$&M5RC|m;~pRwM%avEr;c9C<~xN6WT#*AdWf?5K8N zWtU@`(2_;|T-3tW6DAh?#6!Se=(SJEYIFhfUUEKV&11kmv#|Z3`5Ug5iFuLNFL?M{2&=Gz)sIeM*NpEPa z;`;^6Qnknw5YGPL29tHAyDxsu_yjTOG0hxN9!i%b=}k7+9<{&Pm^VFIrV7+m692d& zO?(2bHM+*12C3kyh+Ff3rdL@x<@Wjg$^s(}czmcBm@I$);%I;A>_-C+)}AzbL48AL z%S4-ko7yorVK2;ZU_kxb8&gX^mIN=WzgoEJ8MYELoSe6j+>8|pOrREVS-VQ_M|tm2 zn~K6W?bD9L9C5E3P|D0j{jq0QrP9Uxl4=!t*A5!Ch{^C;RI}E;c%gUjq{dQ)fu!=1 zYX;S8TzmbcCBOwYQ*2Jl$H(qQ_R^XM%(o8-L84XN)x<+vIw|}!cUE=NThrg?{YKV~ z4by9mcU5@Y{!Wbp@#`9eju@!qLCZJ(maA!8j~~Ut7iFuwp%C&}QrfPF&Wtk=#6FZg z@f;Gf&OYBsGShnqR~@v)3Wj$b))s)HqO7Hvu;Hz!%gW2!_aV1Qo2e7FLtk(2eqvxY z-r_q5PodJuZ57f+)8E^cp0CWGK>JrR4^#E#&YU&k+S6X7>b03Tvtg)Mo|)la!m!US zr^wh_M6@KSsE{R9C+T35&KX?15j3eAAG>TB=a_mET=j8_%Q!1=U2YYS^@b zdHGzG)bc*B``YcUt@@nppWgMDOnEX3iiCcE{KH+tJ{gS)Idqi8D zo9oj5Ecv6uyI$CQi{s>klLFw3yL&0pDmq7U5Lwi#@g4KRO;|~(+%`?|TQE-m%7mb7 z4$`*)u`&EcowPBF0%vj%0)rxFG})N3VAB$;L?AA286+Y|7SJ z>65eNjBDR()fs=#r%Cz3J%C^xrNHFx=tKH5ahQsw1RTY>Cd$!^w@mujyNN#fnu|Sj zw^#VkEh^SE=UZlgFVu|}=cL{?s+lTzB)F?LYMmm!-(3rTI*DsO*8O=^b!Eg&0ougeCm8_%aje+mK+Qf6sjLKf9~-=ULebU= z@83Fm)McV01a7lsY-p2KYW-zlygIH+S~NF4))_j48jYxS<>hBJ0O;VZ^q)0VZ^k%i zQZGDoms4H7z)AXDl9P7qwR5Nj*iN(*4LHxst2~59n|!pX3cXG0Pa zKO1YF3nBbdbhW_9f}!*to=P-lD4*rAjMJ1xs;84%v&JwF<8k!i2pHA3ghmoeL#+RH zo!ahwOZ}tfntrGMgJ4S!?c*8m3#+i%rri*>{@6`6-DS!1J9#25(DoYe)sB@DESxW$ z3EWuzidLc)zzWX9JkOfUsz$9zTzphSAbk{jAMZ^f`>kl5H#UuO_z{b&O2HJoVzD>E z_h;J8HVCZ`?A(0Bt;<*tcpBvV{VyweLTDrE-E`c%!*B^d$+(8mu^2PBtL~Qf8SaKA zR`>U5?~rc3Iv&2aFyE{N29-3IBVDW}Q9Iiw6sm3-HWicTE|BXT6d-c1a7c6R@KA_k zIbLSZkLlu8uzLbO%JsOY))xC*8??NlHL3$kU$>l*5$G{O3PE8M%1I1RE%D9l_5oKN zU0s1%+K341o^sM~EHoN1XW_b~kZmeu>#rBOsZz%WtA1c%?Q`c$KP5v}+cquxQ&KrO zs2-Q+N-Q~2Sf13IHK&^Z)6_8~nzZVAO;s*9EApWBNmIL5-%2GQx@EPPB^GkQFz*Fl z*SMf*<7Ye_#6V+EKuK$9R#H%nN*c$+O4G3S-dlrU(+V=#k1ei zugPZPYb3gn;DG|z>UApWESl0~sb&N+q{^(+tZA$!J>e}Hsgkf4PEppFDU#qcv77P) zE20#gfU{L6DMmZRpcBaP%yy|J^zAR+`3~kp&~$%P9FcN1QldpJW^ZP=s9GJ9d`g;0Ptcv{x36 zy@kofR_J>26%#Wexlrq=v`!thjat!hKzp7%?$yXDE+tE%JUNKS-3`NFK<}jO6nCJj zNPbW&Vz1UX&~K_}ppcxr;DQg^MU9~R}pry?f3Tl0h;6gmVtF>pOBwf@{(I>1YSjiyT zz*dk7K?z(5?fJ)4%ba+jnwFJX-Sbq;%VuG6FD7KI`-GnQ{Ta03 zyP|_td~guvmDe*@xa@$T)(GP$*Ngq#)S;?sh*CSJfh7+Ms!}^EnHR?j^a9&7 zqii@<3>h|Q%4-=H8dJL>M{LL_mnZI{h~IYfouF+kUQX9v^>J>9WfC+Ch}RX*qF{^t z3;ry+8)qHKsAhm|v2~68w%W}JiJb55@N`5O z$5R*=uy)BMk9nT@l+aS&P}VA4daJ;)40m3fvD8#(1Vq_(0u+u1-1d!ZzpN z5))G>^T#;>2YxsQR~F&z$03c0M-H42Vs=6p5aMR|f-oXmqlmr$nv~6aqEN^DVwm=J zwk@#k0hgz(h_hP|XDEx+&S<1J_IGB$XUCTEnh^HR&OXB-=EAUJMFRzEl1Y}(Ag(~; zUM=MiM6Vew3K@!a&FrBspchJ3*1{GxVXzEr^`eBt)_b@q#v;NKm!G|XSP|nbr;hYw z{ae5mtuXU>saAl??kqA`8d7Y_xp*{r#mnw?R@A5>h6oiBw-V4w2cbck=GI3j59`D{ zEv&VxjXlVKHb+!3GL*m$>k(rep5v+G#?&cMN&7fV|MsS!H#yqw z7KTEm&D(DX_PeC3a!#G@nnY}rp|Gb_ugjREf`(FRd@$|2yIdme@`J$(MWY# z3f$W;F za5{hqJ9aI4LBQu_GpU1c62h3T0O{>oHcfOa+4u|=aX)+kblO6ogP+I-d&iV59aeL# zzTkh)1{GC;* zmHYeIIs;#qwShH^FVB~ny`28J8{3=DQ^t8CwssDPel{h%rC>b2M8qMrPX^&8NVV&%&)aZrN--e$4(DE2>i=9m|Omy%ACP5&g`zT=&-5>?B#80$G zJ-@#&e!X;D80~=~;(eXcaJgJ;wi%7kJcQjK!vdWQ+sVD$-XQmUUtaTm+{_n=IKVVkA*NjPbE`0AddKE@p}m-6 z2aT0>-%cCA#-U0G)_6L%s9Vy;;}Gw|%{rAUoXU`;Y*}Mi_xi>BLY%rAqQPcp^Oh96 zBm)hHHwQ9DCMg+1NO;MSoP^XvFt`M$Kx4QFq1mjNaiN>16UwX{DO439O`s&P_}kb9 zXje5i0|jlHE2GKJzNe&tq*dJnB1q`Rqx2Y#*xJxxCXOd!Q+EA!!Wbqym9A8r^*)hN zbDfMVyQe1o8rq85`MtYBV{Pno$J6#3`-;7mj%l<0f|)ect%bj5!_!*>%;DX4{Ye400(W{+Ep(m^^LJzp=b{*H*h}-?OKN7kNNN2Nk~S~ zy=;e(jbc&n^?5ygehcgY!xs8E&`~p*b3915N#?wk%Un=eKjx}7`po&1*nS$U8cgI& zQofO7gIX1bK^UdXH!grqi)%s9W1ct!$00(d9V%L*zQT!TA|;f(6B}Z0hJTmcU@W2F z{HeM1rM}HhC5pw2DM<3Xn>}g0GgsbKRuUP(c@7zg_fpiYB@f#PBOn!D&d3~y2-O1j z=L^zaI_<1B>Rv>bn|{Kyrlpr?0?s4NVK>CK`eYydn7TixC*m%%*X!Dey(AtWH70pz zkSJJ=_O&ROsx(-q@;c)OnS=c9UmSjs4rRD#)6@@p2^9haf^j%`+EX!ItI#m_AwjJ{ zlO&Tmol!bwj9o&x)B}u>EB6#V;|G)*V@)6)GuQB7Q(l;<%TlCzjw+f;c#AaSe;Ao> zS*oTA#=AJ>qbzWuj#dW%4cPa232*zmkey!Kg{6hefKlxovXRzSIeXi%7#{6U1+f#h zOCR}u8UL(Bn0Au$L>WU~rYNz<-GiP(OHXX8iEnSSKn3d_OoROW?GyhX400VW+r32U_^pgyhSkZ1@|gNtM=0^Px=7HptVgOPGw9A%EJ8+qcvp zUIpl|ltKFzYW*EiI(O-+?P9KS*ce~(++f^0%6=D>vTDY*lvQVnjYS`wQjbs5N93h9 zUPd)h_CVI`pvE}xNQU38t8{Ly+U&JTc8MH&a$_66#T+aWhaR(uw<8LQ!iMG2X9o*L z&eQJD?oge0RcR`BK{d+`jUqX4mmQPHn%)PUDXe5>iq&8SZy2~R5~!mw8jl5t-;u}= zXG#2ykH52CU>NT_wK|Ciy%3yiL)9=P*z%=;f@vHTMJG7|c)ldMK`MOpH%@?LHFZ%Ea|CRm=T$ z#~+y$I(4ktTua(k{)})<4?s`GrhjgCEV|zE`$(S8ja)E#ojO>+Of6mlp-lhDLrW;hbHRbBX*!qn|D<1aV z&c6el>dy$X?Ys;b5)%<{o8%cQXf>u!#_&cQ;njvQ+cD1mKFFXw^;HZ6WLbO8Cgb_> zUK&yRDpi?iDi-(txcGb=Hp^6J`*fd61{=u3fECLq6^xh?;%Q@J45bom=mSCzMlg&# zau~~1QDY5#;Cash4tPo6mekKI)5SIIz~&GA%kJyzE!=elJP@dIK>y*8NY-I~L1P#B z>;a^2{7lni(0={1OZ3-4v*XL&tm`v#GCZF8pX16&DKx4TTAIOWkv|XPTzhKs5tepe z&6RrB`qu|z?)T73WSSuTW_rg#J?ajk=;Mi{e%5a*$`q@o1$z+-+AgJ99v2>%3y zs;2ve7cWI*yKModS%3HRSgt({7PN7m!TB6rU*z`qf_?9IL1Lj-2Ums>zR~(~iP0QOh)+3m4Xh7T$giOz z@X29O5{Fsk`!Mqx5sM@-NaTgqAz2s`Y&P(LU^Gkl+kOqyLMu;}VjU)ccj=bx{zGR6 zH_5yZ8cxpFiFen8*YQA7=8&-B_GC>D>r?d6MYETMZ$~qCdvkUTVW9>Ayc|pIS zboLIhj53`vRqxg?Vztbp_{f+4&M)S-l!dtt(6N|O{I!98|Gk>w$(cB2Nzs=N76E>N z-C$lQ7C9D?$G`xUEKV4yAs^HxH>UB1QU`bqYkVv{em1_D|+SDvztW&ZqUX`)eQQ?A;isdpW;q$`2&_I!hgqVeTR5yK2 zy`!tqImpg4-*MEVFSF(-OeZ^~P{q9?TGS^#p`1^Ae^@$zL!fks0 zlf;>Ljp%*4TGmx5g+o!&;$&CWTq`q8Rp(mPie~m%xj7kZ4O8gKQm7h}12V!IbsLsp zhv6yXmL-l(v1V01Tw}z%T*ICqnz5OQSy8M*1PPmocC$3aBx94YpsAFq-f~;zy~e$U zplULe!FsMUO|!V2P1K$6ppV^FyFH<}NzUuK0LtLDx&M5`hpNwG_$Qt1=1YI~Q8AZX zl%3lb)x-cEDGIn$ax?l68A@|NyVsXU{g!uvQ)%`kY4 zHai}R)qkxAvzrTH7seYpCM34ZO4}|YWmZsrB=em)_EV@!M&i_^*IKYk-e^q>hm=h|0u&zU0$94afRt> zr~u>lN_B7X!FB&G&-pN8r2asO=n@Sen+rA(>tcwY}t1IgMS7qF=7V88%gunG5SVoYJX_ZUr1TTw>%G50rw zXF%`#zFJqq?3hEK^|m&IPHJn-Q3Ni=d(1(OiR)@ib-K%UzyV==t;tKd3}C!gYBg4B z)kbb2FM@WMmwJFEA-I(qpqc5*`7_MI~bmaLD-Rjh@1m&%_&@ zJx{+#+RVdgT>>*WlT6a*m1(2q>iR&#c^hlPsId`}m5*HqshA>iWNJ%L&sfJLK| zo0IFc91jt=iX=>Qbh5iU37$yKJb+fg(=F*kpQscRsZ4dMCu2w&1#8frA zqI|5v_>|IIJV(%b)_e@xBRzeMeP`2}-lqTVcvBXc@D=ope&DrHIr9E&F2WI@e>Qiz zk75P-Dz8&uhxp(Pe)KymoEuD}F}Ij9cIUL!S;mg&PoR||WlnWn)O>%RSaAmIZvBHY zOEq+l)CQGlc0Kjl$CSa$)9K~GLs(4rYTfBewB_0|eaI)Le5o`I+}Uzr;f0&p;8Lhrbuh!IT5$$KtVw$@ZNv(ZJn3KRZUO_?x8j-7__$i#&t-p|YGyH<{i&X|9w(jlxI9%m z?`^HbtSl{@mUn(JVo3?N+6;7c;pXvH7+sf_*^!R$LYb+u1@Axx;{^SZvvy-$ULeld z%d_PPY;Q`uNQxIr?iJ@{Hgz$JHgT+IB+_h`hWTSPztCkIm5E4yAS+W`w9PVh#^R|Q zqM}?RnY=`$NVWz*tzRyY{1Y1&H+~Kt*mY5u({***gGfG4k|B@1l0A>T zfW3tOHlYa*Mu*DFhi}km>E)}Zvo7ZuL!kSc|0^mcvpZczUnSsg>Tx&wfQk~XrT+KO zO~u{{Z|Doh^*G0?2O;7LjDIeGkReVKCn7lPAm2b;Vx`Rn~THewHFZ=v)%q%Y{kWX#N2Mv-Co-`#ru zEw7J1-;5LZcAuKTEj`^0pcP3tHIS$`0$%_zx=+Im%N|eKTi9Pf_(cvH0LVeT5!}>G zJK(53{djHD`*>SH$}~r+**Tb)_4VS%G#*hv0B%77vVM`Kmfg&DGuxjN=Dn>Bgg`b| z>z{&ZWd8LV1&RT&LC3Y^sx%sF*>BofH8iuE9d7<+CKdkl^hy!L4OV|P;z-y@P|zb? zz%F#IuRkn#Cnit7%qx922Gsv0pwp%w&!u$4B|t|4N=-mDc>lBbpltcL@vGENB8 z7a*KhixI*7y=GA04`Hlab=2+adurH07>o{Db(hTsPua*lbDm`71H(rr&0Mxx5I7!aiss&&mLuKd++B9j;CW4l6V;r{2ZdYYITd-n9?s5!>~P8%iqTH zO>;Y<<1S%kVPA_FJUsEpq~g(&l)^#+>jn=&C+*aK@L%a*7FfBlnDl~$8^#XfKpPlB zX)-M)H6|t3#1U=iLr2cz4Wj7#0|J`ZnG zYkgWgTIVi`RcRdD*HyhZ!MkHYBR;C+VdOrJcz9oKIm*V5`wju@7@OJXCuxqbV=(lF zqN;}B9~~Vk<`j(!Hekmd(mc+?I@P5uw{dDW(l!w#Epu*UEuMj9tBd2D;tL7S4zC+! z7_AK2hNFho(X3>7LNCToOHu36Ibd$^M@dQ$oo>oTY+Ry5*^o9#*ovdjgoPPa)=kBm z8wfE@)uAhHE&nY3+Pvxi)}y~XSHfbP=BdiB{0z}J_W z#4Hx9WCF!F&Ytt=tyArFgMX-!wR!75eueKnK3$6 zDP|;iG$th1xycho6;^ngb$H8gvM$qL#BCx;5BK1ZiX$vYxIH;HxW;uUP3SL?%C+)W zFymaxcDADCVn%}Q{9@7|+bF@_TL+$J>%{4e7K#`-w>wP3~pQIL^y0Xu6W zG5*}d-*6rgzpx-j{=lB${_!gK`6pXmV3-y?ztG*vZg`G7n<$JxOEi{mMF)ib68rUz z-gga(uB1UoM;5YZ&vHL>3Dx6^owQ1p3oPQYAP)8reC@CVtIYdn-IeL^=qT_l$E)V_ zh-InHsm4+66$IDmr8l>e&YAkvmcuMgq_}XA0Rm<@PWJB`JWtii-!pSoh>ORp%7QYm0BOe zLv2u9f~S=z)xIIDLG^{4JC~GJnrqtG0&xrF9-^u#q$$m)uWBl0RQ*4*J9fU_&r>y9 ze%O$*S1E_*s>(@dYM_p)m+Hu+dK!tUr!vmeP)Dcjc-hrjj9w?>8@UMI9Qg~kjGqLz z6pr~b@?RVd!e2ShkC(1RG#@jkAE=RE+elw<@8yIXYoqK#N=^v0Z!M~=d%k+VKGQfI zV?SamNe)W&Tyohkg>gA#yTNo;d4;m^|MVVV;fM4g{Ho6ZB!EYnnT_HnKPT9x3Rt0& za!JswMa3PHw*@%h@~-)N`x|e3puYTx-j;QVL-LCEqk=8qV~y0KiT)sMKqYr_WoVDb zzQcG0P2XiGFNvAmaTK^R>h|-^>>+oCjDf+UbfFLok7bl-(|E->BrBI(va;0GDd?6< z$m7U=RmZBRTAa3&J7sjX8?KCU7tt&3(fAH07@)V1X5`hEWahE;7<$mXxLehl@^H#{ z6-&mQpi<3Rvg%s$7*{px*m??REq+;i;X3%vtkoD+=CLq>=x1E{6BhHJ|8jJ=UmImW z45g|wWcIDH2|TXl+b9hc)2&-LxrbYlZ&EyS9hD50PZlFKL4D-KtEn2VHOeP4L22lB zX09RgF#Ctb3Msg+;@ja`Nsq$WxKY;*=&ZC@I&H#P0G{`fok1%eweW3hux~p+fgP*# ztSmg8a9AV5L$Y=qYOwIq2r+UIAO}K*BTIfXL_|gb1C9r~H_fNNF1Q(Z!u9Pk*H~Fu zm{~_vGwyV^WG)Ar$HE|CFBb+jLWWR578VASkPiwL77|Q&cVyVM063v8xP#r>ePJ}+ z-&bo7(PMjgdu4TS2d$phClAR}6G*wY6rf(Bx=48%k$t^`?7uCX3gx2NS-7d|PfP5- z;`RtYZ5%fShxhs{t_Pdpx-*7Zqh1N`qoV9?bTWdce(M~6TQir5NMs6sHb+Iq!Ic&j zhlw*PgqZBv{TdsvgGyePr-IwF1F@{MSQI6+5bk0Z?^G`*&A6qaO*fFNhC8^X|FTUP zsn4EpP>!nPDW9{lBBlxad|pZ2^aZN1xZwHc9ikuxukViBER*ZWiII9qUVG-vkwC1G$pXzdcY-YvwHyPc?AA6NOq6{nfK!m$YeiW*OrZ7_&Dc1>NHu z9rVZXn~mx-$ADZg0`87_;chc7+vsjHYqdb<3N=xT5nE=WB5I`lB|V5O;$T3#N|)>gB?OXZ=;tj@K2wb0Y{m~M>0ODp`bwf%A#iYez@S>ElGO;LyGQIjyH= zpGCGE^4#h^Qo@(@P2v5pg?v4a_g%V4@Hv`^@zVE-FS$7_EdadDd_U zKk(;-FF=X15U`L2zhmL{*(Cha(;l(%)aClX{2reOi%w2?>J)}65x|G<#2q>Zg^W-3 zednO(hL~{#V^8^PE5X8!K4TXrTJ%`mjzIj8baqm{oDCfPmZXd0O;W&A{NClh_R2VKjD7*OH6Adk0$Q zbzek0cbkuBx7_|`=;m9qHk+_#7Epol0qnEdmK@x(-yZLdx61Qn+x6T#ZMvLH?sZ8>ul=k;Y<5D!&Y>mWa1>-A$zl& z3FptA{n!g`GGInHHA29v^87f62+d|r*q+n+kMz1R`$K!(RWqc-1dlX|y7(guf5`2n zcUhvP(;;uOpuS#Yi*nAD@t-TNrJP`QmtxfP==&I6q0L8iXFK^jw`Kr&0p*36if|(#^dzh0 z*R%i{ENkSKhfMS#OOBrfFO-xwQ#;a&1wmj9SH^f zH17!b!r2i18C-~Hg7m-aw#+E65XU*zs_=h%=}0HoAao4O(yhg~TgUiF%zVyHeX(vI zFPD({o`wvrHlA;g=$`s|+7uJRw2h3|+^!7RKCUAc z{VbBtNMD|rvcDbUoH=*y+F1$1YyZwpqAJduz7%5$kw+H1?;JnRrD+O6TRQxi@`7;| z(BV&sTzOAA6Fjd}?tp#^x&`+T`h@-**M{g)u~D1l8YUmWdIa~FNjI4#HM@dge!WCX z|3HH!y({Pr`zW;=wPQ*70LB&ix`RvqNE%Mq>4QLi{W(>17rS$rJ9ga&|4QX%GHRzV z65qqGC*|YEm;3>CrhW(GRSQ6Wu^yv4u_EF#Z3Lh{)c+jY5%p}7^(^QDT+^j|`Z|+8 zfDve3vz|zL^j*R}QbqE=Q`Pog1-!$)4!Xo2@VEtiLR={UuBi$?C+WhDA-*7AMb3qN zmH_CNSg(5-u|4y;ad=J=+>aW$=_13?7p0~`Fe z3-1pErARCi4&*9X2x^}oA%Q3mmna_gTWu^kC025OyqG9L0(&H^b5v?$P=b0?>yWr9 zX?TXtCQH*@cA;2?sOfJOd$V>?)P4FW=uR7myyyJ2)y{L*wI|5rq|Qv&bEfC?>kQbD z8A3D?js`I{RMZ7t_Sc(~o^Lqf9Vvl6E(bH+R?qvCrL-P?AnRrJc0&*O%`@Kb{$r$k zlqYH2?N9UoJ#tcEEy>Uh6EADGht*ziHUg6caicAEv=5p62+2ubuzUA|_v34~!Pax~ zqc~o7b4N?#RhPGg807s3gKn$u8=M8!y&d*RU!41Szr9bRZ^xGzpMUPwH69iombPDZ zy=nM`M+=oc9xm2zT2#X=4BxN>o3P2hd{&DF3jGf$Mqqy0uvPyp4O?K&SfWwc?CdFO zs@hC6Leb{9DjdYJfD*u^l0lyRnAWXM}j88;0ad^>eVp z*k9ng1n0>UZT~#a2^{^nL1_T~^dly*$D?`+IdOE3Vxvav2R+1E02jX2d871BaoHk8 z7=T{}Id75&UI(Y$8zV#2S30*`cN8u@fKd7-ka(M>p9O!Km+s1+1<$P{d}XB}|H;EzQ|`0?Q$<9_X8egRXVn6YObcO%gfWn3md581h{kR64D9gG zDto0IO>?QrZ$*RlIev|J=?(m_`S-Nt!AT$rI&>_}>iIf+tCD&OiNZ97PnMU?WdAQ{ zY16XhC}WH)RaYzOM;>NdG2r+X=IuR+@NPSNT+2RTb9Rz~#cyY{s1gX}g} zSSJ^MU0v+3N+o27HTp(xU#r++9T1F3#&(k+(Xu6tPG*WgcH5sqR(W zB1Y}o5^a`>JuHB#ZZxejMLX3kajYboj9$+}p{==CTq_lnYN_Wfu0|c<+T&AN5)GRY zF)=(#F_gHL%Uit~LDfa$BDDwIEX+K0G3{g8Ahr$^xl#V;TNz!%wPhLxPu?e1zEw}? z3{V>*I~Y7_1~V{iAC0vqx81sM_>ycm2t5urSz1UOUR~%I4sKESgPL_S$gZNnFQwKS zUz)vL*kXy2h(;wpx}Q3e5B{_(%P!+R4^HAcTyu48qtF1^m0WA;rt?r)-ZI;Y%%(CW zTlRX-r-+*?9X7kDNP8>Z-XJqdxl?t;eGBgDY&YS7-Ga15m5HeJk%NqpiU_94j_;Lf zf`QcIO`Y2K$70h!aTCf`Cj6q)v&Lzys-ks~a>+peMwh(Ai-S?4#+|Bp@`RbKfCH&I zf##7gI1Yck(14C#Z3njOaLRcRR+~mL4pkjtNe~+D^cvOrhmxCr^g--Sv!o0w-ibO= zUd1IfZx|>ah<^U5)i3aSJzIJ@7g1&hJus{V$Z(s(^EC7lp21(}VWuh5nMbJ?)LMoOW>E)qW z^3mop`PCzZzlsD`3YbfZE>UFA6qxs(X>Whs2EP0(wLl@Bqf?{|C%DZV%|a%i_BU4{ zPvTOsjF7BCQ}Iy|M^$hTUGhIm3|A_XYT5+{suBdKoYX9^8!o3#W~OIs^3|FL#iA0b zhE7kriPQ5SO4rb*Em##O+`Q&9@ydNF%<$}=>!a(%h?)hPntByp%2A83lg#DchCcqI z;Wivm5HOw+o|#)oh;ihD6@(;eZ@K3J|UN8=fG89m+g@c99ycZaRP-xza z=!@8m5Tz3}8^jYeqfLHySVOY}a<%>@0mxri{UbV;%$_DJLQWUYaG%$(UbitN06 zVROmv>>p#UvlF=Zj356{yXD!;j)n@l)z}Jj2i~~v*;nf~-R2J7u?oL8*pp+6WW`MN zY0d4EnZiIt*kA?KwT2}P$&e(N#Mob+o}kvS80ny9a-7^|{%nLs&azK8g3us-XriFH z{=@!+pkrv%phMnj?=_ccm%iawYXPm*;WhD=nG*8TvEQg$T1_2Ii7T3o?xVN~QJ^5? z+xXRMDT&Tt$j;7(Q{ko5)}%@q)bq|Du2qXwXhHS0zsf0LjMoNivmx%2$_Ee4RD+zzVQ|ma(R^O!c;WNE ze0=X|-SVtG(=seJ*rCmFOe2^+au6 zf%y=Yf@!7w8h}d-EM_#j)l0j547O>mz-8_rt}5Z|@6!2Qa5Q5Q{{b-;DZIAj?ia`H z>V{ER&Oaz=h+C?d8cy*o_t7jY+VeC21}!b3}GE%^#?TSl%bHvJxrdU0+k*lH03oOJQzZ>T3Fp zxOv%ntPCw6?s~+@gxV`$acT1mr&799Q-D9gS@G#*+h1B`y}hViwgisJm0s?A6W1A% zX6Fg^92EwLl?(327{8_u!@vz+EZoAC(v#&&nJ$vzNOWRvU2N{vaTq8@6#jK0FAI;{ zVaf|dgw?eyOdW=_`LasTNpXHLC!eG9uflQy1k9wQvR!gfCv{rrCNwAb9dr5GDrMfDJ!T@Z?s;Ze)4J3Hls@?XMS|V1y{G}q} zWALQmD7kLiLl6Fejn83K3$4?~+l1Yy7_Rm92g5@S?wz@LNcpU;xC(TKf3ll=L>?%2 z7AQ5SeAcMD%eV_#%2`t9EUyzY;P z;ZV?CA(j8p`mTr)4f68i{S$p&A8Y_J6PxO2_^G7T?s6sV2;&kh=?FgvdTH$#;o%7% z&i)c*Ud2R9gJ-~%{Qef7;u(u1P*$$;t@iY=jZ#&Nmxerf8`ye=s;X)w0xPObI%F01 z(BqK{>wA)*g-uqGu~O7S8;Mg|%W5rS2%*j=+}WcBV8&x!sQb@)1pH3;Z2R!ip7lvEI6Le4Awu4Y0T0*xwC-N?xAie?@T=c=VrR&%!#(xfmcU=jy-Hz zF?BI7@TMXIsfHqAJ1ODt737Mu~5l9 z)3i>?JtMsG`({0<)S}X3oh?oVq3;vIXLgs{EuYiPwA8YoeyA4&h8kREJd=H|*Cq>) zm`kv|<^F^x+X?)LT^@>-K+Qf$s>-XHUTh4+fK>yD0kOHZr%%q$oo)Q-F7LFo5unX_DQ z1|b&1U__{d79j>3PV*@Z({w!*l_kv~3(SEe6_u<#Ybo|j9QYiB0l^oy)c9JAxDC1 zA$XR2NL-;A176IQVyF<&q*bMt*hRz*&MQ`Ti0GB#Z?8-@xYUYDz&mE>IC_fpW3;TI zY~03jPmA}2wwj;o#2`)%Y)-&KAYjlM}p_hTXd=AF{qSj@qBDtwz|*R zu7amR(!kudrrms4c(-bSROMNPlj?))vJ2i>#rWK>l$3)eW|mUyCLc1UoSb)mCo6@0 zD5X5}nMDWXe~?>qYU&wgl6oy&925tDYh{`7ZOFX6-WFd6e^a{GdA0+T6s?FjLOsyzWJUxcF^^8kXj~=%*_iY_~U(Bx06-+b<8PHAP zDdZz_@Qaq*1F+6u8j)+kY_^JE8M5oTHQ;(u1o?Jms?64PVYUI4EMXZ zID-5ST00^*$uQNj3thur!DzSk_NTq0sAjZb+`M#D)_!J29>BJ8w8l47YZ=9kBVS+L z!T0Fft|BF+WP^rPFy;(e&Ctnf@zjtA%ULWh;q#jjn^b9jH)+N%g%Nq6Jvcz0AR!J@ zxj=S`@Mn5Pv?7?pl2oCw>n_*HGiGNb%^Bt{hisaWv;C_?vHKSRd(gwH}gQ%b5;DGOgM@hjQaxgx9krNtaX|inFO&V-Lt0Jh&!~?h3d!HY55p-|1qX5%<6) zzw50AiGt_G&JEgilY<8!hMa`58^UkzWjy(nc(2({+xPXp!U_nj_WsG_$Q@9vuGK-| z*sVi{s<3gu6V|XtiW-jrP+&w97Wf8ftig%iBPl_yya)=g-UBy$Po6tWp09b5k6DAQ`m zX>wQ{yyeQPD(LDe)Dg*BK!H+%_$>i}3PyLrQ|uzl{-YKQs2T_?N;2vD9g<6yNY zJ~(1dw$-qEPVi+0CYTKk4U-)EXu^Jk>3y4+porX)tlVs0WN{}A)u|Dv|;F|bR<3$?U>c3fB#i&^&EJQ zO#|MJQw6hr0cbg}D?T5pkMf9X`K&;DU3qy#_xbiX@$LX$bi;64v>yC{WnfWY%H)I@ ziLOy^i}je?ZR|Q>yH#txLj=ZV@uPTR1O}TS6bvG1{dXt6TS*sL*Ky|u3Eexea7oGF z9tA;mJYq~8$QGp#Hx4fNkADmxUh{lK6xMm zh&1DjNn*MGE$_;GlVDUb_%Td}WZ*5@YQaK}yT|(w3w;$0Bi@gD^Yxb18eui%Iu}rkB4=a*|u9MA64^*aup{{^xpBmk4oV%d z7T2WSAJ+NJi9T(KJ{NbtzE?S~>9ce`@o%+M{q6PfyYd`q5JCkMWrL>qMv*wWgiBT; zIB*(@l{KV8rq^@ab0;5kL#LD9GMX!7IUVJm{MX$ zbF#eM)B5nESj@Rgr6{?xT-As18*YbDi)w!bE z&DnV;9lIr|8}c4=Z z&Hd^|sDk+8y7-iXZInu1R2#{VR#lW8x?Eu|}yHMWD>7_0ze@>TGyagv}v z1jrWfqwWXin&$hG)lvS30<=S7?GYS>52)pA=fnAQVR-_$(x0&q@7o9EsA0DY&Ak*E z?^84x#|q}@q8^}qv?s5_YTOF>+r5MYowkmRa^w$SsQ!UXosYS$L!>Xd@9Sgdt*6y( zuX1YTubUbfm@c&T{Y6D@ldCip% z-eEuA?Wg-k{G|X@pXO|lvy^k0<&pE(w^(Foo>Ne^G#@9{(5g-A&fZXhaA4n# zkUWOVN=NtRGG3wtJ`8i)jYT$l9VGebzul z@&}VA?_uJFW@cH0szL|{21dUkDhN>orENk|ha-#=EED86}PJek~}BGY{4ISigDPvh1`fna^rRXfHoM!?=Mw?I!L4X(g}@ zKgbQ?3d5oa<<$D@`gu@Pl)=iyvsmm{Bc`iaENb@v{za^hw^*M1lQIZQW0!p;K`y~c$+v6*!U}GYXC`FV7$H&8L#l*ln@$%;b-Z4CI_(550 zb9`egPd_&?o`}}3p~hfXAa0Q+y9O~?oY~iBTl4A&|Db#{S&c=vGZT6-CC;)K02?2g zP-rNFog5ccHWKKZn?G`lc=Mf%a z9V|+z>epKAZ_xoDT6cVen1G5b6>@k+cFi`C(hvZMzRa5 zx+gPUfjtFY^7hydeeWvEwI5sGkX~MsiUsf6o#j-D--EjOeM-KlfnJS>7z5#sFIX(>Avq3)x)a3DUy^4Ft_3)D#CsiE11zt?;@#u1?hn4NEbaCLUyM} zVEs~;#l~T!IhvjiC}WDnuBJ>X9vprwp2t4jBb7JHuH4s_C<2Y2>dKLz5(BM~EJ`|1 z@wB3>A{6##O;S#BG_owRR_^9l3paIEa__!!P zPQR@Gx+d9uSfnU=_f_6(-!BeOW@j%Sk2NXYVBlcT5Hc(>QCJ-%RmC0Ug*Bj27{+d< znx2D$i?hMY)ghCZS-B~N{FTtQ2lOmCITbUdzdQJ|tf#U?G8}p) z1}8No7%o!6ONArYv4wWQ>P8gRsNr`bBHiCxr{PBCYocytWz50X)_k>4@ww8>`M4 zeF15;0>MJ0cIKyBrCR0Vc*DC_V&OLbdC#&%#UFz!iFbQVh4#2wtU@lHw3HG6^L%@`W@LuG_Evi-wOuJxa7O4~Fd(EFhshp*9E3-&_AQ_Jy% zTtTO|iHcA00e98u1Id-!>+46h2N_1A&Ue&Thhoqt6U!8%Fl0xNcEM2=Low z+$UZu-Yg=Oxb9Q@$^xveXS>37`%QH}Sti}DiTT~%A_Yy4NFQ+G4P|78X5~hZ(Prh! zI978+!Lj4z55H$UFU-)PvGG2y0Uh7YAhY2OZn#dmMZ)4_a5URmKBD7sBqwhfe?b4) z(BAdjQ?NDsE_Xm!vHul@H|T+T&EDx15)d*F(w0V1;?TZ%l4(9;XYAj_OQd_P0@msc z>ioL@Dcgxh%D^0nqc4auP2d^RXu`?p+|?2x(J{H)yrxX|2$`}cNCQU?FJwEQJ}P?w2@{pBOxM&$wNcNC9Z)p^D=TL z3xO7Pq3=d0HT&lV6kAomHV9Q4T4f##Q$47(b+ipnN7}|8Ydhy%zART8a~BR3)_xI9 z5pZL1&Q;3FPg44)2$W%O$U?kd60njpCPq8Ip{;sbLJ14?lM@eT(x>;bhI8#kTXhej zL~?-lxNJozpBfP>xgxIj0vcO0g22j62D(KYczMj}X79Sl5Svm%lTaJYB42R}aI z9)qH1xF$$V&&jy2M49QsPU9qBnQ(H*HUwpfo2a#=UGkY0tbNigS0=?@nQ3Uu6xJ8B zlCDloDZ|mUIMCZCrn6)+5zTt%)jm=2`7e{8|7rEm0~r53IsN}?^@#kR$?5;Jdc+;| zEX@r5CHAoV4TOr=SUU;`*tlxY0O;BNNl^bKdl&$$f5{#I`~Ob%{OyCJVN2ue{$knT>ne)`0JxE{dY0y_%Z7MdU(ET&!Cu70-%hlICyyh z|G~TniT9r%a1`1FQ z&EEWfP7(sq%>)HcFS(f)9~=M3seejx9{H@l(i+$4edq9#ZA`A5kH$PIGwWkH0@FqX zX&W5}JoldXnCSIWtWuNmAZqv&GpkeY zgGkumBXOI-d-)%YkKg1ML%aBsN@L6yW$Z!o>wcElQ_Kwy$vfGL&f-ywOX;dkUXT7a zI?msdF68$T2=0?7`tsGPs^K>l<7&m8~G-uzb~;{ThwVg6^$|L>0h%YVV$ z{FSr*n-DR8jUK@E@B0gux*%K?N0P`jORl=QHno?kv>i#DTGW46bQC4G#|6$V=LVqy zHR2OM%!0-9St7>&0CxV7F@(AmRR=K$KVsKOTvuxsnKc+Yh(u-wh#ef0+?(v3WJ^1U z3ggBYVXTXL$Z6lC0U1tnyZ+pM_USqC=&)WYQz)6P;?PiH-Y?hy4^6%x!Vat4m}iwg zR%;7|zcUcPH`|Q1TWM?NMb&$QBw(UvtM`sz{g}ps*lh|V4|>dSfpP9K^2&yv6BrFI zzyf=FySCuX78ZME3@va4HuhxtOhwG8;~D!?YxL19cMpqS7$TZEJT-9s#`5QTkSOp$ z-wRMzbln`MjxtogweWJWzTRS#d#CRgID_^}Zj%SV#o`T}xey4Q)NmI!=NIRoG!wml zk6Abt4q`6T(j#GBHkQy3A2__cV;rZpT2d2{vlg~RC^Lt~?3R|l^zK5g&X zTzcee6-7-zk0ZaDo3N3R;cmY9-S;`~?npmxJZIo1aoR=vHS5PMRA|rzvEdQ-ljA4P z=GQkZO8M%F+MU%M5WAGO_;f5?tjQ>Yed-@6o)C7OE@`^fQMWs8|AKJOh)n!vFOi-n zK}0u{x~O=xv4#V3_Gp8bh8>ppkkOU8$0b7w46@G~s?`{`(!*^n{ix8K&h&3154rC1H$ z($#m!mBS^Rbw*DsQedMuQbJo%T_1oouP*R~9+an<5AZpycgVKiwA>=Wqs{Eh*@c$L zh|^(SWCup6wLHnJQ+j8GokxHUX4DDrN2EwNm{RJo|QMBf6=aUQ24g%3a6 z0vCUgy0XY`tj#UA=l=~B+r8Eo!Tdfeh&VU5C`Y4-R8&$D%l)mQ*JT;gY*gbLg)))qoAyc_`TWLl|8E<}@s z6)Ip3o4+vlNBc7Hi5Nylsfp3G4hy;HcFG@HNqyw^?Xm)trf^cbYlat2(>p0kQpU`9 zG`web12&?VHJhGbn5)H4oR*}QFIVa1HZ%fWrbE-sWgdM=>G-Big(SmM(;wVLrhQuw z4?rH5Y1stBBu3J+4(iR{-^eo3In6DITRIr&WO>V;7e|E))kWCLO0yNm$+ZL{9qk95 zNNx4@wj4z2n^$TspC6v9PE!xwYOg?4IRC!)=MQow9~UK$uDn;Gx$#n=UCqtOKA|lH zCoDN(Rx$#`2_{bLq(0JgUAR=XI~YpnvI|B5Uum_5IQ1_2`P2L587EmMoU9EtRU<|Z zl9_YnWFqEq1BGS47Fii?m!V8*E;h%7buPfvp)SqUMSAmpI@=B6jhEV39`sjZsWSgye#avtPE@V4Kf#fh}*c4#7R}mY88T=2$UW_ z1*^pgu-5#Wj+A@j`pYHJ55Yf0>uM?xSz@gu?33K#VFnb=%PymQoGojKfK;?~0cSB? zZ_CkRVlbqHUbila9>w^f%x~_uC@@Q-H8y|~jI>5q)TwS65#`I-aM(79&h^3~_xOkE zh?R8c<>lIBttO-{W(GubS{a9t3SusY!%41`2l>=VqAX_URrRQS$`0rJ0w3G?HLAyb zNi0Vvv8ypLvhE#enGrrREYs1vKUAxk8rF94$}P@Jl{ZXGHD{@KWW>t7v$twZta-PN zVhl`d2c$}Blq%p!tAOfPo!)VoI?PUL@a0FW@Q!e{12F_h&v$iNz|;{-pwf!LfhwXC7c?}xykm9rhQ?^ z#&#FE<1|U?bJrzdF`?-q>J+1Ta5N9yRP`Hvl7ZhfBEQziQts@7KRU0l;n`)9MuF?E zu%iw!klc{(UsSb)rVV^vk}t4gN633Dv_3CB|7^AC<+mh6+35>M?|_r`DTMvGRm}cb zJ}Yg`1sp*tJVThQGjvy>{|cF0GZ^<%c@*j*n||5-%W@`RiM^~(qh~f)xi0=7=O-ey zkK9;BP4F~%;C5oqsGMXxBlZNU>QjV7(4qQkMDN`IX$!@KmHmqBiX$l(PZz)G`^zil z7a3ry;14_OEbIaz_!@kf0OI7t^vF1TX-*7N>zHyQ({1s%jEv}fK% z^K+;UROv3FiyTT$H~ro8JH>X}o(F>0*d$>V@Jh5S4X*T*XVkW8H2$Ht!9%UCp=E-OE1Dxh zXS=Grw8<&Ej0g`+dWvEuhKTff;%jQ2Xms&{ZE3u+U&kPgWtPth(l)Nw-L?$#l_&U- z&vEsAh_Y&rL2A$2bo9PTj;0*f$Dfz85o?Vs+-&X3d@Eim)2c~J-q&;BZU1_oHI2@r zX5pbe6eTsm?M(LN=YuEVQ@4AZg_1*t9Nv4}oDn)QgnEB2v{p^1GhD^qNT5(47{xbQ=%%)aoC4opZTE#Y9Nw0H@rBK~24G`~^NP9mt^aX~5uNWg0e zMc^_b&U2l6h%)}-NuDTGf%$H0k;3Dd613ECJVEgbg7rg~uqY|M@^r+hD*c=bJjrzy+#~&G!+{#>`S|iE>>H%)B*@Mkf)$xZU)#1A8ZX@oz`yE(aNxV?J$wsS#6Yq;Di;7;> zM*@X3=;18oePyuaGG#ilIVv-yD2=c`J`GLfSZ@4-&_IZ^ySOg)>24EaOe^KI3D6Tg z0ct-B3mW!;nKk7GNSHNc2MRHzEA$k<27X2kv`|J$ZnL<10VWt<%~x2yoBM&t`PU3! z9d;(!G8no(OiX-eTf5(uVrp)ncwTuNYQ@0bij@EU(k6iGk^mT23vmbuF6#Y=OL0xl z0;XYy`5O)G4ONNdBVre(HJ}r>4p%N&;*Y52x2ZjW0VC3O7wOQ3S_?+@BhSzrHjLme znb{QsJOPz81sUENP<4sF3>wZfpR0+vs-$dNb@R}(#iT(fAWMwXV-YF4h0f-9N*9@3 zhFNMf%(m`dEJ$RP2L83RnP-fIHbTl{c*+$ni@+Vy7qB?{wOp8GxW}qSO-pHIA^qk7 zzirLr&IXXuD(Xvy4NV-TIkCf-Di3C5g0z1=L8O4Jllv6c-ePj z%Qm;eJ>KD(Ce*9vC5*ZUcWp1Z5hK{#=iMve;WT9DivwGCkBh3;kK&;WuWpZMlZ}On zYD06NJGLiAvv-K-*VGz>T>d4XDlEsJ-mfR@onWZQlvZi^LC@fVQbIe=>duUu(NUn1 z_7O3ot~Qv5XyAZwoMWZjt|Y)#O=i39UrD%{0YqqPdo%mN3{!LjA?mnL2lFXoNnz!2 zLDpjBW$%DcB1SN_2D1oCB^bGvpByP@LYmIJ6Sn?9(j~x?WVs2k-M$hqB|gX zImY&igM=DmCa0t1z8>FYVQ?*;>K5}(vduR>>JaDY?PtXQ4P>oN@h}q-r*BFFG)L3+ zX+53OOaVhf09E9I`ZJ6)B!Aj)xYE3dCH+Fu+1&m-?7A`L>8<*O=f;jlCrFjI(v4p* z0JHcvo7A9gn0dUQfVM;N#B*-Un`fGcK?8m`5Rw=Fe&rQ;Rss7eQMci~Qo$r2>Ei*f z?i(^jibDJ}g9yO;@W6rmhnc20pMd!4Jo}Z{6b>D%%OZgG3Qu=Knp1kqRY!hmxUK5kkAkL@o?0VK7vh#%>@qY>}nm> z>U{|cUnrwqISn&Q(;P11wUX@afcFS^1ggU0m^Wc zqUyPH^E&mpP}4EHW9mo5h?UK2o^>uE&#}*`DbMa+GjBVoa1vgR-O}5%cs7rHI-WPb zx34`Nf8|`?+6{Gccy3!Zn#Nzwg?QQag4c=4;VHdKcqy8(vEK6=4#W3NV|22cm04E^ zq*YNX+nZA{VkRkfF))WPqRRqK9>%tB`V{O7LOg2+zyo+n@B6s$JP!g?ylyK0@KN_D z(NaG7t%LKv&Vu*c_hJ1tUuDS7;9hl$G}rckgP?uMqbJCRy=HUx{C=$Q)Q*SNdidP* zaq_%)11Uwq4knxj5aZqOu-#H&%-sX3RT=ioZ+{AT%I*Y6w)M$)+A3d7$StcI+H`VL z3#o4>nF&Lac~;JM3Xu%*JlOEKPJnMqA{%4@+R)E6Mc zd{F?QQxrVShdk1YtFtq4NdR)m-L~mRO~?5WVq57k>fs8(5#b9oG27=rpKTINWWwh5 zW)KqIcOHD|_U57JP*N{GRN!mrHKjj)Vue=7rO3D5H&)AsKvKx&O@s1Bod@-HEI?j( zPH`EL!pYe3d>xqDwt_Jpt5TZ?HN0ohsa39mF#FCPm6S~qFf?aiQKoaD`3Q6{3&EI4 zriY7~3gvUAv!(my44RK=N50$FF=Zm55W|6>xySloKf=Y|T8ecg3~klK{lOyk`s%|Nakc03fZXCy};GS65*sA9Sw zT0=3FY6vie!IY!4CR|2WNtJWils$uF#3SBY!W3q>Gs6REpLGMq_IF-8GsZR;5E&hv zzE!o>V;hRJ;5ISlQkqO(I@vQ)*v>|x^-~E8Pfq#DpDzb}fkZ*(%2}IjZtgsNTJ}|^ za{A-V!3bz>?lYb)J)^F^u&HibZ>Pa(FEi0LT6ZMF+?WI8s3)bN)q`2w#S2T)FQxH$}xcEn%ot#Kc^iZ#Z~Ne%FX-kOi`o0$XKmi8Ub$$=UXb(qPn* zUH&S!uNdv(>=}wnHpERjrf-OgCiFRZ^h#?Q*DOMq~{jg)`b3L{TDQmF+cFoP$cpIT{ z)RSCiD`hrU+)XM@W~@>}ON)DEo%lfL<-H}l=C?8&G2ZNDCRp3^;y`zu%Ik9<<}|^w z(vJQ68i!8p*a9P_{c_@JTYGEfXlXpHf=ik=9(WDmJiT$stP$Yl#sPy_4jmQT6$}pT z-wU?ApHCqHGFo_V3WHMuUb-{tYk3KKNk9`)%{vCB$N-C-^}=77#^)-A@Catgz!b`X z?a%RXQZCd=Es(TI4kw@;i5@>|I7wpqcS~#+!i$OuG4hH(89t z22{*|fWk$c;Xc-;Qz-V(4uIon(YRQwb zaO#h$(vqZF8Hj#cU%#5Fba~#U8z8cwjn!odoDtRPUMW6}+dtGVpt2S!veb2XHdRhh zozZT{nbVb4IA2}876u6nrWlV;{1SxNEE<`aaS6A0rg^pTh5f4?5 z(MxqmvZNQxGT*?2PS0`mY05XONHQ-#-r;X`=a8UJKa>_`t`E!f=EAZb$Du5X3NPbn zm*ej2YMJR(BBHDe5&bueL$YV^MLqs{y1jNX@MyzcXV~Dy=Tfugs#TGo#RJ9ixssEz zd~MxGDgitl_)NJypuICEEjzEBJ+12gP7b1k{Nc*tL_Jh^2?iF3uKvPa2p}`WG+ALi z%zHOPyKE~v83xqPv$OH`KHQzrbliSPJ(__pdXp*^w)kb?B zjc`^-M?@f_rn#%Q-sSSsxM7p=r?rdQMrVI;R+U@QKupb@^Dzu>lULbx;&!`N9g&T= zT)WGXpdct#!}Hc}-6QSA!*jW8j*Ku=NmPAP3zAcyZP;I!DB)B?;(xBxBi& zx&U=aQiHUvzV7wuwM%KFhEoT3$${c7(&`Zq(u8p{OZz7dijGSMd+Cym!{}DC0!YQk z1Y-?}#a#Pxe@f{gp`!6LYm?Wp=Ec&!tG~`F0}cuo1F1y@2nB8pe?{E{-A05drSnkK z;QUUrT&D_12agfj@NuICs>2Cy{$WYoE8Zf1!PU=AicKS&ngt_vF?C2YnSewl$5{P`C0+#2}uEB7QNkkuI#na=my# z%o<;v&#yjAY-tjL6?0K{hx~14jF{)%Uym1R==FF4NhaIwOGbv>CuM`t#oy~L!p76V zSAi0QvbbYYef1ek9Ra~YNlMAyekq@l>XUXI%FJ|RdcbAMGi*Pu&nd5NR*PVotQwIu zToaHoB&T;91lhXg_KUVseYG`qf|^NvVZlya4a?FDRYN@;flh;%o5t6#NMPD|?HYc>~w`KYP$5}ehtN6TJ~3cM($gpO)p)}KCtD9G(|?rP{rrr9QN0lqscl~1G8Cl zm~Dg2k3v+O!0#X~DI%9{2_{A#JhgllVI1tj;(0XaW0*yFel24@j2s}y=;EDRKd|yf z*`j%|q|W%B{$b#Bb;Y!NG3)vKwK-}EXk=rY*_$O6?12DF$;Mj>3K2Q|+3N>F)wc;QykGD!1flP7a6RG%MTj2rJ~k~}!{b2A_r^0c#u?2| zGpn6|6}7Y-gv?qdprT>yg++ih-SNd#E(c#aiSny0XIMol?9-JSrWBN?4&7>sG?>!e@ek?K|3e8QSu>cThBg*~p-tjb+8XgtOH-(*mrXWpA~pT~xSb zmh;3bal^88)3(M>!Tqtg^y|;$HIa4}MR>uT45q(7hk(0W=6xUta}?${(~;YhFiee{ zSZGtZgz^KqS(GVd{?9m69B{4?ET8t`s|UG=FOiYVF>S;10V=^w2C%s`>=>en*+RIKy^;8GTsuhMi(A z;aotr;|S2u`vcsW%z2ylXKOZ#UUxR5P&~F=0DmM+QAXN;E=$QOg-OF0@Wop@_6#!h&9C=?uII{+Wt;ip>|zz%4wHlCvTyzC znA;-E*L>0poqR|G0%kS4aG~yhuc;{cYrM+GT7q@@C%M1^%G^afW z=InajC(wy>hH%>o!69+14*7Nd)a~_{{S8hddrr=1^y=`MU$D>Zl=jygT3$ zuIF87qVq8aPt)ll+G%Z8)5k>TG+n``<@kx}SjLi;>b%QKPQ12@#bu$Tq$JvfmjRW+ z5;uKjxC!==kENRzrnnn}p$3%&LKMWhsa3pCkkBzS*T`X}l6e;kRE~h+0}{5$S9viT z*vl|1xAvDLoaj72Zm~ik-xI#es43hR(Ggn-u-O_Fj!GFW(utfMZA}?Y*MM$S^4MQM9FiDsbf8J>CNmHR#u2T| zw3*;ToMWBiW6LvT{JBy9Kb{`L+JIvtPF;b4WHtViWNDQ@0o32p(oT2)cYoR4+ADa6AsEL21}NgKtF< z=~`*HxUE8&xUmG8{IZaJc5@S?9DW_Z#puw!Lk1 z<`(PnkGeaXG&19wn74*0uj4*Y_9F&x;wJwTXGQrn3%AurUJgFjp&pxKo((g{1?}$w z>$$VRJ-NoXo^E2`OH>p|A-1g7jq$r7s55_Jju!}Ed*lDLlOiBPV8o>rLp9~!Qm5lG zbjd+@t00k%O8o&Xw9{1*e!ow;FV6jd-!hKCgDHg)o_kYz*1Gn-9*q?9`To)~X%wyBqNiDjjI~X(sgQ|1MtIU85K}p=q|Ii* zM3V>%SfL3_@m=*22fhmMghLPb3IU{QU%6Q4&l3~pnxqU<1?+kj^7X=kNj3tMhBM`T zr_nKHtd?Fl9JoH7Z&2GFZg1xcXeHkUSmX1g#LbAGO3|uBgxsi%0Y7NQR&lYJTxJ=p z?|lAxJDg$6*uua)k<8qXMRCY$mM01Q7zDL9_C!@Q@k; zyR`^(PQSho{RIioAul24WJ}*vnW2>gEtm~eR+JQ+m@6xJ6hEWRbdf#-@{tfd=AX6&k9!6jds%A~)wV}oUx4V43$ zFin{~Rbj4`2k0txqs-YfU}TgA29|93f@3Bh80+(-i>Z}?#oyVOHl*Nje$&|}9jelGDD77v?eC9m~}(o*tycO2}2UQZkzSLi(q3$JTb)@`*8uHUQt zwAL=~GHZH5oz3x2X(6m5*;u_RpwM(`@B-dksfZp99QQ1Ta>WEgwWt#2MNgj&QHDDemO1Cq}Ngl=x$jy_2z*977{A>xl!6yBF=> zssirlb2_sNBF087sEz&I%Cd{1AgE$TAbFN{{2YahK3q5z_J#PS^ecz<(ZR)%1^#O8 zq{s%4LGATpah2AD^N%lJn0dG4qLz7Pid#CXBsJGVXbH-$4pHu(;ortqfn}MiEZCv% zDkKihM5rl+qaEo7BuLH6lc(&VHEdIB`-R}GH5U0LLhmFCPhTg?!-NI7D6{SoRpx8h zRv((8vWvl6-y8FNM*tiYXm=W~Z1V@OCA5T;3va!*^;zB9n|6^3iKMn#B2D&LMQfC% zg-f-F_M`V?789DyHo_vVq0(TvR#Gzw*&T&YCKc9+b4K2=?sF(xN1u-9R_>h}Q ziAsa>TMA{VmL`}N^ZUpiI>iE%8*|wy>@ln6%0R1>4LU2`bQlYE{nHiF(Pp_1m@&PQ zy5+V5u#2%NrJH}TuN>=p;8TzbYgaLlgZN9QI6G6}IJDnvmo&qS)>U(=(q~OAy-q4d zB-Mrnjeig8ErBit39)Tnr%ZWfR>MbFC)dJ*eV#sq%m}G5-522v%<@WqBBbvWY?Q!3 z@OC$!I+bR@N^=L_AL3qNf08%XWOi@@_FEFw$Rk>1udoowNiq}(n|_BBjTF|1jSr<7 zhN%>OCn5_Y8jj$fEFe-RJCDnDLf%(Kk4%>2H;-7&tWK}F7EJ|LOAhKsTs8V_9yJMD z;jnBKFY^?$6)j>f&pKe1uJ|eeOTc6qz{Pt4Ww=YR+&85QsKA?~{-eklUkPWize zsO4h`d&B}^ZsckhB@D#x&-?pE1HzlO@0r+D&Yw>FCKSX)oSv4y2ZV~aH13DmX`CaME(!1htv5b4CBV({_!3f6up6z(eiIb$~oh?&W|*NM7{{!NID zVzpxaZUA9r2%gLU>@hb9{{p}r4uHK%{(u4uSI{PD4(?NYm^UT60Puy7mW}?k1{n?# zqW_SYl)*;I%7AI(|LB@5*eN;R;lSoD1}4~8nFEU0N}S6uok(ahJ%Q6%9mrc0`Yp3` zLbK!XWge7a@xfdbO?%Qo@W4IydJ&xx^>sxFRrJzgH85y-WUBY`G!Ex!&_2?ZTimBA z4)8(IabSS9oyFtrl|}mQ@d19n2gSVYVakFMQ($|&_kk*AH5ifINIQN%t^tAzQ`c)C zLx}C@G;Kcd*ad5U5a&Qu(d+oddjdBf^qC_@W`w~Fl5%qC2x9e88Oj`5kA!1S#HsK( zrC^I-3SW!TJP2v|T2WEktGTBP%f2f}rpe)jxf>okeLZpOA13x?{_v;-S+2+*VUBf3 zooN38ai_#}DCcc2-Ja6z>qf~@T{rPAL0rI0nYl-hLMMzq9TbxpFKUJz@nf~$+mbob zJmvMSs$5wKjWu0{IN#Ks`FZlI^nETh1nXf0L zce^7KFPujO_8#BRSk$r!ks^U5%;sJ7COk7=_>LNkRLH zrKa$vX?)cFd_o25=3d@#>~SIo*^J zSSB|uxcG2*?MS)Wy!CW{;+%YKnDMghXe=-@@jWh7>`o})Nqi$+7ZOh2H8Tmy`g*&Nn1Mxrbc4SaBIltTkQb_LuT^Ek|Q2Zn&K zw{C}J;x};S1~!FjBV38X!mHrvhYfGs%XT&wMhr7v;*75Nfo|b_E@*V= zt}i6%1^zlo$9DIK_aN;>9ZubxvQf{SZ#V-K!xFJG<2KGnn|<^7*Xf z@)UbMN#3Wy$=p)Cx;J<**q>O<_e|KEcFtNG8oAiCMO%+Cv(o64H<&Qbr}ArA?`bL?|-<&-?wJ;~wYh-rGI> zZ$I~bbez}wzR!N%=UvassGEINJwM6YCaK#ERU@;2BtMUdg|625{>xq$wJPoLuYZuD z*QOXjy8A8J0|P7ONZn@7Xv;9&t^=ufL-R*C zU00YH<}q$h)7TuDvYWPg5tAHy`kcG7jII%?KXdmfR&lob{NTlHsmC7a@oG-4O01&$ zXzPuzc{^orJWH;h?O;--j9g~#G4ptdGj8W47H3VL5>vS5*uHNxpIXaG+Z;8^n)#=m zw@gZCSzhcD;cax|(EKB|k2X%_emEUGBf#v)B}av68|n@Wy5i0kS5h;b z)B1GUsp6T(oYGrAa6}*(;RmErPDg*DyIfRQ zvxFmexVfF&k0lLJS*ouj^KXVs3l%s!=R$L)RKQ1^TNEP9(c z*w1zzW1cXz(BW?Gw-0iwXGZMp>sFe2#GwBDsJl^&Yq8hpEY?lQj}j|-#C8vw?oM}S z-rTbGN%uzAZmA>Ioa*i<J49Or>V^AlI$!SGQ>?`D)PlkM`ZloUW~K>vp(@?CzH= z+p&G8*u6HO_S-Kbd3?hB9Xe5qzH4^-_#&=P=#|o^k}|C?JtaK1URO8MVP>pzTzKJ8 z@6+zS=GD5d`)*Nuvc3Cce;;KHr;X0jgI5LTcu%vm`cjkK`r~SXg45?`miiw0?^4pg z-Ig>waO6??@++ASMkcLITeZ;c$>t?`TN(D@jk%Talj|UrdDOx~rVbH39|aVB)Ydp* z$UHKA$>F~CjjO+S`PnHhC6h*$DT< zd()W15{eNHH~N?QuL+zMmb>F)zUBK-n!XNm?F;6Anztp6>OwCt%i6AcZ>7o$LzV23 z`$3cL%4JqfA;rv{Kl5h7Axj5??L5`{dS~B_9?p9-nlwK;iTo;n77L`DVclCWIco4)x+z; ztr>~47rR|zJj`fqGK%O`Yd>-CD96%QP78du9}cZ}Aw6xUOYEZQUrW}@8@Zlk1nbx7 zuv8YOx_R5Ux|k=`=fmbv+t*JUbXe8bABzqdnR8w5zY4z_TjN~!`Mdk1sUK-^3~h;(7a2MC zqV~PKI=TOC-TJ5R&ede`;O6$E(^)m|-tm-5i=qRK^+War?320BU)gM}O|Z7hmc~c- zvgM!qD0{wL_t2f_KpUf`yI&7)l>feP==*r9um}rv zW2-j_iYgypD(EGbN3&gD+rzs+Ydn){kMF6ttPwEzy@~O-#e2@E?W-J8aji;vHfT~n^!yQ%tYlqGzE9TMyHqAs@!Yn}AJ0(D!usua?=`+)>r$Q!B~LA;=F{hg2cs{# zJSN37_KSBkolJA}elTu~O(KOeL~{SO0of{RxTWJ0cd3qhTK8UI`K6rFi~h5!imLCu z&hd}hs_xUOAEo>_VcLt_1kG#R$jZKZl#g0 z`=?KZt=B@5`-ZpfdGsM7V&2R{)$p7F{m9)31JkHZs|T&#-n_Y4&Sg~cBl(sdKjaz} zoL!QS?LRg%3*uZx-xqIZ)jz5p%oO!#*aQ}*D&1N}M)~LwM_Z(n4 zaNuT%rb*O*T{9fUA5ziR|2Xc{b7xn>9%1%|CrRVNjZP}*H-$Nxm{2d&mi41*MJ1le zH^?x^d=@!}x;880Ea%ef%_jS*V~i(lJh*tIo_d9oBen86H*n`X!R;}fAP0cHRNL;hz6do=JUR*}HqafvJt=Te5ztU@( zx?+TNyrTMQPG~~z&BR`toegG{&no|JI?pzbtG1wS(`~u*`=;`thZvD^Dre8?HV-F7 zTFto;cCUZ*F{7xtXJrjz=R}=7Yi4$T&HcVQF}9LylT%wB$+Huj7v9c|X3aBCFN>b% zeq2*3`^VUbcVyf3SJg64q$y@-Jq}7tD1Ma9zD3Qszr`%H?XJcEjrhVE>%ml$R=>o# zvJx5|wexZ`S}olDT?)-;?Ay5j)4;<+wd-ch zmOHU-(YS{dQ&gN?qK?GII_iv2tZczr}OstBXvxmL#|Rm=UxE??EJ<+|PUm$^6lPVnaq z%IBoYy?i9QyfyWZ{~^ECVNEw)ebTGWa=GsJ^~I@Sq?1(*%rPlFJkAyreS58yK4-1M zol&Nvw(7{3O_tCZ6K$+2vGvwK|6bA?CmuWUeAw4sS_M7>w`QvCUcTkHZ0y+Ffx|*8 zGUGS9ZEc&}8hz%ElAy@u^?g@qnRumcKA$ma{b9Ssv{jStbq~3oIZj7^11C)S#kk?K zo@@4k2go|Pk$Pkue#n}$9PNiDbKOf zRd2bBb(T$6y%oHrx_)f)tPP%9)GD|sn=7n!{1#+gS>)PNp52-#RW$hRc`55bZwC(i zGRVeogZJ3;vL}{o@MllZxv=?WX!QxHs;%T`F!b-P2KF`gy6KD+l4oiqA3C%l#l9<#Phxj~0FnmV|_pl$D&HN7&EX9c{| z%WO;DxU22%J^eiE7>`Ru^-kkh=eJ!@sTkuQuYTlQza0wuv(y*oWZ32;_**QxIemsv zpQgKG#xI%JeT%`7#;qB-2jW@=w`}#2Ik5Wuv6X2v2fdUu4&kL(?JpVfK6Q50cYn#! zg4d~iMl1M^c7Jqonai%_Dr@#STYuMPM$ccftH)t4w*8t&8|vrR6{~ON_}?&#vx%l% zHXBl)tYfx8p0<~5uxidGgNCp{;SN*HTBA;w>b*HQ&wu@d@%15dJ)ZBG<1DLG7#ut< zf#v+2rDrRjb#ZXtA0Lwjqy)LHO}&chMr+6Py^0VSHSM3hE5|DE;R)*o)lzysmU$U}Z)Zxac z5k-ev%MNj6M%`a&aq0b9gX&s|mBRuIo~l2!cp~rN@Yv;C{IY}?nfa}k$F!xq-#EL* zVve6dceg&(LuHbmw?2KXdg0>n1^t&OyDGggxu~e{+9+|~{9R$=51-PP8%3$IlinHW zvd?H#|CQfYjLN@%;Tz9d>wEcU--~T3N7DB8ulbryKYwuh{_~UOtO`3m!Rg?0k4=>1 zK^L>P%wWzrD8F%A%NF(21!GT7nQQZdt@SyQEpKuxY|e-CT8xUQ$$MR+o?7wh3rb{O z6<8jfUoiAdjr~*4@B3e-vY+`o8|W-m-Z(8T>%igUXQQSbimloP&Z||K(RvjsuwAA42#vOM8E^e>M z>*IYXcA4(rrj_&_6uIqnd%sGQ_$!$&8%cSnIPHgBN#TX<-pWb^lf7r?&U>ykHgK?! z|ID|qGj3%k^gpu2GUU?715a|~lFZl(-aLFXUT@#V3ayw8u`(ANKPp5A9jw{r5}B5A zYO;C##!tbsLxLN3_ZRL%z9LB1fs~@j^np^3v6(fK1!~LyHO&MeN6WjdudxHx=-oYVH)n&3dUK0GqStpjm9(Ar&v?&2kh6b~0(cN4}X+f5i3vGBIt z3U=hC%yJ*b_K!aAAC_Emw@^KwC*k&`dFhIrjoFoX&(1z{y+lg9`m*q)M6w#o+@;h| zB5R+-dWp-&6(a|v&p6?r6~8HHNTb$lDV_Y&Zw9Y>XuSFiE#m`ZK|2wksot+;e5C1y zS+Puw!&}0uC_{R^USS?K<<6m`rPI16cW2uTI@vU?SFluiyk_-n*%Y~T4qEOG+uLwYRVN9g|5{O}x8X<8hAcwK47+x@~E+lu8}F&Th=` ze(7^K>id5r9&Nk4^s-)@MZ}qn&vq*HX&buESF?JdRO%#_yQZ@J0mIn``dJQLmm)ix zC-M2&6Zy9Zc6x)VW4N~lz9HQX?W3#MY-HcyFrxL&;IBhB4YE|(qkl_I?Y_PDuG2X@ z`BJUwb%u|2_wro+QtE+INsIj2(Yw}`KBRam6+{n`3gLF^Sre8@y1GTm*!o+u(Ywe~ zte&lIF~t^Z1HT)k-5FSTVbav#@lQRHN9+oI>G(On_%rGHoqg&GHa9Z;HGgRDQ*V8# zdO!K4a=`5xjoX1=vWk4Sge>Cx7-q!|T&5{?>sF~MsrL@8yLy#7-YyvUMf&Idh_YWZTIol%vPX%p zZgcW}J;^Qm-&M|~ZoV+0`PqFVa++NHzVk<)=p0;e?Eb4zcS}ERLgPW!x+15BZDiVn z>f{kGhwF~Ku{maI+c1-jMK5J_L(C~w;dR#znQT~Ta;H+(bj-M(Z>!S1h6KsH^&Oa4 z`^~S#^RxU*>sba4UpBHF#zn>st5}#2RBX29L-vT()aeyD!$;WVZ5x_V%bZzg6D~t( z*-|s}w9@P~uMAqHj2>O7^N!neq`0!#_ea%a)k#y#w7rv8oozh)@$$h*LFUP`lg*kE z;;iEft7yhr*WUI&^}1p2SFK0gO`FxJg@@GLf+#=MedAb!D3vF@_IUW!;~s4gN#%f* zk%G~T{ikOec$9}*`?`2VC%fg$&P#fCEteL4=+HM^pWyEyoFksWe*{-CBKIl8?N-rL z>Jw(>_+;vW)E)kxRiba*Ylv?h{7^nV{Y&q_b$%)mBX&e{-YLHZi3$u#Z@&= z{Fba$dVj@liN4RC(65)bE;>H**uudxN@^-`S{uoW&wM2Pt|VxL(Ud-^X?{y| zQkp})UOpTtefI0+*&qAXmN=;_R@#>FNUdgPO{0oI#ofxSrRPHQe6|mWEh2xZiOccc zC@no_sY=h5IL9Ktn`UX=mZ>Y>e#})JvFtuWjm#upw>z$0bmel;e3zVCPaCs7#GRm+ zN30CI93Q;Qpr}l_u)28rw*v!W6^2*J!^_d-OA4-fpASlLtIfZ@(XOI*;&+*C*K3xt z_9fePyZXSALsrYWC|%okPEDz0h>fCu#JPqd*-bYVtJ9e?$y*O;Sy;OKm{MaocXdfm zi)_o)7EPA1mxjnoN`^e`f9Fs|Z{6%BSwFwPo`cdnn#%GQwdJcleX*$3IRXgM+f=e) zyUgd|?kW}Xqel;ye{u+NlE;6&1^@vMY+kKdp`lbd+$;RE6cNe_f-m@aB zHbk#b(szK1oOD)oe;3QqDLXdVY`Iz+Y%c%dD|y72uf4S=4!@YYhrx zB^u&;El{!V_TfsXw*F|%USu<)#IdF`PY(^tZOCIt-agn&UsKex;f7XRj^Y8^Se?kB z2`bw9CPs31dG{5<-ZoXs>6OjgprB|`9kAE=R*DU^!ThE5)^COPDldeM*-*4KYD%@! zly|Y&DKjHorEG@1t5w_ZYVuX`R%3ta+~C;Mir)R&rd^oAO-fjNMl*8XS8BxlFCTXzuLtm3G-TaTTXP zt+`(r$nm}LDtk;|h}OZw2BQP)DoXrW3-%oUkk#58{G9n>+|*mtJ?j@{sI)%VqilR~ zoy@)ZVQY3ymp*X1xcQIa(aRbJZw~Ac>{_GNW?JeUWL)a|Wp&%*CVE3_byGl5@Y|Nq zs=n`MlmzUqKm11C->oP>`kPzPT;J9l^+Hbnwtl;V<1VSSeVP+q+q^H-T-EyRSo2$% z-sa_>9|WICdi8zhkfkrV#V>+x=d$~!b-PVk9;D$A)IIvmriixlul!q+tHVz_J5*ID z#a9J{haRn%!Q#yuFeD~#{KoQr@uoL4^E4iYI?Q)Rh;+q6w_}Hn@AqzZ|?5a zZ!CWQ>F!;9*P_Bv&2lqZuH20;xRH1JQ>k*qsdR^sh^S2t@)0w>eg5F!|Fv#X8jUx{ z<(yLd+JP-TC81s#_9q5Bn(H^8x~0CapXII4Bk86YpYELxc&B~3wy$4!M$D&P(^Dsx z2Yz03y7pnhl zv)>`VEealS8w#$EEoG*RReHWwt#Ed_ltNZ?tY6fc8@U4$uTHwX^hl5Sf!x0DUDxIw zEYB>T;m4S2x_;~V-XG(R-kc^o?2Ogqsd1hO+`L=P)|U0>c6rXVJmJZp+6@UhqNVTB zBh_kV#+Ck_%ZksjSDhcMY@vF2=?WXSnyCFL{@&Xxc3xF9C~`aIbb9y4lRvz7f1K*} zI#bzQC9nU}v-_vf${**9%yINuoP9CP`g;?%?TVpa;D~1jmVbQm{J`mJ<)f?{@0+|Z zHh*_M-jj3c*`Z9o8^)3cD&EAOYAU}eH^-H>_C)S*>gD;0F0*caqMMFb)i0obO1dna zF1M+_%y3ot<^AqWz8_F@^Mpido^+3+>m~Cp$5l7UKbYjOL{53%+?WY(zuY}PHe{j@jJ@VnjETZ5X&Hipye#)qn9XJ=h) zdOkX1P=@-)`kcESX-9k2`7P>xXXE*8ud|vH&U@@<4b71-+;$>GzCL^ARNrmf#x4D3 zCf<-A-4Yq#JTgmm3R59x_#TU|v_*p^=;>Bgjk42ANM5XZCo)0({Iun5!QJ##b_8^m z8w$%~ggph#W-w`}2KpjRW&Z3_(Au3QH2d3RW-JOnnHd?NQ^*v$*vZT&^uI`EhNWy0 z$>P+>o6wYhOlG!s?#?4**-cf=(mP(>mY&YMuzPHz^Tpk~vXH}-GK$6ayP0dGIPZ%J zt5RI2eA`v_wRprRnSRf|UzpafC9LIO_V=;_b+2Sze|9Tb?YeqZ&4HlV+afKCR6U~F zDz6+0oBDp#=&PC5GPnJg#_##;kmO_WQLpjxr>s3~VfIC(5As^v^&^5@cG|2?F?tl8 z)@Y+&8yWZLL4;O#d~RLrwMN5B$7C#%UXgZ|?y7OS-DFpDw(N!RU%Uw&w{OUTd8OY^ z9lE`6aN-=-MDJyNj+W{SNW2%y@Yx>qmFAXcYIb?A~%C5fEbFN)1-hR=s#XRdu z>;9?53XAJg5+007aTv*%`yi>O{Hn2q`Dqz9`n62)lWR1;9?{yvXmE@5&ARwG?sbKS z>qv}w!67q;H%^N+3YIj|3NC=6%L7^z%B5Nqrf+N=>Z%zWy7WYv&gc!T>jL!a^zz0x zR^3c!D~r}{Gq2v7XI`%zeAKdxBp02Qd2QTxYlX6^y`QXaKGF^5HV$KlMx`B>+28u1 zw_%%RNu6&}d{kN{?MmI%B_XXFvz`Y>k8JVqkuMs}ep$Bj&637xM_)fII;RyFd~-+Z z&=#+RHb31Rt@G;h)6RHpes_72s*C={|B*(Y zC=D8_Bd8}xmxh(0eo)#psDt&vPo2h3-zJSdh5Ez#NA=hOIMA;Err;CxE8Jetw*cSv zwg4Ne2e5_V2^4Rcl<--2cm--3pebfVb|sQ~vM(zwxRET(W4 zw+{Lf1KKbqxXwRGCq2Nscyw${#9 zzlZz!TvUFfy<6IOc|YR`bnT70l0CNe-g#;C@P|PY-{}}CX&Rc1vr_&lpO$Z(zbk*) zq@vQVAEL&$bx*81mRIi?QB`4iZ0VCF1t&(tts8vnP}ssRieWvw1xe0&L5nfF?pJ3v z>|NT}Vb-dpbA0EyHTSN}P(!>y|Q!ZlAm#r-T(=`J7u`Xy46OraYu}c1EIG za)Fh0@&xO1Rvy=PTs^sZh>LZ>eMjFr9vi;Im)x~@7`M0Q13jr1to+lP7Cx*}FbI^W z^!2}gaq(H7n^6JXa#KbvNvz|USE;}0!QQ4^_g14iM?F{S^(!Ct+qRZkxxk)Qo31KK zv&KlYRI?|_uA?879Fb-7M~~{h4UFdQL4AtWlhRpl`&PU7^&H;Z?N+salCJBltDZUE zE?4MPpO4wT_Ez!iZL5{zE}nhzN6#OhR6l+(i!ki-CG(FPx9{vujZ;*TZW+AtOMhy} zAcHdlIYXqV(I#alr;ar5IrXSCRsU^Vcg}^lpt2&vAM>Mw-lZL>$?5*F-0XSAiaASX zN0E;ia8eo!cU{}p*r#UD@@SHZYU7Ay!*`lg4K(#Tu)^fU%d+RKiUG4vkZQ)I-6HSh zjNX24ul|JS;Tca3TRoa68SzcB$E4u7i?(da9K1^Y$&cpLZo1PW^JTQBh2Jqjl_8@nWXP zRzHfB+tEGz5fI*IDw#$6MC+UJgboI3*-EUZ;w%Ged!maT8W>^oU~f~kL>m;-t(NwWTbOc*`yjQlK{skG}F6Vo>q^s9Kfv+8}h>F|r} zVbdjkEU38YFnHwR!X94?N0r44E*t&4dUmX@miN^Pl9K#9NzF6UIF;|}Hf66aS67nX zP^;y#Hc_vq%UTb~*I&lOyOmn@9o^=)^hK{!EyLaQBb`b^@_WdXEZA}CS;lCa*cQVV zwjs=~=JmU+h7TV%VP5$3+J_ONr!nrM`_ zZheZ;)2NDv6J50$A zaHfRL|b?Y>}(O%b>*IQ@i6z zUiWb95i<99M8&?!KGe%o#>jl08&*<9{?edicx~9-rnule7I!AOcMp6eWb|A4QCtdnbJFa zlKs?67Z;u_hqrs>4$Z7;wjVd}M2Y9_apB=dq6ab#AC2xGk*=Y3#bjz(@9-!4>&~%` zZQiDnHJ?2wa7CWdH8OMPmTgr(?hol3Bk}s=o+Sy6y!bLh?WFq?PJaC)=8oU|wV$L!DOoYir%oTXaG<%gd39ub`6kV8nyS`jXXY0V$cru82k%|4%Dhv) zaJ=1;JIn9a9DcHE@v68rdoI;YJ@AL-iFBIulWj|PJLD*(O`X2=<8{~fb>X)p%Q%m; z`zz35FFH9*&s@5g6}B>J{H25Wo>O#kUnqUgmpI@3ikG|Mj=Lfh}?j8q+eh$iPDG15fOW(F9yX^46+{i^!4#sSL z^zZ_!=cTR)mc96}ihNq4~&Tq~xbt_h=o_Sm$v8sS;$|LpXjkT6I)Z<*C zPMY!;oj>w=FBxg}*8fO}nZ+Gu1J~X>-*wr{_}(3z7@of0&-l{hWK9B$swr>-5+Ai){x@n=k!r^=!kfw3MQw z2cOK->)%q7I$LZ8hK=|!Ib+d+rLlu+ zR-BueUetI{#@cb(AgQ?1Gq<}rgs#}?UDu;|*t4ORhjkjewdZf8DlS7jxX>;+!%_>w1 zLz<*z<35|~ekntd%HaPB;XR#S0TL!N zuwSJiv~8dB!@RsbKt{?8(*Xn)0_#Oawkx=HUXTV{-v#FEc=BUtN;2lT*)8CDS&)pi zbxEdNKQE|Y`p>E_L|<9Y%LsJ;nl zF4x}42IWFW7%?dnRSt{7WY8FN8jTF|9!|#sOOl4GtDBdng*1hXMfk`PQ9p_lJmQB> zjPLL%D95;@NWn>lPYf=6qJ$HFEQ@QGmvpO_88C%=D~5#jZ4;UO1*eP?4VRHU%^ z{eeTk%lZAW@qS=dqsMdeb_W(OAer)PTs_?pOYHnfS_{BK_&C{dP4qNL`ifpWZ|=;Q zBrT8+a10oPx)YKjLXV%a{dcgJ&LTmhTdID5n<2jhkiIiimFKh_r9m=viLT$*B& zfhmCy8Ia=qw~B=(&}xBr_}YihltJtH+J}1#pcmI-vFW8?{RiBm` zP#`f}HN_?bXM_+TuzvM>2@yyJ_w?cuf-ypv5X7P1DG^)}RNS~x@FM0Ag{iPGAxMXR zCn2~bsF)Wv`2|8STN5ILhTPuoBm{TkR5EV#VoQW38Z}^X*Y6|*_g3g#8x#$RPl#x| zfQYlL8o5K=8Hu=<^Z@W&N?yezgv=%SGTEZP578-WLskR+&Nd^{1K z5YdsJ{+maBDn9a4$@q98J|UtbJ2rXzovOtj+2Q@FU$PMf<}`$Cgz=k4b}D~lC;#He z&JZ2hvA4H=r$lf`P+eGno9n;`v0$?(S! z3g;I`czixCObGG9{@>A#@Gm(9eEmjES4N+i~8FS}?afTm>okayO_Xu8LHC zXe9P{#m4#(CJb@vcM^t6hQj$p@5ja%BuvO}9(ei7P!!HDMiB7UBdD$rAy|jMQzE!( zQ8>RCLEsVNftf#}rTr=+ zF!;iZ_{|Xrf7yyc7chh`VSEz|wkr4pV~aQtJK~EX@QK$G+qvKoju7D#EGqq-Du9cQ zg3rZ)(q9Zs;Eb+_byBdo+;1d_zv4x~9iI3LMihKDEhHT(w!_CKMa#__Z9`IEs4l9<;n#t`GoTXcgN6EnK3VV`^@ZA^{^{@s^a+pR zV(kztrWX95HV78{pt>~pJNlu*-w|x=JNyBCr@<#w!#^po>kB6qyeu%4AT3(F1Ws-$ zGO27;AlI^eBNyK`?Z9RsKZvuL+<_Z(pbEoIzzKGzkQhvsDj2j7BwR%EVDlN|CF*qW zk`5B;94ulQVjf~5Vlu{TzAzBOv2q;&O1NkR#51TO#N#L#^SC~M5?+^&pXhi^#rBW? z20sSiz(hYtxJZx;0S@?TcDn@r9tn&uBt8LiCF~tj%jK;(Ku^= zj`J9^`9$Lz(;bLLl>H6o>3}R9kf8(TF_S~~H6?|i0U3_x|E9%2q=!l(@*9%&;oNq~hh6lno`LEjNx0wyAypee>kVY9}x z2lWH^VReDgn5OgLAm(ED^V^|1(eXRvAS9D^*&zi+Mu2#YWDa;Be2^@#vcKWKzy)JG200>`2>QZ| z1SulcSAw_V)o36nX1_lpJqL<4<)$#`Tum}Mg-fYKv|UnI*uXGD5E1523J6nhfm;Tn>C_nb0>bO^1tc0|QL!^azhW6kK=6Z@%>a%7 zfAK+F$U`A!A;utvpn90*AweMFp>ly%3kidTJOE-2zi*7$d?x=b^AVE;{qhBc!Q^{H z7W9b;Of1IZs~rNy(`cd*3GRh(#^c5y7#gq%g7DBFyw1^StnyDo17bX%p`9`w{)RD^ z?@BRkLk#SU+5Eap#5@oJ#(b!Y7>St2LRNtohuWfH2G!vU4*NS2>dy!V^(DXy)kjJo z5D5Am!AGCq-ViL*H)atCCK4FJ1G(Y$VF9052?T-yH&FM#a8>y6IDtU0LB4}PP|2@a z0%#mUx>JE5;t_F(0Z2m;LHzp2bz#DSGSnXX8}jjBMHoYnCU+t@K|SnmAQaSAU~QP2 zL$Cm*fSJN@{?ZB%UI;c{asFgBw#{lHU^bHw4R+9eqQVn`bG9G=#1AM6rZHGckpK`W z2H=I!2E4#{f_R92kfI`d5pM;G$>%GICope;_=o!&YuY~PP21W=J`kw+f z;5(TP9HPT7C~(4*4KWc71xP6Tp#m`xV<41a%ohAzSZJsnz-||qkO2Okq4-JdpJZr< zsUQ{>cVOuM$5fDSdF>1Z>f0GAY}trm0>%LGhqcqI$?ekv1VFLIG9> zX&K)FP#w{LOb}0CpM0jHdVg*8_%ZgMWTvpYB`n-iv65faP9PW|+|Ep4?G%_kVhYk6 zq;X*ONP{qD@R=q&j-$vD`x|05VkBZ3zaGX^Xe%&d%mqMYOskPLA~%WJ2r(REEc7W5 zT)S|fe+1`m7~NrdKp3Yxx&h(&8@@3ithHFluQD1aKnQorXd$h|))@u94cZ9S9gzS8 znur*Q`oc68eeyN7GxKg|HexR718F?K!`dUp@|lfkI}$Sbj^GQqhjsz;eY`*c{@!ii z7chQO(}m|}_!d_O0iYS%uL=N&>L394((X3kcT78lwGR=?A6ziz2)hbCqcCQPGF6Ci znAW1Y$QsZO5>{vK2f+dyFah%62m%ZwTx?K9?Gc_xXwXk*g8B!6;Da4M(xY)Wsu1k| zIZfzb5x5cXqYuJX8x<@06@dU#uq8eqq}?Kf1p*Yd6E39PNE4wN?kbR$B8I>Z#yIpl z5;9_@K&ufmQ9ab3Alg9n5mV9Mkg!mF^dn$2YRea}uq6mA>F=409}W09t?xw9|7rRq zz!_-4@JH?#@kc->U-|wF?|~4ooxho{U{gT2Uxt>@aTO4@yiU(6drFfC7ssUkyg3H& zu&ZO}wiwz#GH|l@v{1wrT@B0=EGzC}b9xDviO083LV2QDp+{6jiDvzCYCYJfZ_wp)mGe zfTdFyu-(FBv0-724)a`wB9qNhWy766!Ic~hJ1-|USGY)LW}=UNCOUd~xqGUSNOs;l zE`z3O&m~O)L^|Li6aoIvaY4HF@5S+-@P%-3?dMeEzrjUlxcy(t2rhSb9T^FE=l?lh zgcg$i=eP*1`~1&wLBmK_vFR@4cd@gXU4<`Q$nRpOin|D3u%p^t1(z=5cd>)fU4<`Q z$nRp&aaZ9>7xKHwNiDcmWE#rSR{8vdOUQ2CHryIA~0UWid8QmGUzyVO&>LU#FE$?kKI6svFONguanX z9eG?EduvadF; z^Mr*yYj>WLtDTd(Gnas}cu_HiGKYmE2&c$sD0!GFOMILcIJr7Fb5(d;Pj@$0PbXU^ zXD2WJzd>3&H~yz4&|tOs*YrRil8f<{+t_ifJ-H4%u7eF)PyHK=#S60k)C?+{3C#Xk z&2X{dc{#Z*ck^}T@>K2ITu8RgnDTO+owXq?nug~}RYxxuXM!?_Hw*|V11vMMepMNC zTuLaa`d*vlt93Psi3emQ|c@um)cih<6gg1Y>y7x^C$DBd~{Mj$pA!FK6SI~+uwr=6oK*NN|N zZ0v08xh_t2;CbA9mpgen684j@OZ5L<#r_lkmHBTp%-+V!#*1fTw-OL^;(9H|hID&3 zI}&n)B;Im6I-5-fR~M(GZ!=16*fLLo?H@}g#JLXad#r2 z5|SqucIjY%gpFHIPsk0b?c@O0%{ukygtRF?7m)}l0i4cf{+R z++0`a1p#N-?A&j6K1egvg?hfuGPj{{z0kK~l^JtLImh#h_`zc#j zatG5

    W?rUxsg$(fAlSCsKgD_&3@)_ywzY^ibh9oaktz=+L}ye==Nv9$ltd4M1pBorY~2z z`n^DjIM9}V^esAtb*jfsk>ynV9Zpc5)$5OAb9aGa;_di%S!|UwZ28-&IGYqyo`hWU zxdy|tlw1{XL*ETw7M%k`7aas9+(cHb7Eu*;B1nn@;g)zn6{M`{M*w{b-Gdd9DX2V9 z$3UH1?>xK-|3ko!MzNW@JRs%pcEtcn$ila7S-$lRKKp@$(&{2QkVn6zY{e(* zIPRrSWk^@96Dp07(SrHJ8Xu@EjY^&-It_=>^AsAPb?g;X6* z#T5RHAm2K^ggP!TgeG8sN6EsY0WiR$0T|#}`!m1;@iD;TI7X?ekfOQ*m;7=yw;ZAK zvrPGl7jrm!@d136C#I-L5|L+}`(CO^bY95*G-vzl5U@4UPDab`f0Upwn|~0mu%;}c+Y0rP00h=2XAdgMUq8%YYuhAC+Qct+%oosFIQWY_KLl&^Iqhu< zn>~6y`TU-mBEZ?KoRab>y)s2_iX$*?&8db7zWabc?Nxd0)W% z@&ZW}w@_*Zi|{EYSW!LIigJczkrPkhPF=m}Kv}gJw9x^_sqhG@o!hBOv0h57b{!kT zBP6En?5FhXCjCs(^S{kuj&ximydq=*?A<=M#%s!}0CSjGFIwrRiBIQf4EZ1CFq1## zu+u$iO8*d2mOth&kTk5Ftr}%6=d^K_OwJT5wqK|olAE$L&Dd&oT%Mn&6Sg|`h z9CId%BjM;6s1|lVqiz2s4tqZv+{zZin^;Ykvsb@o&f_4&Ub<%@%2^J$ZO#IWe?isb z9;KdwCjX%O;fFYxx3uh+C@kz~*hX72nO%FKq4KW*9>huQ;H>38U5m4?XV9iR5s-o6 zgbgiAME#>DKhWZX4wOZjX+I}%3yzv%wwe5sR^Nbf$vK?YgQJL_HDcN}G}B#Zn2v^Q zX@lCKT+A74Gk3DVbN0g1_Q&P#^Q@|3Y8wW2+A>nz7nid-{FL3F``yMj>{>1u+RI7S zQ&|5i+Yakohi1^hHYemtTt2D}G`jR`BU>tu{k+yN5u-h48-dv)jF~d9gfL<>nFof7 z&wukHt(G+&XtA>=qi6%%UA>P)#qo$or{a{h6A@cK2`40i{awlSS6VG<+b1`uB{QE5 zU2lhq6B&i4Y9Elkqmg;=(A}=^*5!0;MC9k$kt z?m|zu+)^FJJ@IzSn-F?FKp`lqu~zr75JwUV_;6(OaN;q2pE44*yi{SV+tw@4_bX#k zl-R$7k4D?CZyYp{RZ7`o6<9l?KVanywqUuDwbnO=&?Sx?wJ1T)g6_&xVSkE+wnydD zb$>pMyO>T!(-Zf6p1)rIOC4tQ{_-)v;~}WP$lHve`}@v9ijKf@nNf?J?sZwk+tjI~ zgIlCs1g39z+Wh$m37ngau48led;!k+trNntU8(6l;@;y)Y^$LX7!LT%|KSRB+%M7d z@$_7d&y(xbq`+!XugW^hO8mjC@1tyi1@$uHy0YNHt~Wq)RvO4ht>EUw(r$2&Xs*=d zCYgh{+Ix4U^!S_Ev~c8GYZeEQ&Zr*N@fH{JoA>xCiwx$Kh|Npx&`T{tPsVyz2-eR? zV(y8ytsH4I9OOuVJFH6WQVft)d(vL*i~Jx<{vUUkTn6RiuZVwhhed6?86Cdjy`9yj zXW~QZj6eAN39B#rV45aGKf>xC#<~hM699J@AgunD^mp4rinG2O88fH&9WcKWV2$Hx z8U%HCRZala;oLM0Z2x}Br*ymM{UR5sAOfe$xnV#bOHzpIDc#+hd2uZ}cv9pUYEvAO zj}_=lAejFs+TjN4M!AVW1xv~-#ra;AhbjCA^f?BZ&S(L0G8R&pv?$L z62)EnG%T2^qa-4PC+RHQqCt^)g27d2B}p7{VBfl+!aOWzOdmkkq*e6#R7j)pC_mxt{TwqcQ-&i6Qs9^CJ+ZZ&FXH~33_f4 z%S7O=N{^+rhE{RPEVnlqCJk&mold*QuN64baW)!RqKP&(Aq`q>xgU<)qK4kx770%7 ze087~)jlYt$ASTTibd&92)$iKDYN z$?uK(xSr<$FF*NkJGzNPcsgT=QD?piNl(y>{l%W``lqwjw9S>50lME$#=VyI|tt7u2#iN1_$*tqvON=E$L|o%S<i^x9GmkH0RKK^+CJeywK<}zV@ERGi+t_}7;5IhuJUdRW_?_cNT0HcZB9PiKB zT)(@>>HW+QS+y(_UA~`WRp^?Exxa{0>G6x>#pG%b_nmpxbU~kIvXO0GS{LD4M83n@ zHTldD$CjDm&0L=^Kgi~mu~d=;NTL9QH;bZFlI1N?-bM4SFb9$k{Yt$%ijwhFkmu}A zhR0)}^R!7)yIyp>!f%Py?HKh{<}FU|QURxvS=Sr50Vg&vyedF^w(ArZo{)xk~nWUV2#M4UTXlVg&~o{+3(I2(Nh@)< z!>9_Y@Xfx#EfrpDuS5)8&X77mbF{UD)H)d6(#>UojqL({zW1W+xP8k_%_IN>WEroc zicL+bK|xn?+?JU_tZ>GK$E1;isMe@dqgttWGm9zo^+KS3JYJ@8#{y#g7;U|ogPYqt zbPqv>#+0l=N@T;Upu|kRu76f#YFLf?Q`_aJ<6(p$9Orwj!Pe0$TS0Fm&Zqa6!7+lL zxACI8zjba6)MWErd3gEHZ>b=r&x~Ihe@@qMaVBnRrA7B=P!kk*3(57*Bdxcg<6bZa zy&URf2jsuaX1Xk8*GrU$|_1bH$zyA_+?{J&j zIACW{Y`LKf3cw3Ss?tFs5EX>GY-AFxwc))*{N#Le0h7m`9b!WQMQ&Dl?3y16T zHQkbm=?c;lwwCx|<_V|pQfl~ohg8thYUYrx(YMOtHmi{uY2ZzwBbRKP$=Sh>dfMT zE9}E)LZF0Eg4Fc(rZlri1|QmK&xojFk29R#@4_ELDs3w>@%FU)yuD73n+0SL(a1~2 z#6ZY08`c=xXzBZ>P+^P^zm|bjf9$&)X8KuZBU?1m7b{of{|l&$gw6Hws#vB0fNHm? zv0zm@SNYC8>% zhx;W4L%B(8AQIalm=pT5fF%fp@j+to@C|>^|0-A#5trZZ_Wid;#d0Nvh87RTA3mk= zH=jaEHRT5IDK*W%_|&zqTfiSaMGepYy?Rr4qBA?mTque_&LA3VSO_HLmEX!d^|DoO zRrcTblmjzSDD#IF3}lcIpapXi0`Ms;m`8kdMquNzF=`{AT%)ue+#h-Hm>0B`ivi9! z7}MkK2<+eL^29#)lx5^ej1s(9`cf<#HNcDvo8Dak75rvxyYZdm5)PmRQ~i0e=l_Z^ z{VldI0DBXNHIsi8cnlF22FoS@gAa>K9R7$^XrES&qQZBZUZT7ks4w1h+vx@$#Ex+6 z#(uX)O-c0vh+y_ps_C})SPJvlE{CZem)G#0N`;kq+UH-pIaN~8*(d5pq#u z+hOv`bf?f>nzZJR7VPHaLkkuF(1Mw>GK&1gr~Fqg(7zq9?k%fyRttwLulbF}YU{6x99 z;~y>9)Ilike*6k0!->K^YK;(?5UgYmNXr-_o>U?QUkaSafT++ne$>47L3ZSe8UwYO z{DNaY{)zrV+c=wH6P(B+&>DCO4JX)cA6^wL`fB7y9)8LpYY|b6W!+ysBOB zG!fEL?wKta(NbtSsh=TMf!zON>>YzEX&AQK*v3Q?JDJ$F?TKyMo_J#0)&vuKV%xTD zo}Ibx=Y5|#-&b|czx+$8vwL?}uU^;6Aq@=v^^AtC8kx&OGsTSNbhteXlJ9_6`KGSb zRj>k3Do&N8?qs2M`6=GG{lHoY^IaJoop-U_F1lyzxf- zL3N%la$<|1DK?lXfbsSvm(XxP*yhUWa}^8_wz(k?Ox|M>p2qlh70j?jX~-gWfLTL4 zb`cr%_x+^$g-rIB!jk=ve3^0HC8(*PnCoJRi0DT%qJ8_lIDS%bbQj)fX{1{ex0a4v zXI})TnaNPec$Y64HgTkBENIVpPR8)KoRrfCLCq!z{?X8}LCXw^p2&!~WB2H1eFF7I zTRqN#T~4Cv$?AApPPr@*mIE^)6khVmxN&K7XZUbIrA0ysqKIZNGX{0ES=g3o2rAjF zlw``REbxi{1cdrQd-ADNoT#4o6DowsqV-ev3-bQ_ZlMUu6=p8P$bHD~4pehSszR-G z)Dp19&N2BM1uI?F&ik*hO)ns9bISggPjM2mpS^wkcN8rDa}+H9>;tm$PEDdfI)AQ| z_6giRRw11BNv!eN5yd+v_xV4gV2u<9wsS`TLu8^Ngu_#+Y8tl^{}~1Abz%58^KjVP zi@QaN$1~F*cT&F>cR573aN$3Hw2xPK8lAplrjC`K?EY>Z_Qx`Ia%@ z)BJDQ=1S6bcgNi@|H%hQ1M)#X-1+ml z_VrpvPF>~)-5p8irpAi?Cv8)Yd9mx!M>u>BP%2U_{A6WW(?pN+K9!2dC$M7MMVT)g z_5h`V3v3Rbm?@LXaFn)mizT#xG~M#AQqfPUa5M@~Dzex7g_C}pD5dTEleSUJFii%e zZFuSrPB0UI!`G=FQzpSrn&Df;25s|8#?w!9pL@U3$0S$SzxB?{^>ea@zkOS|>z;A| z8XD%vxy0t6qT$F{{hql>LH(A?qa@)#Oi|oU5#9H}{C>)AE@0n9ac?gLVpFKIcDe z8`ZTUR|%tXEScC&W9?OdI#ax`s z%9){frY1h63bC&4Bu-7|GS$u%XDBlswbfPk{AmntSv(5s=-BfNl`0u?9eXaL>ygSv zT%I$Hh+S{yB%%E4&sWEl9AkxUy=Kmf9U`kj4v$3!)@Jm#zj(=c0ilO$ilV3InR>w7 zGm?gFyR4HgZmv$IHifdIQ^pf)M zjkA)x!T*I+ssKm@_?p5a+7IXGVCMP@scQab60GF>w_IW?vbOpD-eh0mzpWV4@4xWI zTFW#I-JL4G2WA4zc70BQg^1(1GTR3R>=e5=eolf>nbrsKE!xr9*~COlXq=Ain5lUm zmvrbPYdlg0d0I~G2C*#M(CHuFdNipz%N#GYPnGnEg(Rn-TLJPm|DjYi07@l-KRMQ( zZB~0;D(NWvnYR%Zu7f`T_-cEfl**#~e<;;%eIpEASm=J#U0Q``D_|T{<2TjtKa^Zl z*ij5@Y`&Z%_Sr6erz2;6C&ez5#G$pE$6EB^ zSn>lF!7>TixE{cDX4L=oZN38fHcRaAm-_Pdd>l~<$Erd)D zoNQ=Tm+Mv?(KWu!vlEK`CWX&jaceY?sES2JPY??Ts2~kBa;C#e%RoEGY&b<(%RXcW zOT;IR96pytemNe+Yr*9UI**!2=+Bf-Zgo_SOVD`>17Iq0POn4^Ij59;RNVF@91&6M zA2$DBDi30gonoVNX#l30cO?G|-0)5v-IFam3lCh}M+%y0%R1c#JoIy3hso;h2^T~1 zv_B)6A4wOFq_37RXCFB|M1@yIAQa@sFRJc4oUgV!ul+6D=6OEQL=Jg+Fap^2+1AFN^% ze>U+L=c;U~`ig|hx55k<1mhKET)3_B$MUFKIzqe6V@p_E{&pE;s&fnYeC!>BaSZ1T zm6*`;8gSs*IK}eRl%vff>CBLYpZ`AHs(a zUl{~R)=ppdNeSw>cz!i&cBXSO)oE}w#&XYj`@~dIyEFhyb-wH)eHaior1^=d9=ZP) zQyH29FxBt>!c@a6870hP)&Xs6`jgg9C@W=_5&%pE5Gu&hS4`;mF#`B1?QY324k>*) zo}X7Jw~Coqx?^0k&D~;rh9xe`f^l`pptZ-1Yj6t9a21Q z*p9}qEtlY@0?)$TQCrwJvD~T3%+fh20UjU0wRCh87;n6lBg77grRVbRg)Qy5Uj^q@b7ocXe-8yYQ?yq<63o2V;jkWeKg&U%O zc(k3JxSbQko}pU(3PR?q(f<|VC-K``ww3|-J7EDf3;&EhzAu<{1k~GeSdJ6qnd&4% z0$aegsWkEedDB?P@4zt0+AI95RFS>v+|Rzvcr%zq|IkbvpIh>0--d_nl)D<5j>xz9 z;RmIdhurduU2mm-G$fP;pl>t!({TvUx7pz<0k6rbI8BUm?P4{LKiDjf)#&+|7WNaJ z%D`{(55(><7KB#P%F@uN`4!N7^OcM$u}cfz2Quk z_-E_hZ^|XJyRD@ri5*45gD_7xsj*G`iC{fs^zfndy{LEcnGS!F6JG3h2{$tyE49Fr z-`B>QS=IYf0&|dkLrIte41)dkhnr+y_9JJOOx;pESI@_G09(MtTN#bb2gu$rw`$zN&)IyEw`$Qiv?DEi8dB#{svvR?Wm{m@H7T0R7PRD+4}>NB>h4@Q z!`jAa$HYi9>+k#<3yAt7$?lQd}_?2PiByzoK!l%ih+ZiRMQ4d{Jy~kk?e+W13{n z{r)bRRpi0|R{TgW-Hf=vax9+0T>cc?SJXw#mFAec?&AQ&8}^VD3KSf_Df;}5IL8Xb z?mLm=^GIx6lHx3ufCv~|T|)=092|SzM40ana$5Qk4cusIn87|r8&OtoPKH(u&Xt`L zv%jU793V1ORGqtV3=Knn7CX zNOq;gKqq>Y*)A^O%W#4`Xp?-P+QWdb*W8jGhbNNj)B|fQP1opZ-^kZ@jcacaNNhf? z!4YA%UA-#jgx;gHGxB<^l$eaEk5_Y6!^{8B`r zx!o?_o7igk?m@N^Ad<@^jC|WP7+`g3&I|4lc6eg2bl;+`Iy)$vqPrWkrIM+Aw{K+P z3ZtsGKhFlWg*o4PnIgFwM$P)*`3|yqnD)4`Qm;ndG;abe@fvf0M`(`qQQ+0wjOoH( zBe?v3Sp*km0-wVMs`jXr^Gc^QD=JLO=x(YAD|;g2qn$(;@N#g>tmPkM)HdD~r-$E; zOZMg~4mt`&*PUC@m*62X`;fg^(gu?@8RVMkI{fOYQA(0EEkChj4{0d6^S0L49%+gE zAk^p#X+(c7-;wxXYN)RAM-%%_Ea}OALQ-pi?GkL8L8E>kHmLfz4Qk7~^6KUA-uV~B z181Z;4`S{%1w6%O^xfY&0|G+Bbbjue(EOT>&) zJ*kC7&`JrSvClz!&LgY_$q^s7cLM}S;I^$QC{4e(WeMJjH~GR_Z`l+xC{8Y zQ>E2v7tXdzeT#6?Q$;1Xoz7N=?NOvg=j0#T?L0(mp<5;(_?DHYh@=skA2+JWtk!$w z>AP>;0#`V_M_)C+%NCQle7WqKLE4b3xuISmT(s|AV+xsw)-;|`It~m}Uf=xsRhpkk zV|s@7&-bRvOpS4{9pb6$CCarwEYiJvyiJ--xHg&YnNF@^XaOtXUQgnPNv5qBak8Rb zxYp(2HTv#0h^`ap=j7Xa1PbQu-Y4ESJ)J#c1?j53y-ZzTDDj@c@}At7!MX$aKay=9 z8`~eV6EU*t#iWpc4=1~5rqVeGR;0GeFgfLs@sOq5QX$x2Hir?X931(N3Cp*%FTB11 ztFUUQAjW}FdU%I`fHdQ4@zA4g_644e_XT!nU0JA**g4$*4ODPeZ!@&ER`)WLKRrY* zR*h9hFQi(G$WVDGUj|V}@b3#)Z(2y&dGzO9b3y74=y#YpBOlXP@a;T(A27NRy3fIP zV1o0eXIC2K5oVdB;&OZTc6%!l)M>%e6!$Pp%z9XG%>Xqlms@j{ZiXD^(ggyP&cGN? zzZ1fZR72aKbcYe>ZiQczeA_q&f!(H?FDkA+jTISn_KdKh>#M=)m)yxhZyGBWE!oqD z`g4$0%DaIHbTPD>X?dbj{lheZc_LRViE`@fjcAe-#Kzt>Y4}bYrJh0^a|d{w6-8S; z2a@yagATQA2q)eyF4rDA>!*-4|G^f0(Jlpbd3?c-%X+-B7L2Ug)fkMU3Md8>^>lB? zvgM9cRFPW*`wX8^zYE+*W-}p&ZB%w;^A&$^VaX|6P0Ubh-M{hqKGJLbUx?RVko9*! zjGdn8e~A~<|4F<)H^u&c5ic&Aj)UsZIshKh^%DjDjeThiz+Lp0rKk3P1{vucQ#)<# z(b2JD=WHS9S0k&oF>-S#0M(gb#uc9Dv+86%TboxJUaQ|BXLKL#PmR8d?+4c*XA_$6 z(fZUhwjE6awSCM!gWeC{GcSw-H=2LTT!YVZ9O zvUWWSi?41h1*TnyHkuYF$c zcR*nHkD<;PWYLKgRVqWdplK2BiTrZ@lnN+&cv?Mb;jgMHx8s9E>)+BhF)V}mzk&M- z;SYxf8W(YsMAZL5M_!o>v8`kdL-%q&1uTdufc{=3#Ab)$jLeKd;O@Wj1Q=P{F`}3$ z#EhFQYasf|J2B?KM3OZ9aZsDTN@EG5p9uzTk%P%p4JT7#iAfqZXC-OH9m{n_ACW^h z|JVn&s5vdp1cAY>n+@kpy#i70#0-owv>7iCGq64=_#F~iU03jrXVI@jy+0I8?}<7prlSn$LpEF_bB z0$x%XAI9D-FLiV{ehpzs|0|&jK5(5r^D}@m*mDu zS&d!IwRqc%)!Cr~LO4uI&-d;M*Hmf}tKEecz+-z1X8dtbz~U3T;=K^>36RO0zU+Lvxw?k6P|rp&F{;{jNPb*3D_$v z5Fru@%oSm;01T`3?Qh%wHkdk>eGYo2fd^Ri2Hp+| zM<_bUIIwZ!?JdHSxMp>|m|e(6^n}#S5Uw*)^P*%^(Z{6q9fxOyyYBJ`#?F0_bA)nC z2Jx8Wh!zbeX544tV4^=$I2;76pEF`vuPSVL4E7ggqHo6CdJRCWNJx4sjhl@8$R}#l z7tu-s>tU8^1zgq9(mNm=N98&P(&J%>nzI~+tcQ#Wfm{au+G?p2fbo9(ea!Hf$RYy} zTtEtESlv&Xv|S22tK-XO3Ma80>~Ij|Id<{O9pyy;gj7x)FY;u;V9htc8`&;5y|L{h zc_%LT;E_Crh5^&68T@%eGhngLf!JMNA+dxE`nqu?P+9;_yYkALlfS3kQXdjQc?I5u zR56GFpjVD7N>qYq@?ss8B=b~43GKDaE_`P}S~}<3EL3o_Pq0!Ysc{kc9x0qwizEE-T9`JB-S0;=wu=RtucQ)BYi}N~W8qk{TMY zPPs}&sQptbXjESb20qY?5j^+d`QXTc%uYjCP;*x1)JWK~W+dQJXa5qqUReGj6Fzsn z6!Fabs)&I;mQKGpb+PGK(30r-av`8Z(LM@f8HC`% z`~*xrYf=xK-i~i={^jV9_t4`dEMv}~hO_5Omy^&y{h`JAo{+L~!=OJo9Wjttwl{bs zByx+*2EfYN6gT34)VODKJarn7nJ~m=DGK~-GA7!S zi};fKXhyj24!Cz%l}{68(;oR&D|`bL)Ip`~{sTfA z?dYyY3$?ZDAV6H`470Q&G-Oig0sXE|HsN>EoAIO zu39&^G3L)LvEw4N7L+M8z?Rqqgq+Tt#G}S!#SVPU?I|x(4GhiE34{%l3P%QWD~&7B8$wA)NfQJ zQd1}Y2toRt^YlCCqyZpivHc@vspMG>ntXQ`UGN{4mIzR`XrHX_pzxkMvFhvo91}yB z$QuFNL4&cRa5qZ&-Fh$FJcpz0K-Q%tLI? zJS2T4P{vN{&j!wF=QHjX1inAgm8lXmzRQ zX=^F{HW2d%0P>{;AYUCji8d8ZT69gm(zk|tNPo%KSY6ssazTDAz_kRBuSb0cjkhm zK`3-_=S+Q#&u$$t0+26`bgsEcYg+XGI?7@*)Upa`bdr8ag%F2kM)}4CHj@69^lK^6 zY&&8>1dT3rED0H%b6G=dd|o0$jT$^KT1>(cO9YvxQ^W#jjf1e@0BFmO8LF z_z-Wk06BmKDy|v@9OSs0Q{U_7knhZxUvOJ|FYTI_Do}c#$363r{A9XwbZo2(8?aAp z;WAPc%H2q(v*tWKj^sv@X@$kbj_FhMKLKbd+2_|@q4vo(iA|GHUn z2?RJpM4xU}9biq2_H#`P;AUNW&6CSk?(b=%99f7&92^u3jV%QD%{@Rh;;P4Ye?9YI zgZ%B4)83E`J|QQ9SzG({6MPwn&#z{97TqfW+$@vMpZ#vpFqSwe_DhF_X_V zv9g6Bki8|t0xna)X*!10D4^uSao3QatZf%K*j zZq);8WXw240&0QbM`FwbgLE|T(^&V^?O=mMVy%M(WC8uu z!y`t377iz%g|j{ru9P~!w^!s%yZ!GcEK-HZ(6tqOP@1jmw z!KgUQyj9>uXA>1fmZ_*3T)Xizh4YinI*BS}Ur%jcLfR*wNK4GWUw+Ioo63~9WqNcZ z2XI;a$-I#lL7=5C;8}luyof!L-)wMK2O`gN@nxzQp2%GqAZNM%k-IZt2FO`dEXzIk zpD7%hn5zkm{q%t=t>3x%%P!g)TVj->nh|7l70sF6&`QY*e}0#lD^Bc3iqgz;RrGRq zkyYzW;lqI-pA-MS_)^SQuZP=``hY5PomIx{`9t8vCs?e$S^rIA(z!MIbu=U`olBr- zDI66EipXYK~Vpm!K^ehEJ!k^E#U^sFNrkXr3B(Bo%&13)S zSv`~iEPyewUkt=u@sN?PkTVR0NA6OMiK0qNgp(N+!<8kakqkKbOwD$d(GGwyv8nGn zewfP1%+4k|Yr}93kv~gvxVO;?{uvXSEKtmF$v2KaYygySm^-3psas2lTuf)rU%v4@ z+5FYBN=BAAT2K>R8uI?U8H$8NUmJ*om{%Ph4y_X~PLtfaD*{3|X1U~Xs6Gj!vrh0W z23$&0HBe9XBE=JI&2@6jue^Nuo0`etQFxc*+@e*7PUPsB=f6GfC;@ubC-%x=UT|u0 z7wcOV0i9k7t0*^jC^}znIj@%>6Y!)aKs_EYDWh8{#!-F{pYQ9iDtfkInj14IONXD0 zs^a>4UJO0*vylU~#0I|6KpLwmOLGCR7hp>)AE0L)T^l5wCkpL`g{%c$`X9Oo#`BF$ zFapsjMX`QjuY`Q~7VL!kLq>Pue>yl57N-1C*r4^Lb56V>(<~9E9svah9OKT#=oy9~ zhmSR5VVlIUuCWy??d68g>-)z}S00l%=cB8mH~yxw9&i9X>!#-`=@G-{6>4AFG&^^i zgj;(i)8?3#69h`bU(Qo4K}t3oTE^>JOPXg`;Ug*F3Wd5bib9Z|7k0|zdU$P*R;`h5 zG?4fA5=C+L7~5Y&%drOS!P}aXD-C9Ko?m4Eq1_$8!3Iw>Ax8ns14-u8e-xTgF_~FV z@3l=zRPFBZ)r{jW_j0@#X1o?&+425{u@Tz{1#Qk@`O=(2{n^2BHM{an;O8$Z5;!q>l>hJJwhb1>rmCzv@hJ4LT>snhL{%`=3pj& zY?h-(bvXD}Z4apF`m_qa9!lTQ7k0i4+(+a4SgzRmKJOqNWP`k3st?&+7`R=ZheXKn zzS%+3?iSzwLC>LDw~#~hw?z(ozolR1<$FSyh#aAFdqQ6!oM7|1d@CJnM{Ikr!H4E+ z13l$gz1cbf&bpHOcwgbuUH5H$)n{8jB~WL_td4&4>iL_(VS1%7UH$IKu0Kd~S|7sq zJS$@3kEh7$n3+yI)*h+f=JhHIM?kBYoY#Zcj?v{> zevr&LN*WTc^)lV~<;mF}=wYGo!S|^+Vg-)?%E#J`f8SrS`@v^4s)=e6(Pp%zTHYUVWB&N`yR5 zx%YmRc^gOXqCmP=!rci35nz8#Sb&s`s1GfU7 z^eFJ^-ue;F^q*mGdBitLUes#ufK+>YSnzJ~Nk}-}CWVyW7-;L9sEWi!Vm~@KfGM$b}pSjRJooj|*}> zJTNY~i0l_0-j;|iuYxHj+>FLxOT=Yj%o{N4x8n?$yOA$(VW$OCu?|cuNFQppWqx#U zWhFERuE6WCgFwj7aJcFhWMJJKMX#KBvmr6-YR*BtYg(?BT)96KZH zVstO>g#aXFTm}U&m4OR_s&TP?%TF~NY_=kVpZn%te8xx|=ufEAdr!3N7j3yKvi*s^ z(!w(xKI^?9O-J`(gbZw@F$p4x+FtTUI^4>C-{GofUsDS{tr#tLZ0Nax8n!vok*AdB zf8oP^H3y`qN7uUHjGbybRjq!ZC;OVA8G8n=f6;`<-!>i4rdP4yVlSO|(@Az57F^w& z-QtgWu(d)&yssA8csgi2mpFHwm$A2Gb4)U&y(gn)Q`hfZO@nhVh1puA;_<@VG~;GZ zObA#j!(^39H2^uFa#3-*s{$4hII%M`D@W!6p6=X!?V>PPeaZNc=fa@#T3EHjyiGka zVSlsZ)Jd+WsrAQfg{pOGN^cKe>uI%P^)w!8SS^hpMP#WI;t+di4m$?58qXvMALxId z!rks(9-wC6j-L6Nt5q^0jfgFzpe+JZ%&(Qm zLn7FTnAt;Ab^Qa4`sMOX{#G&ljW2z)TGBSnfib-+eUlL!im4+`$Gp-=X5$B*mU>NP zYFb{m*dPB`9Lc~Y>p$B5Y7&C+3=?J|5YNF6B7rkLAuao>sgG`4lFc^377z$p8+|{t zKKh~B()&bNLDUzD`7#TmvMi+IOuB#Rvh4oZ#@x@;9TA2r_s&2m3?ZmvpD_%1W(r=M zhpbpJ3z#?cF-*6(FRA-M=)M>BLM%WUtINTdQ>N~jZKEFhSj0581pu!P({j_CZ(p>VbVWnrMs8wMUR_x9N+{T7;*I^(&mu zVyvg@#g#R|h2t&90Me_xdW6qu%)o~J*~4%uG@pP8I3}6LHPDhAT%MfIW)69DHTEV> zm(ntdkCdpHe0Lu~9_hN~zQBgRia}PuiT&+n_S<(EZE1v(l>R&(G*C%w&jPhYa`?NS zBPFaC+h*FU@}ZtMw~u=|-m=j2JQ&mzcJ=4b7i;)TK0~u?hP)p1+p!VG9s|A4tVIW7 zDu}i9Q0fDf+gd9`S))H0)>OXA8d@DIRj~icysFM`5vL*bz^;w1foE8qgrq`61FDvO zZS}+%_Q7LIdf8gjNA}@P4`$)b_t2dv-W4XN^gqH>=-VDw#Zxty>pM>VEhkASP-Znf zbMppi&@!|e!Uguzb8W~bnMn~rTEB|JQ8P%>L}J0s^yf=bA)~p?X+)0W0nhaxy=xqV z$TW2#HFFMFcI9cDOjl#!k-fTxL8iCkhlXaufDr6R8w9`)HEzDw4T7}Jiilw%Ic!N9 zo_u4ns6K29Q{3WHf^1*g%k!Kq^(--CQPoOmN1wRLoNje1oGM1n))w)u(nnnLf4P5X z?G#ic9pXZto$f1d0o4d@Usx|6b=4fPrk$C^!SyLuw$AK@-?zQJ8jB2Gl70^{jKdaQ zSQF6h7r^7CbvP`VMmu)VaMrAn~`PQeuE|bimCWd zf~^VP1}W_&jOWKZOl8q8J*^&nI}aGrU&IBC+g#J zLOD$v6GruXWv@F|@gW{I+AeH}Tgf+yd zziN37pe=l4-SfUMGK0zSMjve2;3(a|X^EyUT+#i!cQ^V${`BQ_gTi@4-tvuXE$@S@ zzeqC$P5|W2fN7-8D!*$>;EynBE};Xo4fi|mv>PPoC2=FJ=V>%y%R+8Pgrx07ByNv6 zqf{+d<4CyHPG?Sbz%(EJF%;kIk!RpX@qSdenNuCkkT}P~SJbDMn^By(tfEt7K3r$6 z;Y%MinvT1Tc&eU|OB+_3`EA@&K0C#CmlrY5JN(XzW@5f3zJxee%`T=!e_7k=kL>R> zUVjAm>NVyo@v%J!c^(%CzZ~v(TLGRMc!!4RDgd>PN$NuT7>rIbuB`W^?8pytVI3cq z?_97ybKN|3ZLHdJ!7TzIz|SIe;Ez6uCe|ke6nydASbvM0Fl^BSBitf^*MvK=053+PSQ8rw5U=udjp0G`rjaG!aMV4>NS#nose=;NMM7}kkj5NE-7Y5UBM{fW@kCbS!a!eKp~)gtk^ z%_TarRasW?;7Ety_;tAKvb782|jhHuN&-8s78Y5j!O4xuBOxCvS?aasbB4J%z_BpNdbvRQ)YXE64M|v|10=lfECc zd?v7hTykrwitpqjeZ=&_hdTqD0~3Mrd|WCY=pfM+ovq&IdYGb1s*u=HFdmDG;w%hL zNNDfCGUvk)nomQT#3$Hk2N9#^O~UvcYz@}ya^DwN;9_L)|HfJWlVoCJX8JGA%KCqD z*3Ui6|4+{PZ>R|{et8Gv60Vqt*X0lVvWO6~MuIVD5R=FhADDxycW(0U{G|({x)E)E zh;Cvy5oKH)#nK3I#)r%Ei96N@y7;!3XEt)$4+zO!Se~vP*C+cao#d z0HSv%_dK`<$4;lFrD4mEs zN5SQJWQPm|?Q8iJ554-A^MxZiUv>dYA#a;Yj@&6P(b%hs1aERG*^RffACKHNX5sxXk0_l#RS%tuu``*5^TqociO!*R-{m&{B=jl;z z04Y>bxEV7ae?Pmm;VxJvro^%4+T9P{-GR00^q~h1!q-P^^@l=_1BNjxsh`vWL4UO5 zBgKg&GGZXuh~wzAMaZsBBJ7*CSKHNY*bkQrkJxP^6% z)Ae1ORyqA92%M7uw-EcDfROGYbEj-F0hCz=fLX3f8a9$P5f!Ur~DARsROiKU&t1vW7k4vsUb`Kworr}dkNbq5cHGQ(Wk(R z-do|c_tWtb1LQ*R$+u-H7g=#K)MjIbIkznHlG5MTk9H0NFAHH$aQ+POV0IiE!0Lmd zr~*PED1S+-gs=?}BH|%7qzCHC&x4?47qZa6_~iJQa+g<9^#N0>*kHWw|tj$9X^4}qvM}d%S<(dup>p=atjyQfK6)xuz&%^I8#>OGFy4~+M=R}Nm`?TzN*>C>`Vzj?)PRq9TA1qq*NUOOQwOd&XC2# zvAAc97}jFGiK+Ic^jRT+^Z7t1$fY%O$a zA%58#*mUKDXN?OQ(7TDH{Bqbc7KPivYI;Gdf!Lm&$V*ZV-s4lh6ZGB)y(zk>M%{!G#- z`ANYnjUcmQ(NTSf2Kx`PvpNH$lf&#~q=#N3VE%H|d04JWNTK#ho}FH#*_L%2Z2KGZ zh{e&7qaekhw=$_@%s3IjPe7(NC4f}DR@kGC4y73lQdRiHr{5-vL()maiDN@-$YEkJ zC8j%2au;FY&w=~)O9f=$BSnkKjHrB2Datn!A7(KHMj7SrFQb_6my43Z0|%de+SRI9ww;LNy=D0g{r={q-I0%sjFv zSC2pW5&eIR@KfTFW7H~*oiKh_j!+X{jL!%{6tmi06c=-P{OdKV=Y&oI=5YDnJ=uPS=fn=?!^_YRgm^o!JQW0v_@(XZ;$!EaPDADHp>W$%FAjRl^ z!-dWq0*~oyc+D4<)fAeS+;dAa$oI{1D@V}+S9&@*;9=s;l^7@uLFS&?I$dKXnF~I|sN76Du6&`)0kl<|;g^ikf%2)3d%iD8r3AbDOp z5EK|uo;wPDKYPR0Z!%C>RIQN!O`dNYdiV%zxQ`%H%pE#jO?nGxKBOp&c~$!U1|G&c zDDRyXRg`*$6B?&E{j3S!B3~;pghWDP?VPWYZB_X7DS&5^dDsBsVZ$b|oFcg>B%w0r zi6eK!J=!S*FUIPCO!%VAWT77XH|ss-ue0B%e5-_EPtZxIs;}Mm~yyVPjx`gcf2?CYI&>IqX;{*|p z*f9;#QL<5b7FbB81)yoK6eriY$fng21d>~0*oR|G_Wa3y^E{j!(Oxd=!k%Q~`V8^i z8DN#DCZXS?((4p3cLbGaSv~lO82vO?%OHP@b&A$sji*-=T_0PfcTb?GCnci&o~ZRO zuH*RJzvSqR^x#jv@lFVQic5j`nH1DU5T19M?zmORkjc|Sh!K|m?+G|hFqV8+5E{bZ z2{WPdXcD$c$X1?Qc4w527bB%i{`6H~^B~DF{aBPoZNiQV_$U zG0VCcFZSlo!F=nzxCB>YyRr$-5&{LI6yqMG7LmEoN}iP#xUA@ii9(D<>*BA*0eQti zjp;$*mqGOM{o0ooi4pF5hkbZfU@uuS=8as^A{(KE-Ot19pDVwETtE|_A5Wa30nrP6 z<45MI)$N*Wxu}kMK+{(0Z^Nqs<^*lFmLGpJXnK$-RLv}0j-NnKsRTdGG1xyN&Vv(_ zOX!5ki*y^bW>jMmrXT+1_v^`fw+NP{pM`{_1tRur>`RAynt`f(JloKrN?xXcFFbgd z%0k+hS=fgPB3u0MpnXU1t(=4UlunhQ9R!6-HQ)@xu)ttFMMmz7%=cIm{8%R6^YhO$ zl36xQtzw<3u|KVD(Z>JE1No~W4m7+XHhwA%bU1NtDN;3`ufo(P{tuMJ@8sR9$LxOH zjAG3MZ&|4HiIP5=R>G)NUJ>U;fz}{;izkzj#qQi^oa|N-om?xV^-C3et!Kh^=r@Mk z2*M#wBb1tE5`~=Z7vw6vRnft zZ~%HC_SCj5ESKg?2&B!OSB-VY0lLQB)d?&WzDV*>d>?BA*J6(j>0qJfdgWu(f*G1e z9)5L9QAKD>Af0mqwsNI?BM#EEs@kex`_y3sk167;ZFKBehD_C%nYumX?)AyPdf~n| zqbh&?6*`q?fs*4C(X+?h8r@EsAR=YGl)q&?evO@g`b}G*R8HD!+GA1ECu=iZkFM zji5@RszHJ9)oK1J`9f7TZx->|Bg)>@EJ(;}c@;l!r5#zC-|wQWIaRIrLn)#Na({~0jkUb&zxCUsNenD z&rq`t{kM$CJuiI!>X7AaE`i*>2yg{q=E{53y+Y(ELG|h*i+Y^Owj!1CTo&;gQclXe zP_ta&Nw4-{lvG4Eng@S%IRhesB#P6jdkQ(gS8 zjlJImGm3w-R`P=!rOON1=sbw%C{-@Ww}jb639ctu1wc66PQi_7u_1SC8}yr(c{Dd11bwcjo~2?WvKg3 zWHs%>@TfU~^>)SUtkfagVa8I2{s`sW=6t zLFE)Hwc&aP=TX0nbH02VM$ z1wUm%^B1R}W4xobMSx|vVO`|0D1G+}uz=|-_NN!#K#mZ?qe;Sm+2@OSI|Wld%JP&= zUPup;uJQbu%tD~Lj~W6peRLCKEbP=7#Msqt=ZIgMAO|PGQQx6_6v98ZPY1C=a?&An zBOR&Pgq0(h1wxfYBQ$X~<%2c=v2g!WEUf>Af|TiFJ%ju%xvO2^D0A^8Wiow2mi$-5 z`eXls2?0iy@f7N0N3t&YR!KybAML>l#p=;%7S*4C;uVMDkd_E@KMCp~>kCPTqcf($ zR5{_~OB-~`jv(1^w@r-{5M^q-!E?)ys?I176BeCQ;a!wD30|?2D16OPYs!&KqlY?J zj&NclM|@{grX{$fo_2GzC0`+Eb2aIs$YA0TgP@HH(G%M?qwT%Mf!KM?2T9khJx{e* z1qe=^3)JS_$Sk4?;S=o@fRruH$b-H{cpx?re^>2Iww+W(%EaYj&nYnLfljr;{hm8L zy_)oeXG}u$X0?c785eR*j69;UrQM%C*ypm3@oAOS6Sx`a-8?9tuenR^XaPW2xs0FZ zQeoH&I^SNN@YlCi$2;Hlw#&Vot?Aex^o4~^Dc1~dO+>{c&~iB#?|f_kzIiQivXg_H6{!1636YiapV2y z_I~9k8lV<}V*u1b!J-SbV}Ccp&R<*64iV|!qal7a6=vQYhKMJe^UBCk-;c0Tneh@2 zg>LD4dr(~KVWNlI9m*Mv3(Kk1N4j32;&e{CvdP4^zKhyFdnUTyFcf5MOohWb%aQm@ z=53damT{V3jlI+=)@)zII#0aY&+ySPa;on+oT!k;5JI&<@VQf*#Q$VL{`|sl)u@Qk|#ndQwuuOE$Uum238i?>$Eh@|A76RlRv28EHbz z@1E3Cz*CU{v|lGbqLtg@hco%LS+9PP)EkYpb%L)m-^Zi^NCSVL=8jEt zH?A&3_%Q5c=}5`)g~YP{zL~y$#9w*?$F84xQR`pfd~aI`dr$8Fl|<-{ed=yDbI2XJ zW`h0P`TsC>R#9=SVS>eiLvVK|xVyUtcL?rYXprDixVr||;2I#fTX1)G_o?Le?VdH= zvu2)oVI5BWr`YHF_Kx%?hG01N)cw?6#Cl*ccwF0_N3(_IdGO8;rTBss;{VezI;s)% z9!h@V9#^e>_M+1%rgC~{PO}P?_wzgs3$y&yjJ_$q(e~}-Ijjcd#ehYIHvkbXp2Zl|s|0Mvb#X9NCs&#f26xp&FUF$BJFMP?Oe)q+?UU zIpo_G=_lF677GYINd^z-=6m^(e*G`f6+Q0X>{Mrn@2qH-$l|`;kjuJF-izr+o?1Gv z{x<2a>Q6qwXXjEc*u4eTIC zY{ck&p?C9Ns_k^;>^h>_&1+C}d~lMDX_x(OtiM6cmGYP}YNqlt#PTgXCJFh^8&@{@0>s{0m28{QbLZERF6+`u!Z;m+vB zHMs4=XyQ0FO^@^K=lyr)okqumxM{|Xq~#F7%hIs}Her$2Ju04Yu7S%mh5Q$K(qr*F{7 zrHUF>n{VQy*O}sH`Fa!$X|gQvxa-;c3V951F}o1Ri4H*E$GW7C8)|jCyEVh^uxZ>^ zwGF$*pP2l7GZhEx;L+7;hUh0|wH)02W-@O?^E>|7TF=g&WNI5~rv3@j;}D(HUyAx|+N!&3p;j96LuAbr>ajL+Qs}tlnMP?mF9-*IZE+6{*Qxil%U&Db=CEul0rr zAAfD_e8Ds~-lQjL4Fl2{>blC)O#SLffAVW&({~*PERm^eNZans$2klX8NGPyf4Yoi zE{txCi?jv;e)5G8j%a zQ}&tHQcoEpj_Av(lE3DhAzd~!)U^et5Nl+cN!OiCpB4SgdWzh`vd*C7eSeG`?mPaw zu>kaYqkSD?V-Mq7P*S(}xIA7$zi#Bw`1QI;K|0T(b}M0n@Yzx5idnSAK65(v>4 z6eQ*BNA$77eM%a&>egD&EBKe?zV@Qp0Hb@i9F&x4tRf}c^J(OS}5YWtHGbi^WgU8`35{8ScW- zvqtRwv^wB<(E{W$!2Jr_V;U5k6d5R5w}m%gAbIsT^tvaaQDrpqL$lu+!gNlz4e<$S zp5$k>dRIb*CYx!BClLSDYLVQex5OfYU#PN;9wJ+OZI)@vcSv=}&WH7NX)aEXd`$3S z8o?VE0F>*N8*IAWpuo;TCH~H&5tR03J8h4BS)`$l96=Z!-Nj;Ktmq;R84qM~+HS?B zE;MEkSiUe9q%DLKTh2#~eU*L1njM4)t6Wh12W&_M_=b0D-mdb&F> z<<}CbFRJ8CsHXH3klkTkv|;bI*CZHyec7QzA(a*Qm>N@1Vc+Z8(2eVstqjC>wUt>?a!>Ugr$glHa`Z+^g9AT%~t*S7r^7datFk zK1$hO!q^Ii*tz2sMC)q18+Oxs3OER zXO%E^X$xR7eqsjZsKEIPp+cZm{ z(=D$@7IF{kA!jRy!ysZ2let0*+VCL%2yI`Q=b~uAoMY0PFruqKkV?7AsPN5A^LQRh z%-*y&4@-_M2=(A5={Z18BN%S)XKoWnS&5i>4wUQMYy;kvI{rLseeunXb7Se~vn~pq zQcK8maVuF^2y)~b@BlxeVY3deJG`kb-#!_@Cx!E~SknHi=0&I?XwueS0JiSKNV!F>iX#B;uX?<~80ot*@Yml4O zQCu-kx}Bu!tEw+L%o69iE0E<0-`4%s*TF*6hGcjC6}&=ozvG9boUO59#u$o$x5?Qs z=|GS%hpr(tjl+)5nE&i|Vy9N)MPD4HdO18F`So=uHS4r_-b5(b> z>~e;cp1+{J(6LXXNU_u#WK~2^N^W?doStb4gvPF^LjyK9V4RrddxA8bxkr7UKG_R- zuC9h63)SJ6@Z7_!PCUV7e?7f&d>h`s&ew%!&Z+ih6+dRdOh-t0aE#jqX6as?n@rl{ z8}Q%!o2p_shWMDDI0V?;_Wq{r8fC$!W~X`<}Oy^?K$Mp(u0!M}OVov!VE z;HUJ4I4>CM+J5|scW6^DeZgz69K8I@<$uT&vzhanZinc*Vu~7Cqer%AD(Es$B^xqmF7aJ${f32hP{I}PnJb#?5{~xbOV<>p+ ze-2cKT|?+2cTnak3k#JYK5)803gQUvp0yf@<1KWYtT#PiVB)4}3qV4yb-P_7(9*<{ z(T3-poc2||YrQqvzjmIy=%gFIzoqQ1zt_J_TrEE}H9TN36fF&7N;(qBojq4~8FD|Kzw9)w7{6chk{!~1YMgIOWbqf%=qaF&woVBd=;W5ttuv?9o`kr!MW)IpFLpP z*Ygh_W;9DJX-~ql$`4tY-_--EY9pIu%Wu(l&mCcDJn-?(zq`GH!wc_SEX(0gNq#R% zNBy|f^m`Eq7NA%Rt!#f=xb?NtB}3V%3Sni|@~4YQJv_ww^;w8u5^9oJQANB2??z-; zrGo(I9ck|sV<$T%FfP^KiwK1lIRM#$`g=s^tSG8L|ZRAnYm2dD-IdR=LeO{JLE#&c3`h;sQ$u0@PM z_^XTjScSGk){Hs(eFn>afmfiaXQt;&z?cB-s6|6FIu0hp>lsdac$Gj}=F%X%hWf3Y zYVu2#<{Yd!G=+!6e(+xThu1#H5|~NQSk#w8gpdLI)fRl6l5@(r*2|e%gSjKEW(bP# zz0?Z34tm+MtHj<@y(QF1z3f1Eitr78fV_e5@L;Z-Qb%2E?s#8-{y%v@PEa0@$~J_n z3JcJk4er>9w>VBDT}?LMRdh4~smO7MMU)~!&a1O`P##|VW<5HYm$ z;qb}>tEHBoJ#R`8V7z>@kNeC?7TZH|A3Q_@DMTsf7e%i^+E;#nNdc_koxToA7TrXb z_oV)7U+o9kSL?XA!v#W;7}+-!R%+d@@g`Gpp1YiWmDybL6QP-|>@8B35|8tCD6Q2P zgX)0n$em=MI-qfvpw0^+7+j0p$-*rB*TWH`B#?d82<)ezzcW}SIsF0W7UI;q^a;sW z=`tWIgTJsHIl70U1sO6`^C;?iDpP(`H1qJVKb)n!Y6D!f>_fb@$shab#3N|h8UNez zU;8R0XEcoSPQI^fT&b<{6Z9YZDl|d!yI#7bC!y&%KrzIKRtHoE-0XYEq7TG0%j1zY zF|UQ@J*}`bXKho>XN0(u5FzOCL-`_{Yc@!Xu0-}=B1i7=8;RAX*BL%mfF$(KCMw>` zET=IG+VV>$1oeYdd9)1e&`S!srdC^0lVq^Qfv2H)EcNB|ar4Px>G5uHmBCBRd`zrChE{-mNuR=D@1Vy2WVjp>yP07Vagoksm7#J_7L`ScO8KQM!hfln}r;*_FT{`=S9X}Er zl;v$EQJqR!rb#4Q&V4@6Km3J^~ATD0)j!+5uWZ?Ya8^lCLJ#H-oM( zbC&XNyT41Q6SixhB~&v;49vjq7A*Ur{wu#{NMsAB*@LZ!{w|>^wB=8LmQdj{Kuf5( ztGOQHBOBnG%8A3RiFzo(Q)ED?CV37OWv9vtStA-$g+qyhZQF|-%&ef}AW1^a&skI@ z(E)Mo7HW1>Q}B1@P!3O?J*(69TYD$c1q27}^BC?~C~9AG$YDV{sK<-8BZ#g(-PpF+i%@ULG-95hQ^fUR&xh)gr_eAhOewpvfMt^sA{|TXitbe?q$vK54eYwHokm3f<8Sq!H9h1&*-Ne!~YWpG$I&JOX&sR zpq`2Daa+qGRQtQlU`4SjO_7Bau|#4JNp5CP;322g8+@AE4r~<>%V!qPqiF*k-oZdF_z59Po9TJ#Cc;B<7!=G830y$|EXNIlgofj@5}Tx%3B8 zR({cqjVkLhuo9$aMYFNUx_dH~g%^><13zSO(JpV@N3OI|IV$LdMkxck~fhRth zY`TVmXOgVEi&YKSu^d>4DI!5NtJY51dx*JmngK>)>`#67OOylNc@qY*3eSE0kOFtQ zFhQ`uAnF^Q&r8MjGcuefmz+*}_su`0yq8xa;+1CLcHC*_Zyj(?pjH!92mJY`4yg8& zPp&G*%tkY7kZ95S&i;PFukgpcdLUR}9rMS%x{NWaK>Z)?)mJE(BkHHKEvwM@Osl+d z!J1o0UKXFU$*QorXbIp27)84bL>?oJ2y6TY!9VI%i%FiWv=rLvs{^T>hbko;4TYH| zirU%8qCq8PF0Oev@bZ1w7(yAYK-z_C`>UfzVZKu#_-t&6)Y^DGxUxTS!08U282Q&w zd5=8>`{{lKG*BGyQEtx^6bJ0>i(^v3voI)<$Z_%!+37h@@qt*DRDv1GRFBki-c#_* z^hkovqkh_jmKm;v<&LaW{3JPRtkeb#Ug_FrdK4vl{*=l8c}+md%UPo(e!6{|({hlh zX$|=XU_BOpKcxkIJI+Nz97jK<9dU5E*O4Rs{DQbB(^#H+_o z9OE_y7qLIGiXE@XIHVOZZ&{LHq0W)DDw%Se~9>J|CCTIZq807Sua3_zgT&E)QSQW2b41gdCyJ5+}8OPBjxon8Psup z8@_@4nih+r`~lS7DJS{#nG>@!N<|_$fy#avi8mUe6J-G~0CGA16#N?ptSV6JW~XlB zw>Q4RXWuRRz$?a*;}fwGWhu+X6!`C_8CDbIU9ALpSIs;D)mkehU>F0%An$6RG?8k0 zv&i^`Y8x(4HZNZ~iu3v-=O|1jzUfxo&gJfpPEFe*nnuF}g9lak>)HHa7@IQ-pFl+S`O39X$aE}pTD$1<{edDRzf8Wr>Gy<%9@zkn-uBJLyUW;!BI)JR^%V_YdvhyWSB*i%> z19cANo2YtgU%kRj=VH%onS}z zc*5AKMks^~u#|LO8RT76t<;X|1b&HvSWCB!g!Z`3Re9NPleh9(pLPX#SCK*9)pF;t zBWrz&ZGbtG-ZAj6cU6Oj)T@C~A&bXjo); zKnxgRFSv$K&>jX?^R32PBXiaUFw`)xqrPJ|x)y)GV z+2QO~Fvwcibq}I;!h|TyY56N zE`QIT$<(N3Bx9HbqH|o!vbq}a7%h&@8V+SLOwj;05YBm=ghfjL z?^coBFjIZo8KW{nWYsZ(qI4c%!UN~r)!wniIC(^NmjrPukFjZIWpl~Jo1PhQwqVlM zVfx|>Dq{0eh8!{}{uA6FCh>Vb_P&`12FMH6UCTfZj6wyTrGJmiQEBlEhZKg=9B_tZ zoLq&zE@>S+uW@RIPCEh=B)>);loyIC()flV4kY>cBdsi~V(gAQvy(9b zL(pLnBQl`u%Q&jcDe&j%WO@c@jQcbeQhexEoYo4o29p`NwmT1S9{O7c1bsUK()Wc< zl7&%KrBi~etKqgL=aW18G>Vmy8HB(PakF@bT#pSYEd0iu)9CrM^cGe9(9L)M@MBvquxc!f6yObB4ens^G&GcF|g8E zhSF~9`5v1oIXoyD>`$7`Lb zx~lu@>!qgm3(_;`#QDS4vQ2WMyY1Jy>W2w?$P^h>stiEn z&xkSWGwvgfyB&O^91>!hh6(p>xiv?@&P3(L6M9S>qIQiQ1w#&XEI0ew!U(DZvP8XA zzqi{SQ%eWTV=@hT=c`CLY* ziNS8YsWtd|pY*1YN%!)n?&juaQfa-*&!nyAS?X|xynLO7(TXtcR$q?+j^M%4RUvQ5 zF}in!LUg)ViuNu;ZEx$#Cd%#TY(HqCp#^51PYr;xFB(Z-36#4AwhEK?X%Cs)?`Ele z#_~RH3Z2$gmi|iX>pAx~_>!jkyydPsM$I*evi}BeCo0QG54)^f2HhN$4c>zE2 zQ|Wb2(X)>s#9QcVUfFt)uMf5cF7TwAUULj}2uui01b6eDB`{BDC7*V5K1+^2czGEV%dqjJJe+NI=G11%hzVy|N?IqrT9?zHJ)pcro?`-^pKPx8@+3Du%P1kYUNAIy) zUmS%`r|6|GQAWO@Y7Zk7v=ZLi1c8k~0v7Lv-KEDWPxoi<92gHV*}-!H6AJhRbr|!S z+XbPU(MOwdMDJ0*WLgtWHSgbN3pisM4KXNJktjRIma84zpZl1w+(#vdBV)nLdks)X z-)y+lbCM>zJU;5hgesgiAFMvWSx~U=KbCo8A;jhpeXRGk|s`{ za$M-~^;}sUFxlyFsCl`iJ#IwOM_ous8-)aJky}vAt~fEhUIN@%DZ*}MgYCntyoiA{ zg!i*G%3BG)HJ8-g%b^VhvKNyCg?t8UF&-S9$X=%rcwR0kV4E0YWG+lX+(R+V%Fht& z12($uqvEmT5$*XOD&{Wni9S46fvKil&RPWYpEetMU#}7Cd-Fm}pa04s2H&Lq^+*rX zM=d4%fGxcAuFc9FbzmX44ddSR(KGRmkFDH+yRP=0q*~hfhA-nC9qIf;{!ChLLq(q^ zK4EixBJa~|lV;g6G>!O&5)M}t1m~=m@!3HoExXZ`K;B|a#(U9SZbv4~hbX>TDeRFn z3a#Ut^DgT4PAqz}0*b3|OHbQ;-afpum%f;EA$*cXcKbpj?->L45!c9^)6_??n=7x_ z0(yz99C}SpEt~P74y_hzL5y`i#N@AyZ%noppC0}PYWo+){*efBuyg*`atjaZf2X#8 zyn_E9)D}p==e7o-wztAbVh(WWK}S`e0^R5BFMfF>-8HkMg`|zW_#E@QVt}CSJu>vn zq|eV-0AS5a+|;4k{&o2(#r4>)_S(kE_x0G1@%^dz)-QQ|uCt=A^NC}=zO}t$kE8c3 zrQV_1%!Q%)!lBF+6O_!-(UYmRV$k)B`s2ZOjajl;Bu@c-DS`0f+QV+z#d=zj4jo_=rg=B@ciCWF>mqD?T1ojR#Vt3pA@)=Y{R2QUCa zw%IOK-wJBwa0!x{RLFU(2YvMa7PGka{n0Jp8a0|~esxZ@yj356{0zn#x^B?J{I{6p zf!0|#ZUBV>IKUHcnVpZ=*4gJQ*wVvpE}!z=@3+K+y4+ty@}VLBG$OA}2?YGYMb%yR zvL9m)-_`fE0|^9KAa7SlRS2L6yA`D|Kjyvj6`0^E7aBl^NJ8t)fr?qW2Y-rLw2R_@ zidnq4SC+`K^4P*0;dp_qQqi%!zlxM=Nya*KIG@N-y1#A#TqX`2i-Mu9$F+v@*IvPB zO>$cILBzKCrVrIip7^TZ@E>B^-6UN+VJ2@sBEMv7z%rb;7a1WDFBAFecgQExk44#* z<4qXMXjBv*`jgxA&JM&2q33H2w7q_RlMs-gkHe8;)0W9VbIi*SF0kw~^Y1FlU9g8_ z4=tDaXx#)uv2+?V(p z%;HOFgxMJ}`Rq@D${!mqf43pgxw$3pwfqw9#;)h|(pl8O{^R{@t{)H@r%xWERs zsY$-P2zjW!gSVje>M5*g;;`vN1d<0<2R{J(^Wt$FwTZuVnf3+eiVCx6w~^=*O^|6O zhZ5jb7N9Q|2~8|Cq52a*dupdfvRoMSSx^}ZnhoEvB z@ai(bJscd-z9Q0P4Q(p?`Y&MH{Rh|*{{gl<6s5#oS^cW)6{%kckfLU)VZ$$La2#_H-gKhDNW0*1>hDu2l~##uFw5li zfW63eOc9TTn_z9pD{(PKYP$x*qNp&$s^N<{&r%5OYgUKbf!VX2LCVY~FK`nLDg&Qr zCG-~aZ;u8*_3a#Z#s2!raqSb+`ypC=^+d{NJI}AUL=n$zITrYCiW3NWH2NUYmtJz zFnC@Vdj?B8{QT`HlHrVW zx31vo)jscY>WZ!w@zfVnX0!%C>&s`DB%bG0cF4ja9>!0{C)f=SaVG6rTW{MUbfCv| z&%;eA^!eyN6$p> zRP<1=FXOrT)-zUf;tnE1tY@6rD{T#hwN~0!Ix!0nu<*|@d6+c+0^0+1 z0l$TwEiodDsoM@Mk0(Vb{KTI=2_%5Ppn*g}2!m2>$flPHLC!c!sX{+mb%^B?))Hy3 z;M{ITh8f6s0A0a6svk5~{C>U61q7WGZu%kck6Y!Cl0#5Vgcu?_!AY&W$dugzwZK`u}RXWkP}9IlR6 z0i}b0*R8T;S0J>IM^)WOq*lGyDu{}2Z+|0cpitfhNdtAd8%gk2A-)zq)(lElWX+!5 z&Vmx>Ez_{lA1BN@#tJWp9dyjsulXE`5xQJOJD!p48Ub{_$g2OG1sG|3M3U1pAL|i! zin5`VyZLij2nz6vM=TXV(!jK2;{)Dg_&`SJJ^>x*m>T4@?$HRwh;0eD$=cswgps!O zk%{WG(nv*g*G`g#O}g~P8wC9;T(GS|l0AUEXqNQ+kQ@;xI~nt!$<#U!qxL8yx8U3J zWyeNSzDrlP8h@u@;_4Wb_9Rkxlxn$|&K4TTg^#^$3%Cwq{1@5Qf{<I(#^lm5Tz4L~?cnpP#yWkCG7hxPV&)ss+R~y3t0f@iaU$J{E8m^%o-jWMvt;$| zwCSl4L`gS9Eu!urgCx_+wVzh{9t$_oKBTbJEVH!_%jGweX{%1`tVeK5R_L^6rgMXv z!xZM7s$Zt`W%=NcB&{wYPHw!NHU_DNa!S-QtvEYEaJ zT%LjrQE{TDL(b#^MHWZNu~7cpMx~*v@=70AM~d|^R3Jt6aSMlVueMTt98l>6Asb029gG56!DdiRW8TVH$VYB6t{WVij{BD_87uN zuqDXE>Yvw!%uTnpPSk@%d@it2314r zR8XU~;v=d{A70LJGpLpY)F(1DzJhgbvG(u&JZh6ewl2wDn3f^}dZzw;2lIbW+h%Z@ zXeD6k40Ig-p7jao)os~{WCrLIT59+d z@%I!0{csFZgz#BCUfQI2*!2&#Rs09r68(d14`gE>!^iYvzu$K8$lPGSQ`racA>{lwMhRLl@6UdP1? zEwVo#U00i?`wzFR%F$z+w~*bIDH&>V`Hhyib`pg=5yQp%Ld&#vz&ysq`(##)jXMNq z=S?f_Y}GKy6i@z^IJ$C(2k7?QlN=!18Q|izYab$XG2Upp#Q&g~v2t(#^M~BxXEhE* zDY|%lb;YteR4g9K(5q%&KV-lD6U+ktz6QdCsLp$99h?GxgIUVLq`!-L)H0$$!K{d)m09+;i0_At zwTIXg3`hd|3CZi6ieVu_%LK5#XpbmEIy321MK-P#ioltV|FB!Xi_r|Cz`ME^ozwzb zFT~c0n7GHHx+oPZPJV?ZzOj|I66nwM{C=nUpBW#YK*=nVslIv%P%;bjpo%UxheN3x zjI%o-On)KhE1k8hGntAlk-tL1aDN#z?n!Q6y?pX<>lem_UEr5g=(}kR@Vs7S599aE zgSz=Fe-LyA+pe9LTvGqCMM+Y9dCNU{HT$3NHo7tAFT8aC!P~3KQ%_OsMESLdv&oIn ziH>n57q6W?2TD~wPGnxm1wK|x0HF{N!P^JN_6M@G z{v}Q+@DP-jd3dS!T?m1`oNC|q7O0m)d8du(ocAAZJ;l1mPuCOgcXlq+AN^XsfA_nY z%vrg!L!id)v_mEOuKL<&mJ820I|JOOGM-dq>NsB>;=q|F_8S-wsv*Ae9`GkFrnk#k zxHAfUaQFw^`g!@YoZXxYy<0s#w7fLVaM{&pb5G8HARu;v-a)!3QEt`)z*5m9o^pcA|YqmG3XsH;ZM804ye+kLkx!v4W1gGGu zeDZE!CK&S3X-}zUD`bWo4zf&LFEKpd0{8j)P zgcLe8Q<|}gk13TScd#zQ^0li!#C?<1o!{GlnXX|jtbyi>@Ln)zCTzDKk!4Ecbr3PP zh|W-%ZK}Am$vWS+3Q2v4&LQ{sUX{DC2LX@F<|S!HUo15|2aimwrQIg1*U;eX54e51 zR|eyGT6B$!Z}GI_-U$8bzMR}t+wolMW4qq8^6sizJ-@u1{M^hnUwHgZ<$>m*t@Wqe2}Ywe!RM-i*59DB?RnDd zbwxO5rSN4T*YMK5Tu>kx{oN!;X54rzAfot`tsRD0I6!6+%zajB2;KgTSnems{#(sT z>6@W+)VuZ|{cQ*M19?f%`;Vz}T$JhY0(yY>NTPiTk_3#6x0`Ni^Kr?HKt!8p)yHMt zAEZdbr(V8p@Jl0ml<}(rNJ8!-aJK6OL>Hmw8$WmjPxAK-xVLsfk^T6=-|kFVFIJmL zuLe*%bakI3~}i?h{;&4Ow5vT~wH>Nx=NJH^SejyD{eDcIxv29=#k8Dp6$fS_9~F zRGmeDcVgoFiBmRFbo(rO-kk#;zsi$PDlj@YAG6rv6C8t&bne^{$a5$El^MX()-4#5 z3DBF3&UX9ZC+xaZkLD%()5W*lyqDoj?p)-t2jT(djUVy%q`gM6MJcLt$KtQlngz#> zV+lysDRmfKf9g0Sjt3jucRlWxC-YCNN>t}tzHVIJv4%NHC_ThX2;hFgEJ!f4&YCkl z$lE|k?zP9&Bz)|Ojis^v{Y|iSHI0WB^3w?+C%?6rcA|-GrZqpHLo@cflk=JG3E#y= zP2u~@{pGk@NV0UylcE3kKI!w)=3W2tD{R~AE3>!w>o@Qy@jIz)QH(`?!2sVkz9{-7 zdRq%SFAKh((U-3uNr=tCV}IZV3 zRa*PKd!~<`TRgX4dX`=n4Mk3gXywd`Inb|UxiG^>(W-E=b5n6#|43$J=cVlrDRN_B z?sv(68oXY>fn09-th6!;ADs51KaWuSgal2DOpbDQ8Z>{C==SQ2A;0wUjVNc2smCP) zfVT#tc_Yi>^&>W6$Fd0}lqzXrFq(dI&GX{-_=~=pdKAO%wM&eQ06Ke)f?d%q*!GMR85aBYz8kw)C#}cvXz39>vwzQ$g4AQ~>tdTc zxxevP10oi;==YcU1O z#uXDQ84VT7X)USt75;*rXVWCuxs8t8&3;?mh%Il~qc0ex48V3ovAW{>EJE}{y^@VC zu+$dWKqt$hwk-k>!D)uHofV1FmON!d#n-w-?8z?g-5iALZPXXZE!Xodu=&^>Yg;|Btz1EY!(S_3uvk z?zT9u;IoL^yE0uzvcA8##L~WgwpdB%D(B(X03maaUIEQsX9~EVDM!mUX1lr4r359V?g;NX{D}muJN{7fA0TRe z?r=77BWV6)_i9)RXLR{LA@hF=I~?5X?Eg9F%){~Dk@+7*)c*^a&+5zl9dzEW9t3rF zLW%NVCZ%)BiU+3w&5{Y3elf#>t zLxr`=e)fEv=xhs`>%S@Oeh!kn#(j+5mpOFd?>lVCK}SCirKkPmDn<+on1NI@snCPP z#3~DF=n_pTY?MbZ^X@c^ws0C8F&_<-$mG%T(w)Y98zYVM>uLUm7|XqNl_}pFrl!WW zC9+i;eHIKZ5-Jy1a&xzG(IV)Tp^Rk23>p#KK8Tu9M>#M=&h%A|K6R=tvj$wYO< zf3B%aqiQs!nb2P}rZCP;#urD2kyKcOJM2}(dmleYmCBrU1TE>poXrcwDt^V|R}j`J z?XyAy&*bEA-kHKNO(pIAEp9`AN9Pc*Fo6RO}qj&FA`-F$+Y^$4k5@l6z?s z?j7MN14^jVPwf;+;Ly=vwpaB_sa?o41HUd_(2Lm!=f|-pOaBI0q1ZFh9SbsqsqOmg z{JYdeZpRRBzO@Z}KC1bE`cykLR0VI(1KuP9vp|obb~f&B8I`|~$o@ElQha^p&rc5a zoGu*dW6&na>@FP1rDo9lde-gX2)P7}=+uDJ9En73T$i^(NXc#-Zln8P-SJaj_sia= z*j}A4wYSI15<_izlx|W?J_wc!F(Q!hT4BP_RO{bHM!z^JRRUv~v$#HU=mx8A&N9-VJ|McdW=L_AlAw$q?Nc^qW zv?nUpUzBALnmjOPke+KV6pQ^i*g%`}p90TG_uzBz5Iv-yG^oHM^W7h)Ifw6&RX9#p|*P}n9PHV!|17jS)h;xKj!R}Cr z5OIHm;`nK3#1g65^=E>vL??1Y4@D_5q?V?2)bUgx{b;aPQ8@x%f4<8HBor0Onj>3+ zA%ldu7JexXTNvh1ZW!Y-AG1wyk}>QkdWqy(3#*KU$8Sb_HHUu^JoM{P1X0mLrt$fw z$h#@oS!+X_3$fTbfwLM#C3&i*5_GCsSsK=48@|f1b`MGr?68T5hugzI*rx?eHX`-F zUu?#LAEXfn_fElUnsnYj;m4(>x~muZ-hTmbf_I{#d|AE!li)ekWH_Io+O7$+0ws9P zK?xpcs~i1l7mB7Zq_4kujNJ~5OS%cCx~kenmm5ZsiS3Xj1|{V{5+PZW1V^e3_n{h7 zSEX}w2ub3CVGRg?F?0{CEpSOqE1y>`SJQ_qUpCIjv!2kx^!hisZi>`BXzX(KKC&08 zrLy^(ctRl@*`<^^SOyHOn0a?MAsi^dGo6yx)|Qf%@q!CLg=*}+5}T=6rS{cjHt_0hf7WeRX@>v(_Uhj)qT$QX`d1Jv) z$O}z#GYm#}ajR8?6+4Eygz^-jl+#xgH8Iet5SIS;P(XukxP}o~gjca+c_hHe8&f5; zT%`m@JmC{;N0Jberc3k;x$#oLnKw20a33T3udj4%O1XW3AvGS@cvua23=DJZR0or* zs|b<9xH?aDCEuKyJ~41EQfHhb=-Q8Sjn_`5hw;A%l9s7u7KF8e(Ll*&kqo2b)q_zH zjoOMai+xnSU*bjPaWFH#nb5RX0p%|4G`8{AqeN9g?IS$a50h(ysxw0f_%ate>(G&a!u ziGF~r5}XucP6aCo*RFqVIX2;MZ;hvHm7bNBylfi2hYRnc*?NUY*h({f9Q<|67Qz9Y z46ecC`&GVR5a*(1A~yb1SzquyoJcX-FrK+*&~k7i{Ta_1qv)onva7U?Mv4#)ysBL2 zU=-1$X;Gh>eg$562C{l}8v~UZ76(I8UYnRFkZ}$s^-qCE<0^z^k#Lbe#58?7BEsgj z3?m(FY6n!{se)!Qn3eFziJf)&&|u}Cjv2Yb!!>(GP`Pm+8CIna==jPj-|;~xJ_%AR z@@Q*~8ftbe1~rvVEtn%B%D5S4U2^0drt%cq>AQTv?^1@t54U9H7+Kdbj885E9eKG= z^@Iw1%hV{mO*FSnM|%O|RFV>;vR37E4A(L`!<*F7kgk&9yT(t;4bHodX!j@ySnTW6 zfKK~3(*tBDUM|vh&Azt&Sp^%8bKcKCVku+`Ibju^fz$3C<2nRBA2d-cJc#rWIoi?H zjWpyy)6cgjYD{(TvH3WxaIi25P1zJu0gAwWxpQ>9F?SjQlAGM6+UEU*kHuXg-k=L8 zDTXa(WPOO@`5hAPmPY1bvc{rZ1}x%C(e1`Md*MGWpH!>Px^xD$B4etIND|cdZMU%A zyfJm!8mFQuY`PA8RD-VB;v-~{>ljq3HLC_1GBco^q~FmXnv}|dpwo@4F2Ve?NkRT*RPUhfcpKBfs`$1~+T4 zUW37>>22{<((Mw(7hL!%p@hsKHMCnbj#ZBw6u>nOZpIkWyti?BYlc>nnxxgrpZpGb zqCGueg~`Jk@kZ4QTS{%;x2(*<704taWfmR37I)&fU}RAL^vs#Z*EphyG%ry5w$U2R zNS;5VXg8818#4ng@<}HDl*WnLgLM`z>F}~ja2;DpIt4D zwr^DD2DsBWO!YlUYaa8pC_9DMcF=(9G~(qZY)3W5d8xz82OjpnLUFCvEYdq0<4Z2P z!=?*KQt@hUn#+mgH@L%8x@g@J4?rIKY$Qq3^M(N)l;25Hn?KY?8?u&6*sazM%m5t#n#APtd>Tm5^E=n8 z9A$fug!LVm{OcHbBRad%pA&xehF0KZTo3+U^Z1qNjx=NYtM_sMHn4NntdW;kr`h(+ zSf63vOlQwz06R#io-s?wc+t|Wrd6-+l9K0KhkjcfFE#sMpAao&7xm^#-nh=HTKR+< zA%xCxM0q*aC!hJ_@BUXOEYqXfk2*hm%$(8s%+@FuwoWVopC$ARdjr48 z=uzjNoIPkr=Eb;hfTo|<#LY$PjCld>CCyIa5COk_Pm}6zGS4Ig z(mU4!)rL{nv!{3&LfRh+*|Lx~1uD5Q`Le+QuBxu3a#Jaq!J?2TILhunsnAP)j`xJo zDNvV?RvO8m8U`q~S7?mWm-F}(@lZG&R7rab3Z7+|N|IG|r+gy7`{)N@beK1s%)L-? zrGY~I8QZK=w>1BM5q6HjmAw1fo=GyXCdR~^*tTukwr$(CF|lpiwr%TO^WS@)^H!Zx zb*k2fROLfgx}Sb}rGM9bUm``Jx^4VxvfEI;f&@iR5F1r+KcB+5IvL0nX(lEsm;c&# zk~EBcM`bqtZQof>=680cX1C%JK;>=j^Sd|MT4-TB6xJWW_yZ&ZY#eSf2m6z|lA(sb z=b_ln9wCuWFcHIY2aahSDg(>zQ8m27_1Bc*6 z+0!3@SzdVXs$MGY+@FDnY5X(=_wsuplo<_xe1~B*F{!htL{Zjh-6Mp`5AaL!pA6y3 zp#%#6`A%oftbV#p2#ejy0!quKgcY%DO^8xLAz)#WM9Va!36=kap9Ms~JGeM|M&;L6 z7JZ;cu$1|&l%4`Ri`44!T*7ps{W=#`n$fpM{DmIQ zGcspeRGJ%%S&zu-MgG+AN05oDu_e1S=}A?_A|USzNB9*Gg}69UW2Y&E-5E9hLD*1s z_~kbk9jj*Otk~blQWI=-P&}>qB4Iin(3+8%&n|j0pzPq{@#pwjR_hPo9Xc`==L%+^ zuv&l>Nni-|1Bx3y>t3-zWzpH+Eg>vQco|38p|xYAfmZgW%`+cf?H~7!mTQ#8%t^R{ zgWL4!Lb{DOV$uWOzz3lOMw8hg#SO}f&=`0l6Yv5Z`>y^M;03zv1x@;KC5?b^D$#$` zJ4hvP+5cAWaIQ2#PbZTLv-jtdUX0GbZeWe7JJfK+VTPJKUDj5W0n|Ha!1d+-QtyQQ zRqs?WO|i~}jrD@g+|)_(UyJVZ6S_-YnE`;swM;5rIJZ8m@ChIsm&2T)+zV1}>h*jO zPS}mA=vel-l?laGpJMaoIn510<8M;rx29KN9wR68xurOOZ%0~2R9t~nekMCHt&TI=vD2S5g$C9cm-)eHaLVdS0Y;d1)Z%hR2r!h zd>TU`I(F>{VU>=hl+-$1M3<8@vBA`&HlQ|IsK+!@g|$q)+oNB0*>6$s2q=v$w}>5t zC-*CkK~=q7I8UGHjQTfsv*;7`jSKYyD(K}!pKh3UP@Wo_hu1Pn7%nXR+ShewEFBTX z%FZ&k7pJv6eo8ksO{n>hfpAyY+{Z&XAaiSbeq6*|&!uAMh4Hd0}tt zl-y?XiYumm!PgJv$G|Jn7j@tspc3+z}3<@@ykYoD2-;hrAFvW!t=Pqm@jJx-& z@$E>_OUnQ{?#1TJDkjEHpM{;%m8>AXRmjT6hd-eF>hao?lG-7itYQ>u{NW)f>fk!SkF?DD!HEo< z`8wE-bel^0N6qcX*u*cLOMrVv$`cy*OFCLs5Ec%rnjUQup$OX>-7lPbd#Y-GJZrTH zZAf8OW{-wS;F@6zAHNfn4f&1|x@O2{30Mn?dzlzWgkO~I5jCf;Dlc2W7gCVHa4F)J>+UC(`%@)1Xp{J{$S& z1!_F>DuA7t<%aHDV!WK%OYnttA`h%f4dGrL=@pLr`W(mxIj+~TGwOfCg!?v2pmGtT z6QHTYwCBV|n8@LT@cogXx@+`2hzTsIM+FN{9^H+$Kf$s0Cz>rK50)U$wq=T=MJ9Wnj(h{yI#8X~63-X*i- z)|$O(GBIDYSo$7yg+grY*7K>In0zB0L=vUaGkGJc0bbMAjoMT${eeT;OA#uH^gAO2 ze^5FU-_-mLZsxF#jQ%pOl!`P#zmi)ixuMT}D6*AsMg~FPAaQc5KP9XB%R-E2ucj5O z!>P#p`(snFaF|jH|E;4cTG#>-Zf8_*2wM8d3Izd(CwXVvfT~g2fl>04^tLR+lYmT% zN3kc0(IeJuM9qyI8~$oOv#D7%a8ZT{tz9wuHpQtOnto__1pGb=ijrd-+peEGJ&|m! zD%j>9S>rGR@w{dKkQkca&9~x)lg?rb}R=ML-JIuu=FzPNbYI` zc&Q4js^{eYAP5AIb{r6+VOBSLXMjCBqNJNKfT;hbZiTIL7BQb^?}4W4C<$Voq*f^G z5wmYBo=5M+AJg-;I5id%Cu4V!e#&6*h(+hBWZ9fmpmad9k& zg@2KW`=(T|Ls;+MX_mNge;hS|tqKB>RNx$cF+KSw(fd;EBUXQF7xxM{)ISf~1G@SI z0h^Je!m3jN-R3%0p%djxftx&T`6Wu?ETs6JnW_VdP`R&upztLE#Es`}Z*MUv13eITj1J#R6^Jfb?X1Mr1Cou{F7)lRv2D>~6KDHwew zs1qXA(tw;z$WrynPIBp5^CpdGuR<6;gjUSVOu=I`DjQ#{ZQV4E5S6rUVT~VT#;Uvg z)(?^e@(U^vN?vyky5;U$SX}P;A0gVVE5Hy7>Y$N+%+0=cY&kMHjJ^}-#kw;u4rhpm_MqIS~uy7yUT2Q7N$fs+S6YPk_T44M)2 z&5Ge3;o^>51$bvvt!~6?QX9YgV^h;0SUf|=<=hk?qnUE}a*VXl)19Sv|Y7$rKO5>KA#6uV= zit>T!s`*rczU@7d5{&%RG9~Skzb|rv{VBdYgmCIP>TlA^JWF9e>nDA%QV>vhd3!!( zQR#aIrqO6K$s@**fygN;iz^Dg=MjE2LjSXN5T7`~AK$o^4%|xUuLsYH1<)Iwx5gbUYfBr6+yIazUcOr4f6E!%1}8wo@G9 zi6M};_=Q*KJC>IzYq3BSuuwb-HH<2bJFDdLGC6WG1qxJ_ASMe|8b99>*7~zT$0A$p zv*b8`?KkE`PnVMvc52fZwOwgGi-?BfRU(;e1KGk#G?=vh39MD4)ZA?C!qj96gf`kq!YSE$$c+Q}R;5 z8@Ii+pFicT*f!s!4WF*J8@^Xrg14m&bFHK}XS-g=)!40T$WPP3A3?c)7WLkQmp_VN zL(<)BG-EBCPEKl17IAR4C}Q1sgg$_^aEP%t8kQ}LDwyQV38INEQCg4@*N)4R<}SAG zJjUxH&L1}pz%TOM3blpwzW9;(RX=G7$`M0Bc?|L|b;;0}XFOXlAxBo;zEln$1YBhO zxINTr3de@s(hnIjx0fQm+^S!h*s59pTTvqWcrkxTa^HnB(ugzwVH6x`;?u-AP|tnc zq1=+ol~F_9#uaxdtR|WTPuaXi0A0>|Vc;8E1=P8TZQe6{XGioc!u(<$ID_t*Pcoys zixIE}+|v?0EAi&{?~D93ZLH%;DR!T7 zo+{tZm@uu!>I)wf8Tap6RC=w$nWYR7ciF+(ZQH2m)aJQO5*wrgjZleATfsYf0{OMw zdQ=!GdS9aheY1xNDXZ6m%n^7qDK0o5*d=oip733N#-3mHc30-PW#qoZ9$qXCx+M5< zT^rTkyS7~`U~PY#N0i18qQltJRt#ew_eXu-%eyGPxFKcRS6)FoE1_!{RSjWkCelX` zgAlfA7_efxOM~>W(m0S6xOm&_zsX9L?sA*HW(~ZfFy)q%pnk!6$x0j=`!!a%dMh%} zbED**cn1vjIy}R9?@+Aja6t#{jtaZ0%>mXmM$X|zyV$$_&>zx%C8AR?x5gTL-oOEh zxtLv-+G%W39O!=L)*kn~_h-nO@nRx~aynrW>G!JlO9fEUrUrt8MM_+cWY7tfRpd}H zw>A^@_U=N0Ib9|tfeD-I3p9axqU~K4PQ5c}rGA+J(?;^s$|VUU(_>?Ki3gu6E@;Rf ztLH1Hq0RQGvU0`^37Ba3noeO?e-1*qBP9IV4V(Cv*h~rnOi0)g_JQy8R{ViOE_G4x zxS4Je-1XTN?z#y?DnN6O7gKd+O@gGDYpAEu$+ZWbya(Y&B}|D~dkUe{W@-HPdCsCq z+7rQ1kAgy04<$|<9b3EhZgRg?OVQ$S3KVTA5n8kAc{MWb$jl1%FNYi2RJ`ScAKR}EReuS*VT)vv64FPK|WILjq1f~OBiKUCQofW7`k z=GB+WcO5&cWaOeX8ih3b{TN3HD~C4bMcW!~OP=WYedvaxP~)8o|3|VND=4MVGBHU! zRttd#)rEBQY1|Pj#hH3k+a5$TQ~gx?xShKHSjE1>n9-e0FT3} zSq5R8lZEFy>_{?6vRC*PY~w-vB=@*CF@%MkKGmA)xV;jzTYGiQMcmgGvW*$lW2#;m zC_@{|n3M|Ee$w1qw5f^ehih^5ySvhYWZ3Cpyrp{zv#vARr8xwB^B_FerlBxi` z%g`;HFhioEQr6Nclmll1lWv>;b%IR8p7WBp8K-(Zm^H8Ko;>26XK<3ik5F(quC zBLJheX#MS@nqw*OITl!|{OAS83H;8t&y>kU&YG|>a#Y-%sz>VB#uy-Xo-`R@COoH~ z9@3lM)Pl%fHmq*WQl{6@`c^m#WmV3xY?V)b3*}hQZqd7lm7dK8$A$F~*R798x1+S+ zQ3n>xXXT`!D7{`6#G$3}{;*BGBxdCXf3yRU>-p0^dVBkOI`!d=Lhek}Rgwgxvsw;> zczx0v{jS}ju>=onjAb-1P6C{iH2BMBXCC1$5fIAW8r{;RLhDi7 zX*}Mj??UW)_8bqX7@mZ`x^#a_VhD&Z-jNF2hhN$X=#OFv$pa37pWSdI zE?B&mdtx5Z!L}JG&-(=STvyX`cC%MFp6Bq}#%|cuB%jYGGj>@+GtC(f&d=|!UrRe( zG>B#BC9DQ95UKiio`ph_7B^J74y0O8f<&X6ubFAPFVdNKXUC~#^Hb+YMBD(I)-&6} z#^o>EC+L+aD3^Gg2vIcnyYgSdJEMfujL0aYjgX1iERh0dKS`d|Ir=s@a#{7v#50C} zv^sa@4?NgJ9ih8Qk?`%TOnRSfjUUwEL_=O9U(H}75BaGR5dLuQfhom-vWkq!%#Pmo zlXHV!NXV|b&mPa;qP&#YyVAyo>5>?h{FQp`+^4nU-1mvfm4-<1zhMUd5lper(a`)i zX29}4F@wJqYyTH!F!A4*!5xqyEGHjaP7Ke2MAP@JMeJ^{zT(;?7=pR(OT(|u0cK?M zSk;Rg-D)1VF7VJi(zrad(bWUSj4!W$yi??OS?1A4T^~m$+FuTz*>l-b-keL%7*mB6 zM>0uEc2chI1XsyRtpQq-*INw@b=zGZOTXtI966T?I}h(H`Ihcb9+p}Kb2F-Dp^hc9 zao#KMIX*iiMOHC@qW%jrc>Q1jG;0@6ucmM@HcOf?WXBqFNQ=GQAQgLY6XRL6;s2!! zu1FpFz8BLfQ3XIkDfX)Aa^mPb7=-uby0~Euy zdz&UP5Tc;?4`l%Ri0_lLQOK*{=5D!M1!qNHh6n9C#NhU89WC>R@5g|R@YQHYykQXs zQM5xh`p>oHU~51|51HTf0+7*@1#Vc!O=AH!8ig+~a{~bxALvOe3)(O^I zUyL^gB9Ne#LG-iRRGvWiGLkn69YI3!&tPs1zPpHpt}Hn#-b96)?VT{LAKVc7Y1Yi8 z2nhlOXz}l8p*yUCh&?u?sF_gsV1R6U=$?ujgR6>c%aU*U1^eW>aCMt&{7?83xlrJG zhU|j~N2qMt<_?k=h@v#Z+gjQ*Af@+xFt|+)?oc2X^r`lzYS4m@5P>R1tcf`NiU||r zju5l2)MD5gkZ+yeX*&Axcjsu`d0i;{YXD?W^&iN95=p`6h^Jmi)cO8q7!7kKZ{n?b$J4;<>hb)HhFJo|b zBsx;gL1YV--1!5rpXPiQ#TUQ@j?cz5G@>aeUKA8bnJflV{{BZp0m@fZw`8hu*ZkP_ zP6zxE+UKQV+%1Yn2)Ttw380>`DXnR^erB-idm9RUhW5paW3l1n{uVkCgvkr+ulJ97 zDpt^n0*=z;5vrrsYVgj_lKtm!&+u6&05RYuIy)A^FooY$ya$alT*f+i2}|SKQC7L- ztu+9WQO{JJ{H8R;63QhZo?XAKIbI9%z(&)Utq;$l(_kMBXjUs&$6g^U#j0d`ATejj z_pf1eaOxr>T;t>b5?p8T-jc9BGU8(-mEUI5<;giS|JR%F-Wp%cM!jfu7w-^gG zSltYJXd&f~iHV55^(qWfziSgX#n<|Kz<#ay!aU&=Q`NPjvtnGtk1z-7+Q?S_3&8~$gs?VtITrX=6gwy$d*3QVGO^41d7i2&@Ytm7u_RU%TQ?0fl z?juE^gBEHjn++*GuLE&k#)+SX#F`|$W;cGh@B&$Egl9E%8j2dHd%fMUk zSpuqahpRvQhsA|JluudB1--S^Ikj*^o0o)l8}kph15CQ6erR6j2#b80rqNUxX)IoR ziPSARWR$kjM5+|`3r|on@@>#sfX_q(;o>B?xh!CI>*Xse*h)rOv5F#gjgQl zt=wCy@(`$4n6O@WV?avC0fk)>e5>LYmv0g{M(-}aiOPI%W4+5GGZ@|D502p|&t?r-4N5N-8|Mp(3Z|)byq^%vj-Qoui1hX`4Om0YTq;vFj`hr zNax@PnBI=K__!++hFKA1hs1TnPUxEyv6hxJD@}>zlK+(45j?&yyWUmQ3|I^J6GdJk z2{r#mhwx)vp$)3uFCP=H)oI4|$swir-+Teat`(x6*_A!WC8VP6gkC-i)nU`jpOhk?h%g(z##rFqt6gd;ZvGhCp^n374ht+~nhrfF4S*kBZh7o$63o*$}zaQ?W6R zxFow~Fx8w%(i*LCuQsL1b`1n0hFudxyNI5s1Z6H zpUQ0J#ove+??u)N?(WB>BF&5Nuv-O-WUOW+0^t~A=-14yA@BUq_>kSeGx_|r)5Bho zBv@e4GO=CkOJPeKc!6kKRlo!oN_u?*^OkWwcJqpelh-y_04ZdRH4e~9IJcQ>?=Oyb zbrA{tC?Th8ht}L^J1=kzlkzh`j}N>y2(*qHhPGR9D>aFRJB3XZaEzOhv3ZxUFOp|1 zDJ~m|{Cn%^8|X1HYutg&&2RL#Vi_h3e)!4mG4q}biVc1E4Gjr!E5h0eI3CI`aFnZi zh_aE1C)`J7zy{+S3YK?eBev?bc`Q0?5bS|XIXa;K^mj5-FI8~&_yu2(MmWl4Q&Rxr z097lC%tAI1EGU$BkvF!fr74OhDoTK7Nv>R+%U*8=zWEYa{*i*hoE)Um3s}Wkv|IVP5SE z4G@h!=7N~4nE6OaF|7)ns{XctDZ;#iukhZo)Y zQyDyc48RMz0C>Tp)BQhqfgJ!Zc=Jw*PM0+x&({Fp1!rhT-@`V^pEIVB*IIzv zgomw(s{X+X`q5}&lK%@Y*nd-vI`hvT00i~)d3JsQ@B-SLb<@moQu2>dg1Pj4C7H4g z(&!gJ^{oYmX2&_xKX?J4TW#3>ZGS-%^#a^?X?7yX*3bW>>VAVrE~pmtDX8+5=M?OI z^!_NIGK}Ta#Q_1^CxBTLcb-J7nr#Fjn<3Ds&fX-OYWzQV!4gTT($a}K!U+H`II2>O zPX}D)1^a-ZD8=|5#+SQGjD=fY*wszQtn4rvg9B)a&uKAX6sY zxM$YheQQS&^-MTQjYgN6N+&>4?@)gURe5e4^uMj7*Z8;ku+pqE*Oy9O~7< zk5J121eNSHx=JoQQq+a=KhAq3n?N~(<3}>cVc)zDY z5`X>;7MVJsx_vCZTj$vme~S<^pTkAo-sK66Ent*N#S^$YTcW29@J>x?72(RRkF2tXX7Odd?ri_{wd=1<<^E=oNE%!@=6Eb0_efb7Ar|XXrf2%!Oa?}w&DKfzLEEmY1 ze}@X6gk5G4%0Et~{lgZ>5io5|Bn!)6ptW>1VTXL@)0v4lVah#w!PBcm+Y_&o`!V~^4T>S?l3RNDKDAZfBd|9~U#7<@V+j(T8D-DnD{SxhV6b*#&N! zXZx`rqq0vYOcfxJ70v1cy{mV)w%75FvKy9@hi0l?r)53cs4A|DkuJ*xJeeZc`SZ)fpCI7+u*tIIcm`1WG53GAI|r;MGS z6R>}pAT+0^sqM#Afxx{-a5gMHVW!{XrOE*C}}yq zf}S}RsP3NVUdb0ehym7L(ppex4|b(QG0aGp=XV<-AJYgD`{%NcKVHmsb392h?=38f zfBKnLuIjupY#Fuqak}Cisg*qYcO*$JmGjZDq@3FgG8Q%tIh#i!Dmj~ky`Zr5qfl%t zO75B@UYvM-;HJprvpk*hoa1rWg@)h|!Tu0(rj@pxr3AyfRhKMyg}9(FwM!L;a3#Py zMaITy@^C6&P?#o_Ox+@DT6yB|6dBeK4q8wiucB;ZS9!VFnpH1K%&Sh0i+BpCQ;tuc^u%vDtbMnSpa18+JNVSDlyq4*8OlsUU;0DMH7OovXa8-=*cRvvWQ#Bp=T70 zST`JAXvD8ZsUZ9NvU#8R9N2S4vd^2KyT=mqv36w>oDNKaD`5{P+0di+h45EB+s?~Z z(Wm1Ezg?IyW?IKOOyIX|;+~XG*mIc<80rQeKmX+m;)jDp9@91#X!)%h*)#pL?t_?< z(tmVbkBdhCeKuvJxb0jfV`m1*-Yb!Ilw z0iHlqF`l*l04-Zq1QPOlVsgqZ7t!G{t7u@#rpv&~@v+HD3Igi-uFWC48_bumnAoJY zM!*v)&)`Q_iS8Y*7IGyV4#DN>Xwm&Owv6ax5`1q9gy(OU%H{YeZ@C%x*D^x-yeR5iaEfY9TZ;s=g!Nd@OR~~ z5pYf9U}El~n!J-gvMWfQ-iGf!yOZ2aEW!(a!m4T5xDe*@-ytTC7^Ld&E_hIoqmX+= z|51OeDt~v4r4>0Gt8n%YK+5P|Ss4+>OP^=70|xnppTW5{wFUvSzEwQ)^@1Zk_VUAT z`yv9>Ke+n6o6B_Ub)p@rNI< zP-imQmLBF+key#Zqw_T1J9yWwxm6&{u8bhX>J0(zn&4-w?51ku_lcoMklTV?*J~XL zf}w97-}7L*Agr^nAXHpfgO^R|lcNO%XL%-4ik>IWvbSW|;fLq1hT0|4ocQaiukPkln})qboZtyuLJ9VN-yy{7;B*s9pWB`QV|eX*p9mHRLNszb zM7DK>OI1#cEY(R2FF`?riQamNXye&q+iA6 zR1hIN=>HCnBxKGaq(UmtBO;l^)r}C@@mr^H)Ni*|cL=XDuD^7xhxTA%;ZF1i6zU$ zE3@4VR&jFF{6D(MO(s~Pvc0-4`OY4Tpe&{MwPFe+p$ChexQ&HAaK zc_b!!IRS0FOnXt_cJozhbIitA5Ocq|-UgBuHIzl2ZyfOT79M=aKew3AP;1BJJcgX5 z;MHW2KdAWe=(yL6O*n6?PTRA%Qy;MoJlBNn(>#-xe1XQ||4iDcZPa_(eULWU_x>U} z3O>}4J5%%Y-9Xitu+N%h96F%U6<-Oh7G1%vV*QNlo~St`u`9A16)<&tN$Zd@J(pe~ zKM)j;A=pu-Cpgnpm+$It0^>Dj6G@~Q&`|lP-WOK=xd^+_oP>HJ@q20{?uepG$|hrO z1Qs&%o9|j}Q%b{46JEG<9HBj%7!$sN{E}hAL$U!lq`L|(%lT@}SqB}_wAV)hM2lo; z-U0|RI&3wKYLjY<=O%(ll+@dWms^v)df5O*d~%+5sC2K%pmv3IugP}(_eTh)MI=}_ z#c4nxw+Z8B^B8D&HW@Gti~u4lmBr?ioENb2;AF!>qQivOaOO9CaxqkH4y<0mvFK#`;8C=P(rb6(e+Y$I68)nwvAE){ z6m5SX94W@jVnSpx>e%=~m+sn)PtD$x2tBlyj~-CX{exuA3xxs7%fpWD=P=r)YpF)> zeYd5@lO!IZgZ@wS4EA5xWv+&Itq;o`rN$duqEGt~cTtYXNt-J>O!cpO%iu!aQKQ1d z)DeeB|42SX3A;vla66W0T_QgJK7NMjt2JxtGjXCavlX6-&cD z=SPfIM)J<>yiu&{Jco_D9+M2}iX=yddNG;9xSj-9$XYXYpbWpAre{gi4axy$~gnT63Z-|3bT(tNqA z0%6iW3Xq@Mr?MJeyuN*~xDr#Xi7l^Y!QLdcFN?m)GwFV8w@9}?;}Y%7$+eFiB0CIu zw||PaldFh?q{%yvnc#K@?MGL(Ex>%n6qBft_na41RL-Nm^Rp7ht6e7+{?Nj)OQCWi z4YIYfBPW>2fCOsOb~FgLW9>YU!pEdS5P*^j@?@4DL*sy zJM~KV+6^rJaZOO*(<{|L12&xTci+moslh8#H?Pz1-c+i=nNz{s)tW0;kFIPFtlE{? z$Ca6s1x3Q+YgxekX)Ae5*3RJp zr~q#fv!l2{>5Rn3&WQAw|oq;NsFhR$$Ar1+M_|XR`SF$ zVQw%;dIt_?-aPf*Gr+utop-&lRMMRdk+-dD#@Neml@|SQ?AWOFsZ4S&T?#HhF{}i_ zCjA|>XE9XFd6k>scd@QaIE)@$br*zeyiS4EQib|KiDiTUafP#a1}RAux-8$LMRHfD zzro;qwczl`2~Q5z98;-Bgj^11Pi}&GpBX}>=}q7`!h7=O_qMz9kQl+evYyINL1;}| zDsn%!PAP)ODxY3GiNzTp&d)cvUJ?F7BG}hy+#hY*6}ur5HzAA>zh{4Z=xU$fYtk;{ zQh<90`d}70^)i4aG5RuvM^qaQ@H-hHxay2|cl$lx!SE9|(TL zx)sk^2DRN#aM9J_*@Dfr+zhiTmq_-w__}d6^K48t*=y{qvifyk&YPe=r+0Gpv3y#D z2hDhloR053raa`dE#D13`eI{l`acL~5-=$Wog%LB_r9Ao?BRg)=lCH?R zCt;G^@cc7E9OcYkADZU9iO=Nux&0V}iZX@&{myTTV|rH~0VsO3aCG_nGnkyY{@P&! z=riud8_Pu2OzMdRD}3D0kiwU@2eU{{ZO@y2i7g!QEWob z<@irwm}*lmd{E;Mn{7$uk(WKUJMU$?&AdA_Fav|R7r>=`>>_;ZN&k3%QGUfs`K zUpgm=|J!)+KVl|k+W$}2L`y^aKjw?HG=JMb|IY!V#(#3m0AZ8jzl2Q>`q0mfkKX{o zro;{_v{XbED#8%jX~qlZek!Ec=J_(%wXu}Gr7&AlDhw5h!}A3wF7yvQf4yMJ@U0d2?muj1XU-A{0dtL8K1Bv%(jkU>3%^SoH z8%pz9V__PbmG28V$<|)8Z2)1@6BC|Qxye0Cer+(9CHnW7+l{HQ>`xophQ||q|Fr@2gpX%SSz-h7f1?d0uUc&hXObXl81&U0I`*R_}1iq_ylas#t*unJMfs!`4$C8^h zJ=vsV&>KVARmaa&G?!whd#Sk>)M3|C%-{uB|0L~_0n7Ke&#zhSO z*RTw{#X!yaeISMgvz2k2Z}gim#o_Kk#RQr$v{w-Y6sHr?F%IYQ+N^x20{gFdW!N*t zA3N8y5Z-{7&e72#K~sWYO;*GgiF{ox^7_d!(Jh7c_W*0-y~Du+0o7} z?ONzb92l#U9j9g+j6~-12k{|V8RC(R<$)|55KT%dswr`oL6FuYc5I3O3Sg!4xSOLQvm0FX3H z0c(lB0LnWqRxFPHm`IL&bOn99J{t~-26~JQF9o=fuP=wW-_l-q`j5;SW1SN1NJ3+7 z5o(Gho;-lJiGs2Ikc%rp1CU_u@nY-ii$}BB!1m!W2#m~u4aBc?5@O@dQmO2RqcW+7 z$`oPxa1CmNfjH(JISU*f{wr?!f+ms+4o6))+op)x_?b--gG7@(80Q?vqW^8yZ2kax z@YGbA0xoeDjLJp7;g4oJ=>5eJm(70l=^{rY7zkvOtDL9>Sb5Y|K9hxxP615hcohxA zs}1dTne{ss%`dw((VB9@$9(JH#0s}(aNzAbh=d<8(bYL)Ashl(9Sm zA97g)@=oE=&cZ5mIn(w6TXd$L9Y}^!3@iD8Q;;ACQzP+4%y-$2l&OO(zXhN_eNQ(N zC;Y`N@*v15zEfxsy9R2<)mIIp;`Zfg$}yH6*D=G2t{~UE;rrfOKEu8VN`CEU9^+tG zi^e9T)J&H;|63OkbSd1Yq|Y0{hu6nI1_zOHcX}vk-bDb0ZX)E_pqmyqwdsd{N5Mz9 zg^HfVreMOW5$}}+kP`t9PpfrLq5t?Qwc4hZ;-HoB92F1qDo$t+jNC~%N3n>NF=k_l zY`?{{pe&ZP3UK;49gg}Q<<{9Rx_IPdK3@r>A)y_K?#no<=-n(UM2rY7p};=|)4pg9 zoYfP0@>Wl~6kwVAP;g{{L54GIQd5UD!nIW4m23L@15fw;AkCE3J|g*rw0t-2vfnbn z$oL6+BAI^?GUT>U3o74HAu!+2ANQIpgO0#S@EZf-OVrl*<4DG+Bejq=1tP3uh~8lt zC)8p43Pm^xF}#g_i#F-g$3{Zu=Efimq^7A8&QUVoTfrwPPJM+iYxBEzvt&rK^omA` zWO)^S2n1R~3tq^|B5T5gk+<5w>CSn@qUZwM-V)1~gF7&J7%BuylFC3A$Rej`9Y~KU zM()*vr#6hYvMn#nmp!AUMvQ-YFd~SuB5$!z_g|T4%r#}_&7?Ivrd$| zLcC@WZ)rES@I0uBB8RvWZH?F~1}FpNMFq8kl`sBzK+9RLBe7n(!d4t~*?!)HGhJsw zp&%>*98#&1f}%Om<`7nUjWT>wU<%qd?MOlWfGeCm+wmAniklbgcGF1wMIz5gDN=7ZKbBL+ZUO#n7GN}0jxlL(3eV!k=G4RV{6ha*aQwV)I$6y3SekOEm~U086d9( zZ-OwzN|wz;DKYB_>7tjn9Gs#1t8ZF$oog%HmwZ%Blrw zvS3hm)vI2-iwi#{qY_MF*ct^py0u&q+igEL1-ygu;oue08}m(#-#~zl4qHBz#x=TE zT&Ra#sVo_DUAcJ0Snq$B<&2ZYXefB6D^yZwpJRK({4-&+6wJuQ6gXK2Ty@>6)A&>+ zxvN###h8Bk!bRH1xA19YS1Gk~%OA-<4P8()krZ9_1a;$z#DGWcOcbc&Aan9a z9!fGe$VppF|Lg4iWV*mKdFbx}q3;QegFZ>Y!k00rgJ87CFu5M!t0L!vO0g)jng$FQ zd3Ukmgnr_gS+~OqGDw*~?nC$@|B#$4 zrEWaQLAm53W;f%r*AA;Z)MQxa5JVMfj^NdFneJt_D}YQb&>Ef17udi(D3N&oZCAvd zm@%4w_#i{L0YHTS`Q_i~3((4zdKhV`Dsu`#Cd<^|if(%Wm4pt<)FvL__xyOM!3z0a zVI{`2;ZwZAcu{`sJLlDFy6c6nZ?w7O_2KCOXDFuLdo2-@1b%a{jt61|!YAJdVhQEk zx&<>9@z#1Um3%v<6DSb$OpR3^U(LiIeZ?`pn`pLBEC8+=r)la^)?|C8#kaqw7;3fR z3{Z0-6hz9c1^5l0b9&IC6Qh^5@R!(#A2|qz)x%9TqBjbIN&b1yL^u zELNRq@_P{kIZ4qOtQq}bgP7NaMv3QXVDiWx_QpLnYE}Drn4lZ20cRPl^jIR27NZz+ z3D>V(^bo43#|Q%O2M0zOT!A95NU@qU`~5Fkmg8=bCm(G>JmC&Mj~*}T>;zo zpO=lyo5rD|>x3}+(XtBlUh*M*COtaWKML4bzw0w>VSxzty> z14Rr^!KlkukVLbz$v7D$`ZNk|K?p0rQ8YP)W1I*fK;^4ntZwsO{GDdCpt5lMx($gs z5foaeAMr%>>@m>S$faZMh?yq_C4X@X!@m>7uZ()w?Bu9Ad zu826rNL1=Q?`AL?PPhbOOGw|JeXkj-HM!5pl_E1L8!&1Eg;6^V8=1!p>>Rb9=lOj6 zC3;BVL6rM@mr3O1NZlHW)374-gA05tXY<+THq6C*QbQm*_{vMHYBOS6lHJ;^sXpD! z-ieTmr^TYT#X;$RjDNvz~yW+v67FDO{z%7be&INGu!P}pIlW#WpX7DekQJLJqI z{-t%Huy<4$@G$0BgsGf_eD-Y`Pi-A^EwHn_Wz5l~b`; zQ~37yF!{wZbbl(NGGfOOJC{US1~ef4Q?V%*pn*kKaM{8W*fJh*mAI8;AH*rqu~gR5 zIg&I!1pi9Elwgy+O;ID#-Cc{)-ki@H68HpcNbAtdiQZyA8sA!|H%W2iRC-D9H5fHv zbbz^uNUv4$xRq02p8WY)qd|d}fwk=qGwlhKhF$6pQhwSYuD~lHhTKwW|Npv`tNUP2 zb~?%J%lo7I!v;)$8I%&5U5mx`GZ15#~wSw zn87Wm1CH#GXSXgNKpakEf>o?8un_P7n1?>1u|@`;R;J?46buA(qIhP{BxbC)qo)0mMLtJSBL+JYPGNf@v8!3f))FR` z;ETfqnSesDzwnDgp%Q7xu(9ADZxco&4nfVRQCWy3v!1i$*gxK;=@#c#|$J3<#2~6=4_GDb{*3SbEW`OKmimaVL76RQkh-R zrB=GZ>M&xyB9u(vYJx<=Z%?+ITKrAaHNekAsb<80kFVNs?X=Y?z}gf6^ViyRe3M%E zk~bbvYYMjV*V@!RI=&*g=dbFKEFIg&WdX~Fns73cpTg4Es86cd~O528^gXV4>*4n;l zd%Q)Mo)6`fyP}4MOXornXf&HOe#=6pGMHP=y_u5D5P|W>3Qx$VyD286`pE59NJ6@F zY01vyl|_oQ!p!*%J8*I#G~!z?lJ9gmUSZJ zX?iKfG0V4h=Gl+hu_GS<&al<+0obZp_T*=Nn0jBYk3Dk~1#iB`(#Pr(6cT_`5XkaA z-T*GiBU9I%X%s5P6O)kArT&bgBhX0M2&VC(3|wan$;O%yFR^P2R%+|K&>^23O)m zysyRV!uA2Pa+Nska-IxEnW@5|`R{yf=>nRmTmy#-i zGhp2({2YvoCHGtSGD!>j^a^;+gXzJGXIpW>JrtUCiXALy=!T)^&4w!MNIQ}W6}&Y_ z?i+Pyl=C^A`&!i}dFSP)-SU9T{J~iE>x}MEzbpxMn^QM|TL>!HuQpo56LpLy*o0{3 zV>%ma{Q@#gv?9>>ZW-^Cow}KCuQumEgZVOB7T#12X)R&HNOW&fkisx+)FF2qJ6MyI zG=2KxH;&LBZz9lq{C(TU5bRzghMI)KehX4Hu6$gB%nVA44fsOq6e7njHB#MGaYmWl z=;0LASI+2T&}~!}@0g3otGoSOFnG?44%It(_LFe?oSw5Vn?0Qz|BteF3a=z;8*Mus zyJI`)bgUKIwr$%^I<{@wcG9tJ+qRRvz90K)pNn(5bWzVUYp$xd#u$iwch)X2u!7Wk zOq-W$Hch}gj=U^GH-aO|-}9PE=XFEz9)=%#tQGagj_{>?_4Hp^tCvzk!{?c6P_)O+ z!Pot2(n@7ejB~491OKM^r(D$e8G;9fRT5^p_iT)#6EG3lB1JAPh4Tq9838kl#tnMAX25x63N%!9!{u zeU^{1m@L?)Pi@VPsANj9?wsH2Y=}!UV#$}I-Xh$5oknLzb^v{uVS>7L0dk=_0bz1@ zcob`3H8^ishxJQVi~N=6`m*4#GNmztSLZqwkYMQhY1tuVEG%_l`q^R8Mk_qximIYr zaQkXe_`DHo^G`ikw4vgppr@kb*OB%=m!TCIl8_z09@kkxXU=xxk$&?ho5ibu!EgsB z9im>S_f6$Hl1s@OPG_~E&~(69jAv!PWxkSL}P*ULB%M(dQE^hb(nYZ zfbDNspVFGO^{~{%da|*s#*5o6q%k6K&-U+}@)JsS%^sp4_jr4u7xuQpL%;GpjCUdf za78ApB*m&)8=Gq8Nu-Bw{yvJZ296-6N3Pbwc?qe5sGs2>Q-CV2r+j&RB zh~0dbsT`M195x0zwJ5ACu8SK|RBGBprrTRj6*a@rr*t7S8H6p-m^#+$Z&gOG(hXJ% z_UZF>D=saIXa7<9h&&_r4LxLjW1{j3<#lV)jbGqgUJHQFfIan%m$>+o3;d5%^CnJtc3&slA5lcsWRwC+&u!tbuc z9^-IY&yHErM=bF z^s+EW=j!IhQS&ErE(f?RS%vd|;_sbV(;y%j=^67~hVuI;8O`f4rwgnM4wJ*uW+v#T zyU=xk1;ukcxU`vU>+hzU#nhHG(*rHCGPaFR^wv=AeXcFgC@S~S8dmxjtHRNreubaU zv(vVQW{s=-dww;&+c&$b#_*@O)fNYws?2LH>pRCSd^y|dSUu=$ckGEL^4a?px{M^{ zBDc+|h|PC%a&ej*>c_iZntRXlWh;_N*HSP6>#?r~q?YBTpca+Y1a!`R^Vd^95t%wU z00p9(_>|huE29m*_bVqa=D?BTsdrKURQtjHJMUzmorQ}STbaoYUXKEu8*CWY*Q@qHgI;%rWErslt9VQhU}%dFt!Z` z#di6(ylj+u?Fa5l<7tqD?JN|xL?Upr+<9|2Yee}47b(WhynCHd6+qOHaak@l2o?*Z z94-;{$sr>p{T;r~{7G0#?{yKY=2s)s{S%--Rehpu#M1z6TJ*n7A>dp(l6O=R9t1&B zy`~H&|MpNhw?;7N#-tXvB(k!#dWUprd2hQao*|fw;YOa`_945k^wm}&nrj(HznLmm zvZ(!Yb(rxl!2gKT3U{CIpX`tSEu*wE2qlv8(uf<3^pG$QQZ~W`i_iT5vMU(Il#K&w zs#g1FBuVhS7nY=eQu)AM?5Oa7nrP1`d{sN)UseK(=rX~^tzF8su19iWq1d1I=d?v# zF}%%qc8%XM#A;@HNf`s z9Pn^K7-`LEH`B)F3;z=>+*u$Wa;l%Px+Qm5^u`DyjyaT}={tdCGkR@+w>u!+BPSj; z9^4#!YjfP7RPzGWFQaG(GrqKnRUqR~c0XISF{@15U}uyS6_|})tuqjw4W#+EL+L!< z$){#<@e12|YgQ$t)(vydPb#O-%BQKRtYoX%crn|jcU`|HPP&h9qXSv6N0#&;L2Iny zJvYFX=>`d7deN{voHQEY?RT-uVa(kI0(ofVRh7G?M438L>cP&|JvPF(l3>TP(t{nT7RcX z+6x6V>$=RFJc)jrZ7F|T4uyGgQPD}HLcPTuo0>8dp(k3Yl{}6+592jg!V;^m7%GdO zy0uzz2?LJJ{z0n<7Hh#-*f&EssRp%q0m!#B!n8J8R4StV+OJAWa>i(i`s<2$SmG{j zORzCX?8Qu5W=~arVUu9Xiuy=v&JHpy4ZM=mB)D)>vJD9z9)38t54V5K1zI%6H2wG@ zJgL#X0F+R0VUO+W)0WX(qnQy8ifvrgN>V>AA5K+%ofysrgte(7O;iogLtkIGeNWZU zP8fVk_jJtUOoh_rWq6xhJx+dToX)dq75|)mCQsi%#Nh7<3z%2zv#s~TETJiRna^4` z>tv>FRClwVOeZT>k0tY>h1?w*P3*KkdM0*_f0@y9P%`y7v#C@b(xrnP6w=_dsoht= z{(`G!!mz8E(dB{Qk`uh<@>xnN17`^)7Ug5_nrXVaeHZ%JyZX#@7=r#NUHE2sgYM}< zdt={vxg_HL=lXe@<>SqfwZC)F35M5?mp5Z|?E7DBMIZ3XAp$iHO+&4bjxE5e{p8c1 zR@z6$UNT;vQx{iK&!wB;OJ9&*D%9Ekj}hyC4^ICRS7Ze+vix6!lYt)a|Cq7MS-F1AC&7JR}XX%^m zuXkh(cN)$0b;~Uq*mfIHfX+G+aNuB!IupXc+gcUP^}U5o>J1MvjMl_0-Q)}*5Ms|u z>-#!S_Q11Pg3tm!c|~;>saoWOThSW%UI%5*i6$;@4f!^Z3yDxVq}BEdn_3CJs83+A z>k%l4cG#vp*2o-lNWC{gQiXn+eQxaic7(eB*5}~^8Ns#pl{PUDvM5KpCAFtZ=z<~y zPFQ~}&gybT<0PzyYd|UPlnsR@;1o#zdeMb*eJG18rDift;+lh26|&k-t!tViRe^hS zE>(*hfLpl#D`x*|Au}tMGJEdhJABGmD9HqyJ_@(h=9w=w8epvPH*~K2p7duai?hSQ zDlTd&k)OpLGr}YqyWk#dhsP+m`4w~dJb@n+52$Inr*H|AwpcA@W)WBVrfe)@v~e|V z0W6V>_o`ORsiF_Sn-&Of^3%WIpFT9L9`H;iZVsarNa#0crvr;wJ56N?Mg@x8 zS#U3KKN-M&^WzOf%JC7jbppt4ww!K&(f};Os;)m8tqC*{skK1kgb$iQJI54} zT^+DQ`7GTLIATc!z!>RYK@?0N6g|$ggTS15xLRTK_Vd-DDj@_tpZq83_l|l|FPMH@ zEi8mu_MBOR~hoV)i=7TATQekE0B1Tm}X zrB?k>VVXIBZ&HM)aYJOYTH=nEx;_m=H}xN_g|ZQ$8LvVw;ujEAvxX8_tuXa2-~;+= zpu>Pq0_<4O+=BcK_O)PvLUfSR)E%@3l*pTbS{q^3Y}^9`H17VjV9K0~Y= zUQiT}+|&Zd0?ADh$?btr$e-(epw9#;L>gO>nORe#M#(@o^ks@p);7=$Esw4dU_hnF zJX2PmpHy}s6VwjXs)K5j@kI^-0j3fBQFlY^&l_#fTVNxnPLiznci}JY7XDwi!Iui_ z0R!YM>8!V-UZdt8|4~D41J%&{XxFNA1T`l6wUTD6g^>TFhE~pTBx{j`^8~d1ml|3y z!fj_p`^XRn2yV{j!K|87!2Ne)5yU42&U5L(NfX#u#AS{~&P9R6G||^&F7Cr;R{yE( zBqWrQ|L^XEZJKKmMKqc=rh45GmHBxh09s<*4kWBt4A@wVIr~uz$u4Np&mVybEoi=L zd~&wND4F03p$*1wRr^T~km{I17PcNOr7%xnug8`!8X>ia@Cx?dPg!&@nMdS_-8B!& z-)$z;YakwNqU!7TbE&@B`mdB|Gcj4`GrAb_u3-l_RyE2#T1cEZF)I%)&PNxu_jOSE z53Gfx9VoaKNjGaDB_yv&`8)>HE2@&Yt|ST!6Q*nNpA>w$x3x=V;>XS4!>4d!&8lD2 z6IxMa0`zyr(%v_c<7 zl-!D-`-i8?Xh|H79pE7u%_ z%r~N`cb6J>B1hA%Zjz>eBg?1gg7Vga*Xb;du+xm)+=n?E|LNQTOf1SQ?ji%N&?ceP zx=tJ1c<460(?-jFL?Y7mE#SS@*T+zOz{FxxcocH0+O`Pix2(qdb-Y-bNQI*A9qb;^ z3axz?Q~l)Q=3|J4Y08Vn2f-}qGYoUu&^l8u_XDQtt9@_^Wt@YK@<}Z8IvH8LBK;w}9FM0>jlv0JUI}Ig-3lk&NUYP? z+6;b!J0sUduM;7suw*Fw+Ltnl|#biR$`zmG^VmH<&!>wtg5iW zYyT)=!sL{B2x)f%=^O%FfQgx}#2LT;Oa^h0MCKd)r?1G6McpS@jw|{;L=Jp%`Cu%8QTgGkJ&vWm}EHn&A5X4LX?=9Zkl;j8G7xQEDK+Tgyq zc_N8aazMKwf=m0vl~Gh?gr#}()qkYW|Mw7+vr^H@H)D|TjjMnXx%&`;^0#dIg z$l1L6^&3XQ3^5J2iB7(7(@r<=3|++Gc>~1O6gHsp7)-F7ZGg~bv`ggY1ubd)Lb|qj z^fxsfYr%+^eYW=7|JD`Z7;x>n9L`$Lzz-N%T6z1Pd;j2~WE7uYl0z zABSP&ML~>9B>&PPI?W?!gax{XEi#251%JytS?}Bj(02OIy4(ulDWDTN5R!0L8X4-* z4;htQeJ`PS=E4ObYd*=n?OZwgGxVqLdBQ}wv3rV8v&Jm)E19Leqvo&LH{9L20y74+ zc;4&e(riShnJ<^!*E}dil{i`d_M3QIg+>-&U9o30&~ytK-MWwX_82OnXHTZN{6Ea5 zmwb4Zdm6g;#XWc&Vu9qNxD^gJ9;&N~y~Ai)ixTH8CA|0qDwS48mNyI6JRn~)bz0UAwiPh&D~o$0@q$Uk zb08Tn?|CYVXJN!tuMLr{36g$918!iwIQio`*6Gx!6$G+0#JzQ>v;v$}Qd3R^I687KT(Dpkf`P^4ed=ant zhab*`P1I%alJsHA2FqzpYICOPlE@*|;X=U|=Uaoowj%n6a*&|ojVxiOhgm(D3`0gI znh^L}^&VnJc`2~1SihOKPkjUHr%hG7?q9vGIH1KaylkV2CgoUP@kI7JCYMZ=W(F(W z^K$-RJv0w+?*QCO|9dqDa#E|sJZUdhHE?NAHS4kdpt&(eGF&5yAJ&%M$lG}-+sqU` z%+DXivpyuSYQTFxE@F+bna>95^+v@$zOr>}O+ znk|Zkq@s!YJvQf_KjDH` zguL01^B1p1VCf4vwOv~GNfPIGSa#7ap2%sq(I{8sUlhKgYJ&mabQPYd(g8x7Ast%J z;7$0$fr6xQoZ5JC`z9_-5fVZV<;0u7eJMN7#1*^ilsRU`KtLe%(Hx9Z)_J=b0#!_7 z1J9uaSXOM>V5SO3M7jW$6%(T7fn~)LR9>}c3h90BO;v2|!@vI=>ZzW~t67{~WR5L% zw{#CVRr3Z7vQP|^H0S2p0$gj74>;K6h22U2jA;0asXXuHjZ53}n2pmid_)1M%~$rh zQrs(a`-`ay{gp>W%&Rvkb1rE3SC?pw__>ar+1=M$kr3X)K^(l|R}s;kizs3en!Z}P zATioW^fzILp`7?OPVJEDmFdkBx4@4V5!00ntqc@A-xXU_0Ro4D0s=RTr8rxsAzD@r zl9S8D5HU$t4#BMhk)l@_(^gj{D{Uu2?W}=j#uUfrEAJEW3?pQxho264b-2Yt4qoko zm!U?wxa0a3xCn~j9o876j}b!ySqi6o&vf<4pWwffjsT^JQcg9e zZRvoKCs?vvX@)#lTG2g&AdULDyNHy)&Wm&V+`|gbJjna{2CDH9*h}7P!?sr8En=g> zL(O&IIa{95oyvo62r)-AOZO;pgl0>!*ai2(DYDkpgz}Wo zdoFfq`f}tFBd76)T57-ROIl)mSDCo}*nXyT{amaq>**4*A%@t$G=B2-g#{g&9M-+L ztyw{I{|W}}=~gy>54P6*jD3+@0SWnGP1N1>FZJe$VEg;1)yL-|@*9hX74gQ|aT#cP8hX6LJG^1bZaeX$Np+PfZ1 zFw!}reABa;Mufppnv({y0C#D+K>c8T)|FnWi&+fxLUW$H9nxg2?}Ee2FMhAB3ktS| z@iGeqIla#O3hL?PI{DG=`<=rCxu;vQlLEy>2)4i>gC@ZTn~Xp?1qYsu=@X_~48nNC zH1o$!CIcefddBjNc5S!ll4GmA@Od?SgAL<1%!+vjfV;#9FTk5}?jy8)P>87~v6bat zDB%O4xX##&487t9a!=p{+*y{tdLtMui~U7Ky$`~UgkWu#dow2$RsPaYv7Wj>KED~m zO8|9L1~gg;!6K>Dl~Nvp3708F{N1NKf<8v5+;AmrEJu}Lt@b%t0+c&Bk$KeCEeJ1p z&p+WL`37BLKRHpgqs%7W#$zFL+B2LZvlwEnLJE3D2HF<`WZb06O<$`Qg%vhY?E5#q(R2TDa-)@Vt7cAx7IYef- zgA{!FFo2kJC$^w$#ZIZ*tWT{8Byes6GD!}5Oa{`se#^~`)9Ocu`H_(KX-JLZuF4PS;Ji41{T$slMU7o^#e#L5XHo4AT|8XM7d&SZpc94-rSDVeF5Bt+BX0{Zaajm+8G zX4idL@ZfV2XpNqW{XwJ+*^jgSw=)%LW$-t6$n$sXx3a^9Y(hXmg?1s3_>F4&y}g~vep`p zpZoVXR7H<^-%9pjBp16ST@p}n3f6BrUxTap)it9}Z@Q^{t{`8oPqP+sXz`Ctp7dIB zokp82BV-N^W?hQkC(qPYD@PaWBiuvGP+FO) zIBnWV^em5x$ZgIXjujRg^F&#p!`6}mFga&{7my_!vJyjm)Go;hT0O2UIu6Y`CLH_K zqvv*R3xd^dGd}IQxKF7GvvT1X^gD1%&oQspj&!U2n|MKzf6vBusgzl#zQxM|RTO1g zIT<=FiO5VB%^P)!e2>cetRb@=GQFu4tB{sE;B=A6ao`(zCi%=ID|mJP@KmFg+c9J^#|I>P7UJwSz=_xQMP7Lsh~!zK++6f3vo+r|2%40&@QlNKf`-gF6G^jPFVk4 zuI=Bstxat2z7*YI%w-i|L&whU(bf>c7PbyZQ7k}tChzNu4)obqqh&3uw&&2(ufT7( zs{{8b0ZVCoP@C_pP`$vOMi50t9j8#O9AxBvj`Z3%Jxx7vnLV)Xv>~MHg~_C@J5mkw zK6n{gDA)T6>BaCxuzE&=pX-uL(PJQk!B*%l zz%}KZnO)*{aqC<|+XWQec=BKKnIc$CR%t%|Y6Y*E`stgzowj1nPR_GnU1uGPGw`p! z9oHAto<3>@FFdqufJnIQ;`NV{kdUeLR9*6AhN-t7vaIRzVR)m{!tSZZM#wjHIaNA8 zFINHIT^TzI#C;^Xd5Xy{O&_f%mo|ito#(CF@M%^D7T6^BWptz;LI#gPxEtK{CNIUV z+6-s*t)a_*j~y9Q)`{#_+JX>EtvcY)z``OH zefM?naO-}e;pMt+9~a&9)$VdqiO!=VmyylUArid4DA&11*M;$ogT1G#_K5Fyabzkp>Vk1pC|VmG^HL#@*IYU}%|WwsCNvdFW=(Xx8IzwRH{+`*74YYRB0HP7IQ z??tA`vm}3iBbsGKu#U5%(`kcr4u;34?Yt7GVw8knzX;0zgc4lyrI!{MA1zxBVpTksdXg+b&ED|Y&1SM z?8y2c8+n<5wCOj^=`rntixag#eZA_ia2pO6FzXF;6 z^9cq*MmAO!HXa@rM<)kkeQOxE%*8HPH>Jfz`p)I8;|Xs@QxnDnDI2DQQSaYOg1?`Q z;z3FK1EHW}`H-Q+2~}y^Alpj8zytsOrW8g(Z8RIi;g_$|5!2MIs#4LhygaX96l zO6pr*ep4nJ?Ridv25b8KI{yATe$DY6nOIF}TJEmuT3WNL@y5I$un@!sL_#4i+gP1? zU!U`KMf~!BC8Dp~1ekR+?tBShcmMsx((>$LC3Wxpq8d2D`z!t)52v|N6kK;LJT@I& z{Z`&oQ}P_o8Ihc*@rWcnc3m7LT51!hg0m)#B6qgI-SA@bYngZB8BFWSGqoPCzgU9` z)L@dOd2Sw8K?+<$1=yV1tga;A^Bx#t%L@+CcePdc zY6$Fmn!Wo7&;R{0B!Gt>Q^Q4xP8mg$NYW^Xnt}ERV3;$C4sRY97#bv3vwjj1RdA57 z(C`SJPda^aJ2rZ)cXYVFgN2C*|0FBg+i<@h9|MK;M}wuZ<@@&ixUs#p&C7Vj8wqR{ z>sj`06+jKM5i)yYLhpFuY})(YRQV$iGk=2SgpAigYl+w%^u^<@y{7(v@(_s15qb53 zVWtawELsq9hREriH%K$Yrob(F{;kG4-TVyQiJ!f;SIE|fmGT9z zGwezvMt-DY7WUzpzNpjs#rDLe6V-WNHv#WNr7`8{_K#DZJj`}vbiYJndT}sMg*?vL zE5sZUAQ+!t^OUmlZP!)m8*xtO6~y{gC;XW3Ou)NAf(t^o9Kxgkas|J zUE_eRmXca*PD%#T@VUKd`<#Med;)Hmi=|Vc&Wy0xB4v>P?LNCdNZS~mpUJwL#64Te z9ux$V`o^pPiiQapAZFc6VaFrYUb6wrqyt}}F!pl$FREbdp0e04tHDyXd1ETqm7#4~ z$CW9*{&)`T?t%$S;o!wX3a@4kSxy8iL5E|UL_0V zuhFm8A^$uxLqZLRbYj{2oD`sP@KScIUf1wAx+i(qU71wxWVPqo0RIH zTVR3In7}<*;(q<>z5{eoRRlBMWkZ&ObmRpuNiOrGjC4gold=3o>a zAT<2~^7Y-u@D3+;d!(~wQT=Gd3f64@)}nHS&wnWaL%T0N(rf zqStPPhFgoTMw67+8Y<*y&=@!|nY_{I%fXUSo@3)`lg)Q=NA+?jn6$(3?HF;kZ+&G} znimZ`iBV_cn6>UaMHPv6aqUY__Lh!TRNCg3&FyOMt!lF5ty}WTD$`I=(QgO-gpl~K`|1!Be?L^bX?x_~^+8U`&7_Ez-Mvobjz_pP?{+dlz zjU*B2Gw9|~(fG9D=KM+Hgfx#vQ*|7tm_M@QK(5(L5*@yTG+f_q0G;j-n_<{e-ws!b zOlf&!-2R6t!*vYAGdUAkf4V-n9Rs{v;j*mE69P1Qo2%wa33;-@b5_JSC^1}}Qql+s zCxTu|(p-qBcewixF@XBeLBStY*ApT(u{c#6wDAcJp$MAEJhj+94mOabHIFFR)OOFtZ%)t>IulUzE-9D+ndaHGfA*Lv${$Wn8J+f$= z!uT&1qqe4Kpu_NX0aIG-KxyPx<6V;yXfnw&1z+}_=|Se6!4d`5xBM*=*gPSJuo~lZ zd`{eWqH1^!Nb=SE`s1ieR~OuRar{nqnN0Un1^HNOOPX0R$IrblDQ8-ydJswL%#c6fBl~RHvO% zJ^1sc(xx*Njl^qV1*1Pc6XOv)Dk{pcGb*Z7{*BKF%w@*Lh)fR!ehdZ5s6-5!Y$f$_ zXqWK$IGt1XD$@(TAdjj4{_=kPXn9NJIQ#894ph-p-)2&8rrBt!9B)xkR4>;+(;I!G z?rZBeMh{7oiKw8wX_amXrBy4^^tmn*^YoQ2&+FO8;-I~vmXkeIRzR1M;+>*&(q!-7 zQnI@rcwBz>4nnmgRX} z1h2k1Ulx3*Gk9a7P1lUvlVjANYsbMo$89Cj*Zx^eW}V1EnK-rrp3jUwv`56_%!Wl% zd&Yk)oh8PdBB7ve83`SoE6`hTc3`xnVvYWC26aF2G1GSQw_)1RI=G$-<8*&c;WA~0-Jfm=l!XE~B;x=G` zmLg;uc9H*imp>k=m<#)1jGuE{=D^UqU%>Tn*UzL()^DSRNZz;4WaqypA&-Af!0VbdICrp_aY1k znJS8imHI`Dv>-tNvxtSdI)f8TA1)#LPs}K2mo+TiW}JG*lLfiA2!~d2nb2R7b_j;x zjTxlm=W$iG-%wW@E?lsnnGlh?;!;rAAJeVzM|a>jR0;~{)rb?8=vA_=EPSLw`y0W` zlqKYX(A(c@so2yml**%9nV2V++)KO8u3YWzJ15vB9iQ*W-1S`_`0ZPjr9x6DQaUIs zX&2a3Bon`sb%1vgsA9<`%@8yI5d75%W|a%i%?Y>dz{TK^QxX@4VQp7V=a=e5X0!xI zdvLA)&5IED!_)~~1tWES0m4>bG`tg2A-+{lM_)-vUYy@(bS&SE-97O5e)&q9aa4-9 zH15vd_Xbj);;n1NyB2IrVrQ0kB@34G_+OW~T_1vlXXU0juhsF{zU;uhx5o;3NB|}q zZrJUVfZ0?KEsE8gpok#H{_(yD{S=-G%YPJNX+kcb^)M>45(g>;d>t*Tt;23Pai~~C z?-LKkvw{gW6W!eJTUH9G@IzKx^9u1qq(= zZ`Oqu!FS%|p9!S?F)%+xAoZh3kbVNDzQhcAlM~ZZ_)Lm<7blMcvE&msqzh+_jN<<} ze*YnOzu8$xQT$GOG7#Eb>sYtEwxauU>08@&G88rG*GOhq^SJ%gzbhp#t$&*AZ9lgC#v(dB3hyXHE zx(wcC$7V0uPSyc8%G{s(=+eY$$!t;x>JM507opCMb?1nqgAW_FQ@w?B8H|!d7DJ=I z#I_074{WTUS1*i$ddx5)Q<52^OUsJ{6*&Y$74O>3bgcU!tkb5~Z~ObH%t_wQ zvKoMiOs7EAC#TPIbI<2x^XS@O5lotq5+B`cj^<2AB4md!4twYfW*>36$Ucz)f#C3; zhF?trzk2lpxiEV7;Tq&9TXo(>LkJXbMN3B(1HrRjTph<^3B2wU%X^u=!9tGo%r3cgCZ14yxCp2 za}uPI2!~ncRj?@aJ)w;0+tXVJDa=ifD`l1#SHf|Y}nPhRA*z|$P9FJvA zcx71aw$eF-f`K6`f(hqf`GKz6dNZx&I{m}e?fG5LtIO2j)KAwcxht;3-kv_3b7W( z+(Z;2(@)llb&FH$ph41LGH_QJ*ru}$j{)b|SUNWjkJ=iS^))p?RK)sWReqOBdp1Obb#oa8pk8?$D<*4chMbfg+H9>i zkgUSUpu}c9U?$j-Q)+)Tn%4b#(r_4j`?oQrS57jcp1oK{4f%a^SjOAkxrTpI6|SwW z$>U(tW12_T{85~6&Khl-!Rq{Ruow44?0UI02CjMT9p?9FCL&7cTf`y2xb{LUQ3zuY zuZ1Ut5V{Bzoo~(oUDhu)_m8g70i`TgGH6#RHqkzVA)FH451NLsD)-TX&Wz5|J!pxz zq8UacE7=@bok$@T06k{%{??!Vid!>ZopZ`)Ot)-~;dEX|4lcjiRAeA3ymlJv?+5*x zflP849NVT!d{9=kDg!4&-Sa+vlyjthVC+?g{hIPm_`^ml%C&~GD)6fdtnJ%`yanEp zMVXGH=pfBPy=z8llK;?aHPHMFmFlVHPiX@z5Teg8E37-L7hJZ6R;?KPrDrQJRWcQ| zay#IIa?O(SQ2_ih&je1(`qCjH?K)UtDQ}p(rspcx9jo&glc7Wd0oCiSVvdtRhh2r- zehexX8Vj9*&z<$H`+Vb1rXKb2M@!BR7}cE(f(zZ4v)fIjf{}w^QKD}W9IR$X+l}pd zuU)pbTQ30_mfrH}R4hrtfXaJkTJPf%5UO2h#1C0~GN?f*qB&3*%*O9B3Z>j+MraQsfI(0P|QI z6M?kM?_cL65Bv%KclfoWcoKb{ z2|Qwbg%b#jAyG$c3yEl&(mM=z%)1OIsT=*`O9wU`lf_p&B|nGK4I$>{0t@*&q%bk% zwu^`GEa-KOL8J&0U9uxrXVp#f9ZmQiz^B-^fEVfAK10x{4kUG8s0!eMUVkUHU`Fsn zI!0wkhoaluZj)1*AGzjudH39%HQY7nXL<&b_}Sf$;2j1=5wp17e zZhmbA-OBA&3veB*ANC7oYvXejZWaw{CWyx0N_={7M~g#p1ZHe>Y^Kgx3sV+49cvr` z)IF%#7UM1Cv8*>8k81q@9+9F^Mv=6?ziZpy70iA((gZLt^x;v|QW^`6NmB?VAt(4N z;)2q)(bo#Xk1tp*f?6Pp3y)Xo8}E;0TUo&t_I5QFEGurV@0%CKM0l$@TcfJ9_ON%h zSvh6JqF|q(isnmYW1BEca2QGuW)?Y(H-NTqbE=hotS!H^tD;}F zUk-T!rpqc?xYc@2Z{fQK^rrXLG?R<_tCQc`?~basHS?x*nd!`*rv|0jgGq`z7ty?1 ztS`gNaMjb)7n)7wM}rT^ewI*|pC>&ixS`qfJ}Y(sgdOihUxMnPhqDi7x;13XJqI34CH?hRdL?<9ZMqm zY=NF;dra#f#<}mvPv2)hbLY6VcHyra_<10XaGA*d6Fk5l>(E{Hm$F2-Tv z_Hmp4_WM@kbst3x`KX;n)c&IJ>6}AE^Rau2_;``z{TM_fc-cMnaXZBRB^T@D>qjvB z#(x@;^Evq4MBw`R{D%0d`_OZGZ2pvQ`HP6OlG3XwKjV|nvh<%cUMNCA&<@dqmJ<=ArN4B1jlPD8Um z#rKbMVoS1zOJRRlI|xjiqGq76cuaG;l;hD&nn80E2#B2yL^d0CgoL~e+)Ad`j?`PP^mF5 z-(E1!B4z2W65HTJk<1P*R_)E<*ot|WK%D7PKv^#7DxwJ3O{HrlOK%}H%OcD$CkGwn zhYVEGBzoPVPwK!AnLEu_>>0XUM5>$xcx6%`kdu>x3ANOd`+9zv@r>s1;MzP?sd2G))i4^Mw#BzPOp-}v0Z|(Oy|<=WHF}Q6-d$rBW$%5zj2XHynb0^ z3E_CgK4Z$Pw7^^tYaJa?vXAYDJe#Z5IM}=#47u+zq~Gi~s0rr@|B`zo4}S!R!>&{r zqO41gIjl1}jVl1(OGR)J@82R7i-$;!-hU;nrLLvqLsG9oM(#5K7l*WTdh+&s2lFRI zbpSI-{Z6jN`(D(2&t7H0_;MSE6@0BJRI&L(b*-LxrLmx_u+_l^N-pKi^>|$W*@HW{ z_3z8|dE3ED+Tv|(f8EC2NLu48T~z%WKmDzsGs72_Ip4<&rKIId^ubN6MKUDBz;$qs zCJ}AFH!+K%l^c8sLeJgZlidUdRSO9e_8#YM`7j~hMNI>yt;kQIQz;OYK@~3afaT{X zX-FbUe59itJKAEVuzc=6C($yM0m|CG;#tVaiZ#_s9pQ4=3|IzTGs+1HYPy3bbUs6n zQWyi6S_K4F)9tvZ#nq%$HREUo(^To>eh9CJG&*!tx z=>PoPujvHvDLc~)1`eDGw#c>XM>m)X+Iuasf12g}zM9!LhimQ&11;IHi{2 z4Naw)7aLr|7g?yv9Nz9c$RNL)p{mPOHztfioNfzI%~7Hfye8=X>5@T}iRnO(bR64y z6q5B&jz{vNYj3eN<{ll9nZvqtujp=Q#aYG{;bQ@?GbzZU$}XO}&6vfg%%wTm+FznRnVJyGJPs?)vL>Kb`~B~mKJjHP5-8wAWm zq!-^ITJBZcb0kG48EF&mwuajMXyXiD$9(Q3PTtFv#7dKU+#1i(ER-%zpZ6O|`9gJVD1_Ze=GKi2YpH624Aq^JcmrW$HRV$q(h2F>hg=eu_ z%j}<6Jwa#QWhWGM;b{*799zu?-lJ~XFdK=DywEk0{?7JtR3Q*Qv2M@zZm<4~glb>} zxd(~+xm)$6>Z;?-;|9nMWk&TjW6linN#zq}QH(b6^NY0<2_}K!A}kmk#>&j-*T^h9 z0&!)Oc1MmhnGy>|EYl~c3yeSZZkYhS!~V#{qx9dyERzi?rx#)4#`i;&#iSnh5v&o1 zoI2PV9`8ekPb3sw&)J&~0}Bs|hC&N6=$Hw&9>i%-po^j=f||w zYx5elx8%9(Z&0N=7C64;Y?j7^0nzhmWi@(`Z@+ z5G{uQY70u1L(E1}j#2^4)KtV|+@<;~!ciX#PHItH2?PPdqZi>k$E52Qza`I#3&0$3 z*=q%{un5{{9A!2`Vh$@yGfgu(9Irz1+%=$&?a;1@IP$e4h13SRl%|Lt=H%TVYa#!h zg*X-d>z4`{!tF38^Fla|#!DFM7Vx#ne<${D4hNab75vBb{PD9s&oLBGpfgrdI)%j; zbm!m{pJpC&yU(S+q!Cw>O#FZ7`Uc?2zUAH6ww;OXWRgs5+qP|UV%xTD+qP{d6TZyv z-uv$VRsG+oT4(n{f4%oPdv)zvyVuvq??&2s`@<&zHS;AV_aA(xsi%oq)AQ0md|=K9 zhY9ZFYIdbi1g8}j7-xy~?@`rF5>M%e3REMcRY;S3hbO=cElyJ-I1^J^wi=KN=4;F? zxwcw_(uA!b#TW#eaAV{W3rQuNav9WHINcQ9E~Y7R%P zAR>@z;iGoEil*LT`-79QL^XyZPGdGTzG?tdu-BC|v8~w2YJG0in}HRwerd&)Zs)rUcFD38Xu`I%4s`^!??1L?KMr2rpr88X z(iYt=R*!AIK_G7HkIl}u;gO2!Gx<@Qj$@z;zR|JcR|8dq)JO4^St3Y0n4>H zGcKOosXKPZH;_cwo&oPT6@Jlvn~t(1CZNkV+QQHD z@An21i@5;x26MmA66d_5r$t&-PUc6tA{8B`C&wq_M~Q#I!P&+yBq%y40?|8df!Nupm^4L&6u9R`8hfx!x`dRcvn71063IE>>J(6d zAtW*@=7?t}%0+F?w;*jgZANFxL4)0W05R4f27Digz(I6utI&uubclYSN(LUJS#CSad^6_}unk2TmTK`gB{}MF{=skQ8-y&>|k;9eB zop|Q&Y%HTRQ_GWoSYP_!#Osxe)IP}$P1HwLe1 z*9${M7h~aKVaFG&=|=>~PFUb;U=;|X;il0bbOlufuCl$!kBSM+>{goi3xpgc3>4c+ z09|MXj4^uC9aazlh%s4Mb0HG+-cN`XEWkuWD&i%P7zn;n$RR;PK@?#GBM?ulThhxE zR<-neQbrp3deEquGy^0?Bq-!iMnE2^mpC|omen)^QbsCI{g1w|O2|8m5np}+abKBT ziJl(`5%vhNgfAdoe)KsDR;Bc&TV_MXZsuhhl8y|in5jXjf#i(4GO1r91F87(#)n{S zVKQyIHQ2(NHIuO1)~ct$lx@D{8~Io9)_Z6)c6{mU=R=%qJ# zw@_ML*7erWS3H}TnUeX)gJu%qvM%}0+Sk>cB+J-0w9j$mHf8AJ9Wlq3H(Mtke$SxS z*jrzBpLEqkgV6Ri3FzH_z=A&M=vFT}r{7YZBa+YW_|w?7HI7Nqz<_-2`oOhaC*Bn3 zcn*RP=@#6$I$Qj6L4w%U!oS9$c^~`W`D>YNX4;3x@!g3*nnn7?ROmBu9@INtcsqRV z_Od;8y|4GT@ZCpw=v>LH*YK!s_=C|+BPr=TPlI?R5E zVYTC~f-vYzJ7zdegQh!fu<1GuLG4~q>3;485o_nT+T8WI(^cH@7ovxC?mX~kpf6~* z>;-kZ?h@0@D0ln>j=s9-bEdO=;EzW~bL-uwdE9fQJL&jk(L%C#6NOIx8L#cy1Dy}^ zWK5?`!H4cfI1gQ`J>yRJWkIL;&=;cZx(-d}wo5^W^8_T+Eyb^Ms&zUDD(^ro@6eTy zc8^`kk$c2T!185W`X^HU{zF?Av_iW_YU^?`FXjuu9 z4bydgpoxMo$Rq+^D#GEJB9k#pRw<#>@&wIx)2QeCD`WU9n-|+lb0y1Exomm2fNWqP zfA+!7BFbFw37C~~yk}$stpG|QTJ8s4~b2)Na1ohk@D^r*RsP%u}-B*rE?IsKxwkKH)x+? zjYx>r9AH9D?dL;mLl5y{vg#cA>GdpoBXCqQE^(VQg%m9w-l_t2x-iQQdl^M-IkAoR zUv9@qmUWq@l{kqs5)|F>`J(ip-KN9oH`bDCk?9fbkp<9AJ=z3Xu^L3r!f}ABR*V}z z^2?sR@v8UrsId5202cFU1%pRu{T)W_=cGk}!TF-Bs?kPzLm>r;;;Ge=h>007J&E4< zgAHC_zA4JY@pulq4{9Tp&08@N{Gbr!h+a^<#MVhitn8~ZRt^Y~)1?A2!9yc@$PS?W zN5!tFLt4%6TQEH)CyyBJ1OL>eKBxF0=@!hk{4TRw4%9R_8OfG1$(KnZcGi{vCd|c8 zqid5Y_NkAWH~A61vWh~H`VdWEuYW9zpVo1>yKHv~&hBz&Mz~c0jDv_;%@yfnYgm?e z3C^C;`?}KLyhg}T?B^#AKQFfL-jhmMOm5@SeOwhr2X6Nj+IN~n;Nszxad9cr z-($9SuibKtp1Ve$ud;6c>_a3zn?E$FIv@vELamU59F933S|9R}l9_c!U^NjimaLU> z<`5ZC0wjuO<^tr&LIqqPAe9DTJ?6anrqyK6pFJ<&m-DKOcbNB>7hyS$D)BXDfbeH! zBy&jjsx=m>Pk5&_%&SLHs>|E9C(+G>jVFPpH}9i0RMsS{PTt=mamU%TpuzL94GL6j zphS!CJiEOn2XKpX_1Z}d6ket2arpotO!2q_s)*65o0PI^cMp;CSlBCrX{1Y!$vAr`?H z^7gO-VD@}TBg<3TMbHYUh(0<5!F?9Ig}|NH1z`cMmpsuz?4YIvG3fb6vD0~mgYMQV z_BLad!LC@CvPNM3fJuh!7zW^!Y?9>!|FLmWb%?cnOTUVkL{QH@?eue4+6{Ih6ga0H z8tL}+AbKlsvkgQlP#HP*_j3Of8-+o$(Gu63Li{|gB4QiCY^tL&&K+c@hNAQ2DkHd! zoo^zdJTqy*CM0<29F_)tI8}=~+;wn(uO4gSYEKeVMlUw-2mwY%15-vHeHL&b#|;hJ z?7^99uP^hDErrN08(B<2lsVKwT5OM)|qywgzj#yh%P)5{Wh#Ul9oqyRmCVt^Iz_NqS4=!^#*Rpr1uY zA}&62e1ajaxRCn7R4j|`?8AHc%;OCmGfFrT7QG2Xep4a@$RUJlKQ}sY2LG*zGM3IK*ZZJymXJhNi+1 zwO|O^JiMQ&`sz$Ou|2#>gY?WDQO{T?98RBFp$3s6!NMOZ2iXGB7gL;;we+U1Ku|A*c|#d7$^-kFFg!NB~vz4RwD(oAn}7Pqr(}i$b|Kqs!a)_rjHv$LYppwdJ~-vj(E~ zer##Cl%qBiVsrP;$HC|3Y%W<`Mq>OjE$f zB$)Ad!cA?P>$-Sa@BxkC~s|4xL2#N{aaKwBV z3x06~3i&JM9?E{Oekrg##sQ2PJ}v~Bkc1c$v)+ho5C{JJiFsso)F}*SWMWSW(hgcr z4$}8W@Sr&4KuK#hrv{g@_Xzu~o#$m2+-s_*#V6}dv;8|$Pw%&x zdY4Vd`K-f1Dv1in!AGH2Z0BZF<4R18PF+`90TB%k6}}Y{nY->osKPh0R(+&c{DJ`H zA-&l0BU<`JqX;DQqm;&s{b<`0h!ay0<9FL?EyCCieD6Ety3b6PD$naomjb5;g2GBi z@p`ldkq3#Xq{o8rK%Dn6P;wQ&Qa+T@7Y<_rZAx!i?2(e)lHCG743cX(24|ut&5Iya z+N4Mu`9Pi$(~`aP7rd;9I}x{c=@BQjgWnl!W1&ruVv1yHD=9WQD_8^X9>xix+V)m= zTE{Oaezze3$9SqvO*vlMb%ic2$z5x%7t67v&7B!CKi?1y{Ryy>^ip4KETz^?UZ84!>N~rZ zt#vJ?WDmkPRR|4XhTlg3FFi#Bf6&NOZ)qGmE?sJUIF5e?!{D^qoK539Iei?_DZD*N zc?k>Pf4JFqGY?^{p%pJA<&6cB<5B3 zp97otbY(5+_%*hCjqSGwfuAU;leWBDs!dwc+o&A<*~!rS&WP_wYtgj!LY%Si{8guHkx>9Bt ztu>u(O~f+Sp;Xwa+KUR-^`NiG)R#2jA)T<#&dCXu9nIdeN2na)w0VYuZFxb>l{Dm< z?GAdoZK&R`#bauD5eRXPc=wWj%kO!k~& zI&&;^JBj*Pj@w5Fzi6QdIvg~s6-R1%;?|D`LWB@?<=?3eoN2=&&_$>yj z20SR3shX{ruv@;g?g|9xuK`qJZZYi`fUTIZ>-J27kuxn|l#D@T5YG8-x7fn^lGaFq zk*7n}NUBkf2f|~L;~1ytlJ*1VK6rF1S)A~ZZ?K)W-&{UTD2_W#SOWyezt>|4oaUMj zHs*#Ixz(o=P_guMm)y6pdNCoZVEdNcNCFSpw_(cGg=_JQp{RsJ<6xO!M<`E6RcBen zwi&yofntR*eXwt%+oR^G{pqq0fo}-rIaL-l$kt+n79)cZ#a`X14S={pz(csfJpl}C z9*Q2=#+PZ^+w}txMJO?BTZd?moUsW!9C9Y^S_c^D38ngN3`wre_jQU~(ML#i(Zt`0 z3Zz`4%4ZB3^qt`c;E|DQ+n+ zDo1~ud}a7x=#->e8?qd>9AG@}k?xVggLdG=YqUj!4zq4EA2(!dVQ?JZ(O1qdo)r!$`X|4*a^=UC@-KJLp zv7y`SAjedZ?CQB5Ise(>{#l8Q1|1I{J3X*ixHRfh0KP2xZtNb{NfCON4r4Da`D%cI zQbZ>?tT8V#cP&H4!Qbi|0^;lxelP^SXIJI8dQfLt?=ln5XwNXyjxLzxsP9I^FJTX`TEm`W%$uL%YpHewz|AI>V?Chqv7)ES z1w;ZfV*JXb<;x6aQ>Bj8?L2l~yF|lUwlkm_nlo4aSm+0BK(ya$XUDWJ1K&%nJ8tMW z_Py5VFyaKDw4siqtu+&%yl-)+UR#3*c3Qi6;>m+SW~1m@H5-dpYnMa~f$^w7>IVks z9lQaLdgwSY2+!>~iF^W0+vPP= z9D1*{d>nS4HE-IWO?9r42-daIHC>C?#9+|am&k5acD1>Q0qdV|9b*|)BB76`7SL(nI!Cck0pW79oh^TYN?9mhNKcu?!S;AP-9Zo?GmZ*X$RE@Bl&^9C z1WSctpZR{l{;6l_6gD1zDz0XpsVVx1;<4bVVQ(%Tr^LMbmDVsY5ia96v+|DN={;m~ z#@LKOny2{?>S|C~JQ;wUah}oAqpa88I_8T+)k~BqV8^&MVYBCQpD~AnfO~c+cbspl z_-T6tgbRpTdl>%bCDZfQpQiWP_gl}ZS5F?v0|6x-m}C6$;Wkeh9-d^M)SzE_QH#)L z4d$r`*-neNshdt;MNA7764$$c$E%4h0wW)c4POaA`AKvTML_&)EcJHwbtK={)9<;G zUTEUt=M_?tC%$)=I+}q)oF<+hCsyAM55H;vO_<|B8o$zk?d5R;Mh|AEi$55&cTWYO z>)+AX-FA&}$h8>G*B&|QEDLO6M>)O5X-Ly+3_Q>kDFE7SO*bwp1XRiikpu%aj+t%9-&`P z|Ea0a$n3fW1asdKXDdkD>9YHG&pXrWLa(8Rf?Q~vZZVhSo4N9F`VK0JQV zLEvPm`}Wp+(Z-PO-Uho>9IKIZ2IWIqba0$gI1`6A{t;2;{pJQSlk+sisEEm|gFO+M zDCwWQkwv~l@o}nZHFPU=S!SzazvDzrWCWv?1q}DgF{dJ_wpQa{5#x0jFZ_MR>J6#7 zs(1g5@oRQQCC{&f(~$@t*;2*l5B*_e0C<21@+*}c#Fp&N>KxpDt2>W_7A0wx)M5nf z=%!q+&;?@ED*t{;QT-6da}*tl8h)0dpF`HZ#ErfwX6jVK^(e@#Q1rtTuKw%+4Rm=E zKMKM{ucb$d&qNLUs%7xI2-)%j11s$7qbFMm<887zJkY*&T;ikkUTwY(hTo$`k>2-5 ziB&!k>MFna-)(B&YRH7Hy^$?hqEqZTJ0!kSUapIa!defu49%WlIL4$6EDiJu#>LBK z`MMbKp&@UkQd-%Xz>o|d3?vN04B8%H&_4pQ?N8#0^z@^rRkxj$ts64TV|A?6(T{+)wx1Wr}p2YC0YVY)X#44ab`B*AV zD>U7?&9X9S`hN2EGE=xoiW-!Y8M4x-vvrU<$}j;-i+*^~5rwLPo-otelPK3@v#}PT z2i?+kF@N)4ECz_`hOw(=C7ZaeYO2yiT6wnR`BuBJWXRwQ+Pp&feq&J~dggMk{OPJ0%k1Zm_cdQk-ao0)42CydpHfJ1 z^Nvy6!&UHH(k=_xK&uMPU93xIt~^C~4mO)NRBV5aH(&EF$Df{QqO;Y1TX3)Ad%Arv zDd=RB4cmx1+dSV{h1=I#gkLf_U$;zjw3HesFl?dT%cr>gY#0`v&)x<4J^eb6LSstT zhai=>;s~RvYlBy_t2ZHbc3}o)m0%h8$A;}l!bMHevfTEix3o(1vrmOJcv|YuklB$B z;I*8V0;CNkudH_|2^~c)zgqQ1-bVRB*h+1y(C=>9KElIv@eVqaYFTHBRyH14@3H}2 zmA-p%(PGdxQ$GQ59%V>IO4h_vq$q(gWR&uEg)j`Cl0al}_L4v#sBor40CUofcI{TF zR+&G6cch0p2|84VEaGWrifFaYo|OZ`iLwP11q38wkZ%bg6f4taoZVWGE#j*M1KOk~ z2{X4*cO6L4_4E?BO7_W#wu)}@qjRm=q|6k230u{MN=fp*c!zRnc48DF;v?+^fqJ!a z97R8iNw~#Jl>J5AdFMGuGZgz$klYj26IEr`67uTQM}xFa9g_$xl^Kf$6DfOtun0)I z(gI=CgdQSx-WlB49SJc~5679b(^ArsH_wjp<7_JX=^X)mX-Km8rOvd%sBzUVMyF$*A}}hG(W3@_Akb)ezj}1Yk0`Ml{`6JzOBhLj0G_JlFA$=Yo|b58HTPkrZ)r< zNz5LZGYC1-LDvk3G)^m+E{JJ%i7#iDh6AB8o_XIQ2g%P8V~op{->aMLE7bIG#_d?+eqMzld`t zWlxa&ZEz*?RJtwc^Fmewey&{V*e$|$d zUwNXr<(yEV(0Nc=Rej`ni-&!qnj=OIyDH}Xt&6?#R;Y#JazHNB{w#+dhwRNiWur#< zZC;5~!g4iB$+Z~Kz>)28!l@$r?HVOej&7uu=ECuggk?k|=RQkl`{7*8608SO>%lfH zPt3AzSh>jZ35%dKy&RSrEj}XPb=u|PpCjiP+lY(XZ^_#P6lO-mB{M!A4>a=90BJcv9JvG7qG)m^HRzQ8lp`PM&kuR2*EXf5pADF-e%!wtEQGo@+7?;pX@POGc>cxrF6ir5+im6uV=Fiqp{OZ}$2!qQT1%(qD8 zwwv7>jB*2RbddKyAEOLWR$6=8wls4!2zS`V=d{i#{?OdXE{q~wTPu8g}Y zQvyl(k%F5QVw2X}7;el1F}1<`2I<0K((1Ta@vv=*>p*_XE%S$A(R5%CerA(xD};|z zs9WQ+1_yr3Wz6nZm*y5Nnc0K{qD?#?S$G2JXw8>wU@FIOlurbR*37?`sQ=8;w*;eThiLS=rT#giMta(m) z`JC*O9m{ZOJPAGIiJFd>ED)=zLICIigTsGLv<|PR>5Fyk|B)?6>h0kkRNUSPtqy@a+Go$zdA_d|86UC&SN;7PuTlw~z zMtt0xemd>+FYzu>6B`(w;P`sdh`yYo=eqG%AFD$7$vyN+UMWM7tIoiB;&?Xoi_feI z);)ZlIc@!p!AWkvpG3qSFKE4?!-SL{x?0+Mfna}-hx;-TA7JHD1Ii=WBipK>6bK#) z>k;`9@l2tVMnouzoWKYt&Xpjtqk@khO^S#NBN55eq~#mRbwtEdEo2BoBi=%0pq=hj zWaO}=OrS~AneJwwl|AIY=DW+6RnHkzYL_1q=jZ*79Z8_jI&87VngKHnYmyXz`kB|BSwu3%gF!QAjQM%H5Fp;o6!%LT<_F}(DeC===EBCk2U zMBk_l`|9Iiz7+K?7guMiHee5>NVx~TkG)cp!e8Pd=c8LlGx8RMCxlM+GW?AzS{H4u zYm|NpCp*hokb=<#SUJosIDkU7QMzLA++)D`l$_VZpbLQ0++78A-pdBc(vQVxS(HimxlfzoU5<)O zTduQ$8*!|zbZ<~=-B%aK4b6w`Xg*&(SJ>p8Y$T@Ep2>an)?qil>qFky!qHC!yoBzu z5%~;-tx`|*&5Bu5>$xt}SsXj+J*7`kaF;#@1PKw&0EJI;m!5C6fF9?FT+)SoBA>mE7bj`< z#$dMw$4gopIs}zGk_#D*N)E?`5Jx%R^Gck(g0KAL!d5lhdptU*AMxae+VgwX7R`qi zZe~DJL*r=^bv4^`Q$ytgLA=9i7kMDi*5`ngA{C%_bw7O<;+2&S2JthiP2Z^`*_V zC7baEFW?>Q*+Z)jVCtX4my-@AI^*wPCtpQ~4Trc|zyVet%(dm~%IDfgO-ju$O-}G@ z>TMcUEGp2-jm<8VR`E#7O^@(RvO8J5(rZ&r0v}qym0A{RR=`)~liAzz+v~{Iv%2d= ztm}D6y}eC-SyxlNy<7az$3xgQj?IC7%krwvYgv(5K8b8Ch0T?XRypPQ>CPLQ94&VJ zunl~hzzw?s@{tWJ^&!+V^HOBS0uVz+*rpcs3=hC4J{}rWR_ZoB(``+S0asa{aMO`m z=j}fUJ+(G*vn)(8l5DxZObRKwulPDmq0dCLN`Rg6_zVTiOlic6r>PGLzwS&;Da-{b zA20=JQ2K-fP)pMJTg^;q*M5Di8tY-i=vzIk3TLMm)WO_=shi_b7Ox!TVPRGAhntxv zgKYD62cWbC^)=;2KCDJB%{SmJeA1nF`z7fRFZSEFk$bXDY6%-`qR>$-`vsf6VRW@J z8_`IeCY_xW+osBwf1(EaWVUOLVYa04gfxXlreGWSn2h>FK7Lt}@EdFq>R~3>h7h!q zY&4?ir-CTaBpT+^lP@mO@GW|ZL@G55Ijd(yuCk0YB3hx*+d{(Z2l;n5|V$-5tN{=RtS5{XV(0$|-wm(o)D3?73|Rl@f)2FgLYvWT zdkTa|_hJu>4m7*8{W87$xg=vg4P5#WDyiYrUH1tk!Mit|X8?Ttj-j1O-t<|*Irw^4 zZnkuap8G0!ow~~;X#dV-Fao8jL++J(7LRt9_vT=0(UJdpR&2wNFf zb^6k%gxMM?Zf@CL4W=tQutBkT5=UmD$-(?L%hBN?)v(^Q>mB106|EUY@+GE7BP`Xq zG~k9>_jwf8OvlUEZH1B3{^adr;(jGFL0u0$EW~Z`gsJw&PR~xv!z(ld=uFN$2YnC! z#RnVtgE>qL{|-*hDvG79t*?X2|r%JDR50%FgTd%9l#9I1J@2rZZQV= z-XaR%2PRA|9!Aa$aKrnr2Xpb|FLZ$75}5ym?(JV3Zhv#!FmSLlar_UyH@5#Kxlwep zHKG%?v33+Raxkzrvvstw|EDUgXJteu!1wnu-gIk%0kAz4wcerJG z8MOrIUBE<1#^ZeSN5el$q`#wkR)op`_3CcclO3k5sGMR?0GM35T2n@yhd*ksk1p1k znTy$rldEisUGaH}eiR+MUcL^9tvOFxs=Ri$E*iwqILJi5;n)m+GFB*yJ$bn~XBUgS zHkgGtyeAmy6thZe`AB7ZUr3KXo*Llz3~F2)Gs`TUH$)~EP93|y%Wvx!)n`Rt-nFFT zPmd?~0B_+NND5WsQcTVay{WRNJ7P zod(|lUp$^lW%$aS5%r10lKH2$D!E_t`}S+J3(3*2 z2jVML%HTU^@FzgG>Q}8!?WaLi^QTSBDcy{WOn1-4Df-3o{PiQx2kO$@gUa_X{_}MF zx5o#Sm1?%`DvOV0r^)C}kGBs~uX~Gc^B#~7=r3BJ=e*`%=e*v$exFcBzq)gbeRb@? z9q7BK3b*?aPS7i`PtYGYW^_(4UZFdlfBE#nFLg zufFg4f7<@Gv;Au<)L;4k7JB;s%71abb=bf4|I^Pv&%pAJ;@^(Hz~9Gz0R9g8Hy{BA z^S=!KJt3BV1O6lbHS}F)W%!p7wtt-<)L*Q>x_|NhmVb=>)%z}g+y8_6_u~HI{0Hl= z{$Kn5;Qf2-KluOoA->!GVl#03%idr4Z~2R_^)FZPUk~=}FaEkXc_=zX8zpPAzfR!0 z>94<#|9@NvGyQ-6)&CG*GBf-g_P@B1{}Nv^GqN!LPp7ij0ja7n+{*iNoMSC0ij@R` z0Fsau5NM$5v}UwVm)M|2Edmg`=C&`YnS|A@V}PAuYOcci!q@_>ct{P4D}D0^8=F}? z_O|tx$9jXE&H9GNdW&6hL$g%O*EJ4gN5SPY_x6`Z*7Y9{P7~v)3=XF2j`3?Rlc*oV z#b7aDQp8~cj~Z{n+Z=YTID`*){3|uy>jnFZPDd!BI)b5!Fj3YkX;*KfHi&yj-?W$5 zO&2&n9S>#ji3@@`os!w$9v+WB_0w^4V<6Ya*C0UQr+JA3JdqC+SgkWRZjT3w6=U#& z-r1TWDy}`=w)el#`KfTIyBlqWPtqTvQSQ(Qt}(9GIc4>BzhLi@5#>YkiIL+g$yp*~ zO=#PBICGJQ(+l!m4y9*nm>{iuM&``lwMY2>~TWPR#b1)Se zA6sI5_{xX>!u!H&3#t||UZBFQezP_DX2B$OJVZ`vcZaF|^l3&98#xtv;B*Je{B`}y z+~;BL(v-~|D6_ljmE(cd9c|N3TL3x-}6BsVj?aG|s0_*$i3CKs^*m>X`o6L!r5 zwQ`UtB~P3Ax3!ST&MM&*^Rsaa{uuSfxttVy_d_B;e zha+1lfBylbdNf=wga_pQ3)}AM`0RcQbR{Sxw!b!ks8vT*rD7Wjt{@wq`PmxPyY`;I z8I?~U9zK8lOgtfTaGR{e!`(ed0m!DsH1^#Y2OlOBmIvS##QhKdo@N zG6kwV=Cqu@oN_1C%z28$W#+!TR8Nk&UKpq76&*AXjL`S@kwGCM^!Zi|70(= zd01@Pp1u?{JEg3Ub5j1+VTwoh)FFESmr8@c>lCL-h{07{g7%NXRz-^Zpon=$7xuGC z>~kE4mSs6!^pz&NqONARHLgnK#Wr(r#Z|SF260$1mV%=>t^8s;chn>#lFqIRW$xgAmxVT<<*R-sEdl=Rt%L)N61BSsi{%(;{*BlD8eNt#}zxy^Y;l{6Oe|g z<@{5Z$LC73?0hfVYnaOHR1Wsy=Lw^hvm-|5k2xq}{FHI~#l>ki)$&N1@M*K}?Swyv z+d-2Jj+j9D?X+GGUgNq^kz(X5BOh3};o%fltQpOk@3cfKxQo zYnG#oH}gD*>(yN^EcmS8H2uC!_*k+kZSarbW*NTvD(xmxr`41qSBU$v$aUKN(sC^s z*O`g?IgysGRjYDCwon%px(qtICEbfG;8}@5qJf29wfwos+8g-sMQ4+DOaq@t`y>aM za}S71%NjT*Mm}H=BW>S)#vJmosFj7szPQSM*wj;;sR$9eszXNmXRxv6Ws@jVkG%s_ zbKk7AWdkrJl1)=lWcc;j^ zh)nYU=*m%5w6#*$wG7;;5i+ju9wU*5UfU3VM3xrY-)(%zzcBrb3y6dzsP^4N+AVq( zch^o*kOeL+EhBy+CFT#rnBrxYFP+;jBS4P?X4twB_J?wy->g)TUTq*zbf>^>*|zHK z))@%znrm|OW4Q=n3(njJa}21eQqQiFoSNKSKt1>&1PDsp{d7=ANu{_Bd<@Jr}cabnGBSBn1JqrH#_6T*&nSIAqMPXBnsTU;{W8wT-;zwl_OJ^R zrCKZ%8`EPSvG$l$$-pK%su`J$7Q!ViUdEG26I^8h0=(N`zy6fj*R2L%|HQ>3l8BVrOmZhkq_W+!2i+2bm-A10Fy4uXpwx-u z@r9WO(;tB(Erd|c+)_r8zpWj)Za;YL2lQyCJ3Ph~-%UskZ_CHG3?r;Mz==B&&ol0n z&;by`C-G8RNX`~Kh;bnuMyRLw{c=|hp%UM9)U~_!snm#u*MCeZ3BeOYQK*^0yP(73 zxt;c)QgP@7dx)KE)ER|9G0v2@pe2i_Gm~Hf zxp`05{D8l%xp&3oX1iDJm0H*zE&dDk1CPEmRU_(xoWR|A#5x&~b_+$Og6rA{J^P&+dd8LHdV2DE%Yico8y&!f-oxR>g zK3HR=wQ(9I5;jxRjD3 zy;<$#7=XZnbdE?)GHKi`>YIU>1uH^s2PE2!N4QwMRQN82KcodA2u^$KS?5k?4%@cW zCWHrO7gF26m56T_cx7EM{|1LLWc#6ILq~CbQt&qczbWeqOrv+v098a7K zul?lgUcLAZgNm~OrYWxW?AwHM$ciqTMb7j20eUT-CPpNX$VCOOB<~`phseO0kd`xn zWI_0Q%+jbZ?r!zS(x3cB&$_3`jP{g*kd*XjZGqIxr0P97#ft~FxbROh0TXL-Rn4lW zTAQK=bFqN!7$4P?l8<*2kpll#TZ5# zOS^(`s1ivR8l&mF4g~KX3@Wo%!ZalAR1#W^s!PM(uD9Q(+Eed&wOcK|w-yW%A?it@P??S*s{W z@ZOALtI*DO-&BqSuMOr&Eom)bQZ*J)8Td1%_Qs4*0pE(GD#p9c?!XN(q5ZmL*G8@z zpp=Cu88^rj#PhSGlO5dmlXMa6@su3+xjDq2jp&%M3Yl+&1x!vXC-^nQWW;r&$-c0Z zytSlh6A4>^NA3O~=Y9tf1@Gf&=v~(;RyB7MV#ptHHq&{~QUL!9Ob6nNjx!Pv6$bo4 z(UQFv91#_f3$qq87t3FS^h_3a2?>ro5|y%UFhYA7k+cx2JSStihSaXLdE<9Ryoib_ zM9H^Uo=2(VObNu(V*0}vMO^AIGuPD*9umKlM=90}Rk;*|^=s?On)M4>fsR6o-K|T8O@Deyx7M|> zo`W_yfXl}yASt1eD*Jt`(>G%298F%3ad}=TY;NOrzo>T)GU}cPabvFg6JC~kJ+pVC(XtorVkh)M z)AhM>?8ELHF)#cu4Ly_0o`TO-hN2)6UmOp4%*;WS`IeEvAC33xrmEc5j(I}JbOjNUi7?!EkQY)4-Le*{!F(6fv>E6#zlJpt0Fp zW_$=Zv%Ir66)a-zxJ*X5cbQ8XjcRJM=c#DiIIyCSn$U1?)ZM~7Jy+i$<~)&LEk|p3 zB$_5k$jA)I5;}}@G3GEc`xzYpQMzcx=BrSwC6tLN{6n7Nu3=f@F;fEo2@Zgh+@ROwF!$q}bji{#-K_w-n7 zXk2Vd&)r!H?Kh=*Cn8S3hnKp6DItl0@4bLM8?+2Hly6G)Ga|8ZkB9;xY|{k^Y=k|H6XL-tXYhegH2UHVde zP6usGAwg}WsiE7|QBYKx0>>s}Q_cAZ^J;JE3|UjXgm*@JZ_WZ~9ugDW+ykykX4-TW z!~Ru37-DMfa1|xW4OTFcyP?r2b=HOZ#)kLChMdD5)kwST#$N%=F|*B{|3c0@V6=!o zu#vsbVGFKPwX<=V^NiTJX8HVS&e$f#CB|iG96~#Uby>1&>yAwt-VBtwt#XK?N=K4s z#=DT%AJqcND6jRvacpH9bJs_g6lw*2g2={_t6Y0{c$nys!boG`{t1*|sh$k2T8ubN zT{iM}#>g&}7&G@|>m}s{Un6-ppUj&%A-$`F|JK;j&vC^{l}Uy>m|>6Zt96wLA1i)+ z21rRMGs*Cau8*zY_vg?Jp)>A>h4(Bev};gp%O4u2u~1C1Mm`L%L^Tp59}sM@wG@7q z&3j-LAxV}jJ79t#K(?pkK!p78?w}OEuAYg1EmW`V)uaeLS}}Mn1%BH@<~Aotm9z8#+u4%M+Yd)`U}k)V1pLawfnM$9=l~F|lS&5b;XM zmLh+o40R8aNU9yQv1p!Li(Z#meTK8dU9Da*t$|s$G#e(aY?8+mVd-14z-*FUpISF$ z3C=^b6z9*F{B1ux9O&BN9^qeUr+CpcV@?_V>Q zYudMVq2+WO!F`VN8^UxNYJOcs+OJ8IVX^rz^b^Kt^O^7?WXg(`Ks@GS-BIuJ%*u&g zOK?aK?&%2^mu9_DS<&NuZBF^A2d?XjV}>BeLWtP3XQg{6+(iRc{VyuimQo<;o%J}O zVeaKM*1fWj>1O85cjhvZKcR`VEPn*)w2ekiE$YKo}PvD`lrFDC|q7T35s#%$H( zmVZ<=nt4)pEwPyt>Fc2Fu!bOPCgm(HMX=F}C4;MuG8zpUV@hkyo!J zyW+(m6YW{qf$xd&{|PiaMD3h+{VO&W<(lMs4vIBXJr@t=7Lv&{18Y0i?hd_zH%ttI zkO|{#p(+*xN&?T#F|{>N0RD0oYI;O`Z9Se@h;4DANgtqaa5($J2>%A4=?N%>YN%B+<1HB)^>i zeaQ}TJx)UD0=P6uTb-!*A((CV3K^GbT|&v5LJLT0(TkJ+p1nl3Q91ZIaorX9_RC~O z|CbwVkIOhEt7?|d`|Wq8h%-yc+^{=Urm)Ck}9d(cKs{0f!NpNBx%8e;vpzR|+ za7U@iwIt32NwAMr?fGJinVI4G>iS8e#+k4eAqRqh(9AJJn^mKKiZ+kK@+$eSg zL4Ezbl)pdUDOG6*aSBi=NGjsD7Fp*8cDR?u=mYGPb+3Gs}!4I}JQwpfg-C*BDn*#X5V3a`T=Ey>dE#Rc(8fZ!o2;{My)nxtMM8Q*g@&)Dg6ipAdd z9p3kfZYtbK(V4yl@>z>f6jA4YQLjC+?$&>g>WEQRr@_a7m+!;>;71LTV+SN493}w3 zxD0XMR&%Hw*gs`!J&M{Ayu=u!yB~@1>9)Ec#r5$9oalHzTpO%=f8OF^@EQjB3~>WZ zpYwCtwz;BJ&o9Rb_+PGBZOHn8dB%|@=++gBcPRDDRJ{CbF2!L9uKq%g)&ppM=t ze~-gWbLw>ah{-%XwJT#=EMr`s)V{a7Cuj6oaO)S(tSkq`+7xM+H?uDEg9J)1ebz&R ze77CKI12R}yFsTa`XSy6v-sAYmcIDr`7;1DJ4kY;fF`j&O&)WwR?~jbeP_DCca>{d zeH-#m5L8V)CF!@3P!}VSeeQ1#7CaPzg~==>#Xn?FTvO*qD;7ktp&vyt#vNDZ$(5=U ziyBcUm7=&6d#a;sT4$(Sqox|Kekd+?7d`p_nWd3zDpB(|i~_r{-m$;P&3s501Dg!z zTq<cZ#{XS$o_?IIhw2xc#*Gc+|+-Nh5cK3N>d%Z?2h4XeF*5olJ3n^)fIkEBgp} z6;74ER7w`WvX}u!Yt?@JSl0X}V>!p(Cw2PItehE*7{uno)s!YJ&#K1`@4$7Y_f8FM zWyCm@L$&iV%GwCc&VtP+rFKkPM@tvdXO2}yvoZ5yj1_Iw%FGG*RgRVw71>yVCsZ*n zBfoK^X-KNRT0mtk+-&1#>8Jl^e)j$Ot(#aJ!UxVrW%k*FF$!H^YSj|B@*Q&lq^EMq zmftN+WC-1o0dbdfRLO!XJO~&$bc7$8bE2b6Hz_2R7tRcu43>p>KQ!{It+@uQu{K0i z#usjM!8;=_;m-)MtOFLedPUB;?p8FS2Qhb^t$mrA2@&4+zoDY6bzn9u}5&ew?qYe!>OVJKVHr8ZXf(_3|I zH6rIu2ua5M{$Hoo^pqv|@f5?Pkt5B`HP_a$`T!W+NNRFhyOF&SeX9~)6&I}0ecxH8 z=UG&rscYyqbT#?t^V!1uG(;T#W3+8^JQJ@?>dX?@|Vx*YG6wK%eZ}g3RFrvcz zAG{TNRg@%8<+MK}Pjx^(7&^ghXzFaC<6iD(lP%ifcTWoomgZuz zHt6M#PvJ80Sf57E`^x8g5e}JHsfoJ3UC1}$)P7^yV4OjGk-Xo})>!==-?{-zuH&AH zk7Ia35A%RJ=fMu+fUA{jOXV#xMKyOmGp`9$F-a{sV`xJBf>@=LoAS%!9+y)$kL|^MhWT#=O6xP4Ev! zeSxCBWW2J;uWxt@`VFQLzm70Y4*bTMrK)gHa14TE28o*Z^O70?jMGSnyGF&bMBGC1L^?nGUj07#(gohp_#j0i*4=8u6hFBYo}t*{9%u65A+^Bp^EfQ2 ztLY&FbK`2K*u8G~`gvFmE_z5sq0t;WCoQLHFviPT3QEN_@sEVJI@cD1yS{<;)r=x1 zNzYowXrWwqP+e=55O7Z_%Wp<(LAEM!&a%ytLjX`f-)KVNkDn>gE0^vKC>v}**7uSF zno10DaTvs2_6A}C;hLFV;v!|rmKcbtSC@e9M)ZOGZK&%p+`nzVb2?c3(bC@FPr}F{ zc#A_t9M!9uPhQ3agkV7jMf(bD@cl#48a0^|1WFjz;i}oUIp?#}R(a+lWb z%MEIinN3V4&FVBYOS9&#mhIKd!S<#8fHmh3sF)yIGZL~=2qliew^~pORL+z}(4RWe zYiz{BXUq^SrypoUY9eZdN!we-?+dZ_Q)5&|4oex13DLMwEv7M$GCmp2O-xW}9pz#j zkJHDI5)B#~LMoLw49N^##SqthPv$E$!j84+nzqrqyE;F;dek@G=l~MNF|6R2qljUy zpKut^j|n6w_(I@1RcB+eCSdS z5-(Hf?-6&pcG2<7p|&$RAaZ)F3@7A{Sh37ProBcUKg=IPP8^R5S3r$XFmp398ElXT zoVfD#gybByA+TW`Pv7F+-pJc?r&1Kiz$Kj3Rs6<*XJr(^IRX|YJi75p+~UoViJp8? zgy!Jcc#&Iifqtz+eXT=zmWrARFOX#Gl=kM6k+_xd{55X{iB)nU2ah5@RwhuKte1aK z>Mz;}sUQUFUo%JzDN&j)FD@lPtT`EA9>v9QD+bnd;Ct`u?(hEX#DmS5xn++jV;v!L zvE3*vY?_b{`TDFB)_ZGK>$FA~2DSv=9|r|oRIt^A;uL{$4`zatAa*3KkbcaM3>^2@ z_+a9~$-XmA^`~72liut%d>el?U-&n85%rgE@Kudl7RV? zhH~f~Yzd|K^H)qzQv0fYVxCgyR1~sURO?QV0(4XCF7A;B=OhBk&_Zxpl}CpDcwHKa zl8yS+Esf6geU;9Y5kFz&yPmUCF@1rtQLu@TlY8lT$nK(gUL429zK#~MENtBKp0aW) zE8SYA+e&6bBiXy*Y5FUbZ}Fy=e(fLHE+aT%^z?6kYotU4Vo+* zX6%07YkGTMVL^BPnvqOjP(N!$Tsb7C5rzu_Iwxv$>IJ zvmo>S&_8H&V@}R@JA6D~zeb|bno~-et}gpUzeqjtJux&@qZil1d_FZjyJ~EVoff4r z(;e@p=bm^WO^TPDB{<$0d^dB%9yzraX5LcC2yDr5ME+vh;i5}8`NIsR_yln8;tDvW z1{eV{dMPb+gwsv)pAg_f-#Qs4BB^6yBk{~W=zZ{CdlPw0Q67t2u*7@NS+>*c;%Epx zj%4` zcOtlipq@3~my(Az1*tSSi^Hgn(9uDwh!{N0oc*B+8%OX5%o-2SD|`J5w{IxseRs6^ zo_L?M#F^(czz5$!HmJt4AfQI)@kB=!hpVRnaL=oYLb$Np_xaI6#E6vdta;~W$dFja zxGx7Lt!t@RwgA?p!dB{#763v}aO|e@hjAxYJvfj~p~Sn`!DDms3W1gNoad0lnzh** zHRNU+@pticU!g~bWC5Z96$lrpxP+Y^Y?9$f02J|6?2ia_NOhpA&sVq(l|t1PR|XAp z2C1~gRo=ldOkuLlSKASi4do@R6d3zB<(^_>7gXv=dfX{X9GE~^r7DW#gHqEb-uI^V zIJsmd6ND`wtuyq@>+ot5S_$@$zJ&LsHXY`cLv3OmfUd z`v}T<&q~PRgkh#$jukS1x}XKkriU-Fl;?ZjbI$}&+}58a%D#3e1=3AYz^^oyos48QWA1&D%FVIpIDy zec^62^G12uftTj?Jc+=?HNKz4{Dfo{Ixf(vRIsb2TqR6+egT4L zW7Lq!4{2T8U=#~(?g2rKJ$`0Xql9EIjK{}`B(cuZy(6QPin+1^iWd<~3Els7of7r; z@o%XVQ)&Q1Iq+`+V_0q}Xo@Z#+-3ol=T*3Fr`Y>nY8>6fSyc%77*KWUVUq~}G#xH+ zPVtww=h={cmym1s8_AD^UDT7<1zsXXzn_9!;2*%K5rCL|X{^%I3hcz&9hdXmuNB+} zGc{7bMea?!%+xkR&-<>nw6YH;FotL=w{ad@`TxoGl@oQ(1dcK$2m>D|jK<<3sox5u)^H{sT@moH$7eV zdW{XKR-ny-TxL;4lf?l=o13cp%yB63!it$fw|fj>^!l=?T1Um2F`doynb9%QS!vZy zOOMM0d5B9%i0ws|xj~)O&~560R@ab-D^ovcf;hmCN~2E>mR3o<>ize%Xky ze%n7B@Z`#R36KWhP)7O>t@btXWNBezD(C)?MY&1@w%Ch5@i3ZHaQvtP3GJ0ZKE~?w z5lWvWB>D5s2tSDjN{MqdFa%~(k_q@$;=DkqoHs8A?NN^wB*_4*yR9QrS%fIOaFk-) zs~?Ul1IyD-u{D!D4?{Ucw@kvv%F)T;ZacxYM8N}D9C9xW2W;%3Jb3lSbA)DJaDPQ} zC(!RH5-s^7^~tLpoH8cXaV$}iy(R|v=N^pjWNiY^+kRf1POCb|;&Ki@pB$NH&WFy$ zf?pzQhGVhi>J*W(Rzg6gMN1JF2Qxs7^?viX7~-aCOhHm0X|Dx8 z#-#_j9KKt=Lw}j_0@0F5m6VtUxHD>OJh9&J67+HGq&@_32+eQX_!Exk`?T!o(2o{Un1P;TR3$p?Xxf=gLu4j_{L+HN7<4y4IIDhIs&u$eXqvc&jQwp8 z5-EC&H{zybrAWzOB|p1jVxtaw*+xkr>+V1*(+(_Gpc!xk8lA8wy1Y1wq=m#OpMB-e zNzD>Vql}gry9e?IcIK!PUH-X#AQ1Ebgv~2hiDR`4N7M(ppm=+*uF8D`w9QIYjdnge zSs~^WA+AeAxmD;kVFTb3_byMD=PNJT?ogk*4_n|*wD%CFU4+jr+SgE)i>w}<_#tHU zW5r%cNXMMkIzAOri=lo4d9NAZlzu3C4b4 zQ%{Ni{!^4Fj}RnBo9}(Zq05dYe~kF)3q(cnFxS#?PuLIr1E{b=R3S&#OqWifGNAK8 zgKgKV6GpaM*8ko_EOuhrC#h2OdF)tKq1C6W9`1!n=(ao{LMZ zKW}R!RbJdQ#wo?Se0$~J?gvMzZv>h1io<1~RUSU+#fr5{Xc#$vh+vV*bXjfqq$D>R z6-AQhTD)Jo{bWA7Vewz8)G&7V9*XQ%k3H;YR~b2WrM7bI#nSL;W$6l9WeG6JU(<(Jq-E4+y)_I`KL~Gu4Uj{37^ETZ!(>BZ94^&T_ zIl~yEB>^hbjAjQFr$0^-!n|_3p`(rEWqNuTa%+ZYo4P2Q$_=f5vBP>qTWsxK*Ko1oM&zox*H(bZ}oErHO+SYj6rRdt9q+in+PF_D{gz@s_p=dV5glO3F@h zTa6`}bwnhvUFVvoMVg0jLrK>s!6ywpF8b6M3i~raH}G|Na7v0vVAoN+K{4br6@7(; zPJ{Id5FUyni=|3t5)Nl>^qMLL$+g)CldN(J6twM(tlyr;N2K(_>WmfSqHV2&1C~rbl zoD(zgZf4CyK;Y#DrO8~ghO2MQMVK;00u~uCnrT9FY3o7n<^(ht&NdM&!ufZ7GY$)7 zd)RnotY43p`$Y$Szl&bL`9Qs0=XP|re*CJ+vJrx|5%(A*UM&}*oM9c>R6Ko~A7z;Y zf?4IaCN=!#7C~3DUFqU3q<9jgoYAdWW2J#Q#Rq}$xoVN&ly>|GG6`0of+rt$r5NAK zeuOFODLHkY37}M!YhYk?m$p|DSkkhG)vAT#EyyG$(jDl)nwMN_fS)@q2X@4)dF4;8+EPS}> zZE|{&ph=pILvH`tK}pFU2`t?=2|L2kf%y;@SHX)CVWYD{sAqBl0c^O6(?;LLY3u$3j zFh=~F7DuiZ*H>^KcfnC&kCHVNpyQ<37;UE$)nl(+HP%p9TeTbZ47!3t5F)59|>=WFl8^Knf>QazO?Q2Dr+n14|NBFh-q{xR8 z;D}jd*>`(4egXD7MBY%ZiKr)oycQ7`N=mI3E@r;}xaYZdQ0Lv^06P&>hXj{3%)LY) zAQ_>e7uFoc98vdxwqA&9;MM1qoSVb-P+79)Fdf^r*@yS?LS|s`!tX z%|2^=$~;%i4-(F88rU=kjLN|wfi$-xx!|O@?mkAL`4Nz^TyJZs=2U} zp^in4wY4I2$-i2+hl+pe@Vrp%Pq1n69k>`#pG!VZ zm$mO&RFGlm=v5>l2}C>PE`Bl{^=}LgU8`*v=bZpwBH)-_w)!IO`Jnt>xN*bZO!+EM zVuYrtaGu&q8I}Anb5gz?)=B+hYVKNd9ktfPiU zjp4&9xr@IO*yE^T(sowI7}V(;plJWPdCF6|pd`I^cj7ot(wyvBe9u-R#~XS9e$(FW z*1y)Jdo=8StS;hQyQ^)>^KcNq9?%^7;FO8-yz6M$fXM(}#0)U2?j3%8hoOWTZJXcS z?%BA6j$~PHUpss3a;k7Cn^tK#KlO`}y)K35VOzFcf4#d%Lh?%wTYMR90**+{MM^68 z&i_>`dXpS|RiH`^mKcrpUx)ge{BuKXMwySK>#b8Lxq7JS=I3O|`x>}(UiA^!Fq}xfqRa!3f{liKTj*;#5 zv|oETzcuXH6`zuMkvWbSoC&`?rW}Ivk8#9{e0+?s_U~C*kT|qZ?J<@g1Hw5j(1kZ5 zrZ248m1Go=RHwpnqUDt8&QTqByVBLOJ@+r8U9>XE~Zf7yI&>K=*MNgL2*)1MO<#>FiOM;6O{*i=+qFK!`HuM$#T8-8U+)XMM^`+-I|~HVU#9 zahB(dtzwc*A2hga=oL_6I^)|-;+E)h-3)b{yaC8=4aD^={#A8RQR3qPh(~BNb#oRy zRE3v)iTvC@Ja3#(UU$wx4yU?#$XtG(7BryvS&@BiM0cji!h+Y@g9XN<`Qu2KHRd7s}P?HVf6P&oMGjXLq=z>tOD&ZwRe4 z?fSk&+xE7qqk(b1m(Sl+{Bq2qqls1*)62Z_V7#Vd<31xn)4(N$@)=m7s>Z~)$$jA7 zhyC$s%Tv$26X^Mx#ccXGG1XnnF9g}ONx#G2kW2yv26BvC>c`4TKeiU7YU%+bMT);M zhaxixGAT-u51!kjI=$k4VHI%>_a;pW@fhssT*%1UwwrN{)}2-u6vOGo`-S z$k!ewMYWicvOBTwBt-YE7mC-Uu0v5$?XrSQUFn(RT*QIhCkpW5w%fk6zL*Y&lGd_n zTB_WvrcSq=8%qllOUV|dYWi{h7@*y$DFekaO>M5n_dr+USxZ1Kknb4`B9wNam7cgf>J^1$==F!Is7RsICLlw$Y-Xg!q3@8L8WblK8s>%cLM$Az1*HD%4 zh?DHp`Y@Ex;o%fPEJc$5jK5;_xp+`Fg;6#oAAB5ilv^5e#!yx@g~4v?p9aQnLaswh z`a`xyaD!92WY2$P_qc7zQXFp+Z4`8v6xw?-3lIwL8&W8A49#p^`gzeajr%4#$pX z)({+#t$ay&A-P*|C-dy!*=xsrZ>|F430%E_8h_n$XEu;{_^H z=1n|EqI=fS9-N<7&$z4ZNXQV>5c6T{h`8be;wa*1m$Dpd*tndMnKnerMAxATo+xXh z&7k7xLVVf_5Elv3)N;ed6hJ5KbhKR&4uNs7_H6DcSW!ar$U_BIvrOPl(IWF)J3ITc zjnH$`!t?fxP+h;JDPtkfMCK)s12FT=m;rhZd$i0)J7K085h6Fs`KRbg!XU03M~ShV zvdN_d0N$5lW4bUMS5Mpj^&kxkEz9v5{Dxf>!O8*$3tNR73%Lvz zDf`HO7&jU~ZE!FejMh2^uT z&kld)`vVg(eeZu{wunE~r%T(a!kp}(ww9pGO@@BFj>RhVz;!3cb-U#Os}6?90(=o-Oj4@8arc z5o@KXQB4Qn(1#!9`uDgU^IAWAMIs`k+r(<5C9Xv;V8yRl2mGci(!f8J5eX7MH5*W< zTI#tSGQ}qodGh6o^-;7 zH+ctEikWtcRW@1Gt1c}M2_yMFMaJYbiB8z~;_(MHb_yYE)n1F!(s(s(vt#Bh%=8Pq z=vb(f1#$!-_sv)6606MdJ2eD9bpT&XYn_+H05ji+_0c$wb~)zwYurTC78J6>m-A~_ z^g>m^8pj7!qUDPx*7{2eZ{C|-&Xo6kJ;dkj!shfy7S2aP`vaNxlf2n$?csZ!{7HP1 zROlh27v;_8lVS1mmX`9e=hZ0w1MLf;w&Dvo;tL_P>FZs;_w#J%TKj!em_i$X0!jl` z`M6vQq3qYN7#x*f9N+Av^fKR^qwKx%Xx@Z4@>9q($bi>#H0hr05mef;*A8riCkDbD z1`^a6C?n^qcFr5@eCPoXuJv5DU$Q4F$eZH-DfE>7!Mx`+`L*`fqD1@cg!%Kr zq0D(CZG$n7vB0Ew`ex21Fq7UGBrv6J|8Qn}o_4xxLb`|P330Y-$7gpQtq>+Z+ryhKuzHi~VaO=s5JL@QaB3lZxkSBFIFH*`e(o=%^XUKEe-w z2oKy-bQcN_1}YyTB>DjdlUoG0lXmfw4{tHsqsNt3&-=ow4gzQ?XW~sC;8(L!z2fwg z-Tt)ErPRqvPm8yOX%P@0f;O|c-!yXMd&iO!C89+`-Z*6S?U_13;pZ3 z_BTg`NZU;j9sk)eb#$+KGQ6Naxvi^B`Nzy0?;9bm^Dl0o4i;NA?bwj$mF54>bZj+ingLlW5WkBTkYf%t> zO3rE;P*Yj9EJv7Yu2So*o@>rvl-l*mD^AEcpf(Gyo_Shaz@(DyJJ2d&)~2<@ zh7CULdt;CU)nrrhRCToHP4p@+_%WP; zz=IIs<_U(&z1cpuZ^lK~GdIUp0_`-pyMDYuxhnr>mYuZ23%1G0xhZG(S#0E!^IC{G zEXv`9a{bsHiSzgID?WbxAQMsG;Cx+av4Ot5zP*G-V(;uA$ek+*=`NK~A?1y5LZ57Q{;TEt33~v%|#j zZzSWt=#zh28~@gVME_SUNZQ8Q=9}jDmlpJ`{`@yBi0L0J=o=5A`$r^U_}^JU-<$rM z74+TUzgt27+V~%>pns_z{|ofN`0so8pH>hX<9|Rt{yXdOZ3RVV(EZ<5kbOHk&?EDN zn0%oWLtOnyO!_G>ysbhZ7(9MNrx*LvMzaDMBS)&m+y1b9Gxr6o*LQAtaUT0HJGYA$ z=g_)sPI_wgUeS3%f05Pl#AD%Ch6OjtD#O!r>*THb$@GAElHqoWON*O(p=^dT+mNjI zqm%jm!b1w+bmXy>3-@~enNr(;x5TYpyTpo%_T002g!X~inB)9qhNh_&K~?0YeRxjHX&iFF zoKo|*{}z$mwv&&Bo#rpf2=HBmafwB@IjWY)K)TBT>(t_F)zMCzOXVtl594**(?lt` z{nVmVPi}E8ukLpLI|{=`y>Rh%7v4Or#y8}nGNWVO_2PtmU%(6caR`>?&F=&GO6h6C z-!tzt5u?riDv6Hu0sAoZ8q6_+P(coh%#_lWP3(zc2A$!46?mT z9sm*1^R(?eA2JPDxK$;*xh>hBz77NcsHvD#TrbpbN>8p3rRD5$uw8fbdiTJM9tc%`eZqX0VCedfmB#e%r}4ik>i+{1 z`rj4Sf5e2?zANp2U_vbaDzSgc?Eh$i{6B2>KhO97+xGv#8~Rr#`Tz8WzTu?*mpAl} zV)joL%fSu>VyAS{T^2kPC`e4YA9X=JWaP@X6jYbgnvHrK#Lfex>llf@F~KDv!Jt zhE7zywZhr&4Y;!SmDd8_KfIVhdf}mxP3sQ;4gA~BOlZMc?7{mEEMSQ$U~hdHOl@Hq z^L_>sxZw5+WdR!S^muvoEY2X1#QHPZABb!Ptz8)Q1@9mMoJD4X%_yP^`sE4l>o9nC zv8x69wF4ZX{8jYtc4ytwa2&K7ScIGt_raxL7v>x3^0p`J9q=#mSCQZmQXalE#$U{x z!snvHucFbXJ>9=vwh0G4VU5r~Pe>u-8PZ9i$4CDmhp>xg&j4TsjiVDIgBp94w-8}0 z9fYH4nepk#*>R_1V^ek>_MkS}-u!y5}=UOG>DlCcn* zzB3coW>;%2rmJ6@@??cJmVM+Wlz^emaMjt46H>C!sfmzbGq!+g9G3i;*_4yXo?w)l z)f)nGH=Ha%n_RR{NGyKY9Wy}9%FnlVwnEc1IIqwSJuX>+Rgy+rogvLyVC+8kG8Qyj z3;H+g*0EdY_8$cuXj*(vd%qq1FioiBZfg!;0CWuzol)Mf2HFCTf~(N4Ke~drTT!D5 zj%N)J{q0U{zC0tL1$c$vay4s`?5BgZkDTMs;`EMqXCqFG!hUkj5S^u2IAVMO;RZ6A z^+9rV6xU3sjGd=B9S92)U;9mHnNo9gJ*WKW$|-waa?FN?2?3)Ex$;Bs49u7X>bA z(@;?ToqlL_sBf5?S5S=45{K2S9Q_W^Vm41wz)!KG5~Ld|cY6IE#9qk8%Q&m7nJ#uS zp+yEvQJz4o<^A>HmYUfj^job7K?bs)Y{46%D`W!?dw66}O3pH>aas$oS!TN=wN-Th zFML{N{&Z>(J&hFw?*XdThU1lZuDR(`)^dMcVLH#M~DBxMB^ zE18RxA6)SYv80-QC$OPzrwR>d$XpZKV{lyeFZSkaydg53}Tg9oR}IpFw;9Y!U=#O zROK8kB`#ZL*f=Zom}(FG!;yo!0@TuEek=(3ZNfpAC}VhnACg150{Cpp60H}@89cz7 z^VLn!Md${!*L9Hm3SQ1*?HxIlm#6g;W~p|{s#`cXzU6smR6lc%LIcyhT%oF*Dt!gt zZ&C<|NdckAh-&lx5!R%qVV+$VE?gSh(K_*)6e9eG6jHBfKDWOQ1vM0aEzO>k(+B&Y zIrrQHJ1>0y)BLHq2xVMxnE+`bcupjI6^SQAcL&NZ)KaTvSSwMIlWkJcg9b~VX?n^f zD-%Y*Jq`?5k>NlCNONd%juDye;IXQ=%ymbW0R8K!n`Hg1Fw2vUbA^Z8Tg=V4f zVVevglhl{yj;-pTC~;Ppw#6jB^&c{5(1c|9xqX8|P6|5b?-VQ<64L(WI~6e&;JehK z?271Z3ATl|g)g*Mz3M!azA_@(a1QcuEeSL(0`Y%Q*&N*2 zheBa?3V`m4EN8XaF9R~z0AwuP?8vXVufw=cId8@HpL)12Zghafd&*WVYT4j!H*Zbb z#vOC5p=Pu)fxyS!UO`Jj2|h|$g3Sq&xzI^cW0{ECu~PSj)#d@`6_Kg6+I7@g>?V47 zh|h)@=pWgVGBqVO^1%NWU*{ZMNw78g*qGRw*tTukw(Vpx(ZsfG+t$Q3PwZr3zRX?s z-tWF|-S_^e)74db@9J8oc6XmX{oDJ;=p3r)!nkX0!B>tj`pETz({2hE_ZaL>I}E&z zWguf&XA&kedvE~S6Q(nQ8`;=I2xux1m^f0hsfM$eqjDLkx-qQ`-o{`eXUYPab-vVl z)8X8uREg3{J@+z7))fOg61d;>I6W}J5^~TP-47g8V{Zs1us6Qm-;B~x5WG+Ms$&3pKq8&*Xnoc)9EZlZwlKovCaPM#OV;lEa|W- zL>Pa=RabQ9`mo`-83a7Z=sFtL3+u09;u)*45vRdv8Xnudi>_$j5s+?)*1UetgyTXY zS`JJwn4t_y%?^HJg8N;GG6ju#c%=HReY^9T&c&i`)nG3Ecy%@1W9>&{)#t276@<1+ zMMlt)667$6yVcp+t6E!d6aPx>E+rylGDRO%|I&t+6^pLTB#i~FBrevJO_dZPts|`- zJr@w2z<3o_gPN!#@(L|9Q8_846pfvv6e>N_s210TUmeWT!y}jcH#%6bYXYQNc?(oGC^+PEkhpbYWVIC(-Y^nH^aSjL zbYo*=*SjCEKc}_fs7P?x+J$!$2h3eq7_dJggZZh8`rFQJX3x#<=*Pusd_VG)sDkkY z^q_v$t?b+%dX>)nAl6mTP@qV##^MB+IHfi&u<(%~%@17uk{e|7kr6ZmSH`?xa8L_j z7{sk&z`m=W=?OC73RJY*!wRX*v%l`HD93b7RI7*+6%}>#@ApnC+Jaww7Bbe&*GR_j zy+@2>2Ah#CKLRE03;II22P@ow!=fI!8`Kob$Mf zXsi28(Kza6bXcDXvZq)bN>8R%CKdq$*2I6}GQ0{G9~ZaJe=ri|H?cgVu#{{VT@@2X zSpg7<>dvONQ7qf@W!sv(+CjXgnZ`*6+*@{w^+kEKV`6~scwgED)~(1Ep%m(>)OM4$ zcHAR_=DF;Bf9ntZLkuUBEmVYd5Kt^)KpbpF3y_hL1>Hi1AB?Px@#%CQYcAqkL_u`- zv6G{hbww}MZk-8L+&kVzeB@_R`5xmoypBS9aHv~-9%fu76;V^-C`qOILxS*ESw%kXV2Q!CjpnU_#`Y$f3111X;btTAhE2%ZzZ zqElc5l#l}dXe-_&O{@;c+0RKTMBL=56K?z~Gnk}gG)16Py>OU!;!5#gN}>ljYNlGY zYJFxjYk^v1Y5DFzToe?tp$qCLTJkSUw^3jl;AVTnlIhI0{#sJ?tsuV)gZImT`v{1W zM4EINSBfHXQX#&qfT}*J`CYwXlw)-w~5(j@L zA!1p2BO1X^M>kYc(!oMIsaiAbV9sI&#uUPgVD2y$!ZkG$pEnxW3)~IhdYBFM}#WA4#jB z)$LFOO&yhl^I^BKsE{ghT@X&BeDU#!$aA+S;F0Cn;8QV1SwZtjk#&5C9 zv*;&`N8=uPNoGn2pq3mKec_+7K5*GdgI?{3siHxF_oKY+u9Lo9mm947E3rN0Rbk{fg zOmI0EjR+cu||2UpXTA${+OPc2<%| zjR=k)L4I9)1xHLF-Nym|9-ph2xG1xaMrQY2sT!ySEbDi&k=avyNB8eV-J#~H9cQTg zkc(0KPqV*_FkWo3*UW+Iex#`)6;%gUW-7mY1b9<7Zs}=e7C_H?=pVZ>j5x)ilZJ`O zp%--%;MI$J=1U|V60HIhN8h2pHG03~f5@&7P&SI2gWDhnf9xgaELLEVQGmrt7sN;{RJVb?T^Rtc)`Vmyzz7081rLIG@|ZevddPh#rvar$EGj8 z$8=XId5in(CUFyv{)l4eCw_(ADLocXZ6jTWs!YY^^Tzee%_i&#uKUcNkz^osU82L4 zI~P5&rcWMRb}z7|?V@|*&!WOKl6VqY{uLuhmCYmBLyE$V;!9;}CmJ7$q62mj%o-OM zL#;nCWx)IfzcmS~xSI_^`ts-*M;LTwnc45QX0v}M%Y1I0uO*~ckjG=2p?%mA?_Go9 z?Ndw)K>ncs_REa6;|#-P#?S+rU%qru*iTIlj)@0Dh|g_wvjM^yr)p+MOA>W z_(jFX=k_LW`)uMwiA7F+c7X!T^v-egh12G!Gp8(QfE`vJ(m*Z22dM>FN-K@FVz}*n40umM4%KzDyVKY?q z{6VLEjMydvaA6>GHh=9cFgAU9cb(pB&u#sTCS{Cl$r7W?1g#8sjB`r;?-QjNeqcRmNA!S8;fFNF(d1mPT2;24|yf3@3y2P*A#n}~t&+q(w!0gG+&+>Jj--c3sPb96Nw5`^kq{q|rupBLI{7tiKb9{+f zC`YX6%FE~A!Pppl40bq~W*z#-Nq#yIC;T1Y&aP391B3js^nz|`;a@RrL!sH+UNX@5 za*6N0n$C@`UTIIiTvt99z1!xE%zF+`Tc1lxu84|jz}|(b8C{8Q9pgIKKL2~Ia)soo zo|*^d>$lMcnGJGNv{!;8KAr-TlNJ9wYv=`y<#Is-JIP!lsU@Bwqeb~ohnL$7{SMl@ zff@R-WM2ENJy>6dv#LDi)>f(=X%jvDk3rf9VTRn_lQ9T3xbSFXsx%2pGfaOVoiNmc zj7o>3=1w#t!(nhLP%WdaO+Y3X1{jR2)ZURGn6ayoSXhHW5)W&E0v4G(1bc!M z+r@}2WB=%}J7Cg5o8&TYYag?EPs)L+lEMn~3_i_Xv|M%d5I;Svn|8NOw01%Rvb**V z)rIoZi?=Op6h^aIG5dX*@uyPZZBCW$dL>nu{-l+HP;rrD3zkyJHvHU9KAEnaWj<_K zIkUxThD%!YhsY8yL{dm(PcoMGtj+v&u%a8i=$B-0xG_2Q86PIjR7X3XCCS8`aQ|W^ zSJPYpeJ-H47O?Owv|;%xXP8ZI#HQga6E>d*-MeVlpm0rAr%*fm$zdQ%ZMx<&Wyyxh z9Eh<2;u=*8KY#Z_UB=pkzPPDcDzrDe=~i3 zv4OSQkPb0x$JO|Y@r|%1;YrF>(J-neR(4Y6W%Po1(5sKJ6>m@ran<1;h`Llp)J+mk(%6$&n1ftO%L z9kdEbJIe{@WzM~oPJw<05J`y{lfxTRT5Pp7p2VuYwh&q4UzEun>)a40sU7Vdx(+Y! zjdsy1cPO&4K zv{=7_c$;}G_ccwn-0!Q~zUc+JTkFo|w>nEwQ#W+zJj}KBi*6;^-a|(p_72}>$lK7F z<)f?8*)a z(Z1Neld~^Z&U@mtcQP5$+88?whks=99J-f2A)%V1l|oL5N~sd?_~ z<-Y{^AQC6Lja$K##YAXfz&0ZtPt%yem&F`&fSt=t`pfcxCh12Wo*mp`aw?8L=iCrn z?*rp+PZ@I(43ylAKjC;>`hASNIesWJ;GU#UzWrIhhr$0O4t`HG@1J46=HT53@qu^c z;hO@Cc=+(g*zY^yP5S*#;C_Pis7Ggr|BgRlMFY42{Tu^4KE-(6Ld59r-|)W0c+_W% zyuXoUH{P_SkBs@?%TFL*r|^8>fsfE%+h6Z1;%}4RZ;r@c7pB`ENaDvRdrbUEy?*ld zBj1zd(Hk)C)$xXB9tQ+$-{{|fF@WAV^N5Li_^`*2KW*}84gtvUVSUi#<4HI6Ab-3w z#qjUl$Ui@NI7N;yBnI+y2RHZ9zENc_T(|yk`*A;~!FSlRKSoc%^FibvN&a~2!R*g1 z|3bkr1+eyr|81PWGM3M;0I_H+?_{Z`z4B?v!VD)_@+M^AEdTYlG#*%0i5u>)B5brI0<|YToLcQ~8{w0`*6S zx;Quu1-LiEP~;;9%e#-^KD$oKm-!5VWTeiYxhEY3MsQYxB$82sd*6ixYcb_*Z8E9~s0=0B60}e%)Yk@7zoeGtAHGQEEvj19^tP zUmD3C@yOHA=FOZgOm~R;jXBb z>as<7$TVl`S0Uc!JyM1e-aOND;AX7zMUVwwWYPdXEJQUFqE~7aE6Inpc36FoQj7sCL|4%t{-@9E?G!y zu!XOYpavb)k6_7kzY+{JN@hxM1L1>=q0V@lEidx)+>eF5e09>|^j70FXVfw!;+wO0 z7wmrPDfAW{rDzFto%=U##nZ@7Q!~}*&$?Z$Ys>Q;+3?poZho+pSU*3`RPx@T%rG|0 zj!Gu7{#kX-H8v06yu%%RUqIRQISu>eW~v=W5!wT{3RARx`Oqpk>=XliCc}opI0gy> zE`^|B!v-4x(tcdKmmi}eDl+k1vVK|$dyM0^`#v|E|Ga<{8v7&rNH9LRHIF;bvwQ)4 z@W+#l^@y{E`&%l{8|1KfE(yzDe0 z3p>Kk>^i00(vc})N=mhspAM%~sz&1f4FEtmlSp#=$jVNo15BY}_IFn`5sbj(hAKkrh z6z~kh@favT^)p(4R>R&8{1Ky_kJ>%;j3?o7+kK!vX}kkuZRSb^4KTgIf!>)%CK}5$f}7eW}^@GMYU}Y@C!Mjs`btwrV=dA8kXJe!HU)}tf6*Vo_eN!)zohp0=n9ZJQeHs->-+KHTN88C zO0L&)RK3jR$&;a1a8{D!V@@g&<#(I^y>c+?mj^raBA}BcxDbZ3K%vaks*;4JpqGkN z@i$T5s3uxvb-E%&oKh7(6j{msWuU8C1uIiDG2CJu3U=B6oFSd{H8{N80`Af`8g)jR ziX9i3mCZxi<{zX|kJ>Z`p?ZNS?IOgK<^7)b-an28gi%Y-Sn`01V~VW3SxsLNsNc;x z)rIpOZ?f`uSKd#^IWV>$ukrG5!ZJ#QV|G;M{nPy*4`si_UnRUr#wd2YGS3n|Cl-da z7uf@7@LXKpl$!XyLzARurar4HI*Ih9bDcYN(Xpvz_hD|}cTEg<|5^heMMA8(m__Us z2Jl!s6$P9#8x$D^1d!k?!M17~qyCcaMF;k$+hGUq6u|s?!Notpz2K$fzg{vivwk4f&Fp5_gl32lY-p(oK5S93PUMDH)h`DUE~grMb%LqBFD+!XH54J=Z!27~Cn{cmhL`j;untPO`!P2Yea$ZG2$Y z5il#xlKqR=sv80M31NAzg-3C@jAj`|eF`0-TG_NeN1{pPDmhbI)TO5;=p7*>GQiI3 zDpNb$kBOm)OKHBpn{o!Z+F4vQ@Po*d!NjC_22q}JQmP60Tp>wotP2GF-FF3TVW_M? zg{w-YV%A}LFL;FH2$cuhwevyp+-QT+nkTrZNVINig9fnZyir||GIY^44r8-;G}W(uXdklb9B-w`Xn zS){zG5=G_ZJyeztPRAV!XU1HCC}GwhJ~^X}YsD)*y}2E9V7*eBfl_UF^MdEjZppcE z?>=SNjFm9z$n?qEo@&Pmt4bO6By@YxTs6Lc}Y6de9%P-%j=fK#@JBkYjd-cCy-nL zXr5|3pswURkn~(!W$Ri>)@(i>X0W}>b%zJ?FZ#$ykcdw3?JI35iR9A%=IuDMkC5&k zP#mcUVf+ov+etYePlF7yftfZ3611^5v@USLKTuiNc5)nK`$|7?n{L>XIWmte^M*ea zT>YVEcCPGMJa{&5pm-w`S_|Tz?XRGoW`1 z3e0wB^S5M8w*y&=DD!SX2{nW=ibi1BGN2fplY6-`*KT7>6=r(Eh1S3|eK6QPIW-Hq zmeQXb;y5BDC8$yUhd+PMlk307jAy6{dQK%OMv~i?6Im%#hz47`ZnCEZ?tj>(&A@aRZ+zB2tR|+u8oGh}Z&QaSl8LRh* zk4ORdO=4=JN-=rmt~%(Yb=Jjd6xKBiWnQV(NnJ$%NY>H~L9Bc1vPJ)#V9Vjm;H#Mbl`;iaCu{(x^@r;!^C0O8bZ+@rK zM5}}hN1B8NihYA;24tlM7l2}a6yu=Gbo0z=r@mF zMfK3tl3eA%uV2L^kgBjlhI6&hx`ptS7^F3AdE71s$~H%;yQ2+<2+Q>=R1fE!o)pAS z)kC@@gU0JqBhsSFHWUl?NdOomZY>H>ToZ2GSAlKXn|wlZfzal~|ORZmWgGOXXh9BsIr z{WB=d4FlSGGpZdftxUHOtLjrmNVUYhw646Z$HR;z7wB3WXf0tLB2ma*X(r~wle0vq zR;Zv|Dl(;dxlw8tv1bgkrhdMQK$txIXqGuDUlw0ZI6kD{FpNT%3mvHD2`IN;-qv)B z3DJc_@UrH_Q8PwxE&w}c1?Y$HdGE&!zEq9#Zc+}PAG6pCExb-VRCJ_W)I_Sm(TypM z=^1c#@h)$DNQsC8P6gFx3kbS$=L74$TdHtLKIY~*aiD9^9uudO5d{`fa8YpB4u(dx zj{Mpbi;Po}bn)uaCYVV;dPnkA@E4puy~p>B`CuWzJi%YsB_1$=sAo5-mzJE67MF$X!0fF!$Upg0H#%{YyqF2DBz7O9PbWq9Fb)X|$6)~d zTT|OTrZWYhd8_@lqx;!*fHTA^d?dtJA{&5^ll=nWJ$|u{ABy(H;{~SW46xdbAKcB6 zNFvs7OU4O-q6ZT@0EZ%=WI`kgjX4k!Gth}q5=Y;rtFGpc`vC0R6LtK^o+(ns{E1md zLa#6$KTJN`nMDn*XyI$4|r^)fW8Uj2&JM)XmqpICz z0D}$AjIBWZv(b!MUC^WB0Pd_K+tdiF&@GUAD);ZK-6?10OfDUkfx1kK{WDIvqF!Of z`YbSl$V{pPDM$#zO7J=qnCPQAJ+gtiIN!ry02&)?hq$FyE=1pPs=Ag=ATa?qoJ0Dt zEZwn4?QAxJFK1U^<6eAi5TFYBbVl-xp*i>iZ+*)YK?jdd9G?+2dH-wy>k?O3 zLfmr;rxwd^q};*=YKv%!;Z~SIkXL%aCZQg3Dr&Bngau*$XS}5fL?Rd^uhi|7=K<+K zWIX40@Gu6xgWCAxBsbEw+`-T!@uZ;U%`%h1rIf_f?}TxOUIM*5ckJJA6_ijT7rK-- zI*a_O?}15)UHKhUJf%Fv#v%m>AT8w_9$v zQk;`xI6Iw@zOj)O3+xj{{(MS|GU9U?m=Rn{n%H%qXWdXH%uWJ#6J zn{vWca|2}BY(XXHC>=Dep5PFw9qq4tE$n{Z zKE<^y@E(^I&2LT=mhT`qpp$YT_azy@4ob1^BkH)EhZuh2u#qpDBdmio8{#moPp~EJ zC%F~2pD9|uJFHOC3dto^R&1&0bgpz!%5{4v@23mj_M=O;$9>?X1eD(v81h%*s}!6G z=fM1_@$514t$EV+p?z7$Aol!@vDDbt$Gd)=oSU7lsD=dEuyJbV|j9eulYp~8gK z)Ydv;jZFOjqdMD$R%cxed8qt$-JVc1&2=jX%wE?_%Gc4!N%H*;T3y*wN=nq(%`cRG zjM6Q{_;_95v*e}|fnw1SIMDi#~Y4gj65hu?(8{#~W3nG(q?hOQFJEEXB5VcG~rTSB{E3VueLUo=)f-_NG$MFUA|PJ2!Y zE0*kV1EqqSD3By-PIE-dj9&Z|g-XZ;J;yZkp!Og!m>WcvP6IP*2*NaSBUhQdZfW%! zZ|oX%QS8h$d!}PLCLT(upBQNgYHdnldNKiYAOgW-V6VwXSLtGLScKG{!HU`;y^gry z+xNBz<82a=9IdzkyY9W3jhRHWux&%1C(SYbD`Y_b4Y%S81v0`OC(e+_82;A-@d3i^ zJ93uj67H`wJV%hXJQY#Xzq}c@04x{1Y!6ANQJd272`MZs#i9PmV-nrJTxUX&SQcFt z$Zx&O?{0sXX$Z4moBLq=ZZ!8|k}O6Q#JH-AaTU8G@l_Hahybk{sDm_0ldj`nTfzce zi+6s2L{TCf)fj}`h1u2?p5yR_GuQpbm~#}`QNhBjRT68FugN9f{$r*{G6WASmJ z-}$1P#WNum?(;S}`7+_sHb{S5;TVKC3sfY@Qc4XuOhp)#!9e0e1YKb-kwZD<#vm99 zA}y@ro|3J-2u&H|FU3>^Pgcj9b$wHGvX_{p1>xa%ZyhZ@N8&zmQeOOJSd4?T83d^p zsS>oR%Hsgwm=)hoH##44M5s$$VP2c4mBMTGU$b971X&V9P@@tboC)teXn8nk{Q1C93mZx z{HaJHKX?qder}a^ETpU^j~*O4NF833CCq`h@|4@Z)q-)#HGxEfhvN5Agc?DU>@zfs zj)wDM;fHZp+Q^vhf?bKM$BDLmaXzN5>{w%KGgOp0wpLbOJ+3|{e&2kop@;TGPU#uU zsIMjAtaFgGGr;rn-du?0+K5WorF|khinqn1gr(+xDa=tJIH5d>nSRLs6uDVnda&?+{pIHU|CG}}Xr`CU1-?AK}>2IL0Y zcAplA{6;6?ogn~k`cZb7p{Aan2la*IZhfXB<`dIgx!|Z;K48gJ;EW~Lm5EBIVi2b4 zCo-2QCS@op4E1}`xGBd9>E-SZG;LABc2@g-h6!UldjRybxM}qIfg&I`z_2Jj4kWEQ z*iKT76)mU0#ly=hW2fJ1Kl8C5y5FHwNW{a)_;*W@iPkZqddhZFUcd;<{O#Hv-E5ew zY85pvH9{5jSM=_u!KDBm z<%cHEGv6KAB;rVKeF;U6H__7Gfw_ck!)K6Hcpq`>-m11;QsTA?u$ACS9?UK16Mj4h zcoBFav-Ww@ziKx^X0xp(#NtD)7`Xu5%A%s*$~My7@(HX9dg2ti3#1|9v$vpLfa{=3 zEDP&m@aUD%?j)fVut9Hgtbxnp@l0M@9K0e0xD~}N4HU$pP5Thb#}3y)I&kL6!CHnJ z(+>eNuu=GfUfTt-45>?wh=!Zfi3~TUL=!U|Lag+;GF;I-b>R6139bBEzn1@%;~Awp z@DcltNSE-6j}cEB4{q8MPaj913>7{vl~6A~R8A*i8}lMEU-B$rz0hnCWARyv!;}ig z&+?W*WMaeYhr)~cuB;qpIp{KjYnr`-al3sa%*Y?PID#MPJE>%_YV%BDC%ZAQR5(hd zLiiHVTkBRJZnpqVZe4MHl^a>D$D_y9qQ>id7V;Nco(mTph+_e5-uEDx{EpJj9e=o! z$%igEE@0}<7oS{Eb!;Bj2$JStN>U}FwSg~LVF*`o^bs0~+esY1lxz4VLsBJ*Mw0z8 z28`~+y`i;5e%|-RLf&k>#oz|{pKE|c> z<(@isn=W6E$@>co`07)Fvn)(p{Q8y$geY}*`{N2+{Z0ObWqz~iX8(#Mxr&|&8_UlX z4%*Sl8`Q&n-N0O+)orUgeK;tyIyVQOe1A9?$k6i(&MMA_;;pccJZSGLg`6(iYC}Le zYhcA|QUBt*F-jK@4-X^IfL@EGjYFrs1M7t?kGUP&;(#&nK%AlMo&9AC{bg3_F#!QS zc4{gnrDKPE>uyNq7Sy%Xk4a75&e`{tQ?lmByT|(&#A>{st4DA$HXF525G*VRpxY$( zPz7o7f}hvlXy!r~WRiV5d$#3fV?aMx-+dVx_qjG62;NbI{EP!MQxh>Kv`c4}HyY>Qlge01B{T3jvycS@;X~t^( z2mzvkR7$b{eOo;;#7uE|zrGB8G%KSG)&Z+3SD-bh5V4K56S-Rk4@CB%=RpD5gspwI zAnqKQ@uI*Hv;HvqjL3bbDkIQhhPoD3SchpN>eU8+hM%cNo~r=1lIZ7y__jLd@u8;u zs&n?K+ggM?@q{Zv7a2204|(8A9<2$t`Y9^^$qN&_Y*ZCwD%6h`f}7~j0xD7gwn)-c z$dVrGg%h8<)?F|ncI*h>Sc2LG(WceU3;fJ*XefawQrd-J8~-rEAu#9G;EWTR{pnAHyULZ`{4w1=rvJ6?BQIvAok;p-lOB+2ww+u*1 z?W@wx+;!1F%9Q>d-}8#y>*mNoa|~VK>c_iK+l9|_&APwxRO9Chm>iFqnX`Ji<9FBd z{uVrZBz&_&7CF>;+M5r3MrO70d}d7KYnJ|j zT+r(%!+mr{Ue*D7?o+-~Zm%bb3hwZs0Y%EW+Bjzvqn2ujK+ly)Y!9=sg1#B9O2XJi?X>bN*CU%`d{DeWA6B!$Tw88najKJCm>=zf0 ziapLPY%>S$y4}ri^LUp`2b@|7#@YiIm^RQBb;qeK^_yk$fiC-6`&(PHMc>MlVR05( z>VqM~876@+NR@_-?DTC!RhZ;88s3?`rCbXu`|x`DP92LGOZ?PupO_F}k@=0X8Qd?T zYU`?Yv9IuRAM(3_9zzRGZM81_@fx()1?J?6oWTHN1+t!39qyLbi@)}9)!nJr;O{jT zK3#zp;gM4pJKX|14R--|J@$fxP-*%T4TT&~sH=U(Q2CueW!ow`^#SN-8EIjKtwx?- zS5U=`bM|#@)D#`Wzt%dE-DM2lx~A42uEbTL;RW-Wh*uJ3R==GG21%fB6XnUL?kTDs zJq55JKlo$d4P*6}PHcU2Hqjdn)VX{iFaFQ(emb`L( zl+C03GCf2+W2{7Z`9A60;Hn$A&!UQ!k$&K|EEF{}o&OORD{)*BF^O znOOe=5N7`$s_ox6<9`E$h5k1ntZZoKOeWAZObnB_kyVMdOBV8YCVj0|jyUmwiO z|1VIOli>?`{5ztloeLo?6C>k)g2I0lVd(!mDg2km`(LCm$Nx;`pQJDg2giTG^Zpaa z(@p5JD_}qsee?-V$r1%`25wObN+gR)6g4lGJOYK{z$%0$45hh!y!TzsiZerUfqP5? zVCZ$P+CKtn_pc035&RTO49^35pZ4r0^f;XMINV~Gzob0H*xZWy+uZ60o_z7c$shNysUPU(b$9L@9Yy}MP1o$f z!ljd40}dAm|bMkjr$M%f64#da(*GMY+ri+YWpk4@pW8(b^hA=+xNHrPaFTx|J(krWBRN2 zx9{(q{xz?^I{(@KSLVO*wtvq#|BJW%>$(58GqW=M&$shWXJ%q${44ff9Qxn9Eh8rz z2g`rD_hJXM2kLSXgV%Ib`PO2D*X&$;yB2L3Y10C2SrcJiQ6sAsP!n4$*jK>iSPhZ@ z5*s*78)}UB+=zx{Ji}}4V zS^}DZTX3P{m$)%_ZKn60m!NOm(cg+{4gW+V*|`!;mgL8olovhV=zN=Dgks3YEK5cAM@Tj)k^G;4TsL zwsY{+ntH4+iSzZoPztFCC!i?L+s8#R5W!2HKkqm1jzO~fu!El+K+PwtKs=ceWFn$g z%5mx`P^el(sbLhbW6IW^u#dAt~OX?JiPH-P<8|vzVM*woddetGxiF+K4>Gn~}l!rWVy1~2U zd;awni~Bt1XLuXadT2iiydtg_^qLzg6A=6cTKxwo@ z{Dk9p%>Kl7c^d8G&l@?%Jh=ndRZl1+=6=7e4hZzDRDF(LhFkn+0K?yf=-FJ1?~!;Z|1EZ zB~ZY5&<5bLE~6*Gb>Stgk}ue*le`j_eOEAV2ysLn8E?3Q*XTi)G;KMZvTg!!aJS?{ zC_4K*d*-m7kv3$H@ff4?`}%pHUpemg`AP#{o^fv#L@Iv}6ToaE+lfDOi499+8T>4P ziaYJ-;No6e*9xSiR;RJIv$D}ZFRiJlDoZY>qW+zdoJ2=SN%wpDkEgRU(lyl1MYbcRMoRrg(NN2i6$5mV@9xz^79ko8CQ;W1AbYll-PHEGz)QlRA zT#i8+1pHd$A-VdMh~UjJQ%jG_yFTPi>00U+wPfs}nF|(mr9(;-^Q>X1)nIJ`%xB|r zO8Mc2;~}kgF9CT9wM`Y>Q9U&d-2vWDT9DvThe*;U$blFo69~ZOfECms5Te%GvS1 zPbK{R4eyt7NrLU$r82T+Ow!EOQniFG$=Ss;^4QS{!mQuJ{&_!&HMw`a`|jA{?mJzf znX~t@%`bU-T&G3i=qr4v3*DHv#<;kCQ@E4QflHUk;q*Zz{gw@Nky7l?;lbG00E<4w z2uQ+`TA~KAw*1eS(P>g{x>&<-G-+K9_>7V*)op_Jbw2DElwWO}c@XkJcX+x)WeBiy z0*PYxf#K$O^sR5yMJC%GxH zW2e6Cz;4VksIUaCGeud0ncsw`J9$xkxRhN@swnUsamB^Q>m7c+wf#KKGWOu>l$Eq1 zdZEMa#$ptR+55Ai825_Ev>k??_`8msX{DAj-B-Rr{o^Qup!&g=-F6FpwH`aAfI4N{ zfqokpwINR{obxF=^ZkSj;hQ>4T}<&(OeGw2e8-bg=-Q|~7AKSeQyze4-8k#{sasSy z5#`Fz!|)8TF=sd&){&x?tB$&M5RC|m;~pRwM%avEr;c9C<~xN6WT#*AdWf?5K8N zWtU@`(2_;|T-3tW6DAh?#6!Se=(SJEYIFhfUUEKV&11kmv#|Z3`5Ug5iFuLNFL?M{2&=Gz)sIeM*NpEPa z;`;^6Qnknw5YGPL29tHAyDxsu_yjTOG0hxN9!i%b=}k7+9<{&Pm^VFIrV7+m692d& zO?(2bHM+*12C3kyh+Ff3rdL@x<@Wjg$^s(}czmcBm@I$);%I;A>_-C+)}AzbL48AL z%S4-ko7yorVK2;ZU_kxb8&gX^mIN=WzgoEJ8MYELoSe6j+>8|pOrREVS-VQ_M|tm2 zn~K6W?bD9L9C5E3P|D0j{jq0QrP9Uxl4=!t*A5!Ch{^C;RI}E;c%gUjq{dQ)fu!=1 zYX;S8TzmbcCBOwYQ*2Jl$H(qQ_R^XM%(o8-L84XN)x<+vIw|}!cUE=NThrg?{YKV~ z4by9mcU5@Y{!Wbp@#`9eju@!qLCZJ(maA!8j~~Ut7iFuwp%C&}QrfPF&Wtk=#6FZg z@f;Gf&OYBsGShnqR~@v)3Wj$b))s)HqO7Hvu;Hz!%gW2!_aV1Qo2e7FLtk(2eqvxY z-r_q5PodJuZ57f+)8E^cp0CWGK>JrR4^#E#&YU&k+S6X7>b03Tvtg)Mo|)la!m!US zr^wh_M6@KSsE{R9C+T35&KX?15j3eAAG>TB=a_mET=j8_%Q!1=U2YYS^@b zdHGzG)bc*B``YcUt@@nppWgMDOnEX3iiCcE{KH+tJ{gS)Idqi8D zo9oj5Ecv6uyI$CQi{s>klLFw3yL&0pDmq7U5Lwi#@g4KRO;|~(+%`?|TQE-m%7mb7 z4$`*)u`&EcowPBF0%vj%0)rxFG})N3VAB$;L?AA286+Y|7SJ z>65eNjBDR()fs=#r%Cz3J%C^xrNHFx=tKH5ahQsw1RTY>Cd$!^w@mujyNN#fnu|Sj zw^#VkEh^SE=UZlgFVu|}=cL{?s+lTzB)F?LYMmm!-(3rTI*DsO*8O=^b!Eg&0ougeCm8_%aje+mK+Qf6sjLKf9~-=ULebU= z@83Fm)McV01a7lsY-p2KYW-zlygIH+S~NF4))_j48jYxS<>hBJ0O;VZ^q)0VZ^k%i zQZGDoms4H7z)AXDl9P7qwR5Nj*iN(*4LHxst2~59n|!pX3cXG0Pa zKO1YF3nBbdbhW_9f}!*to=P-lD4*rAjMJ1xs;84%v&JwF<8k!i2pHA3ghmoeL#+RH zo!ahwOZ}tfntrGMgJ4S!?c*8m3#+i%rri*>{@6`6-DS!1J9#25(DoYe)sB@DESxW$ z3EWuzidLc)zzWX9JkOfUsz$9zTzphSAbk{jAMZ^f`>kl5H#UuO_z{b&O2HJoVzD>E z_h;J8HVCZ`?A(0Bt;<*tcpBvV{VyweLTDrE-E`c%!*B^d$+(8mu^2PBtL~Qf8SaKA zR`>U5?~rc3Iv&2aFyE{N29-3IBVDW}Q9Iiw6sm3-HWicTE|BXT6d-c1a7c6R@KA_k zIbLSZkLlu8uzLbO%JsOY))xC*8??NlHL3$kU$>l*5$G{O3PE8M%1I1RE%D9l_5oKN zU0s1%+K341o^sM~EHoN1XW_b~kZmeu>#rBOsZz%WtA1c%?Q`c$KP5v}+cquxQ&KrO zs2-Q+N-Q~2Sf13IHK&^Z)6_8~nzZVAO;s*9EApWBNmIL5-%2GQx@EPPB^GkQFz*Fl z*SMf*<7Ye_#6V+EKuK$9R#H%nN*c$+O4G3S-dlrU(+V=#k1ei zugPZPYb3gn;DG|z>UApWESl0~sb&N+q{^(+tZA$!J>e}Hsgkf4PEppFDU#qcv77P) zE20#gfU{L6DMmZRpcBaP%yy|J^zAR+`3~kp&~$%P9FcN1QldpJW^ZP=s9GJ9d`g;0Ptcv{x36 zy@kofR_J>26%#Wexlrq=v`!thjat!hKzp7%?$yXDE+tE%JUNKS-3`NFK<}jO6nCJj zNPbW&Vz1UX&~K_}ppcxr;DQg^MU9~R}pry?f3Tl0h;6gmVtF>pOBwf@{(I>1YSjiyT zz*dk7K?z(5?fJ)4%ba+jnwFJX-Sbq;%VuG6FD7KI`-GnQ{Ta03 zyP|_td~guvmDe*@xa@$T)(GP$*Ngq#)S;?sh*CSJfh7+Ms!}^EnHR?j^a9&7 zqii@<3>h|Q%4-=H8dJL>M{LL_mnZI{h~IYfouF+kUQX9v^>J>9WfC+Ch}RX*qF{^t z3;ry+8)qHKsAhm|v2~68w%W}JiJb55@N`5O z$5R*=uy)BMk9nT@l+aS&P}VA4daJ;)40m3fvD8#(1Vq_(0u+u1-1d!ZzpN z5))G>^T#;>2YxsQR~F&z$03c0M-H42Vs=6p5aMR|f-oXmqlmr$nv~6aqEN^DVwm=J zwk@#k0hgz(h_hP|XDEx+&S<1J_IGB$XUCTEnh^HR&OXB-=EAUJMFRzEl1Y}(Ag(~; zUM=MiM6Vew3K@!a&FrBspchJ3*1{GxVXzEr^`eBt)_b@q#v;NKm!G|XSP|nbr;hYw z{ae5mtuXU>saAl??kqA`8d7Y_xp*{r#mnw?R@A5>h6oiBw-V4w2cbck=GI3j59`D{ zEv&VxjXlVKHb+!3GL*m$>k(rep5v+G#?&cMN&7fV|MsS!H#yqw z7KTEm&D(DX_PeC3a!#G@nnY}rp|Gb_ugjREf`(FRd@$|2yIdme@`J$(MWY# z3f$W;F za5{hqJ9aI4LBQu_GpU1c62h3T0O{>oHcfOa+4u|=aX)+kblO6ogP+I-d&iV59aeL# zzTkh)1{GC;* zmHYeIIs;#qwShH^FVB~ny`28J8{3=DQ^t8CwssDPel{h%rC>b2M8qMrPX^&8NVV&%&)aZrN--e$4(DE2>i=9m|Omy%ACP5&g`zT=&-5>?B#80$G zJ-@#&e!X;D80~=~;(eXcaJgJ;wi%7kJcQjK!vdWQ+sVD$-XQmUUtaTm+{_n=IKVVkA*NjPbE`0AddKE@p}m-6 z2aT0>-%cCA#-U0G)_6L%s9Vy;;}Gw|%{rAUoXU`;Y*}Mi_xi>BLY%rAqQPcp^Oh96 zBm)hHHwQ9DCMg+1NO;MSoP^XvFt`M$Kx4QFq1mjNaiN>16UwX{DO439O`s&P_}kb9 zXje5i0|jlHE2GKJzNe&tq*dJnB1q`Rqx2Y#*xJxxCXOd!Q+EA!!Wbqym9A8r^*)hN zbDfMVyQe1o8rq85`MtYBV{Pno$J6#3`-;7mj%l<0f|)ect%bj5!_!*>%;DX4{Ye400(W{+Ep(m^^LJzp=b{*H*h}-?OKN7kNNN2Nk~S~ zy=;e(jbc&n^?5ygehcgY!xs8E&`~p*b3915N#?wk%Un=eKjx}7`po&1*nS$U8cgI& zQofO7gIX1bK^UdXH!grqi)%s9W1ct!$00(d9V%L*zQT!TA|;f(6B}Z0hJTmcU@W2F z{HeM1rM}HhC5pw2DM<3Xn>}g0GgsbKRuUP(c@7zg_fpiYB@f#PBOn!D&d3~y2-O1j z=L^zaI_<1B>Rv>bn|{Kyrlpr?0?s4NVK>CK`eYydn7TixC*m%%*X!Dey(AtWH70pz zkSJJ=_O&ROsx(-q@;c)OnS=c9UmSjs4rRD#)6@@p2^9haf^j%`+EX!ItI#m_AwjJ{ zlO&Tmol!bwj9o&x)B}u>EB6#V;|G)*V@)6)GuQB7Q(l;<%TlCzjw+f;c#AaSe;Ao> zS*oTA#=AJ>qbzWuj#dW%4cPa232*zmkey!Kg{6hefKlxovXRzSIeXi%7#{6U1+f#h zOCR}u8UL(Bn0Au$L>WU~rYNz<-GiP(OHXX8iEnSSKn3d_OoROW?GyhX400VW+r32U_^pgyhSkZ1@|gNtM=0^Px=7HptVgOPGw9A%EJ8+qcvp zUIpl|ltKFzYW*EiI(O-+?P9KS*ce~(++f^0%6=D>vTDY*lvQVnjYS`wQjbs5N93h9 zUPd)h_CVI`pvE}xNQU38t8{Ly+U&JTc8MH&a$_66#T+aWhaR(uw<8LQ!iMG2X9o*L z&eQJD?oge0RcR`BK{d+`jUqX4mmQPHn%)PUDXe5>iq&8SZy2~R5~!mw8jl5t-;u}= zXG#2ykH52CU>NT_wK|Ciy%3yiL)9=P*z%=;f@vHTMJG7|c)ldMK`MOpH%@?LHFZ%Ea|CRm=T$ z#~+y$I(4ktTua(k{)})<4?s`GrhjgCEV|zE`$(S8ja)E#ojO>+Of6mlp-lhDLrW;hbHRbBX*!qn|D<1aV z&c6el>dy$X?Ys;b5)%<{o8%cQXf>u!#_&cQ;njvQ+cD1mKFFXw^;HZ6WLbO8Cgb_> zUK&yRDpi?iDi-(txcGb=Hp^6J`*fd61{=u3fECLq6^xh?;%Q@J45bom=mSCzMlg&# zau~~1QDY5#;Cash4tPo6mekKI)5SIIz~&GA%kJyzE!=elJP@dIK>y*8NY-I~L1P#B z>;a^2{7lni(0={1OZ3-4v*XL&tm`v#GCZF8pX16&DKx4TTAIOWkv|XPTzhKs5tepe z&6RrB`qu|z?)T73WSSuTW_rg#J?ajk=;Mi{e%5a*$`q@o1$z+-+AgJ99v2>%3y zs;2ve7cWI*yKModS%3HRSgt({7PN7m!TB6rU*z`qf_?9IL1Lj-2Ums>zR~(~iP0QOh)+3m4Xh7T$giOz z@X29O5{Fsk`!Mqx5sM@-NaTgqAz2s`Y&P(LU^Gkl+kOqyLMu;}VjU)ccj=bx{zGR6 zH_5yZ8cxpFiFen8*YQA7=8&-B_GC>D>r?d6MYETMZ$~qCdvkUTVW9>Ayc|pIS zboLIhj53`vRqxg?Vztbp_{f+4&M)S-l!dtt(6N|O{I!98|Gk>w$(cB2Nzs=N76E>N z-C$lQ7C9D?$G`xUEKV4yAs^HxH>UB1QU`bqYkVv{em1_D|+SDvztW&ZqUX`)eQQ?A;isdpW;q$`2&_I!hgqVeTR5yK2 zy`!tqImpg4-*MEVFSF(-OeZ^~P{q9?TGS^#p`1^Ae^@$zL!fks0 zlf;>Ljp%*4TGmx5g+o!&;$&CWTq`q8Rp(mPie~m%xj7kZ4O8gKQm7h}12V!IbsLsp zhv6yXmL-l(v1V01Tw}z%T*ICqnz5OQSy8M*1PPmocC$3aBx94YpsAFq-f~;zy~e$U zplULe!FsMUO|!V2P1K$6ppV^FyFH<}NzUuK0LtLDx&M5`hpNwG_$Qt1=1YI~Q8AZX zl%3lb)x-cEDGIn$ax?l68A@|NyVsXU{g!uvQ)%`kY4 zHai}R)qkxAvzrTH7seYpCM34ZO4}|YWmZsrB=em)_EV@!M&i_^*IKYk-e^q>hm=h|0u&zU0$94afRt> zr~u>lN_B7X!FB&G&-pN8r2asO=n@Sen+rA(>tcwY}t1IgMS7qF=7V88%gunG5SVoYJX_ZUr1TTw>%G50rw zXF%`#zFJqq?3hEK^|m&IPHJn-Q3Ni=d(1(OiR)@ib-K%UzyV==t;tKd3}C!gYBg4B z)kbb2FM@WMmwJFEA-I(qpqc5*`7_MI~bmaLD-Rjh@1m&%_&@ zJx{+#+RVdgT>>*WlT6a*m1(2q>iR&#c^hlPsId`}m5*HqshA>iWNJ%L&sfJLK| zo0IFc91jt=iX=>Qbh5iU37$yKJb+fg(=F*kpQscRsZ4dMCu2w&1#8frA zqI|5v_>|IIJV(%b)_e@xBRzeMeP`2}-lqTVcvBXc@D=ope&DrHIr9E&F2WI@e>Qiz zk75P-Dz8&uhxp(Pe)KymoEuD}F}Ij9cIUL!S;mg&PoR||WlnWn)O>%RSaAmIZvBHY zOEq+l)CQGlc0Kjl$CSa$)9K~GLs(4rYTfBewB_0|eaI)Le5o`I+}Uzr;f0&p;8Lhrbuh!IT5$$KtVw$@ZNv(ZJn3KRZUO_?x8j-7__$i#&t-p|YGyH<{i&X|9w(jlxI9%m z?`^HbtSl{@mUn(JVo3?N+6;7c;pXvH7+sf_*^!R$LYb+u1@Axx;{^SZvvy-$ULeld z%d_PPY;Q`uNQxIr?iJ@{Hgz$JHgT+IB+_h`hWTSPztCkIm5E4yAS+W`w9PVh#^R|Q zqM}?RnY=`$NVWz*tzRyY{1Y1&H+~Kt*mY5u({***gGfG4k|B@1l0A>T zfW3tOHlYa*Mu*DFhi}km>E)}Zvo7ZuL!kSc|0^mcvpZczUnSsg>Tx&wfQk~XrT+KO zO~u{{Z|Doh^*G0?2O;7LjDIeGkReVKCn7lPAm2b;Vx`Rn~THewHFZ=v)%q%Y{kWX#N2Mv-Co-`#ru zEw7J1-;5LZcAuKTEj`^0pcP3tHIS$`0$%_zx=+Im%N|eKTi9Pf_(cvH0LVeT5!}>G zJK(53{djHD`*>SH$}~r+**Tb)_4VS%G#*hv0B%77vVM`Kmfg&DGuxjN=Dn>Bgg`b| z>z{&ZWd8LV1&RT&LC3Y^sx%sF*>BofH8iuE9d7<+CKdkl^hy!L4OV|P;z-y@P|zb? zz%F#IuRkn#Cnit7%qx922Gsv0pwp%w&!u$4B|t|4N=-mDc>lBbpltcL@vGENB8 z7a*KhixI*7y=GA04`Hlab=2+adurH07>o{Db(hTsPua*lbDm`71H(rr&0Mxx5I7!aiss&&mLuKd++B9j;CW4l6V;r{2ZdYYITd-n9?s5!>~P8%iqTH zO>;Y<<1S%kVPA_FJUsEpq~g(&l)^#+>jn=&C+*aK@L%a*7FfBlnDl~$8^#XfKpPlB zX)-M)H6|t3#1U=iLr2cz4Wj7#0|J`ZnG zYkgWgTIVi`RcRdD*HyhZ!MkHYBR;C+VdOrJcz9oKIm*V5`wju@7@OJXCuxqbV=(lF zqN;}B9~~Vk<`j(!Hekmd(mc+?I@P5uw{dDW(l!w#Epu*UEuMj9tBd2D;tL7S4zC+! z7_AK2hNFho(X3>7LNCToOHu36Ibd$^M@dQ$oo>oTY+Ry5*^o9#*ovdjgoPPa)=kBm z8wfE@)uAhHE&nY3+Pvxi)}y~XSHfbP=BdiB{0z}J_W z#4Hx9WCF!F&Ytt=tyArFgMX-!wR!75eueKnK3$6 zDP|;iG$th1xycho6;^ngb$H8gvM$qL#BCx;5BK1ZiX$vYxIH;HxW;uUP3SL?%C+)W zFymaxcDADCVn%}Q{9@7|+bF@_TL+$J>%{4e7K#`-w>wP3~pQIL^y0Xu6W zG5*}d-*6rgzpx-j{=lB${_!gK`6pXmV3-y?ztG*vZg`G7n<$JxOEi{mMF)ib68rUz z-gga(uB1UoM;5YZ&vHL>3Dx6^owQ1p3oPQYAP)8reC@CVtIYdn-IeL^=qT_l$E)V_ zh-InHsm4+66$IDmr8l>e&YAkvmcuMgq_}XA0Rm<@PWJB`JWtii-!pSoh>ORp%7QYm0BOe zLv2u9f~S=z)xIIDLG^{4JC~GJnrqtG0&xrF9-^u#q$$m)uWBl0RQ*4*J9fU_&r>y9 ze%O$*S1E_*s>(@dYM_p)m+Hu+dK!tUr!vmeP)Dcjc-hrjj9w?>8@UMI9Qg~kjGqLz z6pr~b@?RVd!e2ShkC(1RG#@jkAE=RE+elw<@8yIXYoqK#N=^v0Z!M~=d%k+VKGQfI zV?SamNe)W&Tyohkg>gA#yTNo;d4;m^|MVVV;fM4g{Ho6ZB!EYnnT_HnKPT9x3Rt0& za!JswMa3PHw*@%h@~-)N`x|e3puYTx-j;QVL-LCEqk=8qV~y0KiT)sMKqYr_WoVDb zzQcG0P2XiGFNvAmaTK^R>h|-^>>+oCjDf+UbfFLok7bl-(|E->BrBI(va;0GDd?6< z$m7U=RmZBRTAa3&J7sjX8?KCU7tt&3(fAH07@)V1X5`hEWahE;7<$mXxLehl@^H#{ z6-&mQpi<3Rvg%s$7*{px*m??REq+;i;X3%vtkoD+=CLq>=x1E{6BhHJ|8jJ=UmImW z45g|wWcIDH2|TXl+b9hc)2&-LxrbYlZ&EyS9hD50PZlFKL4D-KtEn2VHOeP4L22lB zX09RgF#Ctb3Msg+;@ja`Nsq$WxKY;*=&ZC@I&H#P0G{`fok1%eweW3hux~p+fgP*# ztSmg8a9AV5L$Y=qYOwIq2r+UIAO}K*BTIfXL_|gb1C9r~H_fNNF1Q(Z!u9Pk*H~Fu zm{~_vGwyV^WG)Ar$HE|CFBb+jLWWR578VASkPiwL77|Q&cVyVM063v8xP#r>ePJ}+ z-&bo7(PMjgdu4TS2d$phClAR}6G*wY6rf(Bx=48%k$t^`?7uCX3gx2NS-7d|PfP5- z;`RtYZ5%fShxhs{t_Pdpx-*7Zqh1N`qoV9?bTWdce(M~6TQir5NMs6sHb+Iq!Ic&j zhlw*PgqZBv{TdsvgGyePr-IwF1F@{MSQI6+5bk0Z?^G`*&A6qaO*fFNhC8^X|FTUP zsn4EpP>!nPDW9{lBBlxad|pZ2^aZN1xZwHc9ikuxukViBER*ZWiII9qUVG-vkwC1G$pXzdcY-YvwHyPc?AA6NOq6{nfK!m$YeiW*OrZ7_&Dc1>NHu z9rVZXn~mx-$ADZg0`87_;chc7+vsjHYqdb<3N=xT5nE=WB5I`lB|V5O;$T3#N|)>gB?OXZ=;tj@K2wb0Y{m~M>0ODp`bwf%A#iYez@S>ElGO;LyGQIjyH= zpGCGE^4#h^Qo@(@P2v5pg?v4a_g%V4@Hv`^@zVE-FS$7_EdadDd_U zKk(;-FF=X15U`L2zhmL{*(Cha(;l(%)aClX{2reOi%w2?>J)}65x|G<#2q>Zg^W-3 zednO(hL~{#V^8^PE5X8!K4TXrTJ%`mjzIj8baqm{oDCfPmZXd0O;W&A{NClh_R2VKjD7*OH6Adk0$Q zbzek0cbkuBx7_|`=;m9qHk+_#7Epol0qnEdmK@x(-yZLdx61Qn+x6T#ZMvLH?sZ8>ul=k;Y<5D!&Y>mWa1>-A$zl& z3FptA{n!g`GGInHHA29v^87f62+d|r*q+n+kMz1R`$K!(RWqc-1dlX|y7(guf5`2n zcUhvP(;;uOpuS#Yi*nAD@t-TNrJP`QmtxfP==&I6q0L8iXFK^jw`Kr&0p*36if|(#^dzh0 z*R%i{ENkSKhfMS#OOBrfFO-xwQ#;a&1wmj9SH^f zH17!b!r2i18C-~Hg7m-aw#+E65XU*zs_=h%=}0HoAao4O(yhg~TgUiF%zVyHeX(vI zFPD({o`wvrHlA;g=$`s|+7uJRw2h3|+^!7RKCUAc z{VbBtNMD|rvcDbUoH=*y+F1$1YyZwpqAJduz7%5$kw+H1?;JnRrD+O6TRQxi@`7;| z(BV&sTzOAA6Fjd}?tp#^x&`+T`h@-**M{g)u~D1l8YUmWdIa~FNjI4#HM@dge!WCX z|3HH!y({Pr`zW;=wPQ*70LB&ix`RvqNE%Mq>4QLi{W(>17rS$rJ9ga&|4QX%GHRzV z65qqGC*|YEm;3>CrhW(GRSQ6Wu^yv4u_EF#Z3Lh{)c+jY5%p}7^(^QDT+^j|`Z|+8 zfDve3vz|zL^j*R}QbqE=Q`Pog1-!$)4!Xo2@VEtiLR={UuBi$?C+WhDA-*7AMb3qN zmH_CNSg(5-u|4y;ad=J=+>aW$=_13?7p0~`Fe z3-1pErARCi4&*9X2x^}oA%Q3mmna_gTWu^kC025OyqG9L0(&H^b5v?$P=b0?>yWr9 zX?TXtCQH*@cA;2?sOfJOd$V>?)P4FW=uR7myyyJ2)y{L*wI|5rq|Qv&bEfC?>kQbD z8A3D?js`I{RMZ7t_Sc(~o^Lqf9Vvl6E(bH+R?qvCrL-P?AnRrJc0&*O%`@Kb{$r$k zlqYH2?N9UoJ#tcEEy>Uh6EADGht*ziHUg6caicAEv=5p62+2ubuzUA|_v34~!Pax~ zqc~o7b4N?#RhPGg807s3gKn$u8=M8!y&d*RU!41Szr9bRZ^xGzpMUPwH69iombPDZ zy=nM`M+=oc9xm2zT2#X=4BxN>o3P2hd{&DF3jGf$Mqqy0uvPyp4O?K&SfWwc?CdFO zs@hC6Leb{9DjdYJfD*u^l0lyRnAWXM}j88;0ad^>eVp z*k9ng1n0>UZT~#a2^{^nL1_T~^dly*$D?`+IdOE3Vxvav2R+1E02jX2d871BaoHk8 z7=T{}Id75&UI(Y$8zV#2S30*`cN8u@fKd7-ka(M>p9O!Km+s1+1<$P{d}XB}|H;EzQ|`0?Q$<9_X8egRXVn6YObcO%gfWn3md581h{kR64D9gG zDto0IO>?QrZ$*RlIev|J=?(m_`S-Nt!AT$rI&>_}>iIf+tCD&OiNZ97PnMU?WdAQ{ zY16XhC}WH)RaYzOM;>NdG2r+X=IuR+@NPSNT+2RTb9Rz~#cyY{s1gX}g} zSSJ^MU0v+3N+o27HTp(xU#r++9T1F3#&(k+(Xu6tPG*WgcH5sqR(W zB1Y}o5^a`>JuHB#ZZxejMLX3kajYboj9$+}p{==CTq_lnYN_Wfu0|c<+T&AN5)GRY zF)=(#F_gHL%Uit~LDfa$BDDwIEX+K0G3{g8Ahr$^xl#V;TNz!%wPhLxPu?e1zEw}? z3{V>*I~Y7_1~V{iAC0vqx81sM_>ycm2t5urSz1UOUR~%I4sKESgPL_S$gZNnFQwKS zUz)vL*kXy2h(;wpx}Q3e5B{_(%P!+R4^HAcTyu48qtF1^m0WA;rt?r)-ZI;Y%%(CW zTlRX-r-+*?9X7kDNP8>Z-XJqdxl?t;eGBgDY&YS7-Ga15m5HeJk%NqpiU_94j_;Lf zf`QcIO`Y2K$70h!aTCf`Cj6q)v&Lzys-ks~a>+peMwh(Ai-S?4#+|Bp@`RbKfCH&I zf##7gI1Yck(14C#Z3njOaLRcRR+~mL4pkjtNe~+D^cvOrhmxCr^g--Sv!o0w-ibO= zUd1IfZx|>ah<^U5)i3aSJzIJ@7g1&hJus{V$Z(s(^EC7lp21(}VWuh5nMbJ?)LMoOW>E)qW z^3mop`PCzZzlsD`3YbfZE>UFA6qxs(X>Whs2EP0(wLl@Bqf?{|C%DZV%|a%i_BU4{ zPvTOsjF7BCQ}Iy|M^$hTUGhIm3|A_XYT5+{suBdKoYX9^8!o3#W~OIs^3|FL#iA0b zhE7kriPQ5SO4rb*Em##O+`Q&9@ydNF%<$}=>!a(%h?)hPntByp%2A83lg#DchCcqI z;Wivm5HOw+o|#)oh;ihD6@(;eZ@K3J|UN8=fG89m+g@c99ycZaRP-xza z=!@8m5Tz3}8^jYeqfLHySVOY}a<%>@0mxri{UbV;%$_DJLQWUYaG%$(UbitN06 zVROmv>>p#UvlF=Zj356{yXD!;j)n@l)z}Jj2i~~v*;nf~-R2J7u?oL8*pp+6WW`MN zY0d4EnZiIt*kA?KwT2}P$&e(N#Mob+o}kvS80ny9a-7^|{%nLs&azK8g3us-XriFH z{=@!+pkrv%phMnj?=_ccm%iawYXPm*;WhD=nG*8TvEQg$T1_2Ii7T3o?xVN~QJ^5? z+xXRMDT&Tt$j;7(Q{ko5)}%@q)bq|Du2qXwXhHS0zsf0LjMoNivmx%2$_Ee4RD+zzVQ|ma(R^O!c;WNE ze0=X|-SVtG(=seJ*rCmFOe2^+au6 zf%y=Yf@!7w8h}d-EM_#j)l0j547O>mz-8_rt}5Z|@6!2Qa5Q5Q{{b-;DZIAj?ia`H z>V{ER&Oaz=h+C?d8cy*o_t7jY+VeC21}!b3}GE%^#?TSl%bHvJxrdU0+k*lH03oOJQzZ>T3Fp zxOv%ntPCw6?s~+@gxV`$acT1mr&799Q-D9gS@G#*+h1B`y}hViwgisJm0s?A6W1A% zX6Fg^92EwLl?(327{8_u!@vz+EZoAC(v#&&nJ$vzNOWRvU2N{vaTq8@6#jK0FAI;{ zVaf|dgw?eyOdW=_`LasTNpXHLC!eG9uflQy1k9wQvR!gfCv{rrCNwAb9dr5GDrMfDJ!T@Z?s;Ze)4J3Hls@?XMS|V1y{G}q} zWALQmD7kLiLl6Fejn83K3$4?~+l1Yy7_Rm92g5@S?wz@LNcpU;xC(TKf3ll=L>?%2 z7AQ5SeAcMD%eV_#%2`t9EUyzY;P z;ZV?CA(j8p`mTr)4f68i{S$p&A8Y_J6PxO2_^G7T?s6sV2;&kh=?FgvdTH$#;o%7% z&i)c*Ud2R9gJ-~%{Qef7;u(u1P*$$;t@iY=jZ#&Nmxerf8`ye=s;X)w0xPObI%F01 z(BqK{>wA)*g-uqGu~O7S8;Mg|%W5rS2%*j=+}WcBV8&x!sQb@)1pH3;Z2R!ip7lvEI6Le4Awu4Y0T0*xwC-N?xAie?@T=c=VrR&%!#(xfmcU=jy-Hz zF?BI7@TMXIsfHqAJ1ODt737Mu~5l9 z)3i>?JtMsG`({0<)S}X3oh?oVq3;vIXLgs{EuYiPwA8YoeyA4&h8kREJd=H|*Cq>) zm`kv|<^F^x+X?)LT^@>-K+Qf$s>-XHUTh4+fK>yD0kOHZr%%q$oo)Q-F7LFo5unX_DQ z1|b&1U__{d79j>3PV*@Z({w!*l_kv~3(SEe6_u<#Ybo|j9QYiB0l^oy)c9JAxDC1 zA$XR2NL-;A176IQVyF<&q*bMt*hRz*&MQ`Ti0GB#Z?8-@xYUYDz&mE>IC_fpW3;TI zY~03jPmA}2wwj;o#2`)%Y)-&KAYjlM}p_hTXd=AF{qSj@qBDtwz|*R zu7amR(!kudrrms4c(-bSROMNPlj?))vJ2i>#rWK>l$3)eW|mUyCLc1UoSb)mCo6@0 zD5X5}nMDWXe~?>qYU&wgl6oy&925tDYh{`7ZOFX6-WFd6e^a{GdA0+T6s?FjLOsyzWJUxcF^^8kXj~=%*_iY_~U(Bx06-+b<8PHAP zDdZz_@Qaq*1F+6u8j)+kY_^JE8M5oTHQ;(u1o?Jms?64PVYUI4EMXZ zID-5ST00^*$uQNj3thur!DzSk_NTq0sAjZb+`M#D)_!J29>BJ8w8l47YZ=9kBVS+L z!T0Fft|BF+WP^rPFy;(e&Ctnf@zjtA%ULWh;q#jjn^b9jH)+N%g%Nq6Jvcz0AR!J@ zxj=S`@Mn5Pv?7?pl2oCw>n_*HGiGNb%^Bt{hisaWv;C_?vHKSRd(gwH}gQ%b5;DGOgM@hjQaxgx9krNtaX|inFO&V-Lt0Jh&!~?h3d!HY55p-|1qX5%<6) zzw50AiGt_G&JEgilY<8!hMa`58^UkzWjy(nc(2({+xPXp!U_nj_WsG_$Q@9vuGK-| z*sVi{s<3gu6V|XtiW-jrP+&w97Wf8ftig%iBPl_yya)=g-UBy$Po6tWp09b5k6DAQ`m zX>wQ{yyeQPD(LDe)Dg*BK!H+%_$>i}3PyLrQ|uzl{-YKQs2T_?N;2vD9g<6yNY zJ~(1dw$-qEPVi+0CYTKk4U-)EXu^Jk>3y4+porX)tlVs0WN{}A)u|Dv|;F|bR<3$?U>c3fB#i&^&EJQ zO#|MJQw6hr0cbg}D?T5pkMf9X`K&;DU3qy#_xbiX@$LX$bi;64v>yC{WnfWY%H)I@ ziLOy^i}je?ZR|Q>yH#txLj=ZV@uPTR1O}TS6bvG1{dXt6TS*sL*Ky|u3Eexea7oGF z9tA;mJYq~8$QGp#Hx4fNkADmxUh{lK6xMm zh&1DjNn*MGE$_;GlVDUb_%Td}WZ*5@YQaK}yT|(w3w;$0Bi@gD^Yxb18eui%Iu}rkB4=a*|u9MA64^*aup{{^xpBmk4oV%d z7T2WSAJ+NJi9T(KJ{NbtzE?S~>9ce`@o%+M{q6PfyYd`q5JCkMWrL>qMv*wWgiBT; zIB*(@l{KV8rq^@ab0;5kL#LD9GMX!7IUVJm{MX$ zbF#eM)B5nESj@Rgr6{?xT-As18*YbDi)w!bE z&DnV;9lIr|8}c4=Z z&Hd^|sDk+8y7-iXZInu1R2#{VR#lW8x?Eu|}yHMWD>7_0ze@>TGyagv}v z1jrWfqwWXin&$hG)lvS30<=S7?GYS>52)pA=fnAQVR-_$(x0&q@7o9EsA0DY&Ak*E z?^84x#|q}@q8^}qv?s5_YTOF>+r5MYowkmRa^w$SsQ!UXosYS$L!>Xd@9Sgdt*6y( zuX1YTubUbfm@c&T{Y6D@ldCip% z-eEuA?Wg-k{G|X@pXO|lvy^k0<&pE(w^(Foo>Ne^G#@9{(5g-A&fZXhaA4n# zkUWOVN=NtRGG3wtJ`8i)jYT$l9VGebzul z@&}VA?_uJFW@cH0szL|{21dUkDhN>orENk|ha-#=EED86}PJek~}BGY{4ISigDPvh1`fna^rRXfHoM!?=Mw?I!L4X(g}@ zKgbQ?3d5oa<<$D@`gu@Pl)=iyvsmm{Bc`iaENb@v{za^hw^*M1lQIZQW0!p;K`y~c$+v6*!U}GYXC`FV7$H&8L#l*ln@$%;b-Z4CI_(550 zb9`egPd_&?o`}}3p~hfXAa0Q+y9O~?oY~iBTl4A&|Db#{S&c=vGZT6-CC;)K02?2g zP-rNFog5ccHWKKZn?G`lc=Mf%a z9V|+z>epKAZ_xoDT6cVen1G5b6>@k+cFi`C(hvZMzRa5 zx+gPUfjtFY^7hydeeWvEwI5sGkX~MsiUsf6o#j-D--EjOeM-KlfnJS>7z5#sFIX(>Avq3)x)a3DUy^4Ft_3)D#CsiE11zt?;@#u1?hn4NEbaCLUyM} zVEs~;#l~T!IhvjiC}WDnuBJ>X9vprwp2t4jBb7JHuH4s_C<2Y2>dKLz5(BM~EJ`|1 z@wB3>A{6##O;S#BG_owRR_^9l3paIEa__!!P zPQR@Gx+d9uSfnU=_f_6(-!BeOW@j%Sk2NXYVBlcT5Hc(>QCJ-%RmC0Ug*Bj27{+d< znx2D$i?hMY)ghCZS-B~N{FTtQ2lOmCITbUdzdQJ|tf#U?G8}p) z1}8No7%o!6ONArYv4wWQ>P8gRsNr`bBHiCxr{PBCYocytWz50X)_k>4@ww8>`M4 zeF15;0>MJ0cIKyBrCR0Vc*DC_V&OLbdC#&%#UFz!iFbQVh4#2wtU@lHw3HG6^L%@`W@LuG_Evi-wOuJxa7O4~Fd(EFhshp*9E3-&_AQ_Jy% zTtTO|iHcA00e98u1Id-!>+46h2N_1A&Ue&Thhoqt6U!8%Fl0xNcEM2=Low z+$UZu-Yg=Oxb9Q@$^xveXS>37`%QH}Sti}DiTT~%A_Yy4NFQ+G4P|78X5~hZ(Prh! zI978+!Lj4z55H$UFU-)PvGG2y0Uh7YAhY2OZn#dmMZ)4_a5URmKBD7sBqwhfe?b4) z(BAdjQ?NDsE_Xm!vHul@H|T+T&EDx15)d*F(w0V1;?TZ%l4(9;XYAj_OQd_P0@msc z>ioL@Dcgxh%D^0nqc4auP2d^RXu`?p+|?2x(J{H)yrxX|2$`}cNCQU?FJwEQJ}P?w2@{pBOxM&$wNcNC9Z)p^D=TL z3xO7Pq3=d0HT&lV6kAomHV9Q4T4f##Q$47(b+ipnN7}|8Ydhy%zART8a~BR3)_xI9 z5pZL1&Q;3FPg44)2$W%O$U?kd60njpCPq8Ip{;sbLJ14?lM@eT(x>;bhI8#kTXhej zL~?-lxNJozpBfP>xgxIj0vcO0g22j62D(KYczMj}X79Sl5Svm%lTaJYB42R}aI z9)qH1xF$$V&&jy2M49QsPU9qBnQ(H*HUwpfo2a#=UGkY0tbNigS0=?@nQ3Uu6xJ8B zlCDloDZ|mUIMCZCrn6)+5zTt%)jm=2`7e{8|7rEm0~r53IsN}?^@#kR$?5;Jdc+;| zEX@r5CHAoV4TOr=SUU;`*tlxY0O;BNNl^bKdl&$$f5{#I`~Ob%{OyCJVN2ue{$knT>ne)`0JxE{dY0y_%Z7MdU(ET&!Cu70-%hlICyyh z|G~TniT9r%a1`1FQ z&EEWfP7(sq%>)HcFS(f)9~=M3seejx9{H@l(i+$4edq9#ZA`A5kH$PIGwWkH0@FqX zX&W5}JoldXnCSIWtWuNmAZqv&GpkeY zgGkumBXOI-d-)%YkKg1ML%aBsN@L6yW$Z!o>wcElQ_Kwy$vfGL&f-ywOX;dkUXT7a zI?msdF68$T2=0?7`tsGPs^K>l<7&m8~G-uzb~;{ThwVg6^$|L>0h%YVV$ z{FSr*n-DR8jUK@E@B0gux*%K?N0P`jORl=QHno?kv>i#DTGW46bQC4G#|6$V=LVqy zHR2OM%!0-9St7>&0CxV7F@(AmRR=K$KVsKOTvuxsnKc+Yh(u-wh#ef0+?(v3WJ^1U z3ggBYVXTXL$Z6lC0U1tnyZ+pM_USqC=&)WYQz)6P;?PiH-Y?hy4^6%x!Vat4m}iwg zR%;7|zcUcPH`|Q1TWM?NMb&$QBw(UvtM`sz{g}ps*lh|V4|>dSfpP9K^2&yv6BrFI zzyf=FySCuX78ZME3@va4HuhxtOhwG8;~D!?YxL19cMpqS7$TZEJT-9s#`5QTkSOp$ z-wRMzbln`MjxtogweWJWzTRS#d#CRgID_^}Zj%SV#o`T}xey4Q)NmI!=NIRoG!wml zk6Abt4q`6T(j#GBHkQy3A2__cV;rZpT2d2{vlg~RC^Lt~?3R|l^zK5g&X zTzcee6-7-zk0ZaDo3N3R;cmY9-S;`~?npmxJZIo1aoR=vHS5PMRA|rzvEdQ-ljA4P z=GQkZO8M%F+MU%M5WAGO_;f5?tjQ>Yed-@6o)C7OE@`^fQMWs8|AKJOh)n!vFOi-n zK}0u{x~O=xv4#V3_Gp8bh8>ppkkOU8$0b7w46@G~s?`{`(!*^n{ix8K&h&3154rC1H$ z($#m!mBS^Rbw*DsQedMuQbJo%T_1oouP*R~9+an<5AZpycgVKiwA>=Wqs{Eh*@c$L zh|^(SWCup6wLHnJQ+j8GokxHUX4DDrN2EwNm{RJo|QMBf6=aUQ24g%3a6 z0vCUgy0XY`tj#UA=l=~B+r8Eo!Tdfeh&VU5C`Y4-R8&$D%l)mQ*JT;gY*gbLg)))qoAyc_`TWLl|8E<}@s z6)Ip3o4+vlNBc7Hi5Nylsfp3G4hy;HcFG@HNqyw^?Xm)trf^cbYlat2(>p0kQpU`9 zG`web12&?VHJhGbn5)H4oR*}QFIVa1HZ%fWrbE-sWgdM=>G-Big(SmM(;wVLrhQuw z4?rH5Y1stBBu3J+4(iR{-^eo3In6DITRIr&WO>V;7e|E))kWCLO0yNm$+ZL{9qk95 zNNx4@wj4z2n^$TspC6v9PE!xwYOg?4IRC!)=MQow9~UK$uDn;Gx$#n=UCqtOKA|lH zCoDN(Rx$#`2_{bLq(0JgUAR=XI~YpnvI|B5Uum_5IQ1_2`P2L587EmMoU9EtRU<|Z zl9_YnWFqEq1BGS47Fii?m!V8*E;h%7buPfvp)SqUMSAmpI@=B6jhEV39`sjZsWSgye#avtPE@V4Kf#fh}*c4#7R}mY88T=2$UW_ z1*^pgu-5#Wj+A@j`pYHJ55Yf0>uM?xSz@gu?33K#VFnb=%PymQoGojKfK;?~0cSB? zZ_CkRVlbqHUbila9>w^f%x~_uC@@Q-H8y|~jI>5q)TwS65#`I-aM(79&h^3~_xOkE zh?R8c<>lIBttO-{W(GubS{a9t3SusY!%41`2l>=VqAX_URrRQS$`0rJ0w3G?HLAyb zNi0Vvv8ypLvhE#enGrrREYs1vKUAxk8rF94$}P@Jl{ZXGHD{@KWW>t7v$twZta-PN zVhl`d2c$}Blq%p!tAOfPo!)VoI?PUL@a0FW@Q!e{12F_h&v$iNz|;{-pwf!LfhwXC7c?}xykm9rhQ?^ z#&#FE<1|U?bJrzdF`?-q>J+1Ta5N9yRP`Hvl7ZhfBEQziQts@7KRU0l;n`)9MuF?E zu%iw!klc{(UsSb)rVV^vk}t4gN633Dv_3CB|7^AC<+mh6+35>M?|_r`DTMvGRm}cb zJ}Yg`1sp*tJVThQGjvy>{|cF0GZ^<%c@*j*n||5-%W@`RiM^~(qh~f)xi0=7=O-ey zkK9;BP4F~%;C5oqsGMXxBlZNU>QjV7(4qQkMDN`IX$!@KmHmqBiX$l(PZz)G`^zil z7a3ry;14_OEbIaz_!@kf0OI7t^vF1TX-*7N>zHyQ({1s%jEv}fK% z^K+;UROv3FiyTT$H~ro8JH>X}o(F>0*d$>V@Jh5S4X*T*XVkW8H2$Ht!9%UCp=E-OE1Dxh zXS=Grw8<&Ej0g`+dWvEuhKTff;%jQ2Xms&{ZE3u+U&kPgWtPth(l)Nw-L?$#l_&U- z&vEsAh_Y&rL2A$2bo9PTj;0*f$Dfz85o?Vs+-&X3d@Eim)2c~J-q&;BZU1_oHI2@r zX5pbe6eTsm?M(LN=YuEVQ@4AZg_1*t9Nv4}oDn)QgnEB2v{p^1GhD^qNT5(47{xbQ=%%)aoC4opZTE#Y9Nw0H@rBK~24G`~^NP9mt^aX~5uNWg0e zMc^_b&U2l6h%)}-NuDTGf%$H0k;3Dd613ECJVEgbg7rg~uqY|M@^r+hD*c=bJjrzy+#~&G!+{#>`S|iE>>H%)B*@Mkf)$xZU)#1A8ZX@oz`yE(aNxV?J$wsS#6Yq;Di;7;> zM*@X3=;18oePyuaGG#ilIVv-yD2=c`J`GLfSZ@4-&_IZ^ySOg)>24EaOe^KI3D6Tg z0ct-B3mW!;nKk7GNSHNc2MRHzEA$k<27X2kv`|J$ZnL<10VWt<%~x2yoBM&t`PU3! z9d;(!G8no(OiX-eTf5(uVrp)ncwTuNYQ@0bij@EU(k6iGk^mT23vmbuF6#Y=OL0xl z0;XYy`5O)G4ONNdBVre(HJ}r>4p%N&;*Y52x2ZjW0VC3O7wOQ3S_?+@BhSzrHjLme znb{QsJOPz81sUENP<4sF3>wZfpR0+vs-$dNb@R}(#iT(fAWMwXV-YF4h0f-9N*9@3 zhFNMf%(m`dEJ$RP2L83RnP-fIHbTl{c*+$ni@+Vy7qB?{wOp8GxW}qSO-pHIA^qk7 zzirLr&IXXuD(Xvy4NV-TIkCf-Di3C5g0z1=L8O4Jllv6c-ePj z%Qm;eJ>KD(Ce*9vC5*ZUcWp1Z5hK{#=iMve;WT9DivwGCkBh3;kK&;WuWpZMlZ}On zYD06NJGLiAvv-K-*VGz>T>d4XDlEsJ-mfR@onWZQlvZi^LC@fVQbIe=>duUu(NUn1 z_7O3ot~Qv5XyAZwoMWZjt|Y)#O=i39UrD%{0YqqPdo%mN3{!LjA?mnL2lFXoNnz!2 zLDpjBW$%DcB1SN_2D1oCB^bGvpByP@LYmIJ6Sn?9(j~x?WVs2k-M$hqB|gX zImY&igM=DmCa0t1z8>FYVQ?*;>K5}(vduR>>JaDY?PtXQ4P>oN@h}q-r*BFFG)L3+ zX+53OOaVhf09E9I`ZJ6)B!Aj)xYE3dCH+Fu+1&m-?7A`L>8<*O=f;jlCrFjI(v4p* z0JHcvo7A9gn0dUQfVM;N#B*-Un`fGcK?8m`5Rw=Fe&rQ;Rss7eQMci~Qo$r2>Ei*f z?i(^jibDJ}g9yO;@W6rmhnc20pMd!4Jo}Z{6b>D%%OZgG3Qu=Knp1kqRY!hmxUK5kkAkL@o?0VK7vh#%>@qY>}nm> z>U{|cUnrwqISn&Q(;P11wUX@afcFS^1ggU0m^Wc zqUyPH^E&mpP}4EHW9mo5h?UK2o^>uE&#}*`DbMa+GjBVoa1vgR-O}5%cs7rHI-WPb zx34`Nf8|`?+6{Gccy3!Zn#Nzwg?QQag4c=4;VHdKcqy8(vEK6=4#W3NV|22cm04E^ zq*YNX+nZA{VkRkfF))WPqRRqK9>%tB`V{O7LOg2+zyo+n@B6s$JP!g?ylyK0@KN_D z(NaG7t%LKv&Vu*c_hJ1tUuDS7;9hl$G}rckgP?uMqbJCRy=HUx{C=$Q)Q*SNdidP* zaq_%)11Uwq4knxj5aZqOu-#H&%-sX3RT=ioZ+{AT%I*Y6w)M$)+A3d7$StcI+H`VL z3#o4>nF&Lac~;JM3Xu%*JlOEKPJnMqA{%4@+R)E6Mc zd{F?QQxrVShdk1YtFtq4NdR)m-L~mRO~?5WVq57k>fs8(5#b9oG27=rpKTINWWwh5 zW)KqIcOHD|_U57JP*N{GRN!mrHKjj)Vue=7rO3D5H&)AsKvKx&O@s1Bod@-HEI?j( zPH`EL!pYe3d>xqDwt_Jpt5TZ?HN0ohsa39mF#FCPm6S~qFf?aiQKoaD`3Q6{3&EI4 zriY7~3gvUAv!(my44RK=N50$FF=Zm55W|6>xySloKf=Y|T8ecg3~klK{lOyk`s%|Nakc03fZXCy};GS65*sA9Sw zT0=3FY6vie!IY!4CR|2WNtJWils$uF#3SBY!W3q>Gs6REpLGMq_IF-8GsZR;5E&hv zzE!o>V;hRJ;5ISlQkqO(I@vQ)*v>|x^-~E8Pfq#DpDzb}fkZ*(%2}IjZtgsNTJ}|^ za{A-V!3bz>?lYb)J)^F^u&HibZ>Pa(FEi0LT6ZMF+?WI8s3)bN)q`2w#S2T)FQxH$}xcEn%ot#Kc^iZ#Z~Ne%FX-kOi`o0$XKmi8Ub$$=UXb(qPn* zUH&S!uNdv(>=}wnHpERjrf-OgCiFRZ^h#?Q*DOMq~{jg)`b3L{TDQmF+cFoP$cpIT{ z)RSCiD`hrU+)XM@W~@>}ON)DEo%lfL<-H}l=C?8&G2ZNDCRp3^;y`zu%Ik9<<}|^w z(vJQ68i!8p*a9P_{c_@JTYGEfXlXpHf=ik=9(WDmJiT$stP$Yl#sPy_4jmQT6$}pT z-wU?ApHCqHGFo_V3WHMuUb-{tYk3KKNk9`)%{vCB$N-C-^}=77#^)-A@Catgz!b`X z?a%RXQZCd=Es(TI4kw@;i5@>|I7wpqcS~#+!i$OuG4hH(89t z22{*|fWk$c;Xc-;Qz-V(4uIon(YRQwb zaO#h$(vqZF8Hj#cU%#5Fba~#U8z8cwjn!odoDtRPUMW6}+dtGVpt2S!veb2XHdRhh zozZT{nbVb4IA2}876u6nrWlV;{1SxNEE<`aaS6A0rg^pTh5f4?5 z(MxqmvZNQxGT*?2PS0`mY05XONHQ-#-r;X`=a8UJKa>_`t`E!f=EAZb$Du5X3NPbn zm*ej2YMJR(BBHDe5&bueL$YV^MLqs{y1jNX@MyzcXV~Dy=Tfugs#TGo#RJ9ixssEz zd~MxGDgitl_)NJypuICEEjzEBJ+12gP7b1k{Nc*tL_Jh^2?iF3uKvPa2p}`WG+ALi z%zHOPyKE~v83xqPv$OH`KHQzrbliSPJ(__pdXp*^w)kb?B zjc`^-M?@f_rn#%Q-sSSsxM7p=r?rdQMrVI;R+U@QKupb@^Dzu>lULbx;&!`N9g&T= zT)WGXpdct#!}Hc}-6QSA!*jW8j*Ku=NmPAP3zAcyZP;I!DB)B?;(xBxBi& zx&U=aQiHUvzV7wuwM%KFhEoT3$${c7(&`Zq(u8p{OZz7dijGSMd+Cym!{}DC0!YQk z1Y-?}#a#Pxe@f{gp`!6LYm?Wp=Ec&!tG~`F0}cuo1F1y@2nB8pe?{E{-A05drSnkK z;QUUrT&D_12agfj@NuICs>2Cy{$WYoE8Zf1!PU=AicKS&ngt_vF?C2YnSewl$5{P`C0+#2}uEB7QNkkuI#na=my# z%o<;v&#yjAY-tjL6?0K{hx~14jF{)%Uym1R==FF4NhaIwOGbv>CuM`t#oy~L!p76V zSAi0QvbbYYef1ek9Ra~YNlMAyekq@l>XUXI%FJ|RdcbAMGi*Pu&nd5NR*PVotQwIu zToaHoB&T;91lhXg_KUVseYG`qf|^NvVZlya4a?FDRYN@;flh;%o5t6#NMPD|?HYc>~w`KYP$5}ehtN6TJ~3cM($gpO)p)}KCtD9G(|?rP{rrr9QN0lqscl~1G8Cl zm~Dg2k3v+O!0#X~DI%9{2_{A#JhgllVI1tj;(0XaW0*yFel24@j2s}y=;EDRKd|yf z*`j%|q|W%B{$b#Bb;Y!NG3)vKwK-}EXk=rY*_$O6?12DF$;Mj>3K2Q|+3N>F)wc;QykGD!1flP7a6RG%MTj2rJ~k~}!{b2A_r^0c#u?2| zGpn6|6}7Y-gv?qdprT>yg++ih-SNd#E(c#aiSny0XIMol?9-JSrWBN?4&7>sG?>!e@ek?K|3e8QSu>cThBg*~p-tjb+8XgtOH-(*mrXWpA~pT~xSb zmh;3bal^88)3(M>!Tqtg^y|;$HIa4}MR>uT45q(7hk(0W=6xUta}?${(~;YhFiee{ zSZGtZgz^KqS(GVd{?9m69B{4?ET8t`s|UG=FOiYVF>S;10V=^w2C%s`>=>en*+RIKy^;8GTsuhMi(A z;aotr;|S2u`vcsW%z2ylXKOZ#UUxR5P&~F=0DmM+QAXN;E=$QOg-OF0@Wop@_6#!h&9C=?uII{+Wt;ip>|zz%4wHlCvTyzC znA;-E*L>0poqR|G0%kS4aG~yhuc;{cYrM+GT7q@@C%M1^%G^afW z=InajC(wy>hH%>o!69+14*7Nd)a~_{{S8hddrr=1^y=`MU$D>Zl=jygT3$ zuIF87qVq8aPt)ll+G%Z8)5k>TG+n``<@kx}SjLi;>b%QKPQ12@#bu$Tq$JvfmjRW+ z5;uKjxC!==kENRzrnnn}p$3%&LKMWhsa3pCkkBzS*T`X}l6e;kRE~h+0}{5$S9viT z*vl|1xAvDLoaj72Zm~ik-xI#es43hR(Ggn-u-O_Fj!GFW(utfMZA}?Y*MM$S^4MQM9FiDsbf8J>CNmHR#u2T| zw3*;ToMWBiW6LvT{JBy9Kb{`L+JIvtPF;b4WHtViWNDQ@0o32p(oT2)cYoR4+ADa6AsEL21}NgKtF< z=~`*HxUE8&xUmG8{IZaJc5@S?9DW_Z#puw!Lk1 z<`(PnkGeaXG&19wn74*0uj4*Y_9F&x;wJwTXGQrn3%AurUJgFjp&pxKo((g{1?}$w z>$$VRJ-NoXo^E2`OH>p|A-1g7jq$r7s55_Jju!}Ed*lDLlOiBPV8o>rLp9~!Qm5lG zbjd+@t00k%O8o&Xw9{1*e!ow;FV6jd-!hKCgDHg)o_kYz*1Gn-9*q?9`To)~X%wyBqNiDjjI~X(sgQ|1MtIU85K}p=q|Ii* zM3V>%SfL3_@m=*22fhmMghLPb3IU{QU%6Q4&l3~pnxqU<1?+kj^7X=kNj3tMhBM`T zr_nKHtd?Fl9JoH7Z&2GFZg1xcXeHkUSmX1g#LbAGO3|uBgxsi%0Y7NQR&lYJTxJ=p z?|lAxJDg$6*uua)k<8qXMRCY$mM01Q7zDL9_C!@Q@k; zyR`^(PQSho{RIioAul24WJ}*vnW2>gEtm~eR+JQ+m@6xJ6hEWRbdf#-@{tfd=AX6&k9!6jds%A~)wV}oUx4V43$ zFin{~Rbj4`2k0txqs-YfU}TgA29|93f@3Bh80+(-i>Z}?#oyVOHl*Nje$&|}9jelGDD77v?eC9m~}(o*tycO2}2UQZkzSLi(q3$JTb)@`*8uHUQt zwAL=~GHZH5oz3x2X(6m5*;u_RpwM(`@B-dksfZp99QQ1Ta>WEgwWt#2MNgj&QHDDemO1Cq}Ngl=x$jy_2z*977{A>xl!6yBF=> zssirlb2_sNBF087sEz&I%Cd{1AgE$TAbFN{{2YahK3q5z_J#PS^ecz<(ZR)%1^#O8 zq{s%4LGATpah2AD^N%lJn0dG4qLz7Pid#CXBsJGVXbH-$4pHu(;ortqfn}MiEZCv% zDkKihM5rl+qaEo7BuLH6lc(&VHEdIB`-R}GH5U0LLhmFCPhTg?!-NI7D6{SoRpx8h zRv((8vWvl6-y8FNM*tiYXm=W~Z1V@OCA5T;3va!*^;zB9n|6^3iKMn#B2D&LMQfC% zg-f-F_M`V?789DyHo_vVq0(TvR#Gzw*&T&YCKc9+b4K2=?sF(xN1u-9R_>h}Q ziAsa>TMA{VmL`}N^ZUpiI>iE%8*|wy>@ln6%0R1>4LU2`bQlYE{nHiF(Pp_1m@&PQ zy5+V5u#2%NrJH}TuN>=p;8TzbYgaLlgZN9QI6G6}IJDnvmo&qS)>U(=(q~OAy-q4d zB-Mrnjeig8ErBit39)Tnr%ZWfR>MbFC)dJ*eV#sq%m}G5-522v%<@WqBBbvWY?Q!3 z@OC$!I+bR@N^=L_AL3qNf08%XWOi@@_FEFw$Rk>1udoowNiq}(n|_BBjTF|1jSr<7 zhN%>OCn5_Y8jj$fEFe-RJCDnDLf%(Kk4%>2H;-7&tWK}F7EJ|LOAhKsTs8V_9yJMD z;jnBKFY^?$6)j>f&pKe1uJ|eeOTc6qz{Pt4Ww=YR+&85QsKA?~{-eklUkPWize zsO4h`d&B}^ZsckhB@D#x&-?pE1HzlO@0r+D&Yw>FCKSX)oSv4y2ZV~aH13DmX`CaME(!1htv5b4CBV({_!3f6up6z(eiIb$~oh?&W|*NM7{{!NID zVzpxaZUA9r2%gLU>@hb9{{p}r4uHK%{(u4uSI{PD4(?NYm^UT60Puy7mW}?k1{n?# zqW_SYl)*;I%7AI(|LB@5*eN;R;lSoD1}4~8nFEU0N}S6uok(ahJ%Q6%9mrc0`Yp3` zLbK!XWge7a@xfdbO?%Qo@W4IydJ&xx^>sxFRrJzgH85y-WUBY`G!Ex!&_2?ZTimBA z4)8(IabSS9oyFtrl|}mQ@d19n2gSVYVakFMQ($|&_kk*AH5ifINIQN%t^tAzQ`c)C zLx}C@G;Kcd*ad5U5a&Qu(d+oddjdBf^qC_@W`w~Fl5%qC2x9e88Oj`5kA!1S#HsK( zrC^I-3SW!TJP2v|T2WEktGTBP%f2f}rpe)jxf>okeLZpOA13x?{_v;-S+2+*VUBf3 zooN38ai_#}DCcc2-Ja6z>qf~@T{rPAL0rI0nYl-hLMMzq9TbxpFKUJz@nf~$+mbob zJmvMSs$5wKjWu0{IN#Ks`FZlI^nETh1nXf0L zce^7KFPujO_8#BRSk$r!ks^U5%;sJ7COk7=_>LNkRLH zrKa$vX?)cFd_o25=3d@#>~SIo*^J zSSB|uxcG2*?MS)Wy!CW{;+%YKnDMghXe=-@@jWh7>`o})Nqi$+7ZOh2H8Tmy`g*&Nn1Mxrbc4SaBIltTkQb_LuT^Ek|Q2Zn&K zw{C}J;x};S1~!FjBV38X!mHrvhYfGs%XT&wMhr7v;*75Nfo|b_E@*V= zt}i6%1^zlo$9DIK_aN;>9ZubxvQf{SZ#V-K!xFJG<2KGnn|<^7*Xf z@)UbMN#3Wy$=p)Cx;J<**q>O<_e|KEcFtNG8oAiCMO%+Cv(o64H<&Qbr}ArA?`bL?|-<&-?wJ;~wYh-rGI> zZ$I~bbez}wzR!N%=UvassGEINJwM6YCaK#ERU@;2BtMUdg|625{>xq$wJPoLuYZuD z*QOXjy8A8J0|P7ONZn@7Xv;9&t^=ufL-R*C zU00YH<}q$h)7TuDvYWPg5tAHy`kcG7jII%?KXdmfR&lob{NTlHsmC7a@oG-4O01&$ zXzPuzc{^orJWH;h?O;--j9g~#G4ptdGj8W47H3VL5>vS5*uHNxpIXaG+Z;8^n)#=m zw@gZCSzhcD;cax|(EKB|k2X%_emEUGBf#v)B}av68|n@Wy5i0kS5h;b z)B1GUsp6T(oYGrAa6}*(;RmErPDg*DyIfRQ zvxFmexVfF&k0lLJS*ouj^KXVs3l%s!=R$L)RKQ1^TNEP9(c z*w1zzW1cXz(BW?Gw-0iwXGZMp>sFe2#GwBDsJl^&Yq8hpEY?lQj}j|-#C8vw?oM}S z-rTbGN%uzAZmA>Ioa*i<J49Or>V^AlI$!SGQ>?`D)PlkM`ZloUW~K>vp(@?CzH= z+p&G8*u6HO_S-Kbd3?hB9Xe5qzH4^-_#&=P=#|o^k}|C?JtaK1URO8MVP>pzTzKJ8 z@6+zS=GD5d`)*Nuvc3Cce;;KHr;X0jgI5LTcu%vm`cjkK`r~SXg45?`miiw0?^4pg z-Ig>waO6??@++ASMkcLITeZ;c$>t?`TN(D@jk%Talj|UrdDOx~rVbH39|aVB)Ydp* z$UHKA$>F~CjjO+S`PnHhC6h*$DT< zd()W15{eNHH~N?QuL+zMmb>F)zUBK-n!XNm?F;6Anztp6>OwCt%i6AcZ>7o$LzV23 z`$3cL%4JqfA;rv{Kl5h7Axj5??L5`{dS~B_9?p9-nlwK;iTo;n77L`DVclCWIco4)x+z; ztr>~47rR|zJj`fqGK%O`Yd>-CD96%QP78du9}cZ}Aw6xUOYEZQUrW}@8@Zlk1nbx7 zuv8YOx_R5Ux|k=`=fmbv+t*JUbXe8bABzqdnR8w5zY4z_TjN~!`Mdk1sUK-^3~h;(7a2MC zqV~PKI=TOC-TJ5R&ede`;O6$E(^)m|-tm-5i=qRK^+War?320BU)gM}O|Z7hmc~c- zvgM!qD0{wL_t2f_KpUf`yI&7)l>feP==*r9um}rv zW2-j_iYgypD(EGbN3&gD+rzs+Ydn){kMF6ttPwEzy@~O-#e2@E?W-J8aji;vHfT~n^!yQ%tYlqGzE9TMyHqAs@!Yn}AJ0(D!usua?=`+)>r$Q!B~LA;=F{hg2cs{# zJSN37_KSBkolJA}elTu~O(KOeL~{SO0of{RxTWJ0cd3qhTK8UI`K6rFi~h5!imLCu z&hd}hs_xUOAEo>_VcLt_1kG#R$jZKZl#g0 z`=?KZt=B@5`-ZpfdGsM7V&2R{)$p7F{m9)31JkHZs|T&#-n_Y4&Sg~cBl(sdKjaz} zoL!QS?LRg%3*uZx-xqIZ)jz5p%oO!#*aQ}*D&1N}M)~LwM_Z(n4 zaNuT%rb*O*T{9fUA5ziR|2Xc{b7xn>9%1%|CrRVNjZP}*H-$Nxm{2d&mi41*MJ1le zH^?x^d=@!}x;880Ea%ef%_jS*V~i(lJh*tIo_d9oBen86H*n`X!R;}fAP0cHRNL;hz6do=JUR*}HqafvJt=Te5ztU@( zx?+TNyrTMQPG~~z&BR`toegG{&no|JI?pzbtG1wS(`~u*`=;`thZvD^Dre8?HV-F7 zTFto;cCUZ*F{7xtXJrjz=R}=7Yi4$T&HcVQF}9LylT%wB$+Huj7v9c|X3aBCFN>b% zeq2*3`^VUbcVyf3SJg64q$y@-Jq}7tD1Ma9zD3Qszr`%H?XJcEjrhVE>%ml$R=>o# zvJx5|wexZ`S}olDT?)-;?Ay5j)4;<+wd-ch zmOHU-(YS{dQ&gN?qK?GII_iv2tZczr}OstBXvxmL#|Rm=UxE??EJ<+|PUm$^6lPVnaq z%IBoYy?i9QyfyWZ{~^ECVNEw)ebTGWa=GsJ^~I@Sq?1(*%rPlFJkAyreS58yK4-1M zol&Nvw(7{3O_tCZ6K$+2vGvwK|6bA?CmuWUeAw4sS_M7>w`QvCUcTkHZ0y+Ffx|*8 zGUGS9ZEc&}8hz%ElAy@u^?g@qnRumcKA$ma{b9Ssv{jStbq~3oIZj7^11C)S#kk?K zo@@4k2go|Pk$Pkue#n}$9PNiDbKOf zRd2bBb(T$6y%oHrx_)f)tPP%9)GD|sn=7n!{1#+gS>)PNp52-#RW$hRc`55bZwC(i zGRVeogZJ3;vL}{o@MllZxv=?WX!QxHs;%T`F!b-P2KF`gy6KD+l4oiqA3C%l#l9<#Phxj~0FnmV|_pl$D&HN7&EX9c{| z%WO;DxU22%J^eiE7>`Ru^-kkh=eJ!@sTkuQuYTlQza0wuv(y*oWZ32;_**QxIemsv zpQgKG#xI%JeT%`7#;qB-2jW@=w`}#2Ik5Wuv6X2v2fdUu4&kL(?JpVfK6Q50cYn#! zg4d~iMl1M^c7Jqonai%_Dr@#STYuMPM$ccftH)t4w*8t&8|vrR6{~ON_}?&#vx%l% zHXBl)tYfx8p0<~5uxidGgNCp{;SN*HTBA;w>b*HQ&wu@d@%15dJ)ZBG<1DLG7#ut< zf#v+2rDrRjb#ZXtA0Lwjqy)LHO}&chMr+6Py^0VSHSM3hE5|DE;R)*o)lzysmU$U}Z)Zxac z5k-ev%MNj6M%`a&aq0b9gX&s|mBRuIo~l2!cp~rN@Yv;C{IY}?nfa}k$F!xq-#EL* zVve6dceg&(LuHbmw?2KXdg0>n1^t&OyDGggxu~e{+9+|~{9R$=51-PP8%3$IlinHW zvd?H#|CQfYjLN@%;Tz9d>wEcU--~T3N7DB8ulbryKYwuh{_~UOtO`3m!Rg?0k4=>1 zK^L>P%wWzrD8F%A%NF(21!GT7nQQZdt@SyQEpKuxY|e-CT8xUQ$$MR+o?7wh3rb{O z6<8jfUoiAdjr~*4@B3e-vY+`o8|W-m-Z(8T>%igUXQQSbimloP&Z||K(RvjsuwAA42#vOM8E^e>M z>*IYXcA4(rrj_&_6uIqnd%sGQ_$!$&8%cSnIPHgBN#TX<-pWb^lf7r?&U>ykHgK?! z|ID|qGj3%k^gpu2GUU?715a|~lFZl(-aLFXUT@#V3ayw8u`(ANKPp5A9jw{r5}B5A zYO;C##!tbsLxLN3_ZRL%z9LB1fs~@j^np^3v6(fK1!~LyHO&MeN6WjdudxHx=-oYVH)n&3dUK0GqStpjm9(Ar&v?&2kh6b~0(cN4}X+f5i3vGBIt z3U=hC%yJ*b_K!aAAC_Emw@^KwC*k&`dFhIrjoFoX&(1z{y+lg9`m*q)M6w#o+@;h| zB5R+-dWp-&6(a|v&p6?r6~8HHNTb$lDV_Y&Zw9Y>XuSFiE#m`ZK|2wksot+;e5C1y zS+Puw!&}0uC_{R^USS?K<<6m`rPI16cW2uTI@vU?SFluiyk_-n*%Y~T4qEOG+uLwYRVN9g|5{O}x8X<8hAcwK47+x@~E+lu8}F&Th=` ze(7^K>id5r9&Nk4^s-)@MZ}qn&vq*HX&buESF?JdRO%#_yQZ@J0mIn``dJQLmm)ix zC-M2&6Zy9Zc6x)VW4N~lz9HQX?W3#MY-HcyFrxL&;IBhB4YE|(qkl_I?Y_PDuG2X@ z`BJUwb%u|2_wro+QtE+INsIj2(Yw}`KBRam6+{n`3gLF^Sre8@y1GTm*!o+u(Ywe~ zte&lIF~t^Z1HT)k-5FSTVbav#@lQRHN9+oI>G(On_%rGHoqg&GHa9Z;HGgRDQ*V8# zdO!K4a=`5xjoX1=vWk4Sge>Cx7-q!|T&5{?>sF~MsrL@8yLy#7-YyvUMf&Idh_YWZTIol%vPX%p zZgcW}J;^Qm-&M|~ZoV+0`PqFVa++NHzVk<)=p0;e?Eb4zcS}ERLgPW!x+15BZDiVn z>f{kGhwF~Ku{maI+c1-jMK5J_L(C~w;dR#znQT~Ta;H+(bj-M(Z>!S1h6KsH^&Oa4 z`^~S#^RxU*>sba4UpBHF#zn>st5}#2RBX29L-vT()aeyD!$;WVZ5x_V%bZzg6D~t( z*-|s}w9@P~uMAqHj2>O7^N!neq`0!#_ea%a)k#y#w7rv8oozh)@$$h*LFUP`lg*kE z;;iEft7yhr*WUI&^}1p2SFK0gO`FxJg@@GLf+#=MedAb!D3vF@_IUW!;~s4gN#%f* zk%G~T{ikOec$9}*`?`2VC%fg$&P#fCEteL4=+HM^pWyEyoFksWe*{-CBKIl8?N-rL z>Jw(>_+;vW)E)kxRiba*Ylv?h{7^nV{Y&q_b$%)mBX&e{-YLHZi3$u#Z@&= z{Fba$dVj@liN4RC(65)bE;>H**uudxN@^-`S{uoW&wM2Pt|VxL(Ud-^X?{y| zQkp})UOpTtefI0+*&qAXmN=;_R@#>FNUdgPO{0oI#ofxSrRPHQe6|mWEh2xZiOccc zC@no_sY=h5IL9Ktn`UX=mZ>Y>e#})JvFtuWjm#upw>z$0bmel;e3zVCPaCs7#GRm+ zN30CI93Q;Qpr}l_u)28rw*v!W6^2*J!^_d-OA4-fpASlLtIfZ@(XOI*;&+*C*K3xt z_9fePyZXSALsrYWC|%okPEDz0h>fCu#JPqd*-bYVtJ9e?$y*O;Sy;OKm{MaocXdfm zi)_o)7EPA1mxjnoN`^e`f9Fs|Z{6%BSwFwPo`cdnn#%GQwdJcleX*$3IRXgM+f=e) zyUgd|?kW}Xqel;ye{u+NlE;6&1^@vMY+kKdp`lbd+$;RE6cNe_f-m@aB zHbk#b(szK1oOD)oe;3QqDLXdVY`Iz+Y%c%dD|y72uf4S=4!@YYhrx zB^u&;El{!V_TfsXw*F|%USu<)#IdF`PY(^tZOCIt-agn&UsKex;f7XRj^Y8^Se?kB z2`bw9CPs31dG{5<-ZoXs>6OjgprB|`9kAE=R*DU^!ThE5)^COPDldeM*-*4KYD%@! zly|Y&DKjHorEG@1t5w_ZYVuX`R%3ta+~C;Mir)R&rd^oAO-fjNMl*8XS8BxlFCTXzuLtm3G-TaTTXP zt+`(r$nm}LDtk;|h}OZw2BQP)DoXrW3-%oUkk#58{G9n>+|*mtJ?j@{sI)%VqilR~ zoy@)ZVQY3ymp*X1xcQIa(aRbJZw~Ac>{_GNW?JeUWL)a|Wp&%*CVE3_byGl5@Y|Nq zs=n`MlmzUqKm11C->oP>`kPzPT;J9l^+Hbnwtl;V<1VSSeVP+q+q^H-T-EyRSo2$% z-sa_>9|WICdi8zhkfkrV#V>+x=d$~!b-PVk9;D$A)IIvmriixlul!q+tHVz_J5*ID z#a9J{haRn%!Q#yuFeD~#{KoQr@uoL4^E4iYI?Q)Rh;+q6w_}Hn@AqzZ|?5a zZ!CWQ>F!;9*P_Bv&2lqZuH20;xRH1JQ>k*qsdR^sh^S2t@)0w>eg5F!|Fv#X8jUx{ z<(yLd+JP-TC81s#_9q5Bn(H^8x~0CapXII4Bk86YpYELxc&B~3wy$4!M$D&P(^Dsx z2Yz03y7pnhl zv)>`VEealS8w#$EEoG*RReHWwt#Ed_ltNZ?tY6fc8@U4$uTHwX^hl5Sf!x0DUDxIw zEYB>T;m4S2x_;~V-XG(R-kc^o?2Ogqsd1hO+`L=P)|U0>c6rXVJmJZp+6@UhqNVTB zBh_kV#+Ck_%ZksjSDhcMY@vF2=?WXSnyCFL{@&Xxc3xF9C~`aIbb9y4lRvz7f1K*} zI#bzQC9nU}v-_vf${**9%yINuoP9CP`g;?%?TVpa;D~1jmVbQm{J`mJ<)f?{@0+|Z zHh*_M-jj3c*`Z9o8^)3cD&EAOYAU}eH^-H>_C)S*>gD;0F0*caqMMFb)i0obO1dna zF1M+_%y3ot<^AqWz8_F@^Mpido^+3+>m~Cp$5l7UKbYjOL{53%+?WY(zuY}PHe{j@jJ@VnjETZ5X&Hipye#)qn9XJ=h) zdOkX1P=@-)`kcESX-9k2`7P>xXXE*8ud|vH&U@@<4b71-+;$>GzCL^ARNrmf#x4D3 zCf<-A-4Yq#JTgmm3R59x_#TU|v_*p^=;>Bgjk42ANM5XZCo)0({Iun5!QJ##b_8^m z8w$%~ggph#W-w`}2KpjRW&Z3_(Au3QH2d3RW-JOnnHd?NQ^*v$*vZT&^uI`EhNWy0 z$>P+>o6wYhOlG!s?#?4**-cf=(mP(>mY&YMuzPHz^Tpk~vXH}-GK$6ayP0dGIPZ%J zt5RI2eA`v_wRprRnSRf|UzpafC9LIO_V=;_b+2Sze|9Tb?YeqZ&4HlV+afKCR6U~F zDz6+0oBDp#=&PC5GPnJg#_##;kmO_WQLpjxr>s3~VfIC(5As^v^&^5@cG|2?F?tl8 z)@Y+&8yWZLL4;O#d~RLrwMN5B$7C#%UXgZ|?y7OS-DFpDw(N!RU%Uw&w{OUTd8OY^ z9lE`6aN-=-MDJyNj+W{SNW2%y@Yx>qmFAXcYIb?A~%C5fEbFN)1-hR=s#XRdu z>;9?53XAJg5+007aTv*%`yi>O{Hn2q`Dqz9`n62)lWR1;9?{yvXmE@5&ARwG?sbKS z>qv}w!67q;H%^N+3YIj|3NC=6%L7^z%B5Nqrf+N=>Z%zWy7WYv&gc!T>jL!a^zz0x zR^3c!D~r}{Gq2v7XI`%zeAKdxBp02Qd2QTxYlX6^y`QXaKGF^5HV$KlMx`B>+28u1 zw_%%RNu6&}d{kN{?MmI%B_XXFvz`Y>k8JVqkuMs}ep$Bj&637xM_)fII;RyFd~-+Z z&=#+RHb31Rt@G;h)6RHpes_72s*C={|B*(Y zC=D8_Bd8}xmxh(0eo)#psDt&vPo2h3-zJSdh5Ez#NA=hOIMA;Err;CxE8Jetw*cSv zwg4Ne2e5_V2^4Rcl<--2cm--3pebfVb|sQ~vM(zwxRET(W4 zw+{Lf1KKbqxXwRGCq2Nscyw${#9 zzlZz!TvUFfy<6IOc|YR`bnT70l0CNe-g#;C@P|PY-{}}CX&Rc1vr_&lpO$Z(zbk*) zq@vQVAEL&$bx*81mRIi?QB`4iZ0VCF1t&(tts8vnP}ssRieWvw1xe0&L5nfF?pJ3v z>|NT}Vb-dpbA0EyHTSN}P(!>y|Q!ZlAm#r-T(=`J7u`Xy46OraYu}c1EIG za)Fh0@&xO1Rvy=PTs^sZh>LZ>eMjFr9vi;Im)x~@7`M0Q13jr1to+lP7Cx*}FbI^W z^!2}gaq(H7n^6JXa#KbvNvz|USE;}0!QQ4^_g14iM?F{S^(!Ct+qRZkxxk)Qo31KK zv&KlYRI?|_uA?879Fb-7M~~{h4UFdQL4AtWlhRpl`&PU7^&H;Z?N+salCJBltDZUE zE?4MPpO4wT_Ez!iZL5{zE}nhzN6#OhR6l+(i!ki-CG(FPx9{vujZ;*TZW+AtOMhy} zAcHdlIYXqV(I#alr;ar5IrXSCRsU^Vcg}^lpt2&vAM>Mw-lZL>$?5*F-0XSAiaASX zN0E;ia8eo!cU{}p*r#UD@@SHZYU7Ay!*`lg4K(#Tu)^fU%d+RKiUG4vkZQ)I-6HSh zjNX24ul|JS;Tca3TRoa68SzcB$E4u7i?(da9K1^Y$&cpLZo1PW^JTQBh2Jqjl_8@nWXP zRzHfB+tEGz5fI*IDw#$6MC+UJgboI3*-EUZ;w%Ged!maT8W>^oU~f~kL>m;-t(NwWTbOc*`yjQlK{skG}F6Vo>q^s9Kfv+8}h>F|r} zVbdjkEU38YFnHwR!X94?N0r44E*t&4dUmX@miN^Pl9K#9NzF6UIF;|}Hf66aS67nX zP^;y#Hc_vq%UTb~*I&lOyOmn@9o^=)^hK{!EyLaQBb`b^@_WdXEZA}CS;lCa*cQVV zwjs=~=JmU+h7TV%VP5$3+J_ONr!nrM`_ zZheZ;)2NDv6J50$A zaHfRL|b?Y>}(O%b>*IQ@i6z zUiWb95i<99M8&?!KGe%o#>jl08&*<9{?edicx~9-rnule7I!AOcMp6eWb|A4QCtdnbJFa zlKs?67Z;u_hqrs>4$Z7;wjVd}M2Y9_apB=dq6ab#AC2xGk*=Y3#bjz(@9-!4>&~%` zZQiDnHJ?2wa7CWdH8OMPmTgr(?hol3Bk}s=o+Sy6y!bLh?WFq?PJaC)=8oU|wV$L!DOoYir%oTXaG<%gd39ub`6kV8nyS`jXXY0V$cru82k%|4%Dhv) zaJ=1;JIn9a9DcHE@v68rdoI;YJ@AL-iFBIulWj|PJLD*(O`X2=<8{~fb>X)p%Q%m; z`zz35FFH9*&s@5g6}B>J{H25Wo>O#kUnqUgmpI@3ikG|Mj=Lfh}?j8q+eh$iPDG15fOW(F9yX^46+{i^!4#sSL z^zZ_!=cTR)mc96}ihNq4~&Tq~xbt_h=o_Sm$v8sS;$|LpXjkT6I)Z<*C zPMY!;oj>w=FBxg}*8fO}nZ+Gu1J~X>-*wr{_}(3z7@of0&-l{hWK9B$swr>-5+Ai){x@n=k!r^=!kfw3MQw z2cOK->)%q7I$LZ8hK=|!Ib+d+rLlu+ zR-BueUetI{#@cb(AgQ?1Gq<}rgs#}?UDu;|*t4ORhjkjewdZf8DlS7jxX>;+!%_>w1 zLz<*z<35|~ekntd%HaPB;XR#S0TL!N zuwSJiv~8dB!@RsbKt{?8(*Xn)0_#Oawkx=HUXTV{-v#FEc=BUtN;2lT*)8CDS&)pi zbxEdNKQE|Y`p>E_L|<9Y%LsJ;nl zF4x}42IWFW7%?dnRSt{7WY8FN8jTF|9!|#sOOl4GtDBdng*1hXMfk`PQ9p_lJmQB> zjPLL%D95;@NWn>lPYf=6qJ$HFEQ@QGmvpO_88C%=D~5#jZ4;UO1*eP?4VRHU%^ z{eeTk%lZAW@qS=dqsMdeb_W(OAer)PTs_?pOYHnfS_{BK_&C{dP4qNL`ifpWZ|=;Q zBrT8+a10oPx)YKjLXV%a{dcgJ&LTmhTdID5n<2jhkiIiimFKh_r9m=viLT$*B& zfhmCy8Ia=qw~B=(&}xBr_}YihltJtH+J}1#pcmI-vFW8?{RiBm` zP#`f}HN_?bXM_+TuzvM>2@yyJ_w?cuf-ypv5X7P1DG^)}RNS~x@FM0Ag{iPGAxMXR zCn2~bsF)Wv`2|8STN5ILhTPuoBm{TkR5EV#VoQW38Z}^X*Y6|*_g3g#8x#$RPl#x| zfQYlL8o5K=8Hu=<^Z@W&N?yezgv=%SGTEZP578-WLskR+&Nd^{1K z5YdsJ{+maBDn9a4$@q98J|UtbJ2rXzovOtj+2Q@FU$PMf<}`$Cgz=k4b}D~lC;#He z&JZ2hvA4H=r$lf`P+eGno9n;`v0$?(S! z3g;I`czixCObGG9{@>A#@Gm(9eEmjES4N+i~8FS}?afTm>okayO_Xu8LHC zXe9P{#m4#(CJb@vcM^t6hQj$p@5ja%BuvO}9(ei7P!!HDMiB7UBdD$rAy|jMQzE!( zQ8>RCLEsVNftf#}rTr=+ zF!;iZ_{|Xrf7yyc7chh`VSEz|wkr4pV~aQtJK~EX@QK$G+qvKoju7D#EGqq-Du9cQ zg3rZ)(q9Zs;Eb+_byBdo+;1d_zv4x~9iI3LMihKDEhHT(w!_CKMa#__Z9`IEs4l9<;n#t`GoTXcgN6EnK3VV`^@ZA^{^{@s^a+pR zV(kztrWX95HV78{pt>~pJNlu*-w|x=JNyBCr@<#w!#^po>kB6qyeu%4AT3(F1Ws-$ zGO27;AlI^eBNyK`?Z9RsKZvuL+<_Z(pbEoIzzKGzkQhvsDj2j7BwR%EVDlN|CF*qW zk`5B;94ulQVjf~5Vlu{TzAzBOv2q;&O1NkR#51TO#N#L#^SC~M5?+^&pXhi^#rBW? z20sSiz(hYtxJZx;0S@?TcDn@r9tn&uBt8LiCF~tj%jK;(Ku^= zj`J9^`9$Lz(;bLLl>H6o>3}R9kf8(TF_S~~H6?|i0U3_x|E9%2q=!l(@*9%&;oNq~hh6lno`LEjNx0wyAypee>kVY9}x z2lWH^VReDgn5OgLAm(ED^V^|1(eXRvAS9D^*&zi+Mu2#YWDa;Be2^@#vcKWKzy)JG200>`2>QZ| z1SulcSAw_V)o36nX1_lpJqL<4<)$#`Tum}Mg-fYKv|UnI*uXGD5E1523J6nhfm;Tn>C_nb0>bO^1tc0|QL!^azhW6kK=6Z@%>a%7 zfAK+F$U`A!A;utvpn90*AweMFp>ly%3kidTJOE-2zi*7$d?x=b^AVE;{qhBc!Q^{H z7W9b;Of1IZs~rNy(`cd*3GRh(#^c5y7#gq%g7DBFyw1^StnyDo17bX%p`9`w{)RD^ z?@BRkLk#SU+5Eap#5@oJ#(b!Y7>St2LRNtohuWfH2G!vU4*NS2>dy!V^(DXy)kjJo z5D5Am!AGCq-ViL*H)atCCK4FJ1G(Y$VF9052?T-yH&FM#a8>y6IDtU0LB4}PP|2@a z0%#mUx>JE5;t_F(0Z2m;LHzp2bz#DSGSnXX8}jjBMHoYnCU+t@K|SnmAQaSAU~QP2 zL$Cm*fSJN@{?ZB%UI;c{asFgBw#{lHU^bHw4R+9eqQVn`bG9G=#1AM6rZHGckpK`W z2H=I!2E4#{f_R92kfI`d5pM;G$>%GICope;_=o!&YuY~PP21W=J`kw+f z;5(TP9HPT7C~(4*4KWc71xP6Tp#m`xV<41a%ohAzSZJsnz-||qkO2Okq4-JdpJZr< zsUQ{>cVOuM$5fDSdF>1Z>f0GAY}trm0>%LGhqcqI$?ekv1VFLIG9> zX&K)FP#w{LOb}0CpM0jHdVg*8_%ZgMWTvpYB`n-iv65faP9PW|+|Ep4?G%_kVhYk6 zq;X*ONP{qD@R=q&j-$vD`x|05VkBZ3zaGX^Xe%&d%mqMYOskPLA~%WJ2r(REEc7W5 zT)S|fe+1`m7~NrdKp3Yxx&h(&8@@3ithHFluQD1aKnQorXd$h|))@u94cZ9S9gzS8 znur*Q`oc68eeyN7GxKg|HexR718F?K!`dUp@|lfkI}$Sbj^GQqhjsz;eY`*c{@!ii z7chQO(}m|}_!d_O0iYS%uL=N&>L394((X3kcT78lwGR=?A6ziz2)hbCqcCQPGF6Ci znAW1Y$QsZO5>{vK2f+dyFah%62m%ZwTx?K9?Gc_xXwXk*g8B!6;Da4M(xY)Wsu1k| zIZfzb5x5cXqYuJX8x<@06@dU#uq8eqq}?Kf1p*Yd6E39PNE4wN?kbR$B8I>Z#yIpl z5;9_@K&ufmQ9ab3Alg9n5mV9Mkg!mF^dn$2YRea}uq6mA>F=409}W09t?xw9|7rRq zz!_-4@JH?#@kc->U-|wF?|~4ooxho{U{gT2Uxt>@aTO4@yiU(6drFfC7ssUkyg3H& zu&ZO}wiwz#GH|l@v{1wrT@B0=EGzC}b9xDviO083LV2QDp+{6jiDvzCYCYJfZ_wp)mGe zfTdFyu-(FBv0-724)a`wB9qNhWy766!Ic~hJ1-|USGY)LW}=UNCOUd~xqGUSNOs;l zE`z3O&m~O)L^|Li6aoIvaY4HF@5S+-@P%-3?dMeEzrjUlxcy(t2rhSb9T^FE=l?lh zgcg$i=eP*1`~1&wLBmK_vFR@4cd@gXU4<`Q$nRpOin|D3u%p^t1(z=5cd>)fU4<`Q z$nRp&aaZ9>7xKHwNiDcmWE#rSR{8vdOUQ2CHryIA~0UWid8QmGUzyVO&>LU#FE$?kKI6svFONguanX z9eG?EduvadF; z^Mr*yYj>WLtDTd(Gnas}cu_HiGKYmE2&c$sD0!GFOMILcIJr7Fb5(d;Pj@$0PbXU^ zXD2WJzd>3&H~yz4&|tOs*YrRil8f<{+t_ifJ-H4%u7eF)PyHK=#S60k)C?+{3C#Xk z&2X{dc{#Z*ck^}T@>K2ITu8RgnDTO+owXq?nug~}RYxxuXM!?_Hw*|V11vMMepMNC zTuLaa`d*vlt93Psi3emQ|c@um)cih<6gg1Y>y7x^C$DBd~{Mj$pA!FK6SI~+uwr=6oK*NN|N zZ0v08xh_t2;CbA9mpgen684j@OZ5L<#r_lkmHBTp%-+V!#*1fTw-OL^;(9H|hID&3 zI}&n)B;Im6I-5-fR~M(GZ!=16*fLLo?H@}g#JLXad#r2 z5|SqucIjY%gpFHIPsk0b?c@O0%{ukygtRF?7m)}l0i4cf{+R z++0`a1p#N-?A&j6K1egvg?hfuGPj{{z0kK~l^JtLImh#h_`zc#j zatG5